Cisco ONS 15454 DWDM Reference Manual, Release 9.2
Cisco ONS 15454 DWDM Reference Manual, Release 9.2
Retour à l'accueil, cliquez ici
Voir également :
Cisco-Telephones-IP-..> 01-Jun-2013 10:28 2.4M
Cisco-UCS-C200-Serve..> 01-Jun-2013 10:27 2.6M
Cisco-ONS-15454-DWDM..> 01-Jun-2013 10:27 4.8M
Cisco-ONS-15454-Refe..> 01-Jun-2013 10:26 3.0M
Cisco-Unified-IP-Pho..> 01-Jun-2013 08:01 2.3M
Cisco-Meraki-Cloud-C..> 01-Jun-2013 07:55 2.3M
Cisco-IPSec-Negotiat..> 01-Jun-2013 07:52 2.1M
Cisco-ASA-5500.htm 01-Jun-2013 07:45 2.1M
CiscoSecurityApplian..> 01-Jun-2013 07:35 2.0M
Cisco-Manuel-du-tele..> 03-Apr-2013 15:45 2.0M
Cisco-836-Router-and..> 03-Apr-2013 15:38 1.6M
Cisco-837-Router-and..> 03-Apr-2013 15:38 1.6M
Cisco-Manuel-du-tele..> 03-Apr-2013 15:37 1.8M
Cisco-ASR-9000-Serie..> 04-Sep-2012 10:04 4.1M
Cisco-ASR-9000-Serie..> 04-Sep-2012 09:44 3.5M
Cisco-ASR-9000-Serie..> 04-Sep-2012 09:40 3.0M
Cisco-ASR-9000-Serie..> 04-Sep-2012 09:34 2.9M
Cisco-ASR-9000-Serie..> 04-Sep-2012 09:29 2.7M
Cisco-ASR-9000-Serie..> 04-Sep-2012 09:24 3.7M
CiscoPrimeNetworkCon..> 04-Sep-2012 09:17 3.0M
XML-Schema-Object-Do..> 03-Sep-2012 18:55 2.1M
XML-Schema-Object-Do..> 03-Sep-2012 18:35 4.9M
Cisco-IOS-XR-XML-API..> 03-Sep-2012 18:29 4.7M
Cisco-ASR-9000-Serie..> 03-Sep-2012 17:25 5.0M
Cisco-ASR-9000-Serie..> 03-Sep-2012 17:20 5.7M
Cisco-ASR-9000-Serie..> 03-Sep-2012 17:15 5.9M
Cisco-IOS-XR-Carrier..> 03-Sep-2012 17:10 4.5M
Cisco-ASR-9000-Serie..> 03-Sep-2012 17:07 4.3M
Cisco-Introduction-t..> 03-Sep-2012 16:57 4.2M
Cisco-Security-Appli..> 03-Sep-2012 16:54 4.2M
liendocumentationcis..> 28-Jan-2012 10:29 5.2K
white_paper_c11-4621..> 28-Jan-2012 10:24 55K
cisco.htm 26-Jan-2012 17:35 1.5M
liendocumentationcis..> 26-Jan-2012 17:32 5.2K
liensdocumentationci..> 26-Jan-2012 17:31 5.0K
CiscoASA5500.htm 01-Jan-2012 22:26 3.3M
ciscoVPNClientAdmini..> 01-Jan-2012 12:56 223K
Cisco7600SeriesRoute..> 01-Jan-2012 12:51 2.7MAmericas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Cisco ONS 15454 DWDM Reference Manual Cisco ONS 15454, Cisco ONS 15454-M2, and Cisco ONS 15454-M6 Product and Software Release 9.2 July 2012 Text Part Number: 78-19285-02THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: • Turn the television or radio antenna until the interference stops. • Move the equipment to one side or the other of the television or radio. • Move the equipment farther away from the television or radio. • Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco ONS 15454 DWDM Reference Manual, Release 9.2 Copyright © 2007–2012 Cisco Systems, Inc. All rights reserved.iii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 CONTENTS Preface lvii Revision History lvii Document Objectives lxi Audience lxi Document Organization lxi Related Documentation lxiii Document Conventions lxiv Obtaining Optical Networking Information lxx Where to Find Safety and Warning Information lxx Cisco Optical Networking Product Documentation CD-ROM lxx Obtaining Documentation and Submitting a Service Request lxx CHAPTER 1 Cisco ONS 15454 (ANSI and ETSI), ONS 15454 M2, and ONS 15454 M6 Shelf Assembly 1-1 CHAPTER 2 Common Control Cards 2-1 2.1 Card Overview 2-2 2.1.1 Common Control Cards 2-2 2.1.2 Card Compatibility 2-2 2.1.3 Front Mount Electrical Connections (ETSI only) 2-3 2.2 Safety Labels 2-3 2.2.1 Hazard Level 1 Label 2-3 2.3 TCC2 Card 2-3 2.3.1 TCC2 Functionality 2-5 2.3.2 Redundant TCC2 Card Installation 2-6 2.3.3 TCC2 Card-Level Indicators 2-6 2.3.4 Network-Level Indicators 2-7 2.3.5 Power-Level Indicators 2-7 2.4 TCC2P Card 2-8 2.4.1 TCC2P Functionality 2-10 2.4.2 Redundant TCC2P Card Installation 2-10 2.4.3 TCC2P Card-Level Indicators 2-11 2.4.4 Network-Level Indicators 2-11 2.4.5 Power-Level Indicators 2-12Contents iv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 2.5 TCC3 Card 2-12 2.5.1 TCC3 Functionality 2-14 2.5.2 Redundant TCC3 Card Installation 2-14 2.5.3 TCC3 Card-Level Indicators 2-15 2.5.4 Network-Level Indicators 2-15 2.5.5 Power-Level Indicators 2-16 2.6 TNC Card 2-16 2.6.1 Functions of TNC 2-17 2.6.1.1 Communication and Control 2-17 2.6.1.2 Optical Service Channel 2-18 2.6.1.3 Timing and Synchronization 2-18 2.6.1.4 MultiShelf Management 2-19 2.6.1.5 Database Storage 2-19 2.6.1.6 Interface Ports 2-19 2.6.1.7 External Alarms and Controls 2-20 2.6.1.8 Digital Image Signing (DIS) 2-21 2.6.2 Faceplate and Block Diagram 2-21 2.6.3 Lamp Test 2-22 2.6.4 TNC Card Installation (ONS 15454 M6) 2-22 2.6.5 Card-Level Indicators 2-22 2.6.6 Network-Level Indicators 2-22 2.6.7 Power-Level Indicators 2-24 2.6.8 Ethernet Port Indicators 2-24 2.6.9 SFP Indicators 2-24 2.6.10 Protection Schemes 2-25 2.6.11 Cards Supported by TNC 2-25 2.7 TSC Card 2-25 2.7.1 Functions of TSC 2-26 2.7.1.1 Communication and Control 2-26 2.7.1.2 Timing and Synchronization 2-27 2.7.1.3 MultiShelf Management 2-27 2.7.1.4 Database Storage 2-27 2.7.1.5 Interface Ports 2-28 2.7.1.6 External Alarms and Controls 2-28 2.7.1.7 Digital Image Signing (DIS) 2-29 2.7.2 Faceplate and Block Diagram 2-29 2.7.3 Lamp Test 2-30 2.7.4 TSC Card Installation (ONS 15454 M6) 2-30 2.7.5 Card-Level Indicators 2-30 2.7.6 Network-Level Indicators 2-30Contents v Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 2.7.7 Power-Level Indicators 2-31 2.7.8 Ethernet Port Indicators 2-32 2.7.9 Protection Schemes 2-32 2.7.10 Cards Supported by TSC 2-33 2.8 Digital Image Signing 2-33 2.8.1 DIS Identification 2-33 2.9 AIC-I Card 2-34 2.9.1 AIC-I Card-Level Indicators 2-35 2.9.2 External Alarms and Controls 2-36 2.9.3 Orderwire 2-37 2.9.4 Power Monitoring 2-38 2.9.5 User Data Channel 2-38 2.9.6 Data Communications Channel 2-39 2.10 MS-ISC-100T Card 2-39 2.10.1 MS-ISC-100T Card-Level Indicators 2-41 2.11 Front Mount Electrical Connections 2-42 2.11.1 MIC-A/P FMEC 2-42 2.11.2 MIC-C/T/P FMEC 2-45 CHAPTER 3 Optical Service Channel Cards 3-1 3.1 Card Overview 3-1 3.1.1 Card Summary 3-2 3.1.2 Card Compatibility 3-2 3.2 Class 1 Laser Safety Labels 3-3 3.2.1 Class 1 Laser Product Label 3-3 3.2.2 Hazard Level 1 Label 3-3 3.2.3 Laser Source Connector Label 3-3 3.2.4 FDA Statement Label 3-4 3.2.5 Shock Hazard Label 3-4 3.3 OSCM Card 3-5 3.3.1 Power Monitoring 3-8 3.3.2 OSCM Card-Level Indicators 3-8 3.3.3 OSCM Port-Level Indicators 3-9 3.4 OSC-CSM Card 3-9 3.4.1 Power Monitoring 3-13 3.4.2 Alarms and Thresholds 3-14 3.4.3 OSC-CSM Card-Level Indicators 3-14 3.4.4 OSC-CSM Port-Level Indicators 3-15Contents vi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 CHAPTER 4 Optical Amplifier Cards 4-1 4.1 Card Overview 4-1 4.1.1 Applications 4-2 4.1.2 Card Summary 4-2 4.1.3 Card Compatibility 4-3 4.1.4 Optical Power Alarms and Thresholds 4-5 4.2 Class 1M Laser Safety Labels 4-5 4.2.1 Class 1M Laser Product Statement 4-5 4.2.2 Hazard Level 1M Label 4-6 4.2.3 Laser Source Connector Label 4-6 4.2.4 FDA Statement Label 4-6 4.2.5 Shock Hazard Label 4-7 4.3 OPT-PRE Amplifier Card 4-7 4.3.1 OPT-PRE Faceplate Ports 4-8 4.3.2 OPT-PRE Block Diagrams 4-9 4.3.3 OPT-PRE Power Monitoring 4-10 4.3.4 OPT-PRE Amplifier Card-Level Indicators 4-11 4.3.5 OPT-PRE Amplifier Port-Level Indicators 4-11 4.4 OPT-BST Amplifier Card 4-11 4.4.1 OPT-BST Faceplate Ports 4-12 4.4.2 OPT-BST Block Diagrams 4-13 4.4.3 OPT-BST Power Monitoring 4-14 4.4.4 OPT-BST Card-Level Indicators 4-15 4.4.5 OPT-BST Port-Level Indicators 4-15 4.5 OPT-BST-E Amplifier Card 4-16 4.5.1 OPT-BST-E Faceplate Ports 4-16 4.5.2 OPT-BST-E Block Diagrams 4-17 4.5.3 OPT-BST-E Power Monitoring 4-18 4.5.4 OPT-BST-E Card-Level Indicators 4-19 4.5.5 OPT-BST-E Port-Level Indicators 4-19 4.6 OPT-BST-L Amplifier Card 4-19 4.6.1 OPT-BST-L Faceplate Ports 4-20 4.6.2 OPT-BST-L Block Diagrams 4-21 4.6.3 OPT-BST-L Power Monitoring 4-22 4.6.4 OPT-BST-L Card-Level Indicators 4-23 4.6.5 OPT-BST-L Port-Level Indicators 4-23 4.7 OPT-AMP-L Card 4-24 4.7.1 OPT-AMP-L Faceplate Ports 4-25 4.7.2 OPT-AMP-L Block Diagrams 4-26Contents vii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 4.7.3 OPT-AMP-L Power Monitoring 4-28 4.7.4 OPT-AMP-L Card-Level Indicators 4-28 4.7.5 OPT-AMP-L Port-Level Indicators 4-29 4.8 OPT-AMP-17-C Card 4-29 4.8.1 OPT-AMP-17-C Faceplate Ports 4-29 4.8.2 OPT-AMP-17-C Block Diagrams 4-31 4.8.3 OPT-AMP-17-C Automatic Power Control 4-32 4.8.4 OPT-AMP-17-C Power Monitoring 4-32 4.8.5 OPT-AMP-17-C Card-Level Indicators 4-32 4.8.6 OPT-AMP-17-C Port-Level Indicators 4-33 4.9 OPT-AMP-C Card 4-33 4.9.1 OPT-AMP-C Card Faceplate Ports 4-34 4.9.2 OPT-AMP-C Card Block Diagrams 4-35 4.9.3 OPT-AMP-C Card Power Monitoring 4-37 4.9.4 OPT-AMP-C Card-Level Indicators 4-37 4.9.5 OPT-AMP-C Card Port-Level Indicators 4-38 4.10 OPT-RAMP-C and OPT-RAMP-CE Cards 4-38 4.10.1 Card Faceplate Ports 4-39 4.10.2 Card Block Diagram 4-40 4.10.3 OPT-RAMP-C and OPT-RAMP-CE Card Power Monitoring 4-42 4.10.4 OPT-RAMP-C and OPT-RAMP-CE Card Level Indicators 4-42 4.10.5 OPT-RAMP-C and OPT-RAMP-CE Card Port-Level Indicators 4-43 CHAPTER 5 Multiplexer and Demultiplexer Cards 5-1 5.1 Card Overview 5-1 5.1.1 Card Summary 5-2 5.1.2 Card Compatibility 5-2 5.1.3 Interface Classes 5-2 5.1.4 Channel Allocation Plan 5-5 5.2 Safety Labels 5-8 5.2.1 Class 1 Laser Product Labels 5-8 5.2.1.1 Class 1 Laser Product Label 5-8 5.2.1.2 Hazard Level 1 Label 5-9 5.2.1.3 Laser Source Connector Label 5-9 5.2.1.4 FDA Statement Label 5-10 5.2.1.5 Shock Hazard Label 5-10 5.2.2 Class 1M Laser Product Cards 5-10 5.2.2.1 Class 1M Laser Product Statement 5-11 5.2.2.2 Hazard Level 1M Label 5-11Contents viii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 5.2.2.3 Laser Source Connector Label 5-11 5.2.2.4 FDA Statement Label 5-12 5.2.2.5 Shock Hazard Label 5-12 5.3 32MUX-O Card 5-13 5.3.1 Channel Plan 5-15 5.3.2 Power Monitoring 5-17 5.3.3 32MUX-O Card-Level Indicators 5-17 5.3.4 32MUX-O Port-Level Indicators 5-17 5.4 32DMX-O Card 5-17 5.4.1 Power Monitoring 5-20 5.4.2 32DMX-O Card-Level Indicators 5-21 5.4.3 32DMX-O Port-Level Indicators 5-21 5.5 4MD-xx.x Card 5-21 5.5.1 Wavelength Pairs 5-24 5.5.2 Power Monitoring 5-24 5.5.3 4MD-xx.x Card-Level Indicators 5-24 5.5.4 4MD-xx.x Port-Level Indicators 5-25 CHAPTER 6 Tunable Dispersion Compensating Units 6-1 6.1 Card Overview 6-1 6.1.1 Card Summary 6-2 6.2 Class 1M Laser Safety Labels 6-2 6.2.1 Class 1M Laser Product Cards 6-2 6.2.1.1 Hazard Level 1M Label 6-2 6.2.1.2 Laser Source Connector Label 6-3 6.2.1.3 FDA Statement Label 6-3 6.3 TDC-CC and TDC-FC Cards 6-3 6.3.1 Key Features 6-4 6.3.2 TDC-CC and TDC-FC Faceplate Diagram 6-5 6.3.3 Functioning of Optical Ports 6-6 6.3.4 TDC-CC and TDC-FC Block Diagram 6-6 6.3.5 Lamp Test 6-6 6.3.6 TDC-CC and TDC-FC Card-Level Indicators 6-6 6.4 Monitoring Optical Performance 6-7 CHAPTER 7 Protection Switching Module 7-1 7.1 PSM Card Overview 7-1 7.2 Key Features 7-2Contents ix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 7.3 PSM Block Diagram 7-2 7.4 PSM Faceplate Ports 7-3 7.5 PSM Card-Level Indicators 7-4 7.6 PSM Bidirectional Switching 7-5 CHAPTER 8 Optical Add/Drop Cards 8-1 8.1 Card Overview 8-1 8.1.1 Card Summary 8-2 8.1.2 Card Compatibility 8-2 8.1.3 Interface Classes 8-3 8.1.4 DWDM Card Channel Allocation Plan 8-7 8.2 Class 1M Laser Product Safety Lasers 8-8 8.2.1 Class 1M Laser Product Statement 8-9 8.2.2 Hazard Level 1M Label 8-9 8.2.3 Laser Source Connector Label 8-9 8.2.4 FDA Statement Label 8-10 8.2.5 Shock Hazard Label 8-10 8.3 AD-1C-xx.x Card 8-11 8.3.1 Power Monitoring 8-13 8.3.2 AD-1C-xx.x Card-Level Indicators 8-14 8.3.3 AD-1C-xx.x Port-Level Indicators 8-14 8.4 AD-2C-xx.x Card 8-14 8.4.1 Wavelength Pairs 8-16 8.4.2 Power Monitoring 8-17 8.4.3 AD-2C-xx.x Card-Level Indicators 8-17 8.4.4 AD-2C-xx.x Port-Level Indicators 8-18 8.5 AD-4C-xx.x Card 8-18 8.5.1 Wavelength Sets 8-20 8.5.2 Power Monitoring 8-21 8.5.3 AD-4C-xx.x Card-Level Indicators 8-21 8.5.4 AD-4C-xx.x Port-Level Indicators 8-22 8.6 AD-1B-xx.x Card 8-22 8.6.1 Power Monitoring 8-24 8.6.2 AD-1B-xx.x Card-Level Indicators 8-25 8.6.3 AD-1B-xx.x Port-Level Indicators 8-25 8.7 AD-4B-xx.x Card 8-25 8.7.1 Power Monitoring 8-27 8.7.2 AD-4B-xx.x Card-Level Indicators 8-28Contents x Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 8.7.3 AD-4B-xx.x Port-Level Indicators 8-28 CHAPTER 9 Reconfigurable Optical Add/Drop Cards 9-1 9.1 Card Overview 9-2 9.1.1 Card Summary 9-2 9.1.2 Card Compatibility 9-3 9.1.3 Interface Classes 9-5 9.1.4 Channel Allocation Plans 9-11 9.2 Safety Labels for Class 1M Laser Product Cards 9-14 9.2.1 Class 1M Laser Product Statement 9-14 9.2.2 Hazard Level 1M Label 9-15 9.2.3 Laser Source Connector Label 9-15 9.2.4 FDA Statement Label 9-15 9.2.5 Shock Hazard Label 9-16 9.3 32WSS Card 9-16 9.3.1 32WSS Faceplate Ports 9-17 9.3.2 32WSS Block Diagram 9-18 9.3.3 32WSS ROADM Functionality 9-21 9.3.4 32WSS Power Monitoring 9-21 9.3.5 32WSS Channel Allocation Plan 9-22 9.3.6 32WSS Card-Level Indicators 9-23 9.3.7 32WSS Port-Level Indicators 9-23 9.4 32WSS-L Card 9-23 9.4.1 32WSS-L Faceplate Ports 9-24 9.4.2 32WSS-L Block Diagram 9-25 9.4.3 32WSS-L ROADM Functionality 9-28 9.4.4 32WSS-L Power Monitoring 9-28 9.4.5 32WSS-L Channel Plan 9-28 9.4.6 32WSS-L Card-Level Indicators 9-30 9.5 32DMX Card 9-30 9.5.1 32DMX Faceplate Ports 9-30 9.5.2 32DMX Block Diagram 9-31 9.5.3 32DMX ROADM Functionality 9-32 9.5.4 32DMX Power Monitoring 9-33 9.5.5 32DMX Channel Allocation Plan 9-33 9.5.6 32DMX Card-Level Indicators 9-34 9.5.7 32DMX Port-Level Indicators 9-35 9.6 32DMX-L Card 9-35 9.6.1 32DMX-L Faceplate Ports 9-35Contents xi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 9.6.2 32DMX-L Block Diagram 9-36 9.6.3 32DMX-L ROADM Functionality 9-37 9.6.4 32DMX-L Power Monitoring 9-38 9.6.5 32DMX-L Channel Plan 9-38 9.6.6 32DMX-L Card-Level Indicators 9-39 9.6.7 32DMX-L Port-Level Indicators 9-40 9.7 40-DMX-C Card 9-40 9.7.1 40-DMX-C Faceplate Ports 9-40 9.7.2 40-DMX-C Block Diagram 9-41 9.7.3 40-DMX-C ROADM Functionality 9-42 9.7.4 40-DMX-C Power Monitoring 9-43 9.7.5 40-DMX-C Channel Plan 9-43 9.7.6 40-DMX-C Card-Level Indicators 9-44 9.7.7 40-DMX-C Port-Level Indicators 9-45 9.8 40-DMX-CE Card 9-45 9.8.1 40-DMX-CE Card Faceplate Ports 9-45 9.8.2 40-DMX-CE Card Block Diagram 9-46 9.8.3 40-DMX-CE Card ROADM Functionality 9-47 9.8.4 40-DMX-CE Card Power Monitoring 9-48 9.8.5 40-DMX-CE Card Channel Plan 9-48 9.8.6 40-DMX-CE Card-Level Indicators 9-49 9.8.7 40-DMX-CE Card Port-Level Indicators 9-50 9.9 40-MUX-C Card 9-50 9.9.1 40-MUX-C Card Faceplate Ports 9-50 9.9.2 40-MUX-C Card Block Diagram 9-51 9.9.3 40-MUX-C Card Power Monitoring 9-52 9.9.4 40-MUX-C Card Channel Plan 9-53 9.9.5 40-MUX-C Card-Level Indicators 9-54 9.9.6 40-MUX-C Port-Level Indicators 9-55 9.10 40-WSS-C Card 9-55 9.10.1 40-WSS-C Faceplate Ports 9-55 9.10.2 40-WSS-C Block Diagram 9-56 9.10.3 40-WSS-C ROADM Functionality 9-58 9.10.4 40-WSS-C Power Monitoring 9-58 9.10.5 40-WSS-C Channel Plan 9-59 9.10.6 40-WSS-C Card-Level Indicators 9-60 9.10.7 40-WSS-C Port-Level Indicators 9-61 9.11 40-WSS-CE Card 9-61 9.11.1 40-WSS-CE Faceplate Ports 9-62Contents xii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 9.11.2 40-WSS-CE Card Block Diagram 9-63 9.11.3 40-WSS-CE Card ROADM Functionality 9-65 9.11.4 40-WSS-CE Card Power Monitoring 9-65 9.11.5 40-WSS-CE Card Channel Plan 9-66 9.11.6 40-WSS-CE Card-Level Indicators 9-67 9.11.7 40-WSS-CE Card Port-Level Indicators 9-68 9.12 40-WXC-C Card 9-68 9.12.1 40-WXC-C Faceplate Ports 9-69 9.12.2 40-WXC-C Block Diagram 9-70 9.12.3 40-WXC-C Power Monitoring 9-71 9.12.4 40-WXC-C Channel Plan 9-72 9.12.5 40-WXC-C Card-Level Indicators 9-74 9.12.6 40-WXC-C Port-Level Indicators 9-74 9.13 80-WXC-C Card 9-74 9.13.1 80-WXC-C Faceplate and Optical Module Functional Block Diagram 9-75 9.13.2 80-WXC-C Power Monitoring 9-77 9.13.3 80-WXC-C Channel Plan 9-78 9.13.4 80-WXC-C Card-Level Indicators 9-80 9.13.5 80-WXC-C Port-Level Indicators 9-81 9.14 Single Module ROADM (SMR-C) Cards 9-81 9.14.1 SMR-C Card Key Features 9-82 9.14.2 40-SMR1-C Card 9-82 9.14.2.1 40-SMR1-C Faceplate Ports 9-82 9.14.2.2 40-SMR1-C Block Diagram 9-83 9.14.2.3 40-SMR1-C Power Monitoring 9-85 9.14.2.4 40-SMR1-C Channel Plan 9-85 9.14.2.5 40-SMR1-C Card-Level Indicators 9-86 9.14.2.6 40-SMR1-C Port-Level Indicators 9-87 9.14.3 40-SMR2-C Card 9-87 9.14.3.1 40-SMR2-C Faceplate Ports 9-87 9.14.3.2 40-SMR2-C Block Diagram 9-88 9.14.3.3 40-SMR2-C Power Monitoring 9-89 9.14.3.4 40-SMR2-C Channel Plan 9-90 9.14.3.5 40-SMR2-C Card-Level Indicators 9-91 9.14.3.6 40-SMR2-C Port-Level Indicators 9-91 9.15 MMU Card 9-92 9.15.1 MMU Faceplate Ports 9-92 9.15.2 MMU Block Diagram 9-93 9.15.3 MMU Power Monitoring 9-94Contents xiii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 9.15.4 MMU Card-Level Indicators 9-94 9.15.5 MMU Port-Level Indicators 9-95 CHAPTER 10 Transponder and Muxponder Cards 10-1 10.1 Card Overview 10-2 10.1.1 Card Summary 10-3 10.1.2 Card Compatibility 10-5 10.2 Safety Labels 10-8 10.2.1 Class 1 Laser Product Cards 10-8 10.2.1.1 Class 1 Laser Product Label 10-8 10.2.1.2 Hazard Level 1 Label 10-9 10.2.1.3 Laser Source Connector Label 10-9 10.2.1.4 FDA Statement Label 10-10 10.2.1.5 Shock Hazard Label 10-10 10.2.2 Class 1M Laser Product Cards 10-10 10.2.2.1 Class 1M Laser Product Statement 10-11 10.2.2.2 Hazard Level 1M Label 10-11 10.2.2.3 Laser Source Connector Label 10-11 10.2.2.4 FDA Statement Label 10-12 10.2.2.5 Shock Hazard Label 10-12 10.3 TXP_MR_10G Card 10-13 10.3.1 Automatic Laser Shutdown 10-15 10.3.2 TXP_MR_10G Card-Level Indicators 10-16 10.3.3 TXP_MR_10G Port-Level Indicators 10-16 10.4 TXP_MR_10E Card 10-16 10.4.1 Key Features 10-17 10.4.2 Faceplate and Block Diagram 10-17 10.4.3 Client Interface 10-18 10.4.4 DWDM Trunk Interface 10-18 10.4.5 Enhanced FEC (E-FEC) Feature 10-19 10.4.6 FEC and E-FEC Modes 10-19 10.4.7 Client-to-Trunk Mapping 10-19 10.4.8 Automatic Laser Shutdown 10-20 10.4.9 TXP_MR_10E Card-Level Indicators 10-20 10.4.10 TXP_MR_10E Port-Level Indicators 10-20 10.5 TXP_MR_10E_C and TXP_MR_10E_L Cards 10-21 10.5.1 Key Features 10-21 10.5.2 Faceplates and Block Diagram 10-22 10.5.3 Client Interface 10-22Contents xiv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10.5.4 DWDM Trunk Interface 10-23 10.5.5 Enhanced FEC (E-FEC) Feature 10-23 10.5.6 FEC and E-FEC Modes 10-23 10.5.7 Client-to-Trunk Mapping 10-24 10.5.8 Automatic Laser Shutdown 10-24 10.5.9 TXP_MR_10E_C and TXP_MR_10E_L Card-Level Indicators 10-24 10.5.10 TXP_MR_10E_C and TXP_MR_10E_L Port-Level Indicators 10-24 10.6 TXP_MR_2.5G and TXPP_MR_2.5G Cards 10-25 10.6.1 Faceplate 10-27 10.6.2 Block Diagram 10-27 10.6.3 Automatic Laser Shutdown 10-28 10.6.4 TXP_MR_2.5G and TXPP_MR_2.5G Card-Level Indicators 10-29 10.6.5 TXP_MR_2.5G and TXPP_MR_2.5G Port-Level Indicators 10-29 10.7 MXP_2.5G_10G Card 10-29 10.7.1 Timing Synchronization 10-32 10.7.2 Automatic Laser Shutdown 10-32 10.7.3 MXP_2.5G_10G Card-Level Indicators 10-32 10.7.3.1 MXP_2.5G_10G Port-Level Indicators 10-33 10.7.4 MXP_2.5G_10E Card 10-33 10.7.4.1 Key Features 10-34 10.7.5 Faceplate 10-35 10.7.6 Client Interfaces 10-36 10.7.6.1 DWDM Interface 10-36 10.7.7 Multiplexing Function 10-36 10.7.8 Timing Synchronization 10-37 10.7.9 Enhanced FEC (E-FEC) Capability 10-37 10.7.10 FEC and E-FEC Modes 10-37 10.7.11 SONET/SDH Overhead Byte Processing 10-38 10.7.12 Client Interface Monitoring 10-38 10.7.13 Wavelength Identification 10-38 10.7.14 Automatic Laser Shutdown 10-39 10.7.15 Jitter 10-39 10.7.16 Lamp Test 10-39 10.7.17 Onboard Traffic Generation 10-40 10.7.18 MXP_2.5G_10E Card-Level Indicators 10-40 10.7.19 MXP_2.5G_10E Port-Level Indicators 10-40 10.8 MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards 10-40 10.8.1 Key Features 10-41 10.8.2 Faceplate 10-42Contents xv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10.8.3 Client Interfaces 10-43 10.8.4 DWDM Interface 10-43 10.8.5 Multiplexing Function 10-44 10.8.6 Timing Synchronization 10-44 10.8.7 Enhanced FEC (E-FEC) Capability 10-44 10.8.8 FEC and E-FEC Modes 10-45 10.8.9 SONET/SDH Overhead Byte Processing 10-45 10.8.10 Client Interface Monitoring 10-45 10.8.11 Wavelength Identification 10-45 10.8.12 Automatic Laser Shutdown 10-48 10.8.13 Jitter 10-48 10.8.14 Lamp Test 10-48 10.8.15 Onboard Traffic Generation 10-49 10.8.16 MXP_2.5G_10E_C and MXP_2.5G_10E_L Card-Level Indicators 10-49 10.8.17 MXP_2.5G_10E and MXP_2.5G_10E_L Port-Level Indicators 10-49 10.9 MXP_MR_2.5G and MXPP_MR_2.5G Cards 10-49 10.9.1 Performance Monitoring 10-52 10.9.2 Distance Extension 10-52 10.9.3 Slot Compatibility 10-52 10.9.4 Interoperability with Cisco MDS Switches 10-52 10.9.5 Client and Trunk Ports 10-52 10.9.6 Faceplates 10-52 10.9.7 Block Diagram 10-53 10.9.8 Automatic Laser Shutdown 10-54 10.9.9 MXP_MR_2.5G and MXPP_MR_2.5G Card-Level Indicators 10-55 10.9.10 MXP_MR_2.5G and MXPP_MR_2.5G Port-Level Indicators 10-55 10.10 MXP_MR_10DME_C and MXP_MR_10DME_L Cards 10-55 10.10.1 Key Features 10-58 10.10.2 Faceplate 10-59 10.10.3 Wavelength Identification 10-60 10.10.4 MXP_MR_10DME_C and MXP_MR_10DME_L Card-Level Indicators 10-63 10.10.5 MXP_MR_10DME_C and MXP_MR_10DME_L Port-Level Indicators 10-64 10.11 40G-MXP-C Card 10-64 10.11.1 Key Features 10-66 10.11.2 Faceplate and Block Diagram 10-67 10.11.3 Wavelength Identification 10-68 10.11.4 40G-MXP-C Card-Level Indicators 10-70 10.11.5 40G-MXP-C Card Port-Level Indicators 10-70 10.12 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10-71Contents xvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10.12.1 Key Features 10-72 10.12.2 Protocol Compatibility list 10-74 10.12.3 Faceplate and Block Diagram 10-74 10.12.4 Client Interface 10-77 10.12.5 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card-Level Indicators 10-78 10.12.6 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Port-Level Indicators 10-78 10.12.7 DWDM Trunk Interface 10-79 10.12.8 Configuration Management 10-79 10.12.9 Security 10-79 10.12.10 Card Protection 10-80 10.12.10.1 1+1 Protection 10-80 10.12.10.2 Y-Cable Protection 10-80 10.12.10.3 Layer 2 Over DWDM Protection 10-81 10.12.11 IGMP Snooping 10-81 10.12.11.1 IGMP Snooping Guidelines and Restrictions 10-82 10.12.11.2 Fast-Leave Processing 10-83 10.12.11.3 Static Router Port Configuration 10-83 10.12.11.4 Report Suppression 10-83 10.12.11.5 IGMP Statistics and Counters 10-83 10.12.12 Multicast VLAN Registration 10-84 10.12.13 MAC Address Learning 10-84 10.12.14 MAC Address Retrieval 10-84 10.12.15 Link Integrity 10-85 10.12.16 Ingress CoS 10-85 10.12.17 CVLAN Rate Limiting 10-86 10.12.18 DSCP to CoS Mapping 10-86 10.12.19 Link Aggregation Control Protocol 10-87 10.12.19.1 Advantages of LACP 10-87 10.12.19.2 Functions of LACP 10-87 10.12.19.3 Modes of LACP 10-87 10.12.19.4 Parameters of LACP 10-87 10.12.19.5 Unicast Hashing Schemes 10-88 10.12.19.6 Supported LACP Features 10-88 10.12.19.7 LACP Limitations and Restrictions 10-88 10.12.20 Ethernet Connectivity Fault Management 10-89 10.12.20.1 Maintenance Domain 10-89 10.12.20.2 Maintenance Association 10-89 10.12.20.3 Maintenance End Points 10-89 10.12.20.4 Maintenance Intermediate Points 10-90 10.12.20.5 CFM Messages 10-90Contents xvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10.12.20.6 Supported CFM Features 10-90 10.12.20.7 CFM Limitations and Restrictions 10-91 10.12.21 Ethernet OAM 10-91 10.12.21.1 Components of the Ethernet OAM 10-91 10.12.21.2 Benefits of the Ethernet OAM 10-92 10.12.21.3 Features of the Ethernet OAM 10-92 10.12.21.4 Ethernet OAM Supported Features 10-92 10.12.21.5 Ethernet OAM Limitations and Restrictions 10-92 10.12.22 Resilient Ethernet Protocol 10-93 10.12.22.1 REP Segments 10-93 10.12.22.2 Characteristics of REP Segments 10-93 10.12.22.3 REP Port States 10-93 10.12.22.4 Link Adjacency 10-94 10.12.22.5 Fast Reconvergence 10-94 10.12.22.6 VLAN Load Balancing 10-94 10.12.22.7 REP Configuration Sequence 10-94 10.12.22.8 REP Supported Interfaces 10-95 10.12.22.9 REP Limitations and Restrictions 10-95 10.13 ADM-10G Card 10-96 10.13.1 Key Features 10-96 10.13.2 ADM-10G POS Encapsulation, Framing, and CRC 10-97 10.13.2.1 POS Overview 10-97 10.13.2.2 POS Framing Modes 10-98 10.13.2.3 GFP Interoperability 10-98 10.13.2.4 LEX Interoperability 10-98 10.13.3 Faceplate 10-98 10.13.4 Port Configuration Rules 10-99 10.13.5 Client Interfaces 10-100 10.13.6 Interlink Interfaces 10-101 10.13.7 DWDM Trunk Interface 10-101 10.13.8 Configuration Management 10-101 10.13.9 Security 10-103 10.13.10 Protection 10-103 10.13.10.1 Circuit Protection Schemes 10-103 10.13.10.2 Port Protection Schemes 10-103 10.13.10.3 Flexible Protection Mechanism 10-103 10.13.11 Circuit Provisioning 10-104 10.13.12 ADM-10G CCAT and VCAT Characteristics 10-104 Available Circuit Sizes 10-105 10.13.13 Automatic Laser Shutdown 10-106Contents xviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Intermediate Path Performance Monitoring 10-106 Pointer Justification Count Performance Monitoring 10-106 Performance Monitoring Parameter Definitions 10-107 10.13.14 ADM-10G Card-Level Indicators 10-110 10.13.15 ADM-10G Card Port-Level Indicators 10-110 10.14 OTU2_XP Card 10-111 10.14.1 Key Features 10-112 10.14.2 Faceplate and Block Diagram 10-113 10.14.3 OTU2_XP Card-Level Indicators 10-115 10.14.4 OTU2_XP Port-Level Indicators 10-115 10.14.5 OTU2_XP Card Interface 10-116 10.14.5.1 Client Interface 10-116 10.14.5.2 Trunk Interface 10-116 10.14.6 Configuration Management 10-117 10.14.7 OTU2_XP Card Configuration Rules 10-117 10.14.8 Security 10-119 10.14.9 Automatic Laser Shutdown 10-119 10.14.10 ODU Transparency 10-120 10.14.11 Protection 10-120 10.14.11.1 Y-Cable Protection 10-120 10.14.11.2 Splitter Protection 10-120 10.15 MLSE UT 10-121 10.15.1 Error Decorrelator 10-121 10.16 TXP_MR_10EX_C Card 10-121 10.16.1 Key Features 10-121 10.16.2 Faceplate and Block Diagram 10-122 10.16.3 Client Interface 10-123 10.16.4 DWDM Trunk Interface 10-123 10.16.5 Enhanced FEC (E-FEC) Feature 10-123 10.16.6 FEC and E-FEC Modes 10-124 10.16.7 Client-to-Trunk Mapping 10-124 10.16.8 Automatic Laser Shutdown 10-124 10.16.9 TXP_MR_10EX_C Card-Level Indicators 10-124 10.16.10 TXP_MR_10EX_C Port-Level Indicators 10-125 10.17 MXP_2.5G_10EX_C card 10-125 10.17.1 Key Features 10-126 10.17.2 Faceplate 10-127 10.17.3 Client Interfaces 10-127 10.17.4 DWDM Interface 10-128Contents xix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10.17.5 Multiplexing Function 10-128 10.17.6 Timing Synchronization 10-128 10.17.7 Enhanced FEC (E-FEC) Capability 10-129 10.17.8 FEC and E-FEC Modes 10-129 10.17.9 SONET/SDH Overhead Byte Processing 10-129 10.17.10 Client Interface Monitoring 10-129 10.17.11 Wavelength Identification 10-130 10.17.12 Automatic Laser Shutdown 10-131 10.17.13 Jitter 10-131 10.17.14 Lamp Test 10-131 10.17.15 Onboard Traffic Generation 10-131 10.17.16 MXP_2.5G_10EX_C Card-Level Indicators 10-132 10.17.17 MXP_2.5G_10EX_C Port-Level Indicators 10-132 10.18 MXP_MR_10DMEX_C Card 10-132 10.18.1 Key Features 10-134 10.18.2 Faceplate 10-135 10.18.3 Wavelength Identification 10-136 10.18.4 MXP_MR_10DMEX_C Card-Level Indicators 10-138 10.18.5 MXP_MR_10DMEX_C Port-Level Indicators 10-138 10.19 Y-Cable and Splitter Protection 10-139 10.19.1 Y-Cable Protection 10-139 10.19.2 Splitter Protection 10-141 10.20 Far-End Laser Control 10-142 10.21 Jitter Considerations 10-142 10.22 Termination Modes 10-143 10.23 SFP and XFP Modules 10-144 CHAPTER 11 Node Reference 11-1 11.1 DWDM Node Configurations 11-1 11.1.1 Terminal Node 11-2 11.1.2 OADM Node 11-8 11.1.3 ROADM Node 11-10 11.1.4 Hub Node 11-27 11.1.5 Anti-ASE Node 11-31 11.1.6 Line Amplifier Node 11-32 11.1.7 OSC Regeneration Node 11-33 11.2 Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards 11-34 11.2.1 OPT-RAMP-C or OPT-RAMP-CE Card in an Add/Drop Node 11-36 11.2.2 OPT-RAMP-C or OPT-RAMP-CE Card in a Line Site Node with Booster Amplification 11-36Contents xx Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 11.3 Supported Node Configurations for PSM Card 11-38 11.3.1 Channel Protection 11-38 11.3.2 Multiplex Section Protection 11-40 11.3.3 Line Protection 11-40 11.3.4 Standalone 11-41 11.4 Multishelf Node 11-42 11.4.1 Multishelf Node Layout 11-43 11.4.2 DCC/GCC/OSC Terminations 11-43 11.5 Optical Sides 11-44 11.5.1 Optical Side Stages 11-44 11.5.1.1 Fiber Stage 11-45 11.5.1.2 A/D Stage 11-47 11.5.2 Side Line Ports 11-47 11.5.3 Optical Side Configurations 11-48 11.6 Configuring Mesh DWDM Networks 11-53 11.6.1 Line Termination Mesh Node Using 40-WXC-C Cards 11-53 11.6.1.1 40-Channel Omni-directional n-degree ROADM Node 11-58 11.6.1.2 40-Channel Colorless n-Degree ROADM Node 11-58 11.6.1.3 40-Channel Colorless and Omni-directional n-Degree ROADM Node 11-59 11.6.2 Line Termination Mesh Node Using 80-WXC-C Cards 11-61 11.6.2.1 80-Channel Omni-directional n-degree ROADM Node 11-63 11.6.2.2 80-Channel Colorless n-degree ROADM Node 11-64 11.6.2.3 80-Channel Colorless and Omni-directional n-Degree ROADM Node 11-65 11.6.3 Line Termination Mesh Node Using 40-SMR2-C Cards 11-67 11.6.4 XC Termination Mesh Node 11-69 11.6.5 Mesh Patch Panels and Shelf Layouts 11-70 11.6.6 Using a Mesh Node With Omni-Directional Add/Drop Section 11-73 11.7 DWDM Node Cabling 11-74 11.7.1 OSC Link Termination Fiber-Optic Cabling 11-74 11.7.2 Hub Node Fiber-Optic Cabling 11-77 11.7.3 Terminal Node Fiber-Optic Cabling 11-79 11.7.4 Line Amplifier Node Fiber-Optic Cabling 11-79 11.7.5 OSC Regeneration Node Fiber-Optic Cabling 11-81 11.7.6 Amplified or Passive OADM Node Fiber-Optic Cabling 11-83 11.7.7 ROADM Node Fiber-Optic Cabling 11-88 11.8 Automatic Node Setup 11-90 11.8.1 Raman Setup and Tuning 11-93 11.9 DWDM Functional View 11-96 11.9.1 Navigating Functional View 11-97Contents xxi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 11.9.2 Using the Graphical Display 11-98 11.9.2.1 Displaying a Side 11-98 11.9.2.2 Displaying Card Information 11-99 11.9.2.3 Displaying Port Information 11-100 11.9.2.4 Displaying Patchcord Information 11-101 11.9.2.5 Displaying MPO Information 11-102 11.9.2.6 Alarm Box Information 11-103 11.9.2.7 Transponder and Muxponder Information 11-103 11.9.2.8 Changing the Views 11-104 11.9.2.9 Selecting Circuits 11-105 11.9.2.10 Displaying Optical Path Power 11-105 11.10 DWDM Network Functional View 11-106 11.10.1 Navigating Network Functional View 11-107 11.10.2 Using the Graphical Display 11-108 11.10.2.1 Displaying Optical Power 11-109 11.10.2.2 Selecting the Circuit 11-109 11.10.2.3 Exporting Reports 11-110 11.11 Non-DWDM (TDM) Networks 11-111 CHAPTER 12 Network Reference 12-1 12.1 Network Applications 12-2 12.2 Network Topologies 12-2 12.2.1 Ring Networks 12-2 12.2.1.1 Hubbed Traffic Topology 12-2 12.2.1.2 Multihubbed Traffic Topology 12-3 12.2.1.3 Any-to-Any Traffic Topology 12-4 12.2.1.4 Meshed Traffic Topology 12-5 12.2.2 Linear Networks 12-6 12.2.3 Mesh Networks 12-7 12.3 Interconnected Rings 12-9 12.3.1 Interconnected Ring Scenarios 12-11 12.3.1.1 Scenario A: Interconnect Traffic from Tributary Ring to Main Ring without Local Add/Drop in the Tributary Ring 12-11 12.3.1.2 Scenario B: Interconnect Traffic from Tributary Ring to Main Ring with Local Add/Drop in the Tributary Ring 12-13 12.3.1.3 Scenario C: Interconnect Traffic Between Tributary Rings Using the Main Ring 12-14 12.4 Spur Configuration 12-16 12.4.1 Spur Configuration Scenarios 12-16 12.4.1.1 Scenario A: Spur Configuration without 15454 Chassis in RemoteTerminal T 12-16Contents xxii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 12.4.1.2 Scenario B: Spur Configuration with Passive MUX and DMX Units in Remote Terminal T 12-17 12.4.1.3 Scenario C: Spur Configuration with Active MUX and DMX Units in Remote Terminal T 12-18 12.5 Network Topologies for the OPT-RAMP-C and OPT-RAMP-CE Cards 12-18 12.6 Network Topologies for the PSM Card 12-19 12.7 Optical Performance 12-19 12.8 Automatic Power Control 12-20 12.8.1 APC at the Amplifier Card Level 12-20 12.8.2 APC at the Shelf Controller Layer 12-21 12.8.3 Managing APC 12-23 12.9 Power Side Monitoring 12-24 12.10 Span Loss Verification 12-25 12.10.1 Span Loss Measurements on Raman Links 12-26 12.11 Network Optical Safety 12-27 12.11.1 Automatic Laser Shutdown 12-27 12.11.2 Automatic Power Reduction 12-28 12.11.3 Network Optical Safety on OPT-RAMP-C and OPT-RAMP-CE Cards 12-29 12.11.3.1 RAMAN-TX Settings on Raman Pump 12-29 12.11.3.2 COM-TX Safety Setting on EDFA 12-29 12.11.4 Fiber Cut Scenarios 12-30 12.11.4.1 Scenario 1: Fiber Cut in Nodes Using OPT-BST/OPT-BST-E Cards 12-30 12.11.4.2 Scenario 2: Fiber Cut in Nodes Using OSC-CSM Cards 12-32 12.11.4.3 Scenario 3: Fiber Cut in Nodes Using OPT-BST-L Cards 12-34 12.11.4.4 Scenario 4: Fiber Cut in Nodes Using OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C (OPT-LINE Mode), 40-SMR1-C, or 40-SMR2-C Cards 12-35 12.11.4.5 Scenario 5: Fiber Cut in Nodes Using DCN Extension 12-37 12.11.4.6 Scenario 6: Fiber Cut in Nodes Using OPT-RAMP-C or OPT-RAMP-CE Cards 12-39 12.12 Network-Level Gain—Tilt Management of Optical Amplifiers 12-40 12.12.1 Gain Tilt Control at the Card Level 12-41 12.12.2 System Level Gain Tilt Control 12-43 12.12.2.1 System Gain Tilt Compensation Without ROADM Nodes 12-43 12.12.2.2 System Gain Tilt Compensation With ROADM Nodes 12-45 12.13 Optical Data Rate Derivations 12-46 12.13.1 OC-192/STM-64 Data Rate (9.95328 Gbps) 12-46 12.13.2 10GE Data Rate (10.3125 Gbps) 12-46 12.13.3 10G FC Data Rate (10.51875 Gbps) 12-46 12.13.4 ITU-T G.709 Optical Data Rates 12-47 12.13.4.1 OC-192 Packaged Into OTU2 G.709 Frame Data Rate (10.70923 Gbps) 12-48Contents xxiii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 12.13.4.2 10GE Packaged Into OTU2 G.709 Frame Data Rate (Nonstandard 11.0957 Gbps) 12-48 12.13.4.3 10G FC Packaged Into OTU2 G.709 Frame Data Rate (Nonstandard 11.31764 Gbps) 12-48 12.14 Even Band Management 12-48 12.15 Wavelength Drifted Channel Automatic Shutdown 12-52 CHAPTER 13 Optical Channel Circuits and Virtual Patchcords Reference 13-1 13.1 Optical Channel Circuits 13-1 13.1.1 OCHNC Circuits 13-2 13.1.2 OCHCC Circuits 13-3 13.1.3 OCH Trail Circuits 13-3 13.1.4 Administrative and Service States 13-5 13.1.5 Creating and Deleting OCHCCs 13-6 13.1.6 OCHCCs and Service and Communications Channels 13-6 13.2 Virtual Patchcords 13-7 13.2.1 PPC Provisioning Rules 13-12 13.3 End-to-End SVLAN Circuit 13-13 13.3.1 End-to-End SVLAN Provisioning Rules 13-13 CHAPTER 14 Cisco Transport Controller Operation 14-1 14.1 CTC Software Delivery Methods 14-1 14.1.1 CTC Software Installed on the TCC2/TCC2P/TCC3/TNC/TSC Card 14-2 14.1.2 CTC Software Installed on the PC or UNIX Workstation 14-2 14.2 CTC Installation Overview 14-2 14.3 PC and UNIX Workstation Requirements 14-3 14.4 ONS 15454 Connections 14-5 14.5 CTC Window 14-8 14.5.1 Summary Pane 14-10 14.5.2 Node View (Multishelf Mode), Node View (Single-Shelf Mode), and Shelf View (Multishelf Mode) 14-11 14.5.2.1 CTC Card Colors 14-11 14.5.2.2 Multishelf View Card Shortcuts 14-13 14.5.2.3 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Shortcuts 14-13 14.5.2.4 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Port Shortcuts 14-14 14.5.2.5 Card View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Port Shortcuts 14-14 14.5.2.6 Multishelf View Tabs 14-14 14.5.2.7 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Tabs 14-14Contents xxiv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 14.5.3 Network View 14-15 14.5.3.1 Network View Tabs 14-16 14.5.3.2 CTC Node Colors 14-17 14.5.3.3 DCC Links 14-17 14.5.3.4 Link Consolidation 14-17 14.5.4 Card View 14-18 14.6 Using the CTC Launcher Application to Manage Multiple ONS Nodes 14-19 14.7 TCC2/TCC2P/TCC3/TNC/TSC Card Reset 14-22 14.8 TCC2/TCC2P/TCC3/TNC/TSC Card Database 14-23 14.9 Software Revert 14-23 CHAPTER 15 Security Reference 15-1 15.1 User IDs and Security Levels 15-1 15.2 User Privileges and Policies 15-2 15.2.1 User Privileges by CTC Task 15-2 15.2.2 Security Policies 15-6 15.2.2.1 Superuser Privileges for Provisioning Users 15-7 15.2.2.2 Idle User Timeout 15-7 15.2.2.3 User Password, Login, and Access Policies 15-7 15.3 Audit Trail 15-8 15.3.1 Audit Trail Log Entries 15-8 15.3.2 Audit Trail Capacities 15-9 15.4 RADIUS Security 15-9 15.4.1 RADIUS Authentication 15-9 15.4.2 Shared Secrets 15-9 CHAPTER 16 Timing Reference 16-1 16.1 Node Timing Parameters 16-1 16.2 Network Timing 16-2 16.3 Synchronization Status Messaging 16-3 CHAPTER 17 Management Network Connectivity 17-1 17.1 IP Networking Overview 17-2 17.2 IP Addressing Scenarios 17-2 17.2.1 Scenario 1: CTC and ONS 15454s on Same Subnet 17-3 17.2.2 Scenario 2: CTC and ONS 15454s Connected to a Router 17-3 17.2.3 Scenario 3: Using Proxy ARP to Enable an ONS 15454 Gateway 17-4 17.2.4 Scenario 4: Default Gateway on CTC Computer 17-7Contents xxv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 17.2.5 Scenario 5: Using Static Routes to Connect to LANs 17-8 17.2.6 Scenario 6: Using OSPF 17-10 17.2.7 Scenario 7: Provisioning the ONS 15454 Proxy Server 17-12 17.2.8 Scenario 8: Dual GNEs on a Subnet 17-17 17.2.9 Scenario 9: IP Addressing with Secure Mode Enabled 17-19 17.2.9.1 Secure Mode Behavior 17-19 17.2.9.2 Secure Node Locked and Unlocked Behavior 17-22 17.3 DCN Case Studies 17-23 17.3.1 SOCKS Proxy Settings 17-23 17.3.2 OSPF 17-23 17.3.3 Management of Non-LAN Connected Multishelf Node 17-24 17.3.4 DCN Case Study 1: Ring Topology with Two Subnets and Two DCN Connections 17-24 17.3.4.1 DCN Case Study 1 IP Configuration 17-25 17.3.4.2 DCN Case Study 1 Limitations 17-27 17.3.5 DCN Case Study 2: Linear Topology with DCN Connections on Both Ends 17-28 17.3.5.1 DCN Case Study 2 IP Configurations 17-28 17.3.5.2 DCN Case Study 2 Limitations 17-30 17.3.6 DCN Case Study 3: Linear Topology with DCN Connections on Both Ends Using OSPF Routing 17-30 17.3.6.1 DCN Case Study 3 IP Configurations 17-31 17.3.6.2 DCN Case Study 3 Limitations 17-34 17.3.7 DCN Case Study 4: Two Linear Cascaded Topologies With Two DCN Connections 17-34 17.3.7.1 DCN Case Study 4 IP Configurations 17-35 17.3.7.2 DCN Case Study 4 Limitations 17-37 17.4 DCN Extension 17-37 17.4.1 Network Using OSC 17-38 17.4.2 Network Using External DCN 17-38 17.4.3 Network Using GCC/DCC 17-39 17.5 Routing Table 17-39 17.6 External Firewalls 17-41 17.7 Open GNE 17-42 17.8 TCP/IP and OSI Networking 17-45 17.9 Link Management Protocol 17-49 17.9.1 Overview 17-49 17.9.1.1 MPLS 17-50 17.9.1.2 GMPLS 17-50 17.9.2 Configuring LMP 17-51 17.9.2.1 Control Channel Management 17-51 17.9.2.2 TE Link Management 17-52Contents xxvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 17.9.2.3 Link Connectivity Verification 17-52 17.9.2.4 Fault Management 17-52 17.9.3 LMP WDM 17-53 17.9.4 LMP Network Implementation 17-53 17.10 IPv6 Network Compatibility 17-54 17.11 IPv6 Native Support 17-54 17.11.1 IPv6 Enabled Mode 17-56 17.11.2 IPv6 Disabled Mode 17-56 17.11.3 IPv6 in Non-secure Mode 17-56 17.11.4 IPv6 in Secure Mode 17-56 17.11.5 IPv6 Limitations 17-56 17.12 Integration with Cisco CRS-1 Routers 17-57 17.12.1 Card Compatibility 17-57 17.12.2 Node Management 17-58 17.12.2.1 Physical Connections 17-58 17.12.2.2 CTC Display 17-58 17.12.3 Circuit Management 17-59 17.12.3.1 LMP Provisioning 17-59 17.12.3.2 OCH Trail Circuit Provisioning 17-60 17.12.4 Cisco CRS-1 Router Management from CTC 17-60 17.13 Photonic Path Trace 17-61 17.14 Shared Risk Link Group 17-62 17.15 Proactive Protection Regen 17-63 CHAPTER 18 Alarm and TCA Monitoring and Management 18-1 18.1 Overview 18-1 18.2 Alarm Counts on the LCD for a Node, Slot, or Port 18-2 18.3 Alarm Display 18-2 18.3.1 Viewing Alarms by Time Zone 18-3 18.3.2 Controlling Alarm Display 18-4 18.3.3 Filtering Alarms 18-4 18.3.4 Conditions Tab 18-4 18.3.5 Controlling the Conditions Display 18-5 18.3.5.1 Retrieving and Displaying Conditions 18-5 18.3.5.2 Conditions Column Descriptions 18-5 18.3.5.3 Filtering Conditions 18-6 18.3.6 Viewing History 18-6 18.3.6.1 History Column Descriptions 18-7 18.3.6.2 Retrieving and Displaying Alarm and Condition History 18-8Contents xxvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 18.3.7 Alarm History and Log Buffer Capacities 18-8 18.4 Alarm Severities 18-8 18.5 Alarm Profiles 18-9 18.5.1 Creating and Modifying Alarm Profiles 18-9 18.5.2 Alarm Profile Buttons 18-10 18.5.3 Alarm Profile Editing 18-10 18.5.4 Alarm Severity Options 18-11 18.5.5 Row Display Options 18-11 18.5.6 Applying Alarm Profiles 18-11 18.6 External Alarms and Controls 18-12 18.6.1 External Alarms 18-12 18.6.2 External Controls 18-12 18.6.3 Virtual Wires 18-13 18.7 Alarm Suppression 18-14 18.7.1 Alarms Suppressed for Maintenance 18-14 18.7.2 Alarms Suppressed by User Command 18-14 18.8 Multishelf Configuration Alarming 18-15 18.8.1 Viewing Multishelf Alarmed Entities 18-15 18.8.2 Multishelf-Specific Alarming 18-15 18.8.2.1 Ethernet Communication Alarms 18-16 18.8.2.2 Multishelf Correlated Alarms 18-16 18.9 Threshold Crossing Alert Suppression 18-16 18.9.1 Overview 18-16 18.9.2 G.709, SONET, and SDH TCA Groups 18-17 CHAPTER 19 Performance Monitoring 19-1 19.1 Threshold Performance Monitoring 19-2 19.2 TNC Card Performance Monitoring 19-2 19.2.1 Optics PM Window 19-3 19.2.2 Payload PM Window 19-3 19.2.3 RMONs Supported by TNC Card 19-6 19.3 Transponder, Muxponder, Xponder, and ADM-10G Card Performance Monitoring 19-7 19.3.1 Optics PM Window 19-9 19.3.2 Payload PM Window 19-10 19.3.2.1 Payload PM SONET/SDH Window 19-11 19.3.2.2 Payload PM Statistics Window 19-12 19.3.2.3 MXP_MR_2.5G/MXPP_MR_2.5G Payload Utilization Window 19-16 19.3.2.4 Payload History Window 19-17 19.3.3 OTN PM Window 19-17Contents xxviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 19.3.4 Ether Ports PM Window 19-20 19.3.4.1 Ether Port Statistics Window 19-20 19.3.4.2 Ether Ports Utilization Window 19-22 19.3.4.3 Ether Ports History Window 19-22 19.4 DWDM Card Performance Monitoring 19-23 19.4.1 Optical Amplifier Card Performance Monitoring Parameters 19-23 19.4.2 Multiplexer and Demultiplexer Card Performance Monitoring Parameters 19-23 19.4.3 4MD-xx.x Card Performance Monitoring Parameters 19-23 19.4.4 OADM Channel Filter Card Performance Monitoring Parameters 19-24 19.4.5 OADM Band Filter Card Performance Monitoring Parameters 19-24 19.4.6 Optical Service Channel Card Performance Monitoring Parameters 19-24 19.5 Optics and 8b10b PM Parameter Definitions 19-27 19.6 ITU G.709 and ITU-T G.8021 Trunk-Side PM Parameter Definitions 19-28 19.7 Full RMON Statistics PM Parameter Definitions 19-30 19.8 FEC PM Parameter Definitions 19-33 19.9 SONET PM Parameter Definitions 19-34 19.10 SDH PM Parameter Definitions 19-35 19.11 Pointer Justification Count Performance Monitoring 19-37 CHAPTER 20 SNMP 20-1 20.1 SNMP Overview 20-1 20.2 Basic SNMP Components 20-3 20.3 SNMP External Interface Requirement 20-4 20.4 SNMP Version Support 20-4 20.4.1 SNMPv3 Support 20-4 20.5 SNMP Message Types 20-5 20.6 SNMP Management Information Bases 20-6 20.6.1 IETF-Standard MIBs for the ONS 15454 20-6 20.6.2 Proprietary ONS 15454 MIBs 20-7 20.6.3 Generic Threshold and Performance Monitoring MIBs 20-11 20.6.4 MIBs Supported in GE-XP, 10GE-XP, GE-XPE, 10GE-XPE Cards 20-14 20.6.5 MIBs Supported in TNC and TSC Cards 20-14 20.7 SNMP Trap Content 20-15 20.7.1 Generic and IETF Traps 20-15 20.7.2 Variable Trap Bindings 20-16 20.8 SNMPv1/v2 Community Names 20-22 20.9 SNMP in Multishelf Management 20-22Contents xxix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 20.10 SNMPv1/v2 Proxy Over Firewalls 20-24 20.11 SNMPv3 Proxy Configuration 20-25 20.12 Remote Monitoring 20-25 20.12.1 64-Bit RMON Monitoring over DCC 20-26 20.12.1.1 Row Creation in MediaIndependentTable 20-26 20.12.1.2 Row Creation in cMediaIndependentHistoryControlTable 20-26 20.12.2 HC-RMON-MIB Support 20-27 20.12.3 Ethernet Statistics RMON Group 20-27 20.12.3.1 Row Creation in etherStatsTable 20-27 20.12.3.2 Get Requests and GetNext Requests 20-27 20.12.3.3 Row Deletion in etherStatsTable 20-27 20.12.3.4 64-Bit etherStatsHighCapacity Table 20-28 20.12.4 History Control RMON Group 20-28 20.12.4.1 History Control Table 20-28 20.12.4.2 Row Creation in historyControlTable 20-28 20.12.4.3 Get Requests and GetNext Requests 20-29 20.12.4.4 Row Deletion in historyControl Table 20-29 20.12.5 Ethernet History RMON Group 20-29 20.12.5.1 64-Bit etherHistoryHighCapacityTable 20-29 20.12.6 Alarm RMON Group 20-29 20.12.6.1 Alarm Table 20-29 20.12.6.2 Row Creation in alarmTable 20-29 20.12.6.3 Get Requests and GetNext Requests 20-31 20.12.6.4 Row Deletion in alarmTable 20-31 20.12.7 Event RMON Group 20-31 20.12.7.1 Event Table 20-31 20.12.7.2 Log Table 20-32 APPENDIX A Hardware Specifications A-1 A.1 ONS 15454, ONS 15454 M2, and ONS 15454 M6 Shelf Specifications A-1 A.2 General Card Specifications A-2 A.2.1 Power A-2 A.2.2 Temperature A-4 A.3 Common Control Card Specifications A-4 A.3.1 TCC2 Card Specifications A-4 A.3.2 TCC2P Card Specifications A-5 A.3.3 TCC3 Card Specifications A-6 A.3.4 TNC Card Specifications (Cisco ONS 15454 M2 and Cisco ONS 15454 M6) A-6 A.3.5 TSC Card Specifications (ONS 15454 M2 and ONS 15454 M6) A-7Contents xxx Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 A.3.6 AIC-I Card Specifications A-8 A.3.7 AEP Specifications (ANSI only) A-9 A.3.8 MIC-A/P FMEC Specifications (ETSI only) A-10 A.3.9 MIC-C/T/P FMEC Specifications (ETSI only) A-10 A.3.10 MS-ISC-100T Card Specifications A-11 A.4 Optical Service Channel Cards A-11 A.4.1 OSCM Card Specifications A-11 A.4.2 OSC-CSM Card Specifications A-12 A.5 Optical Amplifier Cards A-13 A.5.1 OPT-PRE Amplifier Card Specifications A-13 A.5.2 OPT-BST Amplifier Card Specifications A-13 A.5.3 OPT-BST-E Amplifier Card Specifications A-14 A.5.4 OPT-BST-L Amplifier Card Specifications A-15 A.5.5 OPT-AMP-L Preamplifier Card Specifications A-15 A.5.6 OPT-AMP-17-C Amplifier Card Specifications A-16 A.5.7 OPT-AMP-C Amplifier Card Specifications A-17 A.5.8 OPT-RAMP-C Amplifier Card Specifications A-17 A.5.9 OPT-RAMP-CE Amplifier Card Specifications A-18 A.6 PSM (Protection Switching Module) Card Specifications A-19 A.7 Multiplexer and Demultiplexer Cards A-20 A.7.1 32MUX-O Card Specifications A-20 A.7.2 32DMX-O Card Specifications A-20 A.7.3 4MD-xx.x Card Specifications A-21 A.8 Reconfigurable Optical Add/Drop Cards A-22 A.8.1 32DMX Card Specifications A-22 A.8.2 32DMX-L Card Specifications A-24 A.8.3 32WSS Card Specifications A-26 A.8.4 32WSS-L Card Specifications A-28 A.8.5 40-MUX-C Card Specifications A-30 A.8.6 40-DMX-C Card Specifications A-30 A.8.7 40-DMX-CE Card Specifications A-31 A.8.8 40-WSS-C Card Specifications A-32 A.8.9 40-WSS-CE Card Specifications A-34 A.8.10 40-WXC-C Card Specifications A-37 A.8.11 80-WXC-C Card Specifications A-38 A.8.12 40-SMR1-C Card Specifications A-39 A.8.13 40-SMR2-C Card Specifications A-40 A.8.14 MMU Card Specifications A-42 A.9 Optical Add/Drop Cards A-44Contents xxxi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 A.9.1 AD-1C-xx.x Card Specifications A-44 A.9.2 AD-2C-xx.x Card Specifications A-44 A.9.3 AD-4C-xx.x Card Specifications A-45 A.9.4 AD-1B-xx.x Card Specifications A-47 A.9.5 AD-4B-xx.x Card Specifications A-50 A.10 Transponder and Muxponder Card Specifications A-54 A.10.1 TXP_MR_10G Card Specifications A-54 A.10.2 MXP_2.5G_10G Card Specifications A-56 A.10.3 TXP_MR_2.5G and TXPP_MR_2.5G Card Specifications A-58 A.10.4 MXP_MR_2.5G and MXPP_MR_2.5G Card Specifications A-60 A.10.5 MXP_2.5G_10E Card Specifications A-63 A.10.6 MXP_2.5G_10E_C Card Specifications A-64 A.10.7 MXP_2.5G_10E_L Card Specifications A-68 A.10.8 MXP_2.5G_10EX_C Card Specifications A-71 A.10.9 MXP_MR_10DME_C Card Specifications A-74 A.10.10 MXP_MR_10DME_L Card Specifications A-77 A.10.11 MXP_MR_10DMEX_C Card Specifications A-79 A.10.12 TXP_MR_10E Card Specifications A-81 A.10.13 TXP_MR_10E_C Card Specifications A-84 A.10.14 TXP_MR_10E_L Card Specifications A-87 A.10.15 TXP_MR_10EX_C Card Specifications A-90 A.10.16 40G-MXP-C Card Specifications A-93 A.10.17 ADM-10G Card Specifications A-95 A.10.18 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card Specifications A-96 A.10.19 OTU2_XP Card Specifications A-98 A.11 TDC-CC and TDC-FC Card Specifications A-99 A.12 Mesh Patch Panel Specifications A-100 A.12.1 PP-MESH-4 Patch Panel Specifications A-100 A.12.2 PP-MESH-8 Patch Panel Specifications A-101 A.12.3 15454-PP-4-SMR Patch Panel Specifications A-101 A.13 SFP and XFP Specifications A-102 A.14 Patch Panel Specifications A-102 APPENDIX B Administrative and Service States B-1 B.1 Service States B-1 B.2 Administrative States B-2 B.3 Service State Transitions B-3 B.3.1 DWDM Shelf Service State Transitions B-3 B.3.2 DWDM Card Service State Transitions B-4Contents xxxii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 B.3.3 Optical Payload Port Service State Transitions B-8 B.3.4 OSC Port Service State Transitions B-10 B.3.5 OCHNC, OCHCC, and OCH-Trail Service State Transitions B-12 B.3.6 Transponder/Muxponder Card Service State Transitions B-13 B.3.7 Transponder/Muxponder Port Service State Transitions B-18 CHAPTER C Pseudo Command Line Interface Reference C-1 C.1 Understanding PCLI C-1 C.1.1 PCLI Security C-2 C.2 PCLI Command Modes C-2 C.2.1 Common Commands C-2 C.2.2 User EXEC Mode C-2 C.2.3 Privileged EXEC Mode C-3 C.2.4 Global Configuration Mode C-4 C.2.5 VLAN Configuration Mode C-4 C.2.6 Interface Configuration Mode C-5 C.2.7 Service Instance Configuration Mode C-6 C.2.8 Policy Map Configuration Mode C-7 C.2.9 VLAN Profile Config Mode C-7 APPENDIX D Fiber and Connector Losses in Raman Link Configuration D-1 I NDEXFIGURES xxxiii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 2-1 Hazard Level Label 2-3 Figure 2-2 TCC2 Faceplate and Block Diagram 2-5 Figure 2-3 TCC2P Faceplate and Block Diagram 2-9 Figure 2-4 TCC3 Faceplate and Block Diagram 2-13 Figure 2-5 TNC Faceplate and Block Diagram 2-21 Figure 2-6 TSC Faceplate and Block Diagram 2-29 Figure 2-7 AIC-I Faceplate and Block Diagram 2-35 Figure 2-8 RJ-11 Connector 2-38 Figure 2-9 MS-ISC-100T Faceplate 2-41 Figure 2-10 MIC-A/P Faceplate 2-42 Figure 2-11 MIC-A/P Block Diagram 2-43 Figure 2-12 MIC-C/T/P Faceplate 2-45 Figure 2-13 MIC-C/T/P Block Diagram 2-46 Figure 3-1 Class 1 Laser Product Label 3-3 Figure 3-2 Hazard Level Label 3-3 Figure 3-3 Laser Source Connector Label 3-4 Figure 3-4 FDA Statement Label 3-4 Figure 3-5 FDA Statement Label 3-4 Figure 3-6 Shock Hazard Label 3-5 Figure 3-7 OSCM Card Faceplate 3-7 Figure 3-8 OSCM VOA Optical Module Functional Block Diagram 3-8 Figure 3-9 OSC-CSM Faceplate 3-11 Figure 3-10 OSC-CSM Block Diagram 3-12 Figure 3-11 OSC-CSM Optical Module Functional Block Diagram 3-13 Figure 4-1 Class 1M Laser Product Statement 4-5 Figure 4-2 Hazard Level Label 4-6 Figure 4-3 Laser Source Connector Label 4-6 Figure 4-4 FDA Statement Label 4-6 Figure 4-5 FDA Statement Label 4-7 Figure 4-6 Shock Hazard Label 4-7Figures xxxiv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 4-7 OPT-PRE Faceplate 4-9 Figure 4-8 OPT-PRE Block Diagram 4-10 Figure 4-9 OPT-PRE Optical Module Functional Block Diagram 4-10 Figure 4-10 OPT-BST Faceplate 4-13 Figure 4-11 OPT-BST Block Diagram 4-14 Figure 4-12 OPT-BST Optical Module Functional Block Diagram 4-14 Figure 4-13 OPT-BST-E Faceplate 4-17 Figure 4-14 OPT-BST-E Block Diagram 4-18 Figure 4-15 OPT-BST-E Optical Module Functional Block Diagram 4-18 Figure 4-16 OPT-BST-L Faceplate 4-21 Figure 4-17 OPT-BST-L Block Diagram 4-22 Figure 4-18 OPT-BST-L Optical Module Functional Block Diagram 4-22 Figure 4-19 OPT-AMP-L Faceplate 4-26 Figure 4-20 OPT-AMP-L Block Diagram 4-27 Figure 4-21 OPT-AMP-L Optical Module Functional Block Diagram 4-27 Figure 4-22 OPT-AMP-17-C Faceplate 4-30 Figure 4-23 OPT-AMP17-C Block Diagram 4-31 Figure 4-24 OPT-AMP-17-C Optical Module Functional Block Diagram 4-31 Figure 4-25 OPT-AMP-C Card Faceplate 4-35 Figure 4-26 OPT-AMP-C Block Diagram 4-36 Figure 4-27 OPT-AMP-C Optical Module Functional Block Diagram 4-36 Figure 4-28 OPT-RAMP-C Faceplate 4-40 Figure 4-29 OPT-RAMP-C and OPT-RAMP-CE Block Diagram 4-41 Figure 4-30 OPT-RAMP-C and OPT-RAMP-CE Card Functional Block Diagram 4-41 Figure 5-1 Class 1 Laser Product Label 5-9 Figure 5-2 Hazard Level Label 5-9 Figure 5-3 Laser Source Connector Label 5-9 Figure 5-4 FDA Statement Label 5-10 Figure 5-5 FDA Statement Label 5-10 Figure 5-6 Shock Hazard Label 5-10 Figure 5-7 Class 1M Laser Product Statement 5-11 Figure 5-8 Hazard Level Label 5-11 Figure 5-9 Laser Source Connector Label 5-11 Figure 5-10 FDA Statement Label 5-12 Figure 5-11 FDA Statement Label 5-12Figures xxxv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 5-12 Shock Hazard Label 5-12 Figure 5-13 32MUX-O Faceplate 5-14 Figure 5-14 32MUX-O Block Diagram 5-15 Figure 5-15 32MUX-O Optical Module Functional Block Diagram 5-15 Figure 5-16 32DMX-O Faceplate 5-19 Figure 5-17 32DMX-O Block Diagram 5-20 Figure 5-18 32DMX-O Optical Module Functional Block Diagram 5-20 Figure 5-19 4MD-xx.x Faceplate 5-22 Figure 5-20 4MD-xx.x Block Diagram 5-23 Figure 5-21 4MD-xx.x Optical Module Functional Block Diagram 5-23 Figure 6-1 Hazard Level Label 6-2 Figure 6-2 Laser Source Connector Label 6-3 Figure 6-3 FDA Statement Label 6-3 Figure 6-4 FDA Statement Label 6-3 Figure 6-5 TDC-CC and TDC-FC Faceplates 6-5 Figure 6-6 Block Diagram of TDC-CC and TDC-FC 6-6 Figure 7-1 PSM Block Diagram 7-3 Figure 7-2 PSM Card Faceplate 7-4 Figure 7-3 PSM Bidirectional Switching 7-5 Figure 8-1 Class 1M Laser Product Statement 8-9 Figure 8-2 Hazard Level Label 8-9 Figure 8-3 Laser Source Connector Label 8-10 Figure 8-4 FDA Statement Label 8-10 Figure 8-5 FDA Statement Label 8-10 Figure 8-6 Shock Hazard Label 8-11 Figure 8-7 AD-1C-xx.x Faceplate 8-12 Figure 8-8 AD-1C-xx.x Block Diagram 8-13 Figure 8-9 AD-1C-xx.x Optical Module Functional Block Diagram 8-13 Figure 8-10 AD-2C-xx.x Faceplate 8-15 Figure 8-11 AD-2C-xx.x Block Diagram 8-16 Figure 8-12 AD-2C-xx.x Optical Module Functional Block Diagram 8-16 Figure 8-13 AD-4C-xx.x Faceplate 8-19 Figure 8-14 AD-4C-xx.x Block Diagram 8-20 Figure 8-15 AD-4C-xx.x Optical Module Functional Block Diagram 8-20 Figure 8-16 AD-1B-xx.x Faceplate 8-23Figures xxxvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 8-17 AD-1B-xx.x Block Diagram 8-24 Figure 8-18 AD-1B-xx.x Optical Module Functional Block Diagram 8-24 Figure 8-19 AD-4B-xx.x Faceplate 8-26 Figure 8-20 AD-4B-xx.x Block Diagram 8-27 Figure 8-21 AD-4B-xx.x Optical Module Functional Block Diagram 8-27 Figure 9-1 Class 1M Laser Product Statement 9-14 Figure 9-2 Hazard Level Label 9-15 Figure 9-3 Laser Source Connector Label 9-15 Figure 9-4 FDA Statement Label 9-15 Figure 9-5 FDA Statement Label 9-16 Figure 9-6 Shock Hazard Label 9-16 Figure 9-7 32WSS Faceplate and Ports 9-18 Figure 9-8 32WSS Block Diagram 9-19 Figure 9-9 32WSS Optical Block Diagram 9-20 Figure 9-10 32WSS-L Faceplate and Ports 9-25 Figure 9-11 32WSS-L Block Diagram 9-26 Figure 9-12 32WSS-L Optical Block Diagram 9-27 Figure 9-13 32DMX Faceplate and Ports 9-31 Figure 9-14 32DMX Block Diagram 9-32 Figure 9-15 32DMX Optical Module Functional Block Diagram 9-32 Figure 9-16 32DMX-L Faceplate and Ports 9-36 Figure 9-17 32DMX-L Block Diagram 9-37 Figure 9-18 32DMX-L Optical Module Functional Block Diagram 9-37 Figure 9-19 40-DMX-C Faceplate 9-41 Figure 9-20 40-DMX-C Block Diagram 9-42 Figure 9-21 40-DMX-C Optical Module Functional Block Diagram 9-42 Figure 9-22 40-DMX-CE Card Faceplate 9-46 Figure 9-23 40-DMX-CE Card Block Diagram 9-47 Figure 9-24 40-DMX-CE Card Optical Module Functional Block Diagram 9-47 Figure 9-25 40-MUX-C Card Faceplate 9-51 Figure 9-26 40-MUX-C Card Block Diagram 9-52 Figure 9-27 40-MUX-C Optical Module Functional Block Diagram 9-52 Figure 9-28 40-WSS-C Faceplate 9-56 Figure 9-29 40-WSS-C Block Diagram 9-57 Figure 9-30 40-WSS-C Optical Module Functional Block Diagram 9-58Figures xxxvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 9-31 40-WSS-CE Faceplate 9-63 Figure 9-32 40-WSS-CE Block Diagram 9-64 Figure 9-33 40-WSS-CE Card Optical Module Functional Block Diagram 9-65 Figure 9-34 40-WXC-C Faceplate 9-70 Figure 9-35 40-WXC-C Optical Module Functional Block Diagram 9-71 Figure 9-36 80-WXC-C Faceplate and the Optical Module Functional Block Diagram 9-76 Figure 9-37 40-SMR1-C Faceplate 9-83 Figure 9-38 40-SMR1-C Block Diagram 9-84 Figure 9-39 40-SMR2-C Faceplate 9-88 Figure 9-40 40-SMR2-C Block Diagram 9-88 Figure 9-41 MMU Faceplate and Ports 9-93 Figure 9-42 MMU Block Diagram 9-94 Figure 10-1 Class 1 Laser Product Label 10-9 Figure 10-2 Hazard Level Label 10-9 Figure 10-3 Laser Source Connector Label 10-9 Figure 10-4 FDA Statement Label 10-10 Figure 10-5 FDA Statement Label 10-10 Figure 10-6 Shock Hazard Label 10-10 Figure 10-7 Class 1M Laser Product Statement 10-11 Figure 10-8 Hazard Level Label 10-11 Figure 10-9 Laser Source Connector Label 10-12 Figure 10-10 FDA Statement Label 10-12 Figure 10-11 FDA Statement Label 10-12 Figure 10-12 Shock Hazard Label 10-13 Figure 10-13 TXP_MR_10G Faceplate and Block Diagram 10-15 Figure 10-14 TXP_MR_10E Faceplate and Block Diagram 10-18 Figure 10-15 TXP_MR_10E_C and TXP_MR_10E_L Faceplates and Block Diagram 10-22 Figure 10-16 TXP_MR_2.5G and TXPP_MR_2.5G Faceplates 10-27 Figure 10-17 TXP_MR_2.5G and TXPP_MR_2.5G Block Diagram 10-28 Figure 10-18 MXP_2.5G_10G Faceplate 10-31 Figure 10-19 MXP_2.5G_10G Card Block Diagram 10-32 Figure 10-20 MXP_2.5G_10E Faceplate 10-35 Figure 10-21 MXP_2.5G_10E Block Diagram 10-36 Figure 10-22 MXP_2.5G_10E _C and MXP_2.5G_10E_L Faceplates and Block Diagram 10-43 Figure 10-23 MXP_MR_2.5G and MXPP_MR_2.5G Faceplates 10-53Figures xxxviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 10-24 MXP_MR_2.5G and MXPP_MR_2.5G Block Diagram 10-54 Figure 10-25 MXP_MR_10DME_C and MXP_MR_10DME_L Faceplates and Block Diagram 10-60 Figure 10-26 40G-MXP-C Cards in Unidirectional Regeneration Configuration 10-66 Figure 10-27 40G-MXP-C Faceplate and Block Diagram 10-68 Figure 10-28 GE_XP and GE_XPE Faceplates and Block Diagram 10-75 Figure 10-29 10GE_XP and 10GE_XPE Faceplates and Block Diagram 10-76 Figure 10-30 Recommended Topology for Using ONS-SC-E1-T1-PW and ONS -SC-E3-T3-PW SFPs 10-77 Figure 10-31 ADM-10G Card Faceplate and Block Diagram 10-99 Figure 10-32 ADM-10G Card Port Capacities 10-100 Figure 10-33 OTU2_XP Card Faceplate and Block Diagram 10-114 Figure 10-34 TXP_MR_10EX_C Faceplate and Block Diagram 10-122 Figure 10-35 MXP_2.5G_10EX_C Faceplate and Block Diagram 10-127 Figure 10-36 MXP_MR_10DMEX_C Faceplate and Block Diagram 10-136 Figure 10-37 Y-Cable Protection 10-141 Figure 10-38 Splitter Protection 10-142 Figure 11-1 Terminal Node Configuration With 32MUX-O Cards Installed 11-3 Figure 11-2 Terminal Node Configuration with 40-WSS-C Cards Installed 11-4 Figure 11-3 Terminal Node with 40-MUX-C Cards Installed 11-5 Figure 11-4 Terminal Node with 40-SMR1-C Card Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11-6 Figure 11-5 Terminal Node with 40-SMR1-C and Booster Amplifier Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11-7 Figure 11-6 Terminal Node with 40-SMR2-C Card Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11-8 Figure 11-7 Amplified OADM Node Configuration Example 11-9 Figure 11-8 Amplified OADM Node Channel Flow Example 11-10 Figure 11-9 ROADM Node with 32DMX Cards Installed 11-11 Figure 11-10 ROADM Node with 40-WSS-C Cards Installed 11-12 Figure 11-11 ROADM Node with 40-SMR1-C Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11-13 Figure 11-12 ROADM Node with 40-SMR1-C and Booster Amplifier Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11-14 Figure 11-13 ROADM Node with 40-SMR2-C Cards Installed - 15454 - Cisco ONS 15454 and Cisco ONS 15454 M6 11-15 Figure 11-14 80-Channel Colored Two-Degree ROADM Node 11-16 Figure 11-15 ONS 15454 M6 80-Channel Colored Two-degree ROADM Node 11-17 Figure 11-16 80-Channel n-degree ROADM node with Omni-directional Side 11-18 Figure 11-17 ONS 15454 M6 80-Channel n-degree ROADM node with Omni-directional Side 11-19 Figure 11-18 40-Channel n-degree ROADM Node with 40-WXC-C Based Colorless Side 11-20 Figure 11-19 40-Channel Four-degree ROADM Node with 40-SMR2-C Based Colorless Side 11-21Figures xxxix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 11-20 80-Channel Colorless ROADM Node 11-22 Figure 11-21 80-Channel Colorless Two-degree ROADM Node 11-23 Figure 11-22 80-Channel Colorless ROADM Node with OPT-RAMP-C Card 11-24 Figure 11-23 ONS 15454 M6 80-Channel Two-degree Colorless ROADM Node 11-25 Figure 11-24 ROADM Optical Signal Flow Example Using 32WSS or 40-WSS-C Card 11-26 Figure 11-25 ROADM Optical Signal Flow Example Using 40-SMR1-C Card 11-27 Figure 11-26 Hub Node Configuration Example with 32-Channel C-Band Cards 11-29 Figure 11-27 Hub Node Configuration Example with 40-WSS-C Cards 11-30 Figure 11-28 Hub Node Channel Flow Example 11-31 Figure 11-29 Anti-ASE Node Channel Flow Example 11-32 Figure 11-30 Line Amplifier Node Configuration Example - Cisco ONS 15454 M6 and Cisco ONS 15454 M2 11-33 Figure 11-31 OSC Regeneration Line Node Configuration Example - Cisco ONS 15454, Cisco ONS 15454 M6, and Cisco ONS 15454 M2 11-34 Figure 11-32 OSC Regeneration Line Node Flow 11-34 Figure 11-33 OPT-RAMP-C or OPT-RAMP-CE Card in an Add/Drop Node 11-36 Figure 11-34 OPT-RAMP-C Card or OPT-RAMP-CE Card in a Line Site Configuration 11-37 Figure 11-35 Line Site Configured with OPT-AMP-C 11-37 Figure 11-36 Line Site with OPT-RAMP-C or OPT-RAMP-CE On One Side 11-38 Figure 11-37 PSM Channel Protection Configuration 11-39 Figure 11-38 PSM Multiplex Section Protection Configuration 11-40 Figure 11-39 PSM Line Protection Configuration 11-41 Figure 11-40 Multishelf Node Configuration 11-42 Figure 11-41 Interconnecting Sides Conceptual View 11-44 Figure 11-42 Line Termination Mesh Node Shelf 11-54 Figure 11-43 Line Termination Mesh Node Side—40-MUX-C Cards 11-55 Figure 11-44 Line Termination Mesh Node Side—40-WSS-C Cards 11-56 Figure 11-45 Line Termination Mesh Nodes—ROADM With MMU Cards 11-57 Figure 11-46 40-Channel Omni-directional Four-Degree ROADM Node 11-58 Figure 11-47 40-Channel Colorless Four-Degree ROADM Node 11-59 Figure 11-48 40-Channel n-Degree ROADM Node with Colorless and Omni-directional Side 11-60 Figure 11-49 40-Channel Colorless and Omni-directional Four-Degree ROADM Node 11-61 Figure 11-50 Line Termination Node 11-62 Figure 11-51 Four-Degree Line Termination Mesh Node Functional Diagram 11-63 Figure 11-52 80-Channel Omni-directional Four-Degree ROADM Node 11-64 Figure 11-53 80-Channel Colorless Four-Degree ROADM Node 11-65 Figure 11-54 80-Channel n-degree ROADM Node with Colorless and Omnidirectional Side 11-66Figures xl Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 11-55 80-Channel Colorless and Omni-directional Four-Degree ROADM Node 11-67 Figure 11-56 Line Termination Mesh Node Shelf 11-68 Figure 11-57 Four-Degree Line Termination Mesh Node Functional Diagram 11-69 Figure 11-58 XC Termination Mesh Node Shelf 11-70 Figure 11-59 PP-MESH-4 Patch Panel Block Diagram 11-71 Figure 11-60 PP-MESH-4 Patch Panel Signal Flow 11-71 Figure 11-61 15454-PP-4-SMR Patch Panel Block Diagram 11-72 Figure 11-62 15454-PP-4-SMR Patch Panel Signal Flow 11-73 Figure 11-63 Mesh Node With Omni-Directional Add/Drop Section 11-74 Figure 11-64 Fibering OSC Terminations—Hub Node with OSCM Cards 11-76 Figure 11-65 Fibering a Hub Node 11-78 Figure 11-66 Fibering a Line Amplifier Node 11-80 Figure 11-67 Fibering an OSC Regeneration Node 11-82 Figure 11-68 Fibering an Amplified OADM Node 11-85 Figure 11-69 Fibering a Passive OADM Node 11-87 Figure 11-70 Fibering a ROADM Node 11-89 Figure 11-71 WDM-ANS Provisioning 11-92 Figure 11-72 Raman Gain on Node B 11-95 Figure 11-73 Functional View for an Eight-Sided Node 11-97 Figure 11-74 Side A Details 11-98 Figure 11-75 Side A OPT-BST Card Shelf and Slot Information 11-100 Figure 11-76 Side A 40-MUX Port Information 11-101 Figure 11-77 Patchcord Input and Output Port State Information 11-102 Figure 11-78 MPO Information 11-103 Figure 11-79 Side A MPO Connection to an MXP Before Double-Clicking 11-104 Figure 11-80 Side A MPO Connection to an MXP After Double-Clicking 11-104 Figure 11-81 Side A View Options 11-105 Figure 11-82 Side A View Options (after Selecting Fit to View) 11-105 Figure 11-83 Optical Path Power 11-106 Figure 11-84 DWDM Network Functional View 11-108 Figure 12-1 Hubbed Traffic Topology 12-3 Figure 12-2 Multihubbed Traffic Topology 12-4 Figure 12-3 Any-to-Any Traffic Topology 12-5 Figure 12-4 Meshed Traffic Topology 12-6 Figure 12-5 Linear Configuration with an OADM Node 12-6Figures xli Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 12-6 Linear Configuration without an OADM Node 12-7 Figure 12-7 Single-Span Link 12-7 Figure 12-8 Mesh Network 12-8 Figure 12-9 Multiring Network 12-9 Figure 12-10 Interconnected Rings 12-10 Figure 12-11 Colorless and Omni-directional n- Degree ROADM Node 12-10 Figure 12-12 Colorless Two-Degree ROADM Node 12-11 Figure 12-13 Interconnected Ring - Scenario A-1 12-12 Figure 12-14 Interconnected Ring - Scenario A-2 12-12 Figure 12-15 Interconnected Ring - Scenario B-1 12-13 Figure 12-16 Interconnected Ring - Scenario B-2 12-14 Figure 12-17 Interconnected Ring - Scenario C-1 12-15 Figure 12-18 Interconnected Ring - Scenario C-2 12-15 Figure 12-19 Spur 12-16 Figure 12-20 Scenario A: Spur Without 15454 Chassis in RemoteTerminal T 12-17 Figure 12-21 Scenario B: Spur With Passive MUX and DMX Units in Remote Terminal T 12-17 Figure 12-22 Scenario C: Spur with Active MUX and DMX Units in Remote Terminal T 12-18 Figure 12-23 Using Amplifier Gain Adjustment to Compensate for System Degradation 12-21 Figure 12-24 ROADM Power Monitoring Subtab 12-25 Figure 12-25 Nodes Using OPT-BST/OPT-BST-E Cards 12-31 Figure 12-26 Nodes Using OSC-CSM Cards 12-33 Figure 12-27 Nodes Using OPT-BST-L Cards 12-34 Figure 12-28 Nodes Using OPT-AMP Cards 12-36 Figure 12-29 Fiber Cut With DCN Extension 12-38 Figure 12-30 Nodes Using OPT-RAMP-C or OPT-RAMP-CE Cards 12-39 Figure 12-31 Effect of Gain Ripple and Gain Tilt on Amplifier Output Power 12-41 Figure 12-32 Flat Gain (Gain Tilt = 0 dB) 12-42 Figure 12-33 Effect of VOA Attenuation on Gain Tilt 12-42 Figure 12-34 System Tilt Compensation Without an ROADM Node 12-44 Figure 12-35 Cisco TransportPlanner Installation Parameters 12-45 Figure 12-36 System Tilt Compensation With an ROADM Node 12-46 Figure 12-37 ITU-T G.709 Frame Structure 12-47 Figure 12-38 104-Channel C-Band plus L-Band ROADM Node 12-50 Figure 12-39 112-Channel C-Band plus L-Band ROADM Node 12-51 Figure 13-1 Optical Channel Circuits 13-1Figures xlii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 13-2 Optical Channel Management 13-4 Figure 13-3 Network View Provisionable Patchcords Tab 13-10 Figure 14-1 Node View (Default Login View for Single-Shelf Mode) 14-9 Figure 14-2 Multishelf View (Default Login View for Multishelf Mode) 14-10 Figure 14-3 Terminal Loopback Indicator 14-13 Figure 14-4 Facility Loopback Indicator 14-13 Figure 14-5 Network in CTC Network View 14-16 Figure 14-6 Static IP-Over-CLNS Tunnels 14-20 Figure 14-7 TL1 Tunnels 14-21 Figure 16-1 ONS 15454 Timing Example 16-3 Figure 17-1 Scenario 1: CTC and ONS 15454s on Same Subnet (ANSI and ETSI) 17-3 Figure 17-2 Scenario 2: CTC and ONS 15454s Connected to Router (ANSI and ETSI) 17-4 Figure 17-3 Scenario 3: Using Proxy ARP (ANSI and ETSI) 17-6 Figure 17-4 Scenario 3: Using Proxy ARP with Static Routing (ANSI and ETSI) 17-7 Figure 17-5 Scenario 4: Default Gateway on a CTC Computer (ANSI and ETSI) 17-8 Figure 17-6 Scenario 5: Static Route With One CTC Computer Used as a Destination (ANSI and ETSI) 17-9 Figure 17-7 Scenario 5: Static Route With Multiple LAN Destinations (ANSI and ETSI) 17-10 Figure 17-8 Scenario 6: OSPF Enabled (ANSI and ETSI) 17-11 Figure 17-9 Scenario 6: OSPF Not Enabled (ANSI and ETSI) 17-12 Figure 17-10 Scenario 7: ONS 15454 Proxy Server with GNE and ENEs on the Same Subnet (ANSI and ETSI) 17-14 Figure 17-11 Scenario 7: ONS 15454 Proxy Server with GNE and ENEs on Different Subnets (ANSI and ETSI) 17-15 Figure 17-12 Scenario 7: ONS 15454 Proxy Server With ENEs on Multiple Rings (ANSI and ETSI) 17-16 Figure 17-13 Scenario 8: Dual GNEs on the Same Subnet (ANSI and ETSI) 17-18 Figure 17-14 Scenario 8: Dual GNEs on Different Subnets (ANSI and ETSI) 17-19 Figure 17-15 Scenario 9: ONS 15454 GNE and ENEs on the Same Subnet with Secure Mode Enabled 17-21 Figure 17-16 Scenario 9: ONS 15454 GNE and ENEs on Different Subnets with Secure Mode Enabled 17-22 Figure 17-17 DCN Case Study 1: ONS 15454 Ring with Two Subnets and Two DCN Connections 17-24 Figure 17-18 DCN Case Study 1: ONS 15454 Ring with Two Subnets, Two DCN Connections, and GRE Tunnel 17-25 Figure 17-19 DCN Case Study 2: ONS 15454 Linear Topology with DCN Connections at Both Ends 17-28 Figure 17-20 DCN Case Study 3: ONS 15454 Linear Topology with DCN Connections at Both Ends Using OSPF 17-31 Figure 17-21 DCN Case Study 4: Two Linear Cascaded Topologies with Two DCN Connections 17-35 Figure 17-22 Network Using OSC 17-38 Figure 17-23 Network Using External DCN 17-38 Figure 17-24 Network Using GCC/DCC 17-39 Figure 17-25 Proxy and Firewall Tunnels for Foreign Terminations 17-44Figures xliii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Figure 17-26 Foreign Node Connection to an ENE Ethernet Port 17-45 Figure 17-27 OSI/MSTP Scenario 1 17-46 Figure 17-28 OSI/MSTP Scenario 2 17-47 Figure 17-29 OSI/MSTP Scenario 3 17-48 Figure 17-30 OSI/IP Scenario 4 17-49 Figure 17-31 LMP and LMP-WDM Relationship 17-53 Figure 17-32 LMP System Implementation 17-54 Figure 17-33 IPv6-IPv4 Interaction 17-55 Figure 17-34 Cisco ONS 15454 DWDM Node and Cisco CRS-1 Router Network 17-58 Figure 17-35 Cisco CRS-1 Router in CTC Network View 17-59 Figure 17-36 Cisco CRS-1 Router PM Parameters 17-61 Figure 17-37 Photonic Path Trace 17-62 Figure 18-1 ONS 15454 Shelf LCD Panel 18-2 Figure 18-2 External Alarms and Controls Using a Virtual Wire 18-13 Figure 18-3 Navigating to Shelf View from Multishelf View 18-15 Figure 19-1 ONS 15454 ANSI Node PM Read Points for TXP_MR_10G Card 19-8 Figure 19-2 ONS 15454 ETSI Node PM Read Points on TXP_MR_10G Cards 19-9 Figure 19-3 ONS 15454 ANSI Node PM Read Points on OSCM and OSC-CSM Cards 19-25 Figure 19-4 ONS 15454 ETSI Node PM Read Points on OSCM and OSC-CSM Cards 19-26 Figure 20-1 Basic Network Managed by SNMP 20-2 Figure 20-2 Example of the Primary SNMP Components 20-3 Figure 20-3 Agent Gathering Data from a MIB and Sending Traps to the Manager 20-4Figures xliv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02TABLES xlv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 2-1 Platform and Software Release Compatibility for Control Cards 2-2 Table 2-2 TCC2 Card-Level Indicators 2-6 Table 2-3 TCC2 Network-Level Indicators 2-7 Table 2-4 TCC2 Power-Level Indicators 2-7 Table 2-5 TCC2P Card-Level Indicators 2-11 Table 2-6 TCC2P Network-Level Indicators 2-11 Table 2-7 TCC2P Power-Level Indicators 2-12 Table 2-8 TCC3 Card-Level Indicators 2-15 Table 2-9 TCC3 Network-Level Indicators 2-15 Table 2-10 TCC3 Power-Level Indicators 2-16 Table 2-11 TNC Card-Level Indicators 2-22 Table 2-12 TNC Network-Level Indicators 2-23 Table 2-13 TNC Power-Level Indicators 2-24 Table 2-14 TNC Port-Level Indicators 2-24 Table 2-15 TNC SFP Indicators 2-25 Table 2-16 TSC Card-Level Indicators 2-30 Table 2-17 TSC Network-Level Indicators 2-31 Table 2-18 TSC Power-Level Indicators 2-32 Table 2-19 TSC Port-Level Indicators 2-32 Table 2-20 DIS Conventions in the Software Version 2-34 Table 2-21 AIC-I Card-Level Indicators 2-35 Table 2-22 Orderwire Pin Assignments 2-38 Table 2-23 UDC Pin Assignments 2-38 Table 2-24 DCC Pin Assignments 2-39 Table 2-25 MS-ISC-100T Card Port Assignments 2-40 Table 2-26 MS-ISC-100T Card-Level Indicators 2-42 Table 2-27 Alarm Interface Pinouts on the MIC-A/P DB-62 Connector 2-43 Table 3-1 OSCM, OSC-CSM, and MMU Card Summary 3-2 Table 3-2 Software Release Compatibility for Optical Service Channel Cards 3-2 Table 3-3 OSCM VOA Port Calibration 3-8Tables xlvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 3-4 OSCM Card-Level Indicators 3-8 Table 3-5 OSC-CSM Port Calibration 3-14 Table 3-6 Alarms and Thresholds 3-14 Table 3-7 OSC-CSM Card-Level Indicators 3-15 Table 4-1 Optical Amplifier Cards for the ONS 15454 4-3 Table 4-2 Software Release Compatibility for Optical Amplifier Cards 4-4 Table 4-3 Alarms and Thresholds 4-5 Table 4-4 OPT-PRE Port Calibration 4-10 Table 4-5 OPT-PRE Amplifier Card-Level Indicators 4-11 Table 4-6 OPT-BST Port Calibration 4-14 Table 4-7 OPT-BST Card-Level Indicators 4-15 Table 4-8 OPT-BST-E Port Calibration 4-18 Table 4-9 OPT-BST-E Card-Level Indicators 4-19 Table 4-10 OPT-BST-L Port Calibration 4-22 Table 4-11 OPT-BST-L Card-Level Indicators 4-23 Table 4-12 OPT-AMP-L Port Calibration 4-28 Table 4-13 OPT-AMP-L Card-Level Indicators 4-28 Table 4-14 OPT-AMP-17-C Port Calibration 4-32 Table 4-15 OPT-AMP-17-C Card-Level Indicators 4-32 Table 4-16 OPT-AMP-C Port Calibration 4-37 Table 4-17 OPT-AMP-C Card-Level Indicators 4-37 Table 4-18 OPT-RAMP-C and OPT-RAMP-CE Port Calibration 4-42 Table 4-19 OPT-RAMP-C and OPT-RAMP-CE Card-Level Indicators 4-43 Table 5-1 Multiplexer and Demultiplexer Cards 5-2 Table 5-2 Software Compatibility for Legacy Multiplexer and Demultiplexer Cards 5-2 Table 5-3 ONS 15454 Card Interfaces Assigned to Input Power Classes 5-3 Table 5-4 40-Gbps Interface Optical Performance 5-3 Table 5-5 10-Gbps Interface Optical Performance Parameters 5-4 Table 5-6 2.5-Gbps Interface Optical Performance 5-5 Table 5-7 DWDM Channel Allocation Plan (C Band) 5-6 Table 5-8 DWDM Channel Allocation Plan (L Band) 5-7 Table 5-9 32MUX-O Channel Plan 5-16 Table 5-10 32MUX-O Port Calibration 5-17 Table 5-11 32MUX-O Card-Level Indicators 5-17 Table 5-12 32DMX-O Port Calibration 5-20Tables xlvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 5-13 32DMX-O Card-Level Indicators 5-21 Table 5-14 4MD-xx.x Channel Sets 5-24 Table 5-15 4MD-xx.x Port Calibration 5-24 Table 5-16 4MD-xx.x Card-Level Indicators 5-25 Table 6-1 T-DCU Cards 6-2 Table 6-2 TDC-CC and TDC-FC Tunable CD Value 6-4 Table 6-3 TDC-CC and TDC-FC Card-Level Indicators 6-7 Table 7-1 PSM Card-Level Indicators 7-4 Table 8-1 Optical Add/Drop Cards 8-2 Table 8-2 Software Release Compatibility for Optical Add/Drop Cards 8-3 Table 8-3 ONS 15454 Card Interfaces Assigned to Input Power Classes 8-4 Table 8-4 40-Gbps Interface Optical Performance 8-4 Table 8-5 10-Gbps Interface Optical Performance 8-5 Table 8-6 2.5-Gbps Interface Optical Performance 8-6 Table 8-7 DWDM Channel Allocation Plan (C Band) 8-7 Table 8-8 AD-1C-xx.x Port Calibration 8-13 Table 8-9 AD-1C-xx.x Card-Level Indicators 8-14 Table 8-10 AD-2C-xx.x Channel Pairs 8-17 Table 8-11 AD-2C-xx.x Port Calibration 8-17 Table 8-12 AD-2C-xx.x Card-Level Indicators 8-18 Table 8-13 AD-4C-xx.x Channel Sets 8-21 Table 8-14 AD-4C-xx.x Port Calibration 8-21 Table 8-15 AD-4C-xx.x Card-Level Indicators 8-21 Table 8-16 AD-1B-xx.x Port Calibration 8-24 Table 8-17 AD-1B-xx.x Card-Level Indicators 8-25 Table 8-18 AD-4B-xx.x Port Calibration 8-28 Table 8-19 AD-4B-xx.x Card-Level Indicators 8-28 Table 9-1 ROADM Card Summary 9-2 Table 9-2 Software Release Compatibility for ROADM Cards 9-3 Table 9-3 Cisco ONS 15454 Card Interfaces Assigned to Input Power Classes 9-5 Table 9-4 40-Gbps Interface Optical Performance 9-6 Table 9-5 10-Gbps Interface Optical Performance (Class A, B, C, I, and K) 9-7 Table 9-6 10-Gbps Interface Optical Performance (Class N, O, P, and V) 9-8 Table 9-7 10-Gbps Interface Optical Performance (Class W, X, Y, and Z) 9-9 Table 9-8 2.5-Gbps Interface Optical Performance (Class D, E, and F) 9-9Tables xlviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 9-9 2.5-Gbps Interface Optical Performance (Class G, H, and M) 9-10 Table 9-10 DWDM C-Band Channel Allocation Plan with 50-GHz Spacing 9-11 Table 9-11 DWDM L-band Channel Allocation Plan at 50 GHz Spacing 9-13 Table 9-12 32WSS Port Calibration 9-21 Table 9-13 32WSS Channel Allocation Plan 9-22 Table 9-14 32WSS Card-Level Indicators 9-23 Table 9-15 32WSS-L Port Calibration 9-28 Table 9-16 32WSS-L Channel Plan 9-29 Table 9-17 32WSS-L Card-Level Indicators 9-30 Table 9-18 32DMX Port Calibration 9-33 Table 9-19 32DMX Channel Allocation Plan 9-33 Table 9-20 32DMX Card-Level Indicators 9-34 Table 9-21 32DMX-L Port Calibration 9-38 Table 9-22 32DMX-L Channel Plan 9-38 Table 9-23 32DMX-L Card-Level Indicators 9-39 Table 9-24 40-DMX-C Port Calibration 9-43 Table 9-25 40-DMX-C Channel Plan 9-43 Table 9-26 40-DMX-C Card-Level Indicators 9-45 Table 9-27 40-DMX-CE Card Port Calibration 9-48 Table 9-28 40-DMX-CE Card Channel Plan 9-48 Table 9-29 40-DMX-CE Card-Level Indicators 9-49 Table 9-30 40-MUX-C Port Calibration 9-53 Table 9-31 40-MUX-C Channel Plan 9-53 Table 9-32 40-MUX-C Card-Level Indicators 9-54 Table 9-33 40-WSS-C Physical Photodiode Port Calibration 9-58 Table 9-34 40-WSS-C Virtual Photodiode Port Calibration 9-59 Table 9-35 40-WSS-C Channel Plan 9-59 Table 9-36 40-WSS-C Card-Level Indicators 9-61 Table 9-37 40-WSS-CE Physical Photodiode Port Calibration 9-65 Table 9-38 40-WSS-CE Virtual Photodiode Port Calibration 9-66 Table 9-39 40-WSS-CE Channel Plan 9-66 Table 9-40 40-WSS-CE Card-Level Indicators 9-68 Table 9-41 40-WXC-C Physical Photodiode Port Calibration 9-71 Table 9-42 40-WXC-C Virtual Photodiode Port Calibration 9-72 Table 9-43 40-WXC-C Channel Plan 9-73Tables xlix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 9-44 40-WXC-C Card-Level Indicators 9-74 Table 9-45 80-WXC-C Port Calibration 9-77 Table 9-46 80-WXC-C Virtual Photodiode Port Calibration 9-78 Table 9-47 80-WXC-C Channel Plan 9-78 Table 9-48 80-WXC-C Card-Level Indicators 9-81 Table 9-49 40-SMR1-C Port Calibration 9-85 Table 9-50 40-SMR1-C Channel Plan 9-85 Table 9-51 40-SMR1-C Card-Level Indicators 9-87 Table 9-52 40-SMR2-C Port Calibration 9-89 Table 9-53 40-SMR2-C Channel Plan 9-90 Table 9-54 40-SMR2-C Card-Level Indicators 9-91 Table 9-55 MMU Port Calibration 9-94 Table 9-56 MMU Card-Level Indicators 9-95 Table 10-1 Cisco ONS 15454 Transponder and Muxponder Cards 10-3 Table 10-2 Platform and Software Release Compatibility for Transponder and Muxponder Cards 10-5 Table 10-3 TXP_MR_10G Card-Level Indicators 10-16 Table 10-4 TXP_MR_10G Port-Level Indicators 10-16 Table 10-5 TXP_MR_10E Card-Level Indicators 10-20 Table 10-6 TXP_MR_10E Port-Level Indicators 10-20 Table 10-7 TXP_MR_10E _C and TXP_MR_10E_L Card-Level Indicators 10-24 Table 10-8 TXP_MR_10E_C and TXP_MR_10E_L Port-Level Indicators 10-24 Table 10-9 2R and 3R Mode and ITU-T G.709 Compliance by Client Interface 10-25 Table 10-10 Trunk Bit Rates With ITU-T G.709 Enabled 10-26 Table 10-11 TXP_MR_2.5G and TXPP_MR_2.5G Card-Level Indicators 10-29 Table 10-12 TXP_MR_2.5G and TXPP_MR_2.5G Port-Level Indicators 10-29 Table 10-13 MXP_2.5G_10G Card-Level Indicators 10-33 Table 10-14 MXP_2.5G_10G Port-Level Indicators 10-33 Table 10-15 MXP_2.5G_10E Trunk Wavelengths 10-38 Table 10-16 MXP_2.5G_10E Card-Level Indicators 10-40 Table 10-17 MXP_2.5G_10E Port-Level Indicators 10-40 Table 10-18 MXP_2.5G_10E_C Trunk Wavelengths 10-46 Table 10-19 MXP_2.5G_10E_L Trunk Wavelengths 10-47 Table 10-20 MXP_2.5G_10E_C and MXP_2.5G_10E_L Card-Level Indicators 10-49 Table 10-21 MXP_2.5G_10E_C and MXP_2.5G_10E_L Port-Level Indicators 10-49 Table 10-22 Card Versions 10-50Tables l Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 10-23 MXP_MR_2.5G and MXPP_MR_2.5G Client Interface Data Rates and Encapsulation 10-51 Table 10-24 Client Data Rates and Ports 10-51 Table 10-25 MXP_MR_2.5G and MXPP_MR_2.5G Card-Level Indicators 10-55 Table 10-26 MXP_MR_2.5G and MXPP_MR_2.5G Port-Level Indicators 10-55 Table 10-27 MXP_MR_10DME_C and MXP_MR_10DME_L Client Interface Data Rates and Encapsulation 10-57 Table 10-28 Supported Client Data Rates for Ports 1 through 4 and Ports 5 through 8 10-57 Table 10-29 MXP_MR_10DME_C Trunk Wavelengths 10-61 Table 10-30 MXP_MR_10DME_L Trunk Wavelengths 10-62 Table 10-31 MXP_MR_10DME_C and MXP_MR_10DME_L Card-Level Indicators 10-63 Table 10-32 MXP_MR_10DME_C and MXP_MR_10DME_L Port-Level Indicators 10-64 Table 10-33 40G-MXP-C Client Interface Data Rates 10-65 Table 10-34 40G-MXP-C Client Interface Input Data Rates 10-65 Table 10-35 40G-MXP-C Trunk Wavelengths 10-69 Table 10-36 40G-MXP-C Card-Level Indicators 10-70 Table 10-37 40G-MXP-C Card Port-Level Indicators 10-71 Table 10-38 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card Modes 10-72 Table 10-39 Protocol Compatibility List for GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10-74 Table 10-40 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card-Level Indicators 10-78 Table 10-41 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Port-Level Indicators 10-78 Table 10-42 OC-48/STM-16 Configuration Limitations 10-102 Table 10-43 Supported SONET Circuit Sizes of ADM-10G card on ONS 15454 10-105 Table 10-44 Supported SDH Circuit Sizes of ADM-10G card on ONS 15454 SDH 10-106 Table 10-45 STS Near-end Path Performance Monitoring Parameters 10-107 Table 10-46 VC-4 Near-end Path Performance Monitoring Parameters 10-109 Table 10-47 ADM-10G Card-Level Indicators 10-110 Table 10-48 ADM-10G Card Port-Level LED Indications 10-111 Table 10-49 OTU2_XP Card Configurations and Ports 10-111 Table 10-50 OTU2_XP Card-Level Indicators 10-115 Table 10-51 OTU2_XP PPM Port-Level Indicators 10-115 Table 10-52 OTU2_XP Card Configuration for IB_5G Payload Provisioning 10-118 Table 10-53 Card Configuration Transition Summary 10-118 Table 10-54 TXP_MR_10EX_C Card-Level Indicators 10-124 Table 10-55 TXP_MR_10EX _C Port-Level Indicators 10-125 Table 10-56 MXP_2.5G_10EX_C Trunk Wavelengths 10-130 Table 10-57 MXP_2.5G_10EX_C Card-Level Indicators 10-132Tables li Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 10-58 MXP_2.5G_10E_C and MXP_2.5G_10E_L Port-Level Indicators 10-132 Table 10-59 MXP_MR_10DMEX_C Client Interface Data Rates and Encapsulation 10-133 Table 10-60 Supported Client Data Rates for Ports 1 through 4 and Ports 5 through 8 10-134 Table 10-61 MXP_MR_10DMEX_C Trunk Wavelengths 10-137 Table 10-62 MXP_MR_10DMEX_C Card-Level Indicators 10-138 Table 10-63 MXP_MR_10DMEX_C Port-Level Indicators 10-139 Table 10-64 Termination Modes 10-143 Table 11-1 Supported Fiber Stage Configurations 11-46 Table 11-2 Multishelf ROADM Layout Example 11-49 Table 11-3 Multishelf Protected ROADM Layout Example 11-49 Table 11-4 Multishelf Four-Degree Mesh Node Layout Example 11-49 Table 11-5 Multishelf Four-Degree Protected Mesh Node Layout Example 11-50 Table 11-6 Multishelf Four-Degree Protected Mesh Node Layout Example 11-50 Table 11-7 Multishelf Four-Degree Mesh Node Upgrade Layout Example 11-51 Table 11-8 Multishelf Eight-Degree Mesh Node Layout Example 11-51 Table 11-9 Multishelf Four-Degree Mesh Node Upgrade Layout Example 11-52 Table 11-10 Multishelf Four-Degree Mesh Node User-Defined Layout Example 11-52 Table 11-11 Ranges and Values for the ANS Parameters 11-91 Table 11-12 Example of Raman Power Measurements 11-96 Table 11-13 Circuits, Optical Power, and Alarms tab 11-107 Table 12-1 Supported Topologies and Node Types 12-19 Table 12-2 Flat Output Gain Range Limits 12-43 Table 12-3 Detection of Power Fluctuation 12-52 Table 13-1 OCHNC Ports 13-2 Table 13-2 OCHCC and OCH Trail Ports 13-4 Table 13-3 Internal Patchcord Ports 13-8 Table 13-4 Provisionable Patchcord Ports 13-11 Table 14-1 JRE Compatibility 14-3 Table 14-2 Computer Requirements for CTC 14-4 Table 14-3 Connection Methods for ONS 15454, ONS 15454 M2, and ONS 15454 M6 14-7 Table 14-4 Multishelf View (Multishelf Mode), Node View (Single-Shelf Mode), and Shelf View (Multishelf Mode) Card Colors 14-11 Table 14-5 Multishelf View (Multishelf Mode) and Node View (Single-Shelf Mode) FMEC Color 14-12 Table 14-6 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Statuses 14-12 Table 14-7 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Port Colors and Service States 14-12 Table 14-8 Multishelf View Tabs and Subtabs 14-14Tables lii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 14-9 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Tabs and Subtabs 14-15 Table 14-10 Network View Tabs and Subtabs 14-16 Table 14-11 Node Status Shown in Network View 14-17 Table 14-12 DCC Colors Indicating State in Network View 14-17 Table 14-13 Link Icons 14-18 Table 14-14 Card View Tabs and Subtabs 14-18 Table 14-15 TL1 and Static IP-Over-CLNS Tunnels Comparison 14-21 Table 15-1 ONS 15454 Security Levels—Node View 15-2 Table 15-2 ONS 15454 Security Levels—Network View 15-5 Table 15-3 ONS 15454 Default User Idle Times 15-7 Table 15-4 Audit Trail Window Columns 15-8 Table 15-5 Shared Secret Character Groups 15-10 Table 16-1 SDH SSM Message Set 16-4 Table 16-2 SSM Generation 1 Message Set 16-4 Table 16-3 SSM Generation 2 Message Set 16-4 Table 17-1 General ONS 15454 IP Troubleshooting Checklist 17-2 Table 17-2 ONS 15454 Gateway and End NE Settings 17-14 Table 17-3 Proxy Server Firewall Filtering Rules 17-17 Table 17-4 Proxy Server Firewall Filtering Rules 17-17 Table 17-5 DCN Case Study 1 Node IP Addresses 17-27 Table 17-6 DCN Case Study 2 Node IP Addresses 17-30 Table 17-7 DCN Case Study 3 Node IP Addresses 17-33 Table 17-8 DCN Case Study 4 Node IP Addresses 17-37 Table 17-9 Sample Routing Table Entries 17-40 Table 17-10 Ports Used by the TCC2/TCC2P/TCC3/TNC/TSC 17-41 Table 17-11 Differences Between an IPv6 Node and an IPv4 Node 17-55 Table 18-1 Alarm Column Descriptions 18-2 Table 18-2 Color Codes for Alarms and Condition Severities 18-3 Table 18-3 Alarm Display 18-4 Table 18-4 Conditions Display 18-5 Table 18-5 Conditions Column Description 18-5 Table 18-6 History Column Description 18-7 Table 18-7 Alarm Profile Buttons 18-10 Table 18-8 Alarm Profile Editing Options 18-11 Table 18-9 TCA Suppression Groups 18-18Tables liii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 19-1 Optics PM Parameters 19-3 Table 19-2 Payload Ethernet PM Parameters 19-4 Table 19-3 Payload SONET PM Parameters 19-4 Table 19-4 Payload SDH PM Parameters 19-6 Table 19-5 Full RMON Statistics on TNC Card 19-6 Table 19-6 Trunk-Side and Client-Side Optics PM Parameters 19-10 Table 19-7 Transponder, Muxponder, and Xponder Port Type PM Provisioning Options 19-11 Table 19-8 ONS 15454 SONET/SDH Layer Far-End and Near-End PMs 19-12 Table 19-9 Full RMON Statistics on TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, TXP_MR_10E_L, GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, and OTU2_XP Cards 19-13 Table 19-10 Full RMON Statistics on ADM-10G Card 19-13 Table 19-11 Gigabit Ethernet (GE) or Fibre Channel (FC) Payload PMs for the TXP_MR_2.5G and TXPP_MR_2.5G Cards 19-14 Table 19-12 10G Fibre Channel (FC) Payload PMs for the OTU2_XP Card 19-14 Table 19-13 ONE_GE or FC1G Payload PMs for the MXP_MR_2.5G and MXPP_MR_2.5G Cards 19-15 Table 19-14 FC1G Payload PMs on the Client Side 19-15 Table 19-15 GFP-T Payload PMs 19-16 Table 19-16 maxBaseRate for STS and VC Circuits 19-16 Table 19-17 History Statistics per Time Interval 19-17 Table 19-18 Transponder, Muxponder, and Xponder PM Provisioning Options 19-17 Table 19-19 ITU G.709 OTN Trunk-Side PMs 19-19 Table 19-20 FEC OTN Trunk-Side PMs 19-19 Table 19-21 ONS 15454 Optics and 8b10b PMs 19-20 Table 19-22 E-Series Ethernet Statistics Parameters 19-20 Table 19-23 Ethernet History Statistics per Time Interval 19-23 Table 19-24 Optical PM Parameters for Optical Amplifier Cards 19-23 Table 19-25 Optical PM Parameters of Multiplexer and Demultiplexer Cards 19-23 Table 19-26 Optical PM Parameters for 4MD-xx.x Cards 19-24 Table 19-27 Optical PM Parameters for AD-1C-xx.x, AD-2C-xx.x, and AD-4C-xx.x Cards 19-24 Table 19-28 Optical PM Parameters for AD-1B-xx.x and AD-4B-xx.x Cards 19-24 Table 19-29 ANSI OSCM/OSC-CSM (OC3) Card PMs 19-26 Table 19-30 ETSI OSCM and OSC-CSM Card PMs 19-26 Table 19-31 ONS 15454 Optics and 8b10b PM Parameter Definitions 19-27 Table 19-32 ITU G.709 and ITU-T G.8021 Section Monitoring PM Definitions 19-29 Table 19-33 ITU G.709 Path Monitoring PM Definitions 19-29 Table 19-34 Full RMON Statistics PM Definitions 19-30Tables liv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table 19-35 FEC PM Definitions 19-34 Table 19-36 SONET PM Parameters 19-34 Table 19-37 SDH PM Parameters 19-35 Table 20-1 ONS 15454 SNMP Message Types 20-5 Table 20-2 IETF Standard MIBs Implemented in the ONS 15454 System 20-6 Table 20-3 ONS 15454 Proprietary MIBs 20-7 Table 20-4 cerentGenericPmThresholdTable 20-12 Table 20-5 32-Bit cerentGenericPmStatsCurrentTable 20-13 Table 20-6 32-Bit cerentGenericPmStatsIntervalTable 20-13 Table 20-7 Traps Supported in GE-XP, 10GE-XP, GE-XPE, and 10GE-XPE Cards 20-14 Table 20-8 MIBs Supported in TNC Card 20-14 Table 20-9 MIBs Supported in TSC Card 20-14 Table 20-10 Supported Generic IETF Traps 20-15 Table 20-11 Supported ONS 15454 SNMPv2 Trap Variable Bindings 20-16 Table 20-12 RMON History Control Periods and History Categories 20-28 Table 20-13 OIDs Supported in the AlarmTable 20-30 Table A-1 Individual Card Power Requirements(Typical Values at 25 degrees C) A-2 Table A-2 32MUX-O Optical Specifications A-20 Table A-3 32DMX-O Optical Specifications A-21 Table A-4 4MD-xx.x Optical Specifications A-21 Table A-5 32DMX Optical Specifications A-22 Table A-6 32DMX Channel Plan A-23 Table A-7 32DMX -L Optical Specifications A-24 Table A-8 32DMX-L Channel Plan A-25 Table A-9 32WSS Optical Specifications A-26 Table A-10 32WSS Channel Plan A-27 Table A-11 32WSS-L Optical Specifications A-28 Table A-12 32WSS-L Channel Plan A-29 Table A-13 40-MUX-C Card Optical Specifications A-30 Table A-14 40-DMX-C Card Optical Specifications A-31 Table A-15 40-DMX-CE Card Optical Specifications A-31 Table A-16 40-WSS-C Optical Specifications A-32 Table A-17 40-WSS-C Channel Grid A-33 Table A-18 40-WSS-C Card Optical Specifications A-35 Table A-19 40-WSS-C Card Channel Grid A-36Tables lv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table A-20 40-WXC-C Optical Specifications A-37 Table A-21 80-WXC-C Card Optical Specifications A-38 Table A-22 40-SMR1-C Optical Specifications A-39 Table A-23 40-SMR2-C Optical Specifications A-40 Table A-24 MMU Optical Specifications A-42 Table A-25 AD-1C-xx.x Card Optical Specifications A-44 Table A-26 AD-2C-xx.x Card Optical Specifications A-45 Table A-27 AD-4C-xx.x Optical Specifications A-46 Table A-28 AD-1B-xx.x Channel Allocation Plan by Band A-47 Table A-29 AD-1B-xx.x Optical Specifications A-49 Table A-30 AD-1B-xx.x Transmit and Receive Dropped Band Wavelength Ranges A-49 Table A-31 AD-4B-xx.x Channel Allocation Plan by Band A-51 Table A-32 AD-4B-xx.x Optical Specifications A-53 Table A-33 AD-4B-xx.x Transmit and Receive Dropped Band Wavelength Ranges A-53 Table A-34 TXP_MR_2.5G/TXPP_MR_2.5G Card Receiver Trunk Side Specifications A-59 Table A-35 MXP_MR_2.5G/MXPP_MR_2.5G Card Receiver Trunk Side Specifications A-62 Table A-36 MXP_2.5G_10E Card Receiver Trunk Side Specifications A-64 Table A-37 MXP_2.5G_10E_C Card Trunk Wavelengths A-65 Table A-38 MXP_2.5G_10E_C Card Receiver Trunk Side Specifications A-66 Table A-39 MXP_2.5G_10E_L Card Trunk Wavelengths A-69 Table A-40 MXP_2.5G_10E_L Card Receiver Trunk Side Specifications A-70 Table A-41 MXP_2.5G_10EX_C Card Trunk Wavelengths A-72 Table A-42 TMXP_2.5G_10EX_C Card Receiver Trunk Side Specifications A-73 Table A-43 MXP_MR_10DME_C Card Receiver Trunk Side Specifications A-76 Table A-44 MXP_MR_10DME_L Card Receiver Trunk Side Specifications A-78 Table A-45 MXP_MR_10DMEX_C Card Receiver Trunk Side Specifications A-80 Table A-46 TXP_MR_10E Card Receiver Trunk Side Specifications A-82 Table A-47 TXP_MR_10E_C Card Trunk Wavelengths A-84 Table A-48 TXP_MR_10E _C Card Receiver Trunk Side Specifications A-86 Table A-49 TXP_MR_10E_L Card Trunk Wavelengths A-88 Table A-50 TXP_MR_10E Card Receiver Trunk Side Specifications A-89 Table A-51 TXP_MR_10EX_C Card Trunk Wavelengths A-91 Table A-52 TXP_MR_10E _C Card Receiver Trunk Side Specifications A-92 Table A-53 40G-MXP-C Card Receiver (Trunk) Side Specifications A-94 Table A-54 GE_XP and GE_XPE Card Receiver Trunk Side Specifications A-97Tables lvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Table A-55 TDC-CC and TDC-FC Tunable CD Value A-99 Table A-56 PP-MESH-4 Patch Panel Optical Specifications A-100 Table A-57 PP-MESH-8 Patch Panel Optical Specifications A-101 Table A-58 15454-PP-4-SMR Patch Panel Optical Specifications A-101 Table B-1 ONS 15454 Service State Primary States and Primary State Qualifiers B-1 Table B-2 ONS 15454 Secondary States B-2 Table B-3 ONS 15454 Administrative States B-2 Table B-4 ONS 15454 Shelf Service State Transitions B-3 Table B-5 ONS 15454 Optical Unit Service State Transitions B-5 Table B-6 ONS 15454 Optical Payload Port Service State Transitions B-8 Table B-7 ONS 15454 OSC Port Service State Transitions B-10 Table B-8 ONS 15454 OCHNC Service State Transitions B-12 Table B-9 ONS 15454 Transponder/Muxponder Card Service State Transitions B-14 Table B-10 ONS 15454 Transponder/Muxponder Port Service State Transitions B-19 Table C-1 History Keys C-22 Table C-2 Setting speed values C-86 Table D-1 Limit for Connector Losses D-2lvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Note The terms "Unidirectional Path Switched Ring" and "UPSR" may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as "Path Protected Mesh Network" and "PPMN," refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration. This section explains the objectives, intended audience, and organization of this publication and describes the conventions that convey instructions and other information. This section provides the following information: • Revision History • Document Objectives • Audience • Document Organization • Related Documentation • Document Conventions • Obtaining Optical Networking Information • Obtaining Documentation and Submitting a Service Request Revision History Date Notes May 2010 • Added the section “Flexible Protection Mechanism” in the chapter “Transponder and Muxponder Cards”. • Updated the table “Single-Mode Fiber XFP Port Cabling Specifications” in the appendix “Hardware Specifications”. June 2010 • Updated the table “ONS 15454 Security Levels—Node View” in the chapter “Security Reference”.lviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface July 2010 • Updated the table “SFP/XFP Card Compatibility” in the chapter “Transponder and Muxponder Cards”. • Updated the section “40G-MXP-C Card Specifications” in the appendix “Hardware Specifications”. • Updated the sub-section “Key Features” under the section “40G-MXP-C Card” in the chapter “Transponder and Muxponder Cards”. • Updated the following sections: – Updated the key features for the MXP_MR_10DME card in the chapter, Transponder and Muxponder Cards. – Updated the section, Y-cable protection in the chapter, Transponder and Muxponder Cards. August 2010 • Updated the table “Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Tabs and Subtab” in the chapter, “Cisco Transport Controller Operation”. • Updated the tables “SFP Specifications” and “Single-Mode Fiber SFP Port Cabling Specifications” in the appendix “Hardware Specifications”. September 2010 • Updated the table “SFP/XFP Card Compatibility” in the chapter “Transponder and Muxponder Cards”. • Updated the “OTU2_XP Card” section in the Chapter “Transponder and Muxponder Cards”. • Added the FAPS switching criteria in the section, “Layer 2 Over DWDM Protection” in the chapter, “Transponder and Muxponder Cards”. October 2010 • Updated the "Class 1M Laser Product Statement" section in the chapters “Optical Amplifier Cards”, “Multiplexer and Demultiplexer Cards”, “Optical Add/Drop Cards”, “Reconfigurable Optical Add/Drop Cards”, and “Transponder and Muxponder Cards”. • Updated the table “Internal Patchcord Ports” in the chapter “Optical Channel Circuits and Virtual Patchcords Reference”. November 2010 • Updated the “SFP/XFP Card Compatibility” table in the “Transponder and Muxponder Cards” chapter with a new footnote. • Updated the section, “SNMP in Multishelf Management” in the chapter, SNMP. • Updated the width of the single slot cards for Control cards and Transponder and Muxponder Cards in the appendix, "Hardware Specifications". • Updated the table “SFP/XFP Card Compatibility” in the chapter “Transponder and Muxponder Cards”. • Updated the tables “SFP Specifications” and “Single-Mode Fiber SFP Port Cabling Specifications” in the appendix, “Hardware Specifications”. December 2010 • Updated the table "ONS 15454 Security Levels—Node View" in the chapter "Security Reference". January 2011 • Updated the width of all the cards in the appendix, "Hardware Specifications". • Updated the section “40G-MXP-C Card” and the table “40G-MXP-C Card Port-Level Indicators” i nthe chapter “Transponder and Muxponder Cards”. March 2011 • Removed the table “8G Fibre Channel (FC) Payload PMs for the 40G-MXP-C Card” in the chapter, “Performance Monitoring”. Date Noteslix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface April 2011 • Updated the section “Interllink Interfaces” and the table “SFP/XFP Card Compatibility” in the chapter “Transponder and Muxponder Cards”. • Updated the table, “XFP Specifications” in the chapter, “Hardware Specifications”. • Updated the section “Safety Labels” in the following chapters: – Common Control Cards – Optical Service Channel Cards – Optical Amplifier Cards – Multiplexer and Demultiplexer Cards – Tunable Dispersion Compensating Units – Optical Add/Drop Cards – Reconfigurable Optical Add/Drop Cards – Transponder and Muxponder Cards • Updated the section “Node View (Multishelf Mode), Node View (Single-Shelf Mode), and Shelf View (Multishelf Mode)” in the chapter “Cisco Transport Controller Operation”. • Updated the section “SFP and XFP Modules” in the chapter “Transponder and Muxponder Cards”. • Updated the power values in the “Individual Card Power Requirements” table in the appendix, “Hardware Specifications”. May 2011 • Updated the section “SFP and XFP Modules” in the chapter “Transponder and Muxponder Cards”. • Removed the sections “SFP Specifications” and “XFP Specifications” and added the section “SFP and XFP Specifications” in the appendix “Hardware Specifications”. • Updated the minimum output power value for the MXP_MR_10DMEX_C card in the appendix “Hardware Specifications”. June 2011 • Updated the section “Y-Cable Protection” in the chapter “Transponder and Muxponder Cards”. • Updated the sections “MXP_2.5G_10EX_C Card Specifications” and “TXP_MR_10EX_C Card Specifications” in the chapter “Hardware Specifications”. • Updated the TNC and TSC card power consumption values in Table A-1 in the chapter “Hardware Specifications”. July 2011 • Added a note in the “PC and UNIX Workstation Requirements” section of Chapter, “Cisco Transport Controller Operation”. August 2011 • Updated the sub-section “Configuration Management” under the section “OTU2_XP Card” in the chapter “Transponder and Muxponder Cards”. • Updated the section “40G-MXP-C Card” in the chapter “Transponder and Muxponder Cards”. Date Noteslx Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface September 2011 • Updated the key features section of TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, TXP_MR_10E_L, TXP_MR_10EX_C, and OTU2_XP cards in the chapter “Transponder and Muxponder Cards”. • Added a note to SONET PM Parameters table in “SONET PM Parameter Definitions” section. • Replaced G.975.1 with G.975.1 I.7 and added a note in the "Enhanced FEC (E-FEC) Feature" section in the chapter, "Transponder and Muxponder Cards". • Created a “Summary Pane” section in the chapter, “Cisco Transport Controller Operation”. October 2011 • Removed the Temperature table and updated the Temperature section with standard operating temperature values, removed the Environmental section from all the 15454 card specifications, and added "Environmental Exception" to “40G-MXP-C Card Specifications” section in the appendix "Hardware Specifications." December 2011 • Updated the power values in the table “Individual Card Power Requirements” in the appendix “Hardware Specifications”. • Updated the section “Termination Modes” in the chapter “Transponder and Muxponder Cards”. January 2012 • Updated the section “GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards” with pluggable limitations in the chapter Transponder and Muxponder Cards”. February 2012 • Removed the autonegotiation support statement for ADM-10G card from the “Key Features” section in the chapter “Transponder and Muxponder Cards”. March 2012 • Updated the section, “Multishelf Node” in the chapter, “ Node Reference”. April 2012 • Updated the “Functional View for an Eight-Sided Node” diagram in the chapter “Node Reference”. • Added a note in the “Displaying Optical Power” section of chapter, “Node Reference”. • Updated the "Faceplate and Block Diagram" section of "GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards" in the chapter, “Transponder and Muxponder Cards”. • Upadted the section “SNMP in Multishelf Management” in the chapter “SNMP”. May 2012 Updated the section “Optical Channel Circuits” in the chapter “Optical Channel Circuits and Virtual Patchcords Reference”. June 2012 Updated the section “Generic Threshold and Performance Monitoring MIBs” in the chapter “SNMP”. July 2012 Document Part Number revisioned to 78-19285-02 and a full length book-PDF was generated. Date Noteslxi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Document Objectives This document provides background and reference material for Cisco ONS 15454 dense wavelength division (DWDM) systems. Audience To use this publication, you should be familiar with Cisco or equivalent optical transmission hardware and cabling, telecommunications hardware and cabling, electronic circuitry and wiring practices, and preferably have experience as a telecommunications technician. Document Organization Table 1 Cisco ONS 15454 Reference Manual Chapters Title Summary Chapter 1, “Cisco ONS 15454 (ANSI and ETSI), ONS 15454 M2, and ONS 15454 M6 Shelf Assembly” Provides a description of Cisco ONS 15454 (ANSI and ETSI),Cisco ONS 15454 M2, and Cisco ONS 15454 M6 shelf assemblies. Chapter 2, “Common Control Cards” Includes descriptions of the TCC2, TCC3, TCC2P, AIC-I, and MS-ISC-100T cards. Chapter 3, “Optical Service Channel Cards” Includes descriptions of OSCM and OSC-CSM cards. Chapter 4, “Optical Amplifier Cards” Includes descriptions of the OPT-PRE, OPT-BST, OPT-BST-E, OP-BST-L, OPT-AMP-L, OPT-AMP-C, and OPT-AMP-17-C cards, as well as card temperature ranges and card compatibility. Chapter 5, “Multiplexer and Demultiplexer Cards” Includes descriptions of the Protection Switching Module (PSM) card used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. Chapter 6, “Tunable Dispersion Compensating Units” Explains the Tunable Dispersion Compensating Units (T-DCU) used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. Chapter 7, “Protection Switching Module” Includes descriptions of the 32-MUX-O, 32DMX-O, and 4MD-xx.x cards. Chapter 8, “Optical Add/Drop Cards” Includes descriptions of the AD-1C-xx.x, AD-2C-xx.x, AD-4C-xx.x, AD-1B-xx.x, and AD-4B-xx.x cards, card temperature ranges, compatibility, and applications.lxii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Chapter 9, “Reconfigurable Optical Add/Drop Cards” Includes descriptions of the 32WSS, 32WSS-L, 32DMX, 32DMX-L, 40-DMX-C, 40-DMX-CE, 40-MUX-C, 40-WSS-C, 40-WSS-CE, 40-WXC-C, and MMUC cards, card temperature ranges, compatibility, and applications. Chapter 10, “Transponder and Muxponder Cards” Includes information about ransponder (TXP), muxponder (MXP), GE_XP, 10GE_XP, and ADM-10G cards, as well as their associated plug-in modules (Small Form-factor Pluggables [SFPs or XFPs]). Chapter 11, “Node Reference” Explains the DWDM node types t available for the ONS 15454. The DWDM node type is determined by the type of amplifier and filter cards that are installed in an ONS 15454. Also explains the DWDM automatic power control (APC), reconfigurable optical add/drop multiplexing (ROADM) power equalization, span loss verification, and automatic node setup (ANS) functions. Chapter 12, “Network Reference” Explains the DWDM network applications and topologies. Also provides network-level optical performance references. Chapter 13, “Optical Channel Circuits and Virtual Patchcords Reference” Explains the DWDM optical channel (OCH) circuit types and virtual patchcords that can be provisioned. Circuit types include the OCH client connection (OCHCC), the OCH trail, and the OCH network connection (OCHNC). Chapter 14, “Cisco Transport Controller Operation” Describes Cisco Transport Controller (CTC), the software interface for the Cisco ONS 15454. Chapter 15, “Security Reference” Provides information about Cisco ONS 15454 users and security. Chapter 16, “Timing Reference” Provides information about Cisco ONS 15454 users and node timing. Chapter 17, “Management Network Connectivity” Provides an overview of ONS 15454 data communications network (DCN) connectivity. Cisco Optical Networking System (ONS) network communication is based on IP, including communication between Cisco Transport Controller (CTC) computers and ONS 15454 nodes, and communication among networked ONS 15454 nodes. The chapter shows common Cisco ONS 15454 IP network configurations and includes detailed data communications network (DCN) case studies. Table 1 Cisco ONS 15454 Reference Manual Chapters (continued) Title Summarylxiii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Related Documentation Use the Cisco ONS 15454 DWDM Reference Manual in conjunction with the following referenced Release 9.2 publications: • Cisco ONS 15454 DWDM Procedure Guide • Cisco ONS 15454 DWDM Troubleshooting Guide • Cisco ONS SONET TL1 Command Guide • Cisco ONS SONET TL1 Reference Guide • Cisco ONS SONET TL1 Command Quick Reference Guide • Cisco ONS 15454 SDH TL1 Command Guide • Cisco ONS 15454 SDH TL1 Reference Guide Chapter 18, “Alarm and TCA Monitoring and Management” Describes Cisco Transport Controller (CTC) alarm and threshold crossing alert (TCA) monitoring and management. Chapter 19, “Performance Monitoring” Performance monitoring (PM) parameters are used by service providers to gather, store, set thresholds for, and report performance data for early detection of problems. In this chapter, PM parameters and concepts are defined for transponder, muxponder, and dense wavelength division multiplexing (DWDM) cards in the Cisco ONS 15454 including optical amplifier, multiplexer, demutiplexer, optical add/drop multiplexer (OADM), and optical service channel (OSC) cards. Chapter 20, “SNMP” Explains Simple Network Management Protocol (SNMP) as implemented by the Cisco ONS 15454. Appendix A, “Hardware Specifications” Contains hardware and software specifications for the ONS 15454 ANSI and ETSI shelf assemblies and cards. Appendix B, “Administrative and Service States” Describes the administrative and service states for Cisco ONS 15454 dense wavelength division multiplexing (DWDM) cards, optical payload ports, out-of-band optical service channel (OSC) ports, optical channel network connections (OCHNCs), and transponder/muxponder cards and ports. Appendix C, “Pseudo Command Line Interface Reference” Describes Pseudo-IOS command line interface (PCLI) for GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. Appendix D, “Fiber and Connector Losses in Raman Link Configuration” Describes guidelines to be followed when configuring a Raman link. Table 1 Cisco ONS 15454 Reference Manual Chapters (continued) Title Summarylxiv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface • Cisco ONS 15454 SDH TL1 Command Quick Reference Guide • Release Notes for Cisco ONS 15454 Release 9.2 • Release Notes for Cisco ONS 15454 SDH Release 9.2 • Cisco TransportPlanner DWDM Operations Guide • Cisco ONS 15454 Hardware Installation Guide For an update on End-of-Life and End-of-Sale notices, refer to http://www.cisco.com/en/US/products/hw/optical/ps2006/prod_eol_notices_list.html Document Conventions This publication uses the following conventions: Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the document. Caution Means reader be careful. In this situation, the user might do something that could result in equipment damage or loss of data. Convention Application boldface Commands and keywords in body text. italic Command input that is supplied by the user. [ ] Keywords or arguments that appear within square brackets are optional. { x | x | x } A choice of keywords (represented by x) appears in braces separated by vertical bars. The user must select one. Ctrl The control key. For example, where Ctrl + D is written, hold down the Control key while pressing the D key. screen font Examples of information displayed on the screen. boldface screen font Examples of information that the user must enter. < > Command parameters that must be replaced by module-specific codes.lxv Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071 SAVE THESE INSTRUCTIONS Waarschuwing BELANGRIJKE VEILIGHEIDSINSTRUCTIES Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico's en dient u op de hoogte te zijn van de standaard praktijken om ongelukken te voorkomen. Gebruik het nummer van de verklaring onderaan de waarschuwing als u een vertaling van de waarschuwing die bij het apparaat wordt geleverd, wilt raadplegen. BEWAAR DEZE INSTRUCTIES Varoitus TÄRKEITÄ TURVALLISUUSOHJEITA Tämä varoitusmerkki merkitsee vaaraa. Tilanne voi aiheuttaa ruumiillisia vammoja. Ennen kuin käsittelet laitteistoa, huomioi sähköpiirien käsittelemiseen liittyvät riskit ja tutustu onnettomuuksien yleisiin ehkäisytapoihin. Turvallisuusvaroitusten käännökset löytyvät laitteen mukana toimitettujen käännettyjen turvallisuusvaroitusten joukosta varoitusten lopussa näkyvien lausuntonumeroiden avulla. SÄILYTÄ NÄMÄ OHJEET Attention IMPORTANTES INFORMATIONS DE SÉCURITÉ Ce symbole d'avertissement indique un danger. Vous vous trouvez dans une situation pouvant entraîner des blessures ou des dommages corporels. Avant de travailler sur un équipement, soyez conscient des dangers liés aux circuits électriques et familiarisez-vous avec les procédures couramment utilisées pour éviter les accidents. Pour prendre connaissance des traductions des avertissements figurant dans les consignes de sécurité traduites qui accompagnent cet appareil, référez-vous au numéro de l'instruction situé à la fin de chaque avertissement. CONSERVEZ CES INFORMATIONS Warnung WICHTIGE SICHERHEITSHINWEISE Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu Verletzungen führen kann. Machen Sie sich vor der Arbeit mit Geräten mit den Gefahren elektrischer Schaltungen und den üblichen Verfahren zur Vorbeugung vor Unfällen vertraut. Suchen Sie mit der am Ende jeder Warnung angegebenen Anweisungsnummer nach der jeweiligen Übersetzung in den übersetzten Sicherheitshinweisen, die zusammen mit diesem Gerät ausgeliefert wurden. BEWAHREN SIE DIESE HINWEISE GUT AUF.lxvi Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Avvertenza IMPORTANTI ISTRUZIONI SULLA SICUREZZA Questo simbolo di avvertenza indica un pericolo. La situazione potrebbe causare infortuni alle persone. Prima di intervenire su qualsiasi apparecchiatura, occorre essere al corrente dei pericoli relativi ai circuiti elettrici e conoscere le procedure standard per la prevenzione di incidenti. Utilizzare il numero di istruzione presente alla fine di ciascuna avvertenza per individuare le traduzioni delle avvertenze riportate in questo documento. CONSERVARE QUESTE ISTRUZIONI Advarsel VIKTIGE SIKKERHETSINSTRUKSJONER Dette advarselssymbolet betyr fare. Du er i en situasjon som kan føre til skade på person. Før du begynner å arbeide med noe av utstyret, må du være oppmerksom på farene forbundet med elektriske kretser, og kjenne til standardprosedyrer for å forhindre ulykker. Bruk nummeret i slutten av hver advarsel for å finne oversettelsen i de oversatte sikkerhetsadvarslene som fulgte med denne enheten. TA VARE PÅ DISSE INSTRUKSJONENE Aviso INSTRUÇÕES IMPORTANTES DE SEGURANÇA Este símbolo de aviso significa perigo. Você está em uma situação que poderá ser causadora de lesões corporais. Antes de iniciar a utilização de qualquer equipamento, tenha conhecimento dos perigos envolvidos no manuseio de circuitos elétricos e familiarize-se com as práticas habituais de prevenção de acidentes. Utilize o número da instrução fornecido ao final de cada aviso para localizar sua tradução nos avisos de segurança traduzidos que acompanham este dispositivo. GUARDE ESTAS INSTRUÇÕES ¡Advertencia! INSTRUCCIONES IMPORTANTES DE SEGURIDAD Este símbolo de aviso indica peligro. Existe riesgo para su integridad física. Antes de manipular cualquier equipo, considere los riesgos de la corriente eléctrica y familiarícese con los procedimientos estándar de prevención de accidentes. Al final de cada advertencia encontrará el número que le ayudará a encontrar el texto traducido en el apartado de traducciones que acompaña a este dispositivo. GUARDE ESTAS INSTRUCCIONES Varning! VIKTIGA SÄKERHETSANVISNINGAR Denna varningssignal signalerar fara. Du befinner dig i en situation som kan leda till personskada. Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och känna till vanliga förfaranden för att förebygga olyckor. Använd det nummer som finns i slutet av varje varning för att hitta dess översättning i de översatta säkerhetsvarningar som medföljer denna anordning. SPARA DESSA ANVISNINGARlxvii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Prefacelxviii Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Aviso INSTRUÇÕES IMPORTANTES DE SEGURANÇA Este símbolo de aviso significa perigo. Você se encontra em uma situação em que há risco de lesões corporais. Antes de trabalhar com qualquer equipamento, esteja ciente dos riscos que envolvem os circuitos elétricos e familiarize-se com as práticas padrão de prevenção de acidentes. Use o número da declaração fornecido ao final de cada aviso para localizar sua tradução nos avisos de segurança traduzidos que acompanham o dispositivo. GUARDE ESTAS INSTRUÇÕES Advarsel VIGTIGE SIKKERHEDSANVISNINGER Dette advarselssymbol betyder fare. Du befinder dig i en situation med risiko for legemesbeskadigelse. Før du begynder arbejde på udstyr, skal du være opmærksom på de involverede risici, der er ved elektriske kredsløb, og du skal sætte dig ind i standardprocedurer til undgåelse af ulykker. Brug erklæringsnummeret efter hver advarsel for at finde oversættelsen i de oversatte advarsler, der fulgte med denne enhed. GEM DISSE ANVISNINGERlxix Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Prefacelxx Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Preface Obtaining Optical Networking Information This section contains information that is specific to optical networking products. For information that pertains to all of Cisco, refer to the Obtaining Documentation and Submitting a Service Request section. Where to Find Safety and Warning Information For safety and warning information, refer to the Cisco Optical Transport Products Safety and Compliance Information document that accompanied the product. This publication describes the international agency compliance and safety information for the Cisco ONS 15454 system. It also includes translations of the safety warnings that appear in the ONS 15454 system documentation. Cisco Optical Networking Product Documentation CD-ROM Optical networking-related documentation, including Cisco ONS 15xxx product documentation, is available in a CD-ROM package that ships with your product. The Optical Networking Product Documentation CD-ROM is updated periodically and may be more current than printed documentation. Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.CHAPTER 1-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 1 Cisco ONS 15454 (ANSI and ETSI), ONS 15454 M2, and ONS 15454 M6 Shelf Assembly For information on the Cisco ONS 15454 (ANSI and ETSI), ONS 15454 M2, and ONS 15454 M6 shelf assemblies, see the Cisco ONS 15454 Hardware Installation Guide.1-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 1 Cisco ONS 15454 (ANSI and ETSI), ONS 15454 M2, and ONS 15454 M6 Shelf AssemblyCHAPTER 2-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 2 Common Control Cards Note The terms "Unidirectional Path Switched Ring" and "UPSR" may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as "Path Protected Mesh Network" and "PPMN," refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration. This chapter describes the Cisco ONS 15454 common-control cards. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Note The cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms, unless noted otherwise. Chapter topics include: • 2.1 Card Overview, page 2-2 • 2.3 TCC2 Card, page 2-3 • 2.4 TCC2P Card, page 2-8 • 2.5 TCC3 Card, page 2-12 • 2.6 TNC Card, page 2-16 • 2.7 TSC Card, page 2-25 • 2.8 Digital Image Signing, page 2-33 • 2.9 AIC-I Card, page 2-34 • 2.10 MS-ISC-100T Card, page 2-39 • 2.11 Front Mount Electrical Connections, page 2-422-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Card Overview 2.1 Card Overview The card overview section lists the cards described in this chapter. Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. For a list of slots and symbols, see the “Card Slot Requirements” section in the Cisco ONS 15454 Hardware Installation Guide. 2.1.1 Common Control Cards The following common control cards are needed to support the functions of the DWDM, transponder, and muxponder cards on ONS 15454 shelf: • TCC2 or TCC2P or TCC3 • AIC-I (optional) • MS-ISC-100T (multishelf configurations only) The TNC and TSC cards are used to support the functions of DWDM, transponder, and muxponder cards on the Cisco ONS 15454 M2 and Cisco ONS 15454 M6 shelves. 2.1.2 Card Compatibility Table 2-1 lists the platform and software release compatibility for the control cards. Table 2-1 Platform and Software Release Compatibility for Control Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 TCC2 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454-DWDM TCC2P 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454-DWDM AIC-I 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454-DWDM MS-ISC-100T 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454-DWDM TCC3 No No No No No No No No No No No 15454-DWDM TNC No No No No No No No No No No No 15454-M2 and 15454-M6 TSC No No No No No No No No No No No 15454-M2 and 15454-M62-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Safety Labels 2.1.3 Front Mount Electrical Connections (ETSI only) The following Front Mount Electrical Connections (FMECs) are needed to support the functions of the DWDM, transponder, and muxponder cards: • MIC-A/P • MIC-C/T/P 2.2 Safety Labels This section explains the significance of the safety labels attached to some of the cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 2.2.1 Hazard Level 1 Label The Hazard Level 1 label is shown in Figure 2-1. Figure 2-1 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. Warning Class 1 laser product. Statement 1008 2.3 TCC2 Card (Cisco ONS 15454 only) Note For TCC2 card specifications, see the “A.3.1 TCC2 Card Specifications” section on page A-4. The Advanced Timing, Communications, and Control (TCC2) card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET section overhead (SOH) data communications channel/generic communications channel (DCC/GCC) HAZARD LEVEL 1 655422-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2 Card termination, optical service channel (OSC) DWDM data communications network (DCN) termination, and system fault detection for the ONS 15454. The TCC2 also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system. Note The LAN interface of the TCC2 card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). Figure 2-2 shows the faceplate and block diagram for the TCC2. 2-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2 Card Figure 2-2 TCC2 Faceplate and Block Diagram 2.3.1 TCC2 Functionality The TCC2 card terminates up to 32 DCCs. The TCC2 hardware is prepared for up to 84 DCCs, which will be available in a future software release. FAIL A PWR B ACT/STBY ACO CRIT MIN REM SYNC RS-232 TCP/IP MAJ ACO TCC2 LAMP BACKPLANE Ethernet Repeater Mate TCC2 Ethernet Port Backplane Ethernet Port (Shared with Mate TCC2) SDRAM Memory & Compact Flash FPGA TCCA ASIC SCL Processor Serial Debug Modem Interface RS-232 Craft Interface Backplane RS-232 Port (Shared with Mate TCC2) Faceplate RS-232 Port Note: Only 1 RS-232 Port Can Be Active - Backplane Port Will Supercede Faceplate Port Faceplate Ethernet Port SCL Links to All Cards HDLC Message Bus Mate TCC2 HDLC Link Modem Interface (Not Used) 400MHz Processor Communications Processor SCC3 MCC1 FCC1 MCC2 SCC4 FCC2 SCC1 SCC2 DCC Processor System Timing BITS Input/ Output Ref Clocks (all I/O Slots) -48V PWR Monitors Real Time Clock 1376392-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2 Card The node database, IP address, and system software are stored in TCC2 nonvolatile memory, which allows quick recovery in the event of a power or card failure. The TCC2 performs all system-timing functions for each ONS 15454. The TCC2 monitors the recovered clocks from each traffic card and two building integrated timing supply (BITS) ports for frequency accuracy. The TCC2 selects a recovered clock, a BITS, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC2 to synchronize with the recovered clock, which provides holdover if the reference is lost. The TCC2 monitors both supply voltage inputs on the shelf. An alarm is generated if one of the supply voltage inputs has a voltage out of the specified range. Install TCC2 cards in Slots 7 and 11 for redundancy. If the active TCC2 fails, traffic switches to the protect TCC2. The TCC2 card has two built-in interface ports for accessing the system: an RJ-45 10BaseT LAN interface and an EIA/TIA-232 ASCII interface for local craft access. It also has a 10BaseT LAN port for user interfaces via the backplane. 2.3.2 Redundant TCC2 Card Installation Cisco does not support operation of the ONS 15454 with only one TCC2 card. For full functionality and to safeguard your system, always operate with two TCC2 cards. When a second TCC2 card is inserted into a node, it synchronizes its software, its backup software, and its database with the active TCC2. If the software version of the new TCC2 does not match the version on the active TCC2, the newly inserted TCC2 copies from the active TCC2, taking about 15 to 20 minutes to complete. If the backup software version on the new TCC2 does not match the version on the active TCC2, the newly inserted TCC2 copies the backup software from the active TCC2 again, taking about 15 to 20 minutes. Copying the database from the active TCC2 takes about 3 minutes. Depending on the software version and backup version the new TCC2 started with, the entire process can take between 3 and 40 minutes. 2.3.3 TCC2 Card-Level Indicators The TCC2 faceplate has ten LEDs. Table 2-2 describes the two card-level LEDs on the TCC2 faceplate. Table 2-2 TCC2 Card-Level Indicators Card-Level LEDs Definition Red FAIL LED This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. ACT/STBY LED Green (Active) Yellow (Standby) Indicates the TCC2 is active (green) or in standby (yellow) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2 is writing to its database or to the standby TCC2 database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2 when the active or standby LED is blinking. 2-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2 Card 2.3.4 Network-Level Indicators Table 2-3 describes the six network-level LEDs on the TCC2 faceplate. 2.3.5 Power-Level Indicators Table 2-4 describes the two power-level LEDs on the TCC2 faceplate. Note For ONS 15454 ETSI shelf, the power-level LEDs are either green or red. The LED is green when the voltage on supply inputs is between the extremely low battery voltage and extremely high battery voltage thresholds. The LED is red when the voltage on supply inputs is above extremely high battery voltage or below extremely low battery voltage thresholds. Table 2-3 TCC2 Network-Level Indicators System-Level LEDs Definition Red CRIT LED Indicates critical alarms in the network at the local terminal. Red MAJ LED Indicates major alarms in the network at the local terminal. Yellow MIN LED Indicates minor alarms in the network at the local terminal. Red REM LED Provides first-level alarm isolation. The remote (REM) LED turns red when an alarm is present in one or more of the remote terminals. Green SYNC LED Indicates that node timing is synchronized to an external reference. Green ACO LED After pressing the alarm cutoff (ACO) button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset. Table 2-4 TCC2 Power-Level Indicators Power-Level LEDs Definition Green/Amber/Red PWR A LED The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds. Green/Amber/Red PWR B LED The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds. 2-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2P Card 2.4 TCC2P Card (Cisco ONS 15454 only) Note For TCC2P card specifications, see the “A.3.2 TCC2P Card Specifications” section on page A-5. The Advanced Timing, Communications, and Control Plus (TCC2P) card is an enhanced version of the TCC2 card. The primary enhancements are Ethernet security features and 64K composite clock BITS timing. The TCC2P card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET SOH DCC/GCC termination, and system fault detection for the ONS 15454. The TCC2P also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system. The TCC2P card supports multi-shelf management. The TCC2P card acts as a shelf controller and node controller for the ONS 15454. The TCC2P card supports up to 12 subtended shelves through the MSM-ISC card or external switch. In a multi-shelf configuration, the TCC2P card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it. The TCC2P card is compliant to the following standards: • The LAN interface of the TCC2P card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius). • The TCC2P card is Restriction of Use of Hazardous Substances (RoHS) complaint. The RoHS regulations limit or ban the specific substances such as lead, cadmium, polybrominated biphenyl (PBB), mercury, hexavalent chromium, and polybrominated diphenyl ether (PBDE) flame retardants in a new electronic and electric equipment. Figure 2-3 shows the faceplate and block diagram for the TCC2P card. 2-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2P Card Figure 2-3 TCC2P Faceplate and Block Diagram FAIL A PWR B ACT/STBY ACO CRIT MIN REM SYNC RS-232 TCP/IP MAJ ACO TCC2P LAMP BACKPLANE Ethernet Switch Mate TCC2 Ethernet Port Backplane Ethernet Port (Shared with Mate TCC2) SDRAM Memory & Compact Flash FPGA TCCA ASIC SCL Processor Serial Debug Modem Interface EIA/TIA 232 Craft Interface Backplane EIA/TIA 232 Port (Shared with Mate TCC2) Faceplate EIA/TIA 232 Port Note: Only 1 EIA/TIA 232 Port Can Be Active - Backplane Port Will Supercede Faceplate Port Faceplate Ethernet Port SCL Links to All Cards HDLC Message Bus Mate TCC2 HDLC Link Modem Interface 400MHz (Not Used) Processor Communications Processor SCC3 MCC1 FCC1 MCC2 SCC4 FCC2 SMC1 SCC2 DCC Processor System Timing BITS Input/ Output Ref Clocks -48V PWR (all I/O Slots) Monitors Real Time Clock Ethernet Phy SCC12-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2P Card 2.4.1 TCC2P Functionality The TCC2P card supports multichannel, high-level data link control (HDLC) processing for the DCC. Up to 84 DCCs can be routed over the TCC2P card and up to 84 section DCCs can be terminated at the TCC2P card (subject to the available optical digital communication channels). The TCC2P selects and processes 84 DCCs to facilitate remote system management interfaces. The TCC2P card also originates and terminates a cell bus carried over the module. The cell bus supports links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer communication accelerates protection switching for redundant cards. The node database, IP address, and system software are stored in TCC2P card nonvolatile memory, which allows quick recovery in the event of a power or card failure. The TCC2P card performs all system-timing functions for each ONS 15454. The TCC2P card monitors the recovered clocks from each traffic card and two BITS ports for frequency accuracy. The TCC2P card selects a recovered clock, a BITS, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC2P card to synchronize with the recovered clock, which provides holdover if the reference is lost. The TCC2P card supports 64/8K composite clock and 6.312 MHz timing output. The TCC2P card monitors both supply voltage inputs on the shelf. An alarm is generated if one of the supply voltage inputs has a voltage out of the specified range. Install TCC2P cards in Slots 7 and 11 for redundancy. If the active TCC2P card fails, traffic switches to the protect TCC2P card. All TCC2P card protection switches conform to protection switching standards when the bit error rate (BER) counts are not in excess of 1 * 10 exp – 3 and completion time is less than 50 ms. The TCC2P card has two built-in Ethernet interface ports for accessing the system: one built-in RJ-45 port on the front faceplate for on-site craft access and a second port on the backplane. The rear Ethernet interface is for permanent LAN access and all remote access via TCP/IP as well as for Operations Support System (OSS) access. The front and rear Ethernet interfaces can be provisioned with different IP addresses using CTC. Two EIA/TIA-232 serial ports, one on the faceplate and a second on the backplane, allow for craft interface in TL1 mode. Note To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the backplane port wire-wrap pin must be connected and active. 2.4.2 Redundant TCC2P Card Installation Cisco does not support operation of the ONS 15454 with only one TCC2P card. For full functionality and to safeguard your system, always operate with two TCC2P cards. When a second TCC2P card is inserted into a node, it synchronizes its software, its backup software, and its database with the active TCC2P card. If the software version of the new TCC2P card does not match the version on the active TCC2P card, the newly inserted TCC2P card copies from the active TCC2P card, taking about 15 to 20 minutes to complete. If the backup software version on the new TCC2P card does not match the version on the active TCC2P card, the newly inserted TCC2P card copies the backup 2-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC2P Card software from the active TCC2P card again, taking about 15 to 20 minutes. Copying the database from the active TCC2P card takes about 3 minutes. Depending on the software version and backup version the new TCC2P card started with, the entire process can take between 3 and 40 minutes. 2.4.3 TCC2P Card-Level Indicators The TCC2P faceplate has ten LEDs. Table 2-5 describes the two card-level LEDs on the TCC2P faceplate. 2.4.4 Network-Level Indicators Table 2-6 describes the six network-level LEDs on the TCC2P faceplate. Table 2-5 TCC2P Card-Level Indicators Card-Level LEDs Definition Red FAIL LED This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Indicates the TCC2P is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2P is writing to its database or to the standby TCC2P database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2P when the active or standby LED is blinking. Table 2-6 TCC2P Network-Level Indicators System-Level LEDs Definition Red CRIT LED Indicates critical alarms in the network at the local terminal. Red MAJ LED Indicates major alarms in the network at the local terminal. Amber MIN LED Indicates minor alarms in the network at the local terminal. Red REM LED Provides first-level alarm isolation. The remote (REM) LED turns red when an alarm is present in one or more of the remote terminals. Green SYNC LED Indicates that node timing is synchronized to an external reference. Green ACO LED After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.2-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC3 Card 2.4.5 Power-Level Indicators Table 2-7 describes the two power-level LEDs on the TCC2P faceplate. Note For ONS 15454 ETSI shelf, the power-level LEDs are either green or red. The LED is green when the voltage on supply inputs is between the extremely low battery voltage and extremely high battery voltage thresholds. The LED is red when the voltage on supply inputs is above extremely high battery voltage or below extremely low battery voltage thresholds. 2.5 TCC3 Card (Cisco ONS 15454 only) Note For TCC3 card specifications, see the “A.3.3 TCC3 Card Specifications” section on page A-6. The Timing Communications Control Three (TCC3) card is an enhanced version of the TCC2P card. The primary enhancements include the increase in memory size and compact flash space. The TCC3 card boots up as TCC2P card in older releases and as TCC3 card from Release 9.2 onwards. The TCC3 card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET SOH DCC/GCC termination, and system fault detection for the ONS 15454. The TCC3 also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system. The TCC3 card supports multi-shelf management. The TCC3 card acts as a shelf controller and node controller for the ONS 15454. The TCC3 card supports up to 30 subtended shelves through the MSM-ISC card or external switch. In a multi-shelf configuration, the TCC3 card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it. We recommend the use the TCC3 card as a node controller when the number of subtended shelves exceeds 12. Table 2-7 TCC2P Power-Level Indicators Power-Level LEDs Definition Green/Amber/Red PWR A LED The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds. Green/Amber/Red PWR B LED The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds. 2-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC3 Card The TCC3 card is compliant with the following standards: • The LAN interface of the TCC3 card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures ranging from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius). • The TCC3 card is Restriction of Use of Hazardous Substances (RoHS) compliant. The RoHS regulations limit or ban the specific substances such as lead, cadmium, polybrominated biphenyl (PBB), mercury, hexavalent chromium, and polybrominated diphenyl ether (PBDE) flame retardants in a new electronic and electric equipment. Figure 2-3 shows the faceplate and block diagram for the TCC3 card. Figure 2-4 TCC3 Faceplate and Block Diagram FAIL A PWR B ACT/STBY ACO CRIT MIN REM SYNC RS-232 TCP/IP MAJ ACO TCC3 LAMP BACKPLANE Ethernet Switch Mate TCC Ethernet Port Backplane Ethernet Port (Shared with Mate TCC) SDRAM Memory & Compact Flash FPGA TCCA FPGA SCL Processor Serial Debug Modem Interface EIA/TIA 232 Craft Interface Backplane EIA/TIA 232 Port (Shared with Mate TCC) Faceplate EIA/TIA 232 Port Note: Only 1 EIA/TIA 232 Port Can Be Active - Backplane Port Will Supercede Faceplate Port Faceplate Ethernet Port SCL Links to All Cards HDLC Message Bus Mate TCC HDLC Link Modem Interface (Not Used) 400MHz Processor Communications Processor SCC3 MCC1 FCC1 MCC2 SCC4 FCC2 SMC1 SCC2 DCC Processor System Timing BITS Input/ Output Ref Clocks (all I/O Slots) -48V PWR Monitors Real Time Clock Ethernet Phy SCC1 2486632-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC3 Card 2.5.1 TCC3 Functionality The TCC3 card supports multichannel, high-level data link control (HDLC) processing for the DCC. Up to 84 DCCs can be routed over the TCC3 card and up to 84 section DCCs can be terminated at the TCC3 card (subject to the available optical digital communication channels). The TCC3 selects and processes 84 DCCs to facilitate remote system management interfaces. The TCC3 card also originates and terminates a cell bus carried over the module. The cell bus supports links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer communication accelerates protection switching for redundant cards. The node database, IP address, and system software are stored in the TCC3 card’s nonvolatile memory, which allows quick recovery of data in the event of a power or card failure. The TCC3 card performs all system-timing functions for the ONS 15454. The TCC3 card monitors the recovered clocks from each traffic card and two BITS ports for frequency accuracy. The TCC3 card selects a recovered clock, a BITS, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC3 card to synchronize with the recovered clock, which provides holdover if the reference is lost. The TCC3 card supports 64/8K composite clock and 6.312 MHz timing output. The TCC3 card monitors both the supply voltage inputs on the shelf. An alarm is generated if one of the supply voltage inputs has a voltage level above the specified range. The TCC3 card has two built-in Ethernet interface ports for accessing the system: one built-in RJ-45 port on the front faceplate for on-site craft access and a second port on the backplane. The rear Ethernet interface is for permanent LAN access and all remote access via TCP/IP as well as for Operations Support System (OSS) access. The front and rear Ethernet interfaces can be provisioned with different IP addresses using CTC. Two EIA/TIA-232 serial ports, one on the faceplate and a second on the backplane, allow for craft interface in TL1 mode. Note To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the backplane port wire-wrap pin must be connected and active. 2.5.2 Redundant TCC3 Card Installation We do not recommend the operation of the ONS 15454 with only one TCC3 card. For full functionality and to safeguard your system, always operate with two TCC3 cards. Install TCC3 cards in Slots 7 and 11 for redundancy. If the active TCC3 card fails, traffic switches to the protect TCC3 card. All TCC3 card protection switches conform to protection switching standards when the bit error rate (BER) counts are not in excess of 1 * 10 exp – 3 and completion time is less than 50 ms. When a second TCC3 card is inserted into a node, it synchronizes its software, backup software, and database with those of the active TCC3 card. If the software version of the new TCC3 card does not match the version on the active TCC3 card, the newly inserted TCC3 card copies from the active TCC3 card, taking about 15 to 20 minutes to complete. Copying the database from the active TCC3 card takes about 3 minutes. Depending on the software version and backup version the new TCC3 card started with, the entire process can take between 3 and 40 minutes. 2-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TCC3 Card 2.5.3 TCC3 Card-Level Indicators The TCC3 faceplate has ten LEDs. Table 2-5 describes the two card-level LEDs on the TCC3 faceplate. 2.5.4 Network-Level Indicators Table 2-6 describes the six network-level LEDs on the TCC3 faceplate. Table 2-8 TCC3 Card-Level Indicators Card-Level LEDs Definition Red FAIL LED Indicates the TCC3 card is being reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Indicates the TCC3 is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC3 is writing to its database or to the standby TCC3 database, the card LEDs blink. To avoid memory corruption, do not remove the TCC3 when the active or standby LED is blinking. Table 2-9 TCC3 Network-Level Indicators System-Level LEDs Definition Red CRIT LED Indicates critical alarms in the network at the local terminal. Red MAJ LED Indicates major alarms in the network at the local terminal. Amber MIN LED Indicates minor alarms in the network at the local terminal. Red REM LED Indicates first-level alarm isolation. The remote (REM) LED turns red when an alarm is present in one or more of the remote terminals. Green SYNC LED Indicates that node timing is synchronized to an external reference. Green ACO LED Indicates teh audible alarms. After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.2-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card 2.5.5 Power-Level Indicators Table 2-7 describes the two power-level LEDs on the TCC3 faceplate. Note For the ONS 15454 ETSI shelf, the power-level LEDs are either green or red. The LED is green when the voltage on supply inputs is between the extremely low battery voltage and extremely high battery voltage thresholds. The LED is red when the voltage on supply inputs is above extremely high battery voltage or below extremely low battery voltage thresholds. 2.6 TNC Card (Cisco ONS 15454 M2 and ONS 15454 M6 only) The TNC card combines the functions of multiple cards such as TCC2P, OSCM, ISC, and AIC-I cards. The card has a similar look and feel to TCC2/TCC2P/TCC3 cards. Note For TNC card specifications, see the A.3.4 TNC Card Specifications (Cisco ONS 15454 M2 and Cisco ONS 15454 M6), page A-6 section. The TNC card is provisioned as master and slave in the 15454-M6 shelf, and as a stand-alone card in the 15454-M2 shelf. The TNC card serves as the processor card for the node. On the 15454-M6 shelf, install redundant TNC cards in slots 1 and 8. If the active TNC card fails, system traffic switches to the redundant TNC card. The card supports line cards from slots 2 to 7. On the 15454-M2 shelf, install the stand-alone TNC card in slot 1. The TNC card supports line cards in slots 2 and 3. Table 2-10 TCC3 Power-Level Indicators Power-Level LEDs Definition Green/Amber/Red PWR A LED Indicates the voltage on supply input A. The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds. Green/Amber/Red PWR B LED Indicates the voltage on supply input B.The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds. 2-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card The TNC card monitors both the supply voltage inputs on the 15454-M6 shelf. The TNC card raises an alarm if one of the supply voltage inputs has a voltage out of the specified range. The 15454-M2 shelf has dual power supply. You can insert and remove the TNC card even when the system is online, without impacting the system traffic. You can upgrade the TSC card to a TNC card. During the upgrade, the TNC card does not support OSC functions such as UDC, VoIP, DCC, and timing function. However, you can still provision the SFP ports on the TNC card during the upgrade. The TNC and TSC cards cannot be inserted in the same shelf. Note Downgrade procedures from TNC cards to TSC cards are not supported. For information on upgrading TSC card to a TNC card, refer chapter, "Upgrade, Add, and Remove Cards and Nodes" in the Cisco ONS 15454 DWDM Procedure Guide. The TNC card supports all the alarms supported by the TCC2P and AIC-I cards. The card adjusts the fan speed according to the temperature and reports a fan failure alarm. Note The LAN interface of the TNC card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from -40 to 32 degrees Fahrenheit (-40 to 0 degrees Celsius). 2.6.1 Functions of TNC The functions of the TNC card are explained in the following sections: 2.6.1.1 Communication and Control The TNC card acts as node controller and shelf controller. The control tasks include system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection, and resolution. The control tasks also include SONET and SDH data communications channel (DCC) termination, 84 section SDCC and multiplex section MSDCC terminations, 28 SDCC tunnels or SDCC-to-line LDCC terminations, and system fault detection for the 15454-M2 and 15454-M6 shelves. The system initialization tasks include assigning the network parameters to the system and loading the system with the provisioning data stored in the database. The line cards in the system do not boot without the TNC card. The TNC card supports and provides the following: • OSC communication to implement the Optical DCN, User Data Channels and Voice over IP interface. • Supervisory data channel (SDC) for communication between the nodes. • Two point-to-point Ethernet channels at 10 Mbps to carry Voice over IP traffic. • Two point-to-point Ethernet channels at 10/100 Mbps to carry UDC traffic. • Passive inventory of external devices on the 15454-M2 and 15454-M6 shelves. • Supports OSC, UDC, and VoIP traffic. Two UDC/VoIP ports are present on the external connection unit that can be configured to carry UDC/VoIP traffic.2-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card Note The TNC card supports UDC and VoIP configuration only when OSC is configured on the ports. To delete the OSC channel on a port, delete the UDC and VoIP configuration on that port. For more information, refer chapter, "Install the Cisco ONS 15454 Shelf Assembly" in the Cisco ONS 15454 DWDM Procedure Guide. On the 15454-M2 and 15454-M6 shelves, the TNC card must adhere to the following rules for SDCC/LDCC allocation: • SDCC + SDCC Tunnels <= 68 • LDCC <= 28 • IP Tunnels <= 10 • SDCC + SDCC tunnels + (LDCC * 3) <= 84 2.6.1.2 Optical Service Channel The TNC card supports two optical service channels (OSC) through two small-form factor pluggable (SFP) ports. The two SFP ports are named SFP1 and SFP2. The supported SFPs on TNC ports are ONS-SC-OSC-ULH, ONS-SE-155-1510, and ONS-SC-Z3-1510. Note When you replace SFPs on the TNC card, provisioning for the current SFP has to be deleted before the new SFP is plugged in. SFP1 supports the following payloads: • OC-3/STM-1 • Fast Ethernet (FE) • Gigabit Ethernet (GE) SFP2 supports the following payloads: • Fast Ethernet (FE) • Gigabit Ethernet (GE) 2.6.1.3 Timing and Synchronization The TNC card performs all the system-timing functions for the 15454-M2 and 15454-M6 shelves. This includes short-term clock recovery, reducing the need to reset the calendar and time-of-day settings after a power failure. The TNC card ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing and synchronization requirements. The TNC card supports external, line, and internal timing inputs. The TNC card supports 64KHz+8KHz composite clock and 6.312 MHz timing output. Note The TNC card supports the BITS-1 and BITS-2 external timing interfaces on the ONS 15454 M6 shelf. The card supports the BITS-1 interface on the ONS 15454 M2 shelf.2-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card The TNC card monitors the recovered clocks from each traffic card and two building integrated timing supply (BITS-1 and BITS-2) ports for accurate frequencies. The card selects a recovered clock, a BITS, OC-N/STM-N, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TNC card to synchronize with the recovered clock, which provides holdover if the reference is lost. The card supports SNTP operation that allows the nodes to synchronize the system clock automatically with a reference SNTP server following system reboots, card resets, and software upgrades. For more information on the timing function, see the Timing Reference chapter. 2.6.1.4 MultiShelf Management The TNC card supports multishelf management of up to 30 shelves including the node controller. The card supports up to 29 subtending shelves. The subtending shelves can be the ONS 15454 M6 or ONS 15454 shelves. This allows network administrators to isolate faults and provision new services across the DWDM network. In the ONS 15454 M6 shelf, there are six FE RJ45 ports on the ECU and each TNC card supports three FE RJ45 connections to connect subtending shelves. 2.6.1.5 Database Storage The TNC card provides 4 GB of non-volatile database storage (IDE Compact Flash Module) for communication, provisioning, and system control. This allows full database recovery during power failure. The TNC card supports writing and reading to and from an external non-volatile memory device. The card also communicates with the non-volatile memory device through a USB 2.0 standard interface. The USB-WRITE-FAIL alarm may be raised on the TNC card when synchronization occurs between Compact Flash and USB Flash. If this alarm does not clear even after 20 minutes duration, it is recommended to contact TAC. For information on USB-WRITE-FAIL alarm, see the Cisco ONS 15454 DWDM Troubleshooting Guide. Note The configuration details are stored in the database of the TNC card. The database restore from a TNC card to a TSC card or vice versa is not supported. 2.6.1.6 Interface Ports The TNC card has three built-in interface ports: • RJ-45 LAN port • RJ-45 console port • RS-232 port (serial port) The RJ-45 LAN port and RS-232 port are located on the faceplate of the TNC card. The RJ-45 console port is behind the faceplate of the TNC card. The front access RJ-45 LAN port provides 10/100 BASE-T Ethernet connectivity to the system. The RJ-45 LAN port has LEDs to provide link and activity status. The RJ-45 LAN port provides local and remote access to the Cisco Transport Controller through a common Web interface. The RJ-45 console port is used to launch a debug session on the TNC card.2-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card The RS-232 port is used to connect to the Transaction Language 1 (TL1) management interface. In TL1 mode, the RS-232 port runs at 9.6 Kbps without any flow control. The front access LAN port and RJ-45 EMS LAN port can be provisioned with different IP addresses by configuring the TNC card in secure mode using CTC. On 15454 M2, the EMS port is on the power module. On 15454 M6, the EMS port is on the ECU. The two SFP ports (SFP1 and SFP2) are used for primary OSC and secondary OSC connections. SFP1 supports OC-3/STM-1, FE, or GE payloads; SFP2 supports FE or GE payloads. The two SFP ports on the TNC card are in IS,AINS administrative state during payload creation. In this state, only the following alarms are raised: • AS-MT alarm on PPM • AS-CMD alarm on PPM and facility • Prov-Mismatch alarm on PPM The TX power is -40 and RX power is -50 for Ultra long-haul SFPs. The TX power is -40 and RX power is -40 for other SFPs. When the OSC is created, the two SFP ports move to IS state. In this state, all the supported alarms are raised. Note VLAN tagged traffic is not supported on UDC or VoIP ports that are present on the external connection unit. 2.6.1.7 External Alarms and Controls The TNC card provides customer-defined (environmental) alarms and external controls on the ONS 15454 M6 shelf. The card provides input/output alarm contact closures. The TNC card operates in two modes: • External alarms mode - This is the default mode and up to 14 alarm input ports can be configured. External alarms (input contacts) are typically used for external sensors such as open doors, temperature sensors, flood sensors, and other environmental conditions. • External control mode - Up to 10 alarm input ports and four alarm output ports can be configured. External controls (output contacts) are typically used to drive visual or audible devices such as bells and lights, but they can control other devices such as generators, heaters, and fans. To configure the external alarms and external controls, go to Provisioning -> Alarm Extenders tab in the CTC node view. To view the external alarms and external controls, go to Maintenance -> Alarm Extenders tab in the CTC node view. For information on how to configure and view the external alarms and external controls, refer chapter “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. Note The LCD module must be present in the ONS 15454 M6 shelf assembly to provision alarms from the ECU, fan-tray assembly, or power modules. For information on pinouts of external alarms and external controls, see the “ONS 15454 ANSI Alarm, Timing, LAN, and Craft Pin Connections” section in the Cisco ONS 15454 Hardware Installtion Guide.2-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card 2.6.1.8 Digital Image Signing (DIS) The TNC card provides services that authenticate the origin of the software running on the Cisco ONS 15454 M2 and Cisco ONS 15454 M6 platforms, see the 2.8 Digital Image Signing, page 2-33 section. 2.6.2 Faceplate and Block Diagram The faceplate design of the TNC card allows sufficient space to insert or remove cables while accessing the Ethernet and SFP ports. The TNC card can be installed only in slots 1 or 8 of the ONS 15454 M6 shelf and in slot 1 of the ONS 15454 M2 shelf. The TNC card has an identifier on the faceplate that matches with an identifier in the shelf. A key is also provided on the backplane interface connectors as identifier in the shelf. The TNC card supports field-programmable gate array (FPGA) for the backplane interface. The TNC card has three FPGA: TCCA, SYNTIDE, and FRAMPOS. Figure 2-5 illustrates the faceplate and block diagram for the TNC card. Figure 2-5 TNC Faceplate and Block Diagram HAZARD LEVEL 1 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JUNE 24, 2007 TNC FAIL ACT/STBY ACO SFP2 PWR A B LAMP TEST SFP1 LINK EIA/TIA-232 LINK ACT TCP/IP LINK ACT ACT TX RX TX RX CRIT REM MAJ SYNC MIN ACO 1GB DDR2 Mini-DIMM CPU MPC8568E GE Phy GE Phy GE Phy SFP1 SFP2 BusMux CPLD Ethernet Switch Local Ethernet Switch External Glue Logic CPLD SYNTIDE FPGA Boot Flash USB Controller FRAMPOS FPGA TCCA FPGA T1/E1 Framers LOG NVRAM FE Phy 4GB Compact Flash 2778552-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card 2.6.3 Lamp Test The TNC card supports a lamp test function that is activated by pressing the Lamp Test button on the faceplate or from CTC. The lamp test function allows the user to test the working state of LEDs and ensures that all LEDs are functional. When you activate the lamp test function, all the port LEDs illuminate simultaneously for several seconds. 2.6.4 TNC Card Installation (ONS 15454 M6) On the ONS 15454 M6 shelf, the TNC card operates in either simplex or duplex (redundant) control mode. In redundant control mode, high availability is achieved. When a redundant TNC card is inserted into a node, it synchronizes its software, backup software, and database with the active TNC card. If the software versions do not match, the redundant TNC card copies from the active TNC card, taking about 15 to 20 minutes to complete. If the software versions match, the redundant TNC card copies the backup software from the active TNC card, taking about 15 to 20 minutes. Copying the database from the active TNC card takes about 3 minutes. Depending on the software version and backup version the redundant TNC card started with, the entire process can take between 3 and 40 minutes. 2.6.5 Card-Level Indicators The TNC faceplate has twelve LEDs. Table 2-11 describes the two card-level LEDs on the TNC faceplate. 2.6.6 Network-Level Indicators Table 2-12 describes the six network-level LEDs on the TNC faceplate. Table 2-11 TNC Card-Level Indicators Card-Level LEDs Definition Red FAIL LED Indicates the TNC card is in fail mode. This LED is on during reset. This LED flashes during the boot and write process. Replace the card if the FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Indicates the TNC card is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TNC is writing to its database or to the standby TNC database, the card LEDs blink. To avoid memory corruption, do not remove the TNC card when the active or standby LED is blinking.2-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card Table 2-12 TNC Network-Level Indicators System-Level LEDs Definition Red CRIT LED Indicates critical alarms in the network at the local terminal. Red MAJ LED Indicates major alarms in the network at the local terminal. Yellow MIN LED Indicates minor alarms in the network at the local terminal. Red REM LED Provides first-level alarm isolation. The remote (REM) LED turns red when a critical, major, or minor alarm is present in one or more of the remote terminals. Green SYNC LED Indicates the synchronization status; Indicates that node timing is synchronized to an external reference. Green ACO LED Indicates the Alarm Cut-Off status. After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.2-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TNC Card 2.6.7 Power-Level Indicators Table 2-13 describes the two power-level LEDs on the TNC faceplate. 2.6.8 Ethernet Port Indicators Table 2-14 describes the two port-level LEDs on the TNC faceplate. 2.6.9 SFP Indicators Table 2-15 describes the SFP LED indicators. Table 2-13 TNC Power-Level Indicators Power-Level LEDs Definition Green/Red PWR A LED Indicates the status of power to the card. The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is red when the voltage on supply input A is above high battery voltage/extremely high battery voltage (EHIBATVG ) or below low battery voltage/extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is 0. Green/Red PWR B LED Indicates the status of power to the card. The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is red when the voltage on supply input B is above high battery voltage/extremely high battery (EHIBATVG ) voltage or below low battery voltage/extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input B is 0. Table 2-14 TNC Port-Level Indicators Port-Level LEDs Definition Green LINK LED Indicates the connectivity status. Amber ACT LED Indicates data reception.2-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card 2.6.10 Protection Schemes The TNC card supports active and redundant architecture. The ONS 15454 M6 shelf supports 1:1 equipment protection with one TNC card acting as active and the other TNC card as redundant. The ONS 15454 M2 shelf supports simplex control mode. In this mode, the active TNC card operates without a redundant TNC card. The ONS 15454 M6 shelf supports both simplex and redundant control mode. In redundant control mode, the active TNC card operates with a redundant TNC card as the backup. If the active TNC card is removed, system traffic switches to the redundant TNC card. If the redundant TNC card is not present or not in the standby state, removing the active TNC card results in loss of system traffic and management connectivity. In redundant control mode, a TNC card can protect another TNC card. However, a TNC card cannot protect a TSC card or vice versa. 2.6.11 Cards Supported by TNC The TNC card supports 15454 MSTP line cards except the following cards: • OSCM • ISC • AIC • AIC-I The TNC card is not interoperable with TCC2 /TCC2P/TCC3 cards. The TNC and TCC cards cannot be inserted in the same shelf. The line cards such as Transponder and Muxponder cards can be inserted in the ONS 15454 M2 and ONS 15454 M6 shelves along with the TNC card. 2.7 TSC Card (Cisco ONS 15454 M2 and ONS 15454 M6 only) The TSC card combines the functions of multiple cards such as TCC2P, ISC, and AIC-I cards. The card has a similar look and feel to TCC2/TCC2P/TCC3 cards. Table 2-15 TNC SFP Indicators Port Type Link LED Activity LED OC3 • RED - No link • GREEN - Link — FE • RED - No link • GREEN - Link Blinks on packet flow GE • RED - No link • GREEN - Link Blinks on packet flow2-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card Note For TSC card specifications, see the A.3.5 TSC Card Specifications (ONS 15454 M2 and ONS 15454 M6), page A-7 section. The TSC card is provisioned as master and slave in the ONS 15454 M6 shelf, and as a stand-alone card in the ONS 15454 M2 shelf. The TSC card serves as the processor card for the node. On the ONS 15454 M6 shelf, install redundant TSC cards in slots 1 and 8. If the active TSC card fails, system traffic switches to the redundant TSC card. The TSC card supports line cards from slots 2 to 7. On the ONS 15454 M2 shelf, install the stand-alone TSC card in slot 1. The TSC card supports line cards in slots 2 and 3. The TSC card monitors both the supply voltage inputs on the 15454-M6 shelf. The TSC card raises an alarm if one of the supply voltage inputs has a voltage out of the specified range. The 15454-M2 shelf has dual power supply. You can insert and remove the TSC card even when the system is online, without impacting the system traffic. The TSC card does not support optical service channel (OSC) and SFP ports. You can upgrade the TSC card to a TNC card. During the upgrade, the TNC card does not support OSC functions such as UDC, VoIP, DCC, and timing function. However, you can still provision SFP ports on the TNC card during the upgrade. The TNC and TSC cards cannot be inserted in the same shelf. The TSC card supports all the alarms supported by the TCC2P and AIC-I cards. The card adjusts the fan speed according to the temperature and reports a fan failure alarm. Note The LAN interface of the TSC card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from -40 to 32 degrees Fahrenheit (-40 to 0 degrees Celsius). 2.7.1 Functions of TSC The functions of the TSC card are explained in the following sections: 2.7.1.1 Communication and Control The TSC card acts as a shelf controller. The control tasks include system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection, and resolution. The control tasks also include SONET and SDH data communications channel (DCC) termination, 84 section SDCC and multiplex section MSDCC terminations, 28 SDCC tunnels or SDCC-to-line LDCC terminations, and system fault detection for the ONS 15454 M2 and ONS 15454 M6 shelves. The system initialization tasks include assigning the network parameters to the system and loading the system with the provisioning data stored in the database. The line cards in the system do not boot without the TSC card. The TSC card supports and provides the following: • Passive inventory of external devices on the 15454-M2 and 15454-M6 shelves. • 100 Mbps UDC on the 15454-M6 shelf. 2-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card On the 15454-M2 and 15454-M6 shelves, the TSC card must adhere to the following rules for SDCC/LDCC allocation. • SDCC + SDCC Tunnels <= 68 • LDCC <= 28 • IP Tunnels <= 10 • SDCC + SDCC tunnels + (LDCC * 3) <= 84 2.7.1.2 Timing and Synchronization The TSC card performs all the system-timing functions for the 15454-M2 and 15454-M6 shelves. This includes short-term clock recovery, reducing the need to reset the calendar and time-of-day settings after a power failure. The TSC card ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing and synchronization requirements. The TSC card supports external, line, and internal timing inputs. The TSC card supports 64KHz+8KHz composite clock and 6.312 MHz timing output. Note The TSC card supports the BITS-1 and BITS-2 external timing interfaces on the 15454-M6 shelf. The card supports the BITS-1 interface on the 15454-M2 shelf. The TSC card monitors the recovered clocks from each traffic card and two building integrated timing supply (BITS-1 and BITS-2) ports for accurate frequencies. The card selects a recovered clock, a BITS, OC-N/STM-N, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TSC card to synchronize with the recovered clock, which provides holdover if the reference is lost. The card supports SNTP operation that allows the nodes to synchronize the system clock automatically with a reference SNTP server following system reboots, card resets, and software upgrades. For more information on the timing function, see the Timing Reference chapter. 2.7.1.3 MultiShelf Management The TSC card supports multishelf management with support for up to 30 shelves including the node controller. The card supports up to 29 subtending shelves. The subtending shelves can be the 15454-M6 or 15454-DWDM shelves. This allows network administrators to isolate faults and provision new services across the DWDM network. In the 15454-M6 shelf, there are six FE RJ45 ports on the ECU. Each TSC card supports three FE RJ45 connections to connect subtending shelves. 2.7.1.4 Database Storage The TSC card provides 4 GB of non-volatile database storage (IDE Compact Flash Module) for communication, provisioning, and system control. This allows full database recovery during power failure. The TSC card supports writing and reading to and from an external non-volatile memory device. The card also communicates with the non-volatile memory device through a USB 2.0 standard interface.2-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card Note The configuration details are stored in the database of the TSC card. The database restore from a TSC card to a TNC card or vice versa is not supported. 2.7.1.5 Interface Ports The TSC card has three built-in interface ports: • RJ-45 LAN port • RJ-45 console port • RS-232 port (serial port) The RJ-45 LAN port and RS-232 port are located on the faceplate of the TSC card. The RJ-45 console port is behind the faceplate of the TSC card. The front access RJ-45 LAN port provides 10/100 BASE-T Ethernet connectivity to the system. The RJ-45 LAN port has LEDs to provide link and activity status. The RJ-45 LAN port provides local and remote access to the Cisco Transport Controller through a common Web interface. The RJ-45 console port is used to launch a debug session on the TSC card. The RS-232 port is used to connect to the TL1 management interface. In TL1 mode, the RS-232 port runs at 9.6 Kbps without any flow control. The front access LAN port and RJ-45 EMS LAN port can be provisioned with different IP addresses by configuring the TSC card in secure mode using CTC. On 15454 M2, the EMS port is on the power module. On 15454 M6, the EMS port is on the ECU. 2.7.1.6 External Alarms and Controls The TSC card provides customer-defined (environmental) alarms and external controls on the ONS 15454 M6 shelf. The card provides input/output alarm contact closures. The TSC card operates in two modes: • External alarms mode - This is the default mode and up to 14 alarm input ports can be configured. External alarms (input contacts) are typically used for external sensors such as open doors, temperature sensors, flood sensors, and other environmental conditions. • External control mode - Up to 10 alarm input ports and four alarm output ports can be configured. External controls (output contacts) are typically used to drive visual or audible devices such as bells and lights, but they can control other devices such as generators, heaters, and fans. To configure the external alarms and external controls, go to Provisioning -> Alarm Extenders tab in the CTC node view. To view the external alarms and external controls, go to Maintenance -> Alarm Extenders tab in the CTC node view. For information on how to configure and view the external alarms and external controls, refer chapter “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. Note The LCD module must be present in the ONS 15454 M6 shelf assembly to provision alarms from the ECU, fan-tray assembly, or power modules. For information on pinouts of external alarms and external controls, see the “ONS 15454 ANSI Alarm, Timing, LAN, and Craft Pin Connections” section in the Cisco ONS 15454 Hardware Installation Guide.2-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card 2.7.1.7 Digital Image Signing (DIS) The TSC card provides services that authenticate the origin of the software running on the Cisco ONS 15454 M2 and Cisco ONS 15454 M6 platforms. For more information, see the 2.8 Digital Image Signing, page 2-33 section. 2.7.2 Faceplate and Block Diagram The faceplate design of the TSC card allows sufficient space to insert or remove cables while accessing the Ethernet ports. The TSC card can be installed only in slots 1 or 8 of the 15454-M6 shelf and in slot 1 of the 15454-M2 shelf. The TSC card has an identifier on the faceplate that matches with an identifier in the shelf. A key is also provided on the backplane interface connectors as identifier in the shelf. The TSC card supports field-programmable gate array (FPGA) for the backplane interface. The TSC card has two FPGA: TCCA and SYNTIDE. Figure 2-6 illustrates the faceplate and block diagram for the TSC card. Figure 2-6 TSC Faceplate and Block Diagram TSC FAIL ACT/STBY CRIT REM MAJ SYNC MIN ACO ACO PWR A B LAMP TEST EIA/TIA-232 TCP/IP LINK ACT 256MB DDR2 Mini-DIMM CPU MPC8568E GE Phy GE Phy BusMux CPLD Ethernet Switch Local Ethernet Switch External Glue Logic CPLD SYNTIDE FPGA Boot Flash USB Controller TCCA FPGA T1/E1 Framers LOG NVRAM 256MB Compact Flash 2778562-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card 2.7.3 Lamp Test The TSC card supports a lamp test function that is activated by pressing the Lamp Test button on the faceplate or from CTC. The lamp test function allows the user to test the working state of LEDs and ensures that all LEDs are functional. When you activate the lamp test function, all the port LEDs illuminate simultaneously for several seconds. 2.7.4 TSC Card Installation (ONS 15454 M6) On the ONS 15454 M6 shelf, the TSC card operates in either simplex or duplex (redundant) control mode. In redundant control mode, high availability is achieved. When a redundant TSC card is inserted into a node, it synchronizes its software, backup software, and database with the active TSC card. If the software versions do not match, the redundant TSC card copies from the active TSC card, taking about 15 to 20 minutes to complete. If the software versions match, the redundant TSC card copies the backup software from the active TSC card, taking about 15 to 20 minutes. Copying the database from the active TSC card takes about 3 minutes. Depending on the software version and backup version the redundant TSC card started with, the entire process can take between 3 and 40 minutes. 2.7.5 Card-Level Indicators The TSC faceplate has twelve LEDs. Table 2-11 describes the two card-level LEDs on the TSC faceplate. 2.7.6 Network-Level Indicators Table 2-12 describes the six network-level LEDs on the TSC faceplate. Table 2-16 TSC Card-Level Indicators Card-Level LEDs Definition Red FAIL LED Indicates the TSC card is in fail mode. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Indicates the TSC card is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TSC is writing to its database or to the standby TSC database, the card LEDs blink. To avoid memory corruption, do not remove the TSC card when the active or standby LED is blinking.2-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card 2.7.7 Power-Level Indicators Table 2-13 describes the two power-level LEDs on the TSC faceplate. Table 2-17 TSC Network-Level Indicators System-Level LEDs Definition Red CRIT LED Indicates critical alarms in the network at the local terminal. Red MAJ LED Indicates major alarms in the network at the local terminal. Yellow MIN LED Indicates minor alarms in the network at the local terminal. Red REM LED Provides first-level alarm isolation. The remote (REM) LED turns red when a critical, major, or minor alarm is present in one or more of the remote terminals. Green SYNC LED Indicates the synchronization status; Indicates that node timing is synchronized to an external reference. Green ACO LED Indicates the Alarm Cut-Off status. After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.2-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards TSC Card 2.7.8 Ethernet Port Indicators Table 2-14 describes the two port-level LEDs on the TSC faceplate. 2.7.9 Protection Schemes The TSC card supports active and redundant architecture. The ONS 15454 M6 shelf supports 1:1 equipment protection with one TSC card acting as active and the other TSC card as redundant. The 15454-M2 shelf supports simplex control mode. In this mode, the active TSC card operates without a redundant TSC card. The 15454-M6 shelf supports both simplex and redundant control mode. In redundant control mode, the active TSC card operates with a redundant TSC card as the backup. If the active TSC card is removed, system traffic switches to the redundant TSC card. If the redundant TSC card is not present or not in the standby state, removing the active TSC card results in loss of system traffic and management connectivity. Table 2-18 TSC Power-Level Indicators Power-Level LEDs Definition Green/Red PWR A LED Indicates the status of power to the card. The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is red when the voltage on supply input A is above high battery voltage/extremely high battery voltage (EHIBATVG ) or below low battery voltage/extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is 0. Green/Red PWR B LED Indicates the status of power to the card. The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is red when the voltage on supply input B is above high battery voltage/extremely high battery (EHIBATVG ) voltage or below low battery voltage/extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input B is 0. Table 2-19 TSC Port-Level Indicators Port-Level LEDs Definition Green LINK LED Indicates the connectivity status. Amber ACT LED Indicates the data reception.2-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Digital Image Signing In redundant control mode, a TSC card can protect another TSC card. However, a TSC card cannot protect a TNC card or vice versa. 2.7.10 Cards Supported by TSC The TSC card supports 15454 MSTP line cards except the following cards: • OSCM • ISC • AIC • AIC-I The TSC card is not interoperable with TCC2 /TCC2P/TCC3 cards. The TSC and TCC cards cannot be inserted in the same shelf. The line cards such as Transponder and Muxponder cards can be inserted in the 15454-M2 and 15454-M6 shelves along with the TSC card. 2.8 Digital Image Signing (Cisco ONS 15454 M2 and ONS 15454 M6 only) The DIS feature complies with the new U.S. Government Federal Information Processing Standard (FIPS) 140-3 to provide security for all software provided on the Cisco ONS 15454 M6 and ONS 15454 M2 platforms. This standard requires software to be digitally signed and verified for authenticity and integrity prior to load and execution. DIS feature automatically provides increased protection. DIS focuses on software security and provides increased protection from attacks and threats to Cisco ONS 15454 M2 and ONS 15454 M6 products. DIS verifies software integrity and provides assurance that the software has not been tampered with or modified. Digitally signed Cisco software provides counterfeit protection. New controller cards, such as TNC/TSC, provide services that authenticate the origin of the software running on the Cisco ONS 15454 M2 and Cisco ONS 15454 M6 platforms. The signage and verification process is transparent until verification fails. 2.8.1 DIS Identification Digitally signed software can be identified by the last three characters appended to the working version and protected version field in CTC. The DIS conventions can be viewed under the working version displayed in the Maintenance > Software tab in CTC. For example, 9.2.0 (09.20-X10C-29.09-SDA) and 9.2.0 (09.20-010C-18.18-SPA).2-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards AIC-I Card The significance of the three characters appended to the software version is explained in Table: For information on how to retrieve and view DIS information in CTC please refer to the “Turn Up a Node” Chapter in the Cisco ONS 15454 DWDM Procedure Guide, 9.2. 2.9 AIC-I Card (Cisco ONS 15454 only) Note For hardware specifications, see the “A.3.6 AIC-I Card Specifications” section on page A-8. The optional Alarm Interface Controller–International (AIC-I) card provides customer-defined (environmental) alarms and controls and supports local and express orderwire. It provides 12 customer-defined input and 4 customer-defined input/output contacts. The physical connections are via the backplane wire-wrap pin terminals. If you use the additional alarm expansion panel (AEP), the AIC-I card can support up to 32 inputs and 16 outputs, which are connected on the AEP connectors. The AEP is compatible with ANSI shelves only. A power monitoring function monitors the supply voltage (–48 VDC). Figure 2-7 shows the AIC-I faceplate and a block diagram of the card. Table 2-20 DIS Conventions in the Software Version Character Meaning S (first character) Indicates that the package is signed. P or D (second character) Production (P) or Development (D) image. Production image—Software approved for general release. Development image—development software provided under special conditions for limited use. A (third character) This third character indicates the version of the key used for signature generation. The version changes when a key is revoked and a new key is used. The values of the version key varies from A to Z.2-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards AIC-I Card Figure 2-7 AIC-I Faceplate and Block Diagram 2.9.1 AIC-I Card-Level Indicators Table 2-21 describes the eight card-level LEDs on the AIC-I card faceplate. AIC-I Fail Express orderwire Local orderwire EEPROM LED x2 AIC-I FPGA SCL links 4 x IN/OUT Power Monitoring 12/16 x IN Ringer Act Ring Ring Input Output 78828 FAIL ACT ACC INPUT/OUTPUT EOW LOW RING AIC-1 (DTMF) (DTMF) UDC-A UDC-B DCC-A DCC-B ACC PWR A B RING DCC-B DCC-A UDC-B UDC-A Table 2-21 AIC-I Card-Level Indicators Card-Level LEDs Description Red FAIL LED Indicates that the card’s processor is not ready. The FAIL LED is on during reset and flashes during the boot process. Replace the card if the red FAIL LED persists. Green ACT LED Indicates the AIC-I card is provisioned for operation.2-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards AIC-I Card 2.9.2 External Alarms and Controls The AIC-I card provides input/output alarm contact closures. You can define up to 12 external alarm inputs and 4 external alarm inputs/outputs (user configurable). The physical connections are made using the backplane wire-wrap pins or FMEC connections. For information about increasing the number of input/output contacts, see the “ONS 15454 ANSI Alarm Expansion Panel” section in the Cisco ONS 15454 Hardware Installation Guide. LEDs on the front panel of the AIC-I indicate the status of the alarm lines, one LED representing all of the inputs and one LED representing all of the outputs. External alarms (input contacts) are typically used for external sensors such as open doors, temperature sensors, flood sensors, and other environmental conditions. External controls (output contacts) are typically used to drive visual or audible devices such as bells and lights, but they can control other devices such as generators, heaters, and fans. You can program each of the twelve input alarm contacts separately. You can program each of the sixteen input alarm contacts separately. Choices include: • Alarm on Closure or Alarm on Open • Alarm severity of any level (Critical, Major, Minor, Not Alarmed, Not Reported) • Service Affecting or Non-Service Affecting alarm-service level • 63-character alarm description for CTC display in the alarm log You cannot assign the fan-tray abbreviation for the alarm; the abbreviation reflects the generic name of the input contacts. The alarm condition remains raised until the external input stops driving the contact or you provision the alarm input. The output contacts can be provisioned to close on a trigger or to close manually. The trigger can be a local alarm severity threshold, a remote alarm severity, or a virtual wire: • Local NE alarm severity: A hierarchy of Not Reported, Not Alarmed, Minor, Major, or Critical alarm severities that you set to cause output closure. For example, if the trigger is set to Minor, a Minor alarm or above is the trigger. Green/Red PWR A LED The PWR A LED is green when a supply voltage within a specified range has been sensed on supply input A. It is red when the input voltage on supply input A is out of range. Green/Red PWR B LED The PWR B LED is green when a supply voltage within a specified range has been sensed on supply input B. It is red when the input voltage on supply input B is out of range. Yellow INPUT LED The INPUT LED is yellow when there is an alarm condition on at least one of the alarm inputs. Yellow OUTPUT LED The OUTPUT LED is yellow when there is an alarm condition on at least one of the alarm outputs. Green RING LED The RING LED on the local orderwire (LOW) side is flashing green when a call is received on the LOW. Green RING LED The RING LED on the express orderwire (EOW) side is flashing green when a call is received on the EOW. Table 2-21 AIC-I Card-Level Indicators (continued) Card-Level LEDs Description2-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards AIC-I Card • Remote NE alarm severity: Same as the local NE alarm severity but applies to remote alarms only. • Virtual wire entities: You can provision any environmental alarm input to raise a signal on any virtual wire on external outputs 1 through 4 when the alarm input is an event. You can provision a signal on any virtual wire as a trigger for an external control output. You can also program the output alarm contacts (external controls) separately. In addition to provisionable triggers, you can manually force each external output contact to open or close. Manual operation takes precedence over any provisioned triggers that might be present. Note For ANSI shelves, the number of inputs and outputs can be increased using the AEP. The AEP is connected to the shelf backplane and requires an external wire-wrap panel. 2.9.3 Orderwire Orderwire allows a craftsperson to plug a phoneset into an ONS 15454 and communicate with craftspeople working at other ONS 15454s or other facility equipment. The orderwire is a pulse code modulation (PCM) encoded voice channel that uses E1 or E2 bytes in section/line overhead. The AIC-I allows simultaneous use of both local (section overhead signal) and express (line overhead channel) orderwire channels on a SONET/SDH ring or particular optics facility. Express orderwire also allows communication via regeneration sites when the regenerator is not a Cisco device. You can provision orderwire functions with CTC similar to the current provisioning model for DCC/GCC channels. In CTC, you provision the orderwire communications network during ring turn-up so that all NEs on the ring can reach one another. Orderwire terminations (that is, the optics facilities that receive and process the orderwire channels) are provisionable. Both express and local orderwire can be configured as on or off on a particular SONET/SDH facility. The ONS 15454 supports up to four orderwire channel terminations per shelf. This allows linear, single ring, dual ring, and small hub-and-spoke configurations. Orderwire is not protected in ring topologies such as bidirectional line switched ring (BLSR), multiplex section-shared protection ring (MS-SPRing), path protection, or subnetwork connection protection (SNCP) ring. Caution Do not configure orderwire loops. Orderwire loops cause feedback that disables the orderwire channel. The ONS 15454 implementation of both local and express orderwire is broadcast in nature. The line acts as a party line. Anyone who picks up the orderwire channel can communicate with all other participants on the connected orderwire subnetwork. The local orderwire party line is separate from the express orderwire party line. Up to four OC-N/STM-N facilities for each local and express orderwire are provisionable as orderwire paths. The AIC-I supports selective dual tone multifrequency (DTMF) dialing for telephony connectivity, which causes one AIC-I card or all ONS 15454 AIC-I cards on the orderwire subnetwork to “ring.” The ringer/buzzer resides on the AIC-I. There is also a “ring” LED that mimics the AIC-I ringer. It flashes when a call is received on the orderwire subnetwork. A party line call is initiated by pressing *0000 on the DTMF pad. Individual dialing is initiated by pressing * and the individual four-digit number on the DTMF pad. Table 2-22 shows the pins on the orderwire connector that correspond to the tip and ring orderwire assignments. 2-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards AIC-I Card When provisioning the orderwire subnetwork, make sure that an orderwire loop does not exist. Loops cause oscillation and an unusable orderwire channel. Figure 2-8 shows the standard RJ-11 connectors used for orderwire ports. Figure 2-8 RJ-11 Connector 2.9.4 Power Monitoring The AIC-I card provides a power monitoring circuit that monitors the supply voltage of –48 VDC for presence, undervoltage, and overvoltage. 2.9.5 User Data Channel The user data channel (UDC) features a dedicated data channel of 64 kbps (F1 byte) between two nodes in an ONS 15454 network. Each AIC-I card provides two user data channels, UDC-A and UDC-B, through separate RJ-11 connectors on the front of the AIC-I card. Each UDC can be routed to an individual optical interface in the ONS 15454. For instructions, see the Cisco ONS 15454 DWDM Procedure Guide. The UDC ports are standard RJ-11 receptacles. Table 2-23 lists the UDC pin assignments. Table 2-22 Orderwire Pin Assignments RJ-11 Pin Number Description 1 Four-wire receive ring 2 Four-wire transmit tip 3 Two-wire ring 4 Two-wire tip 5 Four-wire transmit ring 6 Four-wire receive tip 61077 Pin 1 Pin 6 RJ-11 Table 2-23 UDC Pin Assignments RJ-11 Pin Number Description 1 For future use 2 TXN 3 RXN2-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards MS-ISC-100T Card 2.9.6 Data Communications Channel The DCC features a dedicated data channel of 576 kbps (D4 to D12 bytes) between two nodes in an ONS 15454 network. Each AIC-I card provides two data communications channels, DCC-A and DCC-B, through separate RJ-45 connectors on the front of the AIC-I card. Each DCC can be routed to an individual optical interface in the ONS 15454. For instructions, see the Cisco ONS 15454 DWDM Procedure Guide. The DCC ports are synchronous serial interfaces. The DCC ports are standard RJ-45 receptacles. Table 2-24 lists the DCC pin assignments. 2.10 MS-ISC-100T Card (Cisco ONS 15454 only) Note For hardware specifications, see the “A.3.10 MS-ISC-100T Card Specifications” section on page A-11. The Multishelf Internal Switch Card (MS-ISC-100T) is an Ethernet switch used to implement the multishelf LAN. It connects the node controller shelf to the network and to subtending shelves. The MS-ISC-100T must always be equipped on the node controller shelf; it cannot be provisioned on a subtending controller shelf. The recommended configuration is to implement LAN redundancy using two MS-ISC-100T cards: one switch is connected to the Ethernet front panel port of the TCC2/TCC2P card in Slot 7, and the other switch is connected to the Ethernet front panel port of the TCC2/TCC2P card in Slot 11. The Ethernet 4 RXP 5 TXP 6 For future use Table 2-23 UDC Pin Assignments (continued) RJ-11 Pin Number Description Table 2-24 DCC Pin Assignments RJ-45 Pin Number Description 1 TCLKP 2 TCLKN 3 TXP 4 TXN 5 RCLKP 6 RCLKN 7 RXP 8 RXN2-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards MS-ISC-100T Card configuration of the MS-ISC-100T card is part of the software package and is automatically loaded. The MS-ISC-100T card operates in Slots 1 to 6 and 12 to 17 on the node controller shelf; the recommended slots are Slot 6 and Slot 12. Table 2-25 lists the MS-ISC-100T port assignments. Figure 2-9 shows the card faceplate. Caution Shielded twisted-pair cabling should be used for interbuilding applications. Table 2-25 MS-ISC-100T Card Port Assignments Port Description DCN 1and DCN 2 Connection to the network SSC1 to SSC7 Connection to subtending shelves NC Connection to TCC2/TCC2P using a cross-over cable PRT Connection to the PRT port of the redundant MS-ISC-100T2-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards MS-ISC-100T Card Figure 2-9 MS-ISC-100T Faceplate 2.10.1 MS-ISC-100T Card-Level Indicators The MS-ISC-100T card supports two card-level LED indicators. The card-level indicators are described in Table 2-26. FAIL ACT MS ISC 100T CONSOLE 145274 DC2 SSC1 SSC2 SSC3 SSC4 SSC5 SSC6 SSC7 NC PRT DCN12-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Front Mount Electrical Connections 2.11 Front Mount Electrical Connections This section describes the MIC-A/P and MIC-C/T/P FMECs, which provide power, external alarm, and timing connections for the ONS 15454 ETSI shelf. 2.11.1 MIC-A/P FMEC Note For hardware specifications, see the “A.3.8 MIC-A/P FMEC Specifications (ETSI only)” section on page A-10. The MIC-A/P FMEC provides connection for the BATTERY B input, one of the two possible redundant power supply inputs. It also provides connection for eight alarm outputs (coming from the TCC2/TCC2P card), sixteen alarm inputs, and four configurable alarm inputs/outputs. Its position is in Slot 23 in the center of the subrack Electrical Facility Connection Assembly (EFCA) area. The MIC-A/P FMEC has the following features: • Connection for one of the two possible redundant power supply inputs • Connection for eight alarm outputs (coming from the TCC2/TCC2P card) • Connection for four configurable alarm inputs/outputs • Connection for sixteen alarm inputs • Storage of manufacturing and inventory data For proper system operation, both the MIC-A/P and MIC-C/T/P FMECs must be installed in the ONS 15454 ETSI shelf. Figure 2-10 shows the MIC-A/P faceplate. Figure 2-10 MIC-A/P Faceplate Figure 2-11 shows a block diagram of the MIC-A/P. Table 2-26 MS-ISC-100T Card-Level Indicators Card-Level LEDs Description FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. ACT LED (Green) The green ACT LED provides the operational status of the card. If the ACT LED is green, it indicates that the card is active and the software is operational. MIC-A/P ALARM IN/OUT CLEI CODE BARCODE POWER RATING GND CAUT BATTERY B ION TIGHTEN THE FACEPLATE GHTEN THE FACEPLATE SCREWS WITH 1.0 NM TORQUE SCREWS WITH 1.0 NM TORQUE 2713052-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Front Mount Electrical Connections Figure 2-11 MIC-A/P Block Diagram Table 2-27 shows the alarm interface pinouts on the MIC-A/P DB-62 connector. Inventory Data (EEPROM) 61332 B a c k p l a n e 3W3 Connector Alarms DB62 Connector Power 16 Alarm inputs 4 Alarm in/outputs Table 2-27 Alarm Interface Pinouts on the MIC-A/P DB-62 Connector Pin No. Signal Name Signal Description 1 ALMCUTOFF N Alarm cutoff, normally open ACO pair 2 ALMCUTOFF P Alarm cutoff, normally open ACO pair 3 ALMINP0 N Alarm input pair 1, reports closure on connected wires 4 ALMINP0 P Alarm input pair 1, reports closure on connected wires 5 ALMINP1 N Alarm input pair 2, reports closure on connected wires 6 ALMINP1 P Alarm input pair 2, reports closure on connected wires 7 ALMINP2 N Alarm input pair 3, reports closure on connected wires 8 ALMINP2 P Alarm input pair 3, reports closure on connected wires 9 ALMINP3 N Alarm input pair 4, reports closure on connected wires 10 ALMINP3 P Alarm input pair 4, reports closure on connected wires 11 EXALM0 N External customer alarm 1 12 EXALM0 P External customer alarm 1 13 GND Ground 14 EXALM1 N External customer alarm 2 15 EXALM1 P External customer alarm 2 16 EXALM2 N External customer alarm 3 17 EXALM2 P External customer alarm 3 18 EXALM3 N External customer alarm 4 19 EXALM3 P External customer alarm 4 20 EXALM4 N External customer alarm 5 21 EXALM4 P External customer alarm 5 22 EXALM5 N External customer alarm 6 23 EXALM5 P External customer alarm 6 24 EXALM6 N External customer alarm 7 25 EXALM6 P External customer alarm 72-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Front Mount Electrical Connections 26 GND Ground 27 EXALM7 N External customer alarm 8 28 EXALM7 P External customer alarm 8 29 EXALM8 N External customer alarm 9 30 EXALM8 P External customer alarm 9 31 EXALM9 N External customer alarm 10 32 EXALM9 P External customer alarm 10 33 EXALM10 N External customer alarm 11 34 EXALM10 P External customer alarm 11 35 EXALM11 N External customer alarm 12 36 EXALM11 P External customer alarm 12 37 ALMOUP0 N Normally open output pair 1 38 ALMOUP0 P Normally open output pair 1 39 GND Ground 40 ALMOUP1 N Normally open output pair 2 41 ALMOUP1 P Normally open output pair 2 42 ALMOUP2 N Normally open output pair 3 43 ALMOUP2 P Normally open output pair 3 44 ALMOUP3 N Normally open output pair 4 45 ALMOUP3 P Normally open output pair 4 46 AUDALM0 N Normally open Minor audible alarm 47 AUDALM0 P Normally open Minor audible alarm 48 AUDALM1 N Normally open Major audible alarm 49 AUDALM1 P Normally open Major audible alarm 50 AUDALM2 N Normally open Critical audible alarm 51 AUDALM2 P Normally open Critical audible alarm 52 GND Ground 53 AUDALM3 N Normally open Remote audible alarm 54 AUDALM3 P Normally open Remote audible alarm 55 VISALM0 N Normally open Minor visual alarm 56 VISALM0 P Normally open Minor visual alarm 57 VISALM1 N Normally open Major visual alarm 58 VISALM1 P Normally open Major visual alarm 59 VISALM2 N Normally open Critical visual alarm 60 VISALM2 P Normally open Critical visual alarm Table 2-27 Alarm Interface Pinouts on the MIC-A/P DB-62 Connector (continued) Pin No. Signal Name Signal Description2-45 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Front Mount Electrical Connections 2.11.2 MIC-C/T/P FMEC Note For hardware specifications, see the “A.3.9 MIC-C/T/P FMEC Specifications (ETSI only)” section on page A-10. The MIC-C/T/P FMEC provides connection for the BATTERY A input, one of the two possible redundant power supply inputs. It also provides connection for system management serial port, system management LAN port, modem port (for future use), and system timing inputs and outputs. Install the MIC-C/T/P in Slot 24. The MIC-C/T/P FMEC has the following features: • Connection for one of the two possible redundant power supply inputs • Connection for two serial ports for local craft/modem (for future use) • Connection for one LAN port • Connection for two system timing inputs • Connection for two system timing outputs • Storage of manufacturing and inventory data For proper system operation, both the MIC-A/P and MIC-C/T/P FMECs must be installed in the shelf. Figure 2-12 shows the MIC-C/T/P FMEC faceplate. Figure 2-12 MIC-C/T/P Faceplate Figure 2-13 shows a block diagram of the MIC-C/T/P. 61 VISALM3 N Normally open Remote visual alarm 62 VISALM3 P Normally open Remote visual alarm Table 2-27 Alarm Interface Pinouts on the MIC-A/P DB-62 Connector (continued) Pin No. Signal Name Signal Description MIC-C/T/P CLEI CODE BARCODE POWER RATING GND T BATTERY A IMING A IN TIMING B OUT CAUTION TIGHTEN THE FACEPLATE GHTEN THE FACEPLATE SCREWS WITH 1.0 NM TORQUE SCREWS WITH 1.0 NM TORQUE 271306 LAN AUX TERM L ACT INK2-46 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 2 Common Control Cards Front Mount Electrical Connections Figure 2-13 MIC-C/T/P Block Diagram The MIC-C/T/P FMEC has one pair of LEDs located on the RJ45 LAN connector. The green LED is on when a link is present, and the amber LED is on when data is being transferred. Inventory Data (EEPROM) 61334 B a c k p l a n e 3W3 connector Power RJ-45 connectors System management serial ports RJ-45 connectors System management LAN 4 coaxial connectors Timing 2 x in / 2 x outCHAPTER 3-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 3 Optical Service Channel Cards This chapter describes the optical service channel (OSC) cards for Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless noted otherwise, the cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 3.1 Card Overview, page 3-1 • 3.2 Class 1 Laser Safety Labels, page 3-3 • 3.3 OSCM Card, page 3-5 • 3.4 OSC-CSM Card, page 3-9 3.1 Card Overview This section provides card summary and compatibility information. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. For a list of slots and symbols, see the “Card Slot Requirements” section in the Cisco ONS 15454 Hardware Installation Guide. An optical service channel (OSC) is a bidirectional channel connecting two adjacent nodes in a DWDM ring. For every DWDM node (except terminal nodes), two different OSC terminations are present, one for the west side and another for the east side. The channel transports OSC overhead that is used to manage ONS 15454 DWDM networks. An OSC signal uses the 1510-nm wavelength and does not affect client traffic. The primary purpose of this channel is to carry clock synchronization and orderwire channel communications for the DWDM network. It also provides transparent links between each node in the network. The OSC is an OC-3/STM-1 formatted signal. 3-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards Card Overview There are two versions of the OSC modules: the OSCM, and the OSC-CSM, which contains the OSC wavelength combiner and separator component in addition to the OSC module. The Mesh/Multiring Upgrade (MMU) card is used to optically bypass a given wavelength from one section of the network or ring to another one without requiring 3R regeneration. Note On 15454-M2 and 15454-M6 shelves, the TNC card includes the functions of the OSCM card. OSC can be created on the OC3 port (SFP-0) of the TNC card. The TNC card supports two optical service channels (OSC): primary OSC and secondary OSC. The primary optical service channel (SFP-0) supports the following interfaces: • OC-3/STM-1 • Fast Ethernet (FE) • Gigabit Ethernet (GE). The secondary optical service channel (SFP-1) supports the following interfaces: • Fast Ethernet (FE) • Gigabit Ethernet (GE). 3.1.1 Card Summary Table 3-1 lists and summarizes the functions of each card. 3.1.2 Card Compatibility Table 3-2 lists the CTC software compatibility for the OSC and OSCM cards. Table 3-1 OSCM, OSC-CSM, and MMU Card Summary Card Port Description For Additional Information OSCM The OSCM has one set of optical ports and one Ethernet port located on the faceplate. It operates in Slots 8 and 10. See the “3.3 OSCM Card” section on page 3-5. OSC-CSM The OSC-CSM has three sets of optical ports and one Ethernet port located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “3.4 OSC-CSM Card” section on page 3-9. Table 3-2 Software Release Compatibility for Optical Service Channel Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 OSCM Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes OSC-CS M Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes3-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards Class 1 Laser Safety Labels 3.2 Class 1 Laser Safety Labels This section explains the significance of the safety labels attached to the OSCM and OSC-CSM cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 3.2.1 Class 1 Laser Product Label The Class 1 Laser Product label is shown in Figure 3-1. Figure 3-1 Class 1 Laser Product Label Class 1 lasers are products whose irradiance does not exceed the Maximum Permissible Exposure (MPE) value. Therefore, for Class 1 laser products the output power is below the level at which it is believed eye damage will occur. Exposure to the beam of a Class 1 laser will not result in eye injury and may therefore be considered safe. However, some Class 1 laser products may contain laser systems of a higher Class but there are adequate engineering control measures to ensure that access to the beam is not reasonably likely. Anyone who dismantles a Class 1 laser product that contains a higher Class laser system is potentially at risk of exposure to a hazardous laser beam 3.2.2 Hazard Level 1 Label The Hazard Level 1 label is shown in Figure 3-2. Figure 3-2 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. 3.2.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 3-3. CLASS 1 LASER PRODUCT 145952 HAZARD LEVEL 1 655423-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards Class 1 Laser Safety Labels Figure 3-3 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. 3.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 3-4 and Figure 3-5. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 3-4 FDA Statement Label Figure 3-5 FDA Statement Label 3.2.5 Shock Hazard Label The Shock Hazard label is shown in Figure 3-6. 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 20073-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSCM Card Figure 3-6 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. This section describes the optical service channel cards. An optical service channel (OSC) is a bidirectional channel connecting two adjacent nodes in a DWDM ring. For every DWDM node (except terminal nodes), two different OSC terminations are present, one for the west side and another for the east side. The channel transports OSC overhead that is used to manage ONS 15454 DWDM networks. An OSC signal uses the 1510-nm wavelength and does not affect client traffic. The primary purpose of this channel is to carry clock synchronization and orderwire channel communications for the DWDM network. It also provides transparent links between each node in the network. The OSC is an OC-3/STM-1 formatted signal. There are two versions of the OSC modules: the OSCM, and the OSC-CSM, which contains the OSC wavelength combiner and separator component in addition to the OSC module. 3.3 OSCM Card (Cisco ONS 15454 only) Note For OSCM card specifications, see the “A.4.1 OSCM Card Specifications” section on page A-11. Note On 15454-M2 and 15454-M6 shelves, the TNC card includes the functions of the OSCM card. The OSCM card is used in amplified nodes that include the OPT-BST, OPT-BST-E, or OPT-BST-L booster amplifier. The OPT-BST, OPT-BST-E, and OPT-BST-L cards include the required OSC wavelength combiner and separator component. The OSCM cannot be used in nodes where you use OC-N/STM-N cards, electrical cards, or cross-connect cards. The OSCM uses Slots 8 and 10, which are also cross-connect card slots. The OSCM supports the following features: • OC-3/STM-1 formatted OSC • Supervisory data channel (SDC) forwarded to the TCC2/TCC2P/TCC3 cards for processing • Distribution of the synchronous clock to all nodes in the ring • 100BaseT far-end (FE) User Channel (UC) • Monitoring functions such as orderwire support and optical safety 655413-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSCM Card The OC-3/STM-1 section data communications channel (SDCC or RS-DCC) overhead bytes are used for network communications. An optical transceiver terminates the OC-3/STM-1, then it is regenerated and converted into an electrical signal. The SDCC or RS-DCC bytes are forwarded to the active and standby TCC2/TCC2P/TCC3 cards for processing through the system communication link (SCL) bus on the backplane. Orderwire bytes (E1, E2, F1) are also forwarded via the SCL bus to the TCC2/TCC2P/TCC3 for forwarding to the AIC-I card. The payload portion of the OC-3/STM-1 is used to carry the fast Ethernet UC. The frame is sent to a packet-over-SONET/SDH (POS) processing block that extracts the Ethernet packets and makes them available at the RJ-45 connector. The OSCM distributes the reference clock information by removing it from the incoming OC-3/STM-1 signal and then sending it to the DWDM cards. The DWDM cards then forward the clock information to the active and standby TCC2/TCC2P/TCC3 cards.3-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSCM Card Figure 3-7 shows the OSCM card faceplate and block diagram. Figure 3-7 OSCM Card Faceplate For information on safety labels for the card, see the “3.2 Class 1 Laser Safety Labels” section on page 3-3. Figure 3-8 shows the block diagram of the variable optical attenuator (VOA) within the OSCM. OSCM FAIL ACT SF UC RX TX 96464 ASIC OC3-ULR Optical transceiver OSC Line OC-3 FPGA OC-12 POS OC-3 MII 145944 Processor VOA Physical Interface DC/DC 19.44 MHz Line Ref clock Power supply Input filters MT CLKt BAT A&B 0 Slot 1-6 MT CLKt 0 Slot 12-17 6 M P SCL Bus to TCCs FE FE User Channel 6 TOH & Cell Bus3-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSCM Card Figure 3-8 OSCM VOA Optical Module Functional Block Diagram 3.3.1 Power Monitoring Physical photodiode P1 monitors the power for the OSCM card. The returned power level value is calibrated to the OSC TX port (Table 3-3). For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 3.3.2 OSCM Card-Level Indicators The OSCM card has three card-level LED indicators, described in Table 3-4. P1 P1 OSC TX Physical photodiode OSC Variable optical attenuator Control Module OSC RX Control Interface 124968 Table 3-3 OSCM VOA Port Calibration Photodiode CTC Type Name Calibrated to Port P1 Output OSC OSC TX Table 3-4 OSCM Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists.3-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card 3.3.3 OSCM Port-Level Indicators You can find the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The OSCM has one OC-3/STM-1 optical port located on the faceplate. One long-reach OSC transmits and receives the OSC to and from another DWDM node. Both DCN data and FE payload are carried on this link. 3.4 OSC-CSM Card Note For OSC-CSM card specifications, see the “A.4.2 OSC-CSM Card Specifications” section on page A-12. The OSC-CSM card is used in unamplified nodes. This means that the booster amplifier with the OSC wavelength combiner and separator is not required for OSC-CSM operation. The OSC-CSM can be installed in Slots 1 to 6 and 12 to 17. To operate in hybrid mode, the OSC-CSM cards must be accompanied by cross-connect cards. The cross-connect cards enable functionality on the OC-N/STM-N cards and electrical cards. The OSC-CSM supports the following features: • Optical combiner and separator module for multiplexing and demultiplexing the optical service channel to or from the wavelength division multiplexing (WDM) signal • OC-3/STM-1 formatted OSC • SDC forwarded to the TCC2/TCC2P/TCC3 cards for processing • Distribution of the synchronous clock to all nodes in the ring • 100BaseT FE UC • Monitoring functions such as orderwire support • Optical safety: Signal loss detection and alarming, fast transmitted power shut down by means of an optical 1x1 switch • Optical safety remote interlock (OSRI), a feature capable of shutting down the optical output power Green ACT LED The green ACT LED indicates that the OSCM is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as loss of signal (LOS), loss of frame alignment (LOF), line alarm indication signal (AIS-L), or high BER on one or more of the card’s ports. The amber signal fail (SF) LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off. Table 3-4 OSCM Card-Level Indicators (continued) Card-Level Indicators Description3-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card • Automatic laser shutdown (ALS), a safety mechanism used in the event of a fiber cut. For details on ALS provisioning for the card, see the Cisco ONS 15454 DWDM Procedure Guide. For information on using the card to implement ALS in a network, see the “12.11 Network Optical Safety” section on page 12-27. The WDM signal coming from the line is passed through the OSC combiner and separator, where the OSC signal is extracted from the WDM signal. The WDM signal is sent along with the remaining channels to the COM port (label on the front panel) for routing to the OADM or amplifier units, while the OSC signal is sent to an optical transceiver. The OSC is an OC-3/STM-1 formatted signal. The OC-3/STM-1 SDCC or RS-DCC overhead bytes are used for network communications. An optical transceiver terminates the OC-3/STM-1, and then it is regenerated and converted into an electrical signal. The SDCC or RS-DCC bytes are forwarded to the active and standby TCC2/TCC2P/TCC3 cards for processing via the SCL bus on the backplane. Orderwire bytes (E1, E2, F1) are also forwarded via the SCL bus to the TCC2/TCC2P/TCC3 for forwarding to the AIC-I card. The payload portion of the OC-3/STM-1 is used to carry the fast Ethernet UC. The frame is sent to a POS processing block that extracts the Ethernet packets and makes them available at the RJ-45 front panel connector. The OSC-CSM distributes the reference clock information by removing it from the incoming OC-3/STM-1 signal and then sending it to the active and standby TCC2/TCC2P/TCC3 cards. The clock distribution is different from the OSCM card because the OSC-CSM does not use Slot 8 or 10 (cross-connect card slots). Note S1 and S2 (Figure 3-11 on page 3-13) are optical splitters with a splitter ratio of 2:98. The result is that the power at the MON TX port is about 17 dB lower than the relevant power at the COM RX port, and the power at the MON RX port is about 20 dB lower than the power at the COM TX port. The difference is due to the presence of a tap coupler for the P1 photodiode.3-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card Figure 3-9 shows the OSC-CSM faceplate. Figure 3-9 OSC-CSM Faceplate For information on safety labels for the card, see the “3.2 Class 1 Laser Safety Labels” section on page 3-3. Figure 3-10 shows a block diagram of the OSC-CSM card. 96465 OSC CSM FAIL ACT SF UC RX MON TX RX COM TX RX LINE TX ASIC OC3-ULR Optical transceiver OSC combiner separator OSC Line COM OC-3 FPGA OC-12 POS OC-3 MII TOH & Cell Bus 145943 Processor Physical Interface DC/DC Power supply Input filters MPMP BAT A&B SCL Bus to TCCs RxClkRef FE User Channel3-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card Figure 3-10 OSC-CSM Block Diagram ASIC OC3-ULR Optical transceiver OSC combiner separator OSC Line COM OC-3 FPGA OC-12 POS OC-3 MII TOH & Cell Bus 96477 Processor Physical Interface DC/DC Power supply Input filters MPMP BAT A&B SCL Bus to TCCs RxClkRef FE User Data Channel3-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card Figure 3-11 shows the OSC-CSM optical module functional block diagram. Figure 3-11 OSC-CSM Optical Module Functional Block Diagram 3.4.1 Power Monitoring Physical photodiodes P1, P2, P3, and P5 monitor the power for the OSC-CSM card. Their function is as follows: • P1: The returned power value is calibrated to the LINE RX port, including the insertion loss of the previous filter (the reading of this power dynamic range has been brought backward towards the LINE RX output). • P2: The returned value is calibrated to the LINE RX port. • P3: The returned value is calibrated to the COM RX port. • P5: The returned value is calibrated to the OSC TX port, including the insertion loss of the subsequent filter. The returned power level values are calibrated to the ports as shown in Table 3-5. P P P P P V V 124897 MON RX MON TX COM TX OSC RX LINE TX COM RX LINE RX DROP section ADD section OSC TX Control Interface Filter Filter S1 P1 P2 P5 P4 PV1 PV2 P3 HW Switch Control Opt. Switch S2 Virtual photodiode Physical photodiode Variable optical attenuator P V Optical splitter Control3-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card The OSC power on the LINE TX is the same as the power reported from P5. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 3.4.2 Alarms and Thresholds Table 3-6 lists the alarms and its related thresholds for the OSC-CSM card. 3.4.3 OSC-CSM Card-Level Indicators The OSC-CSM card has three card-level LED indicators, described in Table 3-7. Table 3-5 OSC-CSM Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameters P1 Input Line LINE RX Channel Power Supported OSC Power P2 Input Line LINE RX OSC Power Supported P3 Input Com COM RX Channel Power Supported P5 Output OSC OSC TX OSC Power Supported Table 3-6 Alarms and Thresholds Port Alarms Thresholds LINE RX LOS None LOS-P LOS-P Fail Low LOS-O LOS-O Fail Low LINE TX None None OSC TX OPWR-DEG-HIGH OPWR-DEG-HIGH Th OPWR-DEG-LOW OPWR-DEG-LOW Th OPWR-FAIL-LOW OPWR-FAIL-LOW Th OSC RX None None COM TX None None COM RX LOS-P LOS-P Fail Low3-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM Card 3.4.4 OSC-CSM Port-Level Indicators You can find the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The OSC-CSM has a OC3 port and three other sets of ports located on the faceplate. Table 3-7 OSC-CSM Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OSC-CSM is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BER on one or more of the card’s ports. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.3-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 3 Optical Service Channel Cards OSC-CSM CardCHAPTER 4-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 4 Optical Amplifier Cards This chapter describes the optical amplifier cards used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note The cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms, unless noted otherwise. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 4.1 Card Overview, page 4-1 • 4.2 Class 1M Laser Safety Labels, page 4-5 • 4.3 OPT-PRE Amplifier Card, page 4-7 • 4.4 OPT-BST Amplifier Card, page 4-11 • 4.5 OPT-BST-E Amplifier Card, page 4-16 • 4.6 OPT-BST-L Amplifier Card, page 4-19 • 4.7 OPT-AMP-L Card, page 4-24 • 4.8 OPT-AMP-17-C Card, page 4-29 • 4.9 OPT-AMP-C Card, page 4-33 • 4.10 OPT-RAMP-C and OPT-RAMP-CE Cards, page 4-38 4.1 Card Overview This section provides summary and compatibility information for the optical amplifier cards. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. Cards should be installed in slots that have the same symbols. For a list of slots and symbols, see the "Card Slot Requirements" section in the Cisco ONS 15454 Hardware Installation Guide. 4-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards Card Overview Optical amplifiers are used in amplified nodes (such as hub nodes), amplified OADM nodes, and line amplifier nodes. The nine types of ONS 15454 DWDM amplifiers are: • Optical Preamplifier (OPT-PRE) • Optical Booster amplifier (OPT-BST) • Optical Booster Enhanced amplifier (OPT-BST-E) • Optical Booster L-band amplifier (OPT-BST-L) • Optical L-band preamplifier (OPT-AMP-L) • Optical C-band amplifier (OPT-AMP-17-C). • Optical C-band high-gain high-power amplifier (OPT-AMP-C) • Optical C-band Raman amplifier (OPT-RAMP-C) • Optical C-band enhanced Raman amplifier (OPT-RAMP-CE) Optical amplifier card architecture includes an optical plug-in module with a controller that manages optical power, laser current, and temperature control loops. An amplifier also manages communication with the TCC2/TCC2P/TCC3/TNC/TSC card and operation, administration, maintenance, and provisioning (OAM&P) functions such as provisioning, controls, and alarms. 4.1.1 Applications Using CTC (CTC > Card > Provisioning), the following amplifiers can be configured as booster or preamplifiers: • OPT-AMP-C • OPT-AMP-17C • OPT-AMP-L • OPT-BST-E • OPT-BST The amplifier functions as a booster amplifier by default. The amplifier role is automatically configured when the CTP NE update configuration file is loaded in CTC. The amplifier role can also be manually modified. Note The OPT-BST and OPT-BST-E amplifiers are supported as preamplifiers in sites that are equipped with the OPT-RAMP-C card. In any other configuration, the OPT-BST and OPT-BST-E cards must be configured as a booster amplifier. For more information about the supported configurations and network topologies, see Chapter 11, “Node Reference” and Chapter 12, “Network Reference.” 4.1.2 Card Summary Table 4-1 lists and summarizes the functions of each optical amplifier card.4-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards Card Overview 4.1.3 Card Compatibility Table 4-2 lists the Cisco Transport Controller (CTC) software compatibility for each optical amplifier card. Table 4-1 Optical Amplifier Cards for the ONS 15454 Card Port Description For Additional Information OPT-PRE The OPT-PRE amplifier has five optical ports (three sets) located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “4.3 OPT-PRE Amplifier Card” section on page 4-7. OPT-BST The OPT-BST amplifier has four sets of optical ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “4.4 OPT-BST Amplifier Card” section on page 4-11. OPT-BST-E The OPT-BST-E amplifier has four sets of optical ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “4.5 OPT-BST-E Amplifier Card” section on page 4-16. OPT-BST-L The OPT-BST-L L-band amplifier has four sets of optical ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “4.6 OPT-BST-L Amplifier Card” section on page 4-19. OPT-AMP-L The OPT-AMP-L L-band preamplifier has five sets of optical ports located on the faceplate. It is a two-slot card that operates in Slots 1 to 6 and 12 to 17. See the “4.7 OPT-AMP-L Card” section on page 4-24. OPT-AMP-17-C The OPT-AMP-17-C C-band low-gain preamplifier/booster amplifier has four sets of optical ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “4.8 OPT-AMP-17-C Card” section on page 4-29. OPT-AMP-C The OPT-AMP-C C-band high-gain, high-power preamplifier/booster amplifier has five sets of optical ports located on the faceplate. It operates as a preamplifier when equipped and provisioned in Slots 2 to 6 and 11 to 16 or as a booster amplifier when equipped and provisioned in Slot 1 and 17. See the “4.9 OPT-AMP-C Card” section on page 4-33. OPT-RAMP-C The OPT-RAMP-C C-band amplifier has five sets of optical ports located on the faceplate and operates in Slots 1 to 5 and 12 to 16. See the “4.10 OPT-RAMP-C and OPT-RAMP-CE Cards” section on page 4-38. OPT-RAMP-CE The OPT-RAMP-CE C-band amplifier has five sets of optical ports located on the faceplate and operates in Slots 1 to 5 and 12 to 16. See the “4.10 OPT-RAMP-C and OPT-RAMP-CE Cards” section on page 4-38.4-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards Card Overview Table 4-2 Software Release Compatibility for Optical Amplifier Cards Card Type R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R 9.2 OPT-PRE 15454- DWDM 15454- DWDM 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWD M 15454 -DWD M 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M2, 15454 -M6 OPT-BST 15454- DWDM 15454- DWDM 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWD M 15454 -DWD M 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M2, 15454 -M6 OPT-BST-E No No 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWD M 15454 -DWD M 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M2, 15454 -M6 OPT-BST-L No No No No No 15454- DWD M 15454 -DWD M 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM 15454 -DWD M OPT-AMP-L No No No No No 15454- DWD M 15454 -DWD M 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM 15454 -DWD M OPT-AMP-17-C No No No No No No No 15454- DWD M 15454 -DWD M 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M2, 15454 -M6 OPT-AMP-C No No No No No No No No 15454 -DWD M 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M2, 15454 -M6 OPT-RAMP-C No No No No No No No No No 15454- DWDM 15454 -DW DM ONS 15454, 15454 -M6 OPT-RAMP-CE No No No No No No No No No No 15454 -DW DM ONS 15454, 15454 -M64-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards Class 1M Laser Safety Labels 4.1.4 Optical Power Alarms and Thresholds Table 4-3 lists the alarms and related thresholds for the OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-17-C, and OPT-AMP-C cards. 4.2 Class 1M Laser Safety Labels This section explains the significance of the safety labels attached to the optical amplifier cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 4.2.1 Class 1M Laser Product Statement Figure 4-1 shows the Class 1M Laser Product statement. Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. Figure 4-1 Class 1M Laser Product Statement Table 4-3 Alarms and Thresholds Port Alarms Thresholds LINE RX LOS None LOS-P LOS-P Fail Low LOS-O LOS-O Fail Low LINE TX OPWR-FAIL OPWR Fail Low OSC TX None None OSC RX None None COM TX None None COM RX LOS-P LOS-P Fail Low CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 1459534-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards Class 1M Laser Safety Labels 4.2.2 Hazard Level 1M Label Figure 4-2 shows the Hazard Level 1M label. The Hazard Level label warns users against exposure to laser radiation calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. Figure 4-2 Hazard Level Label 4.2.3 Laser Source Connector Label Figure 4-3 shows the Laser Source Connector label. This label indicates that a laser source is present at the optical connector where the label appears. Figure 4-3 Laser Source Connector Label 4.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 4-4 and Figure 4-5. Figure 4-4 FDA Statement Label HAZARD LEVEL 1M 145990 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 20014-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-PRE Amplifier Card Figure 4-5 FDA Statement Label These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. 4.2.5 Shock Hazard Label Figure 4-6 shows the Shock Hazard label. This label alerts you to an electrical hazard within the card. The potential for shock exists when you remove adjacent cards during maintenance or touch exposed electrical circuity on the card. Figure 4-6 Shock Hazard Label 4.3 OPT-PRE Amplifier Card Note For hardware specifications, see the “A.5.1 OPT-PRE Amplifier Card Specifications” section on page A-13. Note For OPT-PRE card safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-PRE is a C-band, DWDM, two-stage erbium-doped fiber amplifier (EDFA) with midamplifier loss (MAL) that can be connected to a dispersion compensating unit (DCU). The OPT-PRE is equipped with a built-in variable optical attenuator (VOA) that controls the gain tilt and can also be used to pad the DCU to a reference value. You can install the OPT-PRE in Slots 1 to 6 and 12 to 17. The card is designed to support up to 80 channels at 50-GHz channel spacing. The OPT-PRE features include: • Fixed gain mode with programmable tilt • True variable gain 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 2007 655414-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-PRE Amplifier Card • Fast transient suppression • Nondistorting low-frequency transfer function • Settable maximum output power • Fixed output power mode (mode used during provisioning) • MAL for fiber-based DCU • Amplified spontaneous emissions (ASE) compensation in fixed gain mode • Full monitoring and alarm handling with settable thresholds • Four signal photodiodes to monitor the input and output optical power of the two amplifier stages through CTC • An optical output port for external monitoring Note The optical splitter has a ratio of 1:99, resulting in about 20 dB-lower power at the MON port than at the COM TX port. 4.3.1 OPT-PRE Faceplate Ports The OPT-PRE amplifier has five optical ports located on the faceplate: • MON is the output monitor port • COM RX (receive) is the input signal port • COM TX (transmit) is the output signal port • DC RX is the MAL input signal port • DC TX is the MAL output signal port4-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-PRE Amplifier Card Figure 4-7 shows the OPT-PRE amplifier card faceplate. Figure 4-7 OPT-PRE Faceplate 4.3.2 OPT-PRE Block Diagrams Figure 4-8 shows a simplified block diagram of the OPT-PRE card’s features. OPT PRE FAIL ACT SF MON RX COM TX RX DC TX 964664-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-PRE Amplifier Card Figure 4-8 OPT-PRE Block Diagram Figure 4-9 shows the a block diagram of how the OPT-PRE optical module functions. Figure 4-9 OPT-PRE Optical Module Functional Block Diagram 4.3.3 OPT-PRE Power Monitoring Physical photodiodes P1, P2, P3, and P4 monitor the power for the OPT-PRE card. Table 4-4 shows the returned power level values calibrated to each port. Optical module COM RX DC RX 96478 Processor DC TX COM TX MON FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 98298 DCU COM RX COM TX DC TX DC RX MON P1 P2 P3 P4 P Physical photodiode Variable optical attenuator Table 4-4 OPT-PRE Port Calibration Photodiode CTC Type Name Calibrated to Port P1 Input Com COM RX P2 Output DC DC TX P3 Input DC DC RX P4 Output COM (Total Output) COM TX Output COM (Signal Output)4-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST Amplifier Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.3.4 OPT-PRE Amplifier Card-Level Indicators Table 4-5 shows the three card-level LED indicators on the OPT-PRE amplifier card. 4.3.5 OPT-PRE Amplifier Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.4 OPT-BST Amplifier Card Note For hardware specifications, see the “A.5.2 OPT-BST Amplifier Card Specifications” section on page A-13. Note For OPT-BST card safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-BST is designed to ultimately support up to 80 channels at 50-GHz channel spacing. The OPT-BST is a C-band, DWDM EDFA with optical service channel (OSC) add-and-drop capability. When an OPT-BST installed in the an ONS 15454, an OSCM card is also needed to process the OSC. You can install the OPT-BST in Slots 1 to 6 and 12 to 17. The card’s features include: • Fixed gain mode (with programmable tilt) • Gain range of 5 to 20 dB in constant gain mode and output power mode • True variable gain • Built-in VOA to control gain tilt • Fast transient suppression Table 4-5 OPT-PRE Amplifier Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-PRE is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST Amplifier Card • Nondistorting low-frequency transfer function • Settable maximum output power • Fixed output power mode (mode used during provisioning) • ASE compensation in fixed gain mode • Full monitoring and alarm handling with settable thresholds • Optical Safety Remote Interlock (OSRI), a CTC software feature capable of shutting down optical output power or reducing the power to a safe level (automatic power reduction) • Automatic laser shutdown (ALS), a safety mechanism used in the event of a fiber cut. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. For information about using the card to implement ALS in a network, see the “12.11 Network Optical Safety” section on page 12-27. Note The optical splitters each have a ratio of 1:99. The result is that MON TX and MON RX port power is about 20 dB lower than COM TX and COM RX port power. 4.4.1 OPT-BST Faceplate Ports The OPT-BST amplifier has eight optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. • LINE TX is the output signal port. • LINE RX is the input signal port (receive section). • COM TX is the output signal port (receive section). • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port.4-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST Amplifier Card Figure 4-10 shows the OPT-BST amplifier card faceplate. Figure 4-10 OPT-BST Faceplate 4.4.2 OPT-BST Block Diagrams Figure 4-11 shows a simplified block diagram of the OPT-BST card’s features. OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX 964674-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST Amplifier Card Figure 4-11 OPT-BST Block Diagram Figure 4-12 shows a block diagram of how the OPT-BST optical module functions. Figure 4-12 OPT-BST Optical Module Functional Block Diagram 4.4.3 OPT-BST Power Monitoring Physical photodiodes P1, P2, P3, and P4 monitor the power for the OPT-BST card. Table 4-6 shows the returned power level values calibrated to each port. Optical module Line RX Monitor Line RX 96479 Processor Line TX COM TX Com RX OSC TX Monitor Line TX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 98300 MON TX OSC RX MON RX OSC TX OSC COM RX P1 P2 P3 P4 COM TX LINE TX APR signal LINE RX in RX P Physical photodiode Table 4-6 OPT-BST Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameter P1 Input Com COM RX Channel Power Supported4-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST Amplifier Card The power on the OSC TX and COM TX ports are calculated by adding the insertion loss (IL) to the power reported from P3 and P4. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.4.4 OPT-BST Card-Level Indicators Table 4-7 describes the three card-level LED indicators on the OPT-BST card. 4.4.5 OPT-BST Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. P2 Output Line (Total Output) LINE TX Channel Power Supported Output Line (Signal Output) P3 Input Line LINE RX Channel Power Supported P4 Input Line LINE RX OSC Power Supported Table 4-6 OPT-BST Port Calibration (continued) Photodiode CTC Type Name Calibrated to Port Power PM Parameter Table 4-7 OPT-BST Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-BST is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-E Amplifier Card 4.5 OPT-BST-E Amplifier Card Note For hardware specifications, see the “A.5.3 OPT-BST-E Amplifier Card Specifications” section on page A-14. Note For OPT-BST-E safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-BST-E amplifier card is a gain-enhanced version of the OPT-BST card. It is designed to support up to 80 channels at 50-GHz channel spacing. The OPT-BST-E is a C-band, DWDM EDFA with OSC add-and-drop capability. When an OPT-BST-E installed, an OSCM card is needed to process the OSC. You can install the OPT-BST-E in Slots 1 to 6 and 12 to 17. The card’s features include: • Fixed gain mode (with programmable tilt) • True variable gain • Gain range of 8 to 23 dBm with the tilt managed at 0 dBm in constant gain mode and output power mode • Enhanced gain range of 23 to 26 dBm with unmanaged tilt • Built-in VOA to control the gain tilt • Fast transient suppression • Nondistorting low-frequency transfer function • Settable maximum output power • Fixed output power mode (mode used during provisioning) • ASE compensation in fixed gain mode • Full monitoring and alarm handling with settable thresholds • OSRI • ALS Note The optical splitters each have a ratio of 1:99. The result is that MON TX and MON RX port power is about 20 dB lower than COM TX and COM RX port power. 4.5.1 OPT-BST-E Faceplate Ports The OPT-BST-E amplifier card has eight optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. • LINE TX is the output signal port. • LINE RX is the input signal port (receive section). • COM TX is the output signal port (receive section).4-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-E Amplifier Card • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port. Figure 4-13 shows the OPT-BST-E amplifier card faceplate. Figure 4-13 OPT-BST-E Faceplate 4.5.2 OPT-BST-E Block Diagrams Figure 4-14 shows a simplified block diagram of the OPT-BST-E card’s features. OPT BST-E FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX 1459394-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-E Amplifier Card Figure 4-14 OPT-BST-E Block Diagram Figure 4-15 shows a block diagram of how the OPT-BST-E optical module functions. Figure 4-15 OPT-BST-E Optical Module Functional Block Diagram 4.5.3 OPT-BST-E Power Monitoring Physical photodiodes P1, P2, P3, and P4 monitor the power for the OPT-BST-E card. Table 4-8 shows the returned power level values calibrated to each port. Optical module Line RX Monitor Line RX 96479 Processor Line TX COM TX Com RX OSC TX Monitor Line TX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 98300 MON TX OSC RX MON RX OSC TX OSC COM RX P1 P2 P3 P4 COM TX LINE TX APR signal LINE RX in RX P Physical photodiode Table 4-8 OPT-BST-E Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameter P1 Input Com COM RX Channel Power Supported4-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-L Amplifier Card The power on the OSC-TX and COM-TX ports are calculated by adding the insertion loss (IL) to the power reported from P3 and P4. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.5.4 OPT-BST-E Card-Level Indicators Table 4-9 describes the three card-level LED indicators on the OPT-BST-E amplifier card. 4.5.5 OPT-BST-E Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.6 OPT-BST-L Amplifier Card (Cisco ONS 15454 only) P2 Output Line (Total Output) LINE TX Channel Power Supported Output Line (Signal Output) P3 Input Line LINE RX Channel Power Supported P4 Input Line LINE RX OSC Power Supported Table 4-8 OPT-BST-E Port Calibration (continued) Photodiode CTC Type Name Calibrated to Port Power PM Parameter Table 4-9 OPT-BST-E Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-BST-E is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-L Amplifier Card Note For hardware specifications, see the “A.5.4 OPT-BST-L Amplifier Card Specifications” section on page A-15. Note For OPT-BST-L safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-BST-L is an L-band, DWDM EDFA with OSC add-and-drop capability. The card is well suited for use in networks that employ dispersion shifted (DS) fiber or SMF-28 single-mode fiber. The OPT-BST-L is designed to ultimately support 64 channels at 50-GHz channel spacing, but in Software R9.0 and earlier it is limited to 32 channels at 100-GHz spacing.When an ONS 15454 has an OPT-BST-L installed, an OSCM card is needed to process the OSC. You can install the OPT-BST-L in Slots 1 to 6 and 12 to 17. The card’s features include: • Fixed gain mode (with programmable tilt) • Standard gain range of 8 to 20 dB in the programmable gain tilt mode • True variable gain • 20 to 27 dB gain range in the uncontrolled gain tilt mode • Built-in VOA to control gain tilt • Fast transient suppression • Nondistorting low-frequency transfer function • Settable maximum output power • Fixed output power mode (mode used during provisioning) • ASE compensation in fixed gain mode • Full monitoring and alarm handling with settable thresholds • OSRI • ALS Note The optical splitters each have a ratio of 1:99. The result is that MON TX and MON RX port power is about 20 dB lower than COM TX and COM RX port power. 4.6.1 OPT-BST-L Faceplate Ports The OPT-BST-L amplifier has eight optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. • LINE TX is the output signal port. • LINE RX is the input signal port (receive section). • COM TX is the output signal port (receive section). • OSC RX is the OSC add input port. 4-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-L Amplifier Card • OSC TX is the OSC drop output port. Figure 4-16 shows the OPT-BST-L card faceplate. Figure 4-16 OPT-BST-L Faceplate 4.6.2 OPT-BST-L Block Diagrams Figure 4-17 shows a simplified block diagram of the OPT-BST-L card’s features. OPT BST-L FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX 1809294-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-L Amplifier Card Figure 4-17 OPT-BST-L Block Diagram Figure 4-18 shows a block diagram of how the OPT-BST-L optical module functions. Figure 4-18 OPT-BST-L Optical Module Functional Block Diagram 4.6.3 OPT-BST-L Power Monitoring Physical photodiodes P1, P2, P3, P4, and P5 monitor the power for the OPT-BST-L card. Table 4-10 shows the returned power level values calibrated to each port. Optical module Line RX Monitor Line RX 180930 Processor Line TX COM TX COM RX OSC TX Monitor Line TX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 134976 MON TX OSC RX MON RX OSC TX OSC COM RX P1 P2 P4 P5 COM TX LINE TX APR signal LINE RX in RX P Physical photodiode P3 Table 4-10 OPT-BST-L Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameter P1 Input COM COM RX Channel Power Supported4-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-BST-L Amplifier Card The power values on the OSC-TX and COM-TX ports are calculated by adding the insertion loss (IL) to the power values reported from P4 and P5. The OSC power on the LINE TX is calculated by adding the IL to the power reported from P3. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.6.4 OPT-BST-L Card-Level Indicators Table 4-11 shows the three card-level LEDs on the OPT-BST-L card. 4.6.5 OPT-BST-L Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. P2 Output Line (Total Output) LINE TX Channel Power Supported Output Line (Signal Output) P3 Input OSC OSC RX OSC Power Supported P4 Input Line LINE RX Channel Power Supported P5 Input Line LINE RX OSC Power Supported Table 4-10 OPT-BST-L Port Calibration (continued) Photodiode CTC Type Name Calibrated to Port Power PM Parameter Table 4-11 OPT-BST-L Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-BST-L is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-L Card 4.7 OPT-AMP-L Card (Cisco ONS 15454 only) Note For hardware specifications, see the “A.5.5 OPT-AMP-L Preamplifier Card Specifications” section on page A-15. Note For OPT-AMP-L card safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-AMP-L is an L-band, DWDM optical amplifier card consisting of a two-stage EDFA with midstage access loss (MSL) for an external DCU and OSC add-and-drop capability. Using CTC, the card is provisionable as a preamplifier (OPT-PRE) or booster amplifier (OPT-BST), and is well suited for use in networks that employ DS or SMF-28 fiber. The amplifier can operate up to 64 optical transmission channels at 50-GHz channel spacing in the 1570 nm to 1605 nm wavelength range. When an OPT-AMP-L installed, an OSCM card is needed to process the OSC. You can install the two-slot OPT-AMP-L in Slots 1 to 6 and 12 to 17. The card has the following features: • Maximum power output of 20 dBm • True variable gain amplifier with settable range from 12 to 24 dBm in the standard gain range and 24 dBm to 35 dbM with uncontrolled gain tilt • Built-in VOA to control gain tilt • Up to 12 dBm MSL for an external DCU • Fast transient suppression; able to adjust power levels in hundreds of microseconds to avoid bit errors in failure or capacity growth situations • Nondistorting low frequency transfer function • Midstage access loss for dispersion compensation unit • Constant pump current mode (test mode) • Constant output power mode (used during optical node setup) • Constant gain mode • Internal ASE compensation in constant gain mode and in constant output power mode • Full monitoring and alarm handling capability • Optical safety support through signal loss detection and alarm at any input port, fast power down control (less than one second), and reduced maximum output power in safe power mode. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. For information on using the card to implement ALS in a network, see the “12.11 Network Optical Safety” section on page 12-27. Note Before disconnecting any OPT AMP-L fiber for troubleshooting, first make sure the OPT AMP-L card is unplugged.4-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-L Card 4.7.1 OPT-AMP-L Faceplate Ports The OPT-AMP-L amplifier card has ten optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. • LINE TX is the output signal port. • LINE RX is the input signal port (receive section). • COM TX is the output signal port (receive section). • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port. • DC TX is the output signal to the DCU. • DC RX is the input signal from the DCU.4-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-L Card Figure 4-19 shows the OPT-AMP-L card faceplate. Figure 4-19 OPT-AMP-L Faceplate 4.7.2 OPT-AMP-L Block Diagrams Figure 4-20 shows a simplified block diagram of the OPT-AMP-L card’s features. OPT-AMP-L FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX RX DC TX 1809314-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-L Card Figure 4-20 OPT-AMP-L Block Diagram Figure 4-21 shows a block diagram of how the OPT-AMP-L optical module functions. Figure 4-21 OPT-AMP-L Optical Module Functional Block Diagram Optical module Monitor Line RX Line RX DC RX Processor Line TX DC TX COM TX COM RX OSC TX Monitor Line TX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 180932 MON TX OSC RX OSC TX COM RX COM TX MON RX LINE TX LINE RX P1 P Physical photodiode Variable optical attenuator P2 P3 P6 P4 DC TX DC RX External Mid-Stage Loss OSC Add OSC Drop P7 P5 Transmit Section Receive Section 1452564-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-L Card 4.7.3 OPT-AMP-L Power Monitoring Physical photodiodes P1 through P7 monitor the power for the OPT-AMP-L card. Table 4-12 shows the returned power level values calibrated to each port. The power values on the OSC-TX and COM-TX ports are calculated by adding the insertion loss (IL) to the power values reported from P5 and P6. The power values on the LINE TX port is calculated by adding the IL to the power value reported from P7. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.7.4 OPT-AMP-L Card-Level Indicators Table 4-13 shows the three card-level LEDs on the OPT-AMP-L card. Table 4-12 OPT-AMP-L Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameter P1 Input COM COM RX Channel Power Supported P2 Output DC (total power) DC TX Channel Power Supported Output DC (signal power) P3 Input DC (input power) DC RX Channel Power Supported P4 Output Line (total power) LINE TX Channel Power Supported Output Line (signal power) P5 Input Line LINE RX Channel Power Supported P6 Input Line LINE RX OSC Power Supported P7 Input OSC OSC RX OSC Power Supported Table 4-13 OPT-AMP-L Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-AMP-L is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-17-C Card 4.7.5 OPT-AMP-L Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.8 OPT-AMP-17-C Card Note For hardware specifications, see the “A.5.6 OPT-AMP-17-C Amplifier Card Specifications” section on page A-16. Note For OPT-AMP-17-C safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-AMP-17-C is a 17-dB gain, C-band, DWDM EDFA amplifier/preamplifier with OSC add-and-drop capability. It supports 80 channels at 50-GHz channel spacing in the C-band (that is, the 1529 nm to 1562.5 nm wavelength range). When an ONS 15454 has an OPT-AMP-17-C installed, an OSCM card is needed to process the OSC. You can install the OPT-AMP-17-C in Slots 1 to 6 and 12 to 17. The card’s features include: • Fixed gain mode (no programmable tilt) • Standard gain range of 14 to 20 dB at startup when configured as a preamplifier • Standard gain range of 20 to 23 dB in the transient mode when configured as a preamplifier • Gain range of 14 to 23 dB (with no transient gain range) when configured as a booster amplifier • True variable gain • Fast transient suppression • Nondistorting low-frequency transfer function • Settable maximum output power • Fixed output power mode (mode used during provisioning) • ASE compensation in fixed gain mode • Full monitoring and alarm handling with settable thresholds • OSRI • ALS 4.8.1 OPT-AMP-17-C Faceplate Ports The OPT-AMP-17-C amplifier card has eight optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. 4-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-17-C Card • LINE TX is the output signal port. • LINE RX is the input signal port (receive section). • COM TX is the output signal port (receive section). • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port. Figure 4-22 shows the OPT-AMP-17-C amplifier card faceplate. Figure 4-22 OPT-AMP-17-C Faceplate OPT -AMP 17-C FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX 1595204-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-17-C Card 4.8.2 OPT-AMP-17-C Block Diagrams Figure 4-23 shows a simplified block diagram of the OPT-AMP-17C card’s features. Figure 4-23 OPT-AMP17-C Block Diagram Figure 4-24 shows how the OPT-AMP-17-C optical module functions. Figure 4-24 OPT-AMP-17-C Optical Module Functional Block Diagram Optical module Line RX Monitor Line RX 180928 Processor Line TX COM TX COM RX OSC TX Monitor Line TX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B MON TX OSC RX MON RX OSC TX OSC COM RX P1 P2 P4 P5 COM TX LINE TX APR signal LINE RX in RX P Physical photodiode P3 OSC add OSC drop 1595194-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-17-C Card 4.8.3 OPT-AMP-17-C Automatic Power Control A transient gain range of 20 to 23 dB is available to APC in order to permit other amplifiers to reach their expected set points. However, operation in this range is not continuous. At startup, the OPT-AMP-17-C card caps the gain at a maximum of 20 dB. Note When the OPT-AMP-17-C operates as a booster amplifier, APC does not control its gain. 4.8.4 OPT-AMP-17-C Power Monitoring Physical photodiodes P1, P2, P3, P4, and P5 monitor power for the OPT-AMP-17-C card. Table 4-14 shows the returned power level values calibrated to each port. The power on the OSC-TX and COM-TX ports are calculated by adding the insertion loss (IL) to the power reported from P3 and P4. The OSC power on the LINE TX is calculated by adding the IL to the power reported from P5. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.8.5 OPT-AMP-17-C Card-Level Indicators Table 4-15 shows the three card-level LEDs on the OPT-AMP-17-C card. Table 4-14 OPT-AMP-17-C Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameter P1 Input COM COM RX Channel Power Supported P2 Output Line (Total Output) LINE TX Channel Power Supported Output Line (Signal Output) P3 Input Line LINE RX Channel Power Supported P4 Input Line LINE RX OSC Power Supported P5 Input OSC OSC RX OSC Power Supported Table 4-15 OPT-AMP-17-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists.4-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-C Card 4.8.6 OPT-AMP-17-C Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.9 OPT-AMP-C Card Note For hardware specifications, see the “A.5.7 OPT-AMP-C Amplifier Card Specifications” section on page A-17. Note For OPT-AMP-C card safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-AMP-C card is a 20-dB output power, C-band, DWDM EDFA amplifier/preamplifier. It contains mid-stage access loss for a Dispersion Compensation Unit (DCU). To control gain tilt, a VOA is used. The VOA can also be used to attenuate the signal to the DCU to a reference value. The amplifier module also includes the OSC add (TX direction) and drop (RX direction) optical filters. The OPT-AMP-C card supports 80 channels at 50-GHz channel spacing in the C-band (that is, the 1529 nm to 1562.5 nm wavelength range). When an ONS 15454 has an OPT-AMP-C card installed, an OSCM card is needed to process the OSC. You can install the OPT-AMP-C card in Slots 1 to 6 and 12 to 17. Slots 2 to 6 and Slots 12 to 16 are the default slots for provisioning the OPT-AMP-C card as a preamplifier, and slots 1 and 17 are the default slots for provisioning the OPT-AMP-C card as a booster amplifier. The card’s features include: • Fast transient suppression • Nondistorting low-frequency transfer function • Mid-stage access for DCU • Constant pump current mode (test mode) • Fixed output power mode (mode used during provisioning) • Constant gain mode • ASE compensation in Constant Gain and Constant Output Power modes • Programmable tilt Green ACT LED The green ACT LED indicates that the OPT-AMP-17-C is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off. Table 4-15 OPT-AMP-17-C Card-Level Indicators (continued) Card-Level Indicators Description4-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-C Card • Full monitoring and alarm handling capability • Gain range with gain tilt control of 12 to 24 dB • Extended gain range (with uncontrolled tilt) of 24 to 35 dB • Full monitoring and alarm handling with settable thresholds • OSRI • ALS 4.9.1 OPT-AMP-C Card Faceplate Ports The OPT-AMP-C amplifier card has 10 optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port. • COM TX is the output signal port (receive section). • DC RX is the input DCU port. • DC TX is the output DCU port. • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port. • LINE RX is the input signal port (receive section). • LINE TX is the output signal port. 4-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-C Card Figure 4-25 shows the OPT-AMP-C amplifier card faceplate. Figure 4-25 OPT-AMP-C Card Faceplate 4.9.2 OPT-AMP-C Card Block Diagrams Figure 4-26 shows a simplified block diagram of the OPT-AMP-C card features. OPT -AMP -C FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX DC TX RX LINE TX 2745104-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-C Card Figure 4-26 OPT-AMP-C Block Diagram Figure 4-27 shows how the OPT-AMP-C optical module functions. Figure 4-27 OPT-AMP-C Optical Module Functional Block Diagram Optical module Line RX Monitor Line RX 240356 Processor COM TX COM RX Line TX OSC TX Monitor Line TX DCU TX DCU RX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B MON TX OSC RX OSC TX COM RX COM TX MON RX LINE TX LINE RX P1 P Physical photodiode Variable optical attenuator P2 P3 P6 P4 DC TX DC RX External Mid-Stage Loss OSC Add OSC Drop P7 P5 Transmit Section Receive Section 1452564-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-AMP-C Card 4.9.3 OPT-AMP-C Card Power Monitoring Physical photodiodes P1 through P7 monitor the power for the OPT-AMP-C card (see Table 4-16). The power on the OSC-TX and COM-TX ports are calculated by adding the insertion loss (IL) to the power reported from P5 and P6. The OSC power on the LINE TX is calculated by adding the IL to the power reported from P7. The PM parameters for the power values are listed in Table 19-31. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.9.4 OPT-AMP-C Card-Level Indicators Table 4-17 shows the three card-level LEDs on the OPT-AMP-C card. Table 4-16 OPT-AMP-C Port Calibration Photodiode CTC Type Name Calibrated to Port Power PM Parameters P1 Input COM COM RX Channel Power Supported P2 Output DC (total power) DC TX Channel Power Supported Output DC (signal power) P3 Input DC (input power) DC RX Channel Power Supported P4 Output Line (total power) LINE TX Channel Power Supported Output Line (signal power) P5 Input Line LINE RX Channel Power Supported P6 Input Line LINE RX OSC Power Supported P7 Input OSC OSC RX OSC Power Supported Table 4-17 OPT-AMP-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-AMP-C card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards 4.9.5 OPT-AMP-C Card Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.10 OPT-RAMP-C and OPT-RAMP-CE Cards (Cisco ONS 15454 and ONS 15454 M6 only) Note For hardware specifications, see the “A.5.8 OPT-RAMP-C Amplifier Card Specifications” section on page A-17 and “A.5.9 OPT-RAMP-CE Amplifier Card Specifications” section on page A-18. Note For OPT-RAMP-C or OPT-RAMP-CE card safety labels, see the “4.2 Class 1M Laser Safety Labels” section on page 4-5. The OPT-RAMP-C card is a double-slot card that improves unregenerated sections in long spans using the span fiber to amplify the optical signal. Different wavelengths in C-band receive different gain values. To achieve Raman amplification, two Raman signals (that do not carry any payload or overhead) are required to be transmitted on the optical fiber because the gain generated by one signal is not flat. The energy of these Raman signals transfer to the higher region of the spectrum thereby amplifying the signals transmitted at higher wavelengths. The Raman effect reduces span loss but does not compensate it completely. When the Raman optical powers are set correctly, a gain profile with limited ripple is achieved. The wavelengths of the Raman signals are not in the C-band of the spectrum (used by MSTP for payload signals). The two Raman wavelengths are fixed and always the same. Due to a limited Raman gain, an EDFA amplifier is embedded into the card to generate a higher total gain. An embedded EDFA gain block provides a first amplification stage, while the mid stage access (MSA) is used for DCU loss compensation. The OPT-RAMP-CE card is a 20 dBm output power, gain-enhanced version of the OPT-RAMP-C card and is optimized for short spans. The OPT-RAMP-C and OPT-RAMP-CE cards can support up to 80 optical transmission channels at 50-GHz channel spacing over the C-band of the optical spectrum (wavelengths from 1529 nm to 1562.5 nm). To provide a counter-propagating Raman pump into the transmission fiber, the Raman amplifier provides up to 500 mW at the LINE-RX connector. The OPT-RAMP-C or OPT-RAMP-CE card can be installed in Slots 1 to 5 and 12 to 16, and supports all network configurations. However, the OPT-RAMP-C or OPT-RAMP-CE card must be equipped on both endpoints of a span. The Raman total power and Raman ratio can be configured using CTC. For information on how to configure the Raman parameters, refer the Cisco ONS 15454 DWDM Procedure Guide. The Raman configuration can be viewed on the Maintenance > Installation tab. The features of the OPT-RAMP-C and OPT-RAMP-CE card include: • Raman pump with embedded EDFA gain block • Raman section: 500 mW total pump power for two pump wavelengths • EDFA section: – OPT-RAMP-C: 16 dB gain and 17 dB output power4-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards – OPT-RAMP-CE: 11 dB gain and 20 dB output power • Gain Flattening Filter (GFF) for Raman plus EDFA ripple compensation • MSA for DC units • VOA for DC input power control • Full monitoring of pump, OSC, and signal power • Fast gain control for transient suppression • Low-FIT (hardware-managed) optical laser safety • Hardware output signals for LOS monitoring at input photodiodes • Optical service channel add and drop filters • Raman pump back-reflection detector 4.10.1 Card Faceplate Ports The OPT-RAMP-C and OPT-RAMP-CE cards have ten optical ports located on the faceplate: • MON RX is the output monitor port (receive section). • MON TX is the output monitor port. • COM RX is the input signal port (receive section). • COM TX is the output signal port. • DC RX is the input DCU port. • DC TX is the output DCU port. • OSC RX is the OSC add input port. • OSC TX is the OSC drop output port. • LINE RX is the input signal port (receive section). • LINE TX is the output signal port. Figure 4-28 shows the OPT-RAMP-C card faceplate.4-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards Figure 4-28 OPT-RAMP-C Faceplate The OPT-RAMP-CE card faceplate is the same as that of the OPT-RAMP-C card. 4.10.2 Card Block Diagram Figure 4-29 shows a simplified block diagram of the OPT-RAMP-C and OPT-RAMP-CE card features. 270710 LINE OSC DC COM MOM RX TX RX TX RX TX RX TX RX TX FAIL ACT DF OPT-RAMP-C4-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards Figure 4-29 OPT-RAMP-C and OPT-RAMP-CE Block Diagram Figure 4-30 shows a block diagram of how the OPT-RAMP-C and OPT-RAMP-CE card functions. Figure 4-30 OPT-RAMP-C and OPT-RAMP-CE Card Functional Block Diagram Optical module Line RX Monitor Line RX 240356 Processor COM TX COM RX Line TX OSC TX Monitor Line TX DCU TX DCU RX OSC RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 270709 OSC-TX W to E section E to W section Line-TX Line-RX COM-RX COM-TX OSC Drop OSC Add Pump 1 Pump 2 PD 8 PD 9 PD 11 PD 10 PD 12 PD 7 PD 5 PD 6 PD 1 PD 2 PD 3 PD 4 Pump Drop Pump Add PD Physical photodiode Variable optical attenuator4-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards Two Raman pump lasers are combined internally and launched in-fiber at the LINE-RX port, thereby counter-propagating with the DWDM signal. An EDFA gain block provides further amplification of the DWDM signal, which allows regulated output power entry in the mid stage access and acts upon the VOA attenuation. While the optical filters are present for the OSC add and drop functions, the OSC signal counter-propagates with the DWDM signal. Two monitor ports, MON-RX and MON-TX, are provided at the EDFA input and output stages and are used to evaluate the total gain ripple. A total of 12 photodiodes (PDs) are provided, allowing full monitoring of RP power, DWDM power, and OSC power in each section of the device. In particular, PD12 allows the detection of the remnant Raman pump power at the end of the counter-pumped span, while PD11 detects the amount of Raman pump power backscattered by the LINE-RX connector and transmission fiber. The EDFA section calculates the signal power, considering the expected ASE power contribution to the total output power. The signal output power or the signal gain can be used as feedback signals for the EDFA pump power control loop. The ASE power is derived according to the working EDFA gain. PD2, PD3, and PD4 provide the total power measured by the photodiode and the signal power is derived by calculating the total power value. The insertion loss of the main optical path and the relative optical attenuation of the two monitor ports are stored into the card’s not-volatile memory. 4.10.3 OPT-RAMP-C and OPT-RAMP-CE Card Power Monitoring Physical photodiodes PD1 through PD12 monitor the power for the OPT-RAMP-C and OPT-RAMP-CE cards (see Table 4-18). For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 4.10.4 OPT-RAMP-C and OPT-RAMP-CE Card Level Indicators Table 4-19 shows the three card-level LEDs on the OPT-RAMP-C and OPT-RAMP-CE cards. Table 4-18 OPT-RAMP-C and OPT-RAMP-CE Port Calibration Photodiode CTC Type Name Calibrated to Port PD1 EDFA DWDM Input Power LINE-RX PD2 EDFA Output Power (pre-VOA attenuation) DC-TX (port with 0 dB VOA attenuation) PD3 DCU Input Power DC-TX PD4 DCU Output Power DC-RX PD5 DWDM Input Power COM-RX PD6 OSC ADD Input Power OSC-RX PD7 OSC DROP Output Power OSC-TX PD8 Pump 1 in-fiber Output Power LINE-RX PD9 Pump 2 in-fiber Output Power LINE-RX PD10 Total Pump in-fiber Output Power LINE-RX PD11 Back-Reflected Pump Power LINE-RX PD12 Remnant Pump Power LINE-TX4-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE Cards 4.10.5 OPT-RAMP-C and OPT-RAMP-CE Card Port-Level Indicators You can determine the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Table 4-19 OPT-RAMP-C and OPT-RAMP-CE Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the OPT-RAMP-C or OPT-RAMP-CE card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.4-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 4 Optical Amplifier Cards OPT-RAMP-C and OPT-RAMP-CE CardsCHAPTER 5-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 5 Multiplexer and Demultiplexer Cards This chapter describes legacy multiplexer and demultiplexer cards used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, see the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, see the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 5.1 Card Overview, page 5-1 • 5.2 Safety Labels, page 5-8 • 5.3 32MUX-O Card, page 5-13 • 5.4 32DMX-O Card, page 5-17 • 5.5 4MD-xx.x Card, page 5-21 Note For a description of the 32DMX, 32DMX-L, 40-DMX-C, 40-DMX-CE, 40-MUX-C, 40-WSS-C, 40-WSS-CE, and 40-WXC-C cards, see Chapter 9, “Reconfigurable Optical Add/Drop Cards.” 5.1 Card Overview The card overview section contains card summary, compatibility, interface class, and channel allocation plan information for legacy multiplexer and demultiplexer cards. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. For a list of slots and symbols, see the "Card Slot Requirements" section in the Cisco ONS 15454 Hardware Installation Guide. 5-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview 5.1.1 Card Summary Table 5-1 lists and summarizes the functions of the 32MUX-O, 32DMX-O, and 4MD-xx.x cards. 5.1.2 Card Compatibility Table 5-2 lists the CTC software compatibility for the legacy cards. 5.1.3 Interface Classes The 32MUX-O, 32DMX-O, and 4MD-xx.x cards have different input and output optical channel signals depending on the interface card where the input signal originates. The input interface cards have been grouped in classes listed in Table 5-3. The subsequent tables list the optical performance and output power of each interface class. Table 5-1 Multiplexer and Demultiplexer Cards Card Port Description For Additional Information 32MUX-O The 32MUX-O has five sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “5.3 32MUX-O Card” section on page 5-13. 32DMX-O The 32DMX-O has five sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. “5.4 32DMX-O Card” section on page 5-17 4MD-xx.x The 4MD-xx.x card has five sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “5.5 4MD-xx.x Card” section on page 5-21. Table 5-2 Software Compatibility for Legacy Multiplexer and Demultiplexer Cards Release Cards 32MUX-O 32DMX-O 4MD-xx.x R4.5 Yes Yes Yes R4.6 Yes Yes Yes R4.7 Yes Yes Yes R5.0 Yes Yes Yes R6.0 Yes Yes Yes R7.0 Yes Yes Yes R7.2 Yes Yes Yes R8.0 Yes Yes Yes R8.5 Yes Yes Yes R9.0 Yes Yes Yes R9.1 Yes Yes Yes R9.2 Yes Yes Yes5-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview Table 5-5 lists the optical performance parameters for 40-Gbps cards that provide signal input to multiplexer and demultiplexer cards. Table 5-3 ONS 15454 Card Interfaces Assigned to Input Power Classes Input Power Class Card A 10-Gbps multirate transponder cards (TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) with forward error correction (FEC) enabled, 10-Gbps muxponder cards (MXP_2.5G_10G, MXP_2.5G_10E, MXP_MR_10DME_C, MXP_MR_10DME_L, MXP_2.5G_10E_C, and MXP_2.5G_10E_L) with FEC enabled, and 40-Gbps muxponder card (40G-MXP-C) B 10-Gbps multirate transponder card (TXP_MR_10G) without FEC, 10-Gbps muxponder cards (MXP_2.5G_10G, MXP_MR_10DME_C, MXP_MR_10DME_L), 40-Gbps muxponder card (40G-MXP-C), and ADM-10G cards with FEC disabled C OC-192 LR ITU cards (TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) without FEC D 2.5-Gbps multirate transponder card (TXP_MR_2.5G), both protected and unprotected, with FEC enabled E OC-48 100-GHz DWDM muxponder card (MXP_MR_2.5G) and 2.5-Gbps multirate transponder card (TXP_MR_2.5G), protected or unprotected, with FEC disabled and retime, reshape, and regenerate (3R) mode enabled F 2.5-Gbps multirate transponder card (TXP_MR_2.5G), protected or unprotected, in regenerate and reshape (2R) mode G OC-48 ELR 100 GHz card H 2/4 port GbE transponder (GBIC WDM 100GHz) I TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L cards with enhanced FEC (E-FEC) and the MXP_2.5G_10E, MXP_2.5G_10E_C, MXP_2.5G_10E_L, MXP_MR_10DME_C, MXP_MR_10DME_L, and 40G-MXP-C cards with E-FEC enabled Table 5-4 40-Gbps Interface Optical Performance Parameter Class A Class B Class I Type Power Limited OSNR1 Limited Power Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 40 Gbps 40 Gbps 40 Gbps Regeneration 3R 3R 3R FEC Yes No Yes (E-FEC) Threshold Optimum Average Optimum Maximum BER2 10–15 10–12 10–15 OSNR1 sensitivity 23 dB 9 dB 23 dB 19 dB 20 dB 8 dB Power sensitivity –24 dBm –18 dBm –21 dBm –20 dBm –26 dBm –18 dBm Power overload –8 dBm –8 dBm –8 dBm5-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview Table 5-5 lists the optical performance parameters that provide signal input for the 40-Gbps multiplexer and demultiplexer cards. Transmitted Power Range3 OC-192 LR ITU — — — Dispersion compensation tolerance +/–800 ps/nm +/–1,000 ps/nm +/–800 ps/nm 1. OSNR = optical signal-to-noise ratio 2. BER = bit error rate 3. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 5-4 40-Gbps Interface Optical Performance (continued) Parameter Class A Class B Class I Type Power Limited OSNR1 Limited Power Limited OSNR Limited Power Limited OSNR Limited Table 5-5 10-Gbps Interface Optical Performance Parameters Parameter Class A Class B Class C Class I Type Power Limited OSNR1 Limited Power Limited OSNR Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 10 Gbps 10 Gbps 10 Gbps 10 Gbps Regeneration 3R 3R 3R 3R FEC Yes No No Yes (E-FEC) Threshold Optimum Average Average Optimum Maximum BER2 10–15 10–12 10–12 10–15 OSNR1 sensitivity 23 dB 9 dB 23 dB 19 dB 19 dB 20 dB 8 dB Power sensitivity –24 dBm –18 dBm –21 dBm –20 dBm –22 dBm –26 dBm –18 dBm Power overload –8 dBm –8 dBm –9 dBm –8 dBm Transmitted Power Range3 10-Gbps multirate transponder/10-Gbps FEC transponder (TXP_MR_10G) +2.5 to 3.5 dBm +2.5 to 3.5 dBm — — OC-192 LR ITU — — +3.0 to 6.0 dBm — 10-Gbps multirate transponder/10-Gbps FEC transponder (TXP_MR_10E) +3.0 to 6.0 dBm +3.0 to 6.0 dBm — +3.0 to 6.0 dBm Dispersion compensation tolerance +/–800 ps/nm +/–1,000 ps/nm +/–1,000 ps/nm +/–800 ps/nm5-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview Table 5-6 lists the optical interface performance parameters for 2.5-Gbps cards that provide signal input to multiplexer and demultiplexer cards. 5.1.4 Channel Allocation Plan ONS 15454 DWDM multiplexer and demultiplexer cards are designed for use with specific channels in the C band and L band. In most cases, the channels for these cards are either numbered (for example, 1 to 32 or 1 to 40) or delimited (odd or even). Client interfaces must comply with these channel assignments to be compatible with the ONS 15454 system. Table 5-7 lists the channel IDs and wavelengths assigned to the C-band DWDM channels. 1. OSNR = optical signal-to-noise ratio 2. BER = bit error rate 3. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 5-6 2.5-Gbps Interface Optical Performance Parameter Class D Class E Class F Class G Class H Class J Type Power Limited OSNR Limited Power Limited OSNR Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR Limited Power Limited Maximum bit rate 2.5 Gbps 2.5 Gbps 2.5 Gbps 2.5 Gbps 1.25 Gbps 2.5 Gbps Regeneration 3R 3R 2R 3R 3R 3R FEC Yes No No No No No Threshold Average Average Average Average Average Average Maximum BER 10–15 10–12 10–12 10–12 10–12 10–12 OSNR sensitivity 14 dB 6 dB 14 dB 10 dB 15 dB 14 dB 11 dB 13 dB 8 dB 12 dB Power sensitivity –31 dBm –25 dBm –30 dBm –23 dBm –24 dBm –27 dBm –33 dBm –28 dBm –18 dBm –26 dBm Power overload –9 dBm –9 dBm –9 dBm –9 dBm –7 dBm –17dBm Transmitted Power Range1 1. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. TXP_MR_2.5G –1.0 to 1.0 dBm –1.0 to 1.0 dBm –1.0 to 1.0 dBm –2.0 to 0 dBm TXPP_MR_2.5G –4.5 to –2.5 dBm –4.5 to –2.5 dBm –4.5 to –2.5 dBm MXP_MR_2.5G — +2.0 to +4.0 dBm — MXPP_MR_2.5G — –1.5 to +0.5 dBm — 2/4 port GbE Transponder (GBIC WDM 100GHz) +2.5 to 3.5 dBm — Dispersion compensation tolerance –1200 to +5400 ps/nm –1200 to +5400 ps/nm –1200 to +3300 ps/nm –1200 to +3300 ps/nm –1000 to +3600 ps/nm –1000 to +3200 ps/nm5-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview Note In some cases, a card uses only one of the bands (C band or L band) and some or all of the channels listed in a band. Also, some cards use channels on the 100-GHz ITU grid while others use channels on the 50-GHz ITU grid. See the specific card description or Appendix A, “Hardware Specifications” for more details. Table 5-7 DWDM Channel Allocation Plan (C Band) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.365-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Card Overview Table 5-8 lists the channel IDs and wavelengths assigned to the L-band channels. 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 5-7 DWDM Channel Allocation Plan (C Band) (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 5-8 DWDM Channel Allocation Plan (L Band) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 190.85 1570.83 41 188.85 1587.46 2 190.8 1571.24 42 188.8 1587.88 3 190.75 1571.65 43 188.75 1588.30 4 190.7 1572.06 44 188.7 1588.73 5 190.65 1572.48 45 188.65 1589.15 6 190.6 1572.89 46 188.6 1589.57 7 190.55 1573.30 47 188.55 1589.99 8 190.5 1573.71 48 188.5 1590.41 9 190.45 1574.13 49 188.45 1590.83 10 190.4 1574.54 50 188.4 1591.26 11 190.35 1574.95 51 188.35 1591.68 12 190.3 1575.37 52 188.3 1592.10 13 190.25 1575.78 53 188.25 1592.52 14 190.2 1576.20 54 188.2 1592.95 15 190.15 1576.61 55 188.15 1593.37 16 190.1 1577.03 56 188.1 1593.79 17 190.05 1577.44 57 188.05 1594.22 18 190 1577.86 58 188 1594.64 19 189.95 1578.27 59 187.95 1595.065-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Safety Labels 5.2 Safety Labels This section explains the significance of the safety labels attached to some of the cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 5.2.1 Class 1 Laser Product Labels The 32MUX-O card has a Class 1 laser. The labels that appear on the card are described in the following sections. 5.2.1.1 Class 1 Laser Product Label The Class 1 Laser Product label is shown in Figure 5-1. 20 189.9 1578.69 60 187.9 1595.49 21 189.85 1579.10 61 187.85 1595.91 22 189.8 1579.52 62 187.8 1596.34 23 189.75 1579.93 63 187.75 1596.76 24 189.7 1580.35 64 187.7 1597.19 25 189.65 1580.77 65 187.65 1597.62 26 189.6 1581.18 66 187.6 1598.04 27 189.55 1581.60 67 187.55 1598.47 28 189.5 1582.02 68 187.5 1598.89 29 189.45 1582.44 69 187.45 1599.32 30 189.4 1582.85 70 187.4 1599.75 31 189.35 1583.27 71 187.35 1600.17 32 189.3 1583.69 72 187.3 1600.60 33 189.25 1584.11 73 187.25 1601.03 34 189.2 1584.53 74 187.2 1601.46 35 189.15 1584.95 75 187.15 1601.88 36 189.1 1585.36 76 187.1 1602.31 37 189.05 1585.78 77 187.05 1602.74 38 189 1586.20 78 187 1603.17 39 188.95 1586.62 79 186.95 1603.60 40 188.9 1587.04 80 186.9 1604.03 Table 5-8 DWDM Channel Allocation Plan (L Band) (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm)5-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Safety Labels Figure 5-1 Class 1 Laser Product Label Class 1 lasers are products whose irradiance does not exceed the Maximum Permissible Exposure (MPE) value. Therefore, for Class 1 laser products the output power is below the level at which it is believed eye damage will occur. Exposure to the beam of a Class 1 laser will not result in eye injury and may therefore be considered safe. However, some Class 1 laser products may contain laser systems of a higher class but there are adequate engineering control measures to ensure that access to the beam is not reasonably likely. Anyone who dismantles a Class 1 laser product that contains a higher Class laser system is potentially at risk of exposure to a hazardous laser beam 5.2.1.2 Hazard Level 1 Label The Hazard Level 1 label is shown in Figure 5-2. This label is displayed on the faceplate of the cards. Figure 5-2 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. 5.2.1.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 5-3. Figure 5-3 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. CLASS 1 LASER PRODUCT 145952 HAZARD LEVEL 1 65542 966355-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Safety Labels 5.2.1.4 FDA Statement Label The FDA Statement labels are shown in Figure 5-4 and Figure 5-5. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 5-4 FDA Statement Label Figure 5-5 FDA Statement Label 5.2.1.5 Shock Hazard Label The Shock Hazard label is shown in Figure 5-6. Figure 5-6 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. 5.2.2 Class 1M Laser Product Cards The 32DMX-O and 4MD-xx.x cards have Class IM lasers. The labels that appear on these cards are described in the following subsections. 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 2007 655415-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Safety Labels 5.2.2.1 Class 1M Laser Product Statement The Class 1M Laser Product statement is shown in Figure 5-7. Figure 5-7 Class 1M Laser Product Statement Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. 5.2.2.2 Hazard Level 1M Label The Hazard Level 1M label is shown in Figure 5-8. Figure 5-8 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. 5.2.2.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 5-9. Figure 5-9 Laser Source Connector Label CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 145953 HAZARD LEVEL 1M 145990 966355-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards Safety Labels This label indicates that a laser source is present at the optical connector where the label has been placed. 5.2.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 5-10 and Figure 5-11. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 5-10 FDA Statement Label Figure 5-11 FDA Statement Label 5.2.2.5 Shock Hazard Label The Shock Hazard label is shown in Figure 5-6. Figure 5-12 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 2007 655415-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32MUX-O Card 5.3 32MUX-O Card Note See the “A.7.1 32MUX-O Card Specifications” section on page A-20 for hardware specifications. The 32-Channel Multiplexer (32MUX-O) card multiplexes 32 100-GHz-spaced channels identified in the channel plan. The 32MUX-O card takes up two slots in an ONS 15454 and can be installed in Slots 1 to 5 and 12 to 16. The 32MUX-O features include: • Arrayed waveguide grating (AWG) device that enables full multiplexing functions for the channels. • Each single-channel port is equipped with VOAs for automatic optical power regulation prior to multiplexing. In the case of electrical power failure, the VOA is set to its maximum attenuation for safety purposes. A manual VOA setting is also available. • Each single-channel port is monitored using a photodiode to enable automatic power regulation. An additional optical monitoring port with 1:99 splitting ratio is available. Figure 5-13 shows the 32MUX-O faceplate.5-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32MUX-O Card Figure 5-13 32MUX-O Faceplate For information on safety labels for the card, see the “5.2.1 Class 1 Laser Product Labels” section on page 5-8. Figure 5-14 shows a block diagram of the 32MUX-O card. 30.3 - 36.6 38.1 - 44.5 46.1 - 52.5 54.1 - 60.6 32MUX-0 COM TX RX MON FAIL ACT SF 964685-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32MUX-O Card Figure 5-14 32MUX-O Block Diagram The 32MUX-O card has four receive connectors that accept multifiber push-on (MPO) cables on its front panel for the client input interfaces. MPO cables break out into eight separate cables. The 32MUX-O card also has two LC-PC-II optical connectors, one for the main output and the other for the monitor port. Figure 5-15 shows the 32MUX-O optical module functional block diagram. Figure 5-15 32MUX-O Optical Module Functional Block Diagram 5.3.1 Channel Plan The 32MUX-O is typically used in hub nodes and provides the multiplexing of 32 channels, spaced at 100 GHz, into one fiber before their amplification and transmission along the line. The channel plan is shown in Table 5-9. Optical module 30.3 to 36.6 8 CHS RX 38.1 to 44.5 8 CHS RX 46.1 to 52.5 8 CHS RX 54.1 to 60.6 8 CHS RX 134413 Processor MON COM TX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 98301 1 32 Control Control interface Physical photodiode Variable optical attenuator MON COM TX Inputs P32 P31 P30 P29 P4 P3 P2 P1 P5-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32MUX-O Card Table 5-9 32MUX-O Channel Plan Channel Number1 1. The Channel Number column is only for reference purposes. The channel ID is consistent with the ONS 15454 and is used in card identification. Channel ID Frequency (GHz) Wavelength (nm) 1 30.3 195.9 1530.33 2 31.2 195.8 1531.12 3 31.9 195.7 1531.90 4 32.6 195.6 1532.68 5 34.2 195.4 1534.25 6 35.0 195.3 1535.04 7 35.8 195.2 1535.82 8 36.6 195.1 1536.61 9 38.1 194.9 1538.19 10 38.9 194.8 1538.98 11 39.7 194.7 1539.77 12 40.5 194.6 1540.56 13 42.1 194.4 1542.14 14 42.9 194.3 1542.94 15 43.7 194.2 1543.73 16 44.5 194.1 1544.53 17 46.1 193.9 1546.12 18 46.9 193.8 1546.92 19 47.7 193.7 1547.72 20 48.5 193.6 1548.51 21 50.1 193.4 1550.12 22 50.9 193.3 1550.92 23 51.7 193.2 1551.72 24 52.5 193.1 1552.52 25 54.1 192.9 1554.13 26 54.9 192.8 1554.94 27 55.7 192.7 1555.75 28 56.5 192.6 1556.55 29 58.1 192.4 1558.17 30 58.9 192.3 1558.98 31 59.7 192.2 1559.79 32 60.6 192.1 1560.615-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32DMX-O Card 5.3.2 Power Monitoring Physical photodiodes P1 through P32 monitor the power for the 32MUX-O card. The returned power level values are calibrated to the ports as shown in Table 5-10. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 5.3.3 32MUX-O Card-Level Indicators The 32MUX-O card has three card-level LED indicators, described in Table 5-11. 5.3.4 32MUX-O Port-Level Indicators You can find the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The 32MUX-O card has five sets of ports located on the faceplate. COM TX is the line output. COM MON is the optical monitoring port. The xx.x to yy.y RX ports represent the four groups of eight channels ranging from wavelength xx.x to wavelength yy.y, according to the channel plan. 5.4 32DMX-O Card Note See the “A.7.2 32DMX-O Card Specifications” section on page A-20 for hardware specifications. Table 5-10 32MUX-O Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 ADD COM TX Table 5-11 32MUX-O Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32MUX-O is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.5-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32DMX-O Card The 32-Channel Demultiplexer (32DMX-O) card demultiplexes 32 100-GHz-spaced channels identified in the channel plan. The 32DMX-O takes up two slots in an ONS 15454 and can be installed in Slots 1 to 5 and 12 to 16. The 32DMX-O features include: • AWG that enables channel demultiplexing functions. • Each single-channel port is equipped with VOAs for automatic optical power regulation after demultiplexing. In the case of electrical power failure, the VOA is set to its maximum attenuation for safety purposes. A manual VOA setting is also available. • The 32DXM-O has four physical receive connectors that accept MPO cables on its front panel for the client input interfaces. MPO cables break out into eight separate cables. Note In contrast, the single-slot 32DMX card does not have VOAs on each drop port for optical power regulation. The 32DMX optical demultiplexer module is used in conjunction with the 32WSS card in ONS 15454 Multiservice Transport Platform (MSTP) nodes. • Each single-channel port is monitored using a photodiode to enable automatic power regulation. Figure 5-16 shows the 32DMX-O card faceplate.5-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32DMX-O Card Figure 5-16 32DMX-O Faceplate For information on safety labels for the card, see the “5.2.2 Class 1M Laser Product Cards” section on page 5-10. Figure 5-17 shows a block diagram of the 32DMX-O card. 32DMX-0 FAIL ACT SF 30.3 - 36.6 38.1 - 44.5 46.1 - 52.5 TX 54.1 - 60.6 RX COM MON 1459355-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 32DMX-O Card Figure 5-17 32DMX-O Block Diagram Figure 5-18 shows the 32DMX-O optical module functional block diagram. Figure 5-18 32DMX-O Optical Module Functional Block Diagram 5.4.1 Power Monitoring Physical photodiodes P1 through P33 monitor the power for the 32DMX-O card. The returned power level values are calibrated to the ports as shown in Table 5-12. Optical module 30.3 to 36.6 8 CHS TX 38.1 to 44.5 8 CHS TX 46.1 to 52.5 8 CHS TX 54.1 to 60.6 8 CHS TX 96480 Processor MON COM RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 98302 1 32 Control Control interface Physical photodiode Variable optical attenuator COM RX DROP TX P32 P31 P30 P29 P4 P3 P2 P1 P P33 Table 5-12 32DMX-O Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 DROP DROP TX P33 INPUT COM COM RX5-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 5.4.2 32DMX-O Card-Level Indicators The 32DMX-O card has three card-level LED indicators, described in Table 5-13. 5.4.3 32DMX-O Port-Level Indicators You can find the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The 32DMX-O card has five sets of ports located on the faceplate. MON is the output monitor port. COM RX is the line input. The xx.x to yy.y TX ports represent the four groups of eight channels ranging from wavelength xx.x to wavelength yy.y according to the channel plan. 5.5 4MD-xx.x Card Note See the “A.7.3 4MD-xx.x Card Specifications” section on page A-21 for hardware specifications. The 4-Channel Multiplexer/Demultiplexer (4MD-xx.x) card multiplexes and demultiplexes four 100-GHz-spaced channels identified in the channel plan. The 4MD-xx.x card is designed to be used with band OADMs (both AD-1B-xx.x and AD-4B-xx.x). The card is bidirectional. The demultiplexer and multiplexer functions are implemented in two different sections of the same card. In this way, the same card can manage signals flowing in opposite directions. There are eight versions of this card that correspond with the eight sub-bands specified in Table 5-14 on page 5-24. The 4MD-xx.x can be installed in Slots 1 to 6 and 12 to 17. The 4MD-xx.x has the following features implemented inside a plug-in optical module: • Passive cascade of interferential filters perform the channel multiplex/demultiplex function. • Software-controlled VOAs at every port of the multiplex section regulate the optical power of each multiplexed channel. Table 5-13 32DMX-O Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32DMX-O is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.5-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x Card • Software-monitored photodiodes at the input and output multiplexer and demultiplexer ports for power control and safety purposes. • Software-monitored virtual photodiodes at the common DWDM output and input ports. A virtual photodiode is a firmware calculation of the optical power at that port. This calculation is based on the single channel photodiode reading and insertion losses of the appropriated paths. Figure 5-19 shows the 4MD-xx.x faceplate. Figure 5-19 4MD-xx.x Faceplate For information on safety labels for the card, see the “5.2.2 Class 1M Laser Product Cards” section on page 5-10. Figure 5-20 shows a block diagram of the 4MD-xx.x card. 4MD -X.XX FAIL ACT SF RX 15xx.xx TX RX 15xx.xx TX RX 15xx.xx TX RX 15xx.xx TX RX COM TX 964705-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x Card Figure 5-20 4MD-xx.x Block Diagram Figure 5-21 shows the 4MD-xx.x optical module functional block diagram. Figure 5-21 4MD-xx.x Optical Module Functional Block Diagram The optical module shown in Figure 5-21 is optically passive and consists of a cascade of interferential filters that perform the channel multiplexing and demultiplexing functions. VOAs are present in every input path of the multiplex section in order to regulate the optical power of each multiplexed channel. Some optical input and output ports are monitored by means of photodiodes implemented both for power control and for safety purposes. An internal control manages VOA settings and functionality as well as photodiode detection and alarm thresholds. The power at the main output Optical Module Channel Inputs 96482 Processor COM TX COM RX Channel Outputs FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P DC/DC converter Power supply input filters BAT A&B 98303 Virtual photodiode COM TX COM RX Demux RX channels TX channels Physical photodiode Variable optical attenuator Control Control interface V1 V Mux P1 P2 P3 P3 P5 P6 P7 P8 P V25-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x Card and input ports is monitored through the use of virtual photodiodes. A virtual photodiode is implemented in the firmware of the plug-in module. This firmware calculates the power on a port, summing the measured values from all single channel ports (and applying the proper path insertion loss) and then providing the TCC2/TCC2P/TCC3/TNC/TSC card with the obtained value. 5.5.1 Wavelength Pairs Table 5-14 shows the band IDs and the add/drop channel IDs for the 4MD-xx.x card. 5.5.2 Power Monitoring Physical photodiodes P1 through P8 and virtual photodiodes V1 and V2 monitor the power for the 4MD-xx.x card. The returned power level values are calibrated to the ports as shown in Table 5-15. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 5.5.3 4MD-xx.x Card-Level Indicators The 4MD-xx.x card has three card-level LED indicators, described in Table 5-16. Table 5-14 4MD-xx.x Channel Sets Band ID Add/Drop Channel IDs Band 30.3 (A) 30.3, 31.2, 31.9, 32.6 Band 34.2 (B) 34.2, 35.0, 35.8, 36.6 Band 38.1 (C) 38.1, 38.9, 39.7, 40.5 Band 42.1 (D) 42.1, 42.9, 43.7, 44.5 Band 46.1 (E) 46.1, 46.9, 47.7, 48.5 Band 50.1 (F) 50.1, 50.9, 51.7, 52.5 Band 54.1 (G) 54.1, 54.9, 55.7, 56.5 Band 58.1 (H) 58.1, 58.9, 59.7, 60.6 Table 5-15 4MD-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P4 ADD COM TX P5–P8 DROP DROP TX V1 OUT COM COM TX V2 IN COM COM RX5-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x Card 5.5.4 4MD-xx.x Port-Level Indicators You can find the status of the card ports using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The 4MD-xx.x card has five sets of ports located on the faceplate. COM RX is the line input. COM TX is the line output. The 15xx.x TX ports represent demultiplexed channel outputs 1 to 4. The 15xx.x RX ports represent multiplexed channel inputs 1 to 4. Table 5-16 4MD-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 4MD-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.5-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 5 Multiplexer and Demultiplexer Cards 4MD-xx.x CardCHAPTER 6-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 6 Tunable Dispersion Compensating Units This chapter explains the Tunable Dispersion Compensating Units (T-DCU) used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. The T-DCU unit compensates for chromatic dispersion (CD) of the transmission fiber. The T-DCU provides two line cards with varied set of tunable wavelengths to compensate for CD. This chapter includes: • 6.1 Card Overview, page 6-1 • 6.2 Class 1M Laser Safety Labels, page 6-2 • 6.3 TDC-CC and TDC-FC Cards, page 6-3 • 6.4 Monitoring Optical Performance, page 6-7 6.1 Card Overview The T-DCU card provides a selectable set of discrete negative chromatic dispersion values to compensate for chromatic dispersion of the transmission line. The card operates over the entire C-band (in the range of 1529.0 nm to 1562.5 nm) and monitors the optical power at the input and the output ports. The two types of T-DCU line cards are: • TDC-CC (Coarse T-DCU) • TDC-FC (Fine T-DCU) Note Each T-DCU card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. Cards should be installed in slots that have the same symbols. See the 1.16.1 Card Slot Requirements section on page 1-59 for a list of slots and symbols.6-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units Class 1M Laser Safety Labels 6.1.1 Card Summary Table 6-1 lists and summarizes the information about the TDC-CC and TDC-FC cards. 6.2 Class 1M Laser Safety Labels This section explains the significance of the safety labels attached to some of the cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 6.2.1 Class 1M Laser Product Cards The TDC-CC and TDC-FC cards can be connected to Class 1M lasers. The labels that appear on these cards are described in the following subsections. Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. 6.2.1.1 Hazard Level 1M Label The Hazard Level 1M label is shown in Figure 6-1. Figure 6-1 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. Table 6-1 T-DCU Cards Card Port Description For Additional Information TDC-CC The TDC-CC has one set of optical ports located on the faceplate. It operates in slots 1 to 6 and slots 12 to 17. See the 6.3 TDC-CC and TDC-FC Cards section. TDC-FC The TDC-FC has one set of optical ports located on the faceplate. It operates in slots 1 to 6 and slots 12 to 17. CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 1459536-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units TDC-CC and TDC-FC Cards 6.2.1.2 Laser Source Connector Label The Laser Source Connector label is shown in Figure 6-2. Figure 6-2 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. 6.2.1.3 FDA Statement Label The FDA Statement labels are shown in Figure 6-3 and Figure 6-4. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 6-3 FDA Statement Label Figure 6-4 FDA Statement Label 6.3 TDC-CC and TDC-FC Cards The TDC-CC card provides 16 values of CD ranging from 0 to -1650 ps/nm with a granularity of 110 ps/nm in the C-band spectrum. The TDC-FC card provides 16 values of CD ranging from 0 to -675 ps/nm with a granularity of 45 ps/nm in the C-band spectrum. 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 20076-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units TDC-CC and TDC-FC Cards You can configure the TDC-CC and TDC-FC cards for the CD value listed in Table 6-2. Refer to the Cisco ONS 15454 DWDM Procedure Guide to set the compensating value using CTC. 6.3.1 Key Features The TDC-CC and TDC-FC cards provide the following features: • Single slot card with three LEDs on the front panel. • Two LC-PC-II optical connectors on the front panel. • Operates in slots from slot 1 to 6 and 12 to 17. • Operates over the C-band (wavelengths from 1529 nm to 1562.5 nm) of the optical spectrum. • Allows upto 16 provisionable CD values for chromatic dispersion compensation. • Connects to OPT-PRE, OPT-AMP-C, OPT-RAMP-C, and OPT-RAMP-CE amplifiers and 40-SMR-1 and 40-SMR-2 cards. • Supports performance monitoring and alarm handling for selectable thresholds. • Allows monitoring and provisioning using CTC, SNMP, or TL1. Table 6-2 TDC-CC and TDC-FC Tunable CD Value Unit Configuration TDC-CC [ps/nm] TDC-FC [ps/nm] 0 0 1 1. The default value of the TDC-CC CD value for Coarse Unit is 0. 0 2 2. The default value of the TDC-FC value for Fine Unit is 0. 1 -110 -45 2 -220 -90 3 -330 -135 4 -440 -180 5 -550 -225 6 -660 -270 7 -770 -315 8 -880 -360 9 -990 -405 10 -1100 -450 11 -1210 -495 12 -1320 -540 13 -1430 -585 14 -1540 -630 15 -1650 -6756-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units TDC-CC and TDC-FC Cards 6.3.2 TDC-CC and TDC-FC Faceplate Diagram Figure 6-5 shows the TDC-CC and TDC-FC faceplate diagram. The TDC-CC and TDC-FC cards can be installed or pulled out of operation from any user interface slot, without impacting other service cards operating within that shelf. To install the TDC-CC and TDC-FC cards, refer the section NTP-G30 Install the DWDM Cards of the Cisco ONS 15454 DWDM Procedure Guide. Figure 6-5 TDC-CC and TDC-FC Faceplates Note The coarse T-DCU is identified with the card label as TDC-CC and the fine T-DCU with TDC-FC in the faceplate of the T-DCU card. TDC-CC FAIL ACT SF DC RX TX TDC-FC FAIL ACT SF DC RX TX Any of the 12 general purpose slots 2764446-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units TDC-CC and TDC-FC Cards 6.3.3 Functioning of Optical Ports The T-DCU unit contains the DC-RX (input) and DC-TX (output) ports. The optical signal enters the DC-RX port, compensates the chromatic dispersion and then exits from the DC-TX port. 6.3.4 TDC-CC and TDC-FC Block Diagram The TDC-CC and TDC-FC cards embed an optical module with four spools (D1, D2, D3, and D4) of dispersion compensating fiber that connects through the 2x2 bypass switches (Figure 6-6). Each bypass switch allows the corresponding dispersion compensation fiber spools to connect to the optical path from the DC-RX (input port) to the DC-TX (output port). The switch configuration selects the requested CD value and combines the four spools based on the 16 chromatic dispersion compensation values fetched. The photodiodes PD1 and PD2 are used to monitor the input and output ports respectively. Figure 6-6 Block Diagram of TDC-CC and TDC-FC 6.3.5 Lamp Test The TDC-CC and TDC-FC cards support a lamp test function that is activated either from the ONS 15454 front panel or CTC to ensure that all LEDs are functional. 6.3.6 TDC-CC and TDC-FC Card-Level Indicators Table 6-3 lists the card-level LEDs on the TDC-CC and TDC-FC cards. 276445 2x2 Switch D1 2x2 Switch D2 2x2 Switch D3 2x2 Switch D4 S1 S2 S3 S4 DC-RX DC-TX PD1 PD26-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units Monitoring Optical Performance 6.4 Monitoring Optical Performance The TDC-CC and TDC-FC cards monitor the optical input power and optical output power of the fiber. It monitors the insertion loss from the input (DC-RX) to the output (DC-TX) port, with the help of the two photodiodes PD1 and PD2. The TDC-CC and TDC-FC cards report the minimum, average, and maximum power statistics of each of the monitored ports or channels in the specific card. To view the optical power statistics of the TDC-CC and TDC-FC cards, refer to the Cisco ONS 15454 DWDM Procedure Guide. The performance data is recorded at 15 minutes and 24 hours intervals. Note You can view the performance monitoring (PM) data of the card using CTC, SNMP, and TL1 interfaces. Note The PM data is stored on a wrap-around basis at 32 x 15 min and 2 x 24 hour intervals. Table 6-3 TDC-CC and TDC-FC Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card processor is not ready. This LED is ON during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or both ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The Amber SF LED indicates a signal failure or condition such as LOS and LOF on one or more of the card ports. The amber SF LED is also ON if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns OFF.6-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 6 Tunable Dispersion Compensating Units Monitoring Optical PerformanceCHAPTER 7-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 7 Protection Switching Module This chapter describes the Protection Switching Module (PSM) card used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 7.1 PSM Card Overview • 7.2 Key Features • 7.3 PSM Block Diagram • 7.4 PSM Faceplate Ports • 7.5 PSM Card-Level Indicators • 7.6 PSM Bidirectional Switching 7.1 PSM Card Overview The PSM card performs splitter protection functions. In the transmit (TX) section of the PSM card (see Figure 7-1), the signal received on the common receive port is duplicated by a hardware splitter to both the working and protect transmit ports. In the receive (RX) section of the PSM card (Figure 7-1), a switch is provided to select one of the two input signals (on working and protect receive ports) to be transmitted through the common transmit port. The PSM card supports multiple protection configurations: • Channel protection—The PSM COM ports are connected to the TXP/MXP trunk ports. • Line (or path) protection—The PSM working (W) and protect (P) ports are connected directly to the external line. • Multiplex section protection—The PSM is equipped between the MUX/DMX stage and the amplification stage. • Standalone—The PSM can be equipped in any slot and supports all node configurations.7-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 7 Protection Switching Module Key Features The PSM card is a single-slot card that can be installed in any node from Slot 1 to 6 and 12 to 17. The PSM card includes six LC-PC-II optical connectors on the front panel. In channel protection configuration, the PSM card can be installed in a different shelf from its peer TXP/MXP card. Note It is strongly recommended that you use the default layouts designed by Cisco Transport Planner, which place the PSM card and its peer TXP/MXP card as close as possible to simplify cable management. For more information on the node configurations supported for the PSM card, see the “11.3 Supported Node Configurations for PSM Card” section on page 11-38. For more information on the network topologies supported for the PSM card, see the “12.6 Network Topologies for the PSM Card” section on page 12-19. 7.2 Key Features The PSM card provides the following features: • Operates over the C-band (wavelengths from 1529 nm to 1562.5 nm) and L-band (wavelengths from 1570.5 nm to 1604 nm) of the optical spectrum. • Implements bidirectional nonrevertive protection scheme. For more details on bidirectional switching, see the “7.6 PSM Bidirectional Switching” section on page 7-5. • Supports automatic creation of splitter protection group when the PSM card is provisioned. • Supports switching priorities based on ITU-T G.873.1. • Supports performance monitoring and alarm handling with settable thresholds. • Supports automatic laser shutdown (ALS), a safety mechanism used in the event of a fiber cut. ALS is applicable only in line protection configuration. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. For information about using the card to implement ALS in a network, see the “12.11 Network Optical Safety” section on page 12-27. 7.3 PSM Block Diagram Figure 7-1 shows a simplified block diagram of the PSM card.7-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 7 Protection Switching Module PSM Faceplate Ports Figure 7-1 PSM Block Diagram 7.4 PSM Faceplate Ports The PSM card has six optical ports located on the faceplate: • COM-RX (receive) is the input signal port. • COM-TX (transmit) is the output signal port. • W-RX is the working input signal port (receive section). • W-TX is the working output signal port (transmit section). • P-RX is the protect input signal port (receive section). • P-TX is the protect output signal port (transmit section). All ports are equipped with photodiodes to monitor optical power and other related thresholds. The COM-RX port is equipped with a virtual photodiode (firmware calculations of port optical power) to monitor optical power. The W-RX, P-RX, W-TX, and P-TX ports have optical power regulation, which are provided by variable optical attenuators (VOA). All VOAs equipped within the PSM card work in control attenuation mode. Figure 7-2 shows the PSM card faceplate. 270910 TX Section RX Section COM-RX W-TX P-TX W-RX P-RX COM-TX PD5 VOA3 1x2 Switch 50/50 Splitter PD2 PD4 PD3 VOA1 PD1 VOA2 Virtual PD7-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 7 Protection Switching Module PSM Card-Level Indicators Figure 7-2 PSM Card Faceplate 7.5 PSM Card-Level Indicators Table 7-1 shows the three card-level indicators on the PSM card. 270911 PSM FAIL ACT SF P COM RX TX RX TX RX TX W 1345567 Any of the 12 general purpose slots Table 7-1 PSM Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists.7-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 7 Protection Switching Module PSM Bidirectional Switching 7.6 PSM Bidirectional Switching A VOA is equipped after the hardware splitter within the PSM card. The VOA implements bidirectional switching when there is a single fiber cut in a protection configuration involving two peer PSM cards. Figure 7-3 shows a sample configuration that explains the bidirectional switching capability of the PSM card. Figure 7-3 PSM Bidirectional Switching In this example, there is a fiber cut in the working path from Station A to Station B as shown in Figure 7-3. As a result of the fiber cut, an LOS alarm is raised on the W-RX port of Station B and it immediately switches traffic on to its P-RX port. Station B simultaneously also stops transmission (for approximately 25 milliseconds) on its W-TX port, which raises an LOS alarm on the W-RX port of Station A. This causes Station A to also switch traffic to its P-RX port. In this way, PSM implements bidirectional switching without any data exchange between the two stations. Since the two stations do not communicate using signaling protocols (overhead bytes), a Manual or Force protection switch on the PSM card is implemented by creating a traffic hit. For example, consider that you perform a Manual or Force protection switch on Station A. The TX VOA on the active path is set to automatic VOA shutdown (AVS) state for 25 milliseconds. This causes Station B to switch traffic to the other path because it cannot differentiate between a maintenance operation and a real fail. After 25 milliseconds, the VOA in Station A is automatically reset. However, Station B will not revert back by itself because of nonrevertive switching protection scheme used in the PSM card. Green ACT LED The green ACT LED indicates that the PSM is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off. Table 7-1 PSM Card-Level Indicators (continued) Card-Level Indicators Description 270915 TX Section RX Section COM-RX W-TX P-TX W-RX P-RX W-RX P-RX W-TX P-TX COM-TX PD5 RX Section TX Section COM-TX COM-RX PD3 PD4 PD2 PD1 A B PD3 PD4 PD2 PD1 PD57-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 7 Protection Switching Module PSM Bidirectional Switching To effectively implement switching, the Lockout and Force commands must be performed on both the stations. If these commands are not performed on both the stations, the far-end and near-end PSMs can be misaligned. In case of misalignment, when a path recovers, traffic might not recover automatically. You might have to perform a Force protection switch to recover traffic. Note The order in which you repair the paths is important in the event of a double failure (both the working and protect paths are down due to a fiber cut) on the PSM card in line protection configuration when the active path is the working path. If you repair the working path first, traffic is automatically restored. However, if you repair the protect path first, traffic is not automatically restored. You must perform a Force protection switch to restore traffic on the protect path.CHAPTER 8-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 8 Optical Add/Drop Cards This chapter describes optical add/drop cards used in Cisco ONS 15454 dense wavelength division multiplexing (DWDM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note The cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms, unless noted otherwise. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 8.1 Card Overview, page 8-1 • 8.2 Class 1M Laser Product Safety Lasers, page 8-8 • 8.3 AD-1C-xx.x Card, page 8-11 • 8.4 AD-2C-xx.x Card, page 8-14 • 8.5 AD-4C-xx.x Card, page 8-18 • 8.6 AD-1B-xx.x Card, page 8-22 • 8.7 AD-4B-xx.x Card, page 8-25 8.1 Card Overview The card overview section contains card overview, software compatibility, interface class, and channel allocation information for optical add/drop cards. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. For a list of slots and symbols, see the "Card Slot Requirements" section in the Cisco ONS 15454 Hardware Installation Guide. Optical add/drop cards are divided into two groups: band optical add/drop multiplexer (OADM) cards and channel OADM cards. Band OADM cards add and drop one or four bands of adjacent channels. The cards in this chapter, including the 4-Band OADM (AD-4B-xx.x) and the 1-Band OADM (AD-1B-xx.x) 8-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview are utilized only in the C band. Channel OADM cards add and drop one, two, or four adjacent channels; they include the 4-Channel OADM (AD-4C-xx.x), the 2-Channel OADM (AD-2C-xx.x), and the 1-Channel OADM (AD-1C-xx.x). Note For information about L band add and drop capability, see Chapter 9, “Reconfigurable Optical Add/Drop Cards.” 8.1.1 Card Summary Table 8-1 lists and summarizes the functions of the optical add/drop cards. 8.1.2 Card Compatibility Table 8-2 lists the CTC software compatibility for each optical add/drop card. Table 8-1 Optical Add/Drop Cards Card Port Description For Additional Information AD-1C-xx.x The AD-1C-xx.x card has three sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “8.3 AD-1C-xx.x Card” section on page 8-11. AD-2C-xx.x The AD-2C-xx.x card has four sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “8.4 AD-2C-xx.x Card” section on page 8-14. AD-4C-xx.x The AD-4C-xx.x card has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “8.5 AD-4C-xx.x Card” section on page 8-18. AD-1B-xx.x The AD-1B-xx.x card has three sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “8.6 AD-1B-xx.x Card” section on page 8-22. AD-4B-xx.x The AD-4B-xx.x card has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “8.7 AD-4B-xx.x Card” section on page 8-25.8-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview 8.1.3 Interface Classes The AD-1C-xx.x, AD-2C-xx.x, AD-4C-xx.x, AD-1B-xx.x, and AD-4B-xx.x cards have different input and output optical channel signals depending on the interface card where the input signal originates from. The input interface cards have been grouped in classes listed in Table 8-3. The subsequent tables list the optical performances and output power of each interface class. Table 8-2 Software Release Compatibility for Optical Add/Drop Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 AD-1C-xx.x 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454- DWD M 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWDM 15454- DWDM 15454 -DWD M 15454- DWDM , 15454- M2, 15454- M6 AD-2C-xx.x 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454- DWD M 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWDM 15454- DWDM 15454 -DWD M 15454- DWDM , 15454- M2, 15454- M6 AD-4C-xx.x 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454- DWD M 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWDM 15454- DWDM 15454 -DWD M 15454- DWDM , 15454- M2, 15454- M6 AD-1B-xx.x 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454- DWD M 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWDM 15454- DWDM 15454 -DWD M 15454- DWDM AD-4B-xx.x 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454- DWD M 15454- DWD M 15454 -DW DM 15454- DWD M 15454- DWDM 15454- DWDM 15454 -DWD M 15454- DWDM8-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview Table 8-4 lists the optical performance parameters for 40-Gbps cards that provide signal input to the optical add/drop cards. Table 8-3 ONS 15454 Card Interfaces Assigned to Input Power Classes Input Power Class Card A 10-Gbps multirate transponder cards (TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) with forward error correction (FEC) enabled, 10-Gbps muxponder cards (MXP_2.5G_10G, MXP_2.5G_10E, MXP_MR_10DME_C, MXP_MR_10DME_L, MXP_2.5G_10E_C, and MXP_2.5G_10E_L) with FEC enabled, and 40-Gbps muxponder card (40G-MXP-C) B 10-Gbps multirate transponder card (TXP_MR_10G) without FEC and the 10-Gbps muxponder card (MXP_2.5G_10G, MXP_MR_10DME_C, MXP_MR_10DME_L), and 40-Gbps muxponder card (40G-MXP-C), and ADM-10G cards with FEC disabled C OC-192 LR ITU cards (TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) without FEC D 2.5-Gbps multirate transponder card (TXP_MR_2.5G), both protected and unprotected, with FEC enabled E OC-48 100-GHz DWDM muxponder card (MXP_MR_2.5G) and 2.5-Gbps multirate transponder card (TXP_MR_2.5G), both protected and unprotected, with FEC disabled and retime, reshape, and regenerate (3R) mode enabled F 2.5-Gbps multirate transponder card (TXP_MR_2.5G), both protected and unprotected, in regenerate and reshape (2R) mode G OC-48 ELR 100 GHz card H 2/4 port GbE transponder (GBIC WDM 100GHz) I TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L cards with enhanced FEC (E-FEC) and the MXP_2.5G_10E, MXP_2.5G_10E_C, MXP_2.5G_10E_L, MXP_MR_10DME_C, MXP_MR_10DME_L, and 40G-MXP-C cards with E-FEC enabled Table 8-4 40-Gbps Interface Optical Performance Parameter Class A Class B Class I Type Power Limited OSNR1 Limited (if appl.) Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) Maximum bit rate 40 Gbps 40 Gbps 40 Gbps Regeneration 3R 3R 3R FEC Yes No Yes (E-FEC) Threshold Optimum Average Optimum Maximum BER2 10–15 10–12 10–15 OSNR1 sensitivity 23 dB 9 dB 23 dB 19 dB 20 dB 8 dB Power sensitivity –24 dBm –18 dBm –21 dBm –20 dBm –26 dBm –18 dBm8-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview Table 8-5 lists the optical performance parameters for 40-Gbps cards that provide signal input to the optical add/drop cards. Power overload –8 dBm –8 dBm –8 dBm Transmitted Power Range3 OC-192 LR ITU — — — Dispersion compensation tolerance +/–800 ps/nm +/–1,000 ps/nm +/–800 ps/nm 1. OSNR = optical signal-to-noise ratio 2. BER = bit error rate 3. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 8-4 40-Gbps Interface Optical Performance (continued) Parameter Class A Class B Class I Type Power Limited OSNR1 Limited (if appl.) Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) Table 8-5 10-Gbps Interface Optical Performance Parameter Class A Class B Class C Class I Type Power Limited OSNR1 Limited (if appl.) Power Limited OSNR Limited (if appl.) OSNR Limited Power Limited OSNR Limited (if appl.) Maximum bit rate 10 Gbps 10 Gbps 10 Gbps 10 Gbps Regeneration 3R 3R 3R 3R FEC Yes No No Yes (E-FEC) Threshold Optimum Average Average Optimum Maximum BER2 10–15 10–12 10–12 10–15 OSNR1 sensitivity 23 dB 9 dB 23 dB 19 dB 19 dB 20 dB 8 dB Power sensitivity –24 dBm –18 dBm –21 dBm –20 dBm –22 dBm –26 dBm –18 dBm Power overload –8 dBm –8 dBm –9 dBm –8 dBm Transmitted Power Range3 10-Gbps multirate transponder/10-Gbps FEC transponder (TXP_MR_10G) +2.5 to 3.5 dBm +2.5 to 3.5 dBm — — OC-192 LR ITU — — +3.0 to 6.0 dBm —8-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview 2.5-Gbps cards that provide signal input to the optical add/drop cards have the interface performance parameters listed in Table 8-6. 10-Gbps multirate transponder/10-Gbps FEC transponder (TXP_MR_10E) +3.0 to 6.0 dBm +3.0 to 6.0 dBm — +3.0 to 6.0 dBm Dispersion compensation tolerance +/–800 ps/nm +/–1,000 ps/nm +/–1,000 ps/nm +/–800 ps/nm 1. OSNR = optical signal-to-noise ratio 2. BER = bit error rate 3. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 8-5 10-Gbps Interface Optical Performance (continued) Parameter Class A Class B Class C Class I Type Power Limited OSNR1 Limited (if appl.) Power Limited OSNR Limited (if appl.) OSNR Limited Power Limited OSNR Limited (if appl.) Table 8-6 2.5-Gbps Interface Optical Performance Parameter Class D Class E Class F Class G Class H Class J Type Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) OSNR Limited Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) Power Limited Maximum bit rate 2.5 Gbps 2.5 Gbps 2.5 Gbps 2.5 Gbps 1.25 Gbps 2.5 Gbps Regeneration 3R 3R 2R 3R 3R 3R FEC Yes No No No No No Threshold Average Average Average Average Average Average Maximum BER 10–15 10–12 10–12 10–12 10–12 10–12 OSNR sensitivity 14 dB 6 dB 14 dB 10 dB 15 dB 14 dB 11 dB 13 dB 8 dB 12 dB Power sensitivity –31 dBm –25 dBm –30 dBm –23 dBm –24 dBm –27 dBm –33 dBm –28 dBm –18 dBm –26 dBm Power overload –9 dBm –9 dBm –9 dBm –9 dBm –7 dBm –17dBm Transmitted Power Range1 TXP_MR_2.5G –1.0 to 1.0 dBm –1.0 to 1.0 dBm –1.0 to 1.0 dBm –2.0 to 0 dBm — — TXPP_MR_2.5G –4.5 to –2.5 dBm –4.5 to –2.5 dBm –4.5 to –2.5 dBm MXP_MR_2.5G — +2.0 to +4.0 dBm — MXPP_MR_2.5G — –1.5 to +0.5 dBm —8-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Card Overview 8.1.4 DWDM Card Channel Allocation Plan ONS 15454 DWDM channel OADM and band OADM cards are designed for use with specific channels in the C band. In most cases, the channels for these cards are either numbered (for example, 1 to 32) or delimited (odd or even). Client interfaces must comply with these channel assignments to be compatible with the ONS 15454 system. Table 8-7 lists the channel IDs and wavelengths assigned to the C-band DWDM channels. Note In some cases, a card uses only some or all of the channels listed in a band. Also, some cards use channels on the 100-GHz ITU-T grid while others use channels on the 50-GHz ITU-T grid. See specific card descriptions in Appendix A, “Hardware Specifications,” for more details. 2/4 port GbE Transponder (GBIC WDM 100GHz) — — — — +2.5 to 3.5 dBm — Dispersion compensation tolerance –1200 to +5400 ps/nm –1200 to +5400 ps/nm –1200 to +3300 ps/nm –1200 to +3300 ps/nm –1000 to +3600 ps/nm –1000 to +3200 ps/nm 1. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 8-6 2.5-Gbps Interface Optical Performance (continued) Parameter Class D Class E Class F Class G Class H Class J Type Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) OSNR Limited Power Limited OSNR Limited (if appl.) Power Limited OSNR Limited (if appl.) Power Limited Table 8-7 DWDM Channel Allocation Plan (C Band) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.1168-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Class 1M Laser Product Safety Lasers 8.2 Class 1M Laser Product Safety Lasers This section lists the safety labels attached to the AD-1C-xx.x, AD-2C-xx.x, AD-4c-xx.x, AD-1B-xx.x, and AD-4B-xx.xx cards. 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 8-7 DWDM Channel Allocation Plan (C Band) (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm)8-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Class 1M Laser Product Safety Lasers 8.2.1 Class 1M Laser Product Statement The Class 1M Laser Product statement is shown in Figure 8-1. Figure 8-1 Class 1M Laser Product Statement Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. 8.2.2 Hazard Level 1M Label The Hazard Level 1M label is shown in Figure 8-2. Figure 8-2 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. 8.2.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 8-3. CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 145953 HAZARD LEVEL 1M 1459908-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards Class 1M Laser Product Safety Lasers Figure 8-3 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. 8.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 8-4 and Figure 8-5. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 8-4 FDA Statement Label Figure 8-5 FDA Statement Label 8.2.5 Shock Hazard Label The Shock Hazard label is shown in Figure 8-6. 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 20078-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1C-xx.x Card Figure 8-6 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. 8.3 AD-1C-xx.x Card Note See the “A.9.1 AD-1C-xx.x Card Specifications” section on page A-44 for hardware specifications. The 1-Channel OADM (AD-1C-xx.x) card passively adds or drops one of the 32 channels utilized within the 100-GHz-spacing of the DWDM card system. Thirty-two versions of this card—each designed only for use with one wavelength—are used in the ONS 15454 DWDM system. Each wavelength version of the card has a different part number. The AD-1C-xx.x can be installed in Slots 1 to 6 and 12 to 17. The AD-1C-xx.x has the following internal features: • Two cascaded passive optical interferential filters perform the channel add and drop functions. • One software-controlled variable optical attenuator (VOA) regulates the optical power of the inserted channel. • Software-controlled VOA regulates the insertion loss of the express optical path. • VOA settings and functions, photodiode detection, and alarm thresholds, are internally controlled. • Virtual photodiodes (firmware calculations of port optical power) at the common DWDM output and input ports are monitored within the software. Figure 8-7 shows the AD-1C-xx.x faceplate. 655418-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1C-xx.x Card Figure 8-7 AD-1C-xx.x Faceplate For information on safety labels for the card, see the “8.2 Class 1M Laser Product Safety Lasers” section on page 8-8. Figure 8-8 shows a block diagram of the AD-1C-xx.x card. AD-1C -X.XX FAIL ACT SF RX 15xx.xx TX RX EXP TX RX COM TX 964738-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1C-xx.x Card Figure 8-8 AD-1C-xx.x Block Diagram Figure 8-9 shows the AD-1C-xx.x optical module functional block diagram. Figure 8-9 AD-1C-xx.x Optical Module Functional Block Diagram 8.3.1 Power Monitoring Physical photodiodes P1 through P4 and virtual photodiodes V1 and V2 monitor the power for the AD-1C-xx.x card. The returned power level values are calibrated to the ports as shown in Table 8-8. Optical Module COM RX COM TX 124074 uP8260 processor DC/DC converter EXP TX EXP RX FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P Power supply Input filters BAT A&B Add Rx Drop Tx 98304 Control Control interface Virtual photodiode COM RX EXP RX EXP TX TX Channel 15xx.xx RX Physical photodiode Variable optical attenuator V1 P COM TX P1 P3 P5 P4 V2 P2 V Table 8-8 AD-1C-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1 ADD DROP RX P2 DROP DROP TX8-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-2C-xx.x Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 8.3.2 AD-1C-xx.x Card-Level Indicators The AD-1C-xx.x card has three card-level LED indicators, described in Table 8-9. 8.3.3 AD-1C-xx.x Port-Level Indicators You can find the status of the card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The AD-1C-xx.x has six LC-PC-II optical ports: two for add/drop channel client input and output, two for express channel input and output, and two for communication. 8.4 AD-2C-xx.x Card Note See the “A.9.2 AD-2C-xx.x Card Specifications” section on page A-44 for hardware specifications. The 2-Channel OADM (AD-2C-xx.x) card passively adds or drops two adjacent 100-GHz channels within the same band. Sixteen versions of this card—each designed for use with one pair of wavelengths—are used in the ONS 15454 DWDM system. The card bidirectionally adds and drops in two different sections on the same card to manage signal flow in both directions. Each version of the card has a different part number. The AD-2C-xx.x has the following features: P3 IN EXP EXP RX P4 OUT EXP EXP TX V1 IN COM COM RX V2 OUT COM COM TX Table 8-8 AD-1C-xx.x Port Calibration (continued) Photodiode CTC Type Name Calibrated to Port Table 8-9 AD-1C-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the AD-1C-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure. The SF LED also illuminates when the transmitting and receiving fibers are incorrectly connected. When the fibers are properly connected, the LED turns off.8-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-2C-xx.x Card • Passive cascade of interferential filters perform the channel add and drop functions. • Two software-controlled VOAs in the add section, one for each add port, regulate the optical power of inserted channels. • Software-controlled VOAs regulate insertion loss on express channels. • VOA settings and functions, photodiode detection, and alarm thresholds are internally controlled. • Virtual photodiodes (firmware calculation of port optical power) at the common DWDM output and input ports are monitored within the software. Figure 8-10 shows the AD-2C-xx.x faceplate. Figure 8-10 AD-2C-xx.x Faceplate For information on safety labels for the card, see the “8.2 Class 1M Laser Product Safety Lasers” section on page 8-8. AD-2C -X.XX FAIL ACT SF RX 15xx.xx TX RX 15xx.xx TX RX EXP TX RX COM TX 964748-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-2C-xx.x Card Figure 8-11 shows a block diagram of the AD-2C-xx.x card. Figure 8-11 AD-2C-xx.x Block Diagram Figure 8-12 shows the AD-2C-xx.x optical module functional block diagram. Figure 8-12 AD-2C-xx.x Optical Module Functional Block Diagram 8.4.1 Wavelength Pairs The AD-2C-xx.x cards are provisioned for the wavelength pairs listed in Table 8-10. In this table, channel IDs are given rather than wavelengths. To compare channel IDs with the actual wavelengths they represent, see wavelengths in Table 8-7 on page 8-7. Optical Module COM RX COM TX 98305 uP8260 processor DC/DC converter EXP TX EXP RX FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P Power supply input filters BAT A&B Add RX Drop TX Add RX Drop TX CH 1 CH 2 98306 Control Control interface Virtual photodiode COM RX EXP RX EXP TX TX Second channel TX RX RX Physical photodiode Variable optical attenuator V V1 V2 COM TX First channel P1 P P3 P4 P2 P5 P7 P68-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-2C-xx.x Card 8.4.2 Power Monitoring Physical photodiodes P1 through P10 and virtual photodiodes V1 and V2 monitor the power for the AD-2C-xx.x card. The returned power level values are calibrated to the ports as shown in Table 8-11. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 8.4.3 AD-2C-xx.x Card-Level Indicators The AD-2C-xx.x card has three card-level LED indicators, described in Table 8-12. Table 8-10 AD-2C-xx.x Channel Pairs Band ID Add/Drop Channel ID Band 30.3 (A) 30.3, 31.2 31.9, 32.6 Band 34.2 (B) 34.2, 35.0 35.8, 36.6 Band 38.1 (C) 38.1, 38.9 39.7, 40.5 Band 42.1 (D) 42.1, 42.9 43.7, 44.5 Band 46.1 (E) 46.1, 46.9 47.7, 48.5 Band 50.1 (F) 50.1, 50.9 51.7, 52.5 Band 54.1 (G) 54.1, 54.9 55.7, 56.5 Band 58.1 (H) 58.1, 58.9 59.7, 60.6 Table 8-11 AD-2C-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P2 ADD COM TX P3–P4 DROP DROP TX P5 IN EXP EXP RX P6 OUT EXP EXP TX V1 IN COM COM RX V2 OUT COM COM TX8-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4C-xx.x Card 8.4.4 AD-2C-xx.x Port-Level Indicators You can find the status of the card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The AD-2C-xx.x card has eight LC-PC-II optical ports: four for add/drop channel client input and output, two for express channel input and output, and two for communication. 8.5 AD-4C-xx.x Card Note See the “A.9.3 AD-4C-xx.x Card Specifications” section on page A-45 for hardware specifications. The 4-Channel OADM (AD-4C-xx.x) card passively adds or drops all four 100-GHz-spaced channels within the same band. Eight versions of this card—each designed for use with one band of wavelengths—are used in the ONS 15454 DWDM system. The card bidirectionally adds and drops in two different sections on the same card to manage signal flow in both directions. There are eight versions of this card with eight part numbers. The AD-4C-xx.x has the following features: • Passive cascade of interferential filters perform the channel add and drop functions. • Four software-controlled VOAs in the add section, one for each add port, regulate the optical power of inserted channels. • Two software-controlled VOAs regulate insertion loss on express and drop path, respectively. • Internal control of the VOA settings and functions, photodiode detection, and alarm thresholds. • Software-monitored virtual photodiodes (firmware calculation of port optical power) at the common DWDM output and input ports. Figure 8-13 shows the AD-4C-xx.x faceplate. Table 8-12 AD-2C-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the AD-2C-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.8-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4C-xx.x Card Figure 8-13 AD-4C-xx.x Faceplate For information on safety labels for the card, see the “8.2 Class 1M Laser Product Safety Lasers” section on page 8-8. Figure 8-14 shows a block diagram of the AD-4C-xx.x card. AD-4C -X.XX FAIL ACT SF RX 15xx.xx TX RX 15xx.xx TX RX 15xx.xx TX RX 15xx.xx TX RX EXP TX RX COM TX 964758-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4C-xx.x Card Figure 8-14 AD-4C-xx.x Block Diagram Figure 8-15 shows the AD-4C-xx.x optical module functional block diagram. Figure 8-15 AD-4C-xx.x Optical Module Functional Block Diagram 8.5.1 Wavelength Sets The AD-4C-xx.x cards are provisioned for the sets of four 100-GHz-spaced wavelengths shown Table 8-13 on page 8-21. Optical Module COM RX COM TX 124075 uP8260 processor DC/DC converter EXP TX EXP RX FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P Power supply Input filters BAT A&B Add Rx Drop Tx Channel 1 Add Rx Drop Tx Channel 2 Add Rx Drop Tx Channel 3 Add Rx Drop Tx Channel 4 98299 Control Control interface 4Ch OADM module Virtual photodiode COM RX COM TX EXP RX EXP TX TX Channels RX Channels Physical photodiode Variable optical attenuator V V1 V2 P1 P9 P11 P10 P12 P2 P3 P4 P5 P6 P7 P8 P8-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4C-xx.x Card 8.5.2 Power Monitoring Physical photodiodes P1 through P10 and virtual photodiodes V1 and V2 monitor the power for the AD-4C-xx.x card. The returned power level values are calibrated to the ports as shown in Table 8-14. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 8.5.3 AD-4C-xx.x Card-Level Indicators The AD-4C-xx.x card has three card-level LED indicators, described in Table 8-15. Table 8-13 AD-4C-xx.x Channel Sets Band ID Add/Drop Wavelengths Band 30.3 (A) 1530.3, 1531.2, 1531.9, 1532.6 Band 34.2 (B) 1534.2, 1535.0, 1535.8, 1536.6 Band 38.1 (C) 1538.1, 1538.9, 1539.7, 1540.5 Band 42.1 (D) 1542.1, 1542.9, 1543.7, 1544.5 Band 46.1 (E) 1546.1, 1546.9, 1547.7, 1548.5 Band 50.1 (F) 1550.1, 1550.9, 1551.7, 1552.5 Band 54.1 (G) 1554.1, 1554.9, 1555.7, 1556.5 Band 58.1 (H) 1558.1, 1558.9, 1559.7, 1560.6 Table 8-14 AD-4C-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P4 ADD COM TX P5–P8 DROP DROP TX P9 IN EXP EXP RX P10 OUT EXP EXP TX V1 IN COM COM RX V2 OUT COM COM TX Table 8-15 AD-4C-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists.8-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1B-xx.x Card 8.5.4 AD-4C-xx.x Port-Level Indicators You can find the status of the card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The AD-4C-xx.x card has 12 LC-PC-II optical ports: eight for add/drop channel client input and output, two for express channel input and output, and two for communication. 8.6 AD-1B-xx.x Card (Cisco ONS 15454 only) Note See the “A.9.4 AD-1B-xx.x Card Specifications” section on page A-47 for hardware specifications. The 1-Band OADM (AD-1B-xx.x) card passively adds or drops a single band of four adjacent 100-GHz-spaced channels. Eight versions of this card with eight different part numbers—each version designed for use with one band of wavelengths—are used in the ONS 15454 DWDM system. The card bidirectionally adds and drops in two different sections on the same card to manage signal flow in both directions. This card can be used when there is asymmetric adding and dropping on each side (east or west) of the node; a band can be added or dropped on one side but not on the other. The AD-1B xx.x can be installed in Slots 1 to 6 and 12 to17 and has the following features: • Passive cascaded interferential filters perform the channel add and drop functions. • Two software-controlled VOAs regulate the optical power flowing in the express and drop OADM paths (drop section). • Output power of the dropped band is set by changing the attenuation of the VOA drop. • The VOA express is used to regulate the insertion loss of the express path. • VOA settings and functions, photodiode detection, and alarm thresholds are internally controlled. • Virtual photodiode (firmware calculation of port optical power) at the common DWDM output are monitored within the software. Figure 8-16 shows the AD-1B-xx.x faceplate. Green ACT LED The green ACT LED indicates that the AD-4C-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off. Table 8-15 AD-4C-xx.x Card-Level Indicators (continued) Card-Level Indicators Description8-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1B-xx.x Card Figure 8-16 AD-1B-xx.x Faceplate For information on safety labels for the card, see the “8.2 Class 1M Laser Product Safety Lasers” section on page 8-8. Figure 8-17 shows a block diagram of the AD-1B-xx.x card. AD-1B -X.XX FAIL ACT SF RX XX.X TX RX EXP TX RX COM TX 964718-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-1B-xx.x Card Figure 8-17 AD-1B-xx.x Block Diagram Figure 8-18 shows the AD-1B-xx.x optical module functional block diagram. Figure 8-18 AD-1B-xx.x Optical Module Functional Block Diagram 8.6.1 Power Monitoring Physical photodiodes P1 through P4 and virtual photodiodes V1 and V2 monitor the power for the AD-1B-xx.x card. The returned power level values are calibrated to the ports as shown in Table 8-16. Optical Module COM RX COM TX 124073 uP8260 processor DC/DC converter EXP TX EXP RX FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P Power supply Input filters BAT A&B Band xx.x Rx Band xx.x Tx 98307 Control Control interface Virtual photodiode COM RX EXP RX EXP TX TX Band xx.x Physical photodiode RX Physical photodiode V V2 V1 COM TX P1 P3 P5 P4 P2 P Table 8-16 AD-1B-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1 ADD BAND RX P2 DROP BAND TX8-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4B-xx.x Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 8.6.2 AD-1B-xx.x Card-Level Indicators The AD-1B-xx.x card has three card-level LED indicators, described in Table 8-17. 8.6.3 AD-1B-xx.x Port-Level Indicators You can find the status of the card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The AD-1B-xx.x has six LC-PC-II optical ports: two for add/drop channel client input and output, two for express channel input and output, and two for communication. 8.7 AD-4B-xx.x Card (Cisco ONS 15454 only) The 4-Band OADM (AD-4B-xx.x) card passively adds or drops four bands of four adjacent 100-GHz-spaced channels. Two versions of this card with different part numbers—each version designed for use with one set of bands—are used in the ONS 15454 DWDM system. The card bidirectionally adds and drops in two different sections on the same card to manage signal flow in both directions. This card can be used when there is asymmetric adding and dropping on each side (east or west) of the node; a band can be added or dropped on one side but not on the other. The AD1B-xx.x can be installed in Slots 1 to 6 and 12 to 17 and has the following features: P3 IN EXP EXP RX P4 OUT EXP EXP TX V1 IN COM COM RX V2 OUT COM COM TX Table 8-16 AD-1B-xx.x Port Calibration (continued) Photodiode CTC Type Name Calibrated to Port Table 8-17 AD-1B-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the AD-1B-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.8-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4B-xx.x Card • Five software-controlled VOAs regulate the optical power flowing in the OADM paths. • Output power of each dropped band is set by changing the attenuation of each VOA drop. • The VOA express is used to regulate the insertion loss of the express path. • VOA settings and functions, photodiode detection, and alarm thresholds are internally controlled. • Virtual photodiode (firmware calculation of port optical power) at the common DWDM output port are monitored within the software. Figure 8-19 shows the AD-4B-xx.x faceplate. Figure 8-19 AD-4B-xx.x Faceplate For information on safety labels for the card, see the “8.2 Class 1M Laser Product Safety Lasers” section on page 8-8. Figure 8-20 shows a block diagram of the AD-4B-xx.x card. AD-4B -X.XX FAIL ACT SF RX XX.X TX RX XX.X TX RX XX.X TX RX XX.X TX RX EXP TX RX COM TX 964728-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4B-xx.x Card Figure 8-20 AD-4B-xx.x Block Diagram Figure 8-21 shows the AD-4B-xx.x optical module functional block diagram. Figure 8-21 AD-4B-xx.x Optical Module Functional Block Diagram 8.7.1 Power Monitoring Physical photodiodes P1 through P11 and virtual photodiode V1 monitor the power for the AD-4B-xx.x card. The returned power level values are calibrated to the ports as shown in Table 8-18. Optical Module COM RX COM TX 124075 uP8260 processor DC/DC converter EXP TX EXP RX FPGA For SCL Bus management SCL Bus TCC M SCL Bus TCC P Power supply Input filters BAT A&B Add Rx Drop Tx Channel 1 Add Rx Drop Tx Channel 2 Add Rx Drop Tx Channel 3 Add Rx Drop Tx Channel 4 Virtual photodiode COM RX TX B30.3 or B46.1 RX Control Control interface Physical photodiode Variable optical attenuator V V1 EXP RX EXP TX COM TX TX B34.2 or B50.1 RX TX B38.1 or B54.1 RX TX RX B42.1 or B58.1 98308 P1 P P2 P3 P4 P9 P11 P12 P10 P5 P6 P7 P88-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 8 Optical Add/Drop Cards AD-4B-xx.x Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 8.7.2 AD-4B-xx.x Card-Level Indicators The AD-4B-xx.x card has three card-level LED indicators, described in Table 8-19. 8.7.3 AD-4B-xx.x Port-Level Indicators You can find the status of the card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. The AD-4B-xx.x has 12 LC-PC-II optical ports: eight for add/drop band client input and output, two for express channel input and output, and two for communication. Table 8-18 AD-4B-xx.x Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P4 ADD COM TX P5–P8 DROP DROP TX P9 IN EXP EXP RX P10 OUT EXP EXP TX P11 IN COM COM RX V1 OUT COM COM TX Table 8-19 AD-4B-xx.x Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the AD-4B-xx.x card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.CHAPTER 9-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 9 Reconfigurable Optical Add/Drop Cards This chapter describes the Cisco ONS 15454 cards deployed in reconfigurable optical add/drop (ROADM) networks. For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note The cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms, unless noted otherwise. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 9.1 Card Overview, page 9-2 • 9.2 Safety Labels for Class 1M Laser Product Cards, page 9-14 • 9.3 32WSS Card, page 9-16 • 9.4 32WSS-L Card, page 9-23 • 9.5 32DMX Card, page 9-30 • 9.6 32DMX-L Card, page 9-35 • 9.7 40-DMX-C Card, page 9-40 • 9.8 40-DMX-CE Card, page 9-45 • 9.9 40-MUX-C Card, page 9-50 • 9.10 40-WSS-C Card, page 9-55 • 9.11 40-WSS-CE Card, page 9-61 • 9.12 40-WXC-C Card, page 9-68 • 9.13 80-WXC-C Card, page 9-74 • 9.14 Single Module ROADM (SMR-C) Cards, page 9-81 • 9.15 MMU Card, page 9-929-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview Note This chapter contains information about cards that perform mesh topology functions. Multiplexer and demultiplexer cards that do not perform these functions are described in Chapter 5, “Multiplexer and Demultiplexer Cards.” 9.1 Card Overview The ROADM cards include six add drop cards utilized in the C-band (32WSS, 32DMX, 32DMX-C, 40-MUX-C, 40-WXC-C, 80-WXC-C, and MMU), two add drop cards utilized for the L-band (32WSS-L, and 32DMX-L), and two single module ROADM (SMR) cards utilized in the C-band (40-SMR1-C and 40-SMR2-C). This section provides card summary, compatibility, channel allocation, and safety information. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots that have the same symbols. For a list of slots and symbols, see the "Card Slot Requirements" section in the Cisco ONS 15454 Hardware Installation Guide. 9.1.1 Card Summary Table 9-1 lists and summarizes information about each ROADM card. Table 9-1 ROADM Card Summary Card Port Description For Additional Information 32WSS The 32WSS card has seven sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.3 32WSS Card” section on page 9-16 32WSS-L The 32WSS-L card has seven sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.4 32WSS-L Card” section on page 9-23 32DMX The 32DMX has five sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.5 32DMX Card” section on page 9-30 32DMX-L The 32DMX-L has five sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.6 32DMX-L Card” section on page 9-35 40-DMX-C The 40-DMX-C has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.7 40-DMX-C Card” section on page 9-40 40-DMX-CE The 40-DMX-CE has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.8 40-DMX-CE Card” section on page 9-45 40-MUX-C The 40-MUX-C has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.9 40-MUX-C Card” section on page 9-50.9-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview 9.1.2 Card Compatibility Table 9-2 lists the Cisco Transport Controller (CTC) software compatibility for the ROADM cards. 40-WSS-C The 40-WSS-C card has eight sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.10 40-WSS-C Card” section on page 9-55 40-WSS-CE The 40-WSS-CE card has eight sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.11 40-WSS-CE Card” section on page 9-61 40-WXC-C The 40-WXC-C card has five sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.12 40-WXC-C Card” section on page 9-68 80-WXC-C The 80-WXC-C card has 14 ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.13 80-WXC-C Card” section on page 9-74. 40-SMR1-C The 40-SMR1-C card has six sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.14 Single Module ROADM (SMR-C) Cards” section on page 9-81 40-SMR2-C The 40-SMR2-C card has six sets of ports located on the faceplate. It operates in Slots 1 to 5 and 12 to 16. See the “9.14 Single Module ROADM (SMR-C) Cards” section on page 9-81 MMU The MMU card has six sets of ports located on the faceplate. It operates in Slots 1 to 6 and 12 to 17. See the “9.15 MMU Card” section on page 9-92 Table 9-1 ROADM Card Summary (continued) Card Port Description For Additional Information Table 9-2 Software Release Compatibility for ROADM Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 32WSS No No 15454- DWDM 15454- DWDM 15454- DWDM 15454- DWD M 15454- DWD M 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM 32WSS-L No No No No No 15454- DWD M 15454- DWD M 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM 40-WSS-C No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 6 40-WSS-CE No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 69-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview 32DMX No No 15454- DWDM 15454- DWDM 15454- DWDM 15454- DWD M 15454- DWD M 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 32DMX-L No No No No No 15454- DWD M 15454- DWD M 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM 40-DMX-C No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 6 40-DMX-C E No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 6 40-MUX-C No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 6 40-WXC-C No No No No No No No 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM, 15454-M 6 80-WXC-C No No No No No No No No No No No 15454-D WDM, 15454-M 6 40-SMR1-C No No No No No No No No No No 15454 -DWD M 15454-D WDM, 15454-M 2, 15454-M 6 40-SMR2-C No No No No No No No No No No 15454 -DWD M 15454-D WDM, 15454-M 2, 15454-M 6 MMU No No No No No 15454- DWD M 15454- DWD M 15454- DWD M 15454- DWD M 15454 -DWD M 15454 -DWD M 15454-D WDM Table 9-2 Software Release Compatibility for ROADM Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.29-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview 9.1.3 Interface Classes The input interface cards have been grouped in classes listed in Table 9-3. The subsequent tables list the optical performance and output power of each interface class. Table 9-3 Cisco ONS 15454 Card Interfaces Assigned to Input Power Classes Input Power Class Card A 10-Gbps multirate transponder cards (TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L), 10-Gbps muxponder cards (MXP_2.5G_10G, MXP_2.5G_10E, MXP_MR_10DME_C, MXP_MR_10DME_L, MXP_2.5G_10E_C, and MXP_2.5G_10E_L) with forward error correction (FEC) enabled, and 40-Gbps muxponder card (40G-MXP-C) B 10-Gbps multirate transponder card (TXP_MR_10G) and muxponder card (MXP_2.5G_10G) without FEC C OC-192 LR ITU cards without FEC, 10-Gbps multirate transponder (TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) and muxponder (MXP_2.5G_10E, MXP_2.5G_10E_L, and MXP_MR_10DME_L) cards with FEC disabled D 2.5-Gbps multirate transponder card (TXP_MR_2.5G), both protected and unprotected, with FEC enabled E OC-48 100-GHz dense wavelength division multiplexing (DWDM) muxponder card (MXP_MR_2.5G) and 2.5-Gbps multirate transponder card (TXP_MR_2.5G), protected or unprotected; FEC disabled; and retime, reshape, and regenerate (3R) mode enabled F 2.5-Gbps multirate transponder card (TXP_MR_2.5G), protected or unprotected, in regenerate and reshape (2R) mode G OC-48 ELR 100 GHz card H 2/4 port GbE transponder (GBIC WDM 100GHz) I 10-Gbps multirate transponder cards (TXP_MR_10E, TXP_MR_10E_C, and TXP_MR_10E_L) and 10-Gbps muxponder cards (MXP_2.5G_10E, MXP_2.5G_10E_L, and MXP_MR_10DME_L) with enhanced FEC (E-FEC) enabled, and 40-Gbps muxponder card (40G-MXP-C) K OC-192/STM-64 LR ITU cards without FEC, 100GHz 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with FEC disabled L 40Gbps Duobinary CRS-1 DWDM ITU-T line card M 2.5 Gbps DWDM ITU-T SPF N 10Gbps enhanced full tunable transponder (TXP_MR_10E_C) and muxponder (MXP_2.5G_10E_C, MXP_MR_10DME_C) with E-FEC enabled O 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), 10Gbps Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with FEC enabled P 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), 10Gbps Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with E-FEC enabled9-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview Table 9-4 lists the optical performance parameters for 40-Gbps cards. T 40Gbps DPSK CRS-1 DWDM ITU-T line card V OC-192/STM-64 LR ITU cards without FEC, full tunable 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with FEC disabled, full tunable W 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with FEC enabled, full tunable X 10Gbps Ethernet Xponder (GE_XP, GE_XPE, 10GE_XP, 10GE_XPE), Sonet/SDH add/drop (ADM_10G), OTU2 Xponder (OTU2_XP), with E-FEC enabled, full tunable Y 10Gbps enhanced full tunable transponder (TXP_MR_10EX_C) and muxponder (MXP_2.5G_10EX_C, MXP_MR_10DMEX_C), with FEC enabled and maximum likelihood sequence estimator (MLSE) correction Z 10Gbps enhanced full tunable transponder (TXP_MR_10EX_C) and muxponder (MXP_2.5G_10EX_C, MXP_MR_10DMEX_C), with E-FEC enabled and MLSE correction Table 9-3 Cisco ONS 15454 Card Interfaces Assigned to Input Power Classes (continued) Input Power Class Card Table 9-4 40-Gbps Interface Optical Performance Parameter Class A Class I Type Power Limited OSNR1 Limited (if appl.) 1. OSNR = optical signal-to-noise ratio Power Limited OSNR Limited (if appl.) Maximum bit rate 10 Gbps 10 Gbps Regeneration 3R 3R FEC Yes Yes (E-FEC) Threshold Optimum Optimum Maximum BER2 2. BER = bit error rate 10–15 10–15 OSNR1 sensitivity 23 dB 9 dB 20 dB 8 dB Power sensitivity –24 dBm –18 dBm –26 dBm –18 dBm Power overload –8 dBm –8 dBm Transmitted Power Range3 3. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. OC-192 LR ITU — — Dispersion compensation tolerance +/–800 ps/nm +/–800 ps/nm9-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview Table 9-5, Table 9-6, and Table 9-7 lists the optical performance parameters for 10-Gbps cards. Table 9-5 10-Gbps Interface Optical Performance (Class A, B, C, I, and K) Parameter Class A Class B Class C Class I Class K Type Power Limited OSNR1 Limited Power Limited OSNR Limit ed Power Limited OSNR Limite d Power Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 10 Gbps 10 Gbps 10 Gbps 10 Gbps 10 Gbps Regeneratio n 3R 3R 3R 3R 3R FEC Yes No No Yes (E-FEC) No Threshold Optimum Average Average Optimum Average Maximum BER2 10–15 10–12 10–12 10–15 10–12 OSNR1 sensitivity 23 dB 8.5 dB 23 dB 19 dB 19 dB 19 dB 20 dB 6 dB 23 dB3 16 dB3 23 dB4 17 dB4 23 dB5 17 dB5 Power sensitivity –24 dBm –18 dBm –21 dBm –20 dBm –22 dBm –22 dBm –26 dBm –18 dBm –24 dBm3 –17 dBm3 –23 dBm4 –18 dBm4 –23 dBm5 –17 dBm5 Power overload –8 dBm –8 dBm –9 dBm –8 dBm –7 dBm Transmitted Power Range6 10-Gbps multirate transponder/ 10-Gbps FEC transponder +2.5 to 3.5 dBm (for TXP_MR_10G) +3.0 to 6.0 dBm (for TXP_MR_10E) +2.5 to 3.5 dBm +3.0 to 6.0 dBm +3.0 to 6.0 dBm — OC-192 LR ITU — — +3.0 to 6.0 dBm — –1.0 to +3.0 dBm 10-Gbps Ethernet Xponder, Sonet/SDH Add/Drop, OTU2 Xponder — — — — –1.0 to +3.0 dBm Dispersion compensatio n tolerance +/–800 ps/nm +/–1,000 ps/nm +/–1,000 ps/nm +/–800 ps/nm –400 to +800 ps/nm9-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview 1. OSNR = optical signal-to-noise ratio 2. BER = bit error rate 3. This value is for Xen Pak XFP used with Catalyst card. 4. This value is for XFP used with Catalyst, Xponder, and ADM-10G cards. 5. This value is for X2 XFP used with Catalyst card. 6. These values, decreased by patchcord and connector losses, are also the input power values for the optical add drop multiplexer (OADM) cards. Table 9-6 10-Gbps Interface Optical Performance (Class N, O, P, and V) Parameter Class N Class O Class P Class V Type Power Limited OSNR Limited Power Limited OSNR1 Limited 1. OSNR = optical signal-to-noise ratio Power Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 10 Gbps 10 Gbps 10 Gbps 10 Gbps Regeneration 3R 3R 3R 3R FEC Yes (E-FEC) Yes Yes (E-FEC) No Threshold Optimum Optimum Optimum Average Maximum BER2 2. BER = bit error rate 10–15 10–15 10–15 10–12 OSNR1 sensitivity 19 dB 5 dB 11 dB 11 dB 23 dB 8 dB 23 dB 16 dB Power sensitivity –27 dBm –20 dBm –18 dBm –18 dBm –27 dBm –18 dBm –24 dBm –18 dBm Power overload –8 dBm –7 dBm –7 dBm –7 dBm Transmitted Power Range3 3. These values, decreased by patchcord and connector losses, are also the input power values for the optical add drop multiplexer (OADM) cards. 10-Gbps multirate transponder/10-Gbp s FEC transponder +3.0 to 6.0 dBm — — — OC-192 LR ITU — — — 0 to +3.0 dBm 10-Gbps Ethernet Xponder, Sonet/SDH Add/Drop, OTU2 Xponder — –1.0 to +3.0 dBm –1.0 to +3.0 dBm 0 to +3.0 dBm Dispersion compensation tolerance +/–800 ps/nm –500 to +1100 ps/nm –500 to +1100 ps/nm –500 to +1600 ps/nm9-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview Table 9-8 and Table 9-9 lists the optical interface performance parameters for 2.5-Gbps cards. Table 9-7 10-Gbps Interface Optical Performance (Class W, X, Y, and Z) Parameter Class W Class X Class Y Class Z Type Power Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR1 Limited 1. OSNR = optical signal-to-noise ratio Power Limited OSNR Limited Maximum bit rate 10 Gbps 10 Gbps 10 Gbps 10 Gbps Regeneration 3R 3R 3R 3R FEC Yes Yes (E-FEC) Yes Yes (E-FEC) Threshold Optimum Optimum Optimum Optimum Maximum BER2 2. BER = bit error rate 10–15 10–15 10–15 10–15 OSNR1 sensitivity 8.5 dB 8.5 dB 19 dB 5 dB 23 dB 8 dB 19 dB 5.5 dB Power sensitivity –18 dBm –18 dBm –27 dBm –20 dBm –24 dBm –20 dBm –27 dBm –20 dBm Power overload –7 dBm –7 dBm –8 dBm –8 dBm Transmitted Power Range3 3. These values, decreased by patchcord and connector losses, are also the input power values for the optical add drop multiplexer (OADM) cards. 10-Gbps multirate transponder/10-Gbps FEC transponder — — +3.0 to 6.0 dBm +3.0 to 6.0 dBm OC-192 LR ITU — — — — 10-Gbps Ethernet Xponder, Sonet/SDH Add/Drop, OTU2 Xponder 0 to +3.0 dBm 0 to +3.0 dBm — — Dispersion compensation tolerance –500 to +1100 ps/nm –500 to +1300 ps/nm –800 to +1600 ps/nm –2200 to +3700 ps/nm Table 9-8 2.5-Gbps Interface Optical Performance (Class D, E, and F) Parameter Class D Class E Class F Type Power Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 2.5 Gbps 2.5 Gbps 2.5 Gbps Regeneration 3R 3R 2R FEC Yes No No Threshold Average Average Average Maximum BER 10–15 10–12 10–12 OSNR sensitivity 14 dB 5 dB 14 dB 10 dB 15 dB 15 dB Power sensitivity –31 dBm –25 dBm –30 dBm –23 dBm –24 dBm –24 dBm Power overload –9 dBm –9 dBm –9 dBm9-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview Transmitted Power Range1 TXP_MR_2.5G and TXPP_MR_2.5G –1.0 to 1.0 dBm –1.0 to 1.0 dBm –1.0 to 1.0 dBm MXP_MR_2.5G and MXPP_MR_2.5G — +2.0 to +4.0 dBm — OC-48 ELR 100 GHz — — — 2/4 port GbE Transponder (GBIC WDM 100GHz) ——— 2.5 Gbps DWDM ITU-T SPF ——— Dispersion compensation tolerance –1200 to +5400 ps/nm –1200 to +5400 ps/nm –1200 to +3300 ps/nm 1. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 9-9 2.5-Gbps Interface Optical Performance (Class G, H, and M) Parameter Class G Class H Class M Type Power Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR Limited Maximum bit rate 2.5 Gbps 1.25 Gbps 2.5 Gbps Regeneration 3R 3R 3R FEC No No No Threshold Average Average Average Maximum BER 10–12 10–12 10–12 OSNR sensitivity 14 dB 11 dB 13 dB 8 dB 14 dB 9 dB Power sensitivity –27 dBm –23 dBm –28 dBm –18 dBm –28 dBm –22 dBm Power overload –9 dBm –7 dBm –9 dBm Transmitted Power Range1 TXP_MR_2.5G — — — TXPP_MR_2.5G — MXP_MR_2.5G –2.0 to 0 dBm MXPP_MR_2.5G — OC-48 ELR 100 GHz — — — 2/4 port GbE Transponder (GBIC WDM 100GHz) –1200 to +3300 ps/nm 0 to +3 dBm — Table 9-8 2.5-Gbps Interface Optical Performance (Class D, E, and F) (continued) Parameter Class D Class E Class F Type Power Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR Limited9-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview 9.1.4 Channel Allocation Plans ONS 15454 DWDM ROADM cards are designed for use with specific channels in the C band and L band. In most cases, the channels for these cards are either numbered (for example, 1 to 32 or 1 to 40) or delimited (odd or even). Client interfaces must comply with these channel assignments to be compatible with the ONS 15454 system. . The following cards operate in the C-band: • 32WSS • 32DMX • 32DMX-C • 40-MUX-C • 40-WXC-C • 80-WXC-C • 40-SMR1-C • 40-SMR2-C • MMU Table 9-10 lists the C-band channel IDs and wavelengths at ITU-T 50-GHz intervals. This is a comprehensive C-band channel table that encompasses present and future card capabilities. . 2.5 Gbps DWDM ITU-T SPF — 0 to +4 dBm Dispersion compensation tolerance –1000 to +3600 ps/nm –800 to +2400 ps/nm 1. These values, decreased by patchcord and connector losses, are also the input power values for the OADM cards. Table 9-9 2.5-Gbps Interface Optical Performance (Class G, H, and M) (continued) Parameter Class G Class H Class M Type Power Limited OSNR Limited Power Limited OSNR Limited Power Limited OSNR Limited Table 9-10 DWDM C-Band1 Channel Allocation Plan with 50-GHz Spacing Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.5159-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview The following add drop cards utilize the L-band DWDM channels: 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 1. Channels on the C-band are 4-skip-1, starting at 1530.33 nm. Table 9-10 DWDM C-Band1 Channel Allocation Plan with 50-GHz Spacing (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm)9-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Card Overview • 32WSS-L • 32DMX-L Table 9-11 lists the L-band channel IDs and wavelengths at ITU-T 50-GHz intervals. This is a comprehensive L-band channel table that encompasses present and future card capabilities. Table 9-11 DWDM L-band1 Channel Allocation Plan at 50 GHz Spacing Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 190.85 1570.83 41 188.85 1587.46 2 190.8 1571.24 42 188.8 1587.88 3 190.75 1571.65 43 188.75 1588.30 4 190.7 1572.06 44 188.7 1588.73 5 190.65 1572.48 45 188.65 1589.15 6 190.6 1572.89 46 188.6 1589.57 7 190.55 1573.30 47 188.55 1589.99 8 190.5 1573.71 48 188.5 1590.41 9 190.45 1574.13 49 188.45 1590.83 10 190.4 1574.54 50 188.4 1591.26 11 190.35 1574.95 51 188.35 1591.68 12 190.3 1575.37 52 188.3 1592.10 13 190.25 1575.78 53 188.25 1592.52 14 190.2 1576.20 54 188.2 1592.95 15 190.15 1576.61 55 188.15 1593.37 16 190.1 1577.03 56 188.1 1593.79 17 190.05 1577.44 57 188.05 1594.22 18 190 1577.86 58 188 1594.64 19 189.95 1578.27 59 187.95 1595.06 20 189.9 1578.69 60 187.9 1595.49 21 189.85 1579.10 61 187.85 1595.91 22 189.8 1579.52 62 187.8 1596.34 23 189.75 1579.93 63 187.75 1596.76 24 189.7 1580.35 64 187.7 1597.19 25 189.65 1580.77 65 187.65 1597.62 26 189.6 1581.18 66 187.6 1598.04 27 189.55 1581.60 67 187.55 1598.47 28 189.5 1582.02 68 187.5 1598.89 29 189.45 1582.44 69 187.45 1599.32 30 189.4 1582.85 70 187.4 1599.75 31 189.35 1583.27 71 187.35 1600.179-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Safety Labels for Class 1M Laser Product Cards 9.2 Safety Labels for Class 1M Laser Product Cards This section explains the significance of the safety labels attached to some of the cards. The card faceplates are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. The 40-SMR1-C and 40-SMR2-C cards have Class IM lasers. The labels that appear on these cards are described in the following subsections. 9.2.1 Class 1M Laser Product Statement Figure 9-1 shows the Class 1M Laser Product statement. Figure 9-1 Class 1M Laser Product Statement Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. 32 189.3 1583.69 72 187.3 1600.60 33 189.25 1584.11 73 187.25 1601.03 34 189.2 1584.53 74 187.2 1601.46 35 189.15 1584.95 75 187.15 1601.88 36 189.1 1585.36 76 187.1 1602.31 37 189.05 1585.78 77 187.05 1602.74 38 189 1586.20 78 187 1603.17 39 188.95 1586.62 79 186.95 1603.60 40 188.9 1587.04 80 186.9 1604.03 1. Channels on the L-band are contiguous, starting at 1577.86 nm. The channels listed in this table begin with 1570.83 nm for backward compatibility with other ONS products. Table 9-11 DWDM L-band1 Channel Allocation Plan at 50 GHz Spacing (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 1459539-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Safety Labels for Class 1M Laser Product Cards 9.2.2 Hazard Level 1M Label Figure 9-2 shows the Hazard Level 1M label. The Hazard Level label warns users against exposure to laser radiation by Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. This label is displayed on the faceplate of the cards. Figure 9-2 Hazard Level Label 9.2.3 Laser Source Connector Label Figure 9-3 shows the Laser Source Connector label. This label indicates that a laser source is present at the optical connector where the label is located. Figure 9-3 Laser Source Connector Label 9.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 9-4 and Figure 9-5. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 9-4 FDA Statement Label HAZARD LEVEL 1M 145990 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 20019-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card Figure 9-5 FDA Statement Label 9.2.5 Shock Hazard Label Figure 9-6 shows the Shock Hazard label. This label alerts you to electrical hazards within a card. A shock hazard exists when you remove adjacent cards during maintenance, or when you touch exposed electrical circuitry on the card itself. Figure 9-6 Shock Hazard Label 9.3 32WSS Card (Cisco ONS 15454 only) Note See the “A.8.3 32WSS Card Specifications” section on page A-26 for hardware specifications. The two-slot 32-Channel Wavelength Selective Switch (32WSS) card performs channel add/drop processing within the ONS 15454 DWDM node. The 32WSS card can be installed in the following pairs of slots: • Slots 1 and 2 • Slots 3 and 4 • Slots 5 and 6 • Slots 12 and 13 • Slots 14 and 15 • Slots 16 and 17 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 2007 655419-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card 9.3.1 32WSS Faceplate Ports The 32WSS has six types of ports: • ADD RX ports (1 to 32): These ports are used for adding channels (listed in Table 9-13 on page 9-22). Each add channel is associated with an individual switch element that selects whether that channel is added. Each add port has optical power regulation provided by a variable optical attenuator (VOA). The 32WSS has four physical receive connectors that accept multifiber push-on (MPO) cables on its front panel for the client input interfaces.Each MPO cable breaks out into eight separate cables. • EXP RX port: The EXP RX port receives an optical signal from another 32WSS card in the same network element (NE). • EXP TX port: The EXP TX port sends an optical signal to the other 32WSS card within the NE. • COM TX port: The COM TX (line input) port sends an aggregate optical signal to a booster amplifier card (for example, OPT-BST) for transmission outside of the NE. • COM RX port: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • DROP TX port: The DROP TX port sends the split-off optical signal containing drop channels to the 32DMX card, where the channels are further processed and dropped. Figure 9-7 shows the 32WSS card front panel and identifies the traffic flow through the ports. 9-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card Figure 9-7 32WSS Faceplate and Ports 9.3.2 32WSS Block Diagram Figure 9-8 provides a high-level functional block diagram of the 32WSS card and Figure 9-9 on page 9-20 shows how optical signals are processed on the EXP RX and COM RX ports. 115291 FAIL ACT SF 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 DROP RX TX TX EXP RX TX COM RX TX ADD RX 32WSS 32 Add Ports Add 1-8 Add 9-16 Add 17-24 Add 25-32 DROP TX EXP RX EXP TX COM RX COM TX9-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card Figure 9-8 32WSS Block Diagram Aggregate optical signals that enter the EXP RX and COM RX port are processed in two ways: Add channel/pass-through and optical splitter processing. The optical processing stages are shown in Figure 9-9, which provides a detailed optical functional diagram of the 32WSS card. EXP RX port (In from other 32WSS within the network element) EXP TX port (To the other 32WSS within the network element) DROP TX port dropped channels (To COM RX port of 32DMX) COM RX port (In from preamplifier, OPT-PRE, or OSC-CSM) COM TX port (To OPT-BST or OSC-CSM) 115293 32 add ports Add 1 Add 2 Add 32 Optical splitter Add channel or pass-through Wavelength selective switch9-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card Figure 9-9 32WSS Optical Block Diagram The EXP RX PORT and COM RX PORT operate as follows: • EXP RX Port Add Channel/Pass-through Processing The incoming optical signal is received at the EXP RX port from the other 32WSS card within the NE. The incoming aggregate optical signal is demultiplexed into 32 individual wavelengths, or channels. Each channel is then individually processed by the optical switch, which performs add/pass-through processing. By using software controls, the switch either selects the optical channel coming in from the demultiplexer (that is, the pass-through channel) or it selects the external ADD channel. If the ADD port channel is selected this channel is transmitted and the optical signal coming from the demultiplexer is blocked. After the optical switch stage, all of the channels are multiplexed into an aggregate optical signal, which is sent out on the COM TX port. The output is typically connected to an OPT-BST or OPT-BST-E card (in the event a booster amplifier is needed) or to an OSC-CSM card (if no amplification is needed). • COM RX Port Optical Splitter Processing The COM RX port receives the incoming optical signal and directs it to the 32WSS card’s optical splitter. The splitter optically diverts channels that are designated to be dropped to the DROP TX port. The DROP TX port is typically connected to the COM RX port of the 32DMX where the drop channels are being dropped. Channels that are not dropped pass-through the optical splitter and flow out of the 32WSS card EXP TX port. Typically, this optical signal is connected to the other 32WSS module within the NE. 1 2 32 Add 32 32 1 pass-through EXP RX port (In from 32WSS) EXP TX port (To 32WSS) DROP TX port (To 32DMX) 2 pass-through 32 pass-through Optical splitter Dropped channels 2 Photodiode VOA COM RX port (In from OPT-PRE preamplifier or OSC-CSM) COM TX port (To OPT-BST or OSC-CSM) Add 2 2 Add 1 1 115292 Optical DMUX (AWG) Optical MUX (AWG) Optical switch (Add channel or pass-through) P1 P33 P2 P34 P32 P64 P65 P66 P67 P68 P699-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card • COM TX Port Monitoring The COM TX value can be measured by either a physical or a virtual photodiode of the 15454-32WSS card. If the vendor ID of the 15454-32WSS card is between 1024 (0x400) and 2047 (0x800) the COM TX value is measured by physical photodiode. If the vendor ID of the 15454-32WSS card is greater than 2048 (0x800), the COM TX value is measured by the virtual photodiode. For COM TX values measured by virtual photodiode, check the values at the RX port in the downstream of the COM TX port (COM-RX port on OPT-BST or OSC-CSM card). 9.3.3 32WSS ROADM Functionality The 32WSS card works in combination with the 32DMX card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured to add or drop individual optical channels using CTC, Cisco TransportPlanner, and Cisco Transport Manager (CTM). ROADM functionality using the 32WSS card requires two 32DMX single-slot cards and two 32WSS double-slot cards (totalling six slots needed in the ONS 15454 chassis). For other cards’ ROADM functionality, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. Note A terminal site can be configured using only a 32WSS card and a 32DMX card plugged into the east or west side of the shelf. 9.3.4 32WSS Power Monitoring Physical photodiodes P1 through P69 monitor the power for the 32WSS card. Table 9-12 shows how the returned power level values are calibrated to each port. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. Table 9-12 32WSS Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 ADD (Power ADD) ADD RX P33–P641 1. P33–P64 monitor either ADD or PASSTHROUGH power, depending on the state of the optical switch PASS THROUGH COM TX ADD (Power) COM TX P65 OUT EXP EXP TX P66 IN EXP EXP RX P67 OUT COM COM TX P68 IN COM COM RX P69 DROP DROP TX9-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS Card 9.3.5 32WSS Channel Allocation Plan The 32WSS Card’s channel labels, frequencies, and wavelengths are listed in Table 9-13. Table 9-13 32WSS Channel Allocation Plan Band ID Channel Label Frequency (THz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.1 195.1 1536.61 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.87 39.7 194.7 1539.77 40.5 194.6 1540.46 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.619-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card 9.3.6 32WSS Card-Level Indicators Table 9-14 describes the three card-level LED indicators on the 32WSS card. 9.3.7 32WSS Port-Level Indicators You can find the alarm status of the 32WSS card’s ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.4 32WSS-L Card (Cisco ONS 15454 only) Note See the “A.8.4 32WSS-L Card Specifications” section on page A-28 for hardware specifications. The two-slot 32-Channel Wavelength Selective Switch L-Band (32WSS-L) card performs channel add/drop processing within the ONS 15454 DWDM node. The 32WSS-L card is particularly well suited for use in networks that employ DS fiber or SMF-28 single-mode fiber.The 32WSS-L card can be installed in the following pairs of slots: • Slots 1 and 2 • Slots 3 and 4 • Slots 5 and 6 • Slots 12 and 13 • Slots 14 and 15 • Slots16 and 17 Table 9-14 32WSS Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that there is an internal hardware failure. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32WSS card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also illuminates when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card 9.4.1 32WSS-L Faceplate Ports The 32WSS-L card faceplate has six types of ports: • ADD RX ports (1 to 32): These ports are used for adding channels (which are listed in Table 9-16 on page 9-29). Each add channel is associated with an individual switch element that selects whether the channel is added. Each add port has optical power regulation provided by a VOA. • EXP RX port: The EXP RX port receives an optical signal from another 32WSS-L card in the same NE. • EXP TX port: The EXP TX port sends an optical signal to the other 32WSS-L card within the NE. • COM TX port: The COM TX port sends an aggregate optical signal to a booster amplifier card (for example, the OPT-BST card) for transmission outside of the NE. • COM RX port: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • DROP TX port: The DROP TX port sends the split-off optical signal with drop channels to the 32DMX-L card, where the channels are further processed and dropped. Figure 9-10 shows the 32WSS-L module front panel and identifies the traffic flow through the ports. 9-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card Figure 9-10 32WSS-L Faceplate and Ports 9.4.2 32WSS-L Block Diagram Figure 9-11 provides a high-level functional block diagram of the 32WSS-L card and Figure 9-12 on page 9-27 shows how optical signals are processed on the EXP RX and COM RX ports. 134973 FAIL ACT SF 98.0-04.0 91.2-97.1 84.5-90.4 77.8-83.6 DROP RX TX TX EXP RX TX COM RX TX ADD RX 32WSS-L 32 Add Ports Add 1-8 Add 9-16 Add 17-24 Add 25-32 DROP TX EXP RX EXP TX COM RX COM TX9-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card Figure 9-11 32WSS-L Block Diagram Aggregate optical signals that enter the EXP RX and COM RX ports are processed in two ways: add channel/pass-through and optical splitter processing. The optical processing stages are shown in Figure 9-12, which provides a detailed optical functional diagram of the 32WSS-L card. EXP RX port (In from other 32WSS-L within the network element) EXP TX port (To the other 32WSS-L within the network element) DROP TX port dropped channels (To COM RX port of 32DMX) COM RX port (In from OPT-AMP-L preamplifier or OSC-CSM) COM TX port (To o OPT-AMP-L booster or OSC-CSM) 134971 32 add ports Add 1 Add 2 Add 32 Optical splitter Add channel or pass-through Wavelength selective switch9-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card Figure 9-12 32WSS-L Optical Block Diagram The EXP RX PORT and COM RX PORT operate as follows: • EXP RX Port Add Channel/Pass-through Processing The incoming optical signal is received at the EXP RX port from the other 32WSS-L card within the NE. The incoming aggregate optical signal is demultiplexed into 32 individual wavelengths, or channels. Each channel is then individually processed by the optical switch, which performs add/pass-through processing. By using software controls, the switch either selects the optical channel coming in from the demultiplexer (that is, the pass-through channel) or it selects the external ADD channel. If the ADD port channel is selected this channel is transmitted and the optical signal coming from the demultiplexer is blocked. After the optical switch stage, all of the channels are multiplexed into an aggregate optical signal, which is sent out on the COM TX port. The output is typically connected to an OPT-AMP-L or OPT-BST-E card (in the event a booster amplifier is needed) or to an OSC-CSM card (if no amplification is needed). • COM RX Port Optical Splitter Processing The COM RX port receives the incoming optical signal and directs it to the 32WSS-L card’s optical splitter. The splitter optically diverts channels that are designated to be dropped to the DROP TX port. The DROP TX port is typically connected to the COM RX port of the 32DMX-L where the drop channels are being dropped. Channels that are not dropped pass-through the optical splitter and flow out of the 32WSS-L card EXP TX port. Typically, this optical signal is connected to the other 32WS-L module within the NE. 1 2 32 Add 32 32 1 pass-through EXP RX port (In from 32WSS-L) EXP TX port (To 32WSS-L) DROP TX port (To 32DMX-L) 2 pass-through 32 pass-through Optical splitter Dropped channels 2 Photodiode VOA Add 2 2 Add 1 1 134972 Optical DMUX (AWG) Optical MUX (AWG) Optical switch (Add channel or pass-through) P1 P33 P2 P34 P32 P64 P65 P66 P67 P68 P69 COM RX port (In from OPT-AMP-L preamplifier or OSC-CSM) COM TX port (To OPT-AMP-L booster or OSC-CSM)9-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card 9.4.3 32WSS-L ROADM Functionality The 32WSS-L works in combination with the 32DMX-L to implement L-band (1570 to 1620 nm) functionality. As a ROADM node, the ONS 15454 can be configured to add or drop individual optical channels using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 32WSS-L card requires two 32DMX-L single-slot cards and two 32WSS-L double-slot cards (totalling six slots needed in the ONS 15454 chassis). For other cards’ ROADM functionality, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. Note A terminal site can be configured using a 32WSS-L card and a 32DMX-L card plugged into the east or west side of the shelf. 9.4.4 32WSS-L Power Monitoring Physical photodiodes P1 through P69 monitor the power for the 32WSS-L card. Table 9-15 shows the returned power level values calibrated to each port. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.4.5 32WSS-L Channel Plan The 32WSS-L card uses 32 banded channels on the ITU-T 100-GHz grid, as shown in Table 9-16. Table 9-15 32WSS-L Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 ADD (Power ADD) ADD RX P33–P641 1. P33–P64 monitor either ADD or PASSTHROUGH power, depending on the state of the optical switch PASS THROUGH COM TX ADD (Power) COM TX P65 OUT EXP EXP TX P66 IN EXP EXP RX P67 OUT COM COM TX P68 IN COM COM RX P69 DROP DROP TX9-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32WSS-L Card Table 9-16 32WSS-L Channel Plan Band ID Channel Label Frequency (THz) Wavelength (nm) B77.8 77.8 190 1577.86 78.6 189.9 1578.69 79.5 189.8 1579.52 80.3 189.7 1580.35 B81.1 81.1 189.6 1581.18 82.0 189.5 1582.02 82.8 189.4 1582.85 83.6 189.3 1583.69 B84.5 84.5 189.2 1584.53 85.3 189.1 1585.36 86.2 189 1586.20 87.0 188.9 1587.04 B87.8 87.8 188.8 1587.88 88.7 188.7 1588.73 89.5 188.6 1589.57 90.4 188.5 1590.41 B91.2 91.2 188.4 591.26 92.1 188.3 1592.10 92.9 188.2 1592.95 93.7 188.1 1593.79 B94.6 94.6 188 1594.64 95.4 187.9 1595.49 96.3 187.8 1596.34 97.1 187.7 1597.19 B98.0 98.0 187.6 1598.04 98.8 187.5 1598.89 99.7 187.4 1599.75 00.6 187.3 1600.60 B01.4 01.4 187.2 1601.46 02.3 187.1 1602.31 03.1 187 1603.17 04.0 186.9 1604.039-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX Card 9.4.6 32WSS-L Card-Level Indicators Table 9-17 describes the three card-level LED indicators on the 32WSS-L card. 9.5 32DMX Card (Cisco ONS 15454 only) Note See the “A.8.1 32DMX Card Specifications” section on page A-22 for hardware specifications. The single-slot 32-Channel Demultiplexer (32DMX) card is an optical demultiplexer. The card receives an aggregate optical signal on its COM RX port and demultiplexes it into to (32) ITU-T 100-GHz-spaced channels. The 32DMX card can be installed in Slots 1 to 6 and in Slots 12 to 17. 9.5.1 32DMX Faceplate Ports The 32DMX card has two types of ports: • COM RX port: COM RX is the input port for the aggregate optical signal being demultiplexed. This port is supported by a VOA for optical power regulation and a photodiode for optical power monitoring. • DROP TX ports (1 to 32): On its output, the 32DMX provides 32 drop ports (listed in Table 9-19 on page 9-33) that are typically used for dropping channels within the ROADM node. These ports are connected using four 8-fiber MPO ribbon connectors. The incoming optical signal to the demultiplexer comes into the COM RX port. This input port is connected using a single LC duplex optical connector.Each drop port has a photodiode for optical power monitoring. Unlike the two-slot 32DMX-O demultiplexer, the drop ports on the 32DMX do not have a VOA per channel for optical power regulation. For a description of the 32DMX-O card, see the “5.4 32DMX-O Card” section on page 5-17. Figure 9-13 shows the 32DMX card front panel and the basic traffic flow through the ports. Table 9-17 32WSS-L Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32WSS-L card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX Card Figure 9-13 32DMX Faceplate and Ports 9.5.2 32DMX Block Diagram A block diagram of the 32DMX card is shown in Figure 9-14. 145936 32DMX FAIL ACT SF 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 COM RX TX MON 32 Drop Port Outputs 32 Drop Ports Logical View Drop 1-8 Drop 9-16 Drop 17-24 Drop 25-32 COM RX (Receives Drop-TX from 32WSS on COM RX) COM-RX Drop-1 Drop-2 Drop-329-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX Card Figure 9-14 32DMX Block Diagram Figure 9-15 shows the 32DMX optical module functional block diagram. Figure 9-15 32DMX Optical Module Functional Block Diagram 9.5.3 32DMX ROADM Functionality The 32DMX card works in combination with the 32WSS card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured to add or drop individual optical channels using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 32DMX card requires two 32DMX single-slot cards and two 32WSS double-slot cards (for six slots total in the ONS 15454 chassis). Optical module 30.3 to 36.6 8 CHS TX 38.1 to 44.5 8 CHS TX 46.1 to 52.5 8 CHS TX 54.1 to 60.6 8 CHS TX 96480 Processor MON COM RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 1 32 Physical photodiode Variable optical attenuator COM RX 20 dB max attenuation DROP TX P4 P3 P2 P1 P32 P31 P30 P29 P33 P34 P 1249679-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX Card For information about the ROADM functionality for other cards, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. Note A terminal site can be configured using only a 32WSS card and a 32DMX card plugged into the east or west side of the shelf. 9.5.4 32DMX Power Monitoring Physical photodiodes P1 through P33 monitor the power for the 32DMX card. The returned power level values are calibrated to the ports as shown in Table 9-18. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.5.5 32DMX Channel Allocation Plan The 32DMX card’s channel labels, frequencies, and wavelengths are listed in Table 9-19. Table 9-18 32DMX Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 DROP DROP TX P33 INPUT COM COM RX Table 9-19 32DMX Channel Allocation Plan Band ID Channel Label Frequency (THz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.1 195.1 1536.61 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.87 39.7 194.7 1539.77 40.5 194.6 1540.469-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX Card 9.5.6 32DMX Card-Level Indicators Table 9-20 describes the three card-level LED indicators on the 32DMX card. B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 Table 9-19 32DMX Channel Allocation Plan (continued) Band ID Channel Label Frequency (THz) Wavelength (nm) Table 9-20 32DMX Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32DMX card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX-L Card 9.5.7 32DMX Port-Level Indicators You can find the alarm status of the 32DMX card’s ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.6 32DMX-L Card (Cisco ONS 15454 only) Note See the “A.8.2 32DMX-L Card Specifications” section on page A-24 for hardware specifications. The single-slot 32-Channel Demultiplexer L-Band card (32DMX-L) is an L-band optical demultiplexer. The card receives an aggregate optical signal on its COM RX port and demultiplexes it into to (32) 100-GHz-spaced channels. The 32DMX-L card is particularly well suited for use in networks that employ DS fiber or SMF-28 single-mode fiber. The 32DMX-L card can be installed in Slots 1 to 6 and in Slots 12 to 17. 9.6.1 32DMX-L Faceplate Ports The 32DMX-L card has two types of ports: • COM RX port: COM RX is the input port for the aggregate optical signal being demultiplexed. This port is supported by both a VOA for optical power regulation and a photodiode for optical power monitoring. • DROP TX ports (1 to 32): On its output, the 32DMX-L card provides 32 drop ports (listed in Table 9-25 on page 9-43) that are typically used for dropping channels within the ROADM node. These ports are connected using four 8-fiber MPO ribbon connectors. Each drop port has a photodiode for optical power monitoring. Unlike the two-slot 32DMX-O demultiplexer, the drop ports on the 32DMX-L do not have a VOA per channel for optical power regulation. For a description of the 32DMX-O card, see the “5.4 32DMX-O Card” section on page 5-17. Figure 9-16 shows the 32DMX-L card front panel and the basic traffic flow through the ports.9-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX-L Card Figure 9-16 32DMX-L Faceplate and Ports 9.6.2 32DMX-L Block Diagram Figure 9-17 shows a block diagram of the 32DMX-L card. 145940 32DMX FAIL ACT SF 98.0-04.0 91.2-97.1 84.5-90.4 77.8-83.6 COM RX TX 32 Drop Port Outputs 32 Drop Ports Logical View Drop 1-8 Drop 9-16 Drop 17-24 Drop 25-32 COM RX (Receives Drop-TX from 32WSS-L on COM RX) COM-RX Drop-1 Drop-2 Drop-32 MON9-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX-L Card Figure 9-17 32DMX-L Block Diagram Figure 9-18 shows the 32DMX-L optical module functional block diagram. Figure 9-18 32DMX-L Optical Module Functional Block Diagram 9.6.3 32DMX-L ROADM Functionality The 32DMX-L card works in combination with the 32WSS-L card to implement ROADM functionality. AS a ROADM node, the ONS 15454 can be configured to add or drop individual optical channels using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 32DMX-L card requires two 32DMX-L single-slot cards and two 32WSS-L double-slot cards (for a total of six slots in the ONS 15454 chassis). Optical module 77.8 to 83.6 8 CHS TX 84.5 to 90.4 8 CHS TX 91.2 to 97.1 8 CHS TX 98.0 to 04.0 8 CHS TX 134969 Processor MON COM RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 1 32 Physical photodiode Variable optical attenuator COM RX 20 dB max attenuation DROP TX P4 P3 P2 P1 P32 P31 P30 P29 P33 P34 P 1249679-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX-L Card For information about ROADM functionality for other cards, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. Note A terminal site can be configured using only a 32WSS-L card and a 32DMX-L card plugged into the east or west side of the shelf. 9.6.4 32DMX-L Power Monitoring Physical photodiodes P1 through P33 monitor the power for the 32DMX-L card. The returned power level values are calibrated to the ports as shown in Table 9-21. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.6.5 32DMX-L Channel Plan The 32DMX-L card uses 32 banded channels on the ITU-T 100-GHz grid, as shown in Table 9-22. Table 9-21 32DMX-L Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P32 DROP DROP TX P33 INPUT COM COM RX Table 9-22 32DMX-L Channel Plan Band ID Channel Label Frequency (THz) Wavelength (nm) B77.8 77.8 190 1577.86 78.6 189.9 1578.69 79.5 189.8 1579.52 80.3 189.7 1580.35 B81.1 81.1 189.6 1581.18 82.0 189.5 1582.02 82.8 189.4 1582.85 83.6 189.3 1583.69 B84.5 84.5 189.2 1584.53 85.3 189.1 1585.36 86.2 189 1586.20 87.0 188.9 1587.049-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 32DMX-L Card 9.6.6 32DMX-L Card-Level Indicators Table 9-23 describes the three card-level LED indicators on the 32DMX-L card. B87.8 87.8 188.8 1587.88 88.7 188.7 1588.73 89.5 188.6 1589.57 90.4 188.5 1590.41 B91.2 91.2 188.4 1591.26 92.1 188.3 1592.10 92.9 188.2 1592.95 93.7 188.1 1593.79 B94.6 94.6 188 1594.64 95.4 187.9 1595.49 96.3 187.8 1596.34 97.1 187.7 1597.19 B98.0 98.0 187.6 1598.04 98.8 187.5 1598.89 99.7 187.4 1599.75 00.6 187.3 1600.60 B01.4 01.4 187.2 1601.46 02.3 187.1 1602.31 03.1 187 1603.17 04.0 186.9 1604.03 Table 9-22 32DMX-L Channel Plan (continued) Band ID Channel Label Frequency (THz) Wavelength (nm) Table 9-23 32DMX-L Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 32DMX-L card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-C Card 9.6.7 32DMX-L Port-Level Indicators You can find the alarm status of the 32DMX-L card’s ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.7 40-DMX-C Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.6 40-DMX-C Card Specifications” section on page A-30 for hardware specifications. The single-slot 40-Channel Demultiplexer C-band (40-DMX-C) card demultiplexes 40 100-GHz-spaced channels identified in the channel plan (Table 9-25 on page 9-43), and sends them to dedicated output ports. The overall optical power can be adjusted using a single VOA that is common to all channels. The 40-DMX-C card is unidirectional, optically passive, and can be installed in Slots 1 to 6 and 12 to 17. 9.7.1 40-DMX-C Faceplate Ports The 40-DMX-C has two types of ports: • COM RX port: COM RX is the line input port for the aggregate optical signal being demultiplexed. This port is supported by a VOA for optical power regulation and a photodiode for per channel optical power monitoring. Note By default, the VOA is set to its maximum attenuation for safety purposes (for example, electrical power failure). A manual VOA setting is also available. • DROP TX ports (1 to 40): On its output, the 40-DMX-C card provides 40 drop ports that are typically used for dropping channels within the ROADM node. These ports are connected using five physical connectors on the front panel that accept MPO client input cables. (MPO cables break out into eight separate cables.) The 40-DMX-C card also has one LC-PC-II optical connector for the main input. Figure 9-19 shows the 40-DMX-C card faceplate.9-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-C Card Figure 9-19 40-DMX-C Faceplate 9.7.2 40-DMX-C Block Diagram Figure 9-20 shows a block diagram of the 40-DMX-C card. 159554 40-DMX-C 36.6 - 42.1 30.3 - 35.8 42.9 - 48.5 49.3 - 54.9 55.7 - 61.4 TX COM RX FAIL ACT SF 40 Drop Ports Drop 1-8 Drop 9-16 Drop 17-24 Drop 25-32 Drop 33-40 40 Drop Port Outputs Logical View COM-RX Drop-1 Drop-2 Drop-40 COM RX (Receives Drop-TX from 40-WSS-C on COM RX)9-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-C Card Figure 9-20 40-DMX-C Block Diagram Figure 9-21 shows the 40-DMX-C optical module functional block diagram. Figure 9-21 40-DMX-C Optical Module Functional Block Diagram 9.7.3 40-DMX-C ROADM Functionality The 40-DMX-C card works in combination with the 40-WSS-C card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured at the optical channel level using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 40-DMX-C card requires two single-slot 40-DMX-C cards and two 40-WSS-C double-slot cards (for a total of six slots in the ONS 15454 chassis). Optical module 151971 Processor COM RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 36.6 to 42.1 8 CHS RX 30.3 to 35.8 8 CHS RX 42.9 to 48.5 8 CHS RX 49.3 to 54.9 8 CHS RX 55.7 to 61.4 8 CHS RX 1 40 Control Control interface Physical photodiode Variable optical attenuator COM RX DROP TX P40 P39 P38 P37 P4 P3 P2 P1 P P41 1519729-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-C Card For other cards’ ROADM functionality, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. 9.7.4 40-DMX-C Power Monitoring Physical photodiodes P1 through P40 monitor the power at the outputs of the 40-DMX-C card. P41 monitors the total multiplexed power at the input, calibrated to the COM-RX port. Table 9-24 shows the returned power level values calibrated to each port. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.7.5 40-DMX-C Channel Plan Table 9-25 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are demultiplexed by the 40-DMX-C card. Table 9-24 40-DMX-C Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P40 DROP DROP TX P41 INPUT COM COM RX Table 9-25 40-DMX-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.40 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.359-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-C Card 9.7.6 40-DMX-C Card-Level Indicators The 40-DMX-C card has three card-level LED indicators, described in Table 9-26. B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.32 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.32 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.33 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 Table 9-25 40-DMX-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm)9-45 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-CE Card 9.7.7 40-DMX-C Port-Level Indicators You can find the alarm status of the 40-DMX-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.8 40-DMX-CE Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.7 40-DMX-CE Card Specifications” section on page A-31 for hardware specifications. The single-slot 40-Channel Demultiplexer C-band, even channels (40-DMX-CE) card demultiplexes 40 100-GHz-spaced even-numbered channels identified in the channel plan (Table 9-28 on page 9-48), and sends them to dedicated output ports. The overall optical power can be adjusted using a single VOA that is common to all channels. The 40-DMX-CE card is unidirectional, optically passive, and can be installed in Slots 1 to 6 and 12 to 17. 9.8.1 40-DMX-CE Card Faceplate Ports The 40-DMX-CE card has two types of ports: • COM RX port: COM RX is the line input port for the aggregate optical signal being demultiplexed. This port is supported by a VOA for optical power regulation and a photodiode for per channel optical power monitoring. Note By default, the VOA is set to its maximum attenuation for safety purposes (for example, electrical power failure). A manual VOA setting is also available. Table 9-26 40-DMX-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 40-DMX-C card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-46 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-CE Card • DROP TX ports (1 to 40): On its output, the 40-DMX-CE card provides 40 drop ports that are typically used for dropping channels within the ROADM node. These ports are connected using five physical connectors on the front panel that accept MPO client input cables. (MPO cables break out into eight separate cables.) The 40-DMX-CE card also has one LC-PC-II optical connector for the main input. Figure 9-22 shows the 40-DMX-CE card faceplate. Figure 9-22 40-DMX-CE Card Faceplate 9.8.2 40-DMX-CE Card Block Diagram Figure 9-23 shows a block diagram of the 40-DMX-CE card. 240642 40-DMX-C 37.0 - 42.5 30.7 - 36.2 43.3 - 48.9 49.7 - 55.3 56.2 - 61.8 TX COM RX FAIL ACT SF 40 Drop Ports Drop 1-8 Drop 9-16 Drop 17-24 Drop 25-32 Drop 33-40 40 Drop Port Outputs Logical View COM-RX Drop-1 Drop-2 Drop-40 COM RX (Receives Drop-TX from 40-WSS-CE on COM RX)9-47 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-CE Card Figure 9-23 40-DMX-CE Card Block Diagram Figure 9-24 shows the 40-DMX-CE card optical module functional block diagram. Figure 9-24 40-DMX-CE Card Optical Module Functional Block Diagram 9.8.3 40-DMX-CE Card ROADM Functionality The 40-DMX-CE card works in combination with the 40-WSS-CE card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured at the optical channel level using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 40-DMX-CE card requires two single-slot 40-DMX-CE cards and two 40-WSS-CE double-slot cards (for a total of six slots in the ONS 15454 chassis). Optical module 240641 Processor COM RX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 37.0 to 42.5 8 CHS RX 30.7 to 36.2 8 CHS RX 43.3 to 48.9 8 CHS RX 49.7 to 55.3 8 CHS RX 56.1 to 61.8 8 CHS RX 1 40 Control Control interface Physical photodiode Variable optical attenuator COM RX DROP TX P40 P39 P38 P37 P4 P3 P2 P1 P P41 1519729-48 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-CE Card For the ROADM functionality of other cards, see the description of that card in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. 9.8.4 40-DMX-CE Card Power Monitoring Physical photodiodes P1 through P40 monitor the power at the outputs of the 40-DMX-CE card. P41 monitors the total multiplexed power at the input, calibrated to the COM-RX port. Table 9-27 shows the returned power level values calibrated to each port. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.8.5 40-DMX-CE Card Channel Plan Table 9-28 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are demultiplexed by the 40-DMX-CE card. Table 9-27 40-DMX-CE Card Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P40 DROP DROP TX P41 INPUT COM COM RX Table 9-28 40-DMX-CE Card Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.7 30.7 195.85 1530.72 31.5 195.75 1531.51 32.3 195.65 1532.29 33.1 195.55 1533.07 33.9 195.45 1533.86 B34.6 34.6 195.35 1534.64 35.4 195.25 1535.43 36.2 195.15 1536.22 37.0 195.05 1537.00 37.8 194.95 1537.79 B38.6 38.6 194.85 1538.58 39.4 194.75 1539.37 40.1 194.65 1540.16 40.9 194.55 1540.95 41.8 194.45 1541.759-49 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-DMX-CE Card 9.8.6 40-DMX-CE Card-Level Indicators The 40-DMX-CE card has three card-level LED indicators, described in Table 9-29. B42.5 42.5 194.35 1542.54 43.3 194.25 1543.33 44.1 194.15 1544.13 44.9 194.05 1544.92 45.7 193.95 1545.72 B46.5 46.5 193.85 1546.52 47.3 193.75 1547.32 48.1 193.65 1548.11 48.9 193.55 1548.91 49.7 193.45 1549.72 B50.5 50.5 193.35 1550.52 51.3 193.25 1551.32 52.1 193.15 1552.12 52.9 193.05 1552.93 53.7 192.95 1553.73 B54.4 54.4 192.85 1554.54 55.3 192.75 1555.34 56.1 192.65 1556.15 56.9 192.55 1556.96 57.8 192.45 1557.77 B58.6 58.6 192.35 1558.58 59.4 192.25 1559.39 60.2 192.15 1560.20 61.0 192.05 1561.01 61.8 191.95 1561.83 Table 9-28 40-DMX-CE Card Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm) Table 9-29 40-DMX-CE Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists.9-50 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-MUX-C Card 9.8.7 40-DMX-CE Card Port-Level Indicators You can find the alarm status of the 40-DMX-CE card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to the “Manage Alarms” chapter in the Cisco ONS 15454 DWDM Procedure Guide. 9.9 40-MUX-C Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.5 40-MUX-C Card Specifications” section on page A-30 for hardware specifications. The single-slot 40-Channel Multiplexer C-band (40-MUX-C) card multiplexes forty ITU-T 100-GHz-spaced channels identified in the channel plan in Table 9-25 on page 9-43. The 40-MUX-C card can be installed in Slots 1 to 6 and 12 to 17. The 40-MUX-C card is typically used in hub nodes. 9.9.1 40-MUX-C Card Faceplate Ports The 40-MUX-C card has two types of ports: • COM TX port: COM TX is the line output port for the aggregate optical signal being multiplexed. This port is supported by both a VOA for optical power regulation and a photodiode for per channel optical power monitoring. Note By default, the VOA is set to its maximum attenuation for safety purposes (for example, electrical power failure). A manual VOA setting is also available. • DROP RX ports (1 to 40): The 40-MUX-C card provides 40 input optical channels. These ports are connected using five physical receive connectors on the card’s front panel that accept MPO cables for the client input interfaces. MPO cables break out into eight separate cables. The 40-DMX-C card also has one LC-PC-II optical connector for the main output. For the wavelength range, see Table 9-25 on page 9-43. Figure 9-25 shows the 40-MUX-C card faceplate. Green ACT LED The green ACT LED indicates that the 40-DMX-CE card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off. Table 9-29 40-DMX-CE Card-Level Indicators (continued) Card-Level Indicators Description9-51 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-MUX-C Card Figure 9-25 40-MUX-C Card Faceplate 9.9.2 40-MUX-C Card Block Diagram Figure 9-26 shows a block diagram of the 40-MUX-C card. 40-MUX-C 36.6 - 42.1 30.3 - 35.8 42.9 - 48.5 49.3 - 54.9 55.7 - 61.4 RX COM TX FAIL ACT SF 159555 Client ports 1-8 Client ports 9-16 Client ports 17-24 Client ports 25-32 Client ports 33-40 Logical View COM TX Client-1 Client-2 Client-40 40 Client Channel Inputs 40 Client Ports COM TX Sends combined signal to OPT- BST9-52 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-MUX-C Card Figure 9-26 40-MUX-C Card Block Diagram Figure 9-27 shows the 40-MUX-C optical module functional block diagram. Figure 9-27 40-MUX-C Optical Module Functional Block Diagram 9.9.3 40-MUX-C Card Power Monitoring Physical photodiodes P1 through P40 monitor the power of the individual input ports to the 40-MUX-C card. P41 monitors the total multiplexed output power, calibrated to the COM-TX port. Table 9-30 shows the returned power level values calibrated to each port. Optical module 36.6 to 42.1 8 CHS RX 30.3 to 35.8 8 CHS RX 42.9 to 48.5 8 CHS RX 49.3 to 54.9 8 CHS RX 55.7 to 61.4 8 CHS RX Processor COM TX FPGA For SCL Bus management SCL Bus TCCi M SCL Bus TCCi P DC/DC Power supply Input filters BAT A&B 151974 1 40 Control Control interface Physical photodiode Variable optical attenuator Inputs COM TX P40 P39 P38 P37 P4 P3 P2 P1 P 1519759-53 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-MUX-C Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.9.4 40-MUX-C Card Channel Plan Table 9-31 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are multiplexed by the 40-MUX-C card. Table 9-30 40-MUX-C Port Calibration Photodiode CTC Type Name Calibrated to Port P1–P40 ADD ADD RX P41 OUTPUT COM COM-TX Table 9-31 40-MUX-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.40 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.35 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.329-54 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-MUX-C Card 9.9.5 40-MUX-C Card-Level Indicators The 40-MUX-C card has three card-level LED indicators, described in Table 9-32. B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.32 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.33 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 Table 9-31 40-MUX-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm) Table 9-32 40-MUX-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 40-MUX-C card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-55 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card 9.9.6 40-MUX-C Port-Level Indicators You can find the alarm status of the 40-MUX-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.10 40-WSS-C Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.8 40-WSS-C Card Specifications” section on page A-32 for hardware specifications. The double-slot 40-channel Wavelength Selective Switch C-Band (40-WSS-C) card switches 40 ITU-T 100-GHz-spaced channels identified in the channel plan (Table 9-25 on page 9-43) and sends them to dedicated output ports. The 40-WSS-C card is bidirectional and optically passive. The card can be installed in Slots 1 to 6 and 12 to 17 The 40-WSS-C features include: • Receipt of an aggregate DWDM signal into 40 output optical channels from the Line receive port (EXP RX) in one direction and from the COM-RX port in the other direction. • Per-channel optical power monitoring using photodiodes. • Signal splitting in a 70%-to-30% ratio, sent to the 40-DMX-C for dropping signals, then to the other 40-WSS-C card. • Aggregate DWDM signal monitoring and control through a variable optical attenuator (VOA). In the case of electrical power failure, the VOA is set to its maximum attenuation for safety purposes. A manual VOA setting is also available. Within the 40-WSS-C card, the first AWG opens the spectrum and each wavelength is directed to one of the ports of a 1x2 optical switch. The same wavelength can be passed through or stopped. If the pass-through wavelength is stopped, a new channel can be added at the ADD port. The card’s second AWG multiplexes all of the wavelengths, and the aggregate signal is output through the COM-TX port. 9.10.1 40-WSS-C Faceplate Ports The 40-WSS-C has eight types of ports: • ADD RX ports (1 to 40): These ports are used for adding channels. Each add channel is associated with an individual switch element that selects whether an individual channel is added. Each add port has optical power regulation provided by a VOA. The five connectors on the card faceplate accept MPO cables for the client input interfaces. MPO cables break out into eight separate cables. The 40-WSS-C card also has one LC-PC-II optical connector for the main input. • COM RX: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • COM TX: The COM TX port sends an aggregate optical signal to a booster amplifier card (for example, the OPT-BST card) for transmission outside of the NE.9-56 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card • EXP RX port: The EXP RX port receives an optical signal from another 40-WSS-C card in the same NE. • EXP TX: The EXP TX port sends an optical signal to the other 40-WSS-C card within the NE. • DROP TX port: The DROP TX port sends the split off optical signal that contains drop channels to the 40-DMX-C card, where the channels are further processed and dropped. Figure 9-28 shows the 40-WSS-C card faceplate. Figure 9-28 40-WSS-C Faceplate 9.10.2 40-WSS-C Block Diagram Figure 9-29 shows a block diagram of the 40-WSS-C card. 159394 40-WSS-C 36.6 - 42.1 30.3 - 35.8 42.9 - 48.5 49.3 - 54.9 55.7 - 61.4 ADD RX COM RX TX EXP RX TX DROP TX FAIL ACT SF9-57 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card Figure 9-29 40-WSS-C Block Diagram Figure 9-30 shows the 40-WSS-C optical module functional block diagram. 159393 ADD RX CONTROL Control Interface Comon TX Comon RX EXPRESS RX 2 2 ADD 2 2 Pas Through EXPRESS TX Virtual photodiode DROP TX 1 1 ADD 1 1 Pas Through 40 40 ADD 70/30 40 2 Pas Through9-58 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card Figure 9-30 40-WSS-C Optical Module Functional Block Diagram 9.10.3 40-WSS-C ROADM Functionality The 40-WSS-C card works in combination with the 40-DMX-C card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured at the optical channel level using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 40-WSS-C card requires two 40-WSS-C double-slot cards and two 40-DMX-C single-slot cards (for a total of six slots in the ONS 15454 chassis). For information about ROADM functionality for other cards, see that card’s description in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. 9.10.4 40-WSS-C Power Monitoring The 40-WSS-C has physical diodes that monitor power at various locations on the card. Table 9-33 lists the physical diode descriptions. Optical module 159392 uP8260 COM RX COM TX FPGA For SCL Bus management 2xSCL Buses DC/DC Power supply Input filters BAT A&B EXP RX ADD RX LC connector MPO connector EXP TX DROP TX Table 9-33 40-WSS-C Physical Photodiode Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) P1 DROP DROP TX P2 EXP EXP RX9-59 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. Additionally, the 40-WSS-C has two virtual diodes. Virtual diodes are monitor points for each physical photodiode; they are identified with a physical diode relative to the way that the physical diode is identified with one of the two interlink (ILK) ports. Table 9-34 lists the virtual diodes. 9.10.5 40-WSS-C Channel Plan Table 9-35 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are switched by the 40-WSS-C card. PDi3 1 RX Add i RX ports (that is, channel input Add i RX power), up to 40 ports and therefore 40 PDs1 PDi4 1 TX COM TX port (that is, per channel output COM TX power) up to 40 channels and therefore 40 PDs PD5 COM COM TX port (that is, total output COM TX power) 1. i indicates any channel from 01 through 40. Table 9-33 40-WSS-C Physical Photodiode Port Calibration (continued) Physical Photodiode CTC Type Name Calibrated to Port(s) Table 9-34 40-WSS-C Virtual Photodiode Port Calibration Virtual Photodiode CTC Type Name Calibrated to Port(s) VPD1 COM COM RX port (total input COM RX power) VPD2 EXP EXP TX port (total output EXP TX power) Table 9-35 40-WSS-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.409-60 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-C Card 9.10.6 40-WSS-C Card-Level Indicators The 40-WSS-C card has three card-level LED indicators, described in Table 9-36. B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.35 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.32 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.32 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.33 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 Table 9-35 40-WSS-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm)9-61 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card 9.10.7 40-WSS-C Port-Level Indicators You can find the alarm status of the 40-WSS-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to the “Manage Alarms” chapter in the Cisco ONS 15454 DWDM Procedure Guide. 9.11 40-WSS-CE Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.9 40-WSS-CE Card Specifications” section on page A-34 for hardware specifications. The double-slot 40-channel Wavelength Selective Switch Even-Channel C-Band (40-WSS-CE) card switches 40 ITU-T 100-GHz-spaced channels identified in the channel plan (Table 9-39 on page 9-66) and sends them to dedicated output ports. The 40-WSS-CE card is bidirectional and optically passive. The card can be installed in Slots 1 to 6 and 12 to 17. The 40-WSS-CE features include: • Receipt of an aggregate DWDM signal into 40 output optical channels from the Line receive port (EXP RX) in one direction and from the COM-RX port in the other direction. • Per-channel optical power monitoring using photodiodes. • Signal splitting in a 70-to-30 percent ratio, sent to the 40-DMX-CE card for dropping signals, then to the other 40-WSS-CE card. • Aggregate DWDM signal monitoring and control through a VOA. In the case of electrical power failure, the VOA is set to its maximum attenuation for safety purposes. A manual VOA setting is also available. Within the 40-WSS-CE card, the first AWG opens the spectrum and each wavelength is directed to one of the ports of a 1x2 optical switch. The same wavelength can be passed through or stopped. If the pass-through wavelength is stopped, a new channel can be added at the ADD port. The card’s second AWG multiplexes all of the wavelengths, and the aggregate signal is output through the COM-TX port. Table 9-36 40-WSS-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 40-WSS-C is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-62 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card 9.11.1 40-WSS-CE Faceplate Ports The 40-WSS-CE card has eight types of ports: • ADD RX ports (1 to 40): These ports are used for adding channels. Each add channel is associated with an individual switch element that selects whether an individual channel is added. Each add port has optical power regulation provided by a VOA. The five connectors on the card faceplate accept MPO cables for the client input interfaces. MPO cables break out into eight separate cables. The 40-WSS-CE card also has one LC-PC-II optical connector for the main input. • COM RX: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • COM TX: The COM TX port sends an aggregate optical signal to a booster amplifier card (for example, the OPT-BST card) for transmission outside of the NE. • EXP RX port: The EXP RX port receives an optical signal from another 40-WSS-CE card in the same NE. • EXP TX: The EXP TX port sends an optical signal to the other 40-WSS-CE card within the NE. • DROP TX port: The DROP TX port sends the split off optical signal that contains drop channels to the 40-DMX-C card, where the channels are further processed and dropped. Figure 9-31 shows the 40-WSS-CE card faceplate.9-63 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card Figure 9-31 40-WSS-CE Faceplate 9.11.2 40-WSS-CE Card Block Diagram Figure 9-32 shows a block diagram of the 40-WSS-CE card. 240643 40-WSS-C 37.0 - 42.5 30.7 - 36.2 43.3 - 48.9 49.7 - 55.3 56.2 - 61.8 ADD RX COM RX TX EXP RX TX DROP TX FAIL ACT SF9-64 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card Figure 9-32 40-WSS-CE Block Diagram Figure 9-33 shows the 40-WSS-CE optical module functional block diagram. 159393 ADD RX CONTROL Control Interface Comon TX Comon RX EXPRESS RX 2 2 ADD 2 2 Pas Through EXPRESS TX Virtual photodiode DROP TX 1 1 ADD 1 1 Pas Through 40 40 ADD 70/30 40 2 Pas Through9-65 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card Figure 9-33 40-WSS-CE Card Optical Module Functional Block Diagram 9.11.3 40-WSS-CE Card ROADM Functionality The 40-WSS-CE card works in combination with the 40-DMX-CE card to implement ROADM functionality. As a ROADM node, the ONS 15454 can be configured at the optical channel level using CTC, Cisco TransportPlanner, and CTM. ROADM functionality using the 40-WSS-CE card requires two 40-WSS-CE double-slot cards and two 40-DMX-CE single-slot cards (for a total of six slots in the ONS 15454 chassis). For information about ROADM functionality for another cards, see the description of that card in this chapter. For a diagram of a typical ROADM configuration, see the “11.1.3 ROADM Node” section on page 11-10. 9.11.4 40-WSS-CE Card Power Monitoring The 40-WSS-CE card has physical diodes that monitor power at various locations on the card. Table 9-37 lists the physical diode descriptions. Optical module 159392 uP8260 COM RX COM TX FPGA For SCL Bus management 2xSCL Buses DC/DC Power supply Input filters BAT A&B EXP RX ADD RX LC connector MPO connector EXP TX DROP TX Table 9-37 40-WSS-CE Physical Photodiode Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) P1 DROP DROP TX P2 EXP EXP RX9-66 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. Additionally, the 40-WSS-CE card has two virtual diodes. Virtual diodes are monitor points for each physical photodiode; they are identified with a physical diode relative to the way that the physical diode is identified with one of the two interlink (ILK) ports. Table 9-38 lists the virtual diodes. 9.11.5 40-WSS-CE Card Channel Plan Table 9-39 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are switched by the 40-WSS-CE card. PDi3 1 RX Add i RX ports (that is, channel input Add i RX power), up to 40 ports and therefore 40 PDs1 PDi4 1 TX COM TX port (that is, per channel output COM TX power) up to 40 channels and therefore 40 PDs PD5 COM COM TX port (that is, total output COM TX power) 1. i indicates any channel from 01 through 40. Table 9-37 40-WSS-CE Physical Photodiode Port Calibration (continued) Physical Photodiode CTC Type Name Calibrated to Port(s) Table 9-38 40-WSS-CE Virtual Photodiode Port Calibration Virtual Photodiode CTC Type Name Calibrated to Port(s) VPD1 COM COM RX port (total input COM RX power) VPD2 EXP EXP TX port (total output EXP TX power) Table 9-39 40-WSS-CE Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.7 30.7 195.85 1530.72 31.5 195.75 1531.51 32.3 195.65 1532.29 33.1 195.55 1533.07 33.9 195.45 1533.86 B34.6 34.6 195.35 1534.64 35.4 195.25 1535.43 36.2 195.15 1536.22 37.0 195.05 1537.00 37.8 194.95 1537.799-67 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WSS-CE Card 9.11.6 40-WSS-CE Card-Level Indicators The 40-WSS-CE card has three card-level LED indicators, described in Table 9-40. B38.6 38.6 194.85 1538.58 39.4 194.75 1539.37 40.1 194.65 1540.16 40.9 194.55 1540.95 41.8 194.45 1541.75 B42.5 42.5 194.35 1542.54 43.3 194.25 1543.33 44.1 194.15 1544.13 44.9 194.05 1544.92 45.7 193.95 1545.72 B46.5 46.5 193.85 1546.52 47.3 193.75 1547.32 48.1 193.65 1548.11 48.9 193.55 1548.91 49.7 193.45 1549.72 B50.5 50.5 193.35 1550.52 51.3 193.25 1551.32 52.1 193.15 1552.12 52.9 193.05 1552.93 53.7 192.95 1553.73 B54.4 54.4 192.85 1554.54 55.3 192.75 1555.34 56.1 192.65 1556.15 56.9 192.55 1556.96 57.8 192.45 1557.77 B58.6 58.6 192.35 1558.58 59.4 192.25 1559.39 60.2 192.15 1560.20 61.0 192.05 1561.01 61.8 191.95 1561.83 Table 9-39 40-WSS-CE Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm)9-68 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card 9.11.7 40-WSS-CE Card Port-Level Indicators You can find the alarm status of the 40-WSS-CE card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to the “Manage Alarms” chapter in the Cisco ONS 15454 DWDM Procedure Guide. 9.12 40-WXC-C Card (Cisco ONS 15454 and ONS 15454 M6 only) Note See the “A.8.10 40-WXC-C Card Specifications” section on page A-37 or hardware specifications. The double-slot 40-channel Wavelength Cross-Connect C-band (40-WXC-C) card selectively sends any wavelength combination coming from nine input ports to a common output port. The device can manage up to 41 channels spaced at 100GHz on each port according to the channel grid in Table 9-10 on page 9-11. Each channel can be selected from any input. The card is optically passive and provides bidirectional capability. It can be installed in Slots 1 to 6 and 12 to 17. .The 40-WXC-C card provides the following features: • Demultiplexing, selection, and multiplexing of DWDM aggregate signal from input ports to common output port. • Aggregate DWDM signal monitoring and control through a VOA. • VOAs are deployed in every channel path in order to regulate the channel’s optical power. In the case of an electrical power failure, VOAs are set to their maximum attenuation value, or to a fixed and configurable one. The VOA can also be set manually. • Per-channel optical power monitoring using photodiodes. The 40-WXC-C card acts as a selector element with the following characteristics: • It is able to select a wavelength from one input port and pass the wavelength through to the common out port. Simultaneously, the card can block the same wavelength coming from the other eight input ports. • It is able to stop wavelengths from all nine inputs. Table 9-40 40-WSS-CE Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 40-WSS-CE card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-69 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card • It is able to monitor optical power and control path attenuation using per channel VOA independently of the wavelength input-to-out port connection. 9.12.1 40-WXC-C Faceplate Ports The 40-WXC-C card has six types of ports: • COM RX: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • COM TX: The COM TX port sends an aggregate optical signal to a booster amplifier card (for example, the OPT-BST card) for transmission outside of the NE. • EXP TX: The EXP TX port sends an optical signal to the other 40-WXC-C card within the NE. • MON TX: The optical service channel (OSC) monitor. • ADD/DROP RX: The 40-WXC-C card provides 40 input optical channels. For the wavelength range, see Table 9-43 on page 9-73. • ADD/DROP TX: The DROP TX port sends the split off optical signal that contains drop channels to the 40-WXC-C card, where the channels are further processed and dropped. Figure 9-34 shows the 40-WXC-C card faceplate.9-70 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card Figure 9-34 40-WXC-C Faceplate 9.12.2 40-WXC-C Block Diagram Figure 9-35 shows the 40-WXC-C optical module functional block diagram. 159396 40-WXC EXP COM RX TX EXP TX ADD DROP RX TX MON TX FAIL ACT SF RX EXP RX Ports (from 1 to 8): fibres come FROM Mesh PP Monitor Port: monitors the traffic transmitted on COM TX Port DROP TX: fibre connected to 40-DMX for local chs drop ADD RX: fibre connected to 40- MUX or xx-WSS for local chs Add EXP TX: internal connection TO Mesh PP COM RX: line RX interface FROM Pre-Amplifier COM TX: line TX interface TO Booster Amplifier9-71 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card Figure 9-35 40-WXC-C Optical Module Functional Block Diagram 9.12.3 40-WXC-C Power Monitoring The 40-WXC-C has 83 physical diodes (P1 through P40) that monitor power at the outputs of the card. Table 9-41 describes the physical diodes. WXC optical module COM TX ADD RX Virtual PDi3 P5 Table 9-41 40-WXC-C Physical Photodiode Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) P1 DROP DROP TX P2 EXP EXP RX PDi3 1 1. i indicates any channel from 01 through 40. RX Add i RX ports (that is, channel input Add i RX power), up to 40 ports and therefore 40 PDs1 PDi4 1 TX COM TX port (that is, per channel output COM TX power) up to 40 channels and therefore 40 PDs PD5 COM COM TX port (that is, total output COM TX power)9-72 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. Additionally, the 40-WXC-C has two virtual diodes. Virtual diodes are monitor points for each physical photodiode; they are identified with a physical diode relative to the way that the physical diode is identified with one of the two interlink (ILK) ports. Table 9-42 lists the virtual diodes. The usage of WXC and mesh PP power readings to troubleshoot a LOS-P in WXC COM TX port in Side A is described in the following example. The example is explained assuming a single wavelength 1558.17 in the setup that comes from Side H to Side A. If there is more than one wavelength, then there is a risk of dropping traffic when pulling common fibers. The example is explained below: When the wavelength from side H is 1558.17, you can check the power reading at WXC EXP TX port of the WXC card and verify the consistency with side H pre output power and WXC COMRX-EXPTX port loss. You can also check with a power meter connected to the 8th fiber (since it is from side H) of an MPO-FC (or LC) cable connected to the TAP-TX port of the MESH-PP. This value should be consistent with the previous reading, less than the insertion loss of the installed PP-MESH. If it is consistent, the issue is with the MPO between side A WXC and PP-MESH. If it is not consistent, the issue is with the PP-MESH or the LC-LC from side H. With only the PP-MESH already tested during installation, the only issue can be with the patch cord b. You can check if the 1558.17 wavelength from side H is unequalized (that is, if the channel is not aligned with the linear fit of the power values of the other channels) by keeping the DMX COM-RX port of side H in maintenance, and checking both the signal and ASE levels of CHAN-TX ports of the DMX card. If the channel is equalized (that is, if the channel is aligned with the linear fit of the power values of the other channels), then the issue is in the WXC side A that cannot properly regulate the VOA for such channel. If the channel is unequalized, then the issue is on a remote node. Note With an OSA or a spare 40 DMX, you can see the light coming from all the sides from TAP-TX of the PP-MESH. 9.12.4 40-WXC-C Channel Plan Table 9-43 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) that are cross connected by the 40-WXC-C card. Table 9-42 40-WXC-C Virtual Photodiode Port Calibration Virtual Photodiode CTC Type Name Calibrated to Port(s) VPD1 COM COM RX port (total input COM RX power) VPD2 EXP EXP TX port (total output EXP TX power)9-73 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 40-WXC-C Card Table 9-43 40-WXC-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) Ch. 01 29.5 196 1529.55 B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.40 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.35 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.32 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.32 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.339-74 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card 9.12.5 40-WXC-C Card-Level Indicators The 40-WXC-C card has three card-level LED indicators described in Table 9-44. 9.12.6 40-WXC-C Port-Level Indicators You can find the alarm status of the 40-WXC-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.13 80-WXC-C Card (Cisco ONS 15454 and ONS 15454 M6 only) B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 1. This channel is unused by the 40-WXC-C Table 9-43 40-WXC-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm) Table 9-44 40-WXC-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 40-WXC-C is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-75 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card Note See the “A.8.11 80-WXC-C Card Specifications” section on page A-38 or hardware specifications. The double-slot 80-channel Wavelength Cross-Connect C-band (80-WXC-C) card manages up to 80 ITU-T 100-GHz-spaced channels identified in the channel plan (Table 9-10 on page 9-11) and sends them to dedicated output ports. Each channel can be selected from any input port to any output port. The card is optically passive, and provides bidirectional capability. It can be installed in Slots 1 to 5 and 12 to 16 the ONS 15454 chassis and Slots 2 to 6 in the ONS 15454 M6 chassis. The 80-WXC-C card provides the following functionalities: • When used in the multiplexer or bidirectional mode, the 80-WXC-C card allows selection of a single wavelength or any combination of wavelengths from any of the nine input ports to the common output port. • When used in the bidirectional mode, the output wavelength from the COM-RX port is split to manage the express and drop wavelengths. • When used in the demultiplexer mode, the 80-WXC-C card, allows selection of a single wavelength or a combination of wavelengths from the common input port to any of the nine output ports. • Automatic VOA shutdown (AVS) blocking state on each wavelength and port. • Per-channel (closed loop) power regulation on the output port based on OCM block feedback. • Per-channel (open loop) attenuation regulation on the output port which is not based on the OCM feedback. The OCM unit provides per-channel optical power monitoring on the following ports: • COM port in output direction • COM port in input direction • DROP-TX port in output direction • Eight Express/Add/Drop (EAD) ports and one Add/Drop (AD) port in both input and output directions 9.13.1 80-WXC-C Faceplate and Optical Module Functional Block Diagram The 80-WXC-C card has 14 types of ports: • MON: The MON port monitors power on the COM T/R port. • COM RX: The COM RX port receives the optical signal from a preamplifier (such as the OPT-PRE) and sends it to the optical splitter. • DROP TX: In the bidirectional mode, the DROP TX port sends the optical signal to the demultiplexer. • EXP TX: The EXP TX port sends the split off optical signal that contains pass-through channels to the other side of the NE . • COM T/R: The COM port is bidirectional. It functions as a COM TX port in the multiplexer mode and as a COM RX port in the demultiplexer mode. • AD T/R: The AD port functions as ADD RX port in bidirectional and multiplexer modes and as a DROP port in the demultiplexer mode. • EAD T/R i (where i = 1 to 8): The EAD ports function as EXP ports in the bidirectional mode, as ADD ports in the multiplexer mode, and as DROP ports in the demultiplexer mode.9-76 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card Figure 9-36 shows the 80-WXC-C card faceplate and the optical module functional block diagram. Figure 9-36 80-WXC-C Faceplate and the Optical Module Functional Block Diagram COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JUNE 24, 2007 5 6 7 ADD / DROP 8 3 4 EXP DROP TX RX COM TX 1 2 R/T COM T/R MON FAIL ACT SF 80-WXC-C EXP / ADD / DROP R/T R/T R/T R/T 249126 VPD4 VPD3 VOA DROP_TX OCM 12 PD2 EAD 1...8 OCM 1...9 AD DROP TX EXP TX COM RX MON COM LC connectors Variable optical attenuator OUT OCM 10 OCM 11 1 10 PD1 9 40/60 12x1 Optical Switch OCM WXC9-77 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card The different units of the 80-WXC-C card are: • 40/60 splitter with VOA on drop path—The preamplifier output signal from the preamplifier is split in a 40%-to-60% ratio; 40% is sent on the drop path (DROP-TX port) and 60% is sent on the pass-through path (EXP-TX port). The VOA equipped on the drop path is used to match the power range of the receiver photodiode without the need for bulk attenuation. If a channel is expected to be dropped in the 80-WXC-C card, the pass-through channel is stopped after the EXP-TX port either by a 40-WSS-C or a 40-WXC-C card. • 50 Ghz 10 port WXC—The WXC block is optically passive and has bidirectional capability. The WXC block can selectively send any wavelength combination coming from the eight input EAD ports and one AD port to a common (COM) output port, when used as a multiplexer, whereas it can selectively send any wavelength combination coming from its common (COM) input port to any of the eight output EAD ports and one AD port, when used as a demultiplexer. The WXC block can manage (on each port) up to 80 channels according to the channel grid reported in Table 9-47. Each channel can be selected from any input and routed to any output. • 50 Ghz Optical Channel Monitor (OCM)—The OCM provides per channel power monitoring on the COM T/R, DROP-TX, AD, and EADi (i=1 to 8) ports. The power value for each wavelength is refreshed after a variable timer depending on the port and card activity. 9.13.2 80-WXC-C Power Monitoring The 80-WXC-C has two physical photodiodes and an OCM unit that monitors power at the different ports of the card. Table 9-45 describes the physical photodiodes. For information on the associated TL1 AIDs for the optical power monitoring points, see the “CTC Port Numbers and TL1 Aids” section in the Cisco ONS SONET TL1 Command Guide, Release 9.2. Table 9-45 80-WXC-C Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) PD1 COM Total Power COM PD2 EXP-TX Total Power EXP-TX OCM1 EAD 1 Per-Channel and Total Power EAD-1 OCM2 EAD 2 Per-Channel and Total Power EAD-2 OCM3 EAD 3 Per-Channel and Total Power EAD-3 OCM4 EAD 4 Per-Channel and Total Power EAD-4 OCM5 EAD 5 Per-Channel and Total Power EAD-5 OCM6 EAD 6 Per-Channel and Total Power EAD-6 OCM7 EAD 7 Per-Channel and Total Power EAD-7 OCM8 EAD 8 Per-Channel and Total Power EAD-8 OCM9 AD Per-Channel and Total Power AD OCM10 Output Per-Channel and Total Power COM OCM11 Input Per-Channel and Total Power COM OCM12 Drop Per-Channel and Total Power DROP-TX9-78 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card Additionally, the 80-WXC-C has two virtual photodiodes. Table 9-46 lists the virtual photodiodes. 9.13.3 80-WXC-C Channel Plan Table 9-47 shows the 80 ITU-T 50-GHz-spaced, C-band channels (wavelengths) that are cross connected by the 80-WXC-C card. Table 9-46 80-WXC-C Virtual Photodiode Port Calibration Virtual Photodiode CTC Type Name Calibrated to Port(s) VPD3 DROP-TX Total Power DROP-TX VPD4 COM-RX Total Power COM-RX Table 9-47 80-WXC-C Channel Plan Band ID Channel Label Frequency (THz) Wavelength (nm) Ch. 01 - 196 1529.55 30.3 30.3 195.9 1530.33 30.7 195.85 1530.72 31.1 195.8 1531.12 31.5 195.75 1531.51 31.9 195.7 1531.90 32.3 195.65 1532.29 32.7 195.6 1532.68 33.1 195.55 1533.07 33.5 195.5 1533.47 33.9 195.45 1533.86 34.3 34.3 195.4 1534.25 34.6 195.35 1534.64 35.0 195.3 1535.04 35.4 195.25 1535.43 35.8 195.2 1535.82 36.2 195.15 1536.22 36.6 195.1 1536.61 37.0 195.05 1537 37.4 195 1537.40 37.8 194.95 1537.799-79 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card 38.2 38.2 194.9 1538.19 38.6 194.85 1538.58 39.0 194.8 1538.98 39.4 194.75 1539.37 39.8 194.7 1539.77 40.2 194.65 1540.16 40.6 194.6 1540.56 41.0 194.55 1540.95 41.3 194.5 1541.35 41.7 194.45 1541.75 42.1 42.1 194.4 1542.14 42.5 194.35 1542.94 42.9 194.3 1542.94 43.3 194.25 1543.33 43.7 194.2 1543.73 44.1 194.15 1544.13 44.5 194.1 1544.53 44.9 194.05 1544.92 45.3 194 1545.32 45.7 193.95 1545.72 46.1 46.1 193.9 1546.12 46.5 193.85 1546.52 46.9 193.8 1546.92 47.3 193.75 1547.32 47.7 193.7 1547.72 48.1 193.65 1548.11 48.5 193.6 1548.51 48.9 193.55 1548.91 49.3 193.5 1549.32 49.7 193.45 1549.72 Table 9-47 80-WXC-C Channel Plan (continued) Band ID Channel Label Frequency (THz) Wavelength (nm)9-80 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards 80-WXC-C Card 9.13.4 80-WXC-C Card-Level Indicators The 80-WXC-C card has three card-level LED indicators described in Table 9-48. 50.1 50.1 193.4 1550.12 50.5 193.35 1550.52 50.9 193.3 1550.92 51.3 193.25 1551.32 51.7 193.2 1551.72 52.1 193.15 1552.12 52.5 193.1 1552.52 52.9 193.05 1552.93 53.3 193 1553.33 53.7 192.95 1553.73 54.1 54.1 192.9 1554.13 54.5 192.85 1554.54 54.9 192.8 1554.94 55.3 192.75 1555.34 55.7 192.7 1555.75 56.2 192.65 1556.15 56.6 192.6 1556.55 57.0 192.55 1556.96 57.4 192.5 1557.36 57.8 192.45 1557.77 58.2 58.2 192.4 1558.17 58.6 192.35 1558.58 59.0 192.3 1558.98 59.4 192.25 1559.39 59.8 192.2 1559.79 60.2 192.15 1560.20 60.6 192.1 1560.61 61.0 192.05 1561.01 61.4 192 1561.42 61.8 191.95 1561.83 1. This channel is unused by the 80-WXC-C Table 9-47 80-WXC-C Channel Plan (continued) Band ID Channel Label Frequency (THz) Wavelength (nm)9-81 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.13.5 80-WXC-C Port-Level Indicators You can find the alarm status of the 80-WXC-C card ports using the LCD screen or unit. The LCD screen is on the ONS 15454 and ONS 15454 M2 fan-tray assembly and is a separate unit in ONS 15454 M6. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, see the “Manage Alarms” section in the Cisco ONS 15454 DWDM Procedure Guide. 9.14 Single Module ROADM (SMR-C) Cards Note See the “A.8.12 40-SMR1-C Card Specifications” section on page A-39 and “A.8.13 40-SMR2-C Card Specifications” section on page A-40, or hardware specifications. Note For 40-SMR1-C and 40-SMR2-C safety label information, see the “9.2 Safety Labels for Class 1M Laser Product Cards” section on page 9-14. The single-slot 40-channel single module ROADM (SMR-C) cards integrate the following functional blocks onto a single line card: • Optical preamplifier • Optical booster amplifier • Optical service channel (OSC) filter • 2x1 wavelength cross-connect (WXC) or a 4x1 WXC • Optical channel monitor (OCM) The SMR-C cards are available in two versions: • 9.14.2 40-SMR1-C Card • 9.14.3 40-SMR2-C Card The SMR-C cards can manage up to 40 channels spaced at 100GHz on each port according to the channel grid in Table 9-10. The cards can be installed in Slots 1 to 6 and 12 to 17. Table 9-48 80-WXC-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the 80-WXC-C is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-82 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.1 SMR-C Card Key Features The optical amplifier units in the SMR-C cards provide the following features: • Embedded gain flattening filter • Mid-stage access for dispersion compensation unit (only applicable for preamplifier erbium-doped fiber amplifier [EDFA]) • Fixed output power mode • Fixed gain mode • Nondistorting low-frequency transfer function • Amplified spontaneous emissions (ASE) compensation in fixed gain and fixed output power mode • Fast transient suppression • Programmable tilt (only applicable for preamplifier EDFA) • Full monitoring and alarm handling capability • Optical safety support through signal loss detection and alarm at any input port, fast power down control, and reduced maximum output power in safe power mode. • EDFA section calculates the signal power, by taking into account the expected ASE power contribution to the total output power. The signal output power or the signal gain can be used as feedback signals for the EDFA pump power control loop. The 1x2 WXC unit (40-SMR1-C card) provides the following features: • Selection of individual wavelength of the aggregated 100GHz signal from either the EXP-RX or ADD-RX ports • Automatic VOA shutdown (AVS) blocking state on each wavelength and port • Per-channel power regulation based on external OCM unit • Open loop path attenuation control for each wavelength and port The 1x4 WXC unit (40-SMR2-C card) provides the following features: • Selection of individual wavelength of the aggregated 100GHz signal from either the EXPi-RX (where i = 1, 2, 3) or ADD-RX ports • Automatic VOA shutdown (AVS) blocking state on each wavelength and port • Per-channel power regulation based on external OCM unit • Open loop path attenuation control for each wavelength and port The OCM unit provides per channel optical power monitoring at EXP-RX, ADD-RX, DROP-TX, and LINE-TX ports. 9.14.2 40-SMR1-C Card The 40-SMR1-C card includes a 100Ghz 1x2 WXC unit with integrated preamplifier unit (single EDFA). 9.14.2.1 40-SMR1-C Faceplate Ports The 40-SMR1-C card has the following types of ports: • MON RX: The MON RX port monitors power on the EXP-TX output port.9-83 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards • MON TX: The MON TX port monitors power on the LINE-TX output port. • DC RX: The DC RX port receives the optical signal from the dispersion compensating unit (DCU) and sends it to the second stage preamplifier input. • DC TX: The DC TX port sends the optical signal from the first stage preamplifier output to the DCU. • OSC RX: The OSC RX port is the OSC add input port. • OSC TX: The OSC TX port is the OSC drop output port. • ADD/DROP RX: The ADD RX port receives the optical signal from the multiplexer section of the NE and sends it to the 1x2 WXC unit. • ADD/DROP TX: The DROP TX port sends the split off optical signal to the demultiplexer section of the NE. • LINE RX: The LINE RX port is the input signal port. • LINE TX: The LINE TX port is the output signal port. • EXP RX: The EXP RX port receives the optical signal from the other side of the NE and sends it to the 1x2 WXC unit. • EXP TX: The EXP TX port sends the split off optical signal that contains pass-through channels to the other side of the NE. Figure 9-37 shows the 40-SMR1-C card faceplate. Figure 9-37 40-SMR1-C Faceplate 9.14.2.2 40-SMR1-C Block Diagram Figure 9-38 shows a block diagram of the 40-SMR1-C card. LEVEL 1M HAZARD OSC DC EXP MON RX TX ADD & DROP RX TX LINE RX TX RX TX RX TX RX TX SF ACT FAIL 1-C 40-SMR COMPLIES WITH 21 CFR 1040.10 AND FOR DEVIATIONS 1040.11 EXCEPT NOTICE No.50, DATED PURSUANT TO LASER JUNE 24, 2007 2764409-84 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards Figure 9-38 40-SMR1-C Block Diagram The different units of the 40-SMR1-C card are: • OSC filter—The OSC filter allows to add an OSC channel to the C-band in the transmission path and to drop an OSC channel on the receiving path. The OSCM card that is connected to the OSC-TX and OSC-RX ports generates the OSC channel. • Double-stage variable gain EDFA preamplifier—The double-stage preamplifier allows the insertion of a DCU between the DC-TX and DC-RX ports to compensate for chromatic dispersion. It is also equipped with built-in variable optical attenuator (VOA) and gain flattening filter (GFF) that provides tilt compensation and enables the use of this device over an extended range of span losses (5 dB to 35 dB). • 70/30 splitter and VOA—The output signal from the preamplifier is split in a 70%-to-30% ratio, 70% is sent on the pass-through path (EXP-TX port) and 30% is sent on the drop path (DROP-TX port). The VOA equipped on the drop path is used to match the power range of the receiver photo diode without the need for bulk attenuation. If a channel is expected to be dropped in the 40-SMR1-C card, the pass-through channel is stopped after the EXP-TX port either by a 40-WSS-C, 40-SMR1-C, or 40-SMR2-C card. • 1x2 WXC—The 1x2 WXC aggregates on its output port a 100-GHz-spaced optical channel received from either its ADD-RX or EXP-RX port. In addition to the switching function, the 1x2 WXC allows to set a different per channel power for each of the managed wavelengths and also monitor the optical power. • OCM—The OCM provides per channel power monitoring on the DROP-RX, EXP-RX, ADD-RX, and LINE-TX ports. The power value for each wavelength is refreshed after a variable timer depending on the port and card activity. OSC-TX DC-TX DC-RX DROP-TX OSC-RX ADD-RX OCM Block OCM4 OCM3 OCM2 OCM1 VOA3 VOA2 LINE TX LINE RX MON-TX EXP-RX EXP-TX MON-RX EDFA 1 (variable Gain VOA1 30% 70% OSC DROP PD2 PD3 PD4 TAP TAP PD5 TAP PD8 OSC ADD TAP TAP TAP 276446 TAP PD6 WXC Block PD1 LC connector9-85 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.2.3 40-SMR1-C Power Monitoring The 40-SMR1-C card has seven physical diodes (PD1 through PD6 and PD8) and an OCM unit that monitors power at the input and output ports of the card (see Table 9-49). 9.14.2.4 40-SMR1-C Channel Plan Table 9-50 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) supported by the 40-SMR1-C card. Table 9-49 40-SMR1-C Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) PD1 LINE LINE-RX PD2 LINE LINE-RX PD3 DC DC-TX PD4 DC DC-RX PD5 EXP EXP-TX PD6 OSC OSC-RX PD8 LINE LINE-TX OCM1 LINE OCH LINE-TX OCM2 DROP OCH DROP-TX OCM3 ADD OCH ADD-RX OCM4 EXP OCH EXP-RX Table 9-50 40-SMR1-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.409-86 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.2.5 40-SMR1-C Card-Level Indicators The 40-SMR1-C card has three card-level LED indicators described in Table 9-51. B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.35 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.32 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.32 B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.33 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 Table 9-50 40-SMR1-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm)9-87 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.2.6 40-SMR1-C Port-Level Indicators You can find the alarm status of the 40-SMR1-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. 9.14.3 40-SMR2-C Card The 40-SMR2-C card includes a 100Ghz 1x4 WXC unit with integrated preamplifier and booster amplifier units (double EDFA). 9.14.3.1 40-SMR2-C Faceplate Ports The 40-SMR2-C card has the following types of ports: • MON RX: The MON RX port monitors power on the EXP-TX output port. • MON TX: The MON TX port monitors power on the LINE-TX output port. • DC RX: The DC RX port receives the optical signal from the dispersion compensating unit (DCU) and sends it to the second stage preamplifier input. • DC TX: The DC TX port sends the optical signal from the first stage preamplifier output to the DCU. • OSC RX: The OSC RX port is the OSC add input port. • OSC TX: The OSC TX port is the OSC drop output port. • ADD/DROP RX: The ADD RX port receives the optical signal from the multiplexer section of the NE and sends it to the 1x4 WXC unit. • ADD/DROP TX: The DROP TX port sends the split off optical signal to the demultiplexer section of the NE. • LINE RX: The LINE RX port is the input signal port. • LINE TX: The LINE TX port is the output signal port. • EXP TX: The EXP TX port sends the split off optical signal that contains pass-through channels to the other side of the NE. Table 9-51 40-SMR1-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-88 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards • EXPi-RX (where i = 1, 2, 3): The EXPi-RX port receives the optical signal from the other side of the NE and sends it to the 1x4 WXC unit. Figure 9-37 shows the 40-SMR2-C card faceplate. Figure 9-39 40-SMR2-C Faceplate 9.14.3.2 40-SMR2-C Block Diagram Figure 9-38 shows a block diagram of the 40-SMR2-C card. Figure 9-40 40-SMR2-C Block Diagram The different units of the 40-SMR2-C card are: 276441 EXP OSC DC RX TX ADD & DROP RX TX LINE RX TX RX TX RX TX MON SF ACT FAIL 2-C 40-SMR COMPLIES WITH 21 CFR 1040.10 AND FOR DEVIATIONS 1040.11 EXCEPT NOTICE No.50, DATED PURSUANT TO LASER JUNE 24, 2007 LEVEL 1M HAZARD OSC-TX DC-TX DC-RX DROP-TX OSC-RX ADD-RX LINE TX LINE RX MON-TX EXP1-RX EXP2-RX EXP3-RX MON-RX EDFA 1 (Variable Gain) EDFA 2 (Fixed Gain) 30% 70% OSC DROP PD2 PD3 PD4 TAP TAP PD5 TAP PD8 PD7 OSC ADD TAP TAP 276447 TAP PD6 4x1 WXC Block PD1 TAP TAP LC connector MPO connector EXP-TX 6 ports OCM Block9-89 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards • OSC filter—The OSC filter allows to add an OSC channel to the C-band in the transmission path and to drop an OSC channel on the receiving path. The OSCM card that is connected to the OSC-TX and OSC-RX ports generates the OSC channel. • Double-stage variable gain EDFA preamplifier—The double-stage preamplifier allows the insertion of a DCU between the DC-TX and DC-RX ports to compensate for chromatic dispersion. It is also equipped with built-in variable optical attenuator (VOA) and gain flattening filter (GFF) that provides tilt compensation and enables the use of this device over an extended range of span losses (5 dB to 35 dB). • 70/30 splitter and VOA—The output signal from the preamplifier is split in a 70%-to-30% ratio, 70% is sent on the pass-through path (EXP-TX port) and 30% is sent on the drop path (DROP-TX port). The VOA equipped on the drop path is used to match the power range of the receiver photo diode without the need for bulk attenuation. If a channel is expected to be dropped in the 40-SMR2-C card, the pass-through channel is stopped after the EXP-TX port by a 40-WSS-C, 40-SMR1-C, or 40-SMR2-C card. • 1x4 WXC—The 1x4 WXC aggregates on its output port a 100-GHz-spaced optical channel received from either its ADD-RX or EXPi-RX (where i = 1, 2, 3) port. In addition to the switching function, the 1x4 WXC allows to set a different per channel power for each of the managed wavelengths and also monitor the optical power. • Single-stage fixed gain EDFA booster amplifier—The booster amplifier amplifies the output signal from the 1x4 WXC unit before transmitting it into the fiber. Since it is a fixed gain (17 dB) amplifier, it does not allow gain tilt control. • OCM—The OCM provides per channel power monitoring on the DROP-RX, EXPi-RX (where i = 1, 2, 3), ADD-RX, and LINE-TX ports. The power value for each wavelength is refreshed after a variable timer depending on the port and card activity. 9.14.3.3 40-SMR2-C Power Monitoring The 40-SMR2-C card has eight physical diodes (PD1 through PD8) and an OCM unit that monitors power at the input and output ports of the card (see Table 9-52). Table 9-52 40-SMR2-C Port Calibration Physical Photodiode CTC Type Name Calibrated to Port(s) PD1 LINE LINE-RX PD2 LINE LINE-RX PD3 DC DC-TX PD4 DC DC-RX PD5 EXP EXP-TX PD6 OSC OSC-RX PD7 Not reported on CTC Internal port PD8 LINE LINE-TX OCM1 LINE OCH LINE-TX OCM2 DROP OCH DROP-TX OCM3 ADD OCH ADD-RX OCM4 EXP-1 OCH EXP1-RX9-90 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.3.4 40-SMR2-C Channel Plan Table 9-53 shows the 40 ITU-T 100-GHz-spaced, C-band channels (wavelengths) supported by the 40-SMR2-C card. OCM5 EXP-2 OCH EXP2-RX OCM6 EXP-3 OCH EXP3-RX Table 9-52 40-SMR2-C Port Calibration (continued) Physical Photodiode CTC Type Name Calibrated to Port(s) Table 9-53 40-SMR2-C Channel Plan Band ID Channel Label Frequency (GHz) Wavelength (nm) B30.3 30.3 195.9 1530.33 31.1 195.8 1531.12 31.9 195.7 1531.90 32.6 195.6 1532.68 33.4 195.5 1533.47 B34.2 34.2 195.4 1534.25 35.0 195.3 1535.04 35.8 195.2 1535.82 36.6 195.1 1536.61 37.4 195 1537.40 B38.1 38.1 194.9 1538.19 38.9 194.8 1538.98 39.7 194.7 1539.77 40.5 194.6 1540.56 41.3 194.5 1541.35 B42.1 42.1 194.4 1542.14 42.9 194.3 1542.94 43.7 194.2 1543.73 44.5 194.1 1544.53 45.3 194 1545.32 B46.1 46.1 193.9 1546.12 46.9 193.8 1546.92 47.7 193.7 1547.72 48.5 193.6 1548.51 49.3 193.5 1549.329-91 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards Single Module ROADM (SMR-C) Cards 9.14.3.5 40-SMR2-C Card-Level Indicators The 40-SMR2-C card has three card-level LED indicators described in Table 9-54. 9.14.3.6 40-SMR2-C Port-Level Indicators You can find the alarm status of the 40-SMR2-C card ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. B50.1 50.1 193.4 1550.12 50.9 193.3 1550.92 51.7 193.2 1551.72 52.5 193.1 1552.52 53.3 193 1553.33 B54.1 54.1 192.9 1554.13 54.9 192.8 1554.94 55.7 192.7 1555.75 56.5 192.6 1556.55 57.3 192.5 1557.36 B58.1 58.1 192.4 1558.17 58.9 192.3 1558.98 59.7 192.2 1559.79 60.6 192.1 1560.61 61.4 192 1561.42 Table 9-53 40-SMR2-C Channel Plan (continued) Band ID Channel Label Frequency (GHz) Wavelength (nm) Table 9-54 40-SMR2-C Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card processor is not ready or that an internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-92 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards MMU Card 9.15 MMU Card (Cisco ONS 15454 only) The single-slot Mesh Multi-Ring Upgrade Module (MMU) card supports multiring and mesh upgrades for ROADM nodes in both the C-band and the L-band. Mesh/multiring upgrade is the capability to optically bypass a given wavelength from one section of the network or ring to another one without requiring 3R regeneration. In each node, you need to install one east MMU and one west MMU. The card can be installed in Slots 1 through 6 and 12 through 17. 9.15.1 MMU Faceplate Ports The MMU has six types of ports: • EXP RX port: The EXP RX port receives the optical signal from the ROADM section available on the NE. • EXP TX port: The EXP TX port sends the optical signal to the ROADM section available on the NE. • EXP-A RX port: The EXP-A RX port receives the optical signal from the ROADM section available on other NEs or rings. • EXP-A TX port: The EXP-A TX port sends the optical signal to the ROADM section available on other NEs or rings. • COM TX port: The COM TX port sends the optical signal to the fiber stage section. • COM RX port: The COM RX port receives the optical signal from the fiber stage section. Figure 9-41 shows the MMU card faceplate. 9-93 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards MMU Card Figure 9-41 MMU Faceplate and Ports 9.15.2 MMU Block Diagram Figure 9-42 provides a high-level functional block diagram of the MMU card. 145190 ACT FAIL MMU SF RX TX EXP A RX TX EXP RX TX COM9-94 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards MMU Card Figure 9-42 MMU Block Diagram 9.15.3 MMU Power Monitoring Physical photodiodes P1 through P3 monitor the power for the MMU card. The returned power level values are calibrated to the ports as shown in Table 9-55. VP1 to VP3 are virtual photodiodes that have been created by adding (by software computation) the relevant path insertion losses of the optical splitters (stored in the module) to the real photodiode (P1 to P3) measurement. For information on the associated TL1 AIDs for the optical power monitoring points, refer the “CTC Port Numbers and TL1 Aids” section in Cisco ONS SONET TL1 Command Guide, Release 9.2. 9.15.4 MMU Card-Level Indicators Table 9-56 describes the three card-level LED indicators on the MMU card. 145191 COM TX VPD2 75/25 PD1 EXP RX PD2 EXP A RX COM RX VPD3 95/5 95/5 VPD1 EXP TX Legend LC PC II Connector Optical splitter/coupler Real photodiode Virtual photodiode PD3 EXP A TX Table 9-55 MMU Port Calibration Photodiode CTC Type Name Calibrated to Port P1 1 (EXP-RX) EXP RX P2 5 (EXP A-RX) EXP A RX P3 6 (EXP A-TX) EXP A TX VP1 2 (EXP-TX) EXP TX VP2 4 (COM-TX) COM TX VP3 3 (COM-RX) COM RX9-95 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards MMU Card 9.15.5 MMU Port-Level Indicators You can find the alarm status of the MMU card’s ports using the LCD screen on the ONS 15454 fan-tray assembly. The screen displays the number and severity of alarms on a given port or slot. For the procedure to view these counts, refer to “Manage Alarms” in the Cisco ONS 15454 DWDM Procedure Guide. Table 9-56 MMU Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready or that n internal hardware failure occurred. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the MMU card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure on one or more of the card’s ports. The amber SF LED also turns on when the transmit and receive fibers are incorrectly connected. When the fibers are properly connected, the light turns off.9-96 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 9 Reconfigurable Optical Add/Drop Cards MMU CardCHAPTER 10-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 10 Transponder and Muxponder Cards Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco’s path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration. This chapter describes Cisco ONS 15454 transponder (TXP), muxponder (MXP), GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, ADM-10G, and OTU2_XP cards, as well as their associated plug-in modules (Small Form-factor Pluggables [SFPs or XFPs]). For installation and card turn-up procedures, refer to the Cisco ONS 15454 DWDM Procedure Guide. For card safety and compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Note The cards described in this chapter are supported on the Cisco ONS 15454, Cisco ONS 15454 M6, Cisco ONS 15454 M2 platforms, unless noted otherwise. Chapter topics include: • 10.1 Card Overview, page 10-2 • 10.2 Safety Labels, page 10-8 • 10.3 TXP_MR_10G Card, page 10-13 • 10.4 TXP_MR_10E Card, page 10-16 • 10.5 TXP_MR_10E_C and TXP_MR_10E_L Cards, page 10-21 • 10.6 TXP_MR_2.5G and TXPP_MR_2.5G Cards, page 10-25 • 10.7 MXP_2.5G_10G Card, page 10-29 • 10.8 MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards, page 10-40 • 10.9 MXP_MR_2.5G and MXPP_MR_2.5G Cards, page 10-49 • 10.10 MXP_MR_10DME_C and MXP_MR_10DME_L Cards, page 10-55 • 10.11 40G-MXP-C Card, page 10-64 • 10.12 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards, page 10-7110-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview • 10.13 ADM-10G Card, page 10-96 • 10.14 OTU2_XP Card, page 10-111 • 10.15 MLSE UT, page 10-121 • 10.16 TXP_MR_10EX_C Card, page 10-121 • 10.17 MXP_2.5G_10EX_C card, page 10-125 • 10.18 MXP_MR_10DMEX_C Card, page 10-132 • 10.19 Y-Cable and Splitter Protection, page 10-139 • 10.20 Far-End Laser Control, page 10-142 • 10.21 Jitter Considerations, page 10-142 • 10.22 Termination Modes, page 10-143 • 10.23 SFP and XFP Modules, page 10-144 Note Cisco ONS 15454 DWDM supports IBM's 5G DDR (Double Data Rate) InfiniBand1 interfaces. 10.1 Card Overview The card overview section lists the cards described in this chapter and provides compatibility information. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. For a list of slots and symbols, see the "Card Slot Requirements" section in the Cisco ONS 15454 Hardware Installation Guide. The purpose of a TXP, MXP, GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, ADM-10G, or OTU2_XP card is to convert the “gray” optical client interface signals into trunk signals that operate in the “colored” dense wavelength division multiplexing (DWDM) wavelength range. Client-facing gray optical signals generally operate at shorter wavelengths, whereas DWDM colored optical signals are in the longer wavelength range (for example, 1490 nm = violet; 1510 nm = blue; 1530 nm = green; 1550 nm = yellow; 1570 nm = orange; 1590 nm = red; 1610 nm = brown). Some of the newer client-facing SFPs, however, operate in the colored region. Transponding or muxponding is the process of converting the signals between the client and trunk wavelengths. An MXP generally handles several client signals. It aggregates, or multiplexes, lower rate client signals together and sends them out over a higher rate trunk port. Likewise, it demultiplexes optical signals coming in on a trunk and sends them out to individual client ports. A TXP converts a single client signal to a single trunk signal and converts a single incoming trunk signal to a single client signal. GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards can be provisioned as TXPs, as MXPs, or as Layer 2 switches. All of the TXP and MXP cards perform optical to electrical to optical (OEO) conversion. As a result, they are not optically transparent cards. The reason for this is that the cards must operate on the signals passing through them, so it is necessary to do an OEO conversion. 1. 5G DDR InfiniBand is referred to as IB_5G.10-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview On the other hand, the termination mode for all of the TXPs and MXPs, which is done at the electrical level, can be configured to be transparent. In this case, neither the Line nor the Section overhead is terminated. The cards can also be configured so that either Line or Section overhead can be terminated, or both can be terminated. Note The MXP_2.5G_10G card, by design, when configured in the transparent termination mode, actually does terminate some of the bytes. See Table 10-64 on page 10-143 for details. 10.1.1 Card Summary Table 10-1 lists and summarizes the functions of each TXP, TXPP, MXP, MXPP, GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, ADM-10G, and OTU2_XP card. Table 10-1 Cisco ONS 15454 Transponder and Muxponder Cards Card Port Description For Additional Information TXP_MR_10G The TXP_MR_10G card has two sets of ports located on the faceplate. See the “10.3 TXP_MR_10G Card” section on page 10-13. TXP_MR_10E The TXP_MR_10E card has two sets of ports located on the faceplate. See the “10.4 TXP_MR_10E Card” section on page 10-16. TXP_MR_10E_C and TXP_MR_10E_L The TXP_MR_10E_C and TXP_MR_10E_L cards have two sets of ports located on the faceplate. See the “10.5 TXP_MR_10E_C and TXP_MR_10E_L Cards” section on page 10-21. TXP_MR_2.5G The TXP_MR_2.5G card has two sets of ports located on the faceplate. See the “10.6 TXP_MR_2.5G and TXPP_MR_2.5G Cards” section on page 10-25. TXPP_MR_2.5G The TXPP_MR_2.5G card has three sets of ports located on the faceplate. See the “10.6 TXP_MR_2.5G and TXPP_MR_2.5G Cards” section on page 10-25. MXP_2.5G_10G The MXP_2.5G_10G card has nine sets of ports located on the faceplate. See the “10.7 MXP_2.5G_10G Card” section on page 10-29. MXP_2.5G_10E The MXP_2.5G_10E card has nine sets of ports located on the faceplate. See the “10.7.4 MXP_2.5G_10E Card” section on page 10-33. MXP_2.5G_10E_C and MXP_2.5G_10E_L The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards have nine sets of ports located on the faceplate. See the “10.8 MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards” section on page 10-40. MXP_MR_2.5G The MXP_MR_2.5G card has nine sets of ports located on the faceplate. See the “10.9 MXP_MR_2.5G and MXPP_MR_2.5G Cards” section on page 10-49. MXPP_MR_2.5G The MXPP_MR_2.5G card has ten sets of ports located on the faceplate. See the “10.9 MXP_MR_2.5G and MXPP_MR_2.5G Cards” section on page 10-49.10-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview MXP_MR_10DME_C and MXP_MR_10DME_L The MXP_MR_10DME_C and MXP_MR_10DME_L cards have eight sets of ports located on the faceplate. See the “10.10 MXP_MR_10DME_C and MXP_MR_10DME_L Cards” section on page 10-55. 40G-MXP-C The 40G-MXP-C card has five ports located on the faceplate. See the “10.11 40G-MXP-C Card” section on page 10-64. GE_XP and GE_XPE The GE_XP and GE_XPE cards have twenty Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. See the “10.12 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards” section on page 10-71. 10GE_XP and 10GE_XPE The 10GE_XP and 10GE_XPE cards have two 10 Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. See the “10.12 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards” section on page 10-71. ADM-10G The ADM-10G card has 19 sets of ports located on the faceplate. See the “10.13 ADM-10G Card” section on page 10-96. OTU2_XP The OTU2_XP card has four ports located on the faceplate. See the “10.14 OTU2_XP Card” section on page 10-111. TXP_MR_10EX_C The TXP_MR_10EX_C card has two sets of ports located on the faceplate. See the “10.16 TXP_MR_10EX_C Card” section on page 10-121. MXP_2.5G_10EX_C The MXP_2.5G_10EX_C card has nine sets of ports located on the faceplate. See the “10.17 MXP_2.5G_10EX_C card” section on page 10-125. MXP_MR_10DMEX_C The MXP_MR_10DMEX_C card has eight sets of ports located on the faceplate. See the “10.18 MXP_MR_10DMEX_C Card” section on page 10-132. Table 10-1 Cisco ONS 15454 Transponder and Muxponder Cards (continued) Card Port Description For Additional Information10-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview 10.1.2 Card Compatibility Table 10-2 lists the platform and Cisco Transport Controller (CTC) software compatibility for each TXP, TXPP, MXP, MXPP, GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, ADM-10G, and OTU2_XP card. Table 10-2 Platform and Software Release Compatibility for Transponder and Muxponder Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 TXP_MR_10G 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M TXP_MR_10E No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 TXP_MR_10E_C No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 TXP_MR_10E_L No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M TXP_MR_2.5G 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 TXPP_MR_2.5G 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_2.5G_10G 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M10-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview MXP_2.5G_10E No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_2.5G_10E_C No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_2.5G_10E_L No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M MXP_MR_2.5G No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXPP_MR_2.5G No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_MR_10DME_C No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_MR_10DME_L No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M Table 10-2 Platform and Software Release Compatibility for Transponder and Muxponder Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.210-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Card Overview GE_XP No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 10GE_XP No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 GE_XPE No No No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 10GE_XPE No No No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 ADM-10G No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 OTU2_XP No No No No No No No No No 15454 -DW DM 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 Table 10-2 Platform and Software Release Compatibility for Transponder and Muxponder Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.210-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Safety Labels 10.2 Safety Labels This section explains the significance of the safety labels attached to some of the cards. The faceplates of the cards are clearly labeled with warnings about the laser radiation levels. You must understand all warning labels before working on these cards. 10.2.1 Class 1 Laser Product Cards The MXP_2.5G_10G, MXP_2.5G_10E, MXP_2.5G_10E_C, MXP_2.5G_10E_L, ADM-10G, GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, and OTU2_XP cards have Class 1 lasers. The labels that appear on these cards are described in the following sections. 10.2.1.1 Class 1 Laser Product Label The Class 1 Laser Product label is shown in Figure 10-1. TXP_MR_10EX_C No No No No No No No No No No 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_2.5G_10EX_C No No No No No No No No No No 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 MXP_MR_10DMEX_ C No No No No No No No No No No 15454 -DW DM 15454 -DWD M, 15454 -M2, 15454 -M6 40G-MXP-C No No No No No No No No No No No 15454 -DWD M, 15454 -M2, 15454 -M6 Table 10-2 Platform and Software Release Compatibility for Transponder and Muxponder Cards Card Name R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.210-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Safety Labels Figure 10-1 Class 1 Laser Product Label Class 1 lasers are products whose irradiance does not exceed the Maximum Permissible Exposure (MPE) value. Therefore, for Class 1 laser products the output power is below the level at which it is believed eye damage will occur. Exposure to the beam of a Class 1 laser will not result in eye injury and can therefore be considered safe. However, some Class 1 laser products might contain laser systems of a higher Class but there are adequate engineering control measures to ensure that access to the beam is not reasonably likely. Anyone who dismantles a Class 1 laser product that contains a higher Class laser system is potentially at risk of exposure to a hazardous laser beam 10.2.1.2 Hazard Level 1 Label The Hazard Level 1 label is shown in Figure 10-2. This label is displayed on the faceplate of the cards. Figure 10-2 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. 10.2.1.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 10-3. Figure 10-3 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. CLASS 1 LASER PRODUCT 145952 HAZARD LEVEL 1 65542 9663510-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Safety Labels 10.2.1.4 FDA Statement Label The FDA Statement labels are shown in Figure 10-4 and Figure 10-5. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 10-4 FDA Statement Label Figure 10-5 FDA Statement Label 10.2.1.5 Shock Hazard Label The Shock Hazard label is shown in Figure 10-6. Figure 10-6 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. 10.2.2 Class 1M Laser Product Cards The TXP_MR_10G, TXP_MR_10E, TXP_MR_10E_C, TXP_MR_10E_L, TXP_MR_2.5G, TXPP_MR_2.5G, MXP_MR_2.5G, MXPP_MR_2.5G, MXP_MR_10DME_C, MXP_MR_10DME_L, and 40G-MXP-C cards have Class 1M lasers. 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 2007 6554110-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Safety Labels The labels that appear on these cards are described in the following subsections. 10.2.2.1 Class 1M Laser Product Statement The Class 1M Laser Product statement is shown in Figure 10-7. Figure 10-7 Class 1M Laser Product Statement Class 1M lasers are products that produce either a highly divergent beam or a large diameter beam. Therefore, only a small part of the whole laser beam can enter the eye. However, these laser products can be harmful to the eye if the beam is viewed using magnifying optical instruments. 10.2.2.2 Hazard Level 1M Label The Hazard Level 1M label is shown in Figure 10-8. This label is displayed on the faceplate of the cards. Figure 10-8 Hazard Level Label The Hazard Level label warns users against exposure to laser radiation of Class 1 limits calculated in accordance with IEC60825-1 Ed.1.2. 10.2.2.3 Laser Source Connector Label The Laser Source Connector label is shown in Figure 10-9. CAUTION HAZARD LEVEL 1M INVISIBLE LASER RADIATION DO NOT VIEW DIRECTLY WITH NON-ATTENUATING OPTICAL INSTRUMENTS λ = = 1400nm TO 1610nm 145953 HAZARD LEVEL 1M 14599010-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Safety Labels Figure 10-9 Laser Source Connector Label This label indicates that a laser source is present at the optical connector where the label has been placed. 10.2.2.4 FDA Statement Label The FDA Statement labels are shown in Figure 10-10 and Figure 10-11. These labels show compliance to FDA standards and that the hazard level classification is in accordance with IEC60825-1 Am.2 or Ed.1.2. Figure 10-10 FDA Statement Label Figure 10-11 FDA Statement Label 10.2.2.5 Shock Hazard Label The Shock Hazard label is shown in Figure 10-12. 96635 96634 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JULY 26, 2001 282324 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE NO.50, DATED JUNE 24, 200710-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10G Card Figure 10-12 Shock Hazard Label This label alerts personnel to electrical hazard within the card. The potential of shock hazard exists when removing adjacent cards during maintenance, and touching exposed electrical circuitry on the card itself. 10.3 TXP_MR_10G Card (Cisco ONS 15454 only) The TXP_MR_10G processes one 10-Gbps signal (client side) into one 10-Gbps, 100-GHz DWDM signal (trunk side). It provides one 10-Gbps port per card that can be provisioned for an STM-64/OC-192 short reach (1310-nm) signal, compliant with ITU-T G.707, ITU-T G.709, ITU-T G.691, and Telcordia GR-253-CORE, or a 10GBASE-LR signal compliant with IEEE 802.3. The TXP_MR_10G card is tunable over two neighboring wavelengths in the 1550-nm, ITU 100-GHz range. It is available in 16 different versions, each of which covers two wavelengths, for a total coverage of 32 different wavelengths in the 1550-nm range. Note ITU-T G.709 specifies a form of forward error correction (FEC) that uses a “wrapper” approach. The digital wrapper lets you transparently take in a signal on the client side, wrap a frame around it and restore it to its original form. FEC enables longer fiber links because errors caused by the optical signal degrading with distance are corrected. The trunk port operates at 9.95328 Gbps (or 10.70923 Gbps with ITU-T G.709 Digital Wrapper/FEC) and at 10.3125 Gbps (or 11.095 Gbps with ITU-T G.709 Digital Wrapper/FEC) over unamplified distances up to 80 km (50 miles) with different types of fiber such as C-SMF or dispersion compensated fiber limited by loss and/or dispersion. Caution Because the transponder has no capability to look into the payload and detect circuits, a TXP_MR_10G card does not display circuits under card view. Caution You must use a 15-dB fiber attenuator (10 to 20 dB) when working with the TXP_MR_10G card in a loopback on the trunk port. Do not use direct fiber loopbacks with the TXP_MR_10G card. Using direct fiber loopbacks causes irreparable damage to the TXP_MR_10G card. 6554110-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10G Card You can install TXP_MR_10G cards in Slots 1 to 6 and 12 to 17 and provision this card in a linear configuration. TXP_MR_10G cards cannot be provisioned as a bidirectional line switched ring (BLSR)/Multiplex Section - Shared Protection Ring (MS-SPRing), a path protection/single node control point (SNCP), or a regenerator. They can only be used in the middle of BLSR/MS-SPRing and 1+1 spans when the card is configured for transparent termination mode. The TXP_MR_10G port features a 1550-nm laser for the trunk port and a 1310-nm laser for the for the client port and contains two transmit and receive connector pairs (labeled) on the card faceplate. The MTU setting is used to display the OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting. Figure 10-13 shows the TXP_MR_10G faceplate and block diagram.10-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10G Card Figure 10-13 TXP_MR_10G Faceplate and Block Diagram For information on safety labels for the card, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. 10.3.1 Automatic Laser Shutdown The Automatic Laser Shutdown (ALS) procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds and is user-configurable. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. uP bus Serial bus uP Flash RAM Optical transceiver 145948 Framer/FEC/DWDM processor Client interface DWDM trunk (long range) Optical transceiver Client interface STM-64/OC-192 SR-1 optics modules or 10GBASE-LR B a c k p l a n e DWDM trunk STM-64/OC-192 10G MR TXP 1530.33 - 1531.12 FAIL ACT/STBY SF TX RX CLIENT 1530.33 1531.12 DWDM TX RX ! MAX INPUT POWER LEVEL - 8 dBm10-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E Card 10.3.2 TXP_MR_10G Card-Level Indicators Table 10-3 lists the three card-level LEDs on the TXP_MR_10G card. 10.3.3 TXP_MR_10G Port-Level Indicators Table 10-4 lists the four port-level LEDs in the TXP_MR_10G card. 10.4 TXP_MR_10E Card The TXP_MR_10E card is a multirate transponder for the ONS 15454 platform. The card is fully backward compatible with the TXP_MR_10G card. It processes one 10-Gbps signal (client side) into one 10-Gbps, 100-GHz DWDM signal (trunk side) that is tunable over four wavelength channels (spaced at 100 GHz on the ITU grid) in the C band and tunable over eight wavelength channels (spaced at 50 GHz on the ITU grid) in the L band. There are eight versions of the C-band card, with each version covering four wavelengths, for a total coverage of 32 wavelengths. There are five versions of the L-band card, with each version covering eight wavelengths, for a total coverage of 40 wavelengths. Table 10-3 TXP_MR_10G Card-Level Indicators Card-Level LED Description FAIL LED (Red) Red indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Green indicates that the card is operational (one or both ports active) and ready to carry traffic. Amber indicates that the card is operational and in standby (protect) mode. SF LED (Amber) Amber indicates a signal failure or condition such as loss of signal (LOS), loss of frame (LOF), or high bit error rates (BERs) on one or more of the card’s ports. The amber SF LED is also illuminated if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the LED turns off. Table 10-4 TXP_MR_10G Port-Level Indicators Port-Level LED Description Green Client LED The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal. Green Wavelength 1 LED Each port supports two wavelengths on the DWDM side. Each wavelength LED matches one of the wavelengths. This LED indicates that the card is configured for Wavelength 1. Green Wavelength 2 LED Each port supports two wavelengths on the DWDM side. Each wavelength LED matches one of the wavelengths. This LED indicates that the card is configured for Wavelength 2.10-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E Card You can install TXP_MR_10E cards in Slots 1 to 6 and 12 to 17 and provision the cards in a linear configuration, BLSR/MS-SPRing, path protection/SNCP, or a regenerator. The card can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the card is configured for transparent termination mode. The TXP_MR_10E card features a 1550-nm tunable laser (C band) or a 1580-nm tunable laser (L band) for the trunk port and a separately orderable ONS-XC-10G-S1 1310-nm or ONS-XC-10G-L2 1550-nm laser XFP module for the client port. Note When the ONS-XC-10G-L2 XFP is installed, the TXP_MR_10E card must be installed in Slots 6, 7, 12 or 13) On its faceplate, the TXP_MR_10E card contains two transmit and receive connector pairs, one for the trunk port and one for the client port. Each connector pair is labeled. 10.4.1 Key Features The key features of the TXP_MR_10E card are: • A tri-rate client interface (available through the ONS-XC-10G-S1 XFP, ordered separately) – OC-192 (SR1) – 10GE (10GBASE-LR) – 10G-FC (1200-SM-LL-L) • OC-192 to ITU-T G.709 OTU2 provisionable synchronous and asynchronous mapping • The MTU setting is used to display the OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting. 10.4.2 Faceplate and Block Diagram Figure 10-14 shows the TXP_MR_10E faceplate and block diagram.10-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E Card Figure 10-14 TXP_MR_10E Faceplate and Block Diagram For information on safety labels for the card, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 15-dB fiber attenuator (10 to 20 dB) when working with the TXP_MR_10E card in a loopback on the trunk port. Do not use direct fiber loopbacks with the TXP_MR_10E card. Using direct fiber loopbacks causes irreparable damage to the TXP_MR_10E card. 10.4.3 Client Interface The client interface is implemented with a separately orderable XFP module. The module is a tri-rate transceiver, providing a single port that can be configured in the field to support an OC-192 SR-1 (Telcordia GR-253-CORE) or STM-64 I-64.1 (ITU-T G.691) optical interface, as well as 10GE LAN PHY (10GBASE-LR), 10GE WAN PHY (10GBASE-LW), or 10G FC signals. The client side XFP pluggable module supports LC connectors and is equipped with a 1310-nm laser. 10.4.4 DWDM Trunk Interface On the trunk side, the TXP_MR_10E card provides a 10-Gbps STM-64/OC-192 interface. There are four tunable channels available in the 1550-nm band or eight tunable channels available in the 1580-nm band on the 50-GHz ITU grid for the DWDM interface. The TXP_MR_10E card provides 3R (retime, reshape, uP bus Serial bus uP Flash RAM Optical transceiver 131186 Framer/FEC/DWDM processor FAIL ACT/STBY SF 10 Gb/s TP 1538.19 1538.98 Client interface DWDM trunk (long range) Optical transceiver Client interface STM-64/OC-192 or 10GE (10GBASE-LR) or 10G-FC (1200-SM-LL-L) B a c k p l a n e TX RX RX TX DWDM trunk STM-64/OC-192 4 tunable channels (C-band) or 8 tunable channels (L-band) on the 100-GHz ITU grid10-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E Card and regenerate) transponder functionality for this 10-Gbps trunk interface. Therefore, the card is suited for use in long-range amplified systems. The DWDM interface is complaint with ITU-T G.707, ITU-T G.709, and Telcordia GR-253-CORE standards. The DWDM trunk port operates at a rate that is dependent on the input signal and the presence or absence of the ITU-T G.709 Digital Wrapper/FEC. The possible trunk rates are: • OC192 (9.95328 Gbps) • OTU2 (10.70923 Gbps) • 10GE (10.3125 Gbps) or 10GE into OTU2 (ITU G.sup43 11.0957 Gbps) • 10G FC (10.51875 Gbps) or 10G FC into OTU2 (nonstandard 11.31764 Gbps) The maximum system reach in filterless applications without the use of optical amplification or regenerators is nominally rated at 23 dB over C-SMF fiber. This rating is not a product specification, but is given for informational purposes. It is subject to change. 10.4.5 Enhanced FEC (E-FEC) Feature A key feature of the TXP_MR_10E is the availability to configure the forward error correction in three modes: NO FEC, FEC, and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • NO FEC—No forward error correction • FEC—Standard ITU-T G.975 Reed-Solomon algorithm • E-FEC—Standard ITU-T G.975.1 I.7 algorithm, which is a super FEC code Note The E-FEC of the ONS 15454 and Cisco ASR 9000 are not compatible. 10.4.6 FEC and E-FEC Modes As client side traffic passes through the TXP_MR_10E card, it can be digitally wrapped using FEC mode, E-FEC mode, or no error correction at all. The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower optical signal-to-noise ratio [OSNR]) with a lower bit error rate than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned off, FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC. Caution Because the transponder has no visibility into the data payload and detect circuits, the TXP_MR_10E card does not display circuits under the card view. 10.4.7 Client-to-Trunk Mapping The TXP_MR_10E card can perform ODU2-to-OCh mapping, which allows operators to provision data payloads in a standard way across 10-Gbps optical links. 10-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E Card Digital wrappers that define client side interfaces are called Optical Data Channel Unit 2 (ODU2) entities in ITU-T G.709. Digital wrappers that define trunk side interfaces are called Optical Channels (OCh) in ITU-T G.709. ODU2 digital wrappers can include Generalized Multiprotocol Label Switching (G-MPLS) signaling extensions to ITU-T G.709 (such as Least Significant Part [LSP] and Generalized Payload Identifier [G-PID] values) to define client interfaces and payload protocols. 10.4.8 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.4.9 TXP_MR_10E Card-Level Indicators Table 10-5 lists the three card-level LEDs on the TXP_MR_10E card. 10.4.10 TXP_MR_10E Port-Level Indicators Table 10-6 lists the two port-level LEDs in the TXP_MR_10E card. Table 10-5 TXP_MR_10E Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or both ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-6 TXP_MR_10E Port-Level Indicators Port-Level LED Description Green Client LED The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E_C and TXP_MR_10E_L Cards 10.5 TXP_MR_10E_C and TXP_MR_10E_L Cards TXP_MR_10E_L: (Cisco ONS 15454 only) The TXP_MR_10E_C and TXP_MR_10E_L cards are multirate transponders for the ONS 15454 platform. The cards are fully backward compatible with the TXP_MR_10G and TXP_MR_10E cards. They processes one 10-Gbps signal (client side) into one 10-Gbps, 100-GHz DWDM signal (trunk side). The TXP_MR_10E_C is tunable over the entire set of C-band wavelength channels (82 channels spaced at 50 GHz on the ITU grid). The TXP_MR_10E_L is tunable over the entire set of L-band wavelength channels (80 channels spaced at 50 GHz on the ITU grid) and is particularly well suited for use in networks that employ DS fiber or SMF-28 single-mode fiber. The advantage of these cards over previous versions (TXP_MR_10G and TXP_MR_10E) is that there is only one version of each card (one C-band version and one L-band version) instead of several versions needed to cover each band. You can install TXP_MR_10E_C and TXP_MR_10E_L cards in Slots 1 to 6 and 12 to 17 and provision the cards in a linear configuration, BLSR/MS-SPRing, path protection/SNCP, or a regenerator. The cards can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the cards are configured for transparent termination mode. The TXP_MR_10E_C and TXP_MR_10E_L cards feature a universal transponder 2 (UT2) 1550-nm tunable laser (C band) or a UT2 1580-nm tunable laser (L band) for the trunk port and a separately orderable ONS-XC-10G-S1 1310-nm or ONS-XC-10G-L2 1550-nm laser XFP module for the client port. Note When the ONS-XC-10G-L2 XFP is installed, the TXP_MR_10E_C or TXP_MR_10E-L card is required to be installed in a high-speed slot (slot 6, 7, 12, or 13) On its faceplate, the TXP_MR_10E_C and TXP_MR_10E_L cards contain two transmit and receive connector pairs, one for the trunk port and one for the client port. Each connector pair is labeled. 10.5.1 Key Features The key features of the TXP_MR_10E_C and TXP_MR_10E_L cards are: • A tri-rate client interface (available through the ONS-XC-10G-S1 XFP, ordered separately): – OC-192 (SR1) – 10GE (10GBASE-LR) – 10G-FC (1200-SM-LL-L) • A UT2 module tunable through the entire C band (TXP_MR_10E_C card) or L band (TXP_MR_10E_L card). The channels are spaced at 50 GHz on the ITU grid. • OC-192 to ITU-T G.709 OTU2 provisionable synchronous and asynchronous mapping. • The MTU setting is used to display the OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting.10-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E_C and TXP_MR_10E_L Cards 10.5.2 Faceplates and Block Diagram Figure 10-15 shows the TXP_MR_10E_C and TXP_MR_10E_L faceplates and block diagram. Figure 10-15 TXP_MR_10E_C and TXP_MR_10E_L Faceplates and Block Diagram For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 15-dB fiber attenuator (10 to 20 dB) when working with the TXP_MR_10E_C or TXP_MR_10E_L card in a loopback on the trunk port. Do not use direct fiber loopbacks with the cards. Using direct fiber loopbacks causes irreparable damage to the cards. 10.5.3 Client Interface The client interface is implemented with a separately orderable XFP module. The module is a tri-rate transceiver, providing a single port that can be configured in the field to support an OC-192 SR-1 (Telcordia GR-253-CORE) or STM-64 I-64.1 (ITU-T G.691) optical interface, as well as 10GE LAN PHY (10GBASE-LR), 10GE WAN PHY (10GBASE-LW), or 10G-FC signals. The client side XFP pluggable module supports LC connectors and is equipped with a 1310-nm laser. uP bus Serial bus uP Flash RAM Optical transceiver 134975 Framer/FEC/DWDM processor Client interface DWDM trunk (long range) Optical transceiver Client interface STM-64/OC-192 or 10GE (10GBASE-LR) or 10G-FC (1200-SM-LL-L) B a c k p l a n e DWDM trunk STM-64/OC-192 82 tunable channels (C-band) or 80 tunable channels (L-band) on the 50-GHz ITU grid FAIL ACT/STBY SF 10E MR TXP L TX RX RX TX FAIL ACT/STBY SF 10E MR TXP C TX RX RX TX10-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E_C and TXP_MR_10E_L Cards 10.5.4 DWDM Trunk Interface On the trunk side, the TXP_MR_10E_C and TXP_MR_10E_L cards provide a 10-Gbps STM-64/OC-192 interface. There are 80 tunable channels available in the 1550-nm C band or 82 tunable channels available in the 1580-nm L band on the 50-GHz ITU grid for the DWDM interface. The TXP_MR_10E_C and TXP_MR_10E_C cards provide 3R transponder functionality for this 10-Gbps trunk interface. Therefore, the card is suited for use in long-range amplified systems. The DWDM interface is compliant with ITU-T G.707, ITU-T G.709, and Telcordia GR-253-CORE standards. The DWDM trunk port operates at a rate that is dependent on the input signal and the presence or absence of the ITU-T G.709 Digital Wrapper/FEC. The possible trunk rates are: • OC192 (9.95328 Gbps) • OTU2 (10.70923 Gbps) • 10GE (10.3125 Gbps) or 10GE into OTU2 (ITU G.sup43 11.0957 Gbps) • 10G-FC (10.51875 Gbps) or 10G-FC into OTU2 (nonstandard 11.31764 Gbps) The maximum system reach in filterless applications without the use of optical amplification or regenerators is nominally rated at 23 dB over C-SMF fiber. This rating is not a product specification, but is given for informational purposes. It is subject to change. 10.5.5 Enhanced FEC (E-FEC) Feature A key feature of the TXP_MR_10E_C and TXP_MR_10E_L cards is the availability to configure the forward error correction in three modes: NO FEC, FEC, and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • NO FEC—No forward error correction • FEC—Standard ITU-T G.975 Reed-Solomon algorithm • E-FEC—Standard ITU-T G.975.1 I.7 algorithm, which is a super FEC code 10.5.6 FEC and E-FEC Modes As client side traffic passes through the TXP_MR_10E_C and TXP_MR_10E_L cards, it can be digitally wrapped using FEC mode, E-FEC mode, or no error correction at all. The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower OSNR) with a lower bit error rate than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned off, FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC. Caution Because the transponder has no visibility into the data payload and detect circuits, the TXP_MR_10E_C and TXP_MR_10E_L cards do not display circuits under the card view. 10-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10E_C and TXP_MR_10E_L Cards 10.5.7 Client-to-Trunk Mapping The TXP_MR_10E_C and TXP_MR_10E_L cards can perform ODU2-to-OCh mapping, which allows operators to provision data payloads in a standard way across 10-Gbps optical links. Digital wrappers that define client side interfaces are called ODU2 entities in ITU-T G.709. Digital wrappers that define trunk side interfaces are called OCh in ITU-T G.709. ODU2 digital wrappers can include G-MPLS signaling extensions to ITU-T G.709 (such as LSP and G-PID values) to define client interfaces and payload protocols. 10.5.8 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the TXP_MR_10E_C and TXP_MR_10E_L cards, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.5.9 TXP_MR_10E_C and TXP_MR_10E_L Card-Level Indicators Table 10-7 lists the three card-level LEDs on the TXP_MR_10E_C and TXP_MR_10E_L cards. 10.5.10 TXP_MR_10E_C and TXP_MR_10E_L Port-Level Indicators Table 10-8 lists the two port-level LEDs in the TXP_MR_10E_C and TXP_MR_10E_L cards. Table 10-7 TXP_MR_10E _C and TXP_MR_10E_L Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or both ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-8 TXP_MR_10E_C and TXP_MR_10E_L Port-Level Indicators Port-Level LED Description Green Client LED The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_2.5G and TXPP_MR_2.5G Cards 10.6 TXP_MR_2.5G and TXPP_MR_2.5G Cards The TXP_MR_2.5G card processes one 8-Mbps to 2.488-Gbps signal (client side) into one 8-Mbps to 2.5-Gbps, 100-GHz DWDM signal (trunk side). It provides one long-reach STM-16/OC-48 port per card, compliant with ITU-T G.707, ITU-T G.709, ITU-T G.957, and Telcordia GR-253-CORE. The TXPP_MR_2.5G card processes one 8-Mbps to 2.488-Gbps signal (client side) into two 8-Mbps to 2.5-Gbps, 100-GHz DWDM signals (trunk side). It provides two long-reach STM-16/OC-48 ports per card, compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The TXP_MR_2.5G and TXPP_MR_2.5G cards are tunable over four wavelengths in the 1550-nm, ITU 100-GHz range. They are available in eight versions, each of which covers four wavelengths, for a total coverage of 32 different wavelengths in the 1550-nm range. Note ITU-T G.709 specifies a form of FEC that uses a “wrapper” approach. The digital wrapper lets you transparently take in a signal on the client side, wrap a frame around it, and restore it to its original form. FEC enables longer fiber links because errors caused by the optical signal degrading with distance are corrected. The trunk/line port operates at up to 2.488 Gbps (or up to 2.66 Gbps with ITU-T G.709 Digital Wrapper/FEC) over unamplified distances up to 360 km (223.7 miles) with different types of fiber such as C-SMF or higher if dispersion compensation is used. Caution Because the transponder has no capability to look into the payload and detect circuits, a TXP_MR_2.5G or TXPP_MR_2.5G card does not display circuits under card view. The TXP_MR_2.5G and TXPP_MR_2.5G cards support 2R (retime, regenerate) and 3R (retime, reshape, and regenerate) modes of operation where the client signal is mapped into a ITU-T G.709 frame. The mapping function is simply done by placing a digital wrapper around the client signal. Only OC-48/STM-16 client signals are fully ITU-T G.709 compliant, and the output bit rate depends on the input client signal. Table 10-9 shows the possible combinations of client interfaces, input bit rates, 2R and 3R modes, and ITU-T G.709 monitoring. Table 10-9 2R and 3R Mode and ITU-T G.709 Compliance by Client Interface Client Interface Input Bit Rate 3R vs. 2R ITU-T G.709 OC-48/STM-16 2.488 Gbps 3R On or Off DV-6000 2.38 Gbps 2R — 2 Gigabit Fibre Channel (2G-FC)/fiber connectivity (FICON) 2.125 Gbps 3R1 On or Off High-Definition Television (HDTV) 1.48 Gbps 2R — Gigabit Ethernet (GE) 1.25 Gbps 3R On or Off 1 Gigabit Fibre Channel (1G-FC)/FICON 1.06 Gbps 3R On or Off OC-12/STM-4 622 Mbps 3R On or Off OC-3/STM-1 155 Mbps 3R On or Off Enterprise System Connection (ESCON) 200 Mbps 2R — SDI/D1/DVB-ASI video 270 Mbps 2R —10-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_2.5G and TXPP_MR_2.5G Cards Note ITU-T G.709 and FEC support is disabled for all the 2R payload types in the TXP_MR_2.5G and TXPP_MR_2.5G cards. The output bit rate is calculated for the trunk bit rate by using the 255/238 ratio as specified in ITU-T G.709 for OTU1. Table 10-10 lists the calculated trunk bit rates for the client interfaces with ITU-T G.709 enabled. For 2R operation mode, the TXP_MR_2.5G and TXPP_MR_2.5G cards have the ability to pass data through transparently from client side interfaces to a trunk side interface, which resides on an ITU grid. The data might vary at any bit rate from 200-Mbps up to 2.38-Gbps, including ESCON, DVB-ASI, ISC-1, and video signals. In this pass-through mode, no performance monitoring (PM) or digital wrapping of the incoming signal is provided, except for the usual PM outputs from the SFPs. Similarly, this card has the ability to pass data through transparently from the trunk side interfaces to the client side interfaces with bit rates varying from 200-Mbps up to 2.38-Gbps. Again, no PM or digital wrapping of received signals is available in this pass-through mode. For 3R operation mode, the TXP_MR_2.5G and TXPP_MR_2.5G cards apply a digital wrapper to the incoming client interface signals (OC-N/STM-N, 1G-FC, 2G-FC, GE). PM is available on all of these signals except for 2G-FC, and varies depending upon the type of signal. For client inputs other than OC-48/STM-16, a digital wrapper might be applied but the resulting signal is not ITU-T G.709 compliant. The card applies a digital wrapper that is scaled to the frequency of the input signal. The TXP_MR_2.5G and TXPP_MR_2.5G cards have the ability to take digitally wrapped signals in from the trunk interface, remove the digital wrapper, and send the unwrapped data through to the client interface. PM of the ITU-T G.709 OH and SONET/SDH OH is implemented. ISC-1 Compat 1.06 Gbps 2R Off ISC-3 1.06 or 2.125 Gbps 2R — ETR_CLO 16 Mbps 2R — 1. No monitoring Table 10-9 2R and 3R Mode and ITU-T G.709 Compliance by Client Interface (continued) Client Interface Input Bit Rate 3R vs. 2R ITU-T G.709 Table 10-10 Trunk Bit Rates With ITU-T G.709 Enabled Client Interface ITU-T G.709 Disabled ITU-T G.709 Enabled OC-48/STM-16 2.488 Gbps 2.66 Gbps 2G-FC 2.125 Gbps 2.27 Gbps GE 1.25 Gbps 1.34 Gbps 1G-FC 1.06 Gbps 1.14 Gbps OC-12/STM-3 622 Mbps 666.43 Mbps OC-3/STM-1 155 Mbps 166.07 Mbps10-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_2.5G and TXPP_MR_2.5G Cards 10.6.1 Faceplate Figure 10-16 shows the TXP_MR_2.5G and TXPP_MR_2.5G faceplates. Figure 10-16 TXP_MR_2.5G and TXPP_MR_2.5G Faceplates For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. 10.6.2 Block Diagram Figure 10-17 shows a block diagram of the TXP_MR_2.5G and TXPP_MR_2.5G cards. CLIENT 2.5G MR TXP-P 1530.33 - 1532.68 2.5G MR TXP 1530.33 - 1532.68 FAIL ACT/STBY SF HAZARD LEVEL 1M TX RX DWDM A RX TX DWDM B RX TX ! MAX INPUT POWER LEVEL - 8 dBm CLIENT ! MAX INPUT POWER LEVEL - 8 dBm FAIL ACT/STBY SF HAZARD LEVEL 1M TX RX RX TX DWDM 14594610-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_2.5G and TXPP_MR_2.5G Cards Figure 10-17 TXP_MR_2.5G and TXPP_MR_2.5G Block Diagram Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the TXP_MR_2.5G and TXPP_MR_2.5G cards in a loopback on the trunk port. Do not use direct fiber loopbacks with the TXP_MR_2.5G and TXPP_MR_2.5G cards. Using direct fiber loopbacks causes irreparable damage to the TXP_MR_2.5G and TXPP_MR_2.5G cards. You can install TXP_MR_2.5G and TXPP_MR_2.5G cards in Slots 1 to 6 and 12 to 17. You can provision this card in a linear configuration. TXP_MR_10G and TXPP_MR_2.5G cards cannot be provisioned as a BLSR/MS-SPRing, a path protection/SNCP, or a regenerator. They can be used in the middle of BLSR/MS-SPRing or 1+1 spans only when the card is configured for transparent termination mode. The TXP_MR_2.5G card features a 1550-nm laser for the trunk/line port and a 1310-nm laser for the client port. It contains two transmit and receive connector pairs (labeled) on the card faceplate. The card uses dual LC connectors for optical cable termination. The TXPP_MR_2.5G card features a 1550-nm laser for the trunk/line port and a 1310-nm or 850-nm laser (depending on the SFP) for the client port and contains three transmit and receive connector pairs (labeled) on the card faceplate. The card uses dual LC connectors for optical cable termination. 10.6.3 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the TXP_MR_2.5G and TXPP_MR_2.5G cards, refer to the Cisco ONS 15454 DWDM Procedure Guide. SFP Client Switch Switch Driver Tunable Laser Switch Cross Switch Limiting Amp Limiting Amp Main APD+TA Protect APD+TA Mux Demux Mux Demux Mux Demux CPU Main ASIC Protect FPGA ASIC SCL FPGA SCL BUS 2R Tx path Trunk Out 2R Rx path CELL BUS CPU I/F CELL BUS DCC CPU to GCC 9663610-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card 10.6.4 TXP_MR_2.5G and TXPP_MR_2.5G Card-Level Indicators Table 10-11 lists the three card-level LEDs on the TXP_MR_2.5G and TXPP_MR_2.5G cards. 10.6.5 TXP_MR_2.5G and TXPP_MR_2.5G Port-Level Indicators Table 10-12 lists the four port-level LEDs on the TXP_MR_2.5G and TXPP_MR_2.5G cards. 10.7 MXP_2.5G_10G Card (Cisco ONS 15454 only) The MXP_2.5G_10G card multiplexes/demultiplexes four 2.5-Gbps signals (client side) into one 10-Gbps, 100-GHz DWDM signal (trunk side). It provides one extended long-range STM-64/OC-192 port per card on the trunk side (compliant with ITU-T G.707, ITU-T G.709, ITU-T G.957, and Telcordia GR-253-CORE) and four intermediate- or short-range OC-48/STM-16 ports per card on the client side. The port operates at 9.95328 Gbps over unamplified distances up to 80 km (50 miles) with different types of fiber such as C-SMF or dispersion compensated fiber limited by loss and/or dispersion. Table 10-11 TXP_MR_2.5G and TXPP_MR_2.5G Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or both ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-12 TXP_MR_2.5G and TXPP_MR_2.5G Port-Level Indicators Port-Level LED Description Green Client LED The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. Green DWDM LED (TXP_MR_2.5G only) The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal. Green DWDM A LED (TXPP_MR_2.5G only) The green DWDM A LED indicates that the DWDM A port is in service and that it is receiving a recognized signal. Green DWDM B LED (TXPP_MR_2.5G only) The green DWDM B LED indicates that the DWDM B port is in service and that it is receiving a recognized signal.10-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card Client ports on the MXP_2.5G_10G card are also interoperable with SONET OC-1 (STS-1) fiber optic signals defined in Telcordia GR-253-CORE. An OC-1 signal is the equivalent of one DS-3 channel transmitted across optical fiber. OC-1 is primarily used for trunk interfaces to phone switches in the United States. There is no SDH equivalent for SONET OC-1. The MXP_2.5G_10G card is tunable over two neighboring wavelengths in the 1550-nm, ITU 100-GHz range. It is available in 16 different versions, each of which covers two wavelengths, for a total coverage of 32 different wavelengths in the 1550-nm range. Note ITU-T G.709 specifies a form of FEC that uses a “wrapper” approach. The digital wrapper lets you transparently take in a signal on the client side, wrap a frame around it and restore it to its original form. FEC enables longer fiber links because errors caused by the optical signal degrading with distance are corrected. The port can also operate at 10.70923 Gbps in ITU-T G.709 Digital Wrapper/FEC mode. Caution Because the transponder has no capability to look into the payload and detect circuits, an MXP_2.5G_10G card does not display circuits under card view. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the MXP_2.5G_10G card in a loopback on the trunk port. Do not use direct fiber loopbacks with the MXP_2.5G_10G card. Using direct fiber loopbacks causes irreparable damage to the MXP_2.5G_10G card. You can install MXP_2.5G_10G cards in Slots 1 to 6 and 12 to 17. Caution Do not install an MXP_2.5G_10G card in Slot 3 if you have installed a DS3/EC1-48 card in Slots 1or 2. Likewise, do not install an MXP_2.5G_10G card in Slot 17 if you have installed a DS3/EC1-48 card in Slots 15 or 16. If you do, the cards will interact and cause DS-3 bit errors. You can provision this card in a linear configuration. MXP_2.5G_10G cards cannot be provisioned as a BLSR/MS-SPRing, a path protection/SNCP, or a regenerator. They can be used in the middle of BLSR/MS-SPRing or 1+1 spans only when the card is configured for transparent termination mode. The MXP_2.5G_10G port features a 1550-nm laser on the trunk port and four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs (labeled) on the card faceplate. The card uses a dual LC connector on the trunk side and SFP connectors on the client side for optical cable termination. Note When you create a 4xOC-48 OCHCC circuit, you need to select the G.709 and Synchronous options. A 4xOC-48 OCHCC circuit is supported by G.709 and synchronous mode. This is necessary to provision a 4xOC-48 OCHCC circuit. Figure 10-18 shows the MXP_2.5G_10G faceplate.10-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card Figure 10-18 MXP_2.5G_10G Faceplate For information on safety labels for the card, see the “10.2.1 Class 1 Laser Product Cards” section on page 10-8. Figure 10-19 shows a block diagram of the MXP_2.5G_10G card. CLIENT DWDM 1 2 4x 2.5G 10G MXP 1530.33 - 1531.12 FAIL ACT/STBY SF TX RX TX RX 3 TX RX 4 TX RX ! MAX INPUT POWER LEVEL - 8 dBm TX RX 1530.33 1531.12 14594510-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card Figure 10-19 MXP_2.5G_10G Card Block Diagram 10.7.1 Timing Synchronization The MXP_2.5G_10G card is synchronized to the TCC2/TCC2P/TCC3 clock during normal conditions and transmits the ITU-T G.709 frame using this clock. The TCC2/TCC2P/TCC3 card can operate from an external building integrated timing supply (BITS) clock, an internal Stratum 3 clock, or from clock recovered from one of the four valid client clocks. If clocks from both TCC2/TCC2P/TCC3 cards are not available, the MXP_2.5G_10G card switches automatically (with errors, not hitless) to an internal 19.44 MHz clock that does not meet SONET clock requirements. This will result in a clock alarm. 10.7.2 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the MXP_2.5G_10G card, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.7.3 MXP_2.5G_10G Card-Level Indicators Table 10-13 describes the three card-level LEDs on the MXP_2.5G_10G card. uP bus uP Flash RAM ASIC Optical Transceiver STM-64 / OC-192 9.953, 10.3125, 10.709, or 11.095 Gbps SCI 83659 B a c k p l a n e Optical Transceiver STM-64 / OC-192 9.95328 or 10.70923 Gbps Framer/FEC/DWDM Processor DWDM (Trunk) Client10-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card 10.7.3.1 MXP_2.5G_10G Port-Level Indicators Table 10-14 describes the four port-level LEDs on the MXP_2.5G_10G card. 10.7.4 MXP_2.5G_10E Card The faceplate designation of the card is “4x2.5G 10E MXP.” The MXP_2.5G_10E card is a DWDM muxponder for the ONS 15454 platform that supports full transparent termination the client side. The card multiplexes four 2.5 Gbps client signals (4 x OC48/STM-16 SFP) into a single 10-Gbps DWDM optical signal on the trunk side. The MXP_2.5G_10E provides wavelength transmission service for the four incoming 2.5 Gbps client interfaces. The MXP_2.5G_10E muxponder passes all SONET/SDH overhead bytes transparently. The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up generic communications channels (GCCs) for data communications, enable FEC, or facilitate performance monitoring. Table 10-13 MXP_2.5G_10G Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-14 MXP_2.5G_10G Port-Level Indicators Port-Level LED Description Green Client LED (four LEDs) The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. The card has four client ports, and so has four Client LEDs. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal. Green Wavelength 1 LED Each port supports two wavelengths on the DWDM side. Each wavelength LED matches one of the wavelengths. This LED indicates that the card is configured for Wavelength 1. Green Wavelength 2 LED Each port supports two wavelengths on the DWDM side. Each wavelength LED matches one of the wavelengths. This LED indicates that the card is configured for Wavelength 2.10-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card The MXP_2.5G_10E works with optical transport network (OTN) devices defined in ITU-T G.709. The card supports ODU1 to OTU2 multiplexing, an industry standard method for asynchronously mapping a SONET/SDH payload into a digitally wrapped envelope. See the “10.7.7 Multiplexing Function” section on page 10-36. The MXP_2.5G_10E card is not compatible with the MXP_2.5G_10G card, which does not support full transparent termination. You can install MXP_2.5G_10E cards in Slots 1 to 6 and 12 to 17. You can provision this card in a linear configuration, as a BLSR/MS-SPRing, a path protection/SNCP, or a regenerator. The card can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the card is configured for transparent termination mode. The MXP_2.5G_10E features a 1550-nm laser on the trunk port and four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs (labeled) on the card faceplate. The card uses a dual LC connector on the trunk side and uses SFP modules on the client side for optical cable termination. The SFP pluggable modules are short reach (SR) or intermediate reach (IR) and support an LC fiber connector. Note When you create a 4xOC-48 OCHCC circuit, you need to select the G.709 and Synchronous options. A 4xOC-48 OCHCC circuit is supported by G.709 and synchronous mode. This is necessary to provision a 4xOC-48 OCHCC circuit. 10.7.4.1 Key Features The MXP_2.5G_10E card has the following high level features: • Four 2.5 Gbps client interfaces (OC-48/STM-16) and one 10 Gbps trunk. The four OC-48 signals are mapped into a ITU-T G.709 OTU2 signal using standard ITU-T G.709 multiplexing. • Onboard E-FEC processor: The processor supports both standard Reed-Solomon (RS, specified in ITU-T G.709) and E-FEC, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. The E-FEC functionality increases the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (237,255) correction algorithm. A new block code (BCH) algorithm implemented in E-FEC allows recovery of an input BER up to 1E-3. • Pluggable client interface optic modules: The MXP_2.5G_10E card has modular interfaces. Two types of optics modules can be plugged into the card. These include an OC-48/STM 16 SR-1 interface with a 7-km (4.3-mile) nominal range (for short range and intra-office applications) and an IR-1 interface with a range up to 40 km (24.9 miles). SR-1 is defined in Telcordia GR-253-CORE and in I-16 (ITU-T G.957). IR-1 is defined in Telcordia GR-253-CORE and in S-16-1 (ITU-T G.957). • High level provisioning support: The MXP_2.5G_10E card is initially provisioned using Cisco TransportPlanner software. Subsequently, the card can be monitored and provisioned using CTC software. • Link monitoring and management: The MXP_2.5G_10E card uses standard OC-48 OH (overhead) bytes to monitor and manage incoming interfaces. The card passes the incoming SDH/SONET data stream and its overhead bytes transparently. • Control of layered SONET/SDH transport overhead: The card is provisionable to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network.10-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card • Automatic timing source synchronization: The MXP_2.5G_10E normally synchronizes from the TCC2/TCC2P/TCC3/TNC/TSC card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3/TNC/TSC is not available, the MXP_2.5G_10E automatically synchronizes to one of the input client interface clocks. • Configurable squelching policy: The card can be configured to squelch the client interface output if there is LOS at the DWDM receiver or if there is a remote fault. In the event of a remote fault, the card manages multiplex section alarm indication signal (MS-AIS) insertion. 10.7.5 Faceplate Figure 10-20 shows the MXP_2.5G_10E faceplate. Figure 10-20 MXP_2.5G_10E Faceplate For information on safety labels for the card, see the “10.2.1 Class 1 Laser Product Cards” section on page 10-8. Figure 10-21 shows a block diagram of the MXP_2.5G_10E card. 145937 FAIL ACT/STBY SF 4x2.5 10 E MxP 530.33- 1550.12 RX TX TX RX TX RX TX RX TX RX Client LEDs DWDM LED10-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card Figure 10-21 MXP_2.5G_10E Block Diagram 10.7.6 Client Interfaces The MXP_2.5G_10E provides four intermediate- or short-range OC-48/STM-16 ports per card on the client side. Both SR-1 or IR-1 optics can be supported and the ports use SFP connectors. The client interfaces use four wavelengths in the 1310-nm, ITU 100-MHz-spaced, channel grid. 10.7.6.1 DWDM Interface The MXP_2.5G_10E serves as an OTN multiplexer, transparently mapping four OC-48 channels asynchronously to ODU1 into one 10-Gbps trunk. The DWDM trunk is tunable for transmission over four wavelengths in the 1550-nm, ITU 100-GHz spaced channel grid. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the MXP_2.5G_10E card in a loopback on the trunk port. Do not use direct fiber loopbacks with the MXP_2.5G_10E card. Using direct fiber loopbacks causes irreparable damage to the MXP_2.5G_10E card. 10.7.7 Multiplexing Function The muxponder is an integral part of the reconfigurable optical add/drop multiplexer (ROADM) network. The key function of MXP_2.5G_10E is to multiplex 4 OC-48/STM16 signals onto one ITU-T G.709 OTU2 optical signal (DWDM transmission). The multiplexing mechanism allows the signal to be terminated at a far-end node by another MXP_2.5G_10E card. Termination mode transparency on the muxponder is configured using OTUx and ODUx OH bytes. The ITU-T G.709 specification defines OH byte formats that are used to configure, set, and monitor frame alignment, FEC mode, section monitoring, tandem connection monitoring, and termination mode transparency. uP bus Serial bus Processor Onboard Flash memory RAM Optical transceiver 115357 FEC/ Wrapper Processor (G.709 FEC) E-FEC DWDM (trunk) 10GE (10GBASE-LR) SR-1 (short reach/intra-office) or IR-1 (intermediate range) SFP client optics modules Optical transceiver Optical transceiver Optical transceiver Optical transceiver B a c k p l a n e10-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card The MXP_2.5G_10E card performs ODU to OTU multiplexing as defined in ITU-T G.709. The ODU is the framing structure and byte definition (ITU-T G.709 digital wrapper) used to define the data payload coming into one of the SONET/SDH client interfaces on MXP_2.5G_10E. The term ODU1 refers to an ODU that operates at 2.5-Gbps line rate. On the MXP_2.5G_10E, there are four client interfaces that can be defined using ODU1 framing structure and format by asserting a ITU-T G.709 digital wrapper. The output of the muxponder is a single 10-Gbps DWDM trunk interface defined using OTU2. It is within the OTU2 framing structure that FEC or E-FEC information is appended to enable error checking and correction. 10.7.8 Timing Synchronization The MXP_2.5G_10E card is synchronized to the TCC2/TCC2P/TCC3/TNC/TSC clock during normal conditions and transmits the ITU-T G.709 frame using this clock. No holdover function is implemented. If neither TCC2/TCC2P/TCC3/TNC/TSC clock is available, the MXP_2.5G_10E switches automatically (hitless) to the first of the four valid client clocks with no time restriction as to how long it can run on this clock. The MXP_2.5G_10E continues to monitor the TCC2/TCC2P/TCC3/TNC/TSC card. If a TCC2/TCC2P/TCC3/TNC/TSC card is restored to working order, the MXP_2.5G_10E reverts to the normal working mode of running from the TCC2/TCC2P/TCC3/TNC/TSC clock. If there is no valid TCC2/TCC2P/TCC3/TNC/TSC clock and all of the client channels become invalid, the card waits (no valid frames processed) until one of the TCC2/TCC2P/TCC3/TNC/TSC cards supplies a valid clock. In addition, the card is allowed to select the recovered clock from one active and valid client channel and supply that clock to the TCC2/TCC2P/TCC3/TNC/TSC card. 10.7.9 Enhanced FEC (E-FEC) Capability The MXP_2.5G_10E can configure the FEC in three modes: NO FEC, FEC, and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • NO FEC—No FEC • FEC—Standard ITU-T G.975 Reed-Solomon algorithm • E-FEC—Standard ITU-T G.975.1 I.7, two orthogonally concatenated BCH super FEC code. This FEC scheme contains three parameterizations of the same scheme of two orthogonally interleaved BCH. The constructed code is decoded iteratively to achieve the expected performance. 10.7.10 FEC and E-FEC Modes As client side traffic passes through the MXP_2.5G_10E card, it can be digitally wrapped using FEC mode error correction or E-FEC mode error correction (or no error correction at all). The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower OSNR) with a lower BER than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned off, FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC.10-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card 10.7.11 SONET/SDH Overhead Byte Processing The card passes the incoming SONET/SDH data stream and its overhead bytes for the client signal transparently. The card can be provisioned to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. 10.7.12 Client Interface Monitoring The following parameters are monitored on the MXP_2.5G_10E card: • Laser bias current is measured as a PM parameter • LOS is detected and signaled • Transmit (TX) and receive (RX) power are monitored The following parameters are monitored in real time mode (one second): • Optical power transmitted (client) • Optical power received (client) In case of loss of communication (LOC) at the DWDM receiver or far-end LOS, the client interface behavior is configurable. AIS can be invoked or the client signal can be squelched. 10.7.13 Wavelength Identification The card uses trunk lasers that are wave-locked, which allows the trunk transmitter to operate on the ITU grid effectively. Table 10-15 describes the required trunk transmit laser wavelengths. The laser is tunable over eight wavelengths at 50-GHz spacing or four at 100-GHz spacing. Table 10-15 MXP_2.5G_10E Trunk Wavelengths Band Wavelength (nm) 30.3 1530.33 30.3 1531.12 30.3 1531.90 30.3 1532.68 34.2 1534.25 34.2 1535.04 34.2 1535.82 34.2 1536.61 38.1 1538.19 38.1 1538.98 38.1 1539.77 38.1 1540.56 42.1 1542.14 42.1 1542.9410-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10G Card 10.7.14 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the MXP_2.5G_10E card, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.7.15 Jitter For SONET and SDH signals, the MXP_2.5G_10E card complies with Telcordia GR-253-CORE, ITU-T G.825, and ITU-T G.873 for jitter generation, jitter tolerance, and jitter transfer. See the “10.21 Jitter Considerations” section on page 10-142 for more information. 10.7.16 Lamp Test The MXP_2.5G_10E card supports a lamp test function that is activated from the ONS 15454 front panel or through CTC to ensure that all LEDs are functional. 42.1 1543.73 42.1 1544.53 46.1 1546.12 46.1 1546.92 46.1 1547.72 46.1 1548.51 50.1 1550.12 50.1 1550.92 50.1 1551.72 50.1 1552.52 54.1 1554.13 54.1 1554.94 54.1 1555.75 54.1 1556.55 58.1 1558.17 58.1 1558.98 58.1 1559.79 58.1 1560.61 Table 10-15 MXP_2.5G_10E Trunk Wavelengths (continued) Band Wavelength (nm)10-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards 10.7.17 Onboard Traffic Generation The MXP_2.5G_10E card provides internal traffic generation for testing purposes according to pseudo-random bit sequence (PRBS), SONET/SDH, or ITU-T G.709. 10.7.18 MXP_2.5G_10E Card-Level Indicators Table 10-16 describes the three card-level LEDs on the MXP_2.5G_10E card. 10.7.19 MXP_2.5G_10E Port-Level Indicators Table 10-17 describes the port-level LEDs on the MXP_2.5G_10E card. 10.8 MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards MXP_2.5G_10E_L: (Cisco ONS 15454 only) The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards are DWDM muxponders for the ONS 15454 platform that support transparent termination mode on the client side. The faceplate designation of the cards is “4x2.5G 10E MXP C” for the MXP_2.5G_10E_C card and “4x2.5G 10E MXP L” for the MXP_2.5G_10E_L card. The cards multiplex four 2.5-Gbps client signals (4 x OC48/STM-16 SFP) into a single 10-Gbps DWDM optical signal on the trunk side. The MXP_2.5G_10E_C and Table 10-16 MXP_2.5G_10E Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-17 MXP_2.5G_10E Port-Level Indicators Port-Level LED Description Green Client LED (four LEDs) A green Client LED indicates that the client port is in service and that it is receiving a recognized signal. The card has four client ports, and so has four Client LEDs. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards MXP_2.5G_10E_L cards provide wavelength transmission service for the four incoming 2.5 Gbps client interfaces. The MXP_2.5G_10E_C and MXP_2.5G_10E_L muxponders pass all SONET/SDH overhead bytes transparently. The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up GCCs for data communications, enable FEC, or facilitate PM. The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards work with OTN devices defined in ITU-T G.709. The cards support ODU1 to OTU2 multiplexing, an industry standard method for asynchronously mapping a SONET/SDH payload into a digitally wrapped envelope. See the “10.8.5 Multiplexing Function” section on page 10-44. The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards are not compatible with the MXP_2.5G_10G card, which does not support transparent termination mode. You can install MXP_2.5G_10E_C and MXP_2.5G_10E_L cards in Slots 1 to 6 and 12 to 17. You can provision a card in a linear configuration, as a BLSR/MS-SPRing, a path protection/SNCP, or a regenerator. The cards can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the cards are configured for transparent termination mode. The MXP_2.5G_10E_C card features a tunable 1550-nm C-band laser on the trunk port. The laser is tunable across 82 wavelengths on the ITU grid with 50-GHz spacing between wavelengths. The MXP_2.5G_10E_L features a tunable 1580-nm L-band laser on the trunk port. The laser is tunable across 80 wavelengths on the ITU grid, also with 50-GHz spacing. Each card features four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs (labeled) on the card faceplate. The cards uses dual LC connectors on the trunk side and use SFP modules on the client side for optical cable termination. The SFP pluggable modules are SR or IR and support an LC fiber connector. Note When you create a 4xOC-48 OCHCC circuit, you need to select the G.709 and Synchronous options. A 4xOC-48 OCHCC circuit is supported by G.709 and synchronous mode. This is necessary to provision a 4xOC-48 OCHCC circuit. 10.8.1 Key Features The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards have the following high level features: • Four 2.5 Gbps client interfaces (OC-48/STM-16) and one 10 Gbps trunk. The four OC-48 signals are mapped into a ITU-T G.709 OTU2 signal using standard ITU-T G.709 multiplexing. • Onboard E-FEC processor: The processor supports both standard RS (specified in ITU-T G.709) and E-FEC, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. The E-FEC functionality increases the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (237,255) correction algorithm. A new BCH algorithm implemented in E-FEC allows recovery of an input BER up to 1E-3. • Pluggable client interface optic modules: The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards have modular interfaces. Two types of optics modules can be plugged into the card. These include an OC-48/STM 16 SR-1 interface with a 7-km (4.3-mile) nominal range (for short range and intra-office applications) and an IR-1 interface with a range up to 40 km (24.9 miles). SR-1 is defined in Telcordia GR-253-CORE and in I-16 (ITU-T G.957). IR-1 is defined in Telcordia GR-253-CORE and in S-16-1 (ITU-T G.957). • High level provisioning support: The cards are initially provisioned using Cisco TransportPlanner software. Subsequently, the card can be monitored and provisioned using CTC software.10-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards • Link monitoring and management: The cards use standard OC-48 OH (overhead) bytes to monitor and manage incoming interfaces. The cards pass the incoming SDH/SONET data stream and its overhead bytes transparently. • Control of layered SONET/SDH transport overhead: The cards are provisionable to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. • Automatic timing source synchronization: The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards normally synchronize from the TCC2/TCC2P/TCC3 card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3 is not available, the cards automatically synchronize to one of the input client interface clocks. • Configurable squelching policy: The cards can be configured to squelch the client interface output if there is LOS at the DWDM receiver or if there is a remote fault. In the event of a remote fault, the card manages MS-AIS insertion. • The cards are tunable across the full C band (MXP_2.5G_10E_C) or full L band (MXP_2.5G_10E_L), thus eliminating the need to use different versions of each card to provide tunability across specific wavelengths in a band. 10.8.2 Faceplate Figure 10-22 shows the MXP_2.5G_10E_C and MXP_2.5G_10E_L faceplates and block diagram. 10-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards Figure 10-22 MXP_2.5G_10E _C and MXP_2.5G_10E_L Faceplates and Block Diagram For information on safety labels for the cards, see the “10.2.1 Class 1 Laser Product Cards” section on page 10-8. 10.8.3 Client Interfaces The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards provide four intermediate- or short-range OC-48/STM-16 ports per card on the client side. Both SR-1 and IR-1 optics can be supported and the ports use SFP connectors. The client interfaces use four wavelengths in the 1310-nm, ITU 100-GHz-spaced, channel grid. 10.8.4 DWDM Interface The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards serve as OTN multiplexers, transparently mapping four OC-48 channels asynchronously to ODU1 into one 10-Gbps trunk. For the MXP_2.5G_10E_C card, the DWDM trunk is tunable for transmission over the entire C band and for the MXP_2.5G_10E_L card, the DWDM trunk is tunable for transmission over the entire L band. Channels are spaced at 50-GHz on the ITU grid. FAIL ACT/STBY SF 4x2.5 10 E MXP C RX TX TX RX TX RX TX RX TX RX FAIL ACT/STBY SF 4x2.5 10 E MXP L RX TX TX RX TX RX TX RX TX RX RAM Processor 145941 Optical transceiver Optical transceiver Optical transceiver Optical transceiver Optical transceiver B a c k p l a n e FEC/ Wrapper E-FEC Processor (G.709 FEC) Serial bus uP bus Onboard Flash memory Client LEDs DWDM LED SR-1 (short reach/intra-office) or IR-1 (intermediate range) SFP client optics modules DWDM (trunk) 10GE (10GBASE-LR)10-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the cards in a loopback on the trunk port. Do not use direct fiber loopbacks with the cards. Using direct fiber loopbacks causes irreparable damage to the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards. 10.8.5 Multiplexing Function The muxponder is an integral part of the ROADM network. The key function of the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards is to multiplex four OC-48/STM16 signals onto one ITU-T G.709 OTU2 optical signal (DWDM transmission). The multiplexing mechanism allows the signal to be terminated at a far-end node by another similar card. Transparent termination on the muxponder is configured using OTUx and ODUx OH bytes. The ITU-T G.709 specification defines OH byte formats that are used to configure, set, and monitor frame alignment, FEC mode, section monitoring, tandem connection monitoring, and transparent termination mode. The MXP_2.5G_10E and MXP_2.5G_10E_L cards perform ODU to OTU multiplexing as defined in ITU-T G.709. The ODU is the framing structure and byte definition (ITU-T G.709 digital wrapper) used to define the data payload coming into one of the SONET/SDH client interfaces on the cards. The term ODU1 refers to an ODU that operates at 2.5-Gbps line rate. On the cards, there are four client interfaces that can be defined using ODU1 framing structure and format by asserting a ITU-T G.709 digital wrapper. The output of the muxponder is a single 10-Gbps DWDM trunk interface defined using OTU2. It is within the OTU2 framing structure that FEC or E-FEC information is appended to enable error checking and correction. 10.8.6 Timing Synchronization The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards are synchronized to the TCC2/TCC2P/TCC3 clock during normal conditions and transmit the ITU-T G.709 frame using this clock. No holdover function is implemented. If neither TCC2/TCC2P/TCC3 clock is available, the card switches automatically (hitless) to the first of the four valid client clocks with no time restriction as to how long it can run on this clock. The card continues to monitor the TCC2/TCC2P/TCC3 card. If a TCC2/TCC2P/TCC3 card is restored to working order, the card reverts to the normal working mode of running from the TCC2/TCC2P/TCC3 clock. If there is no valid TCC2/TCC2P/TCC3 clock and all of the client channels become invalid, the card waits (no valid frames processed) until one of the TCC2/TCC2P/TCC3 cards supplies a valid clock. In addition, the card is allowed to select the recovered clock from one active and valid client channel and supply that clock to the TCC2/TCC2P/TCC3 card. 10.8.7 Enhanced FEC (E-FEC) Capability The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards can configure the FEC in three modes: NO FEC, FEC, and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • NO FEC—No FEC • FEC—Standard ITU-T G.975 Reed-Solomon algorithm10-45 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards • E-FEC—Standard ITU-T G.975.1 I.7, two orthogonally concatenated BCH super FEC code. This FEC scheme contains three parameterizations of the same scheme of two orthogonally interleaved block codes (BCH). The constructed code is decoded iteratively to achieve the expected performance. 10.8.8 FEC and E-FEC Modes As client side traffic passes through the card, it can be digitally wrapped using FEC mode error correction or E-FEC mode error correction (or no error correction at all). The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower OSNR) with a lower BER than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned off, FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC. 10.8.9 SONET/SDH Overhead Byte Processing The card passes the incoming SONET/SDH data stream and its overhead bytes for the client signal transparently. The card can be provisioned to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. 10.8.10 Client Interface Monitoring The following parameters are monitored on the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards: • Laser bias current is measured as a PM parameter. • LOS is detected and signaled. • Rx and Tx power are monitored. The following parameters are monitored in real time mode (one second): • Optical power transmitted (client) • Optical power received (client) In case of LOC at the DWDM receiver or far-end LOS, the client interface behavior is configurable. AIS can be invoked or the client signal can be squelched. 10.8.11 Wavelength Identification The card uses trunk lasers that are wavelocked, which allows the trunk transmitter to operate on the ITU grid effectively. Both the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards implement the UT2 module. The MXP_2.5G_10E_C card uses a C-band version of the UT2 and the MXP_2.5G_10E_L card uses an L-band version. Table 10-18 describes the required trunk transmit laser wavelengths for the MXP_2.5G_10E_C card. The laser is tunable over 82 wavelengths in the C band at 50-GHz spacing on the ITU grid.10-46 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards Table 10-18 MXP_2.5G_10E_C Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.38910-47 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards Table 10-19 describes the required trunk transmit laser wavelengths for the MXP_2.5G_10E_L card. The laser is fully tunable over 80 wavelengths in the L band at 50-GHz spacing on the ITU grid. 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 10-18 MXP_2.5G_10E_C Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 10-19 MXP_2.5G_10E_L Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 190.85 1570.83 41 188.85 1587.46 2 190.8 1571.24 42 188.8 1587.88 3 190.75 1571.65 43 188.75 1588.30 4 190.7 1572.06 44 188.7 1588.73 5 190.65 1572.48 45 188.65 1589.15 6 190.6 1572.89 46 188.6 1589.57 7 190.55 1573.30 47 188.55 1589.99 8 190.5 1573.71 48 188.5 1590.41 9 190.45 1574.13 49 188.45 1590.83 10 190.4 1574.54 50 188.4 1591.26 11 190.35 1574.95 51 188.35 1591.68 12 190.3 1575.37 52 188.3 1592.10 13 190.25 1575.78 53 188.25 1592.52 14 190.2 1576.20 54 188.2 1592.95 15 190.15 1576.61 55 188.15 1593.37 16 190.1 1577.03 56 188.1 1593.79 17 190.05 1577.44 57 188.05 1594.22 18 190 1577.86 58 188 1594.64 19 189.95 1578.27 59 187.95 1595.06 20 189.9 1578.69 60 187.9 1595.49 21 189.85 1579.10 61 187.85 1595.91 22 189.8 1579.52 62 187.8 1596.34 23 189.75 1579.93 63 187.75 1596.7610-48 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10E_C and MXP_2.5G_10E_L Cards 10.8.12 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards, see the Cisco ONS 15454 DWDM Procedure Guide. 10.8.13 Jitter For SONET and SDH signals, the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards comply with Telcordia GR-253-CORE, ITU-T G.825, and ITU-T G.873 for jitter generation, jitter tolerance, and jitter transfer. See the “10.21 Jitter Considerations” section on page 10-142 for more information. 10.8.14 Lamp Test The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards support a lamp test function that is activated from the ONS 15454 front panel or through CTC to ensure that all LEDs are functional. 24 189.7 1580.35 64 187.7 1597.19 25 189.65 1580.77 65 187.65 1597.62 26 189.6 1581.18 66 187.6 1598.04 27 189.55 1581.60 67 187.55 1598.47 28 189.5 1582.02 68 187.5 1598.89 29 189.45 1582.44 69 187.45 1599.32 30 189.4 1582.85 70 187.4 1599.75 31 189.35 1583.27 71 187.35 1600.17 32 189.3 1583.69 72 187.3 1600.60 33 189.25 1584.11 73 187.25 1601.03 34 189.2 1584.53 74 187.2 1601.46 35 189.15 1584.95 75 187.15 1601.88 36 189.1 1585.36 76 187.1 1602.31 37 189.05 1585.78 77 187.05 1602.74 38 189 1586.20 78 187 1603.17 39 188.95 1586.62 79 186.95 1603.60 40 188.9 1587.04 80 186.9 1604.03 Table 10-19 MXP_2.5G_10E_L Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm)10-49 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards 10.8.15 Onboard Traffic Generation The MXP_2.5G_10E_C and MXP_2.5G_10E_L cards provide internal traffic generation for testing purposes according to PRBS, SONET/SDH, or ITU-T G.709. 10.8.16 MXP_2.5G_10E_C and MXP_2.5G_10E_L Card-Level Indicators Table 10-20 describes the three card-level LEDs on the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards. 10.8.17 MXP_2.5G_10E and MXP_2.5G_10E_L Port-Level Indicators Table 10-21 describes the port-level LEDs on the MXP_2.5G_10E_C and MXP_2.5G_10E_L cards. 10.9 MXP_MR_2.5G and MXPP_MR_2.5G Cards The MXP_MR_2.5G card aggregates a mix and match of client Storage Area Network (SAN) service client inputs (GE, FICON, Fibre Channel, and ESCON) into one 2.5 Gbps STM-16/OC-48 DWDM signal on the trunk side. It provides one long-reach STM-16/OC-48 port per card and is compliant with Telcordia GR-253-CORE. Table 10-20 MXP_2.5G_10E_C and MXP_2.5G_10E_L Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-21 MXP_2.5G_10E_C and MXP_2.5G_10E_L Port-Level Indicators Port-Level LED Description Green Client LED (four LEDs) A green Client LED indicates that the client port is in service and that it is receiving a recognized signal. The card has four client ports, and so has four Client LEDs. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-50 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards Note In Software Release 7.0 and later, two additional operating modes have been made available to the user: pure ESCON (all 8 ports running ESCON), and mixed mode (Port 1 running FC/GE/FICON, and Ports 5 through 8 running ESCON). When the card is part of a system running Software Release 6.0 or below, only one operating mode, (FC/GE) is available for use. The 2.5-Gbps Multirate Muxponder–Protected–100 GHz–Tunable 15xx.xx-15yy.yy (MXPP_MR_2.5G) card aggregates various client SAN service client inputs (GE, FICON, Fibre Channel, and ESCON) into one 2.5 Gbps STM-16/OC-48 DWDM signal on the trunk side. It provides two long-reach STM-16/OC-48 ports per card and is compliant with ITU-T G.957 and Telcordia GR-253-CORE. Because the cards are tunable to one of four adjacent grid channels on a 100-GHz spacing, each card is available in eight versions, with 15xx.xx representing the first wavelength and 15yy.yy representing the last wavelength of the four available on the card. In total, 32 DWDM wavelengths are covered in accordance with the ITU-T 100-GHz grid standard, G.692, and Telcordia GR-2918-CORE, Issue 2. The card versions along with their corresponding wavelengths are shown in Table 10-22. The muxponders are intended to be used in applications with long DWDM metro or regional unregenerated spans. Long transmission distances are achieved through the use of flat gain optical amplifiers. The client interface supports the following payload types: • 2G FC • 1G FC • 2G FICON • 1G FICON • GE • ESCON Note Because the client payload cannot oversubscribe the trunk, a mix of client signals can be accepted, up to a maximum limit of 2.5 Gbps. Table 10-22 Card Versions Card Version Frequency Channels at 100 GHz (0.8 nm) Spacing 1530.33–1532.68 1530.33 nm 1531.12 nm 1531.90 nm 1532.68 nm 1534.25–1536.61 1534.25 nm 1535.04 nm 1535.82 nm 1536.61 nm 1538.19–1540.56 1538.19 nm 1538.98 nm 1539.77 nm 1540.56 nm 1542.14–1544.53 1542.14 nm 1542.94 nm 1543.73 nm 1544.53 nm 1546.12–1548.51 1546.12 nm 1546.92 nm 1547.72 nm 1548.51 nm 1550.12–1552.52 1550.12 nm 1550.92 nm 1551.72 nm 1552.52 nm 1554.13–1556.55 1554.13 nm 1554.94 nm 1555.75 nm 1556.55 nm 1558.17–1560.61 1558.17 nm 1558.98 nm 1559.79 nm 1560.61 nm10-51 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards Table 10-23 shows the input data rate for each client interface, and the encapsulation method. The current version of the ITU-T Transparent Generic Framing Procedure (GFP-T) G.7041 supports transparent mapping of 8B/10B block-coded protocols, including Gigabit Ethernet, Fibre Channel, and FICON. In addition to the GFP mapping, 1-Gbps traffic on Port 1 or 2 of the high-speed serializer/deserializer (SERDES) is mapped to an STS-24c channel. If two 1-Gbps client signals are present at Port 1 and Port 2 of the SERDES, the Port 1 signal is mapped into the first STS-24c channel and the Port 2 signal into the second STS-24c channel. The two channels are then mapped into an OC-48 trunk channel. Table 10-24 shows some of the mix and match possibilities on the various client ports. The table is intended to show the full client payload configurations for the card. Table 10-23 MXP_MR_2.5G and MXPP_MR_2.5G Client Interface Data Rates and Encapsulation Client Interface Input Data Rate ITU-T GFP-T G.7041 Encapsulation 2G FC 2.125 Gbps Yes 1G FC 1.06 Gbps Yes 2G FICON 2.125 Gbps Yes 1G FICON 1.06 Gbps Yes GE 1.25 Gbps Yes ESCON 0.2 Gbps Yes Table 10-24 Client Data Rates and Ports Mode Port(s) Aggregate Data Rate 2G FC 1 2.125 Gbps 1G FC 1, 2 2.125 Gbps 2G FICON 1 2.125 Gbps 1G FICON 1, 2 2.125 Gbps GE 1, 2 2.5 Gbps 1G FC ESCON (mixed mode) 1 5, 6, 7, 8 1.06 Gbps 0.8 Gbps 1.86 Gbps total 1G FICON ESCON (mixed mode) 1 5, 6, 7, 8 1.06 Gbps 0.8 Gbps 1.86 Gbps total GE ESCON (mixed mode) 1 5, 6, 7, 8 1.25 Gbps 0.8 Gbps Total 2.05 Gbps ESCON 1, 2, 3, 4, 5, 6, 7, 8 1.6 Gbps10-52 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards 10.9.1 Performance Monitoring GFP-T performance monitoring (GFP-T PM) is available via remote monitoring (RMON), and trunk PM is managed according to Telcordia GR-253-CORE and ITU G.783/826. Client PM is achieved through RMON for FC and GE. 10.9.2 Distance Extension A buffer-to-buffer credit management scheme provides FC flow control. With this feature enabled, a port indicates the number of frames that can be sent to it (its buffer credit), before the sender is required to stop transmitting and wait for the receipt of a “ready” indication The MXP_MR_2.5G and MXPP_MR_2.5 cards support FC credit-based flow control with a buffer-to-buffer credit extension of up to 1600 km (994.2 miles) for 1G FC and up to 800 km (497.1 miles) for 2G FC. The feature can be enabled or disabled. 10.9.3 Slot Compatibility You can install MXP_MR_2.5G and MXPP_MR_2.5G cards in Slots 1 to 6 and 12 to 17. The TCC2/TCC2P/TCC3/TNC/TSC card is the only other card required to be used with these muxponder cards. Cross-connect cards do not affect the operation of the muxponder cards. 10.9.4 Interoperability with Cisco MDS Switches You can provision a string (port name) for each fiber channel/FICON interface on the MXP_MR_2.5G and MXPP_MR_2.5G cards, which allows the MDS Fabric Manager to create a link association between that SAN port and a SAN port on a Cisco MDS 9000 switch. 10.9.5 Client and Trunk Ports The MXP_MR_2.5G card features a 1550-nm laser for the trunk/line port and a 1310-nm or 850-nm laser (depending on the SFP) for the client ports. The card contains eight 12.5 degree downward tilt SFP modules for the client interfaces. For optical termination, each SFP uses two LC connectors, which are labeled TX and RX on the faceplate. The trunk port is a dual-LC connector with a 45 degree downward angle. The MXPP_MR_2.5G card features a 1550-nm laser for the trunk/line port and a 1310-nm or 850-nm laser (depending on the SFP) for the client port. The card contains eight 12.5 degree downward tilt SFP modules for the client interfaces. For optical termination, each SFP uses two LC connectors, which are labeled TX and RX on the faceplate. There are two trunk port connectors (one for working and one for protect). Each is a dual-LC connector with a 45-degree downward angle. 10.9.6 Faceplates Figure 10-23 shows the MXP_MR_2.5G and MXPP_MR_2.5G faceplates.10-53 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards Figure 10-23 MXP_MR_2.5G and MXPP_MR_2.5G Faceplates For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. 10.9.7 Block Diagram Figure 10-24 shows a block diagram of the MXP_MR_2.5G card. The card has eight SFP client interfaces. Ports 1 and 2 can be used for GE, FC, FICON, or ESCON. Ports 3 through 8 are used for ESCON client interfaces. There are two SERDES blocks dedicated to the high-speed interfaces (GE, FC, FICON, and ESCON) and two SERDES blocks for the ESCON interfaces. A FPGA is provided to support different configurations for different modes of operation. This FPGA has a Universal Test and MXP_MR_2.5G MXPP_MR_2.5G 124077 MXP MR 2.5G 15xx.xx 15xx.xx FAIL ACT/STBY SF MXPP MR 2.5G 15xx.xx 15xx.xx RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX DWDMA DWDMB FAIL ACT/STBY SF RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX DWDM RX TX10-54 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_2.5G and MXPP_MR_2.5G Cards Operations Physical Interface for ATM (UTOPIA) interface. A transceiver add/drop multiplexer (TADM) chip supports framing. Finally, the output signal is serialized and connected to the trunk front end with a direct modulation laser. The trunk receive signal is converted into an electrical signal with an avalanche photodiode (APD), is deserialized, and is then sent to the TADM framer and FPGA. The MXPP_MR_2.5G is the same, except a 50/50 splitter divides the power at the trunk interface. In the receive direction, there are two APDs, two SERDES blocks, and two TADM framers. This is necessary to monitor both the working and protect paths. A switch selects one of the two paths to connect to the client interface. Figure 10-24 MXP_MR_2.5G and MXPP_MR_2.5G Block Diagram Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the MXP_MR_2.5G and MXPP_MR_2.5G cards in a loopback configuration on the trunk port. Do not use direct fiber loopbacks with the MXP_MR_2.5G and MXPP_MR_2.5G cards. Using direct fiber loopbacks causes irreparable damage to the MXP_MR_2.5G and MXPP_MR_2.5G cards. 10.9.8 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details regarding ALS provisioning for the MXP_MR_2.5G and MXPP_MR_2.5G cards, refer to the Cisco ONS 15454 DWDM Procedure Guide. SFP 1 SFP 6 SFP 5 SFP 4 SFP 3 SFP 2 SFP 8 SERDES FPGA (for FC, GE, FICON, ESCON, PCS, B2B, GFP-T) SERDES SFP 7 High-speed SERDES QDR SRAM TADM framer Laser APD Serializer Deserializer ESCON ESCON ESCON ESCON ESCON ESCON Trunk interface 134986 GE, FC, FICON, ESCON GE, FC, FICON, ESCON10-55 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards 10.9.9 MXP_MR_2.5G and MXPP_MR_2.5G Card-Level Indicators Table 10-25 lists the card-level LEDs on the MXP_MR_2.5G and MXPP_MR_2.5G cards. 10.9.10 MXP_MR_2.5G and MXPP_MR_2.5G Port-Level Indicators Table 10-26 lists the port-level LEDs on the MXP_MR_2.5G and MXPP_MR_2.5G cards. 10.10 MXP_MR_10DME_C and MXP_MR_10DME_L Cards MXP_MR_10DME_L: (Cisco ONS 15454 only) Table 10-25 MXP_MR_2.5G and MXPP_MR_2.5G Card-Level Indicators Card-Level LED Description FAIL LED (Red) Red indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) Green indicates that the card is operational (one or both ports active) and ready to carry traffic. Amber indicates that the card is operational and in standby (protect) mode. SF LED (Amber) Amber indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also illuminated if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the LED turns off. Table 10-26 MXP_MR_2.5G and MXPP_MR_2.5G Port-Level Indicators Port-Level LED Description Client LEDs (eight LEDs) Green indicates that the port is carrying traffic (active) on the interface. Amber indicates that the port is carrying protect traffic (MXPP_MR_2.5G). Red indicates that the port has detected a loss of signal. DWDM LED (MXP_MR_2.5G) Green (Active) Red (LOS) Green indicates that the card is carrying traffic (active) on the interface. A red LED indicates that the interface has detected an LOS or LOC. DWDMA and DWDMB LEDs (MXPP_MR_2.5G) Green (Active) Amber (Protect Traffic) Red (LOS) Green indicates that the card is carrying traffic (active) on the interface. When the LED is amber, it indicates that the interface is carrying protect traffic in a splitter protection card (MXPP_MR_2.5G). A red LED indicates that the interface has detected an LOS or LOC.10-56 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards The MXP_MR_10DME_C and MXP_MR_10DME_L cards aggregate a mix of client SAN service client inputs (GE, FICON, and Fibre Channel) into one 10.0 Gbps STM-64/OC-192 DWDM signal on the trunk side. It provides one long-reach STM-64/OC-192 port per card and is compliant with Telcordia GR-253-CORE and ITU-T G.957. The cards support aggregation of the following signal types: • 1-Gigabit Fibre Channel • 2-Gigabit Fibre Channel • 4-Gigabit Fibre Channel • 1-Gigabit Ethernet • 1-Gigabit ISC-Compatible (ISC-1) • 2-Gigabit ISC-Peer (ISC-3) Note On the card faceplates, the MXP_MR_10DME_C and MXP_MR_10DME_L cards are displayed as 10DME_C and 10DME_L, respectively. Caution The card can be damaged by dropping it. Handle it safely. The MXP_MR_10DME_C and MXP_MR_10DME_L muxponders pass all SONET/SDH overhead bytes transparently. The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up GCCs for data communications, enable FEC, or facilitate PM. The MXP_MR_10DME_C and MXP_MR_10DME_L cards work with the OTN devices defined in ITU-T G.709. The cards support ODU1 to OTU2 multiplexing, an industry standard method for asynchronously mapping a SONET/SDH payload into a digitally wrapped envelope. See the “10.7.7 Multiplexing Function” section on page 10-36. Note Because the client payload cannot oversubscribe the trunk, a mix of client signals can be accepted, up to a maximum limit of 10 Gbps. You can install MXP_MR_10DME_C and MXP_MR_10DME_L cards in Slots 1 to 6 and 12 to 17. Note The MXP_MR_10DME_C and MXP_MR_10DME_L cards are not compatible with the MXP_2.5G_10G card, which does not support transparent termination mode. The MXP_MR_10DME_C card features a tunable 1550-nm C-band laser on the trunk port. The laser is tunable across 82 wavelengths on the ITU grid with 50-GHz spacing between wavelengths. The MXP_MR_10DME_L features a tunable 1580-nm L-band laser on the trunk port. The laser is tunable across 80 wavelengths on the ITU grid, also with 50-GHz spacing. Each card features four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs (labeled) on the card faceplate. The cards uses dual LC connectors on the trunk side and use SFP modules on the client side for optical cable termination. The SFP pluggable modules are SR or IR and support an LC fiber connector.10-57 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards Table 10-27 shows the input data rate for each client interface, and the encapsulation method. The current version of the GFP-T G.7041 supports transparent mapping of 8B/10B block-coded protocols, including Gigabit Ethernet, Fibre Channel, ISC, and FICON. In addition to the GFP mapping, 1-Gbps traffic on Port 1 or 2 of the high-speed SERDES is mapped to an STS-24c channel. If two 1-Gbps client signals are present at Port 1 and Port 2 of the high-speed SERDES, the Port 1 signal is mapped into the first STS-24c channel and the Port 2 signal into the second STS-24c channel. The two channels are then mapped into an OC-48 trunk channel. There are two FPGAs on each MXP_MR_10DME_C and MXP_MR_10DME_L, and a group of four ports is mapped to each FPGA. Group 1 consists of Ports 1 through 4, and Group 2 consists of Ports 5 through 8. Table 10-28 shows some of the mix and match possibilities on the various client data rates for Ports 1 through 4, and Ports 5 through 8. An X indicates that the data rate is supported in that port. GFP-T PM is available through RMON and trunk PM is managed according to Telcordia GR-253-CORE and ITU G.783/826. Client PM is achieved through RMON for FC and GE. A buffer-to-buffer credit management scheme provides FC flow control. With this feature enabled, a port indicates the number of frames that can be sent to it (its buffer credit), before the sender is required to stop transmitting and wait for the receipt of a “ready” indication The MXP_MR_10DME_C and MXP_MR_10DME_L cards support FC credit-based flow control with a buffer-to-buffer credit extension of up to 1600 km (994.1 miles) for 1G FC, up to 800 km (497.1 miles) for 2G FC, or up to 400 km (248.5 miles) for 4G FC. The feature can be enabled or disabled. The MXP_MR_10DME_C and MXP_MR_10DME_L cards feature a 1550-nm laser for the trunk/line port and a 1310-nm or 850-nm laser (depending on the SFP) for the client ports. The cards contains eight 12.5 degree downward tilt SFP modules for the client interfaces. For optical termination, each SFP uses two LC connectors, which are labeled TX and RX on the faceplate. The trunk port is a dual-LC connector with a 45 degree downward angle. Table 10-27 MXP_MR_10DME_C and MXP_MR_10DME_L Client Interface Data Rates and Encapsulation Client Interface Input Data Rate GFP-T G.7041 Encapsulation 2G FC 2.125 Gbps Yes 1G FC 1.06 Gbps Yes 2G FICON/2G ISC-Compatible (ISC-1)/ 2G ISC-Peer (ISC-3) 2.125 Gbps Yes 1G FICON/1G ISC-Compatible (ISC-1)/ 1G ISC-Peer (ISC-3) 1.06 Gbps Yes Gigabit Ethernet 1.25 Gbps Yes Table 10-28 Supported Client Data Rates for Ports 1 through 4 and Ports 5 through 8 Port (Group 1) Port (Group 2) Gigabit Ethernet 1G FC 2G FC 4G FC 1 5 X XXX 2 6 X X —— 3 7 X XX— 4 8 X X ——10-58 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards The throughput of the MXP_MR_10DME_C and MXP_MR_10DME_L cards is affected by the following parameters: • Distance extension—If distance extension is enabled on the card, it provides more throughput but more latency. If distance extension is disabled on the card, the buffer to buffer credits on the storage switch affects the throughput; higher the buffer to buffer credits higher is the throughput. Note For each link to operate at the maximum throughput, it requires a minimum number of buffer credits to be available on the devices which the link connects to. The number of buffer credits required is a function of the distance between the storage switch extension ports and the link bandwidth, that is, 1G, 2G, or 4G. These buffer credits are provided by either the storage switch (if distance extension is disabled) or by both the storage switch and the card (if distance extension is enabled). • Forward Error Correction (FEC)—If Enhanced FEC (E-FEC) is enabled on the trunk port of the card, the throughout is significantly reduced in comparison to standard FEC being set on the trunk port. Note If distance extension is enabled on the card, the FEC status does not usually affect the throughput of the card. • Payload size—The throughput of the card decreases with decrease in payload size. The resultant throughput of the card is usually the combined effect of the above parameters. 10.10.1 Key Features The MXP_MR_10DME_C and MXP_MR_10DME_L cards have the following high-level features: • Onboard E-FEC processor: The processor supports both standard RS (specified in ITU-T G.709) and E-FEC, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. The E-FEC functionality increases the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (237,255) correction algorithm. A new BCH algorithm implemented in E-FEC allows recovery of an input BER up to 1E-3. • Pluggable client interface optic modules: The MXP_MR_10DME_C and MXP_MR_10DME_L cards have modular interfaces. Two types of optics modules can be plugged into the card. These include an OC-48/STM 16 SR-1 interface with a 7-km (4.3-mile) nominal range (for short range and intra-office applications) and an IR-1 interface with a range up to 40 km (24.9 miles). SR-1 is defined in Telcordia GR-253-CORE and in I-16 (ITU-T G.957). IR-1 is defined in Telcordia GR-253-CORE and in S-16-1 (ITU-T G.957). • Y-cable protection: Supports Y-cable protection between the same card type only, on ports with the same port number and signal rate. See the “10.19.1 Y-Cable Protection” section on page 10-139 for more detailed information. • High level provisioning support: The cards are initially provisioned using Cisco TransportPlanner software. Subsequently, the card can be monitored and provisioned using CTC software. • ALS: A safety mechanism used in the event of a fiber cut. For details regarding ALS provisioning for the MXP_MR_10DME_C and MXP_MR_10DME_L cards, refer to the Cisco ONS 15454 DWDM Procedure Guide.10-59 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards • Link monitoring and management: The cards use standard OC-48 OH bytes to monitor and manage incoming interfaces. The cards pass the incoming SDH/SONET data stream and its OH bytes transparently. • Control of layered SONET/SDH transport overhead: The cards are provisionable to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. • Automatic timing source synchronization: The MXP_MR_10DME_C and MXP_MR_10DME_L cards normally synchronize from the TCC2/TCC2P/TCC3 card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3 is not available, the cards automatically synchronize to one of the input client interface clocks. Note MXP_MR_10DME_C and MXP_MR_10DME_L cards cannot be used for line timing. • Configurable squelching policy: The cards can be configured to squelch the client interface output if there is LOS at the DWDM receiver or if there is a remote fault. In the event of a remote fault, the card manages MS-AIS insertion. • The cards are tunable across the full C band (MXP_MR_10DME_C) or full L band (MXP_MR_10DME_L), thus eliminating the need to use different versions of each card to provide tunability across specific wavelengths in a band. • You can provision a string (port name) for each fiber channel/FICON interface on the MXP_MR_10DME_C and MXP_MR_10DME_L cards, which allows the MDS Fabric Manager to create a link association between that SAN port and a SAN port on a Cisco MDS 9000 switch. • From Software Release 9.0, the fast switch feature of MXP_MR_10DME_C and MXP_MR_10DME_L cards along with the buffer-to-buffer credit recovery feature of MDS switches, prevents reinitialization of ISL links during Y-cable switchovers. 10.10.2 Faceplate Figure 10-25 shows the MXP_MR_10DME_C and MXP_MR_10DME_L faceplates and block diagram.10-60 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards Figure 10-25 MXP_MR_10DME_C and MXP_MR_10DME_L Faceplates and Block Diagram For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the cards in a loopback on the trunk port. Do not use direct fiber loopbacks with the cards. Using direct fiber loopbacks causes irreparable damage to the MXP_MR_10DME_C and MXP_MR_10DME_L cards. 10.10.3 Wavelength Identification The card uses trunk lasers that are wavelocked, which allows the trunk transmitter to operate on the ITU grid effectively. Both the MXP_MR_10DME_C and MXP_MR_10DME_L cards implement the UT2 module. The MXP_MR_10DME_C card uses a C-band version of the UT2 and the MXP_MR_10DME_L card uses an L-band version. 10DME-C FAIL ACT/STBY SF 145767 RX TX 1 RX TX 2 RX TX 3 RX TX 4 RX TX 1 RX TX 2 RX TX 3 RX TX 4 DWDM RX TX 10DME-L FAIL ACT/STBY SF RX TX 1 RX TX 2 RX TX 3 RX TX 4 RX TX 1 RX TX 2 RX TX 3 RX TX 4 DWDM RX TX SPF 1/1 4G FC SerDes 1 x QDR 2M x 36bit Burst4 1/2/4G-FC B2B Credit Mgt FPGA Framer G.709/FEC OTN MXP UT2 Data path 5x I/O 5x I/O SPF 2/1 SPF 3/1 CPU Core FPGA Power supply DCC/GCC CPUC bus SPF 4/1 SPF 6/1 4G FC SerDes 1/2/4G-FC B2B Credit Mgt FPGA 5x I/O 5x I/O SPF 7/1 SPF 8/1 SPF 9/1 Client ports Group 1 Group 210-61 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards Table 10-29 describes the required trunk transmit laser wavelengths for the MXP_MR_10DME_C card. The laser is tunable over 82 wavelengths in the C band at 50-GHz spacing on the ITU grid. Table 10-29 MXP_MR_10DME_C Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.57810-62 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards Table 10-30 describes the required trunk transmit laser wavelengths for the MXP_MR_10DME_L card. The laser is fully tunable over 80 wavelengths in the L band at 50-GHz spacing on the ITU grid. 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 10-29 MXP_MR_10DME_C Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 10-30 MXP_MR_10DME_L Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 190.85 1570.83 41 188.85 1587.46 2 190.8 1571.24 42 188.8 1587.88 3 190.75 1571.65 43 188.75 1588.30 4 190.7 1572.06 44 188.7 1588.73 5 190.65 1572.48 45 188.65 1589.15 6 190.6 1572.89 46 188.6 1589.57 7 190.55 1573.30 47 188.55 1589.99 8 190.5 1573.71 48 188.5 1590.41 9 190.45 1574.13 49 188.45 1590.83 10 190.4 1574.54 50 188.4 1591.26 11 190.35 1574.95 51 188.35 1591.68 12 190.3 1575.37 52 188.3 1592.10 13 190.25 1575.78 53 188.25 1592.52 14 190.2 1576.20 54 188.2 1592.95 15 190.15 1576.61 55 188.15 1593.37 16 190.1 1577.03 56 188.1 1593.79 17 190.05 1577.44 57 188.05 1594.22 18 190 1577.86 58 188 1594.64 19 189.95 1578.27 59 187.95 1595.06 20 189.9 1578.69 60 187.9 1595.49 21 189.85 1579.10 61 187.85 1595.9110-63 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DME_C and MXP_MR_10DME_L Cards 10.10.4 MXP_MR_10DME_C and MXP_MR_10DME_L Card-Level Indicators Table 10-31 describes the three card-level LEDs on the MXP_MR_10DME_C and MXP_MR_10DME_L cards. 22 189.8 1579.52 62 187.8 1596.34 23 189.75 1579.93 63 187.75 1596.76 24 189.7 1580.35 64 187.7 1597.19 25 189.65 1580.77 65 187.65 1597.62 26 189.6 1581.18 66 187.6 1598.04 27 189.55 1581.60 67 187.55 1598.47 28 189.5 1582.02 68 187.5 1598.89 29 189.45 1582.44 69 187.45 1599.32 30 189.4 1582.85 70 187.4 1599.75 31 189.35 1583.27 71 187.35 1600.17 32 189.3 1583.69 72 187.3 1600.60 33 189.25 1584.11 73 187.25 1601.03 34 189.2 1584.53 74 187.2 1601.46 35 189.15 1584.95 75 187.15 1601.88 36 189.1 1585.36 76 187.1 1602.31 37 189.05 1585.78 77 187.05 1602.74 38 189 1586.20 78 187 1603.17 39 188.95 1586.62 79 186.95 1603.60 40 188.9 1587.04 80 186.9 1604.03 Table 10-30 MXP_MR_10DME_L Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 10-31 MXP_MR_10DME_C and MXP_MR_10DME_L Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.10-64 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card 10.10.5 MXP_MR_10DME_C and MXP_MR_10DME_L Port-Level Indicators Table 10-32 describes the port-level LEDs on the MXP_MR_10DME_C and MXP_MR_10DME_L cards. 10.11 40G-MXP-C Card The 40G-MXP-C card aggregates a variety of client service inputs (GigabitEthernet, Fibre Channel, OTU2, OTU2e, and OC192) into one 40.0 Gbps OTU3/OTU3e signal on the trunk side. The 40G-MXP-C card supports aggregation of the following signals: • With overclock enabled on the trunk port: – 10-Gigabit Fibre Channel – OTU2e • With overclock disabled on the trunk port: – 8-Gigabit Fibre Channel – 10-GigabitEthernet LAN-Phy (GFP framing) – 10-GigabitEthernet LAN-Phy (WIS framing) – OC-192/STM-64 – OTU2 Caution Handle the card with care. Dropping or misuse of the card could result in permanent damage. The 40G-MXP-C muxponder passes all SONET/SDH overhead bytes transparently, section, or line termination. Table 10-32 MXP_MR_10DME_C and MXP_MR_10DME_L Port-Level Indicators Port-Level LED Description Port LED (eight LEDs, four for each group, one for each SFP) Green/Red/Amber/Off When green, the port LED indicates that the client port is either in service and receiving a recognized signal (that is, no signal fail), or Out of Service and Maintenance (OOS,MT or locked, maintenance) and the signal fail and alarms are being ignored. When red, the port LED indicates that the client port is in service but is receiving a signal fail (LOS). When amber, the port LED indicates that the port is provisioned and in a standby state. When off, the port LED indicates that the SFP is either not provisioned, out of service, not properly inserted, or the SFP hardware has failed. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-65 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up GCCs for data communications, enable FEC, or facilitate performance monitoring. The 40G-MXP-C card work with the OTN devices defined in ITU-T G.709. The card supports ODTU23 multiplexing, an industry standard method for asynchronously mapping client payloads into a digitally wrapped envelope. See the “10.7.7 Multiplexing Function” section on page 10-36. You can install and provision the 40G-MXP-C card in a linear configuration in: • Slots 1 to 5 and 12 to 16 in ONS 15454 DWDM chassis • Slot 2 in ONS 15454 M2 chassis • Slots 2 to 6 in ONS 15454 M6 chassis The 40G-MXP-C card client port interoperates with all the existing TXP/MXP (OTU2 trunk) cards. The 40G-MXP-C card client port does not interoperate with OTU2_XP card when the signal rate is OTU1e (11.049 Gbps) and the “No Fixed Stuff” option is enabled on the trunk port of OTU2_XP card. For OTU2 and OTU2e client protocols, Enhanced FEC (EFEC) is not supported in Port 1 of the 40G-MXP-C card. Table 10-33 lists the FEC configuration supported on OTU2/OTU2e protocol for 40G-MXP-C card. When setting up the card for the first time, or when the card comes up after clearing the LOS-P condition due to fiber cut, the trunk port of the 40G-MXP-C card takes a about six minutes to lock a signal. The trunk port of the 40G-MXP-C card raises an OTUK-LOF alarm when the card is comes up. The alarm clears when the trunk port locks the signal. When protection switch occurs on the 40G-MXP-C card, the recovery from PSM protection switch takes about 3 to 4 minutes. The 40G-MXP-C card is tunable over C-band on the trunk port. The 40G-MXP-C card supports pluggable XFPs on the client ports on the card faceplate. The card uses dual LC connectors on the trunk side, and XFP modules on the client side for optical cable termination. The XFP pluggable modules are SR, LR, MM, DWDM, or CWDM and support an LC fiber connector. The 40G-MXP-C card contains four XFP modules for the client interfaces. For optical termination, each XFP uses two LC connectors, which are labeled TX and RX on the faceplate. The trunk port is a dual-LC connector facing downward at 45 degrees. Table 10-34 shows the input data rate for each client interface. Table 10-33 40G-MXP-C Client Interface Data Rates 40G-MXP-C Client Port FEC Configuration Supported on OTU2/OTU2e Client Protocol Port 1 Only Standard FEC Port 2 Standard and Enhanced FEC Port 3 Standard and Enhanced FEC Port 4 Standard and Enhanced FEC Table 10-34 40G-MXP-C Client Interface Input Data Rates Client Interface Input Data Rate 8-Gigabit Fibre Channel 8.48 Gbps 10-Gigabit Fibre Channel 10.519 Gbps 10-GigabitEthernet LAN-Phy 10.312 Gbps10-66 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card 10.11.1 Key Features The 40G-MXP-C card comprises of the following key features: • The 40G-MXP-C card uses the RZ-DQPSK 40G modulation format. • Onboard E-FEC processor: The E-FEC functionality improves the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (239,255) correction algorithm. A new BCH algorithm implemented (according to G.975.1 I.7) in E-FEC allows recovery of an input BER up to 1E-3. The 40G-MXP-C card supports both standard RS (specified in ITU-T G.709) and E-FEC standard, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. • Y-cable protection: Supports Y-cable protection between the same card type only, on ports with the same port number and signal rate. For more information on Y-cable protection, see “10.19 Y-Cable and Splitter Protection” section on page 10-139. Note Y-cable cannot be created on 10 GE port when WIS framing is enabled on the 40G-MXP-C card. • Unidirectional regeneration: The 40G-MXP-C card supports unidirectional regeneration configuration. Each 40G-MXP-C card in the configuration regenerates the signal received from another 40G-MXP-C card in one direction. Note When you configure the 40G-MXP-C card in Unidirectional Regen mode, ensure that the payload is not configured on pluggable port modules of the 40G-MXP-C card. Figure 10-26 shows a typical unidirectional regeneration configuration. Figure 10-26 40G-MXP-C Cards in Unidirectional Regeneration Configuration • High level provisioning support: The cards are initially provisioned using Cisco Transport Planner software. Subsequently, the card can be monitored and provisioned using CTC software. 10-GigabitEthernet WAN-Phy 9.953 Gbps OC-192/STM-64 9.953 Gbps OTU2 10.709 Gbps OTU2e 11.096 Gbps Table 10-34 40G-MXP-C Client Interface Input Data Rates (continued) Client Interface Input Data Rate 278759 Client DWDM System DWDM System 40G-MXP-C 40G-MXP-C 40G-MXP-C 40G-MXP-C Client DWDM Trunk DWDM Trunk DWDM Trunk DWDM Trunk10-67 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card • Automatic Laser Shutdown (ALS): A safety mechanism used in the event of a fiber cut. The Auto Restart ALS option is supported only for OC192/STM64 and OTU2 payloads. The Manual Restart ALS option is supported for all payloads. For more information on ALS provisioning for the 40G-MXP-C card, see the Cisco ONS 15454 DWDM Procedure Guide. • Control of layered SONET/SDH transport overhead: The cards are provisionable to terminate regenerator section overhead. This is used to eliminate forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. • Automatic timing source synchronization: The 40G-MXP-C card synchronizes to the TCC2/TCC2P/TCC3/TNC/TSC card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3/TNC/TSC card is not available, the cards automatically synchronize to one of the input client interface clocks. • Squelching policy: The cards are set to squelch the client interface output if there is LOS at the DWDM receiver, or if there is a remote fault. In the event of a remote fault, the card manages MS-AIS insertion. • The card is tunable across the full C band wavelength. 10.11.2 Faceplate and Block Diagram Figure 10-27 shows the 40G-MXP-C card faceplate and block diagram.10-68 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card Figure 10-27 40G-MXP-C Faceplate and Block Diagram For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the cards in a loopback on the trunk port. Do not use direct fiber loopbacks with the cards. Using direct fiber loopbacks causes irreparable damage to the 40G-MXP-C card. 10.11.3 Wavelength Identification The card uses trunk lasers that are wavelocked, which allows the trunk transmitter to operate on the ITU grid effectively. The 40G-MXP-C card implements the UT2 module. The 40G-MXP-C card uses a C-band version of the UT2. Table 10-35 lists the required trunk transmit laser wavelengths for the 40G-MXP-C card. The laser is tunable over 82 wavelengths in the C band at 50-GHz spacing on the ITU grid. 278757 XFP XFP XFP XFP MSA 100 40 G FEC/EF EC Trunk module TDC EDFA XFP Child card Tx Rx Trunk 4x XFI SFI 5.1 interface Threshold control 40G-MXP-C FAIL ACT/STBY SF XFP1 XFP2 XFP3 XFP4 TRUNK RX 2 TX RX 1 TX RX 3 TX RX 4 TX TRUNK TX MX RX HAZARD LEVEL 1 COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JUNE 24, 200710-69 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card Table 10-35 40G-MXP-C Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.38910-70 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards 40G-MXP-C Card 10.11.4 40G-MXP-C Card-Level Indicators Table 10-36 describes the three card-level indicators on the 40G-MXP-C card. 10.11.5 40G-MXP-C Card Port-Level Indicators Table 10-37 describes the port-level indicators on the 40G-MXP-C card. 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 10-35 40G-MXP-C Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 10-36 40G-MXP-C Card-Level Indicators Card-Level Indicator Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.10-71 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards are Gigabit Ethernet Xponders for the ONS 15454 ANSI and ETSI platforms. Note GE_XPE card is the enhanced version of the GE_XP card and 10GE_XPE card is the enhanced version of the 10GE_XP card. The cards aggregate Ethernet packets received on the client ports for transport on C-band trunk ports that operate on a 100-GHz grid. The trunk ports operate with ITU-T G.709 framing and either FEC or E-FEC. The GE_XP and 10GE_XP cards are designed for bulk point-to-point transport over 10GE LAN PHY wavelengths for Video-on-Demand (VOD), or broadcast video across protected 10GE LAN PHY wavelengths. The GE_XPE and 10GE_XPE cards are designed for bulk GE_XPE or 10GE_XPE point-to-point, point-to-multipoint, multipoint-to-multipoint transport over 10GE LAN PHY wavelengths for Video-on-Demand (VOD), or broadcast video across protected 10GE LAN PHY wavelengths. You can install and provision the GE_XP, and GE_XPE cards in a linear configuration in: • Slots 1 to 5 and 12 to 16 in ONS 15454 DWDM chassis • Slot 2 in ONS 15454 M2 chassis • Slots 2 to 6 in ONS 15454 M6 chassis The 10GE_XP and 10GE_XPE cards can be installed in Slots 1 through 6 or 12 through 17. The GE_XP and GE_XPE are double-slot cards with twenty Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. The 10GE_XP and 10GE_XPE are single-slot cards with two 10 Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. The client ports support SX, LX, and ZX SFPs and SR and 10GBASE-LR XFPs. (LR2 XFPs are not supported.) The trunk ports support a DWDM XFP. Table 10-37 40G-MXP-C Card Port-Level Indicators Port-Level Indicator Description Port LED (eight LEDs, four for each group, one for each XFP) Green/Red/Amber/Off The green port LED indicates that the client port is either in service and receiving a recognized signal (that is, no signal fail), or Out of Service and Maintenance (OOS,MT or locked, maintenance) and the signal fail and alarms are being ignored. The red port LED indicates that the client port is in service but is receiving a signal fail (LOS). The amber port LED indicates that the port is provisioned and in a standby state. The port LED, when switched off, indicates that the SFP is either not provisioned, out of service, not properly inserted, or the SFP hardware failed. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-72 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards The RAD pluggables (ONS-SC-E3-T3-PW= and ONS-SC-E1-T1-PW=) do not support: • No loopbacks (Terminal or Facility) • RAI (Remote Alarm Indication) alarm • AIS and LOS alarm Caution A fan-tray assembly (15454E-CC-FTA for the ETSI shelf, or 15454-CC-FTA for the ANSI shelf) must be installed in a shelf where a GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card is installed. GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards can be provisioned to perform different Gigabit Ethernet transport roles. All the cards can work as Layer 2 switches. However, the 10GE_XP and 10GE_XPE cards can also perform as a 10 Gigabit Ethernet transponders (10GE TXP mode), and the GE_XP and GE_XPE can perform as a 10 Gigabit Ethernet or 20 Gigabit Ethernet muxponders (10GE MXP or 20GE MXP mode). Table 10-38 shows the card modes supported by each card. Note Changing the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card mode requires the ports to be in a OOS-DSBL (ANSI) or Locked, disabled (ETSI) service state. In addition, no circuits can be provisioned on the cards when the mode is being changed. 10.12.1 Key Features The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards have the following high-level features: • Link Aggregation Control Protocol (LACP) that allows you to bundle several physical ports together to form a single logical channel. • Ethernet Connectivity Fault Management (CFM) protocol that facilitates proactive connectivity monitoring, fault verification, and fault isolation. Table 10-38 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card Modes Card Mode Cards Description Layer 2 Ethernet switch GE_XP 10GE_XP GE_XPE 10GE_XPE Provides capability to switch between any two ports irrespective of client or trunk port. Supported Ethernet protocols and services include 1+1 protection, QoS (Quality of Service), CoS (Class of Service), QinQ, MAC learning, MAC address retrieval, service provider VLANs (SVLANs), IGMP snooping and Multicast VLAN Registration (MVR), link integrity, and other Ethernet switch services. 10GE TXP 10GE_XP 10GE_XPE Provides a point-to-point application in which each 10 Gigabit Ethernet client port is mapped to a 10 Gigabit Ethernet trunk port. 10GE MXP 20GE MXP GE_XP GE_XPE Provides the ability to multiplex the twenty Gigabit Ethernet client ports on the card to one or both of its 10 Gigabit Ethernet trunk ports. The card can be provisioned as a single MXP with twenty Gigabit Ethernet client ports mapped to one trunk port (Port 21) or as two MXPs with ten Gigabit Ethernet client ports mapped to a trunk port (Ports 1 to 10 mapped to Port 21, and Ports 11-20 mapped to Port 22).10-73 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards • Ethernet Operations, Administration, and Maintenance (OAM) protocol that facilitates link monitoring, remote failure indication, and remote loopback. • Resilient Ethernet Protocol (REP) that controls network loops, handles link failures, and improves convergence time. • Configurable service VLANs (SVLANs) and customer VLANs (CVLANs). • Ingress rate limiting that can be applied on both SVLANs and CVLANs. You can create SVLAN and CVLAN profiles and can associate a SVLAN profile to both UNI and NNI ports; however, you can associate a CVLAN profile only to UNI ports. • CVLAN rate limiting that is supported for QinQ service in selective add mode. • Differentiated Services Code Point (DSCP) to class of service (CoS) mapping that you can configure for each port. You can configure the CoS of the outer VLAN based on the incoming DSCP bits. This feature is supported only on GE_XPE and 10GE_XPE cards. • Ports, in Layer 2 switch mode, can be provisioned as network-to-network interfaces (NNIs) or user-network interfaces (UNIs) to facilitate service provider to customer traffic management. • Broadcast drop-and-continue capability for VOD and broadcast video applications. • Gigabit Ethernet MXP, TXP, and Layer 2 switch capability over the ONS 15454 DWDM platform. • Compatible with the ONS 15454 ANSI high-density shelf assembly, the ONS 15454 ETSI shelf assembly, ONS 15454 ETSI high-density shelf assembly, ONS 15454 M2, and the ONS 15454 M6 shelf assemblies. Compatible with TCC2, TCC2P, TCC3, TNC, and TSC cards. • Far-End Laser Control (FELC) that is supported on copper SFPs from Release 8.52 and later releases. For more information on FELC, see the “10.20 Far-End Laser Control” section on page 10-142. • Layer 2 switch mode that provides VLAN translation, QinQ, ingress CoS, egress QoS, Fast Ethernet protection switching, and other Layer 2 Ethernet services. • Interoperable with TXP_MR_10E and TXP_MR_10E_C cards. Also interoperable with Cisco Catalyst 6500 and Cisco 7600 series Gigabit Ethernet, 10 GE interfaces and CRS-1 10GE interfaces. • The GE_XP and GE_XPE cards have twenty Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. The 10GE_XP and 10GE_XPE cards have two 10 Gigabit Ethernet client ports and two 10 Gigabit Ethernet trunk ports. The client Gigabit Ethernet signals are mapped into an ITU-T G.709 OTU2 signal using standard ITU-T G.709 multiplexing when configured in one of the MXP modes (10GE MXP or 20GE MXP). • ITU-T G.709 framing with standard Reed-Soloman (RS) (255,237) FEC. Performance monitoring and ITU-T G.709 Optical Data Unit (ODU) synchronous and asynchronous mapping. E-FEC with ITU-T G.709 ODU and 2.7 Gbps with greater than 8 dB coding gain. • IEEE 802.3 frame format that is supported for 10 Gigabit Ethernet interfaces. The minimum frame size is 64 bytes. The maximum frame size is user-provisionable. • MAC learning capability in Layer 2 switch mode. • MAC address retrieval in cards provisioned in the L2-over-DWDM mode. • When a port is in UNI mode, tagging can be configured as transparent or selective. In transparent mode, only SVLANs in the VLAN database of the node can be configured. In selective mode, a CVLAN- to-SVLAN relationship can be defined. • Layer 2 VLAN port mapping that allows the cards to be configured as multiple Gigabit Ethernet TXPs and MXPs. • Y-cable protection is configurable in TXP and MXP modes.10-74 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards • Two protection schemes are available in Layer 2 mode. They are: – 1+1 protection—Protection scheme to address card, port, or shelf failures for client ports. – Fast Automatic Protection—Protection scheme to address card, port, or shelf failures for trunk ports. • End-to-end Ethernet link integrity. • Pluggable client interface optic modules (SFPs and XFPs)—Client ports support tri-rate SX, LX, and ZX SFPs, and 10-Gbps SR1 XFPs. • Pluggable trunk interface optic modules; trunk ports support the DWDM XFP. • Internet Group Management Protocol (IGMP) snooping that restricts the flooding of multicast traffic by forwarding multicast traffic to those interfaces where a multicast device is present. • Multicast VLAN Registration (MVR) for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network. • Ingress CoS that assigns a CoS value to the port from 0 (highest) to 7 (lowest) and accepts CoS of incoming frames. • Egress QoS that defines the QoS capabilities for the egress port. • MAC address learning that facilitates switch processing. • Storm Control that limits the number of packets passing through a port. You can define the maximum number of packets allowed per second for the following types of traffic: Broadcast, Multicast, and Unicast. The threshold for each type of traffic is independent and the maximum number of packets allowed per second for each type of traffic is 16777215. 10.12.2 Protocol Compatibility list Table 10-39 lists the protocol compatibility for GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. 10.12.3 Faceplate and Block Diagram Figure 10-28 shows the GE_XP faceplate and block diagram. The GE_XPE faceplate and block diagram looks the same. Table 10-39 Protocol Compatibility List for GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards Protocol L1 1+1 FAPS IGMP REP LACP CFM EFM L1 No Yes Yes No No Yes No 1+1 No Yes Yes No No Yes No FAPS Yes Yes Yes No No Yes No IGMP Yes Yes Yes Yes No Yes No REP No No No Yes No Yes No LACP No No No No No No No CFM Yes Yes Yes Yes Yes No No EFM No No No No No No No10-75 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards Figure 10-28 GE_XP and GE_XPE Faceplates and Block Diagram The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards have two trunk ports. The GE_XP and GE_XPE trunk ports are displayed as follows: • Trunk 1 and Trunk 2 on the faceplate • 21-1 and 22-1 on CTC • 21 (Trunk) and 22 (Trunk) on the Optics Thresholds table Figure 10-29 shows the 10GE_XP faceplate and block diagram. The 10 GE_XPE faceplate and block diagram looks the same. FAIL ACT SF GE-XP 1 TX RX 2 TX RX 3 TX RX 4 TX RX 5 TX RX 6 TX RX 7 TX RX 8 TX RX 9 TX RX 10 TX RX 11 TX RX 12 TX RX 13 TX RX 14 TX RX 15 TX RX 16 TX RX 17 TX RX 18 TX RX 19 TX RX 20 TX RX TX RX 2 TRUNK 1 CONSOLE T2 T1 TX RX ! MAX INPUT POWER LEVEL CLIENT: +3dBm TRUNK: +1dBm HAZARD LEVEL 1 159052 12GE Client ports CONN 8GE Client ports XAUI to SF14 XAUI to SF14 FEC SERDES XFP WDM FEC SERDES XFP WDM MPC8270 core Power supply Clocking BCM 5650x SCL FPGA COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JULY 26, 2001 Client Ports 9-14 Client GE Ports 1-8 GE Client Ports 15-20 Trunk GE Ports 1-2 10GE BCM 5650x with Ethernet ASIC10-76 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards Figure 10-29 10GE_XP and 10GE_XPE Faceplates and Block Diagram The 10GE_XP and 10GE_XPE card trunk ports are displayed as follows: • Trunk 1 and Trunk 2 on the faceplate • 3-1 and 4-1 on CTC • 3 (Trunk) and 4 (Trunk) on the Optics Thresholds table For information on safety labels for the cards, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the cards in a loopback on the trunk port. Do not use direct fiber loopbacks with the cards. Using direct fiber loopbacks causes irreparable damage to the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. ! MAX INPUT POWER LEVEL CLIENT: +3dBm TRUNK: +1dBm HAZARD LEVEL 1 10GE XP RX 2 TX TRUNK RX 1 TX RX 2 TX CLIENT RX 1 TX COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JULY 26, 2001 FAIL ACT SF CONSOLE 159053 159053 XFP XAUI SERDES XFP XAUI SERDES XAUI to SF14 XAUI to SF14 FEC SERDES XFP WDM FEC SERDES XFP WDM MPC8270 core Power supply Clocking BCM 5650x with Ethernet ASIC SCL FPGA Client Ports 1-2 10GE Trunk Ports 1-2 10GE10-77 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.4 Client Interface The client interface is implemented with separately orderable SFP or XFP modules. The client interfaces support the following tri-rate SFPs and XFPs using dual LC connectors and multimode fiber: • SFP - GE/1G-FC/2G-FC - 850 nm - MM - LC (PID ONS-SE-G2F-SX) • SFP - GE/1G-FC/2G-FC 1300 nm - SM - LC (PID ONS-SE-G2F-LX) • SFP - GE/1G-FC/2G-FC 1300 nm - SM - LC (PID ONS-SE-G2F-ZX) • SFP - 10/100/1000Base-T - Copper (PID ONS-SE-ZE-EL) Intra office up to 100; Cable: RJ45 STP CAT5, CAT5E, and CAT6 • SFP - 1000Base BX D/Gigabit Ethernet 1550 nm - SM - LC (PID ONS-SE-GE-BXD) • SFP - 1000Base BX U/Gigabit Ethernet 1550 nm - SM - LC (PID ONS-SE-GE-BXU) • SFP - Fast Ethernet 1310 nm - SM - LC (PID ONS-SI-100-LX10) • SFP - Fast Ethernet 1310 nm - MM - LC (PID ONS-SI-100-FX) • SFP - Fast Ethernet over DS1/E1 - SM - LC (PID ONS-SC-EOP1) (GE_XPE only) • SFP - Fast Ethernet over DS3/E3 - SM - LC (PID ONS-SC-EOP3) (GE_XPE only) • SFP - E1/DS1 over Fast Ethernet - SM - LC (PID ONS-SC-E1-T1-PW) (GE_XPE only) • SFP - E3/DS3 PDH over Fast Ethernet - SM - LC (PID ONS-SC-E3-T3-PW) (GE_XPE only) Note The resommended topology for using ONS-SC-E1-T1-PW and ONS-SC-E3-T3-PW SFPs is shown in Figure 10-30. Figure 10-30 Recommended Topology for Using ONS-SC-E1-T1-PW and ONS -SC-E3-T3-PW SFPs The client interfaces support the following dual-rate XFP using dual LC connectors and single-mode fiber: • XFP - OC-192/STM-64/10GE/10-FC/OTU2 - 1310 SR - SM LC (PID: ONS-XC-10G-S1) • XFP - 10GE - 1550 nm - SM - LC (PID ONS-XC-10G-L2) • XFP - 10GE - 1550 nm - SM - LC (PID ONS-XC-10G-C) Note If ONS-XC-10G-C XFP is used on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards on client port 1, the maximum temperature at which the system qualifies is +45 degree Celsius. 249504 Network A with Internal Timing Network B with LoopbackTiming Node A Ethernet Network ONS-SC-E1-T1-PW or ONS-SC-E3-T3-PW on Port n of GE_XPE Card in Node A with Loopback Timing ONS-SC-E1-T1-PW or ONS-SC-E3-T3-PW on Port n of GE_XPE Card in Node B with AdaptiveTiming Node B10-78 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards The client interfaces support the following multimode XFP using dual LC connectors and multi-mode fiber: • XFP - OC-192/10GFC/10GE - 850 nm MM LC (PID ONS-XC-10G-SR-MM) 10.12.5 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card-Level Indicators Table 10-40 describes the three card-level LEDs on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. 10.12.6 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Port-Level Indicators Table 10-41 describes the port-level LEDs on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. Table 10-40 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT LED Green (Active) If the ACT LED is green, the card is operational (one or more ports active) and ready to carry traffic. Amber SF LED The amber SF LED indicates that a signal failure or condition such as LOS, LOF, or high BERs is present one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-41 GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Port-Level Indicators Port-Level LED Description Port LEDs Green/Red/Amber/Off Green—The client port is either in service and receiving a recognized signal (that is, no signal fail), or Out of Service and Maintenance (OOS,MT or locked, maintenance) in which case the signal fail and alarms will be ignored. Red—The client port is in service but is receiving a signal fail (LOS). Amber—The port is provisioned and in a standby state. Off—The SFP is either not provisioned, out of service, not properly inserted, or the SFP hardware has failed. Green DWDM LED Green—The green DWDM LED indicates that the DWDM port is in service and receiving a recognized signal (that is, no signal fail), or Out of Service and Maintenance (OOS,MT or locked, maintenance) in which case the signal fail and alarms will be ignored. Red—The client port is in service but is receiving a signal fail (LOS). Amber—The port is provisioned and in a standby state. Off—The SFP is either not provisioned, out of service, not properly inserted, or the SFP hardware has failed.10-79 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.7 DWDM Trunk Interface The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards have two 10 Gigabit Ethernet trunk ports operating at 10 Gigabit Ethernet (10.3125 Gbps) or 10 Gigabit Ethernet into OTU2 (nonstandard 11.0957 Gbps). The ports are compliant with ITU-T G.707, ITU-T G.709, and Telcordia GR-253-CORE standards. The ports are capable of carrying C-band and L-band wavelengths through insertion of DWDM XFPs. Forty channels are available in the 1550-nm C band 100-GHz ITU grid, and forty channels are available in the L band. The maximum system reach in filterless applications without the use of optical amplification or regenerators is nominally rated at 23 dB over C-SMF fiber. This rating is not a product specification, but is given for informational purposes. It is subject to change. 10.12.8 Configuration Management The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards support the following configuration management parameters: • Port name—User-assigned text string. • Admin State/Service State—Administrative and service states to manage and view port status. • MTU—Provisionable maximum transfer unit (MTU) to set the maximum number of bytes per frames accepted on the port. • Mode—Provisional port mode, either Autonegotiation or the port speed. • Flow Control—Flow control according to IEEE 802.1x pause frame specification can be enabled or disabled for TX and RX ports. • Bandwidth—Provisionable maximum bandwidth allowed for the port. • Ingress CoS—Assigns a CoS value to the port from 0 (highest) to 7 (lowest) and accepts CoS of incoming frames. • Egress QoS—Defines the QoS capabilities at the egress port. • NIM—Defines the port network interface management type based on Metro Ethernet Forum specifications. Ports can be defined as UNI or NNI. • MAC Learning—MAC address learning to facilitate switch processing. • VLAN tagging provided according to the IEEE 802.1Q standard. Note When the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards are provisioned in a MXP or TXP mode, only the following parameters are available: Port Name, State, MTU, Mode, Flow control, and Bandwidth. 10.12.9 Security GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE card ports can be provisioned to block traffic from a user-defined set of MAC addresses. The remaining traffic is normally switched. You can manually specify the set of blocked MAC addresses for each port. Each port of the card can receive traffic from a limited predefined set of MAC addresses. The remaining traffic will be dropped. This capability is a subset of the Cisco IOS “Port Security” feature. 10-80 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.10 Card Protection The following section describes various card protection schemes available for the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. 10.12.10.1 1+1 Protection 1+1 protection of GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards is provided in the Layer 2 (L2) card mode to protect against client port and card failure. 1+1 protection is supported in both single shelf and multishelf setup. This means that the working card can be in one shelf and the protect card can be in another shelf of a multishelf setup. Communication between the two cards is across 10 Gigabit Ethernet interconnection interface using Ethernet packets. The Inter link (ILK) trunk or internal pathcord must be provisioned on both the cards. This link is used to transmit protection switching messages and data. For information on how to provision ILK or internal patchcords, refer Cisco ONS 15454 DWDM Procedure Guide. Note With 1+1 protection mechanisms, the switch time of a copper SFP is 1 second. With 1+1 protection, ports on the protect card can be assigned to protect the corresponding ports on the working card. A working card must be paired with a protect card of the same type and number of ports. The protection takes place on the port level, and any number of ports on the protect card can be assigned to protect the corresponding ports on the working card. To make the 1+1 protection scheme fully redundant, enable L2 protection for the entire VLAN ring. This enables Fast Automatic Protection Switch (FAPS). The VLAN configured on the 1+1 port must be configured as protected SVLAN. For information on how to enable FAPS, see Cisco ONS 15454 DWDM Procedure Guide. 1+1 protection can be either revertive or nonrevertive. With nonrevertive 1+1 protection, when a failure occurs and the signal switches from the working card to the protect card, the signal remains on the protect card until it is manually changed. Revertive 1+1 protection automatically switches the signal back to the working card when the working card comes back online. 1+1 protection uses trunk ports to send control traffic between working and protect cards. This trunk port connection is known as ILK trunk ports and can be provisioned via CTC. For information on how to provision an ILK link, see “DLP-G460 Provision an ILK Link” in the Cisco ONS 15454 DWDM Procedure Guide. The standby port can be configured to turn ON or OFF but the traffic coming to and from the standby port will be down. If the laser is ON at the standby port, the other end port (where traffic originates) will not be down in a parallel connection. Traffic is blocked on the standby port. 1+1 protection is bidirectional and nonrevertive by default; revertive switching can be provisioned using CTC. For information on how to provision the cards, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.12.10.2 Y-Cable Protection The GE_XP and GE_XPE cards support Y-cable protection when they are provisioned in 10 Gigabit Ethernet or 20 Gigabit Ethernet MXP card mode. The 10GE_XP and 10GE_XPE cards support Y-cable protection when they are provisioned in 10GE TXP card mode. Two cards can be joined in a Y-cable protection group with one card assigned as the working card and the other defined as the protection card. This protection mechanism provides redundant bidirectional paths. See the “10.19.1 Y-Cable Protection” section on page 10-139 for more detailed information. The Y-cable protection mechanism is 10-81 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards provisionable and can be set ON or OFF (OFF is the default mode). When a signal fault is detected (LOS, LOF, SD, or SF on the DWDM receiver port in the case of ITU-T G.709 mode) the protection mechanism software automatically switches between paths. Y-cable protection also supports revertive and nonrevertive mode. 10.12.10.3 Layer 2 Over DWDM Protection When the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards are in L2-over-DWDM card mode, protection is handled by the hardware at the Layer 1 and Layer 2 levels. Fault detection and failure propagation is communicated through the ITU-T G.709 frame overhead bytes. For protected VLANs, traffic is flooded around the 10 Gigabit Ethernet DWDM ring. To set up the Layer 2 protection, you identify a node and the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE port that is to serve as the master node and port for the VLAN ring on the card view Provisioning > Protection tab. If a failure occurs, the node and port are responsible for opening and closing VLAN loops. Note The Forced option in the Protection drop-down list converts all the SVLANs to protected SVLANs irrespective of the SVLAN protection configuration in the SVLAN database. This is applicable to a point-to-point linear topology. The SVLAN protection must be forced to move all SVLANs, including protected and unprotected SVLANs, to the protect path irrespective of provisioned SVLAN attributes. A FAPS switchover happens in the following failure scenarios: • DWDM line failures caused by a fiber cut • Unidirectional failure in the DWDM network caused by a fiber cut • Fiber pull on the master card trunk port followed by a hard reset on the master card • Hard reset on the master card • Hard reset on the slave card • An OTN failure is detected (LOS, OTUK-LOF, OTUK-LOM, OTUK-LOM, OTUK-SF, or OTUK-BDI on the DWDM receiver port in the case of ITU-T G.709 mode) • Trunk ports are moved to OOS,DSBLD (Locked,disabled) state • Improper removal of XFPs A FAPS switchover does not happen in the following scenarios: • Slave card trunk port in OOS,DSBLD (Locked,disabled) state followed by a hard reset of the slave card • OTN alarms raised on the slave card trunk port followed by a hard reset of the slave card 10.12.11 IGMP Snooping As networks increase in size, multicast routing becomes critically important as a means to determine which segments require multicast traffic and which do not. IP multicasting allows IP traffic to be propagated from one source to a number of destinations, or from many sources to many destinations. Rather than sending one packet to each destination, one packet is sent to the multicast group identified by a single IP destination group address. GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards can learn upto a maximum of 1024 multicast groups. This includes groups on all the VLANs. Internet Group Management Protocol (IGMP) snooping restricts the flooding of multicast traffic by forwarding multicast traffic to those interfaces where a multicast device is present.10-82 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards When the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card receives an IGMP leave group message from a host, it removes the host port from the multicast forwarding table after generating group specific queries to ensure that no other hosts interested in traffic for the particular group are present on that port. Even in the absence of any “leave” message, the cards have a timeout mechanism to update the group table with the latest information. After a card relays IGMP queries from the multicast router, it deletes entries periodically if it does not receive any IGMP membership reports from the multicast clients. In a multicast router, general queries are sent on a VLAN when Protocol Independent Multicast (PIM) is enabled on the VLAN. The GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card forwards queries to all ports belonging to the VLAN. All hosts interested in this multicast traffic send Join requests and are added to the forwarding table entry. The Join requests are forwarded only to router ports. By default, these router ports are learned dynamically. However, they can also be statically configured at the port level in which case the static configuration overrides dynamic learning. For information on interaction of IGMP with other protocols, see the 10.12.2 Protocol Compatibility list. 10.12.11.1 IGMP Snooping Guidelines and Restrictions The following guidelines and restrictions apply to IGMP snooping on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards: • IGMP snooping V2 is supported as specified in RFC 4541. • IGMP snooping V3 is not supported and the packets are flooded in the SVLAN. • Layer 2 multicast groups learned through IGMP snooping are dynamic. • GE_XP and 10GE_XP cards support IGMP snooping on 128 stacked VLANs and GE_XPE and 10GE_XPE cards support up to 256 stacked VLANs that are enabled. • IGMP snooping can be configured per SVLAN or CVLAN. By default, IGMP snooping is disabled on all SVLANs and CVLANs. • IGMP snooping on CVLAN is enabled only when: – MVR is enabled. – UNI ports are in selective add and selective translate modes. For each UNI port, a CVLAN must be specified for which IGMP snooping is to be enabled. • IGMP snooping can be enabled only on one CVLAN per port. If you enable IGMP snooping on CVLAN, you cannot enable IGMP snooping on the associated SVLAN and vice versa. The number of VLANs that can be enabled for IGMP snooping cannot exceed 128. • When IGMP snooping is enabled on double-tagged packets, CVLAN has to be the same on all ports attached to the same SVLAN. • When IGMP snooping is working with the Fast Automatic Protection Switch (FAPS) in a ring-based setup, it is advisable to configure all NNI ports as static router ports. This minimizes the multicast traffic hit when a FAPS switchover occurs. The following conditions are raised from IGMP snooping at the card: • MCAST-MAC-TABLE-FULL—This condition is raised when the multicast table is full and a new join request is received. This table is cleared when at least one entry gets cleared from the multicast table after the alarm is raised. • MCAST-MAC-ALIASING—This condition is raised when there are multiple L3 addresses that map to the same L2 address in a VLAN. This is a transient condition.10-83 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards For more information on severity level of these conditions and procedure to clear these alarms, refer to the Cisco ONS 15454 Troubleshooting Guide. 10.12.11.2 Fast-Leave Processing Note Fast-Leave processing is also known as Immediate-Leave. IGMP snooping Fast-Leave processing allows the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE to remove an interface that sends a leave message from the forwarding table without first sending group specific queries to the interface. When you enable IGMP Fast-Leave processing, the card immediately removes a port from the IP multicast group when it detects an IGMP, version 2 (IGMPv2) leave message on that port. 10.12.11.3 Static Router Port Configuration Multicast-capable ports are added to the forwarding table for every IP multicast entry. The card learns of such ports through the PIM method. 10.12.11.4 Report Suppression Report suppression is used to avoid a storm of responses to an IGMP query. When this feature is enabled, a single IGMP report is sent to each multicast group in response to a single query. Whenever an IGMP snooping report is received, report suppression happens if the report suppression timer is running. The Report suppression timer is started when the first report is received for a general query. Then this time is set to the response time specified in general query. 10.12.11.5 IGMP Statistics and Counters An entry in a counter contains multicasting statistical information for the IGMP snooping capable GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card. It provides statistical information about IGMP messages that have been transmitted and received. IGMP statistics and counters can be viewed via CTC from the Performance > Ether Ports > Statistics tab. This information can be stored in the following counters: • cisTxGeneralQueries—Number of general queries transmitted through an interface. • cisTxGroupSpecificQueries—Total group specific queries transmitted through an interface. • cisTxReports—Total membership reports transmitted through an interface. • cisTxLeaves—Total Leave messages transmitted through an interface. • cisRxGeneralQueries—Total general queries received at an interface. • cisRxGroupSpecificQueries—Total Group Specific Queries received at an interface. • cisRxReports—Total Membership Reports received at an interface. • cisRxLeaves—Total Leave messages received at an interface. • cisRxValidPackets—Total valid IGMP packets received at an interface. • cisRxInvalidPackets—Total number of packets that are not valid IGMP messages received at an interface.10-84 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.12 Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet-ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN. It allows the single multicast VLAN to be shared in the network while subscribers remain in separate VLANs. MVR provides the ability to continuously send multicast streams in the multicast VLAN, but to isolate the streams from the subscriber VLANs for bandwidth and security reasons. MVR assumes that subscriber ports subscribe and unsubscribe (“Join” and “Leave”) these multicast streams by sending out IGMP Join and Leave messages. These messages can originate from an IGMP version-2-compatible host with an Ethernet connection. MVR operates on the underlying mechanism of IGMP snooping. MVR works only when IGMP snooping is enabled. The card identifies the MVR IP multicast streams and their associated MAC addresses in the card forwarding table, intercepts the IGMP messages, and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream, even though the receivers is in a different VLAN than the source. This forwarding behavior selectively allows traffic to cross between different VLANs. Note When MVR is configured, the port facing the router must be configured as NNI in order to allow the router to generate or send multicast stream to the host with the SVLAN. If router port is configured as UNI, the MVR will not work properly. 10.12.13 MAC Address Learning The GE_XPE and 10 GE_XPE cards support 32K MAC addresses. MAC address learning can be enabled or disabled per SVLAN on GE_XPE and 10 GE_XPE cards. The cards learn the MAC address of packets they receive on each port and add the MAC address and its associated port number to the MAC address learning table. As stations are added or removed from the network, the GE_XPE and 10 GE_XPE cards update the MAC address learning table, adding new dynamic addresses and aging out those that are currently not in use. MAC address learning can be enabled or disabled per SVLAN. When the configuration is changed from enable to disable, all the related MAC addresses are cleared. The following conditions apply: • If MAC address learning is enabled on per port basis, the MAC address learning is not enabled on all VLANs, but only on VLANs that have MAC address learning enabled. • If per port MAC address learning is disabled then the MAC address learning is disabled on all VLANs, even if it is enabled on some of the VLAN supported by the port. • If the per port MAC address learning is configured on GE-XP and 10 GE-XP cards, before upgrading to GE-XPE or 10 GE-XPE cards, enable MAC address learning per SVLAN. Failing to do so disables MAC address learning. 10.12.14 MAC Address Retrieval MAC addresses learned can be retrieved or cleared on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards provisioned in L2-over-DWDM mode. The MAC addresses can be retrieved using the CTC or TL1 interface.10-85 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards GE_XPE and 10GE_XPE cards support 32K MAC addresses and GE_XP and 10GE_XP cards support 16K MAC addresses. To avoid delay in processing requests, the learned MAC addresses are retrieved using an SVLAN range. The valid SVLAN range is from 1 to 4093. The MAC addresses of the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards can also be retrieved. The card MAC addresses are static and are used for troubleshooting activities. One MAC address is assigned to each client, trunk, and CPU ports of the GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card. These internal MAC addresses can be used to determine if the packets received on the far-end node are generated by GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. For MAC address retrieval, the following conditions apply: • The cards must be provisioned in L2-over-DWDM mode. • MAC address learning must be enabled per SVLAN on GE_XPE or 10 GE_XPE cards. • MAC address learning must be enabled per port on GE_XP or 10 GE_XP cards. For information on how to retrieve or clear MAC addresses learned, refer to the “Provision Transponder and Muxponder Cards” chapter in the Cisco ONS 15454 DWDM Procedure Guide. 10.12.15 Link Integrity The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE card support end-to-end Ethernet link integrity. This capability is integral to providing an Ethernet private line service and correct operation of Layer 2 and Layer 3 protocols on the attached Ethernet devices. The link integrity feature propagates a trunk fault on all the affected SVLAN circuits in order to squelch the far end client interface. Ethernet-Advanced IP Services (E-AIS) packets are generated on a per-port/SVLAN basis. An E-AIS format is compliant with ITU Y.1731. Note E-AIS packets are marked with a CoS value of 7 (also called .1p bits). Ensure that the network is not overloaded and there is sufficient bandwidth for this queue in order to avoid packet drops. When link integrity is enabled on a per-port SVLAN basis, E-AIS packets are generated when the following alarms are raised; • LOS-P • OTUKLOF/LOM • SIGLOSS • SYNCHLOSS • OOS • PPM not present When link integrity is enabled, GE_XP and 10 GE_XP card supports up to128 SVLANs and GE_XPE, 10 GE_XPE can support up to 256 SVLANs. 10.12.16 Ingress CoS Ingress CoS functionality enables differentiated services across the GE_XPE and 10GE_XPE cards. A wide range of networking requirements can be provisioned by specifying the class of service applicable to each transmitted traffic. 10-86 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards When a CVLAN is configured as ingress CoS, the per-port settings are not considered. A maximum of 128 CVLAN and CoS relationships can be configured. 10.12.17 CVLAN Rate Limiting CVLAN rate limiting is supported on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. CVLAN rate limiting is supported for QinQ service in selective add mode. The following limitations and restrictions apply to CVLAN rate limiting: • CVLAN rate limiting is not supported for the following service types: – Selective translate mode – Transparent mode – Selective double add mode – Selective translate add mode – Untagged packets – CVLAN range – Services associated with the channel group • CVLAN rate limiting and SVLAN rate limiting cannot be applied to the same service instance. • Pseudo-IOS command line interface (PCLI) is not supported for CVLAN rate limiting. • A VLAN profile with Link Integrity option enabled cannot be used to perform CVLAN rate limiting. • On GE_XP and 10 GE_XP cards, CVLAN rate limiting can be applied to up to 128 services. However, the number of provisionable CVLAN rate limiting service instances is equal to 192 minus the number of SVLAN rate limiting service instances present on the card (subject to a minimum of 64 CVLAN rate limiting service instances). • On GE_XPE and 10 GE_XPE cards, CVLAN rate limiting can be applied to up to 256 services. However, the number of provisionable CVLAN rate limiting service instances is equal to 384 minus the number of SVLAN rate limiting service instances present on the card (subject to a minimum of 128 CVLAN rate limiting service instances). 10.12.18 DSCP to CoS Mapping DSCP to CoS mapping can be configured for each port. You can configure the CoS of the outer VLAN based on the incoming DSCP bits. This feature is supported only on GE_XPE and 10GE_XPE cards. PCLI is not supported for DSCP to CoS mapping. DSCP to CoS mapping is supported for the following service types: – Selectice add mode – Selective translate mode – Transparent mode – Selective double add mode – Selective translate add mode – Untagged packets – CVLAN range10-87 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards – Services associated with the channel group 10.12.19 Link Aggregation Control Protocol Link Aggregation Control Protocol (LACP) is part of the IEEE802.3ad standard that allows you to bundle several physical ports together to form a single logical channel. LACP allows a network device such as a switch to negotiate an automatic bundling of links by sending LACP packets to the peer device. LACP allows you to form a single Layer 2 link automatically from two or more Ethernet links. This protocol ensures that both ends of the Ethernet link are functional and agree to be members of the aggregation group before the link is added to the group. LACP must be enabled at both ends of the link to be operational. For more information on LACP, refer to the IEEE802.3ad standard. For information on interaction of LACP with other protocols, see the 10.12.2 Protocol Compatibility list. 10.12.19.1 Advantages of LACP LACP provides the following advantages: • High-speed network that transfers more data than any single port or device. • High reliability and redundancy. If a port fails, traffic continues on the remaining ports. • Hashing algorithm that allows to apply load balancing policies on the bundled ports. 10.12.19.2 Functions of LACP LACP performs the following functions in the system: • Maintains configuration information to control aggregation. • Exchanges configuration information with other peer devices. • Attaches or detaches ports from the link aggregation group based on the exchanged configuration information. • Enables data flow when both sides of the aggregation group are synchronized. 10.12.19.3 Modes of LACP LACP can be configured in the following modes: • On — Default. In this mode, the ports do not exchange LACP packets with the partner ports. • Active — In this mode, the ports send LACP packets at regular intervals to the partner ports. • Passive — In this mode, the ports do not send LACP packets until the partner sends LACP packets. After receiving the LACP packets from the partner ports, the ports send LACP packets. 10.12.19.4 Parameters of LACP LACP uses the following parameters to control aggregation: • System Identifier—A unique identification assigned to each system. It is the concatenation of the system priority and a globally administered individual MAC address.10-88 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards • Port Identification—A unique identifier for each physical port in the system. It is the concatenation of the port priority and the port number. • Port Capability Identification—An integer, called a key, that identifies the capability of one port to aggregate with another port. There are two types of keys: – Administrative key—The network administrator configures this key. – Operational key—The LACP assigns this key to a port, based on its aggregation capability. • Aggregation Identifier—A unique integer that is assigned to each aggregator and is used for identification within the system. 10.12.19.5 Unicast Hashing Schemes LACP supports the following unicast hashing schemes: • Ucast SA VLAN Incoming Port • Ucast DA VLAN Incoming Port • Ucast SA DA VLAN Incoming port • Ucast Src IP TCP UDP • Ucast Dst IP TCP UDP • Ucast Src Dst IP TCP UDP Note Unicast hashing schemes apply to unicast traffic streams only when the destination MAC address is already learned by the card. Hence, MAC learning must be enabled to support load balancing as per the configured hashing scheme. If the destination MAC address is not learned, the hashing scheme is Ucast Src Dst IP TCP UDP. 10.12.19.6 Supported LACP Features The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards support the following LACP features as per the IEEE802.3ad standard: • DLP-G611 Create a Channel Group Using CTC • DLP-G612 Modify the Parameters of the Channel Group Using CTC • DLP-G613 Add or Remove Ports to or from an Existing Channel Group Using CTC • DLP-G614 Delete a Channel Group Using CTC See the Cisco ONS 15454 DWDM Procedure Guide for information on these procedures. 10.12.19.7 LACP Limitations and Restrictions The LACP on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards has the following limitations and restrictions: • Hot standby link state is not supported on the channel group. • Marker protocol generator is not supported. • ALS cannot be configured on the channel group. • Loopback configuration cannot be applied on the channel group.10-89 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.20 Ethernet Connectivity Fault Management Ethernet Connectivity Fault Management (CFM) is part of the IEEE 802.1ag standard. The Ethernet CFM is an end-to-end per service instance that supports the Ethernet layer Operations, Administration, and Management (OAM) protocol. It includes proactive connectivity monitoring, link trace on a per service basis, fault verification, and fault isolation for large Ethernet metropolitan-area networks (MANs) and WANs. CFM is disabled on the card by default. CFM is enabled on all the ports by default. For more information on CFM, refer to the IEEE 802.1ag standard. For information on interaction of CFM with other protocols, see the 10.12.2 Protocol Compatibility list. The following sections contain conceptual information about Ethernet CFM. 10.12.20.1 Maintenance Domain A maintenance domain is an administrative domain that manages and administers a network. You can assign a unique maintenance level (from 0 to 7) to define the hierarchical relationship between domains. The larger the domain, the higher the maintenance level for that domain. For example, a service provider domain would be larger than an operator domain and might have a maintenance level of 6, while the operator domain maintenance level would be 3 or 4. Maintenance domains cannot intersect or overlap because that would require more than one entity to manage it, which is not allowed. Domains can touch or nest if the outer domain has a higher maintenance level than the nested domain. Maintenance levels of nesting domains must be communicated among the administrating organizations. For example, one approach would be to have the service provider assign maintenance levels to operators. The CFM protocol supports up to eight maintenance domains on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. 10.12.20.2 Maintenance Association A maintenance association identifies a service within the maintenance domain. You can have any number of maintenance associations within each maintenance domain. The CFM protocol supports up to 1500 maintenance associations on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. Note Each maintenance association is mapped to a maintenance domain. This mapping is done to configure a Maintenance End Point (MEP). The CFM protocol supports up to 1000 mappings on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. 10.12.20.3 Maintenance End Points Maintenance End Points (MEPs) reside at the edge of the maintenance domain and are active elements of the Ethernet CFM. MEPs transmit Continuity Check messages at periodic intervals and receive similar messages from other MEPs within a domain. MEPs also transmit Loopback and Traceroute messages at the request of the administrator. MEPs confine CFM messages within the boundary of a maintenance domain through the maintenance level. There are two types of MEPs: • Up (Inwards, towards the bridge) • Down (Outwards, towards the wire).10-90 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards You can create up to 255 MEPs and MIPs together on GE_XP and 10GE_XP cards. You can create up to 500 MEPs and MIPs together on GE_XPE and 10GE_XPE cards. The MEP continuity check database (CCDB) stores information that is received from other MEPs in the maintenance domain. The card can store up to 4000 MEP CCDB entries. 10.12.20.4 Maintenance Intermediate Points Maintenance Intermediate Points (MIPs) are internal to the maintenance domain and are passive elements of the Ethernet CFM. They store information received from MEPs and respond to Linktrace and Loopback CFM messages. MIPs forward CFM frames received from MEPs and other MIPs, drop all CFM frames at a lower level, and forward all CFM frames at a higher level. You can create up to 255 MEPs and MIPs together on GE_XP and 10GE_XP cards. You can create up to 500 MEPs and MIPs together on GE_XPE and 10GE_XPE cards. The MIP CCDB maintains the information received for all MEPs in the maintenance domain. The card can store up to 4000 MIP CCDB entries. 10.12.20.5 CFM Messages The Ethernet CFM on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards supports the following messages: • Continuity Check—These messages are exchanged periodically among MEPs. They allow MEPs to discover other MEPs within a domain and allow MIPs to discover MEPs. These messages are confined to a domain. • Loopback—These messages are unicast messages that a MEP transmits, at the request of an administrator, to verify connectivity to a specific maintenance point. A reply to a loopback message indicates whether a destination is reachable. • Traceroute—These messages are multicast messages that a MEP transmits, at the request of an administrator, to track the path to a destination MEP. 10.12.20.6 Supported CFM Features The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards support the following Ethernet CFM features as per the IEEE 802.1ag standard: • DLP-G621 Enable or Disable CFM on the Card Using CTC • DLP-G622 Enable or Disable CFM for Each Port Using CTC • DLP-G623 Create a Maintenance Domain Profile Using CTC • DLP-G625 Create a Maintenance Association Profile Using CTC • DLP-G628 Map a Maintenance Association Profile to a Maintenance Domain Profile Using CTC • DLP-G629 Create a MEP Using CTC • DLP-G631 Create a MIP Using CTC • DLP-G633 Ping MEP Using CTC • DLP-G634 Traceroute MEP Using CTC See the Cisco ONS 15454 DWDM Procedure Guide for information on these procedures.10-91 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.20.7 CFM Limitations and Restrictions The CFM on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards has the following limitations and restrictions: • CFM is not supported on channel groups. • CFM is not enabled on ptotected ports running REP, FAPS, and 1+1. • Y.1731 enhancements including AIS, LCK, and performance monitoring messages along with CFM are not supported. • IEEE CFM MIB is not supported. • L1 and CFM are mutually exclusive on a SVLAN because LI and CFM use the same MAC address. • MAC security and CFM are mutually exclusive on the card due to hardware resource constraints. 10.12.21 Ethernet OAM The Ethernet OAM protocol is part of the IEEE 802.3ah standard and is used for installing, monitoring, and troubleshooting Ethernet MANs and Ethernet WANs. This protocol relies on an optional sublayer in the data link layer of the OSI model. The Ethernet OAM protocol was developed for Ethernet in the First Mile (EFM) applications. The terms Ethernet OAM and EFM are interchangeably used and both mean the same. Normal link operation does not require Ethernet OAM. You can implement Ethernet OAM on any full-duplex point-to-point or emulated point-to-point Ethernet link for a network or part of a network (specified interfaces). OAM frames, called OAM Protocol Data Units (OAM PDUs), use the slow protocol destination MAC address 0180.c200.0002. OAM PDUs are intercepted by the MAC sublayer and cannot propagate beyond a single hop within an Ethernet network. Ethernet OAM is disabled on all interfaces by default. When Ethernet OAM is enabled on an interface, link monitoring is automatically turned on. For more information on Ethernet OAM protocol, refer to IEEE 802.3ah standard. For information on interaction of Ethernet OAM with other protocols, see the 10.12.2 Protocol Compatibility list. 10.12.21.1 Components of the Ethernet OAM Ethernet OAM consists of two major components, the OAM Client and the OAM Sublayer. 10.12.21.1.1 OAM Client The OAM client establishes and manages the Ethernet OAM on a link. The OAM client also enables and configures the OAM sublayer. During the OAM discovery phase, the OAM client monitors the OAM PDUs received from the remote peer and enables OAM functionality. After the discovery phase, the OAM client manages the rules of response to OAM PDUs and the OAM remote loopback mode. 10.12.21.1.2 OAM Sublayer The OAM sublayer presents two standard IEEE 802.3 MAC service interfaces: • One interface facing toward the superior sublayers, which include the MAC client (or link aggregation). • Other interface facing toward the subordinate MAC control sublayer.10-92 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards The OAM sublayer provides a dedicated interface for passing OAM control information and OAM PDUs to and from the client. 10.12.21.2 Benefits of the Ethernet OAM Ethernet OAM provides the following benefits: • Competitive advantage for service providers • Standardized mechanism to monitor the health of a link and perform diagnostics 10.12.21.3 Features of the Ethernet OAM The Ethernet OAM protocol has the following OAM features: • Discovery—Identifies devices in the network and their OAM capabilities. The Discovery feature uses periodic OAM PDUs to advertise the OAM mode, configuration, and capabilities. An optional phase allows the local station to accept or reject the configuration of the peer OAM entity. • Link Monitoring—Detects and indicates link faults under a variety of conditions. It uses the event notification OAM PDU to notify the remote OAM device when it detects problems on the link. • Remote Failure Indication—Allows an OAM entity to convey the failure conditions to its peer through specific flags in the OAM PDU. • Remote Loopback—Ensures link quality with a remote peer during installation or troubleshooting. 10.12.21.4 Ethernet OAM Supported Features The GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards support the following Ethernet OAM features as per the IEEE 802.3ah standard: • DLP-G639 Enable or Disable EFM for Each Port Using CTC • DLP-G640 Configure EFM Parameters Using CTC • DLP-G641 Configure EFM Link Monitoring Parameters Using CTC • DLP-G642 Enable Remote Loopback for Each Port Using CTC See the Cisco ONS 15454 DWDM Procedure Guide for information on these procedures. 10.12.21.5 Ethernet OAM Limitations and Restrictions The Ethernet OAM on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards has the following limitations and restrictions: • CFM, REP, link integrity, LACP, FAPS, IGMP on SVLAN and L2 1+1 protection are not supported with EFM. • IEEE EFM MIB is not supported. • EFM cannot be enabled or disabled at the card level. • Unidirectional functionality is not supported. • Errored Symbol Period, Rx CRC errors, Tx CRC errors are not supported. • OAM PDUs are limited to 1 frame per second. • Dying Gasp and critical events are not supported.10-93 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards Note Dying Gasp RFI is not generated on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. However, if the peer device sends a dying gasp RFI, the card detects it and raises an alarm. 10.12.22 Resilient Ethernet Protocol The Resilient Ethernet Protocol (REP) is a protocol used to control network loops, handle link failures, and improve convergence time. REP performs the following tasks: • Controls a group of ports connected in a segment. • Ensures that the segment does not create any bridging loops. • Responds to link failures within the segment. • Supports VLAN load balancing. For information on interaction of REP with other protocols, see the 10.12.2 Protocol Compatibility list. 10.12.22.1 REP Segments A REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of regular segment ports and two edge ports. A GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card can have up to 2 ports that belong to the same segment, and each segment port can have only one external neighbor port. A segment protects only against a single link failure. Any more failures within the segment result in loss of connectivity. 10.12.22.2 Characteristics of REP Segments REP segments have the following characteristics: • If all the ports in the segment are operational, one port blocks traffic for each VLAN. If VLAN load balancing is configured, two ports in the segment control the blocked state of VLANs. • If any port in the segment is not operational, all the other operational ports forward traffic on all VLANs to ensure connectivity. • In case of a link failure, the alternate ports are immediately unblocked. When the failed link comes up, a logically blocked port per VLAN is selected with minimal disruption to the network. 10.12.22.3 REP Port States Ports in REP segments take one of three roles or states: Failed, Open, or Alternate. • A port configured as a regular segment port starts as a failed port. • When the neighbor adjacencies are determined, the port transitions to the alternate port state, blocking all the VLANs on the interface. Blocked port negotiations occur and when the segment settles, one blocked port remains in the alternate role and all the other ports become open ports. • When a failure occurs in a link, all the ports move to the failed state. When the alternate port receives the failure notification, it changes to the open state, forwarding all VLANs.10-94 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards 10.12.22.4 Link Adjacency Each segment port creates an adjacency with its immediate neighbor. Link failures are detected and acted upon locally. If a port detects a problem with its neighbor, the port declares itself non-operational and REP converges to a new topology. REP Link Status Layer (LSL) detects its neighbor port and establishes connectivity within the segment. All VLANs are blocked on an interface until the neighbor port is identified. After the neighbor port is identified, REP determines the neighbor port that must be the alternate port and the ports that must forward traffic. Each port in a segment has a unique port ID. When a segment port starts, the LSL layer sends packets that include the segment ID and the port ID. A segment port does not become operational if the following conditions are satisfied: • No neighbor port has the same segment ID or more than one neighbor port has the same segment ID. • The neighbor port does not acknowledge the local port as a peer. 10.12.22.5 Fast Reconvergence REP runs on a physical link and not on per VLAN. Only one hello message is required for all VLANs that reduces the load on the protocol. REP Hardware Flood Layer (HFL) is a transmission mechanism that floods packets in hardware on an admin VLAN. HFL avoids the delay that is caused by relaying messages in software. HFLis used for fast reconvergence in the order of 50 to 200 milliseconds. 10.12.22.6 VLAN Load Balancing You must configure two edge ports in the segment for VLAN load balancing. One edge port in the REP segment acts as the primary edge port; the other edge port as the secondary edge port. The primary edge port always participates in VLAN load balancing in the segment. VLAN load balancing is achieved by blocking certain VLANs at a configured alternate port and all the other VLANs at the primary edge port. 10.12.22.7 REP Configuration Sequence You must perform the following tasks in sequence to configure REP: • Configure the REP administrative VLAN or use the default VLAN 1. The range of REP admin VLAN is 1 to 4093. VLAN 4094 is not allowed. • Add ports to the segment in interface configuration mode. • Enable REP on ports and assign a segment ID to it. REP is disabled on all ports by default. The range of segment ID is 1 to 1024. • Configure two edge ports in the segment; one port as the primary edge port and the other as the secondary edge port. • If you configure two ports in a segment as the primary edge port, for example, ports on different switches, REP selects one of the ports to serve as the primary edge port based on port priority. The Primary option is enabled only on edge ports. • Configure the primary edge port to send segment topology change notifications (STCNs) and VLAN load balancing to another port or to other segments. STCNs and VLAN load balancing configurations are enabled only for edge ports.10-95 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE Cards Note A port can belong to only one segment. Only two ports can belong to the same segment. Both the ports must be either regular ports or edge ports. However, if the No-neighbor port is configured, one port can be an edge port and another port can be a regular port. 10.12.22.8 REP Supported Interfaces REP supports the following interfaces: • REP is supported on client (UNI) and trunk (NNI) ports. • Enabling REP on client ports allows protection at the access or aggregation layer when the cards are connected to the L2 network. • Enabling REP on trunk ports allows protection at the edge layer when the cards are connected in a ring. 10.12.22.9 REP Limitations and Restrictions The REP on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards has the following limitations and restrictions: • Fast re-convergence and VLAN load balancing are not supported on UNI ports in transparent mode. • Native VLAN is not supported. • CFM, EFM, link integrity, LACP, FAPS, and L2 1+1 protection are not supported on ports that are configured as part of REP segment and vice versa. • NNI ports cannot be configured as the primary edge port or blocking port at the access or aggregation layer. • Only three REP segments can be configured on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards. • Consider the following configuration: More than one REP closed segment is configured on the GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards and the same HFL admin VLAN is enabled on the switches. If two different segments are configured on more than one common switch, the following consequences happen. – Layer 1 loop – Flooding of HFL packets across segments if one REP segment fails – Segment goes down due to LSL time out even if the segment does not have faults Hence, it is recommended not to configure two different segments on more than one common switch. • Consider the following configuration: – VLAN Load Balancing is configured on GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards by specifying the VLB preempt delay. – Primary and secondary edge ports are configured on the same switch. – HFL or LSL is activated. This configuration leads to high convergence time during manual premption, VLB activation, and deactivation (400 to 700 milliseconds).10-96 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card 10.13 ADM-10G Card The ADM-10G card operates on ONS 15454 SONET, ONS 15454 SDH, ONS 15454 M2, ONS 15454 M6, and DWDM networks to carry optical signals and Gigabit Ethernet signals over DWDM wavelengths for transport. The card aggregates lower bit-rate client SONET or SDH signals (OC-3/STM-1, OC-12/STM-4, OC-48/STM-16, or Gigabit Ethernet) onto a C-band tunable DWDM trunk operating at a higher OC-192/STM-64 rate. In a DWDM network, the ADM-10G card transports traffic over DWDM by mapping Gigabit Ethernet and SONET or SDH circuits onto the same wavelength with multiple protection options. You can install and provision the ADM-10G card in a linear configuration in: • Slots 1 to 5 and 12 to 16 in standard and high-density ONS 15454 ANSI shelves (15454-SA-ANSI or 15454-SA-HD), the ETSI ONS 15454 standard shelf assembly, or the ONS 15454 ETSI high-density shelf assembly • Slot 2 in ONS 15454 M2 chassis • Slots 2 to 6 in ONS 15454 M6 chassis Caution Fan-tray assembly 15454E-CC-FTA (ETSI shelf)/15454-CC-FTA (ANSI shelf) must be installed in a shelf where the ADM-10G card is installed. The card is compliant with ITU-T G.825 and ITU-T G.783 for SDH signals. It supports concatenated and nonconcatenated AU-4 mapped STM-1, STM-4, and STM-16 signals as specified in ITU-T G.707. The card also complies with Section 5.6 of Telcordia GR-253-CORE and supports synchronous transport signal (STS) mapped OC-3, OC-12, and OC-48 signals as specified in the standard. The client SFP and trunk XFP are compliant with interface requirements in Telcordia GR-253-CORE, ITU-T G.957 and/or ITU-T G.959.1, and IEEE 802.3. 10.13.1 Key Features The ADM-10G card has the following high-level features: • Operates with the TCC2, TCC2P, TCC3, TNC, or TSC. • Interoperable with TXP_MR_10E, TXP_MR_10E_C, TXP_MR_10EX_C, and OTU2_XP cards. • Has built-in OC-192/STM-64 add/drop multiplexing function including client, trunk, and STS cross-connect. • Supports both single-card and double-card (ADM-10G peer group) configuration. • Supports path protection/SNCP on client and trunk ports for both single-card and double-card configuration. The card does not support path protection/SNCP between a client port and a trunk port. Path protection/SNCP is supported only between two client ports or two trunk ports. • Supports 1+1 protection on client ports for double-card configuration only. • Supports SONET, SDH, and Gigabit Ethernet protocols on client SFPs. • Supports XFP DWDM trunk interface single wavelengths. • Returns zero bit errors when a TCC2/TCC2P/TCC3/TNC/TSC card switches from active to standby or when manual or forced protection switches occur. • Has 16 SFP-based client interfaces (gray, colored, coarse wavelength division multiplexing (CWDM), and DWDM optics available).10-97 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card • Supports STM1, STM4, STM16, and Gigabit Ethernet client signals (8 Gigabit Ethernet maximum). • Has one XFP-based trunk interface supporting E-FEC/FEC and ITU-T G.709 for double-card configuration. • Has two XFP-based trunk interface supporting E-FEC/FEC and ITU-T G.709 for single-card configuration. • Has two SR XFP interlink interfaces supporting redundancy connection with protection board and pass-through traffic for double-card configuration. • Supports frame-mapped generic framing procedure (GFP-F) and LEX mapping for Ethernet over SONET or SDH. • Can be installed or pulled from operation, in any slot, without impacting other service cards in the shelf. • Supports client to client hairpinning, that is, creation of circuits between two client ports for both single-card and double-card configuration. See the “10.13.11 Circuit Provisioning” section on page 10-104 for more detailed information. 10.13.2 ADM-10G POS Encapsulation, Framing, and CRC The ADM-10G card supports Cisco EoS LEX (LEX) and generic framing procedure framing (GFP-F) encapsulation on 8 POS ports corresponding to 8 GigE ports (Port 1 to Port 8) in both single-card and double-card (ADM-10G peer group) configuration. You can provision framing on the ADM-10G card as either the default GFP-F or LEX framing. With GFP-F framing, you can configure a 32-bit cyclic redundancy check (CRC) or none (no CRC) (the default). LEX framing supports 16-bit or 32-bit CRC configuration. The framing type cannot be changed when there is a circuit on the port. On the CTC, navigate to card view and click the Provisioning > Line> Ethernet Tab. To see the various parameters that can be configured on the ethernet ports, see “CTC Display of ethernet Port Provisioning Status”. Parameters such as, admin state, service state, framing type, CRC, MTU and soak time for a port can be configured. It is possible to create an end-to-end circuit between equipment supporting different kinds of encapsulation (for example, LEX on one side and GFP-F on other side). But, under such circumstances, traffic does not pass through, and an alarm is raised if there is a mismatch. 10.13.2.1 POS Overview Ethernet data packets need to be framed and encapsulated into a SONET/SDH frame for transport across the SONET/SDH network. This framing and encapsulation process is known as packet over SONET/SDH (POS). The Ethernet frame comes into the ADM-10G card on a standard Gigabit Ethernet port and is processed through the card’s framing mechanism and encapsulated into a POS frame. When the POS frame exits, the ADM-10G card is in a POS circuit, and this circuit is treated as any other SONET circuit (STS) or SDH circuit (VC) in the ONS node. It is cross-connected and rides the SONET/SDH signal out the port of an optical card and across the SONET/SDH network. The destination of the POS circuit is a card or a device that supports the POS interface. Data packets in the destination card frames are removed and processed into ethernet frames. The Ethernet frames are then sent to a standard Ethernet port of the card and transmitted onto an Ethernet network.10-98 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card 10.13.2.2 POS Framing Modes A POS framing mode is the type of framing mechanism employed by the ADM-10G card to frame and encapsulate data packets into a POS signal. These data packets were originally encapsulated in Ethernet frames that entered the standard Gigabit Ethernet interface of the ADM-10G card. 10.13.2.2.1 GFP-F Framing The GFP-F framing represent standard mapped Ethernet over GFP-F according to ITU-T G.7041. GFP-F defines a standard-based mapping of different types of services onto SONET/SDH. GFP-F maps one variable length data packet onto one GFP packet. GFP-F comprises of common functions and payload specific functions. Common functions are those shared by all payloads. Payload-specific functions are different depending on the payload type. GFP-F is detailed in the ITU recommendation G.7041. 10.13.2.2.2 LEX Framing LEX encapsulation is a HDLC frame based Cisco Proprietary protocol, where the field is set to values specified in Internet Engineering Task Force (IETF) RFC 1841. HDLC is one of the most popular Layer 2 protocols. The HDLC frame uses the zero insertion/deletion process (commonly known as bit stuffing) to ensure that the bit pattern of the delimiter flag does not occur in the fields between flags. The HDLC frame is synchronous and therefore relies on the physical layer to provide a method of clocking and synchronizing the transmission and reception of frames. The HDLC framing mechanism is detailed in the IETF’s RFC 1662, “PPP in HDLC-like Framing.” 10.13.2.3 GFP Interoperability The ADM-10G card defaults to GFP-F encapsulation that is compliant with ITU-T G.7041. This mode allows the card to operate with ONS 15310-CL, ONS 15310-MA, ONS 15310-MA SDH, or ONS 15454 data cards (for example, ONS 15454 CE100T-8 or ML1000-2 cards). GFP encapsulation also allows the ADM-10G card to interoperate with other vendors Gigabit Ethernet interfaces that adhere to the ITU-T G.7041 standard. 10.13.2.4 LEX Interoperability The LEX encapsulation is compliant with RFC 1841. This mode allows the card to operate with ONS 15310-CL, ONS 15310-MA, ONS 15310-MA SDH, or ONS 15454 data cards (for example, G1000-4/G1K-4 cards, CE-1000-4, ONS 15454 CE100T-8 or ML1000-2 cards). 10.13.3 Faceplate Figure 10-31 shows the ADM-10G card faceplate.10-99 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Figure 10-31 ADM-10G Card Faceplate and Block Diagram 10.13.4 Port Configuration Rules ADM-10G card client and trunk port capacities are shown in Figure 10-32. FAIL ACT SF ADM-10G ILK1 TRK2/ILK2 TRK1 12 11 10 9 8 7 654 3 2 1 TX RX TX RX TX RX 16 15 14 13 TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX TX RX COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JULY 26, 2001 SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP 10G SONET/SDH framer-pointer processor 10xGE MAC 10G GFP-over SONET/SDH framer 10G SONET/SDH framer-pointer processor 2 G.709-FEC framer 1 G.709-FEC framer 2 XFP DWDM TRUNK ILK XFP ILK XFP VCAT RLDR switch CPU-Core SCL FPGA alarm cpld alarm cpld Main board Daughter card 4 x OC48/STM16 4 x OC3/OC12 or 4 x STM1/STM4 12 x OC3/OC12 or 12 x STM1/STM4 10G SONET/SDH framer-pointer processor 3 10G SONET/SDH framer-pointer processor 4 13 SFP 14 15 16 12 11 10 9 8 7 6 5 4 3 2 1 SFP SFP SFP switch STS-1 cross-connect HAZARD LEVEL 1 250482 19 17 1810-100 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Figure 10-32 ADM-10G Card Port Capacities Port 17 acts as trunk2 or ILK1 interface based on single-card or double-card configuration. 10.13.5 Client Interfaces The ADM-10G card uses LC optical port connectors and, as shown in Figure 10-32, supports up to 16 SFPs that can be utilized for OC-N/STM-N traffic. Eight of the SFPs can be used for Gigabit Ethernet. The interfaces can support any mix of OC-3/STM-1, OC-12/STM-4, OC-48/STM-16, or Gigabit Ethernet of any reach, such as SX, LX, ZX, SR, IR, or LR. The interfaces support a capacity of: • 4 x OC-48/STM-16 • 16 x OC-12/STM-4 • 16 x OC-3/STM-1 • 8 x GE The supported client SFPs and XFPs are: • Gray SFPs – 1000Base-SX SFP 850 nm (ONS-SE-G2F-SX=) – 1000Base-LX SFP 1310 nm (ONS-SE-G2F-LX=) – OC48/STM16 IR1, OC12/STM4 SR1, OC3/STM1 SR1, GE-LX multirate SFP 1310 nm (ONS-SE-Z1=) – OC3/STM1 IR1, OC12/STM4 IR1 multirate SFP 1310 nm (ONS-SI-622-I1=) – OC48/STM16 SR1 SFP 1310 nm (ONS-SI-2G-S1=) – OC48/STM16 IR1 SFP 1310 nm (ONS-SI-2G-I1=) – OC48/STM16, 1550 LR2, SM LC (ONS-SE-2G-L2=) GE G r ay SFP 1 13 14 15 16 ILK1/ TRK2(17) ILK2/ TRK2(18) TRK1 (19) 2 3 4 5 6 7 8 9 10 11 12 GE G r ay SFP GE G r ay SFP GE OC48/OC12/OC3 OC48/OC12/OC3 OC48/OC12/OC3 OC48/OC12/OC3 STM16/STM4/STM1 STM16/STM4/STM1 STM16/STM4/STM1 STM16/STM4/STM1 G r ay SFP G r ay SFP G r ay XFP *Gray/ DWDM XFP D WDM XFP O TU2/OC192/STM64 *OTU2/OC192/STM64 G r ay SFP G r ay SFP G r ay SFP GE G r ay SFP GE G r ay SFP GE G r ay SFP GE G r ay SFP or or or or or or or or or or or or or or or or or or or or G r ay SFP G r ay SFP G r ay SFP OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 OC12/OC3 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 STM4/STM1 G r ay SFP OC192/STM64 243481 *DWDM XFP and OTU2 is supported only when Port 18 is configured as a trunk interface. 10-101 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card • Colored DWDM SFPs – 1000Base-ZX SFP 1550 nm (ONS-SI-GE-ZX=) – OC3/STM1 LR2 SFP 1550 nm (ONS-SI-155-L2=) – OC48/STM16 LR2 SFP 1550 nm (ONS-SI-2G-L2=) – OC48/STM16 SFP (ONS-SC-2G-xx.x) Note xx.x = 28.7 to 60.6. ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later. • CWDM SFPs – OC48/STM16/GE CWDM SFP (ONS-SC-Z3-xxxx) • XFPs – OC-192/STM-64/10GE XFP 1550 nm (ONS-XC-10G-I2) 10.13.6 Interlink Interfaces Two 2R interlink interfaces, called ILK1 (Port 17) and ILK2 (Port 18), are provided for creation of ADM-10G peer groups in double-card configurations. In a single-card configuration, Port 17 (OC-192/STM-64) and Port 18 (OC-192/STM-64 or OTU2 payload) must be configured as trunk interfaces. In a double-card configuration (ADM-10G peer group), Ports 17 and 18 must be configured as ILK1 and ILK2 interfaces, respectively. Physically cabling these ports between two ADM-10G cards, located on the same shelf, allows you to configure them as an ADM-10G peer group.The ILK ports carry 10 Gb of traffic each. The interlink interfaces support STM64 SR1 (ONS-XC-10G-S1=) and 10GE BASE SR (ONS-XC-10G-SR-MM=) XFPs. 10.13.7 DWDM Trunk Interface The ADM-10G card supports OC-192/STM-64 signal transport and ITU-T G.709 digital wrapping according to the ITU-T G.709 standard.The ADM-10G card supports three trunk XFPs: • Two DWDM trunks, and one trunk interface in a single-card configuration. • One DWDM trunk XFP in a double-card configuration. The supported DWDM trunk XFPs are: • 10G DWDM (ONS-XC-10G-xx.x=) (colored XFP) • STM64 SR1 (ONS-XC-10G-S1=) (gray XFP) 10.13.8 Configuration Management When using OC-48/STM-16 traffic, some contiguous port configurations, listed in Table 10-42, are unavailable due to hardware limitations. This limitation does not impact the Gigabit Ethernet payload.10-102 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Note The ADM-10G card cannot be used in the same shelf with SONET or SDH cross-connect cards. Note The total traffic rate for each trunk cannot exceed OC-192/STM-64 on each ADM-10G card, or for each ADM-10G peer group. Note Gigabit Ethernet is supported on Ports 1 through 8. Ports 9 through Port 12 support only OC-3/STM-1 or OC-12/STM-4. Additionally, the following guidelines apply to the ADM-10G card: • Trunk Port 17 supports OC-192/STM-64. • Trunk Ports 18 and 19 support OC-192/STM-64 and OTU2. • The interlink port supports OC-192/STM-64. • Up to six ADM-10G cards can be installed in one shelf. • Up to 24 ADM-10G cards can be installed per network element (NE) regardless of whether the card is installed in one shelf or in multiple shelves. • The card can be used in all 15454-SA-ANSI and 15454-SA-HD shelves as well as ETSI ONS 15454 standard and high-density shelves. • A lamp test function can be activated from CTC to ensure that all LEDs are functional. • The card can operate as a working protected or working nonprotected card. • In a redundant configuration, an active card hardware or software failure triggers a switch to the standby card. This switch is detected within 10 ms and is completed within 50 ms. • ADM-10G cards support jumbo frames with MTU sizes of 64 to 9,216 bytes; the maximum is 9,216. • After receiving a link or path failure, the ADM-10G card can shut down only the downstream Gigabit Ethernet port. Note In ADM-10G cards, the Gigabit Ethernet port does not support flow control. Table 10-42 OC-48/STM-16 Configuration Limitations OC-48/STM-16 Port Number Ports Restricted from Optical Traffic OC-48/STM-16 on Port 13 No OC-N/STM-N on Port 1 through Port 3 OC-48/STM-16 on Port 14 No OC-N/STM-N on Port 4 through Port 6 OC-48/STM-16 on Port 15 No OC-N/STM-N on Port 7 through Port 9 OC-48/STM-16 on Port 16 No OC-N/STM-N on Port 10 through Port 1210-103 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card 10.13.9 Security The ADM-10G card that an SFP or XFP is plugged into implements the Cisco Standard Security Code Check Algorithm that keys on the vendor ID and serial number. If a pluggable port module (PPM) is plugged into a port on the card but fails the security code check because it is not a Cisco PPM, a minor NON-CISCO-PPM alarm is raised. If a PPM with a nonqualified product ID is plugged into a port on this card—that is, the PPM passes the security code as a Cisco PPM but it has not been qualified for use on the ADM-10G card— a minor UNQUAL-PPM alarm is raised. 10.13.10 Protection The ADM-10G card supports 1+1 and SONET path protection and SDH SNCP protection architectures in compliance with Telcordia GR-253-CORE, Telcordia GR-1400-CORE, and ITU-T G.841 specifications. 10.13.10.1 Circuit Protection Schemes The ADM-10G card supports path protection/SNCP circuits at the STS/VC4 (high order) level and can be configured to switch based on signal degrade calculations. The card supports path protection/SNCP on client and trunk ports for both single-card and double-card configuration. Note The ADM-10G card supports path protection/SNCP between client ports and trunk port 17. The card does not support path protection/SNCP between client ports and trunk ports 18 or 19. The card does not support path protection/SNCP between port 17 and trunk ports 18 and 19. The card allows open-ended path protection/SNCP configurations incorporating other vendor equipment. In an open-ended path protection/SNCP, you can specify one source point and two possible endpoints (or two possible source points and one endpoint) and the legs can include other vendor equipment. The source and endpoints are part of the network discovered by CTC. For detailed information about path protection configurations and SNCPs, refer to the Cisco ONS 15454 Reference Manual. 10.13.10.2 Port Protection Schemes The ADM-10G card supports unidirectional and bidirectional 1+1 APS protection schemes on client ports for double-card configuration (ADM-10G peer group) only. 1+1 APS protection scheme is not supported in single-card configuration. For 1+1 optical client port protection, you can configure the system to use any pair of like facility interfaces that are on different cards of the ADM-10G peer group. For information on optical port protection, refer to the Cisco ONS 15454 Reference Manual. 10.13.10.3 Flexible Protection Mechanism The ADM-10G card can be provisioned as unidirectional path switched ring (UPSR2 ) or subnetwork connection protection (SNCP) on both Trunk and client side. UPSR or SNCP is supported both in single and double card operation. The ADM-10G card supports up to 288 unprotected high-order (HO) cross connect circuits and up to 192 protected (UPSR or SNCP) per card, resulting in 1728/1152 HO cross 10-104 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card connect circuits per shelf. The HO cross connect circuits provide grooming capabilities for STS level connections, such as STS-1, STS-3c, STS-9c, STS-12c, and STS-24c (CCAT or VCAT) with STS1 level granularity. When installed in a typical central-office bay assembly, a shelf can support up to 5178/3456 HO bidirectional cross connect circuits. 10.13.11 Circuit Provisioning The ADM-10G card supports STS circuit provisioning both in single-card and double-card (ADM-10G peer group) configuration. The card allows you to create STS circuits between: • Client and trunk ports • Two trunk ports • Two client ports (client-to-client hairpinning) Note Circuits between two trunk ports are called pass-through circuits. For an ADM-10G card in single-card configuration, if you are creating STS circuits between two client ports, the following limitation must be considered: • Gigabit Ethernet to Gigabit Ethernet connections are not supported. For an ADM-10G card that is part of an ADM-10G peer group, if you are creating STS circuits between two client ports or between client and trunk ports, the following limitations must be considered: • Gigabit Ethernet to Gigabit Ethernet connections are not supported. • Optical channel (OC) to OC, OC to Gigabit Ethernet, and Gigabit Ethernet to OC connections between two peer group cards are supported. Peer group connections use interlink port bandwidth, hence, depending on the availability/fragmentation of the interlink port bandwidth, it may not be possible to create an STS circuit from the Gigabit Ethernet/OC client port to the peer card trunk port. This is because, contiguous STSs (that is, STS-3c, STS-12c, STS-24c, and so on) must be available on the interlink port for circuit creation. Note There are no limitations to create an STS circuit between two trunk ports. 10.13.12 ADM-10G CCAT and VCAT Characteristics The ADM-10G card supports high-order (HO) contiguous concatenation (CCAT) and HO virtual concatenation (VCAT) circuits on 8 GigE ports (Port 1 to Port 8) in both single-card and double-card (ADM-10G peer group) configuration. To enable end-to-end connectivity in a VCAT circuit that traverses through a third-party network, you can use Open-Ended VCAT circuit creation. For more details, refer to the “Create Circuits and Provisionable Patchcords” chapter in the Cisco ONS 15454 Procedure Guide. The ADM-10G card supports flexible non-LCAS VCAT groups (VCGs). With flexible VCGs, the ADM-10G can perform the following operations: 2. The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco’s path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration. 10-105 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card • Add or remove members from groups • Put members into or out of service, which also adds/removes them from the group • Add or remove cross-connect circuits from VCGs Any operation on the VCG member is service effecting (for instance, adding or removing members from the VCG). Adding or removing cross-connect circuits is not service-affecting, if the associated members are not in the group The ADM-10G card allows independent routing and protection preferences for each member of a VCAT circuit. You can also control the amount of VCAT circuit capacity that is fully protected, unprotected, or uses Protection Channel Access (PCA) (when PCA is available). Alarms are supported on a per-member as well as per virtual concatenation group (VCG) basis. The ADM-10G card supports both automatic and manual routing for VCAT circuit, that is, all members are manually or automatically routed. Bidirectional VCAT circuits are symmetric, which means that the same number of members travel in each direction. With automatic routing, you can specify the constraints for individual members; with manual routing, you can select different spans for different members. Two types of automatic and manual routing are available for VCAT members: common fiber routing and split routing. The ADM-10G card supports VCAT common fiber routing and VCAT split fiber (diverse) routing. With VCAT split fiber routing, each member can be routed independently through the SONET or SDH or DWDM network instead of having to follow the same path as required by CCAT and VCAT common fiber routing. This allows a more efficient use of network bandwidth, but the different path lengths and different delays encountered may cause slightly different arrival times for the individual members of the VCG. The VCAT differential delay is this relative arrival time measurement between members of a VCG. The maximum tolerable VCAT split fiber routing differential delay for the ADM-10G card is approximately 55 milliseconds. A loss of alignment alarm is generated if the maximum differential delay supported is exceeded. The differential delay compensation function is automatically enabled when you choose split fiber routing during the CTC circuit configuration process. CCAT and VCAT common fiber routing do not enable or need differential delay support. Caution Protection switches with switching time of less than 60 milliseconds are not guaranteed with the differential delay compensation function enabled. The compensation time is added to the switching time. Note For TL1, EXPBUFFERS parameter must be set to ON in the ENT-VCG command to enable support for split fiber routing. Available Circuit Sizes Table 10-43 and Table 10-44 show the circuit sizes available for the ADM-10G card. Table 10-43 Supported SONET Circuit Sizes of ADM-10G card on ONS 15454 CCAT VCAT High Order STS-1 STS-1-1nV (n= 1 to 21) STS-3c STS-3c-mv (m= 1 to 7) STS-6c10-106 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card 10.13.13 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. Intermediate Path Performance Monitoring Intermediate path performance monitoring (IPPM) allows a node to monitor the constituent channel of an incoming transmission signal. You can enable IPPM for STS/VC-4s payload on OCn and Trunk ports of ADM-10G card. The IPPM is complaint with GR253/G.826. Software Release 9.2 and higher enables the ADM-10G card to monitor the near-end and far-end PM data on individual STS/VC-4 payloads by enabling IPPM. After provisioning IPPM on the card, service providers can monitor large amounts of STS/VC-4 traffic through intermediate nodes, thus making troubleshooting and maintenance activities more efficient. IPPM occurs only on STS/VC-4 paths that have IPPM enabled, and TCAs are raised only for PM parameters on the selected IPPM paths. For a CCAT circuit, you can enable IPPM only on the first STS/VC-4 of the concatenation group. For a VCAT circuit, you can enable IPPM independently on each member STS/VC-4 of the concatenation group. Pointer Justification Count Performance Monitoring Pointers are used to compensate for frequency and phase variations. Pointer justification counts indicate timing errors on SONET networks. When a network is out of synchronization, jitter and wander occur on the transported signal. Excessive wander can cause terminating equipment to slip. STS-9c STS-12c STS-24c Table 10-44 Supported SDH Circuit Sizes of ADM-10G card on ONS 15454 SDH CCAT VCAT High Order VC-4 VC-4-mv (m= 1 to 7) VC-4-2c VC-4-3c VC-4-4c VC-4-8c Table 10-43 Supported SONET Circuit Sizes of ADM-10G card on ONS 15454 CCAT VCAT High Order10-107 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Slips cause different effects in service. Voice service has intermittent audible clicks. Compressed voice technology has short transmission errors or dropped calls. Fax machines lose scanned lines or experience dropped calls. Digital video transmission has distorted pictures or frozen frames. Encryption service loses the encryption key, causing data to be transmitted again. Pointers provide a way to align the phase variations in STS and VC4 payloads. The STS payload pointer is located in the H1 and H2 bytes of the line overhead. Clocking differences are measured by the offset in bytes from the pointer to the first byte of the STS synchronous payload envelope (SPE) called the J1 byte. Clocking differences that exceed the normal range of 0 to 782 can cause data loss. There are positive (PPJC) and negative (NPJC) pointer justification count parameters. PPJC is a count of path-detected (PPJC-PDET-P) or path-generated (PPJC-PGEN-P) positive pointer justifications. NPJC is a count of path-detected (NPJC-PDET-P) or path-generated (NPJC-PGEN-P) negative pointer justifications depending on the specific PM name. PJCDIFF is the absolute value of the difference between the total number of detected pointer justification counts and the total number of generated pointer justification counts. PJCS-PDET-P is a count of the one-second intervals containing one or more PPJC-PDET or NPJC-PDET. PJCS-PGEN-P is a count of the one-second intervals containing one or more PPJC-PGEN or NPJC-PGEN. A consistent pointer justification count indicates clock synchronization problems between nodes. A difference between the counts means that the node transmitting the original pointer justification has timing variations with the node detecting and transmitting this count. Positive pointer adjustments occur when the frame rate of the SPE is too slow in relation to the rate of the STS-1. You must enable PPJC and NPJC performance monitoring parameters for ADM-10Gcard. In CTC, the count fields for PPJC and NPJC PMs appear white and blank unless they are enabled on the card view Provisioning tab. Performance Monitoring Parameter Definitions This section describes the STS and VC-4 path performance monitoring parameters that ADM-10G card support. Table 10-45 lists the STS near-end path performance monitoring parameters. Table 10-45 STS Near-end Path Performance Monitoring Parameters Parameter Definition CV-P Near-End STS Path Coding Violations (CV-P) is a count of BIP errors detected at the STS path layer (that is, using the B3 byte). Up to eight BIP errors can be detected per frame; each error increments the current CV-P second register. ES-P Near-End STS Path Errored Seconds (ES-P) is a count of the seconds when at least one STS path BIP error was detected. An AIS Path (AIS-P) defect (or a lower-layer, traffic-related, near-end defect) or a Loss of Pointer Path (LOP-P) defect can also cause an ES-P. SES-P Near-End STS Path Severely Errored Seconds (SES-P) is a count of the seconds when K (2400) or more STS path BIP errors were detected. An AIS-P defect (or a lower-layer, traffic-related, near-end defect) or an LOP-P defect can also cause an SES-P. 10-108 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Table 10-46 gives the VC-4 near-end path performance monitoring parameters definition that ADM-10G card support. UAS-P Near-End STS Path Unavailable Seconds (UAS-P) is a count of the seconds when the STS path was unavailable. An STS path becomes unavailable when ten consecutive seconds occur that qualify as SES-Ps, and continues to be unavailable until ten consecutive seconds occur that do not qualify as SES-Ps. FC-P Near-End STS Path Failure Counts (FC-P) is a count of the number of near-end STS path failure events. A failure event begins when an AIS-P failure, an LOP-P failure, a UNEQ-P failure, or a Section Trace Identifier Mismatch Path (TIM-P) failure is declared. A failure event also begins if the STS PTE that is monitoring the path supports Three-Bit (Enhanced) Remote Failure Indication Path Connectivity (ERFI-P-CONN) for that path. The failure event ends when these failures are cleared. PPJC-PDET-P Positive Pointer Justification Count, STS Path Detected (PPJC-PDET-P) is a count of the positive pointer justifications detected on a particular path in an incoming SONET signal. PPJC-PGEN-P Positive Pointer Justification Count, STS Path Generated (PPJC-PGEN-P) is a count of the positive pointer justifications generated for a particular path to reconcile the frequency of the SPE with the local clock. NPJC-PDET-P Negative Pointer Justification Count, STS Path Detected (NPJC-PDET-P) is a count of the negative pointer justifications detected on a particular path in an incoming SONET signal. NPJC-PGEN-P Negative Pointer Justification Count, STS Path Generated (NPJC-PGEN-P) is a count of the negative pointer justifications generated for a particular path to reconcile the frequency of the SPE with the local clock. PJCDIFF-P Pointer Justification Count Difference, STS Path (PJCDIFF-P) is the absolute value of the difference between the total number of detected pointer justification counts and the total number of generated pointer justification counts. That is, PJCDiff-P is equal to (PPJC-PGEN-P - NPJC-PGEN-P) - (PPJC-PDET-P - NPJC-PDET-P). PJCS-PDET-P Pointer Justification Count Seconds, STS Path Detect (NPJCS-PDET-P) is a count of the one-second intervals containing one or more PPJC-PDET or NPJC-PDET. PJCS-PGEN-P Pointer Justification Count Seconds, STS Path Generate (PJCS-PGEN-P) is a count of the one-second intervals containing one or more PPJC-PGEN or NPJC-PGEN. Table 10-45 STS Near-end Path Performance Monitoring Parameters Parameter Definition10-109 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card Table 10-46 VC-4 Near-end Path Performance Monitoring Parameters Parameter Definition HP-EB High-Order Path Errored Block (HP-EB) indicates that one or more bits are in error within a block. HP-BBE High-Order Path Background Block Error (HP-BBE) is an errored block not occurring as part of an SES. HP-ES High-Order Path Errored Second (HP-ES) is a one-second period with one or more errored blocks or at least one defect. HP-SES High-Order Path Severely Errored Seconds (HP-SES) is a one-second period containing 30 percent or more errored blocks or at least one defect. SES is a subset of ES. HP-UAS High-Order Path Unavailable Seconds (HP-UAS) is a count of the seconds when the VC path was unavailable. A high-order path becomes unavailable when ten consecutive seconds occur that qualify as HP-SESs, and it continues to be unavailable until ten consecutive seconds occur that do not qualify as HP-SESs. HP-BBER High-Order Path Background Block Error Ratio (HP-BBER) is the ratio of BBE to total blocks in available time during a fixed measurement interval. The count of total blocks excludes all blocks during SESs. HP-ESR High-Order Path Errored Second Ratio (HP-ESR) is the ratio of errored seconds to total seconds in available time during a fixed measurement interval. HP-SESR High-Order Path Severely Errored Second Ratio (HP-SESR) is the ratio of SES to total seconds in available time during a fixed measurement interval. HP-PPJC-PDET High-Order, Positive Pointer Justification Count, Path Detected (HP-PPJC-Pdet) is a count of the positive pointer justifications detected on a particular path on an incoming SDH signal. HP-NPJC-PDET High-Order, Negative Pointer Justification Count, Path Detected (HP-NPJC-Pdet) is a count of the negative pointer justifications detected on a particular path on an incoming SDH signal. HP-PPJC-PGEN High-Order, Positive Pointer Justification Count, Path Generated (HP-PPJC-Pgen) is a count of the positive pointer justifications generated for a particular path. HP-NPJC-PGEN High-Order, Negative Pointer Justification Count, Path Generated (HP-NPJC-Pgen) is a count of the negative pointer justifications generated for a particular path. HP-PJCDIFF High-Order Path Pointer Justification Count Difference (HP-PJCDiff) is the absolute value of the difference between the total number of detected pointer justification counts and the total number of generated pointer justification counts. That is, HP-PJCDiff is equal to (HP-PPJC-PGen - HP-NPJC-PGen) - (HP-PPJC-PDet - HP-NPJC-PDet).10-110 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards ADM-10G Card 10.13.14 ADM-10G Card-Level Indicators Table 10-47 describes the card-level LEDs on the ADM-10G card. 10.13.15 ADM-10G Card Port-Level Indicators Table 10-48 describes the port-level LEDs on the ADM-10G card. Note Client or trunk ports can each be in active or standby mode as defined in the related section for each specific protection type. For example, fiber-switched protection has active or standby trunk ports; 1+1 APS protection has active or standby client ports, and client 1+1 protection does not utilize active or standby ports. HP-PJCS-PDET High-Order Path Pointer Justification Count Seconds (HP-PJCS-PDet) is a count of the one-second intervals containing one or more HP-PPJC-PDet or HP-NPJC-PDet. HP-PJCS-PGEN High-Order Path Pointer Justification Count Seconds (HP-PJCS-PGen) is a count of the one-second intervals containing one or more HP-PPJC-PGen or HP-NPJC-PGen. Table 10-46 VC-4 Near-end Path Performance Monitoring Parameters Parameter Definition Table 10-47 ADM-10G Card-Level Indicators Card-Level LED Description ACT LED Green (Active) Amber (Standby) Green indicates that the card is operational (one or both ports active) and ready to carry traffic. Amber indicates that the card is operational and in standby (protect) mode. Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. It the card is inserted in a slot that is preprovisioned for a different card, this LED flashes until a Missing Equipment Attribute (MEA) condition is raised. You might also need to replace the card if the red FAIL LED persists. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER errors on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.10-111 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14 OTU2_XP Card The OTU2_XP card is a single-slot card with four ports with XFP-based multirate (OC-192/STM-64, 10GE, 10G FC, IB_5G) Xponder for the ONS 15454 ANSI and ETSI platforms. The OTU2_XP card supports multiple configurations. Table 10-49 describes the different configurations supported by the OTU2_XP card and the ports that must be used for these configurations. All the four ports are ITU-T G.709 compliant and support 40 channels (wavelengths) at 100-GHz channel spacing in the C-band (that is, the 1530.33 nm to 1561.42 nm wavelength range). The OTU2_XP card can be installed in Slots 1 through 6 or 12 through 17. The OTU2_XP card supports SONET SR1, IR2, and LR2 XFPs, 10GE BASE SR, SW, LR, LW, ER, EW, and ZR XFPs, and 10G FC MX-SN-I and SM-LL-L XFPs. Table 10-48 ADM-10G Card Port-Level LED Indications Port-Level Status Tri-color LED Description The port-level LED is active and unprotected. • If a port is in OOS/locked state for any reason, the LED is turned off. • If a port is in IS/unlocked state and the PPM is preprovisioned or is physically equipped with no alarms, the LED is green. • If a port is in IS state and the PPM is physically equipped but does have alarms, the LED is red. The port-level LED is in standby. • If a port is in OOS/locked state for any reason, the LED is turned off. • If a port is in the IS/unlocked state and the PPM is preprovisioned or is physically equipped with no alarms, the LED is amber. • If a port is in IS state and physically equipped but does have alarms, the LED is red. Table 10-49 OTU2_XP Card Configurations and Ports Configuration Port 1 Port 2 Port 3 Port 4 2 x 10G transponder Client port 1 Client port 2 Trunk port 1 Trunk port 2 2 x 10G standard regenerator (with enhanced FEC (E-FEC) only on one port) Trunk port 1 Trunk port 2 Trunk port 1 Trunk port 2 10 GE LAN Phy to WAN Phy Client port Client port in transponder or trunk port in regenerator configuration Trunk port Trunk port in transponder or regenerator configuration 1 x 10G E-FEC regenerator (with E-FEC on two ports) Not used Not used Trunk port Trunk port 1 x 10G splitter protected transponder Client port Not used Trunk port (working) Trunk port (protect)10-112 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card Caution Fan-tray assembly 15454E-CC-FTA (ETSI shelf)/15454-CC-FTA (ANSI shelf) must be installed in a shelf where the OTU2_XP card is installed. 10.14.1 Key Features The OTU2_XP card has the following high-level features: • 10G transponder, regenerator, and splitter protection capability on the ONS 15454 DWDM platform. • Compatible with the ONS 15454 ANSI high-density shelf assembly, the ETSI ONS 15454 shelf assembly, and the ETSI ONS 15454 high-density shelf assembly. Compatible with TCC2/TCC2P/ TCC3/TNC/TSC cards. • Interoperable with TXP_MR_10E and TXP_MR_10E_C cards. • Four port, multirate (OC-192/STM-64, 10G Ethernet WAN Phy, 10G Ethernet LAN Phy, 10G Fibre Channel, IB_5G) client interface. The client signals are mapped into an ITU-T G.709 OTU2 signal using standard ITU-T G.709 multiplexing. • ITU-T G.709 framing with standard Reed-Soloman (RS) (255,237) FEC. Performance monitoring and ITU-T G.709 Optical Data Unit (ODU) synchronous mapping. Enhanced FEC (E-FEC) with ITU-T G.709 ODU with greater than 8 dB coding gain. • The trunk rate remains the same irrespective of the FEC configuration. The error coding performance can be provisioned as follows:: – FEC—Standard ITU-T G.709. – E-FEC—Standard ITU-T G.975.1 I.7. • IEEE 802.3 frame format supported for 10 Gigabit Ethernet interfaces. The minimum frame size is 64 bytes. The maximum frame size is user-provisionable. • Supports fixed/no fixed stuff mapping (insertion of stuffing bytes) for 10G Ethernet LAN Phy signals (only in transponder configuration). • Supports 10G Ethernet LAN Phy to 10G Ethernet WAN Phy conversion on Ports 1 (client port) and 3 (trunk port). • Supports 10G Ethernet LAN Phy to WAN Phy conversion using CTC and TL1. When enabled on the OTU2_XP card, the first Channel (Ports 1 and 3) supports LAN to WAN conversion. The second channel carries normal 10GE, 10G FC, and OC192/STM64 traffic. • The LAN Phy to WAN Phy conversion functions in accordance to WAN Interface Sublayer (WIS) mechanism as defined by IEEE802.3ae (IEEE Std 802.3ae-2002, Amendment to CSMA/CD). • Default configuration is transponder, with trunk ports configured as ITU-T G.709 standard FEC. • In transponder or regenerator configuration, if one of the ports is configured the corresponding port is automatically created. • In regenerator configuration, only Ports 3 and 4 can be configured as E-FEC. Ports 1 and 2 can be configured only with standard FEC. • When port pair 1-3 or 2-4 is configured as regenerator (that is, card mode is standard regenerator), the default configuration on Ports 3 and 4 is automatically set to standard FEC. • When Ports 3 and 4 are configured as regenerator (that is, card mode is E-FEC regenerator), the default configuration on both these ports is automatically set to E-FEC.10-113 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card • In splitter protected transponder configuration, the trunk ports (Ports 3 and 4) are configured as ITU-T G.709 standard FECor E-FEC. • Supports protection through Y-cable protection scheme. Note When enabled, the 10G Ethernet LAN Phy to WAN Phy conversion feature does not support Y-cable protection on the LAN to WAN interface (ports 1 and 3). • Client ports support SONET SR1, IR2, and LR2 XFPs, 10GE BASE SR, SW, LR, LW, ER, EW, and ZR XFPs, and 10G FC MX-SN-I and SM-LL-L XFPs. • Following are the OTU2 link rates that are supported on the OTU2_XP trunk port: – Standard G.709 (10.70923 Gbps) when the client is provisioned as “SONET” (including 10G Ethernet WAN PHY) (9.95328 Gbps). – G.709 overclocked to transport 10GE as defined by ITU-T G. Sup43 Clause 7.2 (11.0491 Gbps) when the client is provisioned as “10G Ethernet LAN Phy” (10.3125 Gbps) with “No Fixed Stuff” enabled. – G.709 overclocked to transport 10GE as defined by ITU-T G. Sup43 Clause 7.1 (11.0957 Gbps) when the client is provisioned as “10G Ethernet LAN Phy” (10.3125 Gbps) with “No Fixed Stuff” disabled. – G.709 proprietary overclocking mode to transport 10G FC (11.3168 Gbps) when the client is provisioned as “10G Fiber Channel” (10.518 Gbps). – Proprietary rate at the trunk when the client is provisioned as IB_5G. • The MTU setting is used to display the ifInerrors and OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting. 10.14.2 Faceplate and Block Diagram Figure 10-33 shows the OTU2_XP card faceplate and block diagram.10-114 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card Figure 10-33 OTU2_XP Card Faceplate and Block Diagram Note The Swan FPGA is automatically loaded when the LAN Phy to WAN Phy conversion feature is enabled on the OTU2_XP card. The Barile FPGA is automatically loaded when the LAN Phy to WAN Phy conversion feature is disabled on the OTU2_XP card. 241984 SERDES G.709-FEC framer SERDES Barile FPGA SWAN FPGA XFP 1 XFP 3 SERDES G.709-FEC framer SERDES MPC8360 core Power supply Clocking XFP 2 SCL FPGA XFP 410-115 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14.3 OTU2_XP Card-Level Indicators Table 10-50 describes the card-level LEDs on the OTU2_XP card. 10.14.4 OTU2_XP Port-Level Indicators Table 10-51 describes the PPM port-level LEDs on the OTU2_XP card for both client and trunk ports. Note Client or trunk ports can each be in active or standby mode as defined in the related section for each specific protection type. For example, fiber-switched protection has active or standby trunk ports; 1+1 APS protection has active or standby client ports, and client 1+1 protection does not utilize active or standby ports. Table 10-50 OTU2_XP Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. If the card is inserted in a slot that is preprovisioned for a different card, this LED flashes until a Missing Equipment Attribute (MEA) condition is raised. You might also need to replace the card if the red FAIL LED persists. ACT LED Green (Active) If the ACT LED is green, the card is operational (one or more ports active) and ready to carry traffic. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER errors on one or more of the card ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-51 OTU2_XP PPM Port-Level Indicators Port-Level Status Tri-color LED Description The port-level LED is active and unprotected. • If a port is in OOS/locked state for any reason, the LED is turned off. • If a port is in IS/unlocked state and the PPM is preprovisioned or is physically equipped with no alarms, the LED is green. • If a port is in IS state and the PPM is physically equipped but does have alarms, the LED is red. The port-level LED is in standby. • If a port is in OOS/locked state for any reason, the LED is turned off. • If a port is in the IS/unlocked state and the PPM is preprovisioned or is physically equipped with no alarms, the LED is amber. • If a port is in IS state and physically equipped but does have alarms, the LED is red.10-116 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14.5 OTU2_XP Card Interface The OTU2_XP card is a multi-functional card that operates in different configurations, such as transponder, standard regenerator, E-FEC regenerator, and 10G Ethernet LAN Phy to WAN Phy conversion mode. The OTU2_XP card acts as a protected transponder, when the 10G Ethernet LAN Phy to WAN Phy is in splitter protected transponder configuration mode. Depending on the configuration of the OTU2_XP card, the ports act as client or trunk ports (see Table 10-49). This following section describes the client and trunk rates supported on the OTU2_XP card for different card configurations: 10.14.5.1 Client Interface In transponder and 10G Ethernet LAN Phy to WAN Phy card configurations, Ports 1 and 2 act as client ports and in splitter protected transponder configuration, Port 1 acts as a client port. For these card configurations, the client rates supported are: • OC-192/STM-64 • 10G Ethernet WAN Phy • 10G Ethernet LAN Phy • 10G Fibre Channel • IB_5G 10.14.5.2 Trunk Interface In transponder, 10G Ethernet LAN Phy to WAN Phy, and splitter protected transponder card configurations, Ports 3 and 4 act as trunk ports. For these card configurations, the trunk rates supported are: • OC-192/STM-64 • 10G Ethernet WAN Phy • 10G Ethernet LAN Phy • 10G Fibre Channel • OTU2 G.709 • Proprietary rate at the trunk when the client is provisioned as IB_5G. In standard regenerator card configuration, all four ports act as trunk ports and in E-FEC regenerator configuration, Ports 3 and 4 act as the trunk ports. For these card configurations, the trunk rate supported is OTU2 G.709 Note The above mentioned OTU2 signal must be an OC-192/STM-64, 10G Ethernet WAN Phy, 10G Ethernet LAN Phy, or 10G Fibre Channel signal packaged into an OTU2 G.709 frame. Additionally, the standard regenerator and E-FEC regenerator configuration supports an OTU2 signal that is OTU2 has been generated by multiplexing four ODU1 signals.10-117 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14.6 Configuration Management The OTU2_XP card supports the following configuration management parameters: • Card Configuration—Provisionable card configuration: Transponder, Standard Regen, Enhanced FEC, or Mixed, or 10G Ethernet LAN Phy to WAN Phy. • Port Mode—Provisionable port mode when the card configuration is set as Mixed. The port mode can be chosen as either Transponder or Standard Regen for each port pair (1-3 and 2-4). For card configurations other than Mixed, CTC automatically sets the port mode depending on the selected card configuration. For 10G Ethernet LAN Phy to WAN Phy mode, CTC automatically selects the port pair (1-3) as 10G Ethernet LAN Phy to WAN Phy. Port pair (2-4) in 10G Ethernet LAN Phy to WAN Phy mode is selected as Transponder or Standard Regen. • Termination Mode—Provisionable termination mode when the card configuration is set as either Transponder or Mixed. The termination mode can be chosen as Transparent, Section, or Line. For Standard Regen and Enhanced FEC card configurations, CTC automatically sets the termination mode as Transparent. For 10G Ethernet LAN Phy to WAN Phy mode, CTC automatically selects the Termination Mode of port pair (1-3) as Line. You cannot provision the Termination Mode parameter. • AIS/Squelch—Provisionable AIS/Squelch mode configuration when the card configuration is set as either Transponder or Mixed. The termination mode configuration can be chosen as AIS or Squelch. For Standard Regen and Enhanced FEC card configurations, CTC automatically sets the termination mode configuration as AIS. For 10G Ethernet LAN Phy to WAN Phy mode, the CTC automatically selects the AIS/Squelch of port pair (1-3) as Squelch. You cannot provision the AIS/Squelch parameter. Note When you choose the 10G Ethernet LAN Phy to WAN Phy conversion, the Termination mode is automatically set to LINE. The AIS/Squelch is set to SQUELCH and ODU Transparency is set to Cisco Extended Use for Ports 1 and 3. • Regen Line Name—User-assigned text string for regeneration line name. • ODU Transparency—Provisionable ODU overhead byte configuration, either Transparent Standard Use or Cisco Extended Use. See the “10.14.10 ODU Transparency” section on page 10-120 for more detailed information. For 10G Ethernet LAN Phy to WAN Phy mode, CTC automatically selects the ODU Transparency as Cisco Extended Use. You cannot provision the ODU Transparency parameter. • Port name—User-assigned text string. • Admin State/Service State—Administrative and service states to manage and view port status. • ALS Mode—Provisionable ALS function. • Reach—Provisionable optical reach distance of the port. • Wavelength—Provisionable wavelength of the port. • AINS Soak—Provisionable automatic in-service soak period. 10.14.7 OTU2_XP Card Configuration Rules The following rules apply to OTU2_XP card configurations: • When you preprovision the card, port pairs 1-3 and 2-4 come up in the default Transponder configuration.10-118 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card • The port pairs 1-3 and 2-4 can be configured in different modes only when the card configuration is Mixed. If the card configuration is Mixed, you must choose different modes on port pairs 1-3 and 2-4 (that is, one port pair in Transponder mode and the other port pair in Standard Regen mode). • If the card is in Transponder configuration, you can change the configuration to Standard Regen or Enhanced FEC. • If the card is in Standard Regen configuration and you have configured only one port pair, then configuring payload rates for the other port pair automatically changes the card configuration to Mixed, with the new port pair in Transponder mode. • If the card is in Standard Regen configuration, you cannot directly change the configuration to Enhanced FEC. You have to change to Transponder configuration and then configure the card as Enhanced FEC. • If the card is in Enhanced FEC configuration, Ports 1 and 2 are disabled. Hence, you cannot directly change the configuration to Standard Regen or Mixed. You must remove the Enhanced FEC group by moving the card to Transponder configuration, provision PPM on Ports 1 and 2, and then change the card configuration to Standard Regen or Mixed. • If the card is in Standard Regen or Enhanced FEC configuration, you cannot change the payload rate of the port pairs. You have to change the configuration to Transponder, change the payload rate, and then move the card configuration back to Standard Regen or Enhanced FEC. • If any of the affected ports are in IS (ANSI) or Unlocked-enabled (ETSI) state, you cannot change the card configuration. • If IB_5G payload has to be provisioned, the NE Default should match the values listed in the Table 10-52. For more information on editing the NE Default values, see the “NTP-G135 Edit Network Element Defaults” task. • If the card is changed to 10G Ethernet LAN Phy to WAN Phy, the first PPM port is deleted and replaced by a 10G Ethernet port; the third PPM port is deleted and automatically replaced with OC192/STM64 (SONET/SDH) port. The third PPM port is automatically deleted and the third PPM port is replaced with OC192/STM64 (SONET/SDH). Table 10-53 provides a summary of transitions allowed for the OTU2_XP card configurations. Table 10-52 OTU2_XP Card Configuration for IB_5G Payload Provisioning Parameter NE Default Name Value FEC OTU2-XP.otn.otnLines.FEC Standard ITU-T G.709 OTN OTU2-XP.otn.otnLines.G709OTN Enable Termination Mode OTU2-XP.config.port.TerminationMode Transparent ODU Transparency OTU2-XP.config.port.OduTransparency Cisco Extended Use AIS/Squelch OTU2-XP.config.port.AisSquelchMode Squelch Table 10-53 Card Configuration Transition Summary Card Configuration Transition To Transponder Standard Regen Enhanced FEC Mixed 10G Ethernet LAN Phy to WAN Phy Transponder — Yes Yes Yes Yes Standard Regen Yes — No Yes Yes10-119 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14.8 Security The OTU2_XP card, when an XFP is plugged into it, implements the Cisco Standard Security Code Check Algorithm that keys on vendor ID and serial number. If a PPM is plugged into a port on the card but fails the security code check because it is not a Cisco PPM, a NON-CISCO-PPM Not Reported (NR) condition occurs. If a PPM with a nonqualified product ID is plugged into a port on this card, that is, the PPM passes the security code as a Cisco PPM but it has not been qualified for use on the OTU2_XP card, a UNQUAL-PPM NR condition occurs. 10.14.9 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds. The on and off pulse duration is user-configurable. For details on ALS provisioning for the card, refer to the Cisco ONS 15454 DWDM Procedure Guide. Enhanced FEC Yes No — No No Mixed Yes Yes No — Yes 10G Ethernet LAN Phy to WAN Phy Yes Yes No The 10G Ethernet LAN Phy to WAN Phy to Mixed is supported if the Port pair 1-3 is chosen as Transponder. The 10G Ethernet LAN Phy to WAN Phy to Mixed is not supported if the Port pair 1-3 is chosen as Standard Regen. — Table 10-53 Card Configuration Transition Summary (continued) Card Configuration Transition To Transponder Standard Regen Enhanced FEC Mixed 10G Ethernet LAN Phy to WAN Phy10-120 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards OTU2_XP Card 10.14.10 ODU Transparency A key feature of the OTU2_XP card is the ability to configure the ODU overhead bytes (EXP bytes and RES bytes 1 and 2) using the ODU Transparency parameter. The two options available for this parameter are: • Transparent Standard Use—ODU overhead bytes are transparently passed through the card. This option allows the OTU2_XP card to act transparently between two trunk ports (when the card is configured in Standard Regen or Enhanced FEC). • Cisco Extended Use—ODU overhead bytes are terminated and regenerated on both ports of the regenerator group. The ODU Transparency parameter is configurable only for Standard Regen and Enhanced FEC card configuration. For Transponder card configuration, this parameter defaults to Cisco Extended Use and cannot be changed. Note The Forward Error Correction (FEC) Mismatch (FEC-MISM) alarm will not be raised on OTU2_XP card when you choose Transparent Standard Use. 10.14.11 Protection The OTU2_XP card supports Y-cable and splitter protection. Y-cable protection is provided at the client port level. Splitter protection is provided at the trunk port level. 10.14.11.1 Y-Cable Protection The OTU2_XP card supports Y-cable protection on client ports when it is provisioned in the transponder card configuration. Two cards can be joined in a Y-cable protection group with one card assigned as the working card and the other defined as the protection card. This protection mechanism provides redundant bidirectional paths. See the “10.19.1 Y-Cable Protection” section on page 10-139 for more detailed information. When a signal fault is detected (LOS, LOF, SD, or SF on the DWDM receiver port in the case of ITU-T G.709 mode) the protection mechanism software automatically switches between paths. Note When the 10G Ethernet LAN Phy to WAN Phy conversion feature is enabled, Y-cable protection is not supported on the LAN to WAN interface (ports 1 and 3). 10.14.11.2 Splitter Protection The OTU2_XP card supports splitter protection on trunk ports that are not part of a regenerator group (see Table 10-49 for port details). You can create and delete splitter protection groups in OTU2_XP card. In splitter protection method, a client injects a single signal into the client RX port. An optical splitter internal to the card then splits the signal into two separate signals and routes them to the two trunk TX ports. See the “10.19.2 Splitter Protection” section on page 10-141 for more detailed information. In the splitter protected 10G Ethernet LAN Phy to WAN Phy mode, AIS-P and LOP-P acts as trigger (when G.709 is enabled) for the Protection Switch, in addition to the existing switching criteria. The STS parameters such as, SF /SD thresholds, Path PM thresholds, and Path Trace is set for the working path (Port 3). The same parameters are also applicable for the protected path (Port 4).10-121 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MLSE UT 10.15 MLSE UT The maximum likelihood sequence estimation (MLSE) based universal transponder (UT) modules are added to the TXP_MR_10EX_C, MXP_2.5G_10EX_C, and MXP_MR_10DMEX_C cards to support the error decorrelator functionality to enhance system performance. 10.15.1 Error Decorrelator The MLSE feature uses the error decorrelator functionality to reduce the chromatic dispersion (CD) and polarization mode dispersion (PMD), thereby extending the transmission range on the trunk interface. You can enable or disable the error decorrelator functionality using CTC or TL1. The dispersion compensation unit (DCU) is also used to reduce CD and PMD. The MLSE-based UT module helps to reduce CD and PMD without the use of a DCU. 10.16 TXP_MR_10EX_C Card The TXP_MR_10EX_C card is a multirate transponder for the ONS 15454 platform. The card is fully backward compatible with TXP_MR_10E_C cards (only when the error decorrelator is disabled in the CTC on the TXP_MR_10EX_C card). It processes one 10-Gbps signal (client side) into one 10-Gbps, 100-GHz DWDM signal (trunk side). The TXP_MR_10EX_C card is tunable over the 82 channels of C-band (82 channels spaced at 50 GHz on the ITU grid). You can install TXP_MR_10EX_C card in Slots 1 to 6 and 12 to 17. The card can be provisioned in linear, BLSR/MS-SPRing, path protection/SNCP configurations or as a regenerator. The card can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the card is configured for transparent termination mode. The TXP_MR_10EX_C card features an MLSE-based Universal Transponder 1550-nm tunable laser and a separately orderable ONS-XC-10G-S1 1310-nm or ONS-XC-10G-L2 1550-nm laser XFP module for the client port. Note The PRE FEC BER performance of the TXP_MR_10EX_C card may be significantly low when compared to the TXP_MR_10E card. However, this does not affect the Post FEC BER performance, but could possibly affect any specific monitoring application that relies on the PRE FEC BER value (for example, protection switching). In this case, the replacement of TXP_MR_10E card with the TXP_MR_10EX_C may not work properly. Note When the ONS-XC-10G-L2 XFP is installed, the TXP_MR_10EX_C card must be installed in a high-speed slot (slot 6, 7, 12, or 13) On its faceplate, the TXP_MR_10EX_C card contains two transmit and receive connector pairs, one for the trunk port and one for the client port. Each connector pair is labeled. 10.16.1 Key Features The key features of the TXP_MR_10EX_C card are: • A multi-rate client interface (available through the ONS-XC-10G-S1 XFP, ordered separately):10-122 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10EX_C Card – OC-192 (SR1) – 10GE (10GBASE-LR) – 10G-FC (1200-SM-LL-L) – (ONS-XC-10G-S1 version 3 only) IB_5G • An MLSE-based UT module tunable through 82 channels of C-band. The channels are spaced at 50 GHz on the ITU grid. • OC-192 to ITU-T G.709 OTU2 provisionable synchronous and asynchronous mapping. • Proprietary rate at the trunk when the client is provisioned as IB_5G. • The MTU setting is used to display the OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting. 10.16.2 Faceplate and Block Diagram Figure 10-34 shows the TXP_MR_10EX_C faceplate and block diagram. Figure 10-34 TXP_MR_10EX_C Faceplate and Block Diagram uP bus Serial bus uP Flash RAM Optical transceiver 247063 Framer/FEC/DWDM processor Client interface DWDM trunk (long range) Optical transceiver B a c k p l a n e FAIL ACT/STBY SF 10E MR TXP L TX RX RX TX DWDM trunk STM-64/OC-192 82 tunable channels (C-band) on the 50-GHz ITU Client interface STM-64/OC-192 or 10GE (10GBASE-LR) or 10G-FC (1200-SM-LL-L)10-123 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10EX_C Card For information on safety labels for the card, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 15-dB fiber attenuator (10 to 20 dB) when working with the TXP_MR_10EX_C card in a loopback on the trunk port. Do not use direct fiber loopbacks with this card, because they can cause irreparable damage to the card. 10.16.3 Client Interface The client interface is implemented with a separately orderable XFP module. The module is a tri-rate transceiver, providing a single port that can be configured in the field to support an OC-192 SR-1 (Telcordia GR-253-CORE) or STM-64 I-64.1 (ITU-T G.691) optical interface, as well as 10GE LAN PHY (10GBASE-LR), 10GE WAN PHY (10GBASE-LW), 10G-FC signals, or IB_5G signals. The client-side XFP pluggable module supports LC connectors and is equipped with a 1310-nm laser. 10.16.4 DWDM Trunk Interface On the trunk side, the TXP_MR_10EX_C card provides a 10-Gbps STM-64/OC-192 interface. In the 1550-nm C-band on the 50-GHz ITU grid for the DWDM interface, 82 tunable channels are available. The TXP_MR_10EX_C card provides 3R transponder functionality for this 10-Gbps trunk interface. Therefore, the card is suited for use in long-range amplified systems. The DWDM interface is compliant with ITU-T G.707, ITU-T G.709, and Telcordia GR-253-CORE standards. The DWDM trunk port operates at a rate that depends on the input signal and the presence of the ITU-T G.709 Digital Wrapper/FEC. The possible trunk rates are: • OC192 (9.95328 Gbps) • OTU2 (10.70923 Gbps) • 10GE (10.3125 Gbps) or 10GE into OTU2 (ITU G.sup43 11.0957 Gbps) • 10G-FC (10.51875 Gbps) or 10G-FC into OTU2 (nonstandard 11.31764 Gbps) • Proprietary rate at the trunk when the client is provisioned as IB_5G. The maximum system reach in filterless applications without the use of optical amplification or regenerators is nominally rated at 23 dB over C-SMF fiber. This rating is not a product specification, but is given for informational purposes. It is subject to change. Note You cannot disable ITU-T G.709 on the trunk side. If ITU-T G.709 is enabled, then FEC cannot be disabled. 10.16.5 Enhanced FEC (E-FEC) Feature A key feature of the TXP_MR_10EX_C card is the availability to configure the forward error correction feature in two modes: FEC and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • FEC—Standard ITU-T G.975 Reed-Solomon algorithm • E-FEC—Standard ITU-T G.975.1 I.7 algorithm, (a super FEC code)10-124 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards TXP_MR_10EX_C Card 10.16.6 FEC and E-FEC Modes As client-side traffic passes through the TXP_MR_10EX_C card, it can be digitally wrapped using FEC mode or E-FEC mode. The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower OSNR) with a lower bit error rate than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC. Caution Because the transponder has no visibility into the data payload and detect circuits, the TXP_MR_10EX_C card does not display circuits under the card view. 10.16.7 Client-to-Trunk Mapping The TXP_MR_10EX_C card can perform ODU2-to-OCh mapping, which allows operators to provision data payloads in a standard way across 10-Gbps optical links. Digital wrappers that define client-side interfaces are called ODU2 entities in ITU-T G.709. Digital wrappers that define trunk-side interfaces are called OCh in ITU-T G.709. ODU2 digital wrappers can include G-MPLS signaling extensions to ITU-T G.709 (such as LSP and G-PID values) to define client interfaces and payload protocols. 10.16.8 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds and is user-configurable. For details regarding ALS provisioning for the TXP_MR_10EX_C card, refer to the Cisco ONS 15454 DWDM Procedure Guide. 10.16.9 TXP_MR_10EX_C Card-Level Indicators Table 10-54 lists the card-level LEDs on the TXP_MR_10EX_C card. Table 10-54 TXP_MR_10EX_C Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.10-125 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.16.10 TXP_MR_10EX_C Port-Level Indicators Table 10-55 lists the port-level LEDs on the TXP_MR_10EX_C card. 10.17 MXP_2.5G_10EX_C card The MXP_2.5G_10EX_C card is a DWDM muxponder for the ONS 15454 platform that supports transparent termination mode on the client side. The faceplate designation of the card is “4x2.5G 10EX MXP.” The card multiplexes four 2.5-Gbps client signals (4xOC48/STM-16 SFP) into a single 10-Gbps DWDM optical signal on the trunk side. The card provides wavelength transmission service for the four incoming 2.5-Gbps client interfaces. The MXP_2.5G_10EX_C muxponder passes all SONET/SDH overhead bytes transparently. The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up GCCs for data communications, enable FEC, or facilitate PM. The MXP_2.5G_10EX_C card works with OTN devices defined in ITU-T G.709. The card supports ODU1 to OTU2 multiplexing, an industry standard method for asynchronously mapping a SONET/SDH payload into a digitally wrapped envelope. See the “10.8.5 Multiplexing Function” section on page 10-44. The MXP_2.5G_10EX_C card is not compatible with the MXP_2.5G_10G card, which does not support transparent termination mode. You can install the MXP_2.5G_10EX_C card in slots 1 to 6 and 12 to 17. You can provision a card in a linear configuration, a BLSR/MS-SPRing, a path protection/SNCP, or a regenerator. The card can be used in the middle of BLSR/MS-SPRing or 1+1 spans when the card is configured for transparent termination mode. The MXP_2.5G_10EX_C card features a tunable 1550-nm C-band laser on the trunk port. The laser is tunable across 82 wavelengths on the ITU grid with 50-GHz spacing between wavelengths. The card features four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or both ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-54 TXP_MR_10EX_C Card-Level Indicators (continued) Card-Level LED Description Table 10-55 TXP_MR_10EX _C Port-Level Indicators Port-Level LED Description Green Client LED The green Client LED indicates that the client port is in service and that it is receiving a recognized signal. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-126 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card (labeled) on the card faceplate. The card uses dual LC connectors on the trunk side and SFP modules on the client side for optical cable termination. The SFP pluggable modules are SR or IR and support an LC fiber connector. Note When you create a 4xOC-48 OCHCC circuit, you need to select the G.709 and Synchronous options. A 4xOC-48 OCHCC circuit is supported by G.709 and synchronous mode, which are necessary to provision the 4xOC-48 OCHCC circuit. 10.17.1 Key Features The MXP_2.5G_10EX_C card has the following high-level features: • Four 2.5-Gbps client interfaces (OC-48/STM-16) and one 10-Gbps trunk. The four OC-48 signals are mapped into an ITU-T G.709 OTU2 signal using standard ITU-T G.709 multiplexing. • Onboard E-FEC processor: The processor supports both standard RS (specified in ITU-T G.709) and E-FEC, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. The E-FEC functionality increases the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (237,255) correction algorithm. • Pluggable client-interface optic modules: The MXP_2.5G_10EX_C card has modular interfaces. Two types of optic modules can be plugged into the card. These modules include an OC-48/STM-16 SR-1 interface with a 7-km (4.3-mile) nominal range (for short range and intra-office applications) and an IR-1 interface with a range of up to 40 km (24.9 miles). SR-1 is defined in Telcordia GR-253-CORE and in I-16 (ITU-T G.957). IR-1 is defined in Telcordia GR-253-CORE and in S-16-1 (ITU-T G.957). • High-level provisioning support: The card is initially provisioned using Cisco TransportPlanner software. Subsequently, the card can be monitored and provisioned using CTC software. • Link monitoring and management: The card uses standard OC-48 OH (overhead) bytes to monitor and manage incoming interfaces. The card passes the incoming SDH/SONET data stream and its overhead bytes transparently. • Control of layered SONET/SDH transport overhead: The card is provisionable to terminate regenerator section overhead, which eliminates forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. • Automatic timing source synchronization: The MXP_2.5G_10EX_C card normally synchronizes from the TCC2/TCC2P/TCC3/TNC/TSC card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3/TNC/TSC is not available, the card automatically synchronize to one of the input client-interface clocks. • Configurable squelching policy: The card can be configured to squelch the client interface output if LOS occurs at the DWDM receiver or if a remote fault occurs. In the event of a remote fault, the card manages MS-AIS insertion. • The card is tunable across the full C-band, thus eliminating the need to use different versions of each card to provide tunability across specific wavelengths in a band. • The MTU setting is used to display the ifInerrors and OverSizePkts counters on the receiving trunk and client port interfaces. Traffic of frame sizes up to 65535 bytes pass without any packet drops, from the client port to the trunk port and vice versa irrespective of the MTU setting.10-127 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.17.2 Faceplate Figure 10-35 shows the MXP_2.5G_10EX_C faceplate and block diagram. Figure 10-35 MXP_2.5G_10EX_C Faceplate and Block Diagram For information on safety labels for the card, see the “10.2.1 Class 1 Laser Product Cards” section on page 10-8. 10.17.3 Client Interfaces The MXP_2.5G_10EX_C card provides four intermediate- or short-range OC-48/STM-16 ports per card on the client side. Both SR-1 and IR-1 optics can be supported and the ports use SFP connectors. The client interfaces use four wavelengths in the 1310-nm, ITU 100-GHz-spaced, channel grid. FAIL ACT/STBY SF 4x2.5 10 E MXP L RX TX TX RX TX RX TX RX TX RX RAM Processor 247064 Optical transceiver Optical transceiver Optical transceiver Optical transceiver Optical transceiver B a c k p l a n e FEC/ Wrapper E-FEC Processor (G.709 FEC) Serial bus uP bus Onboard Flash memory SR-1 (short reach/intra-office) or IR-1 (intermediate range) SFP client optics modules DWDM (trunk) 10GE (10GBASE-LR)10-128 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.17.4 DWDM Interface The MXP_2.5G_10EX_C card serves as OTN multiplexers, transparently mapping four OC-48 channels asynchronously to ODU1 into one 10-Gbps trunk. For the MXP_2.5G_10EX_C card, the DWDM trunk is tunable for transmission over the entire C-band. Channels are spaced at 50-GHz on the ITU grid. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the card in a loopback on the trunk port. Do not use direct fiber loopbacks with the card, because they can cause irreparable damage to the MXP_2.5G_10EX_C card. Note You cannot disable ITU-T G.709 on the trunk side. If ITU-T G.709 is enabled, then FEC cannot be disabled. 10.17.5 Multiplexing Function The muxponder is an integral part of the ROADM network. The key function of the MXP_2.5G_10EX_C card is to multiplex four OC-48/STM-16 signals onto one ITU-T G.709 OTU2 optical signal (DWDM transmission). The multiplexing mechanism allows the signal to be terminated at a far-end node by another similar card. Transparent termination on the muxponder is configured using OTUx and ODUx OH bytes. The ITU-T G.709 specification defines OH byte formats that are used to configure, set, and monitor frame alignment, FEC mode, section monitoring, tandem connection monitoring, and transparent termination mode. The MXP_2.5G_10EX_C card performs ODU to OTU multiplexing as defined in ITU-T G.709. The ODU is the framing structure and byte definition (ITU-T G.709 digital wrapper) used to define the data payload coming into one of the SONET/SDH client interfaces on the card. The term ODU1 refers to an ODU that operates at 2.5-Gbps line rate. On the card, four client interfaces can be defined using ODU1 framing structure and format by asserting an ITU-T G.709 digital wrapper. The output of the muxponder is a single 10-Gbps DWDM trunk interface defined using OTU2. It is within the OTU2 framing structure that FEC or E-FEC information is appended to enable error checking and correction. 10.17.6 Timing Synchronization The MXP_2.5G_10EX_C card is synchronized to the TCC2/TCC2P /TCC3/TNC/TSC clock during normal conditions and transmits the ITU-T G.709 frame using this clock. No holdover function is implemented. If neither TCC2/TCC2P/TCC3/TNC/TSC clock is available, the card switches automatically (hitless) to the first of the four valid client clocks with no time restriction as to how long it can run on this clock. The card continues to monitor the TCC2/TCC2P/TCC3/TNC/TSC card. If a TCC2/TCC2P/TCC3/TNC/TSC card is restored to working order, the card reverts to the normal working mode of running from the TCC2/TCC2P/TCC3/TNC/TSC clock. If no valid TCC2/TCC2P/TCC3/TNC/TSC clock is available and all of the client channels become invalid, the card waits (no valid frames processed) until one of the TCC2/TCC2P/TCC3/TNC/TSC cards supplies a valid clock. In addition, the card is allowed to select the recovered clock from one active and valid client channel and supply that clock to the TCC2/TCC2P/TCC3/TNC/TSC card.10-129 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.17.7 Enhanced FEC (E-FEC) Capability The MXP_2.5G_10EX_C card can configure the FEC in two modes: FEC and E-FEC. The output bit rate is always 10.7092 Gbps as defined in ITU-T G.709, but the error coding performance can be provisioned as follows: • FEC—Standard ITU-T G.975 Reed-Solomon algorithm • E-FEC—Standard ITU-T G.975.1 I.7, two orthogonally concatenated BCH super FEC codes. This FEC scheme contains three parameterizations of the same scheme of two orthogonally interleaved block codes (BCH). The constructed code is decoded iteratively to achieve the expected performance. 10.17.8 FEC and E-FEC Modes As client-side traffic passes through the card, it can be digitally wrapped using FEC mode error correction or E-FEC mode error correction. The FEC mode setting provides a lower level of error detection and correction than the E-FEC mode setting of the card. As a result, using E-FEC mode allows higher sensitivity (lower OSNR) with a lower BER than FEC mode. E-FEC enables longer distance trunk-side transmission than with FEC. The E-FEC feature is one of three basic modes of FEC operation. FEC can be turned on, or E-FEC can be turned on to provide greater range and lower BER. The default mode is FEC on and E-FEC off. E-FEC is provisioned using CTC. 10.17.9 SONET/SDH Overhead Byte Processing The card passes the incoming SONET/SDH data stream and its overhead bytes for the client signal transparently. The card can be provisioned to terminate regenerator section overhead, which eliminates forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. 10.17.10 Client Interface Monitoring The following parameters are monitored on the MXP_2.5G_10EX_C card: • Laser bias current is measured as a PM parameter. • LOS is detected and signaled. • Rx and Tx power are monitored. The following parameters are monitored in real-time mode (one second): • Optical power transmitted (client) • Optical power received (client) In the case of LOC at the DWDM receiver or far-end LOS, the client interface behavior is configurable. AIS can be invoked or the client signal can be squelched.10-130 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.17.11 Wavelength Identification The card uses trunk lasers that are wavelocked, which allows the trunk transmitter to operate on the ITU grid effectively. The MXP_2.5G_10EX_C card implements the MLSE-based UT module. The MXP_2.5G_10EX_C card uses a C-band version of the UT2. Table 10-56 describes the required trunk transmit laser wavelengths for the MXP_2.5G_10EX_C card. The laser is tunable over 82 wavelengths in the C-band at 50-GHz spacing on the ITU grid. Table 10-56 MXP_2.5G_10EX_C Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.95910-131 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_2.5G_10EX_C card 10.17.12 Automatic Laser Shutdown The ALS procedure is supported on both client and trunk interfaces. On the client interface, ALS is compliant with ITU-T G.664 (6/99). On the data application and trunk interface, the switch on and off pulse duration is greater than 60 seconds and is user-configurable. For details regarding ALS provisioning for the MXP_2.5G_10EX_C card, see the Cisco ONS 15454 DWDM Procedure Guide. 10.17.13 Jitter For SONET and SDH signals, the MXP_2.5G_10EX_C card complies with Telcordia GR-253-CORE, ITU-T G.825, and ITU-T G.873 for jitter generation, jitter tolerance, and jitter transfer. See the “10.21 Jitter Considerations” section on page 10-142 for more information. 10.17.14 Lamp Test The MXP_2.5G_10EX_C card supports a lamp test function that is activated from the ONS 15454 front panel or through CTC to ensure that all LEDs are functional. 10.17.15 Onboard Traffic Generation The MXP_2.5G_10EX_C card provides internal traffic generation for testing purposes according to PRBS, SONET/SDH, or ITU-T G.709. 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.578 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 10-56 MXP_2.5G_10EX_C Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm)10-132 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card 10.17.16 MXP_2.5G_10EX_C Card-Level Indicators Table 10-57 describes the card-level LEDs on the MXP_2.5G_10EX_C card. 10.17.17 MXP_2.5G_10EX_C Port-Level Indicators Table 10-58 describes the port-level LEDs on the MXP_2.5G_10EX_C card. 10.18 MXP_MR_10DMEX_C Card The MXP_MR_10DMEX_C card aggregates a mix of client SAN service-client inputs (GE, FICON, and Fibre Channel) into one 10-Gbps STM-64/OC-192 DWDM signal on the trunk side. It provides one long-reach STM-64/OC-192 port per card and is compliant with Telcordia GR-253-CORE and ITU-T G.957. The card supports aggregation of the following signal types: • 1-Gigabit Fibre Channel • 2-Gigabit Fibre Channel • 4-Gigabit Fibre Channel • 1-Gigabit Ethernet • 1-Gigabit ISC-Compatible (ISC-1) • 2-Gigabit ISC-Peer (ISC-3) Table 10-57 MXP_2.5G_10EX_C Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off. Table 10-58 MXP_2.5G_10E_C and MXP_2.5G_10E_L Port-Level Indicators Port-Level LED Description Green Client LED (four LEDs) A green Client LED indicates that the client port is in service and that it is receiving a recognized signal. The card has four client ports, and so has one Client LED for each port. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-133 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card Caution The card can be damaged by dropping it. Handle it carefully. The MXP_MR_10DMEX_C muxponder passes all SONET/SDH overhead bytes transparently. The digital wrapper function (ITU-T G.709 compliant) formats the DWDM wavelength so that it can be used to set up GCCs for data communications, enable FEC, or facilitate PM. The MXP_MR_10DMEX_C card works with the OTN devices defined in ITU-T G.709. The card supports ODU1 to OTU2 multiplexing, an industry standard method for asynchronously mapping a SONET/SDH payload into a digitally wrapped envelope. See the “10.7.7 Multiplexing Function” section on page 10-36. Note You cannot disable ITU-T G.709 on the trunk side. If ITU-T G.709 is enabled, then FEC cannot be disabled. Note Because the client payload cannot oversubscribe the trunk, a mix of client signals can be accepted, up to a maximum limit of 10 Gbps. You can install the MXP_MR_10DMEX_C card in slots 1 to 6 and 12 to 17. Note The MXP_MR_10DMEX_C card is not compatible with the MXP_2.5G_10G card, which does not support transparent termination mode. The MXP_MR_10DMEX_C card features a tunable 1550-nm C-band laser on the trunk port. The laser is tunable across 82 wavelengths on the ITU grid with 50-GHz spacing between wavelengths. Each card features four 1310-nm lasers on the client ports and contains five transmit and receive connector pairs (labeled) on the card faceplate. The card uses dual LC connectors on the trunk side and SFP modules on the client side for optical cable termination. The SFP pluggable modules are SR or IR and support an LC fiber connector. Table 10-59 shows the input data rate for each client interface, and the encapsulation method. The current version of the GFP-T G.7041 supports transparent mapping of 8B/10B block-coded protocols, including Gigabit Ethernet, Fibre Channel, ISC, and FICON. In addition to the GFP mapping, 1-Gbps traffic on Port 1 or 2 of the high-speed SERDES is mapped to an STS-24c channel. If two 1-Gbps client signals are present at Port 1 and Port 2 of the high-speed SERDES, the Port 1 signal is mapped into the first STS-24c channel and the Port 2 signal into the second STS-24c channel. The two channels are then mapped into an OC-48 trunk channel. Table 10-59 MXP_MR_10DMEX_C Client Interface Data Rates and Encapsulation Client Interface Input Data Rate GFP-T G.7041 Encapsulation 2G FC 2.125 Gbps Yes 1G FC 1.06 Gbps Yes 2G FICON/2G ISC-Compatible (ISC-1)/ 2G ISC-Peer (ISC-3) 2.125 Gbps Yes10-134 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card The MXP_MR_10DMEX_C card includes two FPGAs, and a group of four ports is mapped to each FPGA. Group 1 consists of Ports 1 through 4, and Group 2 consists of Ports 5 through 8. Table 10-60 shows some of the mix and match possibilities on the various client data rates for Ports 1 through 4, and Ports 5 through 8. An X indicates that the data rate is supported in that port. GFP-T PM is available through RMON and trunk PM is managed according to Telcordia GR-253-CORE and ITU G.783/826. Client PM is achieved through RMON for FC and GE. A buffer-to-buffer credit management scheme provides FC flow control. With this feature enabled, a port indicates the number of frames that can be sent to it (its buffer credit), before the sender is required to stop transmitting and wait for the receipt of a “ready” indication. The MXP_MR_10DMEX_C card supports FC credit-based flow control with a buffer-to-buffer credit extension of up to 1600 km (994.1 miles) for 1G FC, up to 800 km (497.1 miles) for 2G FC, or up to 400 km (248.5 miles) for 4G FC. The feature can be enabled or disabled. The MXP_MR_10DMEX_C card features a 1550-nm laser for the trunk/line port and a 1310-nm or 850-nm laser (depending on the SFP) for the client ports. The card contains eight 12.5-degree downward-tilt SFP modules for the client interfaces. For optical termination, each SFP uses two LC connectors, which are labeled TX and RX on the faceplate. The trunk port is a dual-LC connector with a 45-degree downward angle. 10.18.1 Key Features The MXP_MR_10DMEX_C card has the following high-level features: • Onboard E-FEC processor: The processor supports both standard RS (specified in ITU-T G.709) and E-FEC, which allows an improved gain on trunk interfaces with a resultant extension of the transmission range on these interfaces. The E-FEC functionality increases the correction capability of the transponder to improve performance, allowing operation at a lower OSNR compared to the standard RS (237,255) correction algorithm. • Pluggable client-interface optic modules: The MXP_MR_10DMEX_C card has modular interfaces. Two types of optics modules can be plugged into the card. These modules include an OC-48/STM-16 SR-1 interface with a 7-km (4.3-mile) nominal range (for short range and 1G FICON/1G ISC-Compatible (ISC-1)/ 1G ISC-Peer (ISC-3) 1.06 Gbps Yes Gigabit Ethernet 1.25 Gbps Yes Table 10-59 MXP_MR_10DMEX_C Client Interface Data Rates and Encapsulation (continued) Client Interface Input Data Rate GFP-T G.7041 Encapsulation Table 10-60 Supported Client Data Rates for Ports 1 through 4 and Ports 5 through 8 Port (Group 1) Port (Group 2) Gigabit Ethernet 1G FC 2G FC 4G FC 1 5 X XXX 2 6 X X —— 3 7 X XX— 4 8 X X ——10-135 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card intra-office applications) and an IR-1 interface with a range of up to 40 km (24.9 miles). SR-1 is defined in Telcordia GR-253-CORE and in I-16 (ITU-T G.957). IR-1 is defined in Telcordia GR-253-CORE and in S-16-1 (ITU-T G.957). • Y-cable protection: The card supports Y-cable protection between the same card type only, on ports with the same port number and signal rate. See the “10.19.1 Y-Cable Protection” section on page 10-139 for more detailed information. • High-level provisioning support: The card is initially provisioned using Cisco TransportPlanner software. Subsequently, the card can be monitored and provisioned using CTC software. • ALS: This safety mechanism is used in the event of a fiber cut. For details regarding ALS provisioning for the MXP_MR_10DMEX_C card, refer to the Cisco ONS 15454 DWDM Procedure Guide. • Link monitoring and management: The card uses standard OC-48 OH(overhead) bytes to monitor and manage incoming interfaces. The card passes the incoming SDH/SONET data stream and its OH(overhead) bytes transparently. • Control of layered SONET/SDH transport overhead: The card is provisionable to terminate regenerator section overhead, which eliminates forwarding of unneeded layer overhead. It can help reduce the number of alarms and help isolate faults in the network. • Automatic timing source synchronization: The MXP_MR_10DMEX_C card normally synchronizes from the TCC2/TCC2P/TCC3/TNC/TSC card. If for some reason, such as maintenance or upgrade activity, the TCC2/TCC2P/TCC3/TNC/TSC is not available, the card automatically synchronizes to one of the input client-interface clocks. Note MXP_MR_10DMEX_C card cannot be used for line timing. • Configurable squelching policy: The card can be configured to squelch the client-interface output if LOS occurs at the DWDM receiver or if a remote fault occurs. In the event of a remote fault, the card manages MS-AIS insertion. • The card is tunable across the full C-band, thus eliminating the need to use different versions of each card to provide tunability across specific wavelengths in a band. • You can provision a string (port name) for each fiber channel/FICON interface on the MXP_MR_10DMEX_C card, which allows the MDS Fabric Manager to create a link association between that SAN port and a SAN port on a Cisco MDS 9000 switch. 10.18.2 Faceplate Figure 10-36 shows the MXP_MR_10DMEX_C faceplate and block diagram.10-136 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card Figure 10-36 MXP_MR_10DMEX_C Faceplate and Block Diagram For information on safety labels for the card, see the “10.2.2 Class 1M Laser Product Cards” section on page 10-10. Caution You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the card in a loopback on the trunk port. Do not use direct fiber loopbacks with the card, because they can cause irreparable damage to the MXP_MR_10DMEX_C card. 10.18.3 Wavelength Identification The card uses trunk lasers that are wavelocked, which allows the trunk transmitter to operate on the ITU grid effectively. The MXP_MR_10DMEX_C card uses a C-band version of the MLSE-based UT module. 10DME-C FAIL ACT/STBY SF 247065 RX TX 1 RX TX 2 RX TX 3 RX TX 4 RX TX 1 RX TX 2 RX TX 3 RX TX 4 DWDM RX TX SPF 1/1 4G FC SerDes 1 x QDR 2M x 36bit Burst4 1/2/4G-FC B2B Credit Mgt FPGA Framer G.709/FEC OTN MXP UT2 5x I/O 5x I/O SPF 2/1 SPF 3/1 CPU Core FPGA Power supply SPF 4/1 SPF 6/1 4G FC SerDes 1/2/4G-FC B2B Credit Mgt FPGA 5x I/O 5x I/O SPF 7/1 SPF 8/1 SPF 9/1 Client ports Group 1 Group 210-137 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card Table 10-61 describes the required trunk transmit laser wavelengths for the MXP_MR_10DMEX_C card. The laser is tunable over 82 wavelengths in the C-band at 50-GHz spacing on the ITU grid. Table 10-61 MXP_MR_10DMEX_C Trunk Wavelengths Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) 1 196.00 1529.55 42 193.95 1545.72 2 195.95 1529.94 43 193.90 1546.119 3 195.90 1530.334 44 193.85 1546.518 4 195.85 1530.725 45 193.80 1546.917 5 195.80 1531.116 46 193.75 1547.316 6 195.75 1531.507 47 193.70 1547.715 7 195.70 1531.898 48 193.65 1548.115 8 195.65 1532.290 49 193.60 1548.515 9 195.60 1532.681 50 193.55 1548.915 10 195.55 1533.073 51 193.50 1549.32 11 195.50 1533.47 52 193.45 1549.71 12 195.45 1533.86 53 193.40 1550.116 13 195.40 1534.250 54 193.35 1550.517 14 195.35 1534.643 55 193.30 1550.918 15 195.30 1535.036 56 193.25 1551.319 16 195.25 1535.429 57 193.20 1551.721 17 195.20 1535.822 58 193.15 1552.122 18 195.15 1536.216 59 193.10 1552.524 19 195.10 1536.609 60 193.05 1552.926 20 195.05 1537.003 61 193.00 1553.33 21 195.00 1537.40 62 192.95 1553.73 22 194.95 1537.79 63 192.90 1554.134 23 194.90 1538.186 64 192.85 1554.537 24 194.85 1538.581 65 192.80 1554.940 25 194.80 1538.976 66 192.75 1555.343 26 194.75 1539.371 67 192.70 1555.747 27 194.70 1539.766 68 192.65 1556.151 28 194.65 1540.162 69 192.60 1556.555 29 194.60 1540.557 70 192.55 1556.959 30 194.55 1540.953 71 192.50 1557.36 31 194.50 1541.35 72 192.45 1557.77 32 194.45 1541.75 73 192.40 1558.173 33 194.40 1542.142 74 192.35 1558.57810-138 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards MXP_MR_10DMEX_C Card 10.18.4 MXP_MR_10DMEX_C Card-Level Indicators Table 10-62 describes the card-level LEDs on the MXP_MR_10DMEX_C card. 10.18.5 MXP_MR_10DMEX_C Port-Level Indicators Table 10-63 describes the port-level LEDs on the MXP_MR_10DMEX_C card. 34 194.35 1542.539 75 192.30 1558.983 35 194.30 1542.936 76 192.25 1559.389 36 194.25 1543.333 77 192.20 1559.794 37 194.20 1543.730 78 192.15 1560.200 38 194.15 1544.128 79 192.10 1560.606 39 194.10 1544.526 80 192.05 1561.013 40 194.05 1544.924 81 192.00 1561.42 41 194.00 1545.32 82 191.95 1561.83 Table 10-61 MXP_MR_10DMEX_C Trunk Wavelengths (continued) Channel Number Frequency (THz) Wavelength (nm) Channel Number Frequency (THz) Wavelength (nm) Table 10-62 MXP_MR_10DMEX_C Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational (one or more ports active) and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.10-139 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Y-Cable and Splitter Protection 10.19 Y-Cable and Splitter Protection Y-cable and splitter protection are two main forms of card protection that are available for TXP, MXP, and Xponder (GE_XP, 10GE_XP, GE_XPE, 10GE_XPE, and OTU2_XP) cards when they are provisioned in TXP or MXP mode. Y-cable protection is provided at the client port level. Splitter protection is provided at the trunk port level. Note GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards use VLAN protection when they are provisioned in L2-over-DWDM mode. For information, see the “10.12.10.3 Layer 2 Over DWDM Protection” section on page 10-81. The ADM-10G card uses path protection and 1+1 protection. For more information, see the “10.13.10 Protection” section on page 10-103. 10.19.1 Y-Cable Protection Y-cable protection is available for the following ONS 15454 TXP, MXP, and Xponder cards: • TXP_MR_10G • TXP_MR_10E • TXP_MR_2.5G • 40G-TXP-C • MXP_2.5G_10G • MXP_2.5G_10E • MXP_2.5G_10E_C • MXP_2.5G_10E_L • MXP_MR_2.5G • MXP_MR_10DME_C • MXP_MR_10DME_L Table 10-63 MXP_MR_10DMEX_C Port-Level Indicators Port-Level LED Description Port LED (eight LEDs, four for each group, one for each SFP) Green/Red/Amber/Off When green, the port LED indicates that the client port is either in service and receiving a recognized signal (that is, no signal fail), or the port is in Out of Service and Maintenance (OOS,MT or locked, maintenance) state and the signal fail and alarms are being ignored. When red, the port LED indicates that the client port is in service but is receiving a signal fail (LOS). When amber, the port LED indicates that the port is provisioned and in a standby state. When off, the port LED indicates that the SFP is either not provisioned, out of service, not properly inserted, or the SFP hardware has failed. Green DWDM LED The green DWDM LED indicates that the DWDM port is in service and that it is receiving a recognized signal.10-140 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Y-Cable and Splitter Protection • 40G-MXP-C • GE_XP and GE_XPE (when in 10GE or 20GE MXP card mode) • 10GE_XP and 10GE_XPE (when in 10GE TXP card mode) • OTU2_XP (when in Transponder card configuration) To create Y-cable protection, you create a Y-cable protection group for two TXP, MXP, or Xponder cards using the CTC software, then connect the client ports of the two cards physically with a Y-cable. The single client signal is sent into the RX Y-cable and is split between the two TXP, MXP, or Xponder cards. The two TX signals from the client side of the TXP, MXP, or Xponder cards are combined in the TX Y-cable into a single client signal. Only the active card signal passes through as the single TX client signal. The other card must have its laser turned off to avoid signal degradation where the Y-cable joins. When an MXP_MR_2.5G, MXP_MR_10DME_C, or MXP_MR_10DME_L card that is provisioned with Y-cable protection is used on a storage ISL link (FC1G, FC2G, FC4G, FICON1G, FICON2G, or FICON4G), a protection switchover resets the standby port to active. This reset reinitialises the end-to-end link to avoid any link degradation caused due to loss of buffer credits during switchover and results in an end-to-end traffic hit of 15 to 20 seconds. When using the MXP_MR_10DME_C or MXP_MR_10DME_L card, enable the fast switch feature and use it with a Cisco MDS storage switch to avoid this 15 to 20 second traffic hit. When enabling fast switch on the MXP_MR_10DME_C or MXP_MR_10DME_L card, ensure that the attached MDS switches have the buffer-to-buffer credit recovery feature enabled. You can also use the TXP_MR_2.5G card to avoid this 15 to 20 second traffic hit. When a Y-cable protection switchover occurs, the storage ISL link does not reinitialize and results in an end-to-end traffic hit of less than 50ms. Note Y-cable connectors will not work with copper SFPs because Y-cables are made up of optical connectors and there is no way to physically connect them to a copper SFP. Y-cable protection is not supported on IB_5G. Note There is a traffic hit of upto a couple hundred milliseconds on the MXP_MR_2.5G and MXP_MR_10DME cards in Y-cable configuration when a fiber cut or SFP failure occurs on one of the client ports. Note The OTU2_XP and 40E-MXP-C card cannot implement Y-cable protection for the client ports in 10 GE LAN PHY mode. Hence, a pair of OTU2_XP cards is used at each end in pass-through mode (Transponder mode with G.709 disabled) to implement Y-cable protection. The 40E-MXP-CE card can implement Y-cable protection without the OTU2_XP card for the client ports in LAN PHY GFP mode. However, the 40E-MXP-CE card cannot implement Y-cable protection without the OTU2_XP card for the client ports in LAN PHY WIS mode. Note If you create a GCC on either card of the protect group, the trunk port stays permanently active, regardless of the switch state. When you provision a GCC, you are provisioning unprotected overhead bytes. The GCC is not protected by the protect group. Figure 10-37 on page 10-141 shows the Y-cable signal flow.10-141 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Y-Cable and Splitter Protection Note Loss of Signal–Payload (LOS-P) alarms, also called Incoming Payload Signal Absent alarms, can occur on a split signal if the ports are not in a Y-cable protection group. Note Removing an SFP from the client ports of a card in a Y-cable protection group card causes an IMPROPRMVL (PPM) alarm. The working port raises the IMPROPRMVL alarm and the protected port raises the IMPROPRMVL alarm. The severity on the client ports is changed according to the protection switch state. Figure 10-37 Y-Cable Protection 10.19.2 Splitter Protection Splitter protection, shown in Figure 10-38, is provided with TXPP cards, MXPP cards., and OTU2_XP cards (on trunk ports that are not part of a regenerator group). You can create and delete splitter protection groups in OTU2_XP card. To implement splitter protection, a client injects a single signal into the client RX port. An optical splitter internal to the card then splits the signal into two separate signals and routes them to the two trunk TX ports. The two signals are transmitted over diverse optical paths. The far-end MXPP or TXPP card uses an optical switch to choose one of the two trunk RX port signals and injects it into the TX client port. When using splitter protection with two MXPP or TXPP cards, there are two different optical signals that flow over diverse paths in each direction. In case of failure, the far-end switch must choose the appropriate signal using its built-in optical switch. The triggers for a protection switch are LOS, LOF, SF, or SD. Client "Working" card (TXP or MXP) "Protection" card (TXP or MXP) Y cables TX RX Working Protect Client Port Trunk Port Client Port Trunk Port 12408010-142 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Far-End Laser Control Figure 10-38 Splitter Protection 10.20 Far-End Laser Control The 15454 DWDM cards provide a transparent mode that accurately conveys the client input signal to the far-end client output signal. The client signal is normally carried as payload over the DWDM signals. Certain client signals, however, cannot be conveyed as payload. In particular, client LOS or LOF cannot be carried. Far-end laser control (FELC) is the ability to convey an LOS or LOF from the near-end client input to the far-end client output. If an LOS is detected on the near-end client input, the near-end trunk sets the appropriate bytes in the OTN overhead of the DWDM line. These bytes are received by the far-end trunk, and cause the far-end client laser to be turned off. When the laser is turned off, it is said to be squelched. If the near-end LOS clears, the near-end trunk clears the appropriate bytes in the OTN overhead, the far-end detects the changed bytes, and the far-end client squelch is removed. FELC also covers the situation in which the trunk port detects that it has an invalid signal; the client is squelched so as not to propagate the invalid signal. Payload types with the 2R mode preclude the use of OTN overhead bytes. In 2R mode, an LOS on the client port causes the trunk laser to turn off. The far end detects the LOS on its trunk receiver and squelches the client. FELC is not provisionable. It is always enabled when the DWDM card is in transparent termination mode. However, FELC signaling to the far-end is only possible when ITU-T G.709 is enabled on both ends of the trunk span. 10.21 Jitter Considerations Jitter introduced by the SFPs used in the transponders and muxponders must be considered when cascading several cards. With TXP_MR_2.5G, TXPP_MR_2.5G, MXP_MR_2.5G, MXPP_MR_2.5G, and TXP_MR_10E cards, several transponders can be cascaded before the cumulative jitter violates the jitter specification. The recommended limit is 20 cards. With TXP_MR_10G cards, you can also cascade several cards, although the recommended limit is 12 cards. With MXP_2.5G_10G and MXP_2.5G_10E Client Protected Card Working Protect Client Port RX TX Splitter Switch Trunk Port Trunk Port 12407910-143 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards Termination Modes cards, any number of cards can be cascaded as long as the maximum reach between any two is not exceeded. This is because any time the signal is demultiplexed, the jitter is eliminated as a limiting factor. The maximum reach between one transponder and the other must be halved if a Y cable is used. For more information on Y-cable operation, see the “10.19.1 Y-Cable Protection” section on page 10-139. 10.22 Termination Modes Transponder and muxponder cards have various SONET and SDH termination modes that can be configured using CTC (see the “Provision Transponder and Muxponder Cards” chapter in the Cisco ONS 15454 DWDM Procedure Guide). The termination modes are summarized in Table 10-64. For TXP and MXP cards, adhere to the following conditions while DCC termination provisioning: • For SDCC/RS-DCC provisioning, the card should be in the Section/RS-DCC or Line/MS-DCC termination mode. • For LDCC/MS-DCC provisioning, the card should be in the Line/MS-DCC termination mode. Table 10-64 Termination Modes Cards Termination Mode Description All TXP, MXP, and OTU2_XP cards, with the exception of the MXP_2.5G_10G card (see next section of this table) Transparent Termination All the bytes of the payload pass transparently through the cards. Section Termination The SONET transport overhead (TOH) section bytes and the SDH regenerator section overhead (SOH) bytes are terminated. None of these SOH bytes are passed through. They are all regenerated, including the SONET TOH section DCC (SDCC) bytes and the SDH regenerator section DCC (RS-DCC) bytes. In the section termination mode, the SONET TOH line and SDH multiplex section overhead bytes are passed transparently. Line Termination In line termination mode, the section and line overhead bytes for SONET and the overhead bytes for the SDH multiplex and regenerator sections are terminated. None of the overhead bytes are passed through. They are all regenerated, including the SONET SDCC and line DCC (LDCC) bytes and the SDH RS-DCC and multiplexer section DCC (MS-DCC) bytes. MXP_2.5G_10G1 1. Clients operating at the OC48/STM16 rate are multiplexed into an OC192/STM64 frame before going to OTN or DWDM. Transparent Termination All client bytes pass transparently except the following: B1 is rebuilt, S1 is rewritten, A1 to A2 are regenerated, and H1 to H3 are regenerated. Section Termination The SONET TOH section bytes and the SDH regenerator section overhead bytes are terminated. None of these section overhead bytes are passed through. They are all regenerated, including the SONET TOH section DCC bytes and the SDH RS-DCC bytes. In the section termination mode, the SONET TOH line and SDH multiplex section overhead bytes are passed transparently. Line Termination In the line termination mode, the section and line overhead bytes for SONET and the overhead bytes for the SDH multiplex and regenerators sections are terminated. None of the overhead bytes are passed through. They are all regenerated, including the SONET SDCC and LDCC bytes and the SDH RS-DCC and MS-DCC bytes.10-144 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 10 Transponder and Muxponder Cards SFP and XFP Modules For more information on enabling termination modes, see the procedures for changing card setting in the “Provision Transponder and Muxponder Cards” chapter of the Cisco ONS 15454 DWDM Procedure Guide. 10.23 SFP and XFP Modules SFPs and 10-Gbps SFPs (XFPs) are integrated fiber optic transceivers that provide high-speed serial links from a port or slot to the network. For more information on SFPs/XFPs and for a list of SFPs/XFPs supported by the transponder and muxponder cards, see the Installing the GBIC, SFP, and XFP Optics Modules in Cisco ONS Platforms. In CTC, SFPs/XFPs are called pluggable port modules (PPMs). To provision SFPs/XFPs and change the line rate for multirate PPMs, see the Cisco ONS 15454 DWDM Procedure Guide.CHAPTER 11-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 11 Node Reference This chapter explains the ONS 15454 dense wavelength division multiplexing (DWDM) node types that are available for the ONS 15454. The DWDM node type is determined by the type of amplifier and filter cards that are installed in an ONS 15454. The chapter also explains the DWDM automatic power control (APC), reconfigurable optical add/drop multiplexing (ROADM) power equalization, span loss verification, and automatic node setup (ANS) functions. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Note In this chapter, “OPT-BST” refers to the OPT-BST, OPT-BST-E, OPT-BST-L cards, and to the OPT-AMP-L and OPT-AMP-17-C cards when they are provisioned in OPT-LINE (optical booster) mode. “OPT-PRE” refers to the OPT-PRE card and to the OPT-AMP-L and OPT-AMP-17-C cards provisioned in OPT-PRE (preamplifier) mode. Chapter topics include: • 11.1 DWDM Node Configurations, page 11-1 • 11.2 Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards, page 11-34 • 11.3 Supported Node Configurations for PSM Card, page 11-38 • 11.4 Multishelf Node, page 11-42 • 11.5 Optical Sides, page 11-44 • 11.6 Configuring Mesh DWDM Networks, page 11-53 • 11.7 DWDM Node Cabling, page 11-74 • 11.8 Automatic Node Setup, page 11-90 • 11.9 DWDM Functional View, page 11-96 • 11.10 DWDM Network Functional View, page 11-106 11.1 DWDM Node Configurations The ONS 15454 supports the following DWDM node configurations: hub, terminal, optical add/drop multiplexing (OADM), reconfigurable OADM (ROADM), anti-amplified spontaneous emission (anti-ASE), line amplifier, optical service channel (OSC) regeneration line, multishelf nodes, and node 11-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations configurations for mesh networks. All node configurations can be provisioned with C-band or L-band cards except the OADM and anti-ASE nodes. These nodes require AD-xB-xx.x or AD-xC-xx.x cards, which are C-band only. All node configurations can be single-shelf or multishelf. Note The Cisco TransportPlanner tool creates a plan for amplifier placement and proper node equipment. Note To support multiple optical sides in mesh DWDM networks, east and west are no longer used to reference the left and right sides of the ONS 15454 shelf. If a network running a previous software release is upgraded to this release, west will be mapped to A and east to B. In two-sided nodes, such as a hub or ROADM node, Side A refers to Slots 1 through 6 and Side B refers to Slots 12 through 17. Terminal nodes have one side labeled “A,” regardless of which slots have cards installed. For more information about configuring the ONS 15454 in mesh DWDM networks, see the “11.6 Configuring Mesh DWDM Networks” section on page 11-53. 11.1.1 Terminal Node A terminal node is a single ONS 15454 node equipped with two TCC2/TCC2P/TCC3/TNC/TSC cards and one of the following combinations: • One 32MUX-O card and one 32DMX-O card • One 32WSS card and either a 32DMX or a 32DMX-O card • One 40-WSS-C or 40-WSS-CE card and one 40-DMX-C or 40-DMX-CE card • One 40-MUX-C and one 40-DMX-C or 40-DMX-CE card • One 80-WXC-C card, one 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel, and one 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN (ONS 15216 40 or 48-channel mux/demux patch panel), and 15216-MD-ID-50 or 15216-MD-48-CM • One 40-SMR1-C and one 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel • One 40-SMR2-C and one 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel Note Although it is recommended that you use the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel along with the 40-SMR1-C and 40-SMR2-C cards, you can alternatively use the 40-MUX-C and 40-DMX-C cards instead of the 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel. Cards in the terminal nodes can be installed in Slots 1 through 6 or Slots 12 through 17. The side where cards are installed is always assigned as Side A. Figure 11-1 shows an example of a terminal configuration with a 2MUX-O card installed. The channel flow for a terminal node is the same as the hub node (Figure 11-28).11-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-1 Terminal Node Configuration With 32MUX-O Cards Installed Figure 11-2 shows an example of a terminal configuration with a 40-WSS-C card installed. OPT-BST OPT-PRE 32MUX-O DCU Air ramp Available 32DMX-O TCC2/TCC2P/TCC3 OSCM AIC-I Available TCC2/TCC2P/TCC3 Available Available Available Available Available Available 24909511-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-2 Terminal Node Configuration with 40-WSS-C Cards Installed Figure 11-3 shows an example of a terminal configuration with a 40-MUX-C card installed. OPT-BST or OSC-CSM OPT-PRE or TXP/MXP 40-WSS-C DCM-xxx Air ramp DCM-xxx 40-DMX-C TCC2/TCC2P/TCC3 OSCM or Blank AIC-I Blank TCC2/TCC2P/TCC3 Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP 249104 Blank or TXP/MXP or MS-ISC-100T Blank or TXP/MXP or MS-ISC-100T11-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-3 Terminal Node with 40-MUX-C Cards Installed Figure 11-4 shows an example of a terminal configuration with a 40-SMR1-C card installed. OPT-BST or OSC-CSM OPT-PRE or TXP/MXP DCM-xxx Air ramp DCM-xxx 40-DMX-C 40-MUX-C Blank or TXP/MXP TCC2/TCC2P/TCC3 OSCM or Blank AIC-I Blank TCC2/TCC2P/TCC3 Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP 249105 Blank or TXP/MXP or MS-ISC-100T Blank or TXP/MXP or MS-ISC-100T11-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-4 Terminal Node with 40-SMR1-C Card Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 Figure 11-5 shows an example of a terminal configuration with 40-SMR1-C and booster amplifier cards installed. 248993 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Available 40-SMR1-C LCD Cisco ONS 15454 Cisco ONS 15454 M6 Available Available Cable guide Air filter 15216 Odd Patch Panel Booster 40-SMR1-C DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available Available Available OSCM M AIC-I Empty TCC2 S-ISC MS-ISC 15216 Odd Patch Panel Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-5 Terminal Node with 40-SMR1-C and Booster Amplifier Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 Note When you use the 40-SMR1-C card along with a booster amplifier, the OSCM card must be connected to the booster amplifier. Figure 11-6 shows an example of a terminal configuration with a 40-SMR2-C card installed. 248992 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available 40-SMR1-C Booster (A) LCD Cisco ONS 15454 M6 Available Available Cable guide Air filter 15216 Odd Patch Panel Cisco ONS 15454 Booster 40-SMR1-C DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available Available Available OSCM M AIC-I Empty TCC2 S-ISC MS-ISC 15216 Odd Patch Panel Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-6 Terminal Node with 40-SMR2-C Card Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 11.1.2 OADM Node An OADM node is a single ONS 15454 node equipped with cards installed on both sides and at least one AD-xC-xx.x card or one AD-xB-xx.x card and two TCC2/TCC2P/TCC3/TNC/TSC cards. This configuration supports 32 channels. In an OADM node, channels can be added or dropped independently from each direction and then passed through the reflected bands of all OADMs in the DWDM node (called express path). They can also be passed through one OADM card to another OADM card without using a TDM ITU-T line card (called optical pass-through) if an external patchcord is installed. Unlike express path, an optical pass-through channel can be converted later to an add/drop channel in an altered ring without affecting another channel. OADM amplifier placement and required card placement is determined by the Cisco TransportPlanner tool or your site plan. OADM nodes can be amplified or passive. In amplified OADMs, booster and preamplifier cards are installed on bode sides of the node. Figure 11-7 shows an example of an amplified OADM node configuration. In addition, OADM nodes can be asymmetric. Amplifiers may be installed in one side, but not the other. Or preamplifiers may be installed in one side, and a booster in the other. 248994 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Available 40-SMR2-C LCD Cisco ONS 15454 M6 Available Available Cable guide Air filter 15216 Odd Patch Panel Cisco ONS 15454 40-SMR2-C Available DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available Available Available OSCM M AIC-I Empty TCC2 S-ISC MS-ISC 15216 Odd Patch Panel Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-7 Amplified OADM Node Configuration Example Figure 11-8 shows an example of the channel flow on the amplified OADM node. Since the 32-wavelength plan is based on eight bands (each band contains four channels), optical adding and dropping can be performed at the band level and/or at the channel level (meaning individual channels can be dropped). OPT-BST OPT-PRE OADM or mux/demux DCU Air ramp DCU OADM or mux/demux OADM or mux/demux OADM TCC2/TCC2P/TCC3 OSCM AIC-I OSCM TCC2/TCC2P/TCC3 OADM OADM or mux/demux OADM or mux/demux OADM or mux/demux OPT-PRE OPT-BST 24909611-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-8 Amplified OADM Node Channel Flow Example 11.1.3 ROADM Node A ROADM node adds and drops wavelengths without changing the physical fiber connections. A ROADM node is equipped with two TCC2/TCC2P/TCC3/TNC/TSC cards and one of the following combinations: • Two 32WSS cards and optionally, two 32DMX or 32DMX-O cards • Two 40-WSS-C or 40-WSS-CE cards and optionally, two 40-DMX-C or 40-DMX-CE cards • Two 40-SMR1-C cards and two 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (ONS 15216 40 or 48-channel mux/demux) patch panels • Two 40-SMR2-C cards and two 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (ONS 15216 40 or 48-channel mux/demux) patch panels • Two 80-WXC-C cards and two 15216-MD-40-ODD, 15216-EF-40-ODD, 15216-MD-48-ODD, 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panels Note Although it is recommended that you use the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel along with the 40-SMR1-C and 40-SMR2-C cards, you can alternatively use the 40-MUX-C and 40-DMX-C cards instead of the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel. Transponders (TXPs) and muxponders (MXPs) can be installed in Slots 6 and 12 and, if amplification is not used, in any open slot. OPT-PRE 4-ch demux 4MD-xx.x OPT-PRE OPT-BST Line Line 96427 OPT-BST DCU DCU OSCM TCC TCC2 OSCM AIC-I AD-yB-xx.x AD-1C-xx.x AD-1C-xx.x AD-yB-xx.x By Ch Ch By 4-ch mux 4-ch demux 4MD-xx.x 4-ch mux11-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Note Although not required, 32DMX-O can be used in a ROADM node. Cisco TransportPlanner automatically chooses the demultiplexer card that is best for the ROADM node based on the network requirements. Figure 11-9 shows an example of an amplified ROADM node configuration with 32DMX cards installed. Figure 11-9 ROADM Node with 32DMX Cards Installed Figure 11-10 shows an example of an amplified ROADM node configuration with 40-WSS-C cards installed. OPT-PRE OPT-BST 32WSS DCU W Air ramp DCU E 32DMX Available TCC2/TCC2P/TCC3 OSCM AIC-I OSCM TCC2/TCC2P/TCC3 Available 32DMX 32WSS OPT-BST OPT-PRE 24909811-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-10 ROADM Node with 40-WSS-C Cards Installed Figure 11-11 shows an example of a ROADM node with 40-SMR1-C cards installed. 249103 OPT-BST or OSC-CSM OPT-PRE or TXP/MXP 40-WSS-C DCM-xxx Air ramp DCM-xxx 40-DMX-C Blank or TXP/MXP or MS-ISC-100T TCC2/TCC2P/TCC3 OSCM or Blank AIC-I OSCM or Blank TCC2/TCC2P/TCC3 Blank or TXP/MXP or MS-ISC-100T 40-DMX-C 40-WSS-C OPT-PRE or TXP/MXP OPT-BST or OSC-CSM11-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-11 ROADM Node with 40-SMR1-C Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 Figure 11-12 shows an example of a ROADM node with 40-SMR1-C and booster amplifier cards installed. 248990 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Available 40-SMR1-C LCD Cisco ONS 15454 Cisco ONS 15454 M6 40-SMR1-C Available Cable guide Air filter 15216 Odd Patch Panel 15216 Odd Patch Panel 40-SMR1-C Available DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available 40-SMR1-C Available OSCM OSCM M AIC-I TCC2 S-ISC MS-ISC 15216 Odd Patch Panel 15216 Odd Patch Panel Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-12 ROADM Node with 40-SMR1-C and Booster Amplifier Cards Installed - Cisco ONS 15454 and Cisco ONS 15454 M6 Note When you use the 40-SMR1-C card along with a booster amplifier, the OSCM card must be connected to the booster amplifier. Figure 11-13 shows an example of a ROADM node with 40-SMR2-C cards installed. 248992 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available 40-SMR1-C Booster (A) LCD Cisco ONS 15454 M6 Available Available Cable guide Air filter 15216 Odd Patch Panel Cisco ONS 15454 Booster 40-SMR1-C DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available Available Available OSCM M AIC-I Empty TCC2 S-ISC MS-ISC 15216 Odd Patch Panel Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-13 ROADM Node with 40-SMR2-C Cards Installed - 15454 - Cisco ONS 15454 and Cisco ONS 15454 M6 248991 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Available 40-SMR2-C LCD Cisco ONS 15454 Cisco ONS 15454 M6 40-SMR2-C Available Cable guide Air filter 15216 Odd Patch Panel 15216 Odd Patch Panel 40-SMR2-C Available DCM-xxx Air Ramp DCM-xxx Av TCC2 ailable Available Available Available Available Available Available 40-SMR2-C OSCM OSCM M AIC-I TCC2 S-ISC MS-ISC Fibre Routing Panel 15216 Odd Patch Panel 15216 Odd Patch Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan Tray 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-14 shows the layout of a 80-channel colored two-degree ROADM node. Figure 11-14 80-Channel Colored Two-Degree ROADM Node 248861 Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P Available Available Preamplifier Booster Available Available OSCM OSCM 8 AIC-I TCC2P 0-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray 15216 Even Patch Panel 15216 Odd Patch Panel 15216 Even Patch Panel 1 15216 Odd Patch Panel 1 2 2 1 1 2 2 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel 2 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel11-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations The 80-WXC-C cards are inserted in Slots 3 and 14, and function in the bidirectional mode. Figure 11-15 shows the layout of an ONS 15454 M6 80-channel colored two-degree ROADM node. Figure 11-15 ONS 15454 M6 80-Channel Colored Two-degree ROADM Node 333812 Shelf 2 ECU 1 2 3 4567 8 Fan tray 15216 Odd Patch Panel Shelf 1 15216 Even Patch Panel TNC/TSC Booster Preamplifier 80-WXC-C TNC/TSC Power module LCD Power module Available Available ECU 1 2 3 4567 8 Fan tray 15216-MD-40-ODD 15216-MD-40-EVEN TNC/TSC Preamplifier Booster 80-WXC-C TNC/TSC Power module LCD Power module Available Available Cable guide Cable guide Air filter Air filter 15216 Odd Patch Panel 15216 Even Patch Panel 1 2 1 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel 2 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-16 shows the layout of an 80-channel n-degree ROADM node with omni-directional side. Figure 11-16 80-Channel n-degree ROADM node with Omni-directional Side 248865 Preamplifier Preamplifier DCM-xxx Air ramp DCM-xxx Any other side TCC2 OSCM OSCM 8 AIC-I TCC2 0-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray 15216 Even Patch Panel 15216 Odd Patch Panel 1 2 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel 2 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel11-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-17 shows the layout of an ONS 15454 M6 80-channel n-degree ROADM node with omni-directional side. Figure 11-17 ONS 15454 M6 80-Channel n-degree ROADM node with Omni-directional Side Figure 11-18 shows the layout of a 40-channel n-degree ROADM node with a 40-WXC-C based colorless side. 248882 ECU 1 2 3 4567 8 Fan tray 15216 Even Patch Panel 15216 Odd Patch Panel TNC/TSC TNC/TSC Power module Power module Preamplifier Preamplifier 80-WXC-C LCD Available Available Cable guide Air filter 1 2 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel 2 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel11-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-18 40-Channel n-degree ROADM Node with 40-WXC-C Based Colorless Side The 80-WXC-C cards are connected to the ADD/DROP ports of the 40-WXC-C card and function as colorless multiplexer and demultiplexer units. 248858 Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P Available Available Available Available OSCM 8 AIC-I Empty TCC2P 0-WXC-C 8 40-WXC-C 0-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray11-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-19 shows the layout of a 40-channel four-degree ROADM node with a 40-SMR2-C based colorless side. Figure 11-19 40-Channel Four-degree ROADM Node with 40-SMR2-C Based Colorless Side The 80WXC-C (multiplexer) card is inserted in Slot 3 and the 80-WXC-C (demultiplexer) card is inserted in Slot 5. The 80-WXC-C cards are connected to the ADD/DROP ports of the 40-SMR2-C card and function as the colorless multiplexer and demultiplexer units. 248878 DCM-xxx Air ramp DCM-xxx TCC2P OSC-CSM OSC-CSM 40-SMR2-C 40-SMR2-C 40-SMR2-C 40-SMR2-C Available Available OSCM OSCM 8 AIC-I TCC2P 0-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray 15216 Odd Patch Panel 15216 Odd Patch Panel 15216 Odd Patch Panel 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-20 shows the layout for an 80-channel colorless ROADM node. Figure 11-20 80-Channel Colorless ROADM Node An 80 channel colorless two-degree ROADM node requires the following cards: 80-WXC-C, 15216-MD-40-ODD, 15216-EF-40-ODD, 15216-MD-48-ODD, 15216-MD-40-EVEN, 15216-EF-40-EVEN, 15216-MD-48-EVEN, preamplifiers, and boosters. The 80-WXC-C cards can be used at two levels; level1 (L1) and level2 (L2). The L1 80WXC-C (multiplexer) card is inserted in Slot 3 and the L1 80-WXC-C (demultiplexer) card is inserted in Slot 5. The L2 80WXC-C (multiplexer) card is inserted in Slot 12 and the L2 80-WXC-C (demultiplexer) card is inserted in Slot 14. 248863 Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P Available Available 8 Empty AIC-I Empty TCC2P 0-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C Fiber routing ranel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P Available Available OSCM OSCM 8 AIC-I TCC2P 0-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray Side A Side B 15216 Odd Patch Panel 15216 Even Patch Panel 15216-MD-40-ODD 15216-MD-40-EVEN 15216Odd Patch Panel 15216 Even Patch Panel 1 2 1 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel 2 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-21 shows an example of the optical signal flow in an 80-channel colorless two-degree ROADM node from Side A to Side B using 80-WXC-C cards. The optical signal flow from Side B to Side A follows an identical path. Figure 11-21 80-Channel Colorless Two-degree ROADM Node 248860 1x9 DMX L2 1x9 DMX L1 1x9 MUX L2 1x9 DMX L2 1x9 MUX L2 1x9 MUX L1 1x9 MUX L1 1x9 DMX L1 P Booster Side A Side B OSC Booster OSC DMX-E DMX-O MUX-E MUX-O DMX-O DMX-E MUX-O MUX-E P 1 The booster on Side A receives the composite optical signal. It separates the optical service channel from the optical payload and sends the payload to the preamplifier on Side A. 2 The preamplifier compensates for chromatic dispersion, amplifies the optical payload and sends it to the L1 80-WXC-C card (demultiplexer). 3 Up to eight colorless ports are available on the L1 80-WXC-C card if no colored wavelength is terminated. In Figure 11-21, two EAD ports are connected to 40-DMX-C or 40-DMX-CE cards, 15216-MD-40-ODD, 15216-EF-40-ODD, 15216-MD-48-ODD, 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN units where the colored odd and even wavelengths are dropped. The express wavelengths are sent to the L1 80-WXC-C card (multiplexer) on Side B where the wavelengths are multiplexed with other colored or colorless wavelengths. 4 The L1-80-WXC-C card on Side B sends the composite signal to the booster on Side B. 5 The booster on Side B receives the composite optical signal, adds the optical service channel to the optical payload and sends it to the transmission line. 6 It is possible to configure more colorless ports by cascading the 80-WXC-C cards at two levels. For example, to get 14 colorless ports connect one of the EAD ports of the L1 80-WXC-C card to another 80-WXC-C cards at level 2. There are five colorless ports on the L1 80-WXC-C card and nine colorless ports on the L2 80-WXC-C card. To achieve an 80 channel colorless configuration, connect nine L2 80-WXC-C cards to the nine EAD ports of the L1 80-WXC-C card.11-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-22 shows the layout for an 80-channel colorless ROADM node with OPT-RAMP-C cards. Figure 11-22 80-Channel Colorless ROADM Node with OPT-RAMP-C Card 248874 Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P OSCM OSCM 8 AIC-I TCC2P 0-WXC-C OPT-RAMP-C 80-WXC-C 80-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray Side A Side B 15216-MD-40-ODD 15216-MD-40-EVEN Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P OSCM OSCM 8 AIC-I TCC2P 0-WXC-C OPT-RAMP-C 80-WXC-C 80-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray 15216 Odd Patch Panel 15216 Even Patch Panel 15216 Even Patch Panel 15216 Odd Patch Panel 1 2 1 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel 2 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-23 shows an example of an ONS 15454 M6 80-channel two degree colorless ROADM node. Figure 11-23 ONS 15454 M6 80-Channel Two-degree Colorless ROADM Node The L1 80WXC-C (multiplexer) card is inserted in Slot 4 and the L1 80-WXC-C (demultiplexer) is inserted in Slot 6. The L2 80WXC-C (multiplexer) card is inserted in Slot 2 and the L2 80-WXC-C (demultiplexer) is inserted in Slot 4. 248873 Shelf 1 Shelf 2 ECU 1 2 3 4567 8 Fan tray 15216-MD-40-ODD 15216-MD-40-EVEN TNC/TSC Booster Preamplifier 80-WXC-C TNC/TSC Power module Power module 80-WXC-C LCD ECU 1 2 3 4567 8 Fan tray 15216 Odd Patch Panel 15216 Even Patch Panel TNC/TSC Preamplifier Booster 80-WXC-C TNC/TSC Power module Power module 80-WXC-C LCD Cable guide Air filter Cable guide Air filter 15216 Odd Patch Panel 15216 Even Patch Panel 1 2 1 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel 2 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-24 shows an example of a ROADM optical signal flow from Side A to Side B using the 32WSS or 40-WSS-C cards. The optical signal flow from Side B to Side A follows an identical path through the Side B OSC-CSM and 32WSS or 40-WSS-C cards. In this example, OSC-CSM cards are installed, hence OPT-BSTs are not needed. Figure 11-24 ROADM Optical Signal Flow Example Using 32WSS or 40-WSS-C Card Figure 11-25 shows an example of an ROADM optical signal flow from Side A to Side B using the 40-SMR1-C card. The optical signal flow from Side B to Side A follows an identical path through the Side B booster and 40-SMR1-C card. 1 The OSC-CSM receives the optical signal. It separates the optical service channel from the optical payload and sends the payload to the OPT-PRE module. 2 The OPT-PRE compensates for chromatic dispersion, amplifies the optical payload, and sends it to the 32WSS or 40-WSS-C/40-WSS-CE. 3 The 32WSS or 40-WSS-C/40-WSS-CE splits the signal into two components. The 80 percent component is sent to the DROP-TX port and the 20 percent component is sent to the EXP-TX port. 4 The drop component goes to the 32DMX card or 40-DMX-C/40-DMX-CE card where it is demultiplexed and dropped. 5 The express wavelength aggregate signal goes to the 32WSS or 40-WSS-C/40-WSS-CE on the other side where it is demultiplexed. Channels are stopped or forwarded based upon their switch states. Forwarded wavelengths are merged with those coming from the ADD path and sent to the OSC-CSM module. 6 The OSC-CSM combines the multiplexed payload with the OSC and sends the signal out the transmission line. 32-ch demux Side B OSC-CSM 115228 Side A OSC-CSM OSC Side B 32WSS Side A 32WSS 80/20 Side B 32DMX Add Add Drop 2 slots 1 slot Side B OPT-PRE Side B Line Side A OPT-PRE Side A Line 32-ch demux Side A 32DMX Drop 1 slot 32R_OAM 80/20 2 slots 32R_OAM 1 1 2 2 3 3 5 5 6 6 4 4 OSC11-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-25 ROADM Optical Signal Flow Example Using 40-SMR1-C Card 11.1.4 Hub Node A hub node is a single ONS 15454 node equipped with two TCC2/TCC2P/TCC3/TNC/TSC cards and one of the following combinations: • Two 32MUX-O cards and two 32DMX-O or 32DMX cards • Two 32WSS cards and two 32DMX or 32DMX-O cards 1 The booster receives the optical signal. It separates the optical service channel from the optical payload and sends the payload to the preamplifier module within the 40-SMR1-C card. 2 The preamplifier module compensates for chromatic dispersion, amplifies the optical payload, and sends it to the 70/30 splitter within the 40-SMR1-C card. 3 The 70/30 splitter splits the signal into two components. The 70 percent component is sent to the DROP-TX port and the 30 percent component is sent to the EXP-TX port. 4 The drop component goes to the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD card where it is demultiplexed and dropped. 5 The express wavelength aggregate signal goes to the 40-SMR1-C card on the other side where it is demultiplexed. Channels are stopped or forwarded based upon their switch states. Forwarded wavelengths are merged with those coming from the ADD path and sent to the booster module. 6 The booster combines the multiplexed payload with the OSC, amplifies it, and sends the signal out the transmission line. 276454 Side B Booster OSC Side B Line Side B 40-SMR1-C Side A 40-SMR1-C Side A Booster OSC Side A Line Side B MUX 15216-MD-40-ODD 70/30 70/30 Side A DMX 15216-MD-40-ODD Side B DMX 15216-MD-40-ODD Side A MUX 15216-MD-40-ODD Drop Drop 1 2 4 5 5 6 3 2 3 4 6 111-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations • Two 40-WSS-C or 40-WSS-CE cards and two 40-DMX-C or 40DMX-CE cards • Two 40-SMR1-C and two 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (ONS 15216 40 or 48-channel mux/demux patch panel) • Two 40-SMR2-C and two 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD Note Although it is recommended that you use the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD card along with the 40-SMR1-C and 40-SMR2-C cards, you can alternatively use the 40-MUX-C and 40-DMX-C cards instead of the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD card. Note The configuration for a hub node using 40-SMR1-C or 40-SMR2-C cards is identical to the ROADM node, except that there is no patchcord connecting the two 40-SMR1-C or 40-SMR2-C cards. For more details on the ROADM node configuration, see the “11.1.3 ROADM Node” section on page 11-10. Note The 32WSS/40-WSS-C/40-WSS-CE and 32DMX/32DMX-L/40-DMX-C/ 40-DMX-CE cards are normally installed in ROADM nodes, but they can also be installed in hub and terminal nodes. If the cards are installed in a hub node, the 32WSS/32WSS-L/ 40-WSS-C/40-WSS-CE express ports (EXP RX and EXP TX) are not cabled. A dispersion compensation unit (DCU) can also be added, if necessary. Figure 11-26 shows a hub node configuration with 32MUX-O and 32DMX-O cards installed. 11-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-26 Hub Node Configuration Example with 32-Channel C-Band Cards Figure 11-27 shows a 40-channel hub node configuration with 40-WSS-C cards installed. OPT-BST W OPT-PRE W 32MUX-O DCU Air ramp DCU 32DMX-O TCC2/TCC2P/TCC3 OSCM W AIC-I OSCM E TCC2/TCC2P/TCC3 32DMX-O 32MUX-O OPT-PRE E OPT-BST E 24909411-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-27 Hub Node Configuration Example with 40-WSS-C Cards Figure 11-28 shows the channel flow for a hub node. Up to 32 channels from the client ports are multiplexed and equalized onto one fiber. Then, multiplexed channels are transmitted to the OPT-BST amplifier. The OPT-BST output is combined with an output signal from the OSCM card and transmitted to the other side. Received signals are divided between the OSCM card and an OPT-PRE card. Dispersion compensation is applied to the signal received by the OPT-PRE amplifier, and it is then sent to the 32DMX-O card, which demultiplexes and attenuates the input signal. OPT-BST or OSC-CSM OPT-PRE or TXP/MXP 40-WSS-C DCM-xxx Air ramp DCM-xxx 40-DMX-C TCC2/TCC2P/TCC3 OSCM or Blank AIC-I Blank TCC2/TCC2P/TCC3 Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP Blank or TXP/MXP 249102 Blank or TXP/MXP or MS-ISC-100T Blank or TXP/MXP or MS-ISC-100T11-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-28 Hub Node Channel Flow Example 11.1.5 Anti-ASE Node In a mesh ring network, the ONS 15454 requires a node configuration that prevents ASE accumulation and lasing. An anti-ASE node can be created by configuring a hub node or an OADM node with some modifications. No channels can travel through the express path, but they can be demultiplexed and dropped at the channel level on one side and added and multiplexed on the other side. The hub node is the preferred node configuration when some channels are connected in pass-through mode. For rings that require a limited number of channels, combine AD-xB-xx.x and 4MD-xx.x cards, or cascade AD-xC-xx.x cards. See Figure 11-8 on page 11-10. Figure 11-29 shows an anti-ASE node that uses all wavelengths in the pass-through mode. Use Cisco TransportPlanner to determine the best configuration for anti-ASE nodes. Client equipment 32DMX-0 32MUX-0 32MUX-0 32DMX-0 OPT-PRE OPT-BST OPT-PRE West side East side OPT-BST Line Line 96426 DCU OSCM TCC TCC2 OSCM AIC-I DCU11-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-29 Anti-ASE Node Channel Flow Example 11.1.6 Line Amplifier Node A line amplifier node is a single ONS 15454 node that is used to amplify the optical signal in long spans. The line amplifier node can be equipped with one of the following sets of cards: • Two OPT-PRE cards, two OPT-BST cards, and two OSCM cards • Two OPT-PRE cards and two OSC-CSM cards • Two OPT-AMP-17-C cards and two OSCM cards • Two OPT-AMP-C cards and two OSCM cards Attenuators might also be required between each preamplifier and OPT-BST amplifier to match the optical input power value and to maintain the amplifier gain tilt value. Two OSCM cards are connected to the OPT-BST cards to multiplex the OSC signal with the pass-though channels. If the node does not contain a booster card, OSC-CSM cards must be installed instead of OSCM cards. Figure 11-30 shows an example of a line amplifier node configuration using OPT-BST, OPT-PRE, and OSCM cards. 4-ch demux 4MD-xx.x Line Express path open Line 96429 DCU DCU OSCM TCC TCC2 OSCM AIC-I B1 Ch Ch B1 4-ch mux 4-ch demux 4MD-xx.x 4-ch mux11-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Configurations Figure 11-30 Line Amplifier Node Configuration Example - Cisco ONS 15454 M6 and Cisco ONS 15454 M2 11.1.7 OSC Regeneration Node The OSC regeneration node is added to the DWDM networks for two purposes: • To electrically regenerate the OSC channel whenever the span links are 37 dB or longer and payload amplification and add/drop capabilities are not present. Cisco TransportPlanner places an OSC regeneration node in spans longer than 37 dB. The span between the OSC regeneration node and the next DWDM network site cannot be longer than 31 dB. • To add data communications network (DCN) capability wherever needed within the network. OSC regeneration nodes require two OSC-CSM cards, as shown in Figure 11-31. The cards are installed in each side of the shelf. 248987 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Preamplifier (A) Booster (A) LCD Cisco ONS 15454 M6 LCD Booster (B) Preamplifier (B) Cable guide 1 2 3 TNC/TSC Preamplifier (B) Preamplifier (A) Cisco ONS 15454 M2 LCD 1 2 3 TNC/TSC OPT-AMP-C (B) OPT-AMP-C (A) Air filter11-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards Figure 11-31 OSC Regeneration Line Node Configuration Example - Cisco ONS 15454, Cisco ONS 15454 M6, and Cisco ONS 15454 M2 Figure 11-32 shows the OSC regeneration line node signal flow. Figure 11-32 OSC Regeneration Line Node Flow 11.2 Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards The OPT-RAMP-C and OPT-RAMP-CE cards can be equipped in the following network element type configurations: • C-band odd systems: 248988 ECU 1 2 3 4567 8 Fan tray TNC/TSC TNC/TSC Power module Power module Available Available Available OSC-CSM (A) LCD Cisco ONS 15454 M6 Cisco ONS 15454 M2 OSC-CSM (B) Available Cable guide LCD 1 2 3 TNC/TSC OSC-CSM (B) OSC-CSM-C (A) Air filter Cisco ONS 15454 OSC-CSM Available DCU Air Ramp DCU Av TCC2/TCC2P ailable Available Available Available Available Available OSC-CSM Available Available Available Av AIC-I TCC2/TCC2P ailable Available Fan Tray Fibre Routing Panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 115255 Fiber Fiber Fiber Fiber Side B OSC-CSM Side A OSC-CSM Side B Side A COM-TX Line-TX Side B Side A COM-RX Line-RX Side B Side A COM-RX Side B Side A Side B Side A Side B Side A COM-TX11-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards – C-band terminal site with 32-MUX-O and 32-DMX-O cards – C-band hub node with 32-MUX-O and 32-DMX-O cards – C-band fixed OADM node – C-band line site – C-band 32-channel reconfigurable OADM (ROADM) – C-band terminal site using a 32-WSS and 32-DMX cards – C-band flexible terminal site using AD-xC cards – C-band hub node using a 32-WSS and 32-DMX cards – C-band 40-channel ROADM – C-band terminal site using a 40-WSS-C and 40-DMX-C cards – C-band terminal site using 40-MUX-C and 40-DMX-C cards – C-band hub node using a 40-WSS-C and 40-DMX-C cards – C-band up to 4 degree mesh node – C-band up to 8 degree mesh node – C-band multiring/mesh with MMU node – C-band 4 degree multiring/mesh node (MMU based) • C-band odd and even systems: – C-band 64-channel terminal site – C-band 72-channel terminal site – C-band 80-channel terminal site – C-band 64-channel hub site – C-band 72-channel hub site – C-band 80-channel hub site – C-band 64-channel ROADM site – C-band 72-channel ROADM site – C-band 80-channel ROADM site The following amplifier cards are defined as booster or preamplifiers: • Booster: – OPT-BST – OPT-BST-E – OPT-AMP-17-C – OPT-AMP-C • Preamplifier: – OPT-PRE – OPT-AMP-C – OPT-BST – OPT-BST-E11-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards Note When the booster is not needed, it must be replaced with an OSC-CSM card. The maximum number of shelves that can be aggregated in a multishelf node are: • Eight, if the MS-ISC-100T switch card is used. • Twelve, if an external Catalyst 2950 switch is used. 11.2.1 OPT-RAMP-C or OPT-RAMP-CE Card in an Add/Drop Node When the OPT-RAMP-C or OPT-RAMP-CE card is equipped in an add/drop node, the booster amplifier is mandatory and cannot be replaced by an OSC-CSM card. The preamplifier is an OPT-BST, OPT-BST-E, or OPT-AMP-C card, and must be cabled as an unidirectional card. Note that the COM-TX and LINE-RX ports must not be used for any other connections. If a single module ROADM 40-SMR-1-C is used as an add/drop card, a preamplifier is not required. If a single module ROADM 40-SMR-2-C is used as an add/drop card, both the preamplifier and booster are not required. Figure 11-33 shows the OPT-RAMP-C or OPT-RAMP-CE card in an add/drop node. Figure 11-33 OPT-RAMP-C or OPT-RAMP-CE Card in an Add/Drop Node When required, a DCN extension can be used on A/D Side (i) in Figure 11-33. Side (i) in Figure 11-33 can be equipped with the following cards: • WSS + DMX • AD-xC • 40-WXC-C or 80-WXC-C + MUX + DMX • Single module ROADM 11.2.2 OPT-RAMP-C or OPT-RAMP-CE Card in a Line Site Node with Booster Amplification The OPT-RAMP-C or OPT-RAMP-CE card can be equipped in a line site node with a booster amplifier in the following configurations: OSCM DCU OPT-RAMP A/D Side (i) Side (i) Booster 247380 DCU Pump Pre-amp11-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for OPT-RAMP-C and OPT-RAMP-CE Cards • OPT-BST and OPT-BST-E can be used as booster in a line site node with OPT-RAMP-C or OPT-RAMP-CE. The booster cards need to be cabled as bidirectional units. Figure 11-34 shows the OPT-RAMP-C or OPT-RAMP-CE card in a line site configuration. Figure 11-34 OPT-RAMP-C Card or OPT-RAMP-CE Card in a Line Site Configuration • The OPT-AMP-C can be used as a booster in a line site node with OPT-RAMP-C or OPT-RAMP-CE and needs to be cabled as a bidirectional unit. An additional DCU unit can be equipped between the OPT-AMP-C DC ports. Figure 11-35 shows a line site configured with OPT-AMP-C card and an additional DCU unit. Figure 11-35 Line Site Configured with OPT-AMP-C • A line site can be configured with OPT-RAMP-C or OPT-RAMP-CE card on one side only. Figure 11-36 shows the line site configured with OPT-RAMP-C or OPT-RAMP-CE on side A only. The booster is configured on side B. OSCM DCU OPT-RAMP Side B Booster Booster OPT-RAMP 247377 OSCM DCU Pump Pump OSCM DCU OPT-RAMP Side B Booster OPT-RAMP 247378 OSCM DCU DCU Pump Pump OPT-AMP-C11-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for PSM Card Figure 11-36 Line Site with OPT-RAMP-C or OPT-RAMP-CE On One Side In all configurations, the booster amplifier facing the OPT-RAMP-C or OPT-RAMP-CE card is mandatory for safety reasons. 11.3 Supported Node Configurations for PSM Card The PSM card supports the following node configurations: • 11.3.1 Channel Protection • 11.3.2 Multiplex Section Protection • 11.3.3 Line Protection • 11.3.4 Standalone 11.3.1 Channel Protection In a channel protection configuration, the PSM card is used in conjunction with a TXP/MXP card. The PSM card in a channel protection configuration can be used in any site apart from a terminal site. Figure 11-37 shows the DWDM functional view of a PSM card in channel protection configuration. OSCM DCU OPT-RAMP Side A Side B Booster 247379 DCU Pump OPT-AMP-C OSCM11-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for PSM Card Figure 11-37 PSM Channel Protection Configuration In this configuration, the COM-RX and COM-TX ports of the PSM card are connected to the TXP/MXP trunk ports. This configuration is applicable to an n-degree MSTP node, for example, a two-degree ROADM, an n-degree ROADM, or an OADM node. The example block diagram shows a two-degree node with Side A and Side B as the two sides. The Side A and Side B fiber-stage block can be DWDM cards that are used to amplify transmitted or received signal (see the “11.5.1.1 Fiber Stage” section on page 11-45 for the list of cards). The Side A and Side B add/drop stage block can be DWDM cards that can add and drop traffic (see the “11.5.1.2 A/D Stage” section on page 11-47 for the list of cards). In the transmit direction, the traffic originating from a TXP/MXP trunk port is split by the PSM card on to the W-TX and P-TX ports. The W-TX and P-TX ports are connected to the ADD-RX ports of the add/drop stage cards in Side A and Side B respectively. The add/drop stage cards multiplex traffic on Side A and Side B line ports that become the working and protect paths respectively. In the receive direction, the W-RX and P-RX ports of the PSM card are connected to the DROP-TX ports of the add/drop stage cards on Side A and Side B respectively. The add/drop stage cards demultiplex traffic received from Side A and Side B line ports that are the working and protect paths respectively. The PSM card selects one of the two input signals on the W-RX and P-RX ports to be transmitted to the COM-RX port of the PSM card. Note All traffic multiplexed or demultiplexed by the two add/drop stage cards is not protected. Fiber stage card COM-RX COM-TX COM-TX COM-RX EXP-RX DROP-TX ADD-RX Fiber stage card Side A Side A Side B Side B TXP/MXP TX RX Trunk port Working path Protect path W-RX PSM LINE-RX LINE-TX A/D stage card A/D stage card EXP-TX EXP-RX EXP-TX COM-RX COM-TX COM-RX COM-TX LINE-RX LINE-TX ADD-RX DROP-TX W-TX P-TX P-RX COM-RX COM-TX 1X2 Switch 50/50 Splitter 24308711-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for PSM Card 11.3.2 Multiplex Section Protection The PSM card performs multiplex section protection when connected between a multiplexer/demultiplexer card in a terminal site. The multiplexer/demultiplexer stage can be built using WSS and DMX or 40MUX and 40DMX cards. The terminal sites can be 50/100 Ghz band. The number of supported channels can therefore be 32/40 or 72/80. Figure 11-38 shows the block diagram of a PSM card in multiplex section protection configuration. Figure 11-38 PSM Multiplex Section Protection Configuration In the transmit direction, the traffic originating from a TXP trunk port is multiplexed by the Side A multiplexer. The PSM card splits traffic on to the W-TX and P-TX ports, which are independently amplified by two separated booster amplifiers. In the receive direction, the signal on the line ports is preamplified by two separate preamplifiers and the PSM card selects one of the two input signals on the W-RX and P-RX ports to be transmitted to the COM-RX port of the PSM card. The received signal is then demultiplexed to a TXP card. The presence of a booster amplifier is not mandatory. However, if a DCN extension is used, the W-TX and P-TX ports of the PSM card can be connected directly to the line. The presence of a preamplifier is also not mandatory. Note The PSM card cannot be used with Raman amplification in a line protection or section protection configuration. 11.3.3 Line Protection In a line protection configuration, the working and protect ports of the PSM card are connected directly to the external line. This configuration is applicable to any MSTP node that is configured as a terminal site. The multiplexer/demultiplexer stage can be built using WSS and DMX, 40MUX and 40DMX, COM-TX COM-RX ADD-RX DROP-TX Side A Mux/Demux Working Path Amplifier TXP/MXP TX RX Trunk port Working path Protect path W-RX PSM COM-RX COM-TX LINE-RX LINE-TX W-TX P-RX P-TX COM-TX COM-RX 1X2 Switch 50/50 Splitter Protect Path Amplifier COM-RX COM-TX LINE-RX LINE-TX 24308811-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Supported Node Configurations for PSM Card 40-SMR1-C and 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD, or 40-SMR2-C and 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD units. The terminal sites can be 50/100 Ghz band. The number of supported channels can therefore be 32/40 or 72/80. Figure 11-39 shows the block diagram of a PSM card in line protection configuration. Figure 11-39 PSM Line Protection Configuration In the transmit direction, the traffic originating from a transponder trunk port is multiplexed by the Side A multiplexer and amplified by a booster amplifier. The Line-TX port of the amplifier is connected to the COM-RX port of the PSM card. The PSM card splits traffic received on the COM-RX port on to the W-TX and P-TX ports, which form the working and protect paths. In the receive direction, the PSM card selects one of the two input signals on the W-RX and P-RX ports to be transmitted to the COM-RX port of the PSM card. The received signal is then preamplified and demultiplexed to the TXP card. The presence of a booster amplifier is not mandatory. However, if a DCN extension is used, the COM-RX port of the PSM card is connected to the multiplex section. The presence of a preamplifier is also not mandatory; the COM-TX port of the PSM card can be connected to the demultiplexer. Note The PSM card cannot be used with Raman amplification in a line protection or section protection configuration. 11.3.4 Standalone In a standalone configuration, the PSM card can be equipped in any slot and supports all node configurations. In this configuration, the PSM card provides only basic functionality, such as, protection against a fiber cut, optical safety, and automatic laser shutdown (ALS). It does not provide other functionalities such as, automatic power control (APC), automatic node setup (ANS), network and node alarm correlation, circuit management, and so on. COM-TX COM-RX ADD-RX DROP-TX TXP/MXP Side A Mux/Demux TX RX Trunk port Working path Protect path W-RX PSM W-TX P-RX P-TX COM-TX COM-RX 1X2 Switch 50/50 Splitter LINE-RX COM-TX LINE-TX COM-RX Side A Amplifier 24308911-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Multishelf Node 11.4 Multishelf Node In a multishelf configuration, the ONS 15454-M6 node or the ONS 15454-DWDM node with TCC3 card as the node controller can manage up to 29 subtending shelves as a single entity. The subtending shelves can be 15454-M6 or 15454-DWDM. The node controller is the main shelf with the TCC2/TCC2P/TCC3/TNC/TNCE/TSC/TSCE cards running the multishelf functions. Each subtending shelf must be equipped with TCC2/TCC2P/TCC3/TNC/TNCE/TSC/TSCE cards, which run the shelf functions. For internal data exchange between the node controller shelf and subtending shelves, the node controller shelf must be equipped with redundant MS-ISC-100T cards or, as an alternative, the Catalyst 2950 switch. We recommend that you use the MS-ISC-100T cards. If using the Catalyst 2950, it is installed on one of the multishelf racks. All subtending shelves must be located in the same site at a maximum distance of 100 meters or 328 feet from the Ethernet switches used to support the communication LAN. Figure 11-40 shows an example of a multishelf node configuration. Figure 11-40 Multishelf Node Configuration 145236 Air Ramp Storage Air Ramp PDP Air Ramp "Y" Cable 15216 "Y" Cable 15216 Storage DCU 15216 Patch panel Patch panel MSTP - TXP/MXP MSTP - DWDM ETSI MSTP - TXP/MXP or MSPP MSTP - TXP/MXP Air Ramp MSTP - TXP/MXP Air Ramp MSTP - TXP/MXP ETSI MSTP - TXP/MXP or MSPP MSTP - TXP/MXP Air Ramp MSTP - TXP/MXP Air Ramp MSTP - TXP/MXP11-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Multishelf Node A multishelf node has a single public IP address for all client interfaces (Cisco Transport Controller [CTC], Transaction Language One [TL1], Simple Network Management Protocol [SNMP], and HTTP); a client can only connect to the node controller shelf, not to the subtending shelves. The user interface and subtending shelves are connected to a patch panel using straight-through (CAT-5) LAN cables. The node controller shelf has the following functions: • IP packet routing and network topology discovery at the node controller level. • Open Shortest Path First (OSPF) centralized on the node controller shelf. The subtending shelves have the following functions: • Overhead circuits are not routed within a multishelf node but are managed at the subtending controller shelf only. To use overhead bytes, the AIC-I must be installed on the subtending shelf where it is terminated. • Each subtending shelf will act as a single shelf node that can be used as a timing source line, TCC/TCC2P/TCC3/TNC/TSC clock, or building integrated timing supply (BITS) source line. 11.4.1 Multishelf Node Layout Multishelf configurations are configured by Cisco TransportPlanner and are automatically discovered by the CTC software. In a typical multishelf installation, all optical units are equipped on the node controller shelf and TXP/MXP cards are equipped in the aggregated subtended shelves. In addition, all empty slots in the node controller shelf can be equipped with TXP/MXP cards. In a DWDM mesh network, up to eight optical sides can be configured with client and optical cards installed in different shelves to support mesh and ring-protected signal output. Note When a DWDM ring or network has to be managed through a Telcordia operations support system (OSS), every node in the network must be set up as multi-shelf. OLA sites and nodes with one shelf must be set up as "multi-shelf stand-alone" to avoid the use of LAN switches. 11.4.2 DCC/GCC/OSC Terminations A multishelf node provides the same communication channels as a single-shelf node: • OSC links terminate on OSCM/OSC-CSM cards. Two links are required between each ONS 15454 node. An OSC link between two nodes cannot be substituted by an equivalent generic communications channel/data communications channel (GCC/DCC) link terminated on the same pair of nodes. OSC links are mandatory and they can be used to connect a node to a gateway network element (GNE). • GCC/DCC links terminate on TXP/MXP cards. The maximum number of DCC/GCC/OSC terminations that are supported in a multishelf node is 48. Note Optical Service Channel can be created on the OC3 port of the TNC card.11-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides 11.5 Optical Sides From a topological point of view, all DWDM units equipped in an MSTP node belongs to a side. A side can be identified by a letter (A, B, C, D, E, F, G, or H), or by the ports (called as side line ports, see 11.5.2 Side Line Ports, page 11-47) that are physically connected to the spans. An MSTP node can be connected to a maximum of 8 different spans. Each side identifies one of the spans the MSTP node is connected to. Note Side A and Side B replace “west” and “east” when referring to the two sides of the ONS 15454 shelf. Side A refers to Slots 1 through 6 (formerly “west”), and Side B refers to Slots 12 through 17 (formerly “east”). The line direction port parameter, East-to-West and West-to-East, has been removed. Sides are viewed and managed from the Provisioning > WDM-ANS > Optical Sides tab in CTC. 11.5.1 Optical Side Stages All MSTP nodes can be modelled according to Figure 11-41. Figure 11-41 Interconnecting Sides Conceptual View According to Figure 11-41, each MSTP node side includes DWDM units that can be conceptually divided into three stages. • Fiber stage—The set of DWDM cards with ports that directly or indirectly face the span. • A/D stage—The add/drop stage. 159460 Fiber Stage Side A A/D Stage Side E Interconnecting sides I/F TXP/MXP Stage Side F Side B Side G Side C Side H Side D11-45 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides • TXP/MXP stage—The virtual grouping of all TXP or MXP cards with signals multiplexed or demultiplexed to and from the physical fiber stage. 11.5.1.1 Fiber Stage The fiber stage includes DWDM cards that are used to amplify transmitted or received signals and cards that are used to add optical supervision channels. The fiber stage cards are: • Booster amplifier cards that directly connect to the span, such as: – OPT-BST – OPT-BST-E – OPT-BST-L – OPT-AMP-C, when provisioned in OPT-LINE (booster amplifier) mode – OPT-AMP-L, when provisioned in OPT-LINE (booster amplifier) mode – OPT-AMP-17-C, when provisioned in OPT-LINE (booster amplifier) mode • Preamplifier cards, such as: – OPT-PRE – OPT-AMP-C, when provisioned in OPT-PRE (preamplifier) mode – OPT-AMP-L, when provisioned in OPT-PRE (preamplifier) mode – OPT-AMP-17-C, when provisioned in OPT-PRE (preamplifier) mode • OSC cards, such as: – OSCM – OSC-CSM • OPT-RAMP-C card Table 11-1 shows the commonly deployed fiber stage layouts supported by DWDM mesh nodes. In the table, OPT-BST includes the OPT-BST, OPT-BST-E, and OPT-BST-L cards. OPT-AMP includes the OPT-AMP-L and OPT-AMP-17-C cards configured in either OPT-PRE or OPT-LINE mode. Note In the table, L and C suffix is not reported because C-band and L-band amplifiers cannot be mixed in the same layout.11-46 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides Table 11-1 Supported Fiber Stage Configurations Layout Cards Configurations A OPT-BST <-> OPT-PRE/OPT-AMP (OPT-PRE mode) • OPT-BST OSC ports connected to OSCM OSC ports or OSC-CSM LINE ports • OPT-BST LINE ports connected to the span • OPT-BST COM-TX ports connected to OPT-AMP (OPT-PRE mode) or OPT-PRE COM-RX ports • OPT-AMP (OPT-PRE mode) or OPT-PRE LINE-TX or COM-TX ports connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM-RX port in a ROADM node) • OPT-BST COM-RX ports connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM-TX port in a ROADM node) B OPT-AMP (OPT-BST mode) <-> OPT-PRE/OPT-AMP (OPT-PRE mode) • OPT-AMP (BST) OSC ports connected to OSCM OSC ports or OSC-CSM LINE ports • OPT-AMP (BST) LINE ports connected to the span • OPT-AMP (BST) COM-TX ports connected to OPT-AMP (PRE)/OPT-PRE COM-RX ports • OPT-AMP (PRE)/OPT-PRE LINE-TX/COM-TX port connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM-RX port in a ROADM node) • OPT-AMP (BST) COM-RX port connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM-TX port in a ROADM node) C OSC-CSM <-> OPT-PRE/OPT-AMP(OPT-PRE mode) • OSC-CSM LINE ports connected to the span • OSC-CSM COM-TX ports connected to OPT-AMP COM-RX ports • OPT-AMP(PRE)/OPT-PRE LINE-TX/COM-TX port connected to the next stage (for example, 40-WSS-C/40-WSS-CE COM-RX ports in ROADM) • OSC-CSM COM-RX port connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM-TX port in a ROADM node) D OPT-BST • OPT-BST OSC ports connected to OSCM OSC ports or OSC-CSM LINE ports • OPT-BST LINE ports connected to the span • OPT-BST COM ports connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM port in a ROADM node) 11-47 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides 11.5.1.2 A/D Stage The A/D stage includes DWDM cards that can add and drop traffic. The A/D stage is divided into three node types: • Mesh nodes—ONS 15454 nodes configured in multishelf mode can connect to eight different sides. For more detail on mesh node, see 11.6 Configuring Mesh DWDM Networks, page 11-53. • Legacy—Half of a ROADM node or an OADM node with cascaded AD-xB-xx-x or AD-xC-xx.x cards • Non-A/D—A line node or a side that does not have A/D capability is included in the A/D stage Stages are built by active cards and patchcords. However, the interconnecting sides are completed by the mesh patch panels (four-degree patch panel or eight-degree patch panel) in mesh nodes, or by patchcords connected to EXP-RX/EXP-TX ports in legacy nodes. 11.5.2 Side Line Ports Side line ports are ports that are physically connected to the spans. Side line ports can be: • All ports terminating the fiber stage and physically labeled as LINE, such as ports on the following cards: – Booster amplifier (OPT-BST, OPT-BST-E, or OPT-BST-L cards, and the OPT-AMP-C, OPT-AMP-L, or OPT-AMP-17-C cards when provisioned in OPT-LINE mode) – OSC-CSM – OPT-RAMP-C • All ports that can be physically connected to the external span using DCN terminations, such as: – Booster amplifier LINE-RX and LINE-TX ports – OSC-CSM LINE-RX and LINE-TX ports – 40-WXC-C COM-RX and COM-TX ports – MMU EXP-A-RX and EXP-A-TX ports • All ports that can be physically connected to the external span using DCN terminations in a line node, such as: E OPT-AMP (OPT-BST mode) • OPT-AMP OSC ports connected to OSCM OSC ports or OSC-CSM LINE ports • OPT-AMP LINE ports connected to the span • OPT-AMP COM ports connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM port in a ROADM node) F OSC-CSM • OSC-CSM LINE ports connected to the span • OSC-CSM COM ports connected to the next stage (for example, a 40-WSS-C/40-WSS-CE COM port in a ROADM node) Table 11-1 Supported Fiber Stage Configurations (continued) Layout Cards Configurations11-48 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides – Preamplifier (OPT-PRE card and the OPT-AMP-C, OPT-AMP-L, or OPT-AMP-17-C cards when provisioned in OPT-PRE mode) COM-RX and COM-TX ports – Booster amplifier COM-TX port – OSC-CSM COM-TX port • All ports that can be physically connected to the external span using DCN terminations in a 40-channel MUX/DMX terminal node, such as: – 40-MUX-C COM-TX port – 40-DMX-C COM-RX port • All ports that can be physically connected to the external span when PSM cards implement line protection: – PSM W-TX and W-RX ports – PSM P-TX and P-RX ports Note PSM card will support two sides A(w) and A(p). 11.5.3 Optical Side Configurations You can use the following Side IDs depending on the type of node layout: • In legacy nodes (that is, a node with no provisioned or installed 40-WXC-C cards), the permissible Side IDs are only A and B. • In four-degree mesh nodes with four or less 40-WXC-C cards installed, the permissible Side IDs are A, B, C, and D. • In eight-degree mesh nodes with eight or less 40-WXC-C cards installed, the allowed Side IDs are A, B, C, D, E, F, G, and H. The system automatically assigns Side IDs when you import the CTP XML configuration file into CTC. You can create a side manually using CTC or TL1 if the following conditions are met: • You use a permissible side identifier, A through H. • The shelf contains a TX and an RX side line port (see the “11.5.2 Side Line Ports” section on page 11-47). • The side line ports are not connected to an internal patchcord. Note We do not recommend that you manually create or modify ONS 15454 optical sides. The following tables show examples of how the system automatically assigns Side IDs for common DWDM layouts. Table 11-2 shows a standard ROADM shelf with Sides A and B provisioned. The shelf is connected to seven shelves containing TXP, MXP, ADM-10G, GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards.11-49 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides Table 11-3 shows a protected ROADM shelf. In this example, Side A and B are Slots 1 through 6 in Shelves 1 and 2. 40-WSS-C/40-WSS-CE/40-DMX-C or 40-WSS-CE/40-DMX-CE cards are installed in Sides A and B. Slots 12 through 17 in Shelves 1 and 2 contain TXP, MXP, ADM-10G, GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards. Table 11-4 shows a four-degree mesh node. Side A is Shelf 1, Slots 1 through 6. Side B and C are Shelf 2, Slots 1 through 6 and 12 through 17, and Side D is Shelf 3, Slots 1 through 6. 40-WXC-C cards in line termination mode are installed in Sides A through D. Table 11-2 Multishelf ROADM Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WSS+DMX A WSS+DMX B 2 TXP/MXP — TXP/MXP — 3 TXP/MXP — TXP/MXP — 4 TXP/MXP — TXP/MXP — 5 TXP/MXP — TXP/MXP — 6 TXP/MXP — TXP/MXP — 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP — Table 11-3 Multishelf Protected ROADM Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WSS+DMX A TXP/MXP — 2 WSS+DMX B TXP/MXP — 3 TXP/MXP n/a TXP/MXP — 4 TXP/MXP n/a TXP/MXP — 5 TXP/MXP n/a TXP/MXP — 6 TXP/MXP n/a TXP/MXP — 7 TXP/MXP n/a TXP/MXP — 8 TXP/MXP n/a TXP/MXP — Table 11-4 Multishelf Four-Degree Mesh Node Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 WXC Line Termination B WXC Line Termination C 3 WXC Line Termination D TXP/MXP — 4 TXP/MXP n/a TXP/MXP —11-50 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides Table 11-5 shows a protected four-degree mesh node example. In the example, Sides A through D are assigned to Slots 1 through 6 in Shelves 1 through 4. Table 11-6 shows a protected four-degree mesh node example. In the example, Sides A through D are assigned to Slots 1 through 4 in Shelves 1 through 4, and TXP, MXP, ADM-10G, GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards are installed in Shelves 1 through 4, Slots 12-17, and Shelves 5 through 8, Slots 1 through 6 and 12 through 17. 5 TXP/MXP n/a TXP/MXP — 6 TXP/MXP n/a TXP/MXP — 7 TXP/MXP n/a TXP/MXP — 8 TXP/MXP n/a TXP/MXP — Table 11-4 Multishelf Four-Degree Mesh Node Layout Example (continued) Shelf Slots 1–6 Side Slots 12–17 Side Table 11-5 Multishelf Four-Degree Protected Mesh Node Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 WXC Line Termination B TXP/MXP — 3 WXC Line Termination C TXP/MXP — 4 WXC Line Termination D TXP/MXP — 5 TXP/MXP — TXP/MXP — 6 TXP/MXP — TXP/MXP — 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP — Table 11-6 Multishelf Four-Degree Protected Mesh Node Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 WXC Line Termination B TXP/MXP — 3 WXC Line Termination C TXP/MXP — 4 WXC Line Termination D TXP/MXP — 5 TXP/MXP — TXP/MXP — 6 TXP/MXP — TXP/MXP —11-51 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides Table 11-7 shows a four-degree mesh node provisioned as an upgrade. In the example, Sides A through D are assigned to Slots 1 through 4. and 12 through 17 in Shelves 1and 2. 40-WXC-C cards in XC termination mode are installed in Sides A and B, and 40-WXC-C cards in line termination mode are installed in Sides C and D. Table 11-8 shows an eight-degree mesh node. In the example, Sides A through H are assigned to Slots 1 through 6 in Shelf 1, Slots 1 through 6 and 12 through 17 in Shelves 2 through 4, and Slots 1 through 6 in Shelf 5. 40-WXC-C cards in line termination mode are installed in Sides A through H. 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP — Table 11-6 Multishelf Four-Degree Protected Mesh Node Layout Example (continued) Shelf Slots 1–6 Side Slots 12–17 Side Table 11-7 Multishelf Four-Degree Mesh Node Upgrade Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC XC Termination A WXC XC Termination B 2 WXC Line Termination C WXC Line Termination D 3 TXP/MXP — TXP/MXP — 4 TXP/MXP — TXP/MXP — 5 TXP/MXP — TXP/MXP — 6 TXP/MXP — TXP/MXP — 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP — Table 11-8 Multishelf Eight-Degree Mesh Node Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 WXC Line Termination B WXC Line Termination C 3 WXC Line Termination D WXC Line Termination E 4 WXC Line Termination F WXC Line Termination G 5 WXC Line Termination H TXP/MXP — 6 TXP/MXP — TXP/MXP — 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP —11-52 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Optical Sides Table 11-9 shows another eight-degree mesh node. In the example, Sides A through H are assigned to Slots 1 through 6 in all shelves (Shelves 1 through 8). 40-WXC-C cards in line termination mode are installed in Sides A through H. Table 11-10 shows a four-degree mesh node with a user-defined side. Because the software assigns sides consecutively, and because the mesh node is four-degrees, the side assigned to Shelf 5, Slots 1 through 6 is “Unknown.” Table 11-9 Multishelf Four-Degree Mesh Node Upgrade Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 WXC Line Termination B TXP/MXP — 3 WXC Line Termination C TXP/MXP — 4 WXC Line Termination D TXP/MXP — 5 WXC Line Termination E TXP/MXP — 6 WXC Line Termination F TXP/MXP — 7 WXC Line Termination G TXP/MXP — 8 WXC Line Termination H TXP/MXP — Table 11-10 Multishelf Four-Degree Mesh Node User-Defined Layout Example Shelf Slots 1–6 Side Slots 12–17 Side 1 WXC Line Termination A TXP/MXP — 2 TXP/MXP — WXC Line Termination C 1 1. User-defined 3 WXC Line Termination D TXP/MXP — 4 TXP/MXP — TXP/MXP — 5 WXC Line Termination U 2 2. Unknown TXP/MXP — 6 TXP/MXP — TXP/MXP — 7 TXP/MXP — TXP/MXP — 8 TXP/MXP — TXP/MXP —11-53 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks 11.6 Configuring Mesh DWDM Networks ONS 15454 shelves can be configured in mesh DWDM networks using the 40-WXC-C or 80-WXC-C wavelength cross-connect cards and four-degree patch panel or eight-degree patch panels. Mesh DWDM networks can also be configured using the 40-SMR2-C cards and the four-degree patch panel. ONS 15454 DWDM mesh configurations can be up to four degrees (four optical directions) when the four-degree patch panel is installed, and up to eight degrees (eight optical directions) when the eight-degree patch panel is installed. Two mesh node types are available, the line termination mesh node and the cross-connect (XC) termination mesh node. Note Mesh nodes using the 40-WXC-C or 80-WXC-C card requires multishelf management. 11.6.1 Line Termination Mesh Node Using 40-WXC-C Cards The line termination mesh node is installed in native Software Release 9.2 mesh networks. Line termination mesh nodes can support between one and eight line terminations. Each line direction requires the following cards: 40-WXC-C, 40-MUX-C, 40-DMX-C or 40-DMX-CE, a preamplifier and a booster. Within this configuration, the following substitutions can be used: • The 40-MUX-C cards can be replaced with 40-WSS-C/40-WSS-CE cards. • The OPT-BST cards can be replaced with OPT-AMP-17-C (in OPT-BST mode) and/or OPT-BST-E cards. • The OPT-PRE can be replaced with an OPT-AMP-17-C (in OPT-LINE mode) card. Each side of the line termination mesh node is connected as follows: • The 40-WXC-C COM-RX port is connected to the preamplifier output port. • The 40-WXC-C COM-TX port is connected to the booster amplifier COM-RX port. • The 40-WXC-C DROP TX port is connected to the 40-DMX-C or 40-DMX-CE COM-RX port. • The 40-WXC-C ADD-RX port is connected to the 40-MUX-C COM-TX port. • The 40-WXC-C EXP-TX port is connected to the mesh patch panel. • The 40-WXC-C EXP-RX port is connected to the mesh patch panel. Figure 11-42 shows one shelf from a line termination node.11-54 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-42 Line Termination Mesh Node Shelf Figure 11-43 shows a functional block diagram of one line termination side using 40-WXC-C and 40-MUX-C cards. OPT-BST OPT-PRE 40-WXC-C DCU-xxx Air ramp DCU-xxx 40-MUX-C 40-DMX-C TCC2/TCC2P/TCC3 OSCM AIC-I OSCM TCC2/TCC2P/TCC3 40-DMX-C 40-MUX-C 40-WXC-C OPT-PRE OPT-BST 24910111-55 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-43 Line Termination Mesh Node Side—40-MUX-C Cards Figure 11-44 shows a functional block diagram line termination side using 40-WXC-C and 40-WSS-C cards. 40WXC 40-DMX-C Drop Add to/from PP-MESH-4 or PP-MESH-8 OPT-PRE AMP-BST 159332 OSCM DCM 40-MUX-C 70/3011-56 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-44 Line Termination Mesh Node Side—40-WSS-C Cards Figure 11-45 shows a functional block diagram of a node that interconnects a ROADM with MMU cards with two native line termination mesh sides. 40-WXC-C 40-DMX-C Drop Add OPT-PRE AMP-BST 159333 OSCM DCM 40-WSS-C 70/30 70/30 to/from PP-MESH-4 or PP-MESH-811-57 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-45 Line Termination Mesh Nodes—ROADM With MMU Cards 159336 ADD OPT-PRE OPT-BST Line OSCM DCM xxWSS MMU 70/30 xxDMX DROP xxDMX DROP 40-DMX-C DROP 40-DMX-C DROP 40-MUX-C ADD 40-MUX-C ADD ADD OPT-BST Line DCN Extension OSCM TCC TCC OPT-PRE DCM xxWSS MMU 70/30 OPT-PRE OPT-BST Line OSCM DCM OPT-BST Line OSCM OPT-PRE DCM 40-WXC-C Node A Node B 40-WXC-C 40-WXC-C AMP-17-C PP-MESH-4 AMP-17-C 70/30 40-WXC-C 70/3011-58 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks 11.6.1.1 40-Channel Omni-directional n-degree ROADM Node Any side in the line termination mesh node can be configured as an omni-directional side. The side that is configured as the omni-directional side is connected to a local multiplexer and demultiplexer that can add or drop traffic to or from any of the node directions. In Figure 11-46 side D is configured as the omni-directional side. Wavelengths from the local multiplexer on side D is routed to sides A, B, or C by the patch panel. Wavelengths from sides A, B, or C can be dropped on side D. The maximum number of omni-directional channels is 40. Figure 11-46 40-Channel Omni-directional Four-Degree ROADM Node 11.6.1.2 40-Channel Colorless n-Degree ROADM Node Any side in the line termination mesh node can be configured as a colorless side where any wavelength can be added or dropped. The side that is configured as the colorless side is connected to two 80-WXC-C cards configured as a multiplexer and demultiplexer respectively. In Figure 11-47 side D is configured as the colorless side. The 80-WXC-C cards are connected to the add and drop ports of the 40-WXC-C cards and function as a colorless multiplexer and demultiplexer. A combination of wavelengths from any of the nine ports is sent to the common output port of the 80-WXC-C card (multiplexer) that is connected to the 40-WXC-C card. The wavelengths entering the 40-WXC-C card are sent to the common input port of the 80-WXC-C card (demultiplexer) and dropped at any of the nine output ports. 40-WXC-C 40-WXC-C 40-WXC-C 40-WXC-C PP-MESH-4 248859 A C D B P P DMX MUX11-59 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-47 40-Channel Colorless Four-Degree ROADM Node 11.6.1.3 40-Channel Colorless and Omni-directional n-Degree ROADM Node Any side in the line termination mesh node can be configured as a colorless and omni-directional side. The side that is configured as the colorless and omni-directional side is connected to a multiplexer (80-WXC-C) and demultiplexer (80-WXC-C) that can add or drop traffic to or from any of the node directions. Figure 11-48 shows the layout of a 40-channel n-degree ROADM node with colorless and omni-directional side. Colorless side 40-WXC-C 40-WXC-C 40-WXC-C 40-WXC-C 80-WXC-C 80-WXC-C PP-MESH-4 248856 A C D B11-60 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-48 40-Channel n-Degree ROADM Node with Colorless and Omni-directional Side In Figure 11-49 side D is configured as the colorless and omni-directional side. A combination of wavelengths from any of the nine ports is sent to the common output port of the 80-WXC-C card (multiplexer) and then routed to the preamplifier. The preamplifier sends the wavelengths to the 40-WXC-C card that is connected to the patch panel. The patch panel routes the wavelengths to sides A, B, or C. Wavelengths from sides A, B, or C are dropped on side D. The incoming wavelengths from the 40-WXC-C card are sent to the preamplifier. The preamplifer amplifies the signal and sends it to the common input port of the 80-WXC-C card (demultiplexer). The wavelengths are then dropped at any of the nine output ports. 248876 DCM-xxx Air ramp DCM-xxx TCC2P Available Available Available Available Preamplifier Preamplifier 8 Empty AIC-I Empty TCC2P 0-WXC-C 80-WXC-C 40-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray11-61 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-49 40-Channel Colorless and Omni-directional Four-Degree ROADM Node 11.6.2 Line Termination Mesh Node Using 80-WXC-C Cards Line termination mesh nodes using 80- WXC-C cards can support between one and eight line terminations. Each line direction requires the following units: 80-WXC-C, 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD, and 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN, 15216-MD-ID-50 or 15216-MD-48-CM, a preamplifier, and a booster. • The OPT-BST cards can be replaced with OPT-AMP-17-C (in OPT-BST mode) or OPT-BST-E cards. • The OPT-PRE can be replaced with an OPT-AMP-17-C (in OPT-LINE mode) card. Each side of the line termination mesh node is connected as follows: • The 80-WXC-C COM-RX port is connected to the preamplifier output port. • The 80-WXC-C COM port is connected to the booster amplifier COM-RX port. • The 80-WXC-C DROP TX port is connected to the COM-RX (ODD+EVEN-RX) port of 15216-MD-ID-50 or 15216-MD-48-CM. The ODD-TX port of the 15216-MD-ID-50 or 15216-MD-48-CM is connected to the COM-RX port of 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD; and the EVEN-TX port of the 15216-MD-ID-50 or 15216-MD-48-CM is connected to the COM-RX port of 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN. • The 80-WXC-C AD port is connected to the COM-TX (ODD+EVEN-TX) port of 15216-MD-ID-50 or 15216-MD-48-CM. The ODD-RX port of the 15216-MD-ID-50 or 15216-MD-48-CM is connected to the COM-TX port of 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD; and the EVEN-RX port of the 15216-MD-ID-50 or 15216-MD-48-CM is connected to the COM-TX port of 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN. 80-WXC-C 40-WXC-C 40-WXC-C 40-WXC-C 40-WXC-C 80-WXC-C PP-MESH-4 248857 A C D B P P11-62 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks • The 80-WXC-C EXP-TX port is connected to the mesh patch panel. Figure 11-50 shows the layout for a line termination node. Figure 11-50 Line Termination Node Figure 11-51 shows the functional block diagram of a four-degree line termination mesh node using 80-WXC-C, 15216-MD-40-ODD, 15216-EF-40-ODD, 15216-MD-48-ODD, 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN. All the 80-WXC-C cards are in bidirectional mode. Wavelengths entering from side(i) can be routed to any of the other n-1 sides where n is defined by the PP MESH type. 248881 Booster Preamplifier DCM-xxx Air ramp DCM-xxx TCC2P Available Available Preamplifier Booster Available Available OSCM OSCM 8 AIC-I TCC2P 0-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray 15216 Odd Patch Panel 15216 Odd Patch Panel 15216 Even Patch Panel 15216 Even Patch Panel PP-MESH-4 1 1 2 2 1 15216-MD-40-EVEN, 15216-EF-40-EVEN, or 15216-MD-48-EVEN patch panel 2 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-63 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-51 Four-Degree Line Termination Mesh Node Functional Diagram 11.6.2.1 80-Channel Omni-directional n-degree ROADM Node Any side in the line termination mesh node can be configured as a omni-directional side. The side that is configured as the omni-directional side is connected to a local multiplexer and demultiplexer that can add or drop traffic to or from any of the node directions. In Figure 11-52, side D is configured as the omni-directional side. Wavelengths from the local multiplexer on side D are routed to sides A, B, or C by the patch panel. Wavelengths from sides A, B, or C are dropped on side D. 248880 PP-MESH-4 80-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C A C D B11-64 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-52 80-Channel Omni-directional Four-Degree ROADM Node 11.6.2.2 80-Channel Colorless n-degree ROADM Node Any side in the line termination mesh node can be configured as a colorless side where any wavelength can be added or dropped. The side that is configured as the colorless side is connected to two 80-WXC-C cards configured as a multiplexer and demultiplexer respectively. In Figure 11-53, side D is configured as the colorless side. The 80-WXC-C cards are connected to the add and drop ports of the 80-WXC-C cards as a colorless multiplexer and demultiplexer. A combination of wavelengths from any of the nine ports is sent to the common output port of the 80-WXC-C card (multiplexer) that is connected to the 80-WXC-C card. The wavelengths entering the 80-WXC-C card is passed to the common input port of the 80-WXC-C card (demultiplexer) and dropped at any of the nine output ports. 248864 DMX MUX 80-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C PP-MESH-4 A C D B P P11-65 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-53 80-Channel Colorless Four-Degree ROADM Node 11.6.2.3 80-Channel Colorless and Omni-directional n-Degree ROADM Node Any side in the line termination mesh node can be configured as a colorless and omni-directional side. The side that is configured as the colorless and omni-directional side is connected to a multiplexer (80-WXC-C) and demultiplexer (80-WXC-C) that can add or drop traffic to or from any of the node directions. Figure 11-54 shows the layout of a 80-channel n-degree ROADM node with colorless and omnidirectional side. 249086 PP-MESH-4 80-WXC-C 80-WXC-C 80-WXC-C Colorless side 80-WXC-C 80-WXC-C 80-WXC-C A C D B11-66 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-54 80-Channel n-degree ROADM Node with Colorless and Omnidirectional Side In Figure 11-55 side D is configured as the colorless and omni-directional side. A combination of wavelengths from any of the nine ports is sent to the common output port of the 80-WXC-C card (multiplexer) and is then routed to the preamplifier. The preamplifier sends the wavelengths to the 80-WXC-C card that is connected to the patch panel. The patch panel routes the wavelengths to sides A, B, or C. Wavelengths from sides A, B, or C can be dropped on side D. The incoming wavelengths from the 80-WXC-C card are sent to the preamplifier. The preamplifer amplifies the signal and sends it to the common input port of the 80-WXC-C card (demultiplexer). The wavelengths are then dropped at any of the nine output ports. 248875 DCM-xxx Air ramp DCM-xxx TCC2P Available Available Available Available Preamplifier Preamplifier OSCM OSCM 8 AIC-I TCC2P 0-WXC-C 80-WXC-C 80-WXC-C Fiber routing panel 1 2 3 4567 8 9 10 11 12 13 14 15 16 17 Fan tray11-67 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-55 80-Channel Colorless and Omni-directional Four-Degree ROADM Node 11.6.3 Line Termination Mesh Node Using 40-SMR2-C Cards Line termination mesh nodes using the 40-SMR2-C cards can support between one and four line terminations. Each line direction requires the 40-SMR2-C and 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD cards. Although it is recommended that you use the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD card along with the 40-SMR2-C card, you can alternatively use the 40-MUX-C and 40-DMX-C cards instead of the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD card. Each side of the line termination mesh node is connected as follows: • The 40-SMR2-C LINE-RX port is connected to the external line. • The 40-SMR2-C LINE-TX port is connected to the external line. • The 40-SMR2-C DROP TX port is connected to the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (or 40-DMX-C) COM-RX port. • The 40-SMR2-C ADD-RX port is connected to the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (or 40-DMX-C) COM-TX port. • The 40-SMR2-C EXP-TX port is connected to the mesh patch panel. • The 40-SMR2-C EXPi-RX (where i = 1, 2, 3) port is connected to the mesh patch panel. Figure 11-56 shows the layout for a line termination node. PP-MESH-4 248862 A C D B P P 80-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C 80-WXC-C11-68 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-56 Line Termination Mesh Node Shelf Figure 11-57 shows the functional block diagram of a four-degree line termination mesh node using 40-SMR2-C, 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD, and 15454-PP-4-SMR patch panel. 276455 40-SMR2-C 40-SMR2-C DCM-xxx DCM-xxx Av TCC2 ailable OSC-CSM Available Available OSC-CSM 40-SMR2-C 40-SMR2-C Available OSCM OSCM M AIC-I TCC2 S-ISC MS-ISC Fibre Routing Panel 15216 Odd Patch Panel 15216 Odd Patch Panel 15216 Odd Patch Panel 15216 Odd Patch Panel 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Air Ramp Fan Tray 1 1 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD patch panel11-69 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-57 Four-Degree Line Termination Mesh Node Functional Diagram 11.6.4 XC Termination Mesh Node The XC termination mesh node, shown in Figure 11-58, is the second mesh node type. It is used to upgrade a non-mesh node to a mesh node or to interconnect two non-mesh nodes. The XC termination mesh nodes contain the following cards: • 40-WXC-C cards • OPT-AMP-17-C cards configured in OPT-PRE mode The XC termination mesh node is connected as follows: • The 40-WXC-C COM-RX port is connected to the MMU EXP-A-TX port. • The 40-WXC-C COM-TX port is connected to the MMU EXP-A-RX port. • The 40-WXC-C EXP-TX port is connected to the OPT-AMP-17-C COM-RX port. • The 40-WXC-C EXP-RX port is connected to the OPT-AMP-17-C COM-TX port. • The 40-WXC-C EXP-TX port is connected to the mesh patch panel. • The 40-WXC-C EXP-RX port is connected to the mesh patch panel. 276461 40-SMR2-C 40-SMR2-C 40-SMR2-C 40-SMR2-C 15454-PP-4-SMR MUX DDMUX DCU MUX MUX DCU MUX DDMUX DCU MUX MUX DCU 3 4 1 211-70 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-58 XC Termination Mesh Node Shelf 11.6.5 Mesh Patch Panels and Shelf Layouts ONS 15454 mesh topologies require the installation of a four-degree patch panel, PP-MESH-4 (for 40-WXC-C cards) or 15454-PP-4-SMR (for 40-SMR2-C cards) or an eight-degree patch panel, PP-MESH-8 (for 40-WXC-C cards). If the four-degree patch panel is installed, mesh topologies of up to four degrees can be created. If the eight-degree patch panel is installed, mesh topologies of up to eight degrees can be created. The four-degree patch panel contains four 1x4 optical splitters, and the eight-degree patch panel contains eight 1x8 splitters. Each mesh patch panel contains a 2x8 splitter that is used for the test access transmit and receive ports. Figure 11-59 shows a block diagram for the PP-MESH-4 patch panel. OPT-AMP-xx OPT-AMP-xx 40-WXC-C 40-WXC-C 40-WXC-C DCU-xxx Air ramp DCU-xxx TCC2 Blank Blank Blank TCC2 40-WXC-C OPT-AMP-xx OPT-AMP-xx 15970011-71 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-59 PP-MESH-4 Patch Panel Block Diagram At the mesh patch panel, the signal is split into four signals (if a four-degree patch panel is used) or eight signals (if an eight-degree patch panel is used). Figure 11-60 shows the signal flow at the four-degree PP-MESH-4 patch panel. 40-WXC-C cards connect to the four-degree patch panel at the EXP TX and COM RX ports. Figure 11-60 PP-MESH-4 Patch Panel Signal Flow 159335 EXP TX to all directions COM RX from all directions Test Access TX Ports Test Access RX Port 2x4 splitter #4 1x4 splitters LC connector MPO connector 159334 40-WXC-C Test Access RX Port Test Access TX Ports PP-MESH-4 EXP TX COM RX 40-WXC-C EXP TX COM RX 40-WXC-C EXP TX COM RX 40-WXC-C EXP TX COM RX11-72 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks The mesh patch panels interconnect 40-WXC-C cards to create mesh networks, including four-degree and eight-degree mesh topologies. In addition, shelves with 40-WXC-C cards can be configured with mesh patch panels to create multiring, MMU-based mesh nodes. 40-WXC-C cards can be installed in ROADM nodes with MMU cards to upgrade a two-degree MMU-based ROADM node into four-degree or eight-degree mesh nodes. Figure 11-61 shows the block diagram of the four-degree 15454-PP-4-SMR patch panel connected to one 40-SMR2-C card. The 40-SMR2-C cards connect to the 15454-PP-4-SMR patch panel at the EXP RX ports. Figure 11-61 15454-PP-4-SMR Patch Panel Block Diagram You can use the 15454-PP-4-SMR patch panel to connect upto four 40-SMR2-C cards in a four-degree mesh node. The optical splitters inside the patch panel forward the output signal (EXP-TX port) of the 40-SMR2-C card on each side of the mesh node to the input port of the 40-SMR2-C cards on the other three sides of the mesh node. The 4x1 WXC block inside the 40-SMR2-C card selects which wavelength from which side must be propagated at the output of each side. Figure 11-60 shows the signal flow at the four-degree 15454-PP-4-SMR patch panel. 40-SMR2-C cards connect to the four-degree patch panel at the EXP-TX and EXP-RX ports. 276456 OSC-TX DC-TX DC-RX DROP-TX OSC-RX ADD-RX 6 ports OCM Block LINE TX LINE RX MONTX EXP-D EXP-B EXP-C EDFA 1 (Variable Gain) EDFA 2 (Fixed Gain) 30% 70% OSC DROP PD2 PD3 PD4 TAP TAP PD5 TAP PD8 PD7 OSC ADD TAP TAP TAP TAP PD6 4x1 WXC Block PD1 TAP TAP In D C B A In D C B A In C B A D In B A D C 4x PP 1x4 1x4 1x4 1x4 EXP-A11-73 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Configuring Mesh DWDM Networks Figure 11-62 15454-PP-4-SMR Patch Panel Signal Flow 11.6.6 Using a Mesh Node With Omni-Directional Add/Drop Section Normally, multidegree mesh node use four or eight 40-WXC-C cards and a four-degree or eight-degree patch panel. Each of the 40-WXC-C cards uses a 40-MUX-C card to add wavelengths going to the span and a 40-DMX-C card to drop wavelengths coming in from the span. The 40-MUX-C and 40-DMX-C cards are connected to only one of the node directions. These cards can add/drop traffic only to/from the side that is associated to the 40-WXC-C card. The omni-directional configuration allows you to install a local multiplexer/demultiplexer that can add/drop traffic to/from any of the node directions. Figure 11-63 shows an example of how to set up a omni-directional add/drop configuration. By setting up a NE as shown in the figure, it is possible to connect the transmit ports of TXP or MXP cards to a 40-MUX-C card and then connect the output of the 40-MUX-C card to an OPT-BST card. The OPT-BST card then connects to a preferred 40-WXC-C card in the four-degree or eight-degree ROADM node (40-WXC-C connected to port 4 of PP-MESH-4, as shown in the figure). The patch panel splits the traffic coming from the OPT-BST card in all the node directions, through the software configuration. The wavelengths entering the 40-WXC-C cards (ports 1, 2, and 3) can be selectively sent out in any desired outbound direction. In the inbound direction, the patch panel on the preferred 40-WXC-C card, splits any of the wavelengths entering the NE through the 40-WXC-C cards (ports 1, 2, and 3). Through the software configuration, the wavelength can be passed to an OPT-PRE card or stopped. This whole configuration can be managed using a single IP address An example of using a mesh node for omni-directional add/drop section is shown in Figure 11-63. 276457 40-SMR2-C Test Access RX Port Test Access TX Ports EXP A EXP B EXP C EXP D 40-SMR2-C 40-SMR2-C 40-SMR2-C 15454-PP-4-SMR 11-74 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-63 Mesh Node With Omni-Directional Add/Drop Section 11.7 DWDM Node Cabling DWDM node cabling is specified by the Cisco TransportPlanner Internal Connections table. The following sections provide examples of the cabling that you will typically install for common DWDM node types. Note The cabling illustrations shown in the following sections are examples. Always install fiber-optic cables based on the Cisco TransportPlanner Internal Connections table for your site. 11.7.1 OSC Link Termination Fiber-Optic Cabling OSC link termination cabling include the following characteristics: • The OPT-BST and OSC-CSM cards are the only cards that directly interface with the line (span) fiber. • The OSCM card only carries optical service channels, not DWDM channels. • The OSCM and OSC-CSM cards cannot both be installed on the same side of the shelf (Side B or Side A). You can have different cards on each side, for example an OSCM card on Side A and an OSC-CSM card on Side B.11-75 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling • When an OPT-BST card and an OSC-CSM card are both used on the same side of the node, the OPT-BST card combines the supervision channel with the DWDM channels and the OSC-CSM card acts as an OSCM card; it does not carry DWDM traffic. • If an OPT-BST and an OSCM card are installed on Side B, the Side B OPT-BST OSC RX port is connected to the Side B OSCM TX port, and the Side B OPT-BST OSC TX port is connected to the Side B OSCM RX port. • If an OPT-BST and an OSC-CSM card are installed on Side B, the Side B OPT-BST OSC RX port is connected to the Side B OSC-CSM LINE TX port, and the Side B OPT-BST OSC TX port is connected to the Side B OSC-CSM LINE RX port. • If an OPT-BST and an OSCM card are installed on Side A, the Side A OPT-BST OSC TX port is connected to the Side A OSCM RX port, and the Side A OPT-BST OSC RX port is connected to the Side A OSCM TX port. • If an OPT-BST and an OSC-CSM card are installed on Side A, the Side A OPT-BST OSC TX port is connected to the Side A OSC-CSM LINE RX port, and the Side A OPT-BST OSC RX port is connected to the Side A OSC-CSM LINE TX port. Figure 11-64 shows an example of OSC fibering for a hub node with OSCM cards installed.11-76 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-64 Fibering OSC Terminations—Hub Node with OSCM Cards 1 Side A OPT-BST LINE RX to Side B OPT-BST or OSC-CSM LINE TX on adjacent node 5 Side B OSCM TX to Side B OPT-BST OSC RX 115710 DCU-xxx West DCU-xxx East FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS OPT AIC BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OSCM FAIL ACT SF UC RX TX OSCM FAIL ACT SF UC RX TX 32DMX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 TX 54.1 - 58.1 RX COM 32DMX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 TX 54.1 - 58.1 RX COM 32MUX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 RX 54.1 - 58.1 TX COM MON 32MUX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 RX 54.1 - 58.1 TX COM MON TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT RX TX RX TX 1 2 7 8 3 4 5 6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-77 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling 11.7.2 Hub Node Fiber-Optic Cabling The following rules generally apply to hub node cabling: • The Side A OPT-BST or OSC-CSM card common (COM) TX port is connected to the Side A OPT-PRE COM RX port or the Side A 32DMX-O/40-DMX-C/40-DMX-CE COM RX port. • The Side A OPT-PRE COM TX port is connected to the Side A 32DMX-O/40-DMX-C/40-DMX-CE COM RX port. • The Side A 32MUX-O/32WSS/32WSS-L COM TX port is connected to the Side A OPT-BST or Side A OSC-CSM COM RX port. • The Side B 32MUX-O/32WSS/32WSS-L COM TX port is connected to the Side B OPT-BST or Side B OSC-CSM COM RX port. • The Side B OPT-BST or Side B OSC-CSM COM TX port is connected to the Side B OPT-PRE COM RX port or the Side B 32DMX-O/32DMX COM RX port. • The Side B OPT-PRE COM TX port is connected to the Side B 32DMX-O/32DMX COM RX port. Figure 11-65 shows an example of a hub node with cabling. In the example, OSCM cards are installed. If OSC-CSM cards are installed, they are usually installed in Slots 1 and 17. 2 Side A OPT-BST LINE TX to Side B OPT-BST or OSC-CSM LINE RX on adjacent node 6 Side B OSCM RX to Side B OPT-BST OSC TX 3 Side A OPT-BST OSC TX to Side A OSCM RX 7 Side B OPT-BST LINE TX to Side A OPT-BST or OSC-CSM LINE RX on adjacent node 4 Side A OPT-BST OSC RX to Side A OSCM TX 8 Side B OPT-BST LINE RX to Side A OPT-BST or OSC-CSM LINE TX on adjacent node11-78 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-65 Fibering a Hub Node 1 Side A DCU TX to Side A OPT-PRE DC RX1 6 Side B 32DMX-O COM RX to Side B OPT-PRE COM TX 2 Side A DCU RX to Side A OPT-PRE DC TX1 7 Side B 32MUX-O COM TX to Side B OPT-BST COM RX 115422 DCU-xxx West DCU-xxx East FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS OPT AIC BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OSCM FAIL ACT SF UC RX TX OSCM FAIL ACT SF UC RX TX 32DMX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 TX 54.1 - 58.1 RX COM 32DMX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 TX 54.1 - 58.1 RX COM 32MUX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 RX 54.1 - 58.1 TX COM MON 32MUX-0 FAIL ACT SF 30.3 - 34.2 38.1 - 42.1 46.1 - 50.1 RX 54.1 - 58.1 TX COM MON TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT RX TX RX TX 3 1 2 9 10 4 5 6 7 8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-79 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling 11.7.3 Terminal Node Fiber-Optic Cabling The following rules generally apply to terminal node cabling: • A terminal site has only one side (as compared to a hub node, which has two sides). The terminal side can be either Side B or Side A. • The terminal side OPT-BST or OSC-CSM card COM TX port is connected to the terminal side OPT-PRE COM RX port or the 32DMX-O/40-DMX-C/40-DMX-CE COM RX port. • The terminal side OPT-PRE COM TX port is connected to the terminal side 32DMX-O/40-DMX-C/40-DMX-CE COM RX port. • The terminal side 32MUX-O/40-MUX-C COM TX port is connected to the terminal side OPT-BST or OSC-CSM COM RX port. 11.7.4 Line Amplifier Node Fiber-Optic Cabling The following rules generally apply to line amplifier node cabling: • The line amplifier node layout allows all combinations of OPT-PRE and OPT-BST cards and allows you to use asymmetrical card choices in Side A-to-Side B and Side B-to-Side A configurations. For a given line direction, you can configure the four following possibilities: – Only preamplification (OPT-PRE) – Only booster amplification (OPT-BST) – Both preamplification and booster amplification (where a line amplifier node has amplification in at least one direction) – Neither preamplification nor booster amplification • If a Side A OPT-PRE card is installed: – The Side A OSC-CSM or OPT-BST COM TX is connected to the Side A OPT-PRE COM RX port. – The Side A OPT-PRE COM TX port is connected to the Side B OSC-CSM or OPT-BST COM RX port. • If a Side A OPT-PRE card is not installed, the Side A OSC-CSM or OPT-BST COM TX port is connected to the Side B OSC-CSM or OPT-BST COM RX port. • If a Side B OPT-PRE card is installed: – The Side B OSC-CSM or OPT-BST COM TX port is connected to the Side B OPT-PRE COM RX port. 3 Side A OPT-BST COM TX to Side A OPT-PRE COM RX 8 Side B OPT-PRE COM RX to Side B OPT-BST COM TX 4 Side A OPT-BST COM RX to Side A 32MUX-O COM TX 9 Side B DCU TX to Side B OPT-PRE DC RX1 5 Side A OPT-PRE COM TX to Side A 32DMX-O COM RX 10 Side B DCU RX to Side B OPT-PRE DC TX1 1. If a DCU is not installed, a 4-dB attenuator loop, +/– 1 dB must be installed between the OPT-PRE DC ports.11-80 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling – The Side B OPT-PRE COM TX port is connected to the Side A OSC-CSM or OPT-BST COM RX port. • If an Side B OPT-PRE card is not installed, the Side B OSC-CSM or OPT-BST COM TX port is connected to the Side A OSC-CSM or OPT-BST COM RX port. Figure 11-66 shows an example of a line amplifier node with cabling. Figure 11-66 Fibering a Line Amplifier Node 115423 DCU-xxx West DCU-xxx East FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS OPT AIC BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OSCM FAIL ACT SF UC RX TX OSCM FAIL ACT SF UC RX TX TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT RX TX RX TX 1 2 7 8 4 5 3 6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-81 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling 11.7.5 OSC Regeneration Node Fiber-Optic Cabling The following rules generally apply to OSC regeneration node cabling: • The Side A OSC-CSM COM TX port connects to the Side B OSC-CSM COM RX port. • The Side A OSC-CSM COM RX port connects to the Side B OSC-CSM COM TX port. • Slots 2 through 5 and 12 through 16 can be used for TXP and MXP cards. Figure 11-67 shows an example of an OSC regeneration node with cabling. 1 Side A DCU TX to Side A OPT-PRE DC RX1 1. If a DCU is not installed, a 4-dB attenuator loop, +/– 1 dB, must be installed between the OPT-PRE DC ports. 5 Side A OPT-BST COM RX to Side B OPT-PRE COM TX 2 Side A DCU RX to Side A OPT-PRE DC TX1 6 Side A OPT-BST COM RX to Side B OPT-PRE COM TX 3 Side A OPT-BST COM TX to Side A OPT-PRE COM RX 7 Side B DCU TX to Side B OPT-PRE DC RX1 4 Side A OPT-PRE COM TX to Side B OPT-BST COM RX 8 Side B DCU RX to Side B OPT-PRE DC TX111-82 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-67 Fibering an OSC Regeneration Node 115484 FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS TCC2 AIC FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT OSC CSM FAIL ACT SF UC RX MON TX RX COM TX RX LINE TX OSC CSM FAIL ACT SF UC RX MON TX RX COM TX RX LINE TX 1 2 5 6 3 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-83 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling 11.7.6 Amplified or Passive OADM Node Fiber-Optic Cabling The two sides of the OADM node do not need to be symmetrical. On each side, Cisco TransportPlanner can create one of the following four configurations: • OPT-BST and OPT-PRE • OSC-CSM and OPT-PRE • Only OSC-CSM • Only OPT-BST Note Amplified OADM nodes contain OPT-PRE cards and/or OPT-BST cards. Passive OADM nodes do not. Both contain add/drop channel or band cards. The following rules generally apply for OADM node express path cabled connections: • TX ports should only be connected to RX ports. • EXP ports are connected only to COM ports in between AD-xC-xx.x or AD-xB-xx.x cards that all belong to Side B (that is, they are daisy-chained). • EXP ports are connected only to COM ports in between AD-xC-xx.x or AD-xB-xx.x cards that all belong to Side A (that is, they are daisy-chained). • The EXP port of the last AD-xC-xx.x or AD-xB-xx.x card on Side A is connected to the EXP port of the first AD-xC-xx.x or AD-xB-xx.x card on Side B. • The OPT-BST COM RX port is connected to the nearest (in slot position) AD-xC-xx.x or AD-xB-xx.x COM TX port. • The OPT-PRE COM TX port is connected to the nearest (in slot position) AD-xC-xx.x or AD-xB-xx.x COM RX port. • If OADM cards are located in adjacent slots, the TCC2/TCC2P/TCC3/TNC/TSC card assumes that they are connected in a daisy-chain between the EXP ports and COM ports as noted previously. • The first Side A AD-xC-xx.x or AD-xB-xx.x card COM RX port is connected to the Side A OPT-PRE or OSC-CSM COM TX port. • The first Side A AD-xC-xx.x or AD-xB-xx.x card COM TX port is connected to the Side A OPT-BST or OSC-CSM COM RX port. • The first Side B AD-xC-xx.x or AD-xB-xx.x card COM RX port is connected to the Side B OPT-PRE or OSC-CSM COM TX port. 1 Side A OSC-CSM LINE RX to Side B OSC-CSM or OPT-BST LINE TX on adjacent node 4 Side A OSC-CSM COM RX to Side B OSC-CSM COM TX 2 Side A OSC-CSM LINE TX to Side B OSC-CSM or OPT-BST LINE RX on adjacent node 5 Side B OSC-CSM LINE RX to Side A OSC-CSM or OPT-BST LINE TX on adjacent node 3 Side A OSC-CSM COM TX to Side B OSC-CSM COM RX 6 Side B OSC-CSM LINE TX to Side A OSC-CSM or OPT-BST LINE RX on adjacent node11-84 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling • The first Side B AD-xC-xx.x or AD-xB-xx.x card COM TX port is connected to the Side B OPT-BST or OSC-CSM RX port. • If a Side A OPT-PRE is present, the Side A OPT-BST or OSC-CSM COM TX port is connected to the Side A OPT-PRE COM RX port. • If a Side B OPT-PRE is present, the Side B OPT-BST or OSC-CSM COM TX port is connected to the Side B OPT-PRE COM RX port. The following rules generally apply for OADM node add/drop path cabled connections: • AD-xB-xx.x add/drop (RX or TX) ports are only connected to the following ports: – 4MD-xx.x COM TX or 4MD-xx.x COM RX ports – Another AD-xB-xx.x add/drop port (a pass-through configuration) • An AD-xB-xx.x add/drop band port is only connected to a 4MD-xx.x card belonging to the same band. • For each specific AD-xB-xx.x card, the add and drop ports for that band card are connected to the COM TX and COM RX ports of the same 4MD-xx.x card. • The AD-xB-xx.x and 4MD-xx.x cards are located in the same side (the connected ports all have the same line direction). The following rules generally apply for OADM node pass-through path cabled connections: • Pass-through connections are only established between add and drop ports on the same band or channel and in the same line direction. • AD-xC-xx.x or AD-xB-xx.x add/drop ports must be connected to other AD-xC-xx.x or AD-xB-xx.x add/drop ports (as pass-through configurations). • Add (RX) ports must be connected to drop (TX) ports. • 4MD-xx.x client input/output ports must be connected to other 4MD-xx.x client input/output ports. • A Side A AD-xB-xx.x drop (TX) port is connected to the corresponding Side A 4MD-xx.x COM RX port. • A Side A AD-xB-xx.x add (RX) port is connected to the corresponding Side A 4MD-xx.x COM TX port. • An Side B AD-xB-xx.x drop (TX) port is connected to the corresponding Side B 4MD-xx.x COM RX port. • An Side B AD-xB-xx.x add (RX) port is connected to the corresponding Side B 4MD-xx.x COM TX port. Figure 11-68 shows an example of an amplified OADM node with AD-1C-xx.x cards installed. Note Figure 11-68 is an example. Always install fiber-optic cables based on the Cisco TransportPlanner Internal Connections table for your site.11-85 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-68 Fibering an Amplified OADM Node 1 Side A DCU TX to Side A OPT-PRE DC RX1 9 Side A AD-1C-xx.x EXP RX to Side B AD-1C-xx.x EXP TX 2 Side A DCU RX to Side A OPT-PRE DC TX1 10 Side B TXP_MR_2.5G DWDM RX to Side B AD-1C-xx.x (15xx.xx) TX 3 Side A OPT-BST COM TX to Side A OPT-PRE COM RX 11 Side B TXP_MR_2.5G DWDM TX to Side B AD-1C-xx.x (15xx.xx) RX 115424 DCU-xxx West DCU-xxx East OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DCC TX OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OSCM FAIL ACT SF UC RX TX TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT OSCM FAIL ACT SF UC RX TX TXP MR 2.5G FAIL ACT SF RX CLIENT DWDM TX RX TX TXP MR 2.5G FAIL ACT SF RX CLIENT DWDM TX RX TX RX TX RX TX AD-1C -XX.X FAIL ACT SF RX 15xx.xx TX RX EXP TX RX COM TX FAIL ACT SF RX 15xx.xx TX RX EXP TX RX COM TX AD-1C -XX.X FAIL ACT INPUT/OUTPUT AIC-I PWR A B ACC EOW LOW RING RING DCC-B DCC-A UDC-B UDC-A 1 2 4 5 13 12 15 16 3 14 6 7 10 11 8 9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-86 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-69 shows an example of a passive OADM node with two AD-1C-xx.x cards installed. 4 Side A OPT-BST COM RX to Side A AD-1C-xx.x COM TX 12 Side B AD-1C-xx.x COM RX to OPT-PRE COM TX 5 Side A OPT-PRE COM TX to Side A AD-1C-xx.x COM RX 13 Side B AD-1C-xx.x COM TX to OPT-BST COM RX 6 Side A AD-1C-xx.x (15xx.xx) RX to Side A TXP_MR_2.5G DWDM TX 14 Side B OPT-PRE COM RX to Side B OPT-BST COM TX 7 Side A AD-1C-xx.x (15xx.xx) TX to Side A TXP_MR_2.5G DWDM RX 15 Side B DCU TX to Side B OPT-PRE DC RX1 8 Side A AD-1C-xx.x EXP TX to Side B AD-1C-xx.x EXP RX 16 Side B DCU RX to Side B OPT-PRE DC TX1 1. If a DCU is not installed, a 4-dB attenuator loop, +/ 1 dB, must be installed between the OPT-PRE DC ports.11-87 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-69 Fibering a Passive OADM Node 1 Side A OSC-CSM COM TX to Side A AD-1C-xx.x COM RX 4 Side A OSC-CSM EXP RX to Side B AD-1C-xx.x EXP TX 2 Side A OSC-CSM COM RX to Side A AD-1C-xx.x COM TX 5 Side B AD-1C-xx.x COM TX to Side B OSC-CSM COM RX 3 Side A OSC-CSM EXP TX to Side B AD-1C-xx.x EXP RX 6 Side B AD-1C-xx.x COM RX to Side B OSC-CSM COM TX 115425 FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS OSC AIC CSM FAIL ACT SF UC RX MON TX RX COM TX RX LINE TX OSC CSM FAIL ACT SF UC RX MON TX RX COM TX RX LINE TX TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT AD-1C -XX.X FAIL ACT SF RX 15xx.xx TX RX EXP TX RX COM TX AD-1C -XX.X FAIL ACT SF RX 15xx.xx TX RX EXP TX RX COM TX 1 2 3 4 5 6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-88 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling 11.7.7 ROADM Node Fiber-Optic Cabling The following rules generally apply to ROADM node cabling: • The Side A OPT-BST or OSC-CSM COM TX port is connected to the Side A OPT-PRE COM RX port. • The Side A OPT-PRE COM TX port is connected to the Side A 32WSS COM RX port. • The Side A OPT-BST or OSC-CSM COM RX port is connected to the Side A 32WSS COM TX port. • The Side A OPT-BST (if installed) OSC TX port is connected to the Side A OSCM RX port. • The Side A OPT-BST (if installed) OSC RX port is connected to the Side A OSCM TX port. • The Side A 32WSS EXP TX port is connected to the Side B 32WSS EXP RX port. • The Side A 32WSS EXP RX port is connected to the Side B 32WSS EXP TX port. • The Side A 32WSS DROP TX port is connected to the Side A 32DMX COM RX port. • The Side A 40-WSS-C/40-WSS-CE DROP TX port is connected to the Side A 40-DMX-C or 40-DMX-CE COM RX port. • The Side B OPT-BST or OSC-CSM COM TX port is connected to the Side B OPT-PRE COM RX port. • The Side B OPT-PRE COM TX port is connected to the Side B 32WSS COM RX port. • The Side B OPT-BST or OSC-CSM COM RX port is connected to the Side B 32WSS COM TX port. • The Side B OPT-BST (if installed) OSC TX port is connected to the Side B OSCM RX port. • The Side B OPT-BST (if installed) OSC RX port is connected to the Side B OSCM TX port. • The Side B 32WSS DROP TX port is connected to the Side B 32DMX COM RX port. • The Side B 40-WSS-C/40-WSS-CE DROP TX port is connected to the Side B 40-DMX-C or 40-DMX-CE COM RX port. Figure 11-70 shows an example of an amplified ROADM node with cabling. Note Figure 11-70 is an example. Always install fiber-optic cables based on the Cisco TransportPlanner Internal Connections table for your site.11-89 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Node Cabling Figure 11-70 Fibering a ROADM Node 1 Side A DCU TX to Side A OPT-PRE DC RX1 8 Side A 32WSS EXP RX to Side B 32WSS EXP TX 2 Side A DCU RX to Side A OPT-PRE DC TX1 9 Side B 32DMX COM RX to Side B 32WSS DROP TX 3 Side A OPT-BST COM TX to Side A OPT-PRE COM RX 10 Side B 32WSS COM RX to Side B OPT-PRE COM TX 115473 DCU-xxx West DCU-xxx East FAIL ACT SF INPUT 1 INPUT 2 INPUT 3 INPUT 4 OUTPUT 1 OUTPUT 2 OUTPUT 3 OUTPUT 4 RING CALL LOCAL OW RING CALL EXPRESS OW CONTACT STATUS OPT AIC BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OPT BST FAIL ACT SF RX MON TX RX COM TX RX OSC TX RX LINE TX OPT PRE FAIL ACT SF MON RX COM TX RX DC TX OSCM FAIL ACT SF UC RX TX OSCM FAIL ACT SF UC RX TX TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT TCC2 FAIL SF PWR A B CRIT MAJ MIN REM SYNC ACO ACO LAMP TEST RS-232 TCP/IP LINK ACT RX TX RX TX FAIL ACT SF 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 DROP TX EXP RX TX COM RX TX ADD RX 32WSS FAIL ACT SF 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 DROP TX EXP RX TX COM RX TX ADD RX 32WSS FAIL ACT SF 32DMX 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 COM RX TX FAIL ACT SF 32DMX 54.1-60.6 46.1-52.5 38.1-44.5 30.3-36.6 COM RX TX 32DMX 32DMX 3 1 2 13 14 7 8 4 5 11 10 6 9 12 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 P P + +11-90 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup 11.8 Automatic Node Setup Automatic node setup (ANS) is a TCC2/TCC2P/TCC3/TNC/TSC function that adjusts values of the variable optical attenuators (VOAs) on the DWDM channel paths to equalize the per channel power at the amplifier input. This power equalization means that at launch, all channels have the same amplifier power, independent of the input signal on the client interface and independent of the path crossed by the signal inside the node. This equalization is needed for two reasons: • Every path introduces a different penalty on the signal that crosses it. • Client interfaces add their signal to the ONS 15454 DWDM ring with different power levels. To support ANS, integrated VOAs and photodiodes are provided in the following cards: • AD-xB-xx.x card express and drop paths • AD-xC-xx.x card express and add paths • 4MD-xx.x card add paths • 32MUX-O card add paths • 32WSS/40-WSS-C/40-WSS-CE/40-WXC-C/80-WXC-C add, drop, and pass through paths • 32DMX-O card drop paths • 32DMX, 40-DMX-C, 40-DMX-CE card input port • 40-MUX-C card output port • 40-SMR1-C/40-SMR2-C add, drop, and pass through ports • PSM card input and output ports (both working and protect path) Optical power is equalized by regulating the VOAs. Based on the expected per channel power, ANS automatically calculates the VOA values by: • Reconstructing the different channel paths. • Retrieving the path insertion loss (stored in each DWDM transmission element). VOAs operate in one of three working modes: • Automatic VOA Shutdown—In this mode, the VOA is set at maximum attenuation value. Automatic VOA shutdown mode is set when the channel is not provisioned to ensure system reliability in the event that power is accidentally inserted. • Constant Attenuation Value—In this mode, the VOA is regulated to a constant attenuation independent from the value of the input signal. Constant attenuation value mode is set on VOAs associated to aggregated paths. 4 Side A 32WSS COM TX to Side A OPT-BST COM RX 11 Side B 32WSS COM TX to Side B OPT-BST COM RX 5 Side A 32WSS COM RX to Side A OPT-PRE COM TX 12 Side B OPT-BST COM TX to Side B OPT-PRE COM RX 6 Side A 32DMX COM RX to Side A 32WSS DROP TX 13 Side B DCU RX to Side B OPT-PRE DC TX1 7 Side A 32WSS EXP TX to Side B 32WSS EXP RX 14 Side B DCU TX to Side B OPT-PRE DC RX1 1. If a DCU is not installed, a 4-dB attenuator loop, +/–1 dB must be installed between the OPT-PRE DC ports.11-91 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup • Constant Power Value—In this mode, the VOA values are automatically regulated to keep a constant output power when changes occur to the input power signal. This working condition is set on VOAs associated to a single channel path. ANS calculates the following VOA provisioning parameters: • Target attenuation • Target power Optical patchcords are passive devices that are modeled by the two termination points, each with an assigned slot and port. If user-provisioned optical patchcords exist, ANS checks if the new connection is feasible according to internal connection rules. If the user connection violates one of the rules, ANS returns a denied message. ANS requires the expected wavelength to be provisioned. When provisioning the expected wavelength, the following rules apply: • The card family generically characterizes the card name, and not the particular wavelengths supported (for example, AD-2C-xx.x for all two-channel OADMs). • At the provisioning layer, you can provision a generic card for a specific slot using CTC or TL1. • Wavelength assignment is done at the port level. • An equipment mismatch alarm is raised when a mismatch between the identified and provisioned value occurs. The default value for the provisioned attribute is AUTO. ONS 15454 ANS parameters set the values required for the node to operate successfully. Cisco TransportPlanner calculates the ANS parameters based on the requirements for a planned network. Cisco TransportPlanner exports the parameters to an ASCII, NE update file. When the NE update file is imported in CTC, the Provisioning > WDM-ANS > Provisioning tab is populated with the ANS parameters to provision the node for the network. These ANS parameters can be modified. All the ANS parameters are mapped to the physical ports of the cards. ANS parameters can also be manually added or deleted in the Provisioning tab. The ranges for the values of the ANS parameters is shown in Table 11-11. For more information on how to add an ANS parameter, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454 DWDM Procedure Guide. Note The Provisioning > WDM-ANS > Provisioning tab in CTC is empty if the NE update file is not imported. Note It is recommended that you use the Cisco TransportPlanner NE Update file to provision the ANS parameters instead of manually adding all the parameters in CTC. ANS provisioning parameters must be manually changed by Cisco qualified personnel only. Setting incorrect ANS provisioning (either as preamplifier or booster input power thresholds) may impact traffic. Table 11-11 Ranges and Values for the ANS Parameters ANS Parameter Range/Value OSC LOS Threshold -50.0 to +30.0 dBm Channel LOS Threshold -50.0 to +30.0 dBm Amplifier Working Mode Control Power, Control Gain, Fixed Gain Amplifier Gain 0.0 to 40.0 dB Amplifier Tilt -15.0 to +15.0 dB OSC Power -24.0 to 0.0 dBm11-92 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup ANS parameters can be viewed in the node view Provisioning > WDM-ANS > Provisioning tab, as shown in Figure 11-71. Figure 11-71 WDM-ANS Provisioning The Provisioning > WDM-ANS > Provisioning tab presents the following information: • Selector—Presents the ANS parameters in a tree view based on physical position. Clicking the + or – expands or collapses individual tree elements. Clicking a tree element displays the element parameters in the table on the right. For example, clicking the node name at the top displays all the node ANS parameters or clicking Slot 1 (PSM) displays the PSM amplifier parameters only. The ANS parameters can be sorted according to physical position. • Parameter—Displays the ANS parameter name. • Origin—Indicates how the parameter was calculated: – Imported—The value was set by importing the CTP XML file. Raman Ratio 0.0 to 100.0% Raman Total Power 100 to 450 mW Power -30.0 to +50 dBm WXC Dithering 0 to 33 Min Expected Span Loss 0.0 to 60.0 dB Max Expected Span Loss 0.0 to 60.0 dB VOA Attenuation 0 to 30 dB Table 11-11 Ranges and Values for the ANS Parameters ANS Parameter Range/Value11-93 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup – Provisioned—The value was manually provisioned. – Automatic—The value is automatically calculated by the system using the Raman provisioning wizard. For more information on how to provision using a wizard, see the “DLP-G468 Configure the Raman Pump Using an Installation Wizard” task in the Cisco ONS 15454 DWDM Procedure Guide. • Value—Displays the ANS parameter value. The values can be modified manually, although manually modifying the ANS parameters is not recommended. • Note—Displays information for parameters that could not be calculated, that is, parameters with Unknown appearing in the Value column. • Port —Displays the port value. Port is represented as Slot.Port. • Active Value —Displays the active parameter value. The active value cannot be modified manually. When you modify the parameter value in the Value field, the active value is updated with the modified value after you run ANS. The Provisioning > WDM-ANS > Port Status tab presents the following information: • Port—Displays the port value. The port is represented as Slot.Port. • Parameter—Displays the ANS parameter name. • Result—After you run ANS, one of the following statuses is provided for each ANS parameter in the Result column: – Success - Changed—The parameter setpoint was recalculated successfully. – Success - Unchanged—The parameter setpoint did not need recalculation. – Unchanged - Port in IS state—ANS could not modify the setpoint because the port is in IS state. – Fail - Out of Range—The calculated setpoint is outside the expected range. – Fail - Missing Input Parameter—The parameter could not be calculated because the required provisioning data is unknown or unavailable. – Not Applicable State—Ports are not in use. • Value—Displays the parameter value. • Set By—Displays the application that sets this parameter. This field can take the following values: – ANS – APC – Circuit Creation – Raman Wizard. A parameter could be set by more than one application. For example, VOA Attenuation parameter could be set by both ANS and APC. In this case, individual entries will be displayed for ANS and APC. • Last Change—Displays the date and time when the parameter was last modified. 11.8.1 Raman Setup and Tuning Raman amplification occurs in the optical fiber and the consequent Raman gain depends on the characteristics of the span (attenuator presence, fiber type, junctions, etc.). As two Raman pumps at two different wavelengths are used to stimulate the Raman effect, not only is the total signal power 11-94 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup calculation significant, but the right mix of power to ensure gain flatness is crucial. These setpoints of the total Raman power and Raman ratio can be configured on the OPT-RAMP-C or OPT-RAMP-CE card in three ways: • Raman installation wizard • CTP XML file • CTC/TL1 interface For information on how to configure the setpoints on the OPT-RAMP-C or OPT-RAMP-CE card, see the Cisco ONS 15454 DWDM Procedure Guide. Raman amplification on OPT-RAMP-C or OPT-RAMP-CE cards depends on the optical fiber installed. Therefore, Raman total power and Raman ratio values calculated using the Raman installation wizard via CTC is more accurate than the values provisioned by loading the CTP XML file. For this reason, the value provisioned using the wizard cannot be overridden by the CTP XML file. However, the values provisioned using the wizard or the CTP XML file can be overriden by manually provisioning the parameters. When the Raman installation is completed, a report of the status of Raman configuration on a node in the OPT-RAMP-C or OPT-RAMP-CE card can be viewed in the Maintenance > Installation tab when you are in card view. The Installation tab displays the following fields: • User—Name of user who configured the Raman pump. • Date—Date when the Raman pump was configured. • Status – Raman Not Tuned—The OPT-RAMP-C or OPT-RAMP-CE card was provisioned but ANS was not launched. – Tuned by ANS—ANS was run successfully and the basic ANS parameters were applied. – Tuned by Wizard—The Raman installation wizard was run successfully without errors. – Tuned by User Acceptance—The Raman installation wizard was completed with errors and the user accepted the values that the wizard calculated. – Raman is Tuning—The Raman installation wizard is running. • S1Low (dBm)—See Table 11-12. • S1High (dBm)—See Table 11-12. • S2Low (dBm)—See Table 11-12. • S2High (dBm)—See Table 11-12. • Power (mW)—Total Raman power setpoints. • Ratio—Raman pump ratio setpoint. • Gain—Expected Raman gain that the wizard calculated. • Actual Tilt—Expected Raman tilt that the wizard calculated. • Fiber Cut Recovery—Status of the fiber cut restoration. – Executed—The restore procedure was completed successfully. – Pending—The restore procedure is not complete. – Failed—The system failed to execute the procedure. • Fiber Cut Date—Date when the fiber cut occured.11-95 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Automatic Node Setup The Raman pump is equipped with two different Raman pumps transmitting powers (P1 and P2) at two different wavelengths 1 and 2. During installation, the two pumps alternatively turn ON and OFF at two different power values. 1 and 2 signals are used as probes at the end of spans to measure Raman gain efficiency of the two Raman pumps separately. The example in Figure 11-72 shows the Raman gain on an OPT-RAMP-C or OPT-RAMP-CE card in Node B that was measured by setting the wavelength and power measurements as follows: 1=1530.33 nm signal probe at Node A 2=1560.61 nm signal probe at Node A P1 = 1425 nm power at Node B P2 = 1452 nm power at Node B Plow = 100 mW Phigh = 280 mW Pmin = 8 mW Pmax = 450 mW Figure 11-72 Raman Gain on Node B The S1low, S1high, S2low, and S2low values in the Maintenance > Installation tab are based on the power values read on the LINE-RX port of Node B. λ λ λ λ λ λ 247381 OSC Add Node A Node B Pump Add OSC Drop Pump Drop Pump Drop OSC LINE-RX Drop RAMAN-TX RAMAN-RX RAMAN-RX RAMAN-TX COM-TX COM-RX COM-RX COM-TX DC-RX OSC-RX OSC-TX OSC-RX LINE-TX Probe signals Raman signals Raman Pump Probe signal power LINE-RX LINE-TX DC-TX DC-TX DC-RX PD4 PD5 PD7 PD6 PD3 PD4 PD10 PD12 PD12 PD10 PD3 PD1 PD1 PD6 OSC-TX PD7 PD5 Pump Add OSC Add11-96 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View 11.9 DWDM Functional View DWDM functional view offers a graphical view of the DWDM cards and the internal connections between them in an MSTP node. The functional view also shows cards and connections for multidegree MSTP nodes (up to eight sides). To navigate to the functional view of a DWDM node, use the following navigational path in CTC when you are in node view: Provisioning > WDM-ANS > Internal Patchcords > Functional View An example of the functional view for an eight-sided node is shown in Figure 11-73. Table 11-12 Example of Raman Power Measurements Input P1 P2 Raman Power at Node B 1=1530.33 nm at Node A Plow = 100 mW Pmin = 8 mW S1low Phigh = 250 mW Pmin = 8 mW S1high 2=1560.61 nm at Node A Pmin = 8 mW Plow = 100 mW S2low Pmin = 8 mW Phigh = 250 mW S2low λ λ11-97 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-73 Functional View for an Eight-Sided Node 11.9.1 Navigating Functional View The functional view has two main panes. The upper pane contains a tree view of the shelves and a graphical view of the shelf equipment. The lower pane describes alarms and circuits in a tabular format. The upper pane in Figure 11-73 is divided into a left pane and a right pane. The left pane shows a tree structure view of the shelf or shelves in the MSTP system. You can expand the tree view of a shelf to show the slot usage in that shelf. The right pane is a graphical view of the sides in the shelf. In the case of Figure 11-73, there are eight sides (A through H). Side A is located as shown in the figure. All of the cards in each side are grouped together. 240752 Side A Fit to View Zoom Out Zoom In Select11-98 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View The meanings of the icons in the upper right corner are as follows: • Select—use this icon to select a graphical element in the graphical view pane. • Patchcord—Use this icon to create an internal patchcord between cards. Note The Patchcord icon is not functional for Software Release 8.5. • Zoom In/Zoom Out—Use these icons to zoom in or zoom out in the graphical display pane. • Fit to View—Use this icon to have the graphical view fit the space available on your screen. The bottom pane can be used to display alarms (using the Alarms tab) or Circuits (using the Circuits tab). Clicking the Alarms tab displays the same information as the Alarms tab in the network, node, or card view. Clicking the Circuits tab displays the same information as the Alarms tab in the network, node, or card view. 11.9.2 Using the Graphical Display This section explains how to use the graphical portion of the display to gather information about the cards and ports. 11.9.2.1 Displaying a Side Double-click a side to show the details of that side. For example, if you double-click Side A in Figure 11-73, the result is as shown in Figure 11-74. Figure 11-74 Side A Details 2 3 4 7 6 8 9 5 1 24075911-99 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View The green arrows in the diagram represent the DWDM optical path within the selected side. The optical path in this instance is summarized as follows: 1. The light enters the OPT-BST card LINE-RX port from the optical span. 2. The path continues out of the OPT-BST card COM-TX port to the COM-RX port of the OPT-PRE card. 3. The OPT-PRE card sends the optical signal out of its COM-TX port to the 40-WXC COM-RX input port. 4. The 40-WXC card sends the signal to be locally dropped out of its DROP-TX port to the 40-DMX/40-DMX-CE card COM-RX port. 5. The 40-DMX/40-DMX-CE card sends the dropped signal out on one of its multifiber push on (MPO) connectors to the block labeled MPO. When you expand the MPO block (double-click it or right-click it and select Down), you will see a muxponder (MUX) card inside the MPO block. One of the eight optical fibers in the MPO cable is connected to the MUX trunk port. 6. The optical signal from the trunk port of the MXP card inside the MPO block enters the 40-MUX card at one of its five MPO connectors. 7. The 40-MUX card sends the optical signal out of its COM-TX port to the ADD-RX port of the 40-WXC card. 8. The added signal from the MXP gets sent out on the COM-TX port of the 40-WXC card to the COM-RX port of the OPT-BST card. 9. Finally, the OPT-BST card sends the optical signal out onto the span from its LINE-TX port. 11.9.2.2 Displaying Card Information In the functional view graphical pane, you can double-click a card to bring up the usual CTC card view. You can also move the mouse over a card to display information about the card. For example, when the mouse is placed over the OPT-BST card in Side A, the tooltip text displays sh1/s1 (OPT-BST), indicating that the OPT-BST card for Side A is located in Shelf 1, Slot 1. See Figure 11-75.11-100 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-75 Side A OPT-BST Card Shelf and Slot Information 11.9.2.3 Displaying Port Information Move the mouse over a port on a card to display information about the port. For example, when the mouse is placed over the top left port of the 40-MUX card in Side A, the tooltip text displays CARD_PORT-BAND-1-RX, indicating that the 40-MUX port being pointed to is for the first band of wavelengths (wavelengths 1 to 8) to be added into the optical path at the 40-MUX card. These wavelengths come into the 40-MUX card from a transponder (TXP) or muxponder (MXP) on an MPO connector, which contains eight integrated optical fibers. See Figure 11-76.11-101 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-76 Side A 40-MUX Port Information 11.9.2.4 Displaying Patchcord Information Move the mouse over a patchcord to see the state of the output and input port associated with that patchcord. See Figure 11-77.11-102 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-77 Patchcord Input and Output Port State Information 11.9.2.5 Displaying MPO Information To show the details inside an MPO block, double-click it or right-click it and select Down. When the detailed view is visible, right-click inside the MPO block and select Upper View to collapse the block. When you move the mouse over the MPO block, the associated wavelengths are displayed as a tool tip (see Figure 11-78).11-103 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-78 MPO Information 11.9.2.6 Alarm Box Information Within the side display, an alarm box is shown that gives the alarm count for the Critical, Major, and Minor alarms that affect that side. This alarm summary is only for the side, and is different from the alarms under the Alarms tab, where all of the alarms for the system are summarized. If an alarm under the Alarms tab appears that has to do with Side A, for example, only the appropriate alarm count in the Alarm box for Side A is incremented. The alarm counts in the Alarm boxes for the other nodes (B through H) are not incremented. In the graphical view of a side, the card icon or port icon changes color to reflect the severity of an alarm associated with the card (red, orange, or yellow). The color of the MPO block reflects the color of highest alarm severity for the elements in the MPO block. 11.9.2.7 Transponder and Muxponder Information All of the TXP and MXP cards connected with patchcords are grouped together under the MPO icon. In the node shown in Figure 11-73, there is an MXP card in Side A that is connected to the 40-MUX card and to the 40-DMX/40-DMX-CE card. The MXP card is connected through the 40-MUX card to the add port on the 40-WXC card and it is also connected through the 40-DMX/40-DMX-CE card to the drop port on the 40-WXC card. To view the connections to the MXP card from the 40-MUX card, double-click the MPO icon. Figure 11-79 shows the MPO icon before double-clicking it and Figure 11-80 shows the result after double-clicking it. Note In the case of a protected TXP (TXPP) or MXP (MXPP) card, the card icon has a label indicating the active trunk and the protected trunk.11-104 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View Figure 11-79 Side A MPO Connection to an MXP Before Double-Clicking Figure 11-80 Side A MPO Connection to an MXP After Double-Clicking 11.9.2.8 Changing the Views When you right-click inside of a side view, a shortcut menu allows you to do the following (see Figure 11-81): • Fit to View—Fits the side view into the available display space. • Delete Side—Deletes the selected side. • Rotate Left—Rotates the side 90 degrees counterclockwise (all connections are maintained). • Rotate Right—Rotates the side 90 degrees clockwise (all connections are maintained). • Horizontal Flip—Flips the side horizontally (all connections are maintained). • Vertical Flip—Flips the side vertically (all connections are maintained). After you have selected Fit to View for a side, you can right-click in the side view to bring up a new menu with the following selections (see Figure 11-82): • Go to Upper View—Returns to the previous view. MPO block 240760 MXP card MPO connector 24076111-105 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Functional View • Perform AutoLayout—Optimizes the placement of the cards and the connections between them. Figure 11-81 Side A View Options Figure 11-82 Side A View Options (after Selecting Fit to View) 11.9.2.9 Selecting Circuits When the Circuits tab is selected, the circuits for the functional view are shown. The patchcord lines in the graphical display are normally black in color. A patchcord line becomes green only when you select a circuit associated with the patchcord that carries the selected circuit. 11.9.2.10 Displaying Optical Path Power To show the optical power present in an optical path, move the mouse over the desired optical path (green line). A tooltip shows the power along the optical path in dBm (see Figure 11-83).11-106 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Network Functional View Figure 11-83 Optical Path Power 11.10 DWDM Network Functional View The DWDM Network Functional View (NFV) displays a graphical representation of the circuit connections, optical power, and alarms in the DWDM network. The NFV allows you to view the circuit connections and flow of data at the network level. The NFV also helps to find an alternate network path if there is a loss of signal in the network. The NFV offers dual options to view the network: • Graphical view—Displays the circuit connections, optical power, and alarms of a circuit through a graphical representation. To view the graphical display of the circuit connections, select the circuit listed in the upper left pane. Click dB, SL, and PV button on the toolbar to view the optical power of the selected circuit, span loss of the desired span, and insertion loss of the patchchord respectively. For more information refer to 11.10.2 Using the Graphical Display, page 11-108. • Viewing the circuit details in tabular format—The circuit connections, optical power, and alarms of a circuit are displayed in a tabular format (seen in the left pane of the Network Functional View). For more information refer to 11.10.2.2 Selecting the Circuit, page 11-109. For information on how to view optical power values and alarms of the circuit selected in the Network Functional View, see the “View Optical Power Values and Alarms Using the Network Functional View” task in the Cisco ONS 15454 DWDM Procedure Guide.11-107 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Network Functional View 11.10.1 Navigating Network Functional View This section explains how to navigate to the network functional view (NFV). To navigate to the NFV, go to the network view in the CTC and click the FV button on the toolbar. The DWDM Network Functional View window opens. The NFV is similar to the DWDM functional view in its graphical layout and behavior at the node level. For additional information, see “11.9 DWDM Functional View” section on page 11-96. The network functional view has two main panes (Figure 11-84): • Left pane—Is divided into an upper pane and a lower pane. The upper pane has three tabs that are listed in Table 11-13, and the lower pane displays the graphical overview of the network. • Right pane—Displays the graphical view of all the nodes and devices in the network. You can hide or close the upper and lower panes, and view only the network map in the NFV. Click the Close button on the title bar to close the pane or click the Toggle auto-hide button on the title bar to hide the pane. Click the Reset To Default button on the toolbar to restore (or view) all the panes. Table 11-13 Circuits, Optical Power, and Alarms tab Tab Description Circuits Displays the lists of circuits for the nodes present in the network. Optical Power Displays the optical link and span loss of the circuits. This tab lists the aggregated power-in and power-out of all the internal patchcords for the nodes that have the functional view open. Alarms Displays the alarms of all the circuits for the nodes present in the network.11-108 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Network Functional View Figure 11-84 DWDM Network Functional View 11.10.2 Using the Graphical Display This section explains how to use the graphical display to gather information on circuits, optical power, and alarms for the nodes. To expand a node, click on the network functional view graph and Press F2. The node opens in a double zoom mode and you can read the power information in the zoom out view. Click F2 again to zoom-in or return to the normal view. Additionally, to zoom-in and zoom-out the graph on the network functional view, press the Ctrl key and scroll up and down with the scroll wheel on your mouse. Click Reset Nodes Zoom button on the toolbar to reset the graphical view to the default zoom size. The keystroke commands provide the keyboard shortcuts for graphical control of the NFV. To access the keystroke commands, click Help > Keystroke commands. Note To open and view the nodes in the network functional view, right-click the node and choose Open Node FV. Or double-click on the Node to open the node FV. To navigate to the node level, right-click FV > Node FV. To close all the opened nodes in the FV, click Close Expanded Nodes button on the toolbar. To zoom-in and zoom-out of the open node, press the Ctrl key and scroll up and down with the scroll wheel on your mouse. 274373 Circuits, Optical Power, and Alarms Tabs Title bar Toggle auto-hide Upper Pane Lower Pane Right Pane PV dB Reset Nodes Zoom Close Expanded Nodes Reset To Default SL Refresh Button11-109 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Network Functional View When you have multiple node FVs opened, you cannot view the graphical details of the individual node due to overlapping of the map. To avoid overlapping of the map, do the following: 1. Select the entire expanded node (all sides), and move it out of the map (to the desired location). To select the entire node, click on the title bar of the node and Press Ctrl A. 2. Move the individual sides of the node one-by-one back to the proper position inside the network map. To move the individual sides of the node, select the side and move it to the desired location. 11.10.2.1 Displaying Optical Power The NFV toolbar has the following buttons that displays the optical power information of the circuits: • dB (Power)—Click the dB button on the toolbar to view the optical power information of the circuits. The optical power in the optical path in dBm is displayed in the power balloon. You can view the aggregated power only for those nodes that have the FV open. To open the node FV, right-click the node and choose Open Node FV. It also shows the per channel estimated power of the ports of the selected circuit. Right-click the internal patchcord link and select Flip Power Balloons to view the power balloon of the selected patchcord. The power balloon is flipped and you can see the power details of the selected patchcord without overlapping. • SL (Span Loss)—Click the SL button to see the loss of signal of the desired span. • PV (Patchcord Verification)—Click the PV button to display the insertion loss of the patchcord. The PV calculates the input and output power of the patchcord. You can view the insertion loss of the patchchord only for those nodes that have the FV open. To open the node FV, right-click the node and choose Open Node FV. The insertion loss should not exceed 2dBm. The patchcord lines are colored to indicate the insertion loss: – Red—Indicates that the insertion loss of the patchcords exceeded 2dBm. – White—Indicates that the system was not able to calculate the insertion loss of the patchcord. – Black—Indicates that the insertion loss of the patchcords is within the limit and not more than 2dBm. Note Click Refresh on the toolbar, to refresh the optical power and span loss information. The optical power and span loss information is calculated and is refreshed in the graphical display and optical power table. 11.10.2.2 Selecting the Circuit The Circuit tab in the NFV allows you to view the available circuits in the network. Click the Circuit tab to view the list of circuits in the selected network. Choose the circuit from the list to view the circuit level information. A graphical display of the selected circuit and the impacted span is visible in the map. Additionally, you can view the general information (type, source, and destination), status (IS,OOS [ANSI] or unlocked, locked [ETSI]), and physical connection details (wavelength, direction, and span) of the selected circuit. The circuit can be in any of the following states: • DISCOVERED • PARTIAL • DISCOVERED_TL1 • PARTIAL_TL111-110 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference DWDM Network Functional View When you switch the selection between the circuits, and if both the circuits are in DISCOVERED_TL1 state, the circuit details of the new selection is not displayed (it may still show the previously selected circuit details). If you find that the current selection is not refreshed, do either of the following: • Deselect the selected circuit before selecting the another circuit. Or • Update all the selected circuits using the Reconfigure Circuit option. Go to CTC Tools > Circuits > Reconfigure Circuits menu to reconfigure the selected circuits. During reconfiguration, CTC reassembles all connections of the selected circuits and VCAT members into circuits based on path size, direction, and alignment. Note If the information does not refresh when you switch the selection between the circuits in OCH_CC and its OCH_TRAIL (and vice-versa), follow the suggestion provided on how to view the current selection if the screen is not refreshed. To view the optical power and alarm details of a circuit, click Circuit and select the circuit name from the list to view the following details: • Optical Power—To view the optical power of the selected circuit, click the Optical Power tab. You can view the optical link status and the span loss of the selected circuit. • Alarms—To view the alarms of the selected circuit, click the Alarms tab. If a card has one or more alarms (that is part of the selected circuit), the node turns either yellow or red, depending on the severity of the alarm. The alarm in red indicates a major alarm and yellow indicates a minor alarm. If there is an alarm present in the card that is not part of the selected circuit, then the node appears gray. If a node has alarms that is not part of the selected circuits, then the alarms are not listed in the table, but the node is colored in the graphical view (right pane). Note At the circuit level, you can view both the node and network level information. 11.10.2.3 Exporting Reports You can also export the NFV reports of circuit level information in HTML or JPEG format. The export operation creates two files, an HTML and a JPEG format of the NFV information. The .jpg file provides a graphical representation of the site layout. For more information on exporting the reports, see the “Export Network Functional View Reports” task in the Cisco ONS 15454 DWDM Procedure Guide.11-111 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Non-DWDM (TDM) Networks 11.11 Non-DWDM (TDM) Networks Non-DWDM (TDM) Networks take synchronous and asynchronous signals and multiplexes them to a single higher bit rate for transmission at a single wavelength over fiber. When the node is configured as a Non-DWDM Network, the supported MSTP cards — amplifiers, transponders, and muxponders, are used in the standalone mode. MSTP applications like Circuit Provisioning, NLAC and APC are not supported in amplified TDM networks. For more information on how to configure a node as a Non-DWDM network, see the “NTP-G320 Configure the Node as a Non-DWDM Network” section in “Turn Up a Node” chapter in the Cisco ONS 15454 DWDM Procedure Guide. When the node is configured as a Not-DWDM network, all the amplifiers are configured by default with the following values: • Working mode = Control Gain • Channel Power Ref. = +1dBm. Booster(LINE) amplifiers enable optical safety when used in Non-DWDM. ALS configuration is set to “Auto Restart” by default. A manual restart request is therefore needed to turn up the bidirectional link, in addition with an appropriated cabling (bi-directional) of LINE TX/RX ports. In NOT-DWDM mode, you must configure significant optical parameters and thresholds before launching the ANS application. For information on how to configure the amplifier, see the “DLP-G693 Configure the Amplifier” section in “Turn Up a Node” chapter in the Cisco ONS 15454 DWDM Procedure Guide. For information on how to configure the PSM behavior, see the “DLP-G694 Configure the PSM” section in “Turn Up a Node” chapter in the Cisco ONS 15454 DWDM Procedure Guide. When the ANS application is launched, amplifier ports move into IS state and Gain Setpoint is automatically calculated by the card, after initial APR cycle. Gain Setpoint must be equal to MAX [Min Gain Setpoint of the card ; (Power Ref-Pinput)]; where Pinput is the optical power value at the ingress port (COM-RX) of the amplification stage.11-112 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 11 Node Reference Non-DWDM (TDM) NetworksCHAPTER 12-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 12 Network Reference This chapter explains the Cisco ONS 15454 dense wavelength division multiplexing (DWDM) network applications and topologies. The chapter also provides network-level optical performance references. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Note In this chapter, “OPT-BST” refers to the OPT-BST, OPT-BST-E, OPT-BST-L cards, and to the OPT-AMP-L, OPT-AMP-C, and OPT-AMP-17-C cards when they are provisioned in OPT-LINE (optical booster) mode. “OPT-PRE” refers to the OPT-PRE card and to the OPT-AMP-L, OPT-AMP-C, and OPT-AMP-17-C cards provisioned in OPT-PRE (preamplifier) mode. Note OPT-BST-L, 32WSS-L, 32DMX-L, and OPT-AMP-L cards can be installed only in L-band compatible nodes and networks. OPT-BST, OPT-BST-E, 32WSS, 32DMX, 40-DMX-C, 40-DMX-CE, 40-MUX-C, 40-WSS-C, 40-WSS-CE, 40-WXC-C, 80-WXC-C, 40-SMR1-C, 40-SMR2-C, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C and OPT-RAMP-CE cards can be installed only in C-band compatible nodes and networks. Chapter topics include: • 12.1 Network Applications, page 12-2 • 12.2 Network Topologies, page 12-2 • 12.5 Network Topologies for the OPT-RAMP-C and OPT-RAMP-CE Cards, page 12-18 • 12.6 Network Topologies for the PSM Card, page 12-19 • 12.7 Optical Performance, page 12-19 • 12.8 Automatic Power Control, page 12-20 • 12.9 Power Side Monitoring, page 12-24 • 12.10 Span Loss Verification, page 12-25 • 12.11 Network Optical Safety, page 12-27 • 12.12 Network-Level Gain—Tilt Management of Optical Amplifiers, page 12-40 • 12.13 Optical Data Rate Derivations, page 12-46 • 12.14 Even Band Management, page 12-4812-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Applications 12.1 Network Applications Cisco ONS 15454 nodes can be provisioned for metro core DWDM network applications. Metro core networks often include multiple spans and amplifiers, so the optical signal-to-noise ratio (OSNR) is the limiting factor for channel performance. Within DWDM networks, the ONS 15454 uses a communications protocol, called Node Services Protocol (NSP), to communicate with other nodes. NSP automatically updates nodes whenever a change in the network occurs. Each ONS 15454 DWDM node can: • Identify other ONS 15454 DWDM nodes in the network. • Identify the different types of DWDM networks. • Identify when the DWDM network is complete and when it is incomplete. 12.2 Network Topologies The ONS 15454 DWDM network topologies include ring networks, linear networks, mesh networks, interconnected rings and spurs. 12.2.1 Ring Networks Ring networks support hubbed, multi-hubbed, any-to-any, and mesh traffic topologies. 12.2.1.1 Hubbed Traffic Topology In the hubbed traffic topology (Figure 12-1), a hub node terminates all the DWDM channels. A channel can be provisioned to support protected traffic between the hub node and any node in the ring. Both working and protected traffic use the same wavelength on both sides of the ring. Protected traffic can also be provisioned between any pair of optical add/drop multiplexing (OADM) nodes, except that either the working or the protected path must be regenerated in the hub node. Protected traffic saturates a channel in a hubbed topology, that is, no channel reuse is possible. However, the same channel can be reused in different sections of the ring by provisioning unprotected multihop traffic. From a transmission point of view, this network topology is similar to two bidirectional point-to-point links with OADM nodes. For more information about hub nodes, see the “11.1.4 Hub Node” section on page 11-27.12-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-1 Hubbed Traffic Topology 12.2.1.2 Multihubbed Traffic Topology A multihubbed traffic topology (Figure 12-2) is based on the hubbed traffic topology, except that two or more hub nodes are added. Protected traffic can only be established between the two hub nodes. Protected traffic can be provisioned between a hub node and any OADM node only if the allocated wavelength channel is regenerated through the other hub node. Multihop traffic can be provisioned on this ring. From a transmission point of view, this network topology is similar to two or more point-to-point links with OADM nodes. Hub Amplified OADM Passive OADM Line amplifier 90995 Amplified OADM Passive OADM Amplified OADM OSC OSC12-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-2 Multihubbed Traffic Topology 12.2.1.3 Any-to-Any Traffic Topology The any-to-any traffic topology (Figure 12-3) contains only reconfigurable OADM (ROADM) nodes (with or without optical service channel [OSC] regeneration) or optical amplifier nodes. This topology potentially allows you to route every wavelength from any source to any destination node inside the network. See the “11.1.3 ROADM Node” section on page 11-10 for more information. Hub Hub Passive OADM Line amplifier 90998 Amplified OADM Passive OADM Amplified OADM OSC OSC12-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-3 Any-to-Any Traffic Topology 12.2.1.4 Meshed Traffic Topology The meshed traffic topology (Figure 12-4) does not use hubbed nodes; only amplified and passive OADM nodes are present. Protected traffic can be provisioned between any two nodes; however, the selected channel cannot be reused in the ring. Unprotected multihop traffic can be provisioned in the ring. A meshed ring must be designed to prevent amplified spontaneous emission (ASE) lasing. This is done by configuring a particular node as an anti-ASE node. An anti-ASE node can be created in two ways: • Equip an OADM node with 32MUX-O cards and 32DMX-O cards. This solution is adopted when the total number of wavelengths deployed in the ring is higher than ten. OADM nodes equipped with 32MUX-O cards and 32DMX-O cards are called full OADM nodes. • When the total number of wavelengths deployed in the ring is lower than ten, the anti-ASE node is configured by using an OADM node where all the channels that are not terminated in the node are configured as “optical pass-through.” In other words, no channels in the anti-ASE node can travel through the express path of the OADM node. For more information about OADM nodes, see the “11.1.2 OADM Node” section on page 11-8. For more information about anti-ASE nodes, see the “11.1.5 Anti-ASE Node” section on page 11-31. ROADM ROADM ROADM 115730 ROADM ROADM ROADM OSC OSC12-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-4 Meshed Traffic Topology 12.2.2 Linear Networks Linear configurations are characterized by the use of two terminal nodes, east and west. The 32-channel terminal nodes can be equipped with a 32MUX-O card and a 32DMX-O card, or with a 32WSS card and a 32DMX or 32DMX-O card. The 40-channel terminal nodes can be equipped with a 40-MUX-C card and a 40-DMX-C/40-DMX-CE card, a 40-WSS-C/40-WSS-CE card with a 40-DMX-C/40-DMX-CE card, or a 40-SMR1-C/40-SMR2-C card with a 15216-MD-40-ODD card. OADM or line amplifier nodes can be installed between the two terminal nodes. Only unprotected traffic can be provisioned in a linear configuration. Figure 12-5 shows five ONS 15454 nodes in a linear configuration with an amplified and a passive OADM node. Figure 12-5 Linear Configuration with an OADM Node Figure 12-6 shows five ONS 15454 nodes in a linear configuration without an OADM node. See the “11.1.1 Terminal Node” section on page 11-2 for more information. Anti-ASE Amplified OADM Passive OADM Line amplifier 90997 Amplified OADM Passive OADM Amplified OADM OSC OSC Line amplifier Passive OADM 90996 West terminal Amplified OADM East terminal OSC OSC12-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-6 Linear Configuration without an OADM Node A single-span link is a type of linear configuration characterized by a single-span link with preamplification and post-amplification. A single-span link is also characterized by the use of two terminal nodes, east and west. Only unprotected traffic can be provisioned on a single-span link. Figure 12-7 shows two ONS 15454s in a single-span link. Eight channels are carried on one span. Single-span link losses apply to OC-192/STM-64 LR ITU cards. The optical performance values are valid assuming that the sum of the OADM passive node insertion losses and the span losses does not exceed 35 dB. Figure 12-7 Single-Span Link 12.2.3 Mesh Networks A mesh network can be native or multiring. In a native mesh network (Figure 12-8), any combination of four-degree and eight-degree mesh nodes can work together. Four-degree mesh nodes transmit an optical signal in four directions, while an eight-degree mesh node transmits an optical signal in eight directions. For additional information about mesh nodes, see the “11.6 Configuring Mesh DWDM Networks” section on page 11-53. The intermediate nodes are ROADM nodes. In a mesh node, all wavelengths can be routed through four (four-degree mesh node) to eight (eight-degree mesh node) different optical line termination ports using a 40-WXC-C, 80-WXC-C, or 40-SMR2-C card without any optical-electrical-optical (OEO) regeneration. It is possible to combine 40-WSS-C/40-WSS-CE, 40-WXC-C, 40-SMR2-C, and 32WSS cards in the same mesh network without impacting system performance. For nodes equipped with 32WSS cards, the maximum system capacity is 32 channels. Terminal sites are connected to the mesh network as a spur. Line amplifier 96639 West terminal East terminal OSC OSC Line amplifier Line amplifier 90999 West terminal East terminal ~130/150 km OSC OSC12-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies Figure 12-8 Mesh Network In a multiring mesh network (Figure 12-9), several rings are connected with four-degree or eight-degree mesh nodes. The intermediate ROADM nodes are equipped with MMU cards. All wavelengths can be routed among two or more rings using a 40-WXC-C or 40-SMR2-C card without any optical-electrical-optical (OEO) regeneration. As in a native mesh network, it is possible to combine 40-WSS-C/40-WSS-CE, 40-WXC-C, 40-SMR2-C, and 32WSS cards in the same multiring network without impacting system performance. For nodes equipped with 32WSS cards, maximum system capacity is limited to 32 channels. A terminal node is connected to a multiring node as a spur. For information on node configurations for both native mesh and multiring networks, see the “11.6 Configuring Mesh DWDM Networks” section on page 11-53. 159494 OLA Terminal N-degree mesh N-degree mesh N-degree mesh N-degree mesh N-degree mesh N-degree mesh N-degree mesh ROADM ROADM ROADM ROADM Terminal12-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-9 Multiring Network 12.3 Interconnected Rings The interconnected ring configuration allows you to connect two different nodes using external ports to allow traffic flow between different subnets. In Figure 12-10, the main ring consists of nodes R, R1, and R2 and the tributary ring consists of nodes r, r1, and r2. It is possible to connect more than one tributary ring to the main ring at the same point. Node R of the main ring can forward wavelengths to the node r of the tributary ring and vice-versa. Node R is either a colorless and omni-directional n-degree ROADM node (Figure 12-11) or a two-degree colorless ROADM node (Figure 12-12) equipped with 80-WXC-C cards. See the “11.6 Configuring Mesh DWDM Networks” section on page 11-53 for more information about colorless and omni-directional n-degree ROADM nodes and two-degree colorless ROADM nodes. Node r of the tributary ring is a two-degree ROADM node equipped with 40-SMR1-C, 40-SMR2-C, 40-WSS-C, or 40-WSS-CE cards. OTS PPCs are provisioned between the EAD ports of the 80-WXC-C card on node R and the EXP or ADD/DROP ports of the 40-SMR1-C, 40-SMR2-C, 40-WSS-C, or 40-WSS-CE cards on node r. All the nodes are managed by different IP addresses. 249103 OPT-BST or OSC-CSM OPT-PRE or TXP/MXP 40-WSS-C DCM-xxx Air ramp DCM-xxx 40-DMX-C Blank or TXP/MXP or MS-ISC-100T TCC2/TCC2P/TCC3 OSCM or Blank AIC-I OSCM or Blank TCC2/TCC2P/TCC3 Blank or TXP/MXP or MS-ISC-100T 40-DMX-C 40-WSS-C OPT-PRE or TXP/MXP OPT-BST or OSC-CSM12-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-10 Interconnected Rings Figure 12-11 Colorless and Omni-directional n- Degree ROADM Node 248900 B R1 R2 R1 r1 r2 r A C c D d a b Main ring Node interconnections Tributary ring 80-WXC-C PP-MESH-4 249088 A C D B P P Connection to tributary ring node (r)12-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-12 Colorless Two-Degree ROADM Node 12.3.1 Interconnected Ring Scenarios In the following sections, three interconnected ring scenarios are given: 12.3.1.1 Scenario A: Interconnect Traffic from Tributary Ring to Main Ring without Local Add/Drop in the Tributary Ring In scenario A-1(Figure 12-13), node R is a three-degree colorless and omni-directional ROADM node and node r is a two-degree 40-SMR1-c based ROADM node. The EAD ports of the 80-WXC-C cards on node R are connected to the ADD/DROP ports of the 40-SMR1-C card on node r. Traffic from node r can be routed to side A or B of node R. Traffic from side a cannot be added or dropped at node r but can be routed to side b using the express path. 249085 1x9 DMX L2 1x9 DMX L1 1x9 MUX L2 1x9 DMX L2 1x9 MUX L2 1x9 MUX L1 1x9 MUX L1 1x9 DMX L1 P Booster Connection to tributary ring node (r) Side A Side B OSC Booster OSC DMX-E DMX-O MUX-E MUX-O DMX-O DMX-E MUX-O MUX-E P12-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-13 Interconnected Ring - Scenario A-1 In scenario A-2 (Figure 12-14), node R is a two-degree colorless ROADM node and node r is a two-degree 40-SMR1-C based ROADM node. The EAD ports of the 80-WXC-C cards on node R are connected to the ADD/DROP ports of the 40-SMR1-C card on node r. Traffic from node r can be routed to one side of node R. For example, traffic can be routed from side a to side A or from side b to side B. Traffic from side a cannot be added or dropped at node r but can be routed to side b using the express path. Figure 12-14 Interconnected Ring - Scenario A-2 PP-MESH-4 248896 A A R r B C D a b c d a b B R r P P C-rx D-rx C-tx D-tx Main Ring Traffic c-rx d-tx d-rx c-tx 248895 A A R r B C D a b c d a b B R r C-tx D-rx C-rx D-tx d-tx d-rx c-rx c-tx Main Ring Traffic Booster Booster Tributary Ring Traffic P P12-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings 12.3.1.2 Scenario B: Interconnect Traffic from Tributary Ring to Main Ring with Local Add/Drop in the Tributary Ring In scenario B-1(Figure 12-15), node R is a three-degree colorless and omni-directional ROADM node and node r is a hub node with two terminal sides equipped with 40-SMR1-C or 40-WSS-C cards. The EAD ports of the 80-WXC-C cards on node R are connected to the EXP ports of the 40-SMR1-C or40-WSS-C card on node r. Traffic from node r can be routed to side A or B of node R. Traffic local to the tributary ring can be added or dropped at node r. For example, traffic from side a can be dropped at node r but cannot be routed to side b since the EXP ports are not available. Figure 12-15 Interconnected Ring - Scenario B-1 In scenario B-2 (Figure 12-16), node R is a two-degree colorless ROADM node and node r is a hub node with two terminal sides equipped with 40-SMR1-C or 40-WSS-C cards. The EAD ports of the 80-WXC-C cards on node R are connected to the EXP ports of the 40-WSS-C card on node r. Traffic from node r can be routed to one side of node R. For example, traffic can be routed from side a to side A or from side b to side B. Traffic local to the tributary ring can be added or dropped at node r. For example, traffic from side a can be dropped at node r but cannot be routed to side b since the EXP ports are not available. PP-MESH-4 248896 A A R r B C D a b c d a b B R r P P C-rx D-rx C-tx D-tx Main Ring Traffic c-rx d-tx d-rx c-tx12-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-16 Interconnected Ring - Scenario B-2 12.3.1.3 Scenario C: Interconnect Traffic Between Tributary Rings Using the Main Ring In scenario C-1(Figure 12-17), nodes R1 and R2 are n-degree colorless and omni-directional ROADM nodes. Node r is a terminal site. The EXP ports of the 40-SMR-1C card in node r are connected to the EAD ports of the 80-WXC-C card in nodes R1 and R2. Traffic from node r is routed to side A and B of nodes R1 and R2. Traffic local to the tributary ring can be added or dropped at node r. 248897 a b r c-rx d-tx d-rx c-tx A B R C-tx D-rx C-rx D-tx Booster Booster P P A R r B C D a b c d Main Ring Traffic12-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Interconnected Rings Figure 12-17 Interconnected Ring - Scenario C-1 In scenario C-2(Figure 12-18), node R is an n-degree colorless and omni-directional ROADM node with 2 omni-directional sides. Nodes r1 and r2 are hub sites. The ADD/DROP ports of 40-SMR-1-C cards in node r1 and r2 are connected to the EAD ports of 80-WXC-C cards in node R. Traffic can be routed from node r1 to node r2 through node R. Traffic local to the tributary ring can be added or dropped at node r1 and r2. Figure 12-18 Interconnected Ring - Scenario C-2 PP-MESH-4 248898 A A A R R R1 r r r r R2 B C B c a a B R P P C-rx C-tx c-rx c-tx Main Ring Tributary Ring r PP-MESH-4 248899 A a b B R r1 P P C-rx D-rx a b r2 P P C-tx D-tx F-rx F-rx E-tx E-tx A R r1 B C D E F a b r2 a b c d c d Main Ring Traffic Tributary Interring Traffic Tributary Interring Traffic Traffic Tributary to Main12-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Spur Configuration 12.4 Spur Configuration Remote terminal sites can be connected to the main network using a spur. In a spur configuration, the multiplexer (MUX) and demultiplexer (DMX) units associated with one of the sides of node R in the main network (Figure 12-19) are moved to the remote terminal site T. This helps to aggregate traffic from the terminal site. The MUX and DMX units in terminal site T are connected to node R with a single fibre couple. Node R is a n-degree ROADM node equipped with 40-SMR1-C, 40-SMR2-C, or 80-WXC-C cards. Traffic from terminal site T can be routed to side A or side B on node R. Amplification on the spur link is not allowed. PSM is not supported on terminal site T. Figure 12-19 Spur 12.4.1 Spur Configuration Scenarios In the following sections, three spur scenarios are provided: 12.4.1.1 Scenario A: Spur Configuration without 15454 Chassis in RemoteTerminal T In Figure 12-20, node R is a two-degree ROADM node equipped with 40-SMR1-C card. The remote terminal site T does not have a 15454 chassis and is not shown in the network map in CTC. The terminal site is built using passive MUX and DMX units. All OCHNC circuits originating from 40-SMR1-C on Side A of node R to the remote terminal site are terminated on 40-SMR1-C ADD/DROP ports. A T B Spur 249089 R H R12-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Spur Configuration Figure 12-20 Scenario A: Spur Without 15454 Chassis in RemoteTerminal T 12.4.1.2 Scenario B: Spur Configuration with Passive MUX and DMX Units in Remote Terminal T In Figure 12-21, node R is a two-degree ROADM node equipped with 40-SMR1-C card. The terminal site T is built with a 15454 chassis equipped with TXP units and passive MUX and DMX units. Terminal site T is connected to node R on the network map in CTC. All OCHNC circuits originating from 40-SMR1-C on Side A of node R to the remote site are terminated on 40-SMR1-C ADD/DROP ports. OCHCC and OCHTRAIL circuits are supported on the TXP units in terminal site T. Figure 12-21 Scenario B: Spur With Passive MUX and DMX Units in Remote Terminal T 249090 40-SMR-1-C T Side A node R Booster DMX MUX 249091 40-SMR-1-C T TXP TXP TXP TXP TXP TXP TXP TXP Side A node R Booster DMX MUX12-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies for the OPT-RAMP-C and OPT-RAMP-CE Cards 12.4.1.3 Scenario C: Spur Configuration with Active MUX and DMX Units in Remote Terminal T In Figure 12-22, node R is a two-degree ROADM node equipped with 40-SMR1-C card. The terminal site T is built with a 15454 chassis equipped with TXP units and active MUX and DMX units. Terminal site T is connected to node R on the network map in CTC. DCN extension is supported between the ADD/DROP ports of 40-SMR1-C and the COM ports of the active MUX and DMX units. OCHNC circuits are terminated on the CHAN ports of the MUX and DMX units of terminal site T. OCHCC and OCHTRAIL circuits are supported on the TXP units in terminal site T. Figure 12-22 Scenario C: Spur with Active MUX and DMX Units in Remote Terminal T 12.5 Network Topologies for the OPT-RAMP-C and OPT-RAMP-CE Cards The OPT-RAMP-C or OPT-RAMP-CE card can be equipped in any of the following network topologies: • Open (hubbed) ring network • Multi-hubbed ring network • Closed (meshed) ring network • Any-to-any ring network • Linear network topology • Point-to-point linear network topology • Multi-ring network • Mesh network • Hybrid network For more information about the OPT-RAMP-C or OPT-RAMP-CE card, see Chapter 4, “Optical Amplifier Cards.”. 249091 40-SMR-1-C T TXP TXP TXP TXP TXP TXP TXP TXP Side A node R Booster DMX MUX12-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Topologies for the PSM Card 12.6 Network Topologies for the PSM Card The PSM card is supported in the following network topologies: • The PSM card in a channel protection configuration is supported in all network topologies except linear networks as it is not possible to configure a working and protect path. • The PSM card in a multiplex section protection configuration is supported in linear point-to-point network topologies. • The PSM card in a line protection configuration is supported in the following network topologies: – Linear point-to-point in a single span network (if the OSC card is used). – Linear point-to-point multispan network when a DCN extension is used (on all spans). In this case, the maximum number of span links can be divided into three according to the DCN extension optical safety requirements. • The PSM card in a standalone configuration is supported in all network topologies. 12.7 Optical Performance This section provides optical performance information for ONS 15454 DWDM networks. The performance data is a general guideline based upon the network topology, node type, client cards, fiber type, number of spans, and number of channels. The maximum number of nodes that can be in an ONS 15454 DWDM network is 16. The DWDM topologies and node types that are supported are shown in Table 12-1. Table 12-1 Supported Topologies and Node Types Number of Channels Fiber Topologies Node Types 32 channels SMF-281 E-LEAF2 TW-RS3 1. SMF-28 = single-mode fiber 28. 2. E-LEAF = enhanced large effective area fiber. 3. TW-RS = TrueWave reduced slope fiber. Ring Linear Linear without OADM Hub Active OADM Passive OADM Terminal Line OSC regeneration 16 channels SMF-28 Ring Linear Linear without OADM Hub Active OADM Passive OADM Terminal Line OSC regeneration 8 channels SMF-28 Linear without OADM Terminal Line12-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Automatic Power Control 12.8 Automatic Power Control The ONS 15454 automatic power control (APC) feature performs the following functions: • Maintains constant per channel power when desired or accidental changes to the number of channels occur. Constant per channel power increases optical network resilience. • Compensates for optical network degradation (aging effects). • Simplifies the installation and upgrade of DWDM optical networks by automatically calculating the amplifier setpoints. Note APC algorithms manage the optical parameters of the OPT-BST, OPT-PRE, OPT-AMP-17-C, 32DMX, 40-DMX-C, 40-DMX-CE, 40-SMR1-C, 40-SMR2-C, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, and 32DMX-L cards. Amplifier software uses a control gain loop with fast transient suppression to keep the channel power constant regardless of any changes in the number of channels. Amplifiers monitor the changes to the input power and change the output power proportionately according to the calculated gain setpoint. The shelf controller software emulates the control output power loop to adjust for fiber degradation. To perform this function, the TCC2/TCC2P/TCC3/TNC/TSC needs to know the channel distribution, which is provided by a signaling protocol, and the expected per channel power, which you can provision. The TCC2/TCC2P/TCC3/TNC/TSC card compares the actual amplifier output power with the expected amplifier output power and modifies the setpoints if any discrepancies occur. 12.8.1 APC at the Amplifier Card Level In constant gain mode, the amplifier power out control loop performs the following input and output power calculations, where G represents the gain and t represents time. Pout (t) = G * Pin (t) (mW) Pout (t) = G + Pin (t) (dB) In a power-equalized optical system, the total input power is proportional to the number of channels. The amplifier software compensates for any variation of the input power due to changes in the number of channels carried by the incoming signal. Amplifier software identifies changes in the read input power in two different instances, t1 and t2, as a change in the traffic being carried. The letters m and n in the following formula represent two different channel numbers. Pin/ch represents the input power per channel. Pin (t1)= nPin/ch Pin (t2) = mPin/ch Amplifier software applies the variation in the input power to the output power with a reaction time that is a fraction of a millisecond. This keeps the power constant on each channel at the output amplifier, even during a channel upgrade or a fiber cut. The per channel power and working mode (gain or power) are set by automatic node setup (ANS). The provisioning is conducted on a per-side basis. A preamplifier or a booster amplifier facing Side i is provisioned using the Side i parameters present in the node database, where i - A, B, C, D, E, F, G, or H. Starting from the expected per channel power, the amplifiers automatically calculate the gain setpoint after the first channel is provisioned. An amplifier gain setpoint is calculated in order to make it equal to the loss of the span preceding the amplifier itself. After the gain is calculated, the setpoint is no longer 12-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Automatic Power Control changed by the amplifier. Amplifier gain is recalculated every time the number of provisioned channels returns to zero. If you need to force a recalculation of the gain, move the number of channels back to zero. 12.8.2 APC at the Shelf Controller Layer Amplifiers are managed through software to control changes in the input power caused by changes in the number of channels. The software adjusts the output total power to maintain a constant per channel power value when the number of input channel changes. Changes in the network characteristics have an impact on the amplifier input power. Changes in the input power are compensated for only by modifying the original calculated gain, because input power changes imply changes in the span loss. As a consequence, the gain to span loss established at amplifier start-up is no longer satisfied, as shown in Figure 12-23. Figure 12-23 Using Amplifier Gain Adjustment to Compensate for System Degradation In Figure 12-23, Node 1 and Node 2 are equipped with booster amplifiers and preamplifiers. The input power received at the preamplifier on Node 2 (Pin2) depends on the total power launched by the booster amplifier on Node1, Pout1(n) (where n is the number of channels), and the effect of the span attenuation (L) between the two nodes. Span loss changes due to aging fiber and components or changes in operating conditions. The power into Node 2 is given by the following formula: Pin2 = LPout1(n) The phase gain of the preamplifier on Node 2 (GPre-2) is set during provisioning in order to compensate for the span loss so that the Node 2 preamplifier output power (Pout-Pre-2) is equal to the original transmitted power, as represented in the following formula: Pout-Pre-2 = L x GPre-2 x Pout1(n) In cases of system degradation, the power received at Node 2 decreases due to the change of span insertion loss (from L to L'). As a consequence of the preamplifier gain control working mode, the Node 2 preamplifier output power (Pout-Pre-2) also decreases. The goal of APC at the shelf controller layer is simply to detect if an amplifier output change is needed because of changes in the number of channels or to other factors. If factors other than changes in the number of channels occur, APC provisions a new gain at the Node 2 preamplifier (GPre-2') to compensate for the new span loss, as shown in the formula: GPre-2' = GPre-2 (L/ L') = GPre-2 + [Pout-Pre-2 –Exp(Pout-Pre-2)] Generalizing on the above relationship, APC is able to compensate for system degradation by adjusting working amplifier gain or variable optical attenuation (VOA) and to eliminate the difference between the power value read by the photodiodes and the expected power value. The expected power values are calculated using: • Provisioned per channel power value • Channel distribution (the number of express, add, and drop channels in the node) • ASE estimation 159501 Node 1 G1 Node 2 G2 P P L out1 P in2 out212-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Automatic Power Control Channel distribution is determined by the sum of the provisioned and failed channels. Information about provisioned wavelengths is sent to APC on the applicable nodes during circuit creation. Information about failed channels is collected through a signaling protocol that monitors alarms on ports in the applicable nodes and distributes that information to all the other nodes in the network. ASE calculations purify the noise from the power level reported from the photodiode. Each amplifier can compensate for its own noise, but cascaded amplifiers cannot compensate for ASE generated by preceding nodes. The ASE effect increases when the number of channels decreases; therefore, a correction factor must be calculated in each amplifier of the ring to compensate for ASE build-up. APC is a network-level feature that is distributed among different nodes. An APC domain is a set of nodes that is controlled by the same instance of APC at the network level. An APC domain optically identifies a portion of the network that can be independently regulated. An optical network can be divided into several different domains, with the following characteristics: • Every domain is terminated by two node sides. The node sides terminating domains are: – Terminal node (any type) – ROADM node – Hub node – Cross-connect (XC) termination mesh node – Line termination mesh node • APC domains are shown in both Cisco Transport Controller (CTC) and Transaction Language One (TL1). • In CTC, domains are shown in the network view and reported as a list of spans. Each span is identified by a node/side pair, for example: APC Domain Node_1 Side A, Node_4 Side B + Span 1: Node_1 Side A, Node_2 Side B + Span 2: Node_2 Side A, Node_3 Side B + Span 3: Node_3 Side A, Node_4 Side B • APC domains are not refreshed automatically; instead, they are refreshed using a Refresh button. Inside a domain, the APC algorithm designates a master node that is responsible for starting APC hourly or every time a new circuit is provisioned or removed. Every time the master node signals APC to start, gain and VOA setpoints are evaluated on all nodes in the network. If corrections are needed in different nodes, they are always performed sequentially following the optical paths starting from the master node. APC corrects the power level only if the variation exceeds the hysteresis thresholds of +/– 0.5 dB. Any power level fluctuation within the threshold range is skipped since it is considered negligible. Because APC is designed to follow slow time events, it skips corrections greater than 3 dB. This is the typical total aging margin that is provisioned during the network design phase. After you provision the first channel or the amplifiers are turned up for the first time, APC does not apply the 3 dB rule. In this case, APC corrects all the power differences to turn up the node. To avoid large power fluctuations, APC adjusts power levels incrementally. The maximum power correction is +/– 0.5 dB. This is applied to each iteration until the optimal power level is reached. For example, a gain deviation of 2 dB is corrected in four steps. Each of the four steps requires a complete APC check on every node in the network. APC can correct up to a maximum of 3 dB on an hourly basis. If degradation occurs over a longer time period, APC compensates for it by using all margins that you provision during installation. If no margin is available, adjustments cannot be made because setpoints exceed the ranges. APC communicates the event to CTC, Cisco Transport Manager (CTM), and TL1 through an APC Fail condition. APC clears the APC fail condition when the setpoints return to the allowed ranges.12-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Automatic Power Control APC can be manually disabled. In addition, APC automatically disables itself when: • An Hardware Fail (HF) alarm is raised by any card in any of the domain nodes. • A Mismatch Equipment Alarm (MEA) is raised by any card in any of the domain nodes. • An Improper Removal (IMPROPRMVL) alarm is raised by any card in any of the domain nodes. • Gain Degrade (GAIN-HDEG), Power Degrade (OPWR-HDEG), and Power Fail (PWR-FAIL) alarms are raised by the output port of any amplifier card in any of the domain nodes. • A VOA degrade or fail alarm is raised by any of the cards in any of the domain nodes. • The signaling protocol detects that one of the APC instances in any of the domain nodes is no longer reachable. The APC state (Enable/Disable) is located on every node and can be retrieved by the CTC or TL1 interface. If an event that disables APC occurs in one of the network nodes, APC is disabled on all the other nodes and the APC state changes to DISABLE - INTERNAL. The disabled state is raised only by the node where the problem occurred to simplify troubleshooting. APC raises the following minor, non-service-affecting alarms at the port level in CTC, TL1, and Simple Network Management Protocol (SNMP): • APC Out of Range—APC cannot assign a new setpoint for a parameter that is allocated to a port because the new setpoint exceeds the parameter range. • APC Correction Skipped—APC skipped a correction to one parameter allocated to a port because the difference between the expected and current values exceeds the +/– 3 dB security range. • APC Disabled—APC is disabled, either by a user or internal action. After the error condition is cleared, the signaling protocol enables APC on the network and the APC DISABLE - INTERNAL condition is cleared. Because APC is required after channel provisioning to compensate for ASE effects, all optical channel network connection (OCHNC) and optical channel client connection (OCHCC) circuits that you provision during the disabled APC state are kept in the Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS) (ANSI) or Unlocked-disabled,automaticInService (ETSI) service state until APC is enabled. OCHNCs and OCHCCs automatically go into the In-Service and Normal (IS-NR) (ANSI) or Unlocked-enabled (ETSI) service state only after APC is enabled. 12.8.3 Managing APC The APC status is indicated by four APC states shown in the node view status area: • Enabled—APC is enabled. • Disabled—APC was disabled manually by a user. • Disable - Internal—APC has been automatically disabled for an internal cause. • Not Applicable—The node is provisioned to Not DWDM, which does not support APC. You can view the APC information and disable and enable APC manually on the Maintenance > DWDM > APC tab. Caution When APC is disabled, aging compensation is not applied and circuits cannot be activated. Do not disable APC unless it is required for specific maintenance or troubleshooting tasks. Always enable APC as soon as the tasks are completed. The APC subtab provides the following information:12-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Power Side Monitoring • Position—The slot number, card, and port for which APC information is shown. • Last Modification—Date and time APC parameter setpoints were last modified. • Parameter—The parameter that APC last modified. • Last Check—Date and time APC parameter setpoints were last verified. • Side—The side where the APC information for the card and port is shown. • State—The APC state. A wrong use of maintenance procedures (for example, the procedures to be applied in case of fiber cut repair) can lead the system to raise the APC Correction Skipped alarm. The APC Correction Skipped alarm strongly limits network management (for example, a new circuit cannot be turned into IS). The Force APC Correction button helps to restore normal conditions by clearing the APC Correction Skipped alarm. The Force APC Correction button must be used under the Cisco TAC surveillance since its misuse can lead to traffic loss. The Force APC Correction button is available in the Card View > Maintenance > APC tab pane in CTC for the following cards: • OPT-PRE • OPT-BST-E • OPT-BST • OPT-AMP-C • OPT-AMP-17C • AD-xB • AD-xC • 40-SMR1-C • 40-SMR2-C This feature is not available for the TL1 interface. 12.9 Power Side Monitoring DWDM nodes allow you to view the side power levels on the Maintenance > DWDM > Side Power Monitoring > Optical Side n tab, where n is A, B, C, D(Figure 12-24). Each existing channel will have an IN and OUT power on each node side in the case of bidirectional circuits. OUT indicates the power on the output port with respect to the side to which it is referred to. It is the last port of the side before the first amplified port in the direction going from the node to the span or the output port of the side itself if there are no amplified ports. IN indicates the power on the input port with respect to the side to which is referred to. It is the first port of the side after the last amplified port in the direction going from the span to the node or the input port of the side itself if there are no amplified ports.12-25 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Span Loss Verification Figure 12-24 ROADM Power Monitoring Subtab 12.10 Span Loss Verification Span loss measurements can be performed from the Maintenance > DWDM > WDM Span Check tab. The CTC span check compares the far-end OSC power with the near-end OSC power. A Span Loss Out of Range condition is raised when the measured span loss is higher than the maximum expected span loss. It is also raised when the measured span loss is lower than the minimum expected span loss and the difference between the minimum and maximum span loss values is greater than 1 dB. The minimum and maximum expected span loss values are calculated by Cisco TransportPlanner for the network and imported into CTC. However, you can manually change the minimum and expected span loss values. CTC span loss measurements provide a quick span loss check and are useful whenever changes to the network occur, for example after you install equipment or repair a broken fiber. CTC span loss measurement resolutions are: • +/– 1.5 dB for measured span losses between 0 and 25 dB • +/– 2.5 dB for measured span losses between 25 and 38 dB For ONS 15454 span loss measurements with higher resolutions, an optical time domain reflectometer (OTDR) must be used. 12-26 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Span Loss Verification Note From Software Release 9.0 onwards, span loss measurement is performed using C-band channels (whenever available), instead of OSC signals. Software Release 9.0 is not interoperable with earlier releases that are only OSC-based. Therefore, span loss measurement cannot be done on a span if the adjacent nodes are running different software releases; for example one node running Software Release 8.0 or an earlier release and the second node running Software Release 9.0 or a later release. 12.10.1 Span Loss Measurements on Raman Links Span loss measurement when Raman amplification is active is less accurate than a standard link as it is based on a mathematical formula that uses the Raman noise and Raman gain. Span loss on a Raman link is measured in the following states: • Automatically during Raman link setup (without Raman amplification) • Automatically during fiber cut restore (without Raman amplification) • Periodically or upon request (with Raman amplification) CTC reports three values in the Maintenance > DWDM > WDM Span Check tab: • Current Span Measure with Raman—Estimated span loss with Raman pump turned ON. • Wizard Span Measure with Raman Off—Span loss with Raman pump turned OFF, during Raman installation. • Last Span Measure with Raman—Span loss after a fiber cut restoration procedure. Measurements are performed automatically on an hourly basis. A Span Loss Out of Range condition is raised under the following conditions: • Span loss is greater than the maximum expected span loss + resolution • Span loss is less than the minimum expected span loss – resolution The minimum and maximum expected span loss values are calculated by Cisco Transport Planner for the network and imported into CTC. However, you can manually change the minimum and maximum expected span loss values. Note During Raman installation using a wizard, the Span Loss Out of Range alarm is not raised when the out of range condition is raised. In such a case, the wizard fails and an error message is displayed, and the span is not tuned. CTC span loss measurements provide a quick span loss check and are useful whenever changes to the network occur, for example after you install equipment or repair a broken fiber. CTC span loss measurement resolutions are: • +/– 1.5 dB for span loss measurements between 0 and 26 dB • +/– 2.0 dB for span loss measurements between 26 and 31 dB • +/– 3.0 dB for span loss measurements between 31 and 34 dB • +/– 4.0 dB for span loss measurements between 34 and 36 dB12-27 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety 12.11 Network Optical Safety If a fiber break occurs on the network, automatic laser shutdown (ALS) automatically shuts down the OSCM and OSC-CSM OSC laser output power and the optical amplifiers contained in the OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, and 40-SMR2-C cards, and the TX VOA in the protect path of the PSM card (in line protection configuration only). (Instead, the PSM active path will use optical safety mechanism implemented by the booster amplifier or OSC-CSM card that are mandatory in the line protection configuration.) The Maintenance > ALS tab in CTC card view provide the following ALS management options for OSCM, OSC-CSM, OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, 40-SMR2-C, and PSM (on the protect path, only in line protection configuration) cards: • Disable—ALS is off. The OSC laser transmitter and optical amplifiers are not automatically shut down when a traffic outage loss of signal (LOS) occurs. • Auto Restart—ALS is on. The OSC laser transmitter and optical amplifiers automatically shut down when traffic outages (LOS) occur. It automatically restarts when the conditions that caused the outage are resolved. Auto Restart is the default ALS provisioning for OSCM, OSC-CSM, OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, 40-SMR2-C, and PSM (on the protect path, only in line protection configuration) cards. • Manual Restart—ALS is on. The OSC laser transmitter and optical amplifiers automatically shut down when traffic outages (LOS) occur. However, the laser must be manually restarted when conditions that caused the outage are resolved. • Manual Restart for Test—Manually restarts the OSC laser transmitter and optical amplifiers for testing. 12.11.1 Automatic Laser Shutdown When ALS is enabled on OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, 40-SMR2-C, PSM (on the protect path, only in line protection configuration), OSCM, OSC-CSM, and TNC cards, a network safety mechanism will occur in the event of a system failure. ALS provisioning is also provided on the transponder (TXP) and muxponder (MXP) cards. However, if a network uses ALS-enabled OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, 40-SMR2-C, PSM (on the protect path, only in line protection configuration), OSCM, and OSC-CSM cards, ALS does not need to be enabled on the TXP cards or MXP cards. ALS is disabled on TXP and MXP cards by default and the network optical safety is not impacted. If TXP and MXP cards are connected directly to each other without passing through a DWDM layer, ALS should be enabled on them. The ALS protocol goes into effect when a fiber is cut, enabling some degree of network point-to-point bidirectional traffic management between the cards. If ALS is disabled on the OPT-BST, OPT-BST-E, OPT-BST-L, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, OPT-RAMP-C, OPT-RAMP-CE, 40-SMR1-C, 40-SMR2-C, PSM (on the protect path, only in line protection configuration), OSCM, and OSC-CSM cards (the DWDM network), ALS can be enabled on the TXP and MXP cards to provide laser management in the event of a fiber break in the network between the cards.12-28 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety 12.11.2 Automatic Power Reduction Automatic power reduction (APR) is controlled by the software and is not user configurable. During amplifier restart after a system failure, the amplifier (OPT-BST, for example) operates in pulse mode and an APR level is activated so that the Hazard Level 1 power limit is not exceeded. This is done to ensure personnel safety. When a system failure occurs (cut fiber or equipment failure, for example) and ALS Auto Restart is enabled, a sequence of events is placed in motion to shut down the amplifier laser power, then automatically restart the amplifier after the system problem is corrected. As soon as a loss of optical payload and OSC is detected at the far end, the far-end amplifier shuts down. The near-end amplifier then shuts down because it detects a loss of payload and the OSC shuts down due to the far-end amplifier shutdown. At this point, the near end attempts to establish communication to the far end using the OSC laser transmitter. To do this, the OSC emits a two-second pulse at very low power (maximum of 0 dBm) and waits for a similar two-second pulse in response from the far-end OSC laser transmitter. If no response is received within 100 seconds, the near end tries again. This process continues until the near end receives a two-second response pulse from the far end, indicating the system failure is corrected and full continuity in the fiber between the two ends exists. After the OSC communication is established, the near-end amplifier is configured by the software to operate in pulse mode at a reduced power level. It emits a nine-second laser pulse with an automatic power reduction to +8 dBm. (For 40-SMR1-C and 40-SMR2-C cards, the pulse is not +8 dBm but it is the per channel power setpoint.) This level assures that Hazard Level 1 is not exceeded, for personnel safety, even though the establishment of successful OSC communication is assurance that any broken fiber is fixed. If the far-end amplifier responds with a nine-second pulse within 100 seconds, both amplifiers are changed from pulse mode at reduced power to normal operating power mode. For a direct connection between TXP or MXP cards, when ALS Auto Restart is enabled and the connections do not pass through a DWDM layer, a similar process takes place. However, because the connections do not go through any amplifier or OSC cards, the TXP or MXP cards attempt to establish communication directly between themselves after a system failure. This is done using a two-second restart pulse, in a manner similar to that previously described between OSCs at the DWDM layer. The power emitted during the pulse is below Hazard Level 1. APR is also implemented on the PSM card (on the protect path, only in line protection configuration). In the PSM line protection configuration, when a system failure occurs on the working path (cut fiber or equipment failure, for example), the ALS and APR mechanisms are implemented by the booster amplifier or the OSC-CSM card. Alternately, when a system failure occurs on the protect path, and ALS Auto Restart is enabled on the PSM card, a sequence of events is placed in motion to shut down the TX VOA on the protect path, and then automatically restart it after the system failure is corrected. During protect path restart, the TX VOA on the protect path operates in pulse mode and limits the power to maximum +8 dBm so that the Hazard Level 1 power limit is not exceeded on protect TX path. When ALS is disabled, the warning Statement 1056 is applicable. Warning Invisible laser radiation may be emitted from the end of the unterminated fiber cable or connector. Do not view directly with optical instruments. Viewing the laser output with certain optical instruments (for example, eye loupes, magnifiers, and microscopes) within a distance of 100 mm may pose an eye hazard. Statement 1056 Note If you must disable ALS, verify that all fibers are installed in a restricted location. Enable ALS immediately after finishing the maintenance or installation process.12-29 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety Note For the line amplifier to start up automatically, disable the ALS on the terminal node that is unidirectional. 12.11.3 Network Optical Safety on OPT-RAMP-C and OPT-RAMP-CE Cards Optical safety on the OPT-RAMP-C and OPT-RAMP-CE cards is implemented in the RAMAN-TX and COM-TX ports. RAMAN-TX will report safety settings associated to the Raman pump while the COM-TX port will report safety settings associated with the embedded EDFA. 12.11.3.1 RAMAN-TX Settings on Raman Pump The Raman pump is automatically turned off as soon as the LOS alarm is detected on the LINE-RX port. The Raman pump is automatically turned on at APR power every 100 secs for a duration of 9 seconds at a pulse power of at 8 dBm, as soon as the LINE-RX port is set to IS-NR/unlocked-enabled. Note Optical safety cannot be disabled on the OPT-RAMP-C and OPT-RAMP-CE cards and cannot be disabled on OSCM cards when connected to a OPT-RAMP-C or OPT-RAMP-CE card. The system periodically verifies if the signal power is present on the LINE-RX port. If signal power is present, the following occurs: • Pulse duration is extended. • Raman pumps are turned on at APR power, if the laser was shut down. The Raman power is then moved to setpoint if power is detected for more than 10 seconds. During Automatic Laser Restart (ALR) the safety is enabled. The laser is automatically shut down if LOS is detected on the receiving fiber. In general Raman pump turns on only when Raman signals are detected. However, the Raman pump can be configured to turn on to full power even when OSC power is detected for more than 9 seconds on OSC-RX port. 12.11.3.2 COM-TX Safety Setting on EDFA EDFA is shutdown automatically under the following conditions: • The Raman pumps shut down. • An LOS-P alarm is detected on the COM-RX port. If EDFA was shut down because of Raman pump shut down, the EDFA restarts by automatically turning on the EDFA lasers as soon as the Raman loop is closed. • Pulse duration: 9 seconds • Pulse power: 8 dB (maximum APR power foreseen by safety regulation) • Exit condition: Received power detected on the DC-RX port at the end of APR pulse. If power is detected on DC-RX (so DCU is connected) EDFA moves to set-point; otherwise, it keeps 9 dB as the output power at restart • EDFA moves to the power set point when power is detected on the DC-RX port. If EDFA was shutdown because of an LOS-P alarm. The EDFA restarts by automatically turning on the EDFA laser as soon as an LOS-P alarm on the COM-RX port is cleared, and the Raman loop is closed.12-30 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety • Pulse duration: 9 seconds • Pulse power: 8 dB (maximum APR power foreseen by safety regulation) • Exit condition: Received power detected on the LINE-RX port at the end of the APR pulse Warning All ONS 15454 users must be properly trained on laser safety hazards in accordance with IEC 60825-2, or ANSI Z136.1. 12.11.4 Fiber Cut Scenarios In the following paragraphs, four ALS scenarios are given: • 12.11.4.1 Scenario 1: Fiber Cut in Nodes Using OPT-BST/OPT-BST-E Cards, page 12-30 • 12.11.4.2 Scenario 2: Fiber Cut in Nodes Using OSC-CSM Cards, page 12-32 • 12.11.4.3 Scenario 3: Fiber Cut in Nodes Using OPT-BST-L Cards, page 12-34 • 12.11.4.4 Scenario 4: Fiber Cut in Nodes Using OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C (OPT-LINE Mode), 40-SMR1-C, or 40-SMR2-C Cards, page 12-35 • 12.11.4.5 Scenario 5: Fiber Cut in Nodes Using DCN Extension, page 12-37 • 12.11.4.6 Scenario 6: Fiber Cut in Nodes Using OPT-RAMP-C or OPT-RAMP-CE Cards, page 12-39 12.11.4.1 Scenario 1: Fiber Cut in Nodes Using OPT-BST/OPT-BST-E Cards Figure 12-25 shows nodes using OPT-BST/OPT-BST-E cards with a fiber cut between them.12-31 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety Figure 12-25 Nodes Using OPT-BST/OPT-BST-E Cards Two photodiodes at Node B monitor the received signal strength for the optical payload and OSC signals. When the fiber is cut, an LOS is detected at both of the photodiodes. The AND function then indicates an overall LOS condition, which causes the OPT-BST/OPT-BST-E transmitter, OPT-PRE transmitter, and OSCM lasers to shut down. This in turn leads to an LOS for both the optical payload and OSC at Node A, which causes Node A to turn off the OSCM, OPT-PRE transmitter, and OPT-BST/OPT-BST-E transmitter lasers. The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-25): 1. Fiber is cut. 2. The Node B power monitoring photodiode detects a Loss of Incoming Payload (LOS-P) on the OPT-BST/OPT-BST-E card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 3. On the OPT-BST/OPT-BST-E card, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 4. The OPT-BST/OPT-BST-E card amplifier is shut down within one second. 5. The OSCM laser is shut down. 6. The OPT-PRE card automatically shuts down due to a loss of incoming optical power. 7. The Node A power monitoring photodiode detects a LOS-O on the OPT-BST/OPT-BST-E card and the OSCM card detects a LOS (OC3) at the SONET layer. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 8. The Node A power monitoring photodiode detects a LOS-P on the OPT-BST/OPT-BST-E card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. OPT-BST/OPT-BST-E OPT-BST/OPT-BST-E P P P OSCM P P OSCM = power monitoring photodiode = logical AND function Node A Side B Node B Side A X 11 1 7 13 10 9 8 12 6 2 3 4 5 2 8 120988 OPT-PRE OPT-PRE12-32 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety 9. On the OPT-BST/OPT-BST-E, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 10. The OPT-BST/OPT-BST-E card amplifier is shut down within one second. 11. The OSCM laser is shut down. 12. The Node A OPT-PRE card automatically shuts down due to a loss of incoming optical power. When the fiber is repaired, either an automatic or manual restart at the Node A OPT-BST/OPT-BST-E transmitter or at the Node B OPT-BST/OPT-BST-E transmitter is required. A system that has been shut down is reactivated through the use of a restart pulse. The pulse is used to signal that the optical path has been restored and transmission can begin. For example, when the far end, Node B, receives a pulse, it signals to the Node B OPT-BST/OPT-BST-E transmitter to begin transmitting an optical signal. The OPT-BST/OPT-BST-E receiver at Node A receives that signal and signals the Node A OPT-BST/OPT-BST-E transmitter to resume transmitting. Note During a laser restart pulse, APR ensures that the laser power does not exceed Class 1 limits. See the “12.11.2 Automatic Power Reduction” section on page 12-28 for more information about APR. 12.11.4.2 Scenario 2: Fiber Cut in Nodes Using OSC-CSM Cards Figure 12-26 shows nodes using OSC-CSM cards with a fiber cut between them.12-33 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety Figure 12-26 Nodes Using OSC-CSM Cards Two photodiodes at the Node B OSC-CSM card monitor the received signal strength for the received optical payload and OSC signals. When the fiber is cut, LOS is detected at both of the photodiodes. The AND function then indicates an overall LOS condition, which causes the Node B OSC laser to shut down and the optical switch to block traffic. This in turn leads to LOS for both the optical payload and OSC signals at Node A, which causes Node A to turn off the OSC laser and the optical switch to block outgoing traffic. The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-26): 1. Fiber is cut. 2. The Node B power monitoring photodiode detects a LOS-P on the OSC-CSM card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 3. On the OSC-CSM, the simultaneous LOS-O and LOS-P detection triggers a change in the position of the optical switch. CTC reports a LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 4. The optical switch blocks outgoing traffic. 5. The OSC laser is shut down. 6. The Node A power monitoring photodiode detects a LOS-O on the OSC-CSM card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 7. The Node A power monitoring photodiode detects a LOS-P on the OSC-CSM card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. OSC-CSM P P P OSC OSC-CSM P P OSC = power monitoring photodiode = logical AND function Node A Side B Node B Side A X 11 1 9 8 7 10 6 2 3 4 5 2 7 12098712-34 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety 8. On the OSC-CSM, the simultaneous LOS-O and LOS-P detection triggers a change in the position of the optical switch. CTC reports a LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 9. The OSC laser is shut down. 10. The optical switch blocks outgoing traffic. When the fiber is repaired, either an automatic or manual restart at the Node A OSC-CSM card OSC or at the Node B OSC-CSM card OSC is required. A system that has been shut down is reactivated through the use of a restart pulse. The pulse indicates the optical path is restored and transmission can begin. For example, when the far-end Node B receives a pulse, it signals to the Node B OSC to begin transmitting its optical signal and for the optical switch to pass incoming traffic. The OSC-CSM at Node A then receives the signal and tells the Node A OSC to resume transmitting and for the optical switch to pass incoming traffic. 12.11.4.3 Scenario 3: Fiber Cut in Nodes Using OPT-BST-L Cards Figure 12-27 shows nodes using OPT-BST-L cards with a fiber cut between them. Figure 12-27 Nodes Using OPT-BST-L Cards Two photodiodes at Node B monitor the received signal strength for the optical payload and OSC signals. When the fiber is cut, an LOS is detected at both of the photodiodes. The AND function then indicates an overall LOS condition, which causes the OPT-BST-L transmitter and OSCM lasers to shut down. This OPT-BST-L OPT-BST-L P P P OSCM P P OSCM = power monitoring photodiode = logical AND function Node A Side B Node B Side A X 11 1 7 13 10 9 8 12 6 2 3 4 5 2 8 145950 OPT-AMP-L OPT-AMP-L12-35 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety in turn leads to an LOS for both the optical payload and the OSC at Node A, which causes Node A to turn off the OSCM OSC transmitter and OPT-BST-L amplifier lasers. The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-27): 1. Fiber is cut. 2. The Node B power monitoring photodiode detects an LOS-P on the OPT-BST-L card. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 3. On the OPT-BST-L card, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 4. The OPT-BST-L card amplifier is shut down within one second. 5. The OSCM laser is shut down. 6. The OPT-AMP-L, OPT-AMP-C, or OPT-AMP-17-C card automatically shuts down due to a loss of incoming optical power. 7. The Node A power monitoring photodiode detects an LOS-O on the OPT-BST-L card and the OSCM card detects an LOS (OC3) at the SONET layer. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 8. The Node A power monitoring photodiode detects an LOS-P on the OPT-BST-L card. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 9. On the OPT-BST-L, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while the LOS-O and LOS-P are demoted. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 10. The OPT-BST-L card amplifier is shut down within one second. 11. The OSCM laser is shut down. 12. The Node A OPT-AMP-L, OPT-AMP-C, or OPT-AMP-17-C card automatically shuts down due to an LOS for the incoming optical power. When the fiber is repaired, either an automatic or manual restart at the Node A OPT-BST-L transmitter or at the Node B OPT-BST-L transmitter is required. A system that has been shut down is reactivated through the use of a restart pulse. The pulse indicates the optical path is restored and transmission can begin. For example, when the far end, Node B, receives a pulse, it signals to the Node B OPT-BST-L transmitter to begin transmitting an optical signal. The OPT-BST-L receiver at Node A receives that signal and signals the Node A OPT-BST-L transmitter to resume transmitting. Note During a laser restart pulse, APR ensures that the laser power does not exceed Class 1 limits. See the “12.11.2 Automatic Power Reduction” section on page 12-28 for more information about APR. 12.11.4.4 Scenario 4: Fiber Cut in Nodes Using OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C (OPT-LINE Mode), 40-SMR1-C, or 40-SMR2-C Cards Figure 12-28 shows nodes using OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C (in OPT-LINE mode), 40-SMR1-C, or 40-SMR2-C cards with a fiber cut between them. 12-36 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety Note A generic reference to the OPT-AMP card refers to the OPT-AMP-L, OPT-AMP-17-C, OPT-AMP-C, 40-SMR1-C, or 40-SMR2-C cards. Figure 12-28 Nodes Using OPT-AMP Cards Two photodiodes at Node B monitor the received signal strength for the optical payload and OSC signals. When the fiber is cut, an LOS is detected at both of the photodiodes. The AND function then indicates an overall LOS condition, which causes the OPT-AMP card amplifier transmitter and OSCM card OSC lasers to shut down. This in turn leads to an LOS for both the optical payload and OSC at Node A, which causes Node A to turn off the OSCM card OSC and OPT-AMP card amplifier lasers. The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-28): 1. Fiber is cut. 2. The Node B power monitoring photodiode detects an LOS-P on the OPT-AMP card. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 3. On the OPT-AMP card, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 4. The OPT-AMP card amplifier is shut down within one second. 5. The OSCM card laser is shut down. OPT-AMP-L OPT-AMP-L P P P OSCM P P OSCM = power monitoring photodiode = logical AND function Node A Side B Node B Side A X 10 1 7 9 8 11 6 2 3 4 5 2 8 14594912-37 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety 6. The Node A power monitoring photodiode detects an LOS-O on the OPT-AMP card and the OSCM card detects an LOS (OC3) at the SONET layer. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 7. The Node A power monitoring photodiode detects an LOS-P on the OPT-AMP card. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 8. On the OPT-AMP card, the simultaneous LOS-O and LOS-P detection triggers a command to shut down the amplifier. CTC reports an LOS alarm (loss of continuity), while LOS-O and LOS-P are demoted. For more information on alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 9. The OPT-AMP card amplifier is shut down within one second. 10. The OSCM card laser is shut down. When the fiber is repaired, either an automatic or manual restart at the Node A OPT-AMP card transmitter or at the Node B OPT-AMP card transmitter is required. A system that has been shut down is reactivated through the use of a restart pulse. The pulse indicates that the optical path is restored and transmission can begin. For example, when the far end, Node B, receives a pulse, it signals to the Node B OPT-AMP card transmitter to begin transmitting an optical signal. The OPT-AMP card receiver at Node A receives that signal and signals the Node A OPT-AMP card transmitter to resume transmitting. Note During a laser restart pulse, APR ensures that the laser power does not exceed Class 1 limits. See the “12.11.2 Automatic Power Reduction” section on page 12-28 for more information about APR. 12.11.4.5 Scenario 5: Fiber Cut in Nodes Using DCN Extension Figure 12-29 shows a fiber cut scenario for nodes that do not have OSC connectivity. In the scenario, references to the OPT-BST cards refers to the OPT-BST, OPT-BST-L, OPT-BST-E, OPT-AMP-L, OPT-AMP-C, OPT-AMP-17-C, 40-SMR1-C, and 40-SMR2-C cards when provisioned in OPT-LINE mode.12-38 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety Figure 12-29 Fiber Cut With DCN Extension Two photodiodes at Node B monitor the received signal strength for the optical payload. When the fiber is cut, an LOS is detected on the channel photodiode while the other one never gets a signal because the OSC is not present. The AND function then indicates an overall LOS condition, which causes the OPT-BST amplifier transmitter to shut down. This in turn leads to a LOS for the optical payload at Node A, which causes Node A to turn off the OPT-BST amplifier lasers. The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-29): 1. Fiber is cut. 2. The Node B power monitoring photodiode detects an LOS on the OPT-BST card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide for LOS troubleshooting procedures. 3. On the OPT-BST card, the LOS detection triggers a command to shut down the amplifier. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide for alarm troubleshooting procedures. 4. The OPT-BST card amplifier is shut down within one second. 5. The Node A power monitoring photodiode detects a LOS on the OPT-BST card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide for alarm troubleshooting procedures. 6. On the OPT-BST, the LOS detection triggers a command to shut down the amplifier. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. 7. The OPT-BST card amplifier is shut down within one second. When the fiber is repaired, a manual restart with 9 sec restart pulse time (MANUAL RESTART) is required at the Node A OPT-BST transmitter and at the Node B OPT-BST transmitter. A system that has been shut down is reactivated through the use of a 9 sec restart pulse. The pulse indicates that the optical path is restored and transmission can begin. P P P = power monitoring photodiode = logical AND function X 7 1 6 5 2 3 4 159799 Node A Side B Node B Side A12-39 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network Optical Safety For example, when the far end, Node B, receives a pulse, it signals to the Node B OPT-BST transmitter to begin transmitting an optical signal. The OPT-BST receiver at Node A receives that signal and signals the Node A OPT-BST transmitter to resume transmitting. Note During a laser restart pulse, APR ensures that the laser power does not exceed Class 1 limits. See the “12.11.2 Automatic Power Reduction” section on page 12-28 for more information about APR. 12.11.4.6 Scenario 6: Fiber Cut in Nodes Using OPT-RAMP-C or OPT-RAMP-CE Cards Figure 12-30 shows a fiber cut scenario for nodes that do not have OSC connectivity. In this scenario, OPT-RAMP-C or OPT-RAMP-CE cards are provisioned in OPT-LINE mode. Figure 12-30 Nodes Using OPT-RAMP-C or OPT-RAMP-CE Cards The following types of photodiodes monitor the received signal strength for the optical payload: • OSC-RX photodiodes • LINE-RX C-band photodiode • Line-TX Raman pump photodiode • COM-RX C-band photodiode The sequence of events after a fiber cut is as follows (refer to the numbered circles in Figure 12-30): 1. Fiber is cut in the direction of Node B to Node A. 2. On Node A, the RAMAN-RX port detects an LOS-R alarm on the OPT-RAMP-C or OPT-RAMP-CE card. Refer to the Cisco ONS 15454 DWDM Troubleshooting Guide for LOS-R troubleshooting procedures. 3. On the OPT-RAMP-C or OPT-RAMP-CE card, the LOS-R alarm triggers a command to shut down the Raman pump on Node A. LINE-TX Raman remnant pump photodiode OSC-RX photodiode LINE-RX C-band photodiode COM-RX C-band photodiode 1 8 4 3 2 272075 Raman pumps Embedded EDFA Node A Node B 7 9 10 11 14 1512-40 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers 4. On Node B, the RAMAN-RX port detects an LOS-R alarm. 5. The LOS-R alarm triggers a command to shut down the Raman pump on Node B. 6. Simultaneously, an LOS alarm is detected on Node B, LINE-RX port. 7. The LOS alarm triggers a command to shut down the embedded EDFA. 8. The LINE-RX port detects a LOS alarm and causes the booster amplifier to shut down. 9. On Node A, the LINE-RX port detects a LOS alarm and triggers a command to shut down the embedded EDFA and then the Booster amplifier. Automatic Laser Restart (ALR) on the Raman pump is detected as soon as the fiber is restored. This turns both the Raman pumps to ON state, on both nodes. When power on the Raman pump is restored, it turns on the embedded EDFA also. The booster amplifiers on both Node A and Node B detects power on LINE-RX port. This restarts the booster amplifier. Once the APR cycle is completed, all the lasers move to full power. Note During a laser restart pulse, APR ensures that the laser power does not exceed Class 1 limits. See the “12.11.2 Automatic Power Reduction” section on page 12-28 for more information about APR. 12.12 Network-Level Gain—Tilt Management of Optical Amplifiers The ability to control and adjust per channel optical power equalization is a principal feature of ONS 15454 DWDM metro core network applications. A critical parameter to assure optical spectrum equalization throughout the DWDM system is the gain flatness of erbium-doped fiber amplifiers (EDFAs). Two items, gain tilt and gain ripple, are factors in the power equalization of optical amplifier cards such as the OPT-BST and OPT-PRE. Figure 12-31 shows a graph of the amplifier output power spectrum and how it is affected by gain tilt and gain ripple.12-41 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers Figure 12-31 Effect of Gain Ripple and Gain Tilt on Amplifier Output Power Gain ripple and gain tilt are defined as follows: • Gain ripple is random and depends on the spectral shape of the amplifier optical components. • Gain tilt is systematic and depends on the gain setpoint (Gstp) of the optical amplifier, which is a mathematical function F(Gstp) that relates to the internal amplifier design. Gain tilt is the only contribution to the power spectrum disequalization that can be compensated at the card level. A VOA internal to the amplifier can be used to compensate for gain tilt. An optical spectrum analyzer (OSA) is used to acquire the output power spectrum of an amplifier. The OSA shows the peak-to-peak difference between the maximum and minimum power levels, and takes into account the contributions of both gain tilt and gain ripple. Note Peak-to-peak power acquisition using an OSA cannot be used to measure the gain tilt, because gain ripple itself is a component of the actual measurement. 12.12.1 Gain Tilt Control at the Card Level The OPT-BST and OPT-PRE amplifier cards have a flat output (gain tilt = 0 dB) for only a specific gain value (Gdesign), based on the internal optical design (see Figure 12-32). -4 -2 0 2 4 1530.3 1560.6 Wavelength [nm] Gain Tilt Amplifier Output Spectrum 1550 Gain Ripple Per-Channel power [dB] 13439312-42 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers Figure 12-32 Flat Gain (Gain Tilt = 0 dB) If the working gain setpoint of the amplifier is different from Gdesign, the output spectrum begins to suffer a gain tilt variation. In order to compensate for the absolute value of the increase of the spectrum tilt, the OPT-BST and OPT-PRE cards automatically adjust the attenuation of the VOA to maintain a flat power profile at the output, as shown in Figure 12-33. Figure 12-33 Effect of VOA Attenuation on Gain Tilt The VOA attenuator automatic regulation guarantees (within limits) a zero tilt condition in the EDFA for a wide range of possible gain setpoint values. -3 -2 0 1 1528 1536 1544 1552 1560 -1 Gdesign VOAatt = 0dB 2 -3 -2 0 1 1528 1536 1544 1552 1560 Wavelength [nm] Gain Tilt = 0 dB -1 Gdesign VOAatt = 0 dB Gain Ripple ~ 2dB 2 134394 Per Channel Power [dB] -6 -4 -2 0 2 4 1528 1536 1544 1552 1560 Wavelength [nm] -6 -4 -2 0 2 4 1528 1536 1544 1552 1560 Wavelength [nm] G < Gdesign VOAatt adjustment VOAat = 0dB VOAatt = Gdesign - G Per Channel Power [dB] 13439512-43 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers Table 12-2 shows the flat output gain range limits for the OPT-BST and OPT-PRE cards, as well as the maximum (worst case) values of gain tilt and gain ripple expected in the specific gain range. If the operating gain value is outside of the range shown in Table 12-2, the EDFA introduces a tilt contribution for which the card itself cannot directly compensate. This condition is managed in different ways, depending the amplifier card type: • OPT-BST—The OPT-BST amplifier is, by design, not allowed to work outside the zero tilt range. Cisco TransportPlanner network designs use the OPT-BST amplifier card only when the gain is less than or equal to 20 dB. • OPT-PRE—Cisco TransportPlanner allows network designs even if the operating gain value is equal to or greater than 21 dB. In this case, a system-level tilt compensation strategy is adopted by the DWDM system. A more detailed explanation is given in 12.12.2 System Level Gain Tilt Control, page 12-43. 12.12.2 System Level Gain Tilt Control System level gain tilt control for OPT-PRE cards is achievable with two main scenarios: • Without an ROADM node • With an ROADM node 12.12.2.1 System Gain Tilt Compensation Without ROADM Nodes When an OPT-PRE card along a specific line direction (Side A-to-Side B or Side B-to-Side A) is working outside the flat output gain range (G > 21 dB), the unregulated tilt is compensated for in spans that are not connected to ROADM nodes by configuring an equal but opposite tilt on one or more of the amplifiers in the downstream direction. The number of downstream amplifiers involved depends on the amount of tilt compensation needed and the gain setpoint of the amplifiers that are involved. See Figure 12-34. Table 12-2 Flat Output Gain Range Limits Amplifier Card Type Flat Output Gain Range Gain Tilt (Maximum) Gain Ripple (Maximum) OPT-BST G < 20 dB 0.5 dB 1.5 dB OPT-PRE G < 21 dB 0.5 dB 1.5 dB12-44 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers Figure 12-34 System Tilt Compensation Without an ROADM Node The proper Tilt Reference value is calculated by Cisco TransportPlanner and inserted in the Installation Parameter List imported during the node turn-up process (see the “Turn Up a Node” chapter in the Cisco ONS 15454 DWDM Procedure Guide). For both OPT-PRE and OPT-BST cards, the provisionable Gain Tilt Reference range is between –3 dB and +3 dB. During the ANS procedure, the Tilt value for the OPT-BST or OPT-PRE card is provisioned by the TCC2/TCC2P/TCC3/TNC/TSC card (see Figure 12-35). The provisioned Tilt Reference Value is reported in the CTC OPT-PRE or OPT-BST card view (in the Provisioning > Opt. Ampli. Line > Parameters > Tilt Reference tab). OPT-BST GOPT-PRE > 21dB Unregulated Tilt SPAN 1= 25 dB SPAN 2= 15 dB OPT-PRE DCU Tilt Reference 0 Provisioned Tilt 134396 =12-45 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Network-Level Gain—Tilt Management of Optical Amplifiers Figure 12-35 Cisco TransportPlanner Installation Parameters 12.12.2.2 System Gain Tilt Compensation With ROADM Nodes When a ROADM node is present in the network, as shown in Figure 12-36, a per channel dynamic gain equalization can be performed. Both gain tilt and gain ripple are completely compensated using the following techniques: • Implementing the per channel VOAs present inside the 32WSS card • Operating in Power Control Mode with the specific power setpoint designed by Cisco TransportPlanner12-46 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Optical Data Rate Derivations Figure 12-36 System Tilt Compensation With an ROADM Node 12.13 Optical Data Rate Derivations This section discusses the derivation of several data rates commonly used in optical networking. 12.13.1 OC-192/STM-64 Data Rate (9.95328 Gbps) The SONET OC-1 rate is 51.84 Mbps. This rate results from a standard SONET frame, which consists of 9 rows of 90 columns of 8-bit bytes (810 bytes total). The transmission rate is 8000 frames per second (125 microseconds per frame). This works out to 51.84 Mbps, as follows: (9) x (90 bytes/frame) x (8 bits/byte) x (8000 frames/sec) = 51.84 Mbps OC-192 is 192 x 51.84 Mbps = 9953.28 Mbps = 9.95328 Gbps STM-64 is an SDH rate that is equivalent to the SONET OC-192 data rate. 12.13.2 10GE Data Rate (10.3125 Gbps) 10.3125 Gbps is the standard 10 Gbps Ethernet LAN rate. The reason the rate is higher than 10.000 Gbps is due to the 64-bit to 66-bit data encoding. The result is 10 Gbps x 66/64 = 10.3125 Gbps. The reason for 64-bit to 66-bit encoding is to ensure that there are adequate data transitions to ensure proper operation of a clock and data recovery circuit at the far end. Additionally, the encoding assures a data stream that is DC balanced. 12.13.3 10G FC Data Rate (10.51875 Gbps) The Fibre Channel rate is based on the OC-192 rate of 9.95328 Gbps, with the addition of 64-bit to 66-bit encoding and WAN Interconnect Sublayer (WIS) overhead bytes. SPAN 1= 25 dB DCU 32 WSS SPAN 2 SPAN3 SPAN4 OPT-BST GOPT-PRE > 21dB Unregulated Tilt SPAN 1= 25 dB OPT-PRE Per-channel Tilt Reference = 0 Power Equalization 32 WSS SPAN 2 SPAN3 SPAN4 13439712-47 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Optical Data Rate Derivations The rate is derived from the basic 9.95328 Gbps OC-192 rate. First, it has the 64-bit to 66-bit encoding added, which brings it to the 10.3125 Gbps rate (10 Gbps x 66/64 = 10.3125 Gbps). Beyond that, the WIS overhead is added, which is an additional two percent on top of the 10.3125 Gbps. This yields: 10.3125 Gbps x .02 = 0.20625 Gbps 10.3125 Gbps + 0.20625 Gbps = 10.51875 Gbps 12.13.4 ITU-T G.709 Optical Data Rates To understand optical networking data rates, an understanding of the ITU-T G.709 frame structure, shown in Figure 12-37, is needed. Figure 12-37 ITU-T G.709 Frame Structure Each of the sub-rows in Figure 12-37 contains 255 bytes. Sixteen are interleaved horizontally (16 x 255 = 4080). This is repeated four times to make up the complete ITU-T G.709 frame. The Reed Solomon (RS) (255,239) designation indicates the forward error correction (FEC) bytes. There are 16 FEC, or parity, bytes. The ITU-T G.709 protocol uses one overhead byte and 238 data bytes to compute 16 parity bytes to form 255 byte blocks—the RS (255,239) algorithm. Interleaving the information provides two key advantages. First, the encoding rate of each stream is reduced relative to the line transmission rate and, second, it reduces the sensitivity to bursts of error. The interleaving combined with the inherent correction strength of the RS (255,239) algorithm enables the correction of transmission bursts of up to 128 consecutive errored bytes. As a result, the ITU-T G.709 contiguous burst error correcting capability is enhanced 16 times above the capacity of the RS(255,239) algorithm by itself. ITU-T G.709 defines the Optical Transport Unit 2 (OTU2) rate as 10.70923 Gbps. ITU-T G.709 defines three line rates: 1. 2,666,057.143 kbps—Optical Transport Unit 1 (OTU1) 159457 Sub Row 3 1 239 240 255 Info Bytes RS (255, 239) Sub Row 2 Info Bytes RS (255, 239) Sub Row 1 Rows: 1 2 3 4 Columns: 1 17 3825 4080 Info Bytes RS (255, 239) Info Bytes Payload FEC12-48 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Even Band Management 2. 10,709,225.316 kbps—Optical Transport Unit 2 (OTU2) 3. 43,018,413.559 kbps—Optical Transport Unit 3 (OTU3) The OTU2 rate is higher than OC-192 because the OTU2 has to carry overhead and FEC bytes in its frame; the bits must be sent faster to carry the payload information at the OC-192 rate. The ITU-T G.709 frame has two parts. Two are similar to a SDH/SONET frame: 1. Overhead area for operation, administration, and maintenance functions 2. Payload area for customer data In addition, the ITU-T G.709 frame also includes FEC bytes. 12.13.4.1 OC-192 Packaged Into OTU2 G.709 Frame Data Rate (10.70923 Gbps) In this case, an OC-192 frame is being transported over a OTU2 G.709 frame, which adds the benefit of FEC. The OC-192 data rate (9.95328 Gbps) must increase in order to transport more bytes (OC-192 plus ITU-T G.709 overhead plus ITU-T G.709 FEC bytes) in the same amount of time. In an OTU2 transmission, 237 of the 255 bytes are OC-192 payload. This means the resultant data rate is: 9.95328 x 255/237 = 10.70923 Gbps 12.13.4.2 10GE Packaged Into OTU2 G.709 Frame Data Rate (Nonstandard 11.0957 Gbps) Encapsulating Ethernet data into an OTU2 G.709 frame is considered nonstandard. The goal is to add the benefit of ITU-T G.709 encapsulation to achieve better burst error performance. However, this means adding overhead and FEC bytes, so more bytes must be transmitted in the same amount of time, so the data rate must increase. The new date rate is: 10.3215 x 255/237 = 11.0957 Gbps 12.13.4.3 10G FC Packaged Into OTU2 G.709 Frame Data Rate (Nonstandard 11.31764 Gbps) Encapsulating Fibre Channel in an OTU2 frame is considered nonstandard. The rate is higher than the 10.51875 rate because OTU2 includes FEC bytes. The bits must run at a faster rate so that the payload is provided at the standard Fibre Channel rate. The rate is: 10.51875 x 255/237 = 11.31764 Gbps 12.14 Even Band Management With the introduction of the following cards, it is now possible to transport 72, 80, 104, or 112 wavelength channels in the same network: • 40-WSS-CE (40-channel Wavelength Selective Switch, C-band, even channels) • 40-DMX-CE (40-channel Demultiplexer, C-band, even channels) By using these new cards along with the 40-WSS-C and 40-DMX-C cards (which handle 40 C-band odd channels), the 32WSS and 32DMX cards (which handle 32 C-band odd channels), and the 32WSS-L and 32DMX-L (which handle 32 L-band odd channels), it is possible to cover 80 C-band channels (40 even and 40 odd channels) and 32 L-band odd channels, for a maximum of 112 channels. The following channel coverage combinations are possible: • 72 C-band channels, using the 32WSS, 32DMX, 40-WSS-CE, and 40-DMX-CE cards12-49 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Even Band Management • 80 C-band channels, using the 40-WSS-C, 40-DMX-C, 40-WSS-CE, and 40-DMX-CE cards • 104 channels (32 L-band odd channels and 72 C-band channels), using the 32WSS-L and 32DMX-L cards as a set to cover 32 L-band odd channels and the 32WSS, 32DMX, 40-WSS-CE, and 40-DMX-CE cards as a set to cover 72 C-band odd and even channels • 112 channels (32 L-band odd channels and 80 C-band even channels), using the 32WSS-L and 32DMX-L cards as a set to cover 32 L-band odd channels and the 40-WSS-C, 40-DMX-C, 40-WSS-CE, and 40-DMX-CE, cards as a set to cover 80 C-band odd and even channels The following node topologies are available for even channel management or odd-plus-even channel management: • Terminal node • Hub node • ROADM node • OSC regeneration and optical line amplification node The external ONS 15216-ID-50 module is a 50 GHz/100GHz optical interleaver/deinterleaver that is required to combine or separate odd and even C-band channels. This module increases capacity by combining two optical data streams into a single, more densely spaced stream. The module can be used in multiplexer mode to combine two 100-GHz optical signal streams into one 50-GHz stream, and in demultiplexer mode to separate the 50-GHz stream into two 100-GHz streams. The ONS 15216-SC-CL module is an external C-band and L-band splitter/combiner module that combines and separates the C-band odd/even channels and the L-band odd channels. An example of a 104-channel C-band plus L-band ROADM node is shown in Figure 12-38 on page 12-50. There are 72 C-band even channels and 32 L-band odd channels. The signal flow from the left side of the diagram to the right side is given in the following steps. The signal flow from the right side to the left is identical. 1. All the C-band and L-band signals enter the ONS 15216-SC-CL. 2. When the signals exit the ONS 15216-SC-CL, the 72 C-band even and odd channel signals are sent to the upper set of blocks and the 32 L-band odd channel signals are sent to the lower set of blocks. 3. The 72 C-band even and odd channel signals pass through a preamplifier, then through an ONS 15261-ID-50 and wavelength selective switch (WSS). Only the channels to be dropped are sent to the demultiplexer (DMX) block. There are two such sets of blocks, one set for the 32 odd C-band channels, and one set for the 40 even C-band channels. 4. The 32 L-band odd channel signals pass through a preamplifier, then through two 32-channel wavelength selective switch (32WSS-L) cards. Only the channels to be dropped are sent to the 32-channel demultiplexer (32DMX-L) card. 5. At the upper set of blocks, the ONS 15261-ID-50 deinterleaves the 32 C-band odd channels from the 40 C-band even channels. The 32 C-band odd channels are routed through the top blocks (two 32WSS cards and one 32DMX card), while the 40 C-band even channels are routed through the lower blocks (two 40-WSS-CE cards and one 40-DMX-CE card). 6. When a signal enters a 32WSS-L or 40-WSS-CE card, it is split. Part of the signal (the channels that are to be dropped) goes to the32 DMX-L card or 40-DMX-CE card so that channels can be dropped for use by the client equipment. The other part of the signal goes to the next 32WSS-L card or 40_DMX-CE card, where the channels can be passed through or blocked, and channels can be added to the stream from the client equipment.12-50 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Even Band Management 7. After the channels leave the last 32WSS-L card or 40-WSS-CE card, the C-band even and odd channels are interleaved back into a single stream by the ONS 15216-ID-50 module, sent through a booster amplifier, and then they enter the ONS 15216-SC-CL module, where they are combined with the L-band signals from the lower set of blocks and sent out onto the optical fiber. Figure 12-38 104-Channel C-Band plus L-Band ROADM Node Interleaver/Deinterleaver (ONS 15216-ID-50) Interleaver/Deinterleaver (ONS 15216-ID-50) C-Band/L-Band Splitter/Combiner (ONS 15216-SC-CL) 40-WSS-CE 40-DMX-CE 1 40 1 40 Add Even Channels Drop Even Channels . . . . . . . . . . . . . . 32WSS 32DMX 1 32 1 32 Add Odd Channels Drop Odd Channels . . . . . . . . . . . . . . 32WSS 32DMX 1 32 . . . . . . . Add Odd Channels 1 32 Drop Odd Channels . . . . . . . 32WSS-L 32DMX-L 1 32 1 32 Add Odd Channels Drop Odd Channels . . . . . . . . . . . . . . 32WSS-L 32DMX-L 1 32 . . . . . . . Add Odd Channels 1 32 Drop Odd Channels . . . . . . . 40-WSS-CE 40-DMX-CE 1 40 . . . . . . . Add Even Channels 1 40 Drop Even Channels . . . . . . . Preamp Preamp Booster Amplifier Preamp Booster Amplifier Booster Amplifier Preamp Booster Amplifier C-Band/L-Band Splitter/Combiner (ONS 15216-SC-CL) C-Band Even and Odd Channels C-Band Even and Odd Channels L-Band Odd Channels L-Band Odd Channels 24063812-51 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Even Band Management An example of a 112-channel C-band plus L-band ROADM node is shown in Figure 12-39. It operates in a similar manner to the 104-channel ROADM node shown in Figure 12-38 on page 12-50, except that there are 40 odd C-band channels instead of 32. Figure 12-39 112-Channel C-Band plus L-Band ROADM Node Interleaver/Deinterleaver (ONS 15216-ID-50) Interleaver/Deinterleaver (ONS 15216-ID-50) C-Band/L-Band Splitter/Combiner (ONS 15216-SC-CL) 40-WSS-CE 40-DMX-CE 1 40 1 40 Add Even Channels Drop Even Channels . . . . . . . . . . . . . . 40-WSS-C 40-DMX-C 1 32 1 40 Add Odd Channels Drop Odd Channels . . . . . . . . . . . . . . 40-WSS-C 40-DMX-C 1 40 . . . . . . . Add Odd Channels 1 40 Drop Odd Channels . . . . . . . 32WSS-L 32DMX-L 1 32 1 32 Add Odd Channels Drop Odd Channels . . . . . . . . . . . . . . 32WSS-L 32DMX-L 1 32 . . . . . . . Add Odd Channels 1 32 Drop Odd Channels . . . . . . . 40-WSS-CE 40-DMX-CE 1 40 . . . . . . . Add Even Channels 1 40 Drop Even Channels . . . . . . . Preamp Preamp Booster Amplifier Preamp Booster Amplifier Booster Amplifier Preamp Booster Amplifier C-Band/L-Band Splitter/Combiner (ONS 15216-SC-CL) C-Band Even and Odd Channels C-Band Even and Odd Channels L-Band Odd Channels L-Band Odd Channels 24063912-52 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 12 Network Reference Wavelength Drifted Channel Automatic Shutdown 12.15 Wavelength Drifted Channel Automatic Shutdown The wavelength drifted channel automatic shutdown feature detects wavelength instability or wavelength drift in the Trunk-TX port of the card connected to an MSTP multiplexer. The channel photodiode or optical channel monitor (OCM) associated with a variable optical attenuator (VOA) is used to detect the power fluctuation. The wavelength drifted channel automatic shutdown feature is supported on 40-SMR1-C, 40-SMR2-C, 80-WXC-C, 40-WXC-C, and 40-WSS-C cards. The 40-WSS and 40-WXC cards do not detect the power fluctuation on their ADD ports because the Add Photodiode is located before the filtering stage. The 40-SMR1-C, 40-SMR2-C, and 80-WXC-C cards have the OCM devices installed on the ADD port. The OCM device detects the wavelength sensitive signal so that an alarm is raised on the ADD port at the source node. The power fluctuation is detected on different ports for each card. Table 12-3 lists the ports on which the power fluctuation is detected: The detection mechanism leverages on the repeated crossing of the embedded OPT-PWR-DEG-LOW threshold value associated to the port. When the card exceeds the OPT-PWR-DEG-LOW threshold value 16 times in 24 hours, the WVL-DRIFT-CHAN-OFF alarm is raised. For more information on severity level of the conditions and procedure to clear the alarms, refer to the Cisco ONS 15454 DWDM Troubleshooting Guide. Note The automatic shutdown of a channel when the WVL-DRIFT-CHAN-OFF is raised will be implemented in later releases. Table 12-3 Detection of Power Fluctuation Card Port Circuit 40-SMR1-C 40-SMR2-C LINE-TX ADD/DROP EXP/PT 80-WXC-C COM-TX ADD/DROP EXP/PT 40-WXC-C COM-TX ADD/DROP EXP/PT 40-WSS-C CHAN-RX ADD/DROP PT PTCHAPTER 13-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 13 Optical Channel Circuits and Virtual Patchcords Reference This chapter explains the Cisco ONS 15454 dense wavelength division multiplexing (DWDM) optical channel (OCH) circuit types and virtual patchcords that can be provisioned on the ONS 15454. Circuit types include the OCH client connection (OCHCC), the OCH trail, and the OCH network connection (OCHNC). Virtual patchcords include internal patchcords and provisionable (external) patchcords (PPCs). This chapter also describes 13.3 End-to-End SVLAN Circuit that can be created between GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards. Note Unless otherwise specified, “ONS 15454" refers to both ANSI and ETSI shelf assemblies. 13.1 Optical Channel Circuits The ONS 15454 DWDM optical circuits provide end-to-end connectivity using three OCH circuit types: • Optical Channel Network Connections (OCHNC) • Optical Channel Client Connections (OCHCC) • Optical Channel Trails (OCH Trails) A graphical representation of OCH circuits is shown in Figure 13-1. Figure 13-1 Optical Channel Circuits R-OADM Transponder Muxponder Transponder R OADM R-OADM Muxponder To client To client R OADM DWDM Network OCH NC OCH Trail OCH CC 33333313-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Optical Channel Circuits 13.1.1 OCHNC Circuits OCHNC circuits establish connectivity between two optical nodes on a specified C-band wavelength. The connection is made through the ports present on the wavelength selective switches, multiplexers, demultiplexer, and add/drop cards. In an OCHNC circuit, the wavelength from a source OCH port ingresses to a DWDM system and then egresses from the DWDM system to the destination OCH port. The source and destination OCH port details are listed in Table 13-1. Note When the 40-SMR1-C or 40-SMR2-C card operates along with the 15216-MD-40-ODD, 15216-EF-40-ODD, or 15216-MD-48-ODD (ONS 15216 40 or 48-channel mux/demux), the OCH ports on the patch panel are the endpoints of the OCHNC circuit. When the 40-SMR1-C or 40-SMR2-C card operates along with the 40-MUX-C and 40-DMX-C cards, the endpoints of the OCHNC circuit are on the MUX/DMX cards. Table 13-1 OCHNC Ports Card Source Ports Destination Ports 32WSS 32WSS-L 40-WSS-C 40-WSS-CE ADD-RX — 32MUX-O 40-MUX-C CHAN-RX — 32DMX-O 32DMX 32DMX-L 40-DMX-C 40-DMX-CE — CHAN-TX 4MD AD-1C-xx.x AD-4C-xx.x CHAN-RX CHAN-TX 40-SMR1-C 40-SMR2-C ADD-RX DROP-TX 15216-MD-40-ODD 15216-MD-40-EVEN CHAN-RX CHAN-TX 15216-EF-40-ODD 15216-EF-40-EVEN CHAN-RX CHAN-TX 15216-MD-48-ODD 15216-MD-48-EVEN CHAN-RX CHAN-TX13-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Optical Channel Circuits 13.1.2 OCHCC Circuits OCHCC circuits extend the OCHNC to create an optical connection from the source client port to the destination client port of the TXP/MXP cards. An OCHCC circuit represents the actual end-to-end client service passing through the DWDM system. Each OCHCC circuit is associated to a pair of client or trunk ports on the transponder (TXP), muxponder (MXP), GE_XP (in layer-1 DWDM mode), 10GE_XP (in layer-1 DWDM mode), or ITU-T line card. The OCHCCs can manage splitter protection as a single protected circuit. However, for the Y-Cable protection, two OCHCC circuits and two protection groups are required. 13.1.3 OCH Trail Circuits OCH trail circuits transport the OCHCCs. The OCH trail circuit creates an optical connection from the source trunk port to the destination trunk port of the Transponder (TXP), Muxponder (MXP), GE_XP, 10GE_XP, or ITU-T line card. The OCH trail represents the common connection between the two cards, over which all the client OCHCC circuits, SVLAN circuits or STS circuits are carried. Once an OCHCC is created, a corresponding OCH Trail is automatically created. If the OCHCC is created between two TXP, MXP, GE_XP, or 10GE_XP cards, two circuits are created in the CTC. These are: One OCHCC (at client port endpoints) One OCH trail (at trunk port endpoints) If the OCHCC is created between two TXPP or two MXPP cards, three circuits are created in the CTC. These are: • One OCHCC (at client port endpoints) • Two OCH Trails (at trunk port endpoints) One for the working and other for the protect trunk. Note On a TXP, MXP, and GE_XP card (in layer 1 DWDM mode), additional OCHCC circuits are created over the same OCH trail. Note On a TXP, MXP, GE_XP (in layer 1 DWDM mode), and 10GE_XP (in layer 1 DWDM mode) card, the OCH trail cannot be created independently, and is created along with the first OCHCC creation on the card. However, on a GE_XP card (in layer-2 DWDM mode), 10GE_XP card (in layer-2 DWDM mode), and ADM_10G card, an OCH trail can be created between the trunk ports for the upper layer circuits (SVLAN in GE_XP/10GE_XP and STS in ADM_10G). No OCHCC is supported in these cases. If the OCHCC is created between two ITU-T line cards, only one trunk port belongs to the OCHCC at each end of the circuit. Table 13-2 lists the ports that can be OCHCC and OCH trail endpoints.13-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Optical Channel Circuits Figure 13-2 shows the relationships and optical flow between the OCHCC, OCH trail, and OCHNC circuits. Figure 13-2 Optical Channel Management Table 13-2 OCHCC and OCH Trail Ports Card OCHCC OCH Trail TXPs MXPs GE_XP 10GE_XP ADM-10G Any client port Any trunk port ITU-T line cards: • OC48/STM64 EH • OC192 SR/STM64 • MRC-12 • MRC-2.5-12 • MRC-2.5G-4 Any trunk port Any trunk port OCHCC Optical Shelf STS/VT Back Panel OCN Line Card TXP/MXP ITU-T Line Card OCN Port Back Panel Trunk Port Trunk Port Client Port 159473 LINE TX LINE RX OCH RX OCH TX OCHNC OCH Trail Optical Shelf LINE TX LINE RX OCH RX OCH TX 13-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Optical Channel Circuits 13.1.4 Administrative and Service States OCHCCs, OCH trails, and OCHNCs occupy three different optical layers. Each OCH circuit has its own administrative and service states. The OCHCCs impose additional restrictions on changes that can be made to client card port administrative state. The OCHCC service state is the sum of the OCHCC service state and the OCH trail service state. When creating an OCHCC circuit, you can specify an initial state for both the OCHCC and the OCH trail layers, including the source and destination port states. The ANSI/ETSI administrative states for the OCHCC circuits and connections are: • IS/Unlocked • IS,AINS/Unlocked,AutomaticInService • OOS,DSBLD/Locked,disabled OCHCC service states and source and destination port states can be changed independently. You can manually modify client card port states in all traffic conditions. Setting an OCHCC circuit to OOS,DSBLD/Locked,disabled state has no effect on OCHCC client card ports. An OCH trail is created automatically when you create an OCHCC. OCH trails can be created independently between OCH-10G cards and GE_XP and 10GE_XP when they are provisioned in Layer 2 Over DWDM mode. The OCH trail ANSI/ETSI administrative states include: • IS/Unlocked • IS,AINS/Unlocked,automaticInService • OOS,DSBLD/Locked,disabled You can modify OCH trail circuit states from the Edit Circuit window. Placing an OCH trail OOS,DSBLD/Locked,disabled causes the following state changes: • The state of the OCH trail ports changes to OOS,DSBLD/Locked,disabled. • The OCHNC state changes to OOS,DSBLD/Locked,disabled. Changing the OCH trail state to IS,AINS/Unlocked,automaticInService causes the following state changes: • The state of the OCH trail trunk ports changes to IS/Unlocked. • The OCHNC state changes to IS,AINS/Unlocked,automaticInService. The OCH trail service state is the sum of the OCHCC trunk port state and the OCHNC (if applicable) state. Changing the client card trunk ports to OOS,DSBLD/Locked,disabled when the OCH trail state IS/Unlocked will cause the OCH trail state to change to OOS,DSBLD/Locked,disabled and its status to change to Partial. The OCHNC circuit states are not linked to the OCHCC circuit states. The administrative states for the OCHNC circuit layer are: • IS,AINS/Unlocked,AutomaticInService • OOS,DSBLD/Locked,disabled When you create an OCHNC, you can set the target OCHNC circuit state to IS/Unlocked or OOS,DSBLD/Locked,disabled. You can create an OCHNC even if OCHNC source and destination ports are OOS,MT/Locked,maintenance. The OCHNC circuit state will remain OOS-AU,AINS/Unlocked-disabled,automaticInService until the port maintenance state is removed. During maintenance or laser shutdown, the following behavior occurs: 13-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Optical Channel Circuits • If OCHNCs or their end ports move into an AINS/AutomaticInService state because of user maintenance activity on an OCHCC circuit (for example, you change an optical transport section (OTS) port to OOS,DSBLD/Locked,disabled), Cisco Transport Controller (CTC) suppresses the loss of service (LOS) alarms on the TXP, MXP, GE_XP, 10GE_XP, or ITU-T line card trunk ports and raises a Trail Signal Fail condition. Line card trunk port alarms are not changed, however. • If TXP client or trunk port are set to OOS,DSBLD/Locked,disabled state (for example, a laser is turned off) and the OCH trunk and OCH filter ports are located in the same node, the OCH filter LOS alarm is demoted by a Trail Signal Fail condition. OCHCCs are associated with the client card end ports. Therefore, the following port parameters cannot be changed when they carry an OCHCC: • Wavelength • Service (or payload type) • Splitter protection • ITU-T G.709 • Forward error correction (FEC) • Mapping Certain OCHCC parameters, such as service type, service size, and OCHNC wavelength can only be modified by deleting and recreating the OCHCC. If the OCHCC has MXP end ports, you can modify services and parameters on client ports that are not allocated to the OCHCC. Some client port parameters, such as Ethernet frame size and distance extension, are not part of an OCHCC so they can be modified if not restricted by the port state. For addition information about administrative and service states, see Appendix B, “Administrative and Service States.” 13.1.5 Creating and Deleting OCHCCs To create an OCHCC, you must know the client port states and their parameters. If the client port state is IS/Unlocked, OCHCC creation will fail if the OTN line parameters (ITU-T G.709, FEC, signal fail bit error rate (SF BER), and signal degrade bit error rate (SD BER) on the OCHCC differ from what is provisioned on the trunk port. The port state must be changed to OOS-DSLB/Locked,disabled in order to complete the OCHCC. If you delete an OCHCC, you can specify the administrative state to apply to the client card ports. For example, you can have the ports placed in OOS,DSBLD/Locked,disabled state after an OCHCC is deleted. If you delete an OCHCC that originates and terminates on MXP cards, the MXP trunk port states can only be changed if the trunk ports do not carry other OCHCCs. 13.1.6 OCHCCs and Service and Communications Channels Although optical service channels (OSCs), generic communications channels (GCCs), and data communications channels (DCCs) are not managed by OCHCCs, the following restrictions must be considered when creating or deleting OCHCCs on ports with service or communication channels: • Creating an OCHCC when the port has a service or a communications channel is present—OCHCC creation will fail if the OCHCC parameters are incompatible with the GCC/DCC/GCC. For example, you cannot disable ITU-T G.709 on the OCHCC if a GCC carried by the port requires the parameter to be enabled. 13-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords • Creating a service or communications channel on ports with OCHCCs—OCHCC creation will fail if the GCC/DCC/GCC parameters are incompatible with the OCHCC. • Deleting an OCHCC on ports with service or communications channels—If an OSC/GCC/DCC is present on a TXP, MXP, GE_XP, 20GE_XP, or ITU-T line card client or trunk port, you cannot set these ports to the OOS,DSBLD/Locked,disabled state after the OCHCC circuit is deleted. 13.2 Virtual Patchcords The TXP, MXP, TXPP, MXPP, GE_XP, 10GE_XP, and ADM-10G client ports and DWDM filter ports can be located in different nodes or in the same single-shelf or multishelf node. ITU-T line card trunk ports and the corresponding DWDM filter ports are usually located in different nodes. OCHCC provisioning requires a virtual patchcord between the client card trunk ports and the DWDM filter ports. Depending on the physical layout, this can be an internal patchcord or a provisionable (external) patchcord (PPC). Both patchcord types are bidirectional. However, each direction is managed as a separate patchcord. Internal patchcords provide virtual links between the two sides of a DWDM shelf, either in single-shelf or multishelf mode. They are viewed and managed in the Provisioning > WDM-ANS > Internal Patchcords tab. When the NE update file is imported in CTC, the Provisioning > WDM-ANS > Internal Patchcord tab is populated with the internal patchcords. When you create an internal patchcord manually, the Internal Patchcord Creation wizard prompts you to choose one of the following internal patchcord types: • Trunk to Trunk (L2)—Creates an internal patchcord between two trunk ports (in NNI mode) of a GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE card provisioned in the L2-over-DWDM mode. • OCH-Trunk to OCH-Filter—Creates an internal patchcord between the trunk port of a TXP, MXP, GE_XP, 10GE_XP, or ITU-T line card, and an OCH filter card (wavelength selective switch, multiplexer, or demultiplexer). • OCH-Filter to OCH-Filter—Creates an internal patchcord between a MUX input port and a DMX output port. • OTS to OTS—Creates an internal patchcord between two OTS ports. • Optical Path—Creates an internal patchcord between two optical cards, or between an optical card and a passive card. Note If a Side-to-Side PPC is created between nodes, it will no longer function if the node Security Mode mode is enabled (see the “DLP-G264 Enable Node Security Mode” task in the Cisco ONS 15454 DWDM Procedure Guide). When the Secure mode is enabled, it is no longer possible for the DCN extension feature to use the LAN interface to extend the internal network (due to the network isolation in this configuration mode). The result is that the topology discovery on the Side-to-Side PPC no longer operates. Table 13-3 shows the internal patchcord Trunk (L2), OCH trunk, OCH filter, and OTS/OCH ports.13-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords Table 13-3 Internal Patchcord Ports Card Trunk (L2) Port OCH Trunk Ports OCH Filter Ports OTS/OCH Ports GE_XP 10GE_XP GE_XPE 10GE_XPE Trunk port in NNI mode Any trunk port — — TXPs MXPs ADM-10G ITU-T line cards — Any trunk port — — OPT-BST OPT-BST-E OPT-BST-L — — — COM-TX COM-RX OSC-TX OSC-RX OPT-AMP-17-C OPT-AMP-L — — — COM-TX COM-RX OSC-TX1 OSC-RX1 DC-TX1 DC-RX1 OPT-PRE — — — COM-TX COM-RX DC-TX DC-RX OSCM OSC-CSM — — — COM-TX COM-RX OSC-TX OSC-RX 32MUX 32MUX-O 40-MUX-C — — Any CHAN RX port COM-TX 32DMX 32DMX-L 32DMX-O 40-DMX-C 40-DMX-CE — — Any CHAN TX port COM-RX13-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords 32WSS 32WSS-L 40-WSS-C 40-WSS-CE — — Any ADD port COM-TX COM-RX EXP-TX EXP-RX DROP-TX 40-WXC-C — — — ADD-RX DROP-TX COM TX COM RX 80-WXC-C — — — EAD i, i=1 to 8 AD COM COM-RX DROP-TX EXP-TX MMU — — — EXP A TX EXP A RX 40-SMR2-C — — — ADD-RX DROP-RX EXP-TX EXPi-RX 40-SMR1-C — — — ADD-RX DROP-RX EXP-TX EXP-RX LINE-RX LINE-TX TDC-CC TDC-FC — — — DC-RX DC-TX XT-40G XM-40G — Any trunk port — — PASSIVE-MD-40-ODD PASSIVE-MD-40-EVEN — — Any CHAN TX port COM-RX COM-TX PASSIVE-MD-ID-50 PASSIVE-15216-ID-50 — — — COM-RX COM-TX Table 13-3 Internal Patchcord Ports (continued) Card Trunk (L2) Port OCH Trunk Ports OCH Filter Ports OTS/OCH Ports13-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords PPCs are created and managed from the network view Provisioning > Provisionable Patchcord (PPC) tab (Figure 13-3), or from the node view (single-shelf mode) or multiself view (multishelf mode) Provisioning > Comm Channel > PPC tab. Figure 13-3 Network View Provisionable Patchcords Tab PPCs are required when the TXP, MXP, GE_XP, 10GE_XP, ADM-10G, or ITU-T line card is installed in a different node than the OCH filter ports. They can also be used to create OTS-to-OTS links between shelves that do not have OSC connectivity. PPCs are routable and can be used to discover network topologies using Open Shortest Path First (OSPF). GCCs and DCCs are not required for PPC creation. When you create a PPC, the PPC Creation wizard asks you to choose one of the following PPC types: PASSIVE-PP-4-SMR PASSIVE-PP-MESH-4 PASSIVE-PP-MESH-8 — — — EXP-RX EXP-TX PASSIVE_DCU — — — DC-RX DC-TX 1. When provisioned in OPT-PRE mode. Table 13-3 Internal Patchcord Ports (continued) Card Trunk (L2) Port OCH Trunk Ports OCH Filter Ports OTS/OCH Ports13-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords • Client/Trunk to Client/Trunk (L2)—Creates a PPC between two client or trunk ports (in NNI mode) on GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards provisioned in the L2-over-DWDM mode. • Client/Trunk to Client/Trunk—Creates a PPC between two client or trunk ports on TXP, MXP, GE_XP, 10GE_XP, ADM_10G, or ITU-T line cards. • Side to Side (OTS)—Creates a PPC between two OTS ports that belong to a Side. This option establishes data communications network (DCN) connectivity between nodes that do not have OSCM or OSC-CSM cards installed and therefore do not have OSC connectivity. CTC selects the OTS ports after you choose the origination and termination sides. • OCH Trunk to OCH Filter—Creates a PPC between a OCH trunk port on a TXP, MXP, GE_XP, 10GE_XP, ADM-10G, or ITU-T line card and an OCH filter port on a multiplexer, demultiplexer, or wavelength selective switch card. Table 13-4 shows the PPC Client/Trunk (L2), Client/Trunk, OTS, and OCH Filter ports. Table 13-4 Provisionable Patchcord Ports Card Client/Trunk (L2) Port Client/Trunk Port OTS Port OCH Filter Port GE_XP 10GE_XP GE_XPE 10GE_XPE Client or trunk port in NNI mode Any trunk port — — TXPs MXPs ADM-10G ITU-T line cards — Any trunk port — — OPT-BST OPT-BST-E OPT-BST-L — — COM RX1 LINE RX LINE TX — OPT-AMP-17-C OPT-AMP-L — — COM RX2 COM TX3 LINE RX3 LINE TX3 — OPT-PRE — — COM RX4 COM TX4 — OSC-CSM — — COM RX1 LINE RX LINE TX — 32MUX 32MUX-O 40-MUX-C — — — Any CHAN RX port13-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference Virtual Patchcords 13.2.1 PPC Provisioning Rules For Client/Trunk to Client/Trunk (L2) PPCs, the following provisioning rules and conditions apply: • The card must be provisioned in the L2-over-DWDM mode. • The client or trunk ports must be in the NNI mode. • PPCs can be created only between NNI ports of the same size (1GE-1GE or 10GE-10GE). For Client/Trunk to Client/Trunk PPCs, the following provisioning rules and conditions apply: • Patchcords can be created on preprovisioned or physically installed cards. • Trunk-to-trunk connections require compatible wavelengths if the port is equipped. A check is automatically performed during patchcord provisioning to ensure wavelength compatibility of ports. 32DMX 32DMX-L 32DMX-O 40-DMX-C 40-DMX-CE — — — Any CHAN TX port 32WSS 32WSS-L 40-WSS-C 40-WSS-CE — — — Any ADD port 40-WXC-C — — COM RX COM TX — 80-WXC-C — — EAD i, i=1 to 8 AD COM COM-RX DROP-TX EXP-TX — 40-SMR1-C 40-SMR2-C — — LINE RX LINE TX — MMU — — EXP A RX EXP A TX — 1. Line nodes only. 2. When card mode is OPT-PRE. 3. When card mode is OPT-LINE. 4. Line nodes with two OPT-PRE cards and no BST cards installed. Table 13-4 Provisionable Patchcord Ports (continued) Card Client/Trunk (L2) Port Client/Trunk Port OTS Port OCH Filter Port13-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference End-to-End SVLAN Circuit • For connections involving one or more preprovisioned ports, no compatibility check is performed. For OCH Trunk to OCH Filter PPCs, the following provisioning rules and conditions apply: • GCC and DCC links are not required to create a PPC. • PPCs can be created for preprovisioned or physically installed cards. • OCH trunk and OCH filter ports must be on the same wavelength. CTC checks the ports for wavelength compatibility automatically during PPC provisioning. • For OC-48/STM-16 and OC-192/STM-64 ITU-T line cards, the wavelength compatibility check is performed only when the cards are installed. The check is not performed for preprovisioned cards. • For all other preprovisioned cards, a wavelength compatibility check is not performed if card is set to first tunable wavelength. The wavelength is automatically provisioned on the port, according to the add/drop port that you chose when you created the PPC. 13.3 End-to-End SVLAN Circuit An end-to-end SVLAN circuit can be created between GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards through a wizard in CTC. SVLAN circuits created this way are only a snapshot of the SVLAN settings (NNI and QinQ) of each card in the network. If an end-to-end SVLAN circuit is created via CTC and the SVLAN settings of the cards are changed manually, CTC does not update the SVLAN circuit created with the new settings. To update the SVLAN circuit in CTC, the circuit must be refreshed. However, any changes made to subtended OCH trail circuits are reflected in the SVLAN circuit in CTC. If an OCH trail becomes incomplete and the current SVLAN circuit snapshot has some SVLAN circuits that are using it, they remain incomplete. If the snapshot contains incomplete SVLAN circuits and an OCH trail circuit becomes available, the incomplete SVLAN circuit snapshot in CTC appears to be complete. When the destination port of the SVLAN circuit facing the router is configured as a NNI client port, the outgoing ethernet packets do not drop the SVLAN tag when they exit the MSTP network allowing the router to determine the origin of the ethernet packet. SVLAN circuits are stateless circuits; an administrative or service state need not be set. Note During SVLAN provisioning, if a SVLAN circuit span using UNI ports in transparent mode is over subscribed, a warning message is displayed. However, the circuit is created. This is supported on channel groups on GE_XP, 10GE_XP, GE_XPE, or 10GE_XPE cards. 13.3.1 End-to-End SVLAN Provisioning Rules The following provisioning rules and conditions apply to end-to-end SVLAN circuits: • GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards must be provisioned in L2-over-DWDM mode. • SVLAN database must be loaded with the SVLAN. • SVLAN circuits are routed through OCH trail circuits or PPC; Client/Trunk to Client/Trunk (L2). Therefore, before creating an SVLAN circuit, make sure that the subtended OCH trail circuits between GE_XP, 10GE_XP, GE_XPE, and 10GE_XPE cards or PPC links are created. • For protected SVLAN circuits, create a ring (through OCH trail circuits), define a master node, and enable the protection role.13-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 13 Optical Channel Circuits and Virtual Patchcords Reference End-to-End SVLAN Circuit For information on how to create end-to-end SVLAN circuit, see the “NTP-G203 Create End to End SVLAN Circuits” procedure in the Cisco ONS 15454 DWDM Procedure Guide.CHAPTER 14-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 14 Cisco Transport Controller Operation This chapter describes operations of the Cisco Transport Controller (CTC), the software interface for Cisco ONS 15454, Cisco ONS 15454 M2, and Cisco ONS 15454 M6 shelf assemblies. For CTC setup and login information, refer to the Cisco ONS 15454 DWDM Procedure Guide. Note Unless otherwise specified, ONS 15454, ONS 15454 M2, and ONS 15454 M6 refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 14.1 CTC Software Delivery Methods, page 14-1 • 14.2 CTC Installation Overview, page 14-2 • 14.3 PC and UNIX Workstation Requirements, page 14-3 • 14.4 ONS 15454 Connections, page 14-5 • 14.5 CTC Window, page 14-8 • 14.6 Using the CTC Launcher Application to Manage Multiple ONS Nodes, page 14-19 • 14.7 TCC2/TCC2P/TCC3/TNC/TSC Card Reset, page 14-22 • 14.8 TCC2/TCC2P/TCC3/TNC/TSC Card Database, page 14-23 • 14.9 Software Revert, page 14-23 14.1 CTC Software Delivery Methods ONS 15454, ONS 15454 M2, and ONS 15454 M6 provisioning and administration is performed using the CTC software. CTC is a Java application that resides on the control cards: TCC2/TCC2P/TCC3/TNC/TSC. CTC is downloaded to your workstation the first time you log into 15454-DWDM, 15454-M2, or 15454-M6 shelf assemblies with a new software release using the web interface. You can also log into CTC using the CTC launcher application (StartCTC.exe). Refer to the “14.6 Using the CTC Launcher Application to Manage Multiple ONS Nodes” section on page 14-19 for more information.14-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Installation Overview 14.1.1 CTC Software Installed on the TCC2/TCC2P/TCC3/TNC/TSC Card The CTC software is preloaded on the TCC2/TCC2P/TCC3/TNC/TSC cards; therefore, you do not need to install software on these cards. When a new CTC software version is released, use the release-specific software upgrade document to upgrade the ONS 15454, 15454-M2, or 15454-M6 software on the TCC2/TCC2P/TCC3/TNC/TSC cards. When you upgrade the CTC software, the control cards store the new CTC version as the protect CTC version. When you activate the new CTC software, the control cards store the older CTC version as the protect CTC version, and the newer CTC release becomes the working version. You can view the software versions that are installed on an ONS 15454, 15454-M2, or 15454-M6 shelf assemblies by selecting the Maintenance > Software tabs in node view (single-shelf mode) or multishelf view (multishelf mode). Select the Maintenance > Software tabs in network view to display the software versions installed on all the network nodes. 14.1.2 CTC Software Installed on the PC or UNIX Workstation CTC software is downloaded from the TCC2/TCC2P/TCC3/TNC/TSC cards and installed on your computer automatically after you connect to the ONS 15454, 15454-M2, or 15454-M6 with a new software release for the first time. Downloading the CTC software files automatically ensures that your computer is running the same CTC software version as the TCC2/TCC2P/TCC3/TNC/TSC cards you are accessing. The CTC files are stored in the temporary directory designated by your computer operating system. Click the Delete CTC Cache button to remove files stored in the temporary directory. If the files are deleted, they download the next time you connect to ONS 15454, 15454-M2, or 15454-M6. Downloading the Java archive (JAR) files for CTC takes several minutes depending on the bandwidth of the connection between your workstation and ONS 15454, 15454-M2, or 15454-M6. For example, JAR files downloaded from a modem or a data communications channel (DCC) network link require more time than JAR files downloaded over a LAN connection. During network topology discovery, CTC polls each node in the network to determine which one contains the most recent version of the CTC software. If CTC discovers a node in the network that has a more recent version of the CTC software than the version you are currently running, CTC generates a message stating that a later version of the CTC has been found in the network and offers to install the CTC software upgrade. After the node view appears, you can upgrade CTC by using the Tools > Update CTC menu option. If you have network discovery disabled, CTC will not seek more recent versions of the software. Unreachable nodes are not included in the upgrade discovery. Note Upgrading the CTC software will overwrite your existing software. You must restart CTC after the upgrade is complete. 14.2 CTC Installation Overview To connect to ONS 15454, 15454-M2, or 15454-M6 using CTC, you enter the IP address in the URL field of Microsoft Internet Explorer. After connecting to ONS 15454, 15454-M2, or 15454-M6, the following occurs automatically: 1. A CTC launcher applet is downloaded from the TCC2/TCC2P/TCC3/TNC/TSC card to your computer.14-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation PC and UNIX Workstation Requirements 2. The launcher determines whether your computer has a CTC release matching the release on the TCC2/TCC2P/TCC3/TNC/TSC card. 3. If the computer does not have CTC installed, or if the installed release is older than the TCC2/TCC2P/TCC3/TNC/TSC card’s version, the launcher downloads the CTC program files from the TCC2/TCC2P/TCC3/TNC/TSC card. 4. The launcher starts CTC. The CTC session is separate from the web browser session, so the web browser is no longer needed. Always log into nodes having the latest software release. If you log into an ONS 15454, 15454-M2, or 15454-M6 that is connected with older versions of CTC, or to Cisco ONS 15327s or Cisco ONS 15600s, CTC files are downloaded automatically to enable you to interact with those nodes. The CTC file download occurs only when necessary, such as during your first login. You cannot interact with nodes on the network that have a software version later than the node that you used to launch CTC. Each ONS 15454, 15454-M2, or 15454-M6 can handle up to five concurrent CTC sessions. CTC performance can vary, depending upon the volume of activity in each session, network bandwidth, and TCC2/TCC2P/TCC3/TNC/TSC card load. Note You can also use TL1 commands to communicate with ONS 15454, 15454-M2, or 15454-M6 through VT100 terminals and VT100 emulation software, or you can telnet to ONS 15454, 15454-M2, or 15454-M6 using TL1 ports 2361 and 3083. Refer to the Cisco ONS SONET TL1 Command Guide or Cisco ONS 15454 SDH and Cisco ONS 15600 SDH TL1 Command Guide for a comprehensive list of TL1 commands. 14.3 PC and UNIX Workstation Requirements To use CTC for ONS 15454, 15454-M2, or 15454-M6, your computer must have a web browser with the correct Java Runtime Environment (JRE) installed. The correct JRE for each CTC software release is included on the ONS 15454, 15454-M2, or 15454-M6 software CD. If you are running multiple CTC software releases on a network, the JRE installed on the computer must be compatible with the different software releases. When you change the JRE version on the JRE tab, you must exit and restart CTC for the new JRE version to take effect. Table 14-1 shows JRE compatibility with ONS 15454 software releases. Table 14-1 JRE Compatibility ONS Software Release JRE 1.2.2 Compatible JRE 1.3 Compatible JRE 1.4 Compatible JRE 5.0 Compatible JRE 1.6 Compatible ONS 15454 Release 4.5 No Yes No No No ONS 15454 Release 4.6 No Yes Yes No No ONS 15454 Release 4.7 No No Yes No No ONS 15454 Release 5.0 No No Yes No No ONS 15454 Release 6.0 No No Yes No No ONS 15454 Release 7.0 No No Yes Yes No ONS 15454 Release 7.2 No No Yes Yes No ONS 15454 Release 8.0 No No No Yes No ONS 15454 Release 8.5 No No No Yes No14-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation PC and UNIX Workstation Requirements Note To avoid network performance issues, Cisco recommends managing a maximum of 50 nodes concurrently with CTC. The 50 nodes can be on a single DCC or split across multiple DCCs. Cisco does not recommend running multiple CTC sessions when managing two or more large networks. To manage more than 50 nodes, Cisco recommends using Cisco Transport Manager (CTM). If you do use CTC to manage more than 50 nodes, you can improve performance by adjusting the heap size; see the “General Troubleshooting” chapter of the Cisco ONS 15454 DWDM Troubleshooting Guide. You can also create login node groups; see the “Connect the PC and Log Into the GUI” chapter of the Cisco ONS 15454 DWDM Procedure Guide. Table 14-2 lists the requirements for PCs and UNIX workstations. In addition to the JRE, the Java plug-in is also included on the ONS 15454 software CD. ONS 15454 Release 9.0 No No No Yes No ONS 15454 Release 9.1 No No No Yes No ONS 15454 Release 9.2 No No No No Yes Table 14-1 JRE Compatibility (continued) ONS Software Release JRE 1.2.2 Compatible JRE 1.3 Compatible JRE 1.4 Compatible JRE 5.0 Compatible JRE 1.6 Compatible Table 14-2 Computer Requirements for CTC Area Requirements Notes Processor (PC only) Pentium 4 processor or equivalent A faster CPU is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits. RAM 1 GB RAM or more A minimum of 1 GB is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits. Hard drive 20 GB hard drive with 250 MB of free space required CTC application files are downloaded from the TCC2/TCC2P/TCC3/TNC/TSC to your computer. These files occupy around 100MB (250MB to be safer) or more space depending on the number of versions in the network.14-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation ONS 15454 Connections 14.4 ONS 15454 Connections You can connect to the ONS 15454, 15454-M2, or 15454-M6 shelf assemblies in multiple ways. Operating System • PC: Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 • Workstation: Solaris Version 9 or 10 on an UltraSPARC-III or faster processor, with a minimum of 1 GB RAM and 250 MB of available hard drive space • Apple Mac OS X. CTC needs to be installed using the CacheInstaller available on the CCO or the ONS CD Use the latest Patch/Service Pack released by the OS vendor. Check with the vendor for the information about the latest Patch/Service Pack. Java Runtime Environment JRE 1.6 JRE 1.6 is installed by the CTC Installation Wizard included on the ONS 15454, 15454-M2, or 15454-M6 software CD. JRE 1.6 provides enhancements to the CTC’s performance, especially for large networks with numerous circuits. We recommend that you use JRE 1.6 for networks with Software R9.2 nodes. If CTC must be launched directly from nodes running software R7.0 or R7.2, we recommend JRE 1.4.2 or JRE 5.0. If CTC must be launched directly from nodes running software R5.0 or R6.0, we recommend JRE 1.4.2. If CTC must be launched directly from nodes running software earlier than R5.0, we recommend JRE 1.3.1_02. Web browser • PC: Internet Explorer 6.x, 7.x, 8.x • UNIX Workstation: Mozilla 1.7 • MacOS-X PC: Safari For the PC, use JRE 1.6 with any supported web browser. The supported browser can be downloaded from the Web. Cable User-supplied CAT-5 straight-through cable with RJ-45 connectors on each end to connect the computer to ONS 15454, 15454-M2, or 15454-M6 directly or through a LAN. User-supplied cross-over CAT-5 cable to the DCN port on the ONS 15454 patch panel or to the Catalyst 2950 (multishelf mode). — Table 14-2 Computer Requirements for CTC (continued) Area Requirements Notes14-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation ONS 15454 Connections (ONS 15454) You can connect your PC directly to the ONS 15454 shelf using the RJ-45(LAN) port on the faceplate of TCC2/TCC2P/TCC3 card or using the backplane RJ-45 LAN port. (ONS 15454 M6) You can connect your PC directly to the ONS 15454 M6 shelf using the RJ-45(LAN) port on the faceplate of TNC/TSC card or using the EMS RJ-45 port or using the RJ-45 Craft port. The EMS RJ-45 port and RJ-45 Craft port are present on the external connection unit (ECU). (ONS 15454 M2) You can connect your PC directly to the ONS 15454 M2 shelf using the RJ-45(LAN) port on the faceplate of TNC/TSC card or using the EMS RJ-45 port on the power module. For the ANSI shelf, you can connect using the LAN pins on the backplane (the ETSI shelf provides a LAN connection through the RJ-45 jack on the MIC-T/C/P Front Mount Electrical Connection [FMEC]). Alternatively, you can connect your PC to a hub or switch that is connected to the ONS 15454, connect to the ONS 15454 through a LAN or modem, or establish TL1 connections from a PC or TL1 terminal. Table 14-3 lists the connection methods and requirements for ONS 15454, 15454-M2, or 15454-M6 shelves. Note The TNC/TSC card supports multi-shelf connections through three FE RJ45 connections on the ECU. The TNC card supports one GE connection for CRS-1 router through the SFP port on the card. This SFP port can act as a secondary OSC supporting only FE and GE interfaces. The TNC/TSC card in ONS 15454 M6 shelf can connect to CTC through the EMS RJ-45 port or Craft port on the ECU. The TNC/TSC card in ONS 15454 M2 shelf can connect to CTC through the EMS RJ-45 port on the power module.14-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation ONS 15454 Connections Table 14-3 Connection Methods for ONS 15454, ONS 15454 M2, and ONS 15454 M6 Method Description Requirements Local craft Refers to onsite network connections between the CTC computer and the ONS 15454, 15454-M2, or 15454-M6 using one of the following: • The RJ-45 (LAN) port on the TCC2/TCC2P/TCC3/TNC/TSC card • The RJ-45 (LAN) port on the patch panel (multishelf mode) • Port 23 or 24 of the Catalyst 3560-V2-24TS-SD and 2950 (multishelf mode) • The LAN pins on the 15454-DWDM backplane (ANSI) • The RJ-45 jack on the MIC-T/C/P FMEC (ETSI) • (ONS 15454 M6) EMS RJ-45 port on the ECU • (ONS 15454 M6) RJ-45 Craft port on the ECU • (ONS 15454 M2) EMS RJ-45 port on the power module • A hub or switch to which the ONS 15454 is connected If you do not use Dynamic Host Configuration Protocol (DHCP), you must change the computer IP address, subnet mask, and default router, or use automatic host detection. Corporate LAN Refers to a connection to the ONS 15454, 15454-M2, or 15454-M6 through a corporate or network operations center (NOC) LAN. • The ONS 15454, 15454-M2, or 15454-M6 must be provisioned for LAN connectivity, including IP address, subnet mask, and default gateway. • The ONS 15454, 15454-M2, or 15454-M6 must be physically connected to the corporate LAN. • The CTC computer must be connected to the corporate LAN that has connectivity to ONS 15454, 15454-M2, or 15454-M6.14-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window 14.5 CTC Window When you log into a single-shelf ONS 15454, 15454-M2, or 15454-M6, the CTC window appears in node view (Figure 14-1). When you log into a multishelf ONS 15454 or 15454-M6, meaning that two or more ONS 15454 or 15454-M6 shelves are configured to operate as one node, the multishelf view (Figure 14-2) appears in the CTC window. The window includes a menu bar, a toolbar, and a top and bottom pane. The top pane provides status information about the selected objects and a graphic of the current view. The bottom pane provides tabs and subtabs to view ONS 15454 information and perform ONS 15454 provisioning and maintenance tasks. From the CTC window, you can display the other ONS 15454 views. In single-shelf mode, these are the network, node, and card views. In multishelf mode, these are the network, multishelf, shelf, and card views. TL1 Refers to a connection to the ONS 15454, 15454-M2, or 15454-M6 using TL1 rather than CTC. TL1 sessions can be started from CTC, or you can use a TL1 terminal. The physical connection can be a craft connection, corporate LAN, or a TL1 terminal. Refer to the Cisco ONS SONET TL1 Reference Guide or the Cisco ONS 15454 SDH and Cisco ONS 15600 SDH TL1 Reference Guide. Remote Refers to a connection made to the ONS 15454, 15454-M2, or 15454-M6 using a modem. • A modem must be connected to the ONS 15454, 15454-M2, or 15454-M6. • The modem must be provisioned for the ONS 15454, 15454-M2, or 15454-M6. To run CTC, the modem must be provisioned for Ethernet access. Table 14-3 Connection Methods for ONS 15454, ONS 15454 M2, and ONS 15454 M6 Method Description Requirements14-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window Figure 14-1 Node View (Default Login View for Single-Shelf Mode) 249384 Menu bar Tool bar Status area Graphic area Status bar Sub tabs Tabs Top pane Bottom pane14-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window Figure 14-2 Multishelf View (Default Login View for Multishelf Mode) 14.5.1 Summary Pane The Summary pane on the left has the following fields: • Node Addr—IP address of the node. • Booted—The Booted field indicates one of the following: – Date and time of the node reboot. The node reboot is caused by complete power cycle, software upgrade, or software downgrade. – Date and time of reset of the control cards one after the other. • User—Login user name. • Authority—Security level of users. The possible security levels are Retrieve, Maintanence, Provisioning, and Superuser. • SW Version—CTC software version. • Defaults—Name provided to identify the defaults list.14-11 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window 14.5.2 Node View (Multishelf Mode), Node View (Single-Shelf Mode), and Shelf View (Multishelf Mode) Node view, shown in Figure 14-1, is the first view that appears after you log into a single-shelf ONS 15454. Multishelf view, shown in Figure 14-2, is the first view that appears after you log into a multishelf ONS 15454. The login node is the first node shown, and it is the “home view” for the session. Multishelf view and node view allow you to manage one ONS 15454 node. The status area shows the node name; IP address; session boot date and time; number of Critical (CR), Major (MJ), and Minor (MN) alarms; name and security level of the current logged-in user; software version; and network element default setup. (On ONS 15454 and 15454-M6) In a multishelf mode, up to 30 shelves operate as a single node. Note The reason for extending the number of subtending shelves to 30 is to accommodate and manage the new optical and DWDM cards that operate in the even band frequency grid. When you open a shelf from multishelf view, shelf view appears, which looks similar to node view but does not contain the tabs and subtabs that are used for node-level operations. 14.5.2.1 CTC Card Colors The graphic area of the CTC window depicts the ONS 15454 shelf assembly. The colors of the cards in the graphic reflect the real-time status of the physical card and slot (Table 14-4). On the ONS 15454 ETSI, the colors of the FMEC cards reflect the real-time status of the physical FMEC cards. Table 14-5 lists the FMEC card colors. The FMEC ports shown in CTC do not change color. Note You cannot preprovision FMECs. Table 14-4 Multishelf View (Multishelf Mode), Node View (Single-Shelf Mode), and Shelf View (Multishelf Mode) Card Colors Card Color Status Gray Slot is not provisioned; no card is installed. Violet Slot is provisioned; no card is installed. White Slot is provisioned; a functioning card is installed. Yellow Slot is provisioned; a Minor alarm condition exists. Orange Slot is provisioned; a Major alarm condition exists. Red Slot is provisioned; a Critical alarm exists.14-12 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window The wording on a card in node view (single-shelf mode) or shelf view (multishelf mode) shows the status of a card (Active, Standby, Loading, or Not Provisioned). Table 14-6 lists the card statuses. Port color in card view, node view (single-shelf mode), and shelf view (multishelf mode) indicates the port service state. Table 14-7 lists the port colors and their service states. For more information about port service states, see Appendix B, “Administrative and Service States.” Table 14-5 Multishelf View (Multishelf Mode) and Node View (Single-Shelf Mode) FMEC Color Upper Shelf FMEC Color Status White Functioning card is installed. Yellow Minor alarm condition exists. Orange (Amber) Major alarm condition exists. Red Critical alarm exists. Table 14-6 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Statuses Card Status Description Act Card is active. Sty Card is in standby mode. Ldg Card is resetting. NP Card is not present. Table 14-7 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Port Colors and Service States Port Color Service State Description Cyan (blue) Out-of-Service and Management, Loopback (OOS-MA,LPBK) (ANSI) Locked-enabled,loopback (ETSI) Port is in a loopback state. On the card in node or shelf view, a line between ports indicates that the port is in terminal or facility loopback (see Figure 14-3 and Figure 14-4). Traffic is carried and alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. Cyan (blue) Out-of-Service and Management, Maintenance (OOS-MA,MT) (ANSI) Locked-enabled,maintenance (ETSI) Port is out-of-service for maintenance. Traffic is carried and loopbacks are allowed. Alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. Use this service state for testing or to suppress alarms temporarily. Change the state to IS-NR/Unlocked-enabled; OOS-MA,DSBLD/Locked-enabled,disabled; or OOS-AU,AINS/Unlocked-disabled,automaticInService when testing is complete.14-13 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window Figure 14-3 Terminal Loopback Indicator Figure 14-4 Facility Loopback Indicator 14.5.2.2 Multishelf View Card Shortcuts If you move your mouse over cards in the multishelf view graphic, popups display additional information about the card including the card type; the card status (active or standby); the type of alarm, such as Critical, Major, or Minor (if any); the alarm profile used by the card; and for transponder (TXP) or muxponder (MXP) cards, the wavelength of the dense wavelength division multiplexing (DWDM) port. 14.5.2.3 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Shortcuts If you move your mouse over cards in the node view (single-shelf mode) or shelf view (multishelf mode) graphic, popups display additional information about the card including the card type; the card status (active or standby); the type of alarm, such as Critical, Major, or Minor (if any); the alarm profile used by the card; and for TXP or MXP cards, the wavelength of the DWDM port. Right-click a card to reveal a shortcut menu, which you can use to open, reset, delete, or change a card. Right-click a slot to preprovision a card (that is, provision a slot before installing the card). Gray Out-of-Service and Management, Disabled (OOS-MA,DSBLD) (ANSI) Locked-enabled,disabled (ETSI) The port is out-of-service and unable to carry traffic. Loopbacks are not allowed in this service state. Green In-Service and Normal (IS-NR) (ANSI) Unlocked-enabled (ETSI) The port is fully operational and performing as provisioned. The port transmits a signal and displays alarms; loopbacks are not allowed. Violet Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS) (ANSI) Unlocked-disabled,automaticInService (ETSI) The port is out-of-service, but traffic is carried. Alarm reporting is suppressed. The node monitors the ports for an error-free signal. After an error-free signal is detected, the port stays in this service state for the duration of the soak period. After the soak period ends, the port service state changes to IS-NR/Unlocked-enabled. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. The AINS port will automatically transition to IS-NR/Unlocked-enabled when a signal is received for the length of time provisioned in the soak field. Table 14-7 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Card Port Colors and Service States Port Color Service State Description14-14 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window 14.5.2.4 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Port Shortcuts If you move your mouse over the ports in the node view (single-shelf mode) or shelf view (multishelf mode), the popup message displays information about the port type, service state, and the alarm profile used by the port. For example, the popup message displays "((EXP-RX-1-4) Service State: IS-NR, Alarm Profile: Inherited)". 14.5.2.5 Card View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Port Shortcuts If you right-click the ports in the card view (single-shelf mode or multishelf mode), the popup message displays the side information along with shelf, slot, and port information. For example, the popup message displays "Shelf 1, Slot 3 (40 SMR2 C), Port EXP-TX 1-1, Side C". 14.5.2.6 Multishelf View Tabs Table 14-8 lists the tabs and subtabs available in the multishelf view. The actions on these tabs apply to the multishelf node and its subtending shelves. 14.5.2.7 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Tabs Table 14-9 lists the tabs and subtabs available in node view (single-shelf mode) or shelf view (multishelf mode). Table 14-8 Multishelf View Tabs and Subtabs Tab Description Subtabs Alarms Lists current alarms (CR, MJ, MN) for the multishelf node and updates them in real time. — Conditions Displays a list of standing conditions on the multishelf node. — History Provides a history of multishelf node alarms including the date, type, and severity of each alarm. The Session subtab displays alarms and events for the current session. The Node subtab displays alarms and events retrieved from a fixed-size log on the node. Session, Node Circuits Creates, deletes, edits, and maps circuits. Circuits, Rolls Provisioning Provisions the ONS 15454 multishelf node. General, Network, OSI, Security, SNMP, Comm Channels, Alarm Profiles, Defaults, WDM-ANS Inventory Provides inventory information (part number, serial number, and Common Language Equipment Identification [CLEI] codes) for cards installed on all shelves in the multishelf node. Allows you to delete and reset cards and change the card service state. — Maintenance Performs maintenance tasks for the multishelf node. Database, Network, OSI, Software, Diagnostic, Audit, DWDM14-15 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window 14.5.3 Network View Network view allows you to view and manage ONS 15454, 15454-M2, or 15454-M6 that have DCC connections to the node that you logged into and any login node groups you have selected (Figure 14-5). Table 14-9 Node View (Single-Shelf Mode) or Shelf View (Multishelf Mode) Tabs and Subtabs Tab Description Subtabs Alarms Lists current alarms (CR, MJ, MN) for the node or shelf and updates them in real time. — Conditions Displays a list of standing conditions on the node or shelf. — History Provides a history of node or shelf alarms including the date, type, and severity of each alarm. The Session subtab displays alarms and events for the current session. The Node subtab displays alarms and events retrieved from a fixed-size log on the node. Session, Node Circuits Creates, deletes, edits, and maps circuits. Circuits, Rolls Provisioning Provisions the ONS 15454 single-shelf or multishelf node. Single-shelf mode: General, Network, OSI, Security, SNMP, Comm Channels, Alarm Profiles, Defaults, WDM-ANS Multishelf mode: General, Protection, Timing, Alarm Profiles Inventory Provides inventory information (part number, serial number, and CLEI codes) for cards installed in the single-shelf or multishelf node. Allows you to delete and reset cards and change the card service state. Note Each card has bootstrap and boot code. After the card is upgraded using the boot code upgrade procedure, the bootstrap version is displayed in the Inventory tab in CTC; However, the boot code version is not displayed in the Inventory tab. — Maintenance Performs maintenance tasks for the single-shelf or multishelf node. Single-shelf mode: Database, Network, OSI, Software, Diagnostic, Audit, DWDM Multishelf mode: Protection, Overhead XConnect, Diagnostic, Timing14-16 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window Figure 14-5 Network in CTC Network View Note Nodes with DCC connections to the login node do not appear if you checked the Disable Network Discovery check box in the Login dialog box. The graphic area displays a background image with colored ONS 15454 icons. A Superuser can set up the logical network view feature, which enables each user to see the same network view. 14.5.3.1 Network View Tabs Table 14-10 lists the tabs and subtabs available in network view. 96939 Bold letters indicate login node, asterisk indicates topology host Icon color indicates node status Dots indicate selected node Table 14-10 Network View Tabs and Subtabs Tab Description Subtabs Alarms Lists current alarms (CR, MJ, MN) for the network and updates them in real time. — Conditions Displays a list of standing conditions on the network. — History Provides a history of network alarms including date, type, and severity of each alarm. — Circuits Creates, deletes, edits, filters, and searches for network circuits. —14-17 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window 14.5.3.2 CTC Node Colors The color of a node in network view, shown in Table 14-11, indicates the node alarm status. 14.5.3.3 DCC Links The lines show DCC connections between the nodes (Table 14-12). DCC connections can be green (active) or gray (fail). The lines can also be solid (circuits can be routed through this link) or dashed (circuits cannot be routed through this link). Circuit provisioning uses active/routable links. Selecting a node or span in the graphic area displays information about the node and span in the status area. 14.5.3.4 Link Consolidation CTC provides the ability to consolidate the DCC, generic communications channel (GCC), optical transmission section (OTS), and PPC links shown in the network view into a more streamlined view. Link consolidation allows you to condense multiple inter-nodal links into a single link. The link Provisioning Provisions security, alarm profiles, bidirectional line switched rings (BLSRs) (ANSI), multiplex section-shared protection rings (MS-SPRing) (ETSI), and overhead circuits. Security, Alarm Profiles, BLSR (ANSI), MS-SPRing (ETSI), Overhead Circuits, Provisionable Patchcords Maintenance Displays the type of equipment and the status of each node in the network; displays working and protect software versions; and allows software to be downloaded. Software Table 14-10 Network View Tabs and Subtabs (continued) Tab Description Subtabs Table 14-11 Node Status Shown in Network View Color Alarm Status Green No alarms Yellow Minor alarms Orange Major alarms Red Critical alarms Gray with Unknown# Node initializing for the first time (CTC displays Unknown# because CTC has not discovered the name of the node yet) Table 14-12 DCC Colors Indicating State in Network View Color and Line Style State Green and solid Active/Routable Green and dashed Active/Nonroutable Gray and solid Failed/Routable Gray and dashed Failed/Nonroutable14-18 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation CTC Window consolidation sorts links by class, meaning that all DCC links are consolidated together, for example.You can access individual links within consolidated links using the right-click shortcut menu.Each link has an associated icon (Table 14-13). Note Link consolidation is only available on non-detailed maps. Non-detailed maps display nodes in icon form instead of detailed form, meaning that the nodes appear as rectangles with ports on the sides. Refer to the Cisco ONS 15454 DWDM Procedure Guide for more information about consolidated links. 14.5.4 Card View The card view provides information about individual ONS 15454 cards. Use this window to perform card-specific maintenance and provisioning. A graphic showing the ports on the card is shown in the graphic area. The status area displays the node name, slot, number of alarms, card type, equipment type, card status (active or standby), card service state if the card is present, and port service state (described in Table 14-7 on page 14-12). The information that appears and the actions that you can perform depend on the card. For more information about card service states, refer to Appendix B, “Administrative and Service States.” Note CTC provides a card view for all cards except the TCC2/TCC2P/TCC3/TSC cards. Use the card view tabs and subtabs shown in Table 14-14 to provision and manage the ONS 15454. The subtabs, fields, and information shown under each tab depend on the card type selected. Table 14-13 Link Icons Icon Description DCC icon GCC icon OTS icon PPC icon Table 14-14 Card View Tabs and Subtabs Tab Description Subtabs Alarms Lists current alarms (CR, MJ, MN) for the card and updates them in real time. — Conditions Displays a list of standing conditions on the card. —14-19 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation Using the CTC Launcher Application to Manage Multiple ONS Nodes 14.6 Using the CTC Launcher Application to Manage Multiple ONS Nodes The CTC Launcher application is an executable file, StartCTC.exe, that is provided on Software Release 9.2 CDs for Cisco ONS products. You can use CTC Launcher to log into multiple ONS nodes that are running CTC Software Release 3.3 or higher, without using a web browser. The CTC launcher application provides an advantage particularly when you have more than one NE version on the network, because it allows you to pick from all available CTC software versions. It also starts more quickly than the browser version of CTC and has a dedicated node history list. History Provides a history of card alarms including date, object, port, and severity of each alarm. Session (displays alarms and events for the current session), Card (displays alarms and events retrieved from a fixed-size log on the card) Circuits Creates, deletes, edits, and search circuits. — Provisioning Provisions an ONS 15454 card. DS-N and OC-N cards: Line, Line Thresholds (different threshold options are available for DS-N and OC-N cards), Elect Path Thresholds, SONET Thresholds, SONET STS, Alarm Profiles TXP and MXP cards: Card, Line, Line Thresholds, Optics Thresholds, OTN, Alarm Profiles DWDM cards (subtabs depend on card type): Optical Line, Optical Chn, Optical Amplifier, Parameters, Optics Thresholds, Alarm Profiles Maintenance Performs maintenance tasks for the card. Loopback, Info, Protection, J1 Path Trace, AINS Soak (options depend on the card type), Automatic Laser Shutdown Performance (Not available for the AIC-I cards) Performs performance monitoring for the card. DS-N and OC-N cards: no subtabs TXP and MXP cards: Optics PM, Payload PM, OTN PM DWDM cards (subtabs depend on card type): Optical Line, Optical Chn, Optical Amplifier Line, OC3 Line, Parameters, Optics Thresholds Inventory (40-WSS, 40-WXC, OPT-PRE and OPT-BST cards) Displays an Inventory screen of the ports. — Table 14-14 Card View Tabs and Subtabs (continued) Tab Description Subtabs14-20 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation Using the CTC Launcher Application to Manage Multiple ONS Nodes CTC Launcher provides two connection options. The first option is used to connect to ONS NEs that have an IP connection to the CTC computer. The second option is used to connect to ONS NEs that reside behind third party, OSI-based GNEs. For this option, CTC Launcher creates a TL1 tunnel to transport the TCP traffic through the OSI-based GNE. The TL1 tunnel transports the TCP traffic to and from ONS ENEs through the OSI-based GNE. TL1 tunnels are similar to the existing static IP-over-CLNS tunnels, GRE, and Cisco IP, that can be created at ONS NEs using CTC. (Refer to the Cisco ONS product documentation for information about static IP-over-CLNS tunnels.) However, unlike the static IP-over-CLNS tunnels, TL1 tunnels require no provisioning at the ONS ENE, the third-party GNE, or DCN routers. All provisioning occurs at the CTC computer when the CTC Launcher is started. Figure 14-6 shows examples of two static IP-over-CLNS tunnels. A static Cisco IP tunnel is created from ENE 1 through other vendor GNE 1 to a DCN router, and a static GRE tunnel is created from ONS ENE 2 to the other vender, GNE 2. For both static tunnels, provisioning is required on the ONS ENEs. In addition, a Cisco IP tunnel must be provisioned on the DCN router and a GRE tunnel provisioned on GNE 2. Figure 14-6 Static IP-Over-CLNS Tunnels Figure 14-7 shows the same network using TL1 tunnels. Tunnel provisioning occurs at the CTC computer when the tunnel is created with the CTC Launcher. No provisioning is needed at ONS NEs, GNEs, or routers. Other vendor GNE 1 Other vendor GNE 2 Central office IP+ OSI IP-over-CLNS tunnel IP-over-CLNS tunnel IP OSI/DCC OSI/DCC IP/DCC IP/DCC 140174 IP DCN CTC Tunnel provisioning Tunnel provisioning ONS ENE 1 ONS ENE 2 Tunnel provisioning Tunnel provisioning14-21 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation Using the CTC Launcher Application to Manage Multiple ONS Nodes Figure 14-7 TL1 Tunnels TL1 tunnels provide several advantages over static IP-over-CLNS tunnels. Because tunnel provisioning is needed only at the CTC computer, they are faster to set up. Because they use TL1 for TCP transport, they are more secure. TL1 tunnels also provide better flow control. On the other hand, IP over CLNS tunnels require less overhead and usually provide a slight performance edge over TL1 Tunnels (depending on network conditions). TL1 tunnels do not support all IP applications such as SNMP and RADIUS Authentication. Table 14-15 shows a comparison between the two types of tunnels. Other vendor GNE 1 Other vendor GNE 2 Central office IP + OSI TL1 tunnel IP OSI/DCC OSI/DCC IP/DCC IP/DCC Tunnel provisioning 140175 IP DCN CTC ONS ENE 1 ONS ENE 2 TL1 tunnel Table 14-15 TL1 and Static IP-Over-CLNS Tunnels Comparison Category Static IP-Over-CLNS TL1 Tunnel Comments Setup Complex Simple Requires provisioning at ONS NE, GNE, and DCN routers. For TL1 tunnels, provisioning is needed at CTC computer. Performance Best Average to good Static tunnels generally provide better performance than TL1 tunnels, depending on TL1 encoding used. LV+Binary provides the best performance. Other encoding will produce slightly slower TL1 tunnel performance. Support all IP applications Yes No TL1 tunnels do not support SNMP or RADIUS Server IP applications. ITU Standard Yes No Only the static IP-over-CLNS tunnels meet ITU standards. TL1 tunnels are new. Tunnel traffic control Good Very good Both tunnel types provide good traffic control Security setup Complex No setup needed Static IP-over-CLNS tunnels require careful planning. Because TL1 tunnels are carried by TL1, no security provisioning is needed.14-22 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation TCC2/TCC2P/TCC3/TNC/TSC Card Reset TL1 tunnel specifications and general capabilities include: • Each tunnel generally supports between six to eight ENEs, depending on the number of tunnels at the ENE. • Each CTC session can support up to 32 tunnels. • The TL1 tunnel database is stored locally in the CTC Preferences file. • Automatic tunnel reconnection when the tunnel goes down. • Each ONS NE can support at least 16 concurrent tunnels. 14.7 TCC2/TCC2P/TCC3/TNC/TSC Card Reset You can soft reset the TCC2/TCC2P/TCC3/TNC/TSC card by using CTC or by physically resetting the card (a hard reset). A soft reset reboots the TCC2/TCC2P/TCC3/TNC/TSC card and reloads the operating system and the application software. Additionally, a hard reset temporarily removes power from the TCC2/TCC2P/TCC3/TNC/TSC card and clears all the buffer memory. You can apply a soft reset from CTC to either an active or standby TCC2/TCC2P/TCC3/TNC/TSC card without affecting traffic. If you need to perform a hard reset on an active TCC2/TCC2P/TCC3/TNC/TSC card, put the TCC2/TCC2P/TCC3/TNC/TSC card into standby mode first by performing a soft reset. Note Hard reset can also be performed on the TNC/TSC card through CTC and TL1 interface. Before performing the hard reset, bring the TNC/TSC card to maintenance mode. When you reset the standby TCC2/TCC2P/TCC3/TNC/TSC card, the system traffic is not affected. When you reset the active TCC2/TCC2P/TCC3/TNC/TSC card, traffic switches to the standby card if the standby card is present and in the ready standby state. If the standby card is not in the ready standby state, traffic does not switch, and results in loss of system traffic and management connectivity until the card reboots completely. Potential to breach DCN from DCC using IP. Possible Not possible A potential exists to breach a DCN from a DCC using IP. This potential does not exist for TL1 tunnels. IP route management Expensive Automatic For static IP-over-CLNS tunnels, route changes require manual provisioning at network routers, GNEs, and ENEs. For TL1 tunnels, route changes are automatic. Flow control Weak Strong TL1 tunnels provide the best flow control. Bandwidth sharing among multiple applications Weak Best — Tunnel lifecycle Fixed CTC session TL1 tunnels are terminated when the CTC session ends. Static IP-over-CLNS tunnels exist until they are deleted in CTC. Table 14-15 TL1 and Static IP-Over-CLNS Tunnels Comparison (continued) Category Static IP-Over-CLNS TL1 Tunnel Comments14-23 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation TCC2/TCC2P/TCC3/TNC/TSC Card Database Caution When you reset the TNC/TSC card on the ONS 15454 or 15454-M6 shelves in simplex control mode, loss of management connectivity happens until the card reboots. The system traffic loss may occur depending on the line card and traffic type. Note (Cisco ONS 15454 shelf) When a CTC reset is performed on an active TCC2/TCC2P/TCC3 card, the AIC-I card goes through an initialization process and also resets because it is controlled by the active TCC2/TCC2P/TCC3 card. 14.8 TCC2/TCC2P/TCC3/TNC/TSC Card Database When dual TCC2/TCC2P/TCC3/TNC/TSC cards are installed in the ONS 15454, 15454-M2, or 15454-M6 shelves, each TCC2/TCC2P/TCC3/TNC/TSC card hosts a separate database; therefore, the protect card database is available if the database on the working TCC2/TCC2P/TCC3/TNC/TSC card fails. You can also store a backup version of the database on the workstation running CTC. This operation should be part of a regular ONS 15454, 15454-M2, or 15454-M6 maintenance program at approximately weekly intervals, and should also be completed when preparing ONS 15454, 15454-M2, or 15454-M6 for a pending natural disaster, such as a flood or fire. The TNC card provides 4GB of nonvolatile database storage for communication, provisioning, and system control. This allows full database recovery during power failure. The configuration details are stored in the database of the TCC2/TCC2P/TCC3/TNC/TSC card. The database restore from a TNC card to a TSC card or vice versa is not supported. Note The following parameters are not backed up and restored: node name, IP address, mask and gateway, and Internet Inter-ORB Protocol (IIOP) port. If you change the node name and then restore a backed up database with a different node name, the circuits map to the new node name. We recommend keeping a record of the old and new node names. 14.9 Software Revert When you click the Activate button after a software upgrade, the TCC2/TCC2P/TCC3/TNC/TSC card copies the current working database and saves it in a reserved location in the TCC2/TCC2P/TCC3/TNC/TSC card flash memory. If later during the upgrade you need to revert to the original working software load from the protect software load, the saved database installs automatically. You do not need to restore the database manually or recreate circuits. The revert feature is useful if the maintenance window in which you were performing an upgrade closes while you are still upgrading CTC software. You can revert to the protect software load without losing traffic. During the next maintenance window, you can complete the upgrade and activate the new software load. Circuits created or provisioning done after you activate a new software load (upgrade to a higher release) will be lost with a revert. The database configuration at the time of activation is reinstated after a revert. (This does not apply to maintenance reverts, such as Software R5.0.1 to Software R5.0.2, because maintenance releases retain the database during activation.) 14-24 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 14 Cisco Transport Controller Operation Software Revert Caution Cisco does not recommend reverting after changing provisioning on the node. Depending upon the particular provisioning, reverting in this case can be traffic affecting. To perform a supported (non-service-affecting) revert from a software release that you have just activated, the release you revert to must have been working at the time you first activated the new software on that node. Because a supported revert automatically restores the node configuration at the time of the previous activation, any configuration changes made after activation will be lost when you revert the software. Downloading the software release that you are upgrading to a second time after you have activated the new load ensures that no actual revert to a previous load can take place (the TCC2/TCC2P/TCC3/TNC/TSC resets, but it does not affect the traffic and does not change your database). Note To perform a supported software upgrade or revert, you must consult the specific upgrade document and release notes for the release you are upgrading to (or reverting from).CHAPTER 15-1 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 15 Security Reference This chapter provides information about Cisco ONS 15454 users and security. Note Unless otherwise specified, “ONS 15454” refers to both ANSI and ETSI shelf assemblies. Chapter topics include: • 15.1 User IDs and Security Levels, page 15-1 • 15.2 User Privileges and Policies, page 15-2 • 15.3 Audit Trail, page 15-8 • 15.4 RADIUS Security, page 15-9 15.1 User IDs and Security Levels The Cisco Transport Controller (CTC) ID is provided with the ONS 15454 system, but the system does not display the user ID when you sign into CTC. This ID can be used to set up other ONS 15454 users. You can have up to 500 user IDs on one ONS 15454. Each CTC or TL1 user can be assigned one of the following security levels: • Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters. • Maintenance—Users can access only the ONS 15454 maintenance options. • Provisioning—Users can access provisioning and maintenance options. • Superusers—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users. See Table 15-3 on page 15-7 for idle user timeout information for each security level. By default, multiple concurrent user ID sessions are permitted on the node, that is, multiple users can log into a node using the same user ID. However, you can provision the node to allow only a single login per user and prevent concurrent logins for all users. Note You must add the same user name and password to each node the user accesses.15-2 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies Note Maintenance, Provisioning, and Superusers must be properly trained on the hazards of laser safety and be aware of safety-related instructions, labels, and warnings. Refer to the Cisco Optical Products Safety and Compliance Information document for a current list of safety labels and warnings, including laser warnings. Refer to IEC 60825-2 for international laser safety standards, or to ANSI Z136.1 for U.S. laser safety standards. The Cisco ONS 15454 DWDM Procedure Guide explains how users can disable laser safety during maintenance or installation; when following these procedures, adhere to all posted warnings and cautions to avoid unsafe conditions or abnormal exposure to optical radiation. 15.2 User Privileges and Policies This section lists user privileges for each CTC task and describes the security policies available to Superusers for provisioning. 15.2.1 User Privileges by CTC Task Table 15-1 shows the actions that each user privilege level can perform in node view. Table 15-1 ONS 15454 Security Levels—Node View CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser Alarms — Synchronize/Filter/Delete Cleared Alarms XX X X Conditions — Retrieve/Filter X X X X History Session Filter X X X X Node Retrieve/Filter X X X X Circuits Circuits Create/Edit/Delete — — X X Filter/Search X X X X Rolls Complete/ Force Valid Signal/ Finish —— X X15-3 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies Provisioning General General: Edit — — Partial1 X Multishelf Config: Edit — — — X Network General: Edit — — — X Static Routing: Create/Edit/ Delete —— X X OSPF: Create/Edit/Delete — — X X RIP: Create/Edit/Delete — — X X Proxy: Create/Edit/Delete — — — X Firewall: Create/Edit/Delete — — — X OSI Main Setup:Edit — — — X TARP: Config: Edit — — — X TARP: Static TDC: Add/Edit/Delete —— X X TARP: MAT: Add/Edit/Remove — — X X Routers: Setup: Edit — — — X Routers: Subnets: Edit/Enable/Disable —— X X Tunnels: Create/Edit/Delete — — X X Table 15-1 ONS 15454 Security Levels—Node View (continued) CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser15-4 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies Security Users: Create/Delete/Clear Security Intrusion Alarm —— — X Users: Change Same user Same user Same user All users Active Logins: View/Logout/ Retrieve Last Activity Time —— — X Policy: Edit/View — — — X Access: Edit/View — — — X RADIUS Server: Create/Edit/Delete/Move Up/M ove Down/View —— — X Legal Disclaimer: Edit — — — X SNMP Create/Edit/Delete — — X X Browse trap destinations X X X X Comm Channels SDCC: Create/Edit/Delete — — X X LDCC: Create/Edit/Delete — — X X GCC: Create/Edit/Delete — — X X OSC: Create/Edit/Delete — — X X PPC: Create/Edit/Delete — — X X LMP: General: Edit X X X X LMP: Control Channels: Create/Edit/Delete —— — X LMP: TE Links: Create/Edit/Delete —— — X LMP: Data Links: Create/Edit/Delete —— — X Alarm Profiles Load/Store/Delete2 —— X X New/Compare/Available/Usage X X X X Defaults Edit/Import — — — X Reset/Export X X X X WDM-ANS Provisioning: Edit — — — X Provisioning: Reset X X X X Internal Patchcords: Create/Edit/Delete/Commit/ Default Patchcords —— X X Port Status: Launch ANS — — — X Node Setup: Setup/Edit X X X X Optical Side: Create/Edit/Delete X X X X Inventory — Delete — — X X Reset — X X X Table 15-1 ONS 15454 Security Levels—Node View (continued) CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser15-5 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies Table 15-2 shows the actions that each user privilege level can perform in network view. Maintenance Database Backup — X X X Restore — — — X Network Routing Table: Retrieve X X X X RIP Routing Table: Retrieve X X X X OSI IS-IS RIB: Refresh X X X X ES-IS RIB: Refresh X X X X TDC: TID to NSAP/Flush Dynamic Entries —X X X TDC: Refresh X X X X Software Download/Cancel — X X X Activate/Revert — — — X Diagnostic Node Diagnostic Logs — — X X Audit Retrieve — — — X Archive — — X X DWDM APC: Run/Disable/Refresh — X X X WDM Span Check: Retrieve Span Loss values/ Edit/Reset XX X X ROADM Power Monitoring: Refresh XX X X PP-MESH Internal Patchcord: Refresh XX X X Install Without Metro Planner: Retrieve Installation values XX X X All Facilities: Mark/Refresh X X X X 1. A Provisioning user cannot change node name, contact, location and AIS-V insertion on STS-1 signal degrade (SD) parameters. 2. The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users assigned with the required security levels. Table 15-1 ONS 15454 Security Levels—Node View (continued) CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser Table 15-2 ONS 15454 Security Levels—Network View CTC Tab Subtab [Subtab]: Actions Retrieve Maintenance Provisioning Superuser Alarms — Synchronize/Filter/Delete cleared alarms XX X X Conditions — Retrieve/Filter X X X X History — Filter X X X X15-6 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies 15.2.2 Security Policies Superusers can provision security policies on the ONS 15454. These security policies include idle user timeouts, password changes, password aging, and user lockout parameters. In addition, Superusers can access the ONS 15454 through the TCC2/TCC2P/TCC3 RJ-45 port, the backplane LAN connection, or both. Circuits Circuits Create/Edit/Delete — — X X Filter/Search X X X X Rolls Complete/ Force Valid Signal/ Finish —— X X Provisioning Security Users: Create/Delete/Clear Security Intrusion Alarm —— — X Users: Change Same User Same User Same User All Users Active logins: Logout/Retrieve Last Activity Time —— — X Policy: Change — — — X Alarm Profiles New/Load/Store/Delete1 —— X X Compare/Available/Usage X X X X BLSR (ANSI) MS-SPRing (ETSI) Create/Edit/Delete/Upgrade — — X X Overhead Circuits Create/Delete/Edit/Merge — — X X Search X X X X Provisionable Patchcords (PPC) Create/Edit/Delete — — X X Server Trails Create/Edit/Delete — — X X VLAN DB Profile Load/Store/Merge/Circuits X X X X Add/Remove Rows — — X X Maintenance Software Download/Cancel — X X X Diagnostic OSPF Node Information: Retrieve/Clear XX X X APC Run APC/Disable APC — — — X Refresh X X X X 1. The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users assigned with the required security levels. Table 15-2 ONS 15454 Security Levels—Network View (continued) CTC Tab Subtab [Subtab]: Actions Retrieve Maintenance Provisioning Superuser15-7 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference User Privileges and Policies 15.2.2.1 Superuser Privileges for Provisioning Users Superusers can grant permission to Provisioning users to perform a set of tasks. The tasks include retrieving audit logs, restoring databases, clearing PMs, and activating and reverting software loads. These privileges can be set only through CTC network element (NE) defaults, except the PM clearing privilege, which can be granted to Provisioning users using CTC Provisioning> Security > Access tabs. For more information on setting up Superuser privileges, refer to the Cisco ONS 15454 DWDM Procedure Guide. 15.2.2.2 Idle User Timeout Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 15-3. 15.2.2.3 User Password, Login, and Access Policies Superusers can view real-time lists of users who are logged into CTC or TL1 user logins by node. Superusers can also provision the following password, login, and node access policies: • Password length, expiration and reuse—Superusers can configure the password length by using NE defaults. The password length, by default, is set to a minimum of six and a maximum of 20 characters. You can configure the default values in CTC node view with the Provisioning > NE Defaults > Node > security > password Complexity tabs. The minimum length can be set to eight, ten or twelve characters, and the maximum length to 80 characters. The password must be a combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #,%) characters, where at least two characters are nonalphabetic and at least one character is a special character. Superusers can specify when users must change their passwords and when they can reuse them. • Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before locking out users and the length of time before inactive users are disabled. The number of allowed lockout attempts is set to the number of allowed login attempts. • Node access and user sessions—Superusers can limit the number of CTC sessions one user can have, and they can prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P/TCC3 RJ-45 connections. In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecure channels. Port 22 is the default port and cannot be changed. Table 15-3 ONS 15454 Default User Idle Times Security Level Idle Time Superuser 15 minutes Provisioning 30 minutes Maintenance 60 minutes Retrieve Unlimited15-8 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference Audit Trail 15.3 Audit Trail The Cisco ONS 15454 maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the TCC2/TCC2P/TCC3/TNC/TSC card. Audit trails are useful for maintaining security, recovering lost transactions and enforcing accountability. Accountability refers to tracing user activities; that is, associating a process or action with a specific user. This record shows who has accessed the system and what operations were performed during a given period of time. The log includes authorized Cisco logins and logouts using the operating system command line interface, CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user/system generated actions. Event monitoring is also recorded in the audit log. An event is defined as the change in status of an element within the network. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail. The audit trail is stored in persistent memory and is not corrupted by processor switches, resets or upgrades. However, if a user pulls both TCC2/TCC2P/TCC3/TNC/TSC cards, the audit trail log is lost. 15.3.1 Audit Trail Log Entries Table 15-4 contains the columns listed in Audit Trail window. Audit trail records capture the following activities: • User—Name of the user performing the action • Host—Host from where the activity is logged • Device ID—IP address of the device involved in the activity • Application—Name of the application involved in the activity • Task—Name of the task involved in the activity (view a dialog box, apply configuration, and so on) • Connection Mode—Telnet, Console, Simple Network Management Protocol (SNMP) • Category—Type of change: Hardware, Software, Configuration • Status—Status of the user action: Read, Initial, Successful, Timeout, Failed • Time—Time of change • Message Type—Denotes whether the event is Success/Failure type • Message Details—Description of the change Table 15-4 Audit Trail Window Columns Heading Explanation Date Date when the action occurred Num Incrementing count of actions User User ID that initiated the action P/F Pass/Fail (whether or not the action was executed) Operation Action that was taken15-9 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference RADIUS Security 15.3.2 Audit Trail Capacities The system is able to store 640 log entries.When this limit is reached, the oldest entries are overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is raised and logged (by way of Common Object Request Broker Architecture [CORBA]/CTC). When the log server reaches a maximum capacity of 640 entries and begins overwriting records that were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until the user off-loads the file, this event occurs only once regardless of the amount of entries that are overwritten by the system. 15.4 RADIUS Security Superusers can configure nodes to use Remote Authentication Dial In User Service (RADIUS) authentication. RADIUS uses a strategy known as authentication, authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the actions of remote users. To configure RADIUS authentication, refer to the Cisco ONS 15454 DWDM Procedure Guide. RADIUS server supports IPv6 addresses and can process authentication requests from a GNE or an ENE that uses IPv6 addresses. 15.4.1 RADIUS Authentication RADIUS is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components: • A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP • A server • A client The server runs on a central computer typically at the customer's site, while the clients reside in the dial-up access servers and can be distributed throughout the network. An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers. Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This eliminates the possibility that someone snooping on an unsecured network could determine a user's password. 15.4.2 Shared Secrets A shared secret is a text string that serves as a password between: • A RADIUS client and RADIUS server • A RADIUS client and a RADIUS proxy • A RADIUS proxy and a RADIUS server15-10 Cisco ONS 15454 DWDM Reference Manual, Release 9.2 78-19285-02 Chapter 15 Security Reference RADIUS Security For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different than the shared secret used between the RADIUS proxy and the RADIUS server. Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. When creating and using a shared secret: • Use the same case-sensitive shared secret on both RADIUS devices. • Use a different shared secret for each RADIUS server-RADIUS client pair. • To ensure a random shared secret, generate a random sequence at least 22 characters long. • You can use any standard alphanumeric and special characters. • You can use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters). • Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the three groups listed in Table 15-5. The stronger your shared secret, the more secure the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m
and
security
reasons. By
proceeding,
you consent to
this
monitoring.
Free form field
NODE.security.other.DisableInactiveUser FALSE FALSE, TRUE
NODE.security.other.InactiveDuration 45 (days) 1, 2, 3 .. 99 when
nothing TRUE;
45 when nothing
FALSE
NODE.security.other.SingleSessionPerUser FALSE TRUE, FALSE
NODE.security.passwordAging.EnforcePasswordAging FALSE TRUE, FALSE
NODE.security.passwordAging.maintenance.AgingPeriod 45 (days) 20 - 90
NODE.security.passwordAging.maintenance.WarningPeriod 5 (days) 2 - 20
NODE.security.passwordAging.provisioning.AgingPeriod 45 (days) 20 - 90
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-109
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.security.passwordAging.provisioning.WarningPeriod 5 (days) 2 - 20
NODE.security.passwordAging.retrieve.AgingPeriod 45 (days) 20 - 90
NODE.security.passwordAging.retrieve.WarningPeriod 5 (days) 2 - 20
NODE.security.passwordAging.superuser.AgingPeriod 45 (days) 20 - 90
NODE.security.passwordAging.superuser.WarningPeriod 5 (days) 2 - 20
NODE.security.passwordChange.CannotChangeNewPassword FALSE TRUE, FALSE
NODE.security.passwordChange.CannotChangeNewPasswordForNDays 20 (days) 20 - 95
NODE.security.passwordChange.NewPasswordMustDifferFromOldByNCharacters 1 (characters) 1 - 5
NODE.security.passwordChange.PreventReusingLastNPasswords 1 (times) 1 - 10
NODE.security.passwordChange.RequirePasswordChangeOnFirstLoginToNewAccou
nt
FALSE TRUE, FALSE
NODE.security.passwordComplexity.IdenticalConsecutiveCharactersAllowed 3 or more 0-2, 3 or more
NODE.security.passwordComplexity.MaximumLength 20 20, 80
NODE.security.passwordComplexity.MinimumLength 6 6, 8, 10, 12
NODE.security.passwordComplexity.MinimumRequiredCharacters 1 num, 1 letter
& 1 TL1
special
1 num, 1 letter &
1 TL1 special, 1
num, 1 letter & 1
special, 2 each of
any 2 of num,
upper, lower &
TL1 special, 2
each of any 2 of
num, upper,
lower & special
NODE.security.passwordComplexity.ReverseUserIdAllowed TRUE TRUE, FALSE
NODE.security.radiusServer.AccountingPort 1813 (port) 0 - 32767
NODE.security.radiusServer.AuthenticationPort 1812 (port) 0 - 32767
NODE.security.radiusServer.EnableNodeAsFinalAuthenticator TRUE FALSE, TRUE
NODE.security.serialCraftAccess.EnableCraftPort TRUE TRUE, FALSE
NODE.security.shellAccess.AccessState NonSecure Disabled,
NonSecure,
Secure
NODE.security.shellAccess.EnableShellPassword FALSE TRUE, FALSE
NODE.security.shellAccess.TelnetPort 23 23 - 9999
NODE.security.snmpAccess.AccessState NonSecure Disabled,
NonSecure
NODE.security.tl1Access.AccessState NonSecure Disabled,
NonSecure,
Secure
NODE.security.userLockout.FailedLoginsAllowedBeforeLockout 5 (times) 0 - 10
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-110
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.security.userLockout.LockoutDuration 00:30
(mins:secs)
00:00, 00:05,
00:10 .. 10:00
NODE.security.userLockout.ManualUnlockBySuperuser FALSE TRUE, FALSE
NODE.software.AllowDelayedUpgrades FALSE FALSE, TRUE
NODE.software.DefaultDelayedUpgrades FALSE FALSE, TRUE
when
AllowDelayedUp
grades TRUE;
FALSE when
AllowDelayedUp
grades FALSE
NODE.timing.bits-1.AdminSSMIn STU PRS, STU, ST2,
ST3, SMC, ST4,
DUS, RES when
//.general.SSMM
essageSet
Generation 1;
PRS, STU, ST2,
TNC, ST3E, ST3,
SMC, ST4, DUS,
RES when
//.general.SSMM
essageSet
Generation 2;
G811, STU,
G812T, G812L,
SETS, DUS when
//.general.SSMM
essageSet N/A
NODE.timing.bits-1.AISThreshold SMC PRS, STU, ST2,
ST3, SMC, ST4,
DUS, RES when
//.general.SSMM
essageSet
Generation 1;
PRS, STU, ST2,
TNC, ST3E, ST3,
SMC, ST4, DUS,
RES when
//.general.SSMM
essageSet
Generation 2;
G811, STU,
G812T, G812L,
SETS, DUS when
//.general.SSMM
essageSet N/A
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-111
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.timing.bits-1.Coding B8ZS B8ZS, AMI when
FacilityType
DS1; HDB3,
AMI when
FacilityType E1;
N/A when
FacilityType
2MHz; AMI
when
FacilityType
64kHz+8kHz
NODE.timing.bits-1.CodingOut B8ZS B8ZS, AMI when
FacilityTypeOut
DS1; HDB3,
AMI when
FacilityTypeOut
E1; N/A when
FacilityTypeOut
2MHz; AMI
when
FacilityTypeOut
6MHz
NODE.timing.bits-1.FacilityType DS1 DS1,
64kHz+8kHz
when
//.general.Timing
Standard
SONET; E1,
64kHz+8kHz,
2MHz when
//.general.Timing
Standard SDH
NODE.timing.bits-1.FacilityTypeOut DS1 DS1, 6MHz when
//.general.Timing
Standard
SONET; E1,
6MHz, 2MHz
when
//.general.Timing
Standard SDH
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-112
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.timing.bits-1.Framing ESF ESF, D4 when
FacilityType
DS1; FAS+CRC,
FAS+CAS,
FAS+CAS+CRC,
FAS, Unframed
when
FacilityType E1;
N/A when
FacilityType
2MHz; N/A when
FacilityType
64kHz+8kHz
NODE.timing.bits-1.FramingOut ESF ESF, D4 when
FacilityTypeOut
DS1; FAS+CRC,
FAS+CAS,
FAS+CAS+CRC,
FAS, Unframed
when
FacilityTypeOut
E1; N/A when
FacilityTypeOut
2MHz; N/A when
FacilityTypeOut
6MHz
NODE.timing.bits-1.LBO 0-133 0-133, 134-266,
267-399,
400-533,
534-655
NODE.timing.bits-1.SaBit N/A N/A when
FacilityType
DS1; 4, 5, 6, 7, 8
when
FacilityType E1;
N/A when
FacilityType
2MHz; N/A when
FacilityType
64kHz+8kHz
NODE.timing.bits-1.State OOS,DSBLD IS, OOS,DSBLD
NODE.timing.bits-1.StateOut OOS,DSBLD IS, OOS,DSBLD
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-113
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.timing.bits-2.AdminSSMIn STU PRS, STU, ST2,
ST3, SMC, ST4,
DUS, RES when
//.general.SSMM
essageSet
Generation 1;
PRS, STU, ST2,
TNC, ST3E, ST3,
SMC, ST4, DUS,
RES when
//.general.SSMM
essageSet
Generation 2;
G811, STU,
G812T, G812L,
SETS, DUS when
//.general.SSMM
essageSet N/A
NODE.timing.bits-2.AISThreshold SMC PRS, STU, ST2,
ST3, SMC, ST4,
DUS, RES when
//.general.SSMM
essageSet
Generation 1;
PRS, STU, ST2,
TNC, ST3E, ST3,
SMC, ST4, DUS,
RES when
//.general.SSMM
essageSet
Generation 2;
G811, STU,
G812T, G812L,
SETS, DUS when
//.general.SSMM
essageSet N/A
NODE.timing.bits-2.Coding B8ZS B8ZS, AMI when
FacilityType
DS1; HDB3,
AMI when
FacilityType E1;
N/A when
FacilityType
2MHz; AMI
when
FacilityType
64kHz+8kHz
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-114
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.timing.bits-2.CodingOut B8ZS B8ZS, AMI when
FacilityTypeOut
DS1; HDB3,
AMI when
FacilityTypeOut
E1; N/A when
FacilityTypeOut
2MHz; AMI
when
FacilityTypeOut
6MHz
NODE.timing.bits-2.FacilityType DS1 DS1,
64kHz+8kHz
when
//.general.Timing
Standard
SONET; E1,
64kHz+8kHz,
2MHz when
//.general.Timing
Standard SDH
NODE.timing.bits-2.FacilityTypeOut DS1 DS1, 6MHz when
//.general.Timing
Standard
SONET; E1,
6MHz, 2MHz
when
//.general.Timing
Standard SDH
NODE.timing.bits-2.Framing ESF ESF, D4 when
FacilityType
DS1; FAS+CRC,
FAS+CAS,
FAS+CAS+CRC,
FAS, Unframed
when
FacilityType E1;
N/A when
FacilityType
2MHz; N/A when
FacilityType
64kHz+8kHz
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-115
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3 Node Default Settings
NODE.timing.bits-2.FramingOut ESF ESF, D4 when
FacilityTypeOut
DS1; FAS+CRC,
FAS+CAS,
FAS+CAS+CRC,
FAS, Unframed
when
FacilityTypeOut
E1; N/A when
FacilityTypeOut
2MHz; N/A when
FacilityTypeOut
6MHz
NODE.timing.bits-2.LBO 0-133 0-133, 134-266,
267-399,
400-533,
534-655
NODE.timing.bits-2.SaBit N/A N/A when
FacilityType
DS1; 4, 5, 6, 7, 8
when
FacilityType E1;
N/A when
FacilityType
2MHz; N/A when
FacilityType
64kHz+8kHz
NODE.timing.bits-2.State OOS,DSBLD IS, OOS,DSBLD
NODE.timing.bits-2.StateOut OOS,DSBLD IS, OOS,DSBLD
NODE.timing.general.Mode Line External, Line,
Mixed
Table C-21 Node Default Settings (continued)
Default Name Default Value Default DomainC-116
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix C Network Element Defaults
C.3.1 Time Zones
C.3.1 Time Zones
Table C-22 lists the time zones that apply for node time zone defaults. Time zones in the table are
ordered by their relative relationships to Greenwich Mean Time (GMT), and the default values are
displayed in the correct format for valid default input.
NODE.timing.general.QualityOfRES RES=DUS PRS
!
interface Ethernet2/1
ip address 11.11.11.11 255.255.255.0
half−duplex
!−−− Apply crypto map.
crypto map testcase
!
ip http server
no ip http secure−server
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.12
!
!
!−−− Traffic to encrypt
access−list 100 permit ip host 12.12.12.12 host 14.14.14.14
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
!
House Configuration
house#show running−configCurrent configuration : 1194 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password−encryption
!
hostname house
!
!
logging buffered 50000 debugging
enable password cisco
!
no aaa new−model
ip subnet−zero
ip domain name cisco.com
!
ip cef
!
!
no crypto isakmp enable
!
!
!−−− IPsec configuration
crypto ipsec transform−set encrypt−des esp−des esp−sha−hmac
!
crypto map testcase 8 ipsec−manual
set peer 11.11.11.11
set session−key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
set session−key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
set transform−set encrypt−des
!−−− Traffic to encrypt
match address 100
!
!
interface Ethernet0
ip address 11.11.11.12 255.255.255.0
!−−− Apply crypto map.
crypto map testcase
!
interface Ethernet1
ip address 14.14.14.14 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.11
no ip http server
no ip http secure−server
!
!
!−−− Traffic to encrypt
access−list 100 permit ip host 14.14.14.14 host 12.12.12.12
!
!
line con 0
exec−timeout 0 0
transport preferred none
transport output noneline vty 0 4
exec−timeout 0 0
password cisco
login
transport preferred none
transport input none
transport output none
!
!
end
Verify
This section provides information you can use to confirm your configuration functions properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT
to view an analysis of show command output.
• show crypto ipsec saShows the phase two security associations.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT
to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
• debug crypto ipsecDisplays the IPsec negotiations of phase two.
• debug crypto engineDisplays the traffic that is encrypted.
Transform Sets Do Not Match
Light has ah−sha−hmac and House has esp−des.
*Mar 2 01:16:09.849: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 11.11.11.11, remote= 11.11.11.12,
local_proxy= 12.12.12.12/255.255.255.255/0/0 (type=1),
remote_proxy= 14.14.14.14/255.255.255.255/0/0 (type=1),
protocol= AH, transform= ah−sha−hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xACD76816(2899798038), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 2 01:16:09.849: IPSEC(manual_key_stuffing):
keys missing for addr 11.11.11.12/prot 51/spi 0.....
ACLs Do Not Match
On side_A (the "light" router) there is an inside host−to−inside−host and on side_B (the "house" router) there
is an interface−to−interface. ACLs must always be symmetric (these are not).
hostname house
match address 101
access−list 101 permit ip host 11.11.11.12 host 11.11.11.11!
hostname light
match address 100
access−list 100 permit ip host 12.12.12.12 host 14.14.14.14
This output is taken from the side_A initiating ping:
nothing
light#show crypto engine connections active
ID Interface IP−Address State Algorithm Encrypt Decrypt
2000 Ethernet2/1 11.11.11.11 set DES_56_CBC 5 0
2001 Ethernet2/1 11.11.11.11 set DES_56_CBC 0 0
This output is taken from the side_B when side_A is initiating ping:
house#
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
house#show crypto engine connections active
ID Interface IP−Address State Algorithm Encrypt Decrypt
2000 Ethernet0 11.11.11.12 set DES_56_CBC 0 0
2001 Ethernet0 11.11.11.12 set DES_56_CBC 0 5
This output is taken from the side_B initiating ping:
side_ B
%CRYPTO−4−RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /12.12.12.12, src_addr= 14.14.14.14, prot= 1
One Side has crypto map and the Other Does Not
%CRYPTO−4−RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /14.14.14.14, src_addr= 12.12.12.12, prot= 1
This output is taken from the side_B that has a crypto map:
house#show crypto engine connections active
ID Interface IP−Address State Algorithm Encrypt Decrypt
2000 Ethernet0 11.11.11.12 set DES_56_CBC 5 0
2001 Ethernet0 11.11.11.12 set DES_56_CBC 0 0
The Crypto Engine Accelerator Card is Enabled
1d05h: %HW_VPN−1−HPRXERR: Hardware VPN0/13: Packet
Encryption/Decryption error, status=4098.....
Related Information
• IPsec Negotiation/IKE Protocols
• Technical Support & Documentation − Cisco SystemsContacts & Feedback | Help | Site Map
© 2012 − 2013 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.
Updated: Oct 29, 2006 Document ID: 14140
Description de la gamme Cisco ASA Description de la gamme Cisco ASA 5500
Les serveurs de sécurité adaptatifs de la gamme Cisco® ASA
5500 s’appuient sur une plate-forme modulaire capable de
fournir des services de sécurité et de VPN de prochaine
génération à tous les environnements, depuis les petits bureaux,
les bureaux à domicile et les PME/PMI jusqu’aux grandes
entreprises. La gamme Cisco ASA 5500 met à la disposition de
l’entreprise une gamme complète de services personnalisés au
travers de ses diverses éditions spécifiquement conçues pour le
pare-feu, la prévention des intrusions, la protection des contenus
et les VPN.
Ces éditions offrent une protection de haute qualité en
fournissant les services adaptés à chaque site. Chaque édition
associe un ensemble spécialisé de services Cisco ASA qui
répondent très exactement aux besoins des environnements
spécifiques du réseau de l’entreprise. En satisfaisant aux besoins
de sécurité de chaque domaine du réseau, c’est la sécurité de
l’ensemble du réseau qui se trouve renforcée.
La gamme Cisco ASA 5500 permet la normalisation sur une
unique plate-forme afin de réduire les frais opérationnels
associés à la sécurité. L’environnement commun de configuration
simplifie la gestion et réduit les coûts de formation du personnel
tandis que la plate-forme matérielle commune de la gamme
permet de réaliser des économies sur les pièces de rechange.
Chaque édition répond aux besoins spécifiques d’un
environnement du réseau de l’entreprise :
• Firewall Edition : grâce à cette édition pare-feu, l’entreprise
peut déployer ses applications et ses réseaux vitaux de
manière fiable et sécurisée. La conception modulaire unique
du Cisco ASA 5500 garantit une remarquable protection de
l’investissement et des frais d’exploitation réduits.
• IPS Edition : dotée d’un ensemble de services de pare-feu, de
sécurité applicative et de prévention des intrusions, cette
édition protège les serveurs et l’infrastructure essentiels de
l’entreprise contre les vers, les pirates et les autres
menaces.
• Content Security Edition : avec son ensemble complet de
services de sécurité, cette édition protège les utilisateurs
des petits sites et des sites distants. Les services de parefeu et de VPN de qualité entreprise assurent une
connectivité sécurisée vers le réseau du siège social. A la
pointe de la technologie actuelle, les services de protection
des contenus de Trend Micro mettent le système client à
l’abri des sites Web malveillants et des autres menaces à
base de contenus comme les virus, les logiciels espions et le
phishing.
• SSL/IPsec VPN Edition : cette édition protège l’accès des
utilisateurs distants vers les systèmes et les équipements du
réseau interne et supporte la mise en grappe des VPN pour
les déploiements de grande taille en entreprise. Les
technologies d’accès VPN à distance protégées par les
normes SSL (Secure Sockets Layer) et IPSec (IP Security)
sont renforcées par des technologies de réduction des
menaces, comme Cisco Secure Desktop, et des services de
pare-feu et de prévention des intrusions qui garantissent
que le trafic VPN ne fera pas courir de risques au réseau de
l’entreprise.
Cinq raisons d’acheter les serveurs de sécurité
adaptatifs de la gamme Cisco ASA 5500 adaptatifs de la gamme Cisco ASA 5500
1. .. Technologie de pare 1. Technologie de pare Technologie de pare----feu sécurisé et de protection feu sécurisé et de protection
des VPN contre les menaces des VPN contre les menaces
Développée autour de la même technologie éprouvée qui a fait
le succès du serveur de sécurité Cisco PIX et de la gamme des
concentrateurs Cisco VPN 3000, la gamme Cisco ASA 5500 est
la première solution à proposer des services VPN SSL et IPSec
protégés par la première technologie de pare-feu du marché.
2. .. Services de protection des contenus à la pointe de 2. Services de protection des contenus à la pointe de
l’industrie l’industrie
Réunit la maîtrise de Trend Micro en matière de protection
contre les menaces et de contrôle des contenus à la périphérie
Internet et les solutions éprouvées de Cisco pour fournir des
services anti-X complets – protection contre les virus, les
logiciels espions, le courrier indésirable et le phishing, ainsi que
le blocage de fichiers, le blocage et le filtrage des URL et le
filtrage des contenus.
3. .. Services 3. Services Services évolués de prévention des intrusions évolués de prévention des intrusions évolués de prévention des intrusions
Les services proactifs de prévention des intrusions offrent toutes
les fonctionnalités qui permettent de bloquer un large éventail de
menaces – vers, attaques sur la couche applicative ou au niveau
du système d'exploitation, rootkits, logiciels espions, partages de
fichiers en « peer-to-peer » et messagerie instantanée.
4. .. Services multifonctions de gestion et de surveillance 4. Services multifonctions de gestion et de surveillance Services multifonctions de gestion et de surveillance
Sur une même plate-forme, la gamme Cisco ASA 5500 fournit
des services de gestion et de surveillance utilisables de manière
intuitive grâce au gestionnaire Cisco ASDM (Adaptive Security
Device Manager) ainsi que des services de gestion de catégorie
entreprise avec Cisco Security Management Suite.
5. .. Réduction des frais de déploiement et d’exploitati 5. Réduction des frais de déploiement et d’exploitati Réduction des frais de déploiement et d’exploitationononon
Développée autour d’un concept et d’une interface analogues à
ceux des solutions de sécurité existantes de Cisco, la gamme
Cisco ASA 5500 permet de réduire considérablement le coût
d’acquisition que ce soit dans le cadre d’un premier déploiement
d’une solution de sécurité ou d’une gestion au jour le jour.
Serveurs de sécurité adaptatifs de la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUEACRONYMES ACRONYMES
SSC : Security Services Card, SSM SSC SSM :::: Security Services Module, AIP----SSM :::: Advanced Inspection and Prevention Security Services Module, CSC----SSM :::: Content Security and Control Security
Services Module, 4GE----SSM :::: Module de services de sécurité à 4 ports Ethernet Gigabit
Modèles et licences de la gamme Cisco ASA Modèles et licences de la gamme Cisco ASA 5500
Cisco ASA 5505 Base /
Security Plus
Cisco ASA 5510 Base /
Security Plus
Cisco ASA 5520 Cisco ASA 5520 Cisco ASA 5550 Cisco ASA 5550 Cisco ASA 5540 Cisco ASA 5540
Utilisateur type
Petit bureau / bureau à
domicile ROBO / MSSP /
Télétravailleur d’entreprise
PME / Petite société Petite société
Entreprise de taille
moyenne
Grande entreprise
Résumé des performances Résumé des performances
Débit maximal du pare-feu (Mbits/s) 150 300 450 650 1200
Débit maximal des VPN 3DES ou AES (Mbits/s) 100 170 225 325 425
Nombre maximal connexions VPN à distance et de site à
site
10 / 25 250 750 5000 5000
Nombre maximal de connexions VPN SSL 1 25 250 750 2500 5000
Nombre maximal de connexions 10 000 / 25 000 50 000 / 130 000 280 000 400 000 650 000
Nombre maximal de connexions / seconde 3000 6000 9000 20 000 28 000
Paquets par seconde (64 octets) 85 000 190 000 320 000 500 000 600 000
Récapitulatif technique Récapitulatif technique
Mémoire (Mo) 256 256 512 1024 4096
Mémoire Flash système (Mo) 64 64 64 64 64
Ports intégrés
Commutateur 10/100 8
ports avec 2 ports à
alimentation en ligne (PoE)
5-10/100 4-10/100/1000,1-10/100 4-10/100/1000,1-10/100 8-10/100/1000,1-10/100
Nombre maximal d’interfaces virtuelles (VLAN)
3 (ligne réseau désactivée)
/ 20 (ligne réseau activée)
50 /100 150 200 250
Emplacement d’extension SSC ou SSM Emplacement d’extension SSC ou SSM Oui (SSC) Oui (SSC) Oui (SSC) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Oui (SSM) Nononon
Capacités SSC/SSM
Modules SSC/SSM supportés Ultérieurement, SSC
CSC-SSM, AIP-SSM,4GESSM
CSC-SSM, AIP-SSM,4GESSM
CSC-SSM, AIP-SSM, 4GESSM
Non
Prévention des intrusions Non disponible Oui avec AIP-SSM Oui avec AIP-SSM Oui avec AIP-SSM Non
Débit des services simultanés de limitation des risques
(pare-feu et services IPS) (Mbits/s)
Non disponible
150 (avec AIP-SSM-10)
300 (avec AIP-SSM-20)
225 (avec AIP-SSM-10)
375 (avec AIP-SSM-20)
450 avec AIP-SSM-20 Non disponible
Protection des contenus (antivirus, anti-logiciel espion,
blocage de fichiers, anti-courrier indésirable, anti-phishing,
et filtrage des URL)
Non disponible Oui avec CSC-SSM Oui avec CSC-SSM Oui avec CSC-SSM Non disponible
Nombre maximal d’utilisateurs antivirus, anti-logiciel espion,
blocage de fichiers (CSC-SSM seulement)
Non disponible
500 (avec CSC-SSM-10)
1000 (avec CSC-SSM-20)
500 (avec CSC-SSM-10)
1000 (avec CSC-SSM-20)
500 (avec CSC-SSM-10)
1000 (avec CSC-SSM-20)
Non disponible
Fonctionnalités de la licence CSC SSM Plus Non disponible
Anti-spam, anti-phishing,
filtrage des URL
Anti-spam, anti-phishing,
filtrage des URL
Anti-spam, anti-phishing,
filtrage des URL
Non disponible
Caractéristiques Caractéristiques
Protection de la couche applicative Oui Oui Oui Oui Oui
Pare-feu de couche 2 transparent Oui Oui Oui Oui Oui
Contextes de sécurité (intégrés / maximum) 2 0/0 0/0 / 2/5 2/20 2/50 2/50
Inspection GTP/GPRS 2 Non disponible Non disponible Oui Oui Oui
Haute disponibilité 3
Non disponible / A/V à
inspection d’état
Non disponible / A/A et
A/V
A/A et A/V A/A et A/V A/A et A/V
équilibrage de charge et mise en grappe des VPN Non disponible Non disponible / Oui Oui Oui Oui
1 A partir de la version v7.1 du logiciel Cisco ASA, la fonctionnalité VPN SSL (WebVPN) nécessite une licence. Les systèmes autorisent par défaut 2 utilisateurs VPN SSL pour évaluation et gestion à distance
2 Fonctionnalités sous licence
3 A/V= Actif/Veille ; A/A = Actif/Actif
Copyright © 2007, Cisco Systems, Inc. Tous droits réservés. Cisco, Cisco IOS, Cisco Systems et le logo Cisco Systèmes sont des marques déposées de Cisco Systems, Inc. ou de ses filiales aux Etats-Unis et dans
certains autres pays. C45-345380-04 6/07
Serveurs de sécurité adaptatifs de la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
© 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 1/24
Description des Serveurs de Sécurité Adaptatifs de
la gamme
Cisco ASA 5500
Les Serveurs de Sécurité Adaptatifs Cisco® ASA 5500 combinent les meilleurs services de
VPN et de sécurité, et l’architecture évolutive AIM (Adaptive Identification and Mitigation),
pour constituer une solution de sécurité spécifique. Conçue comme l’élément principal de la
solution Self-Defending Network de Cisco (le réseau qui se défend tout seul), la gamme
Cisco ASA 5500 permet de mettre en place une défense proactive face aux menaces et de
bloquer les attaques avant qu’elles ne se diffusent à travers le réseau, de contrôler l’activité
du réseau et le trafic applicatif et d’offrir une connectivité VPN flexible. Le résultat est une
gamme de puissants serveurs de sécurité réseau multifonctions capables d’assurer en
profondeur la protection élargie des réseaux des PME/PMI et des grandes entreprises tout
en réduisant l’ensemble des frais de déploiement et d’exploitation et en simplifiant les tâches
généralement associées à un tel niveau de sécurité.
Réunissant sur une même plate-forme une combinaison puissante de nombreuses
technologies éprouvées, la gamme Cisco ASA 5500 vous donne les moyens opérationnels et
économiques de déployer des services de sécurité complets vers un plus grand nombre de
sites. La gamme complète des services disponibles avec la famille Cisco ASA 5500 permet
de répondre aux besoins spécifiques de chaque site grâce à des éditions produits conçues
pour les PME comme pour les grandes entreprises. Ces différentes éditions offrent une
protection de qualité supérieure en apportant à chaque installation les services dont elle a
besoin. Chaque édition de la gamme Cisco ASA 5500 regroupe un ensemble spécialisé de
services – firewall, VPN SSL et IPSec, protection contre les intrusions, services Anti-X, etc. –
qui répondent exactement aux besoins des différents environnements du réseau d’entreprise.
Et lorsque les besoins de sécurité de chaque site sont correctement assurés, c’est l’ensemble
de la sécurité du réseau qui en bénéficie.
Figure 1. Les serveurs de sécurité adaptatifs de la gamme Cisco ASA 5500
Fiche Technique © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 2/24
La gamme Cisco ASA 5500 aide les entreprises à protéger plus efficacement leurs réseaux
tout en garantissant une exceptionnelle protection de leurs investissements grâce
notamment, aux éléments clés suivants :
• Des fonctionnalités éprouvées de sécurité et de connectivité VPN. Le système de
prévention des intrusions (IPS) et de firewall multifonctions, ainsi que les technologies
anti-X et VPN IPSec ou SSL (IP Security/Secure Sockets Layer) garantissent la
robustesse de la sécurité des applications, le contrôle d’accès par utilisateur et par
application, la protection contre les vers, les virus et les logiciels malveillants, le filtrage
des contenus ainsi qu’une connectivité à distance par site ou par utilisateur.
• L’architecture évolutive des services AIM (Adaptive Identification and Mitigation).
Exploitant un cadre modulaire de traitement et de politique de services, l’architecture
AIM de Cisco ASA 5500 autorise l’application, par flux de trafic, de services spécifiques
de sécurité ou de réseau qui permettent des contrôles de politiques d’une très grande
précision ainsi que la protection anti-X tout en accélérant le traitement du trafic. Les
avantages en termes de performances et d’économies offerts par l’architecture AIM de
la gamme Cisco ASA 5500, ainsi que l’évolutivité logicielle et matérielle garantie par les
modules SSM (Security Service Module), permettent de faire évoluer les services
existants et d’en déployer de nouveaux, sans remplacer la plate-forme et sans réduire
les performances.
Fondement architectural de la gamme Cisco ASA 5500, AIM permet l’application de
politiques de sécurité hautement personnalisables ainsi qu’une évolutivité de service
sans précédent qui renforce la protection des entreprises contre l’environnement
toujours plus dangereux qui les menace.
• La réduction des frais de déploiement et d’exploitation. La solution multifonctions
Cisco ASA 5500 permet la normalisation de la plate-forme, de la configuration et de la
gestion, contribuant à réduire les frais de déploiement et d’exploitation récurrents.
PRÉSENTATION DE LA GAMME CISCO ASA 5500
La gamme Cisco ASA 5500 inclut les boîtiers de sécurité adaptatifs Cisco ASA 5505, 5510,
5520 et 5540. Il s’agit de quatre serveurs de sécurité ultra-performants issus de l’expertise
de Cisco Systems® en matière de développement de solutions de sécurité et VPN
reconnues et leaders sur leur marché. Cette gamme utilise les dernières technologies des
serveurs de sécurité Cisco PIX® 500, des capteurs Cisco IPS 4200 et des concentrateurs
Cisco VPN 3000. . Conçue comme l’élément principal de la solution Self-Defending Network
de Cisco (réseau qui se défend tout seul), la gamme Cisco ASA 5500 permet de mettre en © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 3/24
place une défense proactive face aux menaces et de bloquer les attaques avant qu’elles ne
se diffusent à travers le réseau, de contrôler l’activité du réseau et le trafic applicatif et d’offrir
une connectivité VPN flexible. Le résultat est une gamme de puissants serveurs de sécurité
réseau multifonctions capables d’assurer en profondeur la protection élargie des réseaux
des PME/PMI et des grandes entreprises tout en réduisant l’ensemble des frais de
déploiement et d’exploitation et en simplifiant les tâches généralement associées à un tel
niveau de sécurité.
L’architecture extensible de services AIM de Cisco et la conception multiprocesseurs flexible
de la gamme Cisco ASA 5500 offrent aux Serveurs de Sécurité Adaptatifs des performances
sans précédent pour de multiples services de sécurité simultanés, tout en offrant une
protection exceptionnelle des investissements. Les serveurs de sécurité adaptatifs de la
gamme Cisco ASA 5500 associent plusieurs processeurs ultra-performants qui travaillent de
concert pour fournir des services de firewall évolués. L’entreprise peut également installer
les modules de services de sécurité de Cisco ASA 5500 : le module AIP-SSM (Advanced
Inspection and Prevention Security Services Module) pour les services de prévention des
intrusions ou le module CSC-SSM (Content Security and Control Security Services Module)
pour les services anti-X évolués. Grâce à cette conception flexible, la gamme Cisco ASA
5500 est la seule capable de s’adapter pour protéger les réseaux face à des menaces
évoluant sans cesse. Elle offre également une protection des investissements exceptionnelle
grâce à du matériel programmable rendant la plate-forme évolutive à long terme. Ces
fonctionnalités de sécurité et VPN ultra-performantes et éprouvées, se combinent à la
connectivité Gigabit Ethernet intégrée et à une architecture sans disque dur local et à
mémoire flash. Ainsi, la gamme Cisco ASA 5500 représente le choix idéal pour les
entreprises qui recherchent la meilleure solution de sécurité haute performance, flexible,
fiable et protégeant les investissements.
.Chaque serveur de la gamme Cisco ASA 5500 accepte, sur le système de base, le nombre
maximal d’utilisateurs de VPN IPSec. L’achat et l’octroi de licences des services VPN SSL se
font séparément. En faisant converger les services VPN IPSec et SSL VPN avec les
technologies complètes de défense contre les menaces, la gamme Cisco ASA 5500 fournit
un accès réseau personnalisable adapté aux besoins de différents environnements de
déploiement. Et cela en proposant un VPN totalement sécurisé avec une sécurité complète
au niveau du réseau et du point d’extrémité.
SERVEUR DE SÉCURITÉ ADAPTATIF CISCO ASA 5505
Le Cisco ASA 5505 est un Serveur de Sécurité Adaptatif complet de prochaine génération
destiné aux petites entreprises, aux agences d’entreprise et aux environnements de
télétravail. De conception modulaire et utilisable dès l’installation (« plug and pay »),il offre des
services haute performance de firewall, de VPN SSL et IPSec ainsi que des services de © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 4/24
réseau multifonctions. Son gestionnaire Web intégré, Cisco Adaptive Security Device
Manager, permet de déployer rapidement et de gérer en toute simplicité le Cisco ASA 5505,
contribuant ainsi à réduire les frais d’exploitation de l’entreprise. Le Cisco ASA 5505 est doté
d’un commutateur Fast Ethernet à 8 ports qui peuvent être groupés dynamiquement afin de
créer jusqu’à trois VLAN distincts pour l’utilisation domestique, les besoins professionnels et
le trafic Internet – une répartition qui améliore la segmentation du trafic et la sécurité du
réseau. Le Cisco ASA 5505 dispose également de deux ports à alimentation en ligne PoE
(Power over Ethernet) pour simplifier le déploiement de téléphones IP Cisco avec leurs
fonctionnalités VoIP automatiques sécurisées, et celui de points d’accès extérieurs sans fil
pour apporter la mobilité au réseau. Particulièrement évolutif, comme les autres modèles de
la gamme, le Cisco ASA 5505 protège les investissements grâce à sa conception modulaire
et dispose d’un emplacement d’extension et de plusieurs ports USB en prévision de futurs
services.
A mesure que les besoins de l’entreprise augmenteront, vous pourrez installer une licence
Security Plus complémentaire qui permettra au Serveur de Sécurité Adaptatif Cisco ASA
5505 d’évoluer pour supporter des capacités plus importantes de connexion et un plus grand
nombre d’utilisateurs VPN IPSec, le support d’une zone démilitarisée (DMZ) et l’intégration
aux environnements de réseau commuté avec le support des lignes réseaux VLAN. Plus
encore, cette licence de mise à niveau maximise la continuité de l’entreprise en offrant un
support pour les connexions redondantes vers les fournisseurs d’accès Internet et des
services de haute disponibilité à inspection d’état Actif/Veille. Grâce à cette combinaison de
services de sécurité et VPN à la pointe de l’industrie, de fonctionnalités réseaux évoluées, de
gestion à distance et d’extensibilité, le Cisco ASA 5505 constitue la solution idéale de
sécurité haut de gamme pour les petites entreprises, les agences et les télétravailleurs.
Le Tableau 1 décrit les caractéristiques du Cisco ASA 5505.
Tableau 1 : Fonctionnalités et capacités du Serveur de Sécurité Adaptatif Cisco ASA 5505
Fonction Description
Débit du firewall Jusqu’à 150 Mbits/s
Débit du VPN Jusqu’à 100 Mbits/s
Connexions 10 000 ; 25 000*
Homologues VPN IPSec 10 ; 25 *
Niveaux de licence des
homologues VPN SSL**
10, ou 25
Interfaces Commutateur Fast Ethernet 8 ports avec
groupage dynamique des ports (dont 2
ports PoE) © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 5/24
Interfaces virtuelles (VLAN) 3 (sans support de l’aggrégation de
VLAN)/20 (avec support de l’aggrégation
de VLAN) *
Haute disponibilité Non prise en charge ; mode actif/veille à
inspection d’état et support ISP
redondant *
* Mise à niveau disponible avec la licence Security Plus de Cisco ASA 5505
** Fonction fournie sous licence distincte ; licence pour 2 homologues incluse dans le système de base
SERVEUR DE SÉCURITÉ ADAPTATIF CISCO ASA 5510
Le Serveur de Sécurité Adaptatif Cisco ASA 5510 propose des services évolués de réseau
et de sécurité aux PME et aux filiales et agences des grandes entreprises, sous la forme
d’une solution économique et facile à déployer. L’application Web Adaptive Security Device
Manager de Cisco, intégrée à la solution, permet de gérer et de surveiller facilement ces
services. Les coûts de déploiement et d’exploitation liés à un tel niveau de sécurité sont ainsi
réduits. Le serveur de sécurité adaptatif Cisco ASA 5510 fournit des services ultraperformants de firewall et VPN, trois interfaces 10/100 Fast Ethernet intégrées, des services
optionnels de lutte contre les vers et de prévention des intrusions via le module AIP-SSM ou
des services complets de protection contre les programmes nuisibles via le module CSCSSM.
La combinaison exceptionnelle de ces services sur une plate-forme unique fait de Cisco ASA
5510 un choix idéal pour les entreprises cherchant une solution de sécurité économique et
extensible avec DMZ. Pour répondre à la multiplication des besoins des entreprises, le
serveur Cisco ASA 5510 peut évoluer vers une densité d’interfaces supérieure et s’intégrer
dans des environnements de réseau commuté via la prise en charge VLAN, grâce à
l’installation d’une licence de mise à niveau Security Plus. Cette licence de mise à niveau
optimise également la continuité des activités grâce aux services de haute disponibilité de
type actif/veille.
Le tableau 2 dresse la liste des fonctionnalités du Cisco ASA 5510.
Tableau 2 : Fonctionnalités et capacité de la plate-forme Cisco ASA 5510
Fonction Description
Débit du firewall Jusqu’à 300 Mbits/s
Débit de protection simultanée
contre les menaces
(firewall + services IPS)
Jusqu’à 150 Mbits/s avec l’AIP-SSM-10
Débit du VPN Jusqu’à 170 Mbits/s © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 6/24
Connexions 50 000 ; 130 000*
Homologues VPN IPSec 250
Niveaux de licence des
homologues VPN SSL**
10, 25, 50, 100 ou 250
Contextes de sécurité Jusqu’à 5 ***
Interfaces 3 ports Fast Ethernet + 1 port de
gestion ; 5 ports Fast Ethernet*
Interfaces virtuelles (VLAN) 0 ; 25 *
Haute disponibilité Non prise en charge ; mode actif/veille*
* Mise à niveau disponible avec la licence Security Plus de Cisco ASA 5510
** Fonction fournie sous licence distincte ; licence pour deux homologues incluse dans le système de
base
*** Fonction fournie sous licence distincte ; deux niveaux inclus avec la licence Cisco ASA 5010 Security
Plus
SERVEUR DE SÉCURITÉ ADAPTATIF CISCO ASA 5520
Le Serveur de Sécurité Adaptatif Cisco ASA 5520 fournit des services de sécurité à haute
disponibilité de type actif/actif et une connectivité Gigabit Ethernet pour les réseaux des
PME, dans une solution modulaire ultra-performante. Les quatre interfaces Gigabit Ethernet et
la prise en charge de 100 VLAN permettent aux entreprises de déployer facilement le Cisco
ASA 5520 dans plusieurs zones au sein de leur réseau.
Ce serveur évolue avec l’entreprise, au rythme de ses besoins de sécurité réseau, et offre
une solide protection des investissements.
Les entreprises peuvent étendre leur capacité VPN IPSec et SSL pour gérer un plus grand
nombre de travailleurs nomades, de sites distants et de partenaires commerciaux. Les
fonctionnalités intégrées d’équilibrage de charge et de mise en grappe des VPN offertes par
le Cisco ASA 5520 permettent d’augmenter la capacité des VPN. Il est également possible
de mettre à niveau la capacité VPN SSL de chaque plate-forme via l’installation des licences
de mise à niveau, au fur et à mesure de l’évolution des besoins de l’entreprise. Pour étendre
les fonctions évoluées de sécurité de la couche applicative et de défenses anti-X offertes par
ce serveur, il convient de déployer les fonctionnalités ultra-performantes de lutte contre les
vers et de prévention des intrusions du module AIP-SSM ou la protection complète contre les
programmes nuisibles du module CSC-SSM. Grâce aux fonctionnalités optionnelles de
contexte de sécurité du Cisco ASA 5520, les entreprises peuvent déployer jusqu’à 10
firewall virtuels dans un serveur afin d’activer le contrôle compartimenté des règles de
sécurité au niveau de leurs services. Cette virtualisation permet de renforcer la sécurité et de
réduire les frais d’administration et d’assistance technique, en regroupant les multiples
solutions de sécurité dans un seul serveur. © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 7/24
Le tableau 3 dresse la liste des fonctionnalités du Cisco ASA 5520.
Tableau 3 : Fonctionnalités et capacité de la plate-forme Cisco ASA 5520
Fonction Description
Débit du firewall Jusqu’à 450 Mbits/s
Débit de protection simultanée
contre les menaces
(firewall + services IPS)
Jusqu’à 225 Mbits/s avec l’AIP-SSM-10
Jusqu’à 375 Mbits/s avec l’AIP-SSM-20
Débit du VPN Jusqu’à 225 Mbits/s
Connexions 280 000
Homologues VPN IPSec 750
Niveaux de licence des homologues
VPN SSL*
10, 25, 50, 100, 250, 500 ou 750
Contextes de sécurité Jusqu’à 20 *
Interfaces 4 ports Gigabit Ethernet et 1 port Fast
Ethernet
Interfaces virtuelles (VLAN) 100
Évolutivité Équilibrage de charge et mise en grappe
des VPN
Haute disponibilité Actif/actif, actif/veille
*Fonction fournie sous licence distincte ; licences pour 2 homologues incluse dans le système de base
SERVEUR DE SÉCURITÉ ADAPTATIF CISCO ASA 5540
Le serveur de sécurité adaptatif Cisco ASA 5540 fournit des services de sécurité haute
performance et haute densité, avec une haute disponibilité de type actif/actif et une
connectivité Gigabit Ethernet. Il est destiné aux réseaux des grandes et moyennes
entreprises et des fournisseurs d’accès, dans une solution modulaire et fiable. Grâce à quatre
interfaces Gigabit Ethernet et à la prise en charge de 200 VLAN, le Cisco ASA 5540 permet
aux entreprises de segmenter leur réseau en plusieurs zones, pour une plus grande sécurité.
Ce serveur évolue avec l’entreprise, au rythme de ses besoins de sécurité, offrant une
protection des investissements et une évolutivité des services exceptionnelles. Pour étendre
les fonctions évoluées de sécurité au niveau de la couche applicative et du réseau, et de
défenses anti-X offertes par le serveur, il convient de déployer le module AIP-SSM pour les
fonctions ultra-performantes de prévention des intrusions et de lutte contre les vers.
Les entreprises peuvent dimensionner leur capacité VPN IPSec et SSL de différentes façons
pour gérer un plus grand nombre de travailleurs nomades, de sites distants et de partenaires
commerciaux. Les fonctionnalités intégrées d’équilibrage de charge et de mise en grappe
des VPN offertes par le Cisco ASA 5540 permettent d’augmenter la résistance et la capacité
des VPN. Il prend en charge jusqu’à 10 serveurs par grappe, pour un maximum de 50 000 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 8/24
homologues VPN IPSec par grappe. Les entreprises peuvent aller jusqu’à 2 500 homologues
VPN SSL sur chaque Cisco ASA 5540, en installant une licence de mise à niveau VPN SSL. La
plate-forme de base peut prendre en charge 5 000 homologues VPN IPSec. Grâce aux
fonctionnalités optionnelles de contexte de sécurité du Cisco ASA 5540, les entreprises
peuvent déployer jusqu’à 50 firewall virtuels dans un serveur afin d’activer le contrôle
compartimenté des règles de sécurité par service ou par client et générer une réduction des
coûts de gestion et d’assistance technique.
Le tableau 4 dresse la liste des fonctionnalités du Cisco ASA 5540.
Tableau 4 : Fonctionnalités et capacité de la plate-forme Cisco ASA 5540
Fonction Description
Débit du firewall Jusqu’à 650 Mbits/s
Débit de protection simultanée
contre les menaces
(firewall + services IPS)
Jusqu’à 450 Mbits/s avec l’AIP-SSM-20
Débit du VPN Jusqu’à 325 Mbits/s
Connexions 400 000
Homologues VPN IPSec 5 000
Niveaux de licence des
homologues VPN SSL*
10, 25, 50, 100, 250, 500, 750, 1000 et
2500
Contextes de sécurité Jusqu’à 50*
Interfaces 4 ports Gigabit Ethernet et 1 port Fast
Ethernet
Interfaces virtuelles (VLAN) 200
Évolutivité Équilibrage des charges et mise en grappe
des VPN
Haute disponibilité Actif/actif, actif/veille
*Fonction fournie sous licence distincte ; licence pour 2 homologues incluse dans le système de base
SERVEUR DE SÉCURITÉ ADAPTATIF CISCO ASA 5550
De format compact (1 RU), le Serveur de Sécurité Adaptatif Cisco ASA 5550 fournit de
manière fiable des services de sécurité de classe Gigabit avec haute disponibilité actif/actif
et une connectivité fibre et Ethernet Gigabit pour les réseaux des grandes entreprises et des
fournisseurs de services. Grâce à ses huit interfaces Ethernet Gigabit, ses quatre interfaces
fibres SFP (Small Form-Factor Pluggable) et sa capacité à supporter jusqu’à 200 VLAN, il
donne à l’entreprise les moyens de segmenter son réseau en un grand nombre de zones
haute performance pour plus de sécurité. © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 9/24
A mesure que les besoins de sécurité de l’entreprise augmentent, le Serveur de Sécurité
Adaptatif Cisco ASA 5550 évolue avec eux pour garantir une exceptionnelle protection de
l’investissement et des niveaux de services toujours adaptés. L’entreprise peut augmenter sa
capacité VPN IPSec et SSL pour servir un nombre croissant de travailleurs mobiles, de sites
distants et de partenaires : une licence de mise à niveau permet de supporter jusqu’à 5000
homologues VPN SSL sur chaque Cisco ASA 5550, tandis que la plate-forme de base
accepte jusqu’à 5000 homologues VPN IPSec. Les fonctionnalités intégrées d’équilibrage de
charge et de mise en grappes des VPN contribuent encore à augmenter la capacité et la
robustesse VPN du Cisco ASA 5550 : jusqu’à 10 serveurs peuvent être mis en grappe pour
une capacité maximale de 50 000 homologues VPN SSL et 50 000 homologues VPN IPSec
par grappe. Grâce aux fonctionnalités de sécurité contextuelles en option du Serveur de
Sécurité Adaptatif Cisco ASA 5550, l’entreprise peut déployer jusqu’à 50 firewall virtuels sur
un même appareil afin de permettre le contrôle compartimenté des politiques de sécurité par
service ou par client, ce qui réduit considérablement les frais de gestion et d’assistance.
Note : Le système dispose de douze ports Ethernet Gigabit au total, dont huit peuvent être
utilisés en même temps. Pour donner encore plus de souplesse à la connectivité de data
centre, de réseau campus ou de périphérie de l’entreprise, le serveur de sécurité adaptatif
Cisco ASA 5550 accepte les connectivités cuivre et fibre.
Le Tableau 5 donne la liste des caractéristiques du Cisco ASA 5550
Tableau 5 : Fonctionnalités et capacité de la plate-forme Cisco ASA 5550
Fonction Description
Débit du firewall Jusqu’à 1,2 Gbits/s
Débit du VPN Jusqu’à 425 Mbits/s
Connexions 650 000
Homologues VPN IPSec 5 000
Niveaux de licence des
homologues VPN SSL*
10, 25, 50, 100, 250, 500, 750, 1000, 2500
et 5000
Contextes de sécurité Jusqu’à 50*
Interfaces 8 ports Gigabit Ethernet, 4 ports fibres SFP
et 1 port Fast Ethernet
Interfaces virtuelles (VLAN) 200
Évolutivité Équilibrage de charge et mise en grappe
des VPN
Haute disponibilité Actif/actif, actif/veille
*Fonction fournie sous licence distincte ; licence pour 2 homologues incluse dans le système de base © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 10/24
CARACTÉRISTIQUES DES PRODUITS
Le tableau 6 permet de comparer les Serveurs de Sécurité Adaptatifs Cisco ASA 5510, 5520
et 5540.
Tableau 6 : Caractéristiques des Serveurs de Sécurité Adaptatifs de la gamme Cisco ASA
5500
Cisco ASA
5505
Cisco ASA
5510
Cisco ASA
5520
Cisco ASA
5540
Cisco ASA
5550
Utilisateurs/nœ
uds
10, 50 ou illimité Illimité Illimité Illimité Illimité
Débit du
firewall
Débit de
protection
simultanée
contre les
menaces
(firewall +
services IPS)
Jusqu’à 150
Mbits/s
Non disponible
Jusqu’à 300
Mbits/s
Jusqu’à 150
Mbits/s avec
l’AIP-SSM-10
Jusqu’à 375
Mbits/s avec
l’AIP-SSM-20
Jusqu’à 450 M
Jusqu’à 225
Mbits/s avec
l’AIP-SSM-
10bits/s
Jusqu’à 650
Jusqu’à 450
Mbits/s avec
l’AIP-SSM-
20Mbits/s
Jusqu’à 1,2
Gbits/s
Non
disponible
Débit du VPN
3DES/AES
Jusqu’à 100
Mbits/s
Jusqu’à 170
Mbits/s
Jusqu’à 225
Mbits/s
Jusqu’à 325
Mbits/s
Jusqu’à 425
Mbits/s
Homologues
VPN IPSec
10 ; 25 * 250 750 5000 5000
Homologues
VPN SSL*
(inclus/maximu
m)
2/25 2 /250 2/750 2/2 500 2/5000
Connexions
Nouvelles
sessions/secon
de
10 000 ; 25 000 *
3 000
50 000 ;
130 000*
6 000
280 000
9 000
400 000
20 000
650000
28 000
Ports réseau
intégrés
Commutateur
Fast Ethernet 8
ports (dont deux
ports PoE)
3 ports Fast
Ethernet + ;
1 port de
gestion ;
5 ports Fast
Ethernet*
4 ports Gigabit
Ethernet ; 1 port
Fast Ethernet
4 ports Gigabit
Ethernet ;
1 port Fast
Ethernet
8 ports
Gigabit
Ethernet, 4
ports fibres
SFP ;
1 port Fast
Ethernet
Interfaces
virtuelles
(VLAN)
3 (sans support
de ligne
réseau)/20 (avec
support de lignes
réseaux) *
50/100* 100 200 250 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 11/24
Contextes de
sécurité
(inclus/max.)
0/0 0/0 (base) ; 2/5
(Security Plus)
2/20 2/50 2/50
Haute
disponibilité
Non prise en
charge ; mode
actif/veille à
inspection d’état
et support ISP
redondant *
Non prise en
charge ; mode
actif/veille*
Actif/actif et
actif/veille
Actif/actif et
actif/veille
Actif/actif et
actif/veille
Emplacement
d’extension
SSM
1, SSC 1, SSM 1, SSM 1, SSM 0
Emplacement
accessible
mémoire flash
0 1 1 1 1
Ports USB 2.0
Ports série
3 (1 à l’avant, 2 à
l’arrière)
1 RJ-45 console
2
2 RJ-45,
console et
auxiliaire
2
2 RJ-45, console
et auxiliaire
2
2 RJ-45, console
et auxiliaire
2
2 RJ-45,
console et
auxiliaire
Ports série 1 RJ-45 console 2 RJ-45,
console et
auxiliaire
2 RJ-45, console
et auxiliaire
2 RJ-45, console
et auxiliaire
2 RJ-45,
console et
auxiliaire
Montage sur
rack
Oui, avec kit de
montage sur rack
(disponible
ultérieurement)
Oui Oui Oui Oui
Montage au
mur
Oui, avec kit de
montage au mur
(disponible
ultérieurement)
Non Non Non Non
Spécifications techniques
Mémoire 256 Mo 256 Mo 512 Mo 1024 Mo 4096 Mo
Mémoire flash
système
minimum
64 Mo 64 Mo 64 Mo 64 Mo 64 Mo
Bus système Architecture
multi-bus
Architecture
multi-bus
Architecture
multi-bus
Architecture
multi-bus
Architecture
multi-bus
Conditions de fonctionnement
En fonctionnement
Température 0 à 40ºC 0 à 40ºC
Humidité
relative
5 à 95 % sans
condensation
5 à 95 % sans condensation
Altitude 0 à 3000 m 0 à 3000 m
Tolérance aux
chocs
1/2 sinusoïdale à
1,14 m/s
1/2 sinusoïdale à 1,14 m/s
Vibrations Aléatoire, 0,41
Grms2 (3 à 500
Hz)
Aléatoire, 0,41 Grms2 (3 à 500 Hz) © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 12/24
Bruit
acoustique
0 dBa maximum 60 dBa maximum
En mode stockage
Température -25 à 70ºC -25 à 70ºC
Humidité
relative
5 à 95 % sans
condensation
5 à 95 % sans condensation
Altitude 0 à 4570 m 0 à 4570 m
Tolérance aux
chocs
30 G 30 G
Vibrations Aléatoire, 0,41
Grms2 (3 à 500
Hz)
Aléatoire, 0,41 Grms2 (3 à 500 Hz)
Alimentation électrique
Entrée (par alimentation électrique)
Plage de
tension
100 à 240 V c.a. 100 à 240 V c.a.
Tension
normale
100 à 240 V c.a. 100 à 240 V c.a.
Courant 1,8 A 3 A
Fréquence 50 à 60 Hz,
monophasé
47 à 63 Hz, monophasé
Sortie
Régime
permanent
20 W 150 W
Pic maximal 96 W 190 W
Dissipation
thermique
maximale
72 BTU/h 648 BTU/h
Données physiques
Facteur de
forme
Ordinateur de
bureau
Montage en rack 1 U de 19 pouces
Dimensions (H
x L x P)
4,45 x 20,04x
17,45 cm
4,45 x 44,5 x 33,5 cm
Poids (avec
l’alimentation)
1,8 kg 9,07 kg
Conformité à la réglementation et aux normes
Sécurité UL 60950, CSA
C22.2 No. 60950,
EN 60950, IEC
60950,
AS/NZS3260
UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260,
TS001
Compatibilité
électromagnéti
que
Marquage CE,
FCC Part 15
Classe B,
AS/NZS 3548
Classe B, VCCI
Classe B,
Marquage CE, FCC Part 15 Classe A, AS/NZS 3548 Classe A, VCCI
Classe A, © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 13/24
(EMC) EN55022 Classe
B, CISPR22
Classe B,
EN61000-3-2,
EN61000-3-3
EN55022 Classe A, CISPR22 Classe A, EN61000-3-2, EN61000-3-3
Certifications
industrielles
En cours : ICSA
Firewall, ICSA
IPSec, Common
Criteria EAL4,
FIPS 140-2 Level
2
Common Criteria EAL4+ US DoD Application-Level Firewall for
Medium- Robustness Environnements, FIPS 140-2 Level 2, NEBS Level
3, ICSA Firewall, ICSA IPSec, ICSA Gateway Anti-Virus (couplé à CSC
SSM-10 ou CSC SSM-20). En cours: Common Criteria EAL4 for VPN,
Common Criteria EAL2 for IPS on AIP SSM.
*Disponible par l’intermédiaire d’une licence de mise à niveau
MODULES DE SERVICES DE SÉCURITÉ
La gamme Cisco ASA 5500 permet aux réseaux de franchir un nouveau palier en matière de
sécurité intégrée, grâce à son architecture matérielle multi-processeurs et des services AIM
exceptionnels. Cette architecture permet aux entreprises d’adapter et d’élargir le profil de
services de sécurité haute performance de la gamme Cisco ASA 5500. Les clients peuvent
ajouter des services de sécurité haute performance supplémentaires à l’aide des modules de
services de sécurité associés à des coprocesseurs de sécurité dédiés. Ils peuvent
également personnaliser les règles propres aux flux à l’aide d’une infrastructure extrêmement
souple de définitions des règles. Cette architecture adaptable permet aux entreprises de
déployer de nouveaux services de sécurité dès qu’elles en ont besoin. Par exemple, elles
peuvent ajouter la vaste gamme de services évolués de lutte contre les vers et de prévention
des intrusions fournis par le module AIP-SSM ou les services complets anti-X et de
protection contre les programmes nuisibles offerts par le module CSC-SSM. D’autre part,
cette architecture permet à Cisco de lancer de nouveaux services répondant à de nouvelles
menaces, offrant aux entreprises une excellente protection des investissements pour la
gamme Cisco ASA 5500.
Module adaptatif de prévention et d’inspection
Le module Cisco ASA 5500 AIP-SSM est une solution réseau en ligne conçue pour identifier
avec précision, classifier et bloquer le trafic malveillant, avant qu’il n’entraîne des
répercussions sur votre activité. Utilisant le logiciel IPS pour Cisco ASA 5500, le module AIPSSM combine les services de prévention en ligne et des technologies innovantes. Cela
permet une confiance totale vis-à-vis de la protection offerte par la solution IPS déployée,
sans crainte de suppression du trafic légitime. Le module AIP-SSM propose également une
protection complète du réseau grâce à sa capacité exceptionnelle à collaborer avec d’autres
ressources de sécurité, offrant une approche proactive de la protection du réseau. Il utilise
des technologies précises de prévention en ligne, qui permettent de prendre des mesures
préventives vis-à-vis d’un panel plus vaste de menaces, sans risque de suppression du trafic
légitime. Ces technologies exceptionnelles offrent une analyse intelligente, automatisée et
contextuelle des données, permettant de s’assurer que les entreprises exploitent au © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 14/24
maximum leurs solutions de prévention des intrusions. Le module AIP-SSM utilise également
une identification des menaces liées aux attaques multivecteurs pour protéger le réseau
contre les violations de règles, l’exploitation des vulnérabilités et les activités anormales,
grâce à une inspection minutieuse du trafic sur les couches 2 à 7.
Le tableau 7 détaille les deux modèles AIP-SSM proposés, ainsi que leurs caractéristiques
physiques et leurs performances respectives.
Tableau 7 : Caractéristiques du module AIP-SSM pour la gamme Cisco ASA 5500
Cisco ASA 5500 AIP-SSM-10 Cisco ASA 5500 AIP-SSM-
20
Débit de protection
simultanée
contre les
menaces
(firewall + services
IPS)
150 Mbits/s avec le Cisco ASA
5510
225 Mbits/s avec le Cisco ASA
5520
300 Mbits/s avec le Cisco
ASA 5510
375 Mbits/s avec le Cisco
ASA 5520
450 Mbits/s avec le Cisco
ASA 5540
Spécifications techniques
Mémoire 1 Go 2 Go
Mémoire flash 256 Mo 256 Mo
Conditions de fonctionnement
En fonctionnement
Température 0 à 40ºC
Humidité relative 5 à 95 % sans condensation
En mode stockage
Température -25 à 70ºC
Consommation
électrique
90 W maximum
Données physiques
Dimensions (H x L x
P)
4,32 x 17,27 x 27,.94 cm
Poids (avec
l’alimentation)
1,36 kg © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 15/24
Conformité à la réglementation et aux normes
Sécurité UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950,
AS/NZS3260, TS001
Compatibilité
électromagnétique
(EMC)
Marquage CE, FCC Part 15 Classe A, AS/NZS 3548 Classe A,
VCCI Classe A, EN55022 Classe A, CISPR22 Classe A, EN61000-
3-2, EN61000-3-3
Module de contrôle et de sécurité du contenu
Le module CSC-SSM de la gamme Cisco ASA 5500 offre le meilleur service du marché en
matière de contrôle du contenu et de protection contre les menaces Internet à la périphérie
du réseau. Cette solution facile à administrer comporte des fonctions complètes d’antivirus,
d’antilogiciels espions, de blocage de fichiers, d’antispam, d’antiphishing, de blocage et
filtrage d’URL et de filtrage du contenu.
Le module CSC-SSM ajoute des fonctionnalités de sécurité performantes à la gamme Cisco
ASA 5500, offrant aux clients une protection supplémentaire et le contrôle du contenu de
leurs communications d’entreprise. Ce module procure une souplesse et un choix
supplémentaire vis-à-vis du fonctionnement et du déploiement des serveurs de la gamme
Cisco ASA 5500. Les options de licence permettent aux entreprises de personnaliser les
fonctionnalités conformément aux besoins de chaque groupe d’utilisateurs, grâce à des
fonctions incluant des services de contenu évolués et un nombre d’utilisateurs accru. Le
module CSC-SSM est livré avec un ensemble de fonctions par défaut offrant des services
d’antivirus, d’antilogiciels espions et de blocage des fichiers. Une licence «Plus» est
disponible pour chaque module CSC-SSM ,à un coût additionnel. Cette licence permet de
bénéficier de fonctionnalités d’antispam, d’antiphishing, de blocage et de filtrage d’URL et de
contrôle du contenu. Pour augmenter la capacité utilisateur du module CSC-SSM, les
entreprises peuvent acheter et installer des licences utilisateurs supplémentaires. Le tableau
ci-dessous contient la liste détaillée de ces options, que vous retrouverez également dans la
fiche technique du module CSC-SSM.
Tableau 8 : Caractéristiques du module CSC-SSM pour la gamme Cisco ASA 5500
Cisco ASA 5500 CSC-SSM-
10
Cisco ASA 5500 CSC-SSM-
20
Plates-formes
prises en charge
• Serveur de Sécurité
Adaptatif
Cisco ASA 5510
• Serveur de Sécurité
Adaptatif Cisco ASA 5510 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 16/24
• Serveur de Sécurité
Adaptatif
Cisco ASA 5520
• Serveur de Sécurité
Adaptatif Cisco ASA 5520
• Serveur de Sécurité
Adaptatif Cisco ASA 5540
Fonctionnalités standard et optionnelles
Licence utilisateur
standard
50 utilisateurs 500 utilisateurs
Fonctionnalités
standard
Antivirus, antilogiciels espions, blocage des fichiers
Mises à niveau
facultatives du
nombre
d’utilisateurs
(nombre total)
• 100 utilisateurs
• 250 utilisateurs
• 500 utilisateurs
• 750 utilisateurs
• 1 000 utilisateurs
Fonctionnalités en
option
Licence Plus : permet d’ajouter l’antispam, l’antiphishing, le
blocage et le
filtrage d’URL et le contrôle du contenu
Spécifications techniques
Mémoire 1 Go 2 Go
Mémoire flash
système
256 Mo 256 Mo
Mémoire cache 256 Ko 512 Ko
Conditions de fonctionnement
En fonctionnement
Température 0 à 40ºC
Humidité relative 10 à 90 %, sans condensation
En mode stockage
Température -25 à 70ºC
Consommation
électrique
90 W maximum
Données physiques
Dimensions (H x L x
P)
4,32 x 17,27 x 27,.94 cm
Poids (avec
l’alimentation)
1,36 kg
Conformité à la réglementation et aux normes
Sécurité UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950,
AS/NZS3260, TS001 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 17/24
Compatibilité
électromagnétique
(EMC)
Marquage CE, FCC Part 15 Classe A, AS/NZS 3548 Classe A,
VCCI Classe A,
EN55022 Classe A, CISPR22 Classe A, EN61000-3-2, EN61000-
3-3
Module Gigabit Ethernet 4 ports Cisco ASA
Le module de services de sécurité Gigabit Ethernet 4 ports de Cisco ASA permet aux
responsables de sécurité de mieux segmenter le trafic réseau et de créer des zones de
sécurité séparées, chacune étant associée à son propre ensemble de règles de sécurité
personnalisées. Ces séparations peuvent aller d’Internet aux sites/services internes
d’entreprise, en passant par les zones démilitarisées (DMZ). Ce module ultra-performant
prend en charge les options de connexion cuivre et optique via la sélection des quatre ports
RJ-45 cuivre 10/100/1000 standard ou des quatre ports compacts enfichables (SFP, Small
Form-Factor Pluggable) pour le SFP optique Gigabit Ethernet. Il offre une grande flexibilité
pour la connectivité des centres de données, des campus ou à la périphérie de l’entreprise. Il
est possible de configurer un mélange de types de port cuivre ou optique (jusqu’à 4 ports).
Ce module étend le profil d’E/S de la gamme Cisco ASA 5500 à un total de cinq ports Fast
Ethernet et quatre ports Gigabit Ethernet sur le Cisco ASA 5510, huit ports Gigabit Ethernet
et un port Fast Ethernet sur les serveurs Cisco ASA 5520 et 5540 (Tableau 9).
Tableau 9 : Caractéristiques du module SSM Ethernet Gigabit 4 ports de la gamme Cisco
ASA 5500
Cisco ASA 5500 SSM-4GE
Spécifications techniques
Ports LAN intégrés Quatre 10/100/1000BASE-T (RJ-45)
Ports SFP intégrés Quatre (SFP optique Gigabit Ethernet 1000BASE-SX ou
émetteur-récepteur LX/LH pris en charge)
Conditions de fonctionnement
En fonctionnement
Température 0 à 40ºC
Humidité relative 5 à 95 % sans condensation
En mode stockage
Température -25 à 70ºC
Consommation
électrique
25 W maximum © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 18/24
Données physiques
Dimensions (H x L x
P)
3,81 x 17,27 x 27,.94 cm
Poids (avec
l’alimentation)
0,91 kg
Conformité à la réglementation et aux normes
Sécurité UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950,
AS/NZS3260, TS001
Compatibilité
électromagnétique
(EMC)
Marquage CE, FCC Part 15 Classe A, AS/NZS 3548 Classe A,
VCCI Classe A,
EN55022 Classe A, CISPR22 Classe A, EN61000-3-2, EN61000-
3-3
© 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 19/24
INFORMATIONS DE COMMANDE
Pour passer une commande, rendez-vous sur le site Cisco
(http://www.cisco.com/web/FR/acheter/acheter_home.html). Le tableau 8 fournit des
informations nécessaires à l’achat de produits de la gamme Cisco ASA 5500.
Tableau 10 : Informations de commande
Nom du produit
Packs Cisco ASA 5500 Firewall Edition
Référence produit
Pack Cisco ASA 5505 10 utilisateurs avec commutateur
Fast Ethernet 8 ports, 10 homologues VPN IPsec, 2
homologues VPN SSL, licence 3DES/AES (Triple Data
Encryption Standard/Advanced Encryption Standard)
ASA5505-BUN-K9
Pack Cisco ASA 5505 50 utilisateurs avec commutateur
Fast Ethernet 8 ports, 10 homologues VPN IPsec, 2
homologues VPN SSL, licence 3DES/AES
ASA5505-50-BUN-K9
Pack Cisco ASA 5505 nombre illimité d’utilisateurs avec
commutateur Fast Ethernet 8 ports, 10 homologues VPN
IPsec, 2 homologues VPN SSL, licence 3DES/AES
ASA5505-UL-BUN-K9
Pack Cisco ASA 5505 nombre illimité d’utilisateurs avec
Security Plus, commutateur Fast Ethernet 8 ports, 25
homologues VPN IPsec, 2 homologues VPN SSL, zone
démilitarisée (DMZ), haute disponibilité actif/veille à
inspection d’état, licence 3DES/AES
ASA5505-SEC-BUN-K9
Cisco ASA 5510 Firewall Edition, avec 3 interfaces Fast
Ethernet, 250 homologues VPN IPSec, 2 homologues VPN
SSL, licence 3DES/AES
ASA5510-BUN-K9
Cisco ASA 5510 Security Plus Firewall Edition, avec 5
interfaces Fast Ethernet, 250 homologues VPN IPSec,
2 homologues VPN SSL, haute disponibilité actif/veille,
licence 3DES/AES
ASA5510-SEC-BUN-K9
Cisco ASA 5520 Firewall Edition, avec 4 interfaces Gigabit
Ethernet et 1 interface Fast Ethernet, 750 homologues
VPN IPSec et 2 homologues VPN
SSL, , haute disponibilité actif/veille et actif/actif, licence
3DES/AES
ASA5520-BUN-K9
Cisco ASA 5540 Firewall Edition, avec 4 interfaces Gigabit
Ethernet et 1 interface Fast Ethernet, 5 000 homologues
VPN IPSec et 2 homologues
ASA5540-BUN-K9 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 20/24
VPN SSL, licence 3DES/AES
Cisco ASA 5550 Firewall Edition, avec 8 interfaces Gigabit
Ethernet et 1 interface Fast Ethernet, 4 interfaces SFP
Gigabit, 5 000 homologues VPN IPSec et 2 homologues
VPN SSL, licence 3DES/AES
ASA5550-BUN-K9
Packs Cisco ASA 5500 IPS Edition
Cisco ASA 5510 IPS Edition, avec le module AIP-SSM-10,
les services de firewall,
250 homologues VPN IPSec, 2 homologues VPN SSL, 3
interfaces Fast Ethernet
ASA5510-AIP10-K9
Cisco ASA 5520 IPS Edition, avec le module AIP-SSM-10,
les services de firewall,
250 homologues VPN IPSec, 2 homologues VPN SSL, 4
interfaces Gigabit Ethernet et 1 interface Fast Ethernet
ASA5520-AIP10-K9
Cisco ASA 5520 IPS Edition, avec le module AIP-SSM-20,
les services de firewall,
750 homologues VPN IPSec, 2 homologues VPN SSL, 4
interfaces Gigabit Ethernet et 1 interface Fast Ethernet
ASA5520-AIP20-K9
Cisco ASA 5540 IPS Edition, avec le module AIP-SSM-20,
les services de firewall,
5 000 homologues VPN IPSec, 2 homologues VPN SSL, 4
interfaces Gigabit Ethernet et 1 interface Fast Ethernet
ASA5540-AIP20-K9
Packs Cisco ASA 5500 Anti-X Edition
Cisco ASA 5510 Anti-X Edition, avec le module CSC-SSM-
10, un antivirus/antilogiciels
espions pour 50 utilisateurs avec abonnement d’un an, des
services de firewall,
250 homologues VPN IPSec, 2 homologues VPN SSL, 3
interfaces Fast Ethernet
ASA5510-CSC10-K9
Cisco ASA 5510 Anti-X Edition, avec le module CSC-SSM-
20, un antivirus/antilogiciels
espions pour 500 utilisateurs avec abonnement d’un an,
des services de firewall,
250 homologues VPN IPSec, 2 homologues VPN SSL, 3
interfaces Fast Ethernet
ASA5510-CSC20-K9
Cisco ASA 5520 Anti-X Edition, avec le module CSC-SSM-
10, un antivirus/antilogiciels
espions pour 50 utilisateurs avec abonnement d’un an, des
services de firewall,
ASA5520-CSC10-K9 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 21/24
750 homologues VPN IPSec, 2 homologues VPN SSL, 4
interfaces Gigabit Ethernet et 1 interface Fast Ethernet
Cisco ASA 5520 Anti-X Edition, avec le module CSC-SSM-
20, un antivirus/antilogiciels
espions pour 500 utilisateurs avec abonnement d’un an,
des services de firewall,
750 homologues VPN IPSec, 2 homologues VPN SSL, 4
interfaces Gigabit Ethernet et 1 interface Fast Ethernet
ASA5520-CSC20-K9
Packs Cisco ASA 5500 VPN Edition
Cisco ASA 5505 SSL/IPsec VPN Edition, avec 10
homologues VPN Ipsec, 10 homologues VPN SSL, 50
utilisateurs de services de firewall, commutateur Fast
Ethernet 8 ports
ASA5505-SSL10-K9
Cisco ASA 5505 SSL/IPsec VPN Edition, avec 25
homologues VPN Ipsec, 25 homologues VPN SSL, 50
utilisateurs de services de firewall, commutateur Fast
Ethernet 8 ports, licence Security Plus
ASA5505-SSL25-K9
Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues
VPN IPsec et 50 homologues VPN SSL, services de
firewall, 3 interfaces Fast Ethernet
ASA5510-SSL50-K9
Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues
VPN IPsec, 100 homologues VPN SSL, services de firewall,
3 interfaces Fast Ethernet
ASA5510-SSL100-K9
Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues
VPN IPsec et 250 homologues VPN SSL, services de
firewall, 3 interfaces Fast Ethernet
ASA5510-SSL250-K9
Cisco ASA 5520 SSL/IPsec VPN Edition, 750 homologues
VPN IPsec et 500 homologues VPN SSL, services de
firewall, 4 interfaces Ethernet Gigabit, 1 interface Fast
Ethernet
ASA5520-SSL500-K9
Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 homologues
VPN IPsec et 1000 homologues VPN SSL, services de
firewall, 4 interfaces Ethernet Gigabit, 1 interface Fast
Ethernet
ASA5540-SSL1000-K9
Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 homologues
VPN IPsec et 2500 homologues VPN SSL, services de
firewall, 4 interfaces Ethernet Gigabit, 1 interface Fast
Ethernet
ASA5540-SSL2500-K9
Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues ASA5550-SSL2500-K9 © 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 22/24
VPN IPsec et 2500 homologues VPN SSL, services de
firewall, 8 interfaces Ethernet Gigabit, 1 interface Fast
Ethernet
Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues
VPN IPsec et 5000 homologues VPN SSL, services de
firewall, 8 interfaces Ethernet Gigabit, 1 interface Fast
Ethernet
ASA5550-SSL5000-K9
Modules de services de sécurité
Cisco ASA Advanced Inspection and Prevention Security
Services Module 10
ASA-SSM-AIP-10-K9=
Cisco ASA Advanced Inspection and Prevention Security
Services Module 20
ASA-SSM-AIP-20-K9=
Cisco ASA Content Security and Control Security Services
Module 10 pour 50 utilisateurs
Antivirus/antilogiciels espions, abonnement d’un an
ASA-SSM-CSC-10-K9=
Cisco ASA Content Security and Control Security Services
Module 20 pour 500 utilisateurs
Antivirus/antilogiciels espions, abonnement d’un an
ASA-SSM-CSC-20-K9=
Cisco ASA 4-Port Gigabit Ethernet Security Services
Module
SSM-4GE=
Logiciels de la gamme Cisco ASA 5500
Mise à niveau unique du logiciel Cisco ASA pour les clients
non pris en charge
ASA-SW-UPGRADE=
Accessoires de la gamme Cisco ASA 5500
Mémoire compact flash pour la gamme Cisco ASA 5500,
256 Mo
ASA5500-CF-256MB=
Mémoire compact flash pour la gamme Cisco ASA 5500,
512 Mo
ASA5500-CF-512MB=
Bloc d’alimentation 180 W c.a. pour la gamme Cisco ASA ASA-180W-PWR-AC=
Connecteur SFP Gigabit Ethernet optique, émetteurrécepteur 1000BASE-SX à courte longueur d’onde
GLC-SX-MM=
Connecteur SFP Gigabit Ethernet optique, émetteurrécepteur 1000BASE-LX/LH longue distance/à grande
longueur d’onde
GLC-LH-SM=
© 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 23/24
POUR TÉLÉCHARGER LE LOGICIEL
Pour télécharger le logiciel Cisco ASA, visitez le Centre de téléchargement Cisco.
MAINTENANCE ET ASSISTANCE
Cisco propose une large gamme de programmes de services pour accélérer la réussite de
ses clients. Ces programmes de services innovants sont proposés grâce à une combinaison
unique de personnes, de processus, d’outils et de partenaires pour augmenter la satisfaction
de nos clients. Cisco Services vous aide à protéger votre investissement en matière de
réseaux, à optimiser leur exploitation et à les préparer aux nouvelles applications afin d’en
étendre l’intelligence et d’accroître le succès de votre activité. Pour plus d’informations sur
Cisco Services, consultez les services d’assistance technique de Cisco ou Cisco Advanced
Services. Pour les services propres aux fonctionnalités de prévention des intrusions (IPS)
offertes via le module AIP-SSM, visitez le site Cisco Services for IPS.
POUR PLUS D’INFORMATIONS
Pour plus d’informations, consultez les sites suivants :
• Serveur de Sécurité Adaptatif Cisco ASA 5500 : http://www.cisco.com/go/asa
• Cisco Adaptive Security Device Manager : http://www.cisco.com/go/asdm© 2007 Cisco Systems, Inc. Tous droits réservés.Les mentions légales, la charte sur la vie privée et les marques de Cisco
Systems, Inc. sont fournies sur cisco.com
Page 24/24
Siège social
Cisco Systems, Inc.
170 West Tasman
Drive
San Jose, CA 95134
1706
Etats-Unis
www.cisco.com
Tél. : 408 526-4000
800 553-NETS (6387)
Fax : 408 526-4100
Siège Europe
Cisco Systems
International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
Pays-Bas
wwweurope.cisco.com
Tél. : 31 0 20 357 1000
Fax : 31 0 20 357 1100
Siège Etats-Unis
Cisco Systems, Inc.
170 West Tasman
Drive
San Jose, CA 95134
1706
Etats-Unis
www.cisco.com
Tél. : 408 526-7660
Fax : 408 527-0883
Siège Asie Pacifi que
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital
Tower
Singapour 068912
www.cisco.com
Tél. : +65 6317 7777
Fax : +65 6317 7799
Cisco has more than 200 offi ces in the following countries and regions. Addresses, phone numbers, and fax numbers are listed
on the Cisco Website at www.cisco.com/go/offices
Copyright©2007 Cisco Systems, Inc. Tous droits réservés. CCSP, CCVP, le logo Cisco Square Bridge, Follow Me Browsing et
StackWise sont des marques de Cisco Systems, Inc. ; Changing the Way We Work, Live, Play, and Learn, et iQuick Study sont des
marques de service de Cisco Systems, Inc. ; et Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco,
le logo Cisco Certifi ed Internetwork Expert, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, le logo Cisco Systems,
Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet
Quotient, IOS, IP/TV, iQ Expertise, le logo iQ, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, le logo Networkers,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast,
SMARTnet, The Fastest Way to Increase Your Internet Quotient et TransPath sont des marques déposées de Cisco Systems, Inc. et/ou
de ses fi liales aux États-Unis et dans d’autres pays.
Toutes les autres marques mentionnées dans ce document ou sur le site Web appartiennent à leurs propriétaires respectifs. L’emploi du
mot partenaire n’implique pas nécessairement une relation de partenariat entre Cisco et une autre société. (0601R)
Manuel de migration de Cisco PIX 500
vers la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
Réunissant sur une même plate- Réunissant sur une même plate---forme une combinaison puissante de nombreuses forme une combinaison puissante de nombreuses
technologies éprouvées, la gamme Cisco ASA 5500 (Adaptive Security Appliance)
donne à l’entreprise les moyens opérationnels et économiques de déployer des
services de sécurité complets vers un plus grand nom services de sécurité complets vers un plus grand nombre de sites. plets vers un plus grand nombre de sites. bre de sites. Faites migrer dès Faites migrer dès
maintenant vos serveurs de sécurité Cisco PIX® vers la gamme Cisco ASA 5500 pour
bénéficier, sur une même plate- bénéficier, sur une même plate---forme, de services de sécurité et de VPN convergen forme, de services de sécurité et de VPN convergents s
et multifonctions. et multifonctions.
Principaux avantages économiques Principaux avantages économiques avantages économiques
Options souples de déploiement Options souples de déploiement
Editions produits personnalisées qui s’adaptent exactement aux besoins spécifiques de
l’entreprise
• Firewall Edition - Firewall
• IPS Edition - système de prévention d'intrusions
• Anti-X Edition - protection antivirus, anti logiciels espions, etc.
• SSL/IPsec VPN Edition - VPN sécurisés
Frais d’exploitations réduits Frais d’exploitations réduits
Gestion et surveillance unifiée des équipements pour diminuer les frais généraux
d’installation et de maintenance. Plate-forme unique qui réduit la complexité et simplifie
les opérations de déploiement et d’assistance technique courantes.
Frais d’investissements réduits Frais d’investissements réduits
La convergence et les crédits de reprise d’ancien matériel TMP (Technology Migration
Plan) renforcés font dès maintenant baisser le coût total de migration.
Avantage du leasing Avantage du leasing
Avec Cisco Finance, bénéficiez de nos promotions en leasing pour réduire encore plus
vos coûts et obtenir dès maintenant votre nouvelle solution.
Principaux avantages technologiques et nouveautés d Principaux avantages technologiques et nouveautés de la gamme ASA 5500 e la gamme ASA 5500
Technologie reconnue de firewall et VPN protégé contre les menaces tre les menaces
Développée autour de la même technologie éprouvée qui a fait le succès du serveur de
sécurité Cisco PIX et de la gamme des concentrateurs Cisco VPN 3000, la gamme
Cisco ASA 5500 est la première solution à proposer des services VPN SSL (Secure
Sockets Layer) et IPSec (IP Security) protégés par la première technologie de firewall
du marché. Avec le VPN SSL, l’ASA 5500 est une passerelle SSL performante qui
permet l’accès distant sécurisé au réseau au travers d’un navigateur web banalisé pour
les utilisateurs nomades.
Service évolué de prévention des intrusions Service évolué de prévention des intrusions
Les services proactifs de prévention des intrusions offrent toutes les fonctionnalités qui
permettent de bloquer un large éventail de menaces – vers, attaques sur la couche
applicative ou au niveau du système d'exploitation, rootkits, logiciels espions,
messagerie instantanée, P2P, et bien plus encore. En combinant plusieurs méthodes
d’analyse détaillée du trafic, l’IPS de l’ASA 5500 protège le réseau des violations de
politique de sécurité, de l’exploitation des vulnérabilités des systèmes et du trafic
anormal. L’IPS collabore avec d’autres systèmes Cisco de gestion de la sécurité pour
assurer une mise à jour constante de la posture de sécurité du réseau et une réactivité
totale aux nouvelles attaques ou vulnérabilités.
Services Anti- Services Anti---X à la pointe de l’industrie X à la pointe de l’industrie X à la pointe de l’industrie
La gamme Cisco ASA 5500 offre des services complets anti-X à la pointe de la
technologie – protection contre les virus, les logiciels espions, le courrier indésirable et
le phishing ainsi que le blocage de fichiers, le blocage et le filtrage des URL et le filtrage
de contenu – en associant le savoir-faire de Trend Micro en matière de protection
informatique à une solution Cisco de sécurité réseau éprouvée. Ces services anti-X
embarqués dans le module d’extension hardware CSC SSM et le renouvellement des
abonnements Trend Micro pour la gamme ASA sont commercialisés par Cisco au
travers de ses partenaires agréés.
Migration transparente pour l’utilisateur Migration transparente pour l’utilisateur
Les utilisateurs actuels des serveurs de sécurité Cisco PIX n’auront aucune difficulté à
s’adapter aux solutions Cisco ASA 5500. Les fichiers de configuration des Cisco PIX
sont transposables sur les serveurs ASA 5500. Le logiciel d’administration graphique
Cisco Adaptive Security Device Manager (ASDM) livré avec la gamme ASA est un
logiciel puissant et facile à utiliser Il accélère la création de politiques de sécurité, et
réduit la charge de travail et les erreurs humaines, grâce à des assistants graphiques,
des outils de débogage et de surveillance. ASDM permet de gérer aussi bien des
serveurs Cisco PIX que des serveurs ASA 5500, facilitant la migration vers la dernière
génération de matériel et ses nouvelles fonctions. Manuel de migration de Cisco PIX 500
vers la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
Chemins de migration Chemins de migration
Firewall IPS Anti-X VPN
Modèle de serveur de
sécurité Cisco PIX sécurité Cisco PIX
Référence de la gamme
Cisco ASA Cisco ASA 5500
Description du Cisco ASA Description du Cisco ASA 5500
ASA5505-K8 Cisco ASA 5505 Firewall Edition 10 utilisateurs, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et 2 SSL, DES
ASA5505-BUN-K9 Cisco ASA 5505 Firewall Edition 10 utilisateurs, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et 2 SSL,
3DES/AES
ASA5505-50-BUN-K9 Cisco ASA 5505 Firewall Edition 50 utilisateurs, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et 2 SSL,
3DES/AES
Cisco PIX 501 pour
10 utilisateurs 10 utilisateurs
ASA5505-SSL10-K9 Cisco ASA 5505 SSL/IPsec VPN Edition, 10 homologues VPN IPsec et 10 SSL, services de firewall, commutateur Fast Ethernet
8 ports
ASA5505-50-BUN-K9 Cisco ASA 5505 Firewall Edition 50 utilisateurs, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et 2 SSL,
3DES/AES
ASA5505-UL-BUN-K9 Cisco ASA 5505 Firewall Edition nombre d’utilisateurs illimité, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et
2 SSL, 3DES/AES
Cisco PIX 501 pour
50 utilisateurs 50 utilisateurs
ASA5505-SSL10-K9 Cisco ASA 5505 SSL/IPsec VPN Edition, 10 homologues VPN IPsec et 10 SSL, services de firewall, commutateur Fast Ethernet
8 ports
ASA5505-UL-BUN-K9 Cisco ASA 5505 Firewall Edition nombre d’utilisateurs illimité, commutateur Fast Ethernet 8 ports, 10 homologues VPN IPsec et
2 SSL, 3DES/AES
ASA5505-SEC-BUN-K9 Cisco ASA 5505 Firewall Edition nombre d’utilisateurs illimité Security Plus, commutateur Fast Ethernet 8 ports, 25 homologues
VPN IPsec et 2 SSL,DMZ, haute disponibilité Actif / Veille à inspection d’état, 3DES/AES
Cisco PIX 501 pour un
nombre d’utilisateurs
illimité illimité
ASA5505-SSL10-K9 Cisco ASA 5505 SSL/IPsec VPN Edition, 10 homologues VPN IPsec et 10 SSL, services de firewall, commutateur Fast Ethernet
8 ports
ASA5505-SEC-BUN-K9 Cisco ASA 5505 Firewall Edition nombre d’utilisateurs illimité Security Plus, commutateur Fast Ethernet 8 ports, 25 homologues
VPN IPsec et 2 SSL,DMZ, haute disponibilité Actif / Veille à inspection d’état, 3DES/AES
ASA5505-SSL25-K9 Cisco ASA 5505 SSL/IPsec VPN Edition, 25 homologues VPN IPsec et 25 SSL, services de firewall, commutateur Fast Ethernet
8 ports, licence Security Plus
ASA5510-K8 Cisco ASA 5510 Firewall Edition, 3 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, DES
ASA5510-BUN-K9 Cisco ASA 5510 Firewall Edition, 3 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, 3DES/AES
ASA5510-AIP10-K9 Cisco ASA 5510 IPS Edition, module AIP SSM 10, services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast
Ethernet
ASA5510-CSC10-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-CSC20-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-SSL50-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 50 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-SSL100-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 100 SSL, services de firewall, 3 ports Fast Ethernet
Cisco PIX 506E Cisco PIX 506E
ASA5510-SSL250-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 250 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-K8 Cisco ASA 5510 Firewall Edition, 3 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, DES
ASA5510-BUN-K9 Cisco ASA 5510 Firewall Edition, 3 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, 3DES/AES
ASA5510-SEC-BUN-K9 Cisco ASA 5510 Firewall Edition Security Plus, 5 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, haute disponibilité
Actif / Veille, 3DES/AES
ASA5510-AIP10-K9 Cisco ASA 5510 IPS Edition, module AIP SSM 10, services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast
Ethernet
Cisco PIX 515E
R/DMZ
ASA5510-CSC10-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement, Manuel de migration de Cisco PIX 500
vers la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-CSC20-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-SSL50-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 50 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-SSL100-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 100 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-SSL250-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 250 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-SEC-BUN-K9 Cisco ASA 5510 Firewall Edition Security Plus, 5 ports Fast Ethernet, 250 homologues VPN IPsec et 2 SSL, haute disponibilité
Actif / Veille, 3DES/AES
ASA5510-AIP10-K9 Cisco ASA 5510 IPS Edition, module AIP SSM 10, services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast
Ethernet
ASA5510-CSC10-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-CSC20-K9 Cisco ASA 5510 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 250 homologues VPN IPsec et 2 SSL, 3 ports Fast Ethernet
ASA5510-SSL50-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 50 SSL, services de firewall, 3 ports Fast Ethernet
ASA5510-SSL100-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 100 SSL, services de firewall, 3 ports Fast Ethernet
Cisco PIX 515E
UR/FO/FO AA UR/FO/FO AA
ASA5510-SSL250-K9 Cisco ASA 5510 SSL/IPsec VPN Edition, 250 homologues VPN IPsec et 250 SSL, services de firewall, 3 ports Fast Ethernet
ASA5520-K8 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, DES
ASA5520-BUN-K9 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, 3DES/AES
ASA5520-AIP10-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 10, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-AIP20-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 20, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-CSC10-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
ASA5520-CSC20-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
Cisco PIX 520 (Fin de
vie – ve ––– juin 2006) juin 2006) juin 2006)
ASA5520-SSL500-K9 Cisco ASA 5520 SSL/IPsec VPN Edition, 750 homologues VPN IPsec et 500 SSL, services de firewall, 4 ports Ethernet Gigabit,
1 interface Fast Ethernet
ASA5520-K8 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, DES
ASA5520-BUN-K9 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, 3DES/AES
ASA5520-AIP10-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 10, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-AIP20-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 20, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-CSC10-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
ASA5520-CSC20-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
Cisco PIX 525R Cisco PIX 525R
ASA5520-SSL500-K9 Cisco ASA 5520 SSL/IPsec VPN Edition, 750 homologues VPN IPsec et 500 SSL, services de firewall, 4 ports Ethernet Gigabit,
1 interface Fast Ethernet
ASA5520-K8 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, DES
Cisco PIX 525
UR/FO/FO AA UR/FO/FO AA
ASA5520-BUN-K9 Cisco ASA 5520 Firewall Edition, 4 ports Ethernet Gigabit + 1 interface Fast Ethernet, 750 homologues VPN IPsec et 2 SSL,
haute disponibilité Actif / Actif et Actif / Veille, 3DES/AES Manuel de migration de Cisco PIX 500
vers la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
ASA5520-AIP10-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 10, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-AIP20-K9 Cisco ASA 5520 IPS Edition, module AIP SSM 20, services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5520-CSC10-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 10, 50 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
ASA5520-CSC20-K9 Cisco ASA 5520 Anti X Edition, module CSC SSM 20, 500 utilisateurs antivirus / anti logiciels espions avec un an d’abonnement,
services de firewall, 750 homologues VPN IPsec et 2 SSL, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet
ASA5520-SSL500-K9 Cisco ASA 5520 SSL/IPsec VPN Edition, 750 homologues VPN IPsec et 500 SSL, services de firewall, 4 ports Ethernet Gigabit,
1 interface Fast Ethernet
ASA5540-K8 Cisco ASA 5540 Firewall Edition, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet, 5000 homologues VPN IPsec et 2 SSL, DES
ASA5540-BUN-K9 Cisco ASA 5540 Firewall Edition, 4 ports Ethernet Gigabit, 1 interface Fast Ethernet, 5000 homologues VPN IPsec et 2 SSL,
3DES/AES
ASA5540-AIP20-K9 Cisco ASA 5540 IPS Edition, module AIP SSM 20, services de firewall, 5000 homologues VPN IPsec et 2 SSL, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5540-SSL1000-K9 Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 1000 SSL, services de firewall, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5540-SSL2500-K9 Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 2500 SSL, services de firewall, 4 ports Ethernet
Gigabit, 1 interface Fast Ethernet
ASA5550-K8 Cisco ASA 5550 Firewall Edition, 8 ports Ethernet Gigabit, 1 interface Fast Ethernet, 4 ports SFP Gigabit, 5000 homologues VPN
IPsec et 2 SSL, DES
ASA5550-BUN-K9 Cisco ASA 5550 Firewall Edition, 8 ports Ethernet Gigabit, 1 interface Fast Ethernet, 4 ports SFP Gigabit, 5000 homologues VPN
IPsec et 2 SSL, 3DES/AES
ASA5550-SSL2500-K9 Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 2500 SSL, services de firewall, 8 ports Ethernet
Gigabit, 1 interface Fast Ethernet
Cisco PIX 535 Cisco PIX 535
ASA5550-SSL5000-K9 Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 5000 SSL, services de firewall, 8 ports Ethernet
Gigabit, 1 interface Fast Ethernet
Caractéristiques techniques Caractéristiques techniques
Cisco ASA 5505 Cisco ASA 5505 Cisco ASA 5510 Cisco ASA 5510 Cisco ASA 5520 Cisco ASA 5520 Cisco ASA 5540 Cisco ASA 5540 Cisco ASA 5550 Cisco ASA 5550
Utilisateurs et nœuds Utilisateurs et nœuds 10, 50 ou illimité Illimité Illimité Illimité Illimité
Débit du firewall Débit du firewall Jusqu’à 150 Mbits/s Jusqu’à 300 Mbits/s Jusqu’à 450 Mbits/s Jusqu’à 650 Mbits/s Jusqu’à 1,2 Gbits/s
Débit des services
simultanés de
limitation des risques
(firewall et services
IPS)
Non disponible Jusqu’à 150 Mbits/s avec le
module AIP SSM (Advanced
Inspection and Prevention
Security Services Module) 10
(référence AIP SSM 10) pour
la gamme Cisco ASA 5500 –
Jusqu’à 300 Mbits/s avec le
module AIP SSM 20
(référence AIP SSM 20) pour
la gamme Cisco ASA 5500
Jusqu’à 225 Mbits/s avec le
module AIP SSM 10 – Jusqu’à
375 225 Mbits/s avec le
module AIP SSM 20
Jusqu‘à 450 Mbits/s, avec le
module AIP-SSM20
Non disponible
Débit des VPN 3DES
ou AES ou
Jusqu’à 100 Mbits/s Jusqu’à 170 Mbits/s Jusqu’à 225 Mbits/s Jusqu’à 325 Mbits/s Jusqu’à 360 Mbits/s
Homologues VPN
IPSecec
10 ; 25* 250 750 5000 5000
Homologues VPN 2/25 2/250 2/750 2/2500 2/5000 Homologues VPN Manuel de migration de Cisco PIX 500
vers la gamme Cisco ASA 5500
PRESENTATION SYNOPTIQUE
SSL *
(inclus/maximum) (inclus/maximum)
Sessions simultanées 10 000 ; 25 000* 50 000 ; 130 Sessions simultanées 000* 280 000 400 000 650 000
Nouvelles sessions
par seconde par seconde
3 000 6 000 9 000 20 000 28 000
Port s réseaux Port s réseaux
intégrés intégrés
Commutateur Fast Ethernet 8
ports (dont 2 ports PoE)
5 ports Fast Ethernet 4 ports Ethernet Gigabit + 1
port Fast Ethernet
4 ports Ethernet Gigabit + 1
port Fast Ethernet
8 ports Ethernet Gigabit, fibre
SFP et 1 port Fast Ethernet
Interfaces virtuelles Interfaces virtuelles
(VLAN)
3 (ligne réseau désactivée) /
20* (ligne réseau activée)
50/100 * 150 200 250
Contextes de sécurité
(intégrés / maximum) (intégrés / maximum)
0/0 0/0 (Base) ; 2/5 (Security
Plus)
2/20 2/50 2/50
Haute disponibilité Haute disponibilité Non supportée / Actif/Veille*
à inspection d’état
Non supportée / Actif/Actif et
Actif/Veille*
Actif/Actif et Actif/Veille Actif/Actif et Actif/Veille Actif/Actif et Actif/Veille
Emplacement
d'extension d'extension
1, SSC 1, SSM 1, SSM 1, SSM 0
* Exige une licence de mise à niveau.
Copyright © 2007, Cisco Systems, Inc. Tous droits réservés. Cisco, Cisco IOS, Cisco Systems et le logo Cisco Systèmes sont des marques déposées de Cisco Systems, Inc. ou de ses
filiales aux Etats-Unis et dans certains autres pays. C45 364598 01 01/07
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-02THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision,
Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are
service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without
Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study,
IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar,
PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath,
WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Security Appliance Command Line Configuration Guide
Copyright © 2008 Cisco Systems, Inc. All rights reserved.iii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
C O N T E N T S
About This Guide xxxv
Document Objectives xxxv
Audience xxxv
Related Documentation xxxvi
Document Organization xxxvi
Document Conventions xxxix
Obtaining Documentation and Submitting a Service Request xxxix
1-xl
P A R T 1 Getting Started and General Information
C H A P T E R 1 Introduction to the Security Appliance 1-1
Firewall Functional Overview 1-1
Security Policy Overview 1-2
Permitting or Denying Traffic with Access Lists 1-2
Applying NAT 1-2
Using AAA for Through Traffic 1-2
Applying HTTP, HTTPS, or FTP Filtering 1-3
Applying Application Inspection 1-3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
Sending Traffic to the Content Security and Control Security Services Module 1-3
Applying QoS Policies 1-3
Applying Connection Limits and TCP Normalization 1-3
Firewall Mode Overview 1-3
Stateful Inspection Overview 1-4
VPN Functional Overview 1-5
Intrusion Prevention Services Functional Overview 1-5
Security Context Overview 1-6
C H A P T E R 2 Getting Started 2-1
Getting Started with Your Platform Model 2-1
Factory Default Configurations 2-1
Restoring the Factory Default Configuration 2-2Contents
iv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
ASA 5505 Default Configuration 2-2
ASA 5510 and Higher Default Configuration 2-3
PIX 515/515E Default Configuration 2-4
Accessing the Command-Line Interface 2-4
Setting Transparent or Routed Firewall Mode 2-5
Working with the Configuration 2-6
Saving Configuration Changes 2-6
Saving Configuration Changes in Single Context Mode 2-7
Saving Configuration Changes in Multiple Context Mode 2-7
Copying the Startup Configuration to the Running Configuration 2-8
Viewing the Configuration 2-8
Clearing and Removing Configuration Settings 2-9
Creating Text Configuration Files Offline 2-9
C H A P T E R 3 Enabling Multiple Context Mode 3-1
Security Context Overview 3-1
Common Uses for Security Contexts 3-1
Unsupported Features 3-2
Context Configuration Files 3-2
Context Configurations 3-2
System Configuration 3-2
Admin Context Configuration 3-2
How the Security Appliance Classifies Packets 3-3
Valid Classifier Criteria 3-3
Invalid Classifier Criteria 3-4
Classification Examples 3-5
Cascading Security Contexts 3-8
Management Access to Security Contexts 3-9
System Administrator Access 3-9
Context Administrator Access 3-10
Enabling or Disabling Multiple Context Mode 3-10
Backing Up the Single Mode Configuration 3-10
Enabling Multiple Context Mode 3-10
Restoring Single Context Mode 3-11
C H A P T E R 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security
Appliance 4-1
Interface Overview 4-1
Understanding ASA 5505 Ports and Interfaces 4-2Contents
v
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Maximum Active VLAN Interfaces for Your License 4-2
Default Interface Configuration 4-4
VLAN MAC Addresses 4-4
Power Over Ethernet 4-4
Monitoring Traffic Using SPAN 4-4
Security Level Overview 4-5
Configuring VLAN Interfaces 4-5
Configuring Switch Ports as Access Ports 4-9
Configuring a Switch Port as a Trunk Port 4-11
Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13
C H A P T E R 5 Configuring Ethernet Settings and Subinterfaces 5-1
Configuring and Enabling RJ-45 Interfaces 5-1
Configuring and Enabling Fiber Interfaces 5-3
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking 5-3
C H A P T E R 6 Adding and Managing Security Contexts 6-1
Configuring Resource Management 6-1
Classes and Class Members Overview 6-1
Resource Limits 6-2
Default Class 6-3
Class Members 6-4
Configuring a Class 6-4
Configuring a Security Context 6-7
Automatically Assigning MAC Addresses to Context Interfaces 6-11
Changing Between Contexts and the System Execution Space 6-11
Managing Security Contexts 6-12
Removing a Security Context 6-12
Changing the Admin Context 6-13
Changing the Security Context URL 6-13
Reloading a Security Context 6-14
Reloading by Clearing the Configuration 6-14
Reloading by Removing and Re-adding the Context 6-15
Monitoring Security Contexts 6-15
Viewing Context Information 6-15
Viewing Resource Allocation 6-16
Viewing Resource Usage 6-19
Monitoring SYN Attacks in Contexts 6-20Contents
vi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
C H A P T E R 7 Configuring Interface Parameters 7-1
Security Level Overview 7-1
Configuring the Interface 7-2
Allowing Communication Between Interfaces on the Same Security Level 7-6
C H A P T E R 8 Configuring Basic Settings 8-1
Changing the Login Password 8-1
Changing the Enable Password 8-1
Setting the Hostname 8-2
Setting the Domain Name 8-2
Setting the Date and Time 8-2
Setting the Time Zone and Daylight Saving Time Date Range 8-3
Setting the Date and Time Using an NTP Server 8-4
Setting the Date and Time Manually 8-5
Setting the Management IP Address for a Transparent Firewall 8-5
C H A P T E R 9 Configuring IP Routing 9-1
How Routing Behaves Within the ASA Security Appliance 9-1
Egress Interface Selection Process 9-1
Next Hop Selection Process 9-2
Configuring Static and Default Routes 9-2
Configuring a Static Route 9-3
Configuring a Default Route 9-4
Configuring Static Route Tracking 9-5
Defining Route Maps 9-7
Configuring OSPF 9-8
OSPF Overview 9-9
Enabling OSPF 9-10
Redistributing Routes Into OSPF 9-10
Configuring OSPF Interface Parameters 9-11
Configuring OSPF Area Parameters 9-13
Configuring OSPF NSSA 9-14
Configuring Route Summarization Between OSPF Areas 9-15
Configuring Route Summarization When Redistributing Routes into OSPF 9-16
Defining Static OSPF Neighbors 9-16
Generating a Default Route 9-17
Configuring Route Calculation Timers 9-17
Logging Neighbors Going Up or Down 9-18Contents
vii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Displaying OSPF Update Packet Pacing 9-19
Monitoring OSPF 9-19
Restarting the OSPF Process 9-20
Configuring RIP 9-20
Enabling and Configuring RIP 9-20
Redistributing Routes into the RIP Routing Process 9-22
Configuring RIP Send/Receive Version on an Interface 9-22
Enabling RIP Authentication 9-23
Monitoring RIP 9-23
The Routing Table 9-24
Displaying the Routing Table 9-24
How the Routing Table is Populated 9-24
Backup Routes 9-26
How Forwarding Decisions are Made 9-26
Dynamic Routing and Failover 9-26
C H A P T E R 10 Configuring DHCP, DDNS, and WCCP Services 10-1
Configuring a DHCP Server 10-1
Enabling the DHCP Server 10-2
Configuring DHCP Options 10-3
Using Cisco IP Phones with a DHCP Server 10-4
Configuring DHCP Relay Services 10-5
Configuring Dynamic DNS 10-6
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN
Provided Through Configuration 10-7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides
Client and Updates Both RRs. 10-8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only;
Honors Client Request and Updates Both A and PTR RR 10-8
Example 5: Client Updates A RR; Server Updates PTR RR 10-9
Configuring Web Cache Services Using WCCP 10-9
WCCP Feature Support 10-9
WCCP Interaction With Other Features 10-10
Enabling WCCP Redirection 10-10
C H A P T E R 11 Configuring Multicast Routing 11-13
Multicast Routing Overview 11-13
Enabling Multicast Routing 11-14Contents
viii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring IGMP Features 11-14
Disabling IGMP on an Interface 11-15
Configuring Group Membership 11-15
Configuring a Statically Joined Group 11-15
Controlling Access to Multicast Groups 11-15
Limiting the Number of IGMP States on an Interface 11-16
Modifying the Query Interval and Query Timeout 11-16
Changing the Query Response Time 11-17
Changing the IGMP Version 11-17
Configuring Stub Multicast Routing 11-17
Configuring a Static Multicast Route 11-17
Configuring PIM Features 11-18
Disabling PIM on an Interface 11-18
Configuring a Static Rendezvous Point Address 11-19
Configuring the Designated Router Priority 11-19
Filtering PIM Register Messages 11-19
Configuring PIM Message Intervals 11-20
Configuring a Multicast Boundary 11-20
Filtering PIM Neighbors 11-20
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 11-21
For More Information about Multicast Routing 11-22
C H A P T E R 12 Configuring IPv6 12-1
IPv6-enabled Commands 12-1
Configuring IPv6 12-2
Configuring IPv6 on an Interface 12-3
Configuring a Dual IP Stack on an Interface 12-4
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4
Configuring IPv6 Duplicate Address Detection 12-4
Configuring IPv6 Default and Static Routes 12-5
Configuring IPv6 Access Lists 12-6
Configuring IPv6 Neighbor Discovery 12-7
Configuring Neighbor Solicitation Messages 12-7
Configuring Router Advertisement Messages 12-9
Multicast Listener Discovery Support 12-11
Configuring a Static IPv6 Neighbor 12-11
Verifying the IPv6 Configuration 12-11
The show ipv6 interface Command 12-12
The show ipv6 route Command 12-12Contents
ix
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
The show ipv6 mld traffic Command 12-13
C H A P T E R 13 Configuring AAA Servers and the Local Database 13-1
AAA Overview 13-1
About Authentication 13-1
About Authorization 13-2
About Accounting 13-2
AAA Server and Local Database Support 13-2
Summary of Support 13-3
RADIUS Server Support 13-3
Authentication Methods 13-4
Attribute Support 13-4
RADIUS Authorization Functions 13-4
TACACS+ Server Support 13-4
SDI Server Support 13-4
SDI Version Support 13-5
Two-step Authentication Process 13-5
SDI Primary and Replica Servers 13-5
NT Server Support 13-5
Kerberos Server Support 13-5
LDAP Server Support 13-6
Authentication with LDAP 13-6
Authorization with LDAP for VPN 13-7
LDAP Attribute Mapping 13-8
SSO Support for WebVPN with HTTP Forms 13-9
Local Database Support 13-9
User Profiles 13-10
Fallback Support 13-10
Configuring the Local Database 13-10
Identifying AAA Server Groups and Servers 13-12
Using Certificates and User Login Credentials 13-15
Using User Login Credentials 13-15
Using certificates 13-16
Supporting a Zone Labs Integrity Server 13-16
Overview of Integrity Server and Security Appliance Interaction 13-17
Configuring Integrity Server Support 13-17
C H A P T E R 14 Configuring Failover 14-1
Understanding Failover 14-1Contents
x
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Failover System Requirements 14-2
Hardware Requirements 14-2
Software Requirements 14-2
License Requirements 14-2
The Failover and Stateful Failover Links 14-3
Failover Link 14-3
Stateful Failover Link 14-5
Active/Active and Active/Standby Failover 14-6
Active/Standby Failover 14-6
Active/Active Failover 14-10
Determining Which Type of Failover to Use 14-15
Regular and Stateful Failover 14-15
Regular Failover 14-16
Stateful Failover 14-16
Failover Health Monitoring 14-16
Unit Health Monitoring 14-17
Interface Monitoring 14-17
Failover Feature/Platform Matrix 14-18
Failover Times by Platform 14-18
Configuring Failover 14-19
Failover Configuration Limitations 14-19
Configuring Active/Standby Failover 14-19
Prerequisites 14-20
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 14-20
Configuring LAN-Based Active/Standby Failover 14-21
Configuring Optional Active/Standby Failover Settings 14-25
Configuring Active/Active Failover 14-27
Prerequisites 14-27
Configuring Cable-Based Active/Active Failover (PIX security appliance) 14-27
Configuring LAN-Based Active/Active Failover 14-29
Configuring Optional Active/Active Failover Settings 14-33
Configuring Unit Health Monitoring 14-39
Configuring Failover Communication Authentication/Encryption 14-39
Verifying the Failover Configuration 14-40
Using the show failover Command 14-40
Viewing Monitored Interfaces 14-48
Displaying the Failover Commands in the Running Configuration 14-48
Testing the Failover Functionality 14-49
Controlling and Monitoring Failover 14-49
Forcing Failover 14-49Contents
xi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Disabling Failover 14-50
Restoring a Failed Unit or Failover Group 14-50
Monitoring Failover 14-50
Failover System Messages 14-51
Debug Messages 14-51
SNMP 14-51
P A R T 2 Configuring the Firewall
C H A P T E R 15 Firewall Mode Overview 15-1
Routed Mode Overview 15-1
IP Routing Support 15-1
Network Address Translation 15-2
How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
An Inside User Visits a Web Server 15-3
An Outside User Visits a Web Server on the DMZ 15-4
An Inside User Visits a Web Server on the DMZ 15-6
An Outside User Attempts to Access an Inside Host 15-7
A DMZ User Attempts to Access an Inside Host 15-8
Transparent Mode Overview 15-8
Transparent Firewall Network 15-9
Allowing Layer 3 Traffic 15-9
Allowed MAC Addresses 15-9
Passing Traffic Not Allowed in Routed Mode 15-9
MAC Address Lookups 15-10
Using the Transparent Firewall in Your Network 15-10
Transparent Firewall Guidelines 15-10
Unsupported Features in Transparent Mode 15-11
How Data Moves Through the Transparent Firewall 15-13
An Inside User Visits a Web Server 15-14
An Outside User Visits a Web Server on the Inside Network 15-15
An Outside User Attempts to Access an Inside Host 15-16
C H A P T E R 16 Identifying Traffic with Access Lists 16-1
Access List Overview 16-1
Access List Types 16-2
Access Control Entry Order 16-2
Access Control Implicit Deny 16-3
IP Addresses Used for Access Lists When You Use NAT 16-3Contents
xii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Adding an Extended Access List 16-5
Extended Access List Overview 16-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6
Adding an Extended ACE 16-6
Adding an EtherType Access List 16-8
EtherType Access List Overview 16-8
Supported EtherTypes 16-8
Implicit Permit of IP and ARPs Only 16-9
Implicit and Explicit Deny ACE at the End of an Access List 16-9
IPv6 Unsupported 16-9
Using Extended and EtherType Access Lists on the Same Interface 16-9
Allowing MPLS 16-9
Adding an EtherType ACE 16-10
Adding a Standard Access List 16-11
Adding a Webtype Access List 16-11
Simplifying Access Lists with Object Grouping 16-11
How Object Grouping Works 16-12
Adding Object Groups 16-12
Adding a Protocol Object Group 16-13
Adding a Network Object Group 16-13
Adding a Service Object Group 16-14
Adding an ICMP Type Object Group 16-15
Nesting Object Groups 16-15
Using Object Groups with an Access List 16-16
Displaying Object Groups 16-17
Removing Object Groups 16-17
Adding Remarks to Access Lists 16-18
Scheduling Extended Access List Activation 16-18
Adding a Time Range 16-18
Applying the Time Range to an ACE 16-19
Logging Access List Activity 16-20
Access List Logging Overview 16-20
Configuring Logging for an Access Control Entry 16-21
Managing Deny Flows 16-22
C H A P T E R 17 Applying NAT 17-1
NAT Overview 17-1
Introduction to NAT 17-2
NAT Control 17-3Contents
xiii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
NAT Types 17-5
Dynamic NAT 17-5
PAT 17-7
Static NAT 17-7
Static PAT 17-8
Bypassing NAT When NAT Control is Enabled 17-9
Policy NAT 17-9
NAT and Same Security Level Interfaces 17-13
Order of NAT Commands Used to Match Real Addresses 17-14
Mapped Address Guidelines 17-14
DNS and NAT 17-14
Configuring NAT Control 17-16
Using Dynamic NAT and PAT 17-17
Dynamic NAT and PAT Implementation 17-17
Configuring Dynamic NAT or PAT 17-23
Using Static NAT 17-26
Using Static PAT 17-27
Bypassing NAT 17-29
Configuring Identity NAT 17-30
Configuring Static Identity NAT 17-30
Configuring NAT Exemption 17-32
NAT Examples 17-33
Overlapping Networks 17-34
Redirecting Ports 17-35
C H A P T E R 18 Permitting or Denying Network Access 18-1
Inbound and Outbound Access List Overview 18-1
Applying an Access List to an Interface 18-2
C H A P T E R 19 Applying AAA for Network Access 19-1
AAA Performance 19-1
Configuring Authentication for Network Access 19-1
Authentication Overview 19-2
One-Time Authentication 19-2
Applications Required to Receive an Authentication Challenge 19-2
Security Appliance Authentication Prompts 19-2
Static PAT and HTTP 19-3
Enabling Network Access Authentication 19-3Contents
xiv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Enabling Secure Authentication of Web Clients 19-5
Authenticating Directly with the Security Appliance 19-6
Enabling Direct Authentication Using HTTP and HTTPS 19-6
Enabling Direct Authentication Using Telnet 19-6
Configuring Authorization for Network Access 19-6
Configuring TACACS+ Authorization 19-7
Configuring RADIUS Authorization 19-8
Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-9
Configuring a RADIUS Server to Download Per-User Access Control List Names 19-12
Configuring Accounting for Network Access 19-13
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-14
C H A P T E R 20 Applying Filtering Services 20-1
Filtering Overview 20-1
Filtering ActiveX Objects 20-2
ActiveX Filtering Overview 20-2
Enabling ActiveX Filtering 20-2
Filtering Java Applets 20-3
Filtering URLs and FTP Requests with an External Server 20-4
URL Filtering Overview 20-4
Identifying the Filtering Server 20-4
Buffering the Content Server Response 20-6
Caching Server Addresses 20-6
Filtering HTTP URLs 20-7
Configuring HTTP Filtering 20-7
Enabling Filtering of Long HTTP URLs 20-7
Truncating Long HTTP URLs 20-7
Exempting Traffic from Filtering 20-8
Filtering HTTPS URLs 20-8
Filtering FTP Requests 20-9
Viewing Filtering Statistics and Configuration 20-9
Viewing Filtering Server Statistics 20-10
Viewing Buffer Configuration and Statistics 20-11
Viewing Caching Statistics 20-11
Viewing Filtering Performance Statistics 20-11
Viewing Filtering Configuration 20-12Contents
xv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
C H A P T E R 21 Using Modular Policy Framework 21-1
Modular Policy Framework Overview 21-1
Modular Policy Framework Features 21-1
Modular Policy Framework Configuration Overview 21-2
Default Global Policy 21-3
Identifying Traffic (Layer 3/4 Class Map) 21-4
Default Class Maps 21-4
Creating a Layer 3/4 Class Map for Through Traffic 21-5
Creating a Layer 3/4 Class Map for Management Traffic 21-7
Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7
Inspection Policy Map Overview 21-8
Defining Actions in an Inspection Policy Map 21-8
Identifying Traffic in an Inspection Class Map 21-11
Creating a Regular Expression 21-12
Creating a Regular Expression Class Map 21-14
Defining Actions (Layer 3/4 Policy Map) 21-15
Layer 3/4 Policy Map Overview 21-15
Policy Map Guidelines 21-16
Supported Feature Types 21-16
Hierarchical Policy Maps 21-16
Feature Directionality 21-17
Feature Matching Guidelines within a Policy Map 21-17
Feature Matching Guidelines for multiple Policy Maps 21-18
Order in Which Multiple Feature Actions are Applied 21-18
Default Layer 3/4 Policy Map 21-18
Adding a Layer 3/4 Policy Map 21-19
Applying Actions to an Interface (Service Policy) 21-21
Modular Policy Framework Examples 21-21
Applying Inspection and QoS Policing to HTTP Traffic 21-22
Applying Inspection to HTTP Traffic Globally 21-22
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-23
Applying Inspection to HTTP Traffic with NAT 21-24
C H A P T E R 22 Managing AIP SSM and CSC SSM 22-1
Managing the AIP SSM 22-1
About the AIP SSM 22-1
Getting Started with the AIP SSM 22-2
Diverting Traffic to the AIP SSM 22-2
Sessioning to the AIP SSM and Running Setup 22-4Contents
xvi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Managing the CSC SSM 22-5
About the CSC SSM 22-5
Getting Started with the CSC SSM 22-7
Determining What Traffic to Scan 22-9
Limiting Connections Through the CSC SSM 22-11
Diverting Traffic to the CSC SSM 22-11
Checking SSM Status 22-13
Transferring an Image onto an SSM 22-14
C H A P T E R 23 Preventing Network Attacks 23-1
Configuring TCP Normalization 23-1
TCP Normalization Overview 23-1
Enabling the TCP Normalizer 23-2
Configuring Connection Limits and Timeouts 23-6
Connection Limit Overview 23-7
TCP Intercept Overview 23-7
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7
Dead Connection Detection (DCD) Overview 23-7
TCP Sequence Randomization Overview 23-8
Enabling Connection Limits and Timeouts 23-8
Preventing IP Spoofing 23-10
Configuring the Fragment Size 23-11
Blocking Unwanted Connections 23-11
Configuring IP Audit for Basic IPS Support 23-12
C H A P T E R 24 Configuring QoS 24-1
QoS Overview 24-1
Supported QoS Features 24-2
What is a Token Bucket? 24-2
Policing Overview 24-3
Priority Queueing Overview 24-3
Traffic Shaping Overview 24-4
How QoS Features Interact 24-4
DSCP and DiffServ Preservation 24-5
Creating the Standard Priority Queue for an Interface 24-5
Determining the Queue and TX Ring Limits 24-6
Configuring the Priority Queue 24-7
Identifying Traffic for QoS Using Class Maps 24-8Contents
xvii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Creating a QoS Class Map 24-8
QoS Class Map Examples 24-8
Creating a Policy for Standard Priority Queueing and/or Policing 24-9
Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing 24-11
Viewing QoS Statistics 24-13
Viewing QoS Police Statistics 24-13
Viewing QoS Standard Priority Statistics 24-14
Viewing QoS Shaping Statistics 24-14
Viewing QoS Standard Priority Queue Statistics 24-15
C H A P T E R 25 Configuring Application Layer Protocol Inspection 25-1
Inspection Engine Overview 25-2
When to Use Application Protocol Inspection 25-2
Inspection Limitations 25-2
Default Inspection Policy 25-3
Configuring Application Inspection 25-5
CTIQBE Inspection 25-9
CTIQBE Inspection Overview 25-9
Limitations and Restrictions 25-10
Verifying and Monitoring CTIQBE Inspection 25-10
DCERPC Inspection 25-11
DCERPC Overview 25-11
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
DNS Inspection 25-13
How DNS Application Inspection Works 25-13
How DNS Rewrite Works 25-14
Configuring DNS Rewrite 25-15
Using the Static Command for DNS Rewrite 25-15
Using the Alias Command for DNS Rewrite 25-16
Configuring DNS Rewrite with Two NAT Zones 25-16
DNS Rewrite with Three NAT Zones 25-17
Configuring DNS Rewrite with Three NAT Zones 25-19
Verifying and Monitoring DNS Inspection 25-20
Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-20
ESMTP Inspection 25-23
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24
FTP Inspection 25-26
FTP Inspection Overview 25-27Contents
xviii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Using the strict Option 25-27
Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-28
Verifying and Monitoring FTP Inspection 25-31
GTP Inspection 25-32
GTP Inspection Overview 25-32
Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-33
Verifying and Monitoring GTP Inspection 25-37
H.323 Inspection 25-38
H.323 Inspection Overview 25-38
How H.323 Works 25-38
Limitations and Restrictions 25-39
Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-40
Configuring H.323 and H.225 Timeout Values 25-42
Verifying and Monitoring H.323 Inspection 25-43
Monitoring H.225 Sessions 25-43
Monitoring H.245 Sessions 25-43
Monitoring H.323 RAS Sessions 25-44
HTTP Inspection 25-44
HTTP Inspection Overview 25-44
Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45
Instant Messaging Inspection 25-49
IM Inspection Overview 25-49
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49
ICMP Inspection 25-52
ICMP Error Inspection 25-52
ILS Inspection 25-53
IPSec Pass Through Inspection 25-54
IPSec Pass Through Inspection Overview 25-54
Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control 25-54
MGCP Inspection 25-56
MGCP Inspection Overview 25-56
Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-58
Configuring MGCP Timeout Values 25-59
Verifying and Monitoring MGCP Inspection 25-59
NetBIOS Inspection 25-60
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-60
PPTP Inspection 25-62
RADIUS Accounting Inspection 25-62Contents
xix
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-63
RSH Inspection 25-63
RTSP Inspection 25-63
RTSP Inspection Overview 25-63
Using RealPlayer 25-64
Restrictions and Limitations 25-64
SIP Inspection 25-65
SIP Inspection Overview 25-65
SIP Instant Messaging 25-65
Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66
Configuring SIP Timeout Values 25-70
Verifying and Monitoring SIP Inspection 25-70
Skinny (SCCP) Inspection 25-71
SCCP Inspection Overview 25-71
Supporting Cisco IP Phones 25-71
Restrictions and Limitations 25-72
Verifying and Monitoring SCCP Inspection 25-72
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73
SMTP and Extended SMTP Inspection 25-74
SNMP Inspection 25-76
SQL*Net Inspection 25-76
Sun RPC Inspection 25-77
Sun RPC Inspection Overview 25-77
Managing Sun RPC Services 25-77
Verifying and Monitoring Sun RPC Inspection 25-78
TFTP Inspection 25-79
XDMCP Inspection 25-80
C H A P T E R 26 Configuring ARP Inspection and Bridging Parameters 26-1
Configuring ARP Inspection 26-1
ARP Inspection Overview 26-1
Adding a Static ARP Entry 26-2
Enabling ARP Inspection 26-2
Customizing the MAC Address Table 26-3
MAC Address Table Overview 26-3
Adding a Static MAC Address 26-3
Setting the MAC Address Timeout 26-4
Disabling MAC Address Learning 26-4Contents
xx
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Viewing the MAC Address Table 26-4
P A R T 3 Configuring VPN
C H A P T E R 27 Configuring IPsec and ISAKMP 27-1
Tunneling Overview 27-1
IPsec Overview 27-2
Configuring ISAKMP 27-2
ISAKMP Overview 27-2
Configuring ISAKMP Policies 27-5
Enabling ISAKMP on the Outside Interface 27-6
Disabling ISAKMP in Aggressive Mode 27-6
Determining an ID Method for ISAKMP Peers 27-6
Enabling IPsec over NAT-T 27-7
Using NAT-T 27-7
Enabling IPsec over TCP 27-8
Waiting for Active Sessions to Terminate Before Rebooting 27-9
Alerting Peers Before Disconnecting 27-9
Configuring Certificate Group Matching 27-9
Creating a Certificate Group Matching Rule and Policy 27-10
Using the Tunnel-group-map default-group Command 27-11
Configuring IPsec 27-11
Understanding IPsec Tunnels 27-11
Understanding Transform Sets 27-12
Defining Crypto Maps 27-12
Applying Crypto Maps to Interfaces 27-20
Using Interface Access Lists 27-20
Changing IPsec SA Lifetimes 27-22
Creating a Basic IPsec Configuration 27-22
Using Dynamic Crypto Maps 27-24
Providing Site-to-Site Redundancy 27-26
Viewing an IPsec Configuration 27-26
Clearing Security Associations 27-27
Clearing Crypto Map Configurations 27-27
Supporting the Nokia VPN Client 27-28
C H A P T E R 28 Configuring L2TP over IPSec 28-1
L2TP Overview 28-1Contents
xxi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
IPSec Transport and Tunnel Modes 28-2
Configuring L2TP over IPSec Connections 28-2
Tunnel Group Switching 28-5
Viewing L2TP over IPSec Connection Information 28-5
Using L2TP Debug Commands 28-7
Enabling IPSec Debug 28-7
Getting Additional Information 28-8
C H A P T E R 29 Setting General IPSec VPN Parameters 29-1
Configuring VPNs in Single, Routed Mode 29-1
Configuring IPSec to Bypass ACLs 29-1
Permitting Intra-Interface Traffic 29-2
NAT Considerations for Intra-Interface Traffic 29-3
Setting Maximum Active IPSec VPN Sessions 29-3
Using Client Update to Ensure Acceptable Client Revision Levels 29-3
Understanding Load Balancing 29-5
Implementing Load Balancing 29-6
Prerequisites 29-6
Eligible Platforms 29-7
Eligible Clients 29-7
VPN Load-Balancing Cluster Configurations 29-7
Some Typical Mixed Cluster Scenarios 29-8
Scenario 1: Mixed Cluster with No WebVPN Connections 29-8
Scenario 2: Mixed Cluster Handling WebVPN Connections 29-8
Configuring Load Balancing 29-9
Configuring the Public and Private Interfaces for Load Balancing 29-9
Configuring the Load Balancing Cluster Attributes 29-10
Configuring VPN Session Limits 29-11
C H A P T E R 30 Configuring Tunnel Groups, Group Policies, and Users 30-1
Overview of Tunnel Groups, Group Policies, and Users 30-1
Tunnel Groups 30-2
General Tunnel-Group Connection Parameters 30-2
IPSec Tunnel-Group Connection Parameters 30-3
WebVPN Tunnel-Group Connection Parameters 30-4
Configuring Tunnel Groups 30-5
Maximum Tunnel Groups 30-5
Default IPSec Remote Access Tunnel Group Configuration 30-5Contents
xxii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring IPSec Tunnel-Group General Attributes 30-6
Configuring IPSec Remote-Access Tunnel Groups 30-6
Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10
Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12
Configuring LAN-to-LAN Tunnel Groups 30-13
Default LAN-to-LAN Tunnel Group Configuration 30-13
Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14
Configuring LAN-to-LAN Tunnel Group General Attributes 30-14
Configuring LAN-to-LAN IPSec Attributes 30-15
Configuring WebVPN Tunnel Groups 30-17
Specifying a Name and Type for a WebVPN Tunnel Group 30-17
Configuring WebVPN Tunnel-Group General Attributes 30-17
Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20
Customizing Login Windows for WebVPN Users 30-23
Configuring Microsoft Active Directory Settings for Password Management 30-24
Using Active Directory to Force the User to Change Password at Next Logon 30-25
Using Active Directory to Specify Maximum Password Age 30-27
Using Active Directory to Override an Account Disabled AAA Indicator 30-28
Using Active Directory to Enforce Minimum Password Length 30-29
Using Active Directory to Enforce Password Complexity 30-30
Group Policies 30-31
Default Group Policy 30-32
Configuring Group Policies 30-34
Configuring an External Group Policy 30-34
Configuring an Internal Group Policy 30-35
Configuring Group Policy Attributes 30-35
Configuring WINS and DNS Servers 30-35
Configuring VPN-Specific Attributes 30-36
Configuring Security Attributes 30-39
Configuring the Banner Message 30-41
Configuring IPSec-UDP Attributes 30-41
Configuring Split-Tunneling Attributes 30-42
Configuring Domain Attributes for Tunneling 30-43
Configuring Attributes for VPN Hardware Clients 30-45
Configuring Backup Server Attributes 30-48
Configuring Microsoft Internet Explorer Client Parameters 30-49
Configuring Network Admission Control Parameters 30-51
Configuring Address Pools 30-54Contents
xxiii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring Firewall Policies 30-55
Configuring Client Access Rules 30-58
Configuring Group-Policy WebVPN Attributes 30-59
Configuring User Attributes 30-70
Viewing the Username Configuration 30-71
Configuring Attributes for Specific Users 30-71
Setting a User Password and Privilege Level 30-71
Configuring User Attributes 30-72
Configuring VPN User Attributes 30-72
Configuring WebVPN for Specific Users 30-76
C H A P T E R 31 Configuring IP Addresses for VPNs 31-1
Configuring an IP Address Assignment Method 31-1
Configuring Local IP Address Pools 31-2
Configuring AAA Addressing 31-2
Configuring DHCP Addressing 31-3
C H A P T E R 32 Configuring Remote Access IPSec VPNs 32-1
Summary of the Configuration 32-1
Configuring Interfaces 32-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3
Configuring an Address Pool 32-4
Adding a User 32-4
Creating a Transform Set 32-4
Defining a Tunnel Group 32-5
Creating a Dynamic Crypto Map 32-6
Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7
C H A P T E R 33 Configuring Network Admission Control 33-1
Uses, Requirements, and Limitations 33-1
Configuring Basic Settings 33-1
Specifying the Access Control Server Group 33-2
Enabling NAC 33-2
Configuring the Default ACL for NAC 33-3
Configuring Exemptions from NAC 33-4
Changing Advanced Settings 33-5
Changing Clientless Authentication Settings 33-5
Enabling and Disabling Clientless Authentication 33-5Contents
xxiv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Changing the Login Credentials Used for Clientless Authentication 33-6
Configuring NAC Session Attributes 33-7
Setting the Query-for-Posture-Changes Timer 33-8
Setting the Revalidation Timer 33-9
C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 34-1
Specifying the Client/Server Role of the Cisco ASA 5505 34-1
Specifying the Primary and Secondary Servers 34-2
Specifying the Mode 34-3
NEM with Multiple Interfaces 34-3
Configuring Automatic Xauth Authentication 34-4
Configuring IPSec Over TCP 34-4
Comparing Tunneling Options 34-5
Specifying the Tunnel Group or Trustpoint 34-6
Specifying the Tunnel Group 34-6
Specifying the Trustpoint 34-7
Configuring Split Tunneling 34-7
Configuring Device Pass-Through 34-8
Configuring Remote Management 34-8
Guidelines for Configuring the Easy VPN Server 34-9
Group Policy and User Attributes Pushed to the Client 34-9
Authentication Options 34-11
C H A P T E R 35 Configuring the PPPoE Client 35-1
PPPoE Client Overview 35-1
Configuring the PPPoE Client Username and Password 35-2
Enabling PPPoE 35-3
Using PPPoE with a Fixed IP Address 35-3
Monitoring and Debugging the PPPoE Client 35-4
Clearing the Configuration 35-5
Using Related Commands 35-5
C H A P T E R 36 Configuring LAN-to-LAN IPsec VPNs 36-1
Summary of the Configuration 36-1
Configuring Interfaces 36-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2
Creating a Transform Set 36-4Contents
xxv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring an ACL 36-4
Defining a Tunnel Group 36-5
Creating a Crypto Map and Applying It To an Interface 36-6
Applying Crypto Maps to Interfaces 36-7
C H A P T E R 37 Configuring WebVPN 37-1
Getting Started with WebVPN 37-1
Observing WebVPN Security Precautions 37-2
Understanding Features Not Supported for WebVPN 37-2
Using SSL to Access the Central Site 37-3
Using HTTPS for WebVPN Sessions 37-3
Configuring WebVPN and ASDM on the Same Interface 37-3
Setting WebVPN HTTP/HTTPS Proxy 37-4
Configuring SSL/TLS Encryption Protocols 37-4
Authenticating with Digital Certificates 37-5
Enabling Cookies on Browsers for WebVPN 37-5
Managing Passwords 37-5
Using Single Sign-on with WebVPN 37-6
Configuring SSO with HTTP Basic or NTLM Authentication 37-6
Configuring SSO Authentication Using SiteMinder 37-7
Configuring SSO with the HTTP Form Protocol 37-9
Authenticating with Digital Certificates 37-15
Creating and Applying WebVPN Policies 37-15
Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16
Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16
Enabling Features for Group Policies and Users 37-16
Assigning Users to Group Policies 37-16
Using the Security Appliance Authentication Server 37-16
Using a RADIUS Server 37-16
Configuring WebVPN Tunnel Group Attributes 37-17
Configuring WebVPN Group Policy and User Attributes 37-17
Configuring Application Access 37-18
Downloading the Port-Forwarding Applet Automatically 37-18
Closing Application Access to Prevent hosts File Errors 37-18
Recovering from hosts File Errors When Using Application Access 37-18
Understanding the hosts File 37-19
Stopping Application Access Improperly 37-19
Reconfiguring a hosts File 37-20
Configuring File Access 37-22Contents
xxvi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Configuring Access to Citrix MetaFrame Services 37-24
Using WebVPN with PDAs 37-25
Using E-Mail over WebVPN 37-26
Configuring E-mail Proxies 37-26
E-mail Proxy Certificate Authentication 37-27
Configuring MAPI 37-27
Configuring Web E-mail: MS Outlook Web Access 37-27
Optimizing WebVPN Performance 37-28
Configuring Caching 37-28
Configuring Content Transformation 37-28
Configuring a Certificate for Signing Rewritten Java Content 37-29
Disabling Content Rewrite 37-29
Using Proxy Bypass 37-29
Configuring Application Profile Customization Framework 37-30
APCF Syntax 37-30
APCF Example 37-32
WebVPN End User Setup 37-32
Defining the End User Interface 37-32
Viewing the WebVPN Home Page 37-33
Viewing the WebVPN Application Access Panel 37-33
Viewing the Floating Toolbar 37-34
Customizing WebVPN Pages 37-35
Using Cascading Style Sheet Parameters 37-35
Customizing the WebVPN Login Page 37-36
Customizing the WebVPN Logout Page 37-37
Customizing the WebVPN Home Page 37-38
Customizing the Application Access Window 37-40
Customizing the Prompt Dialogs 37-41
Applying Customizations to Tunnel Groups, Groups and Users 37-42
Requiring Usernames and Passwords 37-43
Communicating Security Tips 37-44
Configuring Remote Systems to Use WebVPN Features 37-44
Capturing WebVPN Data 37-50
Creating a Capture File 37-51
Using a Browser to Display Capture Data 37-51
C H A P T E R 38 Configuring SSL VPN Client 38-1
Installing SVC 38-1
Platform Requirements 38-1Contents
xxvii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Installing the SVC Software 38-2
Enabling SVC 38-3
Enabling Permanent SVC Installation 38-4
Enabling Rekey 38-5
Enabling and Adjusting Dead Peer Detection 38-5
Enabling Keepalive 38-6
Using SVC Compression 38-6
Viewing SVC Sessions 38-7
Logging Off SVC Sessions 38-8
Updating SVCs 38-8
C H A P T E R 39 Configuring Certificates 39-1
Public Key Cryptography 39-1
About Public Key Cryptography 39-1
Certificate Scalability 39-2
About Key Pairs 39-2
About Trustpoints 39-3
About Revocation Checking 39-3
About CRLs 39-3
About OCSP 39-4
Supported CA Servers 39-5
Certificate Configuration 39-5
Preparing for Certificates 39-5
Configuring Key Pairs 39-6
Generating Key Pairs 39-6
Removing Key Pairs 39-7
Configuring Trustpoints 39-7
Obtaining Certificates 39-9
Obtaining Certificates with SCEP 39-9
Obtaining Certificates Manually 39-11
Configuring CRLs for a Trustpoint 39-13
Exporting and Importing Trustpoints 39-14
Exporting a Trustpoint Configuration 39-15
Importing a Trustpoint Configuration 39-15
Configuring CA Certificate Map Rules 39-15
P A R T 4 System AdministrationContents
xxviii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
C H A P T E R 40 Managing System Access 40-1
Allowing Telnet Access 40-1
Allowing SSH Access 40-2
Configuring SSH Access 40-2
Using an SSH Client 40-3
Allowing HTTPS Access for ASDM 40-3
Configuring ASDM and WebVPN on the Same Interface 40-4
Configuring AAA for System Administrators 40-5
Configuring Authentication for CLI Access 40-5
Configuring Authentication To Access Privileged EXEC Mode 40-6
Configuring Authentication for the Enable Command 40-6
Authenticating Users Using the Login Command 40-6
Configuring Command Authorization 40-7
Command Authorization Overview 40-7
Configuring Local Command Authorization 40-8
Configuring TACACS+ Command Authorization 40-11
Configuring Command Accounting 40-14
Viewing the Current Logged-In User 40-14
Recovering from a Lockout 40-15
Configuring a Login Banner 40-16
C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1
Managing Licenses 41-1
Obtaining an Activation Key 41-1
Entering a New Activation Key 41-2
Viewing Files in Flash Memory 41-2
Retrieving Files from Flash Memory 41-3
Downloading Software or Configuration Files to Flash Memory 41-3
Downloading a File to a Specific Location 41-4
Downloading a File to the Startup or Running Configuration 41-4
Configuring the Application Image and ASDM Image to Boot 41-5
Configuring the File to Boot as the Startup Configuration 41-6
Performing Zero Downtime Upgrades for Failover Pairs 41-6
Upgrading an Active/Standby Failover Configuration 41-7
Upgrading and Active/Active Failover Configuration 41-8
Backing Up Configuration Files 41-8
Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9
Backing Up a Context Configuration in Flash Memory 41-9Contents
xxix
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Backing Up a Context Configuration within a Context 41-9
Copying the Configuration from the Terminal Display 41-10
Configuring Auto Update Support 41-10
Configuring Communication with an Auto Update Server 41-10
Configuring Client Updates as an Auto Update Server 41-12
Viewing Auto Update Status 41-13
C H A P T E R 42 Monitoring the Security Appliance 42-1
Using SNMP 42-1
SNMP Overview 42-1
Enabling SNMP 42-3
Configuring and Managing Logs 42-5
Logging Overview 42-5
Logging in Multiple Context Mode 42-5
Enabling and Disabling Logging 42-6
Enabling Logging to All Configured Output Destinations 42-6
Disabling Logging to All Configured Output Destinations 42-6
Viewing the Log Configuration 42-6
Configuring Log Output Destinations 42-7
Sending System Log Messages to a Syslog Server 42-7
Sending System Log Messages to the Console Port 42-8
Sending System Log Messages to an E-mail Address 42-9
Sending System Log Messages to ASDM 42-10
Sending System Log Messages to a Telnet or SSH Session 42-11
Sending System Log Messages to the Log Buffer 42-12
Filtering System Log Messages 42-14
Message Filtering Overview 42-15
Filtering System Log Messages by Class 42-15
Filtering System Log Messages with Custom Message Lists 42-17
Customizing the Log Configuration 42-18
Customizing the Log Configuration 42-18
Configuring the Logging Queue 42-19
Including the Date and Time in System Log Messages 42-19
Including the Device ID in System Log Messages 42-19
Generating System Log Messages in EMBLEM Format 42-20
Disabling a System Log Message 42-20
Changing the Severity Level of a System Log Message 42-21
Changing the Amount of Internal Flash Memory Available for Logs 42-22
Understanding System Log Messages 42-23Contents
xxx
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
System Log Message Format 42-23
Severity Levels 42-23
C H A P T E R 43 Troubleshooting the Security Appliance 43-1
Testing Your Configuration 43-1
Enabling ICMP Debug Messages and System Messages 43-1
Pinging Security Appliance Interfaces 43-2
Pinging Through the Security Appliance 43-4
Disabling the Test Configuration 43-5
Traceroute 43-6
Packet Tracer 43-6
Reloading the Security Appliance 43-6
Performing Password Recovery 43-7
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7
Password Recovery for the PIX 500 Series Security Appliance 43-8
Disabling Password Recovery 43-9
Resetting the Password on the SSM Hardware Module 43-10
Other Troubleshooting Tools 43-10
Viewing Debug Messages 43-11
Capturing Packets 43-11
Viewing the Crash Dump 43-11
Common Problems 43-11
P A R T 2 Reference
Supported Platforms and Feature Licenses A-1
Security Services Module Support A-9
VPN Specifications A-10
Cisco VPN Client Support A-11
Cisco Secure Desktop Support A-11
Site-to-Site VPN Compatibility A-11
Cryptographic Standards A-12
Example 1: Multiple Mode Firewall With Outside Access B-1
Example 1: System Configuration B-2
Example 1: Admin Context Configuration B-4
Example 1: Customer A Context Configuration B-4
Example 1: Customer B Context Configuration B-4
Example 1: Customer C Context Configuration B-5
Example 2: Single Mode Firewall Using Same Security Level B-6Contents
xxxi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Example 3: Shared Resources for Multiple Contexts B-8
Example 3: System Configuration B-9
Example 3: Admin Context Configuration B-9
Example 3: Department 1 Context Configuration B-10
Example 3: Department 2 Context Configuration B-11
Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12
Example 4: System Configuration B-13
Example 4: Admin Context Configuration B-14
Example 4: Customer A Context Configuration B-15
Example 4: Customer B Context Configuration B-15
Example 4: Customer C Context Configuration B-16
Example 5: WebVPN Configuration B-16
Example 6: IPv6 Configuration B-18
Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20
Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21
Example 8: Primary Unit Configuration B-21
Example 8: Secondary Unit Configuration B-22
Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22
Example 9: Primary Unit Configuration B-23
Example 9: Primary System Configuration B-23
Example 9: Primary admin Context Configuration B-24
Example 9: Primary ctx1 Context Configuration B-25
Example 9: Secondary Unit Configuration B-25
Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26
Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27
Example 11: Primary Unit Configuration B-27
Example 11: Secondary Unit Configuration B-28
Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28
Example 12: Primary Unit Configuration B-29
Example 12: Primary System Configuration B-29
Example 12: Primary admin Context Configuration B-30
Example 12: Primary ctx1 Context Configuration B-31
Example 12: Secondary Unit Configuration B-31
Example 13: Dual ISP Support Using Static Route Tracking B-31
Example 14: ASA 5505 Base License B-33
Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35
Example 15: Primary Unit Configuration B-35
Example 15: Secondary Unit Configuration B-37Contents
xxxii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Example 16: Network Traffic Diversion B-37
Inspecting All Traffic with the AIP SSM B-43
Inspecting Specific Traffic with the AIP SSM B-44
Verifying the Recording of Alert Events B-45
Troubleshooting the Configuration B-47
Firewall Mode and Security Context Mode C-1
Command Modes and Prompts C-2
Syntax Formatting C-3
Abbreviating Commands C-3
Command-Line Editing C-3
Command Completion C-4
Command Help C-4
Filtering show Command Output C-4
Command Output Paging C-5
Adding Comments C-6
Text Configuration Files C-6
How Commands Correspond with Lines in the Text File C-6
Command-Specific Configuration Mode Commands C-6
Automatic Text Entries C-7
Line Order C-7
Commands Not Included in the Text Configuration C-7
Passwords C-7
Multiple Security Context Files C-7
IPv4 Addresses and Subnet Masks D-1
Classes D-1
Private Networks D-2
Subnet Masks D-2
Determining the Subnet Mask D-3
Determining the Address to Use with the Subnet Mask D-3
IPv6 Addresses D-5
IPv6 Address Format D-5
IPv6 Address Types D-6
Unicast Addresses D-6
Multicast Address D-8
Anycast Address D-9
Required Addresses D-10
IPv6 Address Prefixes D-10
Protocols and Applications D-11Contents
xxxiii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
TCP and UDP Ports D-11
Local Ports and Protocols D-14
ICMP Types D-15
Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1
Understanding Policy Enforcement of Permissions and Attributes E-2
Configuring an External LDAP Server E-2
Reviewing the LDAP Directory Structure and Configuration Procedure E-3
Organizing the Security Appliance LDAP Schema E-3
Searching the Hierarchy E-4
Binding the Security Appliance to the LDAP Server E-5
Defining the Security Appliance LDAP Schema E-5
Cisco -AV-Pair Attribute Syntax E-14
Example Security Appliance Authorization Schema E-15
Loading the Schema in the LDAP Server E-18
Defining User Permissions E-18
Example User File E-18
Reviewing Examples of Active Directory Configurations E-19
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22
Configuring an External RADIUS Server E-24
Reviewing the RADIUS Configuration Procedure E-24
Security Appliance RADIUS Authorization Attributes E-25
Security Appliance TACACS+ Attributes E-32
GL O S S A R Y
I N D E XContents
xxxiv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02xxxv
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
This preface introduce the Cisco Security Appliance Command Line Configuration Guide, and includes
the following sections:
• Document Objectives, page xxxv
• Audience, page xxxv
• Related Documentation, page xxxvi
• Document Organization, page xxxvi
• Document Conventions, page xxxix
• , page xxxix
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line
interface. This guide does not cover every feature, but describes only the most common configuration
scenarios.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI
application. ASDM includes configuration wizards to guide you through some common configuration
scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm
This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535)
and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and
ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported
models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not
supported.
Audience
This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewalls/security appliances
• Configure VPNs
• Configure intrusion detection softwarexxxvi
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
Related Documentation
For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Migrating to ASA for VPN 3000 Series Concentrator Administrators
• Cisco Security Appliance Command Reference
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Release Notes
• Cisco Security Appliance Logging Configuration and System Log Messages
• Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix Definition
Part 1: Getting Started and General Information
Chapter 1, “Introduction to the
Security Appliance”
Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started” Describes how to access the command-line interface, configure the firewall mode, and
work with the configuration.
Chapter 3, “Enabling Multiple
Context Mode”
Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Switch
Ports and VLAN Interfaces for
the Cisco ASA 5505 Adaptive
Security Appliance”
Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive
security appliance.
Chapter 5, “Configuring
Ethernet Settings and
Subinterfaces”
Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 6, “Adding and
Managing Security Contexts”
Describes how to configure multiple security contexts on the security appliance.
Chapter 7, “Configuring
Interface Parameters”
Describes how to configure each interface and subinterface for a name, security, level, and
IP address.
Chapter 8, “Configuring Basic
Settings”
Describes how to configure basic settings that are typically required for a functioning
configuration.
Chapter 9, “Configuring IP
Routing”
Describes how to configure IP routing.xxxvii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
Chapter 10, “Configuring
DHCP, DDNS, and WCCP
Services”
Describes how to configure the DHCP server and DHCP relay.
Chapter 11, “Configuring
Multicast Routing”
Describes how to configure multicast routing.
Chapter 12, “Configuring IPv6” Describes how to enable and configure IPv6.
Chapter 13, “Configuring AAA
Servers and the Local Database”
Describes how to configure AAA servers and the local database.
Chapter 14, “Configuring
Failover”
Describes the failover feature, which lets you configure two security appliances so that one
will take over operation if the other one fails.
Part 2: Configuring the Firewall
Chapter 15, “Firewall Mode
Overview”
Describes in detail the two operation modes of the security appliance, routed and
transparent mode, and how data is handled differently with each mode.
Chapter 16, “Identifying Traffic
with Access Lists”
Describes how to identify traffic with access lists.
Chapter 17, “Applying NAT” Describes how address translation is performed.
Chapter 18, “Permitting or
Denying Network Access”
Describes how to control network access through the security appliance using access lists.
Chapter 19, “Applying AAA for
Network Access”
Describes how to enable AAA for network access.
Chapter 20, “Applying Filtering
Services”
Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 21, “Using Modular
Policy Framework”
Describes how to use the Modular Policy Framework to create security policies for TCP,
general connection settings, inspection, and QoS.
Chapter 22, “Managing AIP
SSM and CSC SSM”
Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC
SSM, how to check the status of an SSM, and how to update the software image on an
intelligent SSM.
Chapter 23, “Preventing
Network Attacks”
Describes how to configure protection features to intercept and respond to network attacks.
Chapter 24, “Configuring QoS” Describes how to configure the network to provide better service to selected network
traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode
(ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 25, “Configuring
Application Layer Protocol
Inspection”
Describes how to use and configure application inspection.
Chapter 26, “Configuring
ARP Inspection and Bridging
Parameters”
Describes how to enable ARP inspection and how to customize bridging operations.
Part 3: Configuring VPN
Chapter 27, “Configuring IPsec
and ISAKMP”
Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN
“tunnels,” or secure connections between remote users and a private corporate network.
Table 1 Document Organization (continued)
Chapter/Appendix Definitionxxxviii
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
Chapter 28, “Configuring L2TP
over IPSec”
Describes how to configure IPSec over L2TP on the security appliance.
Chapter 29, “Setting General
IPSec VPN Parameters”
Describes miscellaneous VPN configuration procedures.
Chapter 30, “Configuring
Tunnel Groups, Group Policies,
and Users”
Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 31, “Configuring IP
Addresses for VPNs”
Describes how to configure IP addresses in your private network addressing scheme, which
let the client function as a tunnel endpoint.
Chapter 32, “Configuring
Remote Access IPSec VPNs”
Describes how to configure a remote access VPN connection.
Chapter 33, “Configuring
Network Admission Control”
Describes how to configure Network Admission Control (NAC).
Chapter 34, “Configuring Easy
VPN Services on the ASA 5505”
Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance.
Chapter 35, “Configuring the
PPPoE Client”
Describes how to configure the PPPoE client provided with the security appliance.
Chapter 36, “Configuring
LAN-to-LAN IPsec VPNs”
Describes how to build a LAN-to-LAN VPN connection.
Chapter 37, “Configuring
WebVPN”
Describes how to establish a secure, remote-access VPN tunnel to a security appliance
using a web browser.
Chapter 38, “Configuring SSL
VPN Client”
Describes how to install and configure the SSL VPN Client.
Chapter 39, “Configuring
Certificates”
Describes how to configure a digital certificates, which contains information that identifies
a user or device. Such information can include a name, serial number, company,
department, or IP address. A digital certificate also contains a copy of the public key for
the user or device.
Part 4: System Administration
Chapter 40, “Managing System
Access”
Describes how to access the security appliance for system management through Telnet,
SSH, and HTTPS.
Chapter 41, “Managing
Software, Licenses, and
Configurations”
Describes how to enter license keys and download software and configurations files.
Chapter 42, “Monitoring the
Security Appliance”
Describes how to monitor the security appliance.
Chapter 43, “Troubleshooting
the Security Appliance”
Describes how to troubleshoot the security appliance.
Part 4: Reference
Appendix A, “Feature Licenses
and Specifications”
Describes the feature licenses and specifications.
Appendix B, “Sample
Configurations”
Describes a number of common ways to implement the security appliance.
Table 1 Document Organization (continued)
Chapter/Appendix Definitionxxxix
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
Document Conventions
Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.
Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
Appendix C, “Using the
Command-Line Interface”
Describes how to use the CLI to configure the the security appliance.
Appendix D, “Addresses,
Protocols, and Ports”
Provides a quick reference for IP addresses, protocols, and applications.
Appendix E, “Configuring an
External Server for
Authorization and
Authentication”
Provides information about configuring LDAP and RADIUS authorization servers.
“Glossary” Provides a handy reference for commonly-used terms and acronyms.
“Index” Provides an index for the guide.
Table 1 Document Organization (continued)
Chapter/Appendix Definitionxl
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
About This Guide
P A R T 1
Getting Started and General InformationC H A P T E R
1-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
1
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one
device, and for some models, an integrated intrusion prevention module called the AIP SSM or an
integrated content security and control module called the CSC SSM. The security appliance includes
many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent
(Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for
a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series
Release Notes or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not supported.
This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-6
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and even many outside interfaces if
desired, these terms are used in a general sense only.1-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 1 Introduction to the Security Appliance
Firewall Functional Overview
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the security appliance allows traffic to flow freely from an inside network (higher
security level) to an outside network (lower security level). You can apply actions to traffic to customize
the security policy. This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Sending Traffic to the Content Security and Control Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The security appliance also sends accounting information to a RADIUS or TACACS+ server.1-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 1 Introduction to the Security Appliance
Firewall Functional Overview
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the security appliance in conjunction with a separate server
running one of the following Internet filtering products:
• Websense Enterprise
• Secure Computing SmartFilter
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the security
appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM
for inspection.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The security appliance uses the
embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated
by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that
has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent 1-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 1 Introduction to the Security Appliance
Firewall Functional Overview
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter
also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the “session management path,” and depending on the type of
traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible
for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments1-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 1 Introduction to the Security Appliance
VPN Functional Overview
For UDP or other connectionless protocols, the security appliance creates connection state
information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to
negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them
through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel
endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel
where they are unencapsulated and sent to their final destination. It can also receive encapsulated
packets, unencapsulate them, and send them to their final destination. The security appliance invokes
various standard protocols to accomplish these functions.
The security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The security appliance invokes various standard protocols to accomplish these functions.
Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention
services module that monitors and performs real-time analysis of network traffic by looking for
anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface.1-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 1 Introduction to the Security Appliance
Security Context Overview
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a configuration for each context that identifies
the security policy, interfaces, and almost all the options you can configure on a standalone device. The
system administrator adds and manages contexts by configuring them in the system configuration,
which, like a single mode configuration, is the startup configuration. The system configuration identifies
basic settings for the security appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system needs to access network resources (such
as downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context.
The admin context is just like any other context, except that when a user logs into the admin context,
then that user has system administrator rights and can access the system and all other contexts.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one
mode and others in another.
Multiple context mode supports static routing only.C H A P T E R
2-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
2
Getting Started
This chapter describes how to access the command-line interface, configure the firewall mode, and work
with the configuration. This chapter includes the following sections:
• Getting Started with Your Platform Model, page 2-1
• Factory Default Configurations, page 2-1
• Accessing the Command-Line Interface, page 2-4
• Setting Transparent or Routed Firewall Mode, page 2-5
• Working with the Configuration, page 2-6
Getting Started with Your Platform Model
This guide applies to multiple security appliance platforms and models: the PIX 500 series security
appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences
between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch,
and requires some special configuration. For these hardware-based differences, the platforms or models
supported are noted directly in each section.
Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive
security appliance does not support security contexts. This guide might not list each supported model
when discussing a feature. To determine the features that are supported for your model before you start
your configuration, see the “Supported Platforms and Feature Licenses” section on page A-1 for a
detailed list of the features supported for each model.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new security appliances. The
factory default configuration is supported on all models except for the PIX 525 and PIX 535 security
appliances.
For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default
configuration configures an interface for management so you can connect to it using ASDM, with which
you can then complete your configuration.
For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces
and NAT so that the security appliance is ready to use in your network immediately.2-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Factory Default Configurations
The factory default configuration is available only for routed firewall mode and single context mode. See
Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. See
the “Setting Transparent or Routed Firewall Mode” section on page 2-5 for more information about
routed and transparent firewall mode.
This section includes the following topics:
• Restoring the Factory Default Configuration, page 2-2
• ASA 5505 Default Configuration, page 2-2
• ASA 5510 and Higher Default Configuration, page 2-3
• PIX 515/515E Default Configuration, page 2-4
Restoring the Factory Default Configuration
To restore the factory default configuration, enter the following command:
hostname(config)# configure factory-default [ip_address [mask]]
If you specify the ip_address, then you set the inside or management interface IP address, depending on
your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet
you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that
you specify.
After you restore the factory default configuration, save it to internal Flash memory using the write
memory command. The write memory command saves the running configuration to the default location
for the startup configuration, even if you previously configured the boot config command to set a
different location; when the configuration was cleared, this path was also cleared.
Note This command also clears the boot system command, if present, along with the rest of the configuration.
The boot system command lets you boot from a specific image, including an image on the external Flash
memory card. The next time you reload the security appliance after restoring the factory configuration,
it boots from the first image in internal Flash memory; if you do not have an image in internal Flash
memory, the security appliance does not boot.
To configure additional settings that are useful for a full configuration, see the setup command.
ASA 5505 Default Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the
following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not
set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask
are 192.168.1.1 and 255.255.255.0.
• An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP
address using DHCP.
• The default route is also derived from DHCP.
• All inside IP addresses are translated when accessing the outside using interface PAT.
• By default, inside users can access the outside with an access list, and outside users are prevented
from accessing the inside.2-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Factory Default Configurations
• The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface
receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher adaptive security appliance configures
the following:
• The management interface, Management 0/0. If you did not set the IP address in the configure
factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.2-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Accessing the Command-Line Interface
The configuration consists of the following commands:
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
PIX 515/515E Default Configuration
The default factory configuration for the PIX 515/515E security appliance configures the following:
• The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default
command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface ethernet 1
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
Accessing the Command-Line Interface
For initial configuration, access the command-line interface directly from the console port. Later, you
can configure remote access using Telnet or SSH according to Chapter 40, “Managing System Access.”
If your system is already in multiple context mode, then accessing the console port places you in the
system execution space. See Chapter 3, “Enabling Multiple Context Mode,” for more information about
multiple context mode.
Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you
can connect to the default management address of 192.168.1.1 (if your security appliance includes a
factory default configuration. See the “Factory Default Configurations” section on page 2-1.). On the 2-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Setting Transparent or Routed Firewall Mode
ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is
Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect
with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface
to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow
the steps in this section to access the command-line interface. You can then configure the minimum
parameters to access ASDM by entering the setup command.
To access the command-line interface, perform the following steps:
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a
terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide that came with your security appliance for more information about the console
cable.
Step 2 Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See the “Changing the
Enable Password” section on page 8-1 to change the enable password.
The prompt changes to:
hostname#
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
hostname# configure terminal
The prompt changes to the following:
hostname(config)#
To exit global configuration mode, enter the exit, quit, or end command.
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall
mode.
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode
in the system execution space.2-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Working with the Configuration
When you change modes, the security appliance clears the configuration because many commands are
not supported for both modes. If you already have a populated configuration, be sure to back up your
configuration before changing the mode; you can use this backup for reference when creating your new
configuration. See the “Backing Up Configuration Files” section on page 41-8. For multiple context
mode, the system configuration is erased. This action removes any contexts from running. If you then
re-add a context that has an existing configuration that was created for the wrong mode, the context
configuration will not work correctly. Be sure to recreate your context configurations for the correct
mode before you re-add them, or add new contexts with new paths for the new configurations.
If you download a text configuration to the security appliance that changes the mode with the
firewall transparent command, be sure to put the command at the top of the configuration; the security
appliance changes the mode as soon as it reads the command and then continues reading the
configuration you downloaded. If the command is later in the configuration, the security appliance clears
all the preceding lines in the configuration. See the “Downloading Software or Configuration Files to
Flash Memory” section on page 41-3 for information about downloading text files.
• To set the mode to transparent, enter the following command in the system execution space:
hostname(config)# firewall transparent
This command also appears in each context configuration for informational purposes only; you
cannot enter this command in a context.
• To set the mode to routed, enter the following command in the system execution space:
hostname(config)# no firewall transparent
Working with the Configuration
This section describes how to work with the configuration. The security appliance loads the
configuration from a text file, called the startup configuration. This file resides by default as a hidden
file in internal Flash memory. You can, however, specify a different path for the startup configuration.
(For more information, see Chapter 41, “Managing Software, Licenses, and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must
manually save the running configuration to the startup configuration for your changes to remain after a
reboot.
The information in this section applies to both single and multiple security contexts, except where noted.
Additional information about contexts is in Chapter 3, “Enabling Multiple Context Mode.”
This section includes the following topics:
• Saving Configuration Changes, page 2-6
• Copying the Startup Configuration to the Running Configuration, page 2-8
• Viewing the Configuration, page 2-8
• Clearing and Removing Configuration Settings, page 2-9
• Creating Text Configuration Files Offline, page 2-9
Saving Configuration Changes
This section describes how to save your configuration, and includes the following topics:
• Saving Configuration Changes in Single Context Mode, page 2-72-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Working with the Configuration
• Saving Configuration Changes in Multiple Context Mode, page 2-7
Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context
configurations at the same time. This section includes the following topics:
• Saving Each Context and System Separately, page 2-7
• Saving All Context Configurations at the Same Time, page 2-7
Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
For multiple context mode, context startup configurations can reside on external servers. In this case, the
security appliance saves the configuration back to the server you identified in the context URL, except
for an HTTP or HTTPS URL, which do not let you save the configuration to the server.
Saving All Context Configurations at the Same Time
To save all context configurations at the same time, as well as the system configuration, enter the
following command in the system execution space:
hostname# write memory all [/noconfirm]
If you do not enter the /noconfirm keyword, you see the following prompt:
Are you sure [Y/N]:
After you enter Y, the security appliance saves the system configuration and each context. Context
startup configurations can reside on external servers. In this case, the security appliance saves the
configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL,
which do not let you save the configuration to the server.
After the security appliance saves each context, the following message appears:
‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’
Sometimes, a context is not saved because of an error. See the following information for errors:
• For contexts that are not saved because of low memory, the following message appears:
The context 'context a' could not be saved due to Unavailability of resources2-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Working with the Configuration
• For contexts that are not saved because the remote destination is unreachable, the following message
appears:
The context 'context a' could not be saved due to non-reachability of destination
• For contexts that are not saved because the context is locked, the following message appears:
Unable to save the configuration for the following contexts as these contexts are
locked.
context ‘a’ , context ‘x’ , context ‘z’ .
A context is only locked if another user is already saving the configuration or in the process of
deleting the context.
• For contexts that are not saved because the startup configuration is read-only (for example, on an
HTTP server), the following message report is printed at the end of all other messages:
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘a’ , context ‘b’ , context ‘c’ .
• For contexts that are not saved because of bad sectors in the Flash memory, the following message
appears:
The context 'context a' could not be saved due to Unknown errors
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of these options:
• To merge the startup configuration with the running configuration, enter the following command:
hostname(config)# copy startup-config running-config
A merge adds any new commands from the new configuration to the running configuration. If the
configurations are the same, no changes occur. If commands conflict or if commands affect the
running of the context, then the effect of the merge depends on the command. You might get errors,
or you might have unexpected results.
• To load the startup configuration and discard the running configuration, restart the security
appliance by entering the following command:
hostname# reload
Alternatively, you can use the following commands to load the startup configuration and discard the
running configuration without requiring a reboot:
hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config
Viewing the Configuration
The following commands let you view the running and startup configurations.
• To view the running configuration, enter the following command:
hostname# show running-config2-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Working with the Configuration
• To view the running configuration of a specific command, enter the following command:
hostname# show running-config command
• To view the startup configuration, enter the following command:
hostname# show startup-config
Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
This command clears all the current configuration for the specified configuration command. If you
only want to clear the configuration for a specific version of the command, you can enter a value for
level2configurationcommand.
For example, to clear the configuration for all aaa commands, enter the following command:
hostname(config)# clear configure aaa
To clear the configuration for only aaa authentication commands, enter the following command:
hostname(config)# clear configure aaa authentication
• To disable the specific parameters or options of a command, enter the following command:
hostname(config)# no configurationcommand [level2configurationcommand] qualifier
In this case, you use the no command to remove the specific configuration identified by qualifier.
For example, to remove a specific nat command, enter enough of the command to identify it
uniquely as follows:
hostname(config)# no nat (inside) 1
• To erase the startup configuration, enter the following command:
hostname(config)# write erase
• To erase the running configuration, enter the following command:
hostname(config)# clear configure all
Note In multiple context mode, if you enter clear configure all from the system configuration, you
also remove all contexts and stop them from running.
Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the security appliance; when you save commands,
the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly
on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or
line by line. Alternatively, you can download a text file to the security appliance internal Flash memory.
See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading
the configuration file to the security appliance.2-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 2 Getting Started
Working with the Configuration
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the
following example is “hostname(config)#”:
hostname(config)# context a
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as
follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line
Interface.”C H A P T E R
3-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
3
Enabling Multiple Context Mode
This chapter describes how to use security contexts and enable multiple context mode. This chapter
includes the following sections:
• Security Context Overview, page 3-1
• Enabling or Disabling Multiple Context Mode, page 3-10
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
This section provides an overview of security contexts, and includes the following topics:
• Common Uses for Security Contexts, page 3-1
• Unsupported Features, page 3-2
• Context Configuration Files, page 3-2
• How the Security Appliance Classifies Packets, page 3-3
• Cascading Security Contexts, page 3-8
• Management Access to Security Contexts, page 3-9
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the security appliance, you can implement a cost-effective,
space-saving solution that keeps all customer traffic separate and secure, and also eases
configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one security appliance.3-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
Unsupported Features
Multiple context mode does not support the following features:
• Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context
mode.
• VPN
• Multicast
Context Configuration Files
This section describes how the security appliance implements multiple context mode configurations and
includes the following sections:
• Context Configurations, page 3-2
• System Configuration, page 3-2
• Admin Context Configuration, page 3-2
Context Configurations
The security appliance includes a configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a standalone device. You can store context
configurations on the internal Flash memory or the external Flash memory card, or you can download
them from a TFTP, FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the security appliance. The system configuration does not include any network interfaces or
network settings for itself; rather, when the system needs to access network resources (such as
downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context. The system configuration does include a specialized failover interface for failover traffic only.
Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users. The admin context must reside on Flash
memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal Flash memory called admin.cfg. This context is named
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.3-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
How the Security Appliance Classifies Packets
Each packet that enters the security appliance must be classified, so that the security appliance can
determine to which context to send a packet. This section includes the following topics:
• Valid Classifier Criteria, page 3-3
• Invalid Classifier Criteria, page 3-4
• Classification Examples, page 3-5
Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.
Valid Classifier Criteria
This section describes the criteria used by the classifier, and includes the following topics:
• Unique Interfaces, page 3-3
• Unique MAC Addresses, page 3-3
• NAT Configuration, page 3-3
Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet
into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method
is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The security
appliance lets you assign a different MAC address in each context to the same shared interface, whether
it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique
MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An
upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC
addresses manually when you configure each interface (see the “Configuring the Interface” section on
page 7-2), or you can automatically generate MAC addresses (see the “Automatically Assigning MAC
Addresses to Context Interfaces” section on page 6-11).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used. To
use the destination address for classification, the classifier must have knowledge about the subnets
located behind each security context. The classifier relies on the NAT configuration to determine the
subnets in each context. The classifier matches the destination IP address to either a static command or
a global command. In the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet. Whether the packet can communicate with the
destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when
the context administrators configure static commands in each context:
• Context A:3-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
• Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
• Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
Note For management traffic destined for an interface, the interface IP address is used for classification.
Invalid Classifier Criteria
The following configurations are not used for packet classification:
• NAT exemption—The classifier does not use a NAT exemption configuration for classification
purposes because NAT exemption does not identify a mapped interface.
• Routing table—If a context includes a static route that points to an external router as the next-hop
to a subnet, and a different context includes a static command for the same subnet, then the classifier
uses the static command to classify packets destined for that subnet and ignores the static route.3-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
Classification Examples
Figure 3-2 shows multiple contexts sharing an outside interface. The classifier assigns the packet to
Context B because Context B includes the MAC address to which the router sends the packet.
Figure 3-1 Packet Classification with a Shared Interface using MAC Addresses
Classifier
Context A Context B
MAC 000C.F142.4CDA MAC 000C.F142.4CDB MAC 000C.F142.4CDC
GE 0/1.2 GE 0/1.3
GE 0/0.1 (Shared Interface)
Admin
Context
GE 0/1.1
Host
209.165.201.1
Host
209.165.200.225
Host
209.165.202.129
Packet Destination:
209.165.201.1 via MAC 000C.F142.4CDC
Internet
Inside
Customer A
Inside
Customer B
Admin
Network
1533673-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The
classifier assigns the packet to Context B because Context B includes the address translation that
matches the destination address.
Figure 3-2 Packet Classification with a Shared Interface using NAT
Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host
on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B
because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Note If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major
restrictions. The classifier relies on the address translation configuration to classify the packet within a
context, and you must translate the destination addresses of the traffic. Because you do not usually
perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not
always possible; the outside network is large, (the Web, for example), and addresses are not predictable
for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC
addresses.
Classifier
Context A Context B
GE 0/1.2 GE 0/1.3
GE 0/0.1 (Shared Interface)
Admin
Context
GE 0/1.1
Host
10.1.1.13
Host
10.1.1.13
Host
10.1.1.13
Dest Addr Translation
209.165.201.3
Packet Destination:
209.165.201.3
10.1.1.13
Internet
Inside
Customer A
Inside
Customer B
Admin
Network
923993-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
Figure 3-3 Incoming Traffic from Inside Networks
Host
10.1.1.13
Host
10.1.1.13
Host
10.1.1.13
Classifier
Context A Context B
GE 0/1.2 GE 0/1.3
GE 0/0.1
Admin
Context
GE 0/1.1
Inside
Customer A
Inside
Customer B
Internet
Admin
Network
923953-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
For transparent firewalls, you must use unique interfaces. Figure 3-4 shows a host on the Context B
inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress
interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 3-4 Transparent Firewall Contexts
Cascading Security Contexts
Placing a context directly in front of another context is called cascading contexts; the outside interface
of one context is the same interface as the inside interface of another context. You might want to cascade
contexts if you want to simplify the configuration of some contexts by configuring shared parameters in
the top context.
Note Cascading contexts requires that you configure unique MAC addresses for each context interface.
Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not
recommend using cascading contexts without unique MAC addresses.
Host
10.1.3.13
Host
10.1.2.13
Host
10.1.1.13
Context A Context B
GE 1/0.2 GE 1/0.3
Admin
Context
GE 1/0.1
GE 0/0.1 GE 0/0.3
GE 0/0.2
Classifier
Inside
Customer A
Inside
Customer B
Internet
Admin
Network
924013-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Security Context Overview
Figure 3-5 shows a gateway context with two contexts behind the gateway.
Figure 3-5 Cascading Contexts
Management Access to Security Contexts
The security appliance provides system administrator access in multiple context mode as well as access
for individual context administrators. The following sections describe logging in as a system
administrator or as a a context administrator:
• System Administrator Access, page 3-9
• Context Administrator Access, page 3-10
System Administrator Access
You can access the security appliance as a system administrator in two ways:
• Access the security appliance console.
From the console, you access the system execution space.
• Access the admin context using Telnet, SSH, or ASDM.
See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and SDM access.
As the system administrator, you can access all contexts.
When you change to a context from admin or the system, your username changes to the default
“enable_15” username. If you configured command authorization in that context, you need to either
configure authorization privileges for the “enable_15” user, or you can log in as a different name for
which you provide sufficient privileges in the command authorization configuration for the context. To
log in with a username, enter the login command. For example, you log in to the admin context with the
Admin
Context
Context A
Gateway
Context
GE 1/1.43
GE 0/0.2
Outside
GE 1/1.8
GE 0/0.1
(Shared Interface)
Internet
Inside Inside
Outside
Inside
Outside
1533663-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Enabling or Disabling Multiple Context Mode
username “admin.” The admin context does not have any command authorization configuration, but all
other contexts include command authorization. For convenience, each context configuration includes a
user “admin” with maximum privileges. When you change from the admin context to context A, your
username is altered, so you must log in again as “admin” by entering the login command. When you
change to context B, you must again enter the login command to log in as “admin.”
The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.
Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can
only access the configuration for that context. You can provide individual logins to the context. See See
Chapter 40, “Managing System Access,” to enable Telnet, SSH, and SDM access and to configure
management authentication.
Enabling or Disabling Multiple Context Mode
Your security appliance might already be configured for multiple security contexts depending on how
you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode
to multiple mode by following the procedures in this section. ASDM does not support changing modes,
so you need to change modes using the CLI.
This section includes the following topics:
• Backing Up the Single Mode Configuration, page 3-10
• Enabling Multiple Context Mode, page 3-10
• Restoring Single Context Mode, page 3-11
Backing Up the Single Mode Configuration
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files. The original startup configuration is not saved, so if it differs from the
running configuration, you should back it up before proceeding.
Enabling Multiple Context Mode
The context mode (single or multiple) is not stored in the configuration file, even though it does endure
reboots. If you need to copy your configuration to another device, set the mode on the new device to
match using the mode command.
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files: a new startup configuration that comprises the system configuration, and
admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The
original running configuration is saved as old_running.cfg (in the root directory of the internal Flash
memory). The original startup configuration is not saved. The security appliance automatically adds an
entry for the admin context to the system configuration with the name “admin.”
To enable multiple mode, enter the following command:
hostname(config)# mode multiple3-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Enabling or Disabling Multiple Context Mode
You are prompted to reboot the security appliance.
Restoring Single Context Mode
If you convert from multiple mode to single mode, you might want to first copy a full startup
configuration (if available) to the security appliance; the system configuration inherited from multiple
mode is not a complete functioning configuration for a single mode device. Because the system
configuration does not have any network interfaces as part of its configuration, you must access the
security appliance from the console to perform the copy.
To copy the old running configuration to the startup configuration and to change the mode to single
mode, perform the following steps in the system execution space:
Step 1 To copy the backup version of your original running configuration to the current startup configuration,
enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config
Step 2 To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single
The security appliance reboots.3-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 3 Enabling Multiple Context Mode
Enabling or Disabling Multiple Context ModeC H A P T E R
4-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
4
Configuring Switch Ports and VLAN Interfaces
for the Cisco ASA 5505 Adaptive Security
Appliance
This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive
security appliance.
Note To configure interfaces of other models, see Chapter 5, “Configuring Ethernet Settings and
Subinterfaces,” and Chapter 7, “Configuring Interface Parameters.”
This chapter includes the following sections:
• Interface Overview, page 4-1
• Configuring VLAN Interfaces, page 4-5
• Configuring Switch Ports as Access Ports, page 4-9
• Configuring a Switch Port as a Trunk Port, page 4-11
• Allowing Communication Between VLAN Interfaces on the Same Security Level, page 4-13
Interface Overview
This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes
the following topics:
• Understanding ASA 5505 Ports and Interfaces, page 4-2
• Maximum Active VLAN Interfaces for Your License, page 4-2
• Default Interface Configuration, page 4-4
• VLAN MAC Addresses, page 4-4
• Power Over Ethernet, page 4-4
• Security Level Overview, page 4-54-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Interface Overview
Understanding ASA 5505 Ports and Interfaces
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and
interfaces that you need to configure:
• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that
forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE
ports. See the “Power Over Ethernet” section on page 4-4 for more information. You can connect
these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can
connect to another switch.
• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN
networks at Layer 3, using the configured security policy to apply firewall and VPN services. In
transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer
2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN
Interfaces for Your License” section for more information about the maximum VLAN interfaces.
VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business,
and Internet VLANs.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface.
Switch ports on the same VLAN can communicate with each other using hardware switching. But when
a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive
security appliance applies the security policy to the traffic and routes or bridges between the two
VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Maximum Active VLAN Interfaces for Your License
In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active
VLANs with the Security Plus license.
An active VLAN is a VLAN with a nameif command configured.4-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Interface Overview
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See
Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but
cannot initiate contact with Business.
Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License
With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to
accomodate multiple VLANs per port.
Note The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover.
See Figure 4-2 for an example network.
Figure 4-2 ASA 5505 Adaptive Security Appliance with Security Plus License
ASA 5505
with Base License
Business
Internet
Home
153364
ASA 5505
with Security Plus
License
Failover
ASA 5505
Inside
Backup ISP
Primary ISP
DMZ
Failover Link
1533654-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Interface Overview
Default Interface Configuration
If your adaptive security appliance includes the default factory configuration, your interfaces are
configured as follows:
• The outside interface (security level 0) is VLAN 2.
Ethernet0/0 is assigned to VLAN 2 and is enabled.
The VLAN 2 IP address is obtained from the DHCP server.
• The inside interface (security level 100) is VLAN 1
Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and is enabled.
VLAN 1 has IP address 192.168.1.1.
Restore the default factory configuration using the configure factory-default command.
Use the procedures in this chapter to modify the default configuration, for example, to add VLAN
interfaces.
If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other
parameters are configured.
VLAN MAC Addresses
In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches
can support this scenario. If the connected switches require unique MAC addresses, you can manually
assign MAC addresses.
In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated
MAC addresses if desired by manually assigning MAC addresses.
Power Over Ethernet
Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you
install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not
supply power to the switch ports.
If you shut down the switch port using the shutdown command, you disable power to the device. Power
is restored when you enter no shutdown. See the “Configuring Switch Ports as Access Ports” section on
page 4-9 for more information about shutting down a switch port.
To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af),
use the show power inline command.
Monitoring Traffic Using SPAN
If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also
known as switch port monitoring. The port for which you enable SPAN (called the destination port)
receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets
you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have
to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port. 4-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring VLAN Interfaces
See the switchport monitor command in the Cisco Security Appliance Command Reference for more
information.
Security Level Overview
Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For
example, you should assign your most secure network, such as the inside business network, to level 100.
The outside network connected to the Internet can be level 0. Other networks, such as a home network
can be in-between. You can assign interfaces to the same security level.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
• If you enable communication for same security interfaces, there is an implicit permit for interfaces
to access other interfaces on the same security level or lower. See the “Allowing Communication
Between VLAN Interfaces on the Same Security Level” section on page 4-13 for more information.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring VLAN Interfaces
For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for
routed mode, an IP address. You should also change the security level from the default, which is 0. If
you name an interface “inside” and you do not set the security level explicitly, then the adaptive security
appliance sets the security level to 100.
For information about how many VLANs you can configure, see the “Maximum Active VLAN
Interfaces for Your License” section on page 4-2.4-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring VLAN Interfaces
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
communications. See Chapter 14, “Configuring Failover,” to configure the failover link.
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
To configure a VLAN interface, perform the following steps:
Step 1 To specify the VLAN ID, enter the following command:
hostname(config)# interface vlan number
Where the number is between 1 and 4090.
For example, enter the following command:
hostname(config)# interface vlan 100
To remove this VLAN interface and all associated configuration, enter the no interface vlan command.
Because this interface also includes the interface name configuration, and the name is used in other
commands, those commands are also removed.
Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating
contact to one other VLAN using the following command:
hostname(config-if)# no forward interface vlan number
Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.
With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an
inside business network, and a third VLAN assigned to your home network. The home network does not
need to access the business network, so you can use the no forward interface command on the home
VLAN; the business network can access the home network, but the home network cannot access the
business network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no
forward interface command before the nameif command on the third interface; the adaptive security
appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505
adaptive security appliance.
Note If you upgrade to the Security Plus license, you can remove this command and achieve full
functionality for this interface. If you leave this command in place, this interface continues to be
limited even after upgrading.
Step 3 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 4 To set the security level, enter the following command:
hostname(config-if)# security-level number4-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring VLAN Interfaces
Where number is an integer between 0 (lowest) and 100 (highest).
Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
Note To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
To set the management IP address for transparent firewall mode, see the “Setting the
Management IP Address for a Transparent Firewall” section on page 8-5. In transparent mode,
you do not set the IP address for each interface, but rather for the whole adaptive security
appliance or context.
For failover, you must set the IP address an standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use
unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your
switch requires it, or for access control purposes.
Step 7 (Optional) To set an interface to management-only mode, so that it does not allow through traffic, enter
the following command:
hostname(config-if)# management-only
Step 8 By default, VLAN interfaces are enabled. To enable the interface, if it is not already enabled, enter the
following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command.
The following example configures seven VLAN interfaces, including the failover interface which is
configured separately using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.04-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring VLAN Interfaces
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2
255.255.255.0
The following example configures three VLAN interfaces for the Base license. The third home interface
cannot forward traffic to the business interface.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown4-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring Switch Ports as Access Ports
Configuring Switch Ports as Access Ports
By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access
port. To create a trunk port to carry multiple VLANs, see the “Configuring a Switch Port as a Trunk Port”
section on page 4-11.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
Caution The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection
in the network. Therefore you must ensure that any connection with the adaptive security appliance does
not end up in a network loop.
To configure a switch port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign this switch port to a VLAN, enter the following command:
hostname(config-if)# switchport access vlan number
Where number is the VLAN ID, between 1 and 4090.
Note You might assign multiple switch ports to the primary or backup VLANs if the Internet access device
includes Layer 2 redundancy.
Step 3 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 4 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}4-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring Switch Ports as Access Ports
The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 5 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 6 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
The following example configures five VLAN interfaces, including the failover interface which is
configured using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2
255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/34-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring a Switch Port as a Trunk Port
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
Configuring a Switch Port as a Trunk Port
By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry
multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license.
To create an access port, where an interface is assigned to only one VLAN, see the “Configuring Switch
Ports as Access Ports” section on page 4-9.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
To configure a trunk port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign VLANs to this trunk, enter one or more of the following commands.
• To assign native VLANs, enter the following command:
hostname(config-if)# switchport trunk native vlan vlan_id
where the vlan_id is a single VLAN ID between 1 and 4090.
Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has
VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that
egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and
have no 802.1Q header are put into VLAN 2.
Each port can only have one native VLAN, but every port can have either the same or a different
native VLAN.
• To assign VLANs, enter the following command:
hostname(config-if)# switchport trunk allowed vlan vlan_range
where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following
ways:
A single number (n)
A range (n-x)
Separate numbers and ranges by commas, for example:4-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Configuring a Switch Port as a Trunk Port
5,7-10,13,45-100
You can enter spaces instead of commas, but the command is saved to the configuration with
commas.
You can include the native VLAN in this command, but it is not required; the native VLAN is passed
whether it is included in this command or not.
This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native.
Step 3 To make this switch port a trunk port, enter the following command:
hostname(config-if)# switchport mode trunk
To restore this port to access mode, enter the switchport mode access command.
Step 4 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 5 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default.
Step 6 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 7 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
The following example configures seven VLAN interfaces, including the failover interface which is
configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept14-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Allowing Communication Between VLAN Interfaces on the Same Security Level
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2
255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
Allowing Communication Between VLAN Interfaces on the
Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces lets traffic flow freely between all same security
interfaces without access lists.4-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Allowing Communication Between VLAN Interfaces on the Same Security Level
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.C H A P T E R
5-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
5
Configuring Ethernet Settings and Subinterfaces
This chapter describes how to configure and enable physical Ethernet interfaces and how to add
subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the
ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the
inteface media type.
In single context mode, complete the procedures in this chapter and then continue your interface
configuration in Chapter 7, “Configuring Interface Parameters.” In multiple context mode, complete the
procedures in this chapter in the system execution space, then assign interfaces and subinterfaces to
contexts according to Chapter 6, “Adding and Managing Security Contexts,” and finally configure the
interface parameters within each context according to Chapter 7, “Configuring Interface Parameters.”
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Configuring and Enabling RJ-45 Interfaces, page 5-1
• Configuring and Enabling Fiber Interfaces, page 5-3
• Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking, page 5-3
Configuring and Enabling RJ-45 Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.
The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive
security appliance includes two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. If you
want to configure the security appliance to use the fiber SFP connectors, see the “Configuring and
Enabling Fiber Interfaces” section on page 5-3.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation 5-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 5 Configuring Ethernet Settings and Subinterfaces
Configuring and Enabling RJ-45 Interfaces
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and
duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is
always enabled and you cannot disable it.
To enable the interface, or to set a specific speed and duplex, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface physical_interface
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Step 2 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100 | 1000 | nonegotiate}
The auto setting is the default. The speed nonegotiate command disables link negotiation.
Step 3 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.5-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 5 Configuring Ethernet Settings and Subinterfaces
Configuring and Enabling Fiber Interfaces
Configuring and Enabling Fiber Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the connectors used on the 4GE SSM or for built-in interfaces in slot 1 on the ASA 5550
adaptive security appliance are the RJ-45 connectors. To use the fiber SFP connectors, you must set the
media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the
interface to negotiate link parameters (the default) or not to negotiate.
To enable the interface, set the media type, or to set negotiation settings, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface gigabitethernet 1/port
The 4GE SSM interfaces are assigned to slot 1, as shown in the interface ID in the syntax (the interfaces
built into the chassis are assigned to slot 0).
Step 2 To set the media type to SFP, enter the following command:
hostname(config-if)# media-type sfp
To restore the defaukt RJ-45, enter the media-type rj45 command.
Step 3 (Optional) To disable link negotiation, enter the following command:
hostname(config-if)# speed nonegotiate
For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000
Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed
nonegotiate command disables link negotiation.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Configuring and Enabling VLAN Subinterfaces and 802.1Q
Trunking
This section describes how to configure and enable a VLAN subinterface. An interface with one or more
VLAN subinterfaces is automatically configured as an 802.1Q trunk.5-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 5 Configuring Ethernet Settings and Subinterfaces
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking
You must enable the physical interface before any traffic can pass through an enabled subinterface (see
the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1 or the “Configuring and Enabling
Fiber Interfaces” section on page 5-3). For multiple context mode, if you allocate a subinterface to a
context, the interfaces are enabled by default in the context. However, before traffic can pass through the
context interface, you must also enable the interface in the system configuration with this procedure.
Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with
different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface,
you can increase the number of interfaces available to your network without adding additional physical
interfaces or security appliances. This feature is particularly useful in multiple context mode so you can
assign unique interfaces to each context.
To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses
and Specifications.”
Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the
physical interface passes untagged packets. Because the physical interface must be enabled for the
subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the
nameif command. If you want to let the physical interface pass untagged packets, you can configure the
nameif command as usual. See the “Configuring Interface Parameters” section on page 7-1 for more
information about completing the interface configuration.
To add a subinterface and assign a VLAN to it, perform the following steps:
Step 1 To specify the new subinterface, enter the following command:
hostname(config)# interface physical_interface.subinterface
See the “Configuring and Enabling RJ-45 Interfaces” section for a description of the physical interface
ID.
The subinterface ID is an integer between 1 and 4294967293.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.100
Step 2 To specify the VLAN for the subinterface, enter the following command:
hostname(config-subif)# vlan vlan_id
The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected
switches, so check the switch documentation for more information.
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface
must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the
old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the
security appliance changes the old ID.
Step 3 To enable the subinterface, enter the following command:
hostname(config-subif)# no shutdown
To disable the interface, enter the shutdown command. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.C H A P T E R
6-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
6
Adding and Managing Security Contexts
This chapter describes how to configure multiple security contexts on the security appliance, and
includes the following sections:
• Configuring Resource Management, page 6-1
• Configuring a Security Context, page 6-7
• Automatically Assigning MAC Addresses to Context Interfaces, page 6-11
• Changing Between Contexts and the System Execution Space, page 6-11
• Managing Security Contexts, page 6-12
For information about how contexts work and how to enable multiple context mode, see Chapter 3,
“Enabling Multiple Context Mode.”
Configuring Resource Management
By default, all security contexts have unlimited access to the resources of the security appliance, except
where maximum limits per context are enforced. However, if you find that one or more contexts use too
many resources, and they cause other contexts to be denied connections, for example, then you can
configure resource management to limit the use of resources per context.
This section includes the following topics:
• Classes and Class Members Overview, page 6-1
• Configuring a Class, page 6-4
Classes and Class Members Overview
The security appliance manages resources by assigning contexts to resource classes. Each context uses
the resource limits set by the class. This section includes the following topics:
• Resource Limits, page 6-2
• Default Class, page 6-3
• Class Members, page 6-46-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring Resource Management
Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each
context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those
resources, potentially affecting service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the security appliance by assigning more than 100 percent of a resource across
all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context,
and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than
the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.)
Figure 6-1 Resource Oversubscription
If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
security appliance, then the performance of the security appliance might be impaired.
The security appliance lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available or that is practically available. For example, Context A, B, and C are in the
Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but
the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to
connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned”
connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C,
even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See
Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you
have less control over how much you oversubscribe the system.
Total Number of System Connections = 999,900
Maximum connections
allowed.
Connections denied
because system limit
was reached.
Connections in use.
1 2 3 4 5 6 7 8 9 10
Max. 20%
(199,800)
16%
(159,984)
12%
(119,988)
8%
(79,992)
4%
(39,996)
Contexts in Class
1048956-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring Resource Management
Figure 6-2 Unlimited Resources
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to
actively assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default
class settings. However, if the other class has any settings that are not defined, then the member context
uses the default class for those limits. For example, if you create a class with a 2 percent limit for all
concurrent connections, but no other limits, then all other limits are inherited from the default class.
Conversely, if you create a class with a limit for all resources, the class uses no settings from the default
class.
By default, the default class provides unlimited access to resources for all contexts, except for the
following limits, which are by default set to the maximum allowed per context:
• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
• MAC addresses—65,535 entries.
Maximum connections
allowed.
Connections denied
because system limit
was reached.
Connections in use.
A B C 1 2 3
1%
2%
3%
5%
4%
Contexts Silver Class Contexts Gold Class
50% 43%
1532116-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring Resource Management
Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong
to classes with some limits set; other limits are inherited from the default class. Context B inherits no
limits from default because all limits are set in its class, the Gold class. Context D was not assigned to
a class, and is by default a member of the default class.
Figure 6-3 Resource Classes
Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts
belong to the default class if they are not assigned to another class; you do not have to actively assign a
context to default. You can only assign a context to one resource class. The exception to this rule is that
limits that are undefined in the member class are inherited from the default class; so in effect, a context
could be a member of default plus another class.
Configuring a Class
To configure a class in the system configuration, perform the following steps. You can change the value
of a particular resource limit by reentering the command with a new value.
Step 1 To specify the class name and enter the class configuration mode, enter the following command in the
system execution space:
hostname(config)# class name
The name is a string up to 20 characters long. To set the limits for the default class, enter default for the
name.
Step 2 To set the resource limits, see the following options:
• To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:
hostname(config-resmgmt)# limit-resource all 0
Default Class
Class Gold
(All Limits
Set)
Class Silver
(Some Limits
Set)
Class
Bronze
(Some
Limits
Set)
Context A
Context B
Context C
Context D
1046896-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring Resource Management
For example, you might want to create a class that includes the admin context that has no limitations.
The default class has all resources set to unlimited by default.
• To set a particular resource limit, enter the following command:
hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]
For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set
the rate per second for certain resources. For resources that do not have a system limit, you cannot
set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for
resources for which you can set the rate per second and which to not have a system limit.
Table 6-1 lists the resource types and the limits. See also the show resource types command.6-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring Resource Management
For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the
following commands:
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
All other resources remain at unlimited.
To add a class called gold, enter the following commands:
hostname(config)# class gold
Table 6-1 Resource Names and Limits
Resource Name
Rate or
Concurrent
Minimum and
Maximum Number
per Context System Limit
1
1. If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.
Description
mac-addresses Concurrent N/A 65,535 For transparent firewall mode, the number of
MAC addresses allowed in the MAC address
table.
conns Concurrent
or Rate
N/A Concurrent connections:
See the “Supported
Platforms and Feature
Licenses” section on
page A-1 for the
connection limit for your
platform.
Rate: N/A
TCP or UDP connections between any two
hosts, including connections between one
host and multiple other hosts.
inspects Rate N/A N/A Application inspections.
hosts Concurrent N/A N/A Hosts that can connect through the security
appliance.
asdm Concurrent 1 minimum
5 maximum
32 ASDM management sessions.
Note ASDM sessions use two HTTPS
connections: one for monitoring that
is always present, and one for making
configuration changes that is present
only when you make changes. For
example, the system limit of 32
ASDM sessions represents a limit of
64 HTTPS sessions.
ssh Concurrent 1 minimum
5 maximum
100 SSH sessions.
syslogs Rate N/A N/A System log messages.
telnet Concurrent 1 minimum
5 maximum
100 Telnet sessions.
xlates Concurrent N/A N/A Address translations.6-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring a Security Context
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
Configuring a Security Context
The security context definition in the system configuration identifies the context name, configuration file
URL, and interfaces that a context can use.
Note If you do not have an admin context (for example, if you clear the configuration) then you must first
specify the admin context name by entering the following command:
hostname(config)# admin-context name
Although this context name does not exist yet in your configuration, you can subsequently enter the
context name command to match the specified name to continue the admin context configuration.
To add or change a context in the system configuration, perform the following steps:
Step 1 To add or modify a context, enter the following command in the system execution space:
hostname(config)# context name
The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts
named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you
cannot start or end the name with a hyphen.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.
Step 2 (Optional) To add a description for this context, enter the following command:
hostname(config-ctx)# description text
Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical
interface or for one or more subinterfaces.
• To allocate a physical interface, enter the following command:
hostname(config-ctx)# allocate-interface physical_interface [map_name]
[visible | invisible]
• To allocate one or more subinterfaces, enter the following command:
hostname(config-ctx)# allocate-interface
physical_interface.subinterface[-physical_interface.subinterface]
[map_name[-map_name]] [visible | invisible]6-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring a Security Context
You can enter these commands multiple times to specify different ranges. If you remove an allocation
with the no form of this command, then any context commands that include this interface are removed
from the running configuration.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA
adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either
the physical interface or a subinterface) as a third interface for management traffic.
Note The management interface for transparent mode does not flood a packet out the interface when that
packet is not in the MAC address table.
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode
does not allow shared interfaces.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of
the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For
security purposes, you might not want the context administrator to know which interfaces are being used
by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only
letters, digits, or an underscore. For example, you can use the following names:
int0
inta
int_0
For subinterfaces, you can specify a range of mapped names.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these
guidelines for ranges:
• The mapped name must consist of an alphabetic portion followed by a numeric portion. The
alphabetic portion of the mapped name must match for both ends of the range. For example, enter
the following range:
int0-int10
If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command
fails.
• The numeric portion of the mapped name must include the same quantity of numbers as the
subinterface range. For example, both ranges include 100 interfaces:
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command
fails.
Specify visible to see physical interface properties in the show interface command even if you set a
mapped name. The default invisible keyword specifies to only show the mapped name.
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and
gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are
int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305
int3-int86-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring a Security Context
Step 4 To identify the URL from which the system downloads the context configuration, enter the following
command:
hostname(config-ctx)# config-url url
When you add a context URL, the system immediately loads the context so that it is running, if the
configuration is available.
Note Enter the allocate-interface command(s) before you enter the config-url command. The security
appliance must assign interfaces to the context before it loads the context configuration; the context
configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the
config-url command first, the security appliance loads the context configuration immediately. If the
context contains any commands that refer to interfaces, those commands fail.
See the following URL syntax:
• disk:/[path/]filename
This URL indicates the internal Flash memory. The filename does not require a file extension,
although we recommend using “.cfg”. If the configuration file is not available, you see the following
message:
WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to Flash memory.
Note The admin context file must be stored on the internal Flash memory.
• ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]
The type can be one of the following keywords:
– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL ftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the FTP server.
• http[s]://[user[:password]@]server[:port]/[path/]filename
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL http://url
INFO: Creating context with default config6-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Configuring a Security Context
If you change to the context and configure the context at the CLI, you cannot save changes back to
HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp
command to copy the running configuration to a TFTP server.
• tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]
The server must be accessible from the admin context. Specify the interface name if you want to
override the route to the server address. The filename does not require a file extension, although we
recommend using “.cfg”. If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL tftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the TFTP server.
To change the URL, reenter the config-url command with a new URL.
See the “Changing the Security Context URL” section on page 6-13 for more information about
changing the URL.
For example, enter the following command:
hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg
Step 5 (Optional) To assign the context to a resource class, enter the following command:
hostname(config-ctx)# member class_name
If you do not specify a class, the context belongs to the default class. You can only assign a context to
one resource class.
For example, to assign the context to the gold class, enter the following command:
hostname(config-ctx)# member gold
Step 6 To view context information, see the show context command in the Cisco Security Appliance Command
Reference.
The following example sets the admin context to be “administrator,” creates a context called
“administrator” on the internal Flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115
int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235
int3-int86-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Automatically Assigning MAC Addresses to Context Interfaces
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Automatically Assigning MAC Addresses to Context Interfaces
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context
interface. The MAC address is used to classify packets within a context. If you share an interface, but do
not have unique MAC addresses for the interface in each context, then the destination IP address is used
to classify packets. The destination address is matched with the context NAT configuration, and this
method has some limitations compared to the MAC address method. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
You can automatically assign private MAC addresses to each shared context interface by entering the
following command in the system configuration:
hostname(config)# mac-address auto
For use with failover, the security appliance generates both an active and standby MAC address for each
interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using
the active MAC addresses to minimize network disruption.
When you assign an interface to a context, the new MAC address is generated immediately. If you enable
this command after you create context interfaces, then MAC addresses are generated for all interfaces
immediately after you enter the command. If you use the no mac-address auto command, the MAC
address for each interface reverts to the default MAC address. For example, subinterfaces of
GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
• Active unit MAC address: 12_slot.port_subid.contextid.
• Standby unit MAC address: 02_slot.port_subid.contextid.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an
internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context,
viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in
the context with the ID 1 has the following generated MAC addresses, where the internal ID for
subinterface 200 is 31:
• Active: 1200.0131.0001
• Standby: 0200.0131.0001
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring the Interface” section on page 7-2 to manually set the MAC address.
Changing Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change
between contexts and perform configuration and monitoring tasks within each context. The running
configuration that you edit in a configuration mode, or that is used in the copy or write commands, 6-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
depends on your location. When you are in the system execution space, the running configuration
consists only of the system configuration; when you are in a context, the running configuration consists
only of that context. For example, you cannot view all running configurations (system plus all contexts)
by entering the show running-config command. Only the current configuration displays.
To change between the system execution space and a context, or between contexts, see the following
commands:
• To change to a context, enter the following command:
hostname# changeto context name
The prompt changes to the following:
hostname/name#
• To change to the system execution space, enter the following command:
hostname/admin# changeto system
The prompt changes to the following:
hostname#
Managing Security Contexts
This section describes how to manage security contexts, and includes the following topics:
• Removing a Security Context, page 6-12
• Changing the Admin Context, page 6-13
• Changing the Security Context URL, page 6-13
• Reloading a Security Context, page 6-14
• Monitoring Security Contexts, page 6-15
Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current
admin context, unless you remove all contexts using the clear context command.
Note If you use failover, there is a delay between when you remove the context on the active unit and when
the context is removed on the standby unit. You might see an error message indicating that the number
of interfaces on the active and standby units are not consistent; this error is temporary and can be
ignored.
Use the following commands for removing contexts:
• To remove a single context, enter the following command in the system execution space:
hostname(config)# no context name
All context commands are also removed.
• To remove all contexts (including the admin context), enter the following command in the system
execution space:6-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
hostname(config)# clear context
Changing the Admin Context
The system configuration does not include any network interfaces or network settings for itself; rather,
when the system needs to access network resources (such as downloading the contexts from the server),
it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users.
You can set any context to be the admin context, as long as the configuration file is stored in the internal
Flash memory. To set the admin context, enter the following command in the system execution space:
hostname(config)# admin-context context_name
Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin
context are terminated. You must reconnect to the new admin context.
Note A few system commands, including ntp server, identify an interface name that belongs to the admin
context. If you change the admin context, and that interface name does not exist in the new admin
context, be sure to update any system commands that refer to the interface.
Changing the Security Context URL
You cannot change the security context URL without reloading the configuration from the new URL.
The security appliance merges the new configuration with the current running configuration. Reentering
the same URL also merges the saved configuration with the running configuration. A merge adds any
new commands from the new configuration to the running configuration. If the configurations are the
same, no changes occur. If commands conflict or if commands affect the running of the context, then the
effect of the merge depends on the command. You might get errors, or you might have unexpected
results. If the running configuration is blank (for example, if the server was unavailable and the
configuration was never downloaded), then the new configuration is used. If you do not want to merge
the configurations, you can clear the running configuration, which disrupts any communications through
the context, and then reload the configuration from the new URL.
To change the URL for a context, perform the following steps:
Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by
entering the following commands. If you want to perform a merge, skip to Step 2.
hostname# changeto context name
hostname/name# configure terminal
hostname/name(config)# clear configure all
Step 2 If required, change to the system execution space by entering the following command:
hostname/name(config)# changeto system6-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Step 3 To enter the context configuration mode for the context you want to change, enter the following
command:
hostname(config)# context name
Step 4 To enter the new URL, enter the following command:
hostname(config)# config-url new_url
The system immediately loads the context so that it is running.
Reloading a Security Context
You can reload the context in two ways:
• Clear the running configuration and then import the startup configuration.
This action clears most attributes associated with the context, such as connections and NAT tables.
• Remove the context from the system configuration.
This action clears additional attributes, such as memory allocation, which might be useful for
troubleshooting. However, to add the context back to the system requires you to respecify the URL
and interfaces.
This section includes the following topics:
• Reloading by Clearing the Configuration, page 6-14
• Reloading by Removing and Re-adding the Context, page 6-15
Reloading by Clearing the Configuration
To reload the context by clearing the context configuration, and reloading the configuration from the
URL, perform the following steps:
Step 1 To change to the context that you want to reload, enter the following command:
hostname# changeto context name
Step 2 To access configuration mode, enter the following command:
hostname/name# configure terminal
Step 3 To clear the running configuration, enter the following command:
hostname/name(config)# clear configure all
This command clears all connections.
Step 4 To reload the configuration, enter the following command:
hostname/name(config)# copy startup-config running-config
The security appliance copies the configuration from the URL specified in the system configuration. You
cannot change the URL from within a context.6-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Reloading by Removing and Re-adding the Context
To reload the context by removing the context and then re-adding it, perform the steps in the following
sections:
1. “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11
2. “Configuring a Security Context” section on page 6-7
Monitoring Security Contexts
This section describes how to view and monitor context information, and includes the following topics:
• Viewing Context Information, page 6-15
• Viewing Resource Allocation, page 6-16
• Viewing Resource Usage, page 6-19
• Monitoring SYN Attacks in Contexts, page 6-20
Viewing Context Information
From the system execution space, you can view a list of contexts including the name, allocated
interfaces, and configuration file URL.
From the system execution space, view all contexts by entering the following command:
hostname# show context [name | detail| count]
The detail option shows additional information. See the following sample displays below for more
information.
If you want to show information for a particular context, specify the name.
The count option shows the total number of contexts.
The following is sample output from the show context command. The following sample display shows
three contexts:
hostname# show context
Context Name Interfaces URL
*admin GigabitEthernet0/1.100 disk0:/admin.cfg
GigabitEthernet0/1.101
contexta GigabitEthernet0/1.200 disk0:/contexta.cfg
GigabitEthernet0/1.201
contextb GigabitEthernet0/1.300 disk0:/contextb.cfg
GigabitEthernet0/1.301
Total active Security Contexts: 3
Table 6-2 shows each field description.
Table 6-2 show context Fields
Field Description
Context Name Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces The interfaces assigned to the context.
URL The URL from which the security appliance loads the context configuration.6-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
The following is sample output from the show context detail command:
hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
See the Cisco Security Appliance Command Reference for more information about the detail output.
The following is sample output from the show context count command:
hostname# show context count
Total active contexts: 2
Viewing Resource Allocation
From the system execution space, you can view the allocation for each resource across all classes and
class members.
To view the resource allocation, enter the following command:
hostname# show resource allocation [detail]
This command shows the resource allocation, but does not show the actual resources being used. See the
“Viewing Resource Usage” section on page 6-19 for more information about actual resource usage.
The detail argument shows additional information. See the following sample displays for more
information.
The following sample display shows the total allocation of each resource as an absolute value and as a
percentage of the available system resources:
hostname# show resource allocation
Resource Total % of Avail
Conns [rate] 35000 N/A
Inspects [rate] 35000 N/A
Syslogs [rate] 10500 N/A
Conns 305000 30.50%
Hosts 78842 N/A6-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
SSH 35 35.00%
Telnet 35 35.00%
Xlates 91749 N/A
All unlimited
Table 6-3 shows each field description.
The following is sample output from the show resource allocation detail command:
hostname# show resource allocation detail
Resource Origin:
A Value was derived from the resource 'all'
C Value set in the definition of this class
D Value set in default class
Resource Class Mmbrs Origin Limit Total Total %
Conns [rate] default all CA unlimited
gold 1 C 34000 34000 N/A
silver 1 CA 17000 17000 N/A
bronze 0 CA 8500
All Contexts: 3 51000 N/A
Inspects [rate] default all CA unlimited
gold 1 DA unlimited
silver 1 CA 10000 10000 N/A
bronze 0 CA 5000
All Contexts: 3 10000 N/A
Syslogs [rate] default all CA unlimited
gold 1 C 6000 6000 N/A
silver 1 CA 3000 3000 N/A
bronze 0 CA 1500
All Contexts: 3 9000 N/A
Conns default all CA unlimited
gold 1 C 200000 200000 20.00%
silver 1 CA 100000 100000 10.00%
bronze 0 CA 50000
All Contexts: 3 300000 30.00%
Hosts default all CA unlimited
gold 1 DA unlimited
silver 1 CA 26214 26214 N/A
bronze 0 CA 13107
All Contexts: 3 26214 N/A
SSH default all C 5
gold 1 D 5 5 5.00%
Table 6-3 show resource allocation Fields
Field Description
Resource The name of the resource that you can limit.
Total The total amount of the resource that is allocated across all contexts. The amount
is an absolute number of concurrent instances or instances per second. If you
specified a percentage in the class definition, the security appliance converts the
percentage to an absolute number for this display.
% of Avail The percentage of the total system resources that is allocated across all contexts, if
the resource has a hard system limit. If a resource does not have a system limit, this
column shows N/A.6-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%
Telnet default all C 5
gold 1 D 5 5 5.00%
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%
Xlates default all CA unlimited
gold 1 DA unlimited
silver 1 CA 23040 23040 N/A
bronze 0 CA 11520
All Contexts: 3 23040 N/A
mac-addresses default all C 65535
gold 1 D 65535 65535 100.00%
silver 1 CA 6553 6553 9.99%
bronze 0 CA 3276
All Contexts: 3 137623 209.99%
Table 6-4 shows each field description.
Table 6-4 show resource allocation detail Fields
Field Description
Resource The name of the resource that you can limit.
Class The name of each class, including the default class.
The All contexts field shows the total values across all classes.
Mmbrs The number of contexts assigned to each class.
Origin The origin of the resource limit, as follows:
• A—You set this limit with the all option, instead of as an individual resource.
• C—This limit is derived from the member class.
• D—This limit was not defined in the member class, but was derived from the
default class. For a context assigned to the default class, the value will be “C”
instead of “D.”
The security appliance can combine “A” with “C” or “D.”
Limit The limit of the resource per context, as an absolute number. If you specified a
percentage in the class definition, the security appliance converts the percentage to
an absolute number for this display.
Total The total amount of the resource that is allocated across all contexts in the class.
The amount is an absolute number of concurrent instances or instances per second.
If the resource is unlimited, this display is blank.
% of Avail The percentage of the total system resources that is allocated across all contexts in
the class. If the resource is unlimited, this display is blank. If the resource does not
have a system limit, then this column shows N/A.6-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Viewing Resource Usage
From the system execution space, you can view the resource usage for each context and display the
system resource usage.
From the system execution space, view the resource usage for each context by entering the following
command:
hostname# show resource usage [context context_name | top n | all | summary | system]
[resource {resource_name | all} | detail] [counter counter_name [count_threshold]]
By default, all context usage is displayed; each context is listed separately.
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must
specify a single resource type, and not resource all, with this option.
The summary option shows all context usage combined.
The system option shows all context usage combined, but shows the system limits for resources instead
of the combined context limits.
For the resource resource_name, see Table 6- 1 for available resource names. See also the show resource
type command. Specify all (the default) for all types.
The detail option shows the resource usage of all resources, including those you cannot manage. For
example, you can view the number of TCP intercepts.
The counter counter_name is one of the following keywords:
• current—Shows the active concurrent instances or the current rate of the resource.
• denied—Shows the number of instances that were denied because they exceeded the resource limit
shown in the Limit column.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were
last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.
The count_threshold sets the number above which resources are shown. The default is 1. If the usage of
the resource is below the number you set, then the resource is not shown. If you specify all for the
counter name, then the count_threshold applies to the current usage.
Note To show all resources, set the count_threshold to 0.
The following is sample output from the show resource usage context command, which shows the
resource usage for the admin context:
hostname# show resource usage context admin
Resource Current Peak Limit Denied Context
Telnet 1 1 5 0 admin
Conns 44 55 N/A 0 admin
Hosts 45 56 N/A 0 admin
The following is sample output from the show resource usage summary command, which shows the
resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Syslogs [rate] 1743 2132 N/A 0 Summary
Conns 584 763 280000(S) 0 Summary6-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Xlates 8526 8966 N/A 0 Summary
Hosts 254 254 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Inspects [rate] 270 535 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then
the combined limit is 125. The system limit is only 100, so the system limit is shown.
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Telnet 1 1 100[S] 0 Summary
SSH 2 2 100[S] 0 Summary
Conns 56 90 N/A 0 Summary
Hosts 89 102 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource Current Peak Limit Denied Context
Telnet 0 0 100 0 System
SSH 0 0 100 0 System
ASDM 0 0 32 0 System
Syslogs [rate] 1 18 N/A 0 System
Conns 0 1 280000 0 System
Xlates 0 0 N/A 0 System
Hosts 0 2 N/A 0 System
Conns [rate] 1 1 N/A 0 System
Inspects [rate] 0 0 N/A 0 System
Monitoring SYN Attacks in Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies
algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN
packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the
server SYN queue full, which prevents it from servicing connection requests. When the embryonic
connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and
generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK
back from the client, it can then authenticate the client and allow the connection to the server.
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can
monitor the amount of resources being used by TCP intercept for individual contexts using the show
resource usage detail command; you can monitor the resources being used by TCP intercept for the
entire system using the show resource usage summary detail command.
The following is sample output from the show perfmon command that shows the rate of TCP intercepts
for a context called admin.
hostname/admin# show perfmon
Context:admin
PERFMON STATS: Current Average
Xlates 0/s 0/s6-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
WebSns Req 0/s 0/s
TCP Fixup 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
TCP Intercept 322779/s 322779/s
The following is sample output from the show resource usage detail command that shows the amount
of resources being used by TCP Intercept for individual contexts. (Sample text in italics shows the TCP
intercept information.)
hostname(config)# show resource usage detail
Resource Current Peak Limit Denied Context
memory 843732 847288 unlimited 0 admin
chunk:channels 14 15 unlimited 0 admin
chunk:fixup 15 15 unlimited 0 admin
chunk:hole 1 1 unlimited 0 admin
chunk:ip-users 10 10 unlimited 0 admin
chunk:list-elem 21 21 unlimited 0 admin
chunk:list-hdr 3 4 unlimited 0 admin
chunk:route 2 2 unlimited 0 admin
chunk:static 1 1 unlimited 0 admin
tcp-intercepts 328787 803610 unlimited 0 admin
np-statics 3 3 unlimited 0 admin
statics 1 1 unlimited 0 admin
ace-rules 1 1 unlimited 0 admin
console-access-rul 2 2 unlimited 0 admin
fixup-rules 14 15 unlimited 0 admin
memory 959872 960000 unlimited 0 c1
chunk:channels 15 16 unlimited 0 c1
chunk:dbgtrace 1 1 unlimited 0 c1
chunk:fixup 15 15 unlimited 0 c1
chunk:global 1 1 unlimited 0 c1
chunk:hole 2 2 unlimited 0 c1
chunk:ip-users 10 10 unlimited 0 c1
chunk:udp-ctrl-blk 1 1 unlimited 0 c1
chunk:list-elem 24 24 unlimited 0 c1
chunk:list-hdr 5 6 unlimited 0 c1
chunk:nat 1 1 unlimited 0 c1
chunk:route 2 2 unlimited 0 c1
chunk:static 1 1 unlimited 0 c1
tcp-intercept-rate 16056 16254 unlimited 0 c1
globals 1 1 unlimited 0 c1
np-statics 3 3 unlimited 0 c1
statics 1 1 unlimited 0 c1
nats 1 1 unlimited 0 c1
ace-rules 2 2 unlimited 0 c1
console-access-rul 2 2 unlimited 0 c1
fixup-rules 14 15 unlimited 0 c1
memory 232695716 232020648 unlimited 0 system
chunk:channels 17 20 unlimited 0 system
chunk:dbgtrace 3 3 unlimited 0 system
chunk:fixup 15 15 unlimited 0 system
chunk:ip-users 4 4 unlimited 0 system
chunk:list-elem 1014 1014 unlimited 0 system
chunk:list-hdr 1 1 unlimited 0 system
chunk:route 1 1 unlimited 0 system6-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 6 Adding and Managing Security Contexts
Managing Security Contexts
block:16384 510 885 unlimited 0 system
block:2048 32 34 unlimited 0 system
The following sample output shows the resources being used by TCP intercept for the entire system.
(Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detail
Resource Current Peak Limit Denied Context
memory 238421312 238434336 unlimited 0 Summary
chunk:channels 46 48 unlimited 0 Summary
chunk:dbgtrace 4 4 unlimited 0 Summary
chunk:fixup 45 45 unlimited 0 Summary
chunk:global 1 1 unlimited 0 Summary
chunk:hole 3 3 unlimited 0 Summary
chunk:ip-users 24 24 unlimited 0 Summary
chunk:udp-ctrl-blk 1 1 unlimited 0 Summary
chunk:list-elem 1059 1059 unlimited 0 Summary
chunk:list-hdr 10 11 unlimited 0 Summary
chunk:nat 1 1 unlimited 0 Summary
chunk:route 5 5 unlimited 0 Summary
chunk:static 2 2 unlimited 0 Summary
block:16384 510 885 unlimited 0 Summary
block:2048 32 35 unlimited 0 Summary
tcp-intercept-rate 341306 811579 unlimited 0 Summary
globals 1 1 unlimited 0 Summary
np-statics 6 6 unlimited 0 Summary
statics 2 2 N/A 0 Summary
nats 1 1 N/A 0 Summary
ace-rules 3 3 N/A 0 Summary
console-access-rul 4 4 N/A 0 Summary
fixup-rules 43 44 N/A 0 SummaryC H A P T E R
7-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
7
Configuring Interface Parameters
This chapter describes how to configure each interface and subinterface for a name, security level, and
IP address. For single context mode, the procedures in this chapter continue the interface configuration
started in Chapter 5, “Configuring Ethernet Settings and Subinterfaces.” For multiple context mode, the
procedures in Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” are performed in the system
execution space, while the procedures in this chapter are performed within each security context.
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Security Level Overview, page 7-1
• Configuring the Interface, page 7-2
• Allowing Communication Between Interfaces on the Same Security Level, page 7-6
Security Level Overview
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100. While the outside
network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You
can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces
on the Same Security Level” section on page 7-6 for more information.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Communication
Between Interfaces on the Same Security Level” section on page 7-6), there is an implicit permit for
interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.7-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 7 Configuring Interface Parameters
Configuring the Interface
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring the Interface
By default, all physical interfaces are shut down. You must enable the physical interface before any
traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical
interface or subinterface to a context, the interfaces are enabled by default in the context. However,
before traffic can pass through the context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution space, then that interface is down
in all contexts that share it.
Before you can complete your configuration and allow traffic through the security appliance, you need
to configure an interface name, and for routed mode, an IP address. You should also change the security
level from the default, which is 0. If you name an interface “inside” and you do not set the security level
explicitly, then the security appliance sets the security level to 100.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
and Stateful Failover communications. See Chapter 14, “Configuring Failover.” to configure the failover
and state links.
For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system
configuration.
• The system configuration only lets you configure Ethernet settings and VLANs. The exception is
for failover interfaces; do not configure failover interfaces with this procedure. See the Failover
chapter for more information.
Note If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.7-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 7 Configuring Interface Parameters
Configuring the Interface
To configure an interface or subinterface, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface {physical_interface[.subinterface] | mapped_name}
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1. For the ASA 5550 adaptive security appliance, for maximum
throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside
interface to slot 1 and the outside interface to slot 0.
The ASA 5510 and higher adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Append the subinterface ID to the physical interface ID separated by a period (.).
In multiple context mode, enter the mapped name if one was assigned using the allocate-interface
command.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.1
Step 2 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 3 To set the security level, enter the following command:
hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).
Step 4 (Optional) To set an interface to management-only mode, enter the following command:
hostname(config-if)# management-only
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called
Management 0/0, which is meant to support traffic to the security appliance. However, you can configure
any interface to be a management-only interface using the management-only command. Also, for
Management 0/0, you can disable management-only mode so the interface can pass through traffic just
like any other interface.7-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 7 Configuring Interface Parameters
Configuring the Interface
Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the
The ASA 5510 and higher adaptive security appliance, you can use the Management 0/0
interface (either the physical interface or a subinterface) as a third interface for management
traffic. The mode is not configurable in this case and must always be management-only.
Step 5 To set the IP address, enter one of the following commands.
In routed firewall mode, you set the IP address for all interfaces. In transparent firewall mode, you do
not set the IP address for each interface, but rather for the whole security appliance or context. The
exception is for the Management 0/0 management-only interface, which does not pass through traffic.
To set the management IP address for transparent firewall mode, see the “Setting the Management IP
Address for a Transparent Firewall” section on page 8-5. To set the IP address of the Management 0/0
interface or subinterface, use one of the following commands.
To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
For failover, you must set the IP address an standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the
MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
For use with failover, set the standby MAC address. If the active unit fails over and the standby unit
becomes active, the new active unit starts using the active MAC addresses to minimize network
disruption, while the old active unit uses the standby address.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC
address to the interface in each context. This feature lets the security appliance easily classify packets
into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has
some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more
information. You can assign each MAC address manually, or you can automatically generate MAC
addresses for shared interfaces in contexts. See the “Automatically Assigning MAC Addresses to
Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically
generate MAC addresses, you can use the mac-address command to override the generated address.7-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 7 Configuring Interface Parameters
Configuring the Interface
For single context mode, or for interfaces that are not shared in multiple context mode, you might want
to assign unique MAC addresses to subinterfaces. For example, your service provider might perform
access control based on the MAC address.
Step 7 To enable the interface, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it, even though the context
configurations show the interface as enabled.
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
The following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown
The following example configures interface parameters in multiple context mode for the system
configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown7-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 7 Configuring Interface Parameters
Allowing Communication Between Interfaces on the Same Security Level
Allowing Communication Between Interfaces on the Same
Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces.
If you use different levels for each interface and do not assign any interfaces to the same security
level, you can configure only one interface per level (0 to 100).
• You want traffic to flow freely between all same security interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.C H A P T E R
8-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
8
Configuring Basic Settings
This chapter describes how to configure basic settings on your security appliance that are typically
required for a functioning configuration. This chapter includes the following sections:
• Changing the Login Password, page 8-1
• Changing the Enable Password, page 8-1
• Setting the Hostname, page 8-2
• Setting the Domain Name, page 8-2
• Setting the Date and Time, page 8-2
• Setting the Management IP Address for a Transparent Firewall, page 8-5
Changing the Login Password
The login password is used for Telnet and SSH connections. By default, the login password is “cisco.”
To change the password, enter the following command:
hostname(config)# {passwd | password} password
You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric
and special characters. You can use any character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Use the no password command to restore the password to the default setting.
Changing the Enable Password
The enable password lets you enter privileged EXEC mode. By default, the enable password is blank. To
change the enable password, enter the following command:
hostname(config)# enable password password
The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use
any character in the password except a question mark or a space.
This command changes the password for the highest privilege level. If you configure local command
authorization, you can set enable passwords for each privilege level from 0 to 15.8-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 8 Configuring Basic Settings
Setting the Hostname
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Enter the enable password command without a password to set the password to the
default, which is blank.
Setting the Hostname
When you set a hostname for the security appliance, that name appears in the command line prompt. If
you establish sessions to multiple devices, the hostname helps you keep track of where you enter
commands. The default hostname depends on your platform.
For multiple context mode, the hostname that you set in the system execution space appears in the
command line prompt for all contexts. The hostname that you optionally set within a context does not
appear in the command line, but can be used by the banner command $(hostname) token.
To specify the hostname for the security appliance or for a context, enter the following command:
hostname(config)# hostname name
This name can be up to 63 characters. A hostname must start and end with a letter or digit, and have as
interior characters only letters, digits, or a hyphen.
This name appears in the command line prompt. For example:
hostname(config)# hostname farscape
farscape(config)#
Setting the Domain Name
The security appliance appends the domain name as a suffix to unqualified names. For example, if you
set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,”
then the security appliance qualifies the name to “jupiter.example.com.”
The default domain name is default.domain.invalid.
For multiple context mode, you can set the domain name for each context, as well as within the system
execution space.
To specify the domain name for the security appliance, enter the following command:
hostname(config)# domain-name name
For example, to set the domain as example.com, enter the following command:
hostname(config)# domain-name example.com
Setting the Date and Time
This section describes how to set the date and time, either manually or dynamically using an NTP server.
Time derived from an NTP server overrides any time set manually. This section also describes how to
set the time zone and daylight saving time date range.
Note In multiple context mode, set the time in the system configuration only.8-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 8 Configuring Basic Settings
Setting the Date and Time
This section includes the following topics:
• Setting the Time Zone and Daylight Saving Time Date Range, page 8-3
• Setting the Date and Time Using an NTP Server, page 8-4
• Setting the Date and Time Manually, page 8-5
Setting the Time Zone and Daylight Saving Time Date Range
By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first
Sunday in April to 2:00 a.m. on the last Sunday in October. To change the time zone and daylight saving
time date range, perform the following steps:
Step 1 To set the time zone, enter the following command in global configuration mode:
hostname(config)# clock timezone zone [-]hours [minutes]
Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time.
The [-]hours value sets the number of hours of offset from UTC. For example, PST is -8 hours.
The minutes value sets the number of minutes of offset from UTC.
Step 2 To change the date range for daylight saving time from the default, enter one of the following commands.
The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last
Sunday in October.
• To set the start and end dates for daylight saving time as a specific date in a specific year, enter the
following command:
hostname(config)# clock summer-time zone date {day month | month day} year hh:mm {day
month | month day} year hh:mm [offset]
If you use this command, you need to reset the dates every year.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The day value sets the day of the month, from 1 to 31. You can enter the day and month as April 1
or as 1 April, for example, depending on your standard date format.
The month value sets the month as a string. You can enter the day and month as April 1 or as 1 April,
for example, depending on your standard date format.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
• To specify the start and end dates for daylight saving time, in the form of a day and time of the
month, and not a specific date in a year, enter the following command.
hostname(config)# clock summer-time zone recurring [week weekday month hh:mm week
weekday month hh:mm] [offset]
This command lets you set a recurring date range that you do not need to alter yearly.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The week value specifies the week of the month as an integer between 1 and 4 or as the words first
or last. For example, if the day might fall in the partial fifth week, then specify last.8-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 8 Configuring Basic Settings
Setting the Date and Time
The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on.
The month value sets the month as a string.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:
Step 1 To configure authentication with an NTP server, perform the following steps:
a. To enable authentication, enter the following command:
hostname(config)# ntp authenticate
b. To specify an authentication key ID to be a trusted key, which is required for authentication with an
NTP server, enter the following command:
hostname(config)# ntp trusted-key key_id
Where the key_id is between 1 and 4294967295. You can enter multiple trusted keys for use with
multiple servers.
c. To set a key to authenticate with an NTP server, enter the following command:
hostname(config)# ntp authentication-key key_id md5 key
Where key_id is the ID you set in Step 1b using the ntp trusted-key command, and key is a string
up to 32 characters in length.
Step 2 To identify an NTP server, enter the following command:
hostname(config)# ntp server ip_address [key key_id] [source interface_name] [prefer]
Where the key_id is the ID you set in Step 1b using the ntp trusted-key command.
The source interface_name identifies the outgoing interface for NTP packets if you do not want to use
the default interface in the routing table. Because the system does not include any interfaces in multiple
context mode, specify an interface name defined in the admin context.
The prefer keyword sets this NTP server as the preferred server if multiple servers have similar
accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that
one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use.
However, if a server is significantly more accurate than the preferred one, the security appliance uses the
more accurate one. For example, the security appliance uses a server of stratum 2 over a server of
stratum 3 that is preferred.
You can identify multiple servers; the security appliance uses the most accurate server.
Note SNTP is not supported; only NTP is supported.8-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 8 Configuring Basic Settings
Setting the Management IP Address for a Transparent Firewall
Setting the Date and Time Manually
To set the date time manually, enter the following command:
hostname# clock set hh:mm:ss {month day | day month} year
Where hh:mm:ss sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54
pm.
The day value sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as
1 april, for example, depending on your standard date format.
The month value sets the month. Depending on your standard date format, you can enter the day and
month as april 1 or as 1 april.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The default time zone is UTC. If you change the time zone after you enter the clock set command using
the clock timezone command, the time automatically adjusts to the new time zone.
This command sets the time in the hardware chip, and does not save the time in the configuration file.
This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC
command. To reset the clock, you need to set a new time for the clock set command.
Setting the Management IP Address for a Transparent Firewall
Transparent firewall mode only
A transparent firewall does not participate in IP routing. The only IP configuration required for the
security appliance is to set the management IP address. This address is required because the security
appliance uses this address as the source address for traffic originating on the security appliance, such
as system messages or communications with AAA servers. You can also use this address for remote
management access.
For multiple context mode, set the management IP address within each context.
To set the management IP address, enter the following command:
hostname(config)# ip address ip_address [mask] [standby ip_address]
This address must be on the same subnet as the upstream and downstream routers. You cannot set the
subnet to a host subnet (255.255.255.255). This address must be IPv4; the transparent firewall does not
support IPv6.
The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for more
information.8-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 8 Configuring Basic Settings
Setting the Management IP Address for a Transparent FirewallC H A P T E R
9-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
9
Configuring IP Routing
This chapter describes how to configure IP routing on the security appliance. This chapter includes the
following sections:
• How Routing Behaves Within the ASA Security Appliance, page 9-1
• Configuring Static and Default Routes, page 9-2
• Defining Route Maps, page 9-7
• Configuring OSPF, page 9-8
• Configuring RIP, page 9-20
• The Routing Table, page 9-24
• Dynamic Routing and Failover, page 9-26
How Routing Behaves Within the ASA Security Appliance
The ASA security appliance uses both routing table and XLATE tables for routing decisions. To handle
destination IP translated traffic, that is, untranslated traffic, ASA searches for existing XLATE, or static
translation to select the egress interface. The selection process is as follows:
Egress Interface Selection Process
1. If destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, but not from the routing table.
2. If destination IP translating XLATE does not exist, but a matching static translation exists, then the
egress interface is determined from the static route and an XLATE is created, and the routing table
is not used.
3. If destination IP translating XLATE does not exist and no matching static translation exists, the
packet is not destination IP translated. The security appliance processes this packet by looking up
the route to select egress interface, then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and
then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using existing XLATE or
static translation rules.9-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring Static and Default Routes
Next Hop Selection Process
After selecting egress interface using any method described above, an additional route lookup is
performed to find out suitable next hop(s) that belong to previously selected egress interface. If there are
no routes in routing table that explicitly belong to selected interface, the packet is dropped with level 6
error message 110001 "no route to host", even if there is another route for a given destination network
that belongs to different egress interface. If the route that belongs to selected egress interface is found,
the packet is forwarded to corresponding next hop.
Load sharing on the security appliance is possible only for multiple next-hops available using single
egress interface. Load sharing cannot share multiple egress interfaces.
If dynamic routing is in use on security appliance and route table changes after XLATE creation, for
example route flap, then destination translated traffic is still forwarded using old XLATE, not via route
table, until XLATE times out. It may be either forwarded to wrong interface or dropped with message
110001 "no route to host" if old route was removed from the old interface and attached to another one
by routing process.
The same problem may happen when there is no route flaps on the security appliance itself, but some
routing process is flapping around it, sending source translated packets that belong to the same flow
through the security appliance using different interfaces. Destination translated return packets may be
forwarded back using the wrong egress interface.
This issue has a high probability in same security traffic configuration, where virtually any traffic may
be either source-translated or destination-translated, depending on direction of initial packet in the flow.
When this issue occurs after a route flap, it can be resolved manually by using the clear xlate
command, or automatically resolved by an XLATE timeout. XLATE timeout may be decreased if
necessary. To ensure that this rarely happens, make sure that there is no route flaps on security appliance
and around it. That is, ensure that destination translated packets that belong to the same flow are always
forwarded the same way through the security appliance.
Configuring Static and Default Routes
This section describes how to configure static and default routes on the security appliance.
Multiple context mode does not support dynamic routing, so you must use static routes for any networks
to which the security appliance is not directly connected; for example, when there is a router between a
network and the security appliance.
You might want to use static routes in single context mode in the following cases:
• Your networks use a different router discovery protocol from RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
The simplest option is to configure a default route to send all traffic to an upstream router, relying on the
router to route the traffic for you. However, in some cases the default gateway might not be able to reach
the destination network, so you must also configure more specific static routes. For example, if the
default gateway is outside, then the default route cannot direct traffic to any inside networks that are not
directly connected to the security appliance.
In transparent firewall mode, for traffic that originates on the security appliance and is destined for a
non-directly connected network, you need to configure either a default route or static routes so the
security appliance knows out of which interface to send traffic. Traffic that originates on the security 9-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring Static and Default Routes
appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server.
If you have servers that cannot all be reached through a single default route, then you must configure
static routes.
The security appliance supports up to three equal cost routes on the same interface for load balancing.
This section includes the following topics:
• Configuring a Static Route, page 9-3
• Configuring a Default Route, page 9-4
• Configuring Static Route Tracking, page 9-5
For information about configuring IPv6 static and default routes, see the “Configuring IPv6 Default and
Static Routes” section on page 12-5.
Configuring a Static Route
To add a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [distance]
The dest_ip and mask is the IP address for the destination network and the gateway_ip is the address of
the next-hop router.The addresses you specify for the static route are the addresses that are in the packet
before entering the security appliance and performing NAT.
The distance is the administrative distance for the route. The default is 1 if you do not specify a value.
Administrative distance is a parameter used to compare routes among different routing protocols. The
default administrative distance for static routes is 1, giving it precedence over routes discovered by
dynamic routing protocols but not directly connect routes. The default administrative distance for routes
discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the
static routes take precedence. Connected routes always take precedence over static or dynamically
discovered routes.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the
specified gateway becomes unavailable, you need to remove the static route from the routing table
manually. However, static routes are removed from the routing table if the specified interface goes down.
They are reinstated when the interface comes back up.
Note If you create a static route with an administrative distance greater than the administrative distance of the
routing protocol running on the security appliance, then a route to the specified destination discovered
by the routing protocol takes precedence over the static route. The static route is used only if the
dynamically discovered route is removed from the routing table.
The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router
(10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
You can define up to three equal cost routes to the same destination per interface. ECMP is not supported
across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes;
traffic is distributed among the specified gateways based on an algorithm that hashes the source and
destination IP addresses.
The following example shows static routes that are equal cost routes that direct traffic to three different
gateways on the outside interface. The security appliance distributes the traffic among the specified
gateways.9-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring Static and Default Routes
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
Configuring a Default Route
A default route identifies the gateway IP address to which the security appliance sends all IP packets for
which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as
the destination IP address. Routes that identify a specific destination take precedence over the default
route.
Note In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces
that have different metrics, the connection to the ASA firewall that is made from the higher metric
interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.
PIX software Version 6.3 supports connections from both the the higher and the lower metric interfaces.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default
route with a different interface than a previously defined default route, you receive the message
“ERROR: Cannot add route entry, possible conflict with existing routes.”
You can define a separate default route for tunneled traffic along with the standard default route. When
you create a default route with the tunneled option, all traffic from a tunnel terminating on the security
appliance that cannot be routed using learned or static routes, is sent to this route. For traffic emerging
from a tunnel, this route overrides over any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
• Do not enable unicast RPF (ip verify reverse-path) on the egress interface of tunneled route.
Enabling uRPF on the egress interface of a tunneled route causes the session to fail.
• Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the
session to fail.
• Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the
DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection
engines ignore the tunneled route.
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is
not supported.
To define the default route, enter the following command:
hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]
Tip You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example:
hostname(config)# route outside 0 0 192.168.1 19-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring Static and Default Routes
The following example shows a security appliance configured with three equal cost default routes and a
default route for tunneled traffic. Unencrypted traffic received by the security appliance for which there
is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1,
192.168.2.2, 192.168.2.3. Encrypted traffic receive by the security appliance for which there is no static
or learned route is passed to the gateway with the IP address 192.168.2.4.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
hostname(config)# route outside 0 0 192.168.2.4 tunneled
Configuring Static Route Tracking
One of the problems with static routes is that there is no inherent mechanism for determining if the route
is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static
routes are only removed from the routing table if the associated interface on the security appliance goes
down.
The static route tracking feature provides a method for tracking the availability of a static route and
installing a backup route if the primary route should fail. This allows you to, for example, define a
default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP
becomes unavailable.
The security appliance does this by associating a static route with a monitoring target that you define. It
monitors the target using ICMP echo requests. If an echo reply is not received within a specified time
period, the object is considered down and the associated route is removed from the routing table. A
previously configured backup route is used in place of the removed route.
When selecting a monitoring target, you need to make sure it can respond to ICMP echo requests. The
target can be any network object that you choose, but you should consider using:
• the ISP gateway (for dual ISP support) address
• the next hop gateway address (if you are concerned about the availability of the gateway)
• a server on the target network, such as a AAA server, that the security appliance needs to
communicate with
• a persistent network object on the destination network (a desktop or notebook computer that may be
shut down at night is not a good choice)
You can configure static route tracking for statically defined routes or default routes obtained through
DHCP or PPPoE. You can only enable PPPoE clients on multiple interface with route tracking.
To configure static route tracking, perform the following steps:
Step 1 Configure the tracked object monitoring parameters:
a. Define the monitoring process:
hostname(config)# sla monitor sla_id
If you are configuring a new monitoring process, you are taken to SLA monitor configuration mode.
If you are changing the monitoring parameters for an unscheduled monitoring process that already
has a type defined, you are taken directly to the SLA protocol configuration mode.
b. Specify the monitoring protocol. If you are changing the monitoring parameters for an unscheduled
monitoring process that already has a type defined, you are taken directly to SLA protocol
configuration mode and cannot change this setting.9-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring Static and Default Routes
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface
if_name
The target_ip is the IP address of the network object whose availability the tracking process
monitors. While this object is available, the tracking process route is installed in the routing table.
When this object becomes unavailable, the tracking process removed the route and the backup route
is used in its place.
c. Schedule the monitoring process:
hostname(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time
{hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout
seconds] [recurring]
Typically, you will use sla monitor schedule sla_id life forever start-time now for the monitoring
schedule, and allow the monitoring configuration determine how often the testing occurs. However,
you can schedule this monitoring process to begin in the future and to only occur at specified times.
Step 2 Associate a tracked static route with the SLA monitoring process by entering the following command:
hostname(config)# track track_id rtr sla_id reachability
The track_id is a tracking number you assign with this command. The sla_id is the ID number of the
SLA process you defined in Step 1.
Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one
of the following options:
• To track a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance] track
track_id
You cannot use the tunneled option with the route command with static route tracking.
• To track a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# ip addresss dhcp setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address dhcp command to obtain the
default route using DHCP.
• To track a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# ip addresss pppoe setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address pppoe command to obtain the
default route using PPPoE.
Step 4 Define the backup route to use when the tracked object is unavailable using one of the following options.
The administrative distance of the backup route must be greater than the administrative distance of the
tracked route. If it is not, the backup route will be installed in the routing table instead of the tracked
route.9-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Defining Route Maps
• To use a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance]
The static route must have the same destination and mask as the tracked route. If you are tracking a
default route obtained through DHCP or PPPoE, then the address and mask would be 0.0.0.0 0.0.0.0.
• To use a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# dhcp client route distance admin_distance
hostname(config-if)# ip addresss dhcp setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address dhcp command to obtain the default route
using DHCP. Make sure the administrative distance is greater than the administrative distance of the
tracked route.
• To use a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# pppoe client route distance admin_distance
hostname(config-if)# ip addresss pppoe setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address pppoe command to obtain the default route
using PPPoE. Make sure the administrative distance is greater than the administrative distance of
the tracked route.
Defining Route Maps
Route maps are used when redistributing routes into an OSPF or RIP routing process. They are also used
when generating a default route into an OSPF routing process. A route map defines which of the routes
from the specified routing protocol are allowed to be redistributed into the target routing process.
To define a route map, perform the following steps:
Step 1 To create a route map entry, enter the following command:
hostname(config)# route-map name {permit | deny} [sequence_number]
Route map entries are read in order. You can identify the order using the sequence_number option, or
the security appliance uses the order in which you add the entries.
Step 2 Enter one or more match commands:
• To match any routes that have a destination network that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes that have a specified metric, enter the following command:
hostname(config-route-map)# match metric metric_value9-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
The metric_value can be from 0 to 4294967295.
• To match any routes that have a next hop router address that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes with the specified next hop interface, enter the following command:
hostname(config-route-map)# match interface if_name
If you specify more than one interface, then the route can match either interface.
• To match any routes that have been advertised by routers that match a standard ACL, enter the
following command:
hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match the route type, enter the following command:
hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}
Step 3 Enter one or more set commands.
If a route matches the match commands, then the following set commands determine the action to
perform on the route before redistributing it.
• To set the metric, enter the following command:
hostname(config-route-map)# set metric metric_value
The metric_value can be a value between 0 and 294967295
• To set the metric type, enter the following command:
hostname(config-route-map)# set metric-type {type-1 | type-2}
The following example shows how to redistribute routes with a hop count equal to 1 into OSPF. The
security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
Configuring OSPF
This section describes how to configure OSPF. This section includes the following topics:
• OSPF Overview, page 9-9
• Enabling OSPF, page 9-10
• Redistributing Routes Into OSPF, page 9-10
• Configuring OSPF Interface Parameters, page 9-11
• Configuring OSPF Area Parameters, page 9-139-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
• Configuring OSPF NSSA, page 9-14
• Defining Static OSPF Neighbors, page 9-16
• Configuring Route Summarization Between OSPF Areas, page 9-15
• Configuring Route Summarization When Redistributing Routes into OSPF, page 9-16
• Generating a Default Route, page 9-17
• Configuring Route Calculation Timers, page 9-17
• Logging Neighbors Going Up or Down, page 9-18
• Displaying OSPF Update Packet Pacing, page 9-19
• Monitoring OSPF, page 9-19
• Restarting the OSPF Process, page 9-20
OSPF Overview
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each
router in an OSPF area contains an identical link-state database, which is a list of each of the router
usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state
database is updated instantly rather than gradually as stale information is timed out.
• Routing decisions are based on cost, which is an indication of the overhead required to send packets
across a certain interface. The security appliance calculates the cost of an interface based on link
bandwidth rather than the number of hops to the destination. The cost can be configured to specify
preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
The security appliance can run two processes of OSPF protocol simultaneously, on different sets of
interfaces. You might want to run two processes if you have interfaces that use the same IP addresses
(NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might
want to run one process on the inside, and another on the outside, and redistribute a subset of routes
between the two processes. Similarly, you might need to segregate private addresses from public
addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP
routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The security appliance supports the following OSPF features:
• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link.
• OSPF LSA flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support for configuring the security appliance as a designated router or a designated backup router.
The security appliance also can be set up as an ABR; however, the ability to configure the security
appliance as an ASBR is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby-areas.9-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
Enabling OSPF
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses
associated with the routing process, then assign area IDs associated with that range of IP addresses.
To enable OSPF, perform the following steps:
Step 1 To create an OSPF routing process, enter the following command:
hostname(config)# router ospf process_id
This command enters the router configuration mode for this OSPF process.
The process_id is an internally used identifier for this routing process. It can be any positive integer. This
ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum
of two processes.
Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the
following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
Redistributing Routes Into OSPF
The security appliance can control the redistribution of routes between OSPF routing processes. The
security appliance matches and changes routes according to settings in the redistribute command or by
using a route map. See also the “Generating a Default Route” section on page 9-17 for another use for
route maps.
To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:
Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are
redistributed in to the OSPF routing process. See the “Defining Route Maps” section on page 9-7.
Step 2 If you have not already done so, enter the router configuration mode for the OSPF process you want to
redistribute into by entering the following command:
hostname(config)# router ospf process_id
Step 3 To specify the routes you want to redistribute, enter the following command:
hostname(config-router)# redistribute {ospf process_id
[match {internal | external 1 | external 2}] | static | connected | rip}
[metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map
map_name]9-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute
routes.
You can either use the options in this command to match and set route properties, or you can use a route
map. The tag and subnets options do not have equivalents in the route-map command. If you use both
a route map and options in the redistribute command, then they must match.
The following example shows route redistribution from OSPF process 1 into OSPF process 2 by
matching routes with a metric equal to 1. The security appliance redistributes these routes as external
LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2
The following example shows the specified OSPF process routes being redistributed into OSPF
process 109. The OSPF metric is remapped to 100.
hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets
The following example shows route redistribution where the link-state cost is specified as 5 and the
metric type is set to external, indicating that it has lower priority than internal metrics.
hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type external
Configuring OSPF Interface Parameters
You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any
of these parameters, but the following interface parameters must be consistent across all routers in an
attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if
you configure any of these parameters, the configurations for all routers on your network have
compatible values.
To configure OSPF interface parameters, perform the following steps:
Step 1 To enter the interface configuration mode, enter the following command:
hostname(config)# interface interface_name
Step 2 Enter any of the following commands:
• To specify the authentication type for an interface, enter the following command:
hostname(config-interface)# ospf authentication [message-digest | null]
• To assign a password to be used by neighboring OSPF routers on a network segment that is using
the OSPF simple password authentication, enter the following command:
hostname(config-interface)# ospf authentication-key key
The key can be any continuous string of characters up to 8 bytes in length.9-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
The password created by this command is used as a key that is inserted directly into the OSPF header
when the security appliance software originates routing protocol packets. A separate password can
be assigned to each network on a per-interface basis. All neighboring routers on the same network
must have the same password to be able to exchange OSPF information.
• To explicitly specify the cost of sending a packet on an OSPF interface, enter the following
command:
hostname(config-interface)# ospf cost cost
The cost is an integer from 1 to 65535.
• To set the number of seconds that a device must wait before it declares a neighbor OSPF router down
because it has not received a hello packet, enter the following command:
hostname(config-interface)# ospf dead-interval seconds
The value must be the same for all nodes on the network.
• To specify the length of time between the hello packets that the security appliance sends on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf hello-interval seconds
The value must be the same for all nodes on the network.
• To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
– key—Alphanumeric password of up to 16 bytes.
Usually, one key per interface is used to generate authentication information when sending packets
and to authenticate incoming packets. The same key identifier on the neighbor router must have the
same key value.
We recommend that you not keep more than one key per interface. Every time you add a new key,
you should remove the old key to prevent the local system from continuing to communicate with a
hostile system that knows the old key. Removing the old key also reduces overhead during rollover.
• To set the priority to help determine the OSPF designated router for a network, enter the following
command:
hostname(config-interface)# ospf priority number_value
The number_value is between 0 to 255.
• To specify the number of seconds between LSA retransmissions for adjacencies belonging to an
OSPF interface, enter the following command:
hostname(config-interface)# ospf retransmit-interval seconds
The seconds must be greater than the expected round-trip delay between any two routers on the
attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.
• To set the estimated number of seconds required to send a link-state update packet on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf transmit-delay seconds9-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
The seconds is from 1 to 65535 seconds. The default is 1 second.
The following example shows how to configure the OSPF interfaces:
hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Configuring OSPF Area Parameters
You can configure several area parameters. These area parameters (shown in the following task table)
include setting authentication, defining stub areas, and assigning specific costs to the default summary
route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default
external route generated by the ABR, into the stub area for destinations outside the autonomous system.
To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further
reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the
area stub command on the ABR to prevent it from sending summary link advertisement (LSA type 3)
into the stub area.
To specify area parameters for your network, perform the following steps:9-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To enable authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication
• To enable MD5 authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication message-digest
• To define an area to be a stub area, enter the following command:
hostname(config-router)# area area-id stub [no-summary]
• To assign a specific cost to the default summary route used for the stub area, enter the following
command:
hostname(config-router)# area area-id default-cost cost
The cost is an integer from 1 to 65535. The default is 1.
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20
Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5
external LSAs from the core into the area, but it can import autonomous system external routes in a
limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These
type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole
routing domain. Summarization and filtering are supported during the translation.
You can simplify administration if you are an ISP or a network administrator that must connect a central
site using OSPF to a remote site that is using a different routing protocol using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the
remote router could not be run as an OSPF stub area because routes for the remote site could not be
redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol
such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover
the remote connection by defining the area between the corporate router and the remote router as an
NSSA.9-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
To specify area parameters for your network as needed to configure OSPF NSSA, perform the following
steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To define an NSSA area, enter the following command:
hostname(config-router)# area area-id nssa [no-redistribution]
[default-information-originate]
• To summarize groups of addresses, enter the following command:
hostname(config-router)# summary address ip_address mask [not-advertise] [tag tag]
This command helps reduce the size of the routing table. Using this command for OSPF causes an
OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are
covered by the address.
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
In the following example, the summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0,
10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:
hostname(config-router)# summary-address 10.1.1.0 255.255.0.0
Before you use this feature, consider these guidelines:
– You can set a type 7 default route that can be used to reach external destinations. When
configured, the router generates a type 7 default into the NSSA or the NSSA area boundary
router.
– Every router within the same area must agree that the area is NSSA; otherwise, the routers will
not be able to communicate.
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary
route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router
advertises networks in one area into another area. If the network numbers in an area are assigned in a
way such that they are contiguous, you can configure the area boundary router to advertise a summary
route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id9-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
Step 2 To set the address range, enter the following command:
hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]
The following example shows how to configure route summarization between OSPF areas:
hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0
Configuring Route Summarization When Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in
an external LSA. However, you can configure the security appliance to advertise a single route for all
the redistributed routes that are covered by a specified network address and mask. This configuration
decreases the size of the OSPF link-state database.
To configure the software advertisement on one summary route for all redistributed routes covered by a
network address and mask, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
The following example shows how to configure route summarization. The summary address 10.1.0.0
includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an
external link-state advertisement:
hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
Defining Static OSPF Neighbors
You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast
network. This lets you broadcast OSPF advertisements across an existing VPN connection without
having to encapsulate the advertisements in a GRE tunnel.
To define a static OSPF neighbor, perform the following tasks:
Step 1 Create a static route to the OSPF neighbor. See the “Configuring Static and Default Routes” section on
page 9-2 for more information about creating static routes.9-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
Step 2 Define the OSPF neighbor by performing the following tasks:
a. Enter router configuration mode for the OSPF process. Enter the following command:
hostname(config)# router ospf pid
b. Define the OSPF neighbor by entering the following command:
hostname(config-router)# neighbor addr [interface if_name]
The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to
communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the
directly-connected interfaces, you must specify the interface.
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing
domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the
router automatically becomes an autonomous system boundary router. However, an autonomous system
boundary router does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To force the autonomous system boundary router to generate a default route, enter the following
command:
hostname(config-router)# default-information originate [always] [metric metric-value]
[metric-type {1 | 2}] [route-map map-name]
The following example shows how to generate a default route:
hostname(config)# router ospf 2
hostname(config-router)# default-information originate always
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an
SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id9-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
Step 2 To configure the route calculation time, enter the following command:
hostname(config-router)# timers spf spf-delay spf-holdtime
The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when
it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value
of 0 means that there is no delay; that is, the SPF calculation is started immediately.
The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be
an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay;
that is, two SPF calculations can be done, one immediately after the other.
The following example shows how to configure route calculation timers:
hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120
Logging Neighbors Going Up or Down
By default, the system sends a system message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning
on the debug ospf adjacency command. The log-adj-changes router configuration command provides
a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you
want to see messages for each state change.
To log neighbors going up or down, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To configure logging for neighbors going up or down, enter the following command:
hostname(config-router)# log-adj-changes [detail]
Note Logging must be enabled for the the neighbor up/down messages to be sent.
The following example shows how to log neighbors up/down messages:
hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail9-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring OSPF
Displaying OSPF Update Packet Pacing
OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart.
Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could
not receive the updates quickly enough, or the router could run out of buffer space. For example, without
pacing packets might be dropped if either of the following topologies exist:
• A fast router is connected to a slower router over a point-to-point link.
• During flooding, several neighbors send updates to a single router at the same time.
Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also
can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update
and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically.
To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified
interface, enter the following command:
hostname# show ospf flood-list if_name
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You
can use the information provided to determine resource utilization and solve network problems. You can
also display information about node reachability and discover the routing path that your device packets
are taking through the network.
To display various OSPF routing statistics, perform one of the following tasks, as needed:
• To display general information about OSPF routing processes, enter the following command:
hostname# show ospf [process-id [area-id]]
• To display the internal OSPF routing table entries to the ABR and ASBR, enter the following
command:
hostname# show ospf border-routers
• To display lists of information related to the OSPF database for a specific router, enter the following
command:
hostname# show ospf [process-id [area-id]] database
• To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing),
enter the following command:
hostname# show ospf flood-list if-name
• To display OSPF-related interface information, enter the following command:
hostname# show ospf interface [if_name]
• To display OSPF neighbor information on a per-interface basis, enter the following command:
hostname# show ospf neighbor [interface-name] [neighbor-id] [detail]
• To display a list of all LSAs requested by a router, enter the following command:
hostname# show ospf request-list neighbor if_name9-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring RIP
• To display a list of all LSAs waiting to be resent, enter the following command:
hostname# show ospf retransmission-list neighbor if_name
• To display a list of all summary address redistribution information configured under an OSPF
process, enter the following command:
hostname# show ospf [process-id] summary-address
• To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
Restarting the OSPF Process
To restart an OSPF process, clear redistribution, or counters, enter the following command:
hostname(config)# clear ospf pid {process | redistribution | counters
[neighbor [neighbor-interface] [neighbor-id]]}
Configuring RIP
Devices that support RIP send routing-update messages at regular intervals and when the network
topology changes. These RIP packets contain information about the networks that the devices can reach,
as well as the number of routers or gateways that a packet must travel through to reach the destination
address. RIP generates more traffic than OSPF, but is easier to configure.
RIP has advantages over static routes because the initial configuration is simple, and you do not need to
update the configuration when the topology changes. The disadvantage to RIP is that there is more
network and processing overhead than static routing.
The security appliance supports RIP Version 1 and RIP Version 2.
This section describes how to configure RIP. This section includes the following topics:
• Enabling and Configuring RIP, page 9-20
• Redistributing Routes into the RIP Routing Process, page 9-22
• Configuring RIP Send/Receive Version on an Interface, page 9-22
• Enabling RIP Authentication, page 9-23
• Monitoring RIP, page 9-23
Enabling and Configuring RIP
You can only enable one RIP routing process on the security appliance. After you enable the RIP routing
process, you must define the interfaces that will participate in that routing process using the network
command. By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and
Version 2 updates.9-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring RIP
To enable and configure the RIP routing process, perform the following steps:
Step 1 Start the RIP routing process by entering the following command in global configuration mode:
hostname(config): router rip
You enter router configuration mode for the RIP routing process.
Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for
each interface that will participate in the RIP routing process:
hostname(config-router): network network_address
If an interface belongs to a network defined by this command, the interface will participate in the RIP
routing process. If an interface does not belong to a network defined by this command, it will not send
or receive RIP updates.
Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:
hostname(config-router): version [1 | 2]
You can override this setting on a per-interface basis.
Step 4 (Optional) To generate a default route into RIP, enter the following command:
hostname(config-router): default-information originate
Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:
hostname(config-router): passive-interface [default | if_name]
Using the default keyword causes all interfaces to operate in passive mode. Specifying an interface name
sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by but
not sent out of the specified interface. You can enter this command for each interface you want to set to
passive mode.
Step 6 (Optional) Disable automatic route summarization by entering the following command:
hostname(config-router): no auto-summarize
RIP Version 1 always uses automatic route summarization; you cannot disable it for RIP Version 1. RIP
Version 2 uses route summarization by default; you can disable it using this command.
Step 7 (Optional) To filter the networks received in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to allow in the
routing table and denying the networks you want the RIP process to discard.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates received by that interface.
hostname(config-router): distribute-list acl in [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Step 8 (Optional) To filter the networks sent in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to advertise and
denying the networks you do not want the RIP process to advertise.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates sent by that interface.
hostname(config-router): distribute-list acl out [interface if_name]9-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring RIP
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Redistributing Routes into the RIP Routing Process
You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing
process.
To redistribute a routes into the RIP routing process, perform the following steps:
Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are
redistributed in to the RIP routing process. See the “Defining Route Maps” section on page 9-7 for more
information about creating a route map.
Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.
• To redistribute connected routes into the RIP routing process, enter the following command:
hostname(config-router): redistribute connected [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute static routes into the RIP routing process, enter the following command:
hostname(config-router): redistribute static [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute routes from an OSPF routing process into the RIP routing process, enter the
following command:
hostname(config-router): redistribute ospf pid [match {internal | external [1 | 2] |
nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]
Configuring RIP Send/Receive Version on an Interface
You can override the globally-set version of RIP the security appliance uses to send and receive RIP
updates on a per-interface basis.
To configure the RIP send and receive
Step 1 (Optional) To specify the version of RIP advertisements sent from an interface, perform the following
steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to use when sending RIP updates out of the interface by entering the
following command:
hostname(config-if)# rip send version {[1] [2]}9-23
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Configuring RIP
Step 2 (Optional) To specify the version of RIP advertisements permitted to be received by an interface,
perform the following steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to allow when receiving RIP updates on the interface by entering the
following command:
hostname(config-if)# rip receive version {[1] [2]}
RIP updates received on the interface that do not match the allowed version are dropped.
Enabling RIP Authentication
The security appliance supports RIP message authentication for RIP Version 2 messages.
To enable RIP message authentication, perform the following steps:
Step 1 Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
Step 2 (Optional) Set the authentication mode by entering the following command. By default, text
authentication is used. MD5 authentication is recommended.
hostname(config-if)# rip authentication mode {text | md5}
Step 3 Enable authentication and configure the authentication key by entering the following command:
hostname(config-if)# rip authentication key key key_id key-id
Monitoring RIP
To display various RIP routing statistics, perform one of the following tasks, as needed:
• To display the contents of the RIP routing database, enter the following command:
hostname# show rip database
• To display the RIP commands in the running configuration, enter the following command:
hostname# show running-config router rip
Use the following debug commands only to troubleshoot specific problems or during troubleshooting
sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render
the system unusable. It is best to use debug commands during periods of lower network traffic and fewer
users. Debugging during these periods decreases the likelihood that increased debug command
processing overhead will affect system performance.
• To display RIP processing events, enter the following command:
hostname# debug rip events9-24
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
The Routing Table
• To display RIP database events, enter the following command:
hostname# debug rip database
The Routing Table
This section contains the following topics:
• Displaying the Routing Table, page 9-24
• How the Routing Table is Populated, page 9-24
• How Forwarding Decisions are Made, page 9-26
Displaying the Routing Table
To view the entries in the routing table, enter the following command:
hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.86.194.1 to network 0.0.0.0
S 10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
C 10.86.194.0 255.255.254.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.86.194.1, outside
On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal
loopback interface, which is used by the VPN Hardware Client feature for individual user authentication.
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
How the Routing Table is Populated
The security appliance routing table can be populated by statically defined routes, directly connected
routes, and routes discovered by the RIP and OSPF routing protocols. Because the security appliance
can run multiple routing protocols in addition to having static and connected routed in the routing table,
it is possible that the same route is discovered or entered in more than one manner. When two routes to
the same destination are put into the routing table, the one that remains in the routing table is determined
as follows:
• If the two routes have different network prefix lengths (network masks), then both routes are
considered unique and are entered in to the routing table. The packet forwarding logic then
determines which of the two to use.
For example, if the RIP and OSPF processes discovered the following routes:
– RIP: 192.168.32.0/249-25
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
The Routing Table
– OSPF: 192.168.32.0/19
Even though OSPF routes have the better administrative distance, both routes are installed in the
routing table because each of these routes has a different prefix length (subnet mask). They are
considered different destinations and the packet forwarding logic determine which route to use.
• If the security appliance learns about multiple paths to the same destination from a single routing
protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is
entered into the routing table.
Metrics are values associated with specific routes, ranking them from most preferred to least
preferred. The parameters used to determine the metrics differ for different routing protocols. The
path with the lowest metric is selected as the optimal path and installed in the routing table. If there
are multiple paths to the same destination with equal metrics, load balancing is done on these equal
cost paths.
• If the security appliance learns about a destination from more than one routing protocol, the
administrative distances of the routes are compared and the routes with lower administrative
distance is entered into the routing table.
Administrative distance is a route parameter that security appliance uses to select the best path when
there are two or more different routes to the same destination from two different routing protocols.
Because the routing protocols have metrics based on algorithms that are different from the other
protocols, it is not always possible to determine the “best path” for two routes to the same destination
that were generated by different routing protocols.
Each routing protocol is prioritized using an administrative distance value. Table 9-1 shows the default
administrative distance values for the routing protocols supported by the security appliance.
The smaller the administrative distance value, the more preference is given to the protocol. For example,
if the security appliance receives a route to a certain network from both an OSPF routing process (default
administrative distance - 110) and a RIP routing process (default administrative distance - 100), the
security appliance chooses the OSPF route because OSPF has a higher preference. This means the router
adds the OSPF version of the route to the routing table.
In the above example, if the source of the OSPF-derived route was lost (for example, due to a power
shutdown), the security appliance would then use the RIP-derived route until the OSPF-derived route
reappears.
The administrative distance is a local setting. For example, if you use the distance-ospf command to
change the administrative distance of routes obtained through OSPF, that change would only affect the
routing table for the security appliance the command was entered on. The administrative distance is not
advertised in routing updates.
Administrative distance does not affect the routing process. The OSPF and RIP routing processes only
advertise the routes that have been discovered by the routing process or redistributed into the routing
process. For example, the RIP routing process advertises RIP routes, even if routes discovered by the
OSPF routing process are used in the security appliance routing table.
Table 9-1 Default Administrative Distance for Supported Routing Protocols
Route Source Default Administrative Distance
Connected interface 0
Static route 1
OSPF 110
RIP 1209-26
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 9 Configuring IP Routing
Dynamic Routing and Failover
Backup Routes
A backup route is registered when the initial attempt to install the route in the routing table fails because
another route was installed instead. If the route that was installed in the routing table fails, the routing
table maintenance process calls each routing protocol process that has registered a backup route and
requests them to reinstall the route in the routing table. If there are multiple protocols with registered
backup routes for the failed route, the preferred route is chosen based on administrative distance.
Because of this process, you can create “floating” static routes that are installed in the routing table when
the route discovered by a dynamic routing protocol fails. A floating static route is simply a static route
configured with a greater administrative distance than the dynamic routing protocols running on the
security appliance. When the corresponding route discover by a dynamic routing process fails, the static
route is installed in the routing table.
How Forwarding Decisions are Made
Forwarding decisions are made as follows:
• If the destination does not match an entry in the routing table, the packet is forwarded through the
interface specified for the default route. If a default route has not been configured, the packet is
discarded.
• If the destination matches a single entry in the routing table, the packet is forwarded through the
interface associated with that route.
• If the destination matches more than one entry in the routing table, and the entries all have the same
network prefix length, the packets for that destination are distributed among the interfaces
associated with that route.
• If the destination matches more than one entry in the routing table, and the entries have different
network prefix lengths, then the packet is forwarded out of the interface associated with the route
that has the longer network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface of a security appliance with the
following routes in the routing table:
hostname# show route
....
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/19 [110/229840] via 10.1.1.3
....
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls
within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but the
192.168.32.0/24 has the longest prefix within the routing table (24 bits verses 19 bits). Longer prefixes
are always preferred over shorter ones when forwarding a packet.
Dynamic Routing and Failover
Dynamic routes are not replicated to the standby unit or failover group in a failover configuration.
Therefore, immediately after a failover occurs, some packets received by the security appliance may be
dropped because of a lack of routing information or routed to a default static route while the routing table
is repopulated by the configured dynamic routing protocols.C H A P T E R
10-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
10
Configuring DHCP, DDNS, and WCCP Services
This chapter describes how to configure the DHCP server, dynamic DNS (DDNS) update methods, and
WCCP on the security appliance. DHCP provides network configuration parameters, such as IP
addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services
to DHCP clients attached to security appliance interfaces. The DHCP server provides network
configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one
interface to an external DHCP server located behind a different interface.
DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and
automates IP address allocation; DDNS update automatically records the association between assigned
addresses and hostnames at pre-defined intervals. DDNS allows frequently changing address-hostname
associations to be updated frequently. Mobile hosts, for example, can then move freely on a network
without user or administrator intervention. DDNS provides the necessary dynamic updating and
synchronizing of the name to address and address to name mappings on the DNS server.
WCCP specifies interactions between one or more routers, Layer 3 switches, or security appliances and
one or more web caches. The feature transparently redirects selected types of traffic to a group of web
cache engines to optimize resource usage and lower response times.
This chapter includes the following sections:
• Configuring a DHCP Server, page 10-1
• Configuring DHCP Relay Services, page 10-5
• Configuring Dynamic DNS, page 10-6
• Configuring Web Cache Services Using WCCP, page 10-9
Configuring a DHCP Server
This section describes how to configure DHCP server provided by the security appliance. This section
includes the following topics:
• Enabling the DHCP Server, page 10-2
• Configuring DHCP Options, page 10-3
• Using Cisco IP Phones with a DHCP Server, page 10-410-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring a DHCP Server
Enabling the DHCP Server
The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to
hosts including the host IP address, the default gateway, and a DNS server.
Note The security appliance DHCP server does not support BOOTP requests.
In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used
by more than one context.
You can configure a DHCP server on each interface of the security appliance. Each interface can have
its own pool of addresses to draw from. However the other DHCP settings, such as DNS servers, domain
name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server
on all interfaces.
You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is
enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is
enabled.
To enable the DHCP server on a given security appliance interface, perform the following steps:
Step 1 Create a DHCP address pool. Enter the following command to define the address pool:
hostname(config)# dhcpd address ip_address-ip_address interface_name
The security appliance assigns a client one of the addresses from this pool to use for a given length of time.
These addresses are the local, untranslated addresses for the directly connected network.
The address pool must be on the same subnet as the security appliance interface.
Step 2 (Optional) To specify the IP address(es) of the DNS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd dns dns1 [dns2]
You can specify up to two DNS servers.
Step 3 (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd wins wins1 [wins2]
You can specify up to two WINS servers.
Step 4 (Optional) To change the lease length to be granted to the client, enter the following command:
hostname(config)# dhcpd lease lease_length
This lease equals the amount of time (in seconds) the client can use its allocated IP address before the
lease expires. Enter a value between 300 to 1,048,575. The default value is 3600 seconds.
Step 5 (Optional) To configure the domain name the client uses, enter the following command:
hostname(config)# dhcpd domain domain_name
Step 6 (Optional) To configure the DHCP ping timeout value, enter the following command:
hostname(config)# dhcpd ping_timeout milliseconds
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before
assigning that address to a DHCP client. This command specifies the timeout value for those packets.10-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring a DHCP Server
Step 7 (Transparent Firewall Mode) Define a default gateway. To define the default gateway that is sent to
DHCP clients, enter the following command.
hostname(config)# dhcpd option 3 ip gateway_ip
If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of
the management interface. The management interface does not route traffic.
Step 8 To enable the DHCP daemon within the security appliance to listen for DHCP client requests on the
enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name
For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter
the following commands:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside
Configuring DHCP Options
You can configure the security appliance to send information for the DHCP options listed in RFC 2132.
The DHCP options fall into one of three categories:
• Options that return an IP address.
• Options that return a text string.
• Options that return a hexadecimal value.
The security appliance supports all three categories of DHCP options. To configure a DHCP option, do
one of the following:
• To configure a DHCP option that returns one or two IP addresses, enter the following command:
hostname(config)# dhcpd option code ip addr_1 [addr_2]
• To configure a DHCP option that returns a text string, enter the following command:
hostname(config)# dhcpd option code ascii text
• To configure a DHCP option that returns a hexadecimal value, enter the following command:
hostname(config)# dhcpd option code hex value
Note The security appliance does not verify that the option type and value that you provide match the expected
type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option
46 ascii hello command and the security appliance accepts the configuration although option 46 is
defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the
option codes and their associated types and expected values, refer to RFC 2132.
Table 10-1 shows the DHCP options that are not supported by the dhcpd option command.10-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring a DHCP Server
Specific options, DHCP option 3, 66, and 150, are used to configure Cisco IP Phones. See the “Using
Cisco IP Phones with a DHCP Server” section on page 10-4 topic for more information about
configuring those options.
Using Cisco IP Phones with a DHCP Server
Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution
typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch
offices. This implementation allows centralized call processing, reduces the equipment required, and
eliminates the administration of additional Cisco CallManager and other servers at branch offices.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it
does not have both the IP address and TFTP server IP address preconfigured, it sends a request with
option 150 or 66 to the DHCP server to obtain this information.
• DHCP option 150 provides the IP addresses of a list of TFTP servers.
• DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security
appliance DHCP server provides values for both options in the response if they are configured on the
security appliance.
You can configure the security appliance to send information for most options listed in RFC 2132. The
following example shows the syntax for any option number, as well as the syntax for commonly-used
options 66, 150, and 3:
• To provide information for DHCP requests that include an option number as specified in RFC-2132,
enter the following command:
Table 10-1 Unsupported DHCP Options
Option Code Description
0 DHCPOPT_PAD
1 HCPOPT_SUBNET_MASK
12 DHCPOPT_HOST_NAME
50 DHCPOPT_REQUESTED_ADDRESS
51 DHCPOPT_LEASE_TIME
52 DHCPOPT_OPTION_OVERLOAD
53 DHCPOPT_MESSAGE_TYPE
54 DHCPOPT_SERVER_IDENTIFIER
58 DHCPOPT_RENEWAL_TIME
59 DHCPOPT_REBINDING_TIME
61 DHCPOPT_CLIENT_IDENTIFIER
67 DHCPOPT_BOOT_FILE_NAME
82 DHCPOPT_RELAY_INFORMATION
255 DHCPOPT_END10-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring DHCP Relay Services
hostname(config)# dhcpd option number value
• To provide the IP address or name of a TFTP server for option 66, enter the following command:
hostname(config)# dhcpd option 66 ascii server_name
• To provide the IP address or names of one or two TFTP servers for option 150, enter the following
command:
hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]
The server_ip1 is the IP address or name of the primary TFTP server while server_ip2 is the
IP address or name of the secondary TFTP server. A maximum of two TFTP servers can be
identified using option 150.
• To set the default route, enter the following command:
hostname(config)# dhcpd option 3 ip router_ip1
Configuring DHCP Relay Services
A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router
connected to a different interface.
The following restrictions apply to the use of the DHCP relay agent:
• The relay agent cannot be enabled if the DHCP server feature is also enabled.
• Clients must be directly connected to the security appliance and cannot send requests through
another relay agent or a router.
• For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than
one context.
Note DHCP Relay services are not available in transparent firewall mode. A security appliance in transparent
firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP
requests and replies through the security appliance in transparent mode, you need to configure two
access lists, one that allows DCHP requests from the inside interface to the outside, and one that allows
the replies from the server in the other direction.
Note When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance
forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded
to the client until the client DHCP relay binding is removed. The binding is removed when the security
appliance receives any of the following DHCP messages: ACK, NACK, or decline.
To enable DHCP relay, perform the following steps:
Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following
command:
hostname(config)# dhcprelay server ip_address if_name
You can use this command up to 4 times to identify up to 4 servers.
Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command:10-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Dynamic DNS
hostname(config)# dhcprelay enable interface
Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following
command:
hostname(config)# dhcprelay timeout seconds
Step 4 (Optional) To change the first default router address in the packet sent from the DHCP server to the
address of the security appliance interface, enter the following command:
hostname(config)# dhcprelay setroute interface_name
This action allows the client to set its default route to point to the security appliance even if the DHCP
server specifies a different router.
If there is no default router option in the packet, the security appliance adds one containing the interface
address.
The following example enables the security appliance to forward DHCP requests from clients connected
to the inside interface to a DHCP server on the outside interface:
hostname(config)# dhcprelay server 201.168.200.4
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay setroute inside
Configuring Dynamic DNS
This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS
update integrates DNS with DHCP. The two protocols are complementary—DHCP centralizes and
automates IP address allocation, while dynamic DNS update automatically records the association
between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this
configures a host automatically for network access whenever it attaches to the IP network. You can locate
and reach the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move
freely without user or administrator intervention.
DDNS provides address and domain name mappings so hosts can find each other even though their
DHCP-assigned IP addresses change frequently. The DDNS name and address mappings are held on the
DHCP server in two resource records: the A RR contains the name to IP address mapping while the PTR
RR maps addresses to names. Of the two methods for performing DDNS updates—the IETF standard
defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in
this release.
The two most common DDNS update configurations are:
• The DHCP client updates the A RR while the DHCP server updates PTR RR.
• The DHCP server updates both the A and PTR RRs.
In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured
to perform all desired DNS updates. The server may be configured to honor these updates or not. To
update the PTR RR, the DHCP server must know the Fully Qualified Domain Name of the client. The
client provides an FQDN to the server using a DHCP option called Client FQDN.
The following examples present these common scenarios:
• Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-710-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Dynamic DNS
• Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request;
FQDN Provided Through Configuration, page 10-7
• Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server
Overrides Client and Updates Both RRs., page 10-8
• Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR
Only; Honors Client Request and Updates Both A and PTR RR, page 10-8
• Example 5: Client Updates A RR; Server Updates PTR RR, page 10-9
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
The following example configures the client to request that it update both A and PTR resource records
for static IP addresses. To configure this example, perform the following steps:
Step 1 To define a DDNS update method called ddns-2 that requests that the client update both the A and PTR
RRs, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To associate the method ddns-2 with the eth1 interface, enter the following commands:
hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com
Step 3 To configure a static IP address for eth1, enter the following commands:
hostname(config-if)# ip address 10.0.0.40 255.255.255.0
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client
Update Request; FQDN Provided Through Configuration
The following example configures 1) the DHCP client to request that it update both the A and PTR RRs,
and 2) the DHCP server to honor the requests. To configure this example, perform the following steps:
Step 1 To configure the DHCP client to request that the DHCP server perform no updates, enter the following
command:
hostname(config)# dhcp-client update dns server none
Step 2 To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform
both A and PTR updates, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 3 To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable
DHCP on the interface, enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
hostname(if-config)# ip address dhcp10-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Dynamic DNS
Step 4 To configure the DHCP server, enter the following command:
hostname(if-config)# dhcpd update dns
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either
RR; Server Overrides Client and Updates Both RRs.
The following example configures the DHCP client to include the FQDN option instructing the DHCP
server not to update either the A or PTR updates. The example also configures the server to override the
client request. As a result, the client backs off without performing any updates.
To configure this scenario, perform the following steps:
Step 1 To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter
the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To assign the DDNS update method named ddns-2 on interface Ethernet0 and provide the client
hostname (asa), enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
Step 3 To enable the DHCP client feature on the interface, enter the following commands:
hostname(if-config)# dhcp client update dns server none
hostname(if-config)# ip address dhcp
Step 4 To configure the DHCP server to override the client update requests, enter the following command:
hostname(if-config)# dhcpd update dns both override
Example 4: Client Asks Server To Perform Both Updates; Server Configured to
Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
The following example configures the server to perform only PTR RR updates by default. However, the
server honors the client request that it perform both A and PTR updates. The server also forms the FQDN
by appending the domain name (example.com) to the hostname provided by the client (asa).
To configure this scenario, perform the following steps:
Step 1 To configure the DHCP client on interface Ethernet0, enter the following commands:
hostname(config)# interface Ethernet0
hostname(config-if)# dhcp client update dns both
hostname(config-if)# ddns update hostname asa
Step 2 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns10-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Web Cache Services Using WCCP
hostname(config-if)# dhcpd domain example.com
Example 5: Client Updates A RR; Server Updates PTR RR
The following example configures the client to update the A resource record and the server to update the
PTR records. Also, the client uses the domain name from the DHCP server to form the FQDN.
To configure this scenario, perform the following steps:
Step 1 To define the DDNS update method named ddns-2, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns
Step 2 To configure the DHCP client for interface Ethernet0 and assign the update method to the interface, enter
the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa
Step 3 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Configuring Web Cache Services Using WCCP
The purpose of web caching is to reduce latency and network traffic. Previously-accessed web pages are
stored in a cache buffer, so if a user needs the page again, they can retrieve it from the cache instead of
the web server.
WCCP specifies interactions between the security appliance and external web caches. The feature
transparently redirects selected types of traffic to a group of web cache engines to optimize resource
usage and lower response times. The security appliance only supports WCCP version 2.
Using a security appliance as an intermediary eliminates the need for a separate router to do the WCCP
redirect because the security appliance takes care of redirecting requests to cache engines. When the
security appliance knows when a packet needs redirection, it skips TCP state tracking, TCP sequence
number randomization, and NAT on these traffic flows.
This section includes the following topics:
• WCCP Feature Support, page 10-9
• WCCP Interaction With Other Features, page 10-10
• Enabling WCCP Redirection, page 10-10
WCCP Feature Support
The following WCCPv2 features are supported with the security appliance:10-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Web Cache Services Using WCCP
• Redirection of multiple TCP/UDP port-destined traffic.
• Authentication for cache engines in a service group.
The following WCCPv2 features are not supported with the security appliance:
• Multiple routers in a service group is not supported. Multiple Cache Engines in a service group is
still supported.
• Multicast WCCP is not supported.
• The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
• WCCP source address spoofing.
WCCP Interaction With Other Features
In the security appliance implementation of WCCP, the following applies as to how the protocol interacts
with other configurable features:
• An ingress access list entry always takes higher priority over WCCP. For example, if an access list
does not permit a client to communicate with a server then traffic will not be redirected to a cache
engine. Both ingress interface access lists and egress interface access lists will be applied.
• TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a
redirected flow of traffic.
• When a cache engine cannot service a request and packet is returned, or when a cache miss happens
on a cache engine and it requests data from a web server, then the contents of the traffic flow will
be subject to all the other configured features of the security appliance.
• In failover, WCCP redirect tables are not replicated to standby units. After a failover, packets will
not be redirected until the tables are rebuilt. Sessions redirected prior to failover will likely be reset
by the web server.
Enabling WCCP Redirection
There are two steps to configuring WCCP redirection on the security appliance. The first involves
identifying the service to be redirected with the wccp command, and the second is defining on which
interface the redirection occurs with the wccp redirect command. The wccp command can optionally
also define which cache engines can participate in the service group, and what traffic should be
redirected to the cache engine.
WCCP redirect is supported only on the ingress of an interface. The only topology that the security
appliance supports is when client and cache engine are behind the same interface of the security
appliance and the cache engine can directly communicate with the client without going through the
security appliance.
The following configuration tasks assume you have already installed and configured the cache engines
you wish to include in your network.
To configure WCCP redirection, perform the following steps:
Step 1 To enable a WCCP service group, enter the following command:
hostname(config)# wccp {web-cache | service_number} [redirect-list access_list]
[group-list access_list] [password password]10-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Web Cache Services Using WCCP
The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic
to the cache engines, but you can identify a service number if desired between 0 and 254. For example,
to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this
command multiple times for each service group you want to enable.
The redirect-list access_list argument controls traffic redirected to this service group.
The group-list access_list argument determines which web cache IP addresses are allowed to participate
in the service group.
The password password argument specifies MD5 authentication for messages received from the service
group. Messages that are not accepted by the authentication are discarded.
Step 2 To enable WCCP redirection on an interface, enter the following command:
hostname(config)# wccp interface interface_name {web-cache | service_number} redirect in
The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic
to the cache engines, but you can identify a service number if desired between 0 and 254. For example,
to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this
command multiple times for each service group you want to participate in.
For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside
interface to a web cache, enter the following commands:
hostname(config)# wccp web-cache
hostname(config)# wccp interface inside web-cache redirect in10-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
Configuring Web Cache Services Using WCCPC H A P T E R
11-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
11
Configuring Multicast Routing
This chapter describes how to configure multicast routing. This section includes the following topics:
• Multicast Routing Overview, page 11-13
• Enabling Multicast Routing, page 11-14
• Configuring IGMP Features, page 11-14
• Configuring Stub Multicast Routing, page 11-17
• Configuring a Static Multicast Route, page 11-17
• Configuring PIM Features, page 11-18
• For More Information about Multicast Routing, page 11-22
Multicast Routing Overview
The security appliance supports both stub multicast routing and PIM multicast routing. However, you
cannot configure both concurrently on a single security appliance.
Stub multicast routing provides dynamic host registration and facilitates multicast routing. When
configured for stub multicast routing, the security appliance acts as an IGMP proxy agent. Instead of
fully participating in multicast routing, the security appliance forwards IGMP messages to an upstream
multicast router, which sets up delivery of the multicast data. When configured for stub multicast
routing, the security appliance cannot be configured for PIM.
The security appliance supports both PIM-SM and bi-directional PIM. PIM-SM is a multicast routing
protocol that uses the underlying unicast routing information base or a separate multicast-capable
routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point per
multicast group and optionally creates shortest-path trees per multicast source.
Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast
sources and receivers. Bi-directional trees are built using a DF election process operating on each link
of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific
state. The DF election takes place during Rendezvous Point discovery and provides a default route to the
Rendezvous Point.
Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as
the RP address.11-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Enabling Multicast Routing
Enabling Multicast Routing
Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast
routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the
following command:
hostname(config)# multicast-routing
The number of entries in the multicast routing tables are limited by the amount of RAM on the system.
Table 11-1 lists the maximum number of entries for specific multicast tables based on the amount of
RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Configuring IGMP Features
IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses
group addresses (Class D IP address) as group identifiers. Host group address can be in the range
224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address
224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a
subnet.
When you enable multicast routing on the security appliance, IGMP Version 2 is automatically enabled
on all interfaces.
Note Only the no igmp command appears in the interface configuration when you use the show run
command. If the multicast-routing command appears in the device configuration, then IGMP is
automatically enabled on all interfaces.
This section describes how to configure optional IGMP setting on a per-interface basis. This section
includes the following topics:
• Disabling IGMP on an Interface, page 11-15
• Configuring Group Membership, page 11-15
• Configuring a Statically Joined Group, page 11-15
• Controlling Access to Multicast Groups, page 11-15
• Limiting the Number of IGMP States on an Interface, page 11-16
• Modifying the Query Interval and Query Timeout, page 11-16
• Changing the Query Response Time, page 11-17
• Changing the IGMP Version, page 11-17
Table 11-1 Entry Limits for Multicast Tables
Table 16 MB 128 MB 128+ MB
MFIB 1000 3000 5000
IGMP Groups 1000 3000 5000
PIM Routes 3000 7000 1200011-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring IGMP Features
Disabling IGMP on an Interface
You can disable IGMP on specific interfaces. This is useful if you know that you do not have any
multicast hosts on a specific interface and you want to prevent the security appliance from sending host
query messages on that interface.
To disable IGMP on an interface, enter the following command:
hostname(config-if)# no igmp
To reenable IGMP on an interface, enter the following command:
hostname(config-if)# igmp
Note Only the no igmp command appears in the interface configuration.
Configuring Group Membership
You can configure the security appliance to be a member of a multicast group. Configuring the security
appliance to join a multicast group causes upstream routers to maintain multicast routing table
information for that group and keep the paths for that group active.
To have the security appliance join a multicast group, enter the following command:
hostname(config-if)# igmp join-group group-address
Configuring a Statically Joined Group
Sometimes a group member cannot report its membership in the group, or there may be no members of
a group on the network segment, but you still want multicast traffic for that group to be sent to that
network segment. You can have multicast traffic for that group sent to the segment in one of two ways:
• Using the igmp join-group command (see Configuring Group Membership, page 11-15). This
causes the security appliance to accept and to forward the multicast packets.
• Using the igmp static-group command. The security appliance does not accept the multicast
packets but rather forwards them to the specified interface.
To configure a statically joined multicast group on an interface, enter the following command:
hostname(config-if)# igmp static-group group-address
Controlling Access to Multicast Groups
To control the multicast groups that hosts on the security appliance interface can join, perform the
following steps:
Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list.
You can use extended or standard access lists.
• To create a standard access list, enter the following command:11-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring IGMP Features
hostname(config)# access-list name standard [permit | deny] ip_addr mask
The ip_addr argument is the IP address of the multicast group being permitted or denied.
• To create an extended access list, enter the following command:
hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr
src_mask dst_ip_addr dst_mask
The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Step 2 Apply the access list to an interface by entering the following command:
hostname(config-if)# igmp access-group acl
The acl argument is the name of a standard or extended IP access list.
Limiting the Number of IGMP States on an Interface
You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface
basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic
for the excess membership reports is not forwarded.
To limit the number of IGMP states on an interface, enter the following command:
hostname(config-if)# igmp limit number
Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents
learned groups from being added, but manually defined memberships (using the igmp join-group and
igmp static-group commands) are still permitted. The no form of this command restores the default
value.
Modifying the Query Interval and Query Timeout
The security appliance sends query messages to discover which multicast groups have members on the
networks attached to the interfaces. Members respond with IGMP report messages indicating that they
want to receive multicast packets for specific groups. Query messages are addressed to the all-systems
multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.
These messages are sent periodically to refresh the membership information stored on the security
appliance. If the security appliance discovers that there are no local members of a multicast group still
attached to an interface, it stops forwarding multicast packet for that group to the attached network and
it sends a prune message back to the source of the packets.
By default, the PIM designated router on the subnet is responsible for sending the query messages. By
default, they are sent once every 125 seconds. To change this interval, enter the following command:
hostname(config-if)# igmp query-interval seconds
If the security appliance does not hear a query message on an interface for the specified timeout value
(by default, 255 seconds), then the security appliance becomes the designated router and starts sending
the query messages. To change this timeout value, enter the following command:
hostname(config-if)# igmp query-timeout seconds11-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring Stub Multicast Routing
Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.
Changing the Query Response Time
By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security
appliance does not receive a response to a host query within this amount of time, it deletes the group.
To change the maximum query response time, enter the following command:
hostname(config-if)# igmp query-max-response-time seconds
Changing the IGMP Version
By default, the security appliance runs IGMP Version 2, which enables several additional features such
as the igmp query-timeout and igmp query-interval commands.
All multicast routers on a subnet must support the same version of IGMP. The security appliance does
not automatically detect version 1 routers and switch to version 1. However, a mix of IGMP Version 1
and 2 hosts on the subnet works; the security appliance running IGMP Version 2 works correctly when
IGMP Version 1 hosts are present.
To control which version of IGMP is running on an interface, enter the following command:
hostname(config-if)# igmp version {1 | 2}
Configuring Stub Multicast Routing
A security appliance acting as the gateway to the stub area does not need to participate in PIM. Instead,
you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected
on one interface to an upstream multicast router on another. To configure the security appliance as an
IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream
interface.
To forward the host join and leave messages, enter the following command from the interface attached
to the stub area:
hostname(config-if)# igmp forward interface if_name
Note Stub Multicast Routing and PIM are not supported concurrently.
Configuring a Static Multicast Route
When using PIM, the security appliance expects to receive packets on the same interface where it sends
unicast packets back to the source. In some cases, such as bypassing a route that does not support
multicast routing, you may want unicast packets to take one path and multicast packets to take another.
Static multicast routes are not advertised or redistributed.11-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring PIM Features
To configure a static multicast route for PIM, enter the following command:
hostname(config)# mroute src_ip src_mask {input_if_name | rpf_addr) [distance]
To configure a static multicast route for a stub area, enter the following command:
hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]
Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing.
Configuring PIM Features
Routers use PIM to maintain forwarding tables for forwarding multicast diagrams. When you enable
multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces.
Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols
that use ports.
This section describes how to configure optional PIM settings. This section includes the following
topics:
• Disabling PIM on an Interface, page 11-18
• Configuring a Static Rendezvous Point Address, page 11-19
• Configuring the Designated Router Priority, page 11-19
• Filtering PIM Register Messages, page 11-19
• Configuring PIM Message Intervals, page 11-20
• Configuring a Multicast Boundary, page 11-20
• Filtering PIM Neighbors, page 11-20
• Supporting Mixed Bidirectional/Sparse-Mode PIM Networks, page 11-21
Disabling PIM on an Interface
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following
command:
hostname(config-if)# no pim
To reenable PIM on an interface, enter the following command:
hostname(config-if)# pim
Note Only the no pim command appears in the interface configuration.11-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring PIM Features
Configuring a Static Rendezvous Point Address
All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP
address. The address is statically configured using the pim rp-address command.
Note The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address
command to specify the RP address.
You can configure the security appliance to serve as RP to more than one group. The group range
specified in the access list determines the PIM RP group mapping. If an access list is not specified, then
the RP for the group is applied to the entire multicast group range (224.0.0.0/4).
To configure the address of the PIM PR, enter the following command:
hostname(config)# pim rp-address ip_address [acl] [bidir]
The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the
name or number of a standard access list that defines which multicast groups the RP should be used with.
Do not use a host ACL with this command. Excluding the bidir keyword causes the groups to operate
in PIM sparse mode.
Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the
actual bidir configuration.
Configuring the Designated Router Priority
The DR is responsible for sending PIM register, join, and prune messaged to the RP. When there is more
than one multicast router on a network segment, there is an election process to select the DR based on
DR priority. If multiple devices have the same DR priority, then the device with the highest IP address
becomes the DR.
By default, the security appliance has a DR priority of 1. You can change this value by entering the
following command:
hostname(config-if)# pim dr-priority num
The num argument can be any number from 1 to 4294967294.
Filtering PIM Register Messages
You can configure the security appliance to filter PIM register messages. To filter PIM register messages,
enter the following command:
hostname(config)# pim accept-register {list acl | route-map map-name}11-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring PIM Features
Configuring PIM Message Intervals
Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router
query messages. By default, router query messages are sent every 30 seconds. You can change this value
by entering the following command:
hostname(config-if)# pim hello-interval seconds
Valid values for the seconds argument range from 1 to 3600 seconds.
Every 60 seconds, the security appliance sends PIM join/prune messages. To change this value, enter the
following command:
hostname(config-if)# pim join-prune-interval seconds
Valid values for the seconds argument range from 10 to 600 seconds.
Configuring a Multicast Boundary
Address scoping defines domain boundaries so that domains with RPs that have the same IP address do
not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the
boundaries between the domain and the Internet.
You can set up an administratively scoped boundary on an interface for multicast group addresses using
the multicast boundary command. IANA has designated the multicast address range 239.0.0.0 to
239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in
domains administered by different organizations. They would be considered local, not globally unique.
To configure a multicast boundary, enter the following command:
hostname(config-if)# multicast boundary acl [filter-autorp]
A standard ACL defines the range of addresses affected. When a boundary is set up, no multicast data
packets are allowed to flow across the boundary from either direction. The boundary allows the same
multicast group address to be reused in different administrative domains.
You can configure the filter-autorp keyword to examine and filter Auto-RP discovery and
announcement messages at the administratively scoped boundary. Any Auto-RP group range
announcements from the Auto-RP packets that are denied by the boundary access control list (ACL) are
removed. An Auto-RP group range announcement is permitted and passed by the boundary only if all
addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not
permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP
message is forwarded.
Filtering PIM Neighbors
You can define the routers that can become PIM neighbors with the pim neighbor-filter command. By
filtering the routers that can become PIM neighbors, you can:
• Prevent unauthorized routers from becoming PIM neighbors.
• Prevent attached stub routers from participating in PIM.
To define the neighbors that can become a PIM neighbor, perform the following steps:11-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
Configuring PIM Features
Step 1 Use the access-list command to define a standard access list defines the routers you want to participate
in PIM.
For example the following access list, when used with the pim neighbor-filter command, prevents the
10.1.1.1 router from becoming a PIM neighbor:
hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255
Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers.
For example, the following commands prevent the 10.1.1.1 router from becoming a PIM neighbor on
interface GigabitEthernet0/3:
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim neighbor-filter pim_nbr
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks
Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers
in a segment must be bidirectionally enabled in order for bidir to elect a DF.
The pim bidir-neighbor-filter command enables the transition from a sparse-mode-only network to a
bidir network by letting you specify the routers that should participate in DF election while still allowing
all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from
among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the
non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir
subset cloud.
When the pim bidir-neighbor-filter command is enabled, the routers that are permitted by the ACL are
considered to be bidir-capable. Therefore:
• If a permitted neighbor does not support bidir, the DF election does not occur.
• If a denied neighbor supports bidir, then DF election does not occur.
• If a denied neighbor des not support bidir, the DF election occurs.
To control which neighbors can participate in the DF election, perform the following steps:
Step 1 Use the access-list command to define a standard access list that permits the routers you want to
participate in the DF election and denies all others.
For example, the following access list permits the routers at 10.1.1.1 and 10.2.2.2 to participate in the
DF election and denies all others:
hostname(config)# access-list pim_bidir permit 10.1.1.1 255.255.255.255
hostname(config)# access-list pim_bidir permit 10.1.1.2 255.255.255.255
hostname(config)# access-list pim_bidir deny any
Step 2 Enable the pim bidir-neighbor-filter command on an interface.
The following example applies the access list created previous step to the interface GigabitEthernet0/3.
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter pim_bidir11-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 11 Configuring Multicast Routing
For More Information about Multicast Routing
For More Information about Multicast Routing
The following RFCs from the IETF provide technical details about the IGMP and multicast routing
standards used for implementing the SMR feature:
• RFC 2236 IGMPv2
• RFC 2362 PIM-SM
• RFC 2588 IP Multicast and Firewalls
• RFC 2113 IP Router Alert Option
• IETF draft-ietf-idmr-igmp-proxy-01.txtC H A P T E R
12-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
12
Configuring IPv6
This chapter describes how to enable and configure IPv6 on the security appliance. IPv6 is available in
Routed firewall mode only.
This chapter includes the following sections:
• IPv6-enabled Commands, page 12-1
• Configuring IPv6, page 12-2
• Verifying the IPv6 Configuration, page 12-11
For an sample IPv6 configuration, see Appendix B, “Sample Configurations.”
IPv6-enabled Commands
The following security appliance commands can accept and display IPv6 addresses:
• capture
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
• ssh
• telnet
• tftp-server
• who
• write12-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Note Failover does not support IPv6. The ipv6 address command does not support setting standby addresses
for failover configurations. The failover interface ip command does not support using IPv6 addresses
on the failover and Stateful Failover interfaces.
When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using
standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The security appliance correctly
recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square
brackets ([ ]) in the following situations:
• You need to specify a port number with the address, for example
[fe80::2e0:b6ff:fe01:3b7a]:8080.
• The command uses a colon as a separator, such as the write net and config net commands, for
example configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/pixconfig.
The following commands were modified to work for IPv6:
• debug
• fragment
• ip verify
• mtu
• icmp (entered as ipv6 icmp)
The following inspection engines support IPv6:
• FTP
• HTTP
• ICMP
• SMTP
• TCP
• UDP
Configuring IPv6
This section contains the following topics:
• Configuring IPv6 on an Interface, page 12-3
• Configuring a Dual IP Stack on an Interface, page 12-4
• Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses, page 12-4
• Configuring IPv6 Duplicate Address Detection, page 12-4
• Configuring IPv6 Default and Static Routes, page 12-5
• Configuring IPv6 Access Lists, page 12-6
• Configuring IPv6 Neighbor Discovery, page 12-7
• Configuring a Static IPv6 Neighbor, page 12-1112-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Configuring IPv6 on an Interface
At a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you
can add a site-local and global address to the interface.
Note The security appliance does not support IPv6 anycast addresses.
You can configure both IPv6 and IPv4 addresses on an interface.
To configure IPv6 on an interface, perform the following steps:
Step 1 Enter interface configuration mode for the interface on which you are configuring the IPv6 addresses:
hostname(config)# interface if
Step 2 Configure an IPv6 address on the interface. You can assign several IPv6 addresses to an interface, such
as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a
link-local address.
There are several methods for configuring IPv6 addresses. Pick the method that suits your needs from
the following:
• The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless
autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router
Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is
automatically generated for the interface when stateless autoconfiguration is enabled. To enable
stateless autoconfiguration, enter the following command:
hostname(config-if)# ipv6 address autoconfig
• If you only need to configure a link-local address on the interface and are not going to assign any
other IPv6 addresses to the interface, you have the option of manually defining the link-local address
or generating one based on the interface MAC address (Modified EUI-64 format):
– Enter the following command to manually specify the link-local address:
hostname(config-if)# ipv6 address ipv6-address link-local
– Enter the following command to enable IPv6 on the interface and automatically generate the
link-local address using the Modified EUI-64 interface ID based on the interface MAC address:
hostname(config-if)# ipv6 enable
Note You do not need to use the ipv6 enable command if you enter any other ipv6 address
commands on an interface; IPv6 support is automatically enabled as soon as you assign an
IPv6 address to the interface.
• Assign a site-local or global address to the interface. When you assign a site-local or global address,
a link-local address is automatically created. Enter the following command to add a global or
site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64
interface ID in the low order 64 bits of the address.
hostname(config-if)# ipv6 address ipv6-address [eui-64]12-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Step 3 (Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement
messages are automatically sent in response to router solicitation messages. You may want to disable
these messages on any interface for which you do not want the security appliance to supply the IPv6
prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
hostname(config-if)# ipv6 nd suppress-ra
Configuring a Dual IP Stack on an Interface
The security appliance supports the configuration of both IPv6 and IPv4 on an interface. You do not need
to enter any special commands to do so; simply enter the IPv4 configuration commands and IPv6
configuration commands as you normally would. Make sure you configure a default route for both IPv4
and IPv6.
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement
for hosts attached to the local link.
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link,
enter the following command:
hostname(config)# ipv6 enforce-eui64 if_name
The if_name argument is the name of the interface, as specified by the namif command, on which you
are enabling the address format enforcement.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
Configuring IPv6 Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of
new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in
a tentative state while duplicate address detection is performed). Duplicate address detection is
performed first on the new link-local address. When the link local address is verified as unique, then
duplicate address detection is performed all the other IPv6 unicast addresses on the interface. 12-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Duplicate address detection is suspended on interfaces that are administratively down. While an
interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a
pending state. An interface returning to an administratively up state restarts duplicate address detection
for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface. If the duplicate address is a global address, the address is not used. However,
all configuration commands associated with the duplicate address remain as configured while the state
of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 address associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The security appliance uses neighbor solicitation messages to perform duplicate address detection. By
default, the number of times an interface performs duplicate address detection is 1.
To change the number of duplicate address detection attempts, enter the following command:
hostname(config-if)# ipv6 nd dad attempts value
The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate
address detection on the interface.
When you configure an interface to send out more than one duplicate address detection attempt, you can
also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation
messages are sent out. By default, they are sent out once every 1000 milliseconds.
To change the neighbor solicitation message interval, enter the following command:
hostname(config-if)# ipv6 nd ns-interval value
The value argument can be from 1000 to 3600000 milliseconds.
Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just
those used for duplicate address detection.
Configuring IPv6 Default and Static Routes
The security appliance automatically routes IPv6 traffic between directly connected hosts if the
interfaces to which the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic.
The security appliance does not support dynamic routing protocols. Therefore, to route IPv6 traffic to a
non-connected host or network, you need to define a static route to the host or network or, at a minimum,
a default route. Without a static or default route defined, traffic to non-connected hosts or networks
generate the following error message:
%PIX|ASA-6-110001: No route to dest_address from source_address
You can add a default route and static routes using the ipv6 route command.
To configure an IPv6 default route and static routes, perform the following steps:12-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Step 1 To add the default route, use the following command:
hostname(config)# ipv6 route if_name ::/0 next_hop_ipv6_addr
The address ::/0 is the IPv6 equivalent of “any.”
Step 2 (Optional) Define IPv6 static routes. Use the following command to add an IPv6 static route to the IPv6
routing table:
hostname(config)# ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]
Note The ipv6 route command works like the route command used to define IPv4 static routes.
Configuring IPv6 Access Lists
Configuring an IPv6 access list is similar configuring an IPv4 access, but with IPv6 addresses.
To configure an IPv6 access list, perform the following steps:
Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for
the access list. There are two main forms of this command to choose from, one for creating access list
entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
• To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
destination [icmp_type]
• To create an IPv6 access list entry, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
[src_port] destination [dst_port]
The following describes the arguments for the ipv6 access-list command:
• id—The name of the access list. Use the same id in each command when you are entering multiple
entries for an access list.
• line num—When adding an entry to an access list, you can specify the line number in the list where
the entry should appear.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
• protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip,
tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object
group using object-group grp_id.
• source and destination—Specifies the source or destination of the traffic. The source or destination
can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any,
to specify any address, or a specific host designated by host host_ipv6_addr. 12-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
• src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt
for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive
range) followed by a space and a port number (or two port numbers separated by a space for the
range keyword).
• icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a
valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in Appendix D,
“Addresses, Protocols, and Ports”. Alternatively, you can specify an ICMP object group using
object-group id.
Step 2 To apply the access list to an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface if_name
Configuring IPv6 Neighbor Discovery
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to
determine the link-layer address of a neighbor on the same network (local link), verify the reachability
of a neighbor, and keep track of neighboring routers.
This section contains the following topics:
• Configuring Neighbor Solicitation Messages, page 12-7
• Configuring Router Advertisement Messages, page 12-9
• Multicast Listener Discovery Support, page 12-11
Configuring Neighbor Solicitation Messages
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to
discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is
sent to the solicited-node multicast address.The source address in the neighbor solicitation message is
the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation
message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICPMv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the
destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data
portion of the neighbor advertisement message includes the link-layer address of the node sending the
neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node can
communicate. Figure 12-1 shows the neighbor solicitation and response process.12-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Figure 12-1 IPv6 Neighbor Discovery—Neighbor Solicitation Message
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. When a node wants to verifying the reachability of a neighbor, the
destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node
on a local link. When there is such a change, the destination address for the neighbor advertisement is
the all-nodes multicast address.
You can configure the neighbor solicitation message interval and neighbor reachable time on a
per-interface basis. See the following topics for more information:
• Configuring the Neighbor Solicitation Message Interval, page 12-8
• Configuring the Neighbor Reachable Time, page 12-8
Configuring the Neighbor Solicitation Message Interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the
following command:
hostname(config-if)# ipv6 nd ns-interval value
Valid values for the value argument range from 1000 to 3600000 milliseconds. The default value is 1000
milliseconds.
This setting is also sent in router advertisement messages.
Configuring the Neighbor Reachable Time
The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable
detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network
bandwidth and processing resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability
confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
132958
A and B can now exchange
packets on this link
ICMPv6 Type = 135
Src = A
Dst = solicited-node multicast of B
Data = link-layer address of A
Query = what is your link address?
ICMPv6 Type = 136
Src = B
Dst = A
Data = link-layer address of B12-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
Valid values for the value argument range from 0 to 3600000 milliseconds. The default is 0.
This information is also sent in router advertisement messages.
When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices
to set and track the reachable time value. To see the time used by the security appliance when this value
is set to 0, use the show ipv6 interface command to display information about the IPv6 interface,
including the ND reachable time being used.
Configuring Router Advertisement Messages
Router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured
interface of security appliance. The router advertisement messages are sent to the all-nodes multicast
address.
Figure 12-2 IPv6 Neighbor Discovery—Router Advertisement Message
Router advertisement messages typically include the following information:
• One or more IPv6 prefix that nodes on the local link can use to automatically configure their IPv6
addresses.
• Lifetime information for each prefix included in the advertisement.
• Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.
• Default router information (whether the router sending the advertisement should be used as a default
router and, if so, the amount of time (in seconds) the router should be used as a default router).
• Additional information for hosts, such as the hop limit and MTU a host should use in packets that it
originates.
• The amount of time between neighbor solicitation message retransmissions on a given link.
• The amount of time a node considers a neighbor reachable.
Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133).
Router solicitation messages are sent by hosts at system startup so that the host can immediately
autoconfigure without needing to wait for the next scheduled router advertisement message. Because
router solicitation messages are usually sent by hosts at system startup, and the host does not have a
configured unicast address, the source address in router solicitation messages is usually the unspecified
IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the
interface sending the router solicitation message is used as the source address in the message. The
destination address in router solicitation messages is the all-routers multicast address with a scope of the
link. When a router advertisement is sent in response to a router solicitation, the destination address in
the router advertisement message is the unicast address of the source of the router solicitation message.
132917
Router advertisement packet definitions:
ICMPv6 Type = 134
Src = router link-local address
Dst = all-nodes multicast address
Data = options, prefix, lifetime, autoconfig flag
Router
advertisement
Router
advertisement12-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Configuring IPv6
You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
• The router lifetime value, which indicates the amount of time IPv6 nodes should consider security
appliance to be the default router.
• The IPv6 network prefixes in use on the link.
• Whether or not an interface transmits router advertisement messages.
Unless otherwise noted, the router advertisement message settings are specific to an interface and are
entered in interface configuration mode. See the following topics for information about changing these
settings:
• Configuring the Router Advertisement Transmission Interval, page 12-10
• Configuring the Router Lifetime Value, page 12-10
• Configuring the IPv6 Prefix, page 12-10
• Suppressing Router Advertisement Messages, page 12-11
Configuring the Router Advertisement Transmission Interval
By default, router advertisements are sent out every 200 seconds. To change the interval between router
advertisement transmissions on an interface, enter the following command:
ipv6 nd ra-interval [msec] value
Valid values range from 3 to 1800 seconds (or 500 to 1800000 milliseconds if the msec keyword is used).
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime
if security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To
prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20
percent of the desired value.
Configuring the Router Lifetime Value
The router lifetime value specifies how long nodes on the local link should consider security appliance
as the default router on the link.
To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following
command:
hostname(config-if)# ipv6 nd ra-lifetime seconds
Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that
security appliance should not be considered a default router on the selected interface.
Configuring the IPv6 Prefix
Stateless autoconfiguration uses IPv6 prefixes provided in router advertisement messages to create the
global unicast address from the link-local address.
To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following
command:
hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement
messages must always be 64 bits. 12-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Verifying the IPv6 Configuration
Suppressing Router Advertisement Messages
By default, Router Advertisement messages are automatically sent in response to router solicitation
messages. You may want to disable these messages on any interface for which you do not want security
appliance to supply the IPv6 prefix (for example, the outside interface).
To suppress IPv6 router advertisement transmissions on an interface, enter the following command:
hostname(config-if)# ipv6 nd suppress-ra
Entering this command causes the security appliance to appear as a regular IPv6 neighbor on the link
and not as an IPv6 router.
Multicast Listener Discovery Support
Multicast Listener Discovery Protocol (MLD) Version 2 is supported to discover the presence of
multicast address listeners on their directly attached links, and to discover specifically which multicast
addresses are of interest to those neighboring nodes. ASA becomes a multicast address listener, or a
host, but not a multicast router, and responds to Multicast Listener Queries and sends Multicast Listener Reports only.
The following commands were added or enhanced to support MLD:
• clear ipv6 mld traffic Command
• show ipv6 mld Command
Configuring a Static IPv6 Neighbor
You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address
already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery
process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor
discovery cache are not modified by the neighbor discovery process.
To configure a static entry in the IPv6 neighbor discovery cache, enter the following command:
hostname(config-if)# ipv6 neighbor ipv6_address if_name mac_address
The ipv6_address argument is the link-local IPv6 address of the neighbor, the if_name argument is the
interface through which the neighbor is available, and the mac_address argument is the MAC address of
the neighbor interface.
Note The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery
cache; it only clears the dynamic entries.
Verifying the IPv6 Configuration
This section describes how to verify your IPv6 configuration. You can use various clear, and show
commands to verify your IPv6 settings.
This section includes the following topics:
• The show ipv6 interface Command, page 12-1212-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Verifying the IPv6 Configuration
• The show ipv6 route Command, page 12-12
• The show ipv6 mld traffic Command, page 12-13
The show ipv6 interface Command
To display the IPv6 interface settings, enter the following command:
hostname# show ipv6 interface [if_name]
Including the interface name, such as “outside”, displays the settings for the specified interface.
Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on
them. The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
• The multicast groups the interface belongs to.
• ICMP redirect and error message settings.
• Neighbor discovery settings.
The following is sample output from the show ipv6 interface command:
hostname# show ipv6 interface
ipv6interface is down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:88ff:feee:6a82 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::1:ffee:6a82
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Note The show interface command only displays the IPv4 settings for an interface. To see the IPv6
configuration on an interface, you need to use the show ipv6 interface command. The show ipv6
interface command does not display any IPv4 settings for the interface (if both types of addresses are
configured on the interface).
The show ipv6 route Command
To display the routes in the IPv6 routing table, enter the following command:
hostname# show ipv6 route
The output from the show ipv6 route command is similar to the IPv4 show route command. It displays
the following information:
• The protocol that derived the route.
• The IPv6 prefix of the remote network.
• The administrative distance and metric for the route.
• The address of the next-hop router.12-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Verifying the IPv6 Configuration
• The interface through which the next hop router to the specified network is reached.
The following is sample output from the show ipv6 route command:
hostname# show ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L fe80::/10 [0/0]
via ::, inside
L fec0::a:0:0:a0a:a70/128 [0/0]
via ::, inside
C fec0:0:0:a::/64 [0/0]
via ::, inside
L ff00::/8 [0/0]
via ::, inside
The show ipv6 mld traffic Command
To display the MLD traffic counters in the IPv6 routing table, enter the following command:
hostname# show ipv6 mld traffic
The output from the show ipv6 mld traffic command displays whether the expected number of MLD
protocol messages have been received and sent.
The following is sample output from the show ipv6 mld traffic command:
hostname# show ipv6 mld traffic
show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
Received Sent
Valid MLD Packets 1 3
Queries 1 0
Reports 0 3
Leaves 0 0
Mtrace packets 0 0
Errors:
Malformed Packets 0
Martian source 0
Non link-local source 0
Hop limit is not equal to 1 012-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 12 Configuring IPv6
Verifying the IPv6 ConfigurationC H A P T E R
13-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
13
Configuring AAA Servers and the Local Database
This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and
the local database.
This chapter contains the following sections:
• AAA Overview, page 13-1
• AAA Server and Local Database Support, page 13-2
• Configuring the Local Database, page 13-10
• Identifying AAA Server Groups and Servers, page 13-12
• Using Certificates and User Login Credentials, page 13-15
• Supporting a Zone Labs Integrity Server, page 13-16
AAA Overview
AAA enables the security appliance to determine who the user is (authentication), what the user can do
(authorization), and what the user did (accounting).
AAA provides an extra level of protection and control for user access than using access lists alone. For
example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ
network. If you want only some users to access the server and you might not always know IP addresses
of these users, you can enable AAA to allow only authenticated and/or authorized users to make it
through the security appliance. (The Telnet server enforces authentication, too; the security appliance
prevents unauthorized users from attempting to access the server.)
You can use authentication alone or with authorization and accounting. Authorization always requires a
user to be authenticated first. You can use accounting alone, or with authentication and authorization.
This section includes the following topics:
• About Authentication, page 13-1
• About Authorization, page 13-2
• About Accounting, page 13-2
About Authentication
Authentication controls access by requiring valid user credentials, which are typically a username and
password. You can configure the security appliance to authenticate the following items:13-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
• All administrative connections to the security appliance including the following sessions:
– Telnet
– SSH
– Serial console
– ASDM (using HTTPS)
– VPN management access
• The enable command
• Network access
• VPN access
About Authorization
Authorization controls access per user after users authenticate. You can configure the security appliance
to authorize the following items:
• Management commands
• Network access
• VPN access
Authorization controls the services and commands available to each authenticated user. Were you not to
enable authorization, authentication alone would provide the same access to services for all
authenticated users.
If you need the control that authorization provides, you can configure a broad authentication rule, and
then have a detailed authorization configuration. For example, you authenticate inside users who attempt
to access any server on the outside network and then limit the outside servers that a particular user can
access using authorization.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the same
services during the current authentication session, the security appliance does not resend the request to
the authorization server.
About Accounting
Accounting tracks traffic that passes through the security appliance, enabling you to have a record of
user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do
not authenticate the traffic, you can account for traffic per IP address. Accounting information includes
when sessions start and stop, username, the number of bytes that pass through the security appliance for
the session, the service used, and the duration of each session.
AAA Server and Local Database Support
The security appliance supports a variety of AAA server types and a local database that is stored on the
security appliance. This section describes support for each AAA server type and the local database.
This section contains the following topics:
• Summary of Support, page 13-313-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
• RADIUS Server Support, page 13-3
• TACACS+ Server Support, page 13-4
• SDI Server Support, page 13-4
• NT Server Support, page 13-5
• Kerberos Server Support, page 13-5
• LDAP Server Support, page 13-6
• SSO Support for WebVPN with HTTP Forms, page 13-9
• Local Database Support, page 13-9
Summary of Support
Table 13-1 summarizes the support for each AAA service by each AAA server type, including the local
database. For more information about support for a specific AAA server type, refer to the topics
following the table.
RADIUS Server Support
The security appliance supports RADIUS servers.
Table 13-1 Summary of AAA Support
AAA Service
Database Type
Local RADIUS TACACS+ SDI NT Kerberos LDAP
HTTP
Form
Authentication of...
VPN u s er s Yes Yes Yes Yes Yes Yes Yes Yes
1
1. HTTP Form protocol supports single sign-on authentication for WebVPN users only.
Fir ewall s es s ion s Yes Yes Yes Yes Yes Yes Yes No
Administrators Yes Yes Yes Yes
2
2. SDI is not supported for HTTP administrative access.
Yes Yes Yes No
Authorization of...
VPN users Yes Yes No No No No Yes No
Firewall sessions No Yes
3
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or
specified in a RADIUS authentication response.
Yes No No No No No
Administrators Yes
4
4. Local command authorization is supported by privilege level only.
No Yes No No No No No
Accounting of...
VPN connections No Yes Yes No No No No No
Firewall sessions No Yes Yes No No No No No
Administrators No Yes
5
5. Command accounting is available for TACACS+ only.
Yes No No No No No13-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
This section contains the following topics:
• Authentication Methods, page 13-4
• Attribute Support, page 13-4
• RADIUS Authorization Functions, page 13-4
Authentication Methods
The security appliance supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• CHAP—For L2TP-over-IPSec.
• MS-CHAPv1—For L2TP-over-IPSec.
• MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the
password management feature is enabled.
Attribute Support
The security appliance supports the following sets of RADIUS attributes:
• Authentication attributes defined in RFC 2138.
• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.
RADIUS Authorization Functions
The security appliance can use RADIUS servers for user authorization for network access using dynamic
access lists or access list names per user. To implement dynamic access lists, you must configure the
RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable
access list or access list name to the security appliance. Access to a given service is either permitted or
denied by the access list. The security appliance deletes the access list when the authentication session
expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
SDI Server Support
The RSA SecureID servers are also known as SDI servers.
This section contains the following topics:
• SDI Version Support, page 13-513-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
• Two-step Authentication Process, page 13-5
• SDI Primary and Replica Servers, page 13-5
SDI Version Support
The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and
SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file has
its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended.
A version 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or
any one of the replicas. See the “SDI Primary and Replica Servers” section on page 13-5 for information
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI version 5.0 and 6.0 uses a two-step process to prevent an intruder from capturing information from
an RSA SecurID authentication request and using it to authenticate to another server. The Agent first
sends a lock request to the SecurID server before sending the user authentication request. The server
locks the username, preventing another (replica) server from accepting it. This means that the same user
cannot authenticate to two security appliances using the same authentication servers simultaneously.
After a successful username lock, the security appliance sends the passcode.
SDI Primary and Replica Servers
The security appliance obtains the server list when the first user authenticates to the configured server,
which can be either a primary or a replica. The security appliance then assigns priorities to each of the
servers on the list, and subsequent server selection derives at random from those assigned priorities. The
highest priority servers have a higher likelihood of being selected.
NT Server Support
The security appliance supports Microsoft Windows server operating systems that support NTLM
version 1, collectively referred to as NT servers.
Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
This is a limitation of NTLM version 1.
Kerberos Server Support
The security appliance supports 3DES, DES, and RC4 encryption types.
Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid
this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory
server for users connecting to the security appliance.
For a simple Kerberos server configuration example, see Example 13-2.13-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
LDAP Server Support
This section describes using an LDAP directory with the security appliance for user authentication and
VPN authorization. This section includes the following topics:
• Authentication with LDAP, page 13-6
• Authorization with LDAP for VPN, page 13-7
• LDAP Attribute Mapping, page 13-8
For example configuration procedures used to set up LDAP authentication or authorization, see
Appendix E, “Configuring an External Server for Authorization and Authentication”.
Authentication with LDAP
During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and
authenticates to the LDAP server in either plain text or using the Simple Authentication and Security
Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a
username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can
secure the communications between the security appliance and the LDAP server with SSL using the
ldap-over-ssl command.
Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with
SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data which
is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a
single step.
Securing LDAP Authentication with SASL
The security appliance supports the following SASL mechanisms, listed in order of increasing strength:
• Digest-MD5 — The security appliance responds to the LDAP server with an MD5 value computed
from the username and password.
• Kerberos — The security appliance responds to the LDAP server by sending the username and realm
using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos
mechanism.
You can configure the security appliance and LDAP server to support any combination of these SASL
mechanisms. If you configure multiple mechanisms, the security appliance retrieves the list of SASL
mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism
configured on both the security appliance and the server. For example, if both the LDAP server and the
security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the
mechanisms.
The following example configures the security appliance for authentication to an LDAP directory server
named ldap_dir_1 using the digest-MD5 SASL mechanism, and communicating over an SSL-secured
connection:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-over-ssl enable13-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
hostname(config-aaa-server-host)#
Setting the LDAP Server Type
The security appliance supports LDAP Version 3. In the current release, it is compatible only with the
Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and
the Microsoft Active Directory. In later releases, the security appliance will support other OpenLDAP
servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP
directory server. However, if auto-detection fails to determine the LDAP server type, and you know the
server is either a Microsoft or Sun server, you can manually configure the server type. The following
example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#
Note • Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP
server which returns LDAP attributes. These attributes generally include authorization data that applies
to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.
To set up VPN user authorization using LDAP, you must first create a AAA server group and a tunnel
group. You then associate the server and tunnel groups using the tunnel-group general-attributes
command. While there are other authorization-related commands and options available for specific
requirements, the following example shows fundamental commands for enabling user authorization with
LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that
new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#13-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
After you complete this fundamental configuration work, you can configure additional LDAP
authorization parameters such as a directory password, a starting point for searching a directory, and the
scope of a directory search:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-login-dn obscurepassword
hostname(config-aaa-server-host)# ldap-base-dn starthere
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)#
See LDAP commands in the Cisco Security Appliance Command Reference for more information.
LDAP Attribute Mapping
If you are introducing a security appliance to an existing LDAP directory, your existing LDAP attribute
names and values are probably different from the existing ones. You must create LDAP attribute maps
that map your existing user-defined attribute names and values to Cisco attribute names and values that
are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or
remove them as needed. You can also show or clear attribute maps.
Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names
and values as well as the user-defined attribute names and values.
The following command, entered in global configuration mode, creates an unpopulated LDAP attribute
map table named att_map_1:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)#
The following commands map the user-defined attribute name department to the Cisco attribute name
cVPN3000-IETF-Radius-Class. The second command maps the user-defined attribute value Engineering
to the user-defined attribute department and the Cisco-defined attribute value group1.
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name department cVPN3000-IETF-Radius-Class
hostname(config-ldap-attribute-map)# map-value department Engineering group1
hostname(config-ldap-attribute-map)#
The following commands bind the attribute map att_map_1 to the LDAP server ldap_dir_1:
hostname(config)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-attribute-map att_map_1
hostname(config-aaa-server-host)#
Note The command to create an attribute map (ldap attribute-map) and the command to bind it to an LDAP
server (ldap-attribute-map) differ only by a hyphen and the mode.
The following commands display or clear all LDAP attribute maps in the running configuration:
hostname# show running-config all ldap attribute-map
hostname(config)# clear configuration ldap attribute-map
hostname(config)#
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes they
would commonly be mapped to include:13-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support
cVPN3000-IETF-Radius-Class — Department or user group
cVPN3000-IETF-Radius-Filter-Id — Access control list
cVPN3000-IETF-Radius-Framed-IP-Address — A static IP address
cVPN3000-IPSec-Banner1 — A organization title
cVPN3000-Tunneling-Protocols — Allow or deny dial-in
For a list of Cisco LDAP attribute names and values, see Appendix E, “Configuring an External Server
for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode
to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1 ?
ldap mode commands/options:
cisco-attribute-names:
cVPN3000-Access-Hours
cVPN3000-Allow-Network-Extension-Mode
cVPN3000-Auth-Service-Type
cVPN3000-Authenticated-User-Idle-Timeout
cVPN3000-Authorization-Required
cVPN3000-Authorization-Type
:
:
cVPN3000-X509-Cert-Data
hostname(config-ldap-attribute-map)#
SSO Support for WebVPN with HTTP Forms
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of
WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only
once to access multiple protected services and Web servers. The WebVPN server running on the security
appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN
server sends an SSO authentication request, including username and password, to the authenticating
server using HTTPS. If the server approves the authentication request, it returns an SSO authentication
cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it
to authenticate the user to secure websites within the domain protected by the SSO server.
In addition to the HTTP Form protocol, WebVPN administrators can choose to configure SSO with the
HTTP Basic and NTLM authentication protocols (the auto-signon command), or with Computer
Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder) as well. For an in-depth
discussion of configuring SSO with either HTTP Forms, auto-signon or SiteMinder, see the Configuring
WebVPN chapter.
Local Database Support
The security appliance maintains a local database that you can populate with user profiles.
This section contains the following topics:
• User Profiles, page 13-10
• Fallback Support, page 13-1013-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Configuring the Local Database
User Profiles
User profiles contain, at a minimum, a username. Typically, a password is assigned to each username,
although passwords are optional.
The username attributes command lets you enter the username mode. In this mode, you can add other
information to a specific user profile. The information you can add includes VPN-related attributes, such
as a VPN session timeout value.
Fallback Support
The local database can act as a fallback method for several functions. This behavior is designed to help
you prevent accidental lockout from the security appliance.
For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords in the AAA servers. This provides transparent fallback
support. Because the user cannot determine whether a AAA server or the local database is providing the
service, using usernames and passwords on AAA servers that are different than the usernames and
passwords in the local database means that the user cannot be certain which username and password
should be given.
The local database supports the following fallback functions:
• Console and enable password authentication—When you use the aaa authentication console
command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the
group all are unavailable, the security appliance uses the local database to authenticate
administrative access. This can include enable password authentication, too.
• Command authorization—When you use the aaa authorization command command, you can
add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group all
are unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to
enable remote access to the security appliance if AAA servers that normally support these VPN
services are unavailable. The authentication-server-group command, available in tunnel-group
general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes
of a tunnel group. When VPN client of an administrator specifies a tunnel group configured to
fallback to the local database, the VPN tunnel can be established even if the AAA server group is
unavailable, provided that the local database is configured with the necessary attributes.
Configuring the Local Database
This section describes how to manage users in the local database. You can use the local database for
CLI access authentication, privileged mode authentication, command authorization, network access
authentication, and VPN authentication and authorization. You cannot use the local database for network
access authorization. The local database does not support accounting.
For multiple context mode, you can configure usernames in the system execution space to provide
individual logins using the login command; however, you cannot configure any aaa commands in the
system execution space.
Caution If you add to the local database users who can gain access to the CLI but who should not be allowed to
enter privileged mode, enable command authorization. (See the “Configuring Local Command
Authorization” section on page 40-8.) Without command authorization, users can access privileged 13-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Configuring the Local Database
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use
the login command, or you can set all local users to level 1 so you can control who can use the system
enable password to access privileged mode.
To define a user account in the local database, perform the following steps:
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege
priv_level]
where the options are as follows:
• username—A string from 4 to 64 characters long.
• password password—A string from 3 to 16 characters long.
• mschap—Specifies that the password will be converted to unicode and hashed using MD4 after you
enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
• privilege level—The privilege level that you want to assign to the new user account (from 0 to 15).
The default is 2. This privilege level is used with command authorization.
• nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password
in the username command, the security appliance encrypts it when it saves it to the configuration for
security purposes. When you enter the show running-config command, the username command does
not show the actual password; it shows the encrypted password followed by the encrypted or
nt-encrypted keyword (when you specify mschap). For example, if you enter the password “test,” the
show running-config display would appear to be something like the following:
username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are
cutting and pasting a configuration to another security appliance and you are using the same password.
Step 2 To configure a local user account with VPN attributes, follow these steps:
a. Enter the following command:
hostname(config)# username username attributes
When you enter a username attributes command, you enter username mode. The commands
available in this mode are as follows:
• group-lock
• password-storage
• vpn-access-hours
• vpn-filter
• vpn-framed-ip-address
• vpn-group-policy
• vpn-idle-timeout
• vpn-session-timeout
• vpn-simultaneous-logins
• vpn-tunnel-protocol13-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Identifying AAA Server Groups and Servers
• webvpn
Use these commands as needed to configure the user profile. For more information about these
commands, see the Cisco Security Appliance Command Reference.
b. When you have finished configuring the user profiles, enter exit to return to config mode.
For example, the following command assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password passw0rd privilege 15
The following command creates a user account with no password:
hostname(config)# username bcham34 nopassword
The following commands creates a user account with a password, enters username mode, and specifies
a few VPN attributes:
hostname(config)# username rwilliams password gOgeOus
hostname(config)# username rwilliams attributes
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)# vpn-simultaneous-logins 6
hostname(config-username)# exit
Identifying AAA Server Groups and Servers
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
The security appliance contacts the first server in the group. If that server is unavailable, the security
appliance contacts the next server in the group, if configured. If all servers in the group are unavailable,
the security appliance tries the local database if you configured it as a fallback method (management
authentication and authorization only). If you do not have a fallback method, the security appliance
continues to try the AAA servers.
To create a server group and add AAA servers to it, follow these steps:
Step 1 For each AAA server group you need to create, follow these steps:
a. Identify the server group name and the protocol. To do so, enter the following command:
hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius |
sdi | tacacs+}
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI
access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+
servers.
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group
can have up to 16 servers in single mode or up to 4 servers in multi-mode.
When you enter a aaa-server protocol command, you enter group mode.
b. If you want to specify the maximum number of requests sent to a AAA server in the group before
trying the next server, enter the following command:13-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Identifying AAA Server Groups and Servers
hostname(config-aaa-server-group)# max-failed-attempts number
The number can be between 1 and 5. The default is 3.
If you configured a fallback method using the local database (for management access only; see the
“Configuring AAA for System Administrators” section on page 40-5 and the “Configuring
TACACS+ Command Authorization” section on page 40-11 to configure the fallback mechanism),
and all the servers in the group fail to respond, then the group is considered to be unresponsive, and
the fallback method is tried. The server group remains marked as unresponsive for a period of 10
minutes (by default) so that additional AAA requests within that period do not attempt to contact
the server group, and the fallback method is used immediately. To change the unresponsive period
from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the
group.
c. If you want to specify the method (reactivation policy) by which failed servers in a group are
reactivated, enter the following command:
hostname(config-aaa-server-group)# # reactivation-mode {depletion [deadtime minutes] |
timed}
Where the depletion keyword reactivates failed servers only after all of the servers in the group are
inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the group and the subsequent re-enabling of all
servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
d. If you want to send accounting messages to all servers in the group (RADIUS or TACACS+ only),
enter the following command:
hostname(config-aaa-server-group)# accounting-mode simultaneous
To restore the default of sending messages only to the active server, enter the accounting-mode
single command.
Step 2 For each AAA server on your network, follow these steps:
a. Identify the server, including the AAA server group it belongs to. To do so, enter the following
command:
hostname(config)# aaa-server server_group (interface_name) host server_ip
When you enter a aaa-server host command, you enter host mode.
b. As needed, use host mode commands to further configure the AAA server.
The commands in host mode do not apply to all AAA server types. Table 13-2 lists the available
commands, the server types they apply to, and whether a new AAA server definition has a default
value for that command. Where a command is applicable to the server type you specified and no
default value is provided (indicated by “—”), use the command to specify the value. For more
information about these commands, see the Cisco Security Appliance Command Reference.13-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Identifying AAA Server Groups and Servers
Example 13-1 shows commands that add one TACACS+ group with one primary and one backup server,
one RADIUS group with a single server, and an NT domain server.
Example 13-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
Table 13-2 Host Mode Commands, Server Types, and Defaults
Command Applicable AAA Server Types Default Value
accounting-port RADIUS 1646
acl-netmask-convert RADIUS standard
authentication-port RADIUS 1645
kerberos-realm Kerberos —
key RADIUS —
TACACS+ —
ldap-attribute-map LDAP —
ldap-base-dn LDAP —
ldap-login-dn LDAP —
ldap-login-password LDAP —
ldap-naming-attribute LDAP —
ldap-over-ssl LDAP —
ldap-scope LDAP —
nt-auth-domain-controller NT —
radius-common-pw RADIUS —
retry-interval Kerberos 10 seconds
RADIUS 10 seconds
SDI 10 seconds
sasl-mechanism LDAP —
server-port Kerberos 88
LDAP 389
NT 139
SDI 5500
TACACS+ 49
server-type LDAP auto-discovery
timeout All 10 seconds13-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Using Certificates and User Login Credentials
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit
Example 13-2 shows commands that configure a Kerberos AAA server group named watchdogs, add a
AAA server to the group, and define the Kerberos realm for the server. Because Example 13-2 does not
define a retry interval or the port that the Kerberos server listens to, the security appliance uses the
default values for these two server-specific parameters. Table 13-2 lists the default values for all AAA
server host mode commands.
Note Kerberos realm names use numbers and upper-case letters only. Although the security appliance accepts
lower-case letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure
to use upper-case letters only.
Example 13-2 Kerberos Server Group and Server
hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#
Using Certificates and User Login Credentials
The following section describes the different methods of using certificates and user login credentials
(username and password) for authentication and authorization. This applies to both IPSec and WebVPN.
In all cases, LDAP authorization does not use the password as a credential. RADIUS authorization uses
either a common password for all users or the username as a password.
Using User Login Credentials
The default method for authentication and authorization uses the user login credentials.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential13-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Supporting a Zone Labs Integrity Server
Using certificates
If user digital certificates are configured, the security appliance first validates the certificate. It does not,
however, use any of the DNs from the certificates as a username for the authentication.
If both authentication and authorization are enabled, the security appliance uses the user login
credentials for both user authentication and authorization.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential
If authentication is disabled and authorization is enabled, the security appliance uses the primary DN
field for authorization.
• Authentication
– DISABLED (set to None) by authentication server group setting
– No credentials used
• Authorization
– Enabled by authorization server group setting
– Uses the username value of the certificate primary DN field as a credential
Note If the primary DN field is not present in the certificate, the security appliance uses the secondary DN
field value as the username for the authorization request.
For example, consider a user certificate that contains the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com.
If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the
username used in the authorization request would be anyuser@example.com.
Supporting a Zone Labs Integrity Server
This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and
presents an example procedure for configuring the security appliance to support the Zone Labs Integrity
Server. The Integrity server is a central management station for configuring and enforcing security
policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity
Server, it will not be granted access to the private network protected by the Integrity Server and security
appliance.
This section includes the following topics:
• Overview of Integrity Server and Security Appliance Interaction, page 13-17
• Configuring Integrity Server Support, page 13-1713-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Supporting a Zone Labs Integrity Server
Overview of Integrity Server and Security Appliance Interaction
The VPN client software and the Integrity client software are co-resident on a remote PC. The following
steps summarize the actions of the remote PC, security appliance, and Integrity server in the
establishment of a session between the PC and the enterprise private network:
1. The VPN client software (residing on the same remote PC as the Integrity client software) connects
to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address
information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection
with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security
policies. If the client is in compliance with security policies, the Integrity server instructs the
security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that
policy enforcement should begin immediately and the client can no enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client
heartbeat messages.
Note The current release of the security appliance supports one Integrity Server at a time even though the user
interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure
another Integrity Server on the security appliance and then reestablish the client VPN session.
Configuring Integrity Server Support
This section describes an example procedure for configuring the security appliance to support the Zone
Labs Integrity Servers. The procedure involves configuring address, port, connection fail timeout and
fail states, and SSL certificate parameters.
First, you must configure the hostname or IP address of the Integrity server. The following example
commands, entered in global configuration mode, configure an Integrity server using the IP address
10.0.0.5. They also specify port 300 (the default port is 5054) and the inside interface for
communications with the Integrity server.
hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
hostname(config)#
If the connection between the security appliance and the Integrity server fails, the VPN client
connections remain open by default so that the enterprise VPN is not disrupted by the failure of an
Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity Server
fails. The following commands ensure that the security appliance waits 12 seconds for a response from
either the active or standby Integrity servers before declaring an the Integrity server as failed and closing
the VPN client connections:
hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
hostname(config)# 13-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 13 Configuring AAA Servers and the Local Database
Supporting a Zone Labs Integrity Server
The following command returns the configured VPN client connection fail state to the default and
ensures the client connections remain open:
hostname(config)# zonelabs-integrity fail-open
hostname(config)#
The following example commands specify that the Integrity server connects to port 300 (default is port
80) on the security appliance to request the server SSL certificate. While the server SSL certificate is
always authenticated, these commands also specify that the client SSL certificate of the Integrity server
be authenticated.
hostname(config)# zonelabs-integrity ssl-certificate-port 300
hostname(config)# zonelabs-integrity ssl-client-authentication
hostname(config)#
To set the firewall client type to the Zone Labs Integrity type, use the client-firewall command as
described in the “Configuring Firewall Policies” section on page 30-55. The command arguments that
specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity
server determines the policies.C H A P T E R
14-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
14
Configuring Failover
This chapter describes the security appliance failover feature, which lets you configure two security
appliances so that one takes over operation if the other one fails.
Note The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active
failover.
This chapter includes the following sections:
• Understanding Failover, page 14-1
• Configuring Failover, page 14-19
• Controlling and Monitoring Failover, page 14-49
For failover configuration examples, see Appendix B, “Sample Configurations.”
Understanding Failover
The failover configuration requires two identical security appliances connected to each other through a
dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and
units is monitored to determine if specific failover conditions are met. If those conditions are met,
failover occurs.
The security appliance supports two failover configurations, Active/Active failover and Active/Standby
failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This lets you configure load balancing
on your network. Active/Active failover is only available on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state.
Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
Note VPN failover is not supported on units running in multiple context mode. VPN failover available for
Active/Standby failover configurations only. 14-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
This section includes the following topics:
• Failover System Requirements, page 14-2
• The Failover and Stateful Failover Links, page 14-3
• Active/Active and Active/Standby Failover, page 14-6
• Regular and Stateful Failover, page 14-15
• Failover Health Monitoring, page 14-16
• Failover Feature/Platform Matrix, page 14-18
• Failover Times by Platform, page 14-18
Failover System Requirements
This section describes the hardware, software, and license requirements for security appliances in a
failover configuration. This section contains the following topics:
• Hardware Requirements, page 14-2
• Software Requirements, page 14-2
• License Requirements, page 14-2
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration. They must be the
same model, have the same number and types of interfaces, and the same amount of RAM.
Note The two units do not have to have the same size Flash memory. If using units with different Flash
memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has
enough space to accommodate the software image files and the configuration files. If it does not,
configuration synchronization from the unit with the larger Flash memory to the unit with the smaller
Flash memory will fail.
Software Requirements
The two units in a failover configuration must be in the operating modes (routed or transparent, single
or multiple context). They have the same major (first number) and minor (second number) software
version. However, you can use different versions of the software during an upgrade process; for example,
you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We
recommend upgrading both units to the same version to ensure long-term compatibility.
See “Performing Zero Downtime Upgrades for Failover Pairs” section on page 41-6 for more
information about upgrading the software on a failover pair.
License Requirements
On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license.
The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license,
or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO
or FO_AA licenses cannot be used together as a failover pair.14-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Note The FO license does not support Active/Active failover.
The FO and FO_AA licenses are intended to be used solely for units in a failover configuration and not
for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the
unit reboots at least once every 24 hours until the unit is returned to failover duty. A unit with an FO or
FO_AA license operates in standalone mode if it is booted without being connected to a failover peer
with a UR license. If the unit with a UR license in a failover pair fails and is removed from the
configuration, the unit with the FO or FO_AA license does not automatically reboot every 24 hours; it
operates uninterrupted unless the it is manually rebooted.
When the unit automatically reboots, the following message displays on the console:
=========================NOTICE=========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
========================================================
The ASA 5500 series adaptive security appliance platform does not have this restriction.
The Failover and Stateful Failover Links
This section describes the failover and the Stateful Failover links, which are dedicated connections
between the two units in a failover configuration. This section includes the following topics:
• Failover Link, page 14-3
• Stateful Failover Link, page 14-5
Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating
status of each unit. The following information is communicated over the failover link:
• The unit state (active or standby).
• Power status (cable-based failover only—available only on the PIX 500 series security appliance).
• Hello messages (keep-alives).
• Network link status.
• MAC address exchange.
• Configuration replication and synchronization.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.14-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a
dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can
only be a LAN-based connection.
This section includes the following topics:
• LAN-Based Failover Link, page 14-4
• Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
LAN-Based Failover Link
You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify
an interface that is currently configured with a name. The LAN failover link interface is not configured
as a normal networking interface. It exists for failover communication only. This interface should only
be used for the LAN failover link (and optionally for the stateful failover link).
Connect the LAN failover link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as
the LAN failover interfaces of the ASA.
• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external
switch.
Note When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought
down on both peers. This condition may hamper troubleshooting efforts because you cannot easily
determine which interface failed and caused the link to come down.
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable
or a straight-through cable. If you use a straight-through cable, the interface automatically detects the
cable and swaps one of the transmit/receive pairs to MDIX.
Serial Cable Failover Link (PIX Security Appliance Only)
The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security
appliance. If the two units are within six feet of each other, then we recommend that you use the serial
Failover cable.
The cable that connects the two units is a modified RS-232 serial link cable that transfers data at
117,760 bps (115 Kbps). One end of the cable is labeled “Primary”. The unit attached to this end of the
cable automatically becomes the primary unit. The other end of the cable is labeled “Secondary”. The
unit attached to this end of the cable automatically becomes the secondary unit. You cannot override
these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series
security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
The benefits of using cable-based failover include:
• The PIX 500 series security appliance can immediately detect a power loss on the peer unit and
differentiate between a power loss from an unplugged cable.
• The standby unit can communicate with the active unit and can receive the entire configuration
without having to be bootstrapped for failover. In LAN-based failover you need to configure the
failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure;
cable-based failover eliminates this potential point of failure.14-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to
manually enter that information in the unit configurations.
The disadvantages include:
• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.
Stateful Failover Link
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not
recommended.
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch
or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be
on this link.
Note Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
Note Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.
Note The IP address and MAC address for the Stateful Failover link does not change at failover unless the
Stateful Failover link is configured on a regular data interface.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels. 14-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface
available. If you experience performance problems on that interface, consider dedicating a separate
interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for Cisco PIX security appliances and Cisco ASA
adaptive security appliances:
• Cisco ASA 5520/5540/5550 and PIX 515E/535
– The stateful link speed should match the fastest data link
• Cisco ASA 5510 and PIX 525
– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
to the CPU speed limitation.
For optimum performance when using long distance LAN failover, the latency for the failover link
should be less than 10 milliseconds and no more than 250 milliseconds. If latency is less than 10
milliseconds, some performance degradation occurs due to retransmission of failover messages.
All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate
heartbeat link on systems with high Stateful Failover traffic.
Active/Active and Active/Standby Failover
This section describes each failover configuration in detail. This section includes the following topics:
• Active/Standby Failover, page 14-6
• Active/Active Failover, page 14-10
• Determining Which Type of Failover to Use, page 14-15
Active/Standby Failover
This section describes Active/Standby failover and includes the following topics:
• Active/Standby Failover Overview, page 14-6
• Primary/Secondary Status and Active/Standby Status, page 14-7
• Device Initialization and Configuration Synchronization, page 14-7
• Command Replication, page 14-8
• Failover Triggers, page 14-9
• Failover Actions, page 14-9
Active/Standby Failover Overview
Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed
unit. When the active unit fails, it changes to the standby state while the standby unit changes to the
active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the 14-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that
is now in standby state takes over the standby IP addresses and MAC addresses. Because network
devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere
on the network.
Note For multiple context mode, the security appliance can fail over the entire unit (including all contexts)
but cannot fail over individual contexts separately.
Primary/Secondary Status and Active/Standby Status
The main differences between the two units in a failover pair are related to which unit is active and which
unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the
configuration) and which unit is secondary:
• The primary unit always becomes the active unit if both units start up at the same time (and are of
equal operational health).
• The primary unit MAC addresses are always coupled with the active IP addresses. The exception to
this rule occurs when the secondary unit is active, and cannot obtain the primary unit MAC addresses
over the failover link. In this case, the secondary unit MAC addresses are used.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations
are always synchronized from the active unit to the standby unit. When the standby unit completes its
initial startup, it clears its running configuration (except for the failover commands needed to
communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
The active unit is determined by the following:
• If a unit boots and detects a peer already running as active, it becomes the standby unit.
• If a unit boots and does not detect a peer, it becomes the active unit.
• If both units boot simultaneously, then the primary unit becomes the active unit and the secondary
unit becomes the standby unit.
Note If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own
MAC addresses for the active IP addresses. However, when the primary unit becomes available, the
secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption
in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the
“Configuring Virtual MAC Addresses” section on page 14-26 for more information.
When the replication starts, the security appliance console on the active unit displays the message
“Beginning configuration replication: Sending to mate,” and when it is complete, the security appliance
displays the message “End Configuration Replication to mate.” During replication, commands entered
on the active unit may not replicate properly to the standby unit, and commands entered on the standby
unit may be overwritten by the configuration being replicated from the active unit. Avoid entering
commands on either unit in the failover pair during the configuration replication process. Depending
upon the size of the configuration, replication can take from a few seconds to several minutes.
On the standby unit, the configuration exists only in running memory. To save the configuration to Flash
memory after synchronization:14-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• For single context mode, enter the write memory command on the active unit. The command is
replicated to the standby unit, which proceeds to write its configuration to Flash memory.
• For multiple context mode, enter the write memory all command on the active unit from the system
execution space. The command is replicated to the standby unit, which proceeds to write its
configuration to Flash memory. Using the all keyword with this command causes the system and all
context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the
active unit to an external server, and then copy them to disk on the standby unit, where they become
available when the unit reloads.
Command Replication
Command replication always flows from the active unit to the standby unit. As commands are entered
on the active unit, they are sent across the failover link to the standby unit. You do not have to save the
active configuration to Flash memory to replicate the commands.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
Note Changes made on the standby unit are not replicated to the active unit. If you enter a command on the
standby unit, the security appliance displays the message **** WARNING **** Configuration
Replication is NOT performed from Standby unit to Active unit. Configurations are no
longer synchronized. This message displays even when you enter many commands that do not affect
the configuration.
If you enter the write standby command on the active unit, the standby unit clears its running
configuration (except for the failover commands used to communicate with the active unit), and the
active unit sends its entire configuration to the standby unit.14-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
For multiple context mode, when you enter the write standby command in the system execution space,
all contexts are replicated. If you enter the write standby command within a context, the command
replicates only the context configuration.
Replicated commands are stored in the running configuration. To save the replicated commands to the
Flash memory on the standby unit:
• For single context mode, enter the copy running-config startup-config command on the active unit.
The command is replicated to the standby unit, which proceeds to write its configuration to Flash
memory.
• For multiple context mode, enter the copy running-config startup-config command on the active
unit from the system execution space and within each context on disk. The command is replicated
to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup
configurations on external servers are accessible from either unit over the network and do not need
to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active
unit to an external server, and then copy them to disk on the standby unit.
Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is
entered on the standby unit.
Failover Actions
In Active/Standby failover, failover occurs on a unit basis. Even on systems running in multiple context
mode, you cannot fail over individual or groups of contexts.
Table 14-1 shows the failover action for each failure event. For each failure event, the table shows the
failover policy (failover or no failover), the action taken by the active unit, the action taken by the
standby unit, and any special notes about the failover condition and actions.
Table 14-1 Failover Behavior
Failure Event Policy Active Action Standby Action Notes
Active unit failed (power or
hardware)
Failover n/a Become active
Mark active as
failed
No hello messages are received on
any monitored interface or the
failover link.
Formerly active unit recovers No failover Become standby No action None.
Standby unit failed (power or
hardware)
No failover Mark standby as
failed
n/a When the standby unit is marked as
failed, then the active unit does not
attempt to fail over, even if the
interface failure threshold is
surpassed.
Failover link failed during
operation
No failover Mark failover
interface as failed
Mark failover
interface as failed
You should restore the failover link
as soon as possible because the
unit cannot fail over to the standby
unit while the failover link is down.14-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Active/Active Failover
This section describes Active/Active failover. This section includes the following topics:
• Active/Active Failover Overview, page 14-10
• Primary/Secondary Status and Active/Standby Status, page 14-11
• Device Initialization and Configuration Synchronization, page 14-11
• Command Replication, page 14-12
• Failover Triggers, page 14-13
• Failover Actions, page 14-14
Active/Active Failover Overview
Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups.
A failover group is simply a logical group of one or more security contexts. You can create a maximum
of two failover groups on the security appliance. The admin context is always a member of failover
group 1. Any unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring,
failover, and active/standby status are all attributes of a failover group rather than the unit. When an
active failover group fails, it changes to the standby state while the standby failover group becomes
active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the
interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby
state take over the standby MAC and IP addresses.
Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another
failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in
the active state.
Failover link failed at startup No failover Mark failover
interface as failed
Become active If the failover link is down at
startup, both units become active.
Stateful Failover link failed No failover No action No action State information becomes out of
date, and sessions are terminated if
a failover occurs.
Interface failure on active unit
above threshold
Failover Mark active as
failed
Become active None.
Interface failure on standby
unit above threshold
No failover No action Mark standby as
failed
When the standby unit is marked as
failed, then the active unit does not
attempt to fail over even if the
interface failure threshold is
surpassed.
Table 14-1 Failover Behavior (continued)
Failure Event Policy Active Action Standby Action Notes14-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Note Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you
have more than one Active/Active failover pair on the same network, it is possible to have the same
default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of
the other pairs because of the way the default virtual MAC addresses are determined. To avoid having
duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active
and standby MAC address.
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation does two things:
• Determines which unit provides the running configuration to the pair when they boot
simultaneously.
• Determines on which unit each failover group appears in the active state when the units boot
simultaneously. Each failover group in the configuration is configured with a primary or secondary
unit preference. You can configure both failover groups be in the active state on a single unit in the
pair, with the other unit containing the failover groups in the standby state. However, a more typical
configuration is to assign each failover group a different role preference to make each one active on
a different unit, distributing the traffic across the devices.
Note The security appliance does not provide load balancing services. Load balancing must be
handled by a router passing traffic to the security appliance.
Which unit each failover group becomes active on is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the
unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the
failover groups remain in the active state on the active unit regardless of the primary or secondary
preference of the failover group until one of the following:
– A failover occurs.
– You manually force the failover group to the other unit with the no failover active command.
– You configured the failover group with the preempt command, which causes the failover group
to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after
the configurations have been synchronized.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both units in a failover pair boot. The configurations
are synchronized as follows:
• When a unit boots while the peer unit is active (with both failover groups active on it), the booting
unit contacts the active unit to obtain the running configuration regardless of the primary or
secondary designation of the booting unit. 14-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• When both units boot simultaneously, the secondary unit obtains the running configuration from the
primary unit.
When the replication starts, the security appliance console on the unit sending the configuration displays
the message “Beginning configuration replication: Sending to mate,” and when it is complete, the
security appliance displays the message “End Configuration Replication to mate.” During replication,
commands entered on the unit sending the configuration may not replicate properly to the peer unit, and
commands entered on the unit receiving the configuration may be overwritten by the configuration being
received. Avoid entering commands on either unit in the failover pair during the configuration
replication process. Depending upon the size of the configuration, replication can take from a few
seconds to several minutes.
On the unit receiving the configuration, the configuration exists only in running memory. To save the
configuration to Flash memory after synchronization enter the write memory all command in the system
execution space on the unit that has failover group 1 in the active state. The command is replicated to
the peer unit, which proceeds to write its configuration to Flash memory. Using the all keyword with this
command causes the system and all context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts configuration files
from the disk on the primary unit to an external server, and then copy them to disk on the secondary unit,
where they become available when the unit reloads.
Command Replication
After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security
context appears in the active state to the peer unit.
Note A context is considered in the active state on a unit if the failover group to which it belongs is
in the active state on that unit.
• Commands entered in the system execution space are replicated from the unit on which failover
group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in
the active state to the unit on which failover group 1 is in the standby state.
All configuration and file commands (copy, rename, delete, mkdir, rmdir, and so on) are replicated,
with the following exceptions. The show, debug, mode, firewall, and failover lan unit commands are
not replicated.
Failure to enter the commands on the appropriate unit for command replication to occur causes the
configurations to be out of synchronization. Those changes may be lost the next time the initial
configuration synchronization occurs.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename14-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
You can use the write standby command to resynchronize configurations that have become out of sync.
For Active/Active failover, the write standby command behaves as follows:
• If you enter the write standby command in the system execution space, the system configuration
and the configurations for all of the security contexts on the security appliance is written to the peer
unit. This includes configuration information for security contexts that are in the standby state. You
must enter the command in the system execution space on the unit that has failover group 1 in the
active state.
Note If there are security contexts in the active state on the peer unit, the write standby command
causes active connections through those contexts to be terminated. Use the failover active
command on the unit providing the configuration to make sure all contexts are active on that
unit before entering the write standby command.
• If you enter the write standby command in a security context, only the configuration for the security
context is written to the peer unit. You must enter the command in the security context on the unit
where the security context appears in the active state.
Replicated commands are not saved to the Flash memory when replicated to the peer unit. They are
added to the running configuration. To save replicated commands to Flash memory on both units, use
the write memory or copy running-config startup-config command on the unit that you made the
changes on. The command is replicated to the peer unit and cause the configuration to be saved to Flash
memory on the peer unit.
Failover Triggers
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
• The unit has a hardware failure.
• The unit has a power failure.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• The no failover active group group_id or failover active group group_id command is entered. 14-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
You configure the failover threshold for each failover group by specifying the number or percentage of
interfaces within the failover group that must fail before the group fails. Because a failover group can
contain multiple contexts, and each context can contain multiple interfaces, it is possible for all
interfaces in a single context to fail without causing the associated failover group to fail.
See the “Failover Health Monitoring” section on page 14-16 for more information about interface and
unit monitoring.
Failover Actions
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis.
For example, if you designate both failover groups as active on the primary unit, and failover group 1
fails, then failover group 2 remains active on the primary unit while failover group 1 becomes active on
the secondary unit.
Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the
capacity of each unit.
Table 14-2 shows the failover action for each failure event. For each failure event, the policy (whether
or not failover occurs), actions for the active failover group, and actions for the standby failover group
are given.
Table 14-2 Failover Behavior for Active/Active Failover
Failure Event Policy
Active Group
Action
Standby Group
Action Notes
A unit experiences a power or
software failure
Failover Become standby
Mark as failed
Become active
Mark active as
failed
When a unit in a failover pair fails,
any active failover groups on that
unit are marked as failed and
become active on the peer unit.
Interface failure on active failover
group above threshold
Failover Mark active
group as failed
Become active None.
Interface failure on standby failover
group above threshold
No failover No action Mark standby
group as failed
When the standby failover group is
marked as failed, the active failover
group does not attempt to fail over,
even if the interface failure
threshold is surpassed.
Formerly active failover group
recovers
No failover No action No action Unless configured with the
preempt command, the failover
groups remain active on their
current unit.
Failover link failed at startup No failover Become active Become active If the failover link is down at
startup, both failover groups on
both units become active.14-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Determining Which Type of Failover to Use
The type of failover you choose depends upon your security appliance configuration and how you plan
to use the security appliances.
If you are running the security appliance in single mode, then you can only use Active/Standby failover.
Active/Active failover is only available to security appliances running in multiple context mode.
If you are running the security appliance in multiple context mode, then you can configure either
Active/Active failover or Active/Standby failover.
• To provide load balancing, use Active/Active failover.
• If you do not want to provide load balancing, use Active/Standby or Active/Active failover.
Table 14-3 provides a comparison of some of the features supported by each type of failover
configuration:
Regular and Stateful Failover
The security appliance supports two types of failover, regular and stateful. This section includes the
following topics:
• Regular Failover, page 14-16
• Stateful Failover, page 14-16
Stateful Failover link failed No failover No action No action State information becomes out of
date, and sessions are terminated if
a failover occurs.
Failover link failed during operation No failover n/a n/a Each unit marks the failover
interface as failed. You should
restore the failover link as soon as
possible because the unit cannot fail
over to the standby unit while the
failover link is down.
Table 14-2 Failover Behavior for Active/Active Failover (continued)
Failure Event Policy
Active Group
Action
Standby Group
Action Notes
Table 14-3 Failover Configuration Feature Support
Feature Active/Active Active/Standby
Single Context Mode No Yes
Multiple Context Mode Yes Yes
Load Balancing Network Configurations Yes No
Unit Failover Yes Yes
Failover of Groups of Contexts Yes No
Failover of Individual Contexts No No14-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Regular Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when
the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to
the standby unit. After a failover occurs, the same connection information is available at the new active
unit. Supported end-user applications are not required to reconnect to keep the same communication
session.
The state information passed to the standby unit includes the following:
• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the
following:
• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables. After a failover occurs, some packets may be lost our routed out of the wrong
interface (the default route) while the dynamic routing protocols rediscover routes.
• State information for Security Service Modules.
• DHCP server address leases.
• L2TP over IPSec sessions.
Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call
session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone
client loses connection with the Call Manager. This occurs because there is no session information for
the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a
response back from the Call Manager within a certain time period, it considers the Call Manager
unreachable and unregisters itself.
Failover Health Monitoring
The security appliance monitors each unit for overall health and for interface health. See the following
sections for more information about how the security appliance performs tests to determine the state of
each unit:
• Unit Health Monitoring, page 14-1714-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• Interface Monitoring, page 14-17
Unit Health Monitoring
The security appliance determines the health of the other unit by monitoring the failover link. When a
unit does not receive three consecutive hello messages on the failover link, the unit sends an ARP request
on all interfaces, including the failover interface. The action the security appliance takes depends on the
response from the other unit. See the following possible actions:
• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on
another interface, then the unit does not failover. The failover link is marked as failed. You should
restore the failover link as soon as possible because the unit cannot fail over to the standby while
the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches
to active mode and classifies the other unit as failed.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
You can configure the frequency of the hello messages and the hold time before failover occurs. A faster
poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly,
but it can also cause “false” failures due to network congestion delaying the keepalive packets. See
Configuring Unit Health Monitoring, page 14-39 for more information about configuring unit health
monitoring.
Interface Monitoring
You can monitor up to 250 interfaces divided between all contexts. You should monitor important
interfaces, for example, you might configure one context to monitor a shared interface (because the
interface is shared, all contexts benefit from the monitoring).
When a unit does not receive hello messages on a monitored interface for half of the configured hold
time, it runs the following tests:
1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the
interface is operational, then the security appliance performs network tests. The purpose of these
tests is to generate network traffic to determine which (if either) unit has failed. At the start of each
test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each
unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one
unit receives traffic for a test and the other unit does not, the unit that received no traffic is
considered failed. If neither unit has received traffic, then the next test is used.
2. Network Activity test—A received network activity test. The unit counts all received packets for up
to 5 seconds. If any packets are received at any time during this interval, the interface is considered
operational and testing stops. If no traffic is received, the ARP test begins.
3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time,
the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each
request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is
considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the
end of the list no traffic has been received, the ping test begins.14-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then
counts all received packets for up to 5 seconds. If any packets are received at any time during this
interval, the interface is considered operational and testing stops.
If all network tests fail for an interface, but this interface on the other unit continues to successfully pass
traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a
failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the
“Unknown” state and do not count towards the failover limit.
An interface becomes operational again if it receives any traffic. A failed security appliance returns to
standby mode if the interface failure threshold is no longer met.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
Failover Feature/Platform Matrix
Table 14-4 shows the failover features supported by each hardware platform.
Failover Times by Platform
Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security
appliance.
Table 14-6 shows the minimum, default, and maximum failover times for the ASA 5500 series adaptive
security appliance.
Table 14-4 Failover Feature Support by Platform
Platform Cable-Base Failover LAN-Based Failover Stateful Failover
ASA 5505 series adaptive
security appliance
No Yes No
ASA 5500 series adaptive
security appliance (other than
the ASA 5505)
No Yes Yes
PIX 500 series security
appliance
Yes Yes Yes
Table 14-5 PIX 500 series security appliance failover times.
Failover Condition Minimum Default Maximum
Active unit loses power or stops normal operation. 800 milliseconds 45 seconds 45 seconds
Active unit interface link down. 500 milliseconds 5 seconds 15 seconds
Active unit interface up, but connection problem
causes interface testing.
5 seconds 25 seconds 75 seconds14-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Configuring Failover
This section describes how to configure failover and includes the following topics:
• Failover Configuration Limitations, page 14-19
• Configuring Active/Standby Failover, page 14-19
• Configuring Active/Active Failover, page 14-27
• Configuring Unit Health Monitoring, page 14-39
• Configuring Failover Communication Authentication/Encryption, page 14-39
• Verifying the Failover Configuration, page 14-40
Failover Configuration Limitations
You cannot configure failover with the following type of IP addresses:
• IP addresses obtained through DHCP
• IP addresses obtained through PPPoE
• IPv6 addresses
Additionally, the following restrictions apply:
• Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
• Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
• You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive
security appliance.
• VPN failover is not supported in multiple context mode.
Configuring Active/Standby Failover
This section provides step-by-step procedures for configuring Active/Standby failover. This section
includes the following topics:
• Prerequisites, page 14-20
• Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only), page 14-20
Table 14-6 ASA 5500 series adaptive security appliance failover times.
Failover Condition Minimum Default Maximum
Active unit loses power or stops normal operation. 800 milliseconds 15 seconds 45 seconds
Active unit main board interface link down. 500 milliseconds 5 seconds 15 seconds
Active unit 4GE card interface link down. 2 seconds 5 seconds 15 seconds
Active unit IPS or CSC card fails. 2 seconds 2 seconds 2 seconds
Active unit interface up, but connection problem
causes interface testing.
5 seconds 25 seconds 75 seconds14-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
• Configuring LAN-Based Active/Standby Failover, page 14-21
• Configuring Optional Active/Standby Failover Settings, page 14-25
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in the same mode (single or multiple, transparent or routed).
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)
Follow these steps to configure Active/Standby failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based Active/Standby failover, perform the following steps:
Step 1 Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the other unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link. 14-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as the Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose.
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note If the Stateful Failover link uses a data interface, skip this step. You have already defined the
active and standby IP addresses for the interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Enable failover:
hostname(config)# failover
Step 6 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: sending to mate.” and “End
Configuration Replication to mate” appear on the primary console.
Step 7 Save the configuration to Flash memory on the primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Configuring LAN-Based Active/Standby Failover
This section describes how to configure Active/Standby failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.14-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Note If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as
assigning the active and standby IP addresses for each interface, that you completed for the cable-based
failover configuration.
This section includes the following topics:
• Configuring the Primary Unit, page 14-22
• Configuring the Secondary Unit, page 14-24
Configuring the Primary Unit
Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration.
These steps provide the minimum configuration needed to enable failover on the primary unit. For
multiple context mode, all steps are performed in the system execution space unless otherwise noted.
To configure the primary unit in an Active/Standby failover pair, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 2 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 3 Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
Step 4 Define the failover interface:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if
argument can be the physical port name, such as Ethernet1, or a previously created subinterface,
such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.14-23
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
b. Assign the active and standby IP address to the failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The failover link IP address and MAC address do not change at failover. The active IP address for
the failover link always stays with the primary unit, while the standby IP address stays with the
secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
Note If the Stateful Failover link uses the failover link or a data interface, then you only need to
supply the if_name argument.
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 6 Enable failover:14-24
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
hostname(config)# failover
Step 7 Save the system configuration to Flash memory:
hostname(config)# copy running-config startup-config
Configuring the Secondary Unit
The only configuration required on the secondary unit is for the failover interface. The secondary unit
requires these commands to initially communicate with the primary unit. After the primary unit sends
its configuration to the secondary unit, the only permanent difference between the two configurations is
the failover lan unit command, which identifies each unit as primary or secondary.
For multiple context mode, all steps are performed in the system execution space unless noted otherwise.
To configure the secondary unit, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit.
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface on the primary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured.
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate”
and “End Configuration Replication to mate” appear on the active unit console.14-25
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Step 5 After the running configuration has completed replication, save the configuration to Flash memory:
hostname(config)# copy running-config startup-config
Configuring Optional Active/Standby Failover Settings
You can configure the following optional Active/Standby failover setting when you are initially
configuring failover or after failover has already been configured. Unless otherwise noted, the
commands should be entered on the active unit.
This section includes the following topics:
• Enabling HTTP Replication with Stateful Failover, page 14-25
• Disabling and Enabling Interface Monitoring, page 14-25
• Configuring Interface Health Monitoring, page 14-26
• Configuring Failover Criteria, page 14-26
• Configuring Virtual MAC Addresses, page 14-26
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information replication, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information.
Enter the following command in global configuration mode to enable HTTP state replication when
Stateful Failover is enabled:
hostname(config)# failover replication http
Disabling and Enabling Interface Monitoring
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can
monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by
disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you
exclude interfaces attached to less critical networks from affecting your failover policy.
For units in multiple configuration mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
• To enable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
For units in single configuration mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# no monitor-interface if_name14-26
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
• To enable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then the additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the interface poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime interface [msec] time [holdtime time]
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Note If the interface link is down, interface testing is not conducted and the standby unit could become active
in just one interface polling period if the number of failed interface meets or exceeds the configured
failover criteria.
Configuring Failover Criteria
By default, a single interface failure causes failover. You can specify a specific number of interfaces or
a percentage of monitored interfaces that must fail before a failover occurs.
To change the default failover criteria, enter the following command in global configuration mode:
hostname(config)# failover interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
Configuring Virtual MAC Addresses
In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active
IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for
its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from
the primary unit. The change can disrupt network traffic.
You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the
correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you
do not specify virtual MAC addresses the failover pair uses the burned-in NIC addresses as the MAC
addresses.
Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP
addresses for those links do not change during failover.14-27
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Enter the following command on the active unit to configure the virtual MAC addresses for an interface:
hostname(config)# failover mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where H is a 16-bit hexadecimal digit. For
example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used to configure virtual MAC addresses, the security appliance uses the following
order of preference to determine which virtual MAC address is assigned to an interface:
1. The mac-address command (in interface configuration mode) address.
2. The failover mac address command address.
3. The mac-address auto command generated address.
4. The burned-in MAC address.
Use the show interface command to display the MAC address used by an interface.
Configuring Active/Active Failover
This section describes how to configure Active/Active failover.
Note Active/Active failover is not available on the ASA 5505 series adaptive security appliance.
This section includes the following topics:
• Prerequisites, page 14-27
• Configuring Cable-Based Active/Active Failover (PIX security appliance), page 14-27
• Configuring LAN-Based Active/Active Failover, page 14-29
• Configuring Optional Active/Active Failover Settings, page 14-33
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in multiple context mode.
Configuring Cable-Based Active/Active Failover (PIX security appliance)
Follow these steps to configure Active/Active failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.14-28
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based, Active/Active failover, perform the following steps:
Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the unit you use as the secondary unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover except for when
Stateful Failover uses a regular data interface. The active IP address always stays with the primary
unit, while the standby IP address stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.14-29
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
For each failover group, you need to specify whether the failover group has primary or secondary
preference using the primary or secondary command. You can assign the same preference to both
failover groups. For load balancing configurations, you should assign each failover group a different unit
preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 6 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 7 Enable failover:
hostname(config)# failover
Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End
Configuration Replication to mate” appear on the primary console.
Step 9 Save the configuration to Flash memory on the Primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Step 10 If necessary, force any failover group that is active on the primary to the active state on the secondary.
To force a failover group to become active on the secondary unit, issue the following command in the
system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring LAN-Based Active/Active Failover
This section describes how to configure Active/Active failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.
This section includes the following topics:14-30
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
• Configure the Primary Unit, page 14-30
• Configure the Secondary Unit, page 14-32
Configure the Primary Unit
To configure the primary unit in an Active/Active failover configuration, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface.To receive packets from both units in a failover pair, standby IP addresses need to be configured
on all interfaces. The standby IP address is used on the security appliance that is currently the standby
unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. In transparent
firewall mode, you must enter a management IP address for each context.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 2 Configure the basic failover parameters in the system execution space.
a. (PIX security appliance only) Enable LAN-based failover:
hostname(config)# hostname(config)# failover lan enable
b. Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
c. Specify the failover link:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the
Stateful Failover link).
d. Specify the failover link active and standby IP addresses:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask. The failover link IP address and MAC address do not
change at failover. The active IP address always stays with the primary unit, while the standby IP
address stays with the secondary unit. 14-31
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Step 3 (Optional) To enable Stateful Failover, configure the Stateful Failover link:
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
Note If the Stateful Failover link uses the failover link or a regular data interface, then you only
need to supply the if_name argument.
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or a regular data interface, skip this step.
You have already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The state link IP address and MAC address do not change at failover. The active IP address always
stays with the primary unit, while the standby IP address stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or regular data interface, skip this step. You
have already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.
For each failover group, specify whether the failover group has primary or secondary preference using
the primary or secondary command. You can assign the same preference to both failover groups. For
load balancing configurations, you should assign each failover group a different unit preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 5 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.14-32
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 6 Enable failover:
hostname(config)# failover
Configure the Secondary Unit
When configuring LAN-based Active/Active failover, you need to bootstrap the secondary unit to
recognize the failover link. This allows the secondary unit to communicate with and receive the running
configuration from the primary unit.
To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured otherwise.14-33
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages Beginning configuration replication: Sending to
mate and End Configuration Replication to mate appear on the active unit console.
Step 5 After the running configuration has completed replication, enter the following command to save the
configuration to Flash memory:
hostname(config)# copy running-config startup-config
Step 6 If necessary, force any failover group that is active on the primary to the active state on the secondary
unit. To force a failover group to become active on the secondary unit, enter the following command in
the system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring Optional Active/Active Failover Settings
The following optional Active/Active failover settings can be configured when you are initially
configuring failover or after you have already established failover. Unless otherwise noted, the
commands should be entered on the unit that has failover group 1 in the active state.
This section includes the following topics:
• Configuring Failover Group Preemption, page 14-33
• Enabling HTTP Replication with Stateful Failover, page 14-34
• Disabling and Enabling Interface Monitoring, page 14-34
• Configuring Interface Health Monitoring, page 14-34
• Configuring Failover Criteria, page 14-34
• Configuring Virtual MAC Addresses, page 14-35
• Configuring Asymmetric Routing Support, page 14-35
Configuring Failover Group Preemption
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously. However, if one unit boots before the other, then
both failover groups become active on that unit. When the other unit comes online, any failover groups
that have the unit as a priority do not become active on that unit unless manually forced over, a failover
occurs, or the failover group is configured with the preempt command. The preempt command causes
a failover group to become active on the designated unit automatically when that unit becomes available.
Enter the following commands to configure preemption for the specified failover group:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# preempt [delay]
You can enter an optional delay value, which specifies the number of seconds the failover group remains
active on the current unit before automatically becoming active on the designated unit.14-34
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information. You can use the replication http command to cause a failover group to replicate HTTP state
information when Stateful Failover is enabled.
To enable HTTP state replication for a failover group, enter the following command. This command only
affects the failover group in which it was configured. To enable HTTP state replication for both failover
groups, you must enter this command in each group. This command should be entered in the system
execution space.
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# replication http
Disabling and Enabling Interface Monitoring
You can monitor up to 250 interfaces on a unit. By default, monitoring of physical interfaces is enabled
and the monitoring of subinterfaces is disabled. You can control which interfaces affect your failover
policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets
you exclude interfaces attached to less critical networks from affecting your failover policy.
To disable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
To enable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then the additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the default interface poll time, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# polltime interface seconds
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Configuring Failover Criteria
By default, if a single interface fails failover occurs. You can specify a specific number of interfaces or
a percentage of monitored interfaces that must fail before a failover occurs. The failover criteria is
specified on a failover group basis.14-35
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
To change the default failover criteria for the specified failover group, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
Configuring Virtual MAC Addresses
Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual
MAC addresses, then they are computed as follows:
• Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
• Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.
Note If you have more than one Active/Active failover pair on the same network, it is possible to have the
same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the
interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To
avoid having duplicate MAC addresses on your network, make sure you assign each physical interface
a virtual active and standby MAC address for all failover groups.
You can configure specific active and standby MAC addresses for an interface by entering the following
commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where H is a 16-bit hexadecimal digit. For
example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used to configure virtual MAC addresses, the security appliance uses the following
order of preference to determine which virtual MAC address is assigned to an interface:
1. The mac-address command (in interface configuration mode) address.
2. The failover mac address command address.
3. The mac-address auto command generate address.
4. The automatically generated failover MAC address.
Use the show interface command to display the MAC address used by an interface.
Configuring Asymmetric Routing Support
When running in Active/Active failover, a unit may receive a return packet for a connection that
originated through its peer unit. Because the security appliance that receives the packet does not have
any connection information for the packet, the packet is dropped. This most commonly occurs when the
two security appliances in an Active/Active failover pair are connected to different service providers and
the outbound connection does not use a NAT address.14-36
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
You can prevent the return packets from being dropped using the asr-group command on interfaces
where this is likely to occur. When an interface configured with the asr-group command receives a
packet for which it has no session information, it checks the session information for the other interfaces
that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one
of the following actions occurs:
• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and
the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer
2 header is rewritten and the packet is reinjected into the stream.
Note Using the asr-group command to configure asymmetric routing support is more secure than using the
static command with the nailed option.
The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets
to the correct interface.
Prerequisites
You must have to following configured for asymmetric routing support to function properly:
• Active/Active Failover
• Stateful Failover—passes state information for sessions on interfaces in the active failover group to
the standby failover group.
• replication http—HTTP session state information is not passed to the standby failover group, and
therefore is not present on the standby interface. For the security appliance to be able re-route
asymmetrically routed HTTP packets, you need to replicate the HTTP state information.
You can configure the asr-group command on an interface without having failover configured, but it
does not have any effect until Stateful Failover is enabled.
Configuring Support for Asymmetrically Routed Packets
To configure support for asymmetrically routed packets, perform the following steps:
Step 1 Configure Active/Active Stateful Failover for the failover pair. See Configuring Active/Active Failover,
page 14-27.
Step 2 For each interface that you want to participate in asymmetric routing support enter the following
command. You must enter the command on the unit where the context is in the active state so that the
command is replicated to the standby failover group. For more information about command replication,
see Command Replication, page 14-12.
hostname/ctx(config)# interface phy_if
hostname/ctx(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command for each interface that
participates in the asymmetric routing group. You can view the number of ASR packets transmitted,
received, or dropped by an interface using the show interface detail command. You can have more than
one ASR group configured on the security appliance, but only one per interface. Only members of the
same ASR group are checked for session information.14-37
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Example
Figure 14-1 shows an example of using the asr-group command for asymmetric routing support.
Figure 14-1 ASR Example
The two units have the following configuration (configurations show only the relevant commands). The
device labeled SecAppA in the diagram is the primary unit in the failover pair.
Example 14-1 Primary Unit System Configuration
hostname primary
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface GigabitEthernet0/4
no shutdown
interface GigabitEthernet0/5
no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
primary
failover group 2
secondary
admin-context admin
context admin
description admin
250093
192.168.1.1 192.168.2.2
SecAppA SecAppB
ISP A
Inside
network
Failover/State link
Outbound Traffic
Return Traffic
ISP B
192.168.2.1 192.168.1.214-38
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url flash:/admin.cfg
join-failover-group 1
context ctx1
description context 1
allocate-interface GigabitEthernet0/4
allocate-interface GigabitEthernet0/5
config-url flash:/ctx1.cfg
join-failover-group 2
Example 14-2 admin Context Configuration
hostname SecAppA
interface GigabitEthernet0/2
nameif outsideISP-A
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
asr-group 1
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outside
Example 14-3 ctx1 Context Configuration
hostname SecAppB
interface GigabitEthernet0/4
nameif outsideISP-B
security-level 0
ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
asr-group 1
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11
Figure 14-1 on page 14-37 shows the ASR support working as follows:
1. An outbound session passes through security appliance SecAppA. It exits interface outsideISP-A
(192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back
through the interface outsideISP-B (192.168.2.2) on security appliance SecAppB.
3. Normally the return traffic would be dropped because there is no session information for the traffic
on interface 192.168.2.2. However, the interface is configure with the command asr-group 1. The
unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby
state on the unit SecAppB. Stateful Failover replicated the session information from SecAppA to
SecAppB.
5. Instead of being dropped, the layer 2 header is re-written with information for interface 192.168.1.1
and the traffic is redirected out of the interface 192.168.1.2, where it can then return through the
interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues
as needed until the session ends.14-39
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Configuring Unit Health Monitoring
The security appliance sends hello packets over the failover interface to monitor unit health. If the
standby unit does not receive a hello packet from the active unit for two consecutive polling periods, it
sends additional testing packets through the remaining device interfaces. If a hello packet or a response
to the interface test packets is not received within the specified hold time, the standby unit becomes
active.
You can configure the frequency of hello messages when monitoring unit health. Decreasing the poll
time allows a unit failure to be detected more quickly, but consumes more system resources.
To change the unit poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime [msec] time [holdtime [msec] time]
You can configure the polling frequency from 1 to 15 seconds or, if the optional msec keyword is used,
from 200 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet
is missed to when failover occurs. The hold time must be at least 3 times the poll time. You can configure
the hold time from 1 to 45 seconds or, if the optional msec keyword is used, from 800 to 990
milliseconds.
Setting the security appliance to use the minimum poll and hold times allows it to detect and respond to
unit failures in under a second, but it also increases system resource usage and can cause false failure
detection in cases where the networks are congested or where the security appliance is running near full
capacity.
Configuring Failover Communication Authentication/Encryption
You can encrypt and authenticate the communication between failover peers by specifying a shared
secret or hexadecimal key.
Note On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect
the units, then communication over the failover link is not encrypted even if a failover key is configured.
The failover key only encrypts LAN-based failover communication.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Enter the following command on the active unit of an Active/Standby failover pair or on the unit that has
failover group 1 in the active state of an Active/Active failover pair:
hostname(config)# failover key {secret | hex key}
The secret argument specifies a shared secret that is used to generate the encryption key. It can be from
1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex
key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9,
a-f).14-40
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Note To prevent the failover key from being replicated to the peer unit in clear text for an existing failover
configuration, disable failover on the active unit (or in the system execution space on the unit that has
failover group 1 in the active state), enter the failover key on both units, and then re-enable failover.
When failover is re-enabled, the failover communication is encrypted with the key.
For new LAN-based failover configurations, the failover key command should be part of the failover
pair bootstrap configuration.
Verifying the Failover Configuration
This section describes how to verify your failover configuration. This section includes the following
topics:
• Using the show failover Command, page 14-40
• Viewing Monitored Interfaces, page 14-48
• Displaying the Failover Commands in the Running Configuration, page 14-48
• Testing the Failover Functionality, page 14-49
Using the show failover Command
This section describes the show failover command output. On each unit you can verify the failover status
by entering the show failover command. The information displayed depends upon whether you are using
Active/Standby or Active/Active failover.
This section includes the following topics:
• show failover—Active/Standby, page 14-40
• Show Failover—Active/Active, page 14-44
show failover—Active/Standby
The following is sample output from the show failover command for Active/Standby Failover.
Table 14-7 provides descriptions for the information shown.
hostname# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: fover Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
This host: Primary - Active
Active time: 13434 (sec)
Interface inside (10.130.9.3): Normal
Interface outside (10.132.9.3): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface inside (10.130.9.4): Normal
Interface outside (10.132.9.4): Normal 14-41
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Stateful Failover Logical Update Statistics
Link : fover Ethernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1950 0 1733 0
sys cmd 1733 0 1733 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 6 0 0 0
UDP conn 0 0 0 0
ARP tbl 106 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 1733
Xmit Q: 0 2 15225
In multiple context mode, using the show failover command in a security context displays the failover
information for that context. The information is similar to the information shown when using the
command in single context mode. Instead of showing the active/standby status of the unit, it displays the
active/standby status of the context. Table 14-7 provides descriptions for the information shown.
Failover On
Last Failover at: 04:03:11 UTC Jan 4 2003
This context: Negotiation
Active time: 1222 (sec)
Interface outside (192.168.5.121): Normal
Interface inside (192.168.0.1): Normal
Peer context: Not Detected
Active time: 0 (sec)
Interface outside (192.168.5.131): Normal
Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 99 0 0 0
UDP conn 0 0 0 0
ARP tbl 22 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0 14-42
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Table 14-7 Show Failover Display Description
Field Options
Failover • On
• Off
Cable status: • Normal—The cable is connected to both units, and they both have
power.
• My side not connected—The serial cable is not connected to this
unit. It is unknown if the cable is connected to the other unit.
• Other side is not connected—The serial cable is connected to this
unit, but not to the other unit.
• Other side powered off—The other unit is turned off.
• N/A—LAN-based failover is enabled.
Failover Unit Primary or Secondary.
Failover LAN Interface Displays the logical and physical name of the failover link.
Unit Poll frequency Displays the number of seconds between hello messages sent to the
peer unit and the number of seconds during which the unit must receive
a hello message on the failover link before declaring the peer failed.
Interface Poll frequency n seconds
The number of seconds you set with the failover polltime interface
command. The default is 15 seconds.
Interface Policy Displays the number or percentage of interfaces that must fail to trigger
failover.
Monitored Interfaces Displays the number of interfaces monitored out of the maximum
possible.
failover replication http Displays if HTTP state replication is enabled for Stateful Failover.
Last Failover at: The date and time of the last failover in the following form:
hh:mm:ss UTC DayName Month Day yyyy
UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich
Mean Time).
This host:
Other host:
For each host, the display shows the following information.
Primary or Secondary • Active
• Standby
Active time: n (sec)
The amount of time the unit has been active. This time is cumulative,
so the standby unit, if it was active in the past, also shows a value.
slot x Information about the module in the slot or empty.14-43
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Interface name (n.n.n.n): For each interface, the display shows the IP address currently being
used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• No Link—The interface line protocol is down.
• Normal—The interface is working correctly.
• Link Down—The interface has been administratively shut down.
• Unknown—The security appliance cannot determine the status of
the interface.
• Waiting—Monitoring of the network interface on the other unit has
not yet started.
Stateful Failover Logical
Update Statistics
The following fields relate to the Stateful Failover feature. If the Link
field shows an interface name, the Stateful Failover statistics are shown.
Link • interface_name—The interface used for the Stateful Failover link.
• Unconfigured—You are not using Stateful Failover.
• up—The interface is up and functioning.
• down—The interface is either administratively shutdown or is
physically down.
• failed—The interface has failed and is not passing stateful data.
Stateful Obj For each field type, the following statistics are shown. They are
counters for the number of state information packets sent between the
two units; the fields do not necessarily show active connections through
the unit.
• xmit—Number of transmitted packets to the other unit.
• xerr—Number of errors that occurred while transmitting packets to
the other unit.
• rcv—Number of received packets.
• rerr—Number of errors that occurred while receiving packets from
the other unit.
General Sum of all stateful objects.
sys cmd Logical update system commands; for example, LOGIN and Stay
Alive.
up time Up time, which the active unit passes to the standby unit.
RPC services Remote Procedure Call connection information.
TCP conn TCP connection information.
UDP conn Dynamic UDP connection information.
ARP tbl Dynamic ARP table information.
L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout Indicates connection translation timeout information.
VPN IKE upd IKE connection information.
Table 14-7 Show Failover Display Description (continued)
Field Options14-44
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Show Failover—Active/Active
The following is sample output from the show failover command for Active/Active Failover. Table 14-8
provides descriptions for the information shown.
hostname# show failover
Failover On
Failover unit Primary
Failover LAN Interface: third GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 4 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
failover replication http
Group 1 last failover at: 13:40:18 UTC Dec 9 2004
Group 2 last failover at: 13:40:06 UTC Dec 9 2004
This host: Primary
Group 1 State: Active
Active time: 2896 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
admin Interface outside (10.132.8.5): Normal
admin Interface third (10.132.9.5): Normal
admin Interface inside (10.130.8.5): Normal
admin Interface fourth (10.130.9.5): Normal
ctx1 Interface outside (10.1.1.1): Normal
ctx1 Interface inside (10.2.2.1): Normal
ctx2 Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
VPN IPSEC upd IPSec connection information.
VPN CTCP upd cTCP tunnel connection information.
VPN SDI upd SDI AAA connection information.
VPN DHCP upd Tunneled DHCP connection information.
GTP PDP GTP PDP update information. This information appears only if inspect
GTP is enabled.
GTP PDPMCB GTP PDPMCB update information. This information appears only if
inspect GTP is enabled.
Logical Update Queue
Information
For each field type, the following statistics are used:
• Cur—Current number of packets
• Max—Maximum number of packets
• Total—Total number of packets
Recv Q The status of the receive queue.
Xmit Q The status of the transmit queue.
Table 14-7 Show Failover Display Description (continued)
Field Options14-45
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Group 1 State: Standby Ready
Active time: 190 (sec)
Group 2 State: Active
Active time: 3322 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
admin Interface outside (10.132.8.6): Normal
admin Interface third (10.132.9.6): Normal
admin Interface inside (10.130.8.6): Normal
admin Interface fourth (10.130.9.6): Normal
ctx1 Interface outside (10.1.1.2): Normal
ctx1 Interface inside (10.2.2.2): Normal
ctx2 Interface outside (10.3.3.1): Normal
ctx2 Interface inside (10.4.4.1): Normal
Stateful Failover Logical Update Statistics
Link : third GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 1973 0 1895 0
sys cmd 380 0 380 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1435 0 1450 0
UDP conn 0 0 0 0
ARP tbl 124 0 65 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 1895
Xmit Q: 0 0 1940
The following is sample output from the show failover group command for Active/Active Failover. The
information displayed is similar to that of the show failover command, but limited to the specified
group. Table 14-8 provides descriptions for the information shown.
hostname# show failover group 1
Last Failover at: 04:09:59 UTC Jan 4 2005
This host: Secondary
State: Active
Active time: 186 (sec)
admin Interface outside (192.168.5.121): Normal
admin Interface inside (192.168.0.1): Normal
Other host: Primary
State: Standby
Active time: 0 (sec)
admin Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.14-46
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
RPC services 0 0 0 0
TCP conn 33 0 0 0
UDP conn 0 0 0 0
ARP tbl 12 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0
Table 14-8 Show Failover Display Description
Field Options
Failover • On
• Off
Failover Unit Primary or Secondary.
Failover LAN Interface Displays the logical and physical name of the failover link.
Unit Poll frequency Displays the number of seconds between hello messages sent to the
peer unit and the number of seconds during which the unit must receive
a hello message on the failover link before declaring the peer failed.
Interface Poll frequency n seconds
The number of seconds you set with the failover polltime interface
command. The default is 15 seconds.
Interface Policy Displays the number or percentage of interfaces that must fail before
triggering failover.
Monitored Interfaces Displays the number of interfaces monitored out of the maximum
possible.
Group 1 Last Failover at:
Group 2 Last Failover at:
The date and time of the last failover for each group in the following
form:
hh:mm:ss UTC DayName Month Day yyyy
UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich
Mean Time).
This host:
Other host:
For each host, the display shows the following information.
Role Primary or Secondary
System State • Active or Standby Ready
• Active Time in seconds
Group 1 State
Group 2 State
• Active or Standby Ready
• Active Time in seconds
slot x Information about the module in the slot or empty.14-47
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
context Interface name
(n.n.n.n):
For each interface, the display shows the IP address currently being
used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• No link—The interface line protocol is down.
• Normal—The interface is working correctly.
• Link Down—The interface has been administratively shut down.
• Unknown—The security appliance cannot determine the status of
the interface.
• Waiting—Monitoring of the network interface on the other unit has
not yet started.
Stateful Failover Logical
Update Statistics
The following fields relate to the Stateful Failover feature. If the Link
field shows an interface name, the Stateful Failover statistics are shown.
Link • interface_name—The interface used for the Stateful Failover link.
• Unconfigured—You are not using Stateful Failover.
• up—The interface is up and functioning.
• down—The interface is either administratively shutdown or is
physically down.
• failed—The interface has failed and is not passing stateful data.
Stateful Obj For each field type, the following statistics are used. They are counters
for the number of state information packets sent between the two units;
the fields do not necessarily show active connections through the unit.
• xmit—Number of transmitted packets to the other unit
• xerr—Number of errors that occurred while transmitting packets to
the other unit
• rcv—Number of received packets
• rerr—Number of errors that occurred while receiving packets from
the other unit
General Sum of all stateful objects.
sys cmd Logical update system commands; for example, LOGIN and Stay
Alive.
up time Up time, which the active unit passes to the standby unit.
RPC services Remote Procedure Call connection information.
TCP conn TCP connection information.
UDP conn Dynamic UDP connection information.
ARP tbl Dynamic ARP table information.
L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout Indicates connection translation timeout information.
VPN IKE upd IKE connection information.
Table 14-8 Show Failover Display Description (continued)
Field Options14-48
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Viewing Monitored Interfaces
To view the status of monitored interfaces, enter the following command. In single context mode, enter
this command in global configuration mode. In multiple context mode, enter this command within a
context.
primary/context(config)# show monitor-interface
For example:
hostname/context(config)# show monitor-interface
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.91): Normal
Other host: Secondary - Standby
Interface outside (192.168.1.3): Normal
Interface inside (10.1.1.100): Normal
Displaying the Failover Commands in the Running Configuration
To view the failover commands in the running configuration, enter the following command:
hostname(config)# show running-config failover
All of the failover commands are displayed. On units running multiple context mode, enter this command
in the system execution space. Entering show running-config all failover displays the failover
commands in the running configuration and includes commands for which you have not changed the
default value.
VPN IPSEC upd IPSec connection information.
VPN CTCP upd cTCP tunnel connection information.
VPN SDI upd SDI AAA connection information.
VPN DHCP upd Tunneled DHCP connection information.
GTP PDP GTP PDP update information. This information appears only if inspect
GTP is enabled.
GTP PDPMCB GTP PDPMCB update information. This information appears only if
inspect GTP is enabled.
Logical Update Queue
Information
For each field type, the following statistics are used:
• Cur—Current number of packets
• Max—Maximum number of packets
• Total—Total number of packets
Recv Q The status of the receive queue.
Xmit Q The status of the transmit queue.
Table 14-8 Show Failover Display Description (continued)
Field Options14-49
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Controlling and Monitoring Failover
Testing the Failover Functionality
To test failover functionality, perform the following steps:
Step 1 Test that your active unit or failover group is passing traffic as expected by using FTP (for example) to
send a file between hosts on different interfaces.
Step 2 Force a failover to the standby unit by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# no failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# no failover active group group_id
Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.
Step 5 When you are finished, you can restore the unit or failover group to active status by enter the following
command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# failover active group group_id
Controlling and Monitoring Failover
This sections describes how to control and monitor failover. This section includes the following topics:
• Forcing Failover, page 14-49
• Disabling Failover, page 14-50
• Restoring a Failed Unit or Failover Group, page 14-50
• Monitoring Failover, page 14-50
Forcing Failover
To force the standby unit or failover group to become active, enter one of the following commands:
• For Active/Standby failover:
Enter the following command on the standby unit:
hostname# failover active
Or, enter the following command on the active unit:14-50
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Controlling and Monitoring Failover
hostname# no failover active
• For Active/Active failover:
Enter the following command in the system execution space of the unit where the failover group is
in the standby state:
hostname# failover active group group_id
Or, enter the following command in the system execution space of the unit where the failover group
is in the active state:
hostname# no failover active group group_id
Entering the following command in the system execution space causes all failover groups to become
active:
hostname# failover active
Disabling Failover
To disable failover, enter the following command:
hostname(config)# no failover
Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be
maintained until you restart. For example, the standby unit remains in standby mode so that both units
do not start passing traffic. To make the standby unit active (even with failover disabled), see the
“Forcing Failover” section on page 14-49.
Disabling failover on an Active/Active pair causes the failover groups to remain in the active state on
whichever unit they are currently active on, no matter which unit they are configured to prefer. The no
failover command should be entered in the system execution space.
Restoring a Failed Unit or Failover Group
To restore a failed unit to an unfailed state, enter the following command:
hostname(config)# failover reset
To restore a failed Active/Active failover group to an unfailed state, enter the following command:
hostname(config)# failover reset group group_id
Restoring a failed unit or group to an unfailed state does not automatically make it active; restored units
or groups remain in the standby state until made active by failover (forced or natural). An exception is a
failover group configured with the preempt command. If previously active, a failover group becomes
active if it is configured with the preempt command and if the unit on which it failed is the preferred
unit.
Monitoring Failover
When a failover occurs, both security appliances send out system messages. This section includes the
following topics:
• Failover System Messages, page 14-5114-51
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Controlling and Monitoring Failover
• Debug Messages, page 14-51
• SNMP, page 14-51
Failover System Messages
The security appliance issues a number of system messages related to failover at priority level 2, which
indicates a critical condition. To view these messages, see the Cisco Security Appliance Logging
Configuration and System Log Messages to enable logging and to see descriptions of the system
messages.
Note During switchover, failover logically shuts down and then bring up interfaces, generating syslog 411001
and 411002 messages. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command
Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system
performance. For this reason, use the debug fover commands only to troubleshoot specific problems or
during troubleshooting sessions with Cisco TAC.
SNMP
To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP
management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP
management station. See the snmp-server and logging commands in the Cisco Security Appliance
Command Reference for more information. 14-52
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Controlling and Monitoring FailoverP A R T 2
Configuring the FirewallC H A P T E R
15-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
15
Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the firewall mode, see the
“Setting Transparent or Routed Firewall Mode” section on page 2-5.
Note In multiple context mode, you cannot set the firewall mode separately for each context; you can only set
the firewall mode for the entire security appliance.
This chapter includes the following sections:
• Routed Mode Overview, page 15-1
• Transparent Mode Overview, page 15-8
Routed Mode Overview
In routed mode, the security appliance is considered to be a router hop in the network. It can perform
NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode
supports many interfaces. Each interface is on a different subnet. You can share interfaces between
contexts.
This section includes the following topics:
• IP Routing Support, page 15-1
• Network Address Translation, page 15-2
• How Data Moves Through the Security Appliance in Routed Firewall Mode, page 15-3
IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires an
IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP.
Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers instead of relying on the security appliance for
extensive routing needs.15-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
Network Address Translation
NAT substitutes the local address on a packet with a global address that is routable on the destination
network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a
higher security interface (inside) to use NAT when communicating with a lower security interface
(outside), you can enable NAT control (see the nat-control command).
Note NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a
security appliance from an earlier version, then the nat-control command is automatically added to your
configuration to maintain the expected behavior.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Figure 15-1 shows a typical NAT scenario, with a private network on the inside. When the inside user
sends a packet to a web server on the Internet, the local source address of the packet is changed to a
routable global address. When the web server responds, it sends the response to the global address, and
the security appliance receives the packet. The security appliance then translates the global address to
the local address before sending it on to the user.
Figure 15-1 NAT Example
Web Server
www.example.com
209.165.201.2
10.1.2.1
10.1.2.27
Source Addr Translation
10.1.2.27 209.165.201.10
Originating
Packet
Dest Addr Translation
209.165.201.10 10.1.2.27
Responding
Packet
Outside
Inside
9240515-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
How Data Moves Through the Security Appliance in Routed Firewall Mode
This section describes how data moves through the security appliance in routed firewall mode, and
includes the following topics:
• An Inside User Visits a Web Server, page 15-3
• An Outside User Visits a Web Server on the DMZ, page 15-4
• An Inside User Visits a Web Server on the DMZ, page 15-6
• An Outside User Attempts to Access an Inside Host, page 15-7
• A DMZ User Attempts to Access an Inside Host, page 15-8
An Inside User Visits a Web Server
Figure 15-2 shows an inside user accessing an outside web server.
Figure 15-2 Inside to Outside
The following steps describe how data moves through the security appliance (see Figure 15-2):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
Web Server
10.1.1.3
www.example.com
User
10.1.2.27
209.165.201.2
10.1.2.1 10.1.1.1
Source Addr Translation
10.1.2.27 209.165.201.10
Outside
Inside DMZ
9240415-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface would be
unique; the www.example.com IP address does not have a current address translation in a context.
3. The security appliance translates the local source address (10.1.2.27) to the global address
209.165.201.10, which is on the outside interface subnet.
The global address could be on any subnet, but routing is simplified when it is on the outside
interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the
outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance,
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the global destination
address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.
An Outside User Visits a Web Server on the DMZ
Figure 15-3 shows an outside user accessing the DMZ web server.
Figure 15-3 Outside to DMZ
Web Server
10.1.1.3
User
209.165.201.2
10.1.2.1 10.1.1.1
Dest Addr Translation
209.165.201.3 10.1.1.13
Outside
Inside DMZ
9240615-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the classifier “knows” that
the DMZ web server address belongs to a certain context because of the server address translation.
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the
DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the local source address
to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.15-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
An Inside User Visits a Web Server on the DMZ
Figure 15-4 shows an inside user accessing the DMZ web server.
Figure 15-4 Inside to DMZ
The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface is unique;
the web server IP address does not have a current address translation.
3. The security appliance then records that a session is established and forwards the packet out of the
DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.
Web Server
10.1.1.3
User
10.1.2.27
209.165.201.2
10.1.2.1 10.1.1.1
Inside DMZ
Outside
9240315-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Routed Mode Overview
An Outside User Attempts to Access an Inside Host
Figure 15-5 shows an outside user attempting to access the inside network.
Figure 15-5 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-5):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable
IP address).
If the inside network uses private addresses, no outside user can reach the inside network without
NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
www.example.com
User
10.1.2.27
209.165.201.2
10.1.2.1 10.1.1.1
Outside
Inside DMZ
9240715-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
A DMZ User Attempts to Access an Inside Host
Figure 15-6 shows a user in the DMZ attempting to access the inside network.
Figure 15-6 DMZ to Inside
The following steps describe how data moves through the security appliance (see Figure 15-6):
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to
route the traffic on the internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-9
• Allowing Layer 3 Traffic, page 15-9
• Passing Traffic Not Allowed in Routed Mode, page 15-9
• MAC Address Lookups, page 15-10
• Using the Transparent Firewall in Your Network, page 15-10
• Transparent Firewall Guidelines, page 15-10
Web Server
10.1.1.3
User
10.1.2.27
209.165.201.2
10.1.2.1 10.1.1.1
Outside
Inside DMZ
9240215-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
• Unsupported Features in Transparent Mode, page 15-11
• How Data Moves Through the Transparent Firewall, page 15-13
Transparent Firewall Network
The security appliance connects the same network on its inside and outside interfaces. Because the
firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP
readdressing is unnecessary.
Allowing Layer 3 Traffic
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3
traffic travelling from a low to a high security interface, an extended access list is required.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in
an access list. The transparent firewall, however, can allow almost any traffic through using either an
extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols
like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.15-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or
multicast traffic such as that created by IP/TV.
MAC Address Lookups
When the security appliance runs in transparent mode, the outgoing interface of a packet is determined
by performing a MAC address lookup instead of a route lookup. Route statements can still be configured,
but they only apply to security appliance-originated traffic. For example, if your syslog server is located
on a remote network, you must use a static route so the security appliance can reach that subnet.
Using the Transparent Firewall in Your Network
Figure 15-7 shows a typical transparent firewall network where the outside devices are on the same
subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside
router.
Figure 15-7 Transparent Firewall Network
Transparent Firewall Guidelines
Follow these guidelines when planning your transparent firewall network:
10.1.1.1
10.1.1.2
Management IP
10.1.1.3
192.168.1.2
Network A
Network B
Internet
9241115-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
• A management IP address is required; for multiple context mode, an IP address is required for each
context.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire device. The security appliance uses this IP address as the source
address for packets originating on the security appliance, such as system messages or AAA
communications.
The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255).
You can configure an IP address for the Management 0/0 management-only interface. This IP
address can be on a separate subnet from the main management IP address.
Note If the management IP address is not configured, transient traffic does not pass through the
transparent firewall. For multiple context mode, transient traffic does not pass through virtual
contexts.
• The transparent security appliance uses an inside interface and an outside interface only. If your
platform includes a dedicated management interface, you can also configure the management
interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if
available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected
devices; devices need to specify the router on the other side of the security appliance as the default
gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface
across contexts.
• For multiple context mode, each context typically uses a different subnet. You can use overlapping
subnets, but your network topology requires router and NAT configuration to make it possible from
a routing standpoint.
Unsupported Features in Transparent Mode
Table 15-1 lists the features are not supported in transparent mode.
Table 15-1 Unsupported Features in Transparent Mode
Feature Description
Dynamic DNS —
DHCP relay The transparent firewall can act as a DHCP server, but it does not
support the DHCP relay commands. DHCP relay is not required
because you can allow DHCP traffic to pass through using two
extended access lists: one that allows DCHP requests from the inside
interface to the outside, and one that allows the replies from the server
in the other direction.15-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
Dynamic routing protocols You can, however, add static routes for traffic originating on the
security appliance. You can also allow dynamic routing protocols
through the security appliance using an extended access list.
IPv6 You also cannot allow IPv6 using an EtherType access list.
Multicast You can allow multicast traffic through the security appliance by
allowing it in an extended access list.
NAT NAT is performed on the upstream router.
QoS —
VPN termination for through
traffic
The transparent firewall supports site-to-site VPN tunnels for
management connections only. It does not terminate VPN connections
for traffic through the security appliance. You can pass VPN traffic
through the security appliance using an extended access list, but it
does not terminate non-management connections. WebVPN is also not
supported.
Table 15-1 Unsupported Features in Transparent Mode (continued)
Feature Description15-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
How Data Moves Through the Transparent Firewall
Figure 15-8 shows a typical transparent firewall implementation with an inside network that contains a
public web server. The security appliance has an access list so that the inside users can access Internet
resources. Another access list lets the outside users access only the web server on the inside network.
Figure 15-8 Typical Transparent Firewall Data Path
This section describes how data moves through the security appliance, and includes the following topics:
• An Inside User Visits a Web Server, page 15-14
• An Outside User Visits a Web Server on the Inside Network, page 15-15
• An Outside User Attempts to Access an Inside Host, page 15-16
www.example.com
209.165.201.2
Management IP
209.165.201.6
209.165.200.230
Web Server
209.165.200.225
Host
209.165.201.3
Internet
9241215-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
An Inside User Visits a Web Server
Figure 15-9 shows an inside user accessing an outside web server.
Figure 15-9 Inside to Outside
The following steps describe how data moves through the security appliance (see Figure 15-9):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
outside interface. The destination MAC address is that of the upstream router, 209.186.201.2.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the inside user.
Management IP
209.165.201.6
www.example.com
209.165.201.2
Host
209.165.201.3
Internet
9240815-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
An Outside User Visits a Web Server on the Inside Network
Figure 15-10 shows an outside user accessing the inside web server.
Figure 15-10 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-10):
1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
inside interface. The destination MAC address is that of the downstream router, 209.186.201.1.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
Host
209.165.201.2
209.165.201.1
209.165.200.230
Web Server
209.165.200.225
Management IP
209.165.201.6
Internet
9240915-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
6. The security appliance forwards the packet to the outside user.
An Outside User Attempts to Access an Inside Host
Figure 15-11 shows an outside user attempting to access a host on the inside network.
Figure 15-11 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-11):
1. A user on the outside network attempts to reach an inside host.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies if the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The packet is denied, and the security appliance drops the packet.
4. If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
Management IP
209.165.201.6
Host
209.165.201.2
Host
209.165.201.3
Internet
92410C H A P T E R
16-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
16
Identifying Traffic with Access Lists
This chapter describes how to identify traffic with access lists. This chapter includes the following
topics:
• Access List Overview, page 16-1
• Adding an Extended Access List, page 16-5
• Adding an EtherType Access List, page 16-8
• Adding a Standard Access List, page 16-11
• Adding a Webtype Access List, page 16-11
• Simplifying Access Lists with Object Grouping, page 16-11
• Adding Remarks to Access Lists, page 16-18
• Scheduling Extended Access List Activation, page 16-18
• Logging Access List Activity, page 16-20
For information about IPv6 access lists, see the “Configuring IPv6 Access Lists” section on page 12-6.
Access List Overview
Access lists are made up of one or more Access Control Entries. An ACE is a single entry in an access
list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address
or network, and optionally the source and destination ports.
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 21, “Using Modular Policy Framework.”
This section includes the following topics:
• Access List Types, page 16-2
• Access Control Entry Order, page 16-2
• Access Control Implicit Deny, page 16-3
• IP Addresses Used for Access Lists When You Use NAT, page 16-316-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Access List Overview
Access List Types
Table 16-1 lists the types of access lists and some common uses for them.
Access Control Entry Order
An access list is made up of one or more Access Control Entries. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Each ACE that you enter for a given access list name is appended to the end of the access list.
The order of ACEs is important. When the security appliance decides whether to forward or drop a
packet, the security appliance tests the packet against each ACE in the order in which the entries are
listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the
beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
Table 16-1 Access List Types and Common Uses
Access List Use Access List Type Description
Control network access for IP traffic
(routed and transparent mode)
Extended The security appliance does not allow any traffic from a
lower security interface to a higher security interface
unless it is explicitly permitted by an extended access list.
Note To access the security appliance interface for
management access, you do not also need an
access list allowing the host IP address. You only
need to configure management access according
to Chapter 40, “Managing System Access.”
Identify traffic for AAA rules Extended AAA rules use access lists to identify traffic.
Control network access for IP traffic for a
given user
Extended,
downloaded from a
AAA server per user
You can configure the RADIUS server to download a
dynamic access list to be applied to the user, or the server
can send the name of an access list that you already
configured on the security appliance.
Identify addresses for NAT (policy NAT
and NAT exemption)
Extended Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses in an extended access list.
Establish VPN access Extended You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for
Modular Policy Framework
Extended
EtherType
Access lists can be used to identify traffic in a class map,
which is used for features that support Modular Policy
Framework. Features that support Modular Policy
Framework include TCP and general connection settings,
and inspection.
For transparent firewall mode, control
network access for non-IP traffic
EtherType You can configure an access list that controls traffic based
on its EtherType.
Identify OSPF route redistribution Standard Standard access lists include only the destination address.
You can use a standard access list to control the
redistribution of OSPF routes.
Filtering for WebVPN Webtype You can configure a Webtype access list to filter URLs.16-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Access List Overview
You can disable an ACE by specifying the keyword inactive in the access-list command.
Access Control Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the security appliance
except for particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IP Addresses Used for Access Lists When You Use NAT
When you use NAT, the IP addresses you specify for an access list depend on the interface to which the
access list is attached; you need to use addresses that are valid on the network connected to the interface.
This guideline applies for both inbound and outbound access lists: the direction does not determine the
address used, only the interface does.
For example, you want to apply an access list to the inbound direction of the inside interface. You
configure the security appliance to perform NAT on the inside source addresses when they access outside
addresses. Because the access list is applied to the inside interface, the source addresses are the original
untranslated addresses. Because the outside addresses are not translated, the destination address used in
the access list is the real address (see Figure 16-1).
Figure 16-1 IP Addresses in Access Lists: NAT Used for Source Addresses
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host
209.165.200.225
209.165.200.225
Inside
Outside
Inbound ACL
Permit from 10.1.1.0/24 to 209.165.200.225
10.1.1.0/24
PAT
10.1.1.0/24 209.165.201.4:port
10463416-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Access List Overview
hostname(config)# access-group INSIDE in interface inside
If you want to allow an outside host to access an inside host, you can apply an inbound access list on the
outside interface. You need to specify the translated address of the inside host in the access list because
that address is the address that can be used on the outside network (see Figure 16-2).
Figure 16-2 IP Addresses in Access Lists: NAT used for Destination Addresses
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host
209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside
209.165.200.225
Inside
Outside
Static NAT
10.1.1.34 209.165.201.5
ACL
Permit from 209.165.200.225 to 209.165.201.5
10463616-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an Extended Access List
If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface.
In Figure 16-3, an outside server uses static NAT so that a translated address appears on the inside
network.
Figure 16-3 IP Addresses in Access Lists: NAT used for Source and Destination Addresses
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host
10.1.1.56
hostname(config)# access-group INSIDE in interface inside
Adding an Extended Access List
This section describes how to add an extended access list, and includes the following sections:
• Extended Access List Overview, page 16-5
• Allowing Broadcast and Multicast Traffic through the Transparent Firewall, page 16-6
• Adding an Extended ACE, page 16-6
Extended Access List Overview
An extended access list is made up of one or more ACEs, in which you can specify the line number to
insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the
ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within
the access-list command, or you can use object groups for each parameter. This section describes how
to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists
with Object Grouping” section on page 16-11.
209.165.200.225
10.1.1.0/24
Inside
Outside
Static NAT
10.1.1.56
ACL
Permit from 10.1.1.0/24 to 10.1.1.56
PAT
10.1.1.0/24 209.165.201.4:port
10463516-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an Extended Access List
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20. For information about time range options, see “Scheduling
Extended Access List Activation” section on page 16-18.
For TCP and UDP connections, you do not need an access list to allow returning traffic, because the
FWSM allows all returning traffic for established, bidirectional connections. For connectionless
protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you
either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine
treats ICMP sessions as bidirectional connections.
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can apply the same access lists on multiple interfaces. See Chapter 18, “Permitting or
Denying Network Access,” for more information about applying an access list to an interface.
Note If you change the access list configuration, and you do not want to wait for existing connections to time
out before the new access list information is used, you can clear the connections using the clear
local-host command.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 16-2 lists common traffic types that you can allow through the transparent firewall.
Adding an Extended ACE
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list unless you specify the line number.
Table 16-2 Transparent Firewall Special Traffic
Traffic Type Protocol or Port Notes
DHCP UDP ports 67 and 68 If you enable the DHCP server, then the security
appliance does not pass DHCP packets.
EIGRP Protocol 88 —
OSPF Protocol 89 —
Multicast streams The UDP ports vary depending
on the application.
Multicast streams are always destined to a
Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) UDP port 520 —16-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an Extended Access List
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port | icmp_type] [inactive]
Tip Enter the access list name in upper case letters so the name is easy to see in the configuration. You might
want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is
created (for example, NO_NAT or VPN).
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of
protocol names, see the “Protocols and Applications” section on page D-11.
Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.
Enter the any keyword instead of the address and mask to specify any address.
You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted
keywords and well-known port assignments, see the “TCP and UDP Ports” section on page D-11. DNS,
Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for
UDP. TACACS+ requires one definition for port 49 on TCP.
Use an operator to match port numbers used by the source or destination. The permitted operators are
as follows:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for
example:
range 100 200
You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol,
you either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine (see the “Adding an ICMP
Type Object Group” section on page 16-15). The ICMP inspection engine treats ICMP sessions as
stateful connections. To control ping, specify echo-reply (0) (security appliance to host) or echo (8)
(host to security appliance). See the “Adding an ICMP Type Object Group” section on page 16-15 for a
list of ICMP types.
When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask).
The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the
inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make
reenabling easier.
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port | icmp_type] [inactive]
If the entry that you are removing is the only entry in the access list, the entire access list is removed.16-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an EtherType Access List
See the following examples:
The following access list allows all hosts (on the interface to which you apply the access list) to go
through the security appliance:
hostname(config)# access-list ACL_IN extended permit ip any any
The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27
network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
The following access list restricts all hosts (on the interface to which you apply the access list) from
accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
Adding an EtherType Access List
Transparent firewall mode only
This section describes how to add an EtherType access list, and includes the following sections:
• EtherType Access List Overview, page 16-8
• Adding an EtherType ACE, page 16-10
EtherType Access List Overview
An EtherType access list is made up of one or more ACEs that specify an EtherType. This section
includes the following topics:
• Supported EtherTypes, page 16-8
• Implicit Permit of IP and ARPs Only, page 16-9
• Implicit and Explicit Deny ACE at the End of an Access List, page 16-9
• IPv6 Unsupported, page 16-9
• Using Extended and EtherType Access Lists on the Same Interface, page 16-9
• Allowing MPLS, page 16-9
Supported EtherTypes
An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number.
EtherType access lists support Ethernet V2 frames.16-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an EtherType Access List
802.3-formatted frames are not handled by the access list because they use a length field as opposed to
a type field.
BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and
the security appliance is designed to specifically handle BPDUs.
The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN
information inside the payload, so the security appliance modifies the payload with the outgoing VLAN
if you allow BPDUs.
Note If you use failover, you must allow BPDUs on both interfaces with an EtherType access list to avoid
bridging loops.
Implicit Permit of IP and ARPs Only
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection.
However, to allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType
access list, even from a high security to a low security interface.
Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want
traffic to pass in both directions.
Implicit and Explicit Deny ACE at the End of an Access List
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IPv6 Unsupported
EtherType ACEs do not allow IPv6 traffic, even if you specify the IPv6 EtherType.
Using Extended and EtherType Access Lists on the Same Interface
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can also apply the same access lists on multiple interfaces.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the security appliance by configuring both MPLS routers connected
to the security appliance to use the IP address on the security appliance interface as the router-id for LDP
or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward
packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the security appliance.16-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding an EtherType Access List
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Adding an EtherType ACE
To add an EtherType ACE, enter the following command:
hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu |
mpls-unicast | mpls-multicast | any | hex_number}
The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or
equal to 0x600. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of
EtherTypes.
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port | icmp_type] [inactive]
To remove an EtherType ACE, enter the no access-list command with the entire command syntax string
as it appears in the configuration:
ehostname(config)# no access-list access_list_name ethertype {permit | deny} {ipx | bpdu |
mpls-unicast | mpls-multicast | any | hex_number}
Note If an EtherType access list is configured to deny all, all ethernet frames are discarded. Only physical
protocol traffic, such as auto-negotiation, is still allowed.
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list.
Tip Enter the access_list_name in upper case letters so the name is easy to see in the configuration. You
might want to name the access list for the interface (for example, INSIDE), or for the purpose (for
example, MPLS or IPX).
For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies IPX:
hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside16-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding a Standard Access List
The following access list denies traffic with EtherType 0x1256, but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
Adding a Standard Access List
Single context mode only
Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route
map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.
The following command adds a standard ACE. To add another ACE at the end of the access list, enter
another access-list command specifying the same access list name. Apply the access list using the
“Defining Route Maps” section on page 9-7.
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address
mask}
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name standard {deny | permit} {any |
ip_address mask}
The following sample access list identifies routes to 192.168.1.0/24:
hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
Adding a Webtype Access List
To add an access list to the configuration that supports filtering for WebVPN, enter the following
command:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]
To remove a Webtype access list, enter the no access-list command with the entire syntax string as it
appears in the configuration:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20.
Simplifying Access Lists with Object Grouping
This section describes how to use object grouping to simplify access list creation and maintenance.
This section includes the following topics:
• How Object Grouping Works, page 16-12
• Adding Object Groups, page 16-1216-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
• Nesting Object Groups, page 16-15
• Displaying Object Groups, page 16-17
• Removing Object Groups, page 16-17
• Using Object Groups with an Access List, page 16-16
How Object Grouping Works
By grouping like-objects together, you can use the object group in an ACE instead of having to enter an
ACE for each object separately. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of
services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.
Note The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of
actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object
groups. In many cases, object groups create more ACEs than if you added them manually, because
creating ACEs manually leads you to summarize addresses more than an object group does. To view the
number of expanded ACEs in an access list, enter the show access-list access_list_name command.
Adding Object Groups
This section describes how to add object groups.
This section includes the following topics:
• Adding a Protocol Object Group, page 16-13
• Adding a Network Object Group, page 16-13
• Adding a Service Object Group, page 16-14
• Adding an ICMP Type Object Group, page 16-1516-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
Adding a Protocol Object Group
To add or change a protocol object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1 To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for
example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you
can specify, see the “Protocols and Applications” section on page D-11.
For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp
Adding a Network Object Group
To add or change a network object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
Note A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. For more
information about IPv6 access lists, see “Configuring IPv6 Access Lists” section on page 12-6.
To add a network group, follow these steps:
Step 1 To add a network group, enter the following command:
hostname(config)# object-group network grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to network configuration mode.16-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
Step 2 (Optional) To add a description, enter the following command:
hostname(config-network)# description text
The description can be up to 200 characters.
Step 3 To define the networks in the group, enter the following command for each network or address:
hostname(config-network)# network-object {host ip_address | ip_address mask}
For example, to create network group that includes the IP addresses of three administrators, enter the
following commands:
hostname(config)# object-group network admins
hostname(config-network)# description Administrator Addresses
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.34
Adding a Service Object Group
To add or change a service object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length.
Specify the protocol for the services (ports) you want to add, either tcp, udp, or tcp-udp keywords.
Enter tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example,
DNS (port 53).
The prompt changes to service configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-service)# description text
The description can be up to 200 characters.
Step 3 To define the ports in the group, enter the following command for each port or range of ports:
hostname(config-service)# port-object {eq port | range begin_port end_port}
For a list of permitted keywords and well-known port assignments, see the “Protocols and Applications”
section on page D-11.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP),
enter the following commands:
hostname(config)# object-group service services1 tcp-udp
hostname(config-service)# description DNS Group
hostname(config-service)# port-object eq domain16-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
hostname(config-service)# object-group service services2 udp
hostname(config-service)# description RADIUS Group
hostname(config-service)# port-object eq radius
hostname(config-service)# port-object eq radius-acct
hostname(config-service)# object-group service services3 tcp
hostname(config-service)# description LDAP Group
hostname(config-service)# port-object eq ldap
Adding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add
more objects as required by following this procedure again for the same group name and specifying
additional objects. You do not need to reenter existing objects; the commands you already set remain in
place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1 To add an ICMP type group, enter the following command:
hostname(config)# object-group icmp-type grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to ICMP type configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-icmp-type)# description text
The description can be up to 200 characters.
Step 3 To define the ICMP types in the group, enter the following command for each type:
hostname(config-icmp-type)# icmp-object icmp_type
See the “ICMP Types” section on page D-15 for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping),
enter the following commands:
hostname(config)# object-group icmp-type ping
hostname(config-service)# description Ping Group
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply
Nesting Object Groups
To nest an object group within another object group of the same type, first create the group that you want
to nest according to the “Adding Object Groups” section on page 16-12. Then follow these steps:
Step 1 To add or edit an object group under which you want to nest another object group, enter the following
command:
hostname(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id
{tcp | udp | tcp-udp}}16-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
Step 2 To add the specified group under the object group you specified in Step 1, enter the following command:
hostname(config-group_type)# group-object grp_id
The nested group must be of the same type.
You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12
hostname(config-network)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host
209.165.201.29
Using Object Groups with an Access List
To use object groups in an access list, replace the normal protocol (protocol), network
(source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with
object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command,
enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny |
permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group
nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for
the source address, but identify the destination address with an address and mask.
The following normal access list that does not use object groups restricts several hosts on the inside
network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29
eq www16-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Simplifying Access Lists with Object Grouping
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
If you make two network object groups, one for the inside hosts, and one for the web servers, then the
configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network web
hostname(config-network)# network-object host 209.165.201.29
hostname(config-network)# network-object host 209.165.201.16
hostname(config-network)# network-object host 209.165.201.78
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
Displaying Object Groups
To display a list of the currently configured object groups, enter the following command:
hostname(config)# show object-group [protocol | network | service | icmp-type | id grp_id]
If you enter the command without any parameters, the system displays all configured object groups.
The following is sample output from the show object-group command:
hostname# show object-group
object-group network ftp_servers
description: This is a group of FTP servers
network-object host 209.165.201.3
network-object host 209.165.201.4
object-group network TrustedHosts
network-object host 209.165.201.1
network-object 192.168.1.0 255.255.255.0
group-object ftp_servers
Removing Object Groups
To remove an object group, enter one of the following commands.
Note You cannot remove an object group or make an object group empty if it is used in an access list.16-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Adding Remarks to Access Lists
• To remove a specific object group, enter the following command:
hostname(config)# no object-group grp_id
• To remove all object groups of the specified type, enter the following command:
hostname(config)# clear object-group [protocol | network | services | icmp-type]
If you do not enter a type, all object groups are removed.
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, and standard
access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
hostname(config)# access-list access_list_name remark text
If you enter the remark before any access-list command, then the remark is the first line in the access list.
If you delete an access list using the no access-list access_list_name command, then all the remarks are
also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text.
Trailing spaces are ignored.
For example, you can add remarks before each ACE, and the remark appears in the access list in this
location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
Scheduling Extended Access List Activation
You can schedule each ACE to be activated at specific times of the day and week by applying a time
range to the ACE. This section includes the following topics:
• Adding a Time Range, page 16-18
• Applying the Time Range to an ACE, page 16-19
Adding a Time Range
To add a time range to implement a time-based access list, perform the following steps:
Step 1 Identify the time-range name by entering the following command:
hostname(config)# time-range name
Step 2 Specify the time range as either a recurring time range or an absolute time range.16-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Scheduling Extended Access List Activation
Note Users could experience a delay of approximately 80 to 100 seconds after the specified end time
for the ACL to become inactive. For example, if the specified end time is 3:50, because the end
time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the
command is picked up, the security appliance finishes any currently running task and then
services the command to deactivate the ACL.
Multiple periodic entries are allowed per time-range command. If a time-range command has both
absolute and periodic values specified, then the periodic commands are evaluated only after the
absolute start time is reached, and are not further evaluated after the absolute end time is reached.
• Recurring time range:
hostname(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
You can specify the following values for days-of-the-week:
– monday, tuesday, wednesday, thursday, friday, saturday, and sunday.
– daily
– weekdays
– weekend
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
• Absolute time range:
hostname(config-time-range)# absolute start time date [end time date]
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
The date is in the format day month year; for example, 1 january 2006.
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m on weekdays.:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
Applying the Time Range to an ACE
To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[time-range
name]
See the “Adding an Extended Access List” section on page 16-5 for complete access-list command
syntax.16-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Logging Access List Activity
Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you
disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute
Logging Access List Activity
This section describes how to configure access list logging for extended access lists and Webtype access
lists.
This section includes the following topics:
• Access List Logging Overview, page 16-20
• Configuring Logging for an Access Control Entry, page 16-21
• Managing Deny Flows, page 16-22
Access List Logging Overview
By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance
generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of system messages for denied packets can be very large.
We recommend that you instead enable logging using system message 106100, which provides statistics
for each ACE and lets you limit the number of system messages produced. Alternatively, you can disable
all logging.
Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command lets you to set the following behavior:
• Enable message 106100 instead of message 106023
• Disable all logging
• Return to the default logging using message 106023
System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})16-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Logging Access List Activity
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance generates a system message at the first hit and at the end of each interval, identifying the total
number of hits during the interval. At the end of each interval, the security appliance resets the hit count
to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, you might not see the same flow
increment because a new flow was created for the connection. See the “Managing Deny Flows” section
on page 16-22 to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed
information about this system message.
Configuring Logging for an Access Control Entry
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level]
[interval secs] | disable | default]]
See the “Adding an Extended Access List” section on page 16-5 and “Adding a Webtype Access List”
section on page 16-11 for complete access-list command syntax.
If you enter the log option without any arguments, you enable system log message 106100 at the default
level (6) and for the default interval (300 seconds). See the following options:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system messages, from 1 to 600. The default
is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.
For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
When a packet is permitted by the first ACE of outside-acl, the security appliance generates the
following system message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.
If one more connection by the same host is initiated within the specified 10 minute interval (and the
source and destination ports remain the same), then the hit count is incremented by 1 and the following
message is displayed at the end of the 10 minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)->
inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)16-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 16 Identifying Traffic with Access Lists
Logging Access List Activity
When a packet is denied by the third ACE, the security appliance generates the following system
message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
20 additional attempts within a 5 minute interval (the default) result in the following message at the end
of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist
concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the
security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny
flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security
appliance does not create a new deny flow for logging until the existing flows expire.
For example, if someone initiates a DoS attack, the security appliance can create a large number of deny
flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of
memory and CPU resources.
When you reach the maximum number of deny flows, the security appliance issues system message
106100:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
To configure the maximum number of deny flows and to set the interval between deny flow alert
messages (106101), enter the following commands:
• To set the maximum number of deny flows permitted per context before the security appliance stops
logging, enter the following command:
hostname(config)# access-list deny-flow-max number
The number is between 1 and 4096. 4096 is the default.
• To set the amount of time between system messages (number 106101) that identify that the
maximum number of deny flows was reached, enter the following command:
hostname(config)# access-list alert-interval secs
The seconds are between 1 and 3600. 300 is the default.C H A P T E R
17-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
17
Applying NAT
This chapter describes Network Address Translation (NAT). In routed firewall mode, the security
appliance can perform NAT between each network.
Note In transparent firewall mode, the security appliance does not support NAT.
This chapter contains the following sections:
• NAT Overview, page 17-1
• Configuring NAT Control, page 17-16
• Using Dynamic NAT and PAT, page 17-17
• Using Static NAT, page 17-26
• Using Static PAT, page 17-27
• Bypassing NAT, page 17-29
• NAT Examples, page 17-33
NAT Overview
This section describes how NAT works on the security appliance, and includes the following topics:
• Introduction to NAT, page 17-2
• NAT Control, page 17-3
• NAT Types, page 17-5
• Policy NAT, page 17-9
• NAT and Same Security Level Interfaces, page 17-13
• Order of NAT Commands Used to Match Real Addresses, page 17-14
• Mapped Address Guidelines, page 17-14
• DNS and NAT, page 17-1417-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Introduction to NAT
Address translation substitutes the real address in a packet with a mapped address that is routable on the
destination network. NAT is comprised of two steps: the process in which a real address is translated into
a mapped address, and then the process to undo translation for returning traffic.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule
matches, processing for the packet continues. The exception is when you enable NAT control.
NAT control requires that packets traversing from a higher security interface (inside) to a lower security
interface (outside) match a NAT rule, or else processing for the packet stops. (See the “Security Level
Overview” section on page 7-1 for more information about security levels, and see “NAT Control”
section on page 17-3 for more information about NAT control).
Note In this document, all types of translation are generally referred to as NAT. When discussing NAT, the
terms inside and outside are relative, and represent the security relationship between any two interfaces.
The higher security level is inside and the lower security level is outside; for example, interface 1 is at
60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a
host.
• You can resolve IP routing problems such as overlapping addresses.
See Table 25-1 on page 25-3 for information about protocols that do not support NAT.
Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at
10.1.2.27 sends a packet to a web server, the real source address, 10.1.2.27, of the packet is changed to
a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped
address, 209.165.201.10, and the security appliance receives the packet. The security appliance then
undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.2.27 before
sending it on to the host.17-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-1 NAT Example
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule; for any host on the inside network to access a host on the outside network, you must configure NAT
to translate the inside host address (see Figure 17-2).
Figure 17-2 NAT Control and Outbound Traffic
Web Server
www.cisco.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27 130023
Translation
10.1.2.27 209.165.201.10
Originating
Packet
Undo Translation
209.165.201.10 10.1.2.27
Responding
Security Packet
Appliance
10.1.1.1 NAT
No NAT
209.165.201.1
Inside Outside
10.1.2.1
Security
Appliance
13221217-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Interfaces at the same security level are not required to use NAT to communicate. However, if you
configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same
security interface or an outside interface must match a NAT rule (see Figure 17-3).
Figure 17-3 NAT Control and Same Security Traffic
Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule
when it accesses an inside interface (see Figure 17-4).
Figure 17-4 NAT Control and Inbound Traffic
Static NAT does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you
choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control
might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any
addresses for which you configure dynamic NAT. See the “Dynamic NAT and PAT Implementation”
section on page 17-17 for more information on how dynamic NAT is applied.
If you want the added security of NAT control but do not want to translate inside addresses in some cases,
you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Bypassing NAT”
section on page 17-29 for more information).
To configure NAT control, see the “Configuring NAT Control” section on page 17-16.
Note In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to
contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for more information about the relationship between
the classifier and NAT.
10.1.1.1 Dyn. NAT
No NAT
209.165.201.1
Level 50 Level 50
or
Outside
10.1.2.1
Security
Appliance
10.1.1.1 10.1.1.1 No NAT
Level 50 Level 50
Security
Appliance
132215
209.165.202.129 No NAT 209.165.202.129
Outside Inside
Security
Appliance
209.165.202.129
209.165.200.240
Dyn. NAT 10.1.1.50
Outside Inside
Security
Appliance
No NAT
13221317-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT,
Port Address Translation, static NAT, or static PAT or as a mix of these types. You can also configure
rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This
section includes the following topics:
• Dynamic NAT, page 17-5
• PAT, page 17-7
• Static NAT, page 17-7
• Static PAT, page 17-8
• Bypassing NAT When NAT Control is Enabled, page 17-9
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool can include fewer addresses than the real group. When a host you
want to translate accesses the destination network, the security appliance assigns it an IP address from
the mapped pool. The translation is added only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out (see the timeout xlate command in the Cisco Security
Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a
connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the
security appliance rejects any attempt to connect to a real host address directly. See the following “Static
NAT” or “Static PAT” sections for reliable access to hosts.
Note In some cases, a translation is added for a connection (see the show xlate command) even though the
session is denied by the security appliance. This condition occurs with an outbound access list, a
management-only interface, or a backup interface. The translation times out normally.
Figure 17-5 shows a remote host attempting to connect to the real address. The connection is denied
because the security appliance only allows returning connections to the mapped address.17-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-5 Remote Host Attempts to Connect to the Real Address
Figure 17-6 shows a remote host attempting to initiate a connection to a mapped address. This address
is not currently in the translation table, so the security appliance drops the packet.
Figure 17-6 Remote Host Attempts to Initiate a Connection to a Mapped Address
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However
in this case, you can rely on the security of the access list.
Web Server
www.example.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27
Translation
10.1.2.27 209.165.201.10
10.1.2.27
Security
Appliance
132216
Web Server
www.example.com
Outside
Inside
209.165.201.2
10.1.2.1
10.1.2.27
Security
Appliance
209.165.201.10
13221717-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a
single address.
• You have to use a large number of routable addresses in the mapped pool; if the destination network
requires registered addresses, such as the Internet, you might encounter a shortage of usable
addresses.
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work
with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work
with some applications that have a data stream on one port and the control path on another and are not
open standard, such as some multimedia applications. See the “When to Use Application Protocol
Inspection” section on page 25-2 for more information about NAT and PAT support.
PAT
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance
translates the real address and source port (real socket) to the mapped address and a unique port above
1024 (mapped socket). Each connection requires a separate translation, because the source port differs
for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or
mapped port number of the host, but the security appliance does not create a translation at all unless the
translated host is the initiator. See the following “Static NAT” or “Static PAT” sections for reliable access
to hosts.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the
security appliance interface IP address as the PAT address. PAT does not work with some multimedia
applications that have a data stream that is different from the control path. See the “When to Use
Application Protocol Inspection” section on page 25-2 for more information about NAT and PAT
support.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case, you can rely on the security of the access list. However,
policy PAT does not support time-based ACLs.
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es).With dynamic NAT and
PAT, each host uses a different address or port for each subsequent translation. Because the mapped
address is the same for each consecutive connection with static NAT, and a persistent translation rule
exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there
is an access list that allows it).
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT
allows a remote host to initiate a connection to a translated host (if there is an access list that allows it),
while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with
static NAT.17-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Static PAT
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for
the real and mapped addresses.
This feature lets you identify the same mapped address across many different static statements, so long
as the port is different for each statement (you cannot use the same mapped address for multiple static
NAT statements).
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP,
but these are all actually different servers on the real network, you can specify static PAT statements for
each server that uses the same mapped IP address, but different ports (see Figure 17-7).
Figure 17-7 Static PAT
See the following commands for this example:
hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask
255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask
255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask
255.255.255.255
You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For
example, if your inside web servers use port 8080, you can allow outside users to connect to port 80, and
then undo translation to the original port 8080. Similarly, if you want to provide extra security, you can
tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
Host
Outside
Inside
Undo Translation
209.165.201.3:21 10.1.2.27
Undo Translation
209.165.201.3:80 10.1.2.28
Undo Translation
209.165.201.3:25 10.1.2.29
FTP server
10.1.2.27
HTTP server
10.1.2.28
SMTP server
10.1.2.29
13003117-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Bypassing NAT When NAT Control is Enabled
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If
you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively,
you can disable NAT control). You might want to bypass NAT, for example, if you are using an
application that does not support NAT (see the “When to Use Application Protocol Inspection” section
on page 25-2 for information about inspection engines that do not support NAT).
You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility
with inspection engines. However, each method offers slightly different capabilities, as follows:
• Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic
NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for
connections through all interfaces. Therefore, you cannot choose to perform normal translation on
real addresses when you access interface A, but use identity NAT when accessing interface B.
Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate
the addresses. Make sure that the real addresses for which you use identity NAT are routable on all
networks that are available according to your access lists.
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate
a connection from the outside to the inside (even if the interface access list allows it). Use static
identity NAT or NAT exemption for this functionality.
• Static identity NAT (static command)—Static identity NAT lets you specify the interface on which
you want to allow the real addresses to appear, so you can use identity NAT when you access
interface A, and use regular translation when you access interface B. Static identity NAT also lets
you use policy NAT, which identifies the real and destination addresses when determining the real
addresses to translate (see the “Policy NAT” section on page 17-9 for more information about policy
NAT). For example, you can use static identity NAT for an inside address when it accesses the
outside interface and the destination is server A, but use a normal translation when accessing the
outside server B.
• NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote
hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific
interfaces; you must use NAT exemption for connections through all interfaces. However,
NAT exemption does let you specify the real and destination addresses when determining the real
addresses to translate (similar to policy NAT), so you have greater control using NAT exemption.
However unlike policy NAT, NAT exemption does not consider the ports in the access list.
Policy NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and
destination addresses in an extended access list. You can also optionally specify the source and
destination ports. Regular NAT can only consider the real addresses. For example, you can use translate
the real address to mapped address A when it accesses server A, but translate the real address to mapped
address B when it accesses server B.
Note Policy NAT does not support time-based ACLs.
When you specify the ports in policy NAT for applications that require application inspection for
secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.17-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to
identify the real addresses, but differs from policy NAT in that the ports are not considered. See the
“Bypassing NAT” section on page 17-29 for other differences. You can accomplish the same result as
NAT exemption using static identity NAT, which does support policy NAT.
Figure 17-8 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host
accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host
appears to be on the same network as the servers, which can help with routing.
Figure 17-8 Policy NAT with Different Destination Addresses
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Server 1
209.165.201.11
Server 2
209.165.200.225
DMZ
Inside
10.1.2.27
10.1.2.0/24
130039
209.165.201.0/27 209.165.200.224/27
Translation
10.1.2.27 209.165.202.129
Translation
10.1.2.27 209.165.202.130
Packet
Dest. Address:
209.165.201.11
Packet
Dest. Address:
209.165.200.22517-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-9 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for web
services, the real address is translated to 209.165.202.129. When the host accesses the same server for
Telnet services, the real address is translated to 209.165.202.130.
Figure 17-9 Policy NAT with Different Destination Ports
See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both
translated and remote hosts can originate traffic. For traffic originated on the translated network, the
NAT access list specifies the real addresses and the destination addresses, but for traffic originated on
the remote network, the access list identifies the real addresses and the source addresses of remote hosts
who are allowed to connect to the host using this translation.
Web and Telnet server:
209.165.201.11
Internet
Inside
Translation
10.1.2.27:80 209.165.202.129
10.1.2.27
10.1.2.0/24
Translation
10.1.2.27:23 209.165.202.130
Web Packet
Dest. Address:
209.165.201.11:80
Telnet Packet
Dest. Address:
209.165.201.11:23
13004017-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-10 shows a remote host connecting to a translated host. The translated host has a policy static
NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27
network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot
connect to that network, nor can a host on that network connect to the translated host.
Figure 17-10 Policy Static NAT with Destination Address Translation
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0
255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1
Note For policy static NAT, in undoing the translation, the ACL in the static command is not used. If the
destination address in the packet matches the mapped address in the static rule, the static rule is used to
untranslate the address.
Note Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the “When to Use
Application Protocol Inspection” section on page 25-2 for information about NAT support for other
protocols.
You cannot use policy static NAT to translate different real addresses to the same mapped address. For
example, Figure 17-11 shows two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to
209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection
goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address,
209.165.200.225, you want the connection to go to 10.1.1.2. However, only one source address in the
access list can be used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from
209.165.201.1 and 209.165.201.2 and destined to 209.165.200.255 will have their destination address
translated to 10.1.1.1.
209.165.201.11 209.165.200.225
DMZ
Inside
No Translation
10.1.2.27
10.1.2.27
10.1.2.0/27
209.165.201.0/27 209.165.200.224/27
Undo Translation
209.165.202.128
13003717-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-11 Real Addresses Cannot Share the Same Mapped Address
See the following commands for this example. (Although the second ACE in the example does allow
209.165.201.2 to connect to 209.165.200.225, it only allows 209.165.200.225 to be translated to
10.1.1.1.)
hostname(config)# static (in,out) 209.165.200.225 access-list policy-nat
hostname(config)# access-list policy-nat permit ip host 10.1.1.1 host 209.165.201.1
hostname(config)# access-list policy-nat permit ip host 10.1.1.2 host 209.165.201.2
NAT and Same Security Level Interfaces
NAT is not required between same security level interfaces even if you enable NAT control. You can
optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is
enabled, then NAT is required. See the “NAT Control” section on page 17-3 for more information. Also,
when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then
you must perform NAT on that group of addresses when they access any lower or same security level
interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.
See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6
to enable same security communication.
Note The security appliance does not support VoIP inspection engines when you configure NAT on same
security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “When to Use
Application Protocol Inspection” section on page 25-2 for supported inspection engines.
209.165.201.1
Outside
Inside
10.1.1.1
209.165.201.2
10.1.1.2
Undo Translation
209.165.200.225 10.1.1.1
209.165.200.225 10.1.1.2
No Undo Translation
24298117-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category. We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static
identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the real address
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the security
appliance.
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
security appliance), the security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing,
because the security appliance does not have to be the gateway for any additional networks.
However, this approach does put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for
mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you
advertise routes on the mapped interface, then the security appliance advertises the mapped
addresses. If the mapped interface is passive (not advertising routes) or you are using static routing,
then you need to add a static route on the upstream router that sends traffic destined for the mapped
addresses to the security appliance.
DNS and NAT
You might need to configure the security appliance to modify DNS replies by replacing the address in
the reply with an address that matches the NAT configuration. You can configure DNS modification
when you configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see 17-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Overview
Figure 17-12). In this case, you want to enable DNS reply modification on this static statement so that
inside users who have access to ftp.cisco.com using the real address receive the real address from the
DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with
the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside
server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply
modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing
ftp.cisco.com directly.
Figure 17-12 DNS Reply Modification
See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255
dns
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from
the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though
the user is not on the Inside interface referenced by the static command.
DNS Server
Outside
Inside
User
130021
1
2
3
4
5
DNS Reply Modification
209.165.201.10 10.1.3.14
DNS Reply
209.165.201.10
DNS Reply
10.1.3.14
DNS Query
ftp.cisco.com?
FTP Request
10.1.3.14
Security
Appliance
ftp.cisco.com
10.1.3.14
Static Translation
on Outside to:
209.165.201.1017-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Configuring NAT Control
Figure 17-13 shows a web server and DNS server on the outside. The security appliance has a static
translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com
from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want
inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply
modification for the static translation.
Figure 17-13 DNS Reply Modification Using Outside NAT
See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255
dns
Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule. See the “NAT Control” section on page 17-3 for more information.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.
ftp.cisco.com
209.165.201.10
DNS Server
Outside
Inside
User
10.1.2.27
Static Translation on Inside to:
10.1.2.56
130022
1
2
7
6
5
4
3
DNS Query
ftp.cisco.com?
DNS Reply
209.165.201.10
DNS Reply Modification
209.165.201.10 10.1.2.56
DNS Reply
10.1.2.56
FTP Request
209.165.201.10
Dest Addr. Translation
10.1.2.56 209.165.201.10
FTP Request
10.1.2.56
Security
Appliance17-17
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
Using Dynamic NAT and PAT
This section describes how to configure dynamic NAT and PAT, and includes the following topics:
• Dynamic NAT and PAT Implementation, page 17-17
• Configuring Dynamic NAT or PAT, page 17-23
Dynamic NAT and PAT Implementation
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given
interface that you want to translate. Then you configure a separate global command to specify the
mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat
command matches a global command by comparing the NAT ID, a number that you assign to each
command (see Figure 17-14).
Figure 17-14 nat and global ID Matching
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
130027
Web Server:
www.cisco.com
Outside
Inside
Global 1: 209.165.201.3-
209.165.201.10
NAT 1: 10.1.2.0/24
10.1.2.27
Translation
10.1.2.27 209.165.201.317-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
You can enter a nat command for each interface using the same NAT ID; they all use the same global
command when traffic exits a given interface. For example, you can configure nat commands for Inside
and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside interface
that is also on ID 1. Traffic from the Inside interface and the DMZ interface share a mapped pool or a
PAT address when exiting the Outside interface (see Figure 17-15).
Figure 17-15 nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
Web Server:
www.cisco.com
Outside
DMZ
Inside
Global 1: 209.165.201.3-
209.165.201.10
NAT 1: 10.1.2.0/24
NAT 1: 10.1.1.0/24
10.1.1.15
10.1.2.27
130028
Translation
10.1.2.27 209.165.201.3
Translation
10.1.1.15 209.165.201.417-19
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
You can also enter a global command for each interface using the same NAT ID. If you enter a global
command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to
be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat
command for the DMZ interface on ID 1, then the global command on the Outside interface is also used
for DMZ traffic. (See Figure 17-16).
Figure 17-16 global and nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If you use different NAT IDs, you can identify different sets of real addresses to have different mapped
addresses. For example, on the Inside interface, you can have two nat commands on two different
NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when
traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A
addresses; while traffic from Inside network B are translated to pool B addresses (see Figure 17-17). If
you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the
the destination addresses and ports are unique in each access list.
Web Server:
www.cisco.com
Outside
DMZ
Inside
Global 1: 209.165.201.3-
209.165.201.10
NAT 1: 10.1.2.0/24
NAT 1: 10.1.1.0/24
Global 1: 10.1.1.23
10.1.1.15
10.1.2.27
130024
Translation
10.1.2.27 209.165.201.3
Translation
10.1.1.15 209.165.201.4
Translation
10.1.2.27 10.1.1.23:2024
Security
Appliance17-20
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
Figure 17-17 Different NAT IDs
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11
You can enter multiple global commands for one interface using the same NAT ID; the security
appliance uses the dynamic NAT global commands first, in the order they are in the configuration, and
then uses the PAT global commands in order. You might want to enter both a dynamic NAT global
command and a PAT global command if you need to use dynamic NAT for a particular application, but
want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you
might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a
single PAT mapped statement supports (see Figure 17-18).
Web Server:
www.cisco.com
Outside
Inside
Global 1: 209.165.201.3-
209.165.201.10
Global 2: 209.165.201.11
NAT 1: 10.1.2.0/24
NAT 2: 192.168.1.0/24
10.1.2.27
192.168.1.14
Translation
10.1.2.27 209.165.201.3
Translation
192.168.1.14 209.165.201.11:4567
130025
Security
Appliance17-21
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
Figure 17-18 NAT and PAT Together
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you
also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ
is translated when accessing the Inside and the Outside interfaces), then you must configure a separate
nat command without the outside option. In this case, you can identify the same addresses in both
statements and use the same NAT ID (see Figure 17-19). Note that for outside NAT (DMZ interface to
Inside interface), the inside host uses a static command to allow outside access, so both the source and
destination addresses are translated.
Web Server:
www.cisco.com
Outside
Inside
Global 1: 209.165.201.3-
209.165.201.4
Global 1: 209.165.201.5
NAT 1: 10.1.2.0/24
10.1.2.27
10.1.2.28
10.1.2.29
130026
Translation
10.1.2.27 209.165.201.3
Translation
10.1.2.28 209.165.201.4
Translation
10.1.2.29 209.165.201.5:609617-22
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
Figure 17-19 Outside NAT and Inside NAT Combined
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-1-10.1.2.40
When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group
of addresses when they access any lower or same security level interface; you must apply a global
command with the same NAT ID on each interface, or use a static command. NAT is not required for
that group when it accesses a higher security interface, because to perform NAT from outside to inside,
you must create a separate nat command using the outside keyword. If you do apply outside NAT, then
the NAT requirements preceding come into effect for that group of addresses when they access all higher
security interfaces. Traffic identified by a static command is not affected.
Outside
DMZ
Inside
Global 1: 209.165.201.3-
209.165.201.10
Global 1: 10.1.2.30-
10.1.2.40 Static to DMZ: 10.1.2.27 10.1.1.5
Outside NAT 1: 10.1.1.0/24
NAT 1: 10.1.1.0/24
10.1.1.15
10.1.2.27
Translation
10.1.1.15 209.165.201.4
Translation
10.1.1.15 10.1.2.30
Undo Translation
10.1.1.5 10.1.2.27
13003817-23
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
Configuring Dynamic NAT or PAT
This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic
NAT and PAT are almost identical; for NAT you specify a range of mapped addresses, and for PAT you
specify a single address.
Figure 17-20 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session,
and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined
by the global command.
Figure 17-20 Dynamic NAT
Figure 17-21 shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and
responding traffic is allowed back. The mapped address defined by the global command is the same for
each translation, but the port is dynamically assigned.
Figure 17-21 Dynamic PAT
For more information about dynamic NAT, see the “Dynamic NAT” section on page 17-5. For more
information about PAT, see the “PAT” section on page 17-7.
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
10.1.1.1 209.165.201.1
Inside Outside
10.1.1.2 209.165.201.2
130032
Security
Appliance
10.1.1.1:1025 209.165.201.1:2020
Inside Outside
10.1.1.1:1026 209.165.201.1:2021
10.1.1.2:1025 209.165.201.1:2022
130034
Security
Appliance17-24
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
To configure dynamic NAT or PAT, perform the following steps:
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside]
[norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
You can identify overlapping addresses in other nat commands. For example, you can identify
10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command
in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
– access-list acl_name—Identify the real addresses and destination addresses using an extended
access list. Create the access list using the access-list command (see the “Adding an Extended
Access List” section on page 16-5). This access list should include only permit ACEs. You can
optionally specify the real and destination ports in the access list using the eq operator. Policy
NAT considers the inactive and time-range keywords, but it does not support ACL with all
inactive and time-range ACEs.
– nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT
ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the
“Configuring NAT Exemption” section on page 17-32 for more information about NAT
exemption.)
– dns—If your nat command includes the address of a host that has an entry in a DNS server, and
the DNS server is on a different interface from a client, then the client and the DNS server need
different addresses for the host; one needs the mapped address and one needs the real address.
This option rewrites the address in the DNS reply to the client. The translated host needs to be
on the same interface as either the client or the DNS server. Typically, hosts that need to allow
access from other interfaces use a static translation, so this option is more likely to be used with
the static command. (See the “DNS and NAT” section on page 17-14 for more information.)
– outside—If this interface is on a lower security level than the interface you identify by the
matching global statement, then you must enter outside to identify the NAT instance as
outside NAT.
– norandomseq, tcp tcp_max_conns, udp udp_max_conns, and emb_limit—These keywords set
connection limits. However, we recommend using a more versatile method for setting
connection limits; see the “Configuring Connection Limits and Timeouts” section on page 23-6.
• Regular NAT:
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside]
[norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command
NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for identity NAT. See the “Configuring
Identity NAT” section on page 17-30 for more information about identity NAT.
See the preceding policy NAT command for information about other options.
Step 2 To identify the mapped address(es) to which you want to translate the real addresses when they exit a
particular interface, enter the following command:
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}17-25
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Dynamic NAT and PAT
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses
that you want to translate when they exit this interface.
You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across
subnet boundaries if desired. For example, you can specify the following “supernet”:
192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is
exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
To translate the lower security dmz network addresses so they appear to be on the same network as the
inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
To identify a single real address with two different destination addresses using policy NAT, enter the
following commands (see Figure 17-8 on page 17-10 for a related figure):
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130
To identify a single real address/destination address pair that use different ports using policy NAT, enter
the following commands (see Figure 17-9 on page 17-11 for a related figure):
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.13017-26
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Static NAT
Using Static NAT
This section describes how to configure a static translation.
Figure 17-22 shows a typical static NAT scenario. The translation is always active so both translated and
remote hosts can originate connections, and the mapped address is statically assigned by the static
command.
Figure 17-22 Static NAT
You cannot use the same real or mapped address in multiple static commands between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static NAT, see the “Static NAT” section on page 17-7.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static NAT, enter one of the following commands.
• For policy static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface}
access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. The source subnet mask
used in the access list is also used for the mapped addresses. You can also specify the real and
destination ports in the access list using the eq operator. Policy NAT does not consider the inactive
or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the
“Policy NAT” section on page 17-9 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
10.1.1.1 209.165.201.1
Inside Outside
10.1.1.2 209.165.201.2
130035
Security
Appliance17-27
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Static PAT
• To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface}
real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
For example, the following policy static NAT example shows a single real address that is translated to
two mapped addresses depending on the destination address (see Figure 17-8 on page 17-10 for a related
figure):
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224
255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
Using Static PAT
This section describes how to configure a static port translation. Static PAT lets you translate the real IP
address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate
the real port to the same port, which lets you translate only specific types of traffic, or you can take it
further by translating to a different port.
Figure 17-23 shows a typical static PAT scenario. The translation is always active so both translated and
remote hosts can originate connections, and the mapped address and port is statically assigned by the
static command.
Figure 17-23 Static PAT
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
10.1.1.1:23 209.165.201.1:23
Inside Outside
10.1.1.2:8080 209.165.201.2:80
130044
Security
Appliance17-28
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Using Static PAT
You cannot use the same real or mapped address in multiple static statements between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static PAT, see the “Static PAT” section on page 17-8.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static PAT, enter one of the following commands.
• For policy static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp}
{mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). The protocol in the access list must match the protocol you set in this
command. For example, if you specify tcp in the static command, then you must specify tcp in the
access list. Specify the port using the eq operator. This access list should include only permit ACEs.
The source subnet mask used in the access list is also used for the mapped addresses. Policy NAT
does not consider the inactive or time-range keywords; all ACEs are considered to be active for
policy NAT configuration.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip |
interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp]
tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
Note When configuring static PAT with FTP, you need to add entries for both TCP ports 20 and 21. You must
specify port 20 so that the source port for the active transfer is not modified to another port, which may
interfere with other devices that perform NAT on FTP traffic.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance
outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the
following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0
255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET17-29
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Bypassing NAT
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0
255.255.255.0 eq http
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at
10.1.1.15, enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
If you want to allow the preceding real Telnet server to initiate connections, though, then you need to
provide additional translation. For example, to translate all other types of traffic, enter the following
commands. The original static command provides translation for Telnet to the server, while the nat and
global commands provide PAT for outbound connections from the server.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped
address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the
same mapped address as the static statement that allows Telnet traffic to the server. You need to create
a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best
match, more exclusive nat statements are matched before general statements. The following example
shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet
server, and the statement for other inside hosts, which uses a different mapped address.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78
To translate a well-known port (80) to another port (8080), enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask
255.255.255.255
Bypassing NAT
This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control.
You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the “Bypassing
NAT When NAT Control is Enabled” section on page 17-9 for more information about these methods.
This section includes the following topics:
• Configuring Identity NAT, page 17-30
• Configuring Static Identity NAT, page 17-30
• Configuring NAT Exemption, page 17-3217-30
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Bypassing NAT
Configuring Identity NAT
Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create
NAT translations, and responding traffic is allowed back.
Figure 17-24 shows a typical identity NAT scenario.
Figure 17-24 Identity NAT
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
To configure identity NAT, enter the following command:
hostname(config)# nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.
For example, to use identity NAT for the inside 10.1.1.0/24 network, enter the following command:
hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0
Configuring Static Identity NAT
Static identity NAT translates the real IP address to the same IP address. The translation is always active,
and both “translated” and remote hosts can originate connections. Static identity NAT lets you use
regular NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when
determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more
209.165.201.1 209.165.201.1
Inside Outside
209.165.201.2 209.165.201.2
130033
Security
Appliance17-31
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Bypassing NAT
information about policy NAT). For example, you can use policy static identity NAT for an inside address
when it accesses the outside interface and the destination is server A, but use a normal translation when
accessing the outside server B.
Figure 17-25 shows a typical static identity NAT scenario.
Figure 17-25 Static Identity NAT
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static identity NAT, enter one of the following commands:
• To configure policy static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id
[dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. Make sure the source
address in the access list matches the real_ip in this command. Policy NAT does not consider the
inactive or time-range keywords; all ACEs are considered to be active for policy NAT
configuration. See the “Policy NAT” section on page 17-9 for more information.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask
mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Specify the same IP address for both real_ip arguments.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when
accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
209.165.201.1 209.165.201.1
Inside Outside
209.165.201.2 209.165.201.2
130036
Security
Appliance17-32
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
Bypassing NAT
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed
by the inside:
hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask
255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The following static identity policy NAT example shows a single real address that uses identity NAT
when accessing one destination address, and a translation when accessing another:
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224
255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
Configuring NAT Exemption
NAT exemption exempts addresses from translation and allows both real and remote hosts to originate
connections. NAT exemption lets you specify the real and destination addresses when determining the
real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than
identity NAT. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
Use static identity NAT to consider ports in the access list.
Figure 17-26 shows a typical NAT exemption scenario.
Figure 17-26 NAT Exemption
Note If you remove a NAT exemption configuration, existing connections that use NAT exemption are not
affected. To remove these connections, enter the clear local-host command.
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List” section
on page 16-5). This access list can include both permit ACEs and deny ACEs. Do not specify the real
and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption
considers the inactive and time-range keywords, but it does not support ACL with all inactive and
time-range ACEs.
209.165.201.1 209.165.201.1
Inside Outside
209.165.201.2 209.165.201.2
130036
Security
Appliance17-33
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Examples
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
By default, this command exempts traffic from inside to outside. If you want traffic from outside to
inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT
instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT
for the outside interface and want to exempt other traffic.
For example, to exempt an inside network when accessing any destination address, enter the following
command:
hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT
To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following
command:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT
To exempt an inside address when accessing two different destination addresses, enter the following
commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
NAT Examples
This section describes typical scenarios that use NAT solutions, and includes the following topics:
• Overlapping Networks, page 17-34
• Redirecting Ports, page 17-3517-34
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Examples
Overlapping Networks
In Figure 17-27, the security appliance connects two private networks with overlapping address ranges.
Figure 17-27 Using Outside NAT with Overlapping Networks
Two networks use an overlapping address space (192.168.100.0/24), but hosts on each network must
communicate (as allowed by access lists). Without NAT, when a host on the inside network tries to access
a host on the overlapping DMZ network, the packet never makes it past the security appliance, which
sees the packet as having a destination address on the inside network. Moreover, if the destination
address is being used by another host on the inside network, that host receives the packet.
To solve this problem, use NAT to provide non-overlapping addresses. If you want to allow access in
both directions, use static NAT for both networks. If you only want to allow the inside interface to access
hosts on the DMZ, then you can use dynamic NAT for the inside addresses, and static NAT for the DMZ
addresses you want to access. This example shows static NAT.
To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network
on the DMZ is not translated.
Step 1 Translate 192.168.100.0/24 on the inside to 10.1.2.0 /24 when it accesses the DMZ by entering the
following command:
hostname(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
Step 2 Translate the 192.168.100.0/24 network on the DMZ to 10.1.3.0/24 when it accesses the inside by
entering the following command:
hostname(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0
Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the
security appliance:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
192.168.100.2
inside
192.168.100.0/24
outside
10.1.1.2
192.168.100.1
192.168.100.2
dmz
192.168.100.0/24
192.168.100.3
10.1.1.1
130029
192.168.100.317-35
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Examples
The security appliance already has a connected route for the inside network. These static routes allow
the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the
gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static
route with the exact same network as a connected route.) Alternatively, you could use a more broad route
for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the
inside network, the following events occur:
1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address
from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and
the packet is forwarded.
Redirecting Ports
Figure 17-28 illustrates a typical network scenario in which the port redirection feature might be useful.
Figure 17-28 Port Redirection Using Static PAT
In the configuration described in this section, port redirection occurs for hosts on external networks as
follows:
• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP request to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
Telnet Server
10.1.1.6
209.165.201.25
209.165.201.5
209.165.201.15
10.1.1.1
Inside
FTP Server
10.1.1.3
Web Server
10.1.1.5
Web Server
10.1.1.7
Outside
13003017-36
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 17 Applying NAT
NAT Examples
To implement this scenario, perform the following steps:
Step 1 Configure PAT for the inside network by entering the following commands:
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask
255.255.255.255
Step 3 Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask
255.255.255.255
Step 4 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the
following command:
hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask
255.255.255.255
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering
the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask
255.255.255.255C H A P T E R
18-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
18
Permitting or Denying Network Access
This chapter describes how to control network access through the security appliance using access lists.
To create an extended access lists or an EtherType access list, see Chapter 16, “Identifying Traffic with
Access Lists.”
Note You use ACLs to control network access in both routed and transparent firewall modes. In transparent
mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
To access the security appliance interface for management access, you do not also need an access list
allowing the host IP address. You only need to configure management access according to Chapter 40,
“Managing System Access.”
This chapter includes the following sections:
• Inbound and Outbound Access List Overview, page 18-1
• Applying an Access List to an Interface, page 18-2
Inbound and Outbound Access List Overview
By default, all traffic from a higher-security interface to a lower-security interface is allowed. Access
lists let you either allow traffic from lower-security interfaces, or restrict traffic from higher-security
interfaces.
The security appliance supports two types of access lists:
• Inbound—Inbound access lists apply to traffic as it enters an interface.
• Outbound—Outbound access lists apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the security appliance on an interface or traffic exiting the security appliance on an interface.
These terms do not refer to the movement of traffic from a lower security interface to a higher security
interface, commonly known as inbound, or from a higher to lower interface, commonly known as
outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts 18-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 18 Permitting or Denying Network Access
Applying an Access List to an Interface
(see Figure 18-1). See the “IP Addresses Used for Access Lists When You Use NAT” section on
page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts
from reaching the outside network.
Figure 18-1 Outbound Access List
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8
host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside
Applying an Access List to an Interface
To apply an extended access list to the inbound or outbound direction of an interface, enter the following
command:
hostname(config)# access-group access_list_name {in | out} interface interface_name
[per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface.
See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about
access list directions.
Web Server:
209.165.200.225
Inside HR Eng
Outside
Static NAT
10.1.1.14 209.165.201.4
Static NAT
10.1.2.67 209.165.201.6
Static NAT
10.1.3.34 209.165.201.8
ACL Outbound
Permit HTTP from 209.165.201.4, 209.165.201.6,
and 209.165.201.8 to 209.165.200.225
Deny all others
132210
ACL Inbound
Permit from any to any
ACL Inbound
Permit from any to any
ACL Inbound
Permit from any to any
Security
appliance18-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 18 Permitting or Denying Network Access
Applying an Access List to an Interface
The per-user-override keyword allows dynamic access lists that are downloaded for user authorization
to override the access list assigned to the interface. For example, if the interface access list denies all
traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic
access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization”
section for more information about per-user access lists. The per-user-override keyword is only
available for inbound access lists.
For connectionless protocols, you need to apply the access list to the source and destination interfaces
if you want traffic to pass in both directions.
The following example illustrates the commands required to enable access to an inside web server with
the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside
You also need to configure NAT for the web server.
The following access lists allow any hosts to communicate between the inside and hr networks, but only
specific hosts (209.168.200.3 and 209.168.200.4) to access the outside network, as shown in the last line
below:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside
For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies all others:
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside18-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 18 Permitting or Denying Network Access
Applying an Access List to an InterfaceC H A P T E R
19-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
19
Applying AAA for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access.
For information about AAA for management access, see the “Configuring AAA for System
Administrators” section on page 40-5.
This chapter contains the following sections:
• AAA Performance, page 19-1
• Configuring Authentication for Network Access, page 19-1
• Configuring Authorization for Network Access, page 19-6
• Configuring Accounting for Network Access, page 19-13
• Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 19-14
AAA Performance
The security appliance uses “cut-through proxy” to significantly improve performance compared to a
traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every
packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a
user initially at the application layer and then authenticates against standard AAA servers or the local
database. After the security appliance authenticates the user, it shifts the session flow, and all traffic
flows directly and quickly between the source and destination while maintaining session state
information.
Configuring Authentication for Network Access
This section includes the following topics:
• Authentication Overview, page 19-2
• Enabling Network Access Authentication, page 19-3
• Enabling Secure Authentication of Web Clients, page 19-5
• Authenticating Directly with the Security Appliance, page 19-619-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authentication for Network Access
Authentication Overview
The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:
• One-Time Authentication, page 19-2
• Applications Required to Receive an Authentication Challenge, page 19-2
• Security Appliance Authentication Prompts, page 19-2
• Static PAT and HTTP, page 19-3
• Enabling Network Access Authentication, page 19-3
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Cisco Security Appliance
Command Reference for timeout values.) For example, if you configure the security appliance to
authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the
authentication session exists, the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must
first authenticate with one of these services before the security appliance allows other traffic requiring
authentication.
The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
Security Appliance Authentication Prompts
For Telnet and FTP, the security appliance generates an authentication prompt.
For HTTP, the security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. You can optionally configure the security appliance to redirect users to an
internal web page where they can enter their username and password (configured with the aaa
authentication listener command).
For HTTPS, the security appliance generates a custom login screen. You can optionally configure the
security appliance to redirect users to an internal web page where they can enter their username and
password (configured with the aaa authentication listener command).
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the security appliance.19-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authentication for Network Access
You might want to continue to use basic HTTP authentication if: you do not want the security appliance
to open listening ports; if you use NAT on a router and you do not want to create a translation rule for
the web page served by the security appliance; basic HTTP authentication might work better with your
network. For example non-browser applications, like when a URL is embedded in email, might be more
compatible with basic authentication.
After you authenticate correctly, the security appliance redirects you to your original destination. If the
destination server also has its own authentication, the user enters another username and password. If you
use basic HTTP authentication and need to enter another username and password for the destination
server, then you need to configure the virtual http command.
Note If you use HTTP authentication without using the aaa authentication secure-http-client command, the
username and password are sent from the client to the security appliance in clear text. We recommend
that you use the aaa authentication secure-http-client command whenever you enable HTTP
authentication. For more information about the aaa authentication secure-http-client command, see
the “Enabling Secure Authentication of Web Clients” section on page 19-5.
For FTP, a user has the option of entering the security appliance username followed by an at sign (@)
and then the FTP username (name1@name2). For the password, the user enters the security appliance
password followed by an at sign (@) and then the FTP password (password1@password2). For example,
enter the following text.
name> jamiec@jchrichton
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).
Static PAT and HTTP
For HTTP authentication, the security appliance checks real ports when static PAT is configured. If it
detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts
the HTTP connection and enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and
enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the
security appliance allows HTTP connection to complete.
If the local port is different than port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
Then users do not see the authentication page. Instead, the security appliance sends to the web browser
an error message indicating that the user must be authenticated prior using the requested service.
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:19-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authentication for Network Access
Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA
servers, continue to the next step.
For more information about identifying AAA servers, see the “Identifying AAA Server Groups and
Servers” section on page 13-12.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authenticate. For steps, see the “Adding an Extended Access List”
section on page 16-5.
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic
from authentication. Be sure to include the destination ports for either HTTP, HTTPS, Telnet, or FTP in
the access list because the user must authenticate with one of these services before other services are
allowed through the security appliance.
Step 3 To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
Where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command, and server_group is the AAA server group you created
in Step 1.
Note You can alternatively use the aaa authentication include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Cisco Security
Appliance Command Reference for more information.
Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter
the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum]
redirect
where the interface_name argument is the interface on which you want to enable listening ports.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
Step 5 (Optional) If you are using the local database for network access authentication and you want to limit
the number of consecutive failed login attempts that the security appliance allows any given user
account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
Where number is between 1 and 16.
For example:
hostname(config)# aaa local authentication attempts max-fail 7
Tip To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+19-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authentication for Network Access
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
hostname(config)# aaa authentication listener http inside redirect
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound
Enabling Secure Authentication of Web Clients
The security appliance provides a method of securing HTTP authentication. Without securing HTTP
authentication, usernames and passwords from the client to the security appliance would be passed as
clear text. By using the aaa authentication secure-http-client command, you enable the exchange of
usernames and passwords between a web client and the security appliance with HTTPS.
After enabling this feature, when a user requires authentication when using HTTP, the security appliance
redirects the HTTP user to an HTTPS prompt. After you authenticate correctly, the security appliance
redirects you to the original HTTP URL.
To enable secure authentication of web clients, enter the following command:
hostname(config)# aaa authentication secure-http-client
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not succeed.
• When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might
not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even if the
correct username and password are entered each time. To work around this, set the uauth timeout
to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second
window of opportunity that might allow non-authenticated users to go through the firewall if they
are coming from the same source IP address.
• Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list
command statement to block traffic from the HTTP client to HTTP server on port 443. Furthermore,
if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In
the following example, the first line configures static PAT for web traffic and the second line must
be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 44319-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
Authenticating Directly with the Security Appliance
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to
authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP,
HTTPS, or Telnet.
This section includes the following topics:
• Enabling Direct Authentication Using HTTP and HTTPS, page 19-6
• Enabling Direct Authentication Using Telnet, page 19-6
Enabling Direct Authentication Using HTTP and HTTPS
If you enabled the redirect method of HTTP and HTTPS authentication in the “Enabling Network Access
Authentication” section on page 19-3, then you also automatically enabled direct authentication. If you
want to continue to use basic HTTP authentication, but want to enable direct authentication for HTTP
and HTTPS, then enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum]
where the interface_name argument is the interface on which you want to enable direct authentication.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
You can authenticate directly with the security appliance at the following URLs when you enable AAA
for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html
Enabling Direct Authentication Using Telnet
To enable direct authentication with Telnet, configure a virtual Telnet server. With virtual Telnet, the user
Telnets to a given IP address configured on the security appliance, and the security appliance provides a
Telnet prompt. To configure a virtual Telnet server, enter the following command:
hostname(config)# virtual telnet ip_address
where the ip_address argument sets the IP address for the virtual Telnet server. Make sure this address
is an unused address that is routed to the security appliance. For example, if you perform NAT for inside
addresses when they access the outside, and you want to provide outside access to the virtual Telnet
server, you can use one of the global NAT addresses for the virtual Telnet server address.
Configuring Authorization for Network Access
After a user authenticates for a given connection, the security appliance can use authorization to further
control traffic from the user.
This section includes the following topics:
• Configuring TACACS+ Authorization, page 19-7
• Configuring RADIUS Authorization, page 19-819-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
You can configure the security appliance to perform network access authorization with TACACS+. You
identify the traffic to be authorized by specifying access lists that authorization rules must match.
Alternatively, you can identify the traffic directly in authorization rules themselves.
Tip Using access lists to identify traffic to be authorized can greatly reduced the number of authorization
commands you must enter. This is because each authorization rule you enter can specify only one source
and destination subnet and service, whereas an access list can include many entries.
Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization statement will be denied. For authorization to succeed, a user must first
authenticate with the security appliance. Because a user at a given IP address only needs to authenticate
one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even
if the traffic is matched by an authentication statement.
After a user authenticates, the security appliance checks the authorization rules for matching traffic. If
the traffic matches the authorization statement, the security appliance sends the username to the
TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for
that traffic, based on the user profile. The security appliance enforces the authorization rule in the
response.
See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps:
Step 1 Enable authentication. For more information, see the “Enabling Network Access Authentication” section
on page 19-3. If you have already enabled authentication, continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authorize. For steps, see the “Adding an Extended Access List” section
on page 16-5.
The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic
from authorization. The access list you use for authorization matching should contain rules that are equal
to or a subset of the rules in the access list used for authentication matching.
Note If you have configured authentication and want to authorize all the traffic being authenticated,
you can use the same access list you created for use with the aaa authentication match
command.
Step 3 To enable authorization, enter the following command:
hostname(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command or by default, and server_group is the AAA server group
you created when you enabled authentication.19-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
Note Alternatively, you can use the aaa authorization include command (which identifies traffic
within the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
“Configuring Authentication for Network Access” section on page 19-1.
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
• With the per-user-override keyword, the user-specific access list determines what is permitted.
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
This section includes the following topics:
• Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-9
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-1219-9
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
• About the Downloadable Access List Feature and Cisco Secure ACS, page 19-9
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-10
• Configuring Any RADIUS Server for Downloadable Access Lists, page 19-11
• Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-12
About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. It provides the following capabilities:
• Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the security appliance.
• Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
security appliances.
This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The security appliance receives downloadable access lists from Cisco Secure ACS using the following
process:
1. The security appliance sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that contains the internal name of the applicable downloadable access list.
The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following
attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable access list, which is a combination of
the name assigned to the access list by the Cisco Secure ACS administrator and the date and time
that the access list was last modified.
3. The security appliance examines the name of the downloadable access list and determines if it has
previously received the named downloadable access list.
– If the security appliance has previously received the named downloadable access list,
communication with Cisco Secure ACS is complete and the security appliance applies the
access list to the user session. Because the name of the downloadable access list includes the
date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of
an access list previous downloaded means that the security appliance has the most recent
version of the downloadable access list.
– If the security appliance has not previously received the named downloadable access list, it may
have an out-of-date version of the access list or it may not have downloaded any version of the
access list. In either case, the security appliance issues a RADIUS authentication request using
the downloadable access list name as the username in the RADIUS request and a null password
attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following
attribute-value pairs:19-10
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
AAA:service=ip-admission
AAA:event=acl-download
In addition, the security appliance signs the request with the Message-Authenticator attribute
(IETF RADIUS attribute 80).
4. Upon receipt of a RADIUS authentication request that has a username attribute containing the name
of a downloadable access list, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable access list name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.
5. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds
with an access-accept message containing the access list. The largest access list that can fit in a
single access-accept message is slightly less than 4 KB because some of the message must be other
required attributes.
Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access
list is formatted as a series of attribute-value pairs that each contain an ACE and are numbered
serially:
ip:inacl#1=ACE-1
ip:inacl#2=ACE-2
.
.
.
ip:inacl#n=ACE-n
An example of an attribute-value pair follows:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that contains a portion of the access list, formatted as described
above, and an State attribute (IETF RADIUS attribute 24), which contains control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The security appliance stores the portion of the access list received and responds with another
access-request message containing the same attributes as the first request for the downloadable
access list plus a copy of the State attribute received in the access-challenge message.
This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.
Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more security appliance commands that are similar to the
extended access-list command (see the “Adding an Extended Access List” section on page 16-5), except
without the following prefix:
access-list acl_name extended
The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
+--------------------------------------------+19-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
| Shared profile Components |
| |
| Downloadable IP ACLs Content |
| |
| Name: acs_ten_acl |
| |
| ACL Definitions |
| |
| permit tcp any host 10.0.0.254 |
| permit udp any host 10.0.0.254 |
| permit icmp any host 10.0.0.254 |
| permit tcp any host 10.0.0.253 |
| permit udp any host 10.0.0.253 |
| permit icmp any host 10.0.0.253 |
| permit tcp any host 10.0.0.252 |
| permit udp any host 10.0.0.252 |
| permit icmp any host 10.0.0.252 |
| permit ip any any |
+--------------------------------------------+
For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.
On the security appliance, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding
example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the security appliance consists of the following lines:
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any
Configuring Any RADIUS Server for Downloadable Access Lists
You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific
access lists to the security appliance in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).
In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended
command (see the “Adding an Extended Access List” section on page 16-5), except that you replace the
following command prefix:
access-list acl_name extended
with the following text:
ip:inacl#nnn=
The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the security appliance. If this parameter is omitted, the sequence value is
0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used.19-12
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
The following example is an access list definition as it should be configured for a cisco-av-pair VSA on
a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
For information about making unique per user the access lists that are sent in the cisco-av-pair attribute,
see the documentation for your RADIUS server.
On the security appliance, the downloaded access list name has the following format:
AAA-user-username
The username argument is the name of the user that is being authenticated.
The downloaded access list on the security appliance consists of the following lines. Notice the order
based on the numbers identified on the RADIUS server.
access-list AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 deny tcp any any
access-list AAA-user-bcham34-79AD4A08 deny udp any any
Downloaded access lists have two spaces between the word “access-list” and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is
a hash value generated by the security appliance to help determine when access list definitions have
changed on the RADIUS server.
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well
as to the security appliance, you may need the security appliance to convert wildcard netmask
expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators
support wildcard netmask expressions but the security appliance only supports standard netmask
expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize
the effects of these differences upon how you configure downloadable access lists on your RADIUS
servers. Translation of wildcard netmask expressions means that downloadable access lists written for
Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the
configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per server basis, using the acl-netmask-convert
command, available in the AAA-server configuration mode. For more information about configuring a
RADIUS server, see “Identifying AAA Server Groups and Servers” section on page 13-12. For more
information about the acl-netmask-convert command, see the Cisco Security Appliance Command
Reference.
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the security appliance from the
RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute
number 11) as follows:
filter-id=acl_name19-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Accounting for Network Access
Note In Cisco Secure ACS, the value for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making unique per user the filter-id attribute value, see the documentation for your
RADIUS server.
See the “Adding an Extended Access List” section on page 16-5 to create an access list on the security
appliance.
Configuring Accounting for Network Access
The security appliance can send accounting information to a RADIUS or TACACS+ server about any
TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then
the AAA server can maintain accounting information by username. If the traffic is not authenticated, the
AAA server can maintain accounting information by IP address. Accounting information includes when
sessions start and stop, username, the number of bytes that pass through the security appliance for the
session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Step 1 If you want the security appliance to provide accounting data per user, you must enable authentication.
For more information, see the “Enabling Network Access Authentication” section on page 19-3. If you
want the security appliance to provide accounting data per IP address, enabling authentication is not
necessary and you can continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want accounted. For steps, see the “Adding an Extended Access List” section on
page 16-5.
The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic
from authorization.
Note If you have configured authentication and want accounting data for all the traffic being
authenticated, you can use the same access list you created for use with the aaa authentication
match command.
Step 3 To enable accounting, enter the following command:
hostname(config)# aaa accounting match acl_name interface_name server_group
Note Alternatively, you can use the aaa accounting include command (which identifies traffic within
the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to
servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires
authorization and accounting.19-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
Using MAC Addresses to Exempt Traffic from Authentication
and Authorization
The security appliance can exempt from authentication and authorization any traffic from specific MAC
addresses. For example, if the security appliance authenticates TCP traffic originating on a particular
network but you want to allow unauthenticated TCP connections from a specific server, you would use
a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified
by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
Step 1 To configure a MAC list, enter the following command:
hostname(config)# mac-list id {deny | permit} mac macmask
Where the id argument is the hexadecimal number that you assign to the MAC list. To group a set of
MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because
you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC
addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is,
nnnn.nnnn.nnnn.
The macmask argument specifies the portion of the MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following
command:
hostname(config)# aaa mac-exempt match id
Where id is the string identifying the MAC list containing the MAC addresses whose traffic is to be
exempt from authentication and authorization. You can only enter one instance of the aaa mac-exempt
command.19-15
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# aaa mac-exempt match abc
The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID
0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
hostname(config)# aaa mac-exempt match acd
The following example bypasses authentication for a a group of MAC addresses except for
00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches
the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 119-16
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and AuthorizationC H A P T E R
20-1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
20
Applying Filtering Services
This chapter describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
This chapter contains the following sections:
• Filtering Overview, page 20-1
• Filtering ActiveX Objects, page 20-2
• Filtering Java Applets, page 20-3
• Filtering URLs and FTP Requests with an External Server, page 20-4
• Viewing Filtering Statistics and Configuration, page 20-9
Filtering Overview
This section describes how filtering can provide greater control over traffic passing through the security
appliance. Filtering can be used in two distinct ways:
• Filtering ActiveX objects or Java applets
• Filtering with an external filtering server
Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic,
such as ActiveX objects or Java applets, that may pose a security threat in certain situations.
You can also use URL filtering to direct specific traffic to an external filtering server, such an Secure
Computing SmartFilter (formerly N2H2) or Websense filtering server. Long URL, HTTPS, and FTP
filtering can now be enabled using both Websense and Secure Computing SmartFilter for URL filtering.
Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.
Note URL caching will only work if the version of the URL server software from the URL server vender
supports it.
Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of
other traffic is not affected. However, depending on the speed of your network and the capacity of your
URL filtering server, the time required for the initial connection may be noticeably slower when filtering
traffic with an external filtering server.20-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 20 Applying Filtering Services
Filtering ActiveX Objects
Filtering ActiveX Objects
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing
through the firewall. This section includes the following topics:
• ActiveX Filtering Overview, page 20-2
• Enabling ActiveX Filtering, page 20-2
ActiveX Filtering Overview
ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web
page or other application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML