Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
Book-level PDFs are generated periodically and therefore may not reflect the latest updates to documentation as contained in the chapter-level HTML or PDF documents. This book-level PDF was last generated on August 29, 2012.
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco ONS 15454 Reference Manual
Product and Documentation Releases 9.1, 9.2 and 9.2.1
August 2012
Text Part Number: 78-19870-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007–2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
About this Manual xliii
Revision History xliii
Document Objectives xlv
Audience xlv
Related Documentation xlv
Document Conventions xlvi
Obtaining Optical Networking Information lii
Where to Find Safety and Warning Information lii
Cisco Optical Networking Product Documentation CD-ROM lii
Obtaining Documentation and Submitting a Service Request liii
Cisco ONS Documentation Roadmap for Release 9.2.1 lv
CHAPTER 1 Shelf and Backplane Hardware 1-1
1.1 Overview 1-2
1.2 Rack Installation 1-3
1.2.1 Reversible Mounting Bracket 1-5
1.2.2 Mounting a Single Node 1-5
1.2.3 Mounting Multiple Nodes 1-6
1.2.4 ONS 15454 Bay Assembly 1-6
1.3 Front Door 1-6
1.4 Backplane Covers 1-11
1.4.1 Lower Backplane Cover 1-12
1.4.2 Rear Cover 1-13
1.4.3 Alarm Interface Panel 1-14
1.4.4 Alarm Interface Panel Replacement 1-15
1.5 Electrical Interface Assemblies 1-15
1.5.1 EIA Installation 1-16
1.5.2 EIA Configurations 1-16
1.5.3 BNC EIA 1-18
1.5.3.1 BNC Connectors 1-19
1.5.3.2 BNC Insertion and Removal Tool 1-20
1.5.4 High-Density BNC EIA 1-20
1.5.5 MiniBNC EIA 1-21
1.5.5.1 MiniBNC Connectors 1-22
1.5.5.2 MiniBNC Insertion and Removal Tool 1-27
1.5.6 SMB EIA 1-28
1.5.7 AMP Champ EIA 1-29
1.5.8 UBIC-V EIA 1-33
1.5.9 UBIC-H EIA 1-34
1.5.10 EIA Replacement 1-38
1.6 Coaxial Cable 1-38
1.7 DS-1 Cable 1-38
1.7.1 Twisted Pair Wire-Wrap Cables 1-38
1.7.2 Electrical Interface Adapters 1-39
1.8 UBIC-V Cables 1-40
1.9 UBIC-H Cables 1-45
1.10 Ethernet Cables 1-51
1.11 Cable Routing and Management 1-53
1.11.1 Fiber Management 1-54
1.11.2 Fiber Management Using the Tie-Down Bar 1-55
1.11.3 Coaxial Cable Management 1-56
1.11.4 DS-1 Twisted-Pair Cable Management 1-56
1.11.5 AMP Champ Cable Management 1-56
1.12 Alarm Expansion Panel 1-56
1.12.1 Wire-Wrap and Pin Connections 1-57
1.13 Filler Card 1-61
1.14 Filler Plus Cards 1-62
1.15 Fan-Tray Assembly 1-64
1.15.1 Fan Tray Units for ONS 15454 Cards 1-65
1.15.2 Fan Speed 1-67
1.15.3 Fan Failure 1-67
1.15.4 Air Filter 1-67
1.15.5 Pilot Fuse 1-68
1.16 Power and Ground Description 1-68
1.17 Shelf Voltage and Temperature 1-69
1.18 Alarm, Timing, LAN, and Craft Pin Connections 1-70
1.18.1 Alarm Contact Connections 1-72
1.18.2 Timing Connections 1-73
1.18.3 LAN Connections 1-73
1.18.4 TL1 Craft Interface Installation 1-74
1.19 Cards and Slots 1-74
1.19.1 Card Slot Requirements 1-75
1.19.2 Card Replacement 1-79
1.20 Software and Hardware Compatibility 1-79
CHAPTER 2 Common Control Cards 2-1
2.1 Common Control Card Overview 2-1
2.1.1 Cards Summary 2-1
2.1.2 Card Compatibility 2-3
2.1.3 Cross-Connect Card Compatibility 2-3
2.2 TCC2 Card 2-7
2.2.1 TCC2 Card Functionality 2-8
2.2.2 TCC2 Card-Level Indicators 2-9
2.2.3 Network-Level Indicators 2-10
2.2.4 Power-Level Indicators 2-11
2.3 TCC2P Card 2-11
2.3.1 TCC2P Functionality 2-12
2.3.1.1 System Timing Functions 2-13
2.3.2 TCC2P Card-Level Indicators 2-14
2.3.3 Network-Level Indicators 2-15
2.3.4 Power-Level Indicators 2-16
2.4 TCC3 Card 2-16
2.5 XCVT Card 2-16
2.5.1 XCVT Functionality 2-17
2.5.2 VT Mapping 2-18
2.5.3 XCVT Hosting DS3XM-6 or DS3XM-12 2-19
2.5.4 XCVT Card-Level Indicators 2-19
2.6 XC10G Card 2-20
2.6.1 XC10G Functionality 2-21
2.6.2 VT Mapping 2-22
2.6.3 XC10G Hosting DS3XM-6 or DS3XM-12 2-23
2.6.4 XC10G Card-Level Indicators 2-23
2.6.5 XCVT/XC10G/XC-VXC-10G Compatibility 2-24
2.7 XC-VXC-10G Card 2-24
2.7.1 XC-VXC-10G Functionality 2-25
2.7.2 VT Mapping 2-27
2.7.3 XC-VXC-10G Hosting DS3XM-6 or DS3XM-12 2-28
2.7.4 XC-VXC-10G Card-Level Indicators 2-28
2.7.5 XC-VXC-10G Compatibility 2-29
2.8 AIC-I Card 2-29
2.8.1 AIC-I Card-Level Indicators 2-30
2.8.2 External Alarms and Controls 2-31
2.8.3 Orderwire 2-32
2.8.4 Power Monitoring 2-33
2.8.5 User Data Channel 2-33
2.8.6 Data Communications Channel 2-34
CHAPTER 3 Electrical Cards 3-1
3.1 Electrical Card Overview 3-1
3.1.1 Card Summary 3-1
3.1.2 Card Compatibility 3-3
3.2 Bit Error Rate Testing 3-4
3.3 EC1-12 Card 3-5
3.3.1 EC1-12 Slots and Connectors 3-6
3.3.2 EC1-12 Faceplate and Block Diagram 3-6
3.3.3 EC1-12 Hosted by XCVT, XC10G, or XC-VXC-10G 3-7
3.3.4 EC1-12 Card-Level Indicators 3-7
3.3.5 EC1-12 Port-Level Indicators 3-7
3.4 DS1-14 and DS1N-14 Cards 3-7
3.4.1 DS1N-14 Features and Functions 3-8
3.4.2 DS1-14 and DS1N-14 Slot Compatibility 3-8
3.4.3 DS1-14 and DS1N-14 Faceplate and Block Diagram 3-8
3.4.4 DS1-14 and DS1N-14 Hosted by XCVT, XC10G, or XC-VXC-10G 3-10
3.4.5 DS1-14 and DS1N-14 Card-Level Indicators 3-10
3.4.6 DS1-14 and DS1N-14 Port-Level Indicators 3-11
3.5 DS1/E1-56 Card 3-11
3.5.1 DS1/E1-56 Slots and Connectors 3-11
3.5.2 DS1/E1-56 Faceplate and Block Diagram 3-12
3.5.3 DS1/E1-56 Card-Level Indicators 3-13
3.5.4 DS1/E1-56 Port-Level Indicators 3-14
3.6 DS3-12 and DS3N-12 Cards 3-14
3.6.1 DS3-12 and DS3N-12 Slots and Connectors 3-15
3.6.2 DS3-12 and DS3N-12 Faceplate and Block Diagram 3-15
3.6.3 DS3-12 and DS3N-12 Card-Level Indicators 3-16
3.6.4 DS3-12 and DS3N-12 Port-Level Indicators 3-17
3.7 DS3/EC1-48 Card 3-17
3.7.1 DS3/EC1-48 Slots and Connectors 3-17
3.7.2 DS3/EC1-48 Faceplate and Block Diagram 3-18
3.7.3 DS3/EC1-48 Card-Level Indicators 3-19
3.7.4 DS3/EC1-48 Port-Level Indicators 3-20
3.8 DS3i-N-12 Card 3-20
3.8.1 DS3i-N-12 Slots and Connectors 3-20
3.8.2 DS3i-N-12 Card-Level Indicators 3-22
3.8.3 DS3i-N-12 Port-Level Indicators 3-22
3.9 DS3-12E and DS3N-12E Cards 3-22
3.9.1 DS3-12E and DS3N-12E Slots and Connectors 3-23
3.9.2 DS3-12E Faceplate and Block Diagram 3-23
3.9.3 DS3-12E and DS3N-12E Card-Level Indicators 3-25
3.9.4 DS3-12E and DS3N-12E Port-Level Indicators 3-26
3.10 DS3XM-6 Card 3-26
3.10.1 DS3XM-6 Slots and Connectors 3-26
3.10.2 DS3XM-6 Faceplate and Block Diagram 3-26
3.10.3 DS3XM-6 Hosted By XCVT, XC10G, or XC-VXC-10G 3-27
3.10.4 DS3XM-6 Card-Level Indicators 3-27
3.10.5 DS3XM-6 Port-Level Indicators 3-28
3.11 DS3XM-12 Card 3-28
3.11.1 Backplane Configurations 3-28
3.11.2 Ported Mode 3-29
3.11.3 Portless Mode 3-29
3.11.4 Shelf Configurations 3-29
3.11.5 Protection Modes 3-30
3.11.6 Card Features 3-30
3.11.7 DS3XM-12 Slots and Connectors 3-31
3.11.8 DS3XM-12 Faceplate and Block Diagram 3-31
3.11.9 DS3XM-12 Card-Level Indicators 3-32
3.11.10 DS3XM-12 Port-Level Indicators 3-33
3.12 Interoperability Rules for Electrical Cards 3-33
3.12.1 Half Shelf Compatibility 3-33
3.12.2 Slot Compatibility 3-34
CHAPTER 4 Optical Cards 4-1
4.1 Optical Card Overview 4-2
4.1.1 Card Summary 4-2
4.1.2 Card Compatibility 4-4
4.2 OC3 IR 4/STM1 SH 1310 Card 4-6
4.2.1 OC3 IR 4/STM1 SH 1310 Card-Level Indicators 4-7
4.2.2 OC3 IR 4/STM1 SH 1310 Port-Level Indicators 4-8
4.3 OC3 IR/STM1 SH 1310-8 Card 4-8
4.3.1 OC3 IR/STM1 SH 1310-8 Card-Level Indicators 4-10
4.3.2 OC3 IR/STM1 SH 1310-8 Port-Level Indicators 4-10
4.4 OC12 IR/STM4 SH 1310 Card 4-10
4.4.1 OC12 IR/STM4 SH 1310 Card-Level Indicators 4-11
4.4.2 OC12 IR/STM4 SH 1310 Port-Level Indicators 4-12
4.5 OC12 LR/STM4 LH 1310 Card 4-12
4.5.1 OC12 LR/STM4 LH 1310 Card-Level Indicators 4-13
4.5.2 OC12 LR/STM4 LH 1310 Port-Level Indicators 4-14
4.6 OC12 LR/STM4 LH 1550 Card 4-14
4.6.1 OC12 LR/STM4 LH 1550 Card-Level Indicators 4-15
4.6.2 OC12 LR/STM4 LH 1550 Port-Level Indicators 4-16
4.7 OC12 IR/STM4 SH 1310-4 Card 4-16
4.7.1 OC12 IR/STM4 SH 1310-4 Card-Level Indicators 4-18
4.7.2 OC12 IR/STM4 SH 1310-4 Port-Level Indicators 4-18
4.8 OC48 IR 1310 Card 4-18
4.8.1 OC48 IR 1310 Card-Level Indicators 4-19
4.8.2 OC48 IR 1310 Port-Level Indicators 4-20
4.9 OC48 LR 1550 Card 4-20
4.9.1 OC48 LR 1550 Card-Level Indicators 4-21
4.9.2 OC48 LR 1550 Port-Level Indicators 4-22
4.10 OC48 IR/STM16 SH AS 1310 Card 4-22
4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators 4-23
4.10.2 OC48 IR/STM16 SH AS 1310 Port-Level Indicators 4-24
4.11 OC48 LR/STM16 LH AS 1550 Card 4-24
4.11.1 OC48 LR/STM16 LH AS 1550 Card-Level Indicators 4-25
4.11.2 OC48 LR/STM16 LH AS 1550 Port-Level Indicators 4-26
4.12 OC48 ELR/STM16 EH 100 GHz Cards 4-26
4.12.1 OC48 ELR 100 GHz Card-Level Indicators 4-28
4.12.2 OC48 ELR 100 GHz Port-Level Indicators 4-28
4.13 OC48 ELR 200 GHz Cards 4-28
4.13.1 OC48 ELR 200 GHz Card-Level Indicators 4-30
4.13.2 OC48 ELR 200 GHz Port-Level Indicators 4-30
4.14 OC192 SR/STM64 IO 1310 Card 4-30
4.14.1 OC192 SR/STM64 IO 1310 Card-Level Indicators 4-31
4.14.2 OC192 SR/STM64 IO 1310 Port-Level Indicators 4-32
4.15 OC192 IR/STM64 SH 1550 Card 4-32
4.15.1 OC192 IR/STM64 SH 1550 Card-Level Indicators 4-33
4.15.2 OC192 IR/STM64 SH 1550 Port-Level Indicators 4-34
4.16 OC192 LR/STM64 LH 1550 Card 4-34
4.16.1 OC192 LR/STM64 LH 1550 Card-Level Indicators 4-39
4.16.2 OC192 LR/STM64 LH 1550 Port-Level Indicators 4-39
4.17 OC192 LR/STM64 LH ITU 15xx.xx Card 4-39
4.17.1 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators 4-41
4.17.2 OC192 LR/STM64 LH ITU 15xx.xx Port-Level Indicators 4-42
4.18 15454_MRC-12 Multirate Card 4-42
4.18.1 Slot Compatibility by Cross-Connect Card 4-43
4.18.2 Ports and Line Rates 4-44
4.18.3 15454_MRC-12 Card-Level Indicators 4-46
4.18.4 15454_MRC-12 Port-Level Indicators 4-47
4.19 MRC-2.5G-4 Multirate Card 4-47
4.19.1 Slot Compatibility by Cross-Connect Card 4-49
4.19.2 Ports and Line Rates 4-49
4.19.3 MRC-2.5G-4 Card-Level Indicators 4-50
4.19.4 MRC-2.5G-4 Port-Level Indicators 4-50
4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards 4-51
4.20.1 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators 4-53
4.20.2 OC192SR1/STM64IO Short Reach and OC-192/STM-64 Any Reach Port-Level Indicators 4-53
4.21 Optical Card SFPs and XFPs 4-53
4.21.1 Compatibility by Card 4-53
4.21.2 SFP Description 4-55
4.21.3 XFP Description 4-56
4.21.4 PPM Provisioning 4-57
CHAPTER 5 Ethernet Cards 5-1
5.1 Ethernet Card Overview 5-2
5.1.1 Ethernet Cards 5-2
5.1.2 Card Compatibility 5-3
5.2 E100T-12 Card 5-4
5.2.1 Slot Compatibility 5-5
5.2.2 E100T-12 Card-Level Indicators 5-6
5.2.3 E100T-12 Port-Level Indicators 5-6
5.2.4 Cross-Connect Compatibility 5-6
5.3 E100T-G Card 5-6
5.3.1 Slot Compatibility 5-8
5.3.2 E100T-G Card-Level Indicators 5-8
5.3.3 E100T-G Port-Level Indicators 5-8
5.3.4 Cross-Connect Compatibility 5-8
5.4 E1000-2 Card 5-9
5.4.1 Slot Compatibility 5-10
5.4.2 E1000-2 Card-Level Indicators 5-10
5.4.3 E1000-2 Port-Level Indicators 5-10
5.4.4 Cross-Connect Compatibility 5-11
5.5 E1000-2-G Card 5-11
5.5.1 E1000-2-G Card-Level Indicators 5-13
5.5.2 E1000-2-G Port-Level Indicators 5-13
5.5.3 Cross-Connect Compatibility 5-13
5.6 G1K-4 Card 5-14
5.6.1 STS-24c Restriction 5-15
5.6.2 G1K-4 Compatibility 5-15
5.6.3 G1K-4 Card-Level Indicators 5-15
5.6.4 G1K-4 Port-Level Indicators 5-16
5.7 ML100T-12 Card 5-16
5.7.1 ML100T-12 Card-Level Indicators 5-17
5.7.2 ML100T-12 Port-Level Indicators 5-18
5.7.3 Cross-Connect and Slot Compatibility 5-18
5.8 ML100X-8 Card 5-18
5.8.1 ML100X-8 Card-Level Indicators 5-20
5.8.2 ML100X-8 Port-Level Indicators 5-20
5.8.3 Cross-Connect and Slot Compatibility 5-20
5.9 ML1000-2 Card 5-20
5.9.1 ML1000-2 Card-Level Indicators 5-22
5.9.2 ML1000-2 Port-Level Indicators 5-22
5.9.3 Cross-Connect and Slot Compatibility 5-22
5.10 ML-MR-10 Card 5-22
5.10.1 ML-MR-10 Card-Level Indicators 5-24
5.10.2 ML-MR-10 Port-Level Indicators 5-24
5.10.3 Cross-Connect and Slot Compatibility 5-25
5.10.4 ML-MR-10 Card-Differential Delay 5-25
5.11 CE-100T-8 Card 5-25
5.11.1 CE-100T-8 Card-Level Indicators 5-27
5.11.2 CE-100T-8 Port-Level Indicators 5-27
5.11.3 Cross-Connect and Slot Compatibility 5-27
5.12 CE-1000-4 Card 5-27
5.12.1 CE-1000-4 Card-Level Indicators 5-29
5.12.2 CE-1000-4 Port-Level Indicators 5-30
5.12.3 Cross-Connect and Slot Compatibility 5-30
5.13 CE-MR-10 Card 5-30
5.13.1 CE-MR-10 Card-Level Indicators 5-32
5.13.2 CE-MR-10 Port-Level Indicators 5-33
5.13.3 Cross-Connect and Slot Compatibility 5-33
5.13.4 CE-MR-10 Card-Differential Delay 5-33
5.14 Ethernet Card GBICs and SFPs 5-34
5.14.1 Compatibility by Card 5-34
5.14.2 Speed-Duplex Combinations on SFPs 5-35
5.14.3 GBIC Description 5-37
5.14.4 G1K-4 DWDM and CWDM GBICs 5-38
5.14.5 SFP Description 5-39
CHAPTER 6 Storage Access Networking Cards 6-1
6.1 FC_MR-4 Card Overview 6-1
6.1.1 FC_MR-4 Card-Level Indicators 6-3
6.1.2 FC_MR-4 Port-Level Indicators 6-4
6.1.3 FC_MR-4 Compatibility 6-4
6.2 FC_MR-4 Card Modes 6-4
6.2.1 Line-Rate Card Mode 6-4
6.2.2 Enhanced Card Mode 6-5
6.2.2.1 Mapping 6-5
6.2.2.2 SW-LCAS 6-5
6.2.2.3 Distance Extension 6-5
6.2.2.4 Differential Delay Features 6-6
6.2.2.5 Interoperability Features 6-6
6.2.3 Link Integrity 6-7
6.2.4 Link Recovery 6-7
6.3 FC_MR-4 Card Application 6-7
6.4 FC_MR-4 Card GBICs and SFPs 6-8
CHAPTER 7 Card Protection 7-1
7.1 Electrical Card Protection 7-1
7.1.1 1:1 Protection 7-2
7.1.2 1:N Protection 7-3
7.1.2.1 Revertive Switching 7-4
7.1.2.2 1:N Protection Guidelines 7-4
7.2 Electrical Card Protection and the Backplane 7-5
7.2.1 Standard BNC Protection 7-11
7.2.2 High-Density BNC Protection 7-11
7.2.3 MiniBNC Protection 7-12
7.2.4 SMB Protection 7-12
7.2.5 AMP Champ Protection 7-12
7.2.6 UBIC Protection 7-12
7.3 OC-N Card Protection 7-13
7.3.1 1+1 Protection 7-13
7.3.2 Optimized 1+1 Protection 7-13
7.4 Unprotected Cards 7-14
7.5 External Switching Commands 7-14
CHAPTER 8 Cisco Transport Controller Operation 8-1
8.1 CTC Software Delivery Methods 8-1
8.1.1 CTC Software Installed on the TCC2/TCC2P Card 8-1
8.1.2 CTC Software Installed on the PC or UNIX Workstation 8-3
8.2 CTC Installation Overview 8-4
8.3 PC and UNIX Workstation Requirements 8-4
8.4 ONS 15454 Connection 8-7
8.5 CTC Login 8-8
8.5.1 Legal Disclaimer 8-9
8.5.2 Login Node Group 8-9
8.6 CTC Window 8-9
8.6.1 Node View 8-10
8.6.1.1 CTC Card Colors 8-10
8.6.1.2 Node View Card Shortcuts 8-12
8.6.1.3 Node View Tabs 8-12
8.6.2 Network View 8-13
8.6.2.1 Network View Tabs 8-14
8.6.2.2 CTC Node Colors 8-15
8.6.2.3 DCC Links 8-15
8.6.2.4 Link Consolidation 8-16
8.6.3 Card View 8-16
8.6.4 Print or Export CTC Data 8-18
8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes 8-19
8.8 TCC2/TCC2P Card Reset 8-22
8.9 TCC2/TCC2P Card Database 8-22
8.10 Software Revert 8-23
CHAPTER 9 Security 9-1
9.1 User IDs and Security Levels 9-1
9.2 User Privileges and Policies 9-1
9.2.1 User Privileges by CTC Action 9-2
9.2.2 Security Policies 9-7
9.2.2.1 Superuser Privileges for Provisioning Users 9-7
9.2.2.2 Idle User Timeout 9-8
9.2.2.3 User Password, Login, and Access Policies 9-8
9.2.2.4 Secure Access 9-8
9.3 Audit Trail 9-9
9.3.1 Audit Trail Log Entries 9-9
9.3.2 Audit Trail Capacities 9-10
9.4 RADIUS Security 9-10
9.4.1 RADIUS Authentication 9-10
9.4.2 Shared Secrets 9-10
CHAPTER 10 Timing 10-1
10.1 Timing Parameters 10-1
10.2 Network Timing 10-2
10.3 Synchronization Status Messaging 10-3
10.3.1 SONET SSM Messages 10-3
10.3.2 SDH SSM Messages 10-4
CHAPTER 11 SONET Topologies and Upgrades 11-1
11.1 SONET Rings and TCC2/TCC2P Cards 11-1
11.2 Bidirectional Line Switched Rings 11-2
11.2.1 Two-Fiber BLSRs 11-2
11.2.2 Four-Fiber BLSRs 11-5
11.2.3 BLSR Bandwidth 11-8
11.2.4 BLSR Application Example 11-9
11.2.5 BLSR Fiber Connections 11-12
11.3 Path Protection 11-13
11.4 Dual-Ring Interconnect 11-18
11.4.1 BLSR DRI 11-18
11.4.2 Path Protection DRI 11-22
11.4.3 Path Protection/BLSR DRI Handoff Configurations 11-25
11.5 Comparison of the Protection Schemes 11-27
11.6 Subtending Rings 11-28
11.7 Linear ADM Configurations 11-30
11.8 Path-Protected Mesh Networks 11-30
11.9 Four-Shelf Node Configurations 11-32
11.10 STS around the Ring 11-33
11.11 OC-N Speed Upgrades 11-34
11.11.1 Span Upgrade Wizard 11-37
11.11.2 Manual Span Upgrades 11-37
11.11.3 In-Service MRC Card Upgrades 11-37
11.11.3.1 MRC-12 Multirate Card 11-38
11.11.3.2 MRC-2.5G-4 Multirate Card 11-39
11.12 In-Service Topology Upgrades 11-40
11.12.1 Unprotected Point-to-Point or Linear ADM to Path Protection 11-41
11.12.2 Point-to-Point or Linear ADM to Two-Fiber BLSR 11-42
11.12.3 Path Protection to Two-Fiber BLSR 11-42
11.12.4 Two-Fiber BLSR to Four-Fiber BLSR 11-43
11.12.5 Add or Remove a Node from a Topology 11-43
11.13 Overlay Ring Circuits 11-43
CHAPTER 12 Circuits and Tunnels 12-1
12.1 Overview 12-2
12.2 Circuit Properties 12-2
12.2.1 Concatenated STS Time Slot Assignments 12-4
12.2.2 Circuit Status 12-6
12.2.3 Circuit States 12-7
12.2.4 Circuit Protection Types 12-9
12.2.5 Circuit Information in the Edit Circuit Window 12-10
12.3 Cross-Connect Card Bandwidth 12-12
12.4 Portless Transmux 12-15
12.5 DCC Tunnels 12-16
12.5.1 Traditional DCC Tunnels 12-17
12.5.2 IP-Encapsulated Tunnels 12-18
12.6 SDH Tunneling 12-18
12.7 Multiple Destinations for Unidirectional Circuits 12-18
12.8 Monitor Circuits 12-18
12.8.1 Monitor Circuits using portless ports as a source on DS3XM-12 12-19
12.9 Path Protection Circuits 12-19
12.9.1 Open-Ended Path Protection Circuits 12-20
12.9.2 Go-and-Return Path Protection Routing 12-21
12.10 BLSR Protection Channel Access Circuits 12-21
12.11 BLSR STS and VT Squelch Tables 12-22
12.11.1 BLSR STS Squelch Table 12-22
12.11.2 BLSR VT Squelch Table 12-23
12.12 IEEE 802.17 Resilient Packet Ring Circuit Display 12-23
12.13 Section and Path Trace 12-24
12.14 Path Signal Label, C2 Byte 12-25
12.15 Automatic Circuit Routing 12-27
12.15.1 Bandwidth Allocation and Routing 12-28
12.15.2 Secondary Sources and Destinations 12-28
12.16 Manual Circuit Routing 12-29
12.17 Constraint-Based Circuit Routing 12-33
12.18 Virtual Concatenated Circuits 12-34
12.18.1 VCAT Circuit States 12-34
12.18.2 VCAT Member Routing 12-34
12.18.3 Link Capacity Adjustment 12-36
12.18.4 VCAT Circuit Size 12-37
12.18.5 Open-Ended VCAT 12-38
12.19 Bridge and Roll 12-39
12.19.1 Rolls Window 12-39
12.19.2 Roll Status 12-41
12.19.3 Single and Dual Rolls 12-42
12.19.4 Two Circuit Bridge and Roll 12-44
12.19.5 Protected Circuits 12-45
12.20 Merged Circuits 12-45
12.21 Reconfigured Circuits 12-46
12.22 VLAN Management 12-46
12.23 Server Trails 12-46
12.23.1 Server Trail Protection Types 12-47
12.23.2 VCAT Circuit Routing over Server Trails 12-47
12.23.2.1 Shared Resource Link Group 12-48
CHAPTER 13 Alarm Monitoring and Management 13-1
13.1 Overview 13-1
13.2 LCD Alarm Counts 13-1
13.3 Alarm Information 13-2
13.3.1 Viewing Alarms With Each Node’s Time Zone 13-4
13.3.2 Controlling Alarm Display 13-4
13.3.3 Filtering Alarms 13-4
13.3.4 Viewing Alarm-Affected Circuits 13-5
13.3.5 Conditions Tab 13-5
13.3.6 Controlling the Conditions Display 13-6
13.3.6.1 Retrieving and Displaying Conditions 13-6
13.3.6.2 Conditions Column Descriptions 13-6
13.3.6.3 Filtering Conditions 13-7
13.3.7 Viewing History 13-7
13.3.7.1 History Column Descriptions 13-8
13.3.7.2 Retrieving and Displaying Alarm and Condition History 13-8
13.3.8 Alarm History and Log Buffer Capacities 13-9
13.4 Alarm Severities 13-9
13.5 Alarm Profiles 13-9
13.5.1 Creating and Modifying Alarm Profiles 13-10
13.5.2 Alarm Profile Buttons 13-11
13.5.3 Alarm Profile Editing 13-12
13.5.4 Alarm Severity Options 13-12
13.5.5 Row Display Options 13-12
13.5.6 Applying Alarm Profiles 13-13
13.6 Alarm Suppression 13-13
13.6.1 Alarms Suppressed for Maintenance 13-13
13.6.2 Alarms Suppressed by User Command 13-14
13.7 External Alarms and Controls 13-14
13.7.1 External Alarms 13-14
13.7.2 User Defined Alarm Types 13-15
13.7.3 External Controls 13-15
CHAPTER 14 Management Network Connectivity 14-1
14.1 IP Networking Overview 14-2
14.2 IP Addressing Scenarios 14-2
14.2.1 IP Scenario 1: CTC and ONS 15454s on Same Subnet 14-3
14.2.2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router 14-3
14.2.3 IP Scenario 3: Using Proxy ARP to Enable an ONS 15454 Gateway 14-4
14.2.4 IP Scenario 4: Default Gateway on a CTC Computer 14-6
14.2.5 IP Scenario 5: Using Static Routes to Connect to LANs 14-7
14.2.6 IP Scenario 6: Using OSPF 14-10
14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server 14-12
14.2.8 IP Scenario 8: Dual GNEs on a Subnet 14-18
14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled 14-20
14.2.9.1 Secure Mode Behavior 14-20
14.2.9.2 Secure Node Locked and Unlocked Behavior 14-23
14.3 Routing Table 14-24
14.4 External Firewalls 14-25
14.5 Open GNE 14-27
14.6 TCP/IP and OSI Networking 14-29
14.6.1 Point-to-Point Protocol 14-30
14.6.2 Link Access Protocol on the D Channel 14-31
14.6.3 OSI Connectionless Network Service 14-31
14.6.4 OSI Routing 14-34
14.6.4.1 End System-to-Intermediate System Protocol 14-36
14.6.4.2 Intermediate System-to-Intermediate System Protocol 14-36
14.6.5 TARP 14-37
14.6.5.1 TARP Processing 14-38
14.6.5.2 TARP Loop Detection Buffer 14-39
14.6.5.3 Manual TARP Adjacencies 14-39
14.6.5.4 Manual TID to NSAP Provisioning 14-40
14.6.6 TCP/IP and OSI Mediation 14-40
14.6.7 OSI Virtual Routers 14-41
14.6.8 IP-over-CLNS Tunnels 14-43
14.6.8.1 Provisioning IP-over-CLNS Tunnels 14-44
14.6.8.2 IP-over-CLNS Tunnel Scenario 1: ONS Node to Other Vendor GNE 14-45
14.6.8.3 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router 14-46
14.6.8.4 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN 14-47
14.6.9 OSI/IP Networking Scenarios 14-49
14.6.9.1 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE 14-50
14.6.9.2 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-50
14.6.9.3 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE 14-52
14.6.9.4 OSI/IP Scenario 4: Multiple ONS DCC Areas 14-54
14.6.9.5 OSI/IP Scenario 5: GNE Without an OSI DCC Connection 14-55
14.6.9.6 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-56
14.6.9.7 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs 14-57
14.6.9.8 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs 14-59
14.6.10 Provisioning OSI in CTC 14-61
14.7 IPv6 Network Compatibility 14-62
14.8 IPv6 Native Support 14-62
14.8.1 IPv6 Enabled Mode 14-63
14.8.2 IPv6 Disabled Mode 14-63
14.8.3 IPv6 in Non-secure Mode 14-63
14.8.4 IPv6 in Secure Mode 14-64
14.8.5 IPv6 Limitations 14-64
14.9 FTP Support for ENE Database Backup 14-64
CHAPTER 15 Performance Monitoring 15-1
15.1 Threshold Performance Monitoring 15-2
15.2 Intermediate Path Performance Monitoring 15-3
15.3 Pointer Justification Count Performance Monitoring 15-4
15.4 Performance Monitoring Parameter Definitions 15-5
15.5 Performance Monitoring for Electrical Cards 15-12
15.5.1 EC1-12 Card Performance Monitoring Parameters 15-12
15.5.2 DS1/E1-56 Card Performance Monitoring Parameters 15-14
15.5.3 DS1-14 and DS1N-14 Card Performance Monitoring Parameters 15-16
15.5.3.1 DS-1 Facility Data Link Performance Monitoring 15-18
15.5.4 DS3-12 and DS3N-12 Card Performance Monitoring Parameters 15-18
15.5.5 DS3-12E and DS3N-12E Card Performance Monitoring Parameters 15-19
15.5.6 DS3i-N-12 Card Performance Monitoring Parameters 15-21
15.5.7 DS3XM-6 Card Performance Monitoring Parameters 15-23
15.5.8 DS3XM-12 Card Performance Monitoring Parameters 15-25
15.5.9 DS3/EC1-48 Card Performance Monitoring Parameters 15-27
15.6 Performance Monitoring for Ethernet Cards 15-29
15.6.1 E-Series Ethernet Card Performance Monitoring Parameters 15-29
15.6.1.1 E-Series Ethernet Statistics Window 15-29
15.6.1.2 E-Series Ethernet Utilization Window 15-31
15.6.1.3 E-Series Ethernet History Window 15-31
15.6.2 G-Series Ethernet Card Performance Monitoring Parameters 15-32
15.6.2.1 G-Series Ethernet Statistics Window 15-32
15.6.2.2 G-Series Ethernet Utilization Window 15-33
15.6.2.3 G-Series Ethernet History Window 15-34
15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters 15-34
15.6.3.1 ML-Series Ether Ports Statistics Window 15-34
15.6.3.2 ML-Series Card Ether Ports Utilization Window 15-36
15.6.3.3 ML-Series Card Ether Ports History Window 15-37
15.6.3.4 ML-Series POS Ports Window 15-37
15.6.3.5 ML-Series RPR Span Window 15-38
15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15-43
15.6.4.1 CE-Series Card Ether Port Statistics Window 15-44
15.6.4.2 CE-Series Card Ether Ports Utilization Window 15-47
15.6.4.3 CE-Series Card Ether Ports History Window 15-47
15.6.4.4 CE-Series Card POS Ports Statistics Parameters 15-47
15.6.4.5 CE-Series Card POS Ports Utilization Window 15-48
15.6.4.6 CE-Series Card POS Ports History Window 15-49
15.7 Performance Monitoring for Optical Cards 15-49
15.8 Performance Monitoring for Optical Multirate Cards 15-52
15.9 Performance Monitoring for Storage Access Networking Cards 15-53
15.9.1 FC_MR-4 Statistics Window 15-53
15.9.2 FC_MR-4 Utilization Window 15-55
15.9.3 FC_MR-4 History Window 15-56
CHAPTER 16 SNMP 16-1
16.1 SNMP Overview 16-1
16.2 Basic SNMP Components 16-2
16.3 SNMP External Interface Requirement 16-4
16.4 SNMP Version Support 16-4
16.4.1 SNMPv3 Support 16-4
16.5 SNMP Message Types 16-5
16.6 SNMP Management Information Bases 16-5
16.6.1 IETF-Standard MIBs for the ONS 15454 16-6
16.6.2 Proprietary ONS 15454 MIBs 16-7
16.6.3 Generic Threshold and Performance Monitoring MIBs 16-11
16.7 SNMP Trap Content 16-13
16.7.1 Generic and IETF Traps 16-14
16.7.2 Variable Trap Bindings 16-14
16.8 SNMPv1/v2 Community Names 16-21
16.9 SNMPv1/v2 Proxy Over Firewalls 16-21
16.10 SNMPv3 Proxy Configuration 16-21
16.11 Remote Monitoring 16-22
16.11.1 64-Bit RMON Monitoring over DCC 16-23
16.11.1.1 Row Creation in MediaIndependentTable 16-23
16.11.1.2 Row Creation in cMediaIndependentHistoryControlTable 16-23
16.11.2 HC-RMON-MIB Support 16-24
16.11.3 Ethernet Statistics RMON Group 16-24
16.11.3.1 Row Creation in etherStatsTable 16-24
16.11.3.2 Get Requests and GetNext Requests 16-24
16.11.3.3 Row Deletion in etherStatsTable 16-24
16.11.3.4 64-Bit etherStatsHighCapacityTable 16-25
16.11.4 History Control RMON Group 16-25
16.11.4.1 History Control Table 16-25
16.11.4.2 Row Creation in historyControlTable 16-25
16.11.4.3 Get Requests and GetNext Requests 16-26
16.11.4.4 Row Deletion in historyControl Table 16-26
16.11.5 Ethernet History RMON Group 16-26
16.11.5.1 64-Bit etherHistoryHighCapacityTable 16-26
16.11.6 Alarm RMON Group 16-26
16.11.6.1 Alarm Table 16-26
16.11.6.2 Row Creation in alarmTable 16-26
16.11.6.3 Get Requests and GetNext Requests 16-28
16.11.6.4 Row Deletion in alarmTable 16-28
16.11.7 Event RMON Group 16-28
16.11.7.1 Event Table 16-28
16.11.7.2 Log Table 16-29
APPENDIX A Hardware Specifications A-1
A.1 Shelf Specifications A-1
A.1.1 Bandwidth A-1
A.1.2 Configurations A-2
A.1.3 Cisco Transport Controller A-2
A.1.4 External LAN Interface A-2
A.1.5 TL1 Craft Interface A-2
A.1.6 Modem Interface A-2
A.1.7 Alarm Interface A-3
A.1.8 EIA Interface A-3
A.1.9 BITS Interface A-3
A.1.10 System Timing A-3
A.1.11 System Power A-3
A.1.12 Fan Tray A-4
A.1.13 System Environmental Specifications A-4
A.1.14 Dimensions A-4
A.2 SFP, XFP, and GBIC Specifications A-5
A.3 General Card Specifications A-7
A.3.1 Power A-7
A.3.2 Temperature A-10
A.4 Common Control Card Specifications A-12
A.4.1 TCC2 Card Specifications A-12
A.4.2 TCC2P Card Specifications A-13
A.4.3 XCVT Card Specifications A-14
A.4.4 XC10G Card Specifications A-14
A.4.5 XC-VXC-10G Card Specifications A-15
A.4.6 AIC-I Card Specifications A-15
A.4.7 AEP Specifications A-16
A.5 Electrical Card Specifications A-17
A.5.1 EC1-12 Card Specifications A-17
A.5.2 DS1-14 and DS1N-14 Card Specifications A-18
A.5.3 DS1/E1-56 Card Specifications A-19
A.5.4 DS3/EC1-48 Card Specifications A-21
A.5.5 DS3-12 and DS3N-12 Card Specifications A-22
A.5.6 DS3i-N-12 Card Specifications A-23
A.5.7 DS3-12E and DS3N-12E Card Specifications A-24
A.5.8 DS3XM-12 Card Specifications A-25
A.5.9 DS3XM-6 Card Specifications A-26
A.5.10 FILLER Card Specifications A-27
A.6 Optical Card Specifications A-28
A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications A-28
A.6.2 OC3 IR/STM1SH 1310-8 Card Specifications A-29
A.6.3 OC12 IR/STM4 SH 1310 Card Specifications A-30
A.6.4 OC12 LR/STM4 LH 1310 Card Specifications A-31
A.6.5 OC12 LR/STM4 LH 1550 Card Specifications A-32
A.6.6 OC12 IR/STM4 SH 1310-4 Specifications A-33
A.6.7 OC48 IR 1310 Card Specifications A-34
A.6.8 OC48 LR 1550 Card Specifications A-35
A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications A-36
A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications A-37
A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications A-38
A.6.12 OC48 ELR 200 GHz Card Specifications A-38
A.6.13 OC192 SR/STM64 IO 1310 Card Specifications A-39
A.6.14 OC192 IR/STM64 SH 1550 Card Specifications A-40
A.6.15 OC192 LR/STM64 LH 1550 Card Specifications A-41
A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications A-43
A.6.17 15454_MRC-12 Card Specifications A-44
A.6.18 MRC-2.5G-4 Card Specifications A-46
A.6.19 OC192SR1/STM64IO Short Reach Card Specifications A-47
A.6.20 OC192/STM64 Any Reach Card Specifications A-48
A.7 Ethernet Card Specifications A-49
A.7.1 E100T-12 Card Specifications A-49
A.7.2 E100T-G Card Specifications A-49
A.7.3 E1000-2 Card Specifications A-49
A.7.4 E1000-2-G Card Specifications A-50
A.7.5 CE-1000-4 Card Specifications A-50
A.7.6 CE-100T-8 Card Specifications A-51
A.7.7 CE-MR-10 Card Specifications A-51
A.7.8 G1K-4 Card Specifications A-51
A.7.9 ML100T-12 Card Specifications A-52
A.7.10 ML1000-2 Card Specifications A-52
A.7.11 ML100X-8 Card Specifications A-53
A.7.12 ML-MR-10 Card Specifications A-53
A.8 Storage Access Networking Card Specifications A-53
APPENDIX B Administrative and Service States B-1
B.1 Service States B-1
B.2 Administrative States B-2
B.3 Service State Transitions B-3
B.3.1 Card Service State Transitions B-3
B.3.2 Port and Cross-Connect Service State Transitions B-5
B.3.3 Pluggable Equipment Service State Transitions B-10
APPENDIX C Network Element Defaults C-1
C.1 Network Element Defaults Description C-1
C.2 Card Default Settings C-2
C.2.1 Configuration Defaults C-2
C.2.2 Threshold Defaults C-3
C.2.3 Defaults by Card C-4
C.2.3.1 DS-1 Card Default Settings C-4
C.2.3.2 DS1/E1-56 Card Default Settings C-7
C.2.3.3 DS-3 Card Default Settings C-13
C.2.3.4 DS3/EC1-48 Card Default Settings C-14
C.2.3.5 DS3E Card Default Settings C-19
C.2.3.6 DS3I Card Default Settings C-21
C.2.3.7 DS3XM-6 Card Default Settings C-23
C.2.3.8 DS3XM-12 Card Default Settings C-26
C.2.3.9 EC1-12 Card Default Settings C-30
C.2.3.10 FC_MR-4 Card Default Settings C-32
C.2.3.11 Ethernet Card Default Settings C-33
C.2.3.12 OC-3 Card Default Settings C-35
C.2.3.13 OC3-8 Card Default Settings C-38
C.2.3.14 OC-12 Card Default Settings C-42
C.2.3.15 OC12-4 Card Default Settings C-45
C.2.3.16 OC-48 Card Default Settings C-49
C.2.3.17 OC-192 Card Default Settings C-54
C.2.3.18 OC192-XFP Default Settings C-59
C.2.3.19 MRC-12 Card Default Settings C-65
C.2.3.20 MRC-2.5G-4 Card Default Settings C-82
C.3 Node Default Settings C-99
C.3.1 Time Zones C-116
C.4 CTC Default Settings C-119
INDEX
FIGURES
Figure 1-1 Optical Fiber With Exposed Ferrule 1-3
Figure 1-2 Optical Fiber Without Exposed Ferrule 1-3
Figure 1-3 Cisco ONS 15454 ANSI Dimensions 1-4
Figure 1-4 Mounting an ONS 15454 in a Rack 1-5
Figure 1-5 The ONS 15454 Front Door 1-7
Figure 1-6 Cisco ONS 15454 Deep Door 1-8
Figure 1-7 ONS 15454 Front Door Ground Strap 1-9
Figure 1-8 Removing the ONS 15454 Front Door 1-10
Figure 1-9 Front-Door Erasable Label 1-11
Figure 1-10 Laser Warning on the Front-Door Label 1-11
Figure 1-11 Backplane Covers 1-12
Figure 1-12 Removing the Lower Backplane Cover 1-12
Figure 1-13 Backplane Attachment for Cover 1-13
Figure 1-14 Installing the Plastic Rear Cover with Spacers 1-14
Figure 1-15 BNC Backplane for Use in 1:1 Protection Schemes 1-19
Figure 1-16 BNC Insertion and Removal Tool 1-20
Figure 1-17 High-Density BNC Backplane for Use in 1:N Protection Schemes 1-21
Figure 1-18 MiniBNC Backplane for Use in 1:N Protection Schemes 1-23
Figure 1-19 MiniBNC Insertion and Removal Tool 1-28
Figure 1-20 SMB EIA Backplane 1-29
Figure 1-21 AMP Champ EIA Backplane 1-30
Figure 1-22 UBIC-V Slot Designations 1-33
Figure 1-23 UBIC-H EIA Connector Labeling 1-35
Figure 1-24 DS-1 Electrical Interface Adapter (Balun) 1-39
Figure 1-25 Cable Connector Pins 1-40
Figure 1-26 UBIC-V DS-1 Cable Schematic Diagram 1-42
Figure 1-27 UBIC-V DS-3/EC-1 Cable Schematic Diagram 1-45
Figure 1-28 Cable Connector Pins 1-47
Figure 1-29 UBIC-H DS-1 Cable Schematic Diagram 1-48
Figure 1-30 UBIC-H DS-3/EC-1 Cable Schematic Diagram 1-51
Figure 1-31 100BaseT Connector Pins 1-52
Figure 1-32 Straight-Through Cable 1-52
Figure 1-33 Crossover Cable 1-53
Figure 1-34 Managing Cables on the Front Panel 1-54
Figure 1-35 Fiber Capacity 1-54
Figure 1-36 Tie-Down Bar 1-55
Figure 1-37 AEP Printed Circuit Board Assembly 1-57
Figure 1-38 AEP Block Diagram 1-57
Figure 1-39 AEP Wire-Wrap Connections to Backplane Pins 1-58
Figure 1-40 Alarm Input Circuit Diagram 1-59
Figure 1-41 Alarm Output Circuit Diagram 1-60
Figure 1-42 Detectable Filler Card Faceplate 1-62
Figure 1-43 Filler Plus Card Faceplate 1-63
Figure 1-44 Filler Plus Card with Fiber Storage Bracket 1-64
Figure 1-45 Ground Posts on the ONS 15454 Backplane 1-69
Figure 1-46 ONS 15454 Backplane Pinouts (Release 3.4 or Later) 1-71
Figure 1-47 ONS 15454 Backplane Pinouts 1-72
Figure 1-48 Installing Cards in the ONS 15454 1-75
Figure 2-1 TCC2 Card Faceplate and Block Diagram 2-8
Figure 2-2 TCC2P Faceplate and Block Diagram 2-12
Figure 2-3 XCVT Faceplate and Block Diagram 2-17
Figure 2-4 XCVT Cross-Connect Matrix 2-18
Figure 2-5 XC10G Faceplate and Block Diagram 2-21
Figure 2-6 XC10G Cross-Connect Matrix 2-22
Figure 2-7 XC-VXC-10G Faceplate and Block Diagram 2-25
Figure 2-8 XC-VXC-10G Cross-Connect Matrix 2-27
Figure 2-9 AIC-I Faceplate and Block Diagram 2-30
Figure 2-10 RJ-11 Connector 2-33
Figure 3-1 EC1-12 Faceplate and Block Diagram 3-6
Figure 3-2 DS1-14 Faceplate and Block Diagram 3-9
Figure 3-3 DS1N-14 Faceplate and Block Diagram 3-10
Figure 3-4 DS1/E1-56 Faceplate and Block Diagram 3-13
Figure 3-5 DS3-12 Faceplate and Block Diagram 3-15
Figure 3-6 DS3N-12 Faceplate and Block Diagram 3-16
Figure 3-7 DS3/EC1-48 Faceplate and Block Diagram 3-19
Figure 3-8 DS3i-N-12 Faceplate and Block Diagram 3-21
Figure 3-9 DS3-12E Faceplate and Block Diagram 3-24
Figure 3-10 DS3N-12E Faceplate and Block Diagram 3-25
Figure 3-11 DS3XM-6 Faceplate and Block Diagram 3-27
Figure 3-12 DS3XM-12 Faceplate and Block Diagram 3-32
Figure 4-1 OC3 IR 4/STM1 SH 1310 Faceplate and Block Diagram 4-7
Figure 4-2 OC3IR/STM1 SH 1310-8 Faceplate and Block Diagram 4-9
Figure 4-3 OC12 IR/STM4 SH 1310 Faceplate and Block Diagram 4-11
Figure 4-4 OC12 LR/STM4 LH 1310 Faceplate and Block Diagram 4-13
Figure 4-5 OC12 LR/STM4 LH 1550 Faceplate and Block Diagram 4-15
Figure 4-6 OC12 IR/STM4 SH 1310-4 Faceplate and Block Diagram 4-17
Figure 4-7 OC48 IR 1310 Faceplate and Block Diagram 4-19
Figure 4-8 OC48 LR 1550 Faceplate and Block Diagram 4-21
Figure 4-9 OC48 IR/STM16 SH AS 1310 Faceplate and Block Diagram 4-23
Figure 4-10 OC48 LR/STM16 LH AS 1550 Faceplate and Block Diagram 4-25
Figure 4-11 OC48 ELR/STM16 EH 100 GHz Faceplate and Block Diagram 4-27
Figure 4-12 OC48 ELR 200 GHz Faceplate and Block Diagram 4-29
Figure 4-13 OC192 SR/STM64 IO 1310 Faceplate and Block Diagram 4-31
Figure 4-14 OC192 IR/STM64 SH 1550 Faceplate and Block Diagram 4-33
Figure 4-15 OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate and Block Diagram 4-35
Figure 4-16 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate 4-36
Figure 4-17 OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate and Block Diagram 4-37
Figure 4-18 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate 4-38
Figure 4-19 OC192 LR/STM64 LH ITU 15xx.xx Faceplate 4-40
Figure 4-20 OC192 LR/STM64 LH ITU 15xx.xx Block Diagram 4-41
Figure 4-21 15454_MRC-12 Card Faceplate and Block Diagram 4-43
Figure 4-22 MRC-2.5G-4 Card Faceplate and Block Diagram 4-48
Figure 4-23 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card Faceplates and Block Diagram 4-52
Figure 4-24 Mylar Tab SFP 4-55
Figure 4-25 Actuator/Button SFP 4-55
Figure 4-26 Bail Clasp SFP 4-55
Figure 4-27 Bail Clasp XFP (Unlatched) 4-56
Figure 4-28 Bail Clasp XFP (Latched) 4-56
Figure 5-1 E100T-12 Faceplate and Block Diagram 5-5
Figure 5-2 E100T-G Faceplate and Block Diagram 5-7
Figure 5-3 E1000-2 Faceplate and Block Diagram 5-9
Figure 5-4 E1000-2-G Faceplate and Block Diagram 5-12
Figure 5-5 G1K-4 Faceplate and Block Diagram 5-14
Figure 5-6 ML100T-12 Faceplate and Block Diagram 5-17
Figure 5-7 ML100X-8 Faceplate and Block Diagram 5-19
Figure 5-8 ML1000-2 Faceplate and Block Diagram 5-21
Figure 5-9 ML-MR-10 Faceplate and Block Diagram 5-23
Figure 5-10 CE-100T-8 Faceplate and Block Diagram 5-26
Figure 5-11 CE-1000-4 Faceplate and Block Diagram 5-29
Figure 5-12 CE-MR-10 Faceplate and Block Diagram 5-32
Figure 5-13 GBICs with Clips (left) and with a Handle (right) 5-37
Figure 5-14 CWDM GBIC with Wavelength Appropriate for Fiber-Connected Device 5-39
Figure 5-15 G-Series with CWDM/DWDM GBICs in Cable Network 5-39
Figure 5-16 Mylar Tab SFP 5-40
Figure 5-17 Actuator/Button SFP 5-40
Figure 5-18 Bail Clasp SFP 5-40
Figure 6-1 FC_MR-4 Faceplate and Block Diagram 6-3
Figure 7-1 Example: ONS 15454 Cards in a 1:1 Protection Configuration (SMB EIA) 7-2
Figure 7-2 Example: ONS 15454 Cards in a 1:N Protection Configuration (SMB EIA) 7-3
Figure 7-3 Unprotected Low-Density Electrical Card Schemes for EIA Types 7-7
Figure 7-4 Unprotected High-Density Electrical Card Schemes for EIA Types 7-8
Figure 7-5 1:1 Protection Schemes for Low-Density Electrical Cards with EIA Types 7-9
Figure 7-6 1:N Protection Schemes for Low-Density Electrical Cards with EIA Types 7-10
Figure 7-7 1:1 Protection Schemes for High-Density Electrical Cards with UBIC or MiniBNC EIA Types 7-11
Figure 7-8 ONS 15454 in an Unprotected Configuration 7-14
Figure 8-1 CTC Software Versions, Node View 8-2
Figure 8-2 CTC Software Versions, Network View 8-3
Figure 8-3 Node View (Default Login View) 8-10
Figure 8-4 Terminal Loopback Indicator 8-12
Figure 8-5 Facility Loopback Indicator 8-12
Figure 8-6 Network in CTC Network View 8-14
Figure 8-7 CTC Card View Showing a DS1 Card 8-17
Figure 8-8 Static IP-Over-CLNS Tunnels 8-20
Figure 8-9 TL1 Tunnels 8-21
Figure 10-1 ONS 15454 Timing Example 10-2
Figure 11-1 Four-Node, Two-Fiber BLSR 11-3
Figure 11-2 Four-Node, Two-Fiber BLSR Traffic Pattern Sample 11-4
Figure 11-3 Four-Node, Two-Fiber BLSR Traffic Pattern Following Line Break 11-5
Figure 11-4 Four-Node, Four-Fiber BLSR 11-6
Figure 11-5 Four-Fiber BLSR Span Switch 11-7
Figure 11-6 Four-Fiber BLSR Ring Switch 11-8
Figure 11-7 BLSR Bandwidth Reuse 11-9
Figure 11-8 Five-Node Two-Fiber BLSR 11-10
Figure 11-9 Shelf Assembly Layout for Node 0 in Figure 11-8 11-11
Figure 11-10 Shelf Assembly Layout for Nodes 1 to 4 in Figure 11-8 11-11
Figure 11-11 Connecting Fiber to a Four-Node, Two-Fiber BLSR 11-12
Figure 11-12 Connecting Fiber to a Four-Node, Four-Fiber BLSR 11-13
Figure 11-13 Basic Four-Node Path Protection 11-14
Figure 11-14 Path Protection with a Fiber Break 11-15
Figure 11-15 Four-Port, OC-3 Path Protection 11-16
Figure 11-16 Layout of Node ID 0 in the OC-3 Path Protection Example in Figure 11-15 11-17
Figure 11-17 Layout of Node IDs 1 to 3 in the OC-3 Path Protection Example in Figure 11-15 11-17
Figure 11-18 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Same-Side Routing) 11-19
Figure 11-19 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Opposite-Side Routing) 11-20
Figure 11-20 ONS 15454 Integrated BLSR Dual-Ring Interconnect 11-21
Figure 11-21 Integrated BLSR DRI on the Edit Circuits Window 11-22
Figure 11-22 ONS 15454 Traditional Path Protection Dual-Ring Interconnect 11-23
Figure 11-23 ONS 15454 Integrated Path Protection Dual-Ring Interconnect 11-24
Figure 11-24 ONS 15454 Path Protection to BLSR Traditional DRI Handoff 11-25
Figure 11-25 ONS 15454 Path Protection to BLSR Integrated DRI Handoff 11-26
Figure 11-26 Path Protection to BLSR Integrated DRI Handoff on the Detailed Circuit Map 11-27
Figure 11-27 ONS 15454 with Multiple Subtending Rings 11-28
Figure 11-28 Path Protection Subtending from a BLSR 11-29
Figure 11-29 BLSR Subtending from a BLSR 11-29
Figure 11-30 Linear (Point-to-Point) ADM Configuration 11-30
Figure 11-31 Path-Protected Mesh Network 11-31
Figure 11-32 PPMN Virtual Ring 11-32
Figure 11-33 Four-Shelf Node Configuration 11-33
Figure 11-34 STS Around the Ring 11-34
Figure 11-35 Unprotected Point-to-Point ADM to Path Protection Conversion 11-42
Figure 11-36 Overlay Ring Circuit 11-44
Figure 12-1 ONS 15454 Circuit Window in Network View 12-4
Figure 12-2 BLSR Circuit Displayed on the Detailed Circuit Map 12-12
Figure 12-3 One VT1.5 Circuit on One STS 12-13
Figure 12-4 Two VT1.5 Circuits in a BLSR 12-14
Figure 12-5 Traditional DCC Tunnel 12-17
Figure 12-6 VT1.5 Monitor Circuit Received at an EC1-12 Port 12-19
Figure 12-7 Editing Path Protection Selectors 12-20
Figure 12-8 Path Protection Go-and-Return Routing 12-21
Figure 12-9 Secondary Sources and Destinations 12-29
Figure 12-10 Alternate Paths for Virtual Path Protection Segments 12-30
Figure 12-11 Mixing 1+1 or BLSR Protected Links With a Path Protection Configuration 12-30
Figure 12-12 Ethernet Shared Packet Ring Routing 12-31
Figure 12-13 Ethernet and Path Protection 12-31
Figure 12-14 VCAT Common Fiber Routing 12-35
Figure 12-15 VCAT Split Fiber Routing 12-35
Figure 12-16 Open-Ended VCAT 12-39
Figure 12-17 Rolls Window 12-40
Figure 12-18 Single Source Roll 12-42
Figure 12-19 Single Destination Roll 12-43
Figure 12-20 Single Roll from One Circuit to Another Circuit (Destination Changes) 12-43
Figure 12-21 Single Roll from One Circuit to Another Circuit (Source Changes) 12-43
Figure 12-22 Dual Roll to Reroute a Link 12-44
Figure 12-23 Dual Roll to Reroute to a Different Node 12-44
Figure 13-1 Shelf LCD Panel 13-2
Figure 13-2 Select Affected Circuits Option 13-5
Figure 13-3 Network View Alarm Profiles Window 13-10
Figure 13-4 DS1 Card Alarm Profile 13-13
Figure 14-1 IP Scenario 1: CTC and ONS 15454s on Same Subnet 14-3
Figure 14-2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router 14-4
Figure 14-3 IP Scenario 3: Using Proxy ARP 14-5
Figure 14-4 IP Scenario 3: Using Proxy ARP with Static Routing 14-6
Figure 14-5 IP Scenario 4: Default Gateway on a CTC Computer 14-7
Figure 14-6 IP Scenario 5: Static Route With One CTC Computer Used as a Destination 14-8
Figure 14-7 IP Scenario 5: Static Route With Multiple LAN Destinations 14-9
Figure 14-8 IP Scenario 6: OSPF Enabled 14-11
Figure 14-9 IP Scenario 6: OSPF Not Enabled 14-12
Figure 14-10 SOCKS Proxy Server Gateway Settings 14-13
Figure 14-11 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on the Same Subnet 14-15
Figure 14-12 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on Different Subnets 14-16
Figure 14-13 IP Scenario 7: ONS 15454 SOCKS Proxy Server With ENEs on Multiple Rings 14-17
Figure 14-14 IP Scenario 8: Dual GNEs on the Same Subnet 14-19
Figure 14-15 IP Scenario 8: Dual GNEs on Different Subnets 14-20
Figure 14-16 IP Scenario 9: ONS 15454 GNE and ENEs on the Same Subnet with Secure Mode Enabled 14-22
Figure 14-17 IP Scenario 9: ONS 15454 GNE and ENEs on Different Subnets with Secure Mode Enabled 14-23
Figure 14-18 Proxy and Firewall Tunnels for Foreign Terminations 14-28
Figure 14-19 Foreign Node Connection to an ENE Ethernet Port 14-29
Figure 14-20 ISO-DCC NSAP Address 14-33
Figure 14-21 OSI Main Setup 14-34
Figure 14-22 Level 1 and Level 2 OSI Routing 14-35
Figure 14-23 Manual TARP Adjacencies 14-40
Figure 14-24 T–TD Protocol Flow 14-41
Figure 14-25 FT–TD Protocol Flow 14-41
Figure 14-26 Provisioning OSI Routers 14-42
Figure 14-27 IP-over-CLNS Tunnel Flow 14-44
Figure 14-28 IP-over-CLNS Tunnel Scenario 1: ONS NE to Other Vendor GNE 14-46
Figure 14-29 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router 14-47
Figure 14-30 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN 14-49
Figure 14-31 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE 14-50
Figure 14-32 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-51
Figure 14-33 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE 14-53
Figure 14-34 OSI/IP Scenario 3 with OSI/IP-over-CLNS Tunnel Endpoint at the GNE 14-54
Figure 14-35 OSI/IP Scenario 4: Multiple ONS DCC Areas 14-55
Figure 14-36 OSI/IP Scenario 5: GNE Without an OSI DCC Connection 14-56
Figure 14-37 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-57
Figure 14-38 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs 14-58
Figure 14-39 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs 14-60
Figure 14-40 IPv6-IPv4 Interaction 14-62
Figure 15-1 TCAs Displayed in CTC 15-2
Figure 15-2 Monitored Signal Types for the EC1-12 Card 15-13
Figure 15-3 PM Read Points on the EC1-12 Card 15-13
Figure 15-4 Monitored Signal Types for the DS1/E1-56 Card 15-14
Figure 15-5 PM Read Points on the DS1/E1-56 Card 15-15
Figure 15-6 Monitored Signal Types for the DS1-14 and DS1N-14 Cards 15-16
Figure 15-7 PM Read Points on the DS1-14 and DS1N-14 Cards 15-17
Figure 15-8 Monitored Signal Types for the DS3-12 and DS3N-12 Cards 15-18
Figure 15-9 PM Read Points on the DS3-12 and DS3N-12 Cards 15-19
Figure 15-10 Monitored Signal Types for the DS3-12E and DS3N-12E Cards 15-20
Figure 15-11 PM Read Points on the DS3-12E and DS3N-12E Cards 15-20
Figure 15-12 Monitored Signal Types for the DS3i-N-12 Cards 15-21
Figure 15-13 PM Read Points on the DS3i-N-12 Cards 15-22
Figure 15-14 Monitored Signal Types for the DS3XM-6 Card 15-23
Figure 15-15 PM Read Points on the DS3XM-6 Card 15-24
Figure 15-16 Monitored Signal Types for the DS3XM-12 Card 15-25
Figure 15-17 PM Read Points on the DS3XM-12 Card 15-26
Figure 15-18 Monitored Signal Types for the DS3/EC1-48 Card 15-27
Figure 15-19 PM Read Points on the DS3/EC1-48 Card 15-28
Figure 15-20 Monitored Signal Types for the OC-3 Cards 15-49
Figure 15-21 PM Read Points on the OC-3 Cards 15-50
Figure 15-22 PM Read Points for the MRC-12 and the MRC-2.5G-4 Cards 15-52
Figure 16-1 Basic Network Managed by SNMP 16-2
Figure 16-2 Example of the Primary SNMP Components 16-3
Figure 16-3 Agent Gathering Data from a MIB and Sending Traps to the Manager 16-3
TABLES
Table 1-1 EIA Types Compatible with the 15454-SA-ANSI Only 1-16
Table 1-2 EIA Configurations Compatible with the 15454-SA-ANSI and the 15454-SA-HD 1-17
Table 1-3 MiniBNC Protection Types and Slots 1-22
Table 1-4 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (A Side) 1-24
Table 1-5 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side) 1-25
Table 1-6 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side) 1-26
Table 1-7 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side) 1-27
Table 1-8 AMP Champ Connector Pin Assignments 1-31
Table 1-9 AMP Champ Connector Pin Assignments (Shielded DS-1 Cable) 1-32
Table 1-10 UBIC-V Protection Types and Slots 1-34
Table 1-11 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (A Side) 1-36
Table 1-12 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side) 1-36
Table 1-13 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side) 1-37
Table 1-14 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side) 1-37
Table 1-15 UBIC-H Protection Types and Slots 1-38
Table 1-16 UBIC-V DS-1 SCSI Connector Pin Out 1-41
Table 1-17 UBIC-V DS-1 Tip/Ring Color Coding 1-43
Table 1-18 UBIC-V DS-3/EC-1 SCSI Connector Pin Out 1-43
Table 1-19 UBIC-H DS-1 SCSI Connector Pin Out 1-47
Table 1-20 UBIC-H DS-1 Tip/Ring Color Coding 1-49
Table 1-21 UBIC-H DS-3/EC-1 SCSI Connector Pin Out 1-49
Table 1-22 E100-TX Connector Pinout 1-52
Table 1-23 Fiber Channel Capacity (One Side of the Shelf) 1-55
Table 1-24 Pin Assignments for the AEP 1-58
Table 1-25 Alarm Input Pin Association 1-59
Table 1-26 Pin Association for Alarm Output Pins 1-60
Table 1-27 Fan Tray Units for ONS 15454 Cards 1-65
Table 1-28 Pilot Fuse Ratings 1-68
Table 1-29 BITS External Timing Pin Assignments 1-73
Table 1-30 LAN Pin Assignments 1-74
Table 1-31 Craft Interface Pin Assignments 1-74
Table 1-32 Slot and Card Symbols 1-76
Table 1-33 Card Ports, Line Rates, and Connectors 1-77
Table 1-34 ONS 15454 Software and Hardware Compatibility—XC and XCVT Configurations 1-80
Table 1-35 ONS 15454 Software and Hardware Compatibility—XC10G and XC-VXC-10G Configurations 1-84
Table 2-1 Common Control Card Functions 2-2
Table 2-2 Common-Control Card Software Release Compatibility 2-3
Table 2-3 Common-Control Card Cross-Connect Compatibility 2-4
Table 2-4 Electrical Card Cross-Connect Compatibility 2-5
Table 2-5 Optical Card Cross-Connect Compatibility 2-6
Table 2-6 Ethernet Card Cross-Connect Compatibility 2-6
Table 2-7 SAN Card Cross-Connect Compatibility 2-7
Table 2-8 TCC2 Card-Level Indicators 2-10
Table 2-9 TCC2 Network-Level Indicators 2-10
Table 2-10 TCC2 Power-Level Indicators 2-11
Table 2-11 TCC2P Card-Level Indicators 2-15
Table 2-12 TCC2P Network-Level Indicators 2-15
Table 2-13 TCC2P Power-Level Indicators 2-16
Table 2-14 VT Mapping 2-18
Table 2-15 XCVT Card-Level Indicators 2-20
Table 2-16 VT Mapping 2-22
Table 2-17 XC10G Card-Level Indicators 2-23
Table 2-18 VT Mapping 2-27
Table 2-19 XC-VXC-10G Card-Level Indicators 2-28
Table 2-20 AIC-I Card-Level Indicators 2-30
Table 2-21 Orderwire Pin Assignments 2-33
Table 2-22 UDC Pin Assignments 2-34
Table 2-23 DCC Pin Assignments 2-34
Table 3-1 Cisco ONS 15454 Electrical Cards 3-2
Table 3-2 Electrical Card Software Release Compatibility 3-3
Table 3-3 Enabling BERT on Line Side and Backplane Side 3-5
Table 3-4 EC1-12 Card-Level Indicators 3-7
Table 3-5 DS1-14 and DS1N-14 Card-Level Indicators 3-11
Table 3-6 DS1/E1-56 Slot Restrictions 3-12
Table 3-7 DS1/E1-56 Card-Level Indicators 3-14
Table 3-8 DS3-12 and DS3N-12 Card-Level Indicators 3-16
Table 3-9 DS3/EC1-48 Slot Restrictions 3-17
Table 3-10 DS3/EC1-48 Card-Level Indicators 3-20
Table 3-11 DS3i-N-12 Card-Level Indicators 3-22
Table 3-12 DS3-12E and DS3N-12E Card-Level Indicators 3-25
Table 3-13 DS3XM-6 Card-Level Indicators 3-28
Table 3-14 DS3XM-12 Shelf Configurations 3-29
Table 3-15 DS3XM-12 Features 3-30
Table 3-16 DS3XM-12 Card-Level Indicators 3-33
Table 4-1 Optical Cards for the ONS 15454 4-2
Table 4-2 Optical Card Software Release Compatibility 4-5
Table 4-3 OC3 IR 4/STM1 SH 1310 Card-Level Indicators 4-8
Table 4-4 OC3IR/STM1 SH 1310-8 Card-Level Indicators 4-10
Table 4-5 OC12 IR/STM4 SH 1310 Card-Level Indicators 4-12
Table 4-6 OC12 LR/STM4 LH 1310 Card-Level Indicators 4-14
Table 4-7 OC12 LR/STM4 LH 1550 Card-Level Indicators 4-16
Table 4-8 OC12 IR/STM4 SH 1310-4 Card-Level Indicators 4-18
Table 4-9 OC48 IR 1310 Card-Level Indicators 4-20
Table 4-10 OC48 LR 1550 Card-Level Indicators 4-22
Table 4-11 OC48 IR/STM16 SH AS 1310 Card-Level Indicators 4-24
Table 4-12 OC48 LR/STM16 LH AS 1550 Card-Level Indicators 4-26
Table 4-13 OC48 ELR/STM16 EH 100 GHz Card-Level Indicators 4-28
Table 4-14 OC48 ELR 200 GHz Card-Level Indicators 4-30
Table 4-15 OC192 SR/STM64 IO 1310 Card-Level Indicators 4-32
Table 4-16 OC192 IR/STM64 SH 1550 Card-Level Indicators 4-34
Table 4-17 OC192 LR/STM64 LH 1550 Card-Level Indicators 4-39
Table 4-18 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators 4-42
Table 4-19 Maximum Bandwidth by Shelf Slot for the 15454_MRC-12 in Different Cross-Connect Configurations 4-44
Table 4-20 Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth 4-45
Table 4-21 15454_MRC-12 Card-Level Indicators 4-47
Table 4-22 Maximum Bandwidth by Shelf Slot for the MRC-2.5G-4 in Different Cross-Connect Configurations 4-49
Table 4-23 Line Rate Configurations Per 15454_MRC- 4 Port, Based on Available Bandwidth 4-50
Table 4-24 MRC-2.5G-4 Card-Level Indicators 4-50
Table 4-25 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators 4-53
Table 4-26 SFP and XFP Card Compatibility 4-54
Table 4-27 LED Based SFPs 4-54
Table 5-1 Ethernet Cards for the ONS 15454 5-2
Table 5-2 Ethernet Card Software Compatibility 5-3
Table 5-3 E100T-12 Card-Level Indicators 5-6
Table 5-4 E100T-12 Port-Level Indicators 5-6
Table 5-5 E100T-G Card-Level Indicators 5-8
Table 5-6 E100T-G Port-Level Indicators 5-8
Table 5-7 E1000-2 Card-Level Indicators 5-10
Table 5-8 E1000-2 Port-Level Indicators 5-11
Table 5-9 E1000-2-G Card-Level Indicators 5-13
Table 5-10 E1000-2-G Port-Level Indicators 5-13
Table 5-11 G1K-4 Card-Level Indicators 5-15
Table 5-12 G1K-4 Port-Level Indicators 5-16
Table 5-13 ML100T-12 Card-Level Indicators 5-18
Table 5-14 ML100T-12 Port-Level Indicators 5-18
Table 5-15 ML100X-8 Card-Level Indicators 5-20
Table 5-16 ML100X-8 Port-Level Indicators 5-20
Table 5-17 ML1000-2 Card-Level Indicators 5-22
Table 5-18 ML1000-2 Port-Level Indicators 5-22
Table 5-19 ML-MR-10 Card-Level Indicators 5-24
Table 5-20 ML-MR-10 Port-Level Indicators 5-24
Table 5-21 CE-100T-8 Card-Level Indicators 5-27
Table 5-22 CE-100T-8 Port-Level Indicators 5-27
Table 5-23 CE-1000-4 Card-Level Indicators 5-30
Table 5-24 CE-1000-4 Port-Level Indicators 5-30
Table 5-25 CE-MR-10 Card-Level Indicators 5-33
Table 5-26 CE-MR-10 Port-Level Indicators 5-33
Table 5-27 Available GBICs 5-34
Table 5-28 Available SFPs and XFPs 5-34
Table 5-29 Speed-Duplex Matrix for Electrical 10/100/1000Base-T SFPs 5-35
Table 5-30 Speed-Duplex Matrix for Optical 1000BaseSX/LX/ZX SFPs 5-36
Table 5-31 Speed-Duplex Matrix for Optical 100Base FX/LX10/BX-D/BX-U SFPs 5-36
Table 5-32 Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP 5-36
Table 5-33 Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP 5-37
Table 5-34 Supported Wavelengths for CWDM GBICs 5-38
Table 5-35 Supported Wavelengths for DWDM GBICs 5-38
Table 6-1 FC_MR-4 Card-Level Indicators 6-3
Table 6-2 GBIC and SFP Compatibility 6-8
Table 7-1 Supported 1:1 Protection by Electrical Card 7-2
Table 7-2 Supported 1:N Protection by Electrical Card 7-3
Table 7-3 EIA Connectors Per Side 7-5
Table 7-4 Electrical Card Protection By EIA Type 7-6
Table 8-1 JRE Compatibility 8-5
Table 8-2 CTC Computer Requirements 8-5
Table 8-3 ONS 15454 Connection Methods 8-8
Table 8-4 Node View Card Colors 8-10
Table 8-5 Node View Card Statuses 8-11
Table 8-6 Node View Card Port Colors and Service States 8-11
Table 8-7 Node View Tabs and Subtabs 8-12
Table 8-8 Network View Tabs and Subtabs 8-14
Table 8-9 Node Status Shown in Network View 8-15
Table 8-10 DCC Colors Indicating State in Network View 8-15
Table 8-11 Link Icons 8-16
Table 8-12 Card View Tabs and Subtabs 8-17
Table 8-13 TL1 and Static IP-Over-CLNS Tunnels Comparison 8-21
Table 9-1 ONS 15454 Security Levels—Node View 9-2
Table 9-2 ONS 15454 Security Levels—Network View 9-6
Table 9-3 ONS 15454 Default User Idle Times 9-8
Table 9-4 Audit Trail Window Columns 9-9
Table 9-5 Shared Secret Character Groups 9-11
Table 10-1 SONET SSM Generation 1 Message Set 10-3
Table 10-2 SONET SSM Generation 2 Message Set 10-3
Table 10-3 SDH SSM Messages 10-4
Table 11-1 ONS 15454 Rings with Redundant TCC2/TCC2P Cards 11-2
Table 11-2 Two-Fiber BLSR Capacity 11-8
Table 11-3 Four-Fiber BLSR Capacity 11-9
Table 11-4 Comparison of the Protection Schemes 11-27
Table 11-5 Slot 5, 6, 12, and 13 Upgrade Options 11-35
Table 11-6 Upgrade Options for Slots 1 through 4 and 14 through 17 11-36
Table 11-7 MRC-12 Card Upgrade Matrix 11-38
Table 11-8 MRC-2.5G-4 Card Upgrade Matrix 11-39
Table 12-1 STS Mapping Using CTC 12-4
Table 12-2 ONS 15454 Circuit Status 12-6
Table 12-3 Circuit Protection Types 12-9
Table 12-4 Port State Color Indicators 12-11
Table 12-5 VT Matrix Port Usage for One VT1.5 Circuit 12-15
Table 12-6 Portless Transmux Mapping for XCVT Drop Ports 12-16
Table 12-7 Portless Transmux Mapping for XCVT Trunk and XC10G/XC-VXC-10G Any-Slot Ports 12-16
Table 12-8 DCC Tunnels 12-17
Table 12-9 ONS 15454 Cards Capable of J1 Path Trace 12-25
Table 12-10 STS Path Signal Label Assignments for Signals 12-26
Table 12-11 STS Path Signal Label Assignments for Signals with Payload Defects 12-26
Table 12-12 Bidirectional STS/VT/Regular Multicard EtherSwitch/Point-to-Point (Straight) Ethernet Circuits 12-31
Table 12-13 Unidirectional STS/VT Circuit 12-32
Table 12-14 Multicard Group Ethernet Shared Packet Ring Circuit 12-32
Table 12-15 Bidirectional VT Tunnels 12-32
Table 12-16 Switch Times 12-36
Table 12-17 ONS 15454 Card VCAT Circuit Rates and Members 12-37
Table 12-18 ONS 15454 VCAT Card Capabilities 12-38
Table 12-19 Roll Statuses 12-41
Table 13-1 Alarms Column Descriptions 13-2
Table 13-2 Color Codes for Alarm and Condition Severities 13-3
Table 13-3 Alarm Display 13-4
Table 13-4 Conditions Display 13-6
Table 13-5 Conditions Column Description 13-6
Table 13-6 History Column Description 13-8
Table 13-7 Alarm Profile Buttons 13-11
Table 13-8 Alarm Profile Editing Options 13-12
Table 14-1 General ONS 15454 IP Troubleshooting Checklist 14-2
Table 14-2 ONS 15454 Gateway and End NE Settings 14-15
Table 14-3 SOCKS Proxy Server Firewall Filtering Rules 14-17
Table 14-4 SOCKS Proxy Server Firewall Filtering Rules When Packet Addressed to the ONS 15454 14-18
Table 14-5 Sample Routing Table Entries 14-24
Table 14-6 Ports Used by the TCC2/TCC2P 14-25
Table 14-7 TCP/IP and OSI Protocols 14-30
Table 14-8 NSAP Fields 14-32
Table 14-9 TARP PDU Fields 14-37
Table 14-10 TARP PDU Types 14-37
Table 14-11 TARP Timers 14-38
Table 14-12 TARP Processing Flow 14-39
Table 14-13 OSI Virtual Router Constraints 14-43
Table 14-14 IP-over-CLNS Tunnel IOS Commands 14-45
Table 14-15 OSI Actions from the CTC Provisioning Tab 14-61
Table 14-16 OSI Actions from the CTC Maintenance Tab 14-61
Table 14-17 Differences Between an IPv6 Node and an IPv4 Node 14-63
Table 15-1 Electrical Cards that Report RX and TX Direction for TCAs 15-3
Table 15-2 ONS 15454 Line Terminating Equipment 15-3
Table 15-3 Performance Monitoring Parameters 15-5
Table 15-4 EC1-12 Card PMs 15-14
Table 15-5 DS1/E1-56 Card PMs 15-16
Table 15-6 DS1-14 and DS1N-14 Card PMs 15-17
Table 15-7 DS3-12 and DS3N-12 Card PMs 15-19
Table 15-8 DS3-12E and DS3N-12E Card PMs 15-21
Table 15-9 DS3i-N-12 Card PMs 15-22
Table 15-10 DS3XM-6 Card PMs 15-24
Table 15-11 DS3XM-12 Card PMs 15-26
Table 15-12 DS3/EC1-48 Card PMs 15-28
Table 15-13 E-Series Ethernet Statistics Parameters 15-29
Table 15-14 maxBaseRate for STS Circuits 15-31
Table 15-15 Ethernet History Statistics per Time Interval 15-31
Table 15-16 G-Series Ethernet Statistics Parameters 15-32
Table 15-17 ML-Series Ether Ports PM Parameters 15-34
Table 15-18 ML-Series POS Ports Parameters for HDLC Mode 15-37
Table 15-19 ML-Series POS Ports Parameters for GFP-F Mode 15-38
Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB 15-38
Table 15-21 CE-Series Ether Port PM Parameters 15-44
Table 15-22 CE-Series Card POS Ports Parameters 15-47
Table 15-23 OC-3 Card PMs 15-50
Table 15-24 OC3-8 Card PMs 15-51
Table 15-25 OC-12, OC-48, OC-192, OC-192-XFP Card PMs 15-51
Table 15-26 Table of Border Error Rates 15-52
Table 15-27 MRC Card PMs 15-53
Table 15-28 FC_MR-4 Card Statistics 15-53
Table 15-29 maxBaseRate for STS Circuits 15-55
Table 15-30 FC_MR-4 History Statistics per Time Interval 15-56
Table 16-1 ONS 15454 SNMP Message Types 16-5
Table 16-2 IETF Standard MIBs Implemented in the ONS 15454 System 16-6
Table 16-3 ONS 15454 Proprietary MIBs 16-7
Table 16-4 cerentGenericPmThresholdTable 16-12
Table 16-5 32-Bit cerentGenericPmStatsCurrentTable 16-13
Table 16-6 32-Bit cerentGenericPmStatsIntervalTable 16-13
Table 16-7 Supported Generic IETF Traps 16-14
Table 16-8 Supported ONS 15454 SNMPv2 Trap Variable Bindings 16-15
Table 16-9 RMON History Control Periods and History Categories 16-25
Table 16-10 OIDs Supported in the AlarmTable 16-27
Table A-1 Fan Tray Assembly Power Requirements A-4
Table A-2 SFP, XFP, and GBIC Specifications A-5
Table A-3 Individual Card Power Requirements A-8
Table A-4 Card Temperature Ranges and Product Names A-10
Table B-1 ONS 15454 Service State Primary States and Primary State Qualifiers B-1
Table B-2 ONS 15454 Secondary States B-2
Table B-3 ONS 15454 Administrative States B-3
Table B-4 ONS 15454 Card Service State Transitions B-3
Table B-5 ONS 15454 Port and Cross-Connect Service State Transitions B-6
Table B-6 ONS 15454 Pluggable Equipment Service State Transitions B-10
Table C-1 DS-1 Card Default Settings C-4
Table C-2 DS1/E1-56 Card Default Settings C-7
Table C-3 DS-3 Card Default Settings C-13
Table C-4 DS3/EC1-48 Card Default Settings C-14
Table C-5 DS3E Card Default Settings C-19
Table C-6 DS3I Card Default Settings C-21
Table C-7 DS3XM-6 Card Default Settings C-24
Table C-8 DS3XM-12 Card Default Settings C-26
Table C-9 EC1-12 Card Default Settings C-30
Table C-10 FC_MR-4 Card Default Settings C-33
Table C-11 Ethernet Card Default Settings C-34
Table C-12 OC-3 Card Default Settings C-35
Table C-13 OC3-8 Card Default Settings C-38
Table C-14 OC-12 Card Default Settings C-42
Table C-15 OC12-4 Card Default Settings C-46
Table C-16 OC-48 Card Default Settings C-50
Table C-17 OC-192 Card Default Settings C-54
Table C-18 OC192-XFP Default Settings C-59
Table C-19 MRC-12 Card Default Settings C-65
Table C-20 MRC-2.5G-4 Card Default Settings C-82
Table C-21 Node Default Settings C-101
Table C-22 Time Zones C-117
Table C-23 CTC Default Settings C-120
About this Manual
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This section explains the objectives, intended audience, and organization of this publication and
describes the conventions that convey instructions and other information.
This section provides the following information:
• Revision History
• Document Objectives
• Audience
• Related Documentation
• Document Conventions
• Obtaining Optical Networking Information
• Obtaining Documentation and Submitting a Service Request
Revision History
Date Notes
November 2009 Updated the table “Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth” in the chapter “Optical Cards”.
December 2009 Added the section “Filler Plus Cards” in the chapter “Shelf and Backplane Hardware”.
January 2010 Updated the section “OC-N Speed Upgrades” in the chapter “SONET Topologies and Upgrades”.
February 2010 Updated the table “SFP, XFP, and GBIC Specifications” in the appendix “Hardware Specifications”.
April 2010 • Updated the content of the “Span Upgrade Wizard” and “In-Service MRC Card Upgrades” sections.
• Updated the section “SNMP Overview” in the chapter “SNMP”.
• Created the section “Fan Tray Units for ONS 15454 Cards” in the chapter “Shelf and Backplane Hardware”.
• Added the tables “Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP” and “Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP” in the section “Speed-Duplex Combinations on SFPs” and updated the table “Available SFPs/XFPs” in the chapter “Ethernet Cards”.
• Added a footnote and a note for the ONS-SC-2G-28.7 SFP in the chapter “Optical Cards” and the appendix “Hardware Specifications”.
May 2010 Updated the note in the section “DS3/EC1-48 Card” in the chapter “Electrical Cards”.
June 2010 • Updated the caution in the section “DS1/E1-56 Card” in the chapter “Electrical Cards”.
• Updated the “OC-N Speed Upgrades” section in the chapter “SONET Topologies and Upgrades”.
August 2010 • Updated the section “Bridge and Roll” in the chapter “Circuits and Tunnels”.
• Removed the reference to G1000 card support in the chapters “Shelf and Backplane Hardware”, “Network Element Defaults”, and “Ethernet Cards”.
November 2010 Updated the figure “ML1000-2 Faceplate and Block Diagram” under the section “ML1000-2 Card” in the chapter “Ethernet Cards”.
December 2010 • Updated the section “MRC-12 Multirate Card” and the table “MRC-12 Card Upgrade Matrix” in the chapter “SONET Topologies and Upgrades”.
• Updated the section “CE-MR-10 Card” in the chapter “Ethernet Cards”.
• Updated the table “ONS 15454 Security Levels—Node View” in the chapter “Security”.
January 2011 Updated the sections “CE-100T-8 Card” and “CE-MR-10 Card” in the chapter “Ethernet Cards”.
April 2011 Updated the table “SFP and XFP Card Compatibility” in the chapter “Optical Cards”.
May 2011 Updated the “Common-Control Card Software Release Compatibility” table in the chapter “Common Control Cards”.
May 2011 • Updated the sections “Link Capacity Adjustment” and “VCAT Circuit Size” in the chapter “Circuits and Tunnels”.
• Updated the tables “ONS 15454 Card VCAT Circuit Rates and Members” and “ONS 15454 VCAT Card Capabilities” in the chapter “Circuits and Tunnels”.
June 2011 • Updated the section “AIC-I Card” in the chapter “Common Control Cards”.
• Updated the table “ONS 15454 Software and Hardware Compatibility—XC1 and XCVT Configurations” in the chapter “Shelf and Backplane Hardware”.
July 2011 • Added a note in the “PC and UNIX Workstation Requirements” section of the chapter “Cisco Transport Controller Operation”.
• Updated the tables “DS3XM-6 Card PMs” and “DS3XM-12 Card PMs” in the chapter “Performance Monitoring”.
September 2011 Added a note to the “Performance Monitoring Parameters” table in the “Performance Monitoring Parameter Definitions” section.
October 2011 Updated the section “AMP Champ EIA” in the chapter “Shelf and Backplane Hardware”.
January 2012 Updated the privileges for the Download/Cancel operations in the table “ONS 15454 SDH Security Levels—Network View” in the chapter “Security”.
February 2012 Updated the table “SFP and XFP Card Compatibility” in the chapter “Optical Cards”.
March 2012 • Updated the software release compatibility tables in the chapters “Common Control Cards”, “Optical Cards”, “Electrical Cards”, and “Ethernet Cards”.
• Updated the section “SONET Timing Operation” for the TCC2P card in the chapter “Common Control Cards”.
• Updated the section “DS3/EC1-48 Card Specifications” in the appendix “Hardware Specifications”.
August 2012 • Updated the table “Common-Control Card Software Release Compatibility” in the chapter “Common Control Cards”.
• The full-length book PDF was generated.
Document Objectives
This manual provides reference information for the Cisco ONS 15454.
Audience
To use this publication, you should be familiar with Cisco or equivalent optical transmission hardware
and cabling, telecommunications hardware and cabling, electronic circuitry and wiring practices, and
preferably have experience as a telecommunications technician.
Related Documentation
Use the Cisco ONS 15454 Reference Manual with the following referenced Release 9.1 and Release 9.2
publications:
• Cisco ONS 15454 Procedure Guide
Provides procedures to install, turn up, provision, and maintain a Cisco ONS 15454 node and
network.
• Cisco ONS 15454 Troubleshooting Guide
Provides general troubleshooting procedures, alarm descriptions and troubleshooting procedures,
error messages, and transient conditions.
• Cisco ONS SONET TL1 Command Guide
Provides a full TL1 command and autonomous message set including parameters, AIDs, conditions
and modifiers for the Cisco ONS 15454, ONS 15600, ONS 15310-CL, and ONS 15310-MA
systems.
• Cisco ONS SONET TL1 Reference Guide
Provides general information, procedures, and errors for TL1 in the Cisco ONS 15454, ONS 15600,
ONS 15310-CL, and ONS 15310-MA systems.
• Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide
Provides software features for all Ethernet cards and configuration information for Cisco IOS on
ML-Series cards.
• Release Notes for the Cisco ONS 15454 Release 9.1
Provides caveats, closed issues, and new features and functionality information.
• Release Notes for Cisco ONS 15454 SONET and SDH, Release 9.2
Provides caveats, closed issues, and new features and functionality information.
• Release Notes for Cisco ONS 15454 SONET and SDH, Release 9.2.1
Provides caveats, closed issues, and new features and functionality information.
For an update on End-of-Life and End-of-Sale notices, refer to
http://www.cisco.com/en/US/products/hw/optical/ps2006/prod_eol_notices_list.html.
Document Conventions
This publication uses the following conventions:
Convention Application
boldface Commands and keywords in body text.
italic Command input that is supplied by the user.
[ ] Keywords or arguments that appear within square brackets are optional.
{ x | x | x } A choice of keywords (represented by x) appears in braces separated by vertical bars. The user must select one.
Ctrl The control key. For example, where Ctrl + D is written, hold down the Control key while pressing the D key.
screen font Examples of information displayed on the screen.
boldface screen font Examples of information that the user must enter.
< > Command parameters that must be replaced by module-specific codes.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
document.
Caution Means reader be careful. In this situation, the user might do something that could result in equipment
damage or loss of data.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you
work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar
with standard practices for preventing accidents. Use the statement number provided at the end of
each warning to locate its translation in the translated safety warnings that accompanied this
device. Statement 1071
SAVE THESE INSTRUCTIONS
Warning (Dutch) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you
work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar
with standard practices for preventing accidents. Use the statement number at the bottom of the
warning to look up the translation of the warning in the translations supplied with the device.
SAVE THESE INSTRUCTIONS
Warning (Finnish) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. The situation can cause bodily injury. Before you handle the
equipment, take note of the risks involved in handling electrical circuits and familiarize yourself with
common practices for preventing accidents. Translations of the safety warnings can be found among
the translated safety warnings supplied with the device, using the statement numbers shown at the
end of each warning.
SAVE THESE INSTRUCTIONS
Warning (French) IMPORTANT SAFETY INFORMATION
This warning symbol indicates danger. You are in a situation that could cause injury or bodily harm.
Before working on any equipment, be aware of the hazards involved with electrical circuits and
familiarize yourself with the procedures commonly used to prevent accidents. To consult the
translations of the warnings in the translated safety instructions that accompany this device, refer to
the statement number located at the end of each warning.
SAVE THIS INFORMATION
Warning (German) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could lead to injury. Before working
with equipment, familiarize yourself with the hazards of electrical circuits and the usual procedures
for preventing accidents. Use the statement number given at the end of each warning to find the
corresponding translation in the translated safety instructions that were shipped with this device.
KEEP THESE INSTRUCTIONS IN A SAFE PLACE.
Warning (Italian) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol indicates a hazard. The situation could cause injury to persons. Before working
on any equipment, be aware of the hazards related to electrical circuits and know the standard
procedures for preventing accidents. Use the statement number at the end of each warning to locate
the translations of the warnings given in this document.
SAVE THESE INSTRUCTIONS
Warning (Norwegian) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that can lead to personal injury. Before
you begin working on any of the equipment, you must be aware of the hazards associated with
electrical circuits and know the standard procedures for preventing accidents. Use the number at the
end of each warning to find the translation in the translated safety warnings that accompanied this
device.
SAVE THESE INSTRUCTIONS
Warning (Portuguese) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before
starting to use any equipment, be aware of the hazards involved in handling electrical circuits and
familiarize yourself with the usual practices for preventing accidents. Use the statement number
provided at the end of each warning to locate its translation in the translated safety warnings that
accompany this device.
SAVE THESE INSTRUCTIONS
Warning (Spanish) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol indicates danger. There is a risk to your physical safety. Before handling any
equipment, consider the risks of electrical current and familiarize yourself with standard
accident-prevention procedures. At the end of each warning you will find the number that will help
you locate the translated text in the translations section that accompanies this device.
SAVE THESE INSTRUCTIONS
Warning (Swedish) IMPORTANT SAFETY INSTRUCTIONS
This warning signal indicates danger. You are in a situation that could lead to personal injury.
Before you perform work on any equipment, you must be aware of the hazards of electrical circuits
and know the usual procedures for preventing accidents. Use the number found at the end of each
warning to locate its translation in the translated safety warnings that accompany this device.
SAVE THESE INSTRUCTIONS
Warning (Brazilian Portuguese) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation in which there is a risk of bodily injury.
Before working with any equipment, be aware of the risks involving electrical circuits and
familiarize yourself with standard accident-prevention practices. Use the statement number provided
at the end of each warning to locate its translation in the translated safety warnings that accompany
the device.
SAVE THESE INSTRUCTIONS
Warning (Danish) IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation with a risk of bodily injury. Before you
begin work on equipment, you must be aware of the risks involved with electrical circuits, and you
must familiarize yourself with standard procedures for avoiding accidents. Use the statement number
after each warning to find the translation in the translated warnings that accompanied this device.
SAVE THESE INSTRUCTIONS
Obtaining Optical Networking Information
This section contains information that is specific to optical networking products. For information that
pertains to all of Cisco, refer to the Obtaining Documentation and Submitting a Service Request section.
Where to Find Safety and Warning Information
For safety and warning information, refer to the Cisco Optical Transport Products Safety and
Compliance Information document that accompanied the product. This publication describes the
international agency compliance and safety information for the Cisco ONS 15454 system. It also
includes translations of the safety warnings that appear in the ONS 15454 system documentation.
Cisco Optical Networking Product Documentation CD-ROM
Optical networking-related documentation, including Cisco ONS 15xxx product documentation, is
available in a CD-ROM package that ships with your product. The Optical Networking Product
Documentation CD-ROM is updated periodically and may be more current than printed documentation.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
Cisco ONS Documentation Roadmap for Release 9.2.1
To quickly access publications of Cisco ONS Release 9.2.1, see the Cisco ONS Documentation Roadmap for Release 9.2.1.
Chapter 1
Shelf and Backplane Hardware
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This chapter provides a description of Cisco ONS 15454 shelf and backplane hardware. Card
descriptions are provided in Chapter 2, “Common Control Cards,” Chapter 3, “Electrical Cards,”
Chapter 4, “Optical Cards,” Chapter 5, “Ethernet Cards,” and Chapter 6, “Storage Access Networking
Cards.” To install equipment, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 1.1 Overview, page 1-2
• 1.2 Rack Installation, page 1-3
• 1.3 Front Door, page 1-6
• 1.4 Backplane Covers, page 1-11
• 1.5 Electrical Interface Assemblies, page 1-15
• 1.6 Coaxial Cable, page 1-38
• 1.7 DS-1 Cable, page 1-38
• 1.8 UBIC-V Cables, page 1-40
• 1.9 UBIC-H Cables, page 1-45
• 1.11 Cable Routing and Management, page 1-53
• 1.12 Alarm Expansion Panel, page 1-56
• 1.13 Filler Card, page 1-61
• 1.15 Fan-Tray Assembly, page 1-64
• 1.16 Power and Ground Description, page 1-68
• 1.17 Shelf Voltage and Temperature, page 1-69
• 1.18 Alarm, Timing, LAN, and Craft Pin Connections, page 1-70
• 1.19 Cards and Slots, page 1-74
• 1.20 Software and Hardware Compatibility, page 1-79
Caution Unused card slots should be filled with a detectable filler card (Cisco P/N 15454-FILLER) or a
non-detectable filler card (Cisco P/N 15454-BLANK). The filler card ensures proper airflow when
operating the ONS 15454 without the front door attached, although Cisco recommends that the front
door remain attached.
Note The ONS 15454 is designed to comply with Telcordia GR-1089-CORE Type 2 and Type 4. Install and
operate the ONS 15454 only in environments that do not expose wiring or cabling to the outside plant.
Acceptable applications include Central Office Environments (COEs), Electronic Equipment Enclosures
(EEEs), Controlled Environment Vaults (CEVs), huts, and Customer Premise Environments (CPEs).
Note The Cisco ONS 15454 assembly is intended for use with telecommunications equipment only.
Note You can search for cross-referenced Cisco part numbers and CLEI (Common Language Equipment
Identification) codes at the following link: http://www.cisco.com/cgi-bin/front.x/clei/code_search.cgi.
1.1 Overview
When installed in an equipment rack, the ONS 15454 assembly is typically connected to a fuse and alarm
panel to provide centralized alarm connection points and distributed power for the ONS 15454. Fuse and
alarm panels are third-party equipment and are not described in this documentation. If you are unsure
about the requirements or specifications for a fuse and alarm panel, consult the user documentation for
the related equipment. The front door of the ONS 15454 allows access to the shelf assembly, fan-tray
assembly, and cable-management area. The backplanes provide access to alarm contacts, external
interface contacts, power terminals, and BNC/SMB connectors.
You can mount the ONS 15454 in a 19- or 23-inch rack (482.6 or 584.2 mm). The shelf assembly weighs
approximately 55 pounds (24.94 kg) with no cards installed. The shelf assembly includes a front door
for added security, a fan tray module for cooling, and extensive cable-management space.
ONS 15454 optical cards have SC and LC connectors on the card faceplate. Fiber-optic cables are routed
into the front of the destination cards. Electrical cards (DS-1, DS-3, DS3XM, and EC-1) require
electrical interface assemblies (EIAs) to provide the cable connection points for the shelf assembly. In
most cases, EIAs are ordered with the ONS 15454 and come preinstalled on the backplane. See the
“1.5 Electrical Interface Assemblies” section on page 1-15 for more information about the EIAs.
The ONS 15454 is powered using –48 VDC power. Negative, return, and ground power terminals are
accessible on the backplane.
Optical fibers without exposed metallic ferrule must be used with all the products and platforms covered
by this document (see Figure 1-1 and Figure 1-2). Electrostatic discharge is more easily coupled into the
equipment through exposed metallic ferrules near the fiber connectors.
Figure 1-1 Optical Fiber With Exposed Ferrule
Figure 1-2 Optical Fiber Without Exposed Ferrule
Note In this chapter, the terms “ONS 15454” and “shelf assembly” are used interchangeably. In the
installation context, these terms have the same meaning. Otherwise, shelf assembly refers to the physical
steel enclosure that holds cards and connects power, and ONS 15454 refers to the entire system, both
hardware and software.
Install the ONS 15454 in compliance with your local and national electrical codes:
• United States: National Fire Protection Association (NFPA) 70; United States National Electrical Code
• Canada: Canadian Electrical Code, Part I, CSA C22.1
• Other countries: If local and national electrical codes are not available, refer to IEC 364, Part 1 through Part 7
1.2 Rack Installation
The ONS 15454 is mounted in a 19- or 23-in. (482.6- or 584.2-mm) equipment rack. The shelf assembly
projects five inches (127 mm) from the front of the rack. It mounts in both Electronic Industries Alliance
(EIA) standard and Telcordia-standard racks. The shelf assembly is a total of 17 inches (431.8 mm) wide
with no mounting ears attached. Ring runs are not provided by Cisco and might hinder side-by-side
installation of shelves where space is limited.
The ONS 15454 measures 18.25 inches (463.5 mm) high, 19 or 23 inches (482.6 or 584.2 mm) wide
(depending on which way the mounting ears are attached), 12.018 inches (305.2 mm) deep for standard
door and 13.810 inches (350.7 mm) for deep door. You can install up to four ONS 15454 shelves in a
seven-foot (2133.6 mm) equipment rack. The ONS 15454 must have one inch (25.4 mm) of airspace
below the installed shelf assembly to allow air flow to the fan intake. If a second ONS 15454 is
installed underneath the shelf assembly, the air ramp on top of the lower shelf assembly provides
the air spacing needed and should not be modified in any way. Figure 1-3 shows the dimensions of
the ONS 15454.
Note A 10-Gbps-compatible shelf assembly (15454-SA-ANSI or 15454-SA-HD) and fan-tray assembly
(15454-FTA3, 15454-FTA3-T, or 15454-CC-FTA) are required if ONS 15454 XC10G and ONS 15454
XC-VXC-10G cards are installed in the shelf.
Figure 1-3 Cisco ONS 15454 ANSI Dimensions
Figure labels (standard door, front and side views): Height 18.25 in. (46.35 cm); Width 19 in. (48.26 cm) or 23 in. (58.42 cm) between mounting screw holes; 16.78 in. (42.62 cm); 5.015 in. (12.73 cm); Depth 12.018 in. (30.52 cm).
Figure labels (deep door, front and side views): Height 18.25 in. (46.35 cm); Width 19 in. (48.26 cm) or 23 in. (58.42 cm) between mounting screw holes; 16.78 in. (42.62 cm); 4.807 in. (12.20 cm); Depth 13.810 in. (35.07 cm).
1.2.1 Reversible Mounting Bracket
Caution Use only the fastening hardware provided with the ONS 15454 to prevent loosening, deterioration, and
electromechanical corrosion of the hardware and joined material.
Caution When mounting the ONS 15454 in a frame with a nonconductive coating (such as paint, lacquer, or
enamel) either use the thread-forming screws provided with the ONS 15454 shipping kit, or remove the
coating from the threads to ensure electrical continuity.
The shelf assembly comes preset for installation in a 23-inch (584.2 mm) rack, but you can reverse the
mounting bracket to fit the smaller 19-inch (482.6 mm) rack.
1.2.2 Mounting a Single Node
Mounting the ONS 15454 in a rack requires a minimum of 18.5 inches (469.9 mm) of vertical rack space
and one additional inch (25.4 mm) for air flow. To ensure the mounting is secure, use two to four
#12-24 mounting screws for each side of the shelf assembly. Figure 1-4 shows the rack mounting
position for the ONS 15454.
Figure 1-4 Mounting an ONS 15454 in a Rack
Two people should install the shelf assembly; however, one person can install it using the temporary set
screws included. The shelf assembly should be empty for easier lifting. The front door can also be
removed to lighten the shelf assembly.
(Figure 1-4 labels: equipment rack; universal ear mounts, reversible; shelf front showing the FAN FAIL,
CRIT, MAJ, and MIN LEDs.)
If you are installing the fan-tray air filter using the bottom (external) brackets provided, mount the
brackets on the bottom of the shelf assembly before installing the ONS 15454 in a rack.
1.2.3 Mounting Multiple Nodes
Most standard (Telcordia GR-63-CORE, 19-inch [482.6 mm] or 23-inch [584.2 mm]) seven-foot
(2,133 mm) racks can hold four ONS 15454 shelves and a fuse and alarm panel. However, unequal flange
racks are limited to three ONS 15454 shelves and a fuse and alarm panel or four ONS 15454 shelves and
a fuse and alarm panel from an adjacent rack.
If you are using the external (bottom) brackets to install the fan-tray air filter, you can install three shelf
assemblies in a standard seven-foot (2.133 m) rack. If you are not using the external (bottom) brackets,
you can install four shelf assemblies in a rack. The advantage to using the bottom brackets is that you
can replace the filter without removing the fan tray.
1.2.4 ONS 15454 Bay Assembly
The Cisco ONS 15454 bay assembly simplifies ordering and installing the ONS 15454 because it allows
you to order shelf assemblies preinstalled in a seven-foot (2.133 m) rack. The bay assembly is available
in a three- or four-shelf configuration. The three-shelf configuration includes three ONS 15454 shelf
assemblies, a prewired fuse and alarm panel, and two cable-management trays. The four-shelf
configuration includes four ONS 15454 shelf assemblies and a prewired fuse and alarm panel. You can
order optional fiber channels with either configuration. Installation procedures are included in the
Unpacking and Installing the Cisco ONS 15454 Four-Shelf and Zero-Shelf Bay Assembly document that
ships with the Bay Assembly.
1.3 Front Door
The Critical, Major, and Minor alarm LEDs visible through the front door indicate whether a critical,
major, or minor alarm is present anywhere on the ONS 15454. These LEDs must be visible so
technicians can quickly determine if any alarms are present on the ONS 15454 shelf or the network. You
can use the LCD to further isolate alarms. The front door (Figure 1-5) provides access to the shelf
assembly, cable-management tray, fan-tray assembly, and LCD screen.
Figure 1-5 The ONS 15454 Front Door
The ONS 15454 ships with a standard door but can also accommodate a deep door and extended fiber
clips (15454-DOOR-KIT) to provide additional room for cabling (Figure 1-6).
(Figure 1-5 labels: door lock; door button; viewholes for the Critical, Major, and Minor alarm LEDs;
front panel marked CISCO ONS 15454 Optical Network System.)
Figure 1-6 Cisco ONS 15454 Deep Door
The ONS 15454 door locks with a pinned hex key that ships with the ONS 15454. A button on the right
side of the shelf assembly releases the door. You can remove the front door of the ONS 15454 to provide
unrestricted access to the front of the shelf assembly. Before you remove the front door, you have to
remove the ground strap of the front door (Figure 1-7).
Figure 1-7 ONS 15454 Front Door Ground Strap
Figure 1-8 shows how to remove the front door.
Figure 1-8 Removing the ONS 15454 Front Door
An erasable label is pasted on the inside of the front door (Figure 1-9). You can use the label to record
slot assignments, port assignments, card types, node ID, rack ID, and serial number for the ONS 15454.
(Figure 1-8 labels: door hinge; assembly hinge pin; assembly hinge; translucent circles for LED viewing;
shelf LEDs FAN FAIL, CRIT, MAJ, and MIN.)
Figure 1-9 Front-Door Erasable Label
Note The front door label also includes the Class I and Class 1M laser warning (Figure 1-10).
Figure 1-10 Laser Warning on the Front-Door Label
1.4 Backplane Covers
If a backplane does not have an EIA panel installed, it should have two sheet metal backplane covers
(one on each side of the backplane) as shown in Figure 1-11 on page 1-12. Each cover is held in place
with nine 6-32 x 3/8 inch Phillips screws.
Note See the “1.5 Electrical Interface Assemblies” section on page 1-15 for information on EIAs.
Figure 1-11 Backplane Covers
1.4.1 Lower Backplane Cover
The lower section of the ONS 15454 backplane is covered by either a clear plastic protector
(15454-SA-ANSI) or a sheet metal cover (15454-SA-HD), which is held in place by five 6-32 x 1/2 inch
screws. Remove the lower backplane cover to access the alarm interface panel (AIP), alarm pin fields,
frame ground, and power terminals (Figure 1-12).
Figure 1-12 Removing the Lower Backplane Cover
(Figure 1-12 labels: B side and A side; lower backplane cover; backplane sheet metal covers; retaining
screws.)
1.4.2 Rear Cover
The ONS 15454 has an optional clear plastic rear cover. This clear plastic cover provides additional
protection for the cables and connectors on the backplane. Figure 1-13 shows the rear cover screw
locations.
Figure 1-13 Backplane Attachment for Cover
You can also install the optional spacers if more space is needed between the cables and rear cover
(Figure 1-14).
(Figure 1-13 labels: screw locations for attaching the rear cover.)
Figure 1-14 Installing the Plastic Rear Cover with Spacers
1.4.3 Alarm Interface Panel
The AIP is located above the alarm contacts on the lower section of the backplane. The AIP provides
surge protection for the ONS 15454. It also provides an interface from the backplane to the fan-tray
assembly and LCD. The AIP plugs into the backplane using a 96-pin DIN connector and is held in place
with two retaining screws. The panel has a nonvolatile memory chip that stores the unique node address
(MAC address).
Note The MAC address identifies the nodes that support circuits. It allows Cisco Transport Controller (CTC)
to determine circuit sources, destinations, and spans. The TCC2/TCC2P cards in the ONS 15454 also
use the MAC address to store the node database.
Note Read all references of “TCC2/TCC2P cards” in this document as “TCC2/TCC2P/TCC3 cards”.
The 5-A AIP (73-7665-XX) is required when installing fan-tray assembly 15454-FTA3 or
15454-CC-FTA, which comes preinstalled on the shelf assembly (15454-SA-ANSI or 15454-SA-HD).
Note A blown fuse on the AIP board can cause the LCD display to go blank.
(Backplane power-terminal label shown in the figure: BAT 1, RET 1, BAT 2, RET 2; -42 TO -57 Vdc,
650 Watts Maximum; CAUTION: Remove power from both the BAT1 and terminal blocks prior to
servicing; SUITABLE FOR MOUNTING ON A NON-COMBUSTIBLE SURFACE. PLEASE REFER TO
INSTALLATION INSTRUCTIONS.)
1.4.4 Alarm Interface Panel Replacement
If the alarm interface panel (AIP) fails, a MAC Fail alarm appears on the CTC Alarms menu and/or the
LCD display on the fan-tray assembly goes blank. To perform an in-service replacement of the AIP, you
must contact Cisco Technical Assistance Center (TAC). For contact information, go to the TAC website
at http://www.cisco.com/tac.
You can replace the AIP on an in-service system without affecting traffic (except Ethernet traffic on
nodes running a software release earlier than Release 4.0). The circuit repair feature allows you to repair
circuits affected by MAC address changes on one node at a time. Circuit repair works when all nodes are
running the same software version. Each individual AIP upgrade requires an individual circuit repair; if
AIPs are replaced on two nodes, the circuit repair must be performed twice.
Caution Do not use a 2-A AIP with a 5-A fan-tray assembly; doing so causes a blown fuse on the AIP.
Note Ensure that all nodes in the affected network are running the same software version before replacing the
AIP and repairing circuits. If you need to upgrade nodes to the same software version, do not change any
hardware or repair circuits until after the software upgrade is complete. Replace an AIP during a
maintenance window. Resetting the active TCC2/TCC2P card can cause a service disruption of less than
50 ms to optical or electrical traffic. Resetting the active TCC2/TCC2P card causes a service disruption
of three to five minutes on all E-Series Ethernet traffic due to spanning tree reconvergence. Refer to the
Cisco ONS 15454 Troubleshooting Guide for an AIP replacement procedure.
1.5 Electrical Interface Assemblies
Optional EIA backplane covers are typically preinstalled when ordered with the ONS 15454. EIAs must
be ordered when using DS-1, DS-3, DS3XM, or EC-1 cards. This section describes each EIA.
Six different EIA backplane covers are available for the ONS 15454: BNC, High-Density BNC,
MiniBNC, SMB, AMP Champ, UBIC-H (Universal Backplane Interface Connector-Horizontal), and
UBIC-V (Vertical). If the shelf was not shipped with the correct EIA interface, you must order and install
the correct EIA.
EIAs are attached to the shelf assembly backplane to provide electrical interface cable connections. EIAs
are available with SMB and BNC connectors for DS-3 or EC-1 cards. EIAs are available with
AMP Champ connectors for DS-1 cards. You must use SMB EIAs for DS-1 twisted-pair cable
installation. UBIC-V EIAs have SCSI connectors. They are available for use with any DS-1, DS-3, or
EC-1 card, but are intended for use with high-density electrical cards.
Note The MiniBNC EIAs only support cables using the Trompeter connectors for termination.
You can install EIAs on one or both sides of the ONS 15454 backplane in any combination (in other
words, AMP Champ on Side A and BNC on Side B or High-Density BNC on Side A and SMB on Side B,
and so forth). As you face the rear of the ONS 15454 shelf assembly, the right side is the A side and the
left side is the B side. The top of the EIA connector columns are labeled with the corresponding slot
number, and EIA connector pairs are marked transmit (Tx) and receive (Rx) to correspond to transmit
and receive cables.
Note For information about EIA types, protection schemes, and card slots, see Chapter 7, “Card Protection.”
1.5.1 EIA Installation
Optional EIA backplane covers are typically preinstalled when ordered with the ONS 15454. A minimal
amount of assembly might be required when EIAs are ordered separately from the ONS 15454. If you
are installing EIAs after the shelf assembly is installed, plug the EIA into the backplane. The EIA has
six electrical connectors that plug into six corresponding backplane connectors. The EIA backplane must
replace the standard sheet metal cover to provide access to the coaxial cable connectors. The EIA sheet
metal covers use the same screw holes as the solid backplane panels, but they have 12 additional 6-32 x
1/2 inch Phillips screw holes so you can screw down the cover and the board using standoffs on the EIA
board.
When using the RG-179 coaxial cable on an EIA, the maximum distance available (122 feet [37 meters])
is less than the maximum distance available with standard RG-59 (734A) cable (306 feet [93 meters]).
The maximum distance when using the RG-59 (734A) cable is 450 feet (137 meters). The shorter
maximum distance available with the RG-179 is due to a higher attenuation rate for the thinner cable.
Attenuation rates are calculated using a DS-3 signal:
• For RG-179, the attenuation rate is 59 dB/kft at 22 MHz.
• For RG-59 (734A) the attenuation rate is 11.6 dB/kft at 22 MHz.
1.5.2 EIA Configurations
Table 1-1 shows the EIA types supported only by ONS 15454 shelf assembly 15454-SA-ANSI.
Table 1-1 EIA Types Compatible with the 15454-SA-ANSI Only
EIA Type | Cards Supported | A-Side Hosts | A-Side Columns Map to | A-Side Product Number | B-Side Hosts | B-Side Columns Map to | B-Side Product Number
BNC | DS-3, DS3XM-6, EC-1 | 24 pairs of BNC connectors | Slot 2, Slot 4 | 15454-EIA-BNC-A24= | 24 pairs of BNC connectors | Slot 14, Slot 16 | 15454-EIA-BNC-B24=
High-Density BNC | DS-3, DS3XM-6, EC-1 | 48 pairs of BNC connectors | Slot 1, Slot 2, Slot 4, Slot 5 | 15454-EIA-BNC-A48= | 48 pairs of BNC connectors | Slot 13, Slot 14, Slot 16, Slot 17 | 15454-EIA-BNC-B48=
SMB | DS-1, DS-3, EC-1, DS3XM-6 | 84 pairs of SMB connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-SMB-A84= | 84 pairs of SMB connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-SMB-B84=
AMP Champ | DS-1 | 6 AMP Champ connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-AMP-A84= | 6 AMP Champ connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-AMP-B84=
Table 1-2 shows the EIA types supported by both the 15454-SA-ANSI and the 15454-SA-HD (high
density) shelf assemblies.
Table 1-2 EIA Configurations Compatible with the 15454-SA-ANSI and the 15454-SA-HD
EIA Type | Cards Supported | A-Side Hosts | A-Side Columns Map to | A-Side Product Number | B-Side Hosts | B-Side Columns Map to | B-Side Product Number
BNC | DS-3, DS3XM-6, DS3XM-12, EC-1 | 24 pairs of BNC connectors | Slot 2, Slot 4 | 15454-EIA-1BNCA24= | 24 pairs of BNC connectors | Slot 14, Slot 16 | 15454-EIA-1BNCB24=
High-Density BNC | DS-3, DS3XM-6, DS3XM-12, EC-1 | 48 pairs of BNC connectors | Slot 1, Slot 2, Slot 4, Slot 5 | 15454-EIA-1BNCA48= | 48 pairs of BNC connectors | Slot 13, Slot 14, Slot 16, Slot 17 | 15454-EIA-1BNCB48=
MiniBNC | DS-3, DS-3/EC1-48, DS3XM-6, DS3XM-12, EC-1 | 96 pairs of MiniBNC connectors | Slot 1, Slot 2, Slot 4, Slot 5, Slot 6 | 15454-EIA-HDBNC-A96= | 96 pairs of MiniBNC connectors | Slot 12, Slot 13, Slot 14, Slot 16, Slot 17 | 15454-EIA-HDBNC-B96=
SMB | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12 | 84 pairs of SMB connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-1SMBA84= | 84 pairs of SMB connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-1SMBB84=
AMP Champ | DS-1 | 6 AMP Champ connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-1AMPA84= | 6 AMP Champ connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-1AMPB84=
UBIC-V | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12, DS3/EC1-48, DS1/E1-56 | 8 pairs of SCSI connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-UBICV-A | 8 pairs of SCSI connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-UBICV-B
UBIC-H | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12, DS3/EC1-48, DS1/E1-56 | 8 pairs of SCSI connectors | Slot 1, Slot 2, Slot 3, Slot 4, Slot 5, Slot 6 | 15454-EIA-UBICH-A | 8 pairs of SCSI connectors | Slot 12, Slot 13, Slot 14, Slot 15, Slot 16, Slot 17 | 15454-EIA-UBICH-B
1.5.3 BNC EIA
The ONS 15454 BNC EIA supports 24 DS-3 circuits on each side of the ONS 15454 (24 transmit and
24 receive connectors). If you install BNC EIAs on both sides of the shelf assembly, the ONS 15454
hosts up to 48 circuits. The BNC connectors on the EIA support Trompeter UCBJ224 (75-ohm) 4-leg
connectors (King or ITT are also compatible). Right-angle mating connectors for the connecting cable
are AMP 413588-2 (75-ohm) connectors. If preferred, you can also use a straight connector of the same
type. Use RG-59/U cable to connect to the ONS 15454 BNC EIA. These cables are recommended to
connect to a patch panel and are designed for long runs. You can use BNC EIAs for DS-3 (including the
DS3XM-6 and DS3XM-12) or EC-1 cards.
Figure 1-15 shows the ONS 15454 with preinstalled BNC EIAs.
To install coaxial cable with BNC connectors, refer to the “Install Shelf and Backplane Cable” chapter
in the Cisco ONS 15454 Procedure Guide.
Figure 1-15 BNC Backplane for Use in 1:1 Protection Schemes
1.5.3.1 BNC Connectors
The EIA side marked “A” has 24 pairs of BNC connectors. The first 12 pairs of BNC connectors
correspond to Ports 1 to 12 for a 12-port card and map to Slot 2 on the shelf assembly. The BNC
connector pairs are marked “Tx” and “Rx” to indicate transmit and receive cables for each port. You can
install an additional card in Slot 1 as a protect card for the card in Slot 2. The second 12 BNC connector
pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 4 on the shelf assembly. You can
install an additional card in Slot 3 as a protect card for the card in Slot 4. Slots 5 and 6 do not support
DS-3 cards when the standard BNC EIA panel connectors are used.
The EIA side marked “B” provides an additional 24 pairs of BNC connectors. The first 12 BNC
connector pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 14 on the shelf assembly.
The BNC connector pairs are marked “Tx” and “Rx” to indicate transmit and receive cables for each
port. You can install an additional card in Slot 15 as a protect card for the card in Slot 14. The second
12 BNC connector pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 16 on the shelf
assembly. You can install an additional card in Slot 17 as a protect card for the card in Slot 16. Slots 12
and 13 do not support DS-3 cards when the standard BNC EIA panel connectors are used.
When BNC connectors are used with a DS3N-12 card in Slot 3 or 15, the 1:N card protection extends
only to the two slots adjacent to the 1:N card due to BNC wiring constraints.
(Figure 1-15 labels: B side and A side; BNC backplane connectors; tie wrap posts; connector columns for
Slots 16 and 14 (B side) and Slots 4 and 2 (A side), each with TX/RX pairs for ports 1 to 12.)
1.5.3.2 BNC Insertion and Removal Tool
Due to the large number of BNC connectors on the high-density BNC EIA, you might require a special
tool for inserting and removing BNC EIAs (Figure 1-16). This tool also helps with ONS 15454 patch
panel connections.
Figure 1-16 BNC Insertion and Removal Tool
This tool can be obtained with P/N 227-T1000 from:
Amphenol USA (www.amphenol.com)
One Kennedy Drive
Danbury, CT 06810
Phone: 203 743-9272 Fax: 203 796-2032
This tool can be obtained with P/N RT-4L from:
Trompeter Electronics Inc. (www.trompeter.com)
31186 La Baya Drive
Westlake Village, CA 91362-4047
Phone: 800 982-2629 Fax: 818 706-1040
1.5.4 High-Density BNC EIA
The ONS 15454 high-density BNC EIA supports 48 DS-3 circuits on each side of the ONS 15454
(48 transmit and 48 receive connectors). If you install BNC EIAs on both sides of the unit, the
ONS 15454 hosts up to 96 circuits. The high-density BNC EIA supports Trompeter UCBJ224 (75-ohm)
4-leg connectors (King or ITT are also compatible). Use straight connectors on RG-59/U cable to
connect to the high-density BNC EIA. Cisco recommends these cables for connection to a patch panel;
they are designed for long runs. You can use high-density BNC EIAs for DS-3 (including the DS3XM-6
and DS3XM-12) or EC-1 cards. Figure 1-17 shows the ONS 15454 with preinstalled high-density BNC
EIAs.
To install coaxial cable with high-density BNC connectors, refer to the “Install Shelf and Backplane
Cable” in the Cisco ONS 15454 Procedure Guide.
Figure 1-17 High-Density BNC Backplane for Use in 1:N Protection Schemes
The EIA side marked “A” hosts 48 pairs of BNC connectors. Each column of connector pairs is
numbered and corresponds to the slot of the same number. The first column (12 pairs) of BNC connectors
corresponds to Slot 1 on the shelf assembly, the second column to Slot 2, the third column to Slot 4, and
the fourth column to Slot 5. The rows of connectors correspond to Ports 1 to 12 of a 12-port card.
The EIA side marked “B” provides an additional 48 pairs of BNC connectors. The first column (12 pairs)
of BNC connectors corresponds to Slot 13 on the shelf assembly, the second column to Slot 14, the third
column to Slot 16, and the fourth column to Slot 17. The rows of connectors correspond to Ports 1 to 12
of a 12-port card. The BNC connector pairs are marked “Tx” and “Rx” to indicate transmit and receive
cables for each port. The High-Density BNC EIA supports both 1:1 and 1:N protection across all slots
except Slots 6 and 12.
1.5.5 MiniBNC EIA
The ONS 15454 MiniBNC EIA supports a maximum of 192 transmit and receive DS-3 connections, 96
per side (A and B) through 192 miniBNC connectors on each side. If you install BNC EIAs on both sides
of the unit, the ONS 15454 hosts up to 192 circuits. The MiniBNC EIAs are designed to support DS-3
and EC-1 signals.
The MiniBNC EIA supports the following cards:
• DS3-12, DS3N-12
• DS3i-N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48
MiniBNCs support the available high-density cards in unprotected and 1:N (where N < 2) protection
groups.
Table 1-3 shows protection groups and their applicable slot assignments.
1.5.5.1 MiniBNC Connectors
You can install MiniBNCs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454
shelf assembly, the right side is the A side (15454-EIA-HDBNC-A96) and the left side is the B side
(15454-EIA-HDBNC-B96). The diagrams adjacent to each row of connectors indicate the slots and ports
that correspond with each connector in that row, depending on whether you are using a high density (HD)
or low density (LD) configuration. The MiniBNC connector pairs are marked Tx and Rx to indicate
transmit and receive cables for each port.
Figure 1-18 shows the ONS 15454 with preinstalled MiniBNC EIAs.
To install coaxial cable with MiniBNC connectors, refer to the “Install the Shelf and Backplane Cable”
chapter in the Cisco ONS 15454 Procedure Guide.
Table 1-3 MiniBNC Protection Types and Slots
Protection Type Working Slots Protection Slots
Unprotected 1–6, 12–17 —
1:1 2, 4, 6, 12, 14, 16 1, 3, 5, 13, 15, 17
1:N (HD, where N < 5) 1, 2, 16, 17 3, 15
1:N (LD, where N < 2) 1, 2, 4, 5, 6, 12, 13, 14, 16, 17 3, 15
Figure 1-18 MiniBNC Backplane for Use in 1:N Protection Schemes
Table 1-4 and Table 1-5 show the J-labeling and corresponding card ports for a shelf assembly
configured with low-density electrical cards.
Table 1-4 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density
Electrical Cards (A Side)
Slot Port Type
TX J4 J3 J2 J1 J5 J6 J7 J8
T1 T13 T25 T37 T1 T13 T25 T37
T2 T14 T26 T38 T2 T14 T26 T38
T3 T15 T27 T39 T3 T15 T27 T39
T4 T16 T28 T40 T4 T16 T28 T40
T5 T17 T29 T41 T5 T17 T29 T41
T6 T18 T30 T42 T6 T18 T30 T42
T7 T19 T31 T43 T7 T19 T31 T43
T8 T20 T32 T44 T8 T20 T32 T44
T9 T21 T33 T45 T9 T21 T33 T45
T10 T22 T34 T46 T10 T22 T34 T46
T11 T23 T35 T47 T11 T23 T35 T47
T12 T24 T36 T48 T12 T24 T36 T48
RX J12 J11 J10 J9 J13 J14 J15 J16
R1 R13 R25 R37 R1 R13 R25 R37
R2 R14 R26 R38 R2 R14 R26 R38
R3 R15 R27 R39 R3 R15 R27 R39
R4 R16 R28 R40 R4 R16 R28 R40
R5 R17 R29 R41 R5 R17 R29 R41
R6 R18 R30 R42 R6 R18 R30 R42
R7 R19 R31 R43 R7 R19 R31 R43
R8 R20 R32 R44 R8 R20 R32 R44
R9 R21 R33 R45 R9 R21 R33 R45
R10 R22 R34 R46 R10 R22 R34 R46
R11 R23 R35 R47 R11 R23 R35 R47
R12 R24 R36 R48 R12 R24 R36 R48
Ports Ports Ports Ports Ports Ports Ports Ports
1 LD DS-3 1–12 — — — — — — —
2 LD DS-3 — — — — 1–12 — — —
3 LD DS-3 — — — — — — 1–12 —
4 LD DS-3 — — — — — 1–12 — —
5 LD DS-3 — 1–12 — — — — — —
6 LD DS-3 — — 1–12 — — — — —
Table 1-5 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density
Electrical Cards (B Side)
Slot Port Type
TX J20 J19 J18 J17 J21 J22 J23 J24
T1 T13 T25 T37 T1 T13 T25 T37
T2 T14 T26 T38 T2 T14 T26 T38
T3 T15 T27 T39 T3 T15 T27 T39
T4 T16 T28 T40 T4 T16 T28 T40
T5 T17 T29 T41 T5 T17 T29 T41
T6 T18 T30 T42 T6 T18 T30 T42
T7 T19 T31 T43 T7 T19 T31 T43
T8 T20 T32 T44 T8 T20 T32 T44
T9 T21 T33 T45 T9 T21 T33 T45
T10 T22 T34 T46 T10 T22 T34 T46
T11 T23 T35 T47 T11 T23 T35 T47
T12 T24 T36 T48 T12 T24 T36 T48
RX J28 J27 J26 J25 J29 J30 J31 J32
R1 R13 R25 R37 R1 R13 R25 R37
R2 R14 R26 R38 R2 R14 R26 R38
R3 R15 R27 R39 R3 R15 R27 R39
R4 R16 R28 R40 R4 R16 R28 R40
R5 R17 R29 R41 R5 R17 R29 R41
R6 R18 R30 R42 R6 R18 R30 R42
R7 R19 R31 R43 R7 R19 R31 R43
R8 R20 R32 R44 R8 R20 R32 R44
R9 R21 R33 R45 R9 R21 R33 R45
R10 R22 R34 R46 R10 R22 R34 R46
R11 R23 R35 R47 R11 R23 R35 R47
R12 R24 R36 R48 R12 R24 R36 R48
Ports Ports Ports Ports Ports Ports Ports Ports
17 LD DS-3 1–12 — — — — — — —
16 LD DS-3 — — — — 1–12 — — —
15 LD DS-3 — — — — — — 1–12 —
14 LD DS-3 — — — — — 1–12 — —
13 LD DS-3 — 1–12 — — — — — —
12 LD DS-3 — — 1–12 — — — — —
Table 1-6 and Table 1-7 show the J-labeling and corresponding card ports for a shelf assembly
configured with high-density 48-port DS-3/EC-1 electrical cards.
Table 1-6 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical
Cards (A Side)
Slot Port Type
TX J4 J3 J2 J1 J5 J6 J7 J8
T1 T13 T25 T37 T1 T13 T25 T37
T2 T14 T26 T38 T2 T14 T26 T38
T3 T15 T27 T39 T3 T15 T27 T39
T4 T16 T28 T40 T4 T16 T28 T40
T5 T17 T29 T41 T5 T17 T29 T41
T6 T18 T30 T42 T6 T18 T30 T42
T7 T19 T31 T43 T7 T19 T31 T43
T8 T20 T32 T44 T8 T20 T32 T44
T9 T21 T33 T45 T9 T21 T33 T45
T10 T22 T34 T46 T10 T22 T34 T46
T11 T23 T35 T47 T11 T23 T35 T47
T12 T24 T36 T48 T12 T24 T36 T48
RX J12 J11 J10 J9 J13 J14 J15 J16
R1 R13 R25 R37 R1 R13 R25 R37
R2 R14 R26 R38 R2 R14 R26 R38
R3 R15 R27 R39 R3 R15 R27 R39
R4 R16 R28 R40 R4 R16 R28 R40
R5 R17 R29 R41 R5 R17 R29 R41
R6 R18 R30 R42 R6 R18 R30 R42
R7 R19 R31 R43 R7 R19 R31 R43
R8 R20 R32 R44 R8 R20 R32 R44
R9 R21 R33 R45 R9 R21 R33 R45
R10 R22 R34 R46 R10 R22 R34 R46
R11 R23 R35 R47 R11 R23 R35 R47
R12 R24 R36 R48 R12 R24 R36 R48
Ports Ports Ports Ports Ports Ports Ports Ports
1 HD DS-3 1–12 13–24 25–36 37–48 — — — —
2 HD DS-3 — — — — 1–12 13–24 25–36 37–48
Table 1-7 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical
Cards (B Side)
Slot Port Type
TX J20 J19 J18 J17 J21 J22 J23 J24
T1 T13 T25 T37 T1 T13 T25 T37
T2 T14 T26 T38 T2 T14 T26 T38
T3 T15 T27 T39 T3 T15 T27 T39
T4 T16 T28 T40 T4 T16 T28 T40
T5 T17 T29 T41 T5 T17 T29 T41
T6 T18 T30 T42 T6 T18 T30 T42
T7 T19 T31 T43 T7 T19 T31 T43
T8 T20 T32 T44 T8 T20 T32 T44
T9 T21 T33 T45 T9 T21 T33 T45
T10 T22 T34 T46 T10 T22 T34 T46
T11 T23 T35 T47 T11 T23 T35 T47
T12 T24 T36 T48 T12 T24 T36 T48
RX J28 J27 J26 J25 J29 J30 J31 J32
R1 R13 R25 R37 R1 R13 R25 R37
R2 R14 R26 R38 R2 R14 R26 R38
R3 R15 R27 R39 R3 R15 R27 R39
R4 R16 R28 R40 R4 R16 R28 R40
R5 R17 R29 R41 R5 R17 R29 R41
R6 R18 R30 R42 R6 R18 R30 R42
R7 R19 R31 R43 R7 R19 R31 R43
R8 R20 R32 R44 R8 R20 R32 R44
R9 R21 R33 R45 R9 R21 R33 R45
R10 R22 R34 R46 R10 R22 R34 R46
R11 R23 R35 R47 R11 R23 R35 R47
R12 R24 R36 R48 R12 R24 R36 R48
Ports Ports Ports Ports Ports Ports Ports Ports
17 HD DS-3 1–12 13–24 25–36 37–48 — — — —
16 HD DS-3 — — — — 1–12 13–24 25–36 37–48
1.5.5.2 MiniBNC Insertion and Removal Tool
Due to the large number of MiniBNC connectors on the MiniBNC EIA, you might require a special tool
for inserting and removing MiniBNC EIAs (Figure 1-19). This tool also helps with ONS 15454 patch
panel connections.
Figure 1-19 MiniBNC Insertion and Removal Tool
This tool can be obtained with P/N 227-T1000 from:
Amphenol USA (www.amphenol.com)
One Kennedy Drive
Danbury, CT 06810
Phone: 203 743-9272 Fax: 203 796-2032
This tool can be obtained with P/N RT-1L from:
Trompeter Electronics Inc. (www.trompeter.com)
31186 La Baya Drive
Westlake Village, CA 91362-4047
Phone: 800 982-2629 Fax: 818 706-1040
1.5.6 SMB EIA
The ONS 15454 SMB EIA supports AMP 415484-1 75-ohm 4-leg connectors. Right-angle mating
connectors for the connecting cable are AMP 415484-2 (75-ohm) connectors. Use RG-179/U cable to
connect to the ONS 15454 EIA. Cisco recommends these cables for connection to a patch panel; they
are not designed for long runs. Range does not affect loopback testing.
You can use SMB EIAs with DS-1, DS-3 (including the DS3XM-6 and DS3XM-12), and EC-1 cards. If
you use DS-1 cards, use the DS-1 electrical interface adapter (balun) to terminate the twisted pair DS-1
cable to the SMB EIA (see the “1.7.2 Electrical Interface Adapters” section on page 1-39). SMB EIAs
support 14 ports per slot when used with a DS-1 card, 12 ports per slot when used with a DS-3 or EC-1
card, and 6 ports per slot when used with a DS3XM-6 card.
Figure 1-20 shows the ONS 15454 with preinstalled SMB EIAs and the sheet metal cover and screw
locations for the EIA. The SMB connectors on the EIA are AMP 415504-3 (75-ohm) 4-leg connectors.
To install SMB connectors, refer to the “Install Shelf and Backplane Cable” chapter in the
Cisco ONS 15454 Procedure Guide.
Figure 1-20 SMB EIA Backplane
The SMB EIA has 84 transmit and 84 receive connectors on each side of the ONS 15454 for a total of
168 SMB connectors (84 circuits).
The EIA side marked “A” hosts 84 SMB connectors in six columns of 14 connectors. The “A” side
columns are numbered 1 to 6 and correspond to Slots 1 to 6 on the shelf assembly. The EIA side marked
“B” hosts an additional 84 SMB connectors in six columns of 14 connectors. The “B” side columns are
numbered 12 to 17 and correspond to Slots 12 to 17 on the shelf assembly. The connector rows are
numbered 1 to 14 and correspond to the 14 ports on a DS-1 card.
For DS-3 or EC-1 cards, the EIA supports 72 transmit and 72 receive connectors, for a total of 144 SMB
connectors (72 circuits). If you use a DS-3 or EC-1 card, only Ports 1 to 12 are active. If you use a
DS3XM-6 card, only Ports 1 to 6 are active. The SMB connector pairs are marked “Tx” and “Rx” to
identify transmit and receive cables for each port. If you use SMB connectors, you can install DS-1,
DS-3, or EC-1 cards in Slots 1 to 4 or 14 to 17.
1.5.7 AMP Champ EIA
The ONS 15454 AMP Champ EIA supports 64-pin (32 pair) AMP Champ connectors for each slot on
both sides of the shelf assembly where the EIA is installed. Cisco AMP Champ connectors are female
AMP # 552246-1 with AMP # 552562-2 bail locks. Each AMP Champ connector supports 14 DS-1 ports.
You can use AMP Champ EIAs with DS-1 cards only. Figure 1-21 shows the ONS 15454 with
preinstalled AMP Champ EIAs and the corresponding sheet metal cover and screw locations for the EIA.
To install AMP Champ connector DS-1 cables, you must use 64-pin bundled cable connectors with a
64-pin male AMP Champ connector. You need an AMP Champ connector #552276-1 for the receptacle
side and #1-552496-1 (for cable diameter 0.475 in. to 0.540 in.) or #2-552496-1 (for cable diameter
0.540 in. to 0.605 in.) for the right-angle shell housing (or their functional equivalent). The
corresponding 64-pin female AMP Champ connector on the AMP Champ EIA supports one receive and
one transmit for each DS-1 port for the corresponding card slot.
[Figure 1-20 SMB EIA Backplane: B side (columns 17, 16, 15, 14, 13, 12, left) and A side (columns 6, 5, 4, 3, 2, 1, right); each column has connector rows 1 to 14, each row a TX/RX pair; the upper rows are marked reserved for DS-1s, the lower rows 12x DS-3s. Callouts: SMB backplane connectors, tie wrap posts.]
Because each DS1-14 card supports 14 DS-1 ports, only 56 pins (28 pairs) of the 64-pin connector are
used. Prepare one 56-wire cable for each DS-1 facility installed.
Figure 1-21 AMP Champ EIA Backplane
Table 1-8 shows the pin assignments for the AMP Champ connectors on the ONS 15454 AMP Champ
EIA. The EIA side marked “A” hosts six AMP Champ connectors. The connectors are numbered 1 to 6
for the corresponding slots on the shelf assembly. Each AMP Champ connector on the backplane
supports 14 DS-1 ports for a DS1-14 card, and each connector features 28 live pairs—one transmit pair
and one receive pair—for each DS-1 port.
The EIA side marked “B” hosts six AMP Champ connectors. The connectors are labeled 12 to 17 for the
corresponding slots on the shelf assembly. Each AMP Champ connector on the backplane supports
14 DS-1 ports for a DS1-14 card, and each connector features 28 live pairs—one transmit pair and one
receive pair—for each DS-1 port.
Note EIAs are hot-swappable. You do not need to disconnect power to install or remove EIAs.
Caution Always use an electrostatic discharge (ESD) wristband when working with a powered ONS 15454. For
detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge
(ESD) and Grounding Guide.
Table 1-8 AMP Champ Connector Pin Assignments

Signal/Wire              Pin  Pin  Signal/Wire               Signal/Wire               Pin  Pin  Signal/Wire
Tx Tip 1   white/blue     1   33   Tx Ring 1   blue/white    Rx Tip 1   yellow/orange  17   49   Rx Ring 1   orange/yellow
Tx Tip 2   white/orange   2   34   Tx Ring 2   orange/white  Rx Tip 2   yellow/green   18   50   Rx Ring 2   green/yellow
Tx Tip 3   white/green    3   35   Tx Ring 3   green/white   Rx Tip 3   yellow/brown   19   51   Rx Ring 3   brown/yellow
Tx Tip 4   white/brown    4   36   Tx Ring 4   brown/white   Rx Tip 4   yellow/slate   20   52   Rx Ring 4   slate/yellow
Tx Tip 5   white/slate    5   37   Tx Ring 5   slate/white   Rx Tip 5   violet/blue    21   53   Rx Ring 5   blue/violet
Tx Tip 6   red/blue       6   38   Tx Ring 6   blue/red      Rx Tip 6   violet/orange  22   54   Rx Ring 6   orange/violet
Tx Tip 7   red/orange     7   39   Tx Ring 7   orange/red    Rx Tip 7   violet/green   23   55   Rx Ring 7   green/violet
Tx Tip 8   red/green      8   40   Tx Ring 8   green/red     Rx Tip 8   violet/brown   24   56   Rx Ring 8   brown/violet
Tx Tip 9   red/brown      9   41   Tx Ring 9   brown/red     Rx Tip 9   violet/slate   25   57   Rx Ring 9   slate/violet
Tx Tip 10  red/slate     10   42   Tx Ring 10  slate/red     Rx Tip 10  white/blue     26   58   Rx Ring 10  blue/white
Tx Tip 11  black/blue    11   43   Tx Ring 11  blue/black    Rx Tip 11  white/orange   27   59   Rx Ring 11  orange/white
Tx Tip 12  black/orange  12   44   Tx Ring 12  orange/black  Rx Tip 12  white/green    28   60   Rx Ring 12  green/white
Tx Tip 13  black/green   13   45   Tx Ring 13  green/black   Rx Tip 13  white/brown    29   61   Rx Ring 13  brown/white
Tx Tip 14  black/brown   14   46   Tx Ring 14  brown/black   Rx Tip 14  white/slate    30   62   Rx Ring 14  slate/white
Tx Spare0+ N/A           15   47   Tx Spare0–  N/A           Rx Spare0+ N/A            31   63   Rx Spare0–  N/A
Tx Spare1+ N/A           16   48   Tx Spare1–  N/A           Rx Spare1+ N/A            32   64   Rx Spare1–  N/A

Table 1-9 shows the pin assignments for the AMP Champ connectors on the ONS 15454 AMP Champ
EIA for a shielded DS-1 cable.
When using DS-1 AMP Champ cables, you must equip the ONS 15454 with an AMP Champ connector
EIA on each side of the backplane where DS-1 cables will terminate. Each AMP Champ connector on
the EIA corresponds to a slot in the shelf assembly and is numbered accordingly. The AMP Champ
connectors have screw-down tooling at each end of the connector.
When the DS1N-14 card is installed in an ONS 15454 shelf that has an AMP Champ EIA, the cable that
connects the AMP Champ connector with the traffic source must be connected to the ground on both
the sides to meet the EMC standard.
Table 1-9 AMP Champ Connector Pin Assignments (Shielded DS-1 Cable)

64-Pin Blue Bundle                                            64-Pin Orange Bundle
Signal/Wire              Pin  Pin  Signal/Wire               Signal/Wire              Pin  Pin  Signal/Wire
Tx Tip 1   white/blue     1   33   Tx Ring 1   blue/white    Rx Tip 1   white/blue    17   49   Rx Ring 1   blue/white
Tx Tip 2   white/orange   2   34   Tx Ring 2   orange/white  Rx Tip 2   white/orange  18   50   Rx Ring 2   orange/white
Tx Tip 3   white/green    3   35   Tx Ring 3   green/white   Rx Tip 3   white/green   19   51   Rx Ring 3   green/white
Tx Tip 4   white/brown    4   36   Tx Ring 4   brown/white   Rx Tip 4   white/brown   20   52   Rx Ring 4   brown/white
Tx Tip 5   white/slate    5   37   Tx Ring 5   slate/white   Rx Tip 5   white/slate   21   53   Rx Ring 5   slate/white
Tx Tip 6   red/blue       6   38   Tx Ring 6   blue/red      Rx Tip 6   red/blue      22   54   Rx Ring 6   blue/red
Tx Tip 7   red/orange     7   39   Tx Ring 7   orange/red    Rx Tip 7   red/orange    23   55   Rx Ring 7   orange/red
Tx Tip 8   red/green      8   40   Tx Ring 8   green/red     Rx Tip 8   red/green     24   56   Rx Ring 8   green/red
Tx Tip 9   red/brown      9   41   Tx Ring 9   brown/red     Rx Tip 9   red/brown     25   57   Rx Ring 9   brown/red
Tx Tip 10  red/slate     10   42   Tx Ring 10  slate/red     Rx Tip 10  red/slate     26   58   Rx Ring 10  slate/red
Tx Tip 11  black/blue    11   43   Tx Ring 11  blue/black    Rx Tip 11  black/blue    27   59   Rx Ring 11  blue/black
Tx Tip 12  black/orange  12   44   Tx Ring 12  orange/black  Rx Tip 12  black/orange  28   60   Rx Ring 12  orange/black
Tx Tip 13  black/green   13   45   Tx Ring 13  green/black   Rx Tip 13  black/green   29   61   Rx Ring 13  green/black
Tx Tip 14  black/brown   14   46   Tx Ring 14  brown/black   Rx Tip 14  black/brown   30   62   Rx Ring 14  brown/black
Tx Tip 15  black/slate   15   47   Tx Ring 15  slate/black   Rx Tip 15  black/slate   31   63   Rx Ring 15  slate/black
Tx Tip 16  yellow/blue   16   48   Tx Ring 16  blue/yellow   Rx Tip 16  yellow/blue   32   64   Rx Ring 16  blue/yellow
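The pin numbers and wire colours in Tables 1-8 and 1-9 are not arbitrary: transmit tips occupy pins 1 to 16, receive tips 17 to 32, transmit rings 33 to 48 and receive rings 49 to 64, and the colours follow the standard 25-pair colour code (the unshielded cable counts transmit ports as pairs 1 to 14 and receive ports from pair 17 onward, wrapping after pair 25; the shielded cable counts each bundle from pair 1). The following Python is an added example, not from the Cisco manual: it derives both tables from those rules so that a cable build or a stray wire can be checked programmatically. Function names, the sample-cell list and the wrap-around treatment of pairs above 25 are this example's own assumptions drawn from the table values.

```python
# Added example (not from the Cisco manual): derive the AMP Champ EIA DS-1 pin map
# of Tables 1-8 and 1-9 from two rules instead of reading 64 cells by hand.
from typing import Dict, Tuple

# Standard 25-pair colour code: the tip colour changes every five pairs and the
# ring colour cycles within the group (pair 1 = white/blue, pair 25 = violet/slate).
TIP_COLORS = ("white", "red", "black", "yellow", "violet")
RING_COLORS = ("blue", "orange", "green", "brown", "slate")


def pair_colors(pair: int) -> Tuple[str, str]:
    """Tip wire and ring wire colours of pair number `pair`.

    Pairs above 25 wrap around (pair 26 is coded like pair 1); Table 1-8 relies
    on this for receive ports 10 to 14, which sit on pairs 26 to 30.
    """
    if pair < 1:
        raise ValueError("pair numbers start at 1")
    n = (pair - 1) % 25
    tip, ring = TIP_COLORS[n // 5], RING_COLORS[n % 5]
    return f"{tip}/{ring}", f"{ring}/{tip}"


def champ_pins(port: int) -> Dict[str, int]:
    """64-pin AMP Champ pin numbers for one DS-1 port.

    Transmit tips occupy pins 1-16, receive tips 17-32, transmit rings 33-48 and
    receive rings 49-64; ports 1-14 are live on a DS1-14 card, 15 and 16 are spares.
    """
    if not 1 <= port <= 16:
        raise ValueError("port must be 1..16")
    return {"tx_tip": port, "rx_tip": port + 16,
            "tx_ring": port + 32, "rx_ring": port + 48}


def champ_row(port: int, shielded: bool) -> Dict[str, Tuple[int, str]]:
    """(pin, wire colour) for each lead of `port`.

    Unshielded cable (Table 1-8): one colour count runs through the whole cable;
    transmit ports use pairs 1-14 and receive ports continue at pair 17 (pairs
    15 and 16 correspond to the unlabelled spare pins 15/47 and 16/48).
    Shielded cable (Table 1-9): the blue (transmit) and orange (receive)
    bundles are each counted from pair 1.
    """
    pins = champ_pins(port)
    tx_tip, tx_ring = pair_colors(port)
    rx_tip, rx_ring = pair_colors(port if shielded else port + 16)
    return {"tx_tip": (pins["tx_tip"], tx_tip), "tx_ring": (pins["tx_ring"], tx_ring),
            "rx_tip": (pins["rx_tip"], rx_tip), "rx_ring": (pins["rx_ring"], rx_ring)}


def lead_for_pin(pin: int) -> Tuple[int, str]:
    """Inverse lookup: which port and lead a given connector pin carries."""
    if not 1 <= pin <= 64:
        raise ValueError("pin must be 1..64")
    block, port = divmod(pin - 1, 16)
    lead = ("tx_tip", "rx_tip", "tx_ring", "rx_ring")[block]
    return port + 1, lead


# Constructed cross-check: cells copied from Tables 1-8 and 1-9 above
# (port, shielded, lead, pin, colour).
SAMPLE_CELLS = [
    (1, False, "rx_tip", 17, "yellow/orange"),
    (9, False, "rx_ring", 57, "slate/violet"),
    (10, False, "rx_tip", 26, "white/blue"),
    (14, False, "tx_ring", 46, "brown/black"),
    (6, True, "rx_tip", 22, "red/blue"),
    (16, True, "tx_ring", 48, "blue/yellow"),
]


def check_against_table() -> bool:
    """True when the derived map reproduces every sampled table cell."""
    return all(champ_row(p, s)[lead] == (pin, color)
               for p, s, lead, pin, color in SAMPLE_CELLS)


if __name__ == "__main__":
    for port in range(1, 15):
        row = champ_row(port, shielded=False)
        print(port, row["tx_tip"], row["tx_ring"], row["rx_tip"], row["rx_ring"])
    print("table check:", check_against_table())
```

Running the file prints the full unshielded map; `check_against_table()` compares the derived values with cells copied from the tables, so a rule that drifts from the manual fails immediately, and `lead_for_pin()` answers the field question of which port a wire found on, say, pin 62 belongs to.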
1.5.8 UBIC-V EIA
UBIC-V EIAs are attached to the shelf assembly backplane to provide up to 112 transmit and receive
connections through 16 SCSI connectors per side (A and B). The UBIC-V EIAs are designed to support
DS-1, DS-3, and EC-1 signals. The appropriate cable assembly is required depending on the type of
signal.
You can install UBIC-Vs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454
shelf assembly, the right side is the A side (15454-EIA-UBICV-A) and the left side is the B side
(15454-EIA-UBICV-B). The diagrams adjacent to each row of SCSI connectors indicate the slots and
ports that correspond with each SCSI connector in that row, depending on whether you are using a
high-density (HD) or low-density (LD) configuration.
UBIC-V EIAs will support high-density electrical cards (DS3/EC1-48, DS1/E1-56), as well as
low-density electrical cards.
Figure 1-22 shows the A- and B-side slot assignments.
Figure 1-22 UBIC-V Slot Designations
[Figure 1-22 UBIC-V Slot Designations: rear view with the B side on the left and the A side on the right, each with Tx and Rx rows of SCSI connectors.
B side connector labels: Tx J17 J20 J21 J23 and J24 J22 J19 J18; Rx J25 J28 J29 J31 and J32 J30 J27 J26.
A side connector labels: Tx J7 J5 J4 J1 and J2 J3 J6 J8; Rx J15 J13 J12 J9 and J10 J11 J14 J16.
HD labeling per connector: DS3 1-12/DS1 1-14, DS3 13-24/DS1 15-28, DS3 25-36/DS1 29-42, DS3 37-48/DS1 43-56 for Slots 16 and 17 (B side) and Slots 1 and 2 (A side).
LD labeling per connector: DS3 1-12/DS1 1-14 for Slots 12, 13, 14 and 15, 16, 17 (B side) and Slots 1, 2, 3 and 4, 5, 6 (A side); two connectors in each LD row are marked UNUSED.
Callouts: jackscrew should be installed first and removed last; rear cover bracket location.]
The UBIC-V sheet metal covers use the same screw holes as the standard sheet metal covers, but they
have 12 additional holes for pan-head screws and three holes for jack screws, so you can screw down the
cover and the board using standoffs on the UBIC-V board.
When installed with the standard door and cabling on the backplane, the ONS 15454 shelf measures
approximately 15.7 inches (399 mm) deep when partially populated with backplane cables, 16.1 inches
(409 mm) deep when fully populated, and 16.75 inches (425 mm) deep with the rear cover installed.
When installed with the deep door and cabling on the backplane, the ONS 15454 shelf measures
approximately 17.5 inches (445 mm) deep when partially populated with backplane cables, 17.9 inches
(455 mm) deep when fully populated, and 18.55 inches (471 mm) deep with the rear cover installed.
The UBIC-V EIA supports the following cards:
• DS1-14, DS1N-14
• DS3-12, DS3N-12
• DS3i-N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48
• DS1/E1-56
The A and B sides each host 16 high-density, 50-pin SCSI connectors. The A-side maps to
Slots 1 through 6 and the B-side maps to Slots 12 through 17.
In Software Releases 4.1.x and 4.6, UBIC-Vs support unprotected, 1:1, and 1:N (N ≤ 5) protection
groups. In Software R5.0 and later, UBIC-Vs also support available high-density cards in unprotected
and 1:N (N ≤ 2) protection groups.
Table 1-10 shows the UBIC-V protection types and their applicable slot assignments.

Table 1-10 UBIC-V Protection Types and Slots
Protection Type   Working Slots                        Protection Slots
Unprotected       1–6, 12–17                           —
1:1               2, 4, 6, 12, 14, 16                  1, 3, 5, 13, 15, 17
1:2               1, 2, 16, 17                         3, 15
1:5               1, 2, 4, 5, 6, 12, 13, 14, 16, 17    3, 15

1.5.9 UBIC-H EIA
UBIC-H EIAs are attached to the shelf assembly backplane to provide up to 112 transmit and receive
DS-1 connections through 16 SCSI connectors per side (A and B) or 96 transmit and receive DS-3
connections. The UBIC-H EIAs are designed to support DS-1, DS-3, and EC-1 signals. The appropriate
cable assembly is required depending on the type of signal.
You can install UBIC-Hs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454
shelf assembly, the right side is the A side (15454-EIA-UBICH-A) and the left side is the B side
(15454-EIA-UBICH-B). The diagrams adjacent to each row of SCSI connectors indicate the slots and
ports that correspond with each SCSI connector in that row, depending on whether you are using a high
density (HD) or low density (LD) configuration.
Note UBIC-H EIAs will support use with the high-density (DS3/EC1-48, DS1/E1-56, and DS3XM-12)
electrical cards, as well as existing low-density electrical cards.
Figure 1-23 shows the A- and B-side connector labeling.
Figure 1-23 UBIC-H EIA Connector Labeling
Tables 1-11 and 1-12 show the J-labeling and corresponding card ports for a shelf assembly configured
with low-density electrical cards.
Tables 1-13 and 1-14 show the J-labeling and corresponding card ports for a shelf assembly configured
with high-density 48-port DS-3/EC-1 or 56-port DS-1 electrical cards.
Table 1-11 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density
Electrical Cards (A Side)
Slot Port Type
TX J4 J3 J2 J1 J5 J6 J7 J8
RX J12 J11 J10 J9 J13 J14 J15 J16
Ports Ports Ports Ports Ports Ports Ports Ports
1 DS-1 1–14 — — — — — — —
DS-3 1–12 — — — — — — —
2 DS-1 — — — — 1–14 — — —
DS-3 — — — — 1–12 — — —
3 DS-1 — — — — — — 1–14 —
DS-3 — — — — — — 1–12 —
4 DS-1 — — — — — 1–14 — —
DS-3 — — — — — 1–12 — —
5 DS-1 — 1–14 — — — — — —
DS-3 — 1–12 — — — — — —
6 DS-1 — — 1–14 — — — — —
DS-3 — — 1–12 — — — — —
Table 1-12 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density
Electrical Cards (B Side)
Slot Port Type
TX J20 J19 J18 J17 J21 J22 J23 J24
RX J28 J27 J26 J25 J29 J30 J31 J32
Ports Ports Ports Ports Ports Ports Ports Ports
17 DS-1 1–14 — — — — — — —
DS-3 1–12 — — — — — — —
16 DS-1 — — — — 1–14 — — —
DS-3 — — — — 1–12 — — —
15 DS-1 — — — — — — 1–14 —
DS-3 — — — — — — 1–12 —
14 DS-1 — — — — — 1–14 — —
DS-3 — — — — — 1–12 — —
13 DS-1 — 1–14 — — — — — —
DS-3 — 1–12 — — — — — —
12 DS-1 — — 1–14 — — — — —
DS-3 — — 1–12 — — — — —
If you are installing UBIC-H EIAs after the shelf assembly is installed, plug the UBIC-H EIA into the
backplane. The UBIC-H backplane must replace the standard sheet metal cover to provide access to the
cable connectors. The UBIC-H sheet metal covers use the same screw holes as the standard sheet metal
covers, but they have 12 additional holes for panhead screws and three holes for jack screws so you can
screw down the cover and the board using standoffs on the UBIC-H board.
When installed with the standard door and cabling on the backplane, the ONS 15454 shelf measures
approximately 14.5 inches deep when fully populated with backplane cables, and 15.0 inches deep with
the rear cover installed. When installed with the deep door and cabling on the backplane, the ONS 15454
shelf measures approximately 16.5 inches deep when fully populated with backplane cables, and 17.0
inches deep with the rear cover installed.
The UBIC-H EIA supports the following cards:
• DS1-14, DS1N-14
• DS3-12, DS3N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48
• DS1/E1-56
Table 1-13 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical
Cards (A Side)
Slot Port Type
TX J4 J3 J2 J1 J5 J6 J7 J8
RX J12 J11 J10 J9 J13 J14 J15 J16
Ports Ports Ports Ports Ports Ports Ports Ports
1 DS-1 1–14 15–28 29–42 43–56 — — — —
DS-3 1–12 13–24 25–36 37–48 — — — —
2 DS-1 — — — — 1–14 15–28 29–42 43–56
DS-3 — — — — 1–12 13–24 25–36 37–48
Table 1-14 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical
Cards (B Side)
Slot Port Type
TX J20 J19 J18 J17 J21 J22 J23 J24
RX J28 J27 J26 J25 J29 J30 J31 J32
Ports Ports Ports Ports Ports Ports Ports Ports
17 DS-1 1–14 15–28 29–42 43–56 — — — —
DS-3 1–12 13–24 25–36 37–48 — — — —
16 DS-1 — — — — 1–14 15–28 29–42 43–56
DS-3 — — — — 1–12 13–24 25–36 37–48
The A and B sides each host 16 high-density, 50-pin SCSI connectors. The A-side maps to
Slots 1 through 6 and the B-side maps to Slots 12 through 17.
In Software Releases prior to Release 5.0, UBIC-Hs support unprotected, 1:1, and 1:N (N ≤ 5)
protection groups. In Software R5.0 and later, UBIC-Hs additionally support available high-density
cards in unprotected and 1:N (N ≤ 2) protection groups.
Table 1-15 shows protection groups and their applicable slot assignments.

Table 1-15 UBIC-H Protection Types and Slots
Protection Type   Working Slots                        Protection Slots
Unprotected       1–6, 12–17                           —
1:1               2, 4, 6, 12, 14, 16                  1, 3, 5, 13, 15, 17
1:2               1, 2, 16, 17                         3, 15
1:5               1, 2, 4, 5, 6, 12, 13, 14, 16, 17    3, 15

1.5.10 EIA Replacement
Before you attach a new EIA, you must remove the backplane cover or EIA already installed on the
ONS 15454. Refer to the spare document(s) for the EIA type(s) you are removing and replacing for
specific information.
1.6 Coaxial Cable
Caution Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed
instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD)
and Grounding Guide.
When using ONS 15454 DS-3 electrical cables, the cables must terminate on an EIA installed on the
ONS 15454 backplane. All DS-3 cables connected to the ONS 15454 DS-3 card must terminate with
coaxial cables using the desired connector type to connect to the specified EIA.
The electromagnetic compatibility (EMC) performance of the node depends on good-quality DS-3
coaxial cables, such as Shuner Type G 03233 D, or the equivalent.
1.7 DS-1 Cable
DS-1 cables support AMP Champ connectors and twisted-pair wire-wrap cabling. Twisted-pair
wire-wrap cables require SMB EIAs.
1.7.1 Twisted Pair Wire-Wrap Cables
Installing twisted-pair, wire-wrap DS-1 cables requires separate pairs of grounded twisted-pair cables
for receive (in) and transmit (out). Prepare four cables, two for receive and two for transmit, for each
DS-1 facility to be installed.
Caution Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed
instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD)
and Grounding Guide.
If you use DS-1 electrical twisted-pair cables, equip the ONS 15454 with an SMB EIA on each side of
the backplane where DS-1 cables will terminate. You must install special DS-1 electrical interface
adapters, commonly referred to as a balun, on every transmit and receive connector for each DS-1
termination.
1.7.2 Electrical Interface Adapters
Note DS-1 electrical interface adapters project an additional 1.72 inches (43.7 mm) from the ONS 15454
backplane.
If you install DS-1 cards in the ONS 15454, you must fit the corresponding transmit and receive SMB
connectors on the EIA with a DS-1 electrical interface adapter. You can install the adapter on the SMB
connector for the port. The adapter has wire-wrap posts for DS-1 transmit and receive cables.
Figure 1-24 shows the DS-1 electrical interface adapter.
Note “EIA” refers to electrical interface assemblies and not electrical interface adapters. Electrical interface
adapters are also known as baluns.
Figure 1-24 DS-1 Electrical Interface Adapter (Balun)
Each DS-1 electrical interface adapter has a female SMB connector on one end and a pair of 0.045 inch
(1.14 mm) square wire-wrap posts on the other end. The wire-wrap posts are 0.200 inches (5.08 mm)
apart.
Caution Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed
instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD)
and Grounding Guide.
[Figure 1-24 callouts: SMB connector at one end of the DS-1 electrical interface adapter, wire wrap posts (Ring, Tip) at the other.]
1.8 UBIC-V Cables
Note Cisco Systems announced the end-of-sale and end-of-life dates for the Cisco ONS 15454 MSPP
Universal BackPlane Interface Adapter, Vertical Orientation (UBIC-V), and its DS1 and DS3 Cables.
For further details, refer to Product Bulletin No. EOL5039 at
http://www.cisco.com/en/US/prod/collateral/optical/ps5724/ps2006/prod_end-of-life_notice0900aecd8052a481.html.
The UBIC-V EIA is designed to support DS-1, DS-3, or EC-1 signals. The type of signal supported is
determined by the respective UBIC-V cable assembly.
DS-1 cables for the UBIC-V have a maximum supported distance of 655 feet (199.6 m). DS-1 cables
arrive with unterminated #24 AWG twisted pairs on the far end and are color coded as identified in
Table 1-17.
The following DS-1 cables are no longer available from Cisco Systems for use with the UBIC-V EIA:
• DS-1 cable, 150 feet: 15454-CADS1-SD
• DS-1 cable, 250 feet: 15454-CADS1-ID
• DS-1 cable, 655 feet: 15454-CADS1-LD
DS-3/EC-1 cables for the UBIC-V have a maximum supported distance of 450 feet (137.2 m).
DS-3/EC-1 cables arrive with unterminated coaxial cable at the far end and labeled with the respective
port number. 75-ohm BNC connectors for each port (qty. 12) are supplied and require that they be
crimped on.
The following DS-3/EC-1 cables are no longer available from Cisco Systems for use with the UBIC-V
EIA:
• DS-3/EC-1 cable, 75 feet: 15454-CADS3-SD
• DS-3/EC-1 cable, 225 feet: 15454-CADS3-ID
• DS-3/EC-1 cable, 450 feet: 15454-CADS3-LD
Figure 1-25 identifies the pin numbers for the DS-1 and DS-3/EC-1 cables as referenced from the SCSI
connector.
Figure 1-25 Cable Connector Pins
Table 1-16 identifies the UBIC-V SCSI connector pin assignments for the DS-1 cables as referenced
from the EIA backplane to the SCSI connector.
Note Conversion from the back plane’s single ended (unbalanced) 75-ohm signal to a differential (balanced)
100-ohm signal happens through the embedded transformer within the SCSI connector. The cable's
shield is connected to the connector shell. This conversion is illustrated in Figure 1-26.
[Figure 1-25: 50-pin SCSI connector; Pin 1 to Pin 25 run along the top row, Pin 26 to Pin 50 along the bottom row.]
Table 1-16 UBIC-V DS-1 SCSI Connector Pin Out
Port SCSI Pin SCSI Pin Port
#1 1 26 #7
FGnd 2 27 FGnd
FGnd 3 28 FGnd
FGnd 4 29 FGnd
#2 5 30 #8
FGnd 6 31 FGnd
FGnd 7 32 FGnd
FGnd 8 33 FGnd
#3 9 34 #9
FGnd 10 35 FGnd
FGnd 11 36 FGnd
FGnd 12 37 FGnd
#4 13 38 #10
FGnd 14 39 FGnd
FGnd 15 40 FGnd
FGnd 16 41 FGnd
#5 17 42 #11
FGnd 18 43 FGnd
FGnd 19 44 FGnd
FGnd 20 45 FGnd
#6 21 46 #12
FGnd 22 47 FGnd
FGnd 23 48 FGnd
FGnd 24 49 FGnd
#13 25 50 #14
Figure 1-26 UBIC-V DS-1 Cable Schematic Diagram
Table 1-17 shows the UBIC-V DS-1 Tip/Ring color coding.
[Figure 1-26 UBIC-V DS-1 Cable Schematic Diagram: for each port the 75Ω single-ended signal to/from the SCSI connector on the UBIC-V EIA (port 1 on pin 1, port 2 on pin 5, port 13 on pin 25, port 14 on pin 50; pins 2, 3 and 4 FGnd) passes through a 1:1.15 transformer to a 100Ω differential DS-1 Tip/Ring pair to/from the customer DSX; the cable shield is tied to the connector shell.]
Table 1-18 identifies the UBIC-V SCSI connector pin assignments for the DS-3/EC-1 cables as
referenced from the EIA backplane to the SCSI connector.
Table 1-17 UBIC-V DS-1 Tip/Ring Color Coding
Wire Color Signal Signal Wire Color
White/blue Tip DS-1 #1 Ring DS-1 #1 Blue/white
White/orange Tip DS-1 #2 Ring DS-1 #2 Orange/white
White/green Tip DS-1 #3 Ring DS-1 #3 Green/white
White/brown Tip DS-1 #4 Ring DS-1 #4 Brown/white
White/slate Tip DS-1 #5 Ring DS-1 #5 Slate/white
Red/blue Tip DS-1 #6 Ring DS-1 #6 Blue/red
Red/orange Tip DS-1 #7 Ring DS-1 #7 Orange/red
Red/green Tip DS-1 #8 Ring DS-1 #8 Green/red
Red/brown Tip DS-1 #9 Ring DS-1 #9 Brown/red
Red/slate Tip DS-1 #10 Ring DS-1 #10 Slate/red
Black/blue Tip DS-1 #11 Ring DS-1 #11 Blue/black
Black/orange Tip DS-1 #12 Ring DS-1 #12 Orange/black
Black/green Tip DS-1 #13 Ring DS-1 #13 Green/black
Black/brown Tip DS-1 #14 Ring DS-1 #14 Brown/black
Table 1-18 UBIC-V DS-3/EC-1 SCSI Connector Pin Out
Port SCSI Pin SCSI Pin Port
#1 1 26 #7
FGnd 2 27 FGnd
FGnd 3 28 FGnd
FGnd 4 29 FGnd
#2 5 30 #8
FGnd 6 31 FGnd
FGnd 7 32 FGnd
FGnd 8 33 FGnd
#3 9 34 #9
FGnd 10 35 FGnd
FGnd 11 36 FGnd
FGnd 12 37 FGnd
#4 13 38 #10
FGnd 14 39 FGnd
FGnd 15 40 FGnd
FGnd 16 41 FGnd
#5 17 42 #11
FGnd 18 43 FGnd
FGnd 19 44 FGnd
FGnd 20 45 FGnd
#6 21 46 #12
FGnd 22 47 FGnd
FGnd 23 48 FGnd
FGnd 24 49 FGnd
Not connected 25 50 Not connected

Figure 1-27 shows the UBIC-V DS-3/EC-1 cable schematic diagram.
Figure 1-27 UBIC-V DS-3/EC-1 Cable Schematic Diagram
[Figure 1-27: for each port the 75Ω DS-3/EC-1 signal to/from the Tyco SCSI connector on the UBIC (port 1 on pin 1, port 2 on pin 5, port 11 on pin 42, port 12 on pin 46, with FGND pins between) is placed on 735A (or 735C) coax to/from the customer DSx; frame ground runs from the shield to the connector.]
1.9 UBIC-H Cables
The UBIC-H EIA is designed to support DS-1, DS-3, or EC-1 signals. The type of signal supported is
determined by the UBIC-H cable assembly that you order.
To support DS-1 signals, select the DS-1 UBIC-H cable assembly (part number
15454-CADS1-H-).
To support DS-3 or EC-1 signals, select the DS-3/EC-1 UBIC-H cable assembly (part number
15454-CADS3-H-).
DS-1 cables for the UBIC-H have a maximum supported distance of 655 feet (199.6 m). DS-1 cables
arrive with unterminated #24 AWG twisted pairs on the far end and are color coded as identified in
Table 1-20.
The following DS-1 cables are available from Cisco Systems for use with the UBIC-H EIA:
• 25 feet: 15454-CADS1-H-25
• 50 feet: 15454-CADS1-H-50
• 75 feet: 15454-CADS1-H-75
• 100 feet: 15454-CADS1-H-100
• 150 feet: 15454-CADS1-H-150
• 200 feet: 15454-CADS1-H-200
• 250 feet: 15454-CADS1-H-250
• 350 feet: 15454-CADS1-H-350
• 450 feet: 15454-CADS1-H-450
• 550 feet: 15454-CADS1-H-550
• 655 feet: 15454-CADS1-H-655
DS-3/EC-1 cables for the UBIC-H have a maximum supported distance of 450 feet (137.2 m).
DS-3/EC-1 cables arrive with unterminated coaxial cable at the far end and labeled with the respective
port number. 75-ohm BNC connectors for each port (qty. 12) are supplied and require that they be
crimped on.
The following DS-3/EC-1 cables are available from Cisco Systems for use with the UBIC-H EIA:
• 25 feet: 15454-CADS3-H-25
• 50 feet: 15454-CADS3-H-50
• 75 feet: 15454-CADS3-H-75
• 100 feet: 15454-CADS3-H-100
• 125 feet: 15454-CADS3-H-125
• 150 feet: 15454-CADS3-H-150
• 175 feet: 15454-CADS3-H-175
• 200 feet: 15454-CADS3-H-200
• 225 feet: 15454-CADS3-H-225
• 250 feet: 15454-CADS3-H-250
• 300 feet: 15454-CADS3-H-300
• 350 feet: 15454-CADS3-H-350
• 450 feet: 15454-CADS3-H-450
Figure 1-28 identifies the pin numbers for the DS-1 and DS-3/EC-1 cables as referenced from the SCSI
connector.
Figure 1-28 Cable Connector Pins
Table 1-19 identifies the UBIC-H SCSI connector pin assignments for the DS-1 cables as referenced
from the EIA backplane to the SCSI connector.
Note Conversion from the back plane’s single ended (unbalanced) 75-ohm signal to a differential (balanced)
100-ohm signal happens through the embedded transformer within the SCSI connector. The cable's
shield is connected to the connector shell. This conversion is illustrated in Figure 1-29.
[Figure 1-28: 50-pin SCSI connector; Pin 1 to Pin 25 run along the top row, Pin 26 to Pin 50 along the bottom row.]
Table 1-19 UBIC-H DS-1 SCSI Connector Pin Out
Port SCSI Pin SCSI Pin Port
#1 1 26 #7
FGnd 2 27 FGnd
FGnd 3 28 FGnd
FGnd 4 29 FGnd
#2 5 30 #8
FGnd 6 31 FGnd
FGnd 7 32 FGnd
FGnd 8 33 FGnd
#3 9 34 #9
FGnd 10 35 FGnd
FGnd 11 36 FGnd
FGnd 12 37 FGnd
#4 13 38 #10
FGnd 14 39 FGnd
FGnd 15 40 FGnd
FGnd 16 41 FGnd
#5 17 42 #11
FGnd 18 43 FGnd
FGnd 19 44 FGnd
FGnd 20 45 FGnd
#6 21 46 #12
FGnd 22 47 FGnd
FGnd 23 48 FGnd
FGnd 24 49 FGnd
#13 25 50 #14

Figure 1-29 UBIC-H DS-1 Cable Schematic Diagram
[Figure 1-29: for each port the 75Ω single-ended signal to/from the UBIC-H SCSI connector (port 1 on pin 1, port 2 on pin 5, port 13 on pin 25, port 14 on pin 50; pins 2, 3 and 4 FGnd) passes through a 1:1.15 transformer to a 100Ω differential DS-1 Tip/Ring pair to/from the customer DSX; the cable shield is tied to the connector shell.]
Table 1-20 shows the UBIC-H DS-1 Tip/Ring color coding.
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 1 Shelf and Backplane Hardware
1.9 UBIC-H Cables
Table 1-21 identifies the UBIC-H SCSI connector pin assignments for the DS-3/EC-1 cables as
referenced from the EIA backplane to the SCSI connector.
Table 1-20 UBIC-H DS-1 Tip/Ring Color Coding
Wire Color Signal Signal Wire Color
White/blue Tip DS-1 #1 Ring DS-1 #1 Blue/white
White/orange Tip DS-1 #2 Ring DS-1 #2 Orange/white
White/green Tip DS-1 #3 Ring DS-1 #3 Green/white
White/brown Tip DS-1 #4 Ring DS-1 #4 Brown/white
White/slate Tip DS-1 #5 Ring DS-1 #5 Slate/white
Red/blue Tip DS-1 #6 Ring DS-1 #6 Blue/red
Red/orange Tip DS-1 #7 Ring DS-1 #7 Orange/red
Red/green Tip DS-1 #8 Ring DS-1 #8 Green/red
Red/brown Tip DS-1 #9 Ring DS-1 #9 Brown/red
Red/slate Tip DS-1 #10 Ring DS-1 #10 Slate/red
Black/blue Tip DS-1 #11 Ring DS-1 #11 Blue/black
Black/orange Tip DS-1 #12 Ring DS-1 #12 Orange/black
Black/green Tip DS-1 #13 Ring DS-1 #13 Green/black
Black/brown Tip DS-1 #14 Ring DS-1 #14 Brown/black
Table 1-21 UBIC-H DS-3/EC-1 SCSI Connector Pin Out
Port            SCSI Pin   SCSI Pin   Port
#1              1          26         #7
FGnd            2          27         FGnd
FGnd            3          28         FGnd
FGnd            4          29         FGnd
#2              5          30         #8
FGnd            6          31         FGnd
FGnd            7          32         FGnd
FGnd            8          33         FGnd
#3              9          34         #9
FGnd            10         35         FGnd
FGnd            11         36         FGnd
FGnd            12         37         FGnd
#4              13         38         #10
FGnd            14         39         FGnd
FGnd            15         40         FGnd
FGnd            16         41         FGnd
#5              17         42         #11
FGnd            18         43         FGnd
FGnd            19         44         FGnd
FGnd            20         45         FGnd
#6              21         46         #12
FGnd            22         47         FGnd
FGnd            23         48         FGnd
FGnd            24         49         FGnd
Not connected   25         50         Not connected
Figure 1-30 shows the UBIC-H DS-3/EC-1 cable schematic diagram.
Figure 1-30 UBIC-H DS-3/EC-1 Cable Schematic Diagram (figure: each 75-ohm DS-3/EC-1 port, for example Port #1 on pin 1, Port #2 on pin 5, Port #11 on pin 42 and Port #12 on pin 46, comes off the Tyco SCSI connector on 735A (or 735C) coaxial cable to or from the customer DSx; the pins adjacent to each port pin are FGND)
1.10 Ethernet Cables
Ethernet cables use RJ-45 connectors, and are straight-through or crossover, depending on what is connected to them.
Table 1-22 shows 100Base-TX connector pin assignments, used with E100 Ethernet cards in the ONS 15454.
Figure 1-31 shows the pin locations on the 100BaseT connector.
Figure 1-31 100BaseT Connector Pins (figure: RJ-45 connector with pins numbered 1 through 8)
Table 1-22 E100-TX Connector Pinout
Pin   Signal
1     RD+
2     RD–
3     TD+
4     NC
5     NC
6     TD–
7     NC
8     NC
Figure 1-32 shows the straight-through Ethernet cable schematic. Use a straight-through cable when connecting to a router or a PC.
Figure 1-32 Straight-Through Cable (figure: switch side pins 3 TD+, 6 TD–, 1 RD+ and 2 RD– wired pin-for-pin to router or PC side pins 3 RD+, 6 RD–, 1 TD+ and 2 TD–)
Figure 1-33 shows the crossover Ethernet cable schematic. Use a crossover cable when connecting to a switch or hub.
Figure 1-33 Crossover Cable (figure: two switch-side ends, each with pins 3 TD+, 6 TD–, 1 RD+ and 2 RD–; the transmit pair of one end is wired to the receive pair of the other, so pins 1 and 2 cross to pins 3 and 6)
1.11 Cable Routing and Management
The ONS 15454 cable management facilities include the following:
• A cable-routing channel (behind the fold-down door) that runs the width of the shelf assembly (Figure 1-34)
• Plastic horseshoe-shaped fiber guides at each side opening of the cable-routing channel that ensure the proper bend radius is maintained in the fibers (Figure 1-35)
Note You can remove the fiber guide if necessary to create a larger opening (if you need to route CAT-5 Ethernet cables out the side, for example). To remove the fiber guide, take out the three screws that anchor it to the side of the shelf assembly.
• A fold-down door that provides access to the cable-management tray
• Cable tie-wrap facilities on EIAs that secure cables to the cover panel
• A cable routing channel that enables you to route cables out either side
• Jumper slack storage reels (2) on each side panel that reduce the amount of slack in cables that are connected to other devices
Note To remove the jumper slack storage reels, take out the screw in the center of each reel.
• Optional tie-down bar
Figure 1-34 shows the cable management facilities that you can access through the fold-down front door, including the cable-routing channel and cable-routing channel posts.
Figure 1-34 Managing Cables on the Front Panel (figure: the front of the shelf with the FAN FAIL, CRIT, MAJ and MIN indicators, the cable-routing channel posts, the fold-down front door and the fiber guides)
1.11.1 Fiber Management
The jumper routing fins are designed to route fiber jumpers out of both sides of the shelf. Slots 1 to 6 exit to the left, and Slots 12 to 17 exit to the right. Figure 1-35 shows fibers routed from cards in the left slots, down through the fins, then exiting out the fiber channel to the left. The maximum capacity of the fiber routing channel depends on the size of the fiber jumpers. Table 1-23 gives the maximum capacity of the fiber channel for each side of the shelf, for the different fiber sizes.
Figure 1-35 Fiber Capacity (figure: fibers from cards in the left-hand slots routed down through the jumper routing fins and out the left fiber channel)
Table 1-23 provides the maximum capacity of the fiber channel for one side of a shelf, depending on fiber size and the number of Ethernet cables running through that fiber channel.
Table 1-23 Fiber Channel Capacity (One Side of the Shelf)
Fiber Diameter       Maximum Number of Fibers Exiting Each Side
                     No Ethernet Cables   One Ethernet Cable   Two Ethernet Cables
1.6 mm (0.06 inch)   144                  127                  110
2 mm (0.08 inch)     90                   80                   70
3 mm (0.12 inch)     40                   36                   32
Plan your fiber size according to the number of cards/ports installed in each side of the shelf. For example, if your port combination requires 36 fibers, 3 mm (0.12 inch) fiber is adequate. If your port combination requires 68 fibers, you must use 2 mm (0.08 inch) or smaller fibers.
1.11.2 Fiber Management Using the Tie-Down Bar
You can install an optional 5-inch (127 mm) tie-down bar on the rear of the ANSI chassis. You can use tie-wraps or other site-specific material to bundle the cabling and attach it to the bar so that you can more easily route the cable away from the rack.
Figure 1-36 shows the tie-down bar, the ONS 15454, and the rack.
Figure 1-36 Tie-Down Bar (figure: the tie-down bar mounted on the rear of the ONS 15454 in the rack)
1.11.3 Coaxial Cable Management
Coaxial cables connect to EIAs on the ONS 15454 backplane using cable connectors. EIAs feature cable-management eyelets for tie wrapping or lacing cables to the cover panel.
1.11.4 DS-1 Twisted-Pair Cable Management
Connect twisted-pair DS-1 cables to SMB EIAs on the ONS 15454 backplane using cable connectors and DS-1 EIAs (baluns).
1.11.5 AMP Champ Cable Management
EIAs have cable management eyelets to tie wrap or lace cables to the cover panel. Tie wrap or lace the AMP Champ cables according to local site practice and route the cables. If you configure the ONS 15454 for a 23-inch (584.2 mm) rack, two additional inches (50.8 mm) of cable management area are available on each side of the shelf assembly.
1.12 Alarm Expansion Panel
The optional ONS 15454 alarm expansion panel (AEP) can be used with the Alarm Interface Controller—International (AIC-I) card to provide an additional 48 dry alarm contacts for the ONS 15454, 32 of which are inputs and 16 are outputs. The AEP is a printed circuit board assembly that is installed on the backplane. Figure 1-37 shows the AEP board; the left connector is the input connector and the right connector is the output connector.
The AIC-I without an AEP already contains direct alarm contacts. These direct AIC-I alarm contacts are routed through the backplane to wire-wrap pins accessible from the back of the shelf. If you install an AEP, you cannot use the alarm contacts on the wire-wrap pins. For further information about the AIC-I, see the "2.8 AIC-I Card" section on page 2-29.
Figure 1-37 AEP Printed Circuit Board Assembly (figure: the AEP board with the Input Connector on the left and the Output Connector on the right)
Figure 1-38 shows the AEP block diagram.
Figure 1-38 AEP Block Diagram (figure: blocks for the AIC-I interface (wire wrapping) over TIA/EIA-485, the AEP/AIE CPLD, the In Alarm Relays, the Out Alarm Relays, the inventory data EEPROM and the power supply)
Each AEP alarm input port has a provisionable label and severity. The alarm inputs have optocoupler isolation. They share one common 48-VDC output and draw a maximum of 2 mA per input. Each opto metal oxide semiconductor (MOS) alarm output can operate on a definable alarm condition, with a maximum open-circuit voltage of 60 VDC and a maximum current of 100 mA. See the "2.8.2 External Alarms and Controls" section on page 2-31 for further information.
1.12.1 Wire-Wrap and Pin Connections
Figure 1-39 shows the wire-wrapping connections on the backplane.
Figure 1-39 AEP Wire-Wrap Connections to Backplane Pins (figure: the backplane pin field with its BITS, LAN, ENVIRONMENTAL ALARMS IN and IN/OUT, ACO, MODEM, CRAFT and LOCAL ALARMS VIS and AUD fields and frame-ground pins FG1 through FG12; the ten AEP cable wires, White, Black, Blue, Green, Slate, Violet, Orange, Yellow, Red and Brown, land on the backplane pins A1 through A10 listed in Table 1-24)
Table 1-24 shows the backplane pin assignments and corresponding signals on the AIC-I and AEP.
Table 1-24 Pin Assignments for the AEP
AEP Cable Wire   Backplane Pin   AIC-I Signal   AEP Signal
Black            A1              GND            AEP_GND
White            A2              AE_+5          AEP_+5
Slate            A3              VBAT–          VBAT–
Violet           A4              VB+            VB+
Blue             A5              AE_CLK_P       AE_CLK_P
Green            A6              AE_CLK_N       AE_CLK_N
Yellow           A7              AE_DIN_P       AE_DOUT_P
Orange           A8              AE_DIN_N       AE_DOUT_N
Red              A9              AE_DOUT_P      AE_DIN_P
Brown            A10             AE_DOUT_N      AE_DIN_N
Figure 1-40 is a circuit diagram of the alarm inputs (Inputs 1 and 32 are shown in the example).
Figure 1-40 Alarm Input Circuit Diagram (figure: station-side dry contacts, supplied with 48 V at a maximum of 2 mA, closing the circuit of the AEP/AIE inputs referenced to GND and VBAT–; the first and last inputs are drawn)
Table 1-25 lists the connections to the external alarm sources.
Table 1-25 Alarm Input Pin Association
AMP Champ Pin   Signal Name    AMP Champ Pin   Signal Name
1               ALARM_IN_1–    27              GND
2               GND            28              ALARM_IN_2–
3               ALARM_IN_3–    29              ALARM_IN_4–
4               ALARM_IN_5–    30              GND
5               GND            31              ALARM_IN_6–
6               ALARM_IN_7–    32              ALARM_IN_8–
7               ALARM_IN_9–    33              GND
8               GND            34              ALARM_IN_10–
9               ALARM_IN_11–   35              ALARM_IN_12–
10              ALARM_IN_13–   36              GND
11              GND            37              ALARM_IN_14–
12              ALARM_IN_15–   38              ALARM_IN_16–
13              ALARM_IN_17–   39              GND
14              GND            40              ALARM_IN_18–
15              ALARM_IN_19–   41              ALARM_IN_20–
16              ALARM_IN_21–   42              GND
17              GND            43              ALARM_IN_22–
18              ALARM_IN_23–   44              ALARM_IN_24–
19              ALARM_IN_25–   45              GND
20              GND            46              ALARM_IN_26–
21              ALARM_IN_27–   47              ALARM_IN_28–
22              ALARM_IN_29–   48              GND
23              GND            49              ALARM_IN_30–
24              ALARM_IN_31–   50              N.C.
25              ALARM_IN_+     51              GND1
26              ALARM_IN_0–    52              GND2
Figure 1-41 is a circuit diagram of the alarm outputs (Outputs 1 and 16 are shown in the example).
Figure 1-41 Alarm Output Circuit Diagram (figure: AEP/AIE Output 1 and Output 16 switching station-side loads of max. 60 V/100 mA)
Use the pin numbers in Table 1-26 to connect to the external elements being switched by external alarms.
Table 1-26 Pin Association for Alarm Output Pins
AMP Champ Pin   Signal Name   AMP Champ Pin   Signal Name
1               N.C.          27              COM_0
2               COM_1         28              N.C.
3               NO_1          29              NO_2
4               N.C.          30              COM_2
5               COM_3         31              N.C.
6               NO_3          32              NO_4
7               N.C.          33              COM_4
8               COM_5         34              N.C.
9               NO_5          35              NO_6
10              N.C.          36              COM_6
11              COM_7         37              N.C.
12              NO_7          38              NO_8
13              N.C.          39              COM_8
14              COM_9         40              N.C.
15              NO_9          41              NO_10
16              N.C.          42              COM_10
17              COM_11        43              N.C.
18              NO_11         44              NO_12
19              N.C.          45              COM_12
20              COM_13        46              N.C.
21              NO_13         47              NO_14
22              N.C.          48              COM_14
23              COM_15        49              N.C.
24              NO_15         50              N.C.
25              N.C.          51              GND1
26              NO_0          52              GND2
1.13 Filler Card
Filler cards are designed to occupy empty multiservice and AIC-I slots in the Cisco ONS 15454 (Slots 1–6, 9, and 12–17). The filler card cannot operate in the XC slots (Slots 8 and 10) or TCC slots (7 and 11). When installed, the filler card aids in maintaining proper air flow and EMI requirements.
Note There are two types of filler cards, a detectable version (Cisco P/N 15454-FILLER) and a non-detectable version (Cisco P/N 15454-BLANK). The detectable card has the label FILLER on the faceplate. The non-detectable card has no faceplate label. In Software Release 6.0 and greater, the former card is detectable through CTC when installed in the ONS 15454 shelf.
Figure 1-42 shows the faceplate of the detectable filler card. The filler cards have no card-level LED indicators.
Figure 1-42 Detectable Filler Card Faceplate (figure: faceplate bearing the FILLER label)
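Landing external alarm wiring on the wrong AMP Champ pin of the AEP fails silently: a door or environmental contact reports nothing and a control relay never switches. The following Python is an added example, not Cisco code, that embeds the rows of Tables 1-25 and 1-26 in section 1.12.1 above, derives the COM/NO pin pair of each output relay and the pin of each alarm input, and checks a proposed wiring plan against them. The row text is copied from the tables (the trailing en dash of ALARM_IN_n– is written as an ASCII hyphen); the wiring plan in the usage block is constructed.

```python
"""Wiring maps from the AEP AMP Champ pin tables (Tables 1-25 and 1-26).

Added example, not Cisco code. The row text is copied from the two tables;
the trailing en dash of ALARM_IN_n is written as an ASCII hyphen and rows
are separated by semicolons.
"""
from __future__ import annotations

import re

# Table 1-26 Pin Association for Alarm Output Pins: "pin signal pin signal" per row.
ALARM_OUTPUT_ROWS = (
    "1 N.C. 27 COM_0; 2 COM_1 28 N.C.; 3 NO_1 29 NO_2; 4 N.C. 30 COM_2; "
    "5 COM_3 31 N.C.; 6 NO_3 32 NO_4; 7 N.C. 33 COM_4; 8 COM_5 34 N.C.; "
    "9 NO_5 35 NO_6; 10 N.C. 36 COM_6; 11 COM_7 37 N.C.; 12 NO_7 38 NO_8; "
    "13 N.C. 39 COM_8; 14 COM_9 40 N.C.; 15 NO_9 41 NO_10; 16 N.C. 42 COM_10; "
    "17 COM_11 43 N.C.; 18 NO_11 44 NO_12; 19 N.C. 45 COM_12; 20 COM_13 46 N.C.; "
    "21 NO_13 47 NO_14; 22 N.C. 48 COM_14; 23 COM_15 49 N.C.; 24 NO_15 50 N.C.; "
    "25 N.C. 51 GND1; 26 NO_0 52 GND2"
)

# Table 1-25 Alarm Input Pin Association, same row format.
ALARM_INPUT_ROWS = (
    "1 ALARM_IN_1- 27 GND; 2 GND 28 ALARM_IN_2-; 3 ALARM_IN_3- 29 ALARM_IN_4-; "
    "4 ALARM_IN_5- 30 GND; 5 GND 31 ALARM_IN_6-; 6 ALARM_IN_7- 32 ALARM_IN_8-; "
    "7 ALARM_IN_9- 33 GND; 8 GND 34 ALARM_IN_10-; 9 ALARM_IN_11- 35 ALARM_IN_12-; "
    "10 ALARM_IN_13- 36 GND; 11 GND 37 ALARM_IN_14-; 12 ALARM_IN_15- 38 ALARM_IN_16-; "
    "13 ALARM_IN_17- 39 GND; 14 GND 40 ALARM_IN_18-; 15 ALARM_IN_19- 41 ALARM_IN_20-; "
    "16 ALARM_IN_21- 42 GND; 17 GND 43 ALARM_IN_22-; 18 ALARM_IN_23- 44 ALARM_IN_24-; "
    "19 ALARM_IN_25- 45 GND; 20 GND 46 ALARM_IN_26-; 21 ALARM_IN_27- 47 ALARM_IN_28-; "
    "22 ALARM_IN_29- 48 GND; 23 GND 49 ALARM_IN_30-; 24 ALARM_IN_31- 50 N.C.; "
    "25 ALARM_IN_+ 51 GND1; 26 ALARM_IN_0- 52 GND2"
)


def parse_pins(rows: str) -> dict[int, str]:
    """Turn the two-column rows into {pin: signal}, insisting on pins 1..52 once each."""
    pins: dict[int, str] = {}
    for row in rows.split(";"):
        left_pin, left_sig, right_pin, right_sig = row.split()
        for pin, signal in ((int(left_pin), left_sig), (int(right_pin), right_sig)):
            if pin in pins:
                raise ValueError(f"pin {pin} listed twice")
            pins[pin] = signal
    if sorted(pins) != list(range(1, 53)):
        raise ValueError("table does not cover AMP Champ pins 1..52 exactly once")
    return pins


def relay_pairs(pins: dict[int, str]) -> dict[int, tuple[int, int]]:
    """Map output relay n -> (COM_n pin, NO_n pin); a relay missing either is an error."""
    com: dict[int, int] = {}
    no: dict[int, int] = {}
    for pin, signal in pins.items():
        m = re.fullmatch(r"(COM|NO)_(\d+)", signal)
        if m:
            (com if m.group(1) == "COM" else no)[int(m.group(2))] = pin
    if com.keys() != no.keys():
        raise ValueError(f"relays without both COM and NO: {sorted(com.keys() ^ no.keys())}")
    return {n: (com[n], no[n]) for n in sorted(com)}


def input_pins(pins: dict[int, str]) -> dict[int, int]:
    """Map alarm input n -> the pin carrying ALARM_IN_n-; the common + pin is separate."""
    found: dict[int, int] = {}
    for pin, signal in pins.items():
        m = re.fullmatch(r"ALARM_IN_(\d+)-", signal)
        if m:
            found[int(m.group(1))] = pin
    return dict(sorted(found.items()))


def common_plus_pin(pins: dict[int, str]) -> int:
    """The single ALARM_IN_+ pin, the common side of the dry-contact inputs."""
    return next(pin for pin, signal in pins.items() if signal == "ALARM_IN_+")


def check_plan(plan: dict[int, str], pins: dict[int, str]) -> list[str]:
    """Compare a wiring plan {pin: intended signal} with the table; return the mistakes."""
    problems = []
    for pin, intended in sorted(plan.items()):
        actual = pins.get(pin)
        if actual is None:
            problems.append(f"pin {pin}: not on the connector")
        elif actual == "N.C.":
            problems.append(f"pin {pin}: not connected, but plan expects {intended}")
        elif actual != intended:
            problems.append(f"pin {pin}: carries {actual}, but plan expects {intended}")
    return problems


if __name__ == "__main__":
    outputs = parse_pins(ALARM_OUTPUT_ROWS)
    inputs = parse_pins(ALARM_INPUT_ROWS)
    print("relay 7 COM/NO pins:", relay_pairs(outputs)[7])
    print("input 0 pin:", input_pins(inputs)[0], "common + pin:", common_plus_pin(inputs))
    # Constructed wiring plan with one mistake: COM_7 landed on pin 10, an N.C. pin.
    print(check_plan({10: "COM_7", 12: "NO_7"}, outputs))
```

Relay 0 is the one irregular case the parser has to get right: its COM sits on pin 27 and its NO on pin 26, across the two columns, whereas every other relay's COM and NO are adjacent pins in one column. The parser also refuses a table that does not cover all 52 pins exactly once, which catches a row dropped or duplicated while copying the pinout into a site document.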
1.14 Filler Plus Cards
The Filler Plus card is designed to occupy empty I/O and AIC slots in the Cisco ONS 15454 (Slots 1–6, 9, and 12–17). The Filler Plus card cannot operate in the TCC slots (Slots 7 and 11) or the XC slots (Slots 8 and 10). This card is detectable through the management interfaces of the ONS 15454.
When installed, the Filler Plus card aids in maintaining proper air flow and EMI requirements. The fiber storage bracket lets fibers be pulled and plugged in ahead of card installation, and keeps fibers from dangling around the card installation area.
Figure 1-43 shows the faceplate of the Filler Plus card.
Figure 1-43 Filler Plus Card Faceplate
This card is mounted with fiber storage brackets and fibers ready for installation of an MRC-12 card in selected ONS 15454 nodes. The fiber storage bracket provides a holder for 12 LC fiber pairs suited to installing an MRC-12 card.
Figure 1-44 shows the Filler Plus card with the fiber storage bracket. The Filler Plus card has no card-level LED indicators.
Figure 1-44 Filler Plus Card with Fiber Storage Bracket
1.15 Fan-Tray Assembly
The fan-tray assembly is located at the bottom of the ONS 15454 bay assembly. The fan tray is a removable drawer that holds fans and fan-control circuitry for the ONS 15454. The front door can be left in place or removed before installing the fan-tray assembly. After you install the fan tray, you should only need to access it if a fan failure occurs or if you need to replace or clean the fan-tray air filter.
The front of the fan-tray assembly has an LCD screen that provides slot- and port-level information for all ONS 15454 card slots, including the number of Critical, Major, and Minor alarms. For optical cards, you can use the LCD to determine if a port is in working or protect mode and is active or standby. The LCD also tells you whether the software load is SONET or SDH and the software version number.
Note The 15454-SA-ANSI or 15454-SA-HD shelf assembly and 15454-FTA3 or 15454-CC-FTA fan-tray
assembly are required with any ONS 15454 that has XC10G or XC-VXC-10G cards.
Caution The 15454-FTA3-T fan-tray assembly can only be installed in ONS 15454 Release 3.1 and later shelf
assemblies (15454-SA-ANSI, P/N: 800-19857; 15454-SA-HD, P/N: 800-24848). The fan-tray assembly
has a pin that prevents it from being installed in ONS 15454 shelf assemblies released before ONS 15454
Release 3.1 (15454-SA-NEBS3E, 15454-SA-NEBS3, and 15454-SA-R1, P/N: 800-07149). Equipment
damage can result from attempting to install the 15454-FTA3 in a noncompatible shelf assembly.
Note 15454-CC-FTA is compatible with Software Release 2.2.2 and greater and shelf assemblies
15454-SA-HD and 15454-SA-ANSI.
Note The 15454-FTA3 is not I-temp compliant. To obtain an I-temp tray, install the 15454-FTA3-T or
15454-CC-FTA fan-tray assembly in an ONS 15454 Release 3.1 shelf assembly (15454-SA-ANSI or
15454-SA-HD). However, do not install the ONS 15454 XC10G cross-connect cards with the
15454-FTA2 fan-tray assembly.
1.15.1 Fan Tray Units for ONS 15454 Cards
Table 1-27 lists the applicable fan tray units supported for ONS 15454 cards in Release 9.1.
Table 1-27 Fan Tray Units for ONS 15454 Cards
ONS 15454 Card                                   15454E-FTA-48V (ETSI shelf) /   15454E-CC-FTA (ETSI shelf) /
                                                 15454-FTA3-T (ANSI shelf)       15454-CC-FTA (ANSI shelf)
TCC2/TCC2P                                       Yes                             Yes
XCVT                                             Yes                             Yes
XC10G                                            Yes                             Yes
XC-VXC-10G                                       Yes                             Yes
AIC-I                                            Yes                             Yes
EC1-12                                           Yes                             Yes
DS1-14                                           Yes                             Yes
DS1N-14                                          Yes                             Yes
DS1/E1-56                                        Yes                             Yes
DS3-12                                           Yes                             Yes
DS3N-12                                          Yes                             Yes
DS3/EC1-48                                       Yes                             Yes
DS3i-N-12                                        Yes                             Yes
DS3-12E                                          Yes                             Yes
DS3N-12E                                         Yes                             Yes
DS3XM-6                                          Yes                             Yes
DS3XM-12                                         Yes                             Yes
OC3 IR 4 SH 1310                                 Yes                             Yes
OC3 IR 4/STM1 SH 1310                            Yes                             Yes
OC3 IR/STM1 SH 1310-8                            Yes                             Yes
OC12 IR 1310                                     Yes                             Yes
OC12 IR/STM4 SH 1310                             Yes                             Yes
OC12 LR 1310                                     Yes                             Yes
OC12 LR/STM4 LH 1310                             Yes                             Yes
OC12 LR 1550                                     Yes                             Yes
OC12 LR/STM4 LH 1550                             Yes                             Yes
OC12 IR/STM4 SH 1310-4                           Yes                             Yes
OC48 IR 1310                                     Yes                             Yes
OC48 LR 1550                                     Yes                             Yes
OC48 IR/STM16 SH AS 1310                         Yes                             Yes
OC48 LR/STM16 LH AS 1550                         Yes                             Yes
OC48 ELR/STM16 EH 100 GHz                        Yes                             Yes
OC48 ELR 200 GHz                                 Yes                             Yes
OC192 SR/STM64 IO 1310                           Yes                             Yes
OC192 IR/STM64 SH 1550                           Yes                             Yes
OC192 LR/STM64 LH 1550                           Yes                             Yes
OC192 LR/STM64 LH ITU 15xx.xx                    Yes                             Yes
15454_MRC-12                                     Yes                             Yes
MRC-2.5G-4                                       Yes                             Yes
OC192SR1/STM64IO Short Reach and
OC192/STM64 Any Reach                            Yes                             Yes
E100T-12                                         Yes                             Yes
E100T-G                                          Yes                             Yes
E1000-2                                          Yes                             Yes
E1000-2-G                                        Yes                             Yes
G1K-4                                            Yes                             Yes
M100T-12                                         Yes                             Yes
M100X-8                                          Yes                             Yes
M1000-2                                          Yes                             Yes
ML-MR-10                                         No                              Yes
CE-100T-8                                        Yes                             Yes
CE-MR-10                                         No                              Yes
CE-1000-4                                        Yes                             Yes
FC_MR-4                                          Yes                             Yes
1.15.2 Fan Speed
Fan speed is controlled by TCC2/TCC2P card temperature sensors. The sensors measure the input air temperature at the fan-tray assembly. Fan speed options are low, medium, and high. If the TCC2/TCC2P card fails, the fans automatically shift to high speed. The temperature measured by the TCC2/TCC2P sensors is displayed on the LCD screen. To view the temperature in CTC, see the "1.17 Shelf Voltage and Temperature" section on page 1-69.
1.15.3 Fan Failure
If one or more fans fail on the fan-tray assembly, replace the entire assembly. You cannot replace individual fans. The red Fan Fail LED on the front of the fan tray illuminates when one or more fans fail. For fan tray replacement instructions, refer to the Cisco ONS 15454 Troubleshooting Guide. The red Fan Fail LED clears after you install a working fan tray.
Caution As with the FTA3, the 15454-CC-FTA Fan Fail LED on the front of the fan-tray assembly illuminates when one or more fans fail, to indicate that a fan-tray assembly or AIP replacement is required. But the Fan Fail LED on the 15454-CC-FTA also illuminates when only one power source is connected to the chassis, or when any fuse blows. In these conditions the Fan Alarm is triggered and the fans run at maximum speed.
1.15.4 Air Filter
The ONS 15454 contains a reusable air filter (model 15454-FTF2) that is installed either beneath the fan-tray assembly or in the optional external filter brackets. Earlier versions of the ONS 15454 used a disposable air filter that is installed beneath the fan-tray assembly only. However, the reusable air filter is backward compatible.
The reusable filter is made of a gray, open-cell, polyurethane foam that is specially coated to provide fire and fungi resistance. All versions of the ONS 15454 can use the reusable air filter. Spare filters should be kept in stock.
Caution Do not operate an ONS 15454 without the mandatory fan-tray air filter.
Caution Inspect the air filter every 30 days, and clean the filter every three to six months. Replace the air filter
every two to three years. Avoid cleaning the air filter with harsh cleaning agents or solvents. Refer to the
Cisco ONS 15454 Troubleshooting Guide for information about cleaning and maintaining the fan-tray
air filter.
1.15.5 Pilot Fuse
The pilot fuse in the fan-tray assembly allows you to blow a low-rate fuse when the main fuse of the lower-power battery is not installed in the equipment.
CC-FTAs 15454-CC-FTA 800-27558-01 and 15454-CC-FTA 800-27561-01 can automatically generate an electrical pulse (without external commands) at power-on and about every 25 to 35 minutes in order to drain extra current from both batteries. The amount of current and the duration of the pulse that the CC-FTA can generate is suitable to blow the fuses listed in Table 1-28. Similar to the CC-FTA, 15454-FTA3-T 800-23907-01 and 800-23907-05 can also operate the pilot fuses listed in Table 1-28 when the main fuse is missing. Unlike the CC-FTA, the FTA3-T alternately drains current from the two batteries every 50 to 100 msec to feed the fans.
This is accomplished in the I-temp range (-40°C to +65°C) in either of these conditions:
• When the lower-power battery is in the 43.0 V to 60.0 V range and the higher-power battery is more than 1 V greater than the lower-power battery, or
• When the lower-power battery is in the 40.0 V to 60.0 V range and the difference between the two batteries does not exceed 0.5 V.
Table 1-28 Pilot Fuse Ratings
Type of Fuse             Current Rating
Bussmann GMT-18/100A     18/100 A
Bussmann GMT-1/4A        1/4 A
Bussmann 70E             18/100 A
Bussmann 70F             1/4 A
1.16 Power and Ground Description
Ground the equipment according to Telcordia standards or local practices.
Cisco recommends the following wiring conventions, but customer conventions prevail:
• Red wire for battery connections (–48 VDC)
• Black wire for battery return connections (0 VDC)
• The battery return connection is treated as DC-I, as defined in GR-1089-CORE, issue 3.
Note For detailed instructions on grounding the chassis, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.
The ONS 15454 has redundant –48 VDC #8 power terminals on the shelf-assembly backplane. The terminals are labeled BAT1, RET1, BAT2, and RET2 and are located on the lower section of the backplane behind a clear plastic cover.
To install redundant power feeds, use four power cables and one ground cable. For a single power feed, only two power cables (#10 AWG, 2.588 mm [0.1018 inch] diameter, copper conductor, 194°F [90°C]) and one ground cable (#6 AWG, 4.115 mm [0.162 inch] diameter) are required. Use a conductor with low impedance to ensure circuit overcurrent protection. However, the conductor must have the capability to safely conduct any fault current that might be imposed.
The existing ground post is a #10-32 bolt. The nut provided for a field connection is also a #10 AWG (2.588 mm [0.1018 inch]), with an integral lock washer. The lug must be a dual-hole type and rated to accept the #6 AWG (4.115 mm [0.162 inch]) cable. Two posts are provided on the Cisco ONS 15454 to accommodate the dual-hole lug. Figure 1-45 shows the location of the ground posts.
Figure 1-45 Ground Posts on the ONS 15454 Backplane (figure: the two FRAME GROUND posts on the backplane, where the #6 AWG ground cable attaches)
1.17 Shelf Voltage and Temperature
Note The temperature measured by the TCC2/TCC2P sensors appears on the LCD screen in the ONS 15454 chassis.
The input voltages and temperature of the ONS 15454 chassis are displayed in the Shelf view > Provisioning > General > Voltage/Temperature pane in CTC. The voltage supplied to the shelf (in millivolts) is displayed in the Voltage area of the Voltage/Temperature pane. The temperature of the shelf (in degrees Celsius) is displayed in the Temperature area of the pane.
The Voltage/Temperature pane retrieves the following values for the ONS 15454 chassis:
• Voltage A—Voltage of the shelf that corresponds to power supply A, in millivolts.
• Voltage B—Voltage of the shelf that corresponds to power supply B, in millivolts.
• Chassis Temperature—Temperature of the shelf, in degrees Celsius.
In a multishelf configuration, the voltage and temperature of each shelf are displayed in the Shelf view > Provisioning > General > Voltage/Temperature pane.
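The two pilot-fuse battery conditions in section 1.15.5 and the Voltage A, Voltage B and Chassis Temperature values that the CTC Voltage/Temperature pane reports are easy to misjudge by hand. The following Python is an added example, not Cisco code, that takes those three readings as CTC presents them (millivolts and degrees Celsius) and evaluates the manual's two conditions, plus the CC-FTA single-feed case from section 1.15.3 that lights the Fan Fail LED. The ShelfReading type, the 40 V feed-present threshold and the sample readings are this example's own assumptions.

```python
"""Battery-feed checks from the CTC Voltage/Temperature pane.

Added example, not Cisco code. Takes Voltage A, Voltage B (millivolts, as CTC
shows them) and Chassis Temperature (degrees Celsius) and evaluates the two
battery conditions the manual gives for the CC-FTA / FTA3-T pilot-fuse pulse,
plus the CC-FTA single-feed condition that lights the Fan Fail LED. The
ShelfReading type and the 40 V feed-present threshold are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

I_TEMP_RANGE_C = (-40.0, 65.0)  # I-temp range stated in the pilot-fuse section
FEED_PRESENT_V = 40.0           # assumption: a feed reading below this is treated as absent


@dataclass(frozen=True)
class ShelfReading:
    voltage_a_mv: int      # CTC "Voltage A" (power supply A), millivolts
    voltage_b_mv: int      # CTC "Voltage B" (power supply B), millivolts
    chassis_temp_c: float  # CTC "Chassis Temperature", degrees Celsius


def feed_volts(millivolts: int) -> float:
    """Millivolts to volts as a magnitude; the plant is -48 VDC and the manual does
    not say whether CTC shows the sign, so signed and unsigned readings both work."""
    return abs(millivolts) / 1000.0


def feeds_present(reading: ShelfReading) -> tuple[bool, bool]:
    """(feed A present, feed B present) against the assumed threshold."""
    return (feed_volts(reading.voltage_a_mv) >= FEED_PRESENT_V,
            feed_volts(reading.voltage_b_mv) >= FEED_PRESENT_V)


def cc_fta_fan_fail_expected(reading: ShelfReading) -> bool:
    """The CC-FTA Fan Fail LED also lights when only one power source is connected."""
    a_present, b_present = feeds_present(reading)
    return a_present != b_present


def pilot_fuse_pulse_possible(reading: ShelfReading) -> bool:
    """Manual's conditions for the pilot-fuse pulse, within the I-temp range:
    (1) lower battery 43.0 V to 60.0 V and the higher battery more than 1 V above it, or
    (2) lower battery 40.0 V to 60.0 V and the two batteries within 0.5 V of each other."""
    low_c, high_c = I_TEMP_RANGE_C
    if not low_c <= reading.chassis_temp_c <= high_c:
        return False
    lower, higher = sorted((feed_volts(reading.voltage_a_mv),
                            feed_volts(reading.voltage_b_mv)))
    delta = higher - lower
    condition_1 = 43.0 <= lower <= 60.0 and delta > 1.0
    condition_2 = 40.0 <= lower <= 60.0 and delta <= 0.5
    return condition_1 or condition_2


def assess(reading: ShelfReading) -> dict[str, bool]:
    """Summary of the checks above for one reading."""
    return {
        "both_feeds_present": all(feeds_present(reading)),
        "cc_fta_fan_fail_expected": cc_fta_fan_fail_expected(reading),
        "pilot_fuse_pulse_possible": pilot_fuse_pulse_possible(reading),
    }


if __name__ == "__main__":
    # Constructed readings: a healthy plant, a 0.8 V mismatch that satisfies
    # neither condition, and a shelf with feed B missing.
    for sample in (ShelfReading(48000, 48000, 25.0),
                   ShelfReading(48000, 48800, 25.0),
                   ShelfReading(48000, 0, 25.0)):
        print(sample, assess(sample))
```

The second sample shows the gap in the manual's rule: a mismatch larger than 0.5 V but not above 1 V satisfies neither condition, so a pilot-fuse pulse is not expected even though both feeds are healthy. A shelf with only one feed connected is flagged for the CC-FTA Fan Fail LED before anyone orders a replacement fan tray.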
1.18 Alarm, Timing, LAN, and Craft Pin Connections
Caution Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed
instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD)
and Grounding Guide.
The ONS 15454 has a backplane pin field located at the bottom of the backplane. The backplane pin field provides 0.045-inch (1.14 mm) square wire-wrap pins for enabling external alarms, timing input and output, and craft interface terminals. This section describes the backplane pin field and the pin assignments for the field. Figure 1-46 shows the wire-wrap pins on the backplane pin field. Beneath each wire-wrap pin is a frame ground pin. Frame ground pins are labeled FG1, FG2, FG3, etc. Install the ground shield of the cables connected to the backplane to the ground pin that corresponds to the pin field used.
Note The AIC-I requires a shelf assembly running Software Release 3.4.0 or later. The backplane of the ANSI shelf contains a wire-wrap field with pin assignments according to the layout in Figure 1-46. The shelf assembly might be an existing shelf that has been upgraded to R3.4 or later. In this case the backplane pin labeling appears as indicated in Figure 1-47 on page 1-72. But you must use the pin assignments provided by the AIC-I as shown in Figure 1-46.
Figure 1-46 ONS 15454 Backplane Pinouts (Release 3.4 or Later)
(figure: the backplane wire-wrap pin field with its BITS, LAN, ENVIRONMENTAL ALARMS IN and IN/OUT, ACO, MODEM, CRAFT and LOCAL ALARMS VIS and AUD fields; pins are numbered in rows across columns A and B, and frame-ground pins FG1 through FG12 sit beneath the fields)
Field                         Pin              Function
BITS                          A1               BITS Output 2 negative (–)
                              B1               BITS Output 2 positive (+)
                              A2               BITS Input 2 negative (–)
                              B2               BITS Input 2 positive (+)
                              A3               BITS Output 1 negative (–)
                              B3               BITS Output 1 positive (+)
                              A4               BITS Input 1 negative (–)
                              B4               BITS Input 1 positive (+)
LAN, connecting to a hub      A1               RJ-45 pin 2 TX–
or switch                     B1               RJ-45 pin 1 TX+
                              A2               RJ-45 pin 6 RX–
                              B2               RJ-45 pin 3 RX+
LAN, connecting to a          A1               RJ-45 pin 6 TX–
PC/workstation or router      B1               RJ-45 pin 3 TX+
                              A2               RJ-45 pin 2 RX–
                              B2               RJ-45 pin 1 RX+
CRAFT                         A1               Receive (PC pin #2)
                              A2               Transmit (PC pin #3)
                              A3               Ground (PC pin #5)
                              A4               DTR (PC pin #4)
ACO                           A1/B1            Normally open ACO pair
LOCAL ALARMS AUD              A1/B1            Alarm output pair number 1: Remote audible alarm
(Audible), N/O                A2/B2            Alarm output pair number 2: Critical audible alarm
                              A3/B3            Alarm output pair number 3: Major audible alarm
                              A4/B4            Alarm output pair number 4: Minor audible alarm
LOCAL ALARMS VIS              A1/B1            Alarm output pair number 1: Remote visual alarm
(Visual), N/O                 A2/B2            Alarm output pair number 2: Critical visual alarm
                              A3/B3            Alarm output pair number 3: Major visual alarm
                              A4/B4            Alarm output pair number 4: Minor visual alarm
ENVIR ALARMS IN/OUT, N/O      A1/A13, B1/B13   Normally open output pair number 1
                              A2/A14, B2/B14   Normally open output pair number 2
                              A3/A15, B3/B15   Normally open output pair number 3
                              A4/A16, B4/B16   Normally open output pair number 4
ENVIR ALARMS IN               A1/B1            Alarm input pair number 1: Reports closure on connected wires
                              A2/B2            Alarm input pair number 2: Reports closure on connected wires
                              A3/B3            Alarm input pair number 3: Reports closure on connected wires
                              A4/B4            Alarm input pair number 4: Reports closure on connected wires
                              A5/B5            Alarm input pair number 5: Reports closure on connected wires
                              A6/B6            Alarm input pair number 6: Reports closure on connected wires
                              A7/B7            Alarm input pair number 7: Reports closure on connected wires
                              A8/B8            Alarm input pair number 8: Reports closure on connected wires
                              A9/B9            Alarm input pair number 9: Reports closure on connected wires
                              A10/B10          Alarm input pair number 10: Reports closure on connected wires
                              A11/B11          Alarm input pair number 11: Reports closure on connected wires
                              A12/B12          Alarm input pair number 12: Reports closure on connected wires
Note If you are using an AIC-I card, contacts provisioned as OUT are 1-4. Contacts provisioned as IN are 13-16.
Figure 1-47 ONS 15454 Backplane Pinouts
1.18.1 Alarm Contact Connections
The alarm pin field supports up to 17 alarm contacts, including four audible alarms, four visual alarms,
one alarm cutoff (ACO), and four user-definable alarm input and output contacts.
Audible alarm contacts are in the LOCAL ALARM AUD pin field and visual contacts are in the LOCAL
ALARM VIS pin field. Both of these alarms are in the LOCAL ALARMS category. User-definable
contacts are in the ENVIR ALARM IN (external alarm) and ENVIR ALARM OUT (external control)
pin fields. These alarms are in the ENVIR ALARMS category; you must have the AIC-I card installed
to use the ENVIR ALARMS. Alarm contacts are Normally Open (N/O), meaning that the system closes
the alarm contacts when the corresponding alarm conditions are present. Each alarm contact consists of
two wire-wrap pins on the shelf assembly backplane. Visual and audible alarm contacts are classified as
critical, major, minor, and remote. Figure 1-47 shows alarm pin assignments.
Figure 1-47 (backplane pinouts), page 1-73 portion of the figure. Pin fields and functions recoverable from the figure:
Field | Pin | Function
BITS | A1 | BITS Output 2 negative (-)
BITS | B1 | BITS Output 2 positive (+)
BITS | A2 | BITS Input 2 negative (-)
BITS | B2 | BITS Input 2 positive (+)
BITS | A3 | BITS Output 1 negative (-)
BITS | B3 | BITS Output 1 positive (+)
BITS | A4 | BITS Input 1 negative (-)
BITS | B4 | BITS Input 1 positive (+)
LAN | A1, B1, A2, B2 | RJ-45 TX/RX pins; the mapping differs for a hub or switch and for a PC/workstation or router (see Table 1-30)
ENVIR ALARMS OUT (N/O) | A1/B1 | Normally open output pair number 1
ENVIR ALARMS OUT (N/O) | A2/B2 | Normally open output pair number 2
ENVIR ALARMS OUT (N/O) | A3/B3 | Normally open output pair number 3
ENVIR ALARMS OUT (N/O) | A4/B4 | Normally open output pair number 4
ENVIR ALARMS IN | A1/B1 through A4/B4 | Alarm input pairs 1 through 4: Reports closure on connected wires
ACO | A1/B1 | Normally open ACO pair
CRAFT | A1 | Receive (PC pin #2)
CRAFT | A2 | Transmit (PC pin #3)
CRAFT | A3 | Ground (PC pin #5)
CRAFT | A4 | DTR (PC pin #4)
LOCAL ALARMS AUD (Audible, N/O) | A1/B1 | Alarm output pair number 1: Remote audible alarm
LOCAL ALARMS AUD (Audible, N/O) | A2/B2 | Alarm output pair number 2: Critical audible alarm
LOCAL ALARMS AUD (Audible, N/O) | A3/B3 | Alarm output pair number 3: Major audible alarm
LOCAL ALARMS AUD (Audible, N/O) | A4/B4 | Alarm output pair number 4: Minor audible alarm
LOCAL ALARMS VIS (Visual, N/O) | A1/B1 | Alarm output pair number 1: Remote visual alarm
LOCAL ALARMS VIS (Visual, N/O) | A2/B2 | Alarm output pair number 2: Critical visual alarm
LOCAL ALARMS VIS (Visual, N/O) | A3/B3 | Alarm output pair number 3: Major visual alarm
LOCAL ALARMS VIS (Visual, N/O) | A4/B4 | Alarm output pair number 4: Minor visual alarm
Pin-field labels printed along the backplane: ENVIR ALARMS IN, ENVIR ALARMS OUT, ACO, X.25 MODEM, CRAFT, LOCAL ALARMS VIS, LOCAL ALARMS AUD, TBOS, BITS, LAN; frame-ground pins FG1 through FG12; each field has pin rows 1 through 4 in columns A and B.
Visual and audible alarms are typically wired to trigger an alarm light or bell at a central alarm collection
point when the corresponding contacts are closed. You can use the Alarm Cutoff pins to activate a remote
ACO for audible alarms. You can also activate the ACO function by pressing the ACO button on the
TCC2/TCC2P card faceplate. The ACO function clears all audible alarm indications. After clearing the
audible alarm indication, the alarm is still present and viewable in the Alarms tab in CTC. For more
information, see the “2.8.2 External Alarms and Controls” section on page 2-31.
1.18.2 Timing Connections
The ONS 15454 backplane supports two building integrated timing supply (BITS) clock pin fields. The
first four BITS pins, rows 3 and 4, support output and input from the first external timing device. The
last four BITS pins, rows 1 and 2, perform the identical functions for the second external timing device.
Table 1-29 lists the pin assignments for the BITS timing pin fields.
Note For timing connection, use 100-ohm shielded BITS clock cable pair #22 or #24 AWG (0.51 mm² [0.020
inch] or 0.64 mm² [0.0252 inch]), twisted-pair T1-type.
Note Refer to Telcordia SR-NWT-002224 for rules about provisioning timing references.
For more information, see Chapter 10, “Timing.”
1.18.3 LAN Connections
Use the LAN pins on the ONS 15454 backplane to connect the ONS 15454 to a workstation or Ethernet
LAN, or to a LAN modem for remote access to the node. You can also use the LAN port on the
TCC2/TCC2P card faceplate to connect a workstation or to connect the ONS 15454 to the network.
Table 1-30 shows the LAN pin assignments.
Before you can connect an ONS 15454 to other ONS 15454s or to a LAN, you must change the default
IP address that is shipped with each ONS 15454 (192.1.0.2).
Table 1-29 BITS External Timing Pin Assignments
External Device | Contact | Tip and Ring | Function
First external device | A3 (BITS 1 Out) | Primary ring (–) | Output to external device
First external device | B3 (BITS 1 Out) | Primary tip (+) | Output to external device
First external device | A4 (BITS 1 In) | Secondary ring (–) | Input from external device
First external device | B4 (BITS 1 In) | Secondary tip (+) | Input from external device
Second external device | A1 (BITS 2 Out) | Primary ring (–) | Output to external device
Second external device | B1 (BITS 2 Out) | Primary tip (+) | Output to external device
Second external device | A2 (BITS 2 In) | Secondary ring (–) | Input from external device
Second external device | B2 (BITS 2 In) | Secondary tip (+) | Input from external device
1.18.4 TL1 Craft Interface Installation
You can use the craft pins on the ONS 15454 backplane or the EIA/TIA-232 port on the TCC2/TCC2P
card faceplate to create a VT100 emulation window to serve as a TL1 craft interface to the ONS 15454.
Use a straight-through cable to connect to the EIA/TIA-232 port. Table 1-31 shows the pin assignments
for the CRAFT pin field.
Note You cannot use the craft backplane pins and the EIA/TIA-232 port on the TCC2/TCC2P card
simultaneously.
Note To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the
backplane port wire-wrap pin must be connected and active.
1.19 Cards and Slots
ONS 15454 cards have electrical plugs at the back that plug into electrical connectors on the shelf-assembly
backplane. When the ejectors are fully closed, the card plugs into the assembly backplane. Figure 1-48 shows
card installation.
Table 1-30 LAN Pin Assignments
Pin Field | Backplane Pins | RJ-45 Pins
LAN 1, connecting to data circuit-terminating equipment (DCE(1), a hub or switch) | B2 | 1
LAN 1 (DCE) | A2 | 2
LAN 1 (DCE) | B1 | 3
LAN 1 (DCE) | A1 | 6
LAN 1, connecting to data terminal equipment (DTE) (a PC/workstation or router) | B1 | 1
LAN 1 (DTE) | A1 | 2
LAN 1 (DTE) | B2 | 3
LAN 1 (DTE) | A2 | 6
1. The Cisco ONS 15454 is DCE.
Table 1-31 Craft Interface Pin Assignments
Pin Field | Contact | Function
Craft | A1 | Receive
Craft | A2 | Transmit
Craft | A3 | Ground
Craft | A4 | DTR
Figure 1-48 Installing Cards in the ONS 15454
1.19.1 Card Slot Requirements
The ONS 15454 shelf assembly has 17 card slots numbered sequentially from left to right. Slots 1 to 6 and 12 to 17 are multiservice
slots that are used for electrical, optical, and Ethernet cards (traffic cards). Card compatibility depends on the EIA, protection
scheme, and cross-connect card type used in the shelf. Refer to the “3.1.2 Card Compatibility” section on page 3-3 for more
detailed compatibility information.
Slots 7 and 11 are dedicated to TCC2/TCC2P cards. Slots 8 and 10 are dedicated to cross-connect (XCVT, XC10G, and
XC-VXC-10G) cards. Slot 9 is reserved for the optional AIC-I card. Slots 3 and 15 can also host electrical cards that are used for
1:N protection. (See the “7.1 Electrical Card Protection” section on page 7-1 for a list of electrical cards that can operate as protect
cards.)
Figure 1-48 (installing cards) labels recoverable from the figure: FAN FAIL, CRIT, MAJ, and MIN indicators; Ejector; Guide rail.
Caution Do not operate the ONS 15454 with a single TCC2/TCC2P card or a single XCVT/XC10G/XC-VXC-10G card installed. Always
operate the shelf assembly with one working and one protect card of the same type.
Shelf assembly slots have symbols indicating the type of cards that you can install in them. Each ONS 15454 card has a
corresponding symbol. The symbol on the card must match the symbol on the slot.
Table 1-32 shows the slot and card symbol definitions.
Note Protection schemes and EIA types can affect slot compatibility.
Table 1-33 lists the number of ports, line rates, connector options, and connector locations for ONS 15454 optical and electrical
cards.
Table 1-32 Slot and Card Symbols
Symbol Color/Shape | Definition
Orange/Circle | Slots 1 to 6 and 12 to 17. Only install ONS 15454 cards with a circle symbol on the faceplate.
Blue/Triangle | Slots 5, 6, 12, and 13. Only install ONS 15454 cards with a circle or a triangle symbol on the faceplate.
Purple/Square | TCC2/TCC2P slot, Slots 7 and 11. Only install ONS 15454 cards with a square symbol on the faceplate.
Green/Cross | Cross-connect (XCVT/XC10G) slot, Slots 8 and 10. Only install ONS 15454 cards with a cross symbol on the faceplate.
Red/P | Protection slot in 1:N protection schemes.
Red/Diamond | AIC-I slot (Slot 9). Only install ONS 15454 cards with a diamond symbol on the faceplate.
Gold/Star | Slots 1 to 4 and 14 to 17. Only install ONS 15454 cards with a star symbol on the faceplate.
Blue/Hexagon | (Only used with the 15454-SA-HD shelf assembly) Slots 3 and 15. Only install ONS 15454 cards with a blue hexagon symbol on the faceplate.
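An added example (not Cisco's code and not from this manual): a Python audit of a shelf inventory against the slot rules above and the Table 1-32 symbols, useful when checking a card layout before it is physically installed. The inventory format, the Card record, and the faceplate symbols given to the sample cards are assumptions of this example.

```python
"""Shelf-slot audit for section 1.19.1 and Table 1-32 (added example, not Cisco code).
Rules: slots 7/11 take only TCC2/TCC2P, slots 8/10 only XCVT/XC10G/XC-VXC-10G, slot 9
only the optional AIC-I, slots 3/15 host 1:N electrical protect cards, and a TCC pair and
an XC pair of the same type are mandatory. Inventory format and symbols are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

TCC_CARDS = {"TCC2", "TCC2P"}
XC_CARDS = {"XCVT", "XC10G", "XC-VXC-10G"}
PROTECT_1N_SLOTS = {3, 15}
SLOT_SYMBOLS = {  # Table 1-32: which faceplate symbols each slot accepts
    "circle": set(range(1, 7)) | set(range(12, 18)),
    "triangle": {5, 6, 12, 13},
    "square": {7, 11}, "cross": {8, 10}, "diamond": {9},
    "star": {1, 2, 3, 4, 14, 15, 16, 17},
    "P": PROTECT_1N_SLOTS,
    "hexagon": {3, 15},   # only on the 15454-SA-HD shelf assembly
}


@dataclass(frozen=True)
class Card:
    slot: int
    name: str
    symbol: str                # symbol printed on the card faceplate
    protect_1n: bool = False   # provisioned as a 1:N electrical protect card


def slot_symbols(shelf: str) -> Dict[int, Set[str]]:
    """Symbols each slot accepts; the hexagon applies only to the SA-HD shelf."""
    accept: Dict[int, Set[str]] = {s: set() for s in range(1, 18)}
    for sym, slots in SLOT_SYMBOLS.items():
        if sym == "hexagon" and shelf != "SA-HD":
            continue
        for s in slots:
            accept[s].add(sym)
    return accept


def _check_pair(by_slot: Dict[int, Card], slots, allowed: Set[str],
                label: str, findings: List[str]) -> None:
    """Caution in 1.19.1: a working and a protect card of the same type, never one."""
    present = [by_slot[s] for s in slots if s in by_slot]
    for c in present:
        if c.name not in allowed:
            findings.append(f"slot {c.slot}: expected a {label} card, found {c.name}")
    good = [c for c in present if c.name in allowed]
    if len(good) < 2:
        findings.append(f"{label}: only {len(good)} card(s) in slots {slots}; "
                        "a working and a protect card are required")
    elif good[0].name != good[1].name:
        findings.append(f"{label}: working/protect mismatch "
                        f"({good[0].name} vs {good[1].name})")


def audit_shelf(cards: List[Card], shelf: str = "SA-HD") -> List[str]:
    """Return the rule violations found; an empty list means the layout is valid."""
    findings: List[str] = []
    by_slot: Dict[int, Card] = {}
    for c in cards:
        if not 1 <= c.slot <= 17:
            findings.append(f"{c.name}: slot {c.slot} does not exist (1-17)")
        elif c.slot in by_slot:
            findings.append(f"slot {c.slot}: listed twice ({by_slot[c.slot].name}, {c.name})")
        else:
            by_slot[c.slot] = c
    accept = slot_symbols(shelf)
    for c in by_slot.values():
        if c.symbol not in accept[c.slot]:
            findings.append(f"slot {c.slot}: {c.name} symbol '{c.symbol}' not accepted "
                            f"(slot takes {sorted(accept[c.slot])})")
        if c.name in TCC_CARDS and c.slot not in (7, 11):
            findings.append(f"slot {c.slot}: {c.name} belongs only in slot 7 or 11")
        if c.name in XC_CARDS and c.slot not in (8, 10):
            findings.append(f"slot {c.slot}: {c.name} belongs only in slot 8 or 10")
        if c.name == "AIC-I" and c.slot != 9:
            findings.append(f"slot {c.slot}: AIC-I belongs only in slot 9")
        if c.protect_1n and c.slot not in PROTECT_1N_SLOTS:
            findings.append(f"slot {c.slot}: 1:N protect card must sit in slot 3 or 15")
    _check_pair(by_slot, (7, 11), TCC_CARDS, "TCC2/TCC2P", findings)
    _check_pair(by_slot, (8, 10), XC_CARDS, "cross-connect", findings)
    nine = by_slot.get(9)
    if nine is not None and nine.name != "AIC-I":
        findings.append(f"slot 9: reserved for AIC-I, found {nine.name}")
    return findings


# Constructed sample inventories (not from the manual); faceplate symbols are assumed.
GOOD_SHELF = [
    Card(7, "TCC2P", "square"), Card(11, "TCC2P", "square"),
    Card(8, "XC10G", "cross"), Card(10, "XC10G", "cross"), Card(9, "AIC-I", "diamond"),
    Card(1, "DS1-14", "circle"), Card(3, "DS1N-14", "circle", protect_1n=True),
    Card(5, "OC48 IR 1310", "triangle"),
]
BAD_SHELF = [
    Card(7, "TCC2", "square"),                              # no protect TCC in slot 11
    Card(8, "XC10G", "cross"), Card(10, "XCVT", "cross"),   # mismatched XC pair
    Card(4, "DS1N-14", "circle", protect_1n=True),          # protect card outside 3/15
    Card(14, "TCC2", "square"),                             # TCC in a traffic slot
]
```

Calling audit_shelf(GOOD_SHELF) returns an empty list, while audit_shelf(BAD_SHELF) returns one finding per violated rule, including the single-TCC and mismatched-XC conditions the Caution above warns about.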
Table 1-33 Card Ports, Line Rates, and Connectors
Card | Ports | Line Rate per Port | Connector Types | Connector Location
DS1-14 | 14 | 1.544 Mbps | SMB w/wire wrap adapter, AMP Champ connector | Backplane
DS1N-14 | 14 | 1.544 Mbps | SMB w/wire wrap adapter, AMP Champ connector(1) | —
DS1/E1-56 | 56 | 1.544 Mbps | SMB w/wire wrap adapter, AMP Champ connector(2) | —
DS3-12 | 12 | 44.736 Mbps | SMB or BNC(1) | Backplane
DS3N-12 | 12 | 44.736 Mbps | SMB or BNC(1) | —
DS3-12E | 12 | 44.736 Mbps | SMB or BNC(1) | Backplane
DS3N-12E | 12 | 44.736 Mbps | SMB or BNC(1) | —
DS3XM-6 | 6 | 44.736 Mbps | SMB or BNC(1) | Backplane
DS3XM-12 | 12 | 89.472 Mbps | SMB or BNC(1) | Backplane
DS3/EC1-48 | 48 | 2.147 Gbps | SMB or BNC | Backplane
EC1-12 | 12 | 51.84 Mbps | SMB or BNC(1) | Backplane
E100T-12 | 12 | 100 Mbps | RJ-45 | Faceplate
E1000-2 | 2 | 1 Gbps | SC (GBIC) | Faceplate
E100T-G | 12 | 100 Mbps | RJ-45 | Faceplate
E1000-2-G | 2 | 1 Gbps | SC (GBIC) | Faceplate
G1K-4 | 4 | 1 Gbps | SC (GBIC) | Faceplate
ML100T-12 | 12 | 100 Mbps | RJ-45 | Faceplate
ML100X-8 | 8 | 100 Mbps | SC (SFP) | Faceplate
ML-MR-10 | 10 | 10/100/1000 Mbps | LC (SFP), Copper (SFP)-RJ45 | Faceplate
CE-100T-8 | 8 | 100 Mbps | RJ-45 | Faceplate
CE-MR-10 | 10 | 1000 Mbps | LC (SFP), Copper (SFP)-RJ45 | Faceplate
ML1000-2 | 2 | 1 Gbps | LC (SFP) | Faceplate
OC-3 IR | 4 | 155.52 Mbps (STS-3) | SC | Faceplate
OC3 IR/STM4 SH 1310-8 | 8 | 155.52 Mbps (STS-3) | LC | Faceplate
OC-12/STM4-4 (IR/LR) | 4 | 622.08 Mbps (STS-12) | SC | Faceplate
OC-12 (IR/LR) | 1 | 622.08 Mbps (STS-12) | SC | Faceplate
OC-48 (IR/LR/ELR) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC-48 AS (IR/LR) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC-48 ELR (100GHz, 200GHz) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC192 SR/STM64 IO 1310 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 IR/STM64 SH 1550 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 LR/STM64 LH 1550 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 LR/STM64 LH ITU 15xx.xx | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
FC_MR-4 | 4 (only 2 available in R4.6) | 1.0625 Gbps | SC | Faceplate
15454_MRC-12 | 12 | Up to 2488.32 Mbps (STM-48), depending on SFP | LC | Faceplate
MRC-2.5G-4 | 4 | Up to 2488.32 Mbps (STS-48), depending on SFP | LC | Faceplate
OC192SR1/STM64 IO Short Reach/OC192/STM64 Any Reach(3) | 1 | 9.95 Gbps (OC-192) | LC | Faceplate
1. When used as a protect card, the card does not have a physical external connection. The protect card connects to the working
card(s) through the backplane and becomes active when the working card fails. The protect card then uses the physical
connection of the failed card.
2. When used as a protect card, the card does not have a physical external connection. The protect card connects to the working
card(s) through the backplane and becomes active when the working card fails. The protect card then uses the physical
connection of the failed card.
3. These cards are designated as OC192-XFP in CTC.
1.19.2 Card Replacement
To replace an ONS 15454 card with another card of the same type, you do not need to make any changes to the database; remove
the old card and replace it with a new card. To replace a card with a card of a different type, physically remove the card and replace
it with the new card, then delete the original card from CTC. For specifics, refer to the “Install Cards and Fiber-Optic Cable” chapter
in the Cisco ONS 15454 Procedure Guide.
Caution Removing any active card from the ONS 15454 can result in traffic interruption. Use caution when replacing cards and verify that
only inactive or standby cards are being replaced. If the active card needs to be replaced, switch it to standby prior to removing the
card from the node. For traffic switching procedures, refer to the “Maintain the Node” chapter in the Cisco ONS 15454 Procedure
Guide.
Note An improper removal (IMPROPRMVL) alarm is raised whenever a card is removed and reinserted (reseated), unless the card is
deleted in CTC first. The alarm clears after the card replacement is complete.
Note In a path protection configuration, pulling the active XCVT/XC10G without a lockout causes path protection circuits to switch.
1.20 Software and Hardware Compatibility
Table 1-34 shows ONS 15454 software and hardware compatibility for nodes configured with XC or XCVT cards for Releases 4.6,
4.7, 5.0, 6.0, 7.0, 7.2, 8.0, 8.5, 9.0, and 9.1.
For software compatibility for a specific card, refer to the following URL:
http://cisco.com/en/US/products/hw/optical/ps2006/prod_eol_notices_list.html
Note Partially supported: Once a card has reached End of Life (EOL), new features are not supported for the card; bug fixes are still
available.
Note TCC and TCC+ are only supported up to Release 4.x.
Table 1-34 ONS 15454 Software and Hardware Compatibility—XC(1) and XCVT Configurations
Hardware | Shelf Assembly(2) | 4.6.0x (4.6) | 5.0.0x (5.0) | 6.0.0x (6.0) | 7.0.0x (7.0) | 7.2.0x (7.2) | 8.0.0x (8.0) | 8.5.0x (8.5) | 9.0.0x (9.0) | 9.1.0x (9.1)
TCC2 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
TCC2P | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
AIC | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
AIC-I | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1-14 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1N-14 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1/E1-56 | SA-HD | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3-12(3) | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
DS3N-12 | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
DS3i-N-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3-12E | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3N-12E | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3XM-6 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3XM-12 | SA-HD and SA-ANSI | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
EC1-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
E100T-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
E1000-2 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
E100T-12-G | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
E1000-2-G | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
G1000-4 | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Not supported | Not supported | Not supported | Not supported
G1K-4 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML100T-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML1000-2 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML100X-8 | All | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML-MR-10 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
CE-MR-10 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
CE-100T-8 | All | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
CE-1000-4 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC3 IR 4/STM1 SH 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC3IR/STM1SH 1310-8 | All | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
OC12 IR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12 IR/4 1310 | All | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
OC12 LR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12 LR 1550 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC48 IR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Partially supported | Partially supported | Not supported | Partially supported | Partially supported | Partially supported
OC48 LR 1550 | All | Fully compatible | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
OC48 ELR DWDM | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC48 IR/STM16 SH AS 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC48 LR/STM16 LH AS 1550 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192 SR/STM64 IO 1310 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
OC192 IR/STM64 SH 1550 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
OC192 LH/STM64 LH 1550 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
OC192 LR/STM64 LH ITU 15xx.xx | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
FC_MR-4 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
MRC-12(4) | All | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
MRC-2.5G-4(4) | All | Not supported | Not supported | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192SR1/STM64IO Short Reach/OC192/STM64 Any Reach(5) | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
1. The XC card does not support features new to Release 5.0 and greater.
2. The shelf assemblies supported are 15454-SA-HD, 15454-SA-ANSI, and 15454-NEBS3E.
3. DS3 card having the part number 87-31-0001 does not work in Cisco ONS 15454 R8.0 and later.
4. Slots 1 to 4 and 14 to 17 give a total bandwidth of up to 622 Mb/s. Slots 5, 6, 12, and 13 give a total bandwidth of up to 2.5 Gb/s.
5. These cards are designated as OC192-XFP in CTC.
Table 1-35 shows ONS 15454 software and hardware compatibility for systems configured with XC10G or XC-VXC-10G cards for
Releases 4.6, 4.7, 5.0, 6.0, 7.0, 7.2, 8.0, 8.5, and 9.0. The 15454-SA-ANSI or 15454-SA-HD shelf assembly is required to operate
the XC10G or XC-VXC-10G card. XC-VXC-10G is only supported from Release 6.0. Refer to the older ONS 15454 documentation
for compatibility with older software releases.
Note Release 4.7 is for MSTP only. The cards supported in Release 4.7 are TCC2, TCC2P, AIC, and AIC-I.
Note Partially supported: Once a card has reached End of Life (EOL), new features are not supported for the card; bug fixes are still
available.
Table 1-35 ONS 15454 Software and Hardware Compatibility—XC10G and XC-VXC-10G Configurations
Hardware | Shelf Assembly(1) | 4.6.0x (4.6) | 5.0.0x (5.0) | 6.0.0x (6.0) | 7.0.0x (7.0) | 7.2.0x (7.2) | 8.0.0x (8.0) | 8.5.0.x (8.5) | 9.0.0.x (9.0) | 9.1.0.x (9.1)
TCC2 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
TCC2P | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
XC10G | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
AIC | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
AIC-I | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1-14 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1N-14 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS1/E1-56 | SA-HD | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3-12(2) | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
DS3N-12 | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
DS3i-N-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3-12E | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3N-12E | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3/EC1-48(1) | SA-HD | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3XM-6 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
DS3XM-12 | SA-HD and SA-ANSI | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
EC1-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
SVC-RAN | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Fully compatible | Not supported | Not supported | Not supported | Not supported
E100T | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
E1000 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported
E100T-12-G | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
E1000-2-G | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
G1000-4 | All | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Not supported | Not supported | Not supported | Not supported
G1K-4 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML100T-12 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML1000-2 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML100X-8 | All | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
ML-MR-10 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible
CE-MR-10 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible
CE-100T-8 | All | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
CE-1000-4 | SA-HD and SA-ANSI | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC3 IR 4/STM1 SH 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC3IR/STM1SH 1310-8 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12/STM4-4 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12 IR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12 LR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC12 LR 1550 | All | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC48 IR 1310 | All | Fully compatible | Fully compatible | Fully compatible | Partially supported | Partially supported | Not supported | Partially supported | Partially supported | Partially supported
OC48 LR 1550 | All | Fully compatible | Fully compatible | Fully compatible | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported | Partially supported
OC48 IR/STM16 SH AS 1310 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC48 LR/STM16 LH AS 1550 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192 SR/STM64 IO 1310 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192 IR/STM64 SH 1550 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192 LH/STM64 LH 1550 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192 LR/STM64 LH ITU 15xx.xx | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
FC_MR-4 | SA-HD and SA-ANSI | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 1 Shelf and Backplane Hardware
1.20 Software and Hardware Compatibility
Table 1-35 ONS 15454 Software and Hardware Compatibility—XC10G and XC-VXC-10G Configurations (continued)
Hardware | Shelf Assembly¹ | 4.6.0x (4.6) | 5.0.0x (5.0) | 6.0.0x (6.0) | 7.0.0x (7.0) | 7.2.0x (7.2) | 8.0.0x (8.0) | 8.5.0.x (8.5) | 9.0.0.x (9.0) | 9.1.0.x (9.1)
MRC-12³ | All | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
MRC-2.5G-4 | All | Not supported | Not supported | Not supported | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible
OC192SR1/STM64 IO Short Reach/OC192/STM64 Any Reach⁴ | SA-HD and SA-ANSI | Not supported | Not supported | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible | Fully compatible
1. The shelf assemblies supported are 15454-SA-HD and 15454-SA-ANSI.
2. DS3 card having the part number 87-31-0001 does not work in Cisco ONS 15454 R8.0 and later.
3. Slots 1 to 4 and 14 to 17 give a total bandwidth of up to 2.5 Gb/s. Slots 5, 6, 12, and 13 give a total bandwidth of up to 10 Gb/s.
4. These cards are designated as OC192-XFP in CTC.
If an upgrade is required for compatibility, contact the Cisco Technical Assistance Center (TAC). For contact information, go to http://www.cisco.com/tac.
CHAPTER 2
Common Control Cards
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This chapter describes Cisco ONS 15454 common control card functions. For installation and turn-up
procedures, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 2.1 Common Control Card Overview, page 2-1
• 2.2 TCC2 Card, page 2-7
• 2.3 TCC2P Card, page 2-11
• 2.4 TCC3 Card, page 2-16
• 2.5 XCVT Card, page 2-16
• 2.6 XC10G Card, page 2-20
• 2.7 XC-VXC-10G Card, page 2-24
• 2.8 AIC-I Card, page 2-29
2.1 Common Control Card Overview
The card overview section summarizes card functions and compatibility.
Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly.
The cards are then installed into slots displaying the same symbols. See the “1.19.1 Card Slot
Requirements” section on page 1-75 for a list of slots and symbols.
2.1.1 Cards Summary
Table 2-1 lists the common control cards for the Cisco ONS 15454 and summarizes card functions.
Table 2-1 Common Control Card Functions
Card | Description | For Additional Information
TCC2 | The Advanced Timing, Communications, and Control (TCC2) card is the main processing center for the ONS 15454 and provides system initialization, provisioning, alarm reporting, maintenance, and diagnostics. It has additional features including supply voltage monitoring, support for up to 84 data communications channel/generic communications channel (DCC/GCC) terminations, and an on-card lamp test. | See the “2.2 TCC2 Card” section on page 2-7.
TCC2P | The Advanced Timing, Communications, and Control Plus (TCC2P) card is the main processing center for the ONS 15454 and provides system initialization, provisioning, alarm reporting, maintenance, and diagnostics. It also provides supply voltage monitoring, support for up to 84 DCC/GCC terminations, and an on-card lamp test. This card also has Ethernet security features and 64K composite clock building integrated timing supply (BITS) timing. | See the “2.3 TCC2P Card” section on page 2-11.
TCC3 | The Timing Communications Control Three (TCC3) card is an enhanced version of the TCC2P card. The primary enhancements include the increase in memory size and compact flash space. | See the “2.4 TCC3 Card” section on page 2-16.
XCVT | The Cross Connect Virtual Tributary (XCVT) card is the central element for switching; it establishes connections and performs time-division switching (TDS). The XCVT can manage STS and Virtual Tributary (VT) circuits up to 48c. | See the “2.5 XCVT Card” section on page 2-16.
XC10G | The 10 Gigabit Cross Connect (XC10G) card is the central element for switching; it establishes connections and performs TDS. The XC10G can manage STS and VT circuits up to 192c. The XC10G allows up to four times the bandwidth of XC and XCVT cards. | See the “2.6 XC10G Card” section on page 2-20.
XC-VXC-10G | The 10 Gigabit Cross Connect Virtual Tributary/Virtual Container (XC-VXC-10G) card serves as the switching matrix for the Cisco 15454 ANSI multiservice platform. The module operates as a superset of the XCVT or XC10G cross-connect module. The XC-VXC-10G card provides a maximum of 1152 STS-1 or 384 VC4 cross-connections and supports cards with speeds up to 10 Gbps. | See the “2.7 XC-VXC-10G Card” section on page 2-24.
AIC-I | The Alarm Interface Card–International (AIC-I) provides customer-defined (environmental) alarms with its additional input/output alarm contact closures. It also provides orderwire, user data channels, and supply voltage monitoring. | See the “2.8 AIC-I Card” section on page 2-29.
AEP | The alarm expansion panel (AEP) board provides 48 dry alarm contacts: 32 inputs and 16 outputs. It can be used with the AIC-I card. | See the “1.12 Alarm Expansion Panel” section on page 1-56.
2.1.2 Card Compatibility
Table 2-2 lists the Cisco Transport Controller (CTC) software release compatibility for each common-control card. In the tables below, “Yes” means cards are compatible with the listed software versions. Table cells with dashes mean cards are not compatible with the listed software versions.
Table 2-2 Common-Control Card Software Release Compatibility
Card | R3.3 | R3.4 | R4.0 | R4.1 | R4.5 | R4.6 | R4.7 | R5.0 | R6.0 | R7.0 | R7.2 | R8.0 | R8.5 | R9.0 | R9.1 | R9.2 | R9.2.1
TCC+ | Yes | Yes | Yes | Yes | — | — | — | — | — | — | — | — | — | — | — | — | —
TCC2 | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
TCC2P | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
TCC3¹ | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes
XC | Yes | Yes | Yes | Yes | — | Yes | — | Yes² | Yes² | Yes² | Yes² | Yes² | Yes² | Yes² | Yes² | Yes² | Yes²
XCVT | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
XC10G | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
XC-VXC-10G | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
AIC | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
AIC-I | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
AEP | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
1. The TCC3 card is backward compatible with software Release 9.1 and earlier releases. In the Release 9.1 and earlier releases, the TCC3 card boots up as the TCC2P card in the Cisco ONS 15454 DWDM systems.
2. The XC card does not support features new to Release 5.0 and later.
2.1.3 Cross-Connect Card Compatibility
The following tables list the compatible cross-connect cards for each Cisco ONS 15454 common-control card. The tables are organized according to type of common-control card. In the tables below, “Yes” means cards are compatible with the listed cross-connect card. Table cells with dashes mean cards are not compatible with the listed cross-connect card.
Table 2-3 lists the cross-connect card compatibility for each common-control card.
Table 2-3 Common-Control Card Cross-Connect Compatibility
Card | XCVT Card | XC10G Card¹ | XC-VXC-10G Card¹
TCC+² | Yes | Yes | —
TCC2 | Yes | Yes | Yes
TCC2P | Yes | Yes | Yes
TCC3 | Yes | Yes | Yes
XC | —³ | —³ | —³
XCVT | Yes | —³ | —³
XC10G | —³ | Yes | —³
XC-VXC-10G | —³ | —³ | Yes
AIC-I | Yes | Yes | Yes
AEP | Yes | Yes | Yes
1. Requires SA-ANSI or SA-HD shelf assembly.
2. The TCC+ is not compatible with Software R4.5 or greater.
3. These cross-connect cards are compatible only during an upgrade.
Table 2-4 lists the cross-connect card compatibility for each electrical card. For electrical card software compatibility, see Table 3-2 on page 3-3.
Note The XC card is compatible with most electrical cards, with the exception of the DS3i-N-12, DS3/EC1-48, DS1/E1-56, and transmux cards, but does not support features new to Release 5.0 and later.
Table 2-5 lists the cross-connect card compatibility for each optical card. For optical card software compatibility, see Table 4-2 on page 4-5.
Note The XC card is compatible with most optical cards, with the exception of those cards noted as incompatible with the XCVT card, but does not support features new to Release 5.0 and later.
Table 2-4 Electrical Card Cross-Connect Compatibility
Electrical Card | XCVT Card | XC10G Card¹ | XC-VXC-10G Card¹
EC1-12 | Yes | Yes | Yes
DS1-14 | Yes | Yes | Yes
DS1N-14 | Yes | Yes | Yes
DS3-12 | Yes | Yes | Yes
DS3N-12 | Yes | Yes | Yes
DS3-12E | Yes | Yes | Yes
DS3N-12E | Yes | Yes | Yes
DS3/EC1-48 | — | Yes | Yes
DS3XM-6 (Transmux) | Yes | Yes | Yes
DS3XM-12 (Transmux) | Yes | Yes | Yes
DS3i-N-12 | Yes | Yes | Yes
DS1/E1-56 | Yes | Yes | Yes
1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.
Table 2-5 Optical Card Cross-Connect Compatibility
Optical Card | XCVT Card | XC10G Card¹ | XC-VXC-10G Card¹
OC3 IR 4 1310 | Yes | Yes | Yes
OC3 IR 4/STM1 SH 1310 | Yes | Yes | Yes
OC3 IR/STM1SH 1310-8 | — | Yes | Yes
OC12 IR 1310 | Yes | Yes | Yes
OC12 LR 1310 | Yes | Yes | Yes
OC12 LR 1550 | Yes | Yes | Yes
OC12 IR/STM4 SH 1310 | Yes | Yes | Yes
OC12 LR/STM4 LH 1310 | Yes | Yes | Yes
OC12 LR/STM4 LH 1550 | Yes | Yes | Yes
OC12 IR/STM4 SH 1310-4 | — | Yes | Yes
OC48 LR 1550 | Yes | Yes | Yes
OC48 IR/STM16 SH AS 1310 | Yes² | Yes | Yes
OC48 LR/STM16 LH AS 1550 | Yes² | Yes | Yes
OC48 ELR/STM16 EH 100 GHz | Yes | Yes | Yes
OC48 ELR 200 GHz | Yes | Yes | Yes
OC192 SR/STM64 IO 1310 | — | Yes | Yes
OC192 IR/STM64 SH 1550 | — | Yes | Yes
OC192 LR/STM64 LH 1550 | — | Yes | Yes
OC192 LR/STM64 LH ITU 15xx.xx | — | Yes | Yes
OC192SR1/STM64 IO Short Reach and OC192/STM64 Any Reach (OC192-XFP cards) | — | Yes | Yes
15454_MRC-12 | Yes | Yes | Yes
MRC-2.5G-4 | Yes | Yes | Yes
1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.
2. Requires Software Release 3.2 and later in Slots 5, 6, 12, 13.
Table 2-6 lists the cross-connect card compatibility for each Ethernet card. For Ethernet card software compatibility, see Table 5-2 on page 5-3.
Note The XC card is compatible with most Ethernet cards, with the exception of the G1000-4, but does not support features new to Release 5.0 and later.
Table 2-6 Ethernet Card Cross-Connect Compatibility
Ethernet Cards | XCVT Card | XC10G Card¹ | XC-VXC-10G Card¹
E100T-12 | Yes | — | —
E1000-2 | Yes | — | —
E100T-G | Yes | Yes | Yes
E1000-2-G | Yes | Yes | Yes
G1K-4 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes
ML100T-12 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes
ML1000-2 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes
ML-MR-10 | No | Yes | Yes
ML100X-8 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes
CE-100T-8 | Yes | Yes | Yes
CE-1000-4 | Yes | Yes | Yes
CE-MR-10 | No | Yes | Yes
1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.
Table 2-7 lists the cross-connect card compatibility for each storage area network (SAN) card. For SAN card software compatibility, see the “6.1.3 FC_MR-4 Compatibility” section on page 6-4.
Table 2-7 SAN Card Cross-Connect Compatibility
SAN Cards | XCVT Card | XC10G Card¹ | XC-VXC-10G Card¹
FC_MR-4 | Yes | Yes | Yes
1. Requires SA-ANSI or SA-HD shelf assembly.
2.2 TCC2 Card
Note For hardware specifications, see the “A.4.1 TCC2 Card Specifications” section on page A-12.
The TCC2 card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET section overhead (SOH) DCC/GCC termination, and system fault detection for the ONS 15454. The TCC2 also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system.
Note The TCC2 card requires Software Release 4.0.0 or later.
Note The LAN interface of the TCC2 card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius).
Figure 2-1 shows the faceplate and block diagram for the TCC2 card.
Figure 2-1 TCC2 Card Faceplate and Block Diagram
2.2.1 TCC2 Card Functionality
The TCC2 card supports multichannel, high-level data link control (HDLC) processing for the DCC. Up
to 84 DCCs can be routed over the TCC2 card and up to 84 section DCCs can be terminated at the TCC2
card (subject to the available optical digital communication channels). The TCC2 card selects and
processes 84 DCCs to facilitate remote system management interfaces.
[Figure 2-1 image omitted. Faceplate labels: FAIL, PWR A, PWR B, ACT/STBY, ACO, CRIT, MAJ, MIN, REM, SYNC, RS-232, TCP/IP, LAMP. Block diagram elements: 400 MHz processor; communications processor (SCC1, SCC2, SCC3, SCC4, MCC1, MCC2, FCC1, FCC2); DCC processor; TCCA ASIC; FPGA; SCL processor with SCL links to all cards; SDRAM memory and compact flash; backplane Ethernet repeater; faceplate Ethernet port; backplane Ethernet port (shared with mate TCC2); mate TCC2 Ethernet port; RS-232 craft interface; faceplate RS-232 port; backplane RS-232 port (shared with mate TCC2); HDLC message bus; mate TCC2 HDLC link; serial debug interface; modem interface (not used); system timing with BITS input/output and reference clocks from all I/O slots; -48V power monitors; real-time clock. Diagram note: only one RS-232 port can be active; the backplane port supersedes the faceplate port.]
The TCC2 card also originates and terminates a cell bus carried over the module. The cell bus supports
links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer
communication accelerates protection switching for redundant cards.
The node database, IP address, and system software are stored in TCC2 card nonvolatile memory, which
allows quick recovery in the event of a power or card failure.
The TCC2 card performs all system-timing functions for each ONS 15454. The TCC2 monitors the
recovered clocks from each traffic card and two BITS ports (DS1, 1.544 MHz) for frequency accuracy.
The TCC2 selects a recovered clock, a BITS, or an internal Stratum 3 reference as the system-timing
reference. You can provision any of the clock inputs as primary or secondary timing sources. A
slow-reference tracking loop allows the TCC2 to synchronize with the recovered clock, which provides
holdover if the reference is lost.
The TCC2 monitors both supply voltage inputs on the shelf. An alarm is generated if one of the supply
voltage inputs has a voltage out of the specified range.
Install TCC2 cards in Slots 7 and 11 for redundancy. If the active TCC2 fails, traffic switches to the
protect TCC2. All TCC2 protection switches conform to protection switching standards when the bit
error rate (BER) counts are not in excess of 1 × 10⁻³ and completion time is less than 50 ms.
The TCC2 card has two built-in interface ports for accessing the system: an RJ-45 10BaseT LAN
interface and an EIA/TIA-232 ASCII interface for local craft access. It also has a 10BaseT LAN port for
user interfaces over the backplane.
Note When using the LAN RJ-45 craft interface or back panel wirewrap LAN connection, the connection must
be 10BASE T, half duplex. Full duplex and autonegotiate settings should not be used because they might
result in a loss of visibility to the node.
Note Cisco does not support operation of the ONS 15454 with only one TCC2 card. For full functionality and
to safeguard your system, always operate with two TCC2 cards.
Note When a second TCC2 card is inserted into a node, it synchronizes its software, its backup software, and
its database with the active TCC2. If the software version of the new TCC2 does not match the version
on the active TCC2, the newly inserted TCC2 copies from the active TCC2, taking about
15 to 20 minutes to complete. If the backup software version on the new TCC2 does not match the
version on the active TCC2, the newly inserted TCC2 copies the backup software from the active TCC2
again, taking about 15 to 20 minutes. Copying the database from the active TCC2 takes about 3 minutes.
Depending on the software version and backup version the new TCC2 started with, the entire process
can take between 3 and 40 minutes.
2.2.2 TCC2 Card-Level Indicators
The TCC2 faceplate has ten LEDs. Table 2-8 describes the two card-level LEDs on the TCC2 card faceplate.
Table 2-8 TCC2 Card-Level Indicators
Card-Level LEDs | Definition
Red FAIL LED | This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists.
ACT/STBY LED: Green (Active), Amber (Standby) | Indicates the TCC2 is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2 is writing to its database or to the standby TCC2 database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2 when the active or standby LED is blinking.
2.2.3 Network-Level Indicators
Table 2-9 describes the six network-level LEDs on the TCC2 faceplate.
Table 2-9 TCC2 Network-Level Indicators
System-Level LEDs | Definition
Red CRIT LED | Indicates critical alarms in the network at the local terminal.
Red MAJ LED | Indicates major alarms in the network at the local terminal.
Amber MIN LED | Indicates minor alarms in the network at the local terminal.
Red REM LED | Provides first-level alarm isolation. The remote (REM) LED turns red when an alarm is present in one or more of the remote terminals.
Green SYNC LED | Indicates that node timing is synchronized to an external reference.
Green ACO LED | After pressing the alarm cutoff (ACO) button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.
2.2.4 Power-Level Indicators
Table 2-10 describes the two power-level LEDs on the TCC2 faceplate.
Table 2-10 TCC2 Power-Level Indicators
Power-Level LEDs | Definition
Green/Amber/Red PWR A LED | The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds.
Green/Amber/Red PWR B LED | The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds.
2.3 TCC2P Card
Note For hardware specifications, see the “A.4.2 TCC2P Card Specifications” section on page A-13.
The TCC2P card is an enhanced version of the TCC2 card. For Software Release 5.0 and later, the primary enhancements are Ethernet security features and 64K composite clock BITS timing. It also supports E1 SDH external timing sources so that a SONET shelf can be deployed in a network using SDH timing. SDH timing is typically used when the SONET platform is deployed for Au3 SDH applications.
The TCC2P card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET SOH DCC/GCC termination, and system fault detection for the ONS 15454. The TCC2P card also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system.
The TCC2P card supports multi-shelf management. The TCC2P card acts as a shelf controller and node controller for the ONS 15454. The TCC2P card supports up to 12 subtended shelves through the MSM-ISC card or external switch. In a multi-shelf configuration, the TCC2P card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it.
Note The LAN interface of the TCC2P card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius).
Figure 2-2 shows the faceplate and block diagram for the TCC2P card.
Figure 2-2 TCC2P Faceplate and Block Diagram
2.3.1 TCC2P Functionality
The TCC2P card supports multichannel, high-level data link control (HDLC) processing for the DCC.
Up to 84 DCCs can be routed over the TCC2P card and up to 84 section DCCs can be terminated at the
TCC2P card (subject to the available optical digital communication channels). The TCC2P selects and
processes 84 DCCs to facilitate remote system management interfaces.
[Figure 2-2 image omitted. Faceplate labels: FAIL, PWR A, PWR B, ACT/STBY, ACO, CRIT, MAJ, MIN, REM, SYNC, RS-232, TCP/IP, LAMP. Block diagram elements: 400 MHz processor; communications processor (SCC1, SCC2, SCC3, SCC4, SMC1, MCC1, MCC2, FCC1, FCC2); DCC processor; TCCA ASIC; FPGA; SCL processor with SCL links to all cards; SDRAM memory and compact flash; backplane Ethernet switch; Ethernet PHY; faceplate Ethernet port; backplane Ethernet port (shared with mate TCC2); mate TCC2 Ethernet port; RS-232 craft interface; faceplate RS-232 port; backplane RS-232 port (shared with mate TCC2); HDLC message bus; mate TCC2 HDLC link; serial debug interface; modem interface (not used); system timing with BITS input/output and reference clocks from all I/O slots; -48V power monitors; real-time clock. Diagram note: only one RS-232 port can be active; the backplane port supersedes the faceplate port.]
The TCC2P card also originates and terminates a cell bus carried over the module. The cell bus supports
links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer
communication accelerates protection switching for redundant cards.
The node database, IP address, and system software are stored in TCC2P card nonvolatile memory,
which allows quick recovery in the event of a power or card failure.
The TCC2P card monitors both supply voltage inputs on the shelf. An alarm is generated if one of the
supply voltage inputs has a voltage out of the specified range.
Install TCC2P cards in Slots 7 and 11 for redundancy. If the active TCC2P card fails, traffic switches to
the protect TCC2P card. All TCC2P card protection switches conform to protection switching standards
when the BER counts are not in excess of 1 × 10⁻³ and completion time is less than 50 ms.
The TCC2P card has two built-in Ethernet interface ports for accessing the system: one built-in RJ-45
port on the front faceplate for on-site craft access and a second port on the backplane. The rear Ethernet
interface is for permanent LAN access and all remote access via TCP/IP as well as for Operations
Support System (OSS) access. The front and rear Ethernet interfaces can be provisioned with different
IP addresses using CTC.
Two EIA/TIA-232 serial ports, one on the faceplate and a second on the backplane, allow for craft
interface in TL1 mode.
Note To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the
backplane port wire-wrap pin must be connected and active.
Note When using the LAN RJ-45 craft interface or back panel wirewrap LAN connection, the connection must
be 10BASE T, half duplex. Full duplex and autonegotiate settings should not be used because they might
result in a loss of visibility to the node.
Note Cisco does not support operation of the ONS 15454 with only one TCC2P card. For full functionality
and to safeguard your system, always operate with two TCC2P cards.
Note When a second TCC2P card is inserted into a node, it synchronizes its software, its backup software, and
its database with the active TCC2P card. If the software version of the new TCC2P card does not match
the version on the active TCC2P card, the newly inserted TCC2P card copies from the active TCC2P
card, taking about 15 to 20 minutes to complete. If the backup software version on the new TCC2P card
does not match the version on the active TCC2P card, the newly inserted TCC2P card copies the backup
software from the active TCC2P card again, taking about 15 to 20 minutes. Copying the database from
the active TCC2P card takes about 3 minutes. Depending on the software version and backup version
the new TCC2P card started with, the entire process can take between 3 and 40 minutes.
2.3.1.1 System Timing Functions
The TCC2P card performs all system-timing functions for each ONS 15454. The TCC2P card monitors the recovered clocks from each traffic card and two BITS ports (BITS_IN_A and BITS_IN_B) for frequency accuracy. The TCC2P card selects a recovered clock, a BITS clock, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC2P card to synchronize with the recovered clock, which provides holdover if the reference is lost.
The minimum free-run accuracy, holdover stability, pull-in, and hold-in characteristics are as defined in
ITU-T G.813 option I in Sections 5, 6, and 10, ITU-T G.811 Section 5, and ITU-T G.812 Sections 6 and
7, as well as in ANSI EN 300 462-5-1.
Note If SDH timing is selected (see the “2.3.1.1.2 SDH Timing Operation” section on page 2-14), it is not
possible to select an E1 or DS1 port from the DS1/E1-56 high-density card as a timing reference.
2.3.1.1.1 SONET Timing Operation
The TCC2P card supports a 64 kHz + 8 kHz composite clock BITS input (BITS IN) as well as a
6.312-MHz BITS OUT clock. The BITS clock on the system is configurable as DS1 (default),
1.544 MHz, or 64 kHz. The BITS OUT clock runs at a rate determined by the BITS IN clock, as follows:
• If BITS IN = DS1, then BITS OUT = DS1 (default)
A BITS output interface configured as 6.312 MHz complies with ITU-T G.703, Appendix II, Table II.4,
with a monitor level of –40 dBm ± 4 dBm.
2.3.1.1.2 SDH Timing Operation
The TCC2P card supports typical external E1 SDH timing sources so that the card can be provisioned to
accept either an SDH or SONET timing standard. The initial default is for the card to use SONET timing;
the default can be changed to SDH timing after the TCC2P card boots up. The BITS OUT clock runs at
a rate determined by the BITS IN clock, as follows:
• If BITS IN = E1, then BITS OUT = E1
• If BITS IN = 2.048 MHz (square wave clock), then BITS OUT = 2.048 MHz (square wave clock)
• If BITS IN = 64 kHz, then BITS OUT = 6.312 MHz
The TCC2P card supports the E1 BITS OUT signal as defined in ITU-T G.703 Section 9, and the BITS
OUT 2.048 MHz signal as defined in ITU-T G.703 Section 13. All of the BITS OUT signals meet the
output signal criteria (including jitter and wander) as defined in ITU-T G.813 Sections 5 and 6, ITU-T
G.811 Section 5, and ITU-T G.812, Section 6.
When SDH timing is selected, SDH Sync Status Messaging (SSM) is transmitted on the output ports and
received on the input ports. SSM can be enabled or disabled.
The following framing options are allowed when E1 2.048 MHz timing is selected:
• Frame Alignment Signal (FAS)
• Frame Alignment Signal plus Channel Associated Signal (FAS + CAS)
• Frame Alignment Signal plus Cyclic Redundancy Check (FAS + CRC)
• Frame Alignment Signal plus Channel Associated Signal plus Cyclic Redundancy Check (FAS + CAS + CRC)
2.3.2 TCC2P Card-Level Indicators
The TCC2P faceplate has ten LEDs. Table 2-11 describes the two card-level LEDs on the TCC2P faceplate.
Table 2-11 TCC2P Card-Level Indicators
Card-Level LEDs | Definition
Red FAIL LED | This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) | Indicates whether the TCC2P is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2P is writing to its database or to the standby TCC2P database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2P when the active or standby LED is blinking.
2.3.3 Network-Level Indicators
Table 2-12 describes the six network-level LEDs on the TCC2P faceplate.
Table 2-12 TCC2P Network-Level Indicators
System-Level LEDs | Definition
Red CRIT LED | Indicates critical alarms in the network at the local terminal.
Red MAJ LED | Indicates major alarms in the network at the local terminal.
Amber MIN LED | Indicates minor alarms in the network at the local terminal.
Red REM LED | Provides first-level alarm isolation. The REM LED turns red when an alarm is present in one or more of the remote terminals.
Green SYNC LED | Indicates that node timing is synchronized to an external reference.
Green ACO LED | After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset.
2.3.4 Power-Level Indicators
Table 2-13 describes the two power-level LEDs on the TCC2P faceplate.
Table 2-13 TCC2P Power-Level Indicators
Power-Level LEDs | Definition
Green/Amber/Red PWR A LED | The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above the extremely high battery voltage threshold or below the extremely low battery voltage threshold.
Green/Amber/Red PWR B LED | The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above the extremely high battery voltage threshold or below the extremely low battery voltage threshold.
2.4 TCC3 Card
The Timing Communications Control Three (TCC3) card is an enhanced version of the TCC2P card. The primary enhancements are the increased memory size and compact flash space. The TCC3 card boots up as a TCC2P card in older releases and as a TCC3 card from Release 9.2 onwards.
The TCC3 card supports multi-shelf management. The TCC3 card acts as a shelf controller and node controller for the ONS 15454. The TCC3 card supports up to 30 subtended shelves through the MSM-ISC card or an external switch. In a multi-shelf configuration, the TCC3 card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it. We recommend using the TCC3 card as a node controller when the number of subtended shelves exceeds four.
For more information on the TCC3 card, see the Cisco ONS 15454 DWDM Reference Manual, Release 9.2.
2.5 XCVT Card
Note For hardware specifications, see the “A.4.3 XCVT Card Specifications” section on page A-14.
The Cross Connect Virtual Tributary (XCVT) card establishes connections at the STS-1 and VT levels. The XCVT provides STS-48 capacity to Slots 5, 6, 12, and 13, and STS-12 capacity to Slots 1 to 4 and 14 to 17. Any STS-1 on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking.
Figure 2-3 shows the XCVT faceplate and block diagram.
Figure 2-3 XCVT Faceplate and Block Diagram
2.5.1 XCVT Functionality
The STS-1 switch matrix on the XCVT card consists of 288 bidirectional ports and adds a VT matrix
that can manage up to 336 bidirectional VT1.5 ports or the equivalent of a bidirectional STS-12. The
VT1.5-level signals can be cross connected, dropped, or rearranged. The TCC2/TCC2P card assigns
bandwidth to each slot on a per STS-1 or per VT1.5 basis. The switch matrices are fully crosspoint and
broadcast supporting.
The XCVT card provides:
• 288 STS bidirectional ports
• 144 STS bidirectional cross-connects
• 672 VT1.5 ports via 24 logical STS ports
• 336 VT1.5 bidirectional cross-connects
• Nonblocking at the STS level
• STS-1/3c/6c/12c/48c cross-connects
[Figure 2-3 image: XCVT block diagram with input ports and output ports (numbered 0 through 11) on STS ASIC1 and STS ASIC2, a VT ASIC, and the XCVT faceplate LEDs FAIL and ACT/STBY]
The XCVT card works with the TCC2/TCC2P cards to maintain connections and set up cross-connects
within the node. The cross-connect cards (such as the XCVT and XC10G), installed in Slots 8 and 10,
are required to operate the ONS 15454. You can establish cross-connect (circuit) information through
CTC. The TCC2/TCC2P cards establish the proper internal cross-connect information and relay the
setup information to the XCVT card.
Caution Do not operate the ONS 15454 with only one cross-connect card. Two cross-connect cards of the same
type (two XCVT or two XC10G cards) must always be installed.
Figure 2-4 shows the cross-connect matrix.
Figure 2-4 XCVT Cross-Connect Matrix
2.5.2 VT Mapping
The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454
performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-14 shows the VT
numbering scheme for the ONS 15454 as it relates to the Telcordia standard.
[Figure 2-4 image: XCVT STS-1 Cross-connect ASIC (288x288 STS-1) with input ports (4X STS-12/48, 8X STS-12) and output ports (8X STS-12, 4X STS-12/48), and a VT 1.5 Cross-connect ASIC (VTXC) providing 336 bidirectional VT 1.5 cross-connects]
Table 2-14 VT Mapping
ONS 15454 VT Number | Telcordia Group/VT Number
VT1 | Group1/VT1
VT2 | Group2/VT1
VT3 | Group3/VT1
VT4 | Group4/VT1
VT5 | Group5/VT1
VT6 | Group6/VT1
VT7 | Group7/VT1
VT8 | Group1/VT2
VT9 | Group2/VT2
VT10 | Group3/VT2
VT11 | Group4/VT2
VT12 | Group5/VT2
VT13 | Group6/VT2
VT14 | Group7/VT2
VT15 | Group1/VT3
VT16 | Group2/VT3
VT17 | Group3/VT3
VT18 | Group4/VT3
VT19 | Group5/VT3
VT20 | Group6/VT3
VT21 | Group7/VT3
VT22 | Group1/VT4
VT23 | Group2/VT4
VT24 | Group3/VT4
VT25 | Group4/VT4
VT26 | Group5/VT4
VT27 | Group6/VT4
VT28 | Group7/VT4
2.5.3 XCVT Hosting DS3XM-6 or DS3XM-12
A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XCVT card. The XCVT card can host a maximum of 336 bidirectional VT1.5s.
2.5.4 XCVT Card-Level Indicators
Table 2-15 shows the two card-level LEDs on the XCVT card faceplate.
Table 2-15 XCVT Card-Level Indicators
Card-Level Indicators | Definition
Red FAIL LED | Indicates that the card's processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) | Indicates whether the XCVT card is active and carrying traffic (green) or in standby mode to the active XCVT card (amber).
2.6 XC10G Card
Note For hardware specifications, see the “A.4.4 XC10G Card Specifications” section on page A-14.
The 10 Gigabit Cross Connect (XC10G) card establishes connections at the STS-1 and VT levels. The XC10G provides STS-192 capacity to Slots 5, 6, 12, and 13, and STS-48 capacity to Slots 1 to 4 and 14 to 17. The XC10G allows up to four times the bandwidth of the XCVT card. The XC10G provides a maximum of 576 STS-1 cross-connections through 1152 STS-1 ports. Any STS-1 on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking.
Figure 2-5 shows the XC10G faceplate and block diagram.
Figure 2-5 XC10G Faceplate and Block Diagram
2.6.1 XC10G Functionality
The XC10G card manages up to 672 bidirectional VT1.5 ports and 1152 bidirectional STS-1 ports. The
TCC2/TCC2P cards assign bandwidth to each slot on a per STS-1 or per VT1.5 basis.
Two cross-connect cards, installed in Slots 8 and 10, are required to operate the ONS 15454. You can establish cross-connect (circuit) information through CTC. The TCC2/TCC2P cards establish the proper internal cross-connect information and send the setup information to the cross-connect card.
The XC10G card provides:
• 1152 STS bidirectional ports
• 576 STS bidirectional cross-connects
• 672 VT1.5 ports via 24 logical STS ports
• 336 VT1.5 bidirectional cross-connects
• Nonblocking at STS level
• STS-1/3c/6c/12c/48c/192c cross-connects
[Figure 2-5 image: XC10G block diagram with Lines 1 through 8 and Spans 1 through 4 entering the Cross-Connect Matrix and the VT Cross-Connect Matrix; Main SCL and Protect SCL, Ref Clk A and Ref Clk B, and the SCL Link through the TCCA ASIC; a uP with its uP Interface, FLASH and RAM; backplane connections; and the XC10G faceplate LEDs FAIL and ACT/STBY]
Caution Do not operate the ONS 15454 with only one XCVT or XC10G card. Two cross-connect cards of the
same type (either two XCVT or two XC10G cards) must always be installed.
Figure 2-6 shows the cross-connect matrix.
Figure 2-6 XC10G Cross-Connect Matrix
2.6.2 VT Mapping
The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454
performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-16 shows the VT
numbering scheme for the ONS 15454 as it relates to the Telcordia standard.
[Figure 2-6 image: XC10G STS-1 Cross-connect ASIC (1152x1152 STS-1) with input ports 1 through 25 (4X STS-192, 8X STS-48) and output ports 1 through 25 (8X STS-48, 4X STS-192), and a VT 1.5 Cross-connect ASIC (VTXC) providing 336 bidirectional VT 1.5 cross-connects. VT cross-connection occurs on the 25th port.]
Table 2-16 VT Mapping
ONS 15454 VT Number | Telcordia Group/VT Number
VT1 | Group1/VT1
VT2 | Group2/VT1
VT3 | Group3/VT1
VT4 | Group4/VT1
VT5 | Group5/VT1
VT6 | Group6/VT1
VT7 | Group7/VT1
VT8 | Group1/VT2
VT9 | Group2/VT2
VT10 | Group3/VT2
VT11 | Group4/VT2
VT12 | Group5/VT2
VT13 | Group6/VT2
VT14 | Group7/VT2
VT15 | Group1/VT3
VT16 | Group2/VT3
VT17 | Group3/VT3
VT18 | Group4/VT3
VT19 | Group5/VT3
VT20 | Group6/VT3
VT21 | Group7/VT3
VT22 | Group1/VT4
VT23 | Group2/VT4
VT24 | Group3/VT4
VT25 | Group4/VT4
VT26 | Group5/VT4
VT27 | Group6/VT4
VT28 | Group7/VT4
2.6.3 XC10G Hosting DS3XM-6 or DS3XM-12
A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XC10G card. The XC10G card can host a maximum of 336 bidirectional VT1.5s.
2.6.4 XC10G Card-Level Indicators
Table 2-17 describes the two card-level LEDs on the XC10G faceplate.
Table 2-17 XC10G Card-Level Indicators
Card-Level Indicators | Definition
Red FAIL LED | Indicates that the card's processor is not ready. This LED illuminates during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) | Indicates whether the XC10G is active and carrying traffic (green), or in standby mode to the active XC10G card (amber).
2.6.5 XCVT/XC10G/XC-VXC-10G Compatibility
The XC10G and XC-VXC-10G cards support the same features as the XCVT card. The XC10G or
XC-VXC-10G cards are required for OC-192, OC-48 any-slot (AS), OC3-8, and OC12-4 operation. Do
not use the XCVT card if you are using an OC-192, OC3-8, or OC12-4 card or if you install an OC-48
AS card in Slots 1 to 4 or 14 to 17.
Note A configuration mismatch alarm occurs when an XCVT cross-connect card co-exists with an OC-192,
OC3-8, or OC12-4 card placed in Slots 5, 6, 12, or 13 or with an OC-48 card placed in Slots 1 to 4 or 14
to 17.
If you are using Ethernet cards, the E1000-2-G or the E100T-G must be used when the XC10G or
XC-VXC-10G cross-connect card is in use. Do not pair an XCVT card with an XC10G or XC-VXC-10G
card. When upgrading from an XCVT to the XC10G or XC-VXC-10G card, refer to the “Upgrade Cards
and Spans” chapter in the Cisco ONS 15454 Procedure Guide for more information.
2.7 XC-VXC-10G Card
Note For hardware specifications, see the “A.4.5 XC-VXC-10G Card Specifications” section on page A-15.
The XC-VXC-10G card establishes connections at the STS and VT levels. The XC-VXC-10G provides
STS-192 capacity to Slots 5, 6, 12, and 13, and STS-48 capacity to Slots 1 to 4 and 14 to 17. Any STS-1
on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking.
Figure 2-7 shows the XC-VXC-10G faceplate and block diagram.
Figure 2-7 XC-VXC-10G Faceplate and Block Diagram
2.7.1 XC-VXC-10G Functionality
The XC-VXC-10G card manages up to 1152 bidirectional high-order STS-1 ports. In addition, it is able
to simultaneously manage one of the following low-order VT cross-connect arrangements:
• 2688 bidirectional VT1.5 low-order ports, or
• 2016 VT2 low-order ports, or
• 1344 bidirectional VT1.5 ports and 1008 bidirectional VT2 ports (mixed grooming)
The TCC2/TCC2P card assigns bandwidth to each slot on a per STS-1, per VT1.5, or per VT2 basis. The
switch matrices are fully crosspoint and broadcast supporting.
[Figure 2-7 image: XC-VXC-10G block diagram showing the backplane connectors (IBPIA (2), TCCA, SCL Bus, 6 AUX ports on each side), the STS-1 Cross Connect ASIC, TU Cross Connect ASIC and VT Cross Connect ASIC (2 VT ports each), ASICs labelled DETLEF, TARAN, GDX1, TULA and GDX2, a CPU with CPLD, DDR SDRAM, FLASH, EEPROM and Clock FPGA, an EDVT serial port, and the XC-VXC-10G faceplate LEDs FAIL and ACT/STBY]
At the STS level (high-order cross-connect), the XC-VXC-10G is always nonblocking: any STS-1 from the system can be cross-connected to any other STS-1 without limitation, up to 1152 bidirectional STS-1 ports (576 STS-1 cross-connects).
In addition, for “mixed” VT1.5 and VT2 grooming, 50% of the available VT resources (ports) are
allocated to each VT circuit type. The following three modes are supported (only one mode is available
at a time):
• Mode 1: full VT1.5 cross-connect, which is 2688 bidirectional VT1.5 ports (1344 bidirectional
VT1.5 cross-connects)
• Mode 2: full VT2 cross-connect, which is 2016 bidirectional VT2 ports (1008 bidirectional VT2
cross-connects)
• Mode 3 (mixed grooming): 50% VT1.5 and 50% VT2 XC, which is 1344 bidirectional VT1.5 ports
and 1008 bidirectional VT2 ports (672 bidirectional VT1.5 and 504 VT2 bidirectional
cross-connects)
The XC-VXC-10G card provides:
• 1152 STS bidirectional ports
• 576 STS bidirectional cross-connects
• 2688 VT1.5 ports via 96 logical STS ports
• 1344 VT1.5 bidirectional cross-connects
• 2016 VT2 ports via 96 logical STS ports
• 1008 VT2 bidirectional cross-connects
• Mixed grooming (50% VT1.5 and 50% VT2)
• Nonblocking at the STS level
• VT1.5, VT2, and STS-1/3c/6c/12c/48c/192c cross-connects
Note VT2 circuit provisioning works between optical cards and the DS3/EC1-48 card (EC1 ports, not the ports provisioned for DS3).
The XC-VXC-10G supports errorless side switches (switching from one XC-VXC-10G on one side of
the shelf to the other XC-VXC-10G on the other side of the shelf) when the switch is initiated through
software and the shelf is equipped with TCC2/TCC2P cards. The XCVT and XC10G cards do not
support errorless switching.
Cross-connect and provisioning information is established through the user interface on the
TCC2/TCC2P card. In turn, the TCC2/TCC2P card establishes the proper internal cross-connect
information and relays the setup information to the XC-VXC-10G card so that the proper
cross-connection is established within the system.
The XC-VXC-10G card is deployed in Slots 8 or 10. Upgrading a system to an XC-VXC-10G from an
earlier cross-connect module type is performed in-service, with hitless operation (less than 50-ms impact
to any traffic). The XC-VXC-10G can be used with either the standard ANSI shelf assembly
(15454-SA-ANSI) or high-density shelf assembly (15454-SA-HD).
Caution Do not operate the ONS 15454 with only one XC-VXC-10G cross-connect card. Two cross-connect
cards must always be installed.
Figure 2-8 shows the XC-VXC-10G cross-connect matrix.
Figure 2-8 XC-VXC-10G Cross-Connect Matrix
2.7.2 VT Mapping
The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454
performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-18 shows the VT
numbering scheme for the ONS 15454 as it relates to the Telcordia standard.
[Figure 2-8 image: XC-VXC-10G STS-1 Cross-connect ASIC (1152x1152 STS-1) with input ports 1 through 20 (4X STS-192, 8X STS-48) and output ports 1 through 20 (8X STS-48, 4X STS-192); 6X STS-48 and 2X STS-48 (VT Ports) links to the VT 1.5/VT 2 Cross-connect ASIC (VTXC) and the TU-3 Cross-connect ASIC (TUXC, bypassed in SONET mode); capacity of 1344 bidirectional VT 1.5 cross-connects, or 1008 bidirectional VT 2 cross-connects, or mixed grooming (50% VT1.5 and 50% VT2)]
Table 2-18 VT Mapping
ONS 15454 VT Number | Telcordia Group/VT Number
VT1 | Group1/VT1
VT2 | Group2/VT1
VT3 | Group3/VT1
VT4 | Group4/VT1
VT5 | Group5/VT1
VT6 | Group6/VT1
VT7 | Group7/VT1
VT8 | Group1/VT2
VT9 | Group2/VT2
VT10 | Group3/VT2
VT11 | Group4/VT2
VT12 | Group5/VT2
VT13 | Group6/VT2
VT14 | Group7/VT2
VT15 | Group1/VT3
VT16 | Group2/VT3
VT17 | Group3/VT3
VT18 | Group4/VT3
VT19 | Group5/VT3
VT20 | Group6/VT3
VT21 | Group7/VT3
VT22 | Group1/VT4
VT23 | Group2/VT4
VT24 | Group3/VT4
VT25 | Group4/VT4
VT26 | Group5/VT4
VT27 | Group6/VT4
VT28 | Group7/VT4
2.7.3 XC-VXC-10G Hosting DS3XM-6 or DS3XM-12
A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XC-VXC-10G card. The XC-VXC-10G card can host a maximum of 1344 bidirectional VT1.5s.
2.7.4 XC-VXC-10G Card-Level Indicators
Table 2-19 describes the two card-level LEDs on the XC-VXC-10G faceplate.
Table 2-19 XC-VXC-10G Card-Level Indicators
Card-Level Indicators | Definition
Red FAIL LED | Indicates that the card's processor is not ready. This LED illuminates during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) | Indicates whether the XC10G is active and carrying traffic (green), or in standby mode to the active XC10G card (amber).
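The VT Mapping tables for the XCVT, XC10G and XC-VXC-10G cards (Tables 2-14, 2-16 and 2-18) all follow the same GR-253 pattern, and the DS3XM hosting sections (2.5.3, 2.6.3, 2.7.3) give each card's VT1.5 hosting limit. The following is an added worked example, not code from the Cisco manual or from CTC: it computes the Group/VT pair from the ONS 15454 VT number (and back) instead of looking it up row by row, and checks how many fully demultiplexed DS-3s fit within a card's VT1.5 capacity. Function and constant names are this example's own.

```python
"""VT numbering used in the ONS 15454 VT Mapping tables (Tables 2-14, 2-16, 2-18).

Added worked example; this is not code from the Cisco manual or from CTC.
Per Telcordia GR-253 an STS-1 carries 7 VT groups of 4 VT1.5s each, so 28
VT1.5s per STS-1. The ONS 15454 VT number walks the groups first (VT1..VT7
are Group1..Group7/VT1), then the VT within the group, which is what the
functions below compute instead of looking up the table row by row.
Card capacities come from sections 2.5.3, 2.6.3 and 2.7.3 of the manual.
"""
from typing import Dict, List, Tuple

VT_GROUPS_PER_STS1 = 7        # VT groups per STS-1 (GR-253)
VT15_PER_GROUP = 4            # VT1.5s per VT group
VT15_PER_STS1 = VT_GROUPS_PER_STS1 * VT15_PER_GROUP   # 28 VT1.5s per STS-1
DS1_PER_M13_DS3 = 28          # DS-1s a DS3XM card demultiplexes from one M13 DS-3

# Maximum bidirectional VT1.5s each cross-connect card can host (sections 2.x.3)
VT15_HOST_CAPACITY: Dict[str, int] = {
    "XCVT": 336,
    "XC10G": 336,
    "XC-VXC-10G": 1344,
}


def ons_vt_to_telcordia(vt_number: int) -> Tuple[int, int]:
    """Map an ONS 15454 VT number (1..28) to the Telcordia (group, vt) pair."""
    if not 1 <= vt_number <= VT15_PER_STS1:
        raise ValueError(f"VT number must be 1..{VT15_PER_STS1}, got {vt_number}")
    index = vt_number - 1
    group = index % VT_GROUPS_PER_STS1 + 1    # the group cycles fastest
    vt = index // VT_GROUPS_PER_STS1 + 1      # the VT within the group steps every 7
    return group, vt


def telcordia_to_ons_vt(group: int, vt: int) -> int:
    """Inverse mapping: Telcordia Group/VT back to the ONS 15454 VT number."""
    if not 1 <= group <= VT_GROUPS_PER_STS1:
        raise ValueError(f"group must be 1..{VT_GROUPS_PER_STS1}, got {group}")
    if not 1 <= vt <= VT15_PER_GROUP:
        raise ValueError(f"vt must be 1..{VT15_PER_GROUP}, got {vt}")
    return (vt - 1) * VT_GROUPS_PER_STS1 + group


def vt_mapping_table() -> List[Tuple[str, str]]:
    """Regenerate the 28 rows of the VT Mapping table, e.g. ("VT8", "Group1/VT2")."""
    rows = []
    for n in range(1, VT15_PER_STS1 + 1):
        group, vt = ons_vt_to_telcordia(n)
        rows.append((f"VT{n}", f"Group{group}/VT{vt}"))
    return rows


def max_ds3_fully_demuxed(card: str) -> int:
    """How many M13 DS-3s can be fully broken out into VT1.5s on this card."""
    try:
        capacity = VT15_HOST_CAPACITY[card]
    except KeyError:
        raise ValueError(f"unknown cross-connect card {card!r}") from None
    return capacity // DS1_PER_M13_DS3


def vt15_fit(card: str, demuxed_ds3_count: int) -> Tuple[bool, int]:
    """Check whether demuxing this many DS-3s fits; return (fits, VT1.5s used)."""
    if card not in VT15_HOST_CAPACITY:
        raise ValueError(f"unknown cross-connect card {card!r}")
    used = demuxed_ds3_count * DS1_PER_M13_DS3
    return used <= VT15_HOST_CAPACITY[card], used


if __name__ == "__main__":
    for row in vt_mapping_table():
        print(*row)
    for name in VT15_HOST_CAPACITY:
        print(name, "fully demultiplexed DS-3s:", max_ds3_fully_demuxed(name))
```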
2.7.5 XC-VXC-10G Compatibility
The XC-VXC-10G card supports the same features as the XC10G card. Either the XC10G or
XC-VXC-10G card is required for OC-192, OC3-8, and OC12-4 operation and OC-48 AS operation.
If you are using Ethernet cards, the E1000-2-G or the E100T-G must be used when the XC-VXC-10G
cross-connect card is in use. When upgrading from an XC10G card to an XC-VXC-10G card, refer to
the “Upgrade Cards and Spans” chapter in the Cisco ONS 15454 Procedure Guide for more information.
Also refer to the “2.1.2 Card Compatibility” section on page 2-3.
2.8 AIC-I Card
Note For hardware specifications, see the “A.4.6 AIC-I Card Specifications” section on page A-15.
The optional Alarm Interface Controller–International (AIC-I) card provides customer-defined
(environmental) alarms and controls and supports local and express orderwire. It provides
12 customer-defined input and 4 customer-defined input/output contacts. The physical connections are
through the backplane wire-wrap pin terminals. If you use the additional AEP, the AIC-I card can
support up to 32 inputs and 16 outputs, which are connected on the AEP connectors. A power monitoring
function monitors the supply voltage (–48 VDC). Figure 2-9 shows the AIC-I faceplate and a block
diagram of the card.
Figure 2-9 AIC-I Faceplate and Block Diagram
2.8.1 AIC-I Card-Level Indicators
Table 2-20 describes the eight card-level LEDs on the AIC-I card faceplate.
[Figure 2-9 image: AIC-I faceplate (LEDs FAIL, ACT, PWR A and B, INPUT/OUTPUT and RING; ports ACC, EOW, LOW, UDC-A, UDC-B, DCC-A and DCC-B) and block diagram: AIC-I FPGA with EEPROM and SCL links, express orderwire and local orderwire (DTMF) with ringer and Ring LEDs, power monitoring, 4 x IN/OUT and 12/16 x IN alarm contacts]
Table 2-20 AIC-I Card-Level Indicators
Card-Level LEDs | Description
Red FAIL LED | Indicates that the card's processor is not ready. The FAIL LED is on during reset and flashes during the boot process. Replace the card if the red FAIL LED persists.
Green ACT LED | Indicates the AIC-I card is provisioned for operation.
Green/Red PWR A LED | The PWR A LED is green when a supply voltage within a specified range has been sensed on supply input A. It is red when the input voltage on supply input A is out of range.
Green/Red PWR B LED | The PWR B LED is green when a supply voltage within a specified range has been sensed on supply input B. It is red when the input voltage on supply input B is out of range.
Amber INPUT LED | The INPUT LED is amber when there is an alarm condition on at least one of the alarm inputs.
Amber OUTPUT LED | The OUTPUT LED is amber when there is an alarm condition on at least one of the alarm outputs.
Green RING LED | The RING LED on the local orderwire (LOW) side flashes green when a call is received on the LOW.
Green RING LED | The RING LED on the express orderwire (EOW) side flashes green when a call is received on the EOW.
2.8.2 External Alarms and Controls
The AIC-I card provides input/output alarm contact closures. You can define up to twelve external alarm inputs and four external alarm inputs/outputs (user configurable). The physical connections are made using the backplane wire-wrap pins. See the “1.12 Alarm Expansion Panel” section on page 1-56 for information about increasing the number of input/output contacts.
LEDs on the front panel of the AIC-I indicate the status of the alarm lines, one LED representing all of the inputs and one LED representing all of the outputs. External alarms (input contacts) are typically used for external sensors such as open doors, temperature sensors, flood sensors, and other environmental conditions. External controls (output contacts) are typically used to drive visual or audible devices such as bells and lights, but they can control other devices such as generators, heaters, and fans.
You can program each of the twelve input alarm contacts separately. You can program each of the sixteen input alarm contacts separately. Choices include:
• Alarm on Closure or Alarm on Open
• Alarm severity of any level (Critical, Major, Minor, Not Alarmed, Not Reported)
• Service Affecting or Non-Service Affecting alarm-service level
• 63-character alarm description for CTC display in the alarm log. You cannot assign the fan-tray abbreviation for the alarm; the abbreviation reflects the generic name of the input contacts. The alarm condition remains raised until the external input stops driving the contact or you unprovision the alarm input.
The output contacts can be provisioned to close on a trigger or to close manually. The trigger can be a
local alarm severity threshold, a remote alarm severity, or a virtual wire:
• Local NE alarm severity: A hierarchy of Not Reported, Not Alarmed, Minor, Major, or Critical
alarm severities that you set to cause output closure. For example, if the trigger is set to Minor, a
Minor alarm or above is the trigger.
• Remote NE alarm severity: Same as the local network element (NE) alarm severity but applies to
remote alarms only.
• Virtual wire entities: You can provision any environmental alarm input to raise a signal on any
virtual wire on external outputs 1 through 4 when the alarm input is an event. You can provision a
signal on any virtual wire as a trigger for an external control output.
You can also program the output alarm contacts (external controls) separately. In addition to
provisionable triggers, you can manually force each external output contact to open or close. Manual
operation takes precedence over any provisioned triggers that might be present.
Note The number of inputs and outputs can be increased using the AEP. The AEP is connected to the shelf
backplane and requires an external wire-wrap panel.
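The input and output provisioning rules in section 2.8.2 (alarm on closure or open, the severity hierarchy, local and remote severity triggers, virtual wires, and manual override of the output contacts) can be checked against sample contact states. The following is an added example, not code from the Cisco manual or from CTC; the class and field names are this example's own and the sensors and outputs are constructed.

```python
"""AIC-I external alarm inputs and output-contact triggers (section 2.8.2).

Added example; it is not code from the Cisco manual or from CTC. It encodes
the rules the section states: an input alarms on closure or on open and has
a severity and a description of up to 63 characters; an input may raise a
signal on virtual wire 1-4; an output contact closes on a local NE severity
threshold (e.g. Minor or above), on a remote NE severity threshold, or on a
virtual wire; manual open/close takes precedence over any trigger.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Severity hierarchy from lowest to highest, as listed in 2.8.2
SEVERITIES = ["Not Reported", "Not Alarmed", "Minor", "Major", "Critical"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}
MAX_DESCRIPTION = 63
VIRTUAL_WIRES = range(1, 5)


@dataclass
class AlarmInput:
    """One environmental alarm input (12 on the backplane, up to 32 with the AEP)."""
    number: int
    description: str
    severity: str
    alarm_on_closure: bool = True          # False means alarm on open
    virtual_wire: Optional[int] = None     # 1-4 to raise a signal on that wire

    def __post_init__(self) -> None:
        if self.severity not in RANK:
            raise ValueError(f"unknown severity {self.severity!r}")
        if len(self.description) > MAX_DESCRIPTION:
            raise ValueError("alarm description is limited to 63 characters")
        if self.virtual_wire is not None and self.virtual_wire not in VIRTUAL_WIRES:
            raise ValueError("virtual wires are numbered 1 through 4")

    def is_alarmed(self, contact_closed: bool) -> bool:
        # Alarm on closure: a closed contact raises it; alarm on open: an open one does.
        return contact_closed == self.alarm_on_closure


@dataclass
class OutputContact:
    """One external control output with its provisioned trigger(s)."""
    number: int
    local_threshold: Optional[str] = None    # e.g. "Minor": Minor or above triggers
    remote_threshold: Optional[str] = None   # same hierarchy, remote NE alarms only
    virtual_wire: Optional[int] = None       # close when this wire carries a signal
    manual: Optional[bool] = None            # True = forced closed, False = forced open


def meets_threshold(threshold: Optional[str], severities: Iterable[str]) -> bool:
    """True if any alarm is at or above the provisioned severity threshold."""
    if threshold is None:
        return False
    return any(RANK[s] >= RANK[threshold] for s in severities)


def output_closed(out: OutputContact, local: Iterable[str],
                  remote: Iterable[str], wires: Set[int]) -> bool:
    """Decide whether an output contact is closed; manual operation wins."""
    if out.manual is not None:            # manual operation overrides all triggers
        return out.manual
    if meets_threshold(out.local_threshold, local):
        return True
    if meets_threshold(out.remote_threshold, remote):
        return True
    return out.virtual_wire is not None and out.virtual_wire in wires


def evaluate(inputs: List[AlarmInput], outputs: List[OutputContact],
             contact_closed: Dict[int, bool],
             other_local_alarms: Iterable[str] = (),
             remote_alarms: Iterable[str] = ()) -> Dict[int, bool]:
    """Return {output number: closed?} for the given input contact states."""
    raised = [i for i in inputs if i.is_alarmed(contact_closed.get(i.number, False))]
    local = [i.severity for i in raised] + list(other_local_alarms)
    wires = {i.virtual_wire for i in raised if i.virtual_wire is not None}
    return {o.number: output_closed(o, local, remote_alarms, wires) for o in outputs}


# Constructed provisioning: a door contact and a flood sensor driving four outputs
INPUTS = [
    AlarmInput(1, "Equipment room door open", "Minor", True, virtual_wire=1),
    AlarmInput(2, "Flood sensor loop broken", "Major", alarm_on_closure=False),
]
OUTPUTS = [
    OutputContact(1, local_threshold="Major"),      # siren on local Major or Critical
    OutputContact(2, virtual_wire=1),               # lamp follows the door input
    OutputContact(3, local_threshold="Minor", manual=False),  # forced open on site
    OutputContact(4, remote_threshold="Critical"),  # generator on a remote Critical
]


def demo() -> Dict[int, bool]:
    """Door contact closed (alarmed), flood loop intact, one remote Critical alarm."""
    return evaluate(INPUTS, OUTPUTS, {1: True, 2: True}, remote_alarms=["Critical"])


if __name__ == "__main__":
    print(demo())
```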
2.8.3 Orderwire
Orderwire allows a craftsperson to plug a phoneset into an ONS 15454 and communicate with
craftspeople working at other ONS 15454s or other facility equipment. The orderwire is a pulse code
modulation (PCM) encoded voice channel that uses E1 or E2 bytes in section/line overhead.
The AIC-I allows simultaneous use of both local (section overhead signal) and express (line overhead
signal) orderwire channels on an SDH ring or particular optics facility. Express orderwire also allows
communication via regeneration sites when the regenerator is not a Cisco device.
You can provision orderwire functions with CTC similar to the current provisioning model for
DCC/GCC channels. In CTC, you provision the orderwire communications network during ring turn-up
so that all NEs on the ring can reach one another. Orderwire terminations (that is, the optics facilities
that receive and process the orderwire channels) are provisionable. Both express and local orderwire can
be configured as on or off on a particular SONET facility. The ONS 15454 supports up to four orderwire
channel terminations per shelf. This allows linear, single ring, dual ring, and small hub-and-spoke
configurations. Keep in mind that orderwire is not protected in ring topologies such as bidirectional line
switched rings (BLSRs) and path protection configurations.
Caution Do not configure orderwire loops. Orderwire loops cause feedback that disables the orderwire channel.
The ONS 15454 implementation of both local and express orderwire is broadcast in nature. The line acts
as a party line. Anyone who picks up the orderwire channel can communicate with all other participants
on the connected orderwire subnetwork. The local orderwire party line is separate from the express
orderwire party line. Up to four OC-N facilities for each local and express orderwire are provisionable
as orderwire paths.
Note The OC3 IR 4/STM1 SH 1310 card does not support the express orderwire channel.
The AIC-I supports selective dual tone multifrequency (DTMF) dialing for telephony connectivity,
which causes one AIC-I card or all ONS 15454 AIC-I cards on the orderwire subnetwork to “ring.” The
ringer/buzzer resides on the AIC-I. There is also a “ring” LED that mimics the AIC-I ringer. It flashes
when a call is received on the orderwire subnetwork. A party line call is initiated by pressing *0000 on
the DTMF pad. Individual dialing is initiated by pressing * and the individual four-digit number on the
DTMF pad.
Table 2-21 shows the pins on the orderwire connector that correspond to the tip and ring orderwire assignments.
Table 2-21 Orderwire Pin Assignments
RJ-11 Pin Number | Description
1 | Four-wire receive ring
2 | Four-wire transmit tip
3 | Two-wire ring
4 | Two-wire tip
5 | Four-wire transmit ring
6 | Four-wire receive tip
When provisioning the orderwire subnetwork, make sure that an orderwire loop does not exist. Loops cause oscillation and an unusable orderwire channel.
Figure 2-10 shows the standard RJ-11 connectors used for orderwire ports. Use a shielded RJ-11 cable.
Figure 2-10 RJ-11 Connector
[Figure 2-10 image: RJ-11 connector with Pin 1 and Pin 6 marked]
2.8.4 Power Monitoring
The AIC-I card provides a power monitoring circuit that monitors the supply voltage of –48 VDC for presence, undervoltage, or overvoltage.
2.8.5 User Data Channel
The user data channel (UDC) features a dedicated data channel of 64 kbps (F1 byte) between two nodes in an ONS 15454 network. Each AIC-I card provides two user data channels, UDC-A and UDC-B, through separate RJ-11 connectors on the front of the AIC-I card. Use an unshielded RJ-11 cable. Each UDC can be routed to an individual optical interface in the ONS 15454. For UDC circuit provisioning, refer to the “Create Circuits and VT Tunnels” chapter in the Cisco ONS 15454 Procedure Guide.
The UDC ports are standard RJ-11 receptacles. Table 2-22 lists the UDC pin assignments.
2.8.6 Data Communications Channel
The DCC features a dedicated data channel of 576 kbps (D4 to D12 bytes) between two nodes in an
ONS 15454 network. Each AIC-I card provides two DCCs, DCC-A and DCC-B, through separate RJ-45
connectors on the front of the AIC-I card. Use a shielded RJ-45 cable. Each DCC can be routed to an
individual optical interface in the ONS 15454.
The DCC ports are synchronous serial interfaces. The DCC ports are standard RJ-45 receptacles.
Table 2-23 lists the DCC pin assignments.
Table 2-22 UDC Pin Assignments
RJ-11 Pin Number Description
1 For future use
2 TXN
3 RXN
4 RXP
5 TXP
6 For future use
Table 2-23 DCC Pin Assignments
RJ-45 Pin Number Description
1 TCLKP
2 TCLKN
3 TXP
4 TXN
5 RCLKP
6 RCLKN
7 RXP
8 RXN
Chapter 3 Electrical Cards
This chapter describes Cisco ONS 15454 electrical card features and functions. For installation and card
turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. For information on the electrical
interface assemblies (EIAs), see the “1.5 Electrical Interface Assemblies” section on page 1-15.
Chapter topics include:
• 3.1 Electrical Card Overview, page 3-1
• 3.2 Bit Error Rate Testing, page 3-4
• 3.3 EC1-12 Card, page 3-5
• 3.4 DS1-14 and DS1N-14 Cards, page 3-7
• 3.5 DS1/E1-56 Card, page 3-11
• 3.6 DS3-12 and DS3N-12 Cards, page 3-14
• 3.7 DS3/EC1-48 Card, page 3-17
• 3.8 DS3i-N-12 Card, page 3-20
• 3.9 DS3-12E and DS3N-12E Cards, page 3-22
• 3.10 DS3XM-6 Card, page 3-26
• 3.11 DS3XM-12 Card, page 3-28
• 3.12 Interoperability Rules for Electrical Cards, page 3-33
3.1 Electrical Card Overview
Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly.
The cards are then installed into slots displaying the same symbols. See the “1.19 Cards and Slots”
section on page 1-74 for a list of slots and symbols.
3.1.1 Card Summary
Table 3-1 lists the Cisco ONS 15454 electrical cards.
Table 3-1 Cisco ONS 15454 Electrical Cards
Card Name: Description. For Additional Information.
EC1-12: The EC1-12 card provides 12 Telcordia-compliant, GR-253 STS-1 electrical ports per card. Each port operates at 51.840 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.3 EC1-12 Card” section on page 3-5.
DS1-14: The DS1-14 card provides 14 Telcordia-compliant GR-499 DS-1 ports. Each port operates at 1.544 Mbps over a 100-ohm, twisted-pair copper cable. See the “3.4 DS1-14 and DS1N-14 Cards” section on page 3-7.
DS1N-14: The DS1N-14 card supports the same features as the DS1-14 card but can also provide 1:N (N <= 5) protection. See the “3.4 DS1-14 and DS1N-14 Cards” section on page 3-7.
DS1/E1-56: The DS1/E1-56 card provides 56 Telcordia-compliant, GR-499 DS-1 ports per card, or 56 E1 ports per card. Each port operates at 1.544 Mbps (DS-1) or 2.048 Mbps (E1). The DS1/E1-56 card operates as a working or protect card in 1:N protection schemes, where N <= 2. See the “3.5 DS1/E1-56 Card” section on page 3-11.
DS3-12: The DS3-12 card provides 12 Telcordia-compliant GR-499 DS-3 ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.6 DS3-12 and DS3N-12 Cards” section on page 3-14.
DS3N-12: The DS3N-12 card supports the same features as the DS3-12 but can also provide 1:N (N <= 5) protection. See the “3.6 DS3-12 and DS3N-12 Cards” section on page 3-14.
DS3/EC1-48: The DS3/EC1-48 provides 48 Telcordia-compliant ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.7 DS3/EC1-48 Card” section on page 3-17.
DS3i-N-12: The DS3i-N-12 card provides 12 ITU-T G.703, ITU-T G.704, and Telcordia GR-499-CORE compliant DS-3 ports per card. Each port operates at 44.736 Mbps over a 75-ohm coaxial cable. See the “3.8 DS3i-N-12 Card” section on page 3-20.
DS3-12E: The DS3-12E card provides 12 Telcordia-compliant ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. The DS3-12E card provides enhanced performance monitoring functions. See the “3.9 DS3-12E and DS3N-12E Cards” section on page 3-22.
DS3N-12E: The DS3N-12E card supports the same features as the DS3-12E but can also provide 1:N (N <= 5) protection. See the “3.9 DS3-12E and DS3N-12E Cards” section on page 3-22.
DS3XM-6 (Transmux): The DS3XM-6 card provides six Telcordia-compliant GR-499-CORE M13 multiplexing functions. The DS3XM-6 converts six framed DS-3 network connections to 28x6 or 168 VT1.5s. See the “3.10 DS3XM-6 Card” section on page 3-26.
DS3XM-12 (Transmux): The DS3XM-12 card provides 12 Telcordia-compliant GR-499-CORE M13 multiplexing functions. The DS3XM-12 converts twelve framed DS-3 network connections to 28x12 or 168 VT1.5s. See the “3.11 DS3XM-12 Card” section on page 3-28.
3.1.2 Card Compatibility
Table 3-2 lists the CTC software compatibility for each electrical card. See Table 2-4 on page 2-5 for a list of cross-connect cards that are compatible with each electrical card.
Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to the individual card reference section for more information about software limitations for this card.
Table 3-2 Electrical Card Software Release Compatibility
Releases listed: R3.0.1, R3.1, R3.2, R3.3, R3.4, R4.0, R4.1, R4.5, R4.6, R4.7, R5.0, R6.0, R7.0, R7.2, R8.0, R8.5, R9.0, R9.1, R9.2, R9.2.1
EC1-12: Yes for all listed releases except R4.5 and R4.7 (—).
DS1-14: Yes for all listed releases except R4.5 and R4.7 (—).
DS1N-14: Yes for all listed releases except R4.5 and R4.7 (—).
DS1/E1-56: — for R3.0.1 through R5.0; Yes for R6.0 and later.
DS3-12: Yes for all listed releases except R4.5 and R4.7 (—).
DS3N-12: Yes for all listed releases except R4.5 and R4.7 (—).
DS3-12E: Yes for all listed releases except R4.5 and R4.7 (—).
DS3N-12E: Yes for all listed releases except R4.5 and R4.7 (—).
DS3XM-6 (Transmux): Yes for all listed releases except R4.5 and R4.7 (—).
DS3XM-12 (Transmux): — for R3.0.1 through R4.7; Yes for R5.0 and later.
DS3/EC1-48: — for R3.0.1 through R4.7; Yes for R5.0 and later.
DS3i-N-12: — for R3.0.1 through R4.0, R4.5, and R4.7; Yes for R4.1 (4.1.2), R4.6, and R5.0 and later.
Note The DS3-12 card does not boot properly for Software Release 8.0 and later due to memory limitations. If you are upgrading to Software Release 8.0 or later, use any other DS3 card listed in the above table.
3.2 Bit Error Rate Testing
The bit error rate testing (BERT) feature can be used to test the connectivity, error rate, and error count of the traffic running on an electrical input/output (I/O) card port. The BERT feature is currently supported for the ONS 15454 DS1/E1-56 and DS3XM-12 electrical cards only.
BERT has two components, the Test Pattern Generator (TPG) and the Test Pattern Monitor (TPM); together they are referred to as the Test Pattern Generator and Monitor (TPGM).
The TPG generates test patterns such as PRBS15, PRBS20, PRBS23, QRSS, and ALT1s0s (alternating ones and zeroes); the TPM monitors the same patterns. The TPG injects, and the TPM monitors, errors in the test pattern either as single-bit errors or at a selectable rate (1.0E-3, 1.0E-4, 1.0E-5, or 1.0E-6).
TPGM-L enables test pattern generation and monitoring on the line side. This option is not available for the DS1 ports of the DS3XM-12 card, because DS1 ports on that card can be configured on the backplane side only.
TPGM-B enables test pattern generation and monitoring on the backplane side. You can enable TPGM-B on a port only if the port has a bidirectional circuit.
Note The port must be in the Out-of-Service and Maintenance (OOS-MT) state before enabling TPGM-L or TPGM-B. The OOS-MT state places the circuit cross-connects in a maintenance service state that does not interrupt traffic flow and allows loopbacks to be performed on the circuit; it does, however, suppress alarms and conditions. Change the administrative state to IS, OOS, or IS-AINS when testing is complete. For information on how to set the port to the OOS-MT state, see the “DLP-A230 Change a Circuit Service State” task in the Cisco ONS 15454 Procedure Guide, Release 9.1 and Release 9.2.
Note To enable TPGM-L or TPGM-B on a DS1 port, the line framing type must be D4, ESF, or unframed.
Note At any given time, you can enable BERT mode only on a single port of a card.
Table 3-3 summarizes whether BERT can be enabled on the line side or backplane side for the DS1/E1-56 and DS3XM-12 electrical cards.
Note “Yes” indicates that BERT can be enabled on the line side (TPGM-L) or backplane side (TPGM-B).
For information on how to enable BERT on the DS1/E1-56 and DS3XM-12 cards, see the Cisco ONS 15454 Procedure Guide, Release 9.1 and Release 9.2.
BERT Alarms
The BERT feature can raise the following two alarms in CTC:
• BERT_ENABL—Indicates that the BERT feature is enabled.
• BERT_SYNC_FAIL—Synchronization takes place when the pattern, including the errors injected by the TPG, reaches the TPM and connectivity is established; the BERT_SYNC_FAIL alarm is raised when that synchronization fails.
Both are non-reportable, non-service-affecting conditions with no associated severity.
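The TPG/TPM interaction described in this section, as an added Python model that is not part of the Cisco manual or the card firmware: the generator side emits the PRBS15, PRBS20, PRBS23 or ALT1s0s pattern and injects single-bit or 1-in-10^n errors, and the monitor side seeds a local generator from the received bits, checks that the stream stays predictable (synchronization), and counts bit errors, reporting a sync failure (the BERT_SYNC_FAIL condition) when it cannot lock. The LFSR tap positions follow the ITU-T O.150 conventions for these pattern names and are an assumption, as are the sync window, threshold and search depth; QRSS is omitted.

```python
"""Added model of a BERT Test Pattern Generator (TPG) and Monitor (TPM).
Taps assume ITU-T O.150 conventions; sync parameters are constructed values."""
import random
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Pattern name -> (register length, 1-indexed feedback stages).
PATTERNS = {
    "PRBS15": (15, (15, 14)),  # x^15 + x^14 + 1
    "PRBS20": (20, (20, 3)),   # x^20 + x^3 + 1
    "PRBS23": (23, (23, 18)),  # x^23 + x^18 + 1
}
# Injection rates offered by the cards: one flipped bit per this many bits.
INJECT_RATES = {"1.0E-3": 10**3, "1.0E-4": 10**4, "1.0E-5": 10**5, "1.0E-6": 10**6}

SYNC_WINDOW = 256       # bits compared before the TPM declares itself in sync
SYNC_MAX_ERRORS = 64    # more mismatches than this in the window: not locked
MAX_SYNC_SEARCH = 1024  # offsets tried before giving up (BERT_SYNC_FAIL)


def pattern_bits(name: str, state: Optional[List[int]] = None) -> Iterator[int]:
    """Yield the named test pattern bit by bit from an optional start state."""
    if name == "ALT1s0s":
        bit = state[0] if state else 0
        while True:
            bit ^= 1
            yield bit
    length, taps = PATTERNS[name]
    reg = list(state) if state else [1] * length  # any non-zero state works
    while True:
        out = 0
        for tap in taps:
            out ^= reg[tap - 1]
        yield out
        reg = [out] + reg[:-1]  # shift the feedback bit into stage 1


def sync_length(name: str) -> int:
    """Number of received bits the TPM needs to seed its local generator."""
    return 1 if name == "ALT1s0s" else PATTERNS[name][0]


def generate(name: str, n_bits: int, inject: Optional[str] = None) -> List[int]:
    """TPG side: n_bits of pattern, optionally with injected errors.
    inject is None, 'single' (one error mid-stream) or a key of INJECT_RATES."""
    gen = pattern_bits(name)
    bits = [next(gen) for _ in range(n_bits)]
    if inject == "single":
        bits[n_bits // 2] ^= 1
    elif inject is not None:
        period = INJECT_RATES[inject]
        for i in range(period - 1, n_bits, period):  # exactly 1 error per period
            bits[i] ^= 1
    return bits


@dataclass
class BertResult:
    in_sync: bool       # False is the BERT_SYNC_FAIL condition
    bits_compared: int
    bit_errors: int

    @property
    def ber(self) -> float:
        return self.bit_errors / self.bits_compared if self.bits_compared else 1.0


def monitor(received: List[int], name: str) -> BertResult:
    """TPM side: lock onto the incoming pattern, then count bit errors."""
    length = sync_length(name)
    last_start = min(MAX_SYNC_SEARCH, len(received) - length - SYNC_WINDOW)
    for start in range(max(0, last_start)):
        seed = received[start:start + length]
        # After emitting b0..b(L-1) the LFSR register holds them newest first,
        # so the reversed seed reproduces the far-end generator state.
        state = seed if name == "ALT1s0s" else seed[::-1]
        gen = pattern_bits(name, state)
        body = received[start + length:]
        errors = sum(b != next(gen) for b in body[:SYNC_WINDOW])
        if errors > SYNC_MAX_ERRORS:
            continue  # not pattern-locked at this offset; slide one bit forward
        errors += sum(b != next(gen) for b in body[SYNC_WINDOW:])
        return BertResult(True, len(body), errors)
    return BertResult(False, 0, 0)


def run_bert(name: str, n_bits: int, inject: Optional[str] = None) -> BertResult:
    """End to end: TPG on the near port, TPM on the far port, clean circuit."""
    return monitor(generate(name, n_bits, inject), name)


def constructed_noise(n_bits: int, seed: int = 1) -> List[int]:
    """Constructed random data standing in for a port that sends no pattern."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(n_bits)]


if __name__ == "__main__":
    for inj in (None, "single", "1.0E-3"):
        r = run_bert("PRBS23", 200_000, inj)
        print(f"PRBS23 inject={inj}: sync={r.in_sync} errors={r.bit_errors} BER={r.ber:.2e}")
    print("noise:", monitor(constructed_noise(5000), "PRBS15"))
```

Because the monitor seeds its generator once and never feeds received bits back into it, a single line error counts as exactly one error rather than being multiplied through the register.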
Table 3-3 Enabling BERT on Line Side and Backplane Side
Card and Port: TPGM-L / TPGM-B
DS1/E1-56 card, DS1 port: TPGM-L Yes / TPGM-B Yes
DS3XM-12 card, DS1 port: TPGM-L No / TPGM-B Yes
DS3XM-12 card, DS3 port: TPGM-L Yes / TPGM-B No
3.3 EC1-12 Card
Note For hardware specifications, see the “A.5.1 EC1-12 Card Specifications” section on page A-17.
The EC1-12 card provides 12 Telcordia-compliant, GR-253 STS-1 electrical ports per card. Each port
operates at 51.840 Mbps over a single 75-ohm, 728A or equivalent coaxial span.
STS path selection for UNEQ-P, AIS-P, and bit error rate (BER) thresholds is done on the SONET ring
interfaces (optical cards) in conjunction with the STS cross-connect. The EC1-12 terminates but does
not select the 12 working STS-1 signals from the backplane. The EC1-12 maps each of the 12 received
EC1 signals into 12 STS-1s with visibility into the SONET path overhead.
An EC1-12 card can be 1:1 protected with another EC1-12 card but cannot protect more than one EC1-12
card. You must install the EC1-12 in an even-numbered slot to serve as a working card and in an
odd-numbered slot to serve as a protect card.
3.3.1 EC1-12 Slots and Connectors
You can install the EC1-12 card in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each EC1-12 interface
features DSX-level (digital signal cross-connect frame) outputs supporting distances up to 450 feet
(137 meters) depending on facility conditions. See the “7.2 Electrical Card Protection and the
Backplane” section on page 7-5 for more information about electrical card slot protection and
restrictions.
3.3.2 EC1-12 Faceplate and Block Diagram
Figure 3-1 shows the EC1-12 faceplate and a block diagram of the card.
Figure 3-1 EC1-12 Faceplate and Block Diagram
[Figure 3-1 block diagram labels: Line Interface Unit; STS-1 Framer (x12); STS-12/12xSTS-1 Mux/Demux ASIC; BTC ASIC; main STS1 and protect STS1 at the Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
3.3.3 EC1-12 Hosted by XCVT, XC10G, or XC-VXC-10G
All 12 STS-1 payloads from an EC1-12 card are carried to the XCVT, XC10G, or XC-VXC-10G card
where the payload is further aggregated for efficient transport. XCVT cards can host a maximum of
288 bidirectional STS-1s. The XC10G and XC-VXC-10G cards can host up to 1152 bidirectional
STS-1s.
3.3.4 EC1-12 Card-Level Indicators
Table 3-4 describes the three card-level LEDs on the EC1-12 card.
3.3.5 EC1-12 Port-Level Indicators
You can obtain the status of the EC1-12 card ports by using the LCD screen on the ONS 15454 fan tray.
Use the LCD to view the status of any port or card slot; the screen displays the number and severity of
alarms for a given port or slot.
3.4 DS1-14 and DS1N-14 Cards
Note For hardware specifications, see the “A.5.2 DS1-14 and DS1N-14 Card Specifications” section on
page A-18.
The ONS 15454 DS1-14 card provides 14 Telcordia-compliant, GR-499 DS-1 ports. Each port operates
at 1.544 Mbps over a 100-ohm, twisted-pair copper cable. The DS1-14 card can function as a working
or protect card in 1:1 protection schemes and as a working card in 1:N protection schemes. Each DS1-14
port has digital signal cross-connect frame (DSX)-level outputs supporting distances up to 655 feet (200
meters).
The DS1-14 card supports 1:1 protection. The DS1-14 can be a working card in a 1:N protection scheme
with the proper backplane EIA and wire-wrap or AMP Champ connectors. You can also provision the
DS1-14 to monitor for line and frame errors in both directions.
You can group and map DS1-14 card traffic in STS-1 increments to any other card in an ONS 15454
except DS-3 cards. Each DS-1 is asynchronously mapped into a SONET VT1.5 payload and the card
carries a DS-1 payload intact in a VT1.5. For performance monitoring purposes, you can gather
bidirectional DS-1 frame-level information (LOF, parity errors, cyclic redundancy check [CRC] errors,
and so on).
Table 3-4 EC1-12 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the EC1-12 card processor is not ready. Replace the unit if the FAIL LED persists.
Green ACT LED: The green ACT LED indicates that the EC1-12 card is operational and ready to carry traffic.
Amber SF LED: The amber SF LED indicates a signal failure or condition such as loss of signal (LOS), loss of frame (LOF), or high BER on one or more card ports.
3.4.1 DS1N-14 Features and Functions
The DS1N-14 card supports the same features as the DS1-14 card in addition to enhanced protection
schemes. The DS1N-14 is capable of 1:N (N <= 5) protection with the proper backplane EIA and
wire-wrap or AMP Champ connectors. The DS1N-14 card can function as a working or protect card in
1:1 or 1:N protection schemes.
If you use the DS1N-14 as a standard DS-1 card in a 1:1 protection group, you can install the DS1N-14
card in Slots 1 to 6 or 12 to 17 on the ONS 15454. If you use the card’s 1:N functionality, you must install
a DS1N-14 card in Slots 3 and 15. Each DS1N-14 port features DS-n-level outputs supporting distances
of up to 655 feet (200 meters) depending on facility conditions.
3.4.2 DS1-14 and DS1N-14 Slot Compatibility
You can install the DS1-14 card in Slots 1 to 6 or 12 to 17 on the ONS 15454.
3.4.3 DS1-14 and DS1N-14 Faceplate and Block Diagram
Figure 3-2 shows the DS1-14 faceplate and the block diagram of the card.
Figure 3-2 DS1-14 Faceplate and Block Diagram
[Figure 3-2 block diagram labels: 14 Line Interface Units; Protection Relay Matrix; STS1 to 14 DS1 Mapper; Cross Connect Matrix; Mux/Demux ASIC (STS-1 / STS-12); BTC ASIC; uP with DRAM and FLASH; Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
Figure 3-3 shows the DS1N-14 faceplate and a block diagram of the card.
Figure 3-3 DS1N-14 Faceplate and Block Diagram
[Figure 3-3 block diagram labels: 14 Line Interface Units; Protection Relay Matrix; STS1 to 14 DS1 Mapper; Mux/Demux ASIC (STS-1 / STS-12); BTC ASIC; uP with DRAM and FLASH; Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
3.4.4 DS1-14 and DS1N-14 Hosted by XCVT, XC10G, or XC-VXC-10G
All 14 VT1.5 payloads from DS1-14 and DS1N-14 cards are carried in a single STS-1 to the XCVT,
XC10G, or XC-VXC-10G cards, where the payload is further aggregated for efficient STS-1 transport.
The XC10G and XCVT cards manage up to 336 bidirectional VT1.5 ports. The XC-VXC-10G card can
manage up to 2688 bidirectional VT1.5 ports.
3.4.5 DS1-14 and DS1N-14 Card-Level Indicators
Table 3-5 describes the three card-level LEDs on the DS1-14 and DS1N-14 card faceplates.
3.4.6 DS1-14 and DS1N-14 Port-Level Indicators
You can obtain the status of the DS1-14 and DS1N-14 card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
3.5 DS1/E1-56 Card
Note For hardware specifications, see the “A.5.3 DS1/E1-56 Card Specifications” section on page A-19.
The ONS 15454 DS1/E1-56 card provides 56 Telcordia-compliant, GR-499 DS-1 ports per card, or
56 E1 ports per card. Each port operates at 1.544 Mbps (DS-1) or 2.048 Mbps (E1). The DS1/E1-56 card
operates as a working or protect card in 1:N protection schemes, where N <= 2. The DS1/E1-56 card can
be used with the XCVT, XC10G, or XC-VXC-10G cross-connect cards.
Note The DS1/E1-56 card does not support VT-2 (virtual tributary-2) circuit creation on E1 ports.
Caution When a protection switch moves traffic from the active (or working) DS1/E1-56 card to the standby (or
protect) DS1/E1-56 card, ports on the now standby (or protect) card cannot be moved to Out of Service
state. Traffic is dropped if the ports are in Out of Service state.
3.5.1 DS1/E1-56 Slots and Connectors
For SONET applications, the DS1/E1-56 card requires a high-density (HD) shelf (15454-SA-HD),
UBIC EIA, and Software Release 6.0 or greater.
Note The UBIC-H EIA supports the termination of both DS-1 and E-1 signals when used with the appropriate
cables. The UBIC-V EIA only supports the termination of DS-1 signals.
Table 3-5 DS1-14 and DS1N-14 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby): The green/amber ACT/STBY LED indicates whether the card is operational and ready to carry traffic (green) or in standby mode (amber).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more card ports.
Note The DS1/E1-56 card supports an errorless software-initiated cross-connect card switch when used in a
shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.
You can install the DS1/E1-56 card in Slots 1 to 3 or 15 to 17 on the ONS 15454, but installing this card
in certain slots will block the use of other slots. Table 3-6 shows which slots become unusable for other
electrical cards when the DS1/E1-56 card is installed in a particular slot.
With the proper backplane EIA, the card supports SCSI (UBIC) connectors. See the “7.2 Electrical Card
Protection and the Backplane” section on page 7-5 for more information about electrical card slot
protection and restrictions.
The connectivity, error rate, and error count of the traffic running on the ports of an electrical I/O card can be tested using BERT. For more information on BERT, see the “3.2 Bit Error Rate Testing” section on page 3-4.
3.5.2 DS1/E1-56 Faceplate and Block Diagram
Figure 3-4 shows the DS1/E1-56 faceplate and a block diagram of the card.
Table 3-6 DS1/E1-56 Slot Restrictions
Slot: Additional Unusable Slots for Electrical Cards
1: 5 and 6
2: 3 or 4 (except another DS1/E1-56 protect card can be installed in Slot 3)
3: —
15: —
16: 14 and 15 (except another DS1/E1-56 protect card can be installed in Slot 15)
17: 12 and 13
Figure 3-4 DS1/E1-56 Faceplate and Block Diagram
[Figure 3-4 block diagram labels: UBIC connector (DS1 x56 ports); XFMR/MUX; DS1 Analog and DS1 Digital x8-port groups; DS1/E1 Octal LIUs #1 to #7 (LIUs 3 thru 6 not shown); Agere Ultramapper with AD bus to PROC, SCL link to TCC, 622 MHz and 38 MHz references; TSWC Clock Synth; Stingray FPGA carrying MAIN data and PROT data as 4-bit 155 MHz STS-12 to the Backplane.]
3.5.3 DS1/E1-56 Card-Level Indicators
The DS1/E1-56 card has three card-level LED indicators (Table 3-7).
3.5.4 DS1/E1-56 Port-Level Indicators
You can obtain the status of the DS1/E1-56 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot.
3.6 DS3-12 and DS3N-12 Cards
Note For hardware specifications, see the “A.5.5 DS3-12 and DS3N-12 Card Specifications” section on
page A-22.
Note Any new features that are available as part of this software release are not enabled for this card.
The ONS 15454 DS3-12 card provides 12 Telcordia-compliant, GR-499 DS-3 ports per card. Each port
operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3-12 card
operates as a working or protect card in 1:1 protection schemes and as a working card in 1:N protection
schemes.
The DS3-12 card supports 1:1 protection with the proper backplane EIA. EIAs are available with BNC,
SMB, or SCSI (UBIC) connectors.
Caution When a protection switch moves traffic from the DS3-12 working/active card to the DS3-12
protect/standby card, ports on the now active/standby card cannot be taken out of service. Lost traffic
can result if you take a port out of service, even if the DS3-12 standby card no longer carries traffic.
Other than protection capabilities, the DS3-12 and DS3N-12 cards are identical. The DS3N-12 can
operate as the protect card in a 1:N (N <= 5) DS3 protection group. It has additional circuitry that is not
present on the basic DS3-12 card that allows it to protect up to five working DS3-12 cards. The basic
DS3-12 card can only function as the protect card for one other DS3-12 card.
Table 3-7 DS1/E1-56 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED (Green = Active, Amber = Standby): When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED: Indicates a signal failure or condition such as LOS or LOF on one or more card ports.
3.6.1 DS3-12 and DS3N-12 Slots and Connectors
You can install the DS3-12 or DS3N-12 card in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each DS3-12
or DS3N-12 card port features DSX-level outputs supporting distances up to 137 meters (450 feet)
depending on facility conditions. With the proper backplane EIA, the card supports BNC or SMB
connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more
information about electrical card slot protection and restrictions.
3.6.2 DS3-12 and DS3N-12 Faceplate and Block Diagram
Figure 3-5 shows the DS3-12 faceplate and a block diagram of the card.
Figure 3-5 DS3-12 Faceplate and Block Diagram
[Figure 3-5 block diagram labels: 12 Line Interface Units; Protection Relay Matrix; DS3A ASIC; BTC ASIC; Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
Figure 3-6 shows the DS3N-12 faceplate and a block diagram of the card.
Figure 3-6 DS3N-12 Faceplate and Block Diagram
[Figure 3-6 block diagram labels: 12 Line Interface Units; Protection Relay Matrix; DS3A ASIC; BTC ASIC; Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
3.6.3 DS3-12 and DS3N-12 Card-Level Indicators
Table 3-8 describes the three card-level LEDs on the DS3-12 and DS3N-12 card faceplates.
Table 3-8 DS3-12 and DS3N-12 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby): When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED: The amber SF LED indicates a signal failure or condition such as port LOS.
3.6.4 DS3-12 and DS3N-12 Port-Level Indicators
You can find the status of the 12 DS3-12 and 12 DS3N-12 card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
3.7 DS3/EC1-48 Card
Note For hardware specifications, see the “A.5.4 DS3/EC1-48 Card Specifications” section on page A-21.
The ONS 15454 DS3/EC1-48 card provides 48 Telcordia-compliant, GR-499 DS-3 ports per card. Each
port operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3/EC1-48
card operates as a working or protect card in 1:N protection schemes, where N <= 2.
Caution When a protection switch moves traffic from the DS3/EC1-48 working/active card to the DS3/EC1-48
protect/standby card, ports on the now active/standby card cannot be taken out of service. Lost traffic
can result if you take a port out of service, even if the DS3/EC1-48 standby card no longer carries traffic.
3.7.1 DS3/EC1-48 Slots and Connectors
For SONET applications, the DS3/EC1-48 card requires an HD shelf (15454-SA-HD) and EIA (UBIC,
MiniBNC); Software Release 5.0 or greater; and XC10G or XC-VXC-10G cards.
Note The DS3/EC1-48 card supports an errorless software-initiated cross-connect card switch when used in a
shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.
You can install the DS3/EC1-48 card in Slots 1 to 3 or 15 to 17 on the ONS 15454, but installing this
card in certain slots will block the use of other slots. Table 3-9 shows which slots become unusable for
other electrical cards when the DS3/EC1-48 card is installed in a particular slot.
Caution Do not install low-density DS-1 cards in the same side of the shelf as DS3/EC1-48 cards.
Table 3-9 DS3/EC1-48 Slot Restrictions
Slot: Additional Unusable Slots for Electrical Cards
1: 5 and 6
2: 3 or 4 (except another DS3/EC1-48 card can be installed in Slot 3)
3: —
15: —
16: 14 and 15 (except another DS3/EC1-48 card can be installed in Slot 15)
17: 12 and 13
Caution Do not install a DS3/EC1-48 card in Slots 1 or 2 if you have installed an MXP_2.5G_10G card in Slot 3.
Likewise, do not install a DS3/EC1-48 card in Slots 16 or 17 if you have installed an MXP_2.5G_10G
card in Slot 15. If you do, the cards will interact and cause DS-3 bit errors.
With the proper backplane EIA, the card supports BNC or SCSI (UBIC) connectors. See the
“7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about
electrical card slot protection and restrictions.
3.7.2 DS3/EC1-48 Faceplate and Block Diagram
Figure 3-7 shows the DS3/EC1-48 faceplate and a block diagram of the card.
Figure 3-7 DS3/EC1-48 Faceplate and Block Diagram
[Figure 3-7 block diagram labels: 48 DS3/EC1 ports (UBIC-V, UBIC-H, or HD MiniBNC); Transformers and Protection Mux/Relays; 4x DS3/EC1 Framer/Mapper/LIU; STS-48 Mapper FPGA; Processor; Main and Protect SCL buses; MAIN IBPIA ASIC and PROTECT IBPIA ASIC at the Backplane. Faceplate LEDs: FAIL, ACT/STBY, SF.]
3.7.3 DS3/EC1-48 Card-Level Indicators
The DS3/EC1-48 card has three card-level LED indicators (Table 3-10).
3.7.4 DS3/EC1-48 Port-Level Indicators
You can obtain the status of the DS3/EC1-48 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot.
3.8 DS3i-N-12 Card
Note For hardware specifications, see the “A.5.6 DS3i-N-12 Card Specifications” section on page A-23.
The 12-port ONS 15454 DS3i-N-12 card provides 12 ITU-T G.703, ITU-T G.704, and
Telcordia GR-499-CORE compliant DS-3 ports per card. Each port operates at 44.736 Mbps over a
75-ohm coaxial cable. The DS3i-N-12 card supports 1:1 or 1:N protection with the proper backplane
EIA. The DS3i-N-12 card works with the XCVT, XC10G, and XC-VXC-10G cross-connect cards. Four
sets of three adjacent DS-3 signals (Port 1 through Port 3, Port 4 through Port 6, Port 7 through Port 9,
and Port 10 through Port 12) are mapped to VC3s in a VC4 and transported as an STS-3c.
The DS3i-N-12 can also aggregate DS3 and E1 traffic and transport it between SONET and SDH
networks through AU4/STS 3 trunks, with the ability to add and drop DS3s to an STS3 trunk at
intermediate nodes.
3.8.1 DS3i-N-12 Slots and Connectors
You can install the DS3i-N-12 card in Slots 1 to 6 and 12 to 17. The DS3i-N-12 can operate as the protect
card in a 1:N (N <= 5) DS-3 protection group on a half-shelf basis, with protection cards in Slots 3 and
15. It has circuitry that allows it to protect up to five working DS3i-N-12 cards. With the proper
backplane EIA, the card supports BNC or SMB connectors. See the “7.2 Electrical Card Protection and
the Backplane” section on page 7-5 for more information about electrical card slot protection and
restrictions.
Figure 3-8 shows the DS3i-N-12 faceplate and block diagram.
Table 3-10 DS3/EC1-48 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED (Green = Active, Amber = Standby): When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED: Indicates a signal failure or condition such as LOS or LOF on one or more card ports.
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 3 Electrical Cards
3.8.1 DS3i-N-12 Slots and Connectors
Figure 3-8 DS3i-N-12 Faceplate and Block Diagram
The following list summarizes the DS3i-N-12 card features:
• Provisionable framing format (M23, C-bit, or unframed)
• Autorecognition and provisioning of incoming framing
• VC-3 payload mapping as per ITU-T G.707, mapped into VC-4 and transported as STS-3c
• Idle signal (“1100”) monitoring as per Telcordia GR-499-CORE
• P-bit monitoring
• C-bit parity monitoring
• X-bit monitoring
• M-bit monitoring
• F-bit monitoring
• Far-end block error (FEBE) monitoring
• Far-end alarm and control (FEAC) status and loop code detection
• Path trace byte support with TIM-P alarm generation
[Figure 3-8: DS3i-N-12 faceplate with FAIL, ACT/STBY, and SF LEDs; block diagram showing the backplane, DS3 ASIC, BTC ASIC, line interface units 1 to 12 (main DS3-m1 to DS3-m12, protect DS3-p1 to DS3-p12), processor with flash and SDRAM on the uP bus, OHP FPGA, and BERT FPGA]
3.8.2 DS3i-N-12 Card-Level Indicators
Table 3-11 describes the three LEDs on the DS3i-N-12 card faceplate.
3.8.3 DS3i-N-12 Port-Level Indicators
You can find the status of the DS3i-N-12 card ports by using the LCD screen on the ONS 15454 fan-tray
assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and
severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a
complete description of the alarm messages.
3.9 DS3-12E and DS3N-12E Cards
Note For hardware specifications, see the “A.5.7 DS3-12E and DS3N-12E Card Specifications” section on
page A-24.
The ONS 15454 DS3-12E card provides 12 Telcordia-compliant GR-499 DS-3 ports per card. Each port
operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3-12E card
provides enhanced performance monitoring functions. The DS3-12E can detect several different errored
logic bits within a DS3 frame. This function allows the ONS 15454 to identify a degrading DS3 facility
caused by upstream electronics (DS3 Framer). In addition, DS3 frame format autodetection and J1 path
trace are supported. By monitoring additional overhead in the DS3 frame, subtle network degradations
can be detected.
The following list summarizes DS3-12E card features:
• Provisionable framing format M23, C-bit or unframed
• Autorecognition and provisioning of incoming framing
• P-bit monitoring
• C-bit parity monitoring
• X-bit monitoring
• M-bit monitoring
• F-bit monitoring
• FEBE monitoring
• FEAC status and loop code detection
• Path trace byte support with TIM-P alarm generation
Table 3-11 DS3i-N-12 Card-Level Indicators
Card-Level LEDs                                Description
Red FAIL LED                                   Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED (Green = Active, Amber = Standby) When the ACT/STBY LED is green, the DS3i-N-12 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3i-N-12 card is operational and in standby (protect) mode.
Amber SF LED                                   Indicates a signal failure or condition such as LOS or LOF on one or more card ports.
The DS3-12E supports a 1:1 protection scheme, meaning it can operate as the protect card for one other
DS3-12E card.
The DS3N-12E can operate as the protect card in a 1:N (N <= 5) DS3 protection group. It has additional
circuitry not present on the basic DS3-12E card that allows it to protect up to five working DS3-12E
cards. The basic DS3-12E card can only function as the protect card for one other DS3-12E card.
3.9.1 DS3-12E and DS3N-12E Slots and Connectors
You can install the DS3-12E and DS3N-12E cards in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each
DS3-12E and DS3N-12E port features DSX-level outputs supporting distances up to 137 meters
(450 feet). With the proper backplane EIA, the card supports BNC or SMB connectors. See the
“7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about
electrical card slot protection and restrictions.
3.9.2 DS3-12E Faceplate and Block Diagram
Figure 3-9 shows the DS3-12E faceplate and a block diagram of the card.
Figure 3-9 DS3-12E Faceplate and Block Diagram
Figure 3-10 shows the DS3N-12E faceplate and a block diagram of the card.
[Figure 3-9: DS3-12E faceplate with FAIL, ACT, and SF LEDs; block diagram showing the backplane, DS3 ASIC, BTC ASIC, line interface units 1 to 12 (main DS3-m1 to DS3-m12, protect DS3-p1 to DS3-p12), processor with flash and SDRAM on the uP bus, OHP FPGA, and BERT FPGA]
Figure 3-10 DS3N-12E Faceplate and Block Diagram
3.9.3 DS3-12E and DS3N-12E Card-Level Indicators
Table 3-12 describes the three card-level LEDs on the DS3-12E and DS3N-12E card faceplates.
[Figure 3-10: DS3N-12E faceplate with FAIL, ACT/STBY, and SF LEDs; block diagram showing the backplane, DS3 ASIC, BTC ASIC, line interface units 1 to 12 (main DS3-m1 to DS3-m12, protect DS3-p1 to DS3-p12), processor with flash and SDRAM on the uP bus, OHP FPGA, and BERT FPGA]
Table 3-12 DS3-12E and DS3N-12E Card-Level Indicators
Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as port LOS or AIS.
3.9.4 DS3-12E and DS3N-12E Port-Level Indicators
You can find the status of the DS3-12E and DS3N-12E card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
3.10 DS3XM-6 Card
Note For hardware specifications, see the “A.5.9 DS3XM-6 Card Specifications” section on page A-26.
The DS3XM-6 card, commonly referred to as a transmux card, provides six Telcordia-compliant,
GR-499-CORE M13 multiplexing ports. The DS3XM-6 converts six framed DS-3 network connections
to 6 x 28, or 168, VT1.5s. DS3XM-6 cards operate at the VT1.5 level.
3.10.1 DS3XM-6 Slots and Connectors
The DS3XM-6 card supports 1:1 protection with the proper backplane EIA. EIAs are available with BNC
or SMB connectors.
You can install the DS3XM-6 in Slots 1 to 6 or 12 to 17. Each DS3XM-6 port features DSX-level outputs
supporting distances up to 137 meters (450 feet) depending on facility conditions. See “7.2 Electrical
Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot
protection and restrictions.
3.10.2 DS3XM-6 Faceplate and Block Diagram
Figure 3-11 shows the DS3XM-6 faceplate and a block diagram of the card.
Figure 3-11 DS3XM-6 Faceplate and Block Diagram
3.10.3 DS3XM-6 Hosted By XCVT, XC10G, or XC-VXC-10G
The DS3XM-6 card works in conjunction with the XCVT card. A single DS3XM-6 can demultiplex six
DS-3 signals into 168 VT1.5s that the XCVT card then manages and cross connects. XCVT cards host
a maximum of 336 bidirectional VT1.5s on two DS3XM-6 cards. In most network configurations, two
DS3XM-6 cards are paired together as working and protect cards.
3.10.4 DS3XM-6 Card-Level Indicators
Table 3-13 describes the three card-level LEDs on the DS3XM-6 card faceplate.
[Figure 3-11: DS3XM-6 faceplate with FAIL, ACT, and SF LEDs; block diagram showing the backplane, BTC ASIC, 6 line interface units, 6 M13 units, a mapper unit (6 STS-1 to 28 DS1 mapper), mux/demux ASIC, protection relay matrix, uP with flash and DRAM, and DC/DC unit, with 6 STS-1 / STS-12 toward the backplane]
3.10.5 DS3XM-6 Port-Level Indicators
You can find the status of the six DS3XM-6 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays
the number and severity of alarms for a given port or slot.
3.11 DS3XM-12 Card
Note For hardware specifications, see the “A.5.8 DS3XM-12 Card Specifications” section on page A-25.
The DS3XM-12 card, commonly referred to as a transmux card, provides twelve Telcordia-compliant,
GR-499-CORE M13 multiplexing ports. The DS3XM-12 converts up to 12 framed DS-3 network
connections to 12 x 28 VT1.5s.
3.11.1 Backplane Configurations
The DS3XM-12 card has 12 framed DS-3 physical ports (known as “ported” mode). The card also
supports a maximum of 12 “portless” DS3-mapped STS1 interfaces depending on the type of
cross-connect used. Each physical port corresponds to two portless ports. If a circuit is provisioned to a
physical port, its associated portless pair becomes unavailable and vice versa. See the “12.4 Portless
Transmux” section on page 12-15 for more information.
The DS3XM-12 card is compatible with the XCVT, XC10G, and XC-VXC-10G cross-connect cards.
Note The DS3XM-12 card supports an errorless software-initiated cross-connect card switch when used in a
shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.
Caution During an upgrade of the DS3XM-6 card to the DS3XM-12 card, the DS3XM-12 card (in Slots 1 to 5)
has insufficient cable-loss margin when the LBO setting on the DS-3 input ports is set to cable lengths
between 225 and 450 feet.
Table 3-13 DS3XM-6 Card-Level Indicators
Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) When the ACT/STBY LED is green, the DS3XM-6 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3XM-6 card is operational and in standby in a 1:1 protection group.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER on one or more card ports.
The DS3XM-12 supports three different backplane throughput configurations:
• STS-48 when an XC10G or XC-VXC-10G card is used. This configuration supports the OC-48 rate
in any slot.
• STS-48 for the Slots 5, 6, 12, and 13 when an XCVT card is used.
• STS-12 for Slots 1 through 4 and 7 through 12 when an XCVT card is used. This configuration
is bandwidth-limiting in the portless mode of operation.
The backplane throughput configuration is selected in CTC card view using the Maintenance > Card tab.
3.11.2 Ported Mode
The “ported” mode supports up to 12 framed DS-3 bidirectional mapped signals to each DS3XM-12
card, where the traffic is demultiplexed and mapped into a VT1.5 payload. This payload is then mapped
and multiplexed up to a bidirectional STS-1.
3.11.3 Portless Mode
The “portless” mode allows for IXC hand off connections through a standard SONET fiber optical
interface with DS-3-mapped STS-1s as a payload. This physical connection is accomplished with any of
the OC-N cards. The system cross-connect grooms the DS-3 mapped STS1 traffic to the appropriate
DS3XM-12 card, where the traffic is demultiplexed and mapped into a VT1.5 payload. This payload is
then mapped and multiplexed up to a higher rate STS-1. See the “12.4 Portless Transmux” section on
page 12-15 for more information.
3.11.4 Shelf Configurations
The DS3XM-12 card supports the XCVT, XC10G, and XC-VXC-10G cards. The DS3XM-12 card is
supported in any of the multiservice slots (Slots 1 through 6 and 12 through 17).
The DS3XM-12 card operates at the VT1.5 level and supports a maximum of 6 or 12 ports of “portless”
(DS-3-mapped STS1s) interface, depending on the shelf configuration (see Table 3-14).
Caution Do not install low-density DS-1 cards in the same side of the shelf as DS3XM-12 cards.
Table 3-14 DS3XM-12 Shelf Configurations
Port Maximums    Slots 1 through 4, and 14 through 17 (XCVT card)    Slots 5, 6, 12, and 13 (XCVT, XC10G, or XC-VXC-10G cards)    XC10G/XC-VXC-10G shelf (any multiservice slot)
Portless Ports   6                                                   12                                                           12
Ported Ports     12                                                  12                                                           12
3.11.5 Protection Modes
The DS3XM-12 card supports 1:1 and 1:N protection groups, where N <= 5. However, N <= 7 if one of
the following conditions is true:
• Only portless connections are used.
• A combination of ported and portless connections is used but all the ported cards being protected
are on the same side of the chassis as the protecting card.
These protection groups can be implemented in the ONS 15454 SONET platform for both the A and B
sides and do not require a special protect card.
In 1:N protection, the protect card must be in Slot 3 or 15. In 1:1 protection, the working and protect
cards must be in adjacent slots. The protection switches cause a traffic hit of no more than 50 ms. See
the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about
electrical card slot protection and restrictions.
In a 1:1 or 1:N protection group with DS3XM-12 cards that have different backplane bandwidths, a
protection switch that moves traffic from the working/active card to the protect/standby card, or vice
versa, causes a traffic hit of greater than 50 ms.
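The slot and group-size rules above can be checked mechanically before a protection group is provisioned. The following is an added example, not Cisco code or CTC logic: it encodes the 1:1 adjacency rule, the slot 3/15 rule for 1:N, the N limit of 5 (or 7 for portless-only groups or when every protected ported card sits on the protect card's shelf side), and the mixed-bandwidth warning. The Card and ProtectionGroup model, the "STS-12"/"STS-48" bandwidth strings and the ported flag are assumptions made for the illustration.

```python
"""Validate DS3XM-12 protection-group layouts against the rules of section 3.11.5.

Added example, not Cisco code. The Card/ProtectionGroup model, the bandwidth
strings and the `ported` flag are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List

MULTISERVICE_SLOTS = set(range(1, 7)) | set(range(12, 18))   # slots 1-6 and 12-17
ONE_TO_N_PROTECT_SLOTS = {3, 15}                             # protect slot of each side


def shelf_side(slot: int) -> str:
    """A side is slots 1-6, B side is slots 12-17."""
    return "A" if slot <= 6 else "B"


@dataclass
class Card:
    slot: int
    bandwidth: str        # backplane configuration, "STS-12" or "STS-48" (assumed labels)
    ported: bool = False  # True if the card carries physical (ported) DS-3 circuits


@dataclass
class ProtectionGroup:
    protect: Card
    working: List[Card]


def validate_group(group: ProtectionGroup) -> List[str]:
    """Return findings: ERROR entries violate a stated rule, WARN entries flag a
    layout that works but with a traffic hit of more than 50 ms."""
    findings: List[str] = []
    cards = [group.protect] + group.working
    for card in cards:
        if card.slot not in MULTISERVICE_SLOTS:
            findings.append(f"ERROR: slot {card.slot} is not a multiservice slot")
    slots = [card.slot for card in cards]
    if len(set(slots)) != len(slots):
        findings.append("ERROR: two cards in the group share a slot")

    n = len(group.working)
    if n == 0:
        findings.append("ERROR: protection group has no working card")
    elif n == 1:
        # 1:1 protection: working and protect cards must be in adjacent slots
        if abs(group.working[0].slot - group.protect.slot) != 1:
            findings.append("ERROR: 1:1 protection requires adjacent slots")
    else:
        # 1:N protection: protect card in slot 3 or 15; N <= 5, or N <= 7 when
        # every protected ported card is on the protect card's side (vacuously
        # true for a portless-only group)
        if group.protect.slot not in ONE_TO_N_PROTECT_SLOTS:
            findings.append("ERROR: 1:N protect card must be in slot 3 or 15")
        protect_side = shelf_side(group.protect.slot)
        ported = [card for card in group.working if card.ported]
        same_side = all(shelf_side(card.slot) == protect_side for card in ported)
        limit = 7 if same_side else 5
        if n > limit:
            findings.append(f"ERROR: N={n} exceeds the limit of {limit} for this layout")

    # Different backplane bandwidths in one group: switch exceeds 50 ms
    if len({card.bandwidth for card in cards}) > 1:
        findings.append("WARN: mixed backplane bandwidths; a protection switch will exceed 50 ms")
    return findings


if __name__ == "__main__":
    # Constructed layout: protect card in slot 3 guarding five ported cards on the A side.
    group = ProtectionGroup(Card(3, "STS-48"), [Card(s, "STS-48", True) for s in (1, 2, 4, 5, 6)])
    print(validate_group(group))  # []
```

A group with a ported working card on the B side and a protect card in slot 3 falls back to the N <= 5 limit, while a portless-only group may reach N = 7 with cards on both sides.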
3.11.6 Card Features
Table 3-15 summarizes the DS3XM-12 features.
Table 3-15 DS3XM-12 Features
Feature                 Description
Protection              1:1 and 1:N protection (“ported” and “portless”)
Upgrade                 • Errorless software upgrade
                        • In-service upgrade of legacy DS3XM-6 to DS3XM-12 (> 60 ms hit)
Performance Monitoring  • DS-3 M2-3 near-end performance monitoring (PM) parameters
                        • DS-3 C-bit near end and far end PM parameters
                        • DS-1 near end PM parameters
                        • DS-1 Extended Super Frame (ESF) PM far end parameters based on FDL PRM messages
                        • 1989 AT&T TR 54016 DS1 ESF PM
                        • SPRM and NPRM DS1 PM parameters
Loopbacks               • DS3 terminal and facility
                        • DS1 facility
                        • DS1 terminal
                        • FEAC based DS1 and DS3 loopbacks (TX and RX)
                        • DS1 ESF-FDL TX line and payload loopbacks
                        • DS1 SF (D4) “in-band” TX loopbacks
                        • AT&T TR 54016 ESF DS1 TX line and payload loopbacks
3.11.7 DS3XM-12 Slots and Connectors
The DS3XM-12 card can be used with BNC, SMB, SCSI (UBIC), or MiniBNC EIA connectors.
The card can be installed in Slots 1 to 6 or 12 to 17. Each DS3XM-12 port features DSX-level outputs
supporting distances up to 137 meters (450 feet) depending on facility conditions.
3.11.8 DS3XM-12 Faceplate and Block Diagram
Figure 3-12 shows the DS3XM-12 faceplate and a block diagram of the card.
Table 3-15 DS3XM-12 Features (continued)
Feature                        Description
DS1 Auto-Frame Detection       DS1 frame autodetection and autoprovisioning
Manual DS1 frame provisioning  Works in conjunction with the DS1 autoframe detection and gives you override capability
Manual DS3 frame provisioning  Legacy feature (C-Bit and M23 frame formats are supported)
J1                             Legacy feature (extended to 6 additional ports)
J2                             336 J2 strings are supported
Portless                       Supports DS3 data from the backplane in addition to the DS3 data from the line interface unit
Diagnostics                    Power-up diagnostics on working and protect cards
Testing                        Connectivity, error rate, and error count of the traffic running on Electrical IO card ports can be tested by using BERT. For more information on BERT, see the “3.2 Bit Error Rate Testing” section on page 3-4.
Figure 3-12 DS3XM-12 Faceplate and Block Diagram
3.11.9 DS3XM-12 Card-Level Indicators
Table 3-16 describes the three card-level LEDs on the DS3XM-12 card faceplate.
[Figure 3-12: DS3XM-12 faceplate with FAIL, ACT/STBY, and SF LEDs; block diagram showing the processor on the main and protect SCL buses, 12 DS3 ports through transformers and protection mux/relays to a 12-port DS3 LIU, 4x DS3/VT1.5 framer/mapper, STS-24 mapper FPGA, and MAIN and PROTECT IBPIA ASICs to the backplane, carrying DS3-mapped STS-1s (portless mode) and VT1.5-mapped STS-1s (both modes)]
3.11.10 DS3XM-12 Port-Level Indicators
You can find the status of the twelve DS3XM-12 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays
the number and severity of alarms for a given port or slot.
3.12 Interoperability Rules for Electrical Cards
The interoperability rules for the DS3XM-12 and DS3/EC1-48 cards are as follows:
• DS1/E1-56 cards cannot co-exist with high-density (HD) DS3/EC1-48 cards in the same half
shelf.
• MXP_2.5G_10G cards cannot co-exist with high-density DS3/EC1-48 or DS1/E1-56 cards in the HD
electrical slots.
• DS3XM-12 cards cannot co-exist with DS1/DS1N or DS1/E1-56 cards.
• DS3i and E1 line cards are allowed only in protect slots.
3.12.1 Half Shelf Compatibility
The DS3/EC1-48 card cannot be provisioned in slots 1 to 6 if:
• DS1 card is present in any slot from 1 to 6
• DS1N or MXP_2.5G_10G card is present in slot 3
• DS1/E1-56 card is present in any slot from 1 to 3
The DS3/EC1-48 card cannot be provisioned in slots 12 to 17 if:
• DS1 card is present in any slot from 12 to 17
• DS1 or MXP_2.5G_10G card is present in slot 15
• DS1/E1-56 card is present in any slot from 15 to 17
Table 3-16 DS3XM-12 Card-Level Indicators
Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. It is steady while the self-test runs, and blinks during provisioning. Replace the card if the red FAIL LED persists.
ACT/STBY LED (Green = Active, Amber = Standby) When the ACT/STBY LED is green, the DS3XM-12 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3XM-12 card is operational and in standby in a 1:1 protection group.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER on one or more card ports.
The DS3XM-12 card cannot be provisioned in slots 1 to 6 if:
• DS1 card is present in any slot from 1 to 6
• DS1N card is present in slot 3
• DS1/E1-56 card is present in any slot from 1 to 3
The DS3XM-12 card cannot be provisioned in slots 12 to 17 if:
• DS1 card is present in any slot from 12 to 17
• DS1N card is present in slot 15
• DS1/E1-56 card is present in any slot from 15 to 17
The DS1 or DS1N cards cannot be provisioned in slots 1 to 6 if:
• DS3/EC1-48 card is present in any slot from 1 to 3
• DS3XM-12 card is present in any slot from 1 to 6
The DS1 or DS1N cards cannot be provisioned in slots 12 to 17 if:
• DS3/EC1-48 card is present in any slot from 15 to 17
• DS3XM-12 card is present in any slot from 12 to 17
The DS1/E1-56 card cannot be provisioned in slots 1 to 6 if:
• DS3/EC1-48 card is present in any slot from 1 to 3
• DS3XM-12 card is present in any slot from 1 to 6
• MXP_2.5G_10G card is present in slot 3
The DS1/E1-56 card cannot be provisioned in slots 12 to 17 if:
• DS3/EC1-48 card is present in any slot from 15 to 17
• DS3XM-12 card is present in any slot from 12 to 17
• MXP_2.5G_10G card is present in slot 15
The MXP_2.5G_10G card cannot be provisioned in slot 3 if the DS3/EC1-48 or DS1/E1-56 card is
present in slots 1 or 2.
The MXP_2.5G_10G card cannot be provisioned in slot 15 if the DS3/EC1-48 or DS1/E1-56 card is
present in slots 16 or 17.
3.12.2 Slot Compatibility
The DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 1 if any electrical card is present in
slots 5 or 6.
The DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 2 if any low-density (LD) electrical
card, except DS3/EC1-48 or DS1/E1-56, is present in slots 3 or 4.
High-density (HD) DS3/EC1-48 or DS1/E1-56 cards cannot be provisioned in slot 3 if:
• It is in a 1:N low-density electrical protection group and slot 3 protects any card on slot 4, 5, or 6.
• A low-density electrical card in slot 1 is the working card
• Slots 5 and 6 have low-density cards
• Slots 2 and 4 have low-density cards and if slot 2 is in a protection group
No electrical cards can be provisioned in slot 3 if slot 2 has a DS3/EC1-48 or DS1/E1-56 card.
DS3/EC1-48 or DS1/E1-56 cannot be provisioned in slot 17 if any electrical card is present in slot 12 or
13.
DS3/EC1-48 or DS1/E1-56 cannot be provisioned in slot 16 if any electrical card other than DS3/EC1-48
or DS1/E1-56 card is present in slots 14 or 15.
Slot 15 cannot be upgraded to high-density DS3/EC1-48 or DS1/E1-56 card if:
• It is in a 1:N low-density electrical protection group and slot 15 protects any card on slot 12, 13, or
14.
• A low-density card in slot 17 is the working card and slots 12 and 13 have low-density cards.
• Slots 16 and 14 have low-density cards and slot 16 is in a protection group.
No electrical cards can be provisioned in slot 15 if slot 16 has a DS3/EC1-48 or DS1/E1-56 card.
DS3/EC1-48 or DS1/E1-56 cannot be provisioned in slot 4.
No low-density electrical cards can be provisioned in slot 4 if:
• Slot 2 has a DS3/EC1-48 or DS1/E1-56 card
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=2) protection group is present.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=1) protection group is present with slot 2
as working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slots 5 or 6.
No low-density electrical cards can be provisioned in slots 5 or 6 if:
• Slot 1 has a DS3/EC1-48 or DS1/E1-56 card
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 and 1:N (N=2) protection group is present.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 and 1:N (N=1) protection group is present with slot 1 as
working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slots 12 or 13.
No low-density electrical cards can be provisioned in slots 12 or 13 if:
• Slot 17 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=2) protection group is present
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=1) protection group is present with slot
17 as working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 14.
No low-density electrical cards can be provisioned in slot 14 if:
• Slot 16 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=2) protection group is present.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and 1:N (N=1) protection group is present with slot 16 as
working slot.
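The half-shelf rules in 3.12.1 and the per-card rules at the start of 3.12.2 form a small rule set that can be checked before a card is provisioned. The following is an added example, not Cisco code or CTC logic: it encodes those rules for the DS3/EC1-48, DS3XM-12, DS1/DS1N, DS1/E1-56 and MXP_2.5G_10G cards, keeping the per-side wording exactly as the text gives it. The shelf model (a dict of slot number to card-type string) and the card-type strings are assumptions made for the illustration; the slot-position rules later in 3.12.2 are not encoded.

```python
"""Half-shelf compatibility check for ONS 15454 electrical cards.

Added example, not Cisco code. It encodes the rules of section 3.12.1 and the
per-card rules at the start of section 3.12.2. The shelf model (slot number ->
card-type string) and the card-type strings are assumptions for illustration.
"""
from typing import Dict, Iterable, List, Set

SIDE_A = range(1, 7)       # multiservice slots 1-6
SIDE_B = range(12, 18)     # multiservice slots 12-17


def _present(shelf: Dict[int, str], slots: Iterable[int], types: Set[str]) -> bool:
    """True if any of `slots` already holds a card whose type is in `types`."""
    return any(shelf.get(s) in types for s in slots)


def conflicts(shelf: Dict[int, str], slot: int, card: str) -> List[str]:
    """Return the reasons `card` may not be provisioned in `slot` (empty if allowed)."""
    if slot not in SIDE_A and slot not in SIDE_B:
        return [f"slot {slot} is not a multiservice slot"]
    if slot in shelf:
        return [f"slot {slot} is already occupied by {shelf[slot]}"]

    a_side = slot in SIDE_A
    side = SIDE_A if a_side else SIDE_B                   # "any slot from 1 to 6" / "12 to 17"
    protect_slot = 3 if a_side else 15                    # the 1:N protect slot of this side
    hd_slots = range(1, 4) if a_side else range(15, 18)   # "slots 1 to 3" / "15 to 17"
    # 3.12.1 lists different card types for the protect slot on each side; kept as written.
    ec1_protect_block = {"DS1N", "MXP_2.5G_10G"} if a_side else {"DS1", "MXP_2.5G_10G"}

    reasons: List[str] = []
    if card == "DS3/EC1-48":
        if _present(shelf, side, {"DS1"}):
            reasons.append("DS1 card present in this half shelf")
        if shelf.get(protect_slot) in ec1_protect_block:
            reasons.append(f"{shelf[protect_slot]} card present in slot {protect_slot}")
        if _present(shelf, hd_slots, {"DS1/E1-56"}):
            reasons.append("DS1/E1-56 card present in the HD slots of this side")
    elif card == "DS3XM-12":
        if _present(shelf, side, {"DS1"}):
            reasons.append("DS1 card present in this half shelf")
        if shelf.get(protect_slot) == "DS1N":
            reasons.append(f"DS1N card present in slot {protect_slot}")
        if _present(shelf, hd_slots, {"DS1/E1-56"}):
            reasons.append("DS1/E1-56 card present in the HD slots of this side")
    elif card in ("DS1", "DS1N"):
        if _present(shelf, hd_slots, {"DS3/EC1-48"}):
            reasons.append("DS3/EC1-48 card present in the HD slots of this side")
        if _present(shelf, side, {"DS3XM-12"}):
            reasons.append("DS3XM-12 card present in this half shelf")
    elif card == "DS1/E1-56":
        if _present(shelf, hd_slots, {"DS3/EC1-48"}):
            reasons.append("DS3/EC1-48 card present in the HD slots of this side")
        if _present(shelf, side, {"DS3XM-12"}):
            reasons.append("DS3XM-12 card present in this half shelf")
        if shelf.get(protect_slot) == "MXP_2.5G_10G":
            reasons.append(f"MXP_2.5G_10G card present in slot {protect_slot}")
    elif card == "MXP_2.5G_10G":
        # Only the protect slot carries a stated restriction for this card.
        neighbours = (1, 2) if a_side else (16, 17)
        if slot == protect_slot and _present(shelf, neighbours, {"DS3/EC1-48", "DS1/E1-56"}):
            reasons.append(f"DS3/EC1-48 or DS1/E1-56 card present in slots {neighbours}")
    return reasons


def provision(shelf: Dict[int, str], slot: int, card: str) -> Dict[int, str]:
    """Return a new shelf with `card` in `slot`, or raise ValueError listing every
    rule that blocks the placement. Order matters: the same two cards may be
    accepted or rejected depending on which one is provisioned first."""
    reasons = conflicts(shelf, slot, card)
    if reasons:
        raise ValueError(f"{card} in slot {slot}: " + "; ".join(reasons))
    return {**shelf, slot: card}


if __name__ == "__main__":
    # Constructed shelf: a DS3XM-12 in slot 1 blocks DS1 anywhere on the A side,
    # but not on the B side.
    shelf = provision({}, 1, "DS3XM-12")
    print(conflicts(shelf, 2, "DS1"))    # ['DS3XM-12 card present in this half shelf']
    print(conflicts(shelf, 12, "DS1"))   # []
```

Because each rule is phrased as "card X cannot be provisioned if Y is present", the check is not symmetric: the text forbids a DS3/EC1-48 on the B side when a DS1 is in slot 15, but forbids one on the A side only for a DS1N in slot 3, and the code keeps that distinction rather than guessing an intended symmetry.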
Chapter 4 Optical Cards
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This chapter describes the Cisco ONS 15454 optical card features and functions. It includes descriptions,
hardware specifications, and block diagrams for each optical card. For installation and card turn-up
procedures, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 4.1 Optical Card Overview, page 4-2
• 4.2 OC3 IR 4/STM1 SH 1310 Card, page 4-6
• 4.3 OC3 IR/STM1 SH 1310-8 Card, page 4-8
• 4.4 OC12 IR/STM4 SH 1310 Card, page 4-10
• 4.5 OC12 LR/STM4 LH 1310 Card, page 4-12
• 4.6 OC12 LR/STM4 LH 1550 Card, page 4-14
• 4.7 OC12 IR/STM4 SH 1310-4 Card, page 4-16
• 4.8 OC48 IR 1310 Card, page 4-18
• 4.9 OC48 LR 1550 Card, page 4-20
• 4.10 OC48 IR/STM16 SH AS 1310 Card, page 4-22
• 4.11 OC48 LR/STM16 LH AS 1550 Card, page 4-24
• 4.12 OC48 ELR/STM16 EH 100 GHz Cards, page 4-26
• 4.13 OC48 ELR 200 GHz Cards, page 4-28
• 4.14 OC192 SR/STM64 IO 1310 Card, page 4-30
• 4.15 OC192 IR/STM64 SH 1550 Card, page 4-32
• 4.16 OC192 LR/STM64 LH 1550 Card, page 4-34
• 4.17 OC192 LR/STM64 LH ITU 15xx.xx Card, page 4-39
• 4.18 15454_MRC-12 Multirate Card, page 4-42
• 4.19 MRC-2.5G-4 Multirate Card, page 4-47
• 4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards, page 4-51
• 4.21 Optical Card SFPs and XFPs, page 4-53
4.1 Optical Card Overview
Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly.
The cards are then installed into slots displaying the same symbols. See the “1.19 Cards and Slots”
section on page 1-74 for a list of slots and symbols.
4.1.1 Card Summary
Table 4-1 lists the Cisco ONS 15454 optical cards.
Table 4-1 Optical Cards for the ONS 15454
(Columns: Card; Port Description; For Additional Information...)
OC3 IR 4 SH 1310
  Port Description: The OC3 IR 4 SH 1310 card provides four intermediate- or short-range OC-3 ports and operates at 1310 nm. Note: The OC3 IR 4 SH 1310 and OC3 IR 4/STM1 SH 1310 cards are functionally the same.
  For Additional Information: See the “4.2 OC3 IR 4/STM1 SH 1310 Card” section on page 4-6.
OC3 IR 4/STM1 SH 1310
  Port Description: The OC3 IR 4/STM1 SH 1310 card provides four intermediate- or short-range OC-3 ports and operates at 1310 nm.
  For Additional Information: See the “4.2 OC3 IR 4/STM1 SH 1310 Card” section on page 4-6.
OC3 IR/STM1 SH 1310-8
  Port Description: The OC3 IR/STM1 SH 1310-8 card provides eight intermediate- or short-range OC-3 ports and operates at 1310 nm.
  For Additional Information: See the “4.3 OC3 IR/STM1 SH 1310-8 Card” section on page 4-8.
OC12 IR 1310
  Port Description: The OC12 IR 1310 card provides one intermediate- or short-range OC-12 port and operates at 1310 nm. Note: The OC12 IR 1310 and OC12/STM4 SH 1310 cards are functionally the same.
  For Additional Information: See the “4.4 OC12 IR/STM4 SH 1310 Card” section on page 4-10.
OC12 IR/STM4 SH 1310
  Port Description: The OC12 IR/STM4 SH 1310 card provides one intermediate- or short-range OC-12 port and operates at 1310 nm.
  For Additional Information: See the “4.4 OC12 IR/STM4 SH 1310 Card” section on page 4-10.
OC12 LR 1310
  Port Description: The OC12 LR 1310 card provides one long-range OC-12 port and operates at 1310 nm. Note: The OC12 LR 1310 and OC12 LR/STM4 LH 1310 cards are functionally the same.
  For Additional Information: See the “4.5 OC12 LR/STM4 LH 1310 Card” section on page 4-12.
OC12 LR/STM4 LH 1310
  Port Description: The OC12 LR/STM4 LH 1310 card provides one long-range OC-12 port and operates at 1310 nm.
  For Additional Information: See the “4.5 OC12 LR/STM4 LH 1310 Card” section on page 4-12.
OC12 LR 1550
  Port Description: The OC12 LR 1550 card provides one long-range OC-12 port and operates at 1550 nm. Note: The OC12 LR 1550 and OC12 LR/STM4 LH 1550 cards are functionally the same.
  For Additional Information: See the “4.6 OC12 LR/STM4 LH 1550 Card” section on page 4-14.
OC12 LR/STM4 LH 1550
  Port Description: The OC12 LR/STM4 LH 1550 card provides one long-range OC-12 port and operates at 1550 nm.
  For Additional Information: See the “4.6 OC12 LR/STM4 LH 1550 Card” section on page 4-14.
OC12 IR/STM4 SH 1310-4
  Port Description: The OC12 IR/STM4 SH 1310-4 card provides four intermediate- or short-range OC-12 ports and operates at 1310 nm.
  For Additional Information: See the “4.7 OC12 IR/STM4 SH 1310-4 Card” section on page 4-16.
OC48 IR 1310
  Port Description: The OC48 IR 1310 card provides one intermediate-range OC-48 port and operates at 1310 nm.
  For Additional Information: See the “4.8 OC48 IR 1310 Card” section on page 4-18.
OC48 LR 1550
  Port Description: The OC48 LR 1550 card provides one long-range OC-48 port and operates at 1550 nm.
  For Additional Information: See the “4.9 OC48 LR 1550 Card” section on page 4-20.
OC48 IR/STM16 SH AS 1310
  Port Description: The OC48 IR/STM16 SH AS 1310 card provides one intermediate- or short-range OC-48 port at 1310 nm.
  For Additional Information: See the “4.10 OC48 IR/STM16 SH AS 1310 Card” section on page 4-22.
OC48 LR/STM16 LH AS 1550
  Port Description: The OC48 LR/STM16 LH AS 1550 card provides one long-range OC-48 port at 1550 nm.
  For Additional Information: See the “4.11 OC48 LR/STM16 LH AS 1550 Card” section on page 4-24.
OC48 ELR/STM16 EH 100 GHz
  Port Description: The OC48 ELR/STM16 EH 100 GHz card provides one long-range (enhanced) OC-48 port and operates in Slot 5, 6, 12, or 13. This card is available in 18 different wavelengths (9 in the blue band and 9 in the red band) in the 1550-nm range, every second wavelength in the ITU grid for 100-GHz spacing dense wavelength division multiplexing (DWDM).
  For Additional Information: See the “4.12 OC48 ELR/STM16 EH 100 GHz Cards” section on page 4-26.
OC48 ELR 200 GHz
  Port Description: The OC48 ELR 200 GHz card provides one long-range (enhanced) OC-48 port and operates in Slot 5, 6, 12, or 13. This card is available in 18 different wavelengths (9 in the blue band and 9 in the red band) in the 1550-nm range, every fourth wavelength in the ITU grid for 200-GHz spacing DWDM.
  For Additional Information: See the “4.13 OC48 ELR 200 GHz Cards” section on page 4-28.
OC192 SR/STM64 IO 1310
  Port Description: The OC192 SR/STM64 IO 1310 card provides one intra-office-haul OC-192 port at 1310 nm.
  For Additional Information: See the “4.14 OC192 SR/STM64 IO 1310 Card” section on page 4-30.
OC192 IR/STM64 SH 1550
  Port Description: The OC192 IR/STM64 SH 1550 card provides one intermediate-range OC-192 port at 1550 nm.
  For Additional Information: See the “4.15 OC192 IR/STM64 SH 1550 Card” section on page 4-32.
OC192 LR/STM64 LH 1550
  Port Description: The OC192 LR/STM64 LH 1550 card provides one long-range OC-192 port at 1550 nm.
  For Additional Information: See the “4.16 OC192 LR/STM64 LH 1550 Card” section on page 4-34.
OC192 LR/STM64 LH ITU 15xx.xx
  Port Description: The OC192 LR/STM64 LH ITU 15xx.xx card provides one extended long-range OC-192 port. This card is available in multiple wavelengths in the 1550-nm range of the ITU grid for 100-GHz-spaced DWDM.
  For Additional Information: See the “4.17 OC192 LR/STM64 LH ITU 15xx.xx Card” section on page 4-39.
Note The Cisco OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface optics, all
working at 1310 nm, are optimized for the most widely used SMF-28 fiber, available from many
suppliers.
Corning MetroCor fiber is optimized for optical interfaces that transmit at 1550 nm or in the C and L
DWDM windows, and targets interfaces with higher dispersion tolerances than those found in
OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface optics. If you are using
Corning MetroCor fiber, OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface
optics become dispersion limited before they become attenuation limited. In this case, consider using
OC12 LR/STM4 LH and OC48 LR/STM16 LH cards instead of OC12 IR/STM4 SH and
OC48 IR/STM16 SH cards.
With all fiber types, network planners/engineers should review the relative fiber type and optics
specifications to determine attenuation, dispersion, and other characteristics to ensure appropriate
deployment.
4.1.2 Card Compatibility
Table 4-2 lists the CTC software compatibility for each optical card. See Table 2-5 on page 2-6 for a list
of cross-connect cards that are compatible with each optical card.
Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to
the individual card reference section for more information about software limitations for this card.
Table 4-1 Optical Cards for the ONS 15454 (continued)
Card | Port Description | For Additional Information
15454_MRC-12 | The 15454_MRC-12 card provides up to twelve OC-3 or OC-12 ports, or up to four OC-48 ports. The card operates in Slots 1 to 6 and 12 to 17. | See the “4.18 15454_MRC-12 Multirate Card” section on page 4-42.
MRC-2.5G-4 | The MRC-2.5G-4 card provides up to four OC-3/STM-1 or OC-12/STM-4 ports, or one OC-48/STM-16 port. The card operates in Slots 1 to 6 and 12 to 17. | See the “4.19 MRC-2.5G-4 Multirate Card” section on page 4-47.
OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach (1) | The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards each provide a single OC-192/STM-64 interface capable of operating with SR-1, IR-2, and LR-2 XFP modules (depending on the card) at 1310 nm and 1550 nm. The cards operate in Slot 5, 6, 12, or 13 with the XC10G and XC-VXC-10G cards. | See the “4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards” section on page 4-51.
1. In the Cisco Transport Controller (CTC) GUI, these cards are known as OC192-XFP.
Table 4-2 Optical Card Software Release Compatibility
Optical Card | R3.3 | R3.4 | R4.0 | R4.1 | R4.5 (1) | R4.6 | R4.7 (1) | R5.0 | R6.0 | R7.0 | R7.2 | R8.0 | R8.5 | R9.0 | R9.1 | R9.2 | R9.2.1
OC3 IR 4 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC3 IR 4/STM1 SH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC3 IR/STM1 SH 1310-8 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR/STM4 SH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR/STM4 LH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR/STM4 LH 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR/STM4 SH 1310-4 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 IR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 LR 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 IR/STM16 SH AS 1310 (2) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 LR/STM16 LH AS 1550 (3) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 ELR/STM16 EH 100 GHz | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 ELR 200 GHz | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 SR/STM64 IO 1310 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 IR/STM64 SH 1550 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH 1550 (15454-OC192LR1550) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH 1550 (15454-OC192-LR2) | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH ITU 15xx.xx | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
15454_MRC-12 | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MRC-2.5G-4 | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes
OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach (4) | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
1. DWDM-only release.
2. To enable OC-192 and OC-48 any-slot card operation, use the XC10G or XC-VXC-10G card, the TCC+/TCC2/TCC2P card, Software R3.1 or later, and the 15454-SA-ANSI or 15454-SA-HD shelf assembly. Note that the TCC+ card is not compatible with Software 4.5 or later.
3. To enable OC-192 and OC-48 any-slot card operation, use the XC10G or XC-VXC-10G card, the TCC+/TCC2/TCC2P card, Software R3.1 or later, and the 15454-SA-ANSI or 15454-SA-HD shelf assembly. Note that the TCC+ card is not compatible with Software 4.5 or later.
4. These cards are designated as OC192-XFP in CTC.
4.2 OC3 IR 4/STM1 SH 1310 Card
Note For hardware specifications, see the “A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications” section on
page A-28. See Table 4-2 on page 4-5 for optical card compatibility.
The OC3 IR 4/STM1 SH 1310 card provides four intermediate or short range SONET/SDH OC-3 ports
compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at
155.52 Mbps over a single-mode fiber span. The card supports Virtual Tributary (VT), nonconcatenated
(STS-1), or concatenated (STS-1 or STS-3c) payloads. Figure 4-1 shows the OC3 IR 4/STM1 SH 1310
faceplate and a block diagram of the card.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Note The OC3 IR 4 SH 1310 and OC3 IR 4/STM1 SH 1310 cards are functionally the same.
Figure 4-1 OC3 IR 4/STM1 SH 1310 Faceplate and Block Diagram
You can install the OC3 IR 4/STM1 SH 1310 card in Slots 1 to 6 and 12 to 17. The card can be
provisioned as part of a path protection or a linear add/drop multiplexer (ADM) configuration. Each
interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card
faceplate. The card uses SC connectors.
The OC3 IR 4/STM1 SH 1310 card supports 1+1 unidirectional or bidirectional protection switching.
You can provision protection on a per port basis.
The OC3 IR 4/STM1 SH 1310 card detects loss of signal (LOS), loss of frame (LOF), loss of pointer
(LOP), line-layer alarm indication signal (AIS-L), and line-layer remote defect indication (RDI-L)
conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions.
The card also counts section and line bit interleaved parity (BIP) errors.
To enable automatic protection switching (APS), the OC3 IR 4/STM1 SH 1310 card extracts the K1 and
K2 bytes from the SONET overhead to perform appropriate protection switches. The data
communication channel/general communication channel (DCC/GCC) bytes are forwarded to the
TCC2/TCC2P card, which terminates the DCC/GCC.
4.2.1 OC3 IR 4/STM1 SH 1310 Card-Level Indicators
Table 4-3 describes the three card-level LED indicators on the OC3 IR 4/STM1 SH 1310 card.
Figure 4-1 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, backplane, STS-12, STS-12/STS-3 Mux/Demux, four Optical Transceivers, four STS-3 termination/framing blocks, OC-3 ports 1 to 4 (Tx/Rx). Faceplate: FAIL, ACT, and SF LEDs; label OC3IR4 STM1SH 1310.
4.2.2 OC3 IR 4/STM1 SH 1310 Port-Level Indicators
Eight bicolor LEDs show the status per port. The LEDs are green if the port is available to carry traffic,
is provisioned as in-service, and is part of a protection group, in the active mode. You can find the status
of the four card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to
view the status of any port or card slot; the screen displays the number and severity of alarms for a given
port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the
alarm messages.
4.3 OC3 IR/STM1 SH 1310-8 Card
Note For hardware specifications, see the “A.6.2 OC3 IR/STM1SH 1310-8 Card Specifications” section on
page A-29. See Table 4-2 on page 4-5 for optical card compatibility.
The OC3 IR/STM1 SH 1310-8 card provides eight intermediate or short range SONET/SDH OC-3 ports
compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at
155.52 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or
concatenated (STS-3C) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-2 shows the card faceplate and block diagram.
Table 4-3 OC3 IR 4/STM1 SH 1310 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
Green ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready.
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high bit error rate (BER) on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the links are working, the light turns off.
Figure 4-2 OC3IR/STM1 SH 1310-8 Faceplate and Block Diagram
You can install the OC3 IR/STM1 SH 1310-8 card in Slots 1 to 4 and 14 to 17. The card can be
provisioned as part of a path protection or an ADM configuration. Each interface features a 1310-nm
laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses LC
connectors on the faceplate that are angled downward 12.5 degrees.
The OC3 IR/STM1 SH 1310-8 card supports 1+1 unidirectional and bidirectional protection switching.
You can provision protection on a per port basis.
The OC3 IR/STM1 SH 1310-8 card detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the
Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts
section and line BIP errors.
To enable APS, the OC3 IR/STM1 SH 1310-8 card extracts the K1 and K2 bytes from the SONET
overhead to perform appropriate protection switches. The OC3 IR/STM1 SH 1310-8 card supports full
DCC/GCC connectivity for remote network management.
Figure 4-2 block diagram labels: uP bus, uP, Flash RAM, backplane, OCEAN ASIC, BPIA RX Main, BPIA RX Prot, BPIA TX Main, BPIA TX Prot, Optical Transceivers #1 to #8 (one STM-1 each). Faceplate: FAIL, ACT, and SF LEDs; label OC3IR STM1SH 1310-8.
4.3.1 OC3 IR/STM1 SH 1310-8 Card-Level Indicators
Table 4-4 describes the three card-level LEDs on the eight-port OC3 IR/STM1 SH 1310-8 card.
4.3.2 OC3 IR/STM1 SH 1310-8 Port-Level Indicators
Eight bicolor LEDs show the status per port. The LEDs show green if the port is available to carry traffic,
is provisioned as in-service, is part of a protection group, or is in the active mode. You can also find the
status of the eight card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD
to view the status of any port or card slot; the screen displays the number and severity of alarms for a
given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of
the alarm messages.
4.4 OC12 IR/STM4 SH 1310 Card
Note For hardware specifications, see the “A.6.3 OC12 IR/STM4 SH 1310 Card Specifications” section on
page A-30. See Table 4-2 on page 4-5 for optical card compatibility.
The OC12 IR/STM4 SH 1310 card provides one intermediate or short range SONET OC-12 port
compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at
622.08 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or
concatenated (STS-3c, STS-6c, or STS-12c) payloads. Figure 4-3 shows the OC12 IR/STM4 SH 1310
faceplate and a block diagram of the card.
Note The OC12 IR 1310 and OC12 IR/STM4 SH 1310 cards are functionally the same.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Table 4-4 OC3 IR/STM1 SH 1310-8 Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
Green ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready.
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BER on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the links are working, the light turns off.
Figure 4-3 OC12 IR/STM4 SH 1310 Faceplate and Block Diagram
You can install the OC12 IR/STM4 SH 1310 card in Slots 1 to 6 and 12 to 17, and provision the card as
a drop card or span card in a two-fiber BLSR, path protection, or ADM (linear) configuration.
The OC12 IR/STM4 SH 1310 card interface features a 1310-nm laser and contains a transmit and receive
connector (labeled) on the card faceplate. The OC12 IR/STM4 SH 1310 card uses SC optical
connections and supports 1+1 unidirectional and bidirectional protection.
The OC12 IR/STM4 SH 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the
Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts
section and line BIP errors.
To enable APS, the OC12 IR/STM4 SH 1310 card extracts the K1 and K2 bytes from the SONET
overhead to perform appropriate protection switches. The DCC/GCC bytes are forwarded to the
TCC2/TCC2P card, which terminates the DCC/GCC.
4.4.1 OC12 IR/STM4 SH 1310 Card-Level Indicators
Table 4-5 describes the three card-level LEDs on the OC12 IR/STM4 SH 1310 card.
Figure 4-3 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, STS-12 Mux/Demux, Optical Transceiver, OC-12, Main SCI, Protect SCI, STS-12, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC12IR STM4SH 1310.
4.4.2 OC12 IR/STM4 SH 1310 Port-Level Indicators
You can find the status of the OC12 IR/STM4 SH 1310 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454
Troubleshooting Guide for a complete description of the alarm messages.
4.5 OC12 LR/STM4 LH 1310 Card
Note For hardware specifications, see the “A.6.4 OC12 LR/STM4 LH 1310 Card Specifications” section on
page A-31. See Table 4-2 on page 4-5 for optical card compatibility.
The OC12 LR/STM4 LH 1310 card provides one long-range SONET OC-12 port per card compliant
with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 622.08 Mbps over
a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c,
STS-6c, or STS-12c) payloads. Figure 4-4 shows the OC12 LR/STM4 LH 1310 faceplate and a block
diagram of the card.
Note The OC12 LR 1310 and OC12 LR/STM4 LH 1310 cards are functionally the same.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Table 4-5 OC12 IR/STM4 SH 1310 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is operational and is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Figure 4-4 OC12 LR/STM4 LH 1310 Faceplate and Block Diagram
You can install the OC12 LR/STM4 LH 1310 card in Slots 1 to 6 and 12 to 17, and provision the card as
a drop card or span card in a two-fiber BLSR, path protection, or ADM (linear) configuration.
The OC12 LR/STM4 LH 1310 card interface features a 1310-nm laser and contains a transmit and
receive connector (labeled) on the card faceplate. The card uses SC optical connections and supports 1+1
unidirectional and bidirectional protection.
The OC12 LR/STM4 LH 1310 card detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the
Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts
section and line BIP errors.
To enable APS, the OC12 LR/STM4 LH 1310 card extracts the K1 and K2 bytes from the SONET
overhead to perform appropriate protection switches. The DCC/GCC bytes are forwarded to the
TCC2/TCC2P card, which terminates the DCC/GCC.
4.5.1 OC12 LR/STM4 LH 1310 Card-Level Indicators
Table 4-6 describes the three card-level LEDs on the OC12 LR/STM4 LH 1310 card.
Figure 4-4 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, STS-12 Mux/Demux, Optical Transceiver, OC-12, Main SCI, Protect SCI, STS-12, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC12LR STM4LH 1310.
4.5.2 OC12 LR/STM4 LH 1310 Port-Level Indicators
You can find the status of the OC12 LR/STM4 LH 1310 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
4.6 OC12 LR/STM4 LH 1550 Card
Note For hardware specifications, see the “A.6.5 OC12 LR/STM4 LH 1550 Card Specifications” section on
page A-32. See Table 4-2 on page 4-5 for optical card compatibility.
The OC12 LR/STM4 LH 1550 card provides one long-range SONET/SDH OC-12 port compliant with
ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 622.08 Mbps over a
single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c,
STS-6c, or STS-12c) payloads. Figure 4-5 shows the OC12 LR/STM4 LH 1550 faceplate and a block
diagram of the card.
Note The OC12 LR 1550 and OC12 LR/STM4 LH 1550 cards are functionally the same.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Table 4-6 OC12 LR/STM4 LH 1310 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is operational and is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-5 OC12 LR/STM4 LH 1550 Faceplate and Block Diagram
You can install the OC12 LR/STM4 LH 1550 card in Slots 1 to 4 and 14 to 17. The
OC12 LR/STM4 LH 1550 can be provisioned as part of a two-fiber BLSR, path protection, or linear
ADM.
The OC12 LR/STM4 LH 1550 uses long-reach optics centered at 1550 nm and contains a transmit and
receive connector (labeled) on the card faceplate. The OC12 LR/STM4 LH 1550 uses SC optical
connections and supports 1+1 bidirectional or unidirectional protection switching.
The OC12 LR/STM4 LH 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also
counts section and line BIP errors.
4.6.1 OC12 LR/STM4 LH 1550 Card-Level Indicators
Table 4-7 describes the three card-level LEDs on the OC12 LR/STM4 LH 1550 card.
Figure 4-5 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, STS-12 Mux/Demux, Optical Transceiver, OC-12, Main SCI, Protect SCI, STS-12, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC12LR STM4LH 1550.
4.6.2 OC12 LR/STM4 LH 1550 Port-Level Indicators
You can find the status of the OC12 LR/STM4 LH 1550 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
4.7 OC12 IR/STM4 SH 1310-4 Card
Note For hardware specifications, see the “A.6.6 OC12 IR/STM4 SH 1310-4 Specifications” section on
page A-33. See Table 4-2 on page 4-5 for optical card compatibility.
The OC12 IR/STM4 SH 1310-4 card provides four intermediate or short range SONET/SDH
OC-12/STM-4 ports compliant with the ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE.
Each port operates at 622.08 Mbps over a single-mode fiber span. The card supports VT,
nonconcatenated (STS-1), or concatenated (STS-1, STS-3c, STS-6c, or STS-12c) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-6 shows the OC12 IR/STM4 SH 1310-4 faceplate and a block diagram of the card.
Table 4-7 OC12 LR/STM4 LH 1550 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is operational and ready to carry traffic. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-6 OC12 IR/STM4 SH 1310-4 Faceplate and Block Diagram
You can install the OC12 IR/STM4 SH 1310-4 card in Slots 1 to 4 and 14 to 17. Each interface features
a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card
uses SC connectors.
The OC12 IR/STM4 SH 1310-4 card supports 1+1 unidirectional and bidirectional protection switching.
You can provision protection on a per port basis.
The OC12 IR/STM4 SH 1310-4 card detects LOS, LOF, LOP, MS-AIS, and MS-FERF conditions. Refer
to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also
counts section and line BIP errors.
To enable BLSR, the OC12 IR/STM4 SH 1310-4 card extracts the K1 and K2 bytes from the SONET
overhead and processes them to switch accordingly. The DCC/GCC bytes are forwarded to the
TCC2/TCC2P card, which terminates the DCC/GCC.
Note If you ever expect to upgrade an OC-12/STM-4 ring to a higher bit rate, you should not put an
OC12 IR/STM4 SH 1310-4 card in that ring. The four-port card is not upgradable to a single-port card.
The reason is that four different spans, possibly going to four different nodes, cannot be merged to a
single span.
Figure 4-6 block diagram labels: uP bus, uP, Flash RAM, ASIC, backplane, STS-12, four Optical Transceivers, four STS-12/STM-4 termination/framing blocks, OC-12/STM-4 ports 1 to 4 (Tx/Rx). Faceplate: FAIL, ACT, and SF LEDs; label OC12IR STM4SH 1310-4.
4.7.1 OC12 IR/STM4 SH 1310-4 Card-Level Indicators
Table 4-8 describes the three card-level LEDs on the OC12 IR/STM4 SH 1310-4 card.
4.7.2 OC12 IR/STM4 SH 1310-4 Port-Level Indicators
You can find the status of the four card ports by using the LCD screen on the ONS 15454 fan-tray
assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and
severity of alarms for a given port or slot.
4.8 OC48 IR 1310 Card
Note For hardware specifications, see the “A.6.7 OC48 IR 1310 Card Specifications” section on page A-34.
See Table 4-2 on page 4-5 for optical card compatibility.
Note Any new features that are available as part of this software release are not enabled for this card.
The OC48 IR 1310 card provides one intermediate-range, SONET OC-48 port per card, compliant with
Telcordia GR-253-CORE. Each port operates at 2.49 Gbps over a single-mode fiber span. The card
supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c)
payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-7 shows the OC48 IR 1310 faceplate and a block diagram of the card.
Table 4-8 OC12 IR/STM4 SH 1310-4 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready.
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BER on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-7 OC48 IR 1310 Faceplate and Block Diagram
You can install the OC48 IR 1310 card in Slots 5, 6, 12, and 13, and provision the card as a drop or span
card in a two-fiber or four-fiber BLSR, path protection, or in an ADM (linear) configuration.
The OC-48 port features a 1310-nm laser and contains a transmit and receive connector (labeled) on the
card faceplate. The OC48 IR 1310 uses SC connectors. The card supports 1+1 unidirectional and
bidirectional protection switching.
The OC48 IR 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section
and line BIP errors.
4.8.1 OC48 IR 1310 Card-Level Indicators
Table 4-9 describes the three card-level LEDs on the OC48 IR 1310 card.
Figure 4-7 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, Optical Transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC48 IR 1310.
4.8.2 OC48 IR 1310 Port-Level Indicators
You can find the status of the OC48 IR 1310 card port by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot.
4.9 OC48 LR 1550 Card
Note For hardware specifications, see the “A.6.8 OC48 LR 1550 Card Specifications” section on page A-35.
See Table 4-2 on page 4-5 for optical card compatibility.
Note Any new features that are available as part of this software release are not enabled for this card.
The OC48 LR 1550 card provides one long-range, SONET OC-48 port per card, compliant with
Telcordia GR-253-CORE. Each port operates at 2.49 Gbps over a single-mode fiber span. The card
supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c)
payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-8 shows the OC48 LR 1550 faceplate and a block diagram of the card.
Table 4-9 OC48 IR 1310 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-8 OC48 LR 1550 Faceplate and Block Diagram
You can install OC48 LR 1550 cards in Slots 5, 6, 12, and 13 and provision the card as a drop or span
card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration.
The OC48 LR 1550 port features a 1550-nm laser and contains a transmit and receive connector (labeled)
on the card faceplate. The card uses SC connectors, and it supports 1+1 unidirectional and bidirectional
protection switching.
The OC48 LR 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section
and line BIP errors.
4.9.1 OC48 LR 1550 Card-Level Indicators
Table 4-10 describes the three card-level LEDs on the OC48 LR 1550 card.
Figure 4-8 block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, Optical Transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC48 LR 1550.
4.9.2 OC48 LR 1550 Port-Level Indicators
You can find the status of the OC48 LR 1550 card port by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot.
4.10 OC48 IR/STM16 SH AS 1310 Card
Note For hardware specifications, see the “A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications” section
on page A-36. See Table 4-2 on page 4-5 for optical card compatibility.
The OC48 IR/STM16 SH AS 1310 card provides one intermediate-range SONET/SDH OC-48 port
compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at
2.49 Gbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or
concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-9 shows the OC48 IR/STM16 SH AS 1310 faceplate and a block diagram of the card.
Table 4-10 OC48 LR 1550 Card-Level Indicators
Card-Level Indicators | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 4 Optical Cards
4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators
Figure 4-9 OC48 IR/STM16 SH AS 1310 Faceplate and Block Diagram
You can install the OC48 IR/STM16 SH AS 1310 card in Slots 1 to 6 and 12 to 17 and provision the card
as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration.
The OC-48 port features a 1310-nm laser and contains a transmit and receive connector (labeled) on the
card faceplate. The OC48 IR/STM16 SH AS 1310 uses SC connectors. The card supports 1+1
unidirectional and bidirectional protection switching.
The OC48 IR/STM16 SH AS 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also
counts section and line BIP errors.
4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators
Table 4-11 lists the three card-level LEDs on the OC48 IR/STM16 SH AS 1310 card.
[Figure 4-9: OC48 IR/STM16 SH AS 1310 faceplate and block diagram. Block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, optical transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 TX/RX; card label OC48IR STM16SH AS 1310.]
4.10.2 OC48 IR/STM16 SH AS 1310 Port-Level Indicators
You can find the status of the OC48 IR/STM16 SH AS 1310 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
4.11 OC48 LR/STM16 LH AS 1550 Card
Note For hardware specifications, see the “A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications”
section on page A-37. See Table 4-2 on page 4-5 for optical card compatibility.
The OC48 LR/STM16 LH AS 1550 card provides one long-range SONET/SDH OC-48 port compliant
with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at 2.49 Gbps over a
single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c,
STS-6c, STS-12c, or STS-48c) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-10 shows a block diagram and the faceplate of the OC48 LR/STM16 LH AS 1550 card.
Table 4-11 OC48 IR/STM16 SH AS 1310 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED: The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-10 OC48 LR/STM16 LH AS 1550 Faceplate and Block Diagram
You can install OC48 LR/STM16 LH AS 1550 cards in Slots 1 to 6 and 12 to 17 and provision the card
as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration.
The OC48 LR/STM16 LH AS 1550 port features a 1550-nm laser and contains a transmit and receive
connector (labeled) on the card faceplate. The card uses SC connectors, and it supports 1+1
unidirectional and bidirectional protection switching.
The OC48 LR/STM16 LH AS 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card
also counts section and line BIP errors.
4.11.1 OC48 LR/STM16 LH AS 1550 Card-Level Indicators
Table 4-12 describes the three card-level LEDs on the OC48 LR/STM16 LH AS 1550 card.
[Figure 4-10: OC48 LR/STM16 LH AS 1550 faceplate and block diagram. Block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, optical transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 TX/RX; card label OC48LR STM16LH AS 1550.]
4.11.2 OC48 LR/STM16 LH AS 1550 Port-Level Indicators
You can find the status of the OC48 LR/STM16 LH AS 1550 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
4.12 OC48 ELR/STM16 EH 100 GHz Cards
Note For hardware specifications, see the “A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications”
section on page A-38. See Table 4-2 on page 4-5 for optical card compatibility.
Thirty-seven distinct OC48 ELR/STM16 EH 100 GHz cards provide the ONS 15454 DWDM channel
plan. Each OC48 ELR/STM16 EH 100 GHz card has one SONET OC-48/SDH STM-16 port that
complies with Telcordia GR-253-CORE, ITU-T G.692, and ITU-T G.958.
The port operates at 2.49 Gbps over a single-mode fiber span. The card carries VT, nonconcatenated
(STS-1), and concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-11 shows the OC48 ELR/STM16 EH 100 GHz faceplate and a block diagram of the card.
Table 4-12 OC48 LR/STM16 LH AS 1550 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED: The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-11 OC48 ELR/STM16 EH 100 GHz Faceplate and Block Diagram
Nineteen of the cards operate in the blue band with spacing of 100 GHz on the ITU grid (1528.77 nm,
1530.33 nm, 1531.12 nm, 1531.90 nm, 1532.68 nm, 1533.47 nm, 1534.25 nm, 1535.04 nm,
1535.82 nm, 1536.61 nm, 1538.19 nm, 1538.98 nm, 1539.77 nm, 1540.56 nm, 1541.35 nm,
1542.14 nm, 1542.94 nm, 1543.73 nm, and 1544.53 nm). ITU spacing conforms to ITU-T G.692 and
Telcordia GR-2918-CORE, Issue 2.
The other eighteen cards operate in the red band with spacing of 100 GHz on the ITU grid (1546.12 nm,
1546.92 nm, 1547.72 nm, 1548.51 nm,1549.32 nm, 1550.12 nm, 1550.92 nm, 1551.72 nm, 1552.52 nm,
1554.13 nm, 1554.94 nm, 1555.75 nm, 1556.55 nm, 1557.36 nm, 1558.17 nm, 1558.98 nm,
1559.79 nm, and 1560.61 nm). These cards are also designed to interoperate with the Cisco ONS 15216
DWDM solution.
You can install the OC48 ELR/STM16 EH 100 GHz cards in Slots 5, 6, 12, and 13 and provision the card
as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration.
Each OC48 ELR/STM16 EH 100 GHz card uses extended long-reach optics operating individually
within the ITU-T 100-GHz grid. The OC-48 DWDM cards are intended to be used in applications with
long unregenerated spans of up to 300 km (186 miles) (with mid-span amplification). These transmission
distances are achieved through the use of inexpensive optical amplifiers (flat gain amplifiers) such as
Cisco ONS 15216 erbium-doped fiber amplifiers (EDFAs).
Maximum system reach in filterless applications is 26 dB without the use of optical amplifiers or
regenerators. However, system reach also depends on the condition of the facilities, the number of
splices and connectors, and other performance-affecting factors. When used in combination with
ONS 15216 100-GHz filters, the link budget is reduced by the insertion loss of the filters plus an
additional 2-dB power penalty. The wavelength stability of the OC48 ELR/STM16 EH 100 GHz cards
is +/– 0.12 nm for the life of the product and over the full range of operating temperatures. Each interface
contains a transmitter and receiver.
[Figure 4-11: OC48 ELR/STM16 EH 100 GHz faceplate and block diagram. Block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, optical transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; card label OC48ELR STM16EH 100GHz 1560.61.]
The OC48 ELR/STM16 EH 100 GHz cards detect LOS, LOF, LOP, and AIS-L conditions. The cards also
count section and line BIP errors.
4.12.1 OC48 ELR 100 GHz Card-Level Indicators
Table 4-13 lists the three card-level LEDs on the OC48 ELR/STM16 EH 100 GHz cards.
4.12.2 OC48 ELR 100 GHz Port-Level Indicators
You can find the status of the OC48 ELR/STM16 EH 100 GHz card ports by using the LCD screen on
the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the
screen displays the number and severity of alarms for a given port or slot.
4.13 OC48 ELR 200 GHz Cards
Note For hardware specifications, see the “A.6.12 OC48 ELR 200 GHz Card Specifications” section on
page A-38. See Table 4-2 on page 4-5 for optical card compatibility.
Eighteen distinct OC48 ELR 200 GHz cards provide the ONS 15454 DWDM channel plan. Each
OC48 ELR 200 GHz card provides one SONET OC-48 port that is compliant with Telcordia
GR-253-CORE. The port operates at 2.49 Gbps over a single-mode fiber span. The card carries VT,
nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-12 shows the OC48 ELR 200 GHz faceplate and a block diagram of the card.
Table 4-13 OC48 ELR/STM16 EH 100 GHz Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED: The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Figure 4-12 OC48 ELR 200 GHz Faceplate and Block Diagram
Nine of the cards operate in the blue band with spacing of 200 GHz on the ITU grid (1530.33 nm,
1531.90 nm, 1533.47 nm, 1535.04 nm, 1536.61 nm, 1538.19 nm, 1539.77 nm, 1541.35 nm, and
1542.94 nm).
The other nine cards operate in the red band with spacing of 200 GHz on the ITU grid
(1547.72 nm, 1549.32 nm, 1550.92 nm, 1552.52 nm, 1554.13 nm, 1555.75 nm, 1557.36 nm,
1558.98 nm, and 1560.61 nm). These cards are also designed to interoperate with the Cisco ONS 15216
DWDM solution.
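As an added example (not part of the manual), the following Python checks the 100-GHz channel plan in the previous section and the 200-GHz plan above against the ITU grid anchored at 193.1 THz (1552.52 nm): it maps each listed wavelength to its grid channel, confirms the channel spacing, and reports which grid channels inside a band's range the plan leaves out. The wavelength lists are transcribed from the text; the anchor frequency and the speed of light are standard constants, and the function names are this example's own.

```python
"""Check the OC48 ELR DWDM channel plans against the ITU 100/200-GHz grid."""

C_M_PER_S = 299_792_458      # speed of light in vacuum (m/s)
ANCHOR_GHZ = 193_100         # ITU grid anchor: 193.1 THz, i.e. 1552.52 nm

# Channel plans transcribed from the two sections above (nm).
BLUE_100 = [1528.77, 1530.33, 1531.12, 1531.90, 1532.68, 1533.47, 1534.25,
            1535.04, 1535.82, 1536.61, 1538.19, 1538.98, 1539.77, 1540.56,
            1541.35, 1542.14, 1542.94, 1543.73, 1544.53]
RED_100 = [1546.12, 1546.92, 1547.72, 1548.51, 1549.32, 1550.12, 1550.92,
           1551.72, 1552.52, 1554.13, 1554.94, 1555.75, 1556.55, 1557.36,
           1558.17, 1558.98, 1559.79, 1560.61]
BLUE_200 = [1530.33, 1531.90, 1533.47, 1535.04, 1536.61, 1538.19, 1539.77,
            1541.35, 1542.94]
RED_200 = [1547.72, 1549.32, 1550.92, 1552.52, 1554.13, 1555.75, 1557.36,
           1558.98, 1560.61]


def wavelength_to_ghz(wavelength_nm):
    """Vacuum wavelength in nm to optical frequency in GHz.
    c (m/s) divided by a length in nm yields Hz * 1e-9, i.e. GHz directly."""
    return C_M_PER_S / wavelength_nm


def channel_index(wavelength_nm, spacing_ghz=100):
    """Index n of the nearest grid channel (anchor + n * spacing) and the
    offset of the given wavelength from that channel, in GHz."""
    f_ghz = wavelength_to_ghz(wavelength_nm)
    n = round((f_ghz - ANCHOR_GHZ) / spacing_ghz)
    return n, f_ghz - (ANCHOR_GHZ + n * spacing_ghz)


def channel_wavelength_nm(n, spacing_ghz=100):
    """Nominal wavelength (nm, rounded to 0.01 nm) of grid channel n."""
    return round(C_M_PER_S / (ANCHOR_GHZ + n * spacing_ghz), 2)


def on_grid(wavelength_nm, spacing_ghz=100, tolerance_ghz=5.0):
    """True if the wavelength sits on the grid within the tolerance.
    A value published to 0.01 nm lands within about 1 GHz of its channel,
    so a 100-GHz-only wavelength is about 100 GHz off the 200-GHz grid."""
    return abs(channel_index(wavelength_nm, spacing_ghz)[1]) <= tolerance_ghz


def missing_channels(plan_nm, spacing_ghz=100):
    """Grid channels between the plan's lowest and highest channel that the
    plan does not cover, as nominal wavelengths in nm, ascending."""
    used = {channel_index(w, spacing_ghz)[0] for w in plan_nm}
    gaps = set(range(min(used), max(used) + 1)) - used
    return sorted(channel_wavelength_nm(n, spacing_ghz) for n in gaps)


if __name__ == "__main__":
    for name, plan, spacing in (("blue 100 GHz", BLUE_100, 100),
                                ("red 100 GHz", RED_100, 100),
                                ("blue 200 GHz", BLUE_200, 200),
                                ("red 200 GHz", RED_200, 200)):
        print(name, "all on grid:", all(on_grid(w, spacing) for w in plan),
              "uncovered channels:", missing_channels(plan, spacing))
```

Run stand-alone, it shows that every listed wavelength is on its grid and that the 37-card 100-GHz plan skips three grid channels (1529.55 nm and 1537.40 nm in the blue band, 1553.33 nm in the red band), while both 200-GHz plans are contiguous.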
You can install the OC48 ELR 200 GHz cards in Slots 5, 6, 12, and 13, and provision the card as a drop
or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. Each
OC48 ELR 200 GHz card uses extended long-reach optics operating individually within the
ITU-T 200-GHz grid. The OC48 ELR 200 GHz cards are intended to be used in applications with long
unregenerated spans of up to 200 km (124 miles) (with mid-span amplification). These transmission
distances are achieved through the use of inexpensive optical amplifiers (flat gain amplifiers) such as
EDFAs. Using collocated amplification, distances up to 200 km (124 miles) can be achieved for a single
channel, 160 km (99 miles) for 8 channels.
Maximum system reach in filterless applications is 24 dB or approximately 80 km (50 miles) without
the use of optical amplifiers or regenerators. However, system reach also depends on the condition of the
facilities, the number of splices and connectors, and other performance-affecting factors. The
OC48 ELR DWDM cards feature wavelength stability of +/–0.25 nm. Each interface contains a
transmitter and receiver.
[Figure 4-12: OC48 ELR 200 GHz faceplate and block diagram. Block diagram labels: uP bus, uP, Flash RAM, BTC ASIC, optical transceiver, OC-48, Main SCI, Protect SCI, STS-48 Mux/Demux, backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; card label OC48 ELR 1530.33.]
The OC48 ELR 200 GHz cards support extended long-reach applications in conjunction with optical
amplification. Using electro-absorption technology, the OC48 DWDM cards provide a solution at the
lower extended long-reach distances.
The OC48 ELR 200 GHz interface features a 1550-nm laser and contains a transmit and receive
connector (labeled) on the card faceplate. The card uses SC connectors and supports 1+1 unidirectional
and bidirectional protection switching.
The OC48 ELR 200 GHz cards detect LOS, LOF, LOP, AIS-L, and RDI-L conditions. The cards also
count section and line BIP errors. To enable APS, the OC48 ELR 200 GHz cards extract the K1 and K2
bytes from the SONET overhead. The DCC bytes are forwarded to the TCC2/TCC2P card; the
TCC2/TCC2P terminates the DCC/GCC.
4.13.1 OC48 ELR 200 GHz Card-Level Indicators
Table 4-14 describes the three card-level LEDs on the OC48 ELR 200 GHz cards.
4.13.2 OC48 ELR 200 GHz Port-Level Indicators
You can find the status of the OC48 ELR 200 GHz card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
4.14 OC192 SR/STM64 IO 1310 Card
Note For hardware specifications, see the “A.6.13 OC192 SR/STM64 IO 1310 Card Specifications” section
on page A-39. See Table 4-2 on page 4-5 for optical card compatibility.
The OC192 SR/STM64 IO 1310 card provides one intra-office haul SONET/SDH OC-192 port in the
1310-nm wavelength range, compliant with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia
GR-253-CORE. The port operates at 9.95328 Gbps over unamplified distances up to 2 km (1.24 miles).
The card supports VT, nonconcatenated (STS-1), or concatenated payloads.
Table 4-14 OC48 ELR 200 GHz Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED: The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-13 shows the OC192 SR/STM64 IO 1310 faceplate and block diagram.
Figure 4-13 OC192 SR/STM64 IO 1310 Faceplate and Block Diagram
You can install OC192 SR/STM64 IO 1310 cards in Slot 5, 6, 12, or 13. You can provision this card as
part of a BLSR, a path protection, a linear configuration, or as a regenerator for longer span reaches.
The OC192 SR/STM64 IO 1310 port features a 1310-nm laser and contains a transmit and receive
connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable
termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports
1:1 protection in four-fiber BLSR applications where both span switching and ring switching might
occur.
The OC192 SR/STM64 IO 1310 card detects SF, LOS, or LOF conditions on the optical facility. Refer
to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also
counts section and line BIP errors from B1 and B2 byte registers in the section and line overhead.
4.14.1 OC192 SR/STM64 IO 1310 Card-Level Indicators
Table 4-15 describes the three card-level LEDs on the OC192 SR/STM64 IO 1310 card.
[Figure 4-13: OC192 SR/STM64 IO 1310 faceplate and block diagram. Block diagram labels: optical transceiver, CDR, Demux, ADC x 8, BTC ASIC, STM-64/OC-192, SCL Processor, SRAM, Flash, Mux, CK Mpy, SCL, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; card label OC192SR STM64IO 1310.]
4.14.2 OC192 SR/STM64 IO 1310 Port-Level Indicators
You can find the status of the OC192 SR/STM64 IO 1310 card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454
Troubleshooting Guide for a complete description of the alarm messages.
4.15 OC192 IR/STM64 SH 1550 Card
Note For hardware specifications, see the “A.6.14 OC192 IR/STM64 SH 1550 Card Specifications” section
on page A-40. See Table 4-2 on page 4-5 for optical card compatibility.
The OC192 IR/STM64 SH 1550 card provides one intermediate reach SONET/SDH OC-192 port in the
1550-nm wavelength range, compliant with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia
GR-253-CORE. The port operates at 9.95328 Gbps over unamplified distances up to 40 km (25 miles)
with SMF-28 fiber limited by loss and/or dispersion. The card supports VT, nonconcatenated (STS-1),
or concatenated payloads.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-14 shows the OC192 IR/STM64 SH 1550 faceplate and block diagram.
Table 4-15 OC192 SR/STM64 IO 1310 Card-Level Indicators
Card-Level LED: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby): If the ACT/STBY LED is green, the card is operational and ready to carry traffic. The amber ACT LED indicates that the card is in standby mode or is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Figure 4-14 OC192 IR/STM64 SH 1550 Faceplate and Block Diagram
Note You must use a 3 to 15 dB fiber attenuator (5 dB recommended) when working with the
OC192 IR/STM64 SH 1550 card in a loopback. Do not use fiber loopbacks with the
OC192 IR/STM64 SH 1550 card. Using fiber loopbacks can cause irreparable damage to the card.
You can install OC192 IR/STM64 SH 1550 cards in Slot 5, 6, 12, or 13. You can provision this card as
part of a BLSR, path protection, or linear configuration, or also as a regenerator for longer span reaches.
The OC192 IR/STM64 SH 1550 port features a 1550-nm laser and contains a transmit and receive
connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable
termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports
1:1 protection in four-fiber BLSR applications where both span switching and ring switching might
occur.
The OC192 IR/STM64 SH 1550 card detects SF, LOS, or LOF conditions on the optical facility. Refer
to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also
counts section and line BIP errors from B1 and B2 byte registers in the section and line overhead.
4.15.1 OC192 IR/STM64 SH 1550 Card-Level Indicators
Table 4-16 describes the three card-level LEDs on the OC192 IR/STM64 SH 1550 card.
[Figure 4-14: OC192 IR/STM64 SH 1550 faceplate and block diagram. Block diagram labels: optical transceiver, CDR, Demux, ADC x 8, BTC ASIC, STM-64/OC-192, SCL Processor, SRAM, Flash, Mux, CK Mpy, SCL, backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; card label OC192IR STM64SH 1550.]
4.15.2 OC192 IR/STM64 SH 1550 Port-Level Indicators
You can find the status of the OC192 IR/STM64 SH 1550 card ports by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454
Troubleshooting Guide for a complete description of the alarm messages.
4.16 OC192 LR/STM64 LH 1550 Card
Note For hardware specifications, see the “A.6.15 OC192 LR/STM64 LH 1550 Card Specifications” section
on page A-41. See Table 4-2 on page 4-5 for optical card compatibility.
Note Any new features that are available as part of this software release are not enabled for this card.
The OC192 LR/STM64 LH 1550 card provides one long-range SONET/SDH OC-192 port compliant
with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia GR-253-CORE (except minimum and
maximum transmit power, and minimum receive power). The card port operates at 9.95328 Gbps over
unamplified distances up to 80 km (50 miles) with different types of fiber such as C-SMF or dispersion
compensated fiber limited by loss and/or dispersion. The card supports VT, nonconcatenated (STS-1),
or concatenated payloads.
There are two versions of the OC192 LR/STM64 LH 1550. The earliest version has the product ID
15454-OC192LR1550, and the latest card’s product ID is 15454-OC192-LR2. These cards have slight
specification differences that are noted throughout this description.
Note You can differentiate this OC-192/STM-64 card (15454-OC192-LR2, 15454E-L64.2-1) from the
OC-192/STM-64 card with the product ID 15454-OC192LR1550 by looking at the faceplate. This card
does not have a laser on/off switch.
Table 4-16 OC192 IR/STM64 SH 1550 Card-Level Indicators
Card-Level LED: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby): If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
Figure 4-15 shows the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) faceplate and a block
diagram of the card.
Figure 4-15 OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate and Block Diagram
Figure 4-16 shows an enlarged view of the faceplate warning for 15454-OC192-LR2.
[Figure 4-15: OC192 LR/STM64 LH 1550 (15454-OC192LR1550) faceplate and block diagram. Block diagram labels: optical transceiver, CDR, Demux, DAC x 8, ADC x 8, Dig Pol x 2, Mux, BTC ASIC, OC-192 STS, SCL Processor, SRAM, Flash, CK Mpy, SCL, backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; card label OC192LR STM64LH 1550; laser warning label: "DANGER - INVISIBLE LASER RADIATION MAY BE EMITTED FROM THE END OF UNTERMINATED FIBER CABLE OR CONNECTOR. DO NOT STARE INTO BEAM OR VIEW DIRECTLY WITH OPTICAL INSTRUMENTS."; RX label: "MAX INPUT POWER LEVEL -10 dBm"; laser class: Class 1M (IEC), Class 1 (CDRH).]
Figure 4-16 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate
Figure 4-17 shows the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) faceplate and a block diagram
of the card.
[Figure 4-16: enlarged faceplate warning. Text: "DANGER - INVISIBLE LASER RADIATION MAY BE EMITTED FROM THE END OF UNTERMINATED FIBER CABLE OR CONNECTOR. DO NOT STARE INTO BEAM OR VIEW DIRECTLY WITH OPTICAL INSTRUMENTS."; RX label: "MAX INPUT POWER LEVEL -10 dBm"; laser class: Class 1M (IEC), Class 1 (CDRH).]
Figure 4-17 OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate and Block Diagram
Figure 4-18 shows an enlarged view of the faceplate warning on 15454-OC192LR1550.
[Figure 4-17: OC192 LR/STM64 LH 1550 (15454-OC192-LR2) faceplate and block diagram. Block diagram labels: optical transceiver, CDR, Demux, ADC x 8, Mux, BTC ASIC, OC-192/STM-64 STS, SCL Processor, SRAM, Flash, CK Mpy, SCL, backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; card label 1550; RX label: "MAX INPUT POWER LEVEL -7 dBm".]
Figure 4-18 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate
Caution You must use a 19 to 24 dB (14 to 28 dB for 15454-OC192-LR2) (20 dB recommended) fiber attenuator
when connecting a fiber loopback to an OC192 LR/STM64 LH 1550 card. Never connect a direct fiber
loopback. Using fiber loopbacks causes irreparable damage to the card. A transmit-to-receive (Tx-to-Rx)
connection that is not attenuated damages the receiver.
You can install OC192 LR/STM64 LH 1550 cards in Slots 5, 6, 12, and 13 and provision the card as a
drop or span card in a two-fiber or four-fiber BLSR, path protection, ADM (linear) configuration, or as
a regenerator for longer span reaches.
[Figure 4-18: enlarged faceplate section. Compliance label: "COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No.50, DATED JULY 26, 2001"; RX label: "MAX INPUT POWER LEVEL -7 dBm"; FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; card label 1550.]
The card port features a 1550-nm laser and contains a transmit and receive connector (labeled) on the
card faceplate. The card uses a dual SC connector for optical cable termination. The card supports 1+1
unidirectional and bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR
applications where both span switching and ring switching might occur.
The OC192 LR/STM64 LH 1550 card detects SF, LOS, or LOF conditions on the optical facility. The
card also counts section and line BIP errors from B1 and B2 byte registers in the section and line
overhead.
4.16.1 OC192 LR/STM64 LH 1550 Card-Level Indicators
Table 4-17 describes the three card-level LEDs on the OC192 LR/STM64 LH 1550 card.
4.16.2 OC192 LR/STM64 LH 1550 Port-Level Indicators
You can find the status of the OC192 LR/STM64 LH 1550 card port by using the LCD screen on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of the port or card slot; the screen displays
the number and severity of alarms for a given port or slot.
Note The optical output power of the OC192 LR/STM64 LH 1550 (+4 dBm to +7 dBm) is 6 dB lower than in
L-64.2b of the 10/2000 prepublished unedited version of ITU-T G.691 (+10 dBm to +13 dBm). However,
the total attenuation range of the optical path, 22 to 16 dB, is maintained by the optical receiver
sensitivity range of the OC192 LR/STM64 LH 1550 (–7 dBm to –24 dBm). This sensitivity range
outperforms the specification in L-64.2b of the 10/2000 prepublished unedited version of ITU-T G.691.
The resulting link budget of the card is 26 dBm.
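As an added example (not from the manual), the Python below derives the loopback attenuator window from the transmit and receive figures in the note above and classifies a given attenuator as safe, overloading the receiver, or leaving it below sensitivity. It assumes the +4 to +7 dBm output and –7 to –24 dBm sensitivity figures apply to the 15454-OC192-LR2 (the version whose faceplate shows a –7 dBm maximum input); the function names are this example's own.

```python
"""Loopback attenuator check for the OC192 LR/STM64 LH 1550 (15454-OC192-LR2)."""

# Figures transcribed from the note and caution above (assumed to apply to
# the 15454-OC192-LR2 version of the card).
TX_MIN_DBM, TX_MAX_DBM = 4.0, 7.0   # optical output power range (dBm)
RX_MAX_INPUT_DBM = -7.0             # faceplate "MAX INPUT POWER LEVEL" (dBm)
RX_SENSITIVITY_DBM = -24.0          # bottom of the receiver sensitivity range
RECOMMENDED_ATTENUATOR_DB = 20.0    # value recommended in the caution


def attenuator_range_db(tx_min, tx_max, rx_max_input, rx_sensitivity):
    """Smallest and largest attenuator (dB) that keeps a Tx-to-Rx loopback
    inside the receiver window for every transmitter within the spec."""
    min_att = tx_max - rx_max_input      # hottest laser must not overload Rx
    max_att = tx_min - rx_sensitivity    # weakest laser must still be detected
    return min_att, max_att


def loopback_check(attenuation_db, tx_min=TX_MIN_DBM, tx_max=TX_MAX_DBM,
                   rx_max_input=RX_MAX_INPUT_DBM,
                   rx_sensitivity=RX_SENSITIVITY_DBM):
    """Classify a loopback through the given attenuator as 'ok', 'overload'
    (receiver damage risk) or 'below-sensitivity' (no usable signal).
    The overload test comes first: it is the case that harms hardware."""
    rx_low = tx_min - attenuation_db     # weakest possible received power
    rx_high = tx_max - attenuation_db    # strongest possible received power
    if rx_high > rx_max_input:
        return "overload"
    if rx_low < rx_sensitivity:
        return "below-sensitivity"
    return "ok"


if __name__ == "__main__":
    lo, hi = attenuator_range_db(TX_MIN_DBM, TX_MAX_DBM,
                                 RX_MAX_INPUT_DBM, RX_SENSITIVITY_DBM)
    print(f"usable attenuator range: {lo:.0f} to {hi:.0f} dB")
    for att in (0.0, 13.0, RECOMMENDED_ATTENUATOR_DB, 28.0, 30.0):
        print(f"{att:5.1f} dB attenuator -> {loopback_check(att)}")
```

The derived window is 14 to 28 dB, matching the caution for the 15454-OC192-LR2, and a direct (0 dB) loopback is classified as an overload, which is the damage case the caution warns about.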
4.17 OC192 LR/STM64 LH ITU 15xx.xx Card
Note For hardware specifications, see the “A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications”
section on page A-43. See Table 4-2 on page 4-5 for optical card compatibility.
Table 4-17 OC192 LR/STM64 LH 1550 Card-Level Indicators
Card-Level Indicator: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby): If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.
Sixteen distinct OC-192/STM-64 ITU 100 GHz DWDM cards comprise the ONS 15454 DWDM channel
plan. Each OC192 LR/STM64 LH ITU 15xx.xx card provides one long-reach STM-64/OC-192 port per
card, compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE (except minimum and
maximum transmit power, and minimum receive power). The port operates at 9.95328 Gbps over
unamplified distances up to 60 km (37 miles) with different types of fiber such as C-SMF or dispersion
compensated fiber limited by loss and/or dispersion.
Note Longer distances are possible in an amplified system using dispersion compensation.
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser
to be on.
The card supports VT, nonconcatenated (STS-1), or concatenated payloads. Figure 4-19 shows the
OC192 LR/STM64 LH ITU 15xx.xx faceplate.
Figure 4-19 OC192 LR/STM64 LH ITU 15xx.xx Faceplate
Figure 4-20 shows a block diagram of the OC192 LR/STM64 LH ITU 15xx.xx card.
[Figure 4-19: OC192 LR/STM64 LH ITU 15xx.xx faceplate. FAIL, ACT, and SF LEDs; port 1 Tx/Rx; card label OC192LR STM64LH ITU; RX label: "MAX INPUT POWER LEVEL -8 dBm".]
Figure 4-20 OC192 LR/STM64 LH ITU 15xx.xx Block Diagram
Note You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the
OC192 LR/STM64 LH 15xx.xx card in a loopback. Do not use fiber loopbacks with the
OC192 LR/STM64 LH 15xx.xx card. Using fiber loopbacks causes irreparable damage to this card.
Eight of the cards operate in the blue band with a spacing of 100 GHz in the ITU grid (1534.25 nm,
1535.04 nm, 1535.82 nm, 1536.61 nm, 1538.19 nm, 1538.98 nm, 1539.77 nm, and 1540.56 nm). The
other eight cards operate in the red band with a spacing of 100 GHz in the ITU grid (1550.12 nm,
1550.92 nm, 1551.72 nm, 1552.52 nm, 1554.13 nm, 1554.94 nm, 1555.75 nm, and 1556.55 nm).
You can install OC192 LR/STM64 LH ITU 15xx.xx cards in Slot 5, 6, 12, or 13. You can provision this
card as part of a BLSR, path protection, or linear configuration, or as a regenerator for longer span
reaches.
The OC192 LR/STM64 LH ITU 15xx.xx port features a laser on a specific wavelength in the
1550-nm range and contains a transmit and receive connector (labeled) on the card faceplate. The card
uses a dual SC connector for optical cable termination. The card supports 1+1 unidirectional and
bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR applications where
both span switching and ring switching might occur.
The OC192 LR/STM64 LH ITU 15xx.xx card detects SF, LOS, or LOF conditions on the optical facility.
Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also
counts section and line BIP errors from B1 and B2 byte registers in the section and line overhead.
4.17.1 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators
Table 4-18 describes the three card-level LEDs on the OC192 LR/STM64 LH ITU 15xx.xx card.
[Figure 4-20 block diagram: STM-64/OC-192 optical transceivers (Tx and Rx), CDR, demux, ADC x 8, BTC ASIC, mux, clock multiplier (CK Mpy), SCL, processor with SRAM and flash, backplane]
4.17.2 OC192 LR/STM64 LH ITU 15xx.xx Port-Level Indicators
You can find the status of the OC192 LR/STM64 LH ITU 15xx.xx card ports by using the LCD screen
on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454
Troubleshooting Guide for a complete description of the alarm messages.
4.18 15454_MRC-12 Multirate Card
Note For hardware specifications, see the “A.6.17 15454_MRC-12 Card Specifications” section on
page A-44. See Table 4-2 on page 4-5 for optical card compatibility.
The 15454_MRC-12 multirate card provides up to twelve OC-3/STM-1 ports, twelve OC-12/STM-4
ports, or four OC-48/STM-16 ports using small form-factor pluggables (SFPs), in any combination of
line rates. All ports are Telcordia GR-253 compliant. The SFP optics can use SR, IR, LR, coarse
wavelength division multiplexing (CWDM), and DWDM SFPs to support unrepeated spans. See the
“4.21 Optical Card SFPs and XFPs” section on page 4-53 for more information about SFPs.
The ports operate at up to 2488.320 Mbps over a single-mode fiber. The 15454_MRC-12 card has twelve
physical connector adapters with two fibers per connector adapter (Tx and Rx). The card supports VT
payloads, STS-1 payloads, and concatenated payloads at STS-3c, STS-6c, STS-9c, STS-12c, STS-18c,
STS-24c, STS-36c, or STS-48c signal levels. It is fully interoperable with the ONS 15454 G-Series
Ethernet cards.
The 15454_MRC-12 port contains a transmit and receive connector (labeled) on the card faceplate. The
card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1+1 protection in
four-fiber BLSR applications where both span switching and ring switching might occur. You can
provision this card as part of a BLSR, path protection, or 1+1 linear configuration.
Note Longer distances are possible in an amplified system using dispersion compensation.
Figure 4-21 shows the 15454_MRC-12 faceplate and block diagram.
Table 4-18 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED: Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Figure 4-21 15454_MRC-12 Card Faceplate and Block Diagram
4.18.1 Slot Compatibility by Cross-Connect Card
You can install 15454_MRC-12 cards in Slots 1 through 6 and 12 through 17 with an XCVT, XC10G,
or XC-VXC-10G.
Note The 15454_MRC-12 card supports an errorless software-initiated cross-connect card switch when used
in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.
[Figure 4-21 faceplate and block diagram: twelve SFP optical transceiver ports (Ports 1, 4, 7, and 10 OC-3/12/48, STM-1/4/16; the other ports OC-3/12, STM-1/4), main and protect SCL interfaces, Amazon ASIC, main and protect iBPIA, processor, flash memory, backplane; laser label: complies with 21 CFR 1040.10 and 1040.11 except for deviations pursuant to Laser Notice No. 50, dated July 26, 2001]
The maximum bandwidth of the 15454_MRC-12 card is determined by the cross-connect card, as shown
in Table 4-19.
4.18.2 Ports and Line Rates
Each port on the 15454_MRC-12 card can be configured as OC-3/STM-1, OC-12/STM-4, or
OC-48/STM-16, depending on the available bandwidth and existing provisioned ports. Based on the
cross-connect card and slot limitations shown in Table 4-19, the following rules apply for various
synchronous transport signal (STS) available bandwidths. (Table 4-20 shows the same information in
tabular format.)
• STS-12
– Port 1 is the only port that is usable as an OC-12. If Port 1 is used as an OC-12, all other ports
are disabled.
– Ports 1, 4, 7, and 10 are the only ports usable as OC-3. If any of these ports is used as an OC-3,
Ports 2, 3, 5, 6, 8, 9, 11, and 12 are disabled.
• STS-48
– Port 1 is the only port usable as an OC-48. If Port 1 is used as an OC-48, all other ports are
disabled.
– Ports 1, 4, 7, and 10 are the only ports usable as OC-12.
– If Port 4 is used as an OC-12, Ports 2 and 3 are disabled.
– If Port 7 is used as an OC-12, Ports 5, 6, and 8 are disabled.
– If Port 10 is used as an OC-12, Ports 9, 11, and 12 are disabled.
– Any port can be used as an OC-3 as long as all of the above rules are followed.
• STS-192
– Ports 1, 4, 7, and 10 are the only ports usable as OC-48.
– If Port 4 is used as an OC-48, Ports 2 and 3 are disabled.
– If Port 7 is used as an OC-48, Ports 5, 6, and 8 are disabled.
– If Port 10 is used as an OC-48, Ports 9, 11, and 12 are disabled.
– If Port 4 is used as an OC-12, Ports 2 and 3 can be used as an OC-12 or OC-3.
– If Port 7 is used as an OC-12, Ports 5, 6, and 8 can be used as an OC-12 or OC-3.
– If Port 10 is used as an OC-12, Ports 9, 11, and 12 can be used as an OC-12 or OC-3.
– If Port 4 is used as an OC-3, Ports 2 and 3 can be used as an OC-3 or OC-12.
– If Port 7 is used as an OC-3, Ports 5, 6, and 8 can be used as an OC-3 or OC-12.
– If Port 10 is used as an OC-3, Ports 9, 11, and 12 can be used as an OC-3 or OC-12.
– Any port can be used as an OC-12 or OC-3, as long as all of the above rules are followed.
Table 4-19 Maximum Bandwidth by Shelf Slot for the 15454_MRC-12 in Different Cross-Connect Configurations
XC Card Type | Maximum Bandwidth in Slots 1 through 4 and 14 through 17 | Maximum Bandwidth in Slots 5, 6, 12, or 13
XCVT | OC-12 | OC-48
XC10G/XC-VXC-10G | OC-48 | OC-192
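The port-rate rules above, written out as a checker so a planned 15454_MRC-12 layout can be verified before it is provisioned. This is an added example, not code from the Cisco manual: the function and constant names are the example's own, the bandwidth tiers come from Table 4-19, and the sample rows are copied from Table 4-20.

```python
"""Checker for 15454_MRC-12 port line-rate layouts (added example, not Cisco code)."""
from typing import Dict, List, Optional

OC3, OC12, OC48 = 3, 12, 48  # line rates expressed as STS counts

# From 4.18.2: Port 4 governs Ports 2 and 3, Port 7 governs Ports 5, 6, and 8,
# and Port 10 governs Ports 9, 11, and 12.
SUBORDINATES = {4: (2, 3), 7: (5, 6, 8), 10: (9, 11, 12)}
HEAD_PORTS = (1, 4, 7, 10)

# Per available bandwidth (Table 4-19): the highest rate on Ports 1/4/7/10, the
# highest rate on the other eight ports (0 = unusable), and the Port 1 rate that
# disables every other port (None when Port 1 cannot take the whole backplane).
TIER_LIMITS = {
    12: {"head_max": OC3, "sub_max": 0, "port1_exclusive": OC12},
    48: {"head_max": OC12, "sub_max": OC3, "port1_exclusive": OC48},
    192: {"head_max": OC48, "sub_max": OC12, "port1_exclusive": None},
}

Rates = Dict[int, Optional[int]]  # port number (1..12) -> OC3/OC12/OC48 or None


def validate(bandwidth: int, rates: Rates) -> List[str]:
    """Return the rule violations for a layout; an empty list means it is permitted."""
    if bandwidth not in TIER_LIMITS:
        return [f"unsupported bandwidth STS-{bandwidth}"]
    lim = TIER_LIMITS[bandwidth]
    used = {p: r for p, r in rates.items() if r}
    problems: List[str] = []

    for port, rate in sorted(used.items()):
        if port not in range(1, 13) or rate not in (OC3, OC12, OC48):
            problems.append(f"port {port}: invalid port or rate {rate}")
            continue
        cap = lim["head_max"] if port in HEAD_PORTS else lim["sub_max"]
        if port == 1:  # Port 1 may also take the whole backplane
            cap = max(cap, lim["port1_exclusive"] or 0)
        if rate > cap:
            problems.append(f"port {port}: OC-{rate} exceeds OC-{cap} allowed at STS-{bandwidth}"
                            if cap else f"port {port}: unusable at STS-{bandwidth}")

    # Port 1 at the full backplane rate leaves nothing for the other ports.
    if lim["port1_exclusive"] and used.get(1) == lim["port1_exclusive"]:
        problems += [f"port {p}: disabled because Port 1 is OC-{used[1]}"
                     for p in sorted(used) if p != 1]

    # A head port at the tier's top rate disables the ports it governs.
    for head, subs in SUBORDINATES.items():
        if used.get(head) == lim["head_max"]:
            problems += [f"port {s}: disabled because Port {head} is OC-{used[head]}"
                         for s in subs if s in used]

    total = sum(used.values())
    if total > bandwidth:
        problems.append(f"total {total} STSs exceeds STS-{bandwidth}")
    return problems


def summarize(rates: Rates):
    """Ports Used and Total STSs, the last two columns of Table 4-20."""
    used = [r for r in rates.values() if r]
    return len(used), sum(used)


def row(*cells: int) -> Rates:
    """Build a layout from the 12 port cells of a Table 4-20 row; 0 marks an unused port."""
    return {port: (c or None) for port, c in enumerate(cells, start=1)}


# Rows copied from Table 4-20: (bandwidth, port rates, Ports Used, Total STSs).
TABLE_4_20_SAMPLE = [
    (12, row(12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0), 1, 12),
    (12, row(3, 0, 0, 3, 0, 0, 3, 0, 0, 3, 0, 0), 4, 12),
    (48, row(3, 0, 0, 12, 3, 3, 3, 3, 3, 3, 3, 3), 10, 39),
    (48, row(12, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3), 12, 45),
    (48, row(48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0), 1, 48),
    (192, row(48, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12), 12, 180),
    (192, row(48, 0, 0, 48, 0, 0, 48, 0, 0, 48, 0, 0), 4, 192),
    (192, row(3, 12, 12, 12, 0, 0, 48, 0, 0, 48, 0, 0), 6, 135),
]


def sample_rows_pass() -> bool:
    """True when every sampled Table 4-20 row is permitted and its totals match."""
    return all(validate(bw, r) == [] and summarize(r) == (used, total)
               for bw, r, used, total in TABLE_4_20_SAMPLE)


if __name__ == "__main__":
    print("sampled Table 4-20 rows pass:", sample_rows_pass())
    # A layout that breaks the STS-48 rules: Port 4 as OC-12 while Port 2 is in use.
    for problem in validate(48, row(3, 3, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0)):
        print("violation:", problem)
```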
Table 4-20 shows the 15454_MRC-12 port availability and line rate for each port, based on total
available bandwidth. To use the table, go to the rows for the bandwidth that you have available, as
determined in Table 4-19. Each row indicates what line rate can be provisioned for each port (identified
in the MRC-12 Port Number row). The Ports Used column shows the total number of ports that can be
used with each bandwidth scheme.
Table 4-20 Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth
MRC-12 Port Number: 1 2 3 4 5 6 7 8 9 10 11 12 | Ports Used | Total STSs
Permitted Rate(s): Ports 1, 4, 7, and 10: OC-3, OC-12, OC-48; Ports 2, 3, 5, 6, 8, 9, 11, and 12: OC-3, OC-12 | — | —
STS-12 Available Bandwidth:
12 — — — — — — — — — — — | 1 | 12
3 — — 3 — — 3 — — 3 — — | 4 | 12
STS-48 Available Bandwidth:
3 3 3 3 3 3 3 3 3 3 3 3 | 12 | 36
3 — — 12 3 3 3 3 3 3 3 3 | 10 | 39
3 — — 12 — — 12 — 3 3 3 3 | 7 | 39
3 — — 12 — — 12 — — 12 — — | 4 | 39
12 3 3 3 3 3 3 3 3 3 3 3 | 12 | 45
12 — — 12 3 3 3 3 3 3 3 3 | 10 | 48
12 — — 12 — — 12 — 3 3 3 3 | 7 | 48
12 — — 12 — — 12 — — 12 — — | 4 | 48
12 3 3 3 — — 12 — 3 3 3 3 | 9 | 45
12 3 3 3 3 3 3 3 — 12 — — | 9 | 45
3 3 3 3 3 3 3 3 — 12 — — | 9 | 36
3 3 3 3 — — 12 — — 12 — — | 6 | 36
48 — — — — — — — — — — — | 1 | 48
STS-192 Available Bandwidth (when installing additional SFPs from the top port to the bottom port)1:
48 3 3 — 12 12 12 12 3 3 3 3 | 11 | 114
48 3 3 3 3 3 3 3 3 3 3 3 | 12 | 81
48 12 12 12 3 3 3 3 3 3 3 3 | 12 | 108
48 12 12 12 12 12 12 12 3 3 3 3 | 12 | 144
48 12 12 12 12 12 12 12 12 12 12 12 | 12 | 180
48 3 3 3 12 12 12 12 12 12 12 12 | 12 | 153
48 3 3 3 3 3 3 3 12 12 12 12 | 12 | 117
48 — — 48 3 3 3 3 3 3 3 3 | 10 | 120
48 — — 48 12 12 12 12 3 3 3 3 | 10 | 156
48 — — 48 12 12 12 12 12 12 12 12 | 10 | 192
48 — — 48 — — 48 — 3 3 3 3 | 7 | 156
48 — — 48 — — 48 — 12 12 12 12 | 7 | 192
48 — — 48 — — 48 — — 48 — — | 4 | 192
STS-192 Available Bandwidth (when installing additional SFPs from the bottom port to the top port)1:
3 3 3 3 3 3 3 3 — 48 — — | 9 | 72
3 3 3 3 12 12 12 12 — 48 — — | 9 | 108
3 12 12 12 12 12 12 12 — 48 — — | 9 | 135
12 12 12 12 12 12 12 12 — 48 — — | 9 | 144
12 12 12 12 3 3 3 3 — 48 — — | 9 | 108
12 3 3 3 3 3 3 3 — 48 — — | 9 | 81
3 3 3 3 — — 48 — — 48 — — | 6 | 108
3 12 12 12 — — 48 — — 48 — — | 6 | 135
12 12 12 12 — — 48 — — 48 — — | 6 | 144
12 3 3 3 — — 48 — — 48 — — | 6 | 117
3 — — 48 — — 48 — — 48 — — | 4 | 147
12 — — 48 — — 48 — — 48 — — | 4 | 156
1. If the MRC-12 card is initially populated with OC-3/12 on all its 12 ports, you can later add OC-48 SFPs on that card from top port to bottom port or from bottom port to top port. The maximum available bandwidth usage is different for these two cases.
4.18.3 15454_MRC-12 Card-Level Indicators
Table 4-21 describes the three card-level LEDs on the 15454_MRC-12 card.
4.18.4 15454_MRC-12 Port-Level Indicators
Each port has an Rx indicator. The LED flashes green if the port is receiving a signal, and it flashes red
if the port is not receiving a signal.
You can also find the status of the 15454_MRC-12 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for
a complete description of the alarm messages.
4.19 MRC-2.5G-4 Multirate Card
Note For hardware specifications, see the “A.6.17 15454_MRC-12 Card Specifications” section on
page A-44. See Table 4-2 on page 4-5 for optical card compatibility.
The MRC-2.5G-4 multirate card provides up to four OC-3/STM-1 ports, four OC-12/STM-4 ports, or
one OC-48/STM-16 port using small form-factor pluggables (SFPs), in various combinations of line
rates. All ports are Telcordia GR-253 compliant. The SFP optics can use SR, IR, LR, coarse wavelength
division multiplexing (CWDM), and DWDM SFPs to support unrepeated spans. See the “4.21 Optical
Card SFPs and XFPs” section on page 4-53 for more information about SFPs.
The ports operate at up to 2488.320 Mbps over a single-mode fiber. The MRC-2.5G-4 card has four
physical connector adapters with two fibers per connector adapter (Tx and Rx). The card supports VT
payloads, STS-1 payloads, and concatenated payloads at STS-3c, STS-6c, STS-9c, STS-12c, STS-18c,
STS-24c, STS-36c, or STS-48c signal levels. It is fully interoperable with the ONS 15454 G-Series
Ethernet cards.
Each MRC-2.5G-4 port contains a transmit and receive connector (labeled) on the card faceplate. The
card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1+1 protection in
four-fiber BLSR applications where both span switching and ring switching might occur. You can
provision this card as part of a BLSR, path protection, or 1+1 linear configuration. The MRC-2.5G-4
card also supports optimized 1+1 protection when used with OC-3 SFPs.
Table 4-21 15454_MRC-12 Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED: Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Note 1+1 protection must be configured between the same equipment type, using the same port number and
line rate.
Note Longer distances are possible in an amplified system using dispersion compensation.
Figure 4-22 shows the MRC-2.5G-4 faceplate and block diagram.
Figure 4-22 MRC-2.5G-4 Card Faceplate and Block Diagram
[Figure 4-22 faceplate and block diagram: four SFP optical transceiver ports (Port 1 OC-3/12/48, STM-1/4/16; Ports 2, 3, and 4 OC-3/12, STM-1/4), main and protect SCL interfaces, Amazon ASIC, main and protect iBPIA, processor, flash memory, backplane]
4.19.1 Slot Compatibility by Cross-Connect Card
You can install MRC-2.5G-4 cards in Slots 1 through 6 and 12 through 17 with an XCVT, XC10G, or
XC-VXC-10G.
Note The MRC-2.5G-4 card supports an errorless software-initiated cross-connect card switch when used in
a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.
The maximum bandwidth of the MRC-2.5G-4 card is determined by the cross-connect card, as shown in
Table 4-22.
4.19.2 Ports and Line Rates
Total MRC-2.5G-4 card bandwidth cannot exceed OC-48/STM-16, so there are some limitations on
which SFP ports can be used as OC-3/STM-1, OC-12/STM-4, and OC-48/STM-16.
The following rules apply for port bandwidth allocation:
• STS-12 maximum backplane bandwidth
– Port 1 is the only port that is usable as an OC-12/STM-4. If Port 1 is used as an OC-12/STM-4,
all other ports are disabled.
– Each of the four ports can be used as OC-3/STM-1.
• STS-48 maximum backplane bandwidth
– Port 1 is the only port that is usable as an OC-48/STM-16. If Port 1 is used as an
OC-48/STM-16, all other ports are disabled.
– Mixed OC-3/STM-1 and OC-12/STM-4 configurations are supported. All possible
permutations are not covered in this reference section.
Table 4-22 Maximum Bandwidth by Shelf Slot for the MRC-2.5G-4 in Different Cross-Connect Configurations
XC Card Type | Maximum Bandwidth in Slots 1 through 4 and 14 through 17 | Maximum Bandwidth in Slots 5, 6, 12, or 13
XCVT | OC-12 | OC-48
XC10G/XC-VXC-10G | OC-48 | OC-48
Table 4-23 shows the 15454_MRC-4 port availability and line rate for each port, based on total available
bandwidth. To use the table, go to the rows for the bandwidth that you have available, as determined in
Table 4-22. Each row indicates what line rate can be provisioned for each port (identified in the MRC-4
Port Number row). The Ports Used column shows the total number of ports that can be used with each
bandwidth scheme.
With the MRC-4 card, you can have a maximum of 16 combinations of STS-48 available bandwidths with the OC-12 and OC-3
port rates.
4.19.3 MRC-2.5G-4 Card-Level Indicators
Table 4-24 describes the three card-level LEDs on the MRC-2.5G-4 card.
4.19.4 MRC-2.5G-4 Port-Level Indicators
Each port has an Rx indicator. The LED flashes green if the port is receiving a signal, and it flashes red
if the port is not receiving a signal.
You can also find the status of the MRC-2.5G-4 card ports by using the LCD screen on the ONS 15454
fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number
and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for
a complete description of the alarm messages.
Table 4-23 Line Rate Configurations Per 15454_MRC-4 Port, Based on Available Bandwidth
MRC-4 Port Number: 1 2 3 4 | Ports Used | Total STSs
Permitted Rate(s): Port 1: OC-3, OC-12, OC-48; Port 2: OC-3, OC-12; Port 3: OC-3, OC-12; Port 4: OC-3, OC-12 | — | —
STS-12 Available Bandwidth:
12 — — — | 1 | 12
3 3 3 3 | 4 | 12
STS-48 Available Bandwidth:
48 — — — | 1 | 48
12/3 12/3 12/3 12/3 | 4 |
Table 4-24 MRC-2.5G-4 Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED: Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards
Note For hardware specifications, see the “A.6.19 OC192SR1/STM64IO Short Reach Card Specifications”
section on page A-47 and the “A.6.20 OC192/STM64 Any Reach Card Specifications” section on
page A-48. See Table 4-2 on page 4-5 for optical card compatibility.
The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards each provide a single
OC-192/STM-64 interface, as follows:
• OC192SR1/STM64IO Short Reach card (SR-1)
• OC192/STM-64 Any Reach card (SR-1, IR-2, and LR-2)
In CTC, these cards are referred to as “OC192-XFP” cards.
The interface operates at 9.952 Gbps over single-mode fiber spans and can be provisioned for both
concatenated and nonconcatenated payloads on a per STS-1/VC-4 basis. Specification references can be
found for the OC-192/STM-64 interface in ITU-T G.691, ITU-T G.693, and ITU-T G.959.1, and
Telcordia GR-253.
The optical interface uses a 10-Gbps Form-factor Pluggable (XFP) optical transceiver that plugs into a
receptacle on the front of the card. The OC192SR1/STM64IO Short Reach card is used only with an
SR-1 XFP, while the OC192/STM-64 Any Reach card can be provisioned for use with an SR-1, IR-2,
LR-2, or DWDM XFP module. The XFP SR, IR, and LR interfaces each provide one bidirectional
OC192/STM64 interface compliant with the recommendations defined by ITU-T G.91. SR-1 is
compliant with ITU-T I-64.1, IR-2 is compliant with ITU G.691 S-64.2b, and LR-2 is compliant with
ITU G.959.1 P1L1-2D2.
The cards are used only in Slots 5, 6, 12, and 13, and only with 10-Gbps cross-connect cards, such as
the XC10G and XC-VXC-10G.
Note The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards support an errorless
software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and
TCC2/TCC2P cards.
Figure 4-23 shows the faceplates and block diagram for the two cards.
Figure 4-23 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card Faceplates and Block Diagram
The cards’ spans depend on the XFP module that is used:
• A card using the SR-1 XFP is intended to be used in applications requiring 10-Gbps transport with
unregenerated spans of up to 2.0 km.
• A card using the IR-2 XFP is intended to be used in applications requiring 10-Gbps transport with
unregenerated spans of up to 40 km.
• A card using the LR-2 XFP is intended to be used in applications requiring 10-Gbps transport with
unregenerated spans of up to 80 km.
[Figure 4-23 faceplates (OC192 STM64 ANY REACH and OC192SR1 STM64IO SHORT REACH, each with FAIL, ACT/STBY, and SF LEDs and Tx/Rx port 1) and block diagram: XFP, serial EEPROM, flash, DDR SDRAM, transport OH processor and backplane I/F, uP, ID, main and protect IBPIA, I2C mux, OC-192, backplane]
4.20.1 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators
Table 4-25 describes the three card-level LEDs on the OC192SR1/STM64IO Short Reach and
OC192/STM64 Any Reach cards.
4.20.2 OC192SR1/STM64IO Short Reach and OC-192/STM-64 Any Reach Port-Level Indicators
You can find the status of the OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach card
ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of
any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer
to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.
4.21 Optical Card SFPs and XFPs
The ONS 15454 optical cards use industry-standard SFPs and XFP modular receptacles.
Currently, the only optical cards that use SFPs and XFPs are the 15454_MRC-12, MRC-2.5G-4,
OC192SR1/STM64IO Short Reach, and OC192/STM64 Any Reach cards.
For all optical cards, the type of SFP or XFP plugged into the card is displayed in CTC and TL1. Cisco
offers SFPs and XFPs as separate orderable products.
4.21.1 Compatibility by Card
Table 4-26 lists Cisco ONS 15454 optical cards and their compatible SFPs and XFPs.
Caution Only use SFPs and XFPs certified for use in Cisco Optical Networking Systems (ONSs). The qualified
Cisco SFP and XFP pluggable module’s top assembly numbers (TANs) are provided in Table 4-26.
Table 4-25 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED: Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.
Table 4-26 SFP and XFP Card Compatibility
Card | Compatible SFPs and XFPs (Cisco Product ID) | Cisco Top Assembly Number (TAN)1
15454_MRC-12 and MRC-2.5G-4 (ONS 15454 SONET/SDH) | ONS-SC-2G-28.7=2 through ONS-SC-2G-60.6= | 10-2307-02, 10-2155-02 through 10-2184-02
| ONS-SE-155-1470= through ONS-SE-155-1610 | 10-1996-02 through 10-2003-02
| ONS-SE-622-1470= through ONS-SE-622-1610= | 10-2004-02 through 10-2011-02
| ONS-SI-155-I1= | 10-1938-02
| ONS-SI-155-L1= | 10-1957-02
| ONS-SI-155-L2= | 10-1937-02
| ONS-SI-2G-S1= | 10-1992-02
| ONS-SI-2G-I1= | 10-1993-02
| ONS-SI-2G-L1= | 10-2102-02
| ONS-SI-2G-L2= | 10-1990-02
| ONS-SI-622-I1= | 10-1956-02
| ONS-SI-622-L1= | 10-1958-02
| ONS-SI-622-L2= | 10-1936-02
| ONS-SI-155-SR-MM= | 10-2279-01
| ONS-SI-622-SR-MM= | 10-2280-01
| ONS-SC-Z3-1470= through ONS-SC-Z3-1610= | 10-2285-01 through 10-2292-01
| ONS-SE-Z1= | 10-1971-02
| ONS-SC-155-EL= | 10-2363-01
OC192SR1/STM64IO Short Reach (ONS 15454 SONET/SDH)3 | ONS-XC-10G-S1 | 10-2012-02
| ONS-XC-10G-30.3= through ONS-XC-10G-61.4= | 10-2347-01 through 10-2309-01
OC192/STM64 Any Reach (ONS 15454 SONET/SDH)3 | ONS-XC-10G-C= | 10-2480-01
| ONS-XC-10G-S1 | 10-2012-02
| ONS-XC-10G-I2 | 10-2193-02
| ONS-XC-10G-L2 | 10-2194-02
| ONS-XC-10G-30.3= through ONS-XC-10G-61.4= | 10-2347-01 through 10-2309-01
1. The TANs indicated for the pluggables are backward compatible. For example, TAN 10-2307-02 is compatible with 10-2307-01.
2. ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later.
3. This card is designated as OC192-XFP in CTC.
Table 4-27 lists the LED-based SFPs. SFPs that are LED based do not support the optical power transmitted (OPT) and laser bias current (LBC) optical parameters.
Table 4-27 LED Based SFPs
SFPs (Cisco Product ID) | Cisco Top Assembly Number (TAN)
ONS-SI-155-SR-MM SFP | 10-2279-01
ONS-SI-622-SR-MM SFP | 10-2280-01
4.21.2 SFP Description
SFPs are integrated fiber optic transceivers that provide high-speed serial links from a port or slot to the
network. Various latching mechanisms can be used on the modules. There is no correlation between
the type of latch and the model type (such as SX or LX/LH) or technology type (such as Gigabit Ethernet).
See the label on the SFP for technology type and model. Three latch types are available: mylar
(Figure 4-24), actuator/button (Figure 4-25), and bail clasp (Figure 4-26).
Figure 4-24 Mylar Tab SFP
Figure 4-25 Actuator/Button SFP
Figure 4-26 Bail Clasp SFP
SFP dimensions are:
• Height 0.03 in. (8.5 mm)
• Width 0.53 in. (13.4 mm)
• Depth 2.22 in. (56.5 mm)
Table 4-27 LED Based SFPs (continued)
SFPs (Cisco Product ID) | Cisco Top Assembly Number (TAN)
ONS-SE-100-FX | 10-2212-01
ONS-SI-100-FX | 10-2350-01
SFP temperature ranges are:
• COM—Commercial operating temperature range: 23 to 158 degrees Fahrenheit (–5 to 70 degrees
Celsius)
• EXT—Extended operating temperature range: 23 to 185 degrees Fahrenheit (–5 to 85 degrees
Celsius)
• IND—Industrial operating temperature range: –40 to 185 degrees Fahrenheit (–40 to 85 degrees
Celsius)
4.21.3 XFP Description
The 10-Gbps 1310-nm and 1550-nm XFP transceivers are integrated fiber optic transceivers that provide
high-speed serial links at the following signaling rates: 9.95 Gbps, 10.31 Gbps, and 10.51 Gbps. The
XFP integrates the receive and transmit paths. The transmit side recovers and retimes the 10-Gbps serial
data and passes it to a laser driver. The laser driver biases and modulates a 1310-nm or 1550-nm
distributed feedback (DFB) laser, enabling data transmission over single-mode fiber (SMF) through an
LC connector. The receive side recovers and retimes the 10-Gbps optical data stream from a
positive-intrinsic-negative (PIN) photodetector and transimpedance amplifier, and passes it to an output
driver.
The XFP module uses the bail clasp latching mechanism, shown unlatched in Figure 4-27 and latched in
Figure 4-28. See the label on the XFP for technology type and model.
Figure 4-27 Bail Clasp XFP (Unlatched)
Figure 4-28 Bail Clasp XFP (Latched)
XFP dimensions are:
• Height 0.33 in. (8.5 mm)
• Width 0.72 in. (18.3 mm)
• Depth 3.1 in. (78 mm)
XFP temperature ranges are:
• COM—Commercial operating temperature range: 23 to 158 degrees Fahrenheit (–5 to 70 degrees
Celsius)
• EXT—Extended operating temperature range: 23 to 185 degrees Fahrenheit (–5 to 85 degrees
Celsius)
• IND—Industrial operating temperature range: –40 to 185 degrees Fahrenheit (–40 to 85 degrees
Celsius)
4.21.4 PPM Provisioning
SFPs and XFPs are known as pluggable-port modules (PPMs) in CTC. Multirate PPMs for the
15454_MRC-12 card can be provisioned for different line rates in CTC. For more information about
provisioning PPMs, refer to the Cisco ONS 15454 Procedure Guide.
CHAPTER 5
Ethernet Cards
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
The Cisco ONS 15454 integrates Ethernet into a SONET platform through the use of Ethernet cards.
This chapter describes the E-Series, G-Series, ML-Series, and CE-Series Ethernet cards. For installation
and card turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. For ML-Series
configuration information, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card
Software Feature and Configuration Guide.
Chapter topics include:
• 5.1 Ethernet Card Overview, page 5-2
• 5.2 E100T-12 Card, page 5-4
• 5.3 E100T-G Card, page 5-6
• 5.4 E1000-2 Card, page 5-9
• 5.5 E1000-2-G Card, page 5-11
• 5.6 G1K-4 Card, page 5-14
• 5.7 ML100T-12 Card, page 5-16
• 5.8 ML100X-8 Card, page 5-18
• 5.9 ML1000-2 Card, page 5-20
• 5.10 ML-MR-10 Card, page 5-22
• 5.11 CE-100T-8 Card, page 5-25
• 5.12 CE-1000-4 Card, page 5-27
• 5.13 CE-MR-10 Card, page 5-30
• 5.14 Ethernet Card GBICs and SFPs, page 5-34
5.1 Ethernet Card Overview
The card overview section summarizes the Ethernet card functions and provides the software
compatibility for each card.
Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly.
The cards are then installed into slots displaying the same symbols. Refer to the Cisco ONS 15454
Procedure Guide for a list of slots and symbols.
5.1.1 Ethernet Cards
Table 5-1 lists the Cisco ONS 15454 Ethernet cards.
Table 5-1 Ethernet Cards for the ONS 15454
| Card | Port Description | For Additional Information... |
| E100T-12 | The E100T-12 card provides 12 switched, autosensing, 10/100BaseT Ethernet ports and is compatible with the XCVT card. | See the “5.2 E100T-12 Card” section on page 5-4. |
| E100T-G | The E100T-G card provides 12 switched, autosensing, 10/100BaseT Ethernet ports and is compatible with the XC10G and XC-VXC-10G cards. | See the “5.3 E100T-G Card” section on page 5-6. |
| E1000-2 | The E1000-2 card provides two IEEE-compliant, 1000-Mbps ports. Gigabit Interface Converters (GBICs) are separate. | See the “5.4 E1000-2 Card” section on page 5-9. |
| E1000-2-G | The E1000-2-G card provides two IEEE-compliant, 1000-Mbps ports. GBICs are separate. The E1000-2-G card is compatible with the XC10G and XC-VXC-10G cards. | See the “5.5 E1000-2-G Card” section on page 5-11. |
| G1K-4 | The G1K-4 card provides four IEEE-compliant, 1000-Mbps ports. GBICs are separate. The G1K-4 card can operate with XCVT, XC10G and XC-VXC-10G cross-connect cards. | See the “5.6 G1K-4 Card” section on page 5-14. |
| ML100T-12 | The ML100T-12 card provides 12 switched, autosensing, 10/100Base-T Ethernet ports. | See the “5.7 ML100T-12 Card” section on page 5-16. |
| ML100X-8 | The ML100X-8 card provides eight switched, 100BaseFX Ethernet ports. | See the “5.8 ML100X-8 Card” section on page 5-18. |
| ML1000-2 | The ML1000-2 card provides two IEEE-compliant, 1000-Mbps ports. Small Form-factor Pluggable (SFP) connectors are separate. | See the “5.9 ML1000-2 Card” section on page 5-20. |
| ML-MR-10 | The ML-MR-10 card is a ten-port multilayer Ethernet card. The Ethernet ports support speeds of 10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. | See the “5.10 ML-MR-10 Card” section on page 5-22. |
| CE-100T-8 | The CE-100T-8 card provides eight IEEE-compliant, 10/100-Mbps ports. The CE-100T-8 can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. | See the “5.11 CE-100T-8 Card” section on page 5-25. |
| CE-1000-4 | The CE-1000-4 card provides four IEEE-compliant, 1000-Mbps ports. The CE-1000-4 card can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. | See the “5.12 CE-1000-4 Card” section on page 5-27. |
| CE-MR-10 | The CE-MR-10 card is a ten-port Ethernet card providing ten IEEE-compliant, 10/100/1000-Mbps ports; the ports support speeds of 10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. The CE-MR-10 card can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. | See the “5.13 CE-MR-10 Card” section on page 5-30. |
5.1.2 Card Compatibility
Table 5-2 lists the CTC software compatibility for each Ethernet card.
Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to the individual card reference
section for more information about software limitations for this card.
Table 5-2 Ethernet Card Software Compatibility
| Ethernet Cards | R3.0.1 | R3.1 | R3.2 | R3.3 | R3.4 | R4.0 | R4.1 | R4.5 | R4.6 | R4.7 | R5.0 | R6.0 | R7.0 | R7.2 | R8.0 | R8.5 | R9.0 | R9.1 | R9.2 | R9.2.1 |
| E100T-12 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| E1000-2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| E100T-G | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| E1000-2-G | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| G1000-4 | — | — | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | — | — | — | — | — | — |
| G1K-4 | — | — | Yes | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ML100T-12 | — | — | — | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ML100X-8 | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ML1000-2 | — | — | — | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ML-MR-10 | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes |
| CE-100T-8 | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CE-1000-4 | — | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CE-MR-10 | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes |
5.2 E100T-12 Card
Note For hardware specifications, see the “A.7.1 E100T-12 Card Specifications” section on page A-49.
The ONS 15454 uses E100T-12 cards for Ethernet (10 Mbps) and Fast Ethernet (100 Mbps). Each card provides 12 switched,
IEEE 802.3-compliant, 10/100BaseT Ethernet ports that can independently detect the speed of an attached device (autosense) and
automatically connect at the appropriate speed. The ports autoconfigure to operate at either half or full duplex and determine
whether to enable or disable flow control. You can also configure Ethernet ports manually. Figure 5-1 shows the faceplate and a
block diagram of the card.
Figure 5-1 E100T-12 Faceplate and Block Diagram
The E100T-12 Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic
across a SONET network while providing a greater degree of reliability through SONET self-healing
protection services. This Ethernet capability enables network operators to provide multiple
10/100-Mbps access drops for high-capacity customer LAN interconnects, Internet traffic, and cable
modem traffic aggregation. It enables the efficient transport and co-existence of traditional time-division
multiplexing (TDM) traffic with packet-switched data traffic.
Each E100T-12 card supports standards-based, wire-speed, Layer 2 Ethernet switching between its
Ethernet interfaces. The IEEE 802.1Q tag logically isolates traffic (typically subscribers). IEEE 802.1Q
also supports multiple classes of service.
5.2.1 Slot Compatibility
You can install the E100T-12 card in Slots 1 to 6 and 12 to 17. Multiple E-Series Ethernet cards installed
in an ONS 15454 can act independently or as a single Ethernet switch. You can create logical SONET
ports by provisioning synchronous transport signal (STS) channels to the packet switch entity within the
ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The E100T-12 supports
STS-1, STS-3c, STS-6c, and STS-12c circuit sizes.
[Figure 5-1 image not reproduced. Block diagram labels: 10/100 PHYs, A/D mux, Ethernet MACs/switch, buffer memory, control memory, FPGA, BTC, CPU with Flash and DRAM, backplane. Faceplate labels: ports 1 to 12; FAIL, ACT, and SF LEDs.]
Note When making an STS-12c Ethernet circuit, the E-Series cards must be configured as single-card
EtherSwitch.
5.2.2 E100T-12 Card-Level Indicators
The E100T-12 card faceplate has two card-level LED indicators, described in Table 5-3.
5.2.3 E100T-12 Port-Level Indicators
The E100T-12 card has 12 pairs of LEDs (one pair for each port) to indicate port conditions. Table 5-4
lists the port-level indicators. You can find the status of the E100T-12 card port using the LCD on the
ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen
displays the number and severity of alarms for a given port or slot.
5.2.4 Cross-Connect Compatibility
The E100T-12 card is compatible with the XCVT card. Do not use the E100T-12 card with the XC10G
and XC-VXC-10G cards.
Table 5-3 E100T-12 Card-Level Indicators
| Card-Level Indicators | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E100T-12 card. As part of the boot sequence, the FAIL LED is on until the software deems the card operational. |
| ACT LED (Green) | The green ACT LED provides the operational status of the E100T-12. If the ACT LED is green, it indicates that the E100T-12 card is active and the software is operational. |
| SF LED | Not used. |
Table 5-4 E100T-12 Port-Level Indicators
| LED State | Description |
| Amber | The port is active (transmitting and receiving data). |
| Solid green | The link is established. |
| Off | The connection is inactive, or traffic is unidirectional. |
5.3 E100T-G Card
Note For hardware specifications, see the “A.7.2 E100T-G Card Specifications” section on page A-49.
The ONS 15454 uses E100T-G cards for Ethernet (10 Mbps) and Fast Ethernet (100 Mbps). Each card
provides 12 switched, IEEE 802.3-compliant, 10/100BaseT Ethernet ports that can independently detect
the speed of an attached device (autosense) and automatically connect at the appropriate speed. The ports
autoconfigure to operate at either half or full duplex and determine whether to enable or disable flow
control. You can also configure Ethernet ports manually. Figure 5-2 shows the faceplate and a block
diagram of the card.
Figure 5-2 E100T-G Faceplate and Block Diagram
The E100T-G Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic
across a SONET network while providing a greater degree of reliability through SONET self-healing
protection services. This Ethernet capability enables network operators to provide multiple 10/100 Mbps
access drops for high-capacity customer LAN interconnects, Internet traffic, and cable modem traffic
aggregation. It enables the efficient transport and co-existence of traditional TDM traffic with
packet-switched data traffic.
Each E100T-G card supports standards-based, wire-speed, Layer 2 Ethernet switching between its
Ethernet interfaces. The IEEE 802.1Q tag logically isolates traffic (typically subscribers). IEEE 802.1Q
also supports multiple classes of service.
Note When making an STS-12c Ethernet circuit, the E-Series cards must be configured as single-card
EtherSwitch.
[Figure 5-2 image not reproduced. Block diagram labels: 10/100 PHYs, A/D mux, Ethernet MACs/switch, buffer memory, control memory, FPGA, BTC, CPU with Flash and DRAM, backplane. Faceplate labels: ports 1 to 12; FAIL, ACT, and SF LEDs.]
5.3.1 Slot Compatibility
You can install the E100T-G card in Slots 1 to 6 and 12 to 17. Multiple E-Series Ethernet cards installed
in an ONS 15454 can act independently or as a single Ethernet switch. You can create logical SONET
ports by provisioning a number of STS channels to the packet switch entity within the ONS 15454.
Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454 supports STS-1,
STS-3c, STS-6c, or STS-12c circuit sizes.
5.3.2 E100T-G Card-Level Indicators
The E100T-G card faceplate has two card-level LED indicators, described in Table 5-5.
5.3.3 E100T-G Port-Level Indicators
The E100T-G card has 12 pairs of LEDs (one pair for each port) to indicate port conditions (Table 5-6).
You can find the status of the E100T-G card port using the LCD screen on the ONS 15454 fan-tray
assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and
severity of alarms for a given port or slot.
5.3.4 Cross-Connect Compatibility
The E100T-G card is compatible with the XCVT, XC10G and XC-VXC-10G cards.
Table 5-5 E100T-G Card-Level Indicators
| Card-Level Indicators | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E100T-G card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. |
| ACT LED (Green) | The green ACT LED provides the operational status of the E100T-G. If the ACT LED is green, it indicates that the E100T-G card is active and the software is operational. |
| SF LED | Not used. |
Table 5-6 E100T-G Port-Level Indicators
| LED State | Description |
| Yellow (Active) | Port is active (transmitting or receiving data). By default, indicates the transmitter is active but can be software controlled to indicate link status, duplex status, or receiver active. |
| Solid Green (Link) | Link is established. By default, indicates the link for this port is up, but can be software controlled to indicate duplex status, operating speed, or collision. |
5.4 E1000-2 Card
Note For hardware specifications, see the “A.7.3 E1000-2 Card Specifications” section on page A-49.
The ONS 15454 uses E1000-2 cards for Gigabit Ethernet (1000 Mbps). The E1000-2 card provides two
IEEE-compliant, 1000-Mbps ports for high-capacity customer LAN interconnections. Each port
supports full-duplex operation.
The E1000-2 card uses GBIC modular receptacles for the optical interfaces. For details, see the
“5.14 Ethernet Card GBICs and SFPs” section on page 5-34.
Figure 5-3 shows the card faceplate and a block diagram of the card.
Figure 5-3 E1000-2 Faceplate and Block Diagram
The E1000-2 Gigabit Ethernet card provides high-throughput, low-latency packet switching of Ethernet
traffic across a SONET network while providing a greater degree of reliability through SONET
self-healing protection services. This enables network operators to provide multiple 1000-Mbps access
drops for high-capacity customer LAN interconnects. It enables efficient transport and co-existence of
traditional TDM traffic with packet-switched data traffic.
[Figure 5-3 image not reproduced. Block diagram labels: Gigabit Ethernet PHYs, A/D mux, Ethernet MACs/switch, buffer memory, control memory, FPGA, BTC, CPU with Flash and DRAM, backplane. Faceplate labels: ports 1 and 2 with RX/TX and ACT/LINK LEDs; FAIL, ACT, and SF LEDs.]
Each E1000-2 card supports standards-based, Layer 2 Ethernet switching between its Ethernet interfaces
and SONET interfaces on the ONS 15454. The IEEE 802.1Q VLAN tag logically isolates traffic
(typically subscribers).
Multiple E-Series Ethernet cards installed in an ONS 15454 can act together as a single switching entity
or as independent single switches supporting a variety of SONET port configurations.
You can create logical SONET ports by provisioning STS channels to the packet switch entity within the
ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454
supports STS-1, STS-3c, STS-6c, or STS-12c circuit sizes.
Note When making an STS-12c circuit, the E-Series cards must be configured as single-card EtherSwitch.
5.4.1 Slot Compatibility
You can install the E1000-2 card in Slots 1 to 6 and 12 to 17. The E1000-2 is compatible with the XCVT
card but not with the XC10G or XC-VXC-10G cards. The E1000-2-G is compatible with the XC10G and
XC-VXC-10G.
5.4.2 E1000-2 Card-Level Indicators
The E1000-2 card faceplate has two card-level LED indicators, described in Table 5-7.
5.4.3 E1000-2 Port-Level Indicators
The E1000-2 card has one bicolor LED per port (Table 5-8). When the LED is solid green, it indicates
that carrier is detected, meaning an active network cable is installed. When the LED is off, it indicates
that an active network cable is not plugged into the port, or the card is carrying unidirectional traffic.
When the LED flashes amber, it does so at a rate proportional to the level of traffic being received and
transmitted over the port.
Table 5-7 E1000-2 Card-Level Indicators
| Card-Level Indicators | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E1000-2 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. |
| ACT LED (Green) | The green ACT LED provides the operational status of the E1000-2. When the ACT LED is green, it indicates that the E1000-2 card is active and the software is operational. |
| SF LED | Not used. |
5.4.4 Cross-Connect Compatibility
The E1000-2 is compatible with XCVT cards. The XC10G and XC-VXC-10G cards require the
E1000-2-G card.
Table 5-8 E1000-2 Port-Level Indicators
| LED State | Description |
| Amber | The port is active (transmitting and receiving data). |
| Solid green | The link is established. |
| Off | The connection is inactive, or traffic is unidirectional. |
5.5 E1000-2-G Card
Note For hardware specifications, see the “A.7.4 E1000-2-G Card Specifications” section on page A-50.
The ONS 15454 uses E1000-2-G cards for Gigabit Ethernet (1000 Mbps). The E1000-2-G card provides
two IEEE-compliant, 1000-Mbps ports for high-capacity customer LAN interconnections. Each port
supports full-duplex operation.
The E1000-2-G card uses GBIC modular receptacles for the optical interfaces. For details, see the
“5.14 Ethernet Card GBICs and SFPs” section on page 5-34.
Figure 5-4 shows the card faceplate and a block diagram of the card.
Figure 5-4 E1000-2-G Faceplate and Block Diagram
The E1000-2-G Gigabit Ethernet card provides high-throughput, low-latency packet switching of
Ethernet traffic across a SONET network while providing a greater degree of reliability through SONET
self-healing protection services. This enables network operators to provide multiple 1000-Mbps access
drops for high-capacity customer LAN interconnects. It enables efficient transport and co-existence of
traditional TDM traffic with packet-switched data traffic.
Each E1000-2-G card supports standards-based, Layer 2 Ethernet switching between its Ethernet
interfaces and SONET interfaces on the ONS 15454. The IEEE 802.1Q VLAN tag logically isolates
traffic (typically subscribers).
Multiple E-Series Ethernet cards installed in an ONS 15454 can act together as a single switching entity
or as independent single switches supporting a variety of SONET port configurations.
[Figure 5-4 image not reproduced. Block diagram labels: Gigabit Ethernet PHYs, A/D mux, Ethernet MACs/switch, buffer memory, control memory, FPGA, BTC, CPU with Flash and DRAM, backplane. Faceplate labels: ports 1 and 2 with RX/TX and ACT/LINK LEDs; FAIL, ACT, and SF LEDs.]
You can create logical SONET ports by provisioning STS channels to the packet switch entity within the
ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454
supports STS-1, STS-3c, STS-6c, or STS-12c circuit sizes.
Note When making an STS-12c Ethernet circuit, the E-Series cards must be configured as a single-card
EtherSwitch.
5.5.1 E1000-2-G Card-Level Indicators
The E1000-2-G card faceplate has two card-level LED indicators, described in Table 5-9.
5.5.2 E1000-2-G Port-Level Indicators
The E1000-2-G card has one bicolor LED per port (Table 5-10). When the green LINK LED is on, carrier
is detected, meaning an active network cable is installed. When the green LINK LED is off, an active
network cable is not plugged into the port, or the card is carrying unidirectional traffic. The amber port
ACT LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
5.5.3 Cross-Connect Compatibility
The E1000-2-G is compatible with the XCVT, XC10G, and XC-VXC-10G cards. You can install the card
in Slots 1 to 6 and 12 to 17.
Table 5-9 E1000-2-G Card-Level Indicators
| Card-Level Indicators | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E1000-2-G card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. |
| ACT LED (Green) | The green ACT LED provides the operational status of the E1000-2-G. If the ACT LED is green, it indicates that the E1000-2-G card is active and the software is operational. |
| SF LED | The SF LED is not used in the current release. |
Table 5-10 E1000-2-G Port-Level Indicators
| LED State | Description |
| Amber | The port is active (transmitting and receiving data). |
| Solid green | The link is established. |
| Off | The connection is inactive, or traffic is unidirectional. |
5.6 G1K-4 Card
Note For hardware specifications, see the “A.7.8 G1K-4 Card Specifications” section on page A-51.
The G1K-4 card is the functional equivalent of the earlier G1000-4 card and provides four ports of
IEEE-compliant, 1000-Mbps interfaces. Each interface supports full-duplex operation for a maximum
bandwidth of 1 Gbps or 2 Gbps bidirectional per port, and 2.5 Gbps or 5 Gbps bidirectional per card.
Each port autonegotiates for full duplex and IEEE 802.3x flow control. The G1K-4 card uses GBIC
modular receptacles for the optical interfaces. For details, see the “5.14 Ethernet Card GBICs and SFPs”
section on page 5-34.
Figure 5-5 shows the card faceplate and the block diagram of the card.
Figure 5-5 G1K-4 Faceplate and Block Diagram
[Figure 5-5 image not reproduced. Block diagram labels: GBICs, decode PLD, transceivers, Ethernet MACs/switch, mux/demux FPGA, interface FPGA, BTC POS function, buffer memory, protect and main Rx/Tx BPIAs, power and clock generation (to FPGA, BTC, MACs), CPU with Flash and DRAM, backplane. Faceplate labels: ports 1 to 4 with RX/TX and ACT/LINK LEDs; FAIL and ACT LEDs.]
The G1K-4 Gigabit Ethernet card provides high-throughput, low-latency transport of Ethernet
encapsulated traffic (IP and other Layer 2 or Layer 3 protocols) across a SONET network while
providing a greater degree of reliability through SONET self-healing protection services. Carrier-class
Ethernet transport is achieved by hitless (< 50 ms) performance in the event of any failures or protection
switches (such as 1+1 APS, path protection, BLSR, or optical equipment protection) and by full
provisioning and manageability, as in SONET service. Full provisioning support is possible through
CTC or CTM. Each G1K-4 card performs independently of the other cards in the same shelf.
5.6.1 STS-24c Restriction
Due to hardware constraints, the card imposes an additional restriction on the combinations of circuits
that can be dropped onto a G-Series card. These restrictions are transparently enforced by the
ONS 15454, and you do not need to keep track of restricted circuit combinations.
When a single STS-24c terminates on a card, the remaining circuits on that card can be another single
STS-24c or any combination of circuits of STS-12c size or less that add up to no more than 12 STSs (that
is a total of 36 STSs on the card).
If STS-24c circuits are not being dropped on the card, the full 48 STSs bandwidth can be used with no
restrictions (for example, using either a single STS-48c or 4 STS-12c circuits).
Note The STS-24c restriction only applies when a single STS-24c circuit is dropped; therefore, you can easily
minimize the impact of this restriction. Group the STS-24c circuits together on a card separate from
circuits of other sizes. The grouped circuits can be dropped on other G-Series cards on the ONS 15454.
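The STS-24c restriction above, written as a provisioning pre-check that is an added example, not Cisco code: it takes the circuit sizes proposed for one G-Series card and reports whether the ONS 15454 would accept them, and it also groups a longer circuit list onto cards the way the Note recommends (STS-24c circuits on their own cards). Function and constant names are assumptions of this example; sizes are counted in STS-1 units.

```python
"""Pre-check for the G-Series STS-24c drop restriction (added example, not Cisco code).

Rule encoded: one STS-24c terminating on a card limits the card's other circuits
to either one more STS-24c, or circuits of STS-12c or smaller totalling at most
12 STSs (36 STSs on the card). Without an STS-24c, all 48 STSs are usable.
"""
from collections import Counter

# STS-1 units carried by each circuit size the card accepts (names per the manual).
CIRCUIT_STS = {
    "STS-1": 1, "STS-3c": 3, "STS-6c": 6,
    "STS-12c": 12, "STS-24c": 24, "STS-48c": 48,
}
CARD_CAPACITY_STS = 48   # full bandwidth of one G-Series card
STS24C_SIDE_LIMIT = 12   # STSs allowed beside a single STS-24c


def check_g_series_drops(circuits):
    """Return (ok, reason) for a list of circuit size names dropped on one card."""
    sizes = list(circuits)
    unknown = [s for s in sizes if s not in CIRCUIT_STS]
    if unknown:
        return False, "unsupported circuit size(s): " + ", ".join(unknown)

    total = sum(CIRCUIT_STS[s] for s in sizes)
    if total > CARD_CAPACITY_STS:
        return False, f"{total} STSs exceeds the card capacity of {CARD_CAPACITY_STS}"

    n24 = Counter(sizes)["STS-24c"]
    if n24 == 0:
        # No STS-24c dropped: e.g. one STS-48c or four STS-12c, no restriction.
        return True, f"{total} of {CARD_CAPACITY_STS} STSs used, no STS-24c restriction"

    others = [s for s in sizes if s != "STS-24c"]
    if n24 >= 2:
        # Two STS-24c fill the card; anything extra already failed the 48-STS test.
        return True, "two STS-24c circuits fill the card"

    # Exactly one STS-24c: the rest must be STS-12c or smaller, at most 12 STSs.
    too_big = [s for s in others if CIRCUIT_STS[s] > STS24C_SIDE_LIMIT]
    if too_big:
        return False, ", ".join(too_big) + " cannot share a card with one STS-24c"
    side = sum(CIRCUIT_STS[s] for s in others)
    if side > STS24C_SIDE_LIMIT:
        return False, (f"{side} STSs beside one STS-24c exceeds the "
                       f"{STS24C_SIDE_LIMIT}-STS limit (only 36 STSs usable)")
    return True, f"one STS-24c plus {side} STSs of smaller circuits"


def group_onto_cards(circuits):
    """Split circuits across cards as the manual's Note suggests.

    STS-24c circuits are paired onto their own cards; everything else is packed
    first-fit (largest first) into 48-STS cards. Every returned card passes
    check_g_series_drops. This minimises exposure to the restriction, not card count.
    """
    big = [s for s in circuits if s == "STS-24c"]
    small = sorted((s for s in circuits if s != "STS-24c"),
                   key=lambda s: -CIRCUIT_STS[s])
    cards = [big[i:i + 2] for i in range(0, len(big), 2)]
    small_cards = []
    for s in small:
        for card in small_cards:
            if sum(CIRCUIT_STS[c] for c in card) + CIRCUIT_STS[s] <= CARD_CAPACITY_STS:
                card.append(s)
                break
        else:
            small_cards.append([s])
    return cards + small_cards


if __name__ == "__main__":
    # Constructed sample plans, not taken from a real shelf.
    for plan in (["STS-24c", "STS-12c"],
                 ["STS-24c", "STS-12c", "STS-1"],
                 ["STS-12c"] * 4):
        ok, why = check_g_series_drops(plan)
        print("OK " if ok else "NO ", plan, "-", why)
```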
5.6.2 G1K-4 Compatibility
The G1K-4 card operates with the XCVT, XC10G or XC-VXC-10G cards. With the XC10G or
XC-VXC-10G cards, you can install the G1K-4 card in Slots 1 to 6 and 12 to 17, for a total shelf capacity
of 48 Gigabit Ethernet ports. (The practical limit is 40 ports because at least two slots are typically
populated by optical cards such as OC-192). When used with the XCVT cards, the G1K-4 is limited to
Slots 5, 6, 12, and 13.
5.6.3 G1K-4 Card-Level Indicators
The G1K-4 card faceplate has two card-level LED indicators, described in Table 5-11.
Table 5-11 G1K-4 Card-Level Indicators
| Card-Level LEDs | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the G1K-4 card. As part of the boot sequence, the FAIL LED is turned on, and it goes off when the software is deemed operational. The red FAIL LED blinks when the card is loading software. |
| ACT LED (Green) | The green ACT LED provides the operational status of the G1K-4. If the ACT LED is green, it indicates that the G1K-4 card is active and the software is operational. |
5.6.4 G1K-4 Port-Level Indicators
The G1K-4 card has four bicolor LEDs (one LED per port). Table 5-12 describes the status that each
color represents.
Table 5-12 G1K-4 Port-Level Indicators
| Port-Level LED Status | Description |
| Off | No link exists to the Ethernet port. |
| Steady amber | A link exists to the Ethernet port, but traffic flow is inhibited. For example, a lack of circuit setup, an error on the line, or a nonenabled port might inhibit traffic flow. |
| Solid green | A link exists to the Ethernet port, but no traffic is carried on the port. |
| Flashing green | A link exists to the Ethernet port, and traffic is carried on the port. The LED flash rate reflects the traffic rate for the port. |
5.7 ML100T-12 Card
Note For hardware specifications, see the “A.7.9 ML100T-12 Card Specifications” section on page A-52.
The ML100T-12 card provides 12 ports of IEEE 802.3-compliant, 10/100 interfaces. Each interface
supports full-duplex operation for a maximum bandwidth of 200 Mbps per port and 2.488 Gbps per card.
Each port independently detects the speed of an attached device (autosenses) and automatically connects
at the appropriate speed. The ports autoconfigure to operate at either half or full duplex and can
determine whether to enable or disable flow control. For ML-Series configuration information, see the
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide.
Figure 5-6 shows the card faceplate and block diagram.
Caution Shielded twisted-pair cabling should be used for inter-building applications.
Figure 5-6 ML100T-12 Faceplate and Block Diagram
The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of
STS-48. The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit
with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c. To configure an ML-Series card
SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454
Procedure Guide.
The ML-Series POS ports support virtual concatenation (VCAT) of SONET circuits and a software link
capacity adjustment scheme (SW-LCAS). The ML-Series card supports a maximum of two VCAT
groups, with each group corresponding to one of the POS ports. Each VCAT group must be provisioned
with two circuit members. An ML-Series card supports STS-1c-2v, STS-3c-2v, and STS-12c-2v. To
configure an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels”
chapter of the Cisco ONS 15454 Procedure Guide.
5.7.1 ML100T-12 Card-Level Indicators
The ML100T-12 card supports two card-level LED indicators. The card-level indicators are described in
Table 5-13.
[Figure 5-6 image not reproduced. Block diagram labels: 12 x RJ45 with 4xMag. blocks, two octal PHYs (SMII), DOS FPGA (ports 0 to 3, ports A and B, ch0-1 and ch4-5), BTC192 (ports 0 and 1, RGGI, SCL), processor daughter card (128MB SDRAM, 16MB FLASH, 8KB NVRAM), packet buffers (6MB, 6MB, 4MB), control memory (2MB, 2MB), result memory (2MB), BPIA main and protect Rx/Tx, backplane. Faceplate labels: ports 0 to 11; ACT and FAIL LEDs.]
5.7.2 ML100T-12 Port-Level Indicators
The ML100T-12 card provides a pair of LEDs for each Fast Ethernet port: an amber LED for activity
(ACT) and a green LED for LINK. The port-level indicators are described in Table 5-14.
5.7.3 Cross-Connect and Slot Compatibility
The ML100T-12 card works in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G card. It works
only in Slots 5, 6, 12, or 13 with the XCVT card.
Table 5-13 ML100T-12 Card-Level Indicators
| Card-Level LEDs | Description |
| FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the ML100T-12 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. |
| ACT LED (Green) | The green ACT LED provides the operational status of the ML100T-12. If the ACT LED is green, it indicates that the ML100T-12 card is active and the software is operational. |
Table 5-14 ML100T-12 Port-Level Indicators
| Port-Level Indicators | Description |
| ACT LED (Amber) | A steady amber LED indicates a link is detected, but there is an issue inhibiting traffic. A blinking amber LED means traffic is flowing. |
| LINK LED (Green) | A steady green LED indicates that a link is detected, but there is no traffic. A blinking green LED flashes at a rate proportional to the level of traffic being received and transmitted over the port. |
| Both ACT and LINK LED | Unlit green and amber LEDs indicate no traffic. |
5.8 ML100X-8 Card
Note For hardware specifications, see the “A.7.11 ML100X-8 Card Specifications” section on page A-53.
The ML100X-8 card provides eight ports with 100BaseFX interfaces. The FX interfaces support one of
two connectors, an LX SFP or an FX SFP. The LX SFP is a 100 Mbps 802.3-compliant SFP that operates
over a pair of single-mode optical fibers and includes LC connectors. The FX SFP is a 100 Mbps
802.3-compliant SFP that operates over a pair of multimode optical fibers and includes LC connectors. For
more information on SFPs, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34.
Each interface supports full-duplex operation for autonegotiation and a maximum bandwidth of 200
Mbps per port and 2.488 Gbps per card. For ML-Series configuration information, see the
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide.
Figure 5-7 shows the card faceplate and block diagram.
Figure 5-7 ML100X-8 Faceplate and Block Diagram
The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of
STS-48. The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit
with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c. To configure an ML-Series card
SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454
Procedure Guide.
The ML-Series POS ports support virtual concatenation (VCAT) of SONET circuits and a software link
capacity adjustment scheme (SW-LCAS). The ML-Series cards support a maximum of two VCAT
groups, with each group corresponding to one of the POS ports. Each VCAT group must be provisioned
with two circuit members. An ML-Series card supports STS-1c-2v, STS-3c-2v, and STS-12c-2v. To
configure an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels”
chapter of the Cisco ONS 15454 Procedure Guide.
[Figure 5-7 block diagram labels: faceplate with FAIL and ACT LEDs and Tx/Rx ports 0 to 7; PHY, eight SFPs, Network Processor Unit, TCAM, SONET Framer, Packet Memory, Backplane]
5.8.1 ML100X-8 Card-Level Indicators
The ML100X-8 card supports two card-level LED indicators. Table 5-15 describes the card-level
indicators.
5.8.2 ML100X-8 Port-Level Indicators
The ML100X-8 card provides a pair of LEDs for each Fast Ethernet port: an amber LED for activity
(ACT) and a green LED for LINK. Table 5-16 describes the port-level indicators.
5.8.3 Cross-Connect and Slot Compatibility
The ML100X-8 card operates in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G cards. It
operates only in Slots 5, 6, 12, or 13 with the XCVT card.
5.9 ML1000-2 Card
Note For hardware specifications, see the “A.7.10 ML1000-2 Card Specifications” section on page A-52.
The ML1000-2 card provides two ports of IEEE-compliant, 1000-Mbps interfaces. Each interface
supports full-duplex operation for a maximum bandwidth of 2 Gbps per port and 4 Gbps per card. Each
port autoconfigures for full duplex and IEEE 802.3x flow control.
Table 5-15 ML100X-8 Card-Level Indicators
Card-Level LEDs Description
FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the ML100-FX card. As part of the
boot sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the ML100-FX. If the
ACT LED is green, it indicates that the ML100-FX card is active and the
software is operational.
Table 5-16 ML100X-8 Port-Level Indicators
Port-Level Indicators Description
ACT LED (Amber) A steady amber LED indicates a link is detected, but there is an issue
inhibiting traffic. A blinking amber LED means traffic is flowing.
LINK LED (Green) A steady green LED indicates that a link is detected, but there is no
traffic. A blinking green LED flashes at a rate proportional to the level
of traffic being received and transmitted over the port.
Both ACT and LINK LED Unlit green and amber LEDs indicate no traffic.
SFP modules are offered as separate orderable products for maximum customer flexibility. For details,
see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34.
Figure 5-8 shows the ML1000-2 card faceplate and block diagram.
Figure 5-8 ML1000-2 Faceplate and Block Diagram
The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of
STS-48. The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit
with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c. To configure an ML-Series card
SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454
Procedure Guide.
The ML-Series POS ports support VCAT of SONET circuits and a software link capacity adjustment
scheme (SW-LCAS). The ML-Series card supports a maximum of two VCAT groups with each group
corresponding to one of the POS ports. Each VCAT group must be provisioned with two circuit
members. An ML-Series card supports STS-1c-2v, STS-3c-2v and STS-12c-2v. To configure an
ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels” chapter of the
Cisco ONS 15454 Procedure Guide.
[Figure 5-8 block diagram labels: faceplate with FAIL and ACT LEDs, TX/RX ports 0 and 1 with LINK/ACT LEDs, and CONSOLE port; two SFP/GBIC modules, Serdes, MAC 1 and MAC 2 (GMII/RGGI), DOS FPGA with packet buffers (512Kx96), SSRAM (2x512Kx36), control memory and result memory (512Kx32), processor daughter card (FLASHs, SDRAMs), BTC192, BPIA Main/Protect Rx and Tx, Backplane]
5.9.1 ML1000-2 Card-Level Indicators
The ML1000-2 card faceplate has two card-level LED indicators, described in Table 5-17.
5.9.2 ML1000-2 Port-Level Indicators
The ML1000-2 card has three LEDs for each of the two Gigabit Ethernet ports, described in Table 5-18.
5.9.3 Cross-Connect and Slot Compatibility
The ML1000-2 card is compatible in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G card. It
is only compatible in Slots 5, 6, 12, or 13 with the XCVT card.
5.10 ML-MR-10 Card
Note For hardware specifications, see the “A.7.12 ML-MR-10 Card Specifications” section on page A-53.
The ML-MR-10 card is a ten-port multilayer Ethernet card. The Ethernet ports support speeds of
10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. SFP modules are offered as separate
orderable products for flexibility. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on
page 5-34.
Table 5-17 ML1000-2 Card-Level Indicators
Card-Level LEDs Description
SF LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the ML1000-2 card. As part of the
boot sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the ML1000-2. When
the ACT LED is green, it indicates that the ML1000-2 card is active and the
software is operational.
Table 5-18 ML1000-2 Port-Level Indicators
Port-Level Indicators Description
ACT LED (Amber) A steady amber LED indicates a link is detected, but there is an issue
inhibiting traffic. A blinking amber LED means traffic is flowing.
LINK LED (Green) A steady green LED indicates that a link is detected, but there is no
traffic. A blinking green LED flashes at a rate proportional to the level
of traffic being received and transmitted over the port.
Both ACT and LINK LED Unlit green and amber LEDs indicate no traffic.
The ML-MR-10 card has two RPR ports, which function in a manner similar to OC-N card ports. Each
Ethernet port carries an STS circuit with a size of STS-12c, STS-24c, STS-48c, or STS-96c. The two
RPR port interfaces combine to support a resilient packet ring (RPR) interface. The ML-MR-10 supports
only frame-mapped generic framing procedure (GFP-F) encapsulation for SONET. In addition to this,
the ML-MR-10 can be configured to support up to 26 POS ports, each one terminating a SONET GFP-F
encapsulated circuit.
To configure an ML-MR-10 card SONET STS circuit, refer to the “Create Circuits and Tunnels” chapter
in the Cisco ONS 15454 Procedure Guide.
Cisco IOS is used to provision the Layer 2 functions of the card. The ML-MR-10 card provides
management for Layer 1 operations through CTC. You can use CTM for Layer 1 and Layer 2 monitoring
and fault detection, and TL1 supports card inventory and equipment alarming.
Figure 5-9 shows the ML-MR-10 card faceplate and block diagram.
Figure 5-9 ML-MR-10 Faceplate and Block Diagram
[Figure 5-9 block diagram labels: faceplate with FAIL, ACT/STBY and SF LEDs, CONSOLE port, and TX/RX ports 1 to 10; ten SFPs, 10x Serdes, GE MAC, ingress PPE+ and RPR TM+ with queues, instruction/statistics/reassembly memories, SDH framer, backplane interface, CPU with memory and TCAM, Backplane]
The ML-MR-10 card supports 1:1 protection at the port level. It also supports 1:1 card protection with
redundant cards installed. For more information on ML-MR-10 card protection, refer to the
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide.
The ML-MR-10 card supports the Version Up feature, which allows a user to independently upgrade
ML-MR-10 cards as part of an overall software upgrade process. With this feature enabled, the user first
upgrades all the cards in the node that are not ML-MR-10 cards, then in a second pass updates the
ML-MR-10 cards. For more information on the Version Up feature, refer to the Cisco ONS 15454 and
Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.
The ML-MR-10 card supports an Ethernet Virtual Connection (EVC), which is an instance of an
association of two or more user network interfaces (UNI) for Ethernet services. For more information
on EVC, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and
Configuration Guide.
5.10.1 ML-MR-10 Card-Level Indicators
The ML-MR-10 card faceplate has two card-level LED indicators, described in Table 5-19.
5.10.2 ML-MR-10 Port-Level Indicators
The ML-MR-10 card provides a pair of LEDs for each Ethernet port: an amber LED for activity (ACT)
and a green LED for link status (LINK). Table 5-20 describes the status that each color represents.
Table 5-19 ML-MR-10 Card-Level Indicators
Card-Level LEDs Description
FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the ML-MR-10 card. As part of the
boot sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the ML-MR-10 card.
When the ACT LED is green, it indicates that the ML-MR-10 card is active
and the software is operational.
Table 5-20 ML-MR-10 Port-Level Indicators
Port-Level Indicators Description
Off No link exists to the Ethernet port.
Steady amber A link exists to the Ethernet port, but traffic flow is inhibited. For
example, a lack of circuit setup, an error on the line, or a disabled port
might inhibit traffic flow.
Solid green A link exists to the Ethernet port, but no traffic is carried on the port.
Flashing green A link exists to the Ethernet port, and traffic is carried on the port. The
LED flash rate reflects the traffic rate for that port.
5.10.3 Cross-Connect and Slot Compatibility
The ML-MR-10 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and
XC-VXC-10G cards. It is not compatible with the XCVT card.
Caution Fan-tray assembly 15454-CC-FTA (ANSI shelf) must be installed in a shelf where an ML-MR-10 card
is installed.
5.10.4 ML-MR-10 Card Differential Delay
The differential delay has been hardcoded to 55 ms for high-order circuits in high-speed slots and 175 ms
for low-order circuits in high-speed slots. For all other slots and circuit combinations, it has been
hardcoded to 135 ms.
5.11 CE-100T-8 Card
Note For hardware specifications, see the “A.7.6 CE-100T-8 Card Specifications” section on page A-51.
The CE-100T-8 card provides eight RJ-45 10/100 Mbps Ethernet ports and an RJ-45 console port on the
card faceplate. The CE-100T-8 card provides mapping of 10/100 Mbps Ethernet traffic into SONET
STS-12 payloads, making use of low-order (VT1.5) virtual concatenation, high-order (STS-1) virtual
concatenation, GFP, and point-to-point protocol/high-level data link control (PPP/HDLC) framing
protocols.
The CE-100T-8 card also supports the link capacity adjustment scheme (LCAS), which allows hitless
dynamic adjustment of SONET link bandwidth. The CE-100T-8 card’s LCAS is hardware-based, but the
CE-100T-8 also supports SW-LCAS. This makes it compatible with the ONS 15454 SDH ML-Series
card, which supports only SW-LCAS and does not support the standard hardware-based LCAS.
SW-LCAS is supported when a circuit from the CE-100T-8 terminates on the ONS 15454 SDH
ML-Series card.
Note The SW-LCAS is not supported on CE-100T-8 cards for interoperation with the CE-MR-10, CE-MR-6,
and ML-MR-10 cards.
The circuit types supported are:
• HO-CCAT
• LO-VCAT with no HW-LCAS
• LO-VCAT with HW-LCAS
• STS-1-2v SW-LCAS with ML only
Each 10/100 Ethernet port can be mapped to a SONET channel in increments of VT1.5 or STS-1
granularity, allowing efficient transport of Ethernet and IP over the SONET infrastructure.
Figure 5-10 shows the CE-100T-8 card faceplate and block diagram.
Figure 5-10 CE-100T-8 Faceplate and Block Diagram
The following paragraphs describe the general functions of the CE-100T-8 card and relate to the block
diagram.
In the ingress direction (Ethernet-to-SONET), the PHY, which performs all of the physical layer
interface functions for 10/100 Mbps Ethernet, sends the frame to the network processor for queuing in
the respective packet buffer memory. The network processor performs packet processing, packet
switching, and classification. The Ethernet frames are then passed to the Ethermap, where Ethernet traffic
is terminated and encapsulated using HDLC or GFP framing on a per-port basis. The encapsulated
Ethernet frames are then mapped into a configurable number of virtually concatenated low-order and
high-order payloads, such as VT1.5 synchronous payload envelope (SPE) or STS-1 SPE, or a contiguously
concatenated payload such as STS-3c SPE. Up to 64 VT1.5 SPEs or 3 STS-1 SPEs can be virtually
concatenated. The SONET SPE carrying encapsulated Ethernet frames is passed on to the qMDM
FPGA, where four STS-3 frames are multiplexed to form an STS-12 frame for transport over the SONET
network by means of the Bridging Convergence Transmission (BTC) ASIC.
In the egress direction (SONET-to-Ethernet), the FPGA extracts four STS-3 SPEs from the STS-12
frame it receives from the BTC and sends each of the STS-3s to the ET3 mappers. The STS-3 SONET
SPE carrying GFP or PPP/HDLC encapsulated Ethernet frames is then extracted and buffered in
the Ethermap’s external memory. This memory provides alignment and differential delay
compensation for the received low-order and high-order virtually concatenated payloads. After alignment
and delay compensation, the Ethernet frames are decapsulated with one of the framing
protocols (GFP or HDLC). Decapsulated Ethernet frames are then passed on to the network processor for
QoS queuing and traffic scheduling. The network processor switches the frame to one of the
corresponding PHY channels and then to the Ethernet port for transmission to the external client(s).
[Figure 5-10 block diagram labels: faceplate with FAIL and ACT LEDs, CONSOLE port, and ports 1 to 8; octal PHY serving 8x 10/100BaseT RJ45 ports (SMII/MII), packet processor/switch fabric with packet buffer (3x0.5MB) and control memory (1x2MB), four ETS mappers (#1 to #4) with SDRAM, qMDM FPGA feeding STS-3 streams to the STS-12 Add_Bus/Drop_Bus, BTC, CPU with Flash (8MB), SDRAM (128MB), nVRAM and CPLD, Backplane]
For information on the CE-100T-8 QoS features, refer to the “CE-100T-8 Operations” chapter of the
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide.
5.11.1 CE-100T-8 Card-Level Indicators
The CE-100T-8 card faceplate has two card-level LED indicators, described in Table 5-21.
5.11.2 CE-100T-8 Port-Level Indicators
The CE-100T-8 card has two LEDs embedded into each of the eight Ethernet port RJ-45 connectors. The
LEDs are described in Table 5-22.
5.11.3 Cross-Connect and Slot Compatibility
The CE-100T-8 card is compatible in Slots 1 to 6 or 12 to 17 with the XC10G, XC-VXC-10G, or XCVT
cards.
5.12 CE-1000-4 Card
Note For hardware specifications, see the “A.7.5 CE-1000-4 Card Specifications” section on page A-50.
Table 5-21 CE-100T-8 Card-Level Indicators
Card-Level LEDs Description
SF LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the CE-100T-8 card. As part of the
boot sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the CE-100T-8. When
the ACT LED is green, it indicates that the CE-100T-8 card is active and the
software is operational.
Table 5-22 CE-100T-8 Port-Level Indicators
Port-Level Indicators Description
ACT LED (Amber) A steady amber LED indicates a link is detected, but there is an issue
inhibiting traffic. A blinking amber LED means traffic is flowing.
LINK LED (Green) A steady green LED indicates that a link is detected, but there is no
traffic. A blinking green LED flashes at a rate proportional to the level
of traffic being received and transmitted over the port.
Both ACT and LINK LED OFF Unlit green and amber LEDs indicate no traffic.
The CE-1000-4 card uses pluggable GBICs to transport Ethernet traffic over a SONET network. The
CE-1000-4 provides four IEEE 802.3-compliant, 1000-Mbps Gigabit Ethernet ports at the ingress. At
the egress, the CE-1000-4 card provides an integrated Ethernet over SONET mapper with four virtual
ports to transfer Ethernet packets over a SONET network.
The Ethernet ports automatically configure to operate at either half or full duplex and can determine
whether to enable or disable flow control. The Ethernet ports can also be oversubscribed using flow
control.
The Ethernet frames are encapsulated using the ITU-T generic framing procedure (GFP) (with or
without CRC) or LEX, the point-to-point protocol (PPP) with high-level data link control (HDLC). The
CE-1000-4 card can interoperate with G1K-4 cards (using LEX encapsulation), CE-100T-8 cards (using
LEX or GFP-F), and ML-Series cards (using LEX or GFP-F).
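The GFP-F encapsulation named here ("GFP with or without CRC") and in the Ethermap stage of the CE-100T-8 data path in 5.11, shown as an added example in Python; this is not Cisco code, and the constructed Ethernet frame, the omission of the x^43+1 payload scrambler and extension headers, and the use of the IEEE 802.3 CRC-32 convention for the pFCS are this example's assumptions.

```python
"""GFP-F (ITU-T G.7041) encapsulation of an Ethernet frame, with receive-side checks.

Added example, not Cisco's code. Simplifications: no x^43+1 payload scrambler,
no extension headers, pFCS uses the IEEE 802.3 CRC-32 convention (assumed).
"""
import struct

CORE_HEADER_SCRAMBLER = 0xB6AB31E0   # XORed over PLI+cHEC; an idle frame is exactly this word
UPI_FRAME_MAPPED_ETHERNET = 0x01     # user payload identifier for frame-mapped Ethernet

# Constructed sample client frame: dst MAC, src MAC, EtherType 0x0800, 46-byte payload.
# The Ethernet FCS is left out; the card carries whatever client frame it received.
SAMPLE_ETH_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                    + b"\x08\x00" + bytes(range(46)))


def crc16_ccitt(data: bytes) -> int:
    """CRC-16 with G(x)=x^16+x^12+x^5+1, zero init, MSB first: the GFP cHEC/tHEC."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc32_ieee(data: bytes) -> int:
    """Reflected CRC-32 (poly 0xEDB88320, init and final XOR 0xFFFFFFFF), IEEE 802.3 style."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_gfp_f_frame(eth_frame: bytes, with_pfcs: bool = True) -> bytes:
    """Wrap one Ethernet frame in a GFP-F client data frame, optionally with a pFCS."""
    info = eth_frame + (struct.pack(">I", crc32_ieee(eth_frame)) if with_pfcs else b"")
    # Type field: PTI=000 (client data), PFI (pFCS present), EXI=0000 (no extension), UPI.
    type_bytes = struct.pack(">H", (int(with_pfcs) << 12) | UPI_FRAME_MAPPED_ETHERNET)
    payload_header = type_bytes + struct.pack(">H", crc16_ccitt(type_bytes))
    pli = len(payload_header) + len(info)          # PLI counts every byte after the core header
    if pli > 0xFFFF:
        raise ValueError("client frame too large for a single GFP frame")
    core = struct.pack(">H", pli)
    core += struct.pack(">H", crc16_ccitt(core))
    scrambled = struct.unpack(">I", core)[0] ^ CORE_HEADER_SCRAMBLER
    return struct.pack(">I", scrambled) + payload_header + info


def parse_gfp_f_frame(frame: bytes) -> dict:
    """Check cHEC, tHEC and pFCS, then return the decapsulated Ethernet frame.

    Raises ValueError on any integrity failure (the single-bit correction the
    cHEC allows is not implemented; errors are only detected and the frame dropped).
    """
    if len(frame) < 4:
        raise ValueError("shorter than a GFP core header")
    core = struct.pack(">I", struct.unpack(">I", frame[:4])[0] ^ CORE_HEADER_SCRAMBLER)
    pli, chec = struct.unpack(">HH", core)
    if crc16_ccitt(core[:2]) != chec:
        raise ValueError("cHEC mismatch: corrupted core header")
    if pli == 0:
        return {"idle": True}                      # GFP idle frame, nothing to deliver
    payload_area = frame[4:4 + pli]
    if len(payload_area) != pli or pli < 4:
        raise ValueError("PLI does not match the bytes received")
    type_bytes, thec = payload_area[:2], struct.unpack(">H", payload_area[2:4])[0]
    if crc16_ccitt(type_bytes) != thec:
        raise ValueError("tHEC mismatch: corrupted payload header")
    type_field = struct.unpack(">H", type_bytes)[0]
    pti, pfi = type_field >> 13, (type_field >> 12) & 1
    exi, upi = (type_field >> 8) & 0xF, type_field & 0xFF
    if pti != 0 or exi != 0 or upi != UPI_FRAME_MAPPED_ETHERNET:
        raise ValueError("not a frame-mapped Ethernet client data frame")
    info = payload_area[4:]
    if pfi:
        if len(info) < 4:
            raise ValueError("PFI set but no room for a pFCS")
        info, pfcs = info[:-4], struct.unpack(">I", info[-4:])[0]
        if crc32_ieee(info) != pfcs:
            raise ValueError("pFCS mismatch: corrupted payload")
    return {"idle": False, "pfcs_present": bool(pfi), "ethernet_frame": info}


def detects_corruption(frame: bytes, byte_index: int) -> bool:
    """Flip one bit at byte_index and report whether the receiver rejects the frame."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    try:
        parse_gfp_f_frame(bytes(damaged))
    except ValueError:
        return True
    return False
```

Without the pFCS ("GFP without CRC"), a bit flip inside the client frame passes the GFP layer unnoticed and is left for the Ethernet FCS at the far end to catch.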
The Ethernet frames can be mapped into:
• T1X1 G.707-based high-order virtual concatenated (HO VCAT) payloads:
– STS-3c
– STS-1
• Contiguously concatenated (CCAT) SONET payloads:
– Standard CCAT sizes (STS-1, STS-3c, STS-12c, STS-24c, STS-48c)
– Non-standard CCAT sizes (STS-6c, STS-9c, STS-18c).
To configure a CE-1000-4 card SONET STS or VCAT circuit, refer to the “Create Circuits and Tunnels”
chapter in the Cisco ONS 15454 Procedure Guide.
The CE-1000-4 card provides multiple management options through Cisco Transport Controller (CTC),
Cisco Transport Manager (CTM), Transaction Language 1 (TL1), and Simple Network Management
Protocol (SNMP).
The CE-1000-4 card supports the software link capacity adjustment scheme (SW-LCAS). This makes it
compatible with the ONS 15454 CE-100T-8 and ML-Series cards. The CE-1000-4 card supports VCAT
groups (VCGs) that are reconfigurable when SW-LCAS is enabled (flexible VCGs). The CE-1000-4 card
does not support the standard hardware-based LCAS.
The following guidelines apply to flexible VCGs:
• Members can be added or removed from VCGs.
• Members can be put into or out of service.
• Cross-connects can be added or removed from VCGs.
• Errored members will be automatically removed from VCGs.
• Adding or removing members from the VCG is service affecting.
• Adding or removing cross-connects from the VCG is not service affecting if the associated members
are not in the group.
The CE-1000-4 card supports a non-link capacity adjustment scheme (no-LCAS). This also makes it
compatible with the ONS 15454 CE-100T-8 and ML-Series cards. The CE-1000-4 card supports VCAT
groups (VCGs) that are fixed and not reconfigurable when no-LCAS is enabled (fixed VCGs).
The following guidelines apply to fixed VCGs:
• Members can be added or removed from VCGs using CTC or TL1.
• Members cannot be put into or out of service unless the force command mode is instantiated.
Note This is possible with CTC as it assumes the force command mode by default. However, to
put members into or out of service using TL1, the force command mode must be set.
• Cross-connects can be added or removed from VCGs using CTC or TL1. This is service affecting
as long as the VCG size (TXCOUNT) is not realigned with the loss of connections.
The CE-1000-4 card supports VCAT differential delay and provides these associated features:
• Supports a maximum VCG differential delay of 122 ms in each direction.
• Supports all protection schemes (path protection, two-fiber BLSR, four-fiber BLSR) on VCAT
circuits that are split-fiber routed.
• Supports 2-fiber on VCAT circuits that are common-fiber routed.
• Differential delay compensation is automatically enabled on VCAT circuits that are diverse (split
fiber) routed and disabled on VCAT circuits that are common-fiber routed.
Figure 5-11 shows the CE-1000-4 card faceplate and block diagram.
Figure 5-11 CE-1000-4 Faceplate and Block Diagram
5.12.1 CE-1000-4 Card-Level Indicators
The CE-1000-4 card faceplate has two card-level LED indicators, described in Table 5-23.
[Figure 5-11 block diagram labels: faceplate with FAIL and ACT LEDs and Rx/Tx ports 1 to 4 with ACT/LNK LEDs; four GigE GBICs, SERDES, clock generation (50 MHz, 100 MHz, 125 MHz, 155 MHz), Malena FPGA, TADM, Altera, 8260 processor with SDRAM, Flash and decode PLD, buffer memory, CDR framer, Quicksilver FPGA, differential delay memory, BTC192, BPIA Main/Protect RX and TX, STS48 backplane interface, power (5V, 3.3V, 2.5V, 1.8V, -1.7V, -48V)]
Note If the CE-1000-4 card is inserted in a slot that has been preprovisioned for a different type of card, the
red FAIL LED and the green ACT LED will flash alternately until the configuration mismatch is
resolved.
5.12.2 CE-1000-4 Port-Level Indicators
The CE-1000-4 card provides a pair of LEDs for each Gigabit Ethernet port: an amber LED for activity
(ACT) and a green LED for link status (LINK). Table 5-24 describes the status that each color represents.
5.12.3 Cross-Connect and Slot Compatibility
The CE-1000-4 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and
XC-VXC-10G cards. When the shelf uses the XCVT card, the CE-1000-4 card can only be installed in
Slots 5, 6, 12, and 13.
5.13 CE-MR-10 Card
Note For hardware specifications, see the “A.7.7 CE-MR-10 Card Specifications” section on page A-51.
Table 5-23 CE-1000-4 Card-Level Indicators
Card-Level LEDs Description
FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the CE-1000-4 card. As part of the
boot sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the CE-1000-4 card.
When the ACT LED is green, it indicates that the CE-1000-4 card is active
and the software is operational.
Table 5-24 CE-1000-4 Port-Level Indicators
Port-Level Indicators Description
Off No link exists to the Ethernet port.
Steady amber A link exists to the Ethernet port, but traffic flow is inhibited. For
example, a lack of circuit setup, an error on the line, or a disabled port
might inhibit traffic flow.
Solid green A link exists to the Ethernet port, but no traffic is carried on the port.
Flashing green A link exists to the Ethernet port, and traffic is carried on the port. The
LED flash rate reflects the traffic rate for that port.
The CE-MR-10 card provides ten IEEE 802.3-compliant 10/100/1000-Mbps Gigabit Ethernet ports at
the ingress. At the egress, the CE-MR-10 card provides an integrated Ethernet-over-SONET mapper with
ten virtual ports to transfer Ethernet packets over a SONET network.
The CE-MR-10 card uses pluggable SFPs to transport Ethernet traffic over a SONET network. SFP
modules are offered as separate orderable products for flexibility. For details, see the “5.14 Ethernet
Card GBICs and SFPs” section on page 5-34.
The Ethernet frames are encapsulated using the ITU-T generic framing procedure (GFP) (with or
without CRC) or LEX, the Point-to-Point Protocol (PPP) with high-level data link control (HDLC).
The Ethernet ports automatically configure to operate at either half or full duplex and can determine
whether to enable or disable flow control. The Ethernet ports can also be oversubscribed using flow
control.
The CE-MR-10 card supports the link capacity adjustment scheme (LCAS), which allows hitless
dynamic adjustment of SONET link bandwidth. The CE-MR-10 card's LCAS is hardware-based, but the
CE-MR-10 also supports software LCAS (SW-LCAS). This makes it compatible with ML-Series cards,
which support only SW-LCAS, along with G-Series and CE-Series cards. The CE-MR-10 card also
supports the non-link capacity adjustment scheme (non-LCAS). The CE-MR-10 card supports both
flexible and fixed VCAT groups (VCG).
Note The SW-LCAS is not supported on CE-MR-10 cards for interoperation with the CE-100T-8 and
ML-MR-10 cards.
Note The CE-MR-10 card does not support interoperation between the LCAS and non-LCAS circuits.
The Ethernet frames can be mapped into:
• T1X1 G.707-based high-order virtual concatenated (HO VCAT) payloads
– STS-3c-nv, where n is 1 to 7
– STS-1-nv, where n is 1 to 21
• T1X1 G.707-based low-order virtual concatenated (LO VCAT) payloads
– VT1.5-nv, where n is 1 to 64
• Contiguously concatenated (CCAT) SONET payloads
– Standard CCAT sizes (STS-1, STS-3c, STS-12c, STS-24c, and STS-48c)
– Non-standard CCAT sizes (STS-6c and STS-9c)
To configure a CE-MR-10 card circuit, refer to the “Create Circuits and Tunnels” chapter in the
Cisco ONS 15454 Procedure Guide.
The CE-MR-10 card provides multiple management options through CTC, CTM, TL1, and SNMP.
Figure 5-12 shows the CE-MR-10 card faceplate and block diagram.
Figure 5-12 CE-MR-10 Faceplate and Block Diagram
Note The backplane capacity of the CE-MR-10 card is 10 Gigabit Ethernet ports in slots 5, 6, 12, and 13 and
2.5 Gigabit Ethernet ports in slots 1 to 4 and 14 to 17.
5.13.1 CE-MR-10 Card-Level Indicators
The CE-MR-10 card faceplate has two card-level LED indicators, described in Table 5-25.
[Figure 5-12 block diagram labels: faceplate with FAIL and ACT LEDs and TX/RX ports 1 to 10 with LINK/ACT LEDs; ten SFPs, five BCM5482S PHYs, Marvell 10G MAC MV82119, FCC (2x) and SP14 interfaces, MPC8555 subsystem, Super Carrera ASIC, MP41 and MP4E FPGAs, QDR2 (1Mx36) and RLDRAM2 (8Mx36) memories, IBPIA, Backplane]
5.13.2 CE-MR-10 Port-Level Indicators
The CE-MR-10 card provides a pair of LEDs for each port: an amber LED for activity (ACT) and a green
LED for link status (LINK).
Table 5-26 describes the status that each color represents.
5.13.3 Cross-Connect and Slot Compatibility
The CE-MR-10 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and
XC-VXC-10G cards. It is not compatible with the XCVT card.
Caution Fan-tray assembly 15454-CC-FTA (ANSI shelf) must be installed in a shelf where a CE-MR-10 card is
installed.
5.13.4 CE-MR-10 Card Differential Delay
The differential delay has been hardcoded to 55 ms for high-order circuits in high-speed slots and 175 ms
for low-order circuits in high-speed slots. For all other slots and circuit combinations, it has been
hardcoded to 135 ms.
Table 5-25 CE-MR-10 Card-Level Indicators
Card-Level LEDs Description
FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a
catastrophic software failure occurred on the card. As part of the boot
sequence, the FAIL LED is turned on until the software deems the card
operational.
ACT LED (Green) The green ACT LED provides the operational status of the CE-1000-4 card.
When the ACT LED is green, it indicates that the CE-1000-4 card is active
and the software is operational.
Table 5-26 CE-MR-10 Port-Level Indicators
Port-Level Indicators Description
Off No link exists to the Ethernet port.
Steady amber A link exists to the Ethernet port, but traffic flow is inhibited. For
example, a lack of circuit setup, an error on the line, or a disabled port
might inhibit traffic flow.
Solid green A link exists to the Ethernet port, but no traffic is carried on the port.
Flashing green A link exists to the Ethernet port, and traffic is carried on the port. The
LED flash rate reflects the traffic rate for that port.
5.14 Ethernet Card GBICs and SFPs
This section describes the GBICs and SFPs used with the Ethernet cards.
The ONS 15454 Ethernet cards use industry standard SFPs and GBIC modular receptacles. The
ML-MR-10, ML100X-8, ML1000-2, and CE-MR-10 cards use standard Cisco SFPs. The Gigabit
E-Series, G1K-4, and CE-1000-4 cards use standard Cisco GBICs. With Software Release 4.1 and later,
G-Series cards can also be equipped with dense wavelength division multiplexing (DWDM) and coarse
wavelength division multiplexing (CWDM) GBICs to function as Gigabit Ethernet transponders.
For all Ethernet cards, the type of GBIC or SFP plugged into the card is displayed in CTC and TL1. Cisco
offers SFPs and GBICs as separate orderable products.
5.14.1 Compatibility by Card
Table 5-27 shows the GBICs for the E1000-2-G, G1K-4, or CE-1000-4 cards.
Note The GBICs are very similar in appearance. Check the GBIC label carefully before installing it.
Table 5-28 shows the available SFPs and XFPs for Ethernet cards.
Table 5-27 Available GBICs
GBIC | Associated Cards | Application | Fiber | Product Number
1000BASE-SX | E1000-2-G, G1K-4, CE-1000-4 | Short reach | Multimode fiber up to 550 m long | 15454E-GBIC-SX=, 15454-GBIC-SX, ONS-GC-GE-SX
1000BASE-LX | E1000-2-G, G1K-4, CE-1000-4 | Long reach | Single-mode fiber up to 5 km long | 15454E-GBIC-LX=, 15454-GBIC-LX, ONS-GC-GE-LX
1000BASE-ZX | G1K-4, CE-1000-4 | Extra long reach | Single-mode fiber up to 70 km long | 15454E-GBIC-ZX=, 15454-GBIC-ZX, ONS-GC-GE-ZX
Table 5-28 Available SFPs and XFPs
SFP/XFP | Associated Cards | Application | Fiber | Product Number
1000BASE-SX | ML1000-2 | Short reach | Multimode fiber up to 550 m long | ONS-SC-GE-SX
1000BASE-SX | ML1000-2, ML-MR-10, CE-MR-10 | Short reach | 850 nm multimode fiber up to 500 m long | ONS-SI-GE-SX
1000BASE-LX | ML1000-2 | Long reach | Single-mode fiber up to 5 km long | ONS-SC-GE-LX
1000BASE-LX | ML1000-2, ML-MR-10, CE-MR-10 | Long reach | 1310 nm single-mode fiber up to 10 km long | ONS-SI-GE-LX
1000BASE-ZX | ML1000-2, ML-MR-10, CE-MR-10 | Extra long reach | 1550 nm single-mode fiber | ONS-SI-GE-ZX
100BASE-FX | ML100X-8 | Short reach | 1310 nm multimode fiber up to 2 km long | ONS-SE-100-FX
100BASE-FX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1310 nm multimode fiber | ONS-SI-100-FX
100BASE-LX10 | ML100X-8 | Long reach | 1310 nm single-mode fiber | ONS-SE-100-LX10
100BASE-LX10 | ML100X-8, ML-MR-10, CE-MR-10 | Long reach | 1310 nm single-mode fiber | ONS-SI-100-LX10
10/100/1000BASE-T | ML-MR-10, CE-MR-10 | Short reach | RJ45 | ONS-SE-ZE-EL
100BASE-BX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1550 nm RX | ONS-SE-100-BX10U
100BASE-BX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1310 nm RX | ONS-SE-100-BX10D
E1/DS1 over Fast Ethernet | ML-MR-10, CE-MR-10 | — | — | ONS-SC-E1-T1-PW (Release 9.2 only)
E3/DS3 PDH over Fast Ethernet | ML-MR-10, CE-MR-10 | — | — | ONS-SC-E3-T3-PW (Release 9.2 only)
5.14.2 Speed-Duplex Combinations on SFPs
Table 5-29 through Table 5-33 provide information on the speed-duplex combinations supported on
different SFP types for ML-MR-10 and CE-MR-10 cards.
Table 5-29 Speed-Duplex Matrix for Electrical 10/100/1000Base-T SFPs
Speed Configuration
Duplex Configuration
(Y- Supported, N-Not supported)
Full Half Auto5-36
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 5 Ethernet Cards
5.14.2 Speed-Duplex Combinations on SFPs
10 Mbps Y Y Y
100 Mbps YY Y
1000 Mbps Y N Y
Auto YY Y
Table 5-29 Speed-Duplex Matrix for Electrical 10/100/1000Base-T SFPs
Table 5-30 Speed-Duplex Matrix for Optical 1000BaseSX/LX/ZX SFPs
Speed Configuration
Duplex Configuration
(Y- Supported, N-Not supported)
Full Half Auto
10 Mbps NN N
100 Mbps NN N
1000 Mbps YN Y
Auto YN Y
Table 5-31 Speed-Duplex Matrix for Optical 100Base FX/LX10/BX-D/BX-U SFPs
Speed Configuration
Duplex Configuration
(Y- Supported, N-Not supported)
Full Half Auto
10 Mbps NN N
100 Mbps YN N
1000 Mbps NN N
Auto NN N
Table 5-32 Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP
Speed Configuration
Duplex Configuration
(Y- Supported, N-Not supported)
Full Half Auto
10 Mbps NN N
100 Mbps YN N
1000 Mbps NN N
Auto NN N5-37
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 5 Ethernet Cards
Table 5-33 Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP
(Y = supported, N = not supported)

Speed Configuration | Duplex Full | Duplex Half | Duplex Auto
10 Mbps             | N           | N           | N
100 Mbps            | Y           | N           | N
1000 Mbps           | N           | N           | N
Auto                | N           | N           | N
5.14.3 GBIC Description
GBICs are integrated fiber optic transceivers that provide high-speed serial links from a port or slot to
the network. Various latching mechanisms can be utilized on the GBIC pluggable modules. There is no
correlation between the type of latch and the model type (such as SX or LX/LH) or technology type (such
as Gigabit Ethernet). See the label on the GBIC for technology type and model. One GBIC model has
two clips (one on each side of the GBIC) that secure the GBIC in the slot on the Ethernet card; the other
has a locking handle. Both types are shown in Figure 5-13.
GBIC dimensions are:
• Height 0.39 in. (1 cm)
• Width 1.18 in. (3 cm)
• Depth 2.56 in. (6.5 cm)
GBIC temperature ranges are:
• COM—Commercial operating temperature range –5 degrees C to 70 degrees C (23 degrees F to
158 degrees F)
• EXT—Extended operating temperature range –5 degrees C to 85 degrees C (23 degrees F to
185 degrees F)
• IND—Industrial operating temperature range –40 degrees C to 85 degrees C (-40 degrees F to
185 degrees F)
Figure 5-13 GBICs with Clips (left) and with a Handle (right)
[Figure: a GBIC secured by two clips on the left and a GBIC with a locking handle on the right; callouts mark the transmitter and receiver on each.]
5.14.4 G1K-4 DWDM and CWDM GBICs
DWDM (15454-GBIC-xx.x, 15454E-GBIC-xx.x) and CWDM (15454-GBIC-xxxx,
15454E-GBIC-xxxx) GBICs operate in an ONS 15454 G-Series card when the card is configured in
Gigabit Ethernet Transponding mode or in Ethernet over SONET mode. DWDM and CWDM GBICs are
both wavelength division multiplexing (WDM) technologies and operate over single-mode fibers with SC
connectors. Cisco CWDM GBIC technology uses a 20 nm wavelength grid and Cisco ONS 15454 DWDM
GBIC technology uses a 1 nm wavelength grid. CTC displays the specific wavelengths of the installed
CWDM or DWDM GBICs. DWDM wavelengths are spaced closer together and require more precise lasers
than CWDM. The DWDM spectrum allows for optical signal amplification. For more information on
G-Series card transponding mode, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card
Software Feature and Configuration Guide.
The DWDM and CWDM GBICs receive across the full 1300 nm and 1500 nm bands, which includes all
CWDM, DWDM, LX/LH, ZX wavelengths, but transmit on one specified wavelength. This capability
can be exploited in some of the G-Series transponding modes by receiving wavelengths that do not match
the specific transmission wavelength.
Note G1K-4 cards with the Common Language Equipment Identification (CLEI) code of WM5IRWPCAA
(manufactured after August 2003) support CWDM and DWDM GBICs. G1K-4 cards manufactured prior
to August 2003 do not support CWDM or DWDM GBICs.
The ONS 15454-supported CWDM GBICs reach up to 100 to 120 km over single-mode fiber and support
eight wavelengths as shown in Table 5-34.
The ONS 15454-supported DWDM GBICs reach up to 100 to 120 km over single-mode fiber and
support 32 different wavelengths in the red and blue bands. Paired with optical amplifiers, such as the
Cisco ONS 15216, the DWDM GBICs allow maximum unregenerated spans of approximately 300 km
(Table 5-35).
CWDM or DWDM GBICs for the G-Series card come in set wavelengths and are not provisionable. The
wavelengths are printed on each GBIC, for example, CWDM-GBIC-1490. The user must insert the
specific GBIC transmitting the wavelength required to match the input of the CWDM/DWDM device for
successful operation (Figure 5-14). Follow your site plan or network diagram for the required
wavelengths.
Table 5-34 Supported Wavelengths for CWDM GBICs

CWDM GBIC Wavelength     | 1470 nm | 1490 nm | 1510 nm | 1530 nm | 1550 nm | 1570 nm | 1590 nm | 1610 nm
Corresponding GBIC Color | Gray    | Violet  | Blue    | Green   | Yellow  | Orange  | Red     | Brown
Band                     | 47      | 49      | 51      | 53      | 55      | 57      | 59      | 61

Table 5-35 Supported Wavelengths for DWDM GBICs

Blue Band | 1530.33 nm | 1531.12 nm | 1531.90 nm | 1532.68 nm | 1534.25 nm | 1535.04 nm | 1535.82 nm | 1536.61 nm
          | 1538.19 nm | 1538.98 nm | 1539.77 nm | 1540.56 nm | 1542.14 nm | 1542.94 nm | 1543.73 nm | 1544.53 nm
Red Band  | 1546.12 nm | 1546.92 nm | 1547.72 nm | 1548.51 nm | 1550.12 nm | 1550.92 nm | 1551.72 nm | 1552.52 nm
          | 1554.13 nm | 1554.94 nm | 1555.75 nm | 1556.55 nm | 1558.17 nm | 1558.98 nm | 1559.79 nm | 1560.61 nm
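Because the GBIC wavelength is fixed in hardware and not provisionable, the only defence against a GBIC that does not match the mux input is a check before the card is cabled. The script below is an added example, not Cisco code and not CTC output. Its one assumption, which the manual does not state, is that the 32 DWDM wavelengths in Table 5-35 are ITU-T G.694.1 100 GHz grid channels taken in runs of four (one channel skipped between runs) starting at 195.9 THz and 193.9 THz; the self-check shows the table matches that grid to 0.01 nm. The function names and the half-pitch tolerance used to identify a channel are this example's own.

```python
"""Reproduce Table 5-35 from the ITU 100 GHz grid and check a GBIC against a mux input.

Added example, not Cisco code.  Assumption: each DWDM GBIC wavelength is a
100 GHz grid channel (see lead-in); CWDM channels sit on the 20 nm grid of
Table 5-34 (1470 nm to 1610 nm).
"""
C_M_PER_S = 299_792_458   # speed of light; c[m/s] / wavelength[nm] gives frequency in GHz


def grid_wavelength_nm(freq_ghz: int) -> float:
    """Vacuum wavelength in nm of a grid frequency given in GHz (lambda = c / f)."""
    return C_M_PER_S / freq_ghz


def dwdm_gbic_channels():
    """(frequency GHz, wavelength nm) for the 32 channels of Table 5-35, in table order."""
    chans = []
    # blue band runs start at 195.9 and 194.9 THz, red band runs at 193.9 and 192.9 THz
    for start_ghz in (195_900, 194_900, 193_900, 192_900):
        # four adjacent 100 GHz channels, skip one, four more
        for offset in (0, 100, 200, 300, 500, 600, 700, 800):
            f = start_ghz - offset
            chans.append((f, round(grid_wavelength_nm(f), 2)))
    return chans


# Table 5-35 as printed in the manual (nm), blue band then red band
TABLE_5_35_NM = [
    1530.33, 1531.12, 1531.90, 1532.68, 1534.25, 1535.04, 1535.82, 1536.61,
    1538.19, 1538.98, 1539.77, 1540.56, 1542.14, 1542.94, 1543.73, 1544.53,
    1546.12, 1546.92, 1547.72, 1548.51, 1550.12, 1550.92, 1551.72, 1552.52,
    1554.13, 1554.94, 1555.75, 1556.55, 1558.17, 1558.98, 1559.79, 1560.61,
]


def table_matches_grid() -> bool:
    """Self-check: the computed grid reproduces every wavelength in Table 5-35."""
    return [nm for _, nm in dwdm_gbic_channels()] == TABLE_5_35_NM


def channel_of(nm: float, grid: str):
    """Identify the grid channel a wavelength belongs to.

    DWDM: nearest 100 GHz frequency (returned in GHz).
    CWDM: nearest 20 nm grid point measured from 1470 nm (returned in nm).
    """
    if grid == "dwdm":
        return round(C_M_PER_S / nm / 100) * 100
    if grid == "cwdm":
        return 1470 + round((nm - 1470) / 20) * 20
    raise ValueError(f"unknown grid {grid!r}")


def gbic_matches_mux(gbic_nm: float, mux_input_nm: float, grid: str) -> bool:
    """True only when the GBIC's transmit wavelength lands on the same channel as the mux input."""
    return channel_of(gbic_nm, grid) == channel_of(mux_input_nm, grid)


if __name__ == "__main__":
    print("table matches 100 GHz grid:", table_matches_grid())
    for f, nm in dwdm_gbic_channels():
        print(f"{f / 1000:.1f} THz  {nm:.2f} nm")
    print("1550.12 GBIC on 1550.92 mux input:", gbic_matches_mux(1550.12, 1550.92, "dwdm"))
```

Feed it the wavelength printed on the GBIC and the wavelength from the site plan for the mux port; adjacent DWDM channels are only 0.8 nm apart, so a comparison on channel identity rather than on a loose nanometre tolerance is what catches a wrong-channel GBIC.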
Figure 5-14 CWDM GBIC with Wavelength Appropriate for Fiber-Connected Device
[Figure: a CWDM-GBIC-1470 in port 1 of a G1K card, with its fiber optic connection to the 1470-nm input of a CWDM mux.]
A G-Series card equipped with CWDM or DWDM GBICs supports the delivery of unprotected Gigabit
Ethernet service over Metro DWDM (Figure 5-15). It can be used in short-haul and long-haul
applications.
Figure 5-15 G-Series with CWDM/DWDM GBICs in Cable Network
[Figure: an ONS node with G-Series cards and CWDM/DWDM GBICs sends GigE over lambdas into a CWDM/DWDM mux; at the far end a CWDM/DWDM demux delivers conventional GigE signals to QAM, VoD, and HFC equipment.]
5.14.5 SFP Description
SFPs are integrated fiber-optic transceivers that provide high-speed serial links from a port or slot to the
network. Various latching mechanisms can be utilized on the SFP modules. There is no correlation
between the type of latch and the model type (such as SX or LX/LH) or technology type (such as Gigabit
Ethernet). See the label on the SFP for technology type and model. One type of latch available is a mylar
tab (Figure 5-16), a second type of latch available is an actuator/button (Figure 5-17), and a third type
of latch is a bail clasp (Figure 5-18).
SFP dimensions are:
• Height 0.33 in. (8.5 mm)
• Width 0.53 in. (13.4 mm)
• Depth 2.22 in. (56.5 mm)
SFP temperature ranges are:
• COM—Commercial operating temperature range –5 degrees C to 70 degrees C (23 degrees F to
158 degrees F)
• EXT—Extended operating temperature range –5 degrees C to 85 degrees C (23 degrees F to
185 degrees F)
• IND—Industrial operating temperature range –40 degrees C to 85 degrees C (-40 degrees F to
185 degrees F)
Figure 5-16 Mylar Tab SFP
Figure 5-17 Actuator/Button SFP
Figure 5-18 Bail Clasp SFP
CHAPTER 6 Storage Access Networking Cards
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
The Fibre Channel Multirate 4-Port (FC_MR-4) card is a 1.0625- or 2.125-Gbps Fibre Channel/fiber
connectivity (FICON) card that integrates non-SONET framed protocols into a SONET time-division
multiplexing (TDM) platform through virtually concatenated payloads. For installation and step-by-step
circuit configuration procedures, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 6.1 FC_MR-4 Card Overview, page 6-1
• 6.2 FC_MR-4 Card Modes, page 6-4
• 6.3 FC_MR-4 Card Application, page 6-7
• 6.4 FC_MR-4 Card GBICs and SFPs, page 6-8
6.1 FC_MR-4 Card Overview
Note For hardware specifications, see the “A.8 Storage Access Networking Card Specifications” section on
page A-53.
The FC_MR-4 card uses pluggable Gigabit Interface Converters (GBICs) to transport
non-SONET/SDH-framed, block-coded protocols over SONET/SDH. The FC_MR-4 enables four client
Fibre Channel (FC) ports to be transported over SONET/SDH, encapsulating the frames using the ITU-T
generic framing procedure (GFP) format and mapping them into either T1X1 G.707-based virtual
concatenated (VCAT) payloads or standard contiguously concatenated SONET payloads. The FC_MR-4
card has the following features:
• Four FICON ports operating at 1 Gbps or 2 Gbps
– All four ports can be operational at any time due to subrate support
– Advanced distance extension capability (buffer-to-buffer credit spoofing)
• Pluggable GBIC optics
– Dual rate (1G/2G): MM (550 m) and SM (10 km)
– Single rate (1G): SX (550 m) and LX (10 km)
• SONET/SDH support
– Four 1.0625-Gbps FC channels can be mapped into one of the following:
SONET containers as small as STS1-1v (subrate)
SDH containers as small as VC4-1v (subrate)
SONET/SDH containers as small as STS-18c/VC4-6v (full rate)
– Four 2.125-Gbps FC channels can be mapped into one of the following:
SONET containers as small as STS1-1v (subrate)
SDH containers as small as VC4-1v (subrate)
SONET/SDH containers as small as STS-36c/VC4-12v (full rate)
• Frame encapsulation: ITU-T G.7041 transparent generic framing procedure (GFP-T)
• High-order SONET/SDH VCAT support (STS1-Xv and STS-3c-Xv/VC4-Xv)
• Differential delay support for VCAT circuits
• Interoperation with the Cisco MDS 9000 switches
Figure 6-1 shows the FC_MR-4 faceplate and block diagram.
Figure 6-1 FC_MR-4 Faceplate and Block Diagram
[Figure: faceplate with FAIL and ACT LEDs and four Rx/Tx ports, each with an ACT/LNK LED; block diagram with four GBIC optics feeding a SERDES and the RUDRA FPGA, a QUICKSILVER VCAT processor, a decode-and-control PLD, TADM and IBPIA blocks, a BTC 192 CDR plus SONET framer, an MPC8250 with flash and SDRAM, QDR and DDR memory, and the backplane connection.]
6.1.1 FC_MR-4 Card-Level Indicators
Table 6-1 describes the two card-level LEDs on the FC_MR-4 card.
Table 6-1 FC_MR-4 Card-Level Indicators

Card-Level Indicator | Description
FAIL LED (Red)       | The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT LED (Green)      | If the ACT LED is green, the card is operational and ready to carry traffic.
ACT LED (Amber)      | If the ACT LED is amber, the card is rebooting.
6.1.2 FC_MR-4 Port-Level Indicators
Each FC_MR-4 port has a corresponding ACT/LNK LED. The ACT/LNK LED is solid green if the port
is available to carry traffic, is provisioned as in-service, and is in the active mode. The ACT/LNK LED
is flashing green if the port is carrying traffic. The ACT/LNK LED is steady amber if the port is not
enabled and the link is connected, or if the port is enabled and the link is connected but there is a
SONET/SDH transport error. The ACT/LNK LED is not lit if there is no link.
You can find the status of the card ports using the LCD screen on the ONS 15454 SDH fan-tray assembly.
Use the LCD to view the status of any port or card slot; the screen displays the number and severity of
alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete
description of the alarm messages.
6.1.3 FC_MR-4 Compatibility
The FC_MR-4 cards can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and
XC-VXC-10G cards. When the shelf uses the XCVT card, the FC_MR-4 can be used only in the
high-speed slots (Slots 5, 6, 12, and 13).
The FC_MR-4 card can be provisioned as part of any valid ONS 15454 SONET/SDH network topology,
such as a path protection, bidirectional line switched ring (BLSR), or linear network topologies. The
FC_MR-4 card is compatible with Software Release 4.6 and greater.
6.2 FC_MR-4 Card Modes
The FC_MR-4 card can operate in two different modes:
• Line rate mode—This mode is backward compatible with the Software R4.6 Line Rate mode.
• Enhanced mode—This mode supports subrate, distance extension, differential delay, and other
enhancements.
The FC_MR-4 card reboots when a card mode changes (a traffic hit results). The Field Programmable
Gate Array (FPGA) running on the card upgrades to the required image. However, the FPGA image in
the card’s flash memory is not modified.
6.2.1 Line-Rate Card Mode
The mapping for the line rate card mode is summarized here.
• 1 Gbps Fibre Channel/FICON is mapped into:
– STS-24c, STS-48c
– VC4-8c, VC4-16c
– STS1-Xv where X is 19 to 24
– STS3c-Xv where X is 6 to 8
– VC4-Xv where X is 6 to 8
• 2 Gbps Fibre Channel/FICON is mapped into:
– STS-48c
– VC4-16c
– STS-1-Xv where X is 37 to 48
– STS-3c-Xv where X is 12 to 16
– VC4-Xv where X is 12 to 16
6.2.2 Enhanced Card Mode
The features available in enhanced card mode are given in this section.
6.2.2.1 Mapping
1 Gbps Fibre Channel/FICON is mapped into:
– STS-1, STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-48c
– VC4-1c, VC4-2c, VC4-3c, VC4-4c, VC4-6c, VC4-8c, VC4-16c
– STS-1-Xv where X is 1 to 24
– STS-3c-Xv where X is 1 to 8
– VC4-Xv where X is 1 to 8
2 Gbps Fibre Channel/FICON is mapped into:
– STS-1, STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-36c, STS-48c
– VC4-1c, VC4-2c, VC4-3c, VC4-4c, VC4-6c, VC4-8c, VC4-12c, VC4-16c
– STS-1-Xv where X is 1 to 48
– STS-3c-Xv where X is 1 to 16
– VC4-Xv where X is 1 to 16
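The container minima above are not arbitrary: the full-rate figures (STS-18c/VC4-6v for 1 Gbps, STS-36c/VC4-12v for 2 Gbps) and the line-rate VCAT ranges (STS-1-Xv from X = 19 and X = 37, STS-3c-Xv from X = 6 and X = 12) all fall out of the GFP-T mapping overhead against the payload capacity of each container. The script below is an added example, not Cisco code, and reproduces those numbers under stated assumptions: the Fibre Channel line rate is 8B/10B coded, GFP-T (ITU-T G.7041) packs 8 client characters into one 65-bit block and 8 blocks plus a 16-bit CRC into one 536-bit superblock per 640 line bits, per-frame GFP core and payload headers are ignored, and container payloads are the GR-253/G.707 figures (STS-1: 84 payload columns after the POH and two fixed-stuff columns; STS-3c/VC-4: 260 columns; STS-Nc with N = 3m: 87N minus one POH column and N/3 - 1 fixed-stuff columns). Any engineering margin Cisco applied is not on the page and is not modelled.

```python
"""Bandwidth arithmetic behind the FC_MR-4 container minima.

Added example, not Cisco code.  See the lead-in for the assumptions: GFP-T
superblock overhead only, and standard SONET/SDH payload column counts.
"""
from math import ceil

FRAME_RATE_HZ = 8000      # one SONET/SDH frame every 125 us
BITS_PER_COLUMN = 9 * 8   # 9 rows of one byte per column per frame


def payload_mbps(columns: int) -> float:
    """Usable payload rate of a container that offers `columns` payload columns."""
    return columns * BITS_PER_COLUMN * FRAME_RATE_HZ / 1e6


STS1_MBPS = payload_mbps(84)     # 48.384 Mbps: one member of an STS-1-Xv group
STS3C_MBPS = payload_mbps(260)   # 149.76 Mbps: one member of an STS-3c-Xv / VC4-Xv group


def sts_nc_mbps(n: int) -> float:
    """Payload of a contiguously concatenated STS-Nc (N = 1 or a multiple of 3)."""
    if n == 1:
        return STS1_MBPS
    if n % 3:
        raise ValueError("STS-Nc requires N = 1 or a multiple of 3")
    return payload_mbps(87 * n - n // 3)   # one POH column plus N/3 - 1 fixed-stuff columns


def gfp_t_required_mbps(line_rate_gbps: float) -> float:
    """Transport rate needed to carry an 8B/10B client transparently with GFP-T.

    64 client characters = 640 line bits become 8 x 65-bit blocks + 16-bit CRC = 536 bits.
    """
    return line_rate_gbps * 1e3 * 536 / 640


def min_vcat_members(line_rate_gbps: float, member_mbps: float) -> int:
    """Smallest X such that X members carry the GFP-T encoded client."""
    return ceil(gfp_t_required_mbps(line_rate_gbps) / member_mbps)


# the contiguous container sizes the card lists for enhanced mode
CONTIGUOUS_SIZES = (1, 3, 6, 9, 12, 18, 24, 36, 48)


def min_contiguous(line_rate_gbps: float) -> int:
    """Smallest listed STS-Nc whose payload carries the client at full rate."""
    need = gfp_t_required_mbps(line_rate_gbps)
    for n in CONTIGUOUS_SIZES:
        if sts_nc_mbps(n) >= need:
            return n
    raise ValueError("no listed container is large enough")


def full_rate_summary(line_rate_gbps: float) -> dict:
    return {
        "required_mbps": gfp_t_required_mbps(line_rate_gbps),
        "sts1_xv_min": min_vcat_members(line_rate_gbps, STS1_MBPS),
        "sts3c_xv_min": min_vcat_members(line_rate_gbps, STS3C_MBPS),
        "sts_nc_min": min_contiguous(line_rate_gbps),
    }


if __name__ == "__main__":
    for rate in (1.0625, 2.125):   # 1G and 2G Fibre Channel line rates
        s = full_rate_summary(rate)
        print(f"{rate} Gbps FC needs {s['required_mbps']:.2f} Mbps: "
              f"STS-1-{s['sts1_xv_min']}v, STS-3c-{s['sts3c_xv_min']}v, STS-{s['sts_nc_min']}c")
```

The interesting edge is STS-1-18v: eighteen STS-1 members give only 870.9 Mbps because each member pays its own POH and fixed-stuff columns, while STS-18c gives 898.56 Mbps from the same line capacity, so 1 Gbps full rate needs 19 VCAT members but only an 18c contiguous container, exactly as the mapping lists say.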
6.2.2.2 SW-LCAS
A VCAT group (VCG) is reconfigurable when the software link capacity adjustment scheme (SW-LCAS)
is enabled, as follows:
• Out-of-service (OOS) and out-of-group (OOG) members can be removed from VCG
• Members with deleted cross-connects can be removed from VCGs
• Errored members can be autonomously removed from VCGs
• Degraded bandwidth VCGs are supported
• VCG is flexible with SW-LCAS enabled (VCG can run traffic as soon as the first cross-connect is
provisioned on both sides of the transport)
6.2.2.3 Distance Extension
The following list describes the FC_MR-4 card distance extension capabilities:
• Enabling of a storage access networking (SAN) extension over long distances through
buffer-to-buffer (B2B) credit spoofing.
– 2300 km for 1G ports (longer distances supported with lesser throughput)
– 1150 km for 2G ports (longer distances supported with lesser throughput)
• Negotiation mechanism to identify whether a far-end FC-over-SONET card supports the Cisco
proprietary B2B mechanism
• Auto detection of FC switch B2B credits from FC-SW standards-based exchange link parameters
(ELP) frames
• Support for manual provisioning of credits based on FC switch credits
• Automatic GFP buffer adjustment based on round-trip latency between two SL ports
• Automatic credit recovery during SONET switchovers/failures
• Insulation for FC switches from any SONET switchovers; no FC fabric reconvergences for SONET
failures of less than or equal to 60 ms
6.2.2.4 Differential Delay Features
The combination of VCAT, SW-LCAS, and GFP specifies how to process information for data and
storage clients. The resulting operations introduce delays. Their impact depends on the type of service
being delivered. For example, storage requirements call for very low latency, as opposed to traffic such
as e-mail where latency variations are not critical.
With VCAT, SONET paths are grouped to aggregate bandwidth to form VCGs. Because each VCG
member can follow a unique physical route through a network, there are differences in propagation
delay, and possibly processing delays between members. The overall VCG propagation delay
corresponds to that of the slowest member. The VCAT differential delay is the relative arrival time
measurement between members of a VCG. The FC_MR-4 card is able to handle VCAT differential delay
and provides these associated features:
• Supports a maximum of 122 ms of delay difference between the shortest and longest paths.
• Supports diverse fiber routing for VCAT circuit.
• All protection schemes are supported (path protection, automatic protection switching [APS],
2-fiber BLSR, 4-fiber BLSR).
• Supports routing of VCAT group members through different nodes in the SONET network.
• Differential delay compensation is automatically enabled on VCAT circuits that are diverse (split
fiber) routed, and disabled on VCAT circuits that are common fiber routed.
Note Differential delay support for VCAT circuits is supported by means of a TL1 provisioning parameter
(EXTBUFFERS) in the ENT-VCG command.
6.2.2.5 Interoperability Features
The interoperability features are as follows:
• Maximum frame size setting to prevent accumulation of oversized performance monitoring
parameters for virtual SAN (VSAN) frames
• Ingress filtering disable for attachment to third-party GFP-over-SONET/SDH equipment
• String (port name) provisioning for each fiber channel and FICON interface on the FC_MR-4 card
to allow the MDS Fabric Manager to create link association between a SAN port on a
Cisco MDS 9000 switch and the FC_MR-4 SAN port.
6.2.3 Link Integrity
The link integrity features are as follows:
• Data port disabled if upstream data port is not able to send over SONET/SDH transport
• Data port disabled if SONET/SDH transport is errored
6.2.4 Link Recovery
Link recovery has the following features:
• Reduces the impact of SONET/SDH disruptions on attached Fibre Channel equipment
• Speeds up the recovery of Inter-Switch Links (ISLs)
• Allows monitoring of B2B credit depletion due to SONET outage and full recovery of the credits,
thus preventing the slow decay of bandwidth/throughput
Note Distance extension and link recovery cannot be enabled at the same time.
6.3 FC_MR-4 Card Application
The FC_MR-4 card reliably transports carrier-class, private-line Fibre Channel/FICON transport
service. Each FC_MR-4 card can support up to four 1-Gbps circuits or four 2-Gbps circuits. Four
1.0625-Gbps FC channels can be mapped into containers as small as STS-1 (subrate), with a minimum
of STS-18c/VC4-6v for full rate. Four 2.125-Gbps FC channels can be mapped into containers as small
as STS-1 (sub-rate), with a minimum of STS-36c/VC4-12v for full rate.
The FC_MR-4 card incorporates features optimized for carrier-class applications such as:
• Carrier-class Fibre Channel/FICON
• 50 ms of switch time through SONET/SDH protection as specified in Telcordia GR-253-CORE
Note Protection switch traffic hit times of less than 60 ms are not guaranteed with differential delay in effect.
• Hitless software upgrades
Note Hitless software upgrades are not possible with an activation from Software R5.0 to Software R6.0 or
higher in enhanced card mode. This is because the FPGA must be upgraded to support differential delay
in enhanced mode. Upgrades are still hitless with the line rate mode.
• Remote Fibre Channel/FICON circuit bandwidth upgrades through integrated Cisco Transport
Controller (CTC)
• Multiple management options through CTC, Cisco Transport Manager (CTM), TL1, and Simple
Network Management Protocol (SNMP)
• Differential delay compensation of up to 122 ms for diversely routed VCAT circuits
The FC_MR-4 payloads can be transported over the following protection types:
• Path protection
• BLSR
• Unprotected
• Protection channel access (PCA)
The FC_MR-4 payloads can be transported over the following circuit types:
• STS
• STSn
• STS-V
Note Virtual Tributary (VT) and VT-V circuits are not supported.
The FC_MR-4 card supports VCAT. See the “12.18 Virtual Concatenated Circuits” section on
page 12-34 for more information about VCAT circuits.
6.4 FC_MR-4 Card GBICs and SFPs
The FC_MR-4 uses pluggable GBICs and SFPs for client interfaces. Table 6-2 lists GBICs and SFPs that
are compatible with the FC_MR-4 card. See the 5.14.3 GBIC Description and 5.14.5 SFP Description
sections for more information.
Table 6-2 GBIC and SFP Compatibility

Card                           | Compatible GBIC or SFP (Cisco Product ID)  | Cisco Top Assembly Number (TAN)
FC_MR-4 (ONS 15454 SONET/SDH)  | 15454-GBIC-SX                              | 30-0759-01
                               | 15454E-GBIC-SX                             | 800-06780-01
                               | 15454-GBIC-LX/LH                           | 10-1743-01
                               | 15454E-GBIC-LX/LH                          | 30-0703-01
                               | ONS-GX-2FC-MMI                             | 10-2015-01
                               | ONS-GX-2FC-SML                             | 10-2016-01
                               | ONS-SI-GE-ZX                               | 10-2296-01
                               | ONS-SC-Z3-1470 through ONS-SC-Z3-1610      | 10-2285-01 through 10-2292-01
CHAPTER 7 Card Protection
This chapter explains the Cisco ONS 15454 card protection configurations. To provision card protection,
refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 7.1 Electrical Card Protection, page 7-1
• 7.2 Electrical Card Protection and the Backplane, page 7-5
• 7.3 OC-N Card Protection, page 7-13
• 7.4 Unprotected Cards, page 7-14
• 7.5 External Switching Commands, page 7-14
7.1 Electrical Card Protection
The ONS 15454 provides a variety of electrical card protection methods. This section describes the
protection options. Figure 7-1 on page 7-2 shows a 1:1 protection configuration and Figure 7-2 on
page 7-3 shows a 1:N protection configuration.
This section covers the general concept of electrical card protection. Specific electrical card protection
schemes depend on the type of electrical card as well as the electrical interface assembly (EIA) type used
on the ONS 15454 backplane. Table 7-4 on page 7-6 details the specific electrical card protection
schemes.
Note See Table 1-1 on page 1-16 and Table 1-2 on page 1-17 for the EIA types supported by the
15454-SA-ANSI and 15454-SA-HD (high-density) shelf assemblies.
Caution When a protection switch moves traffic from the working/active electrical card to the protect/standby
electrical card, ports on the new active/standby card cannot be placed out of service as long as traffic is
switched. Lost traffic can result when a port is taken out of service, even if the standby card no longer
carries traffic.
7.1.1 1:1 Protection
In 1:1 protection, a working card is paired with a protect card of the same type. If the working card fails,
the traffic from the working card switches to the protect card. You can provision 1:1 to be revertive or
nonrevertive. If revertive, traffic automatically reverts to the working card after the failure on the
working card is resolved. Figure 7-1 shows an example of the ONS 15454 in a 1:1 protection
configuration. Each working card in an even-numbered slot is paired with a protect card in an
odd-numbered slot: Slot 1 is protecting Slot 2, Slot 3 is protecting Slot 4, Slot 5 is protecting Slot 6,
Slot 17 is protecting Slot 16, Slot 15 is protecting Slot 14, and Slot 13 is protecting Slot 12.
Figure 7-1 Example: ONS 15454 Cards in a 1:1 Protection Configuration (SMB EIA)
Table 7-1 provides supported 1:1 protection by electrical card type.
[Figure: shelf layout with TCC+, XC10G, and optional AIC cards in the centre; on each side, alternating Working and Protect electrical cards in 1:1 protection pairs.]
Table 7-1 Supported 1:1 Protection by Electrical Card

Working Card                        | Protect Card          | Working Slot | Protection Slot
DS1-14 or DS1N-14                   | DS1-14 or DS1N-14     | 2            | 1
DS3-12/DS3-12E or DS3N-12/DS3N-12E  | DS3-12 or DS3N-12     | 4            | 3
DS3i-N-12                           | DS3i-N-12             | 6            | 5
DS3XM-6 (Transmux)                  | DS3XM-6 (Transmux)    | 12           | 13
DS3XM-12 (Transmux)                 | DS3XM-12 (Transmux)   | 14           | 15
                                    |                       | 16           | 17
7.1.2 1:N Protection
1:N protection allows a single electrical card to protect up to five working cards of the same speed. 1:N
cards have added circuitry to act as the protect card in a 1:N protection group. Otherwise, the card is
identical to the standard card and can serve as a normal working card.
The physical DS-1 or DS-3 interfaces on the ONS 15454 backplane use the working card until the
working card fails. When the node detects this failure, the protect card takes over the physical DS-1 or
DS-3 electrical interfaces through the relays and signal bridging on the backplane. Figure 7-2 shows the
ONS 15454 in a 1:N protection configuration. Each side of the shelf assembly has only one card
protecting all of the cards on that side.
Figure 7-2 Example: ONS 15454 Cards in a 1:N Protection Configuration (SMB EIA)
Table 7-2 provides the supported 1:N configurations by electrical card, as well as the card types that can
be used for working and protection cards. Additional engineering rules for 1:N card deployments will
be covered in the following sections.
[Figure: shelf layout with TCC+, XC10G, and optional AIC cards in the centre; on each side, five Working electrical cards and one 1:N Protection card.]
Table 7-2 Supported 1:N Protection by Electrical Card

Working Card                        | Protect Card       | Protect Group (Maximum) | Working Slot        | Protection Slot
DS1-14 or DS1N-14                   | DS1N-14            | N ≤ 5                   | 1, 2, 4, 5, 6       | 3
                                    |                    |                         | 12, 13, 14, 16, 17  | 15
DS1/E1-56                           | DS1/E1-56          | N ≤ 2                   | 1¹, 2²              | 3
                                    |                    |                         | 16³, 17⁴            | 15
DS3-12/DS3-12E or DS3N-12/DS3N-12E  | DS3N-12/DS3N-12E   | N ≤ 5                   | 1, 2, 4, 5, 6       | 3
                                    |                    |                         | 12, 13, 14, 16, 17  | 15
DS3i-N-12                           | DS3i-N-12          | N ≤ 5                   | 1, 2, 4, 5, 6       | 3
                                    |                    |                         | 12, 13, 14, 16, 17  | 15
7.1.2.1 Revertive Switching
7.1.2.1 Revertive Switching
1:N protection supports revertive switching. Revertive switching sends the electrical interfaces (traffic)
back to the original working card after the card comes back online. Detecting an active working card
triggers the reversion process. There is a variable time period for the lag between detection and
reversion, called the revertive delay, which you can set using the ONS 15454 software, Cisco Transport
Controller (CTC). To set the revertive delay, refer to the “Turn Up a Node” chapter in the
Cisco ONS 15454 Procedure Guide. All cards in a protection group share the same reversion settings.
1:N protection groups default to automatic reversion.
Caution A user-initiated switch (external switching command) overrides the revertive delay, that is, clearing the
switch clears the timer.
7.1.2.2 1:N Protection Guidelines
There are two types of 1:N protection groups for the ONS 15454: ported and portless. Ported 1:N
interfaces are the traditional protection groups for signals electrically terminated on the shelf assembly.
Portless 1:N interfaces are signals received through an electrical synchronous transport signal (STS)
through the cross-connect card. The DS3XM-12 card supports portless as well as traditional ported
deployments. Table 7-2 on page 7-3 outlines the 1:N configurations supported by each electrical card
type.
The following rules apply to ported 1:N protection groups in the ONS 15454:
• Working and protect card groups must reside in the same card bank (Side A or Side B).
• The 1:N protect card must reside in Slot 3 for Side A and Slot 15 for Side B.
• Working cards can sit on either or both sides of the protect card.
Table 7-2 Supported 1:N Protection by Electrical Card (continued)

Working Card          | Protect Card          | Protect Group (Maximum) | Working Slot                              | Protection Slot
DS3/EC1-48            | DS3/EC1-48            | N ≤ 2                   | 1⁵, 2⁶                                    | 3
                      |                       |                         | 16⁷, 17⁸                                  | 15
DS3XM-12 (Transmux)   | DS3XM-12 (Transmux)   | N ≤ 5                   | 1, 2, 4, 5, 6                             | 3
                      |                       |                         | 12, 13, 14, 16, 17                        | 15
DS3XM-12 (Transmux)   | DS3XM-12 (Transmux)   | N ≤ 7 (portless⁹)       | 1, 2, 4, 5, 6, 12, 13, 14, 15, 16, 17     | 3
                      |                       |                         | 1, 2, 3, 4, 5, 6, 12, 13, 14, 16, 17      | 15
1. A high-density electrical card inserted in Slot 1 restricts the use of Slots 5 and 6 to optical, data, or storage cards.
2. A high-density electrical card inserted in Slot 2 restricts the use of Slots 4 and 6 to optical, data, or storage cards.
3. A high-density electrical card inserted in Slot 16 restricts the use of Slot 14 to optical, data, or storage cards.
4. A high-density electrical card inserted in Slot 17 restricts the use of Slots 12 and 13 to optical, data, or storage cards.
5. A high-density electrical card inserted in Slot 1 restricts the use of Slots 5 and 6 to optical, data, or storage cards.
6. A high-density electrical card inserted in Slot 2 restricts the use of Slots 4 and 6 to optical, data, or storage cards.
7. A high-density electrical card inserted in Slot 16 restricts the use of Slot 14 to optical, data, or storage cards.
8. A high-density electrical card inserted in Slot 17 restricts the use of Slots 12 and 13 to optical, data, or storage cards.
9. Portless DS-3 Transmux operation does not terminate the DS-3 signal on the EIA panel.
The following rules apply to portless 1:N protection groups in the ONS 15454:
• Working and protect card groups can reside in the same card bank or different card banks (Side A
or Side B).
• The 1:N protect card can be installed in either Slot 3 or Slot 15 and protect working cards in both
card banks.
• Working cards can sit on either or both sides of the protect card.
The ONS 15454 supports 1:N equipment protection for all add-drop multiplexer (ADM) configurations
(ring, linear, and terminal), as specified by Telcordia GR-253-CORE. For detailed procedures for setting
up DS-1 and DS-3 protection groups, refer to the Cisco ONS 15454 Procedure Guide.
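A protect card in the wrong slot or bank, or a high-density card whose neighbour restrictions are ignored, leaves working cards silently unprotected until the first failure. The validator below is an added example, not Cisco code and not a CTC or TL1 interface; it encodes only the rules stated in this section and in Table 7-2 (Side A is Slots 1 to 6 and Side B is Slots 12 to 17; the protect card sits in Slot 3 or Slot 15; ported groups stay in one bank while portless DS3XM-12 groups may span both; N is at most 5 for low-density cards, 2 for the high-density DS1/E1-56 and DS3/EC1-48, and 7 for portless DS3XM-12 as Table 7-2 prints it; and a high-density card in Slot 1, 2, 16, or 17 reserves the slots named in the table footnotes). Card names are the chapter's; the shelf dictionary layout and function names are this example's own.

```python
"""Pre-provisioning check for ONS 15454 1:N electrical card protection groups.

Added example, not Cisco code.  Rules are taken from section 7.1.2 and
Table 7-2 of this chapter; the shelf-map representation is this example's own.
"""
SIDE_A = frozenset(range(1, 7))
SIDE_B = frozenset(range(12, 18))
PROTECT_SLOT = {"A": 3, "B": 15}          # the only slots a 1:N protect card may occupy

HD_CARDS = {"DS1/E1-56", "DS3/EC1-48"}    # high-density electrical cards
# Table 7-2 footnotes 1-8: an HD card in the key slot reserves these slots for
# optical, data, or storage cards
HD_RESERVED = {1: {5, 6}, 2: {4, 6}, 16: {14}, 17: {12, 13}}

# Table 7-2 rows: protect card -> (cards it may protect, maximum N for a ported group)
PROTECT_GROUPS = {
    "DS1N-14": ({"DS1-14", "DS1N-14"}, 5),
    "DS1/E1-56": ({"DS1/E1-56"}, 2),
    "DS3N-12": ({"DS3-12", "DS3-12E", "DS3N-12", "DS3N-12E"}, 5),
    "DS3N-12E": ({"DS3-12", "DS3-12E", "DS3N-12", "DS3N-12E"}, 5),
    "DS3i-N-12": ({"DS3i-N-12"}, 5),
    "DS3/EC1-48": ({"DS3/EC1-48"}, 2),
    "DS3XM-12": ({"DS3XM-12"}, 5),
}
PORTLESS_MAX = {"DS3XM-12": 7}            # N <= 7 as printed in Table 7-2
ELECTRICAL = HD_CARDS | {"DS1-14", "DS1N-14", "DS3-12", "DS3-12E", "DS3N-12",
                         "DS3N-12E", "DS3XM-6", "DS3XM-12", "DS3i-N-12", "EC1-12"}


def side_of(slot: int):
    return "A" if slot in SIDE_A else "B" if slot in SIDE_B else None


def validate_1n_group(shelf: dict, protect_slot: int, working_slots, portless: bool = False):
    """Return the list of rule violations; an empty list means the group is provisionable.

    `shelf` maps slot number -> card name for every populated slot on the shelf.
    """
    errors = []
    protect_card = shelf.get(protect_slot)
    if protect_card not in PROTECT_GROUPS:
        return [f"Slot {protect_slot} holds {protect_card!r}, which cannot be a 1:N protect card"]
    allowed, max_n = PROTECT_GROUPS[protect_card]
    if portless:
        if protect_card in PORTLESS_MAX:
            max_n = PORTLESS_MAX[protect_card]
        else:
            errors.append(f"{protect_card} does not support portless operation")
    pside = side_of(protect_slot)
    if pside is None or PROTECT_SLOT[pside] != protect_slot:
        errors.append(f"protect card must be in Slot 3 or Slot 15, not Slot {protect_slot}")
    if len(working_slots) > max_n:
        errors.append(f"{len(working_slots)} working cards exceeds N <= {max_n}")
    for w in working_slots:
        wside = side_of(w)
        card = shelf.get(w)
        if w == protect_slot:
            errors.append(f"Slot {w} cannot be both working and protect")
        elif wside is None:
            errors.append(f"Slot {w} is not an I/O slot on Side A or Side B")
        elif not portless and wside != pside:
            # ported groups: working and protect cards must share a bank
            errors.append(f"working Slot {w} is on Side {wside} but the protect card is on Side {pside}")
        if card not in allowed:
            errors.append(f"Slot {w} holds {card!r}, which {protect_card} cannot protect")
    # HD neighbour restrictions are a shelf-wide rule, so check every populated HD slot
    for hd_slot, reserved in HD_RESERVED.items():
        if shelf.get(hd_slot) in HD_CARDS:
            for r in sorted(reserved):
                if shelf.get(r) in ELECTRICAL:
                    errors.append(f"HD card in Slot {hd_slot} reserves Slot {r} for optical, data, or storage cards")
    return errors


if __name__ == "__main__":
    # constructed shelf: DS1 cards on Side A with the DS1N-14 protect card in Slot 3
    shelf = {1: "DS1-14", 2: "DS1-14", 3: "DS1N-14", 4: "DS1-14", 6: "DS1N-14", 5: "OC48"}
    print(validate_1n_group(shelf, 3, [1, 2, 4, 6]) or "group is valid")
    print(validate_1n_group(shelf, 4, [1, 2]))   # protect card in a working slot
```

Run it against the planned shelf map before issuing the CTC or TL1 provisioning; an empty list is the only pass result, and every violation names the slot it concerns so the site plan can be corrected.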
7.2 Electrical Card Protection and the Backplane
Protection schemes for electrical cards depend on the EIA type used on the ONS 15454 backplane. The
difference is due to the varying connector size. For example, because BNC connectors are larger, fewer
DS3-12 cards can be supported when using a BNC connector. Table 7-3 shows the number of connectors
per side for each EIA type according to low-density and high-density interfaces.
In the tables, high-density (HD) cards include the DS3/EC1-48 and DS1/E1-56 cards. Low-density (LD) cards
include the following:
• DS1-14, DS1N-14
• DS3-12/DS3-12E, DS3N-12/DS3N-12E
• DS3XM-6
• DS3XM-12
• EC1-12
Note For EIA installation, refer to the “Install the Shelf and Backplane Cable” chapter in the
Cisco ONS 15454 Procedure Guide.
Caution When a protection switch moves traffic from the working/active electrical card to the protect/standby electrical card,
ports on the new active/standby card cannot be taken out of service as long as traffic is switched. Lost traffic can
result when a port is taken out of service even if the standby electrical card no longer carries traffic.
Table 7-3 EIA Connectors Per Side

Interfaces per Side                                          | Standard BNC | High-Density BNC | MiniBNC | SMB | AMP Champ | UBIC-V and UBIC-H (SCSI)
Total physical connectors                                    | 48           | 96               | 192     | 168 | 6         | 16
Maximum LD DS-1 interfaces (transmit [Tx] and receive [Rx])  | —            | —                | —       | 84  | 84        | 84
Maximum LD DS-3 interfaces (Tx and Rx)                       | 24           | 48               | 72      | 72  | —         | 72
Maximum HD DS-1 interfaces (Tx and Rx)                       | —            | —                | —       | —   | —         | 112
Maximum HD DS-3 interfaces (Tx and Rx)                       | —            | —                | 96      | —   | —         | 96
Table 7-4 shows the electrical card protection for each EIA type according to shelf side and slots.
Table 7-4 Electrical Card Protection By EIA Type

Protection Type | Card Type   | Side | Standard BNC | High-Density BNC | MiniBNC    | SMB        | AMP Champ  | UBIC-V and UBIC-H (SCSI)
Unprotected     | LD, Working | A    | 2, 4         | 1, 2, 4, 5       | 1–6        | 1–6        | 1–6        | 1–6
                |             | B    | 14, 16       | 13, 14, 16, 17   | 12–17      | 12–17      | 12–17      | 12–17
                | HD, Working | A    | —            | —                | 1, 2       | —          | —          | 1, 2
                |             | B    | —            | —                | 16, 17     | —          | —          | 16, 17
1:1             | LD, Working | A    | 2, 4         | 2, 4             | 2, 4, 6    | 2, 4, 6    | 2, 4, 6    | 2, 4, 6
                |             | B    | 14, 16       | 14, 16           | 12, 14, 16 | 12, 14, 16 | 12, 14, 16 | 12, 14, 16
                | LD, Protect | A    | 1, 3         | 1, 3             | 1, 3, 5    | 1, 3, 5    | 1, 3, 5    | 1, 3, 5
                |             | B    | 15, 17       | 15, 17           | 13, 15, 17 | 13, 15, 17 | 13, 15, 17 | 13, 15, 17
1:N             | LD, Working | A    | —            | 1, 2, 4, 5       | 1–6        | 1–6        | 1–6        | 1–6
                |             | B    | —            | 13, 14, 16, 17   | 12–17      | 12–17      | 12–17      | 12–17
                | LD, Protect | A    | —            | 3                | 3          | 3          | 3          | 3
                |             | B    | —            | 15               | 15         | 15         | 15         | 15
                | HD, Working | A    | —            | —                | 1, 2       | —          | —          | 1, 2
                |             | B    | —            | —                | 16, 17     | —          | —          | 16, 17
                | HD, Protect | A    | —            | —                | 3          | —          | —          | 3
                |             | B    | —            | —                | 15         | —          | —          | 15
Figure 7-3 shows unprotected low-density electrical card schemes by EIA type.
Figure 7-3 Unprotected Low-Density Electrical Card Schemes for EIA Types
[Figure not reproduced: four shelf layouts (Standard BNC, High-Density BNC, SMB/UBIC/AMP Champ, and MiniBNC) showing the TCC, cross-connect, and AIC slots and the slots available for working cards.]
Figure 7-4 shows unprotected high-density electrical card schemes by EIA type.
Figure 7-4 Unprotected High-Density Electrical Card Schemes for EIA Types
[Figure not reproduced: shelf layout for the UBIC/MiniBNC EIA showing the TCC, cross-connect, and AIC slots and the four slots available for high-density working cards.]
Figure 7-5 shows 1:1 low-density card protection by EIA type.
Figure 7-5 1:1 Protection Schemes for Low-Density Electrical Cards with EIA Types
[Figure not reproduced: shelf layouts for the Standard BNC, High-Density BNC, and SMB/UBIC/AMP Champ/MiniBNC EIAs showing the TCC, cross-connect, and AIC slots and the alternating working and protect slot pairs.]
Figure 7-6 shows 1:N protection for low-density electrical cards.
Figure 7-6 1:N Protection Schemes for Low-Density Electrical Cards with EIA Types
Note EC-1 cards do not support 1:N protection.
[Figure not reproduced: shelf layouts for the Standard BNC, High-Density BNC, and SMB/UBIC/AMP Champ/MiniBNC EIAs showing the TCC, cross-connect, and AIC slots, the working slots, and the single 1:N protection slot on each side.]
Figure 7-7 shows 1:1 high-density card protection by EIA type.
Figure 7-7 1:1 Protection Schemes for High-Density Electrical Cards with UBIC or MiniBNC EIA Types
[Figure not reproduced: shelf layout for the UBIC/MiniBNC EIA showing the TCC, cross-connect, and AIC slots and the working and protect slot pairs.]
7.2.1 Standard BNC Protection
When used with the standard BNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N < 2)
electrical card protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2
on page 7-3. The standard BNC EIA panel provides 48 BNC connectors for terminating up to 24 transmit
and 24 receive signals per EIA panel, enabling 96 BNC connectors for terminating up to 48 transmit and
receive signals per shelf with two standard-BNC panels installed. With an A-Side standard BNC EIA,
Slots 2 and 4 can be used for working slots and with a B-Side EIA, Slots 14 and 16 can be used for
working slots. Each of these slots is mapped to 24 BNC connectors on the EIA to support up to 12
transmit/receive signals. These slots can be used with or without equipment protection for DS-3 and
EC-1 services.
7.2.2 High-Density BNC Protection
When used with the high-density BNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N < 4)
electrical card protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2
on page 7-3. The high-density BNC EIA panel provides 96 BNC connectors for terminating up to
48 transmit and 24 receive signals per EIA panel, enabling 192 BNC connectors for terminating up to
96 transmit and receive signals per shelf with two high-density BNC panels installed. With an A-Side
high-density BNC EIA, Slots 1, 2, 4, and 5 can be used for working slots and with a B-Side EIA,
Slots 13, 14, 16, and 17 can be used for working slots. Each of these slots is mapped to 24 BNC
connectors on the EIA to support up to 12 transmit/receive signals. These slots can be used with or
without equipment protection for DS-3 and EC-1 services.
7.2.3 MiniBNC Protection
When used with the MiniBNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N < 5) electrical
card protection for DS-1, DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on
page 7-3. The MiniBNC EIA provides 192 MiniBNC connectors for terminating up to 96 transmit and
96 receive signals per EIA, enabling 384 MiniBNC connectors for terminating up to 192 transmit and
receive signals per shelf with two MiniBNC panels installed. With an A-Side MiniBNC EIA, Slots 1, 2,
4, 5, and 6 can be used for working slots and on a B-Side panel, Slots 12, 13, 14, 16, and 17 can be used
for working slots. Each of these slots is mapped to 24 MiniBNC connectors on the EIA panel to support
up to 12 transmit/receive signals. In addition, working Slots 1, 2, 16 and 17 can be mapped to 96
MiniBNC connectors to support the high-density electrical card. These slots can be used with or without
equipment protection for DS-3 and EC-1 services.
7.2.4 SMB Protection
When used with the SMB EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N < 5) electrical card
protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3.
The SMB EIA provides 168 SMB connectors for terminating up to 84 transmit and 84 receive signals
per EIA, enabling 336 SMB connectors for terminating up to 168 transmit and receive signals per shelf
with two SMB EIAs installed. With an A-Side SMB EIA, Slots 1, 2, 3, 4, 5, and 6 can be used for
working slots and with a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17 can be used for working slots. Each
of these slots is mapped to 28 SMB connectors on the EIA to support up to 14 transmit/receive signals.
These slots can be used with or without equipment protection for DS-1, DS-3 and EC-1 services. For
DS-1 services, an SMB-to-wire-wrap balun is installed on the SMB ports for termination of the 100 ohm
signal.
7.2.5 AMP Champ Protection
When used with the AMP Champ EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N < 5)
electrical card protection for DS-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on
page 7-3. The AMP Champ EIA provides 6 AMP Champ connectors for terminating up to 84 transmit
and 84 receive signals per EIA, enabling 12 AMP Champ connectors for terminating up to 168 transmit
and receive signals per shelf with two AMP Champ EIAs installed. With an A-Side SMB EIA, Slots 1,
2, 3, 4, 5, and 6 can be used for working slots and with a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17
can be used for working slots. Each of these slots is mapped to 1 AMP Champ connector on the EIA to
support 14 transmit/receive signals. These slots can be used with or without equipment protection for
DS-1 services.
7.2.6 UBIC Protection
When used with the UBIC EIA, the ONS 15454 high-density shelf assembly (15454-HD-SA) supports
unprotected, 1:1, or 1:N (N < 5) electrical card protection for DS-1, DS-3 and EC-1 signals, as outlined
in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The UBIC EIA provides 16 SCSI connectors for
terminating up to 112 transmit and receive DS-1 signals per EIA, or up to 96 transmit and receive DS-3
connections. With an A-side UBIC EIA, Slots 1, 2, 3, 4, 5, and 6 can be used for working slots and with
a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17 can be used for working slots. Each of these slots is
mapped to two SCSI connectors on the EIA to support up to 14 transmit/receive signals. In addition,
working Slots 1, 2, 16, and 17 can be mapped to 8 SCSI connectors to support the high-density electrical
card. These slots can be used with or without equipment protection for DS-1, DS-3, and EC-1 services.
7.3 OC-N Card Protection
The ONS 15454 provides two optical card protection methods, 1+1 protection and optimized 1+1
protection. This section covers the general concept of optical card protection. Specific optical card
protection schemes depend on the optical cards in use.
7.3.1 1+1 Protection
Any OC-N card can use 1+1 protection. With 1+1 port-to-port protection, ports on the protect card can
be assigned to protect the corresponding ports on the working card. Both ports must belong to two
different cards and should have the same port number. For example, if port 2 is the protect port on Card
A then port 2 on Card B would be the working port. The working and protect cards do not have to be
placed side by side in the node. A working card must be paired with a protect card of the same type and
number of ports. For example, a single-port OC-12 must be paired with another single-port OC-12, and
a four-port OC-12 must be paired with another four-port OC-12. You cannot create a 1+1 protection
group if one card is single-port and the other is multiport, even if the OC-N rates are the same. The
protection takes place on the port level, and any number of ports on the protect card can be assigned to
protect the corresponding ports on the working card.
For example, on a four-port card, you can assign one port as a protection port on the protect card
(protecting the corresponding port on the working card) and leave three ports unprotected. Conversely,
you can assign three ports as protection ports and leave one port unprotected. In other words, all the ports
on the protect card are used in the protection scheme.
1+1 span protection can be either revertive or nonrevertive. With nonrevertive 1+1 protection, when a
failure occurs and the signal switches from the working card to the protect card, the signal stays switched
to the protect card until it is manually switched back. Revertive 1+1 protection automatically switches
the signal back to the working card when the working card comes back online. 1+1 protection is
unidirectional and nonrevertive by default; revertive switching is easily provisioned using CTC.
Note When provisioning a line timing reference for the node, you cannot select the protect port of a 1+1
protection group. If a traffic switch occurs on the working port of the 1+1 protection group, the timing
reference of the node automatically switches to the protect port of the 1+1 protection group.
7.3.2 Optimized 1+1 Protection
Optimized 1+1 protection is used in networks that mainly use the linear 1+1 bidirectional protection
scheme. Optimized 1+1 is a line-level protection scheme using two lines, working and protect. One of
the two lines assumes the role of the primary channel, where traffic is selected, and the other line
assumes the role of secondary channel, which protects the primary channel. Traffic switches from the
primary channel to the secondary channel based on either line conditions or an external switching
command performed by the user. After the line condition clears, the traffic remains on the secondary
channel. The secondary channel is automatically renamed as the primary channel and the former primary
channel is automatically renamed as the secondary channel.
Unlike 1+1 span protection, 1+1 optimized span protection does not use the revertive or nonrevertive
feature. Also, 1+1 optimized span protection does not use the Manual switch command. The 1+1
optimized span protection scheme is supported only on the Cisco ONS 15454 SONET using either
OC3-4 cards or OC3-8 cards with ports that are provisioned for SDH payloads.
Optimized 1+1 is fully compliant with Nippon Telegraph and Telephone Corporation (NTT)
specifications. With optimized 1+1 port-to-port protection, ports on the protect card can be assigned to
protect the corresponding ports on the working card. The working and protect cards do not have to be
installed side by side in the node. A working card must be paired with a protect card of the same type
and number of ports. For example, a four-port OC-3 must be paired with another four-port OC-3, and an
eight-port OC-3 must be paired with another eight-port OC-3. You cannot create an optimized 1+1
protection group if the number of ports does not match, even if the OC-N rates are the same.
The protection takes place on the port level, and any number of ports on the protect card can be assigned
to protect the corresponding ports on the working card. For example, on a four-port card, you can assign
one port as a protection port on the protect card (protecting the corresponding port on the working card)
and leave three ports unprotected. Conversely, you can assign three ports as protection ports and leave
one port unprotected. With 1:1 or 1:N protection (electrical cards), the protect card must protect an entire
slot. In other words, all the ports on the protect card are used in the protection scheme.
7.4 Unprotected Cards
Unprotected cards are not included in a protection scheme; therefore, a card failure or a signal error
results in lost data. Because no bandwidth lies in reserve for protection, unprotected schemes maximize
the available ONS 15454 bandwidth. Figure 7-8 shows the ONS 15454 in an unprotected configuration.
All cards are in a working state.
Figure 7-8 ONS 15454 in an Unprotected Configuration
7.5 External Switching Commands
The external switching commands on the ONS 15454 are Manual, Force, and Lockout. If you choose a
Manual switch, the command will switch traffic only if the path has an error rate less than the signal
degrade (SD) bit error rate threshold. A Force switch will switch traffic even if the path has SD or signal
fail (SF) conditions; however, a Force switch will not override an SF on a 1+1 protection channel.
A Force switch has a higher priority than a Manual switch. Lockouts, which prevent traffic from
switching to the protect port under any circumstance, can only be applied to protect cards (in 1+1
configurations). Lockouts have the highest priority. In a 1+1 configuration you can also apply a lock on
to the working port. A working port with a lock on applied cannot switch traffic to the protect port in the
protection group (pair). In 1:1 protection groups, working or protect ports can have a lock on.
Note Force and Manual switches do not apply to 1:1 protection groups; these ports have a single switch
command.
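The 1+1 pairing rules of section 7.3.1 (same card type, same port count, port N protects port N, nonrevertive by default) and the command precedence of this section (Manual below Force below Lockout, the SD/SF conditions, and lock on) as one small state model. This is an added Python example, not Cisco code and not the logic CTC or the TCC2 cards run; the card names, the "ok"/"SD"/"SF" condition labels, and the reading of "the path" in the Manual rule as the protect line are the example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Priority(IntEnum):
    """External switching commands in ascending priority (section 7.5)."""
    NONE = 0
    MANUAL = 1
    FORCE = 2
    LOCKOUT = 3


@dataclass
class Card:
    name: str       # constructed label, e.g. a slot name
    card_type: str  # e.g. "OC12" (constructed label)
    ports: int


@dataclass
class Line:
    """Condition of one port's line: "ok", "SD" (signal degrade) or "SF" (signal fail).
    The labels are this example's assumption, standing in for the BER thresholds."""
    condition: str = "ok"
    lock_on: bool = False  # lock on provisioned on this port


def can_pair(working: Card, protect: Card) -> bool:
    """A 1+1 pair must use the same card type with the same number of ports."""
    return working.card_type == protect.card_type and working.ports == protect.ports


@dataclass
class OnePlusOneGroup:
    working: Card
    protect: Card
    revertive: bool = False           # nonrevertive by default (7.3.1)
    protected_ports: set[int] = field(default_factory=set)
    on_protect: bool = False          # True while traffic is selected from the protect port
    active: Priority = Priority.NONE  # highest external command currently applied
    lockout: bool = False

    def __post_init__(self) -> None:
        if not can_pair(self.working, self.protect):
            raise ValueError("1+1 pair must use the same card type and port count")

    def protect_port(self, port: int) -> None:
        """Port N of the protect card protects port N of the working card."""
        if not 1 <= port <= self.working.ports:
            raise ValueError(f"port {port} does not exist on a {self.working.ports}-port card")
        self.protected_ports.add(port)

    def request(self, cmd: Priority, working: Line, protect: Line) -> tuple[bool, str]:
        """Apply an external command; returns (accepted, reason)."""
        if cmd == Priority.LOCKOUT:
            # Lockout is applied to the protect card and has the highest priority:
            # traffic may not move to protect under any circumstance.
            self.lockout, self.active, self.on_protect = True, cmd, False
            return True, "lockout applied; switching to protect prevented"
        if self.lockout or cmd < self.active:
            return False, "rejected: a higher-priority command is active"
        if working.lock_on:
            return False, "rejected: lock on applied to the working port"
        if cmd == Priority.MANUAL and protect.condition in ("SD", "SF"):
            # Manual switches only when the path is below the SD BER threshold;
            # this model reads "the path" as the protect line (assumption).
            return False, "rejected: manual switch needs a path below the SD threshold"
        if cmd == Priority.FORCE and protect.condition == "SF":
            # Force overrides SD and SF, except SF on the 1+1 protection channel.
            return False, "rejected: force does not override SF on the protect channel"
        self.active, self.on_protect = cmd, True
        return True, f"{cmd.name.lower()} switch accepted; traffic on protect"

    def clear(self, cmd: Priority) -> None:
        """Release an external command."""
        if cmd == Priority.LOCKOUT:
            self.lockout = False
        if cmd == self.active:
            self.active = Priority.NONE

    def line_failure(self, working: Line, protect: Line) -> bool:
        """Autonomous switch on SD/SF of the working line; returns on_protect."""
        if self.lockout or working.lock_on or protect.condition == "SF":
            return self.on_protect
        if working.condition in ("SD", "SF"):
            self.on_protect = True
        return self.on_protect

    def working_restored(self) -> bool:
        """Revertive groups return to working automatically; nonrevertive stay switched."""
        if self.revertive and self.active == Priority.NONE:
            self.on_protect = False
        return self.on_protect
```

The model keeps only the highest active command, so a Manual request while a Force is in effect is rejected, and a cleared Lockout re-enables switching; the revertive flag is consulted only after the working line recovers, matching the section's description of revertive versus nonrevertive behaviour.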
CHAPTER 8
Cisco Transport Controller Operation
This chapter describes Cisco Transport Controller (CTC), the software interface for the
Cisco ONS 15454. For CTC set up and login information, refer to the Cisco ONS 15454 Procedure
Guide.
Chapter topics include:
• 8.1 CTC Software Delivery Methods, page 8-1
• 8.2 CTC Installation Overview, page 8-4
• 8.3 PC and UNIX Workstation Requirements, page 8-4
• 8.4 ONS 15454 Connection, page 8-7
• 8.5 CTC Login, page 8-8
• 8.6 CTC Window, page 8-9
• 8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes, page 8-19
• 8.8 TCC2/TCC2P Card Reset, page 8-22
• 8.9 TCC2/TCC2P Card Database, page 8-22
• 8.10 Software Revert, page 8-23
8.1 CTC Software Delivery Methods
ONS 15454 provisioning and administration is performed using the CTC software. CTC is a Java
application that is installed in two locations; CTC is stored on the Advanced Timing, Communications,
and Control (TCC2) card or the Advanced Timing, Communications, and Control Plus (TCC2P) card,
and it is downloaded to your workstation the first time you log into the ONS 15454 with a new software
release.
8.1.1 CTC Software Installed on the TCC2/TCC2P Card
CTC software is preloaded on the ONS 15454 TCC2/TCC2P cards; therefore, you do not need to install
software on the TCC2/TCC2P cards. When a new CTC software version is released, use the
release-specific software upgrade document to upgrade the ONS 15454 software on the TCC2/TCC2P
cards.
When you upgrade CTC software, the TCC2/TCC2P cards store the new CTC version as the protect CTC
version. When you activate the new CTC software, the TCC2/TCC2P cards store the older CTC version
as the protect CTC version, and the newer CTC release becomes the working version. You can view the
software versions that are installed on an ONS 15454 by selecting the Maintenance > Software tabs in
node view (Figure 8-1).
Figure 8-1 CTC Software Versions, Node View
[Screenshot not reproduced: node view with the Maintenance tab and the Software tab selected.]
Select the Maintenance > Software tabs in network view to display the software versions installed on all
the network nodes (Figure 8-2).
Figure 8-2 CTC Software Versions, Network View
8.1.2 CTC Software Installed on the PC or UNIX Workstation
CTC software is downloaded from the TCC2/TCC2P cards and installed on your computer automatically
after you connect to the ONS 15454 with a new software release for the first time. Downloading the CTC
software files automatically ensures that your computer is running the same CTC software version as the
TCC2/TCC2P cards you are accessing. The CTC files are stored in the temporary directory designated
by your computer operating system. You can use the Delete CTC Cache button to remove files stored in
the temporary directory. If the files are deleted, they download the next time you connect to an ONS
15454. Downloading the Java archive (JAR) files for CTC takes several minutes depending on the
bandwidth of the connection between your workstation and the ONS 15454. For example, JAR files
downloaded from a modem or a data communications channel (DCC) network link require more time
than JAR files downloaded over a LAN connection.
During network topology discovery, CTC polls each node in the network to determine which one
contains the most recent version of the CTC software. If CTC discovers a node in the network that has
a more recent version of the CTC software than the version you are currently running, CTC generates a
message stating that a later version of the CTC has been found in the network and offers to install the
CTC software upgrade JAR files. If you have network discovery disabled, CTC will not seek more recent
versions of the software. Unreachable nodes are not included in the upgrade discovery.
Note Upgrading the CTC software will overwrite your existing software. You must restart CTC after the
upgrade is complete.
8.2 CTC Installation Overview
To connect to an ONS 15454 using CTC, you enter the ONS 15454 IP address in the URL field of
Netscape Navigator or Microsoft Internet Explorer. After connecting to an ONS 15454, the following
occurs automatically:
1. A CTC launcher applet is downloaded from the TCC2/TCC2P card to your computer.
2. The launcher determines whether your computer has a CTC release matching the release on the
ONS 15454 TCC2/TCC2P card.
3. If the computer does not have CTC installed, or if the installed release is older than the
TCC2/TCC2P card’s version, the launcher downloads the CTC program files from the TCC2/TCC2P
card.
4. The launcher starts CTC. The CTC session is separate from the web browser session, so the web
browser is no longer needed. Always log into nodes having the latest software release. If you log
into an ONS 15454 that is connected to ONS 15454s with older versions of CTC, or to
Cisco ONS 15327s or Cisco ONS 15600s, CTC files are downloaded automatically to enable you to
interact with those nodes. The CTC file download occurs only when necessary, such as during your
first login. You cannot interact with nodes on the network that have a software version later than the
node that you used to launch CTC.
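The version rules in the "CTC Software Installed on the PC or UNIX Workstation" section and the launcher steps above, as an added Python example (not Cisco's code and not the launcher's own logic): the cached copy is downloaded only when it is absent or older than the node's release, upgrade discovery considers only reachable nodes and only when discovery is enabled, and nodes with a later release than the launch node are not manageable. Node names and releases are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str         # constructed node label
    release: str      # software release on the node's TCC2/TCC2P, e.g. "9.2.1"
    reachable: bool = True


def parse_release(release: str) -> tuple[int, ...]:
    """'9.2' -> (9, 2, 0) so that 9.2 sorts below 9.2.1."""
    parts = tuple(int(p) for p in release.split("."))
    return parts + (0,) * (3 - len(parts))


def launcher_action(cached: str | None, node_release: str) -> str:
    """Steps 2 and 3 of the launch sequence: download the CTC files only when
    nothing is cached or the cached release is older than the node's."""
    if cached is None or parse_release(cached) < parse_release(node_release):
        return "download"
    return "run-cached"


def newer_release_in_network(running: str, nodes: list[Node], discovery: bool) -> str | None:
    """Topology discovery: the most recent reachable release newer than `running`,
    or None when nothing newer is found or discovery is disabled."""
    if not discovery:
        return None
    candidates = [n.release for n in nodes
                  if n.reachable and parse_release(n.release) > parse_release(running)]
    return max(candidates, key=parse_release, default=None)


def manageable_nodes(running: str, nodes: list[Node]) -> list[str]:
    """Reachable nodes whose release is no later than the launch node's release;
    CTC cannot interact with nodes running later software."""
    return [n.name for n in nodes
            if n.reachable and parse_release(n.release) <= parse_release(running)]
```

Because the upgrade offer comes from whichever reachable node reports the newest release, the same comparison that drives the offer also tells an operator which nodes a given CTC session can manage, which is why the text advises always logging into the node with the latest release.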
Each ONS 15454 can handle up to five concurrent CTC sessions. CTC performance can vary, depending
on the volume of activity in each session, network bandwidth, and TCC2/TCC2P card load.
Note You can also use TL1 commands to communicate with the Cisco ONS 15454 through VT100 terminals
and VT100 emulation software, or you can telnet to an ONS 15454 using TL1 port 3083. Refer to the
Cisco ONS SONET TL1 Command Guide for a comprehensive list of TL1 commands.
8.3 PC and UNIX Workstation Requirements
To use CTC for the ONS 15454, your computer must have a web browser with the correct Java Runtime
Environment (JRE) installed. The correct JRE for each CTC software release is included on the
Cisco ONS 15454 software CD. If you are running multiple CTC software releases on a network, the
JRE installed on the computer must be compatible with the different software releases.
You can change the JRE version on the Preferences dialog box JRE tab. When you change the JRE
version on the JRE tab, you must exit and restart CTC for the new JRE version to take effect. Table 8-1
shows JRE compatibility with ONS 15454 software releases.
Note To avoid network performance issues, Cisco recommends managing a maximum of 50 nodes
concurrently with CTC. The 50 nodes can be on a single DCC or split across multiple DCCs. Cisco does
not recommend running multiple CTC sessions when managing two or more large networks.
To manage more than 50 nodes, Cisco recommends using Cisco Transport Manager (CTM). If you do
use CTC to manage more than 50 nodes, you can improve performance by adjusting the heap size; see
the “General Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide. You can also
create login node groups; see the “Connect the PC and Log Into the GUI” chapter of the
Cisco ONS 15454 Procedure Guide.
Table 8-2 lists the requirements for PCs and UNIX workstations.
Table 8-1 JRE Compatibility

ONS Software Release     | JRE 1.2.2 Compatible | JRE 1.3 Compatible | JRE 1.4 Compatible | JRE 5.0 Compatible | JRE 1.6 Compatible
ONS 15454 Release 4.5    | No  | Yes | No  | No  | No
ONS 15454 Release 4.6    | No  | Yes | Yes | No  | No
ONS 15454 Release 4.7    | No  | No  | Yes | No  | No
ONS 15454 Release 5.0    | No  | No  | Yes | No  | No
ONS 15454 Release 6.0    | No  | No  | Yes | No  | No
ONS 15454 Release 7.0    | No  | No  | Yes | Yes | No
ONS 15454 Release 7.2    | No  | No  | Yes | Yes | No
ONS 15454 Release 8.0    | No  | No  | No  | Yes | No
ONS 15454 Release 8.5    | No  | No  | No  | Yes | No
ONS 15454 Release 9.0    | No  | No  | No  | Yes | No
ONS 15454 Release 9.1    | No  | No  | No  | Yes | No
ONS 15454 Release 9.2    | No  | No  | No  | No  | Yes
ONS 15454 Release 9.2.1  | No  | No  | No  | No  | Yes
Table 8-2 CTC Computer Requirements

Processor (PC only)
  Requirements: Pentium 4 processor or equivalent
  Notes: A faster CPU is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits.

RAM
  Requirements: 512 MB RAM or more (1 GB RAM or more for Release 9.2)
  Notes: A minimum of 1 GB is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits.

Hard drive
  Requirements: 20 GB hard drive with 100 MB of free space required (250 MB of free space required for Release 9.2)
  Notes: CTC application files are downloaded from the TCC2/TCC2P to your computer. These files occupy around 100 MB (250 MB to be safer) or more space depending on the number of versions in the network.

Operating System
  Requirements:
  • PC: Windows 2000 with SP4, Windows XP with SP2, Windows Vista with SP1, Windows Server 2003 with SP2 (Windows 7, Windows Server 2008 for Release 9.2 and later)
  • Workstation: Solaris version 9 or 10
  • Apple Mac OS X: CTC needs to be installed using the CacheInstaller available on CCO or the Release CD (for Release 9.2 and later).
  Notes: Use the latest patch/Service Packs released by the OS vendor. Check with the vendor for the latest patch/Service Packs.

Java Runtime Environment
  Requirements: JRE 5.0 (Release 9.1); JRE 1.6 (Release 9.2 and later)
  Notes: The appropriate JRE version is installed by the CTC Installation Wizard included on the Cisco ONS 15454 software CD. JRE installation provides enhancements to CTC performance, especially for large networks with numerous circuits. If CTC must be launched directly from nodes running software R7.0 or R7.2, Cisco recommends JRE 1.4.2 or JRE 5.0. If CTC must be launched directly from nodes running software R5.0 or R6.0, Cisco recommends JRE 1.4.2. If CTC must be launched directly from nodes running software earlier than R5.0, Cisco recommends JRE 1.3.1_02.

Web browser
  Requirements: For the PC, use JRE 5.0 or JRE 1.6 with any supported web browser. For UNIX, use JRE 5.0 with Netscape 7.x or JRE 1.3.1_02 with Netscape 4.76.
  Notes: The supported browser can be downloaded from the Web.

Cable
  Requirements: User-supplied CAT-5 straight-through cable with RJ-45 connectors on each end to connect the computer to the ONS 15310-CL or ONS 15310-MA directly or through a LAN
  Notes: —

8.4 ONS 15454 Connection
You can connect to the ONS 15454 in multiple ways. You can connect your PC directly to the ONS 15454
(local craft connection) using the RJ-45 port on the TCC2/TCC2P card or the LAN pins on the
backplane, connect your PC to a hub or switch that is connected to the ONS 15454, connect to the ONS
15454 through a LAN or modem, or establish TL1 connections from a PC or TL1 terminal. Table 8-3
lists the ONS 15454 connection methods and requirements.
8.5 CTC Login
After you have installed CTC, you can log in to a node using your browser. To log in, you must type the
node IP address in the URL window. The CTC Login window appears.
The CTC Login window provides the following options to accelerate the login process.
• The Disable Network Discovery option omits the discovery of nodes with data communications
channel (DCC) connectivity. To access all nodes with DCC connectivity, make sure that Disable
Network Discovery is not checked. If you have network discovery disabled, CTC will not poll the
network for more recent versions of the software. (For more information about the automatic
download of the latest CTC JAR files, see the “8.1.2 CTC Software Installed on the PC or UNIX
Workstation” section on page 8-3.)
• The Disable Circuit Management option omits the discovery of circuits. To view circuits
immediately after logging in, make sure that Disable Circuit Management is not checked. However,
if disabled, after you have logged in you can click the Circuits tab and CTC will give you the option
to enable circuit management.
These options are useful if you want to log in to a node to perform a single task, such as placing a card
in or out of service, and do not want to wait while CTC discovers DCC connections and circuits.

Table 8-3 ONS 15454 Connection Methods

Local craft
  Description: Refers to onsite network connections between the CTC computer and the ONS 15454 using one of the following:
  • The RJ-45 (LAN) port on the TCC2/TCC2P card
  • The LAN pins on the ONS 15454 backplane
  • A hub or switch to which the ONS 15454 is connected
  Requirements: If you do not use Dynamic Host Configuration Protocol (DHCP), you must change the computer IP address, subnet mask, and default router, or use automatic host detection.

Corporate LAN
  Description: Refers to a connection to the ONS 15454 through a corporate or network operations center (NOC) LAN.
  Requirements:
  • The ONS 15454 must be provisioned for LAN connectivity, including IP address, subnet mask, and default gateway.
  • The ONS 15454 must be physically connected to the corporate LAN.
  • The CTC computer must be connected to the corporate LAN that has connectivity to the ONS 15454.

TL1
  Description: Refers to a connection to the ONS 15454 using TL1 rather than CTC. TL1 sessions can be started from CTC, or you can use a TL1 terminal. The physical connection can be a craft connection, corporate LAN, or a TL1 terminal.
  Requirements: Refer to the Cisco ONS SONET TL1 Reference Guide.

Remote
  Description: Refers to a connection made to the ONS 15454 using a modem.
  Requirements:
  • A modem must be connected to the ONS 15454.
  • The modem must be provisioned for the ONS 15454. To run CTC, the modem must be provisioned for Ethernet access.
8.5.1 Legal Disclaimer
The CTC Login window currently displays the following warning message: “Warning: This system is
restricted to authorized users for business purpose. Unauthorized access is a violation of the law. This
service can be monitored for administrative and security reasons. By proceeding, you consent to this
monitoring.”
The ONS 15600 allows a user with Superuser privileges to modify the default login warning message
and save it to a node using the Provisioning > Security > Legal Disclaimer > HTML tab. The login
warning message field allows up to 250 characters of text (1600 characters total, including HTML
markup).
8.5.2 Login Node Group
Login node groups display nodes that have only an IP connection. After you are logged into CTC, you
can create a login node group from the Edit > Preferences menu. Login groups appear in the
Additional Nodes list on the Login window.
For example, if you logged into Node 1, you would see Node 2 and Node 3 because they have DCC
connectivity to Node 1. You would not see Nodes 4, 5, and 6 because DCC connections do not exist. To
view all six nodes at once, you create a login node group with the IP addresses of Nodes 1, 4, 5, and 6.
Those nodes, and all nodes optically connected to them, appear when you select the login group from
the Additional Nodes list on the Login window the next time you log in.
8.6 CTC Window
The CTC window appears after you log into an ONS 15454 (Figure 8-3). The window includes a menu
bar, a toolbar, and a top and bottom pane. The top pane provides status information about the selected
objects and a graphic of the current view. The bottom pane provides tabs and subtabs to view ONS 15454
information and perform ONS 15454 provisioning and maintenance. From this window you can display
three ONS 15454 views: network, node, and card.
Figure 8-3 Node View (Default Login View)
8.6.1 Node View
Node view, shown in Figure 8-3, is the first view that appears after you log into an ONS 15454. The login
node is the first node shown, and it is the “home view” for the session. Node view allows you to manage
one ONS 15454 node. The status area shows the node name; IP address; session boot date and time;
number of Critical (CR), Major (MJ), and Minor (MN) alarms; the name and security level of the
logged-in user; the software version; and the network element default setup.
8.6.1.1 CTC Card Colors
The graphic area of the CTC window depicts the ONS 15454 shelf assembly. The colors of the cards in
the graphic reflect the real-time status of the physical card and slot (Table 8-4).
[Figure 8-3 callouts: Menu bar; Tool bar; Top pane (Status area, Graphic area); Bottom pane (Tabs, Subtabs); Status bar]
Table 8-4 Node View Card Colors
Card Color | Status
Gray | Slot is not provisioned; no card is installed.
Violet | Slot is provisioned; no card is installed.
White | Slot is provisioned; a functioning card is installed.
Yellow | Slot is provisioned; a Minor alarm condition exists.
Orange | Slot is provisioned; a Major alarm condition exists.
Red | Slot is provisioned; a Critical alarm exists.
The wording on a card in node view shows the status of a card (Active, Standby, Loading, or
Not Provisioned). Table 8-5 lists the card statuses.
The port color in both card and node view indicates the port service state. Table 8-6 lists the port colors
and their service states. For more information about port service states, see Appendix B, “Administrative
and Service States.”
Table 8-5 Node View Card Statuses
Card Status | Description
Sby | Card is in standby mode.
Act | Card is active.
NP | Card is not present.
Ldg | Card is resetting.
Mis | Card is mismatched.
Table 8-6 Node View Card Port Colors and Service States
Port Color | Service State | Description
Blue | OOS-MA,LPBK (Out-of-Service and Management, Loopback) | Port is in a loopback state. On the card in node view, a line between ports indicates that the port is in terminal or facility loopback (see Figure 8-4 on page 8-12 and Figure 8-5 on page 8-12). Traffic is carried and alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
Blue | OOS-MA,MT (Out-of-Service and Management, Maintenance) | Port is out-of-service for maintenance. Traffic is carried and loopbacks are allowed. Alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. Use OOS-MA,MT for testing or to suppress alarms temporarily. Change the state to IS-NR, OOS-MA,DSBLD, or OOS-AU,AINS when testing is complete.
Gray | OOS-MA,DSBLD (Out-of-Service and Management, Disabled) | The port is out-of-service and unable to carry traffic. Loopbacks are not allowed in this service state.
Figure 8-4 Terminal Loopback Indicator
Figure 8-5 Facility Loopback Indicator
8.6.1.2 Node View Card Shortcuts
If you move your mouse over cards in the graphic, popups display additional information about the card
including the card type; the card status (active or standby); the type of alarm, such as Critical, Major, or
Minor (if any); and the alarm profile used by the card. Right-click a card to reveal a shortcut menu, which
you can use to open, reset, delete, or change a card. Right-click a slot to preprovision a card (that is,
provision a slot before installing the card).
8.6.1.3 Node View Tabs
Table 8-7 lists the tabs and subtabs available in the node view.
Table 8-6 Node View Card Port Colors and Service States (continued)
Port Color | Service State | Description
Green | IS-NR (In-Service and Normal) | The port is fully operational and performing as provisioned. The port transmits a signal and displays alarms; loopbacks are not allowed.
Violet | OOS-AU,AINS (Out-of-Service and Autonomous, Automatic In-Service) | The port is out-of-service, but traffic is carried. Alarm reporting is suppressed. The node monitors the ports for an error-free signal. After an error-free signal is detected, the port stays in OOS-AU,AINS state for the duration of the soak period. After the soak period ends, the port service state changes to IS-NR. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. The AINS port will automatically transition to IS-NR when a signal is received for the length of time provisioned in the soak field.
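As an added illustration of the service states in Table 8-6 (example code written for this page, not CTC or Cisco code), the following Python model carries the OOS-AU,AINS soak behaviour and a check that lists ports whose alarm reporting is suppressed, which is what an operator wants to know after maintenance so that nothing stays in OOS-MA,MT or a loopback unnoticed. It assumes the soak period is counted in abstract monitoring intervals, that an errored interval restarts the soak, and that loopbacks may be requested only from OOS-MA,MT; the port inventory is constructed and none of these assumptions come from the manual.

```python
"""Model of the ONS 15454 port service states described in Table 8-6.

Added example, not CTC code. Every assumption is marked in a comment.
"""
from dataclasses import dataclass

# What Table 8-6 states about each service state.
# alarms_suppressed: True where the table says alarm reporting is suppressed.
#   Table 8-6 says nothing about alarm reporting for OOS-MA,DSBLD, so it is
#   modelled as not suppressed (assumption).
# loopback_allowed: True only for OOS-MA,MT (and LPBK, which is the loopback
#   state itself); Table 8-6 does not address loopbacks in OOS-AU,AINS, so
#   that state is modelled as not allowed (assumption).
SERVICE_STATES = {
    "IS-NR":        {"color": "Green",  "traffic": True,  "alarms_suppressed": False, "loopback_allowed": False},
    "OOS-AU,AINS":  {"color": "Violet", "traffic": True,  "alarms_suppressed": True,  "loopback_allowed": False},
    "OOS-MA,MT":    {"color": "Blue",   "traffic": True,  "alarms_suppressed": True,  "loopback_allowed": True},
    "OOS-MA,LPBK":  {"color": "Blue",   "traffic": True,  "alarms_suppressed": True,  "loopback_allowed": True},
    "OOS-MA,DSBLD": {"color": "Gray",   "traffic": False, "alarms_suppressed": False, "loopback_allowed": False},
}


@dataclass
class Port:
    name: str
    state: str
    soak_intervals: int = 0     # provisioned soak period, in monitoring intervals (abstract unit)
    clean_intervals: int = 0    # consecutive error-free intervals observed so far

    def __post_init__(self):
        if self.state not in SERVICE_STATES:
            raise ValueError(f"unknown service state {self.state!r}")

    def observe(self, error_free: bool) -> str:
        """Feed one monitoring interval; returns the (possibly new) service state.

        Table 8-6: an OOS-AU,AINS port moves to IS-NR once an error-free signal
        has been present for the whole soak period. ASSUMPTION: an errored
        interval restarts the count. Ports in other states are left unchanged.
        """
        if self.state != "OOS-AU,AINS":
            return self.state
        self.clean_intervals = self.clean_intervals + 1 if error_free else 0
        if self.clean_intervals >= max(self.soak_intervals, 1):
            self.state = "IS-NR"
            self.clean_intervals = 0
        return self.state

    def request_loopback(self) -> str:
        """Enter OOS-MA,LPBK; refused where Table 8-6 says loopbacks are not allowed."""
        if not SERVICE_STATES[self.state]["loopback_allowed"]:
            raise ValueError(f"{self.name}: loopbacks are not allowed in {self.state}")
        self.state = "OOS-MA,LPBK"
        return self.state


def run_soak(port: Port, samples) -> list:
    """Apply a sequence of error-free (True) / errored (False) samples; return the state after each."""
    return [port.observe(ok) for ok in samples]


def alarm_blind_ports(ports) -> list:
    """Names of ports whose alarm reporting is suppressed.

    For these ports raised fault conditions do not surface as alarms; they have
    to be pulled from the CTC Conditions tab or with TL1 RTRV-COND (Table 8-6).
    """
    return [p.name for p in ports if SERVICE_STATES[p.state]["alarms_suppressed"]]


def card_port_colors(ports) -> dict:
    """Port name -> colour CTC paints the port in card and node view (Table 8-6)."""
    return {p.name: SERVICE_STATES[p.state]["color"] for p in ports}


if __name__ == "__main__":
    # Constructed sample inventory (not CTC output).
    inventory = [
        Port("s3-p1", "IS-NR"),
        Port("s3-p2", "OOS-MA,MT"),
        Port("s4-p1", "OOS-AU,AINS", soak_intervals=3),
        Port("s4-p2", "OOS-MA,DSBLD"),
    ]
    # clean, clean, errored (restarts soak), clean, clean, clean -> IS-NR on the last sample
    print(run_soak(inventory[2], [True, True, False, True, True, True]))
    print("alarm reporting suppressed on:", alarm_blind_ports(inventory))
    print(card_port_colors(inventory))
```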
Table 8-7 Node View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the node and updates them in real time. | —
Conditions | Displays a list of standing conditions on the node. | —
History | Provides a history of node alarms including date, type, and severity of each alarm. The Session subtab displays alarms and events for the current session. The Node subtab displays alarms and events retrieved from a fixed-size log on the node. | Session, Shelf
Circuits | Creates, deletes, edits, and maps circuits and rolls. | Circuits, Rolls
Provisioning | Provisions the ONS 15454 node. | General, Ether Bridge, Network, OSI, BLSR, Protection, Security, SNMP, Comm Channels, Timing, Alarm Profiles, Cross-Connect, Defaults, WDM-ANS
Inventory | Provides inventory information (part number, serial number, Common Language Equipment Identification [CLEI] codes) for cards installed in the node. Allows you to delete and reset cards, and change card service state. For more information on card service states, see Appendix B, “Administrative and Service States.” | —
Maintenance | Performs maintenance tasks for the node. | Database, Ether Bridge, Network, OSI, BLSR, Protection, Software, Cross-Connect, Overhead XConnect, Diagnostic, Timing, Audit, Test Access, DWDM
8.6.2 Network View
Network view allows you to view and manage ONS 15454s that have DCC connections to the node that you logged into and any login node groups you have selected (Figure 8-6).
Figure 8-6 Network in CTC Network View
Note Nodes with DCC connections to the login node do not appear if you checked the Disable Network
Discovery check box in the Login dialog box.
The graphic area displays a background image with colored ONS 15454 icons. A Superuser can set up
the logical network view feature, which enables each user to see the same network view. Selecting a node
or span in the graphic area displays information about the node and span in the status area.
8.6.2.1 Network View Tabs
Table 8-8 lists the tabs and subtabs available in network view.
[Figure 8-6 callouts: bold letters indicate the login node and an asterisk indicates the topology host; icon color indicates node status; dots indicate the selected node]
Table 8-8 Network View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the network and updates them in real time. | —
Conditions | Displays a list of standing conditions on the network. | —
History | Provides a history of network alarms including date, type, and severity of each alarm. | —
Circuits | Creates, deletes, edits, filters, and searches for network circuits and rolls. | Circuits, Rolls
Provisioning | Provisions security, alarm profiles, bidirectional line switched rings (BLSRs), overhead circuits, server trails, and loads/manages a VLAN database. | Security, Alarm Profiles, BLSR, Overhead Circuits, Server Trails, VLAN DB Profile
Maintenance | Displays the working and protect software versions and allows software to be downloaded, retrieves Open Shortest Path First (OSPF) node information, and displays the list of automatic power control (APC) domains for a network. | Software, Diagnostic, APC
8.6.2.2 CTC Node Colors
The color of a node in network view, shown in Table 8-9, indicates the node alarm status.
Table 8-9 Node Status Shown in Network View
Color | Alarm Status
Green | No alarms
Yellow | Minor alarms
Orange | Major alarms
Red | Critical alarms
Gray with Unknown# | Node initializing for the first time (CTC displays Unknown# because CTC has not discovered the name of the node yet)
8.6.2.3 DCC Links
The lines show DCC connections between the nodes (Table 8-10). DCC connections can be green (active) or gray (fail). The lines can also be solid (circuits can be routed through this link) or dashed (circuits cannot be routed through this link). Circuit provisioning uses active/routable links.
Table 8-10 DCC Colors Indicating State in Network View
Color and Line Style | State
Green and solid | Active/Routable
Green and dashed | Active/Nonroutable
Gray and solid | Failed/Routable
Gray and dashed | Failed/Nonroutable
8.6.2.4 Link Consolidation
CTC provides the ability to consolidate the DCC, general communications channel (GCC), optical
transport section (OTS), provisionable patchcord (PPC), and server trail links shown in the network
view. Link consolidation allows you to condense multiple inter-nodal links into a single link. The link
consolidation sorts links by class; for example, all DCC links are consolidated together. You can access
individual links within consolidated links using the right-click shortcut menu.
Each link has an associated icon (Table 8-11).
Note Link consolidation is only available on non-detailed maps. Non-detailed maps display nodes in icon
form instead of detailed form, meaning the nodes appear as rectangles with ports on the sides. Refer to
the Cisco ONS 15454 Procedure Guide for more information about consolidated links.
8.6.3 Card View
The card view provides information about individual ONS 15454 cards. Use this window to perform
card-specific maintenance and provisioning (Figure 8-7). A graphic showing the ports on the card is
shown in the graphic area. The status area displays the node name, slot, number of alarms, card type,
equipment type, and the card status (active or standby), card service state if the card is present, and port
service state (described in Table 8-6 on page 8-11). The information that appears and the actions you can
perform depend on the card. For more information about card service states, see Appendix B,
“Administrative and Service States.”
Table 8-11 Link Icons
Icon | Description
[icon image] | DCC icon
[icon image] | GCC icon
[icon image] | OTS icon
[icon image] | PPC icon
[icon image] | Server Trail icon
Figure 8-7 CTC Card View Showing a DS1 Card
Note CTC provides a card view for all ONS 15454 cards except the TCC2, TCC2P, XCVT, XC10G, and
XC-VXC-10G cards. Provisioning for these common control cards occurs at the node view; therefore,
no card view is necessary.
Use the card view tabs and subtabs shown in Table 8-12 to provision and manage the ONS 15454. The
subtabs, fields, and information shown under each tab depend on the card type selected. The
Performance tab is not available for the Alarm Interface Controller-International (AIC-I) cards.
Table 8-12 Card View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the card and updates them in real time. | —
Conditions | Displays a list of standing conditions on the card. | —
History | Provides a history of card alarms including date, object, port, and severity of each alarm. | Session (displays alarms and events for the current session), Card (displays alarms and events retrieved from a fixed-size log on the card)
Circuits | Creates, deletes, edits, and searches circuits and rolls. | Circuits, Rolls
Provisioning | Provisions an ONS 15454 card. | DS-N and OC-N cards: Line, Line Thresholds (different threshold options are available for electrical and optical cards), Elect Path Thresholds, SONET Thresholds, Alarm Profiles. Ethernet cards (subtabs depend on the card type): Line, Line Thresholds, Electrical Path Thresholds, SONET Thresholds, Port, RMON Thresholds, VLAN, Card, Alarm Profiles
Maintenance | Performs maintenance tasks for the card. | DS-N and OC-N cards: Loopback, ALS, Info, Protection, Path Trace, Bandwidth, AINS Soak. Ethernet cards (subtabs depend on the card type): Path Trace, Loopback, Allocation, AINS Soak, Ether Port Soak, RPR Span Soak
Performance | Performs performance monitoring for the card. | DS-N and OC-N cards: no subtabs. Ethernet cards: Statistics, Utilization, History
Inventory | Displays an Inventory screen of the ports (TXP and MXP cards only). | —
8.6.4 Print or Export CTC Data
You can use the File > Print or File > Export options to print or export CTC provisioning information for record keeping or troubleshooting. The functions can be performed in card, node, or network views. The File > Print function sends the data to a local or network printer. File > Export exports the data to a file where it can be imported into other computer applications, such as spreadsheets and database management programs.
Whether you choose to print or export data, you can choose from the following options:
• Entire frame—Prints or exports the entire CTC window including the graphical view of the card, node, or network. This option is available for all windows.
• Tabbed view—Prints or exports the lower half of the CTC window containing tabs and data. The printout includes the selected tab (on top) and the data shown in the tab window. For example, if you print the History window Tabbed view, you print only history items appearing in the window. This option is available for all windows.
• Table Contents—Prints or exports CTC data in table format without graphical representations of shelves, cards, or tabs. The Table Contents option prints all the data contained in a table with the same column headings. For example, if you print the History window Table Contents view, you print all data included in the table whether or not items appear in the window.
The Table Contents option does not apply to all windows; for a list of windows that do not support print or export, see the Cisco ONS 15454 Procedure Guide.
8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes
The CTC Launcher application is an executable file, StartCTC.exe, that is provided on Software
Release 9.1, 9.2, and 9.2.1 CDs for Cisco ONS products. You can use CTC Launcher to log into multiple
ONS nodes that are running CTC Software Release 3.3 or higher, without using a web browser.
CTC Launcher provides two connection options. The first option is used to connect to ONS network
elements (NEs) that have an IP connection to the CTC computer. The second option is used to connect
to ONS NEs that reside behind third party, OSI-based gateway network elements (GNEs). For this
option, CTC Launcher creates a TL1 tunnel to transport the TCP traffic through the OSI-based GNE.
The TL1 tunnel transports the TCP traffic to and from ONS ENEs through the OSI-based GNE. TL1
tunnels are similar to the existing static IP-over-CLNS tunnels, GRE and Cisco IP, that can be created
at ONS NEs using CTC. (Refer to the Cisco ONS product documentation for information about static
IP-over-CLNS tunnels.) However, unlike the static IP-over-CLNS tunnels, TL1 tunnels require no
provisioning at the ONS ENE, the third-party GNE, or DCN routers. All provisioning occurs at the CTC
computer when the CTC Launcher is started.
Figure 8-8 shows examples of two static IP-over-CLNS tunnels. A static Cisco IP tunnel is created from
ENE 1 through other vendor GNE 1 to a DCN router, and a static GRE tunnel is created from ONS ENE 2
to the other vendor GNE 2. For both static tunnels, provisioning is required on the ONS ENEs. In
addition, a Cisco IP tunnel must be provisioned on the DCN router and a GRE tunnel provisioned on
GNE 2.
Figure 8-8 Static IP-Over-CLNS Tunnels
Figure 8-9 shows the same network using TL1 tunnels. Tunnel provisioning occurs at the CTC computer
when the tunnel is created with the CTC Launcher. No provisioning is needed at ONS NEs, GNEs or
routers.
[Figure 8-8 callouts: CTC; Central office; IP DCN; IP + OSI; Other vendor GNE 1; Other vendor GNE 2; ONS ENE 1; ONS ENE 2; IP-over-CLNS tunnel (two); IP; OSI/DCC (two); IP/DCC (two); Tunnel provisioning (four points)]
Figure 8-9 TL1 Tunnels
TL1 tunnels provide several advantages over static IP-over-CLNS tunnels. Because tunnel provisioning
is needed only at the CTC computer, they are faster to set up. Because they use TL1 for TCP transport,
they are more secure. TL1 tunnels also provide better flow control. On the other hand, IP-over-CLNS
tunnels require less overhead and usually provide a slight performance edge over TL1 tunnels
(depending on network conditions). TL1 tunnels do not support all IP applications, such as SNMP and
RADIUS Authentication. Table 8-13 shows a comparison between the two types of tunnels.
[Figure 8-9 callouts: CTC; Central office; IP DCN; IP + OSI; Other vendor GNE 1; Other vendor GNE 2; ONS ENE 1; ONS ENE 2; TL1 tunnel (two); IP; OSI/DCC (two); IP/DCC (two); Tunnel provisioning (one point)]
Table 8-13 TL1 and Static IP-Over-CLNS Tunnels Comparison
Category | Static IP-Over-CLNS | TL1 Tunnel | Comments
Setup | Complex | Simple | Requires provisioning at ONS NE, GNE, and DCN routers. For TL1 tunnels, provisioning is needed at the CTC computer.
Performance | Best | Average to good | Static tunnels generally provide better performance than TL1 tunnels, depending on the TL1 encoding used. LV+Binary provides the best performance. Other encoding will produce slightly slower TL1 tunnel performance.
Support all IP applications | Yes | No | TL1 tunnels do not support SNMP or RADIUS Server IP applications.
ITU Standard | Yes | No | Only the static IP-over-CLNS tunnels meet ITU standards. TL1 tunnels are new.
Tunnel traffic control | Good | Very good | Both tunnel types provide good traffic control.
Security setup | Complex | No setup needed | Static IP-over-CLNS tunnels require careful planning. Because TL1 tunnels are carried by TL1, no security provisioning is needed.
Potential to breach DCN from DCC using IP | Possible | Not possible | A potential exists to breach a DCN from a DCC using IP. This potential does not exist for TL1 tunnels.
IP route management | Expensive | Automatic | For static IP-over-CLNS tunnels, route changes require manual provisioning at network routers, GNEs, and ENEs. For TL1 tunnels, route changes are automatic.
Flow control | Weak | Strong | TL1 tunnels provide the best flow control.
Bandwidth sharing among multiple applications | Weak | Best | —
Tunnel lifecycle | Fixed | CTC session | TL1 tunnels are terminated when the CTC session ends. Static IP-over-CLNS tunnels exist until they are deleted in CTC.
TL1 tunnel specifications and general capabilities include:
• Each tunnel generally supports six to eight ENEs, depending on the number of tunnels at the ENE.
• Each CTC session can support up to 32 tunnels.
• The TL1 tunnel database is stored locally in the CTC Preferences file.
• Automatic tunnel reconnection when the tunnel goes down.
• Each ONS NE can support at least 16 concurrent tunnels.
8.8 TCC2/TCC2P Card Reset
You can reset the ONS 15454 TCC2/TCC2P card by using CTC (a soft reset) or by physically reseating a TCC2/TCC2P card (a hard reset). A soft reset reboots the TCC2/TCC2P card and reloads the operating system and the application software. A hard reset additionally removes power from the TCC2/TCC2P card temporarily and clears all buffer memory.
You can apply a soft reset from CTC to either an active or standby TCC2/TCC2P card without affecting traffic. If you need to perform a hard reset on an active TCC2/TCC2P card, put the TCC2/TCC2P card into standby mode first by performing a soft reset.
Note When a CTC reset is performed on an active TCC2/TCC2P card, the AIC-I cards go through an initialization process and also reset because AIC-I cards are controlled by the active TCC2/TCC2P.
8.9 TCC2/TCC2P Card Database
When dual TCC2/TCC2P cards are installed in the ONS 15454, each TCC2/TCC2P card hosts a separate database; therefore, the protect card database is available if the database on the working TCC2/TCC2P fails. You can also store a backup version of the database on the workstation running CTC. This operation should be part of a regular ONS 15454 maintenance program at approximately weekly intervals, and should also be completed when preparing an ONS 15454 for a pending natural disaster, such as a flood or fire.
A database backup may be restored in two ways, partial or complete. A partial database restore operation restores only the provisioning data. A complete database restore operation restores both system and provisioning data. For more information on restoring a database, refer to the Cisco ONS 15454 Procedure Guide.
Note The following parameters are not backed up and restored: node name, IP address, mask and gateway, and Internet Inter-ORB Protocol (IIOP) port. If you change the node name and then restore a backed up database with a different node name, the circuits map to the new node name. Cisco recommends keeping a record of the old and new node names.
Note To avoid a node IP and secure IP ending up in the same domain after restoring a database, ensure that the node IP stored in the database differs in domain from that of the node in repeater mode. Also, after restoring a database, ensure that the node IP and secure IP differ in domain.
8.10 Software Revert
When you click the Activate button after a software upgrade, the TCC2/TCC2P copies the current
working database and saves it in a reserved location in the TCC2/TCC2P flash memory. If you later need
to revert to the original working software load from the protect software load, the saved database installs
automatically. You do not need to restore the database manually or recreate circuits.
Note The TCC2/TCC2P card does not carry any software earlier than Software R4.0. You will not be able to
revert to a software release earlier than Software R4.0 with TCC2/TCC2P cards installed.
The revert feature is useful if a maintenance window closes while you are upgrading CTC software. You
can revert to the protect software load without losing traffic. When the next maintenance window opens,
complete the upgrade and activate the new software load.
Circuits created and provisioning done after a software load is activated (upgraded to a higher software
release) will be lost with a revert. The database configuration at the time of activation is reinstated after
a revert. This does not apply to maintenance reverts (for example, 4.6.2 to 4.6.1), because maintenance
releases use the same database.
To perform a supported (non-service-affecting) revert from Software R9.1 and R9.2, the release you
want to revert to must have been working at the time you first activated Software R9.1 and R9.2 on that
node. Because a supported revert automatically restores the node configuration at the time of the
previous activation, any configuration changes made after activation will be lost when you revert the
software. Downloading R9.1 and R9.2 a second time after you have activated the new load ensures that
no actual revert to a previous load can take place (the TCC2/TCC2P card will reset, but will not be traffic
affecting and will not change your database).
Chapter 9 Security
This chapter provides information about Cisco ONS 15454 users and security. To provision security,
refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 9.1 User IDs and Security Levels, page 9-1
• 9.2 User Privileges and Policies, page 9-1
• 9.3 Audit Trail, page 9-9
• 9.4 RADIUS Security, page 9-10
9.1 User IDs and Security Levels
The CISCO15 user ID is provided with the ONS 15454 for initial login to the node, but this user ID is
not supplied in the prompt when you sign into Cisco Transport Controller (CTC). This ID can be used
to set up other ONS 15454 user IDs.
You can have up to 500 user IDs on one ONS 15454. Each CTC or Transaction Language One (TL1)
user can be assigned one of the following security levels:
• Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.
• Maintenance—Users can access only the ONS 15454 maintenance options.
• Provisioning—Users can access provisioning and maintenance options.
• Superuser—Users can perform all of the functions of the other security levels as well as set names,
passwords, and security levels for other users.
See Table 9-3 on page 9-8 for idle user timeout information for each security level.
By default, multiple concurrent user ID sessions are permitted on the node; that is, multiple users can
log into a node using the same user ID. However, you can provision the node to allow only a single login
per user ID and prevent concurrent logins for all users.
9.2 User Privileges and Policies
This section lists user privileges for each CTC action and describes the security policies available to
Superusers for provisioning.
9.2.1 User Privileges by CTC Action
Table 9-1 shows the actions that each user privilege level can perform in node view.
Table 9-1 ONS 15454 Security Levels—Node View
CTC Tab | Subtab | [Subtab]:Actions | Retrieve | Maintenance | Provisioning | Superuser
Alarms | — | Synchronize/Filter/Delete Cleared Alarms | X | X | X | X
Conditions | — | Retrieve/Filter | X | X | X | X
History | Session | Filter | X | X | X | X
History | Shelf | Retrieve/Filter | X | X | X | X
Circuits | Circuits | Create/Delete | — | — | X | X
Circuits | Circuits | Edit/Filter/Search | X | X | X | X
Circuits | Rolls | Complete/Force Valid Signal/Finish | — | — | X | X
Provisioning | General | General: Edit | — | — | Partial [1] | X
Provisioning | General | Multishelf Config: Edit | — | — | — | —
Provisioning | General | Power Monitor: Edit | — | — | X | X
Provisioning | EtherBridge | Spanning trees: Edit | — | — | X | X
Provisioning | Network | General: Edit | — | — | — | X
Provisioning | Network | Static Routing: Create/Edit/Delete | — | — | X | X
Provisioning | Network | OSPF: Create/Edit/Delete | — | — | X | X
Provisioning | Network | RIP: Create/Edit/Delete | — | — | X | X
Provisioning | Network | Proxy: Create/Edit/Delete | — | — | — | X
Provisioning | Network | Firewall: Create/Edit/Delete | — | — | — | X
Provisioning | OSI | Main Setup: Edit | — | — | — | X
Provisioning | OSI | TARP: Config: Edit | — | — | — | X
Provisioning | OSI | TARP: Static TDC: Add/Edit/Delete | — | — | X | X
Provisioning | OSI | TARP: MAT: Add/Edit/Remove | — | — | X | X
Provisioning | OSI | Routers: Setup: Edit | — | — | — | X
Provisioning | OSI | Routers: Subnets: Edit/Enable/Disable | — | — | X | X
Provisioning | OSI | Tunnels: Create/Edit/Delete | — | — | X | X
Provisioning | BLSR | Create/Edit/Delete/Upgrade | — | — | X | X
Provisioning | BLSR | Ring Map/Squelch Table/RIP Table | X | X | X | X
Provisioning | Protection | Create/Edit/Delete | — | — | X | X
Provisioning | Security | Users: Create/Delete/Clear Security Intrusion Alarm | — | — | — | X
Provisioning | Security | Users: Edit | Same user | Same user | Same user | All users
Provisioning | Security | Active Logins: View/Logout/Retrieve Last Activity Time | — | — | — | X
Provisioning | Security | Policy: Edit/View (Prevent superuser disable - NE default) | — | — | — | X
Provisioning | Security | Access: Edit/View | — | — | — | X
Provisioning | Security | RADIUS Server: Create/Edit/Delete/Move Up/Move Down/View | — | — | — | X
Provisioning | Security | Legal Disclaimer: Edit | — | — | — | X
Provisioning | SNMP | Create/Edit/Delete | — | — | X | X
Provisioning | SNMP | Browse trap destinations | X | X | X | X
Provisioning | Comm Channels | SDCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | LDCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | GCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | OSC: OSC Terminations: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | PPC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | LMP: General/TE Links/Data Links | X | X | X | X
Provisioning | Comm Channels | LMP: Control Channels | — | — | — | X
Provisioning | Timing | General: Edit | — | — | X | X
Provisioning | Timing | BITS Facilities: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Behavior: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profile Editor: Store/Delete [2] | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profile Editor: New/Load/Compare/Available/Usage | X | X | X | X
Provisioning | Cross-Connect | Edit | — | — | X | X
Provisioning | Defaults | Edit/Import | — | — | — | X
Provisioning | Defaults | Reset/Export | X | X | X | X
Provisioning | WDM-ANS | Provisioning: Edit | — | — | — | X
Provisioning | WDM-ANS | Provisioning: Reset | X | X | X | X
Provisioning | WDM-ANS | Internal Patchcords: Create/Edit/Delete/Commit/Default Patchcords | — | — | X | X
Provisioning | WDM-ANS | Port Status: Launch ANS | — | — | — | X
Provisioning | WDM-ANS | Node Setup | X | X | X | X
Provisioning | WDM-ANS | Optical Side: Create/Edit/Delete | X | X | X | X
Inventory | — | Delete | — | — | X | X
Inventory | — | Reset | — | X | X | X
Maintenance | Database | Backup | — | X | X | X
Maintenance | Database | Restore | — | — | — | X
Maintenance | EtherBridge | Spanning Trees | X | X | X | X
Maintenance | EtherBridge | MAC Table: Retrieve | X | X | X | X
Maintenance | EtherBridge | MAC Table: Clear/Clear All | — | X | X | X
Maintenance | EtherBridge | Trunk Utilization: Refresh | X | X | X | X
Maintenance | EtherBridge | Circuits: Refresh | X | X | X | X
Maintenance | Network | Routing Table: Retrieve | X | X | X | X
Maintenance | Network | RIP Routing Table: Retrieve | X | X | X | X
Maintenance | OSI | IS-IS RIB: Refresh | X | X | X | X
Maintenance | OSI | ES-IS RIB: Refresh | X | X | X | X
Maintenance | OSI | TDC: TID to NSAP/Flush Dynamic Entries | — | X | X | X
Maintenance | OSI | TDC: Refresh | X | X | X | X
Maintenance | BLSR | Edit/Reset | — | X | X | X
Maintenance | Protection | Switch/Lock out/Lockon/Clear/Unlock | — | X | X | X
Maintenance | Software | Download/Cancel | — | X | X | X
Maintenance | Software | Activate/Revert | — | — | — | X
Maintenance | Cross-Connect | Cards: Switch/Lock/Unlock | — | X | X | X
Maintenance | Cross-Connect | Resource Usage: Delete | — | — | X | X
Maintenance | Overhead XConnect | View | X | X | X | X
Diagnostic Retrieve Tech Support Log
Node Diagnostic Logs
(Release 9.2 and later releases)
—— X X
Lamp Test — X X X
Timing Source: Edit — X X X
Report: View/Refresh X X X X
Table 9-1 ONS 15454 Security Levels—Node View (continued)
CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser9-6
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 9 Security
9.2.1 User Privileges by CTC Action
Table 9-2 shows the actions that each user privilege level can perform in network view.
Audit Retrieve — — — X
Archive — — X X
Test Access View X X X X
DWDM APC: Run/Disable/Refresh — X X X
WDM Span Check:
Edit/Retrieve Span Loss
values/Reset
XX X X
ROADM Power Monitoring:
Refresh
XX X X
PP-MESH Internal Patchcord:
Refresh
XX X X
Install Without Metro Planner:
Retrieve Installation values
XX X X
All Facilities: Mark/Refresh X X X X
1. Provisioner user cannot change node name, contact, location, or AIS-V insertion on STS-1 signal degrade (SD) parameters.
2. The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users with the required security levels.
Table 9-1 ONS 15454 Security Levels—Node View (continued)
CTC Tab Subtab [Subtab]:Actions Retrieve Maintenance Provisioning Superuser
Table 9-2 ONS 15454 Security Levels—Network View
CTC Tab Subtab [Subtab]: Actions Retrieve Maintenance Provisioning Superuser
Alarms — Synchronize/Filter/Delete
cleared alarms
XX X X
Conditions — Retrieve/Filter X X X X
History — Filter X X X X
Circuits Circuits Create/Edit/Delete — — X X
Filter/Search X X X X
Rolls Complete, Force Valid Signal,
Finish
—— X X9-7
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 9 Security
9.2.2 Security Policies
9.2.2 Security Policies
Users with Superuser security privileges can provision security policies on the ONS 15454. These
security policies include idle user timeouts, password changes, password aging, and user lockout
parameters. In addition, a Superuser can access the ONS 15454 through the TCC2/TCC2P RJ-45 port,
the backplane LAN connection, or both. If enabled in the NE defaults, superusers can be configured to
override the inactive user timeout interval.
9.2.2.1 Superuser Privileges for Provisioning Users
Superusers can grant permission to Provisioning users to retrieve audit logs, restore databases, clear
performance monitoring (PM) parameters, activate software loads, and revert software loads. These
privileges can only be set using CTC network element (NE) defaults, except the PM clearing privilege,
which can be granted to a Provisioning user using the CTC Provisioning> Security > Access tabs. For
more information about setting up Superuser privileges, refer to the Cisco ONS 15454 Procedure Guide.
Provisioning Security Users: Create/Delete — — — X
Users: Edit Same user Same user Same user All users
Active logins:
Logout/Retrieve Last Activity
Time
—— — X
Policy: Change — — — X
Alarm Profiles Store/Delete1
—— X X
New/Load/Compare/
Available/Usage
XX X X
BLSR Create/Delete/Edit/Upgrade — — X X
Overhead Circuits Create/Delete/Edit/Merge — — X X
Search X X X X
Provisionable
Patchcords (PPC)
Create/Edit/Delete — — X X
Server Trails Create/Edit/Delete — — X X
VLAN DB Profile Load/Store/Merge/Circuits X X X X
Maintenance Software Download/Cancel — X — X
Diagnostic OSPF Node Information:
Retrieve/Clear
XX X X
APC Run APC/Disable APC — — — X
Refresh X X X X
1. The action buttons in the subtab are active for all users, but the actions can be completely performed only by the users with the required security levels.
Table 9-2 ONS 15454 Security Levels—Network View (continued)
CTC Tab Subtab [Subtab]: Actions Retrieve Maintenance Provisioning Superuser9-8
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 9 Security
9.2.2 Security Policies
9.2.2.2 Idle User Timeout
Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 9-3. The user idle period can be modified by a Superuser; refer to the Cisco ONS 15454 Procedure Guide for instructions.
9.2.2.3 User Password, Login, and Access Policies
Superusers can view real-time lists of users who are logged into CTC or TL1 by node. Superusers can also provision the following password, login, and node access policies:
• Password length, expiration, and reuse—Superusers can configure the password length using NE defaults. By default, the password length is set to a minimum of six and a maximum of 20 characters. You can configure the default values in CTC node view with the Provisioning > Defaults > Node > security > password Complexity tabs. The minimum length can be set to eight, ten, or twelve characters, and the maximum length to 80 characters. The password must be a combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #, %) characters, where at least two characters are nonalphabetic and at least one character is a special character. Superusers can specify when users must change their passwords and when they can reuse them.
• Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before users are locked out, and the length of time before inactive users are disabled.
• Node access and user sessions—Superusers can limit the number of CTC sessions a user login can have to just one session. Superusers can also prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P RJ-45 connections.
In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a terminal-remote host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecured channels. Port 22 is the default port and cannot be changed. A Superuser can also configure EMS and TL1 access states to secure and nonsecure modes.
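The password rules above can be checked before a password is ever submitted to a node. The helper below is an added example, not Cisco code and not the node's own enforcement; it lets a provisioning script reject a candidate password (for instance one generated for a new account) before it is sent over CTC or TL1, and reports every rule the candidate breaks. It assumes that the accepted special characters are exactly the three the text lists (+, #, %) and that the length bounds are passed in as the NE defaults the Superuser has chosen. The sample passwords are constructed.

```python
"""Password-complexity pre-check modelled on the ONS 15454 policy described above.
Added example, not Cisco code: it mirrors the stated rules so a provisioning script
can reject a candidate before sending it to the node. Assumptions: the accepted
special characters are exactly + # % (the three the text names); min_len/max_len
are the NE defaults the Superuser has provisioned."""

import string

LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
SPECIAL = set("+#%")                 # assumption: the three characters the manual names
MIN_LENGTH_CHOICES = (6, 8, 10, 12)  # default 6; configurable to 8, 10 or 12
MAX_LENGTH_LIMIT = 80                # default 20; configurable up to 80


def check_password(password, min_len=6, max_len=20):
    """Return the list of policy violations; an empty list means the password complies."""
    if min_len not in MIN_LENGTH_CHOICES or not min_len <= max_len <= MAX_LENGTH_LIMIT:
        raise ValueError("length bounds outside what the NE defaults allow")
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    allowed = LETTERS | DIGITS | SPECIAL
    if any(c not in allowed for c in password):
        problems.append("contains characters other than a-z, A-Z, 0-9, +, #, %")
    # "at least two characters are nonalphabetic": digits and specials both count
    non_alpha = sum(1 for c in password if c not in LETTERS)
    if non_alpha < 2:
        problems.append("fewer than two nonalphabetic characters")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character (+, #, %)")
    return problems


def is_compliant(password, min_len=6, max_len=20):
    """True when check_password finds nothing to object to."""
    return not check_password(password, min_len, max_len)


if __name__ == "__main__":
    for candidate in ("Ab3#5x", "abcdef", "Ab3#5x!"):   # constructed samples
        print(candidate, check_password(candidate) or "ok")
```

Run the check with the same minimum and maximum that are provisioned on the node, otherwise a password the script accepts can still be refused by the NE.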
9.2.2.4 Secure Access
Secure access is based on the SSH and SSL protocols. Secure access can be enabled for EMS (applicable to CTC). When access is set to secure, CTC provides enhanced SFTP and SSH security when communicating with the node.
For more information on how to enable EMS secure access, refer to the Cisco ONS 15454 Procedure Guide.
Table 9-3 ONS 15454 Default User Idle Times
Security Level | Idle Time
Superuser | 15 minutes
Provisioning | 30 minutes
Maintenance | 60 minutes
Retrieve | Unlimited
9.3 Audit Trail
The Cisco ONS 15454 maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the
TCC2/TCC2P card. Audit trails are useful for maintaining security, recovering lost transactions, and
enforcing accountability. Accountability refers to tracing user activities; that is, associating a process or
action with a specific user. The audit trail log shows who has accessed the system and what operations
were performed during a given period of time. The log includes authorized Cisco support logins and
logouts using the operating system command line interface (CLI), CTC, and TL1; the log also includes FTP
actions, circuit creation/deletion, and user/system generated actions.
Event monitoring is also recorded in the audit log. An event is defined as a change in the status of a network element. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.
To view the audit trail log, refer to the Cisco ONS 15454 Procedure Guide. You can access the audit trail
logs from any management interface (CTC, CTM, TL1).
The audit trail is stored in persistent memory and is not corrupted by processor switches, resets, or
upgrades. However, if you remove both TCC2/TCC2P cards, the audit trail log is lost.
9.3.1 Audit Trail Log Entries
Table 9-4 lists the columns shown in the Audit Trail window.
Audit trail records capture the following activities:
• User—Name of the user performing the action
• Host—Host from where the activity is logged
• Device ID—IP address of the device involved in the activity
• Application—Name of the application involved in the activity
• Task—Name of the task involved in the activity (view a dialog box, apply configuration, etc.)
• Connection Mode—Telnet, Console, SNMP
• Category—Type of change (Hardware, Software, Configuration)
• Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)
• Time—Time of change
• Message Type—Whether the event is Success/Failure type
• Message Details—Description of the change
Table 9-4 Audit Trail Window Columns
Heading | Explanation
Date | Date when the action occurred
Num | Incrementing count of actions
User | User ID that initiated the action
P/F | Pass/Fail (whether or not the action was executed)
Operation | Action that was taken
9.3.2 Audit Trail Capacities
The ONS 15454 can store 640 log entries. When this limit is reached, the oldest entries are overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is raised and logged (by way of CORBA/CTC).
When the log server reaches the maximum capacity of 640 entries and begins overwriting records that were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until you off-load the file, this event does not occur a second time, regardless of the number of entries that are overwritten by incoming data. To export the audit trail log, refer to the Cisco ONS 15454 Procedure Guide.
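The capacity behaviour above decides how often an operator must export the log to keep an unbroken record. The model below is an added example, not Cisco's implementation: it treats the log as a 640-entry ring buffer, raises AUD-LOG-LOW when the buffer is 80 percent full, raises AUD-LOG-LOSS once when an entry that was never off-loaded is overwritten, re-arms that condition only after an off-load, and counts how many unarchived entries were actually lost. The record fields follow Table 9-4 (Num, User, P/F, Operation); the entries fed into it and the simulate helper are constructed for the example.

```python
"""Added model of the ONS 15454 audit-log capacity behaviour; not Cisco code.
Numbers come from the text: 640 entries, AUD-LOG-LOW at 80 percent full,
AUD-LOG-LOSS when an unarchived entry is overwritten, latched until off-load.
The record layout (Num, User, P/F, Operation) follows Table 9-4; the entries
written below are constructed for the example."""

from collections import deque

CAPACITY = 640
LOW_WATERMARK = CAPACITY * 80 // 100   # 512 entries


class AuditLog:
    def __init__(self):
        self.entries = deque()        # oldest entry first
        self.num = 0                  # incrementing "Num" column
        self.archived_through = 0     # highest Num already off-loaded
        self.loss_latched = False     # AUD-LOG-LOSS raised since the last off-load
        self.conditions = []          # conditions raised, in order
        self.lost = 0                 # unarchived entries that were overwritten

    def record(self, user, operation, passed=True):
        """Append one entry, overwriting the oldest one when the log is full."""
        if len(self.entries) == CAPACITY:
            oldest = self.entries.popleft()
            if oldest["num"] > self.archived_through:
                self.lost += 1
                if not self.loss_latched:          # raised once until the next off-load
                    self.conditions.append("AUD-LOG-LOSS")
                    self.loss_latched = True
        self.num += 1
        self.entries.append({"num": self.num, "user": user,
                             "pf": "P" if passed else "F", "operation": operation})
        if len(self.entries) == LOW_WATERMARK:      # the ring never shrinks, so this fires once
            self.conditions.append("AUD-LOG-LOW")

    def offload(self):
        """Export every entry currently held (the archive step); re-arms AUD-LOG-LOSS."""
        exported = list(self.entries)
        self.archived_through = self.num
        self.loss_latched = False
        return exported

    def fill_level(self):
        return len(self.entries) / CAPACITY


def simulate(writes_before_offload, writes_after_offload):
    """Drive the model with a write pattern; return (conditions raised, entries lost)."""
    log = AuditLog()
    for i in range(writes_before_offload):
        log.record("operator1", f"op-{i}")          # constructed entries
    log.offload()
    for i in range(writes_after_offload):
        log.record("operator1", f"op-{i}")
    return log.conditions, log.lost


if __name__ == "__main__":
    print(simulate(700, 641))   # LOW, LOSS, then LOSS again after the off-load
```

The practical reading: treat AUD-LOG-LOW as the trigger to export, because after it there are at most 128 more writes before unarchived records start to disappear, and after an export the next 640 writes are safe.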
9.4 RADIUS Security
Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User
Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication,
authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the
actions of remote users.
The RADIUS server supports IPv6 addresses and can process authentication requests from a GNE or an ENE that uses IPv6 addresses.
9.4.1 RADIUS Authentication
RADIUS is a system of distributed security that secures remote access to networks and network services
against unauthorized access. RADIUS comprises three components:
• A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP
• A server
• A client
The server runs on a central computer, typically at a customer site, while the clients reside in the dial-up
access servers and can be distributed throughout the network.
An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user
information to designated RADIUS servers, and then acting on the response that is returned. RADIUS
servers are responsible for receiving user connection requests, authenticating the user, and returning all
configuration information necessary for the client to deliver service to the user. The RADIUS servers
can act as proxy clients to other kinds of authentication servers. Transactions between the RADIUS
client and server are authenticated through the use of a shared secret, which is never sent over the
network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This
eliminates the possibility that someone monitoring an unsecured network could determine a user's
password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing
RADIUS authentication.
9.4.2 Shared Secrets
A shared secret is a text string that serves as a password between:
• A RADIUS client and RADIUS server
• A RADIUS client and a RADIUS proxy
• A RADIUS proxy and a RADIUS server
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared
secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared
secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request
message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared
secrets also verify that the RADIUS message has not been modified in transit (message integrity). The
shared secret is also used to encrypt some RADIUS attributes, such as User-Password and
Tunnel-Password.
When creating and using a shared secret:
• Use the same case-sensitive shared secret on both RADIUS devices.
• Use a different shared secret for each RADIUS server-RADIUS client pair.
• To ensure a random shared secret, generate a random sequence at least 22 characters long.
• You can use any standard alphanumeric and special characters.
• You can use a shared secret of up to 128 characters in length. To protect your server and your
RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
• Make the shared secret a random sequence of letters, numbers, and punctuation and change it often
to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should
contain characters from each of the three groups listed in Table 9-5.
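The list above says how to choose a secret; the block below, an added example rather than Cisco's or any RADIUS server's own code, shows what the secret is then used for on the client side, following the RFC 2865 algorithms: generating a secret that meets the length and character-group guidance, hiding the User-Password attribute with MD5(secret + Request Authenticator), and verifying the Response Authenticator of a server reply so that a reply produced without the right secret is discarded. The packet bytes, Request Authenticator, and secrets in the block are constructed, and the function names are this example's own.

```python
"""What a RADIUS shared secret is used for, as an added example (not Cisco code and
not a RADIUS server's implementation): generate a secret that follows the guidance
above, hide the User-Password attribute, and verify a reply's Response
Authenticator, using the RFC 2865 algorithms. Standard library only; the packets
and authenticators built here are constructed for the example."""

import hashlib
import secrets
import string
import struct

CHARACTER_GROUPS = (string.ascii_letters, string.digits, string.punctuation)
ACCESS_ACCEPT = 2
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def generate_shared_secret(length=32):
    """Random secret of 22 to 128 characters containing letters, digits and punctuation."""
    if not 22 <= length <= 128:
        raise ValueError("use 22 to 128 characters")
    alphabet = "".join(CHARACTER_GROUPS)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in group for c in candidate) for group in CHARACTER_GROUPS):
            return candidate


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    the first block using the Request Authenticator. Only the secret holder can undo it."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not 16 <= len(padded) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password (what the server does); trailing padding is removed."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code, identifier, attributes, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the authenticator; a mismatch means the reply was not produced
    with our secret for our request (or was altered in transit) and must be discarded."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = build_response(code, identifier, packet[HEADER_LEN:], request_authenticator, secret)
    return secrets.compare_digest(expected[4:HEADER_LEN], packet[4:HEADER_LEN])


if __name__ == "__main__":
    secret = generate_shared_secret().encode()
    request_auth = secrets.token_bytes(16)                 # constructed Request Authenticator
    reply = build_response(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    print(verify_response(reply, request_auth, secret))   # True with the right secret
```

Two points the code makes visible: the Access-Request itself carries no authenticator check, which is why the text excludes it from what the secret verifies, and the User-Password hiding is an MD5 keystream, so a short or guessable secret turns a captured exchange into an offline guessing problem.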
The stronger your shared secret, the more secure are the attributes (for example, those used for
passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is
8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m
Timing > Report tabs show current timing information for an ONS 15454, including the timing mode, clock state and status, switch type, and reference data.
Caution Mixed timing allows you to select both external and line timing sources. However, Cisco does not
recommend its use because it can create timing loops. Use this mode with caution.
10.2 Network Timing
Figure 10-1 shows an ONS 15454 network timing setup example. Node 1 is set to external timing. Two
timing references are set to BITS. These are Stratum 1 timing sources wired to the BITS input pins on
the Node 1 backplane. The third reference is set to internal clock. The BITS output pins on the backplane
of Node 3 are used to provide timing to outside equipment, such as a digital access line multiplexer.
In the example, Slots 5 and 6 contain the trunk (span) cards. Timing at Nodes 2, 3, and 4 is set to line,
and the timing references are set to the trunk cards based on distance from the BITS source. Reference 1
is set to the trunk card closest to the BITS source. At Node 2, Reference 1 is Slot 5 because it is
connected to Node 1. At Node 4, Reference 1 is set to Slot 6 because it is connected to Node 1. At
Node 3, Reference 1 could be either trunk card because they are an equal distance from Node 1.
Figure 10-1 ONS 15454 Timing Example
[Figure 10-1 content: Node 1, Timing External, Ref 1: BITS1, Ref 2: BITS2, Ref 3: Internal (ST3), with the BITS1 and BITS2 sources wired to its backplane; Node 2, Timing Line, Ref 1: Slot 5, Ref 2: Slot 6, Ref 3: Internal (ST3); Node 3, Timing Line, Ref 1: Slot 5, Ref 2: Slot 6, Ref 3: Internal (ST3), with BITS1 out and BITS2 out feeding third-party equipment; Node 4, Timing Line, Ref 1: Slot 6, Ref 2: Slot 5, Ref 3: Internal (ST3); the nodes are interconnected through their Slot 5 and Slot 6 trunk cards]
10.3 Synchronization Status Messaging
Synchronization status messaging (SSM) is a SONET and SDH protocol that communicates information
about the quality of the timing source. SSM messages are transported as follows:
• If SSM is carried over an optical line, for both SONET and SDH the SSM is transported in the S1
byte.
• If SSM is carried over an electrical line:
– For SDH, the SSM is transported in the Sa bit of E1.
– For SONET, the SSM is transported in the outband loop code.
The SSM messages enable SONET and SDH devices to select the highest quality timing reference
automatically and to avoid timing loops.
10.3.1 SONET SSM Messages
SSM messages are either Generation 1 or Generation 2. Generation 1 is the first and most widely
deployed SSM message set. Generation 2 is a newer version. If you enable SONET SSM for the
ONS 15454, consult your timing reference documentation to determine which message set to use.
Table 10-1 and Table 10-2 show the SONET Generation 1 and Generation 2 message sets.
Table 10-1 SONET SSM Generation 1 Message Set
Message | Quality | Description
PRS | 1 | Primary reference source—Stratum 1
STU | 2 | Synchronization traceability unknown
ST2 | 3 | Stratum 2
ST3 | 4 | Stratum 3
SMC | 5 | SONET minimum clock
ST4 | 6 | Stratum 4
DUS | 7 | Do not use for timing synchronization
RES | — | Reserved; quality level set by user
Table 10-2 SONET SSM Generation 2 Message Set
Message | Quality | Description
PRS | 1 | Primary reference source—Stratum 1
STU | 2 | Synchronization traceability unknown
ST2 | 3 | Stratum 2
TNC | 4 | Transit node clock
ST3E | 5 | Stratum 3E
ST3 | 6 | Stratum 3
SMC | 7 | SONET minimum clock
ST4 | 8 | Stratum 4
DUS | 9 | Do not use for timing synchronization
RES | — | Reserved; quality level set by user
10.3.2 SDH SSM Messages
If you enable SDH SSM for the ONS 15454, consult your timing reference documentation to determine which message set to use. Table 10-3 shows the SDH SSM messages.
Table 10-3 SDH SSM Messages
Message | Quality | Description
G811 | 1 | Primary reference clock
STU | 2 | Sync traceability unknown
G812T | 3 | Transit node clock traceable
G812L | 4 | Local node clock traceable
SETS | 5 | Synchronous equipment
DUS | 6 | Do not use for timing synchronization
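As an added example (not Cisco code) of how the three message sets above drive reference selection: the block below takes the SSM received on each provisioned reference, never selects a reference that says DUS, treats RES as a level the user must provision, and picks the best quality with ties going to the higher-priority reference, which is the Ref 1/Ref 2/Ref 3 ordering of Figure 10-1. The transmit rule at the end, sending DUS back toward the reference the node is locked to, is the standard SSM loop-prevention behaviour and is an assumption here, since the text only states that SSM avoids timing loops. The reference lists and received messages are constructed.

```python
"""Timing-reference selection from SSM quality levels; an added example, not Cisco
code. The message sets are those of Tables 10-1 to 10-3 (lower number = better).
DU S is never selected, RES has no fixed level and must be given one, and ties go
to the higher-priority reference. References and received SSMs are constructed."""

SONET_GEN1 = {"PRS": 1, "STU": 2, "ST2": 3, "ST3": 4, "SMC": 5, "ST4": 6, "DUS": 7}
SONET_GEN2 = {"PRS": 1, "STU": 2, "ST2": 3, "TNC": 4, "ST3E": 5, "ST3": 6,
              "SMC": 7, "ST4": 8, "DUS": 9}
SDH = {"G811": 1, "STU": 2, "G812T": 3, "G812L": 4, "SETS": 5, "DUS": 6}
MESSAGE_SETS = {"SONET-GEN1": SONET_GEN1, "SONET-GEN2": SONET_GEN2, "SDH": SDH}


def quality(message_set, message, res_level=None):
    """Quality number of an SSM; RES takes the user-provisioned level."""
    table = MESSAGE_SETS[message_set]
    if message == "RES":
        if res_level is None:
            raise ValueError("RES has no fixed quality; provision one")
        return res_level
    if message not in table:
        raise ValueError(f"{message} is not in the {message_set} message set")
    return table[message]


def select_reference(message_set, references, res_level=None):
    """references: [(name, received_ssm), ...] in provisioned order, Ref 1 first.
    Returns (name, ssm) of the best usable reference, or None if every one says DUS."""
    best = None
    for priority, (name, ssm) in enumerate(references):
        if ssm == "DUS":
            continue                        # never time from a source that says "do not use"
        q = quality(message_set, ssm, res_level)
        if best is None or q < best[0]:     # strict < keeps the earlier reference on ties
            best = (q, priority, name, ssm)
    return None if best is None else (best[2], best[3])


def ssm_to_transmit(selected, line_to):
    """SSM a node sends on a line, given the (name, ssm) it selected. Assumption
    (standard SSM loop prevention, not spelled out in the text): send DUS back toward
    the reference the node is locked to, so the neighbour never times itself from a
    clock that is in turn timed from it; on every other line, relay the selected quality."""
    name, ssm = selected
    return "DUS" if line_to == name else ssm


if __name__ == "__main__":
    # Node 2 of Figure 10-1: Slot 5 faces the BITS-timed Node 1, Slot 6 faces Node 3.
    refs = [("Slot 5", "PRS"), ("Slot 6", "ST3"), ("Internal", "ST3")]
    chosen = select_reference("SONET-GEN1", refs)
    print(chosen, ssm_to_transmit(chosen, "Slot 5"), ssm_to_transmit(chosen, "Slot 6"))
```

Read against Figure 10-1: Node 2 locks to Slot 5 (PRS from Node 1), relays PRS toward Node 3 on Slot 6, and sends DUS back on Slot 5, so Node 1 can never pick Node 2 as its own source.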
Chapter 11 SONET Topologies and Upgrades
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This chapter explains Cisco ONS 15454 SONET topologies and upgrades. To provision topologies, refer
to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 11.1 SONET Rings and TCC2/TCC2P Cards, page 11-1
• 11.2 Bidirectional Line Switched Rings, page 11-2
• 11.3 Path Protection, page 11-13
• 11.4 Dual-Ring Interconnect, page 11-18
• 11.5 Comparison of the Protection Schemes, page 11-27
• 11.6 Subtending Rings, page 11-28
• 11.7 Linear ADM Configurations, page 11-30
• 11.8 Path-Protected Mesh Networks, page 11-30
• 11.9 Four-Shelf Node Configurations, page 11-32
• 11.10 STS around the Ring, page 11-33
• 11.11 OC-N Speed Upgrades, page 11-34
• 11.12 In-Service Topology Upgrades, page 11-40
• 11.13 Overlay Ring Circuits, page 11-43
11.1 SONET Rings and TCC2/TCC2P Cards
Table 11-1 shows the SONET rings that can be created on each ONS 15454 node using redundant TCC2/TCC2P cards.
Table 11-1 ONS 15454 Rings with Redundant TCC2/TCC2P Cards
Ring Type | Maximum Rings per Node
BLSRs | 5
2-Fiber BLSR | 5
4-Fiber BLSR | 1
Path protection with SDCC | 34 (1, 2)
Path protection with LDCC | 14 (3, 4)
Path protection with LDCC and SDCC | 26 (5)
1. Total SDCC usage must be equal to or less than 68 SDCCs.
2. See the “11.3 Path Protection” section on page 11-13.
3. Total LDCC usage must be equal to or less than 28 LDCCs.
4. See the “11.3 Path Protection” section on page 11-13.
5. Total LDCC and SDCC usage must be equal to or less than 84. When LDCC is provisioned, an SDCC termination is allowed on the same port, but is not recommended. Using SDCC and LDCC on the same port is only needed during a software upgrade if the other end of the link does not support LDCC. You can provision SDCCs and LDCCs on different ports in the same node.
11.2 Bidirectional Line Switched Rings
The ONS 15454 can support five concurrent bidirectional line switched rings (BLSRs) in one of the following configurations:
• Five two-fiber BLSRs
• Four two-fiber and one four-fiber BLSR
Each BLSR can have up to 32 ONS 15454s. Because the working and protect bandwidths must be equal, you can create only OC-12 (two-fiber only), OC-48, or OC-192 BLSRs.
Note For best performance, BLSRs should have one LAN connection for every ten nodes in the BLSR.
11.2.1 Two-Fiber BLSRs
In two-fiber BLSRs, each fiber is divided into working and protect bandwidths. For example, in an OC-48 BLSR (Figure 11-1), STSs 1 to 24 carry the working traffic, and STSs 25 to 48 are reserved for protection. Working traffic (STSs 1 to 24) travels in one direction on one fiber and in the opposite direction on the second fiber. The Cisco Transport Controller (CTC) circuit routing routines calculate the shortest path for circuits based on many factors, including user requirements, traffic patterns, and distance. For example, in Figure 11-1, circuits going from Node 0 to Node 1 typically travel on Fiber 1, unless that fiber is full, in which case circuits are routed on Fiber 2 through Node 3 and Node 2. Traffic from Node 0 to Node 2 (or Node 1 to Node 3) can be routed on either fiber, depending on circuit provisioning requirements and traffic loads.
Figure 11-1 Four-Node, Two-Fiber BLSR
The SONET K1, K2, and K3 bytes carry the information that governs BLSR protection switches. Each
BLSR node monitors the K bytes to determine when to switch the SONET signal to an alternate physical
path. The K bytes communicate failure conditions and actions taken between nodes in the ring.
If a break occurs on one fiber, working traffic targeted for a node beyond the break switches to the protect
bandwidth on the second fiber. The traffic travels in a reverse direction on the protect bandwidth until it
reaches its destination node. At that point, traffic is switched back to the working bandwidth.
Figure 11-2 shows a traffic pattern sample on a four-node, two-fiber BLSR.
[Figure 11-1 content: Node 0, Node 1, Node 2, and Node 3 on an OC-48 ring; legend: Fiber 1, Fiber 2; each fiber carries STSs 1-24 (working) and STSs 25-48 (protect)]
Figure 11-2 Four-Node, Two-Fiber BLSR Traffic Pattern Sample
Figure 11-3 shows how traffic is rerouted following a line break between Node 0 and Node 3.
• All circuits originating on Node 0 that carried traffic to Node 2 on Fiber 2 are switched to the protect
bandwidth of Fiber 1. For example, a circuit carrying traffic on STS-1 on Fiber 2 is switched to
STS-25 on Fiber 1. A circuit carried on STS-2 on Fiber 2 is switched to STS-26 on Fiber 1. Fiber 1
carries the circuit to Node 3 (the original routing destination). Node 3 switches the circuit back to
STS-1 on Fiber 2 where it is routed to Node 2 on STS-1.
• Circuits originating on Node 2 that normally carried traffic to Node 0 on Fiber 1 are switched to the
protect bandwidth of Fiber 2 at Node 3. For example, a circuit carrying traffic on STS-2 on Fiber 1
is switched to STS-26 on Fiber 2. Fiber 2 carries the circuit to Node 0 where the circuit is switched
back to STS-2 on Fiber 1 and then dropped to its destination.
[Figure 11-2 content: Node 0 to Node 3 on an OC-48 ring; traffic flow shown on Fiber 1 and Fiber 2]
Figure 11-3 Four-Node, Two-Fiber BLSR Traffic Pattern Following Line Break
11.2.2 Four-Fiber BLSRs
Four-fiber BLSRs double the bandwidth of two-fiber BLSRs. Because they allow span switching as well
as ring switching, four-fiber BLSRs increase the reliability and flexibility of traffic protection. Two
fibers are allocated for working traffic and two fibers for protection, as shown in Figure 11-4. To
implement a four-fiber BLSR, you must install four OC-48, OC-48 AS, or OC-192 cards at each BLSR
node.
[Figure 11-3 content: Node 0 to Node 3 on an OC-48 ring; traffic flow shown on Fiber 1 and Fiber 2 after the line break]
Figure 11-4 Four-Node, Four-Fiber BLSR
Four-fiber BLSRs provide span and ring switching:
• Span switching (Figure 11-5 on page 11-7) occurs when a working span fails. Traffic switches to the
protect fibers between the nodes (Node 0 and Node 1 in the example in Figure 11-5) and then returns
to the working fibers. Multiple span switches can occur at the same time.
[Figure 11-4 content: Node 0 to Node 3 on an OC-48 ring with Spans 1 to 8; legend: working fibers, protect fibers]
Figure 11-5 Four-Fiber BLSR Span Switch
• Ring switching (Figure 11-6) occurs when a span switch cannot recover traffic, such as when both
the working and protect fibers fail on the same span. In a ring switch, traffic is routed to the protect
fibers throughout the full ring.
[Figure 11-5 content: Node 0 to Node 3 on an OC-48 ring with Spans 1 to 8; legend: working fibers, protect fibers; the span switch between Node 0 and Node 1 is shown]
Figure 11-6 Four-Fiber BLSR Ring Switch
11.2.3 BLSR Bandwidth
BLSR nodes can terminate traffic coming from either side of the ring. Therefore, BLSRs are suited for
distributed node-to-node traffic applications such as interoffice networks and access networks.
BLSRs allow bandwidth to be reused around the ring and can carry more traffic than a network with
traffic flowing through one central hub. BLSRs can also carry more traffic than a path protection
configuration operating at the same OC-N rate. Table 11-2 shows the bidirectional bandwidth capacities
of two-fiber BLSRs. The capacity is the OC-N rate divided by two, multiplied by the number of nodes
in the ring minus the number of pass-through STS-1 circuits.
Table 11-3 shows the bidirectional bandwidth capacities of four-fiber BLSRs.
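The ring switch described in the 11.2.1 bullets and the capacity and reuse rules of this section can be checked against a small model. The block below is an added example (not Cisco code; the CTC routing routines are not reproduced): it routes a circuit on Fiber 1 or Fiber 2 around the four-node ring of Figures 11-1 to 11-3, maps working STS-n to protect STS-(n + rate/2) on the opposite fiber after a break, records which STS each circuit occupies on each span so that reuse on disjoint spans (Figure 11-7) is allowed but a clash on one span is rejected, and evaluates the Table 11-2 and Table 11-3 capacity formula. The node names, ring order, and circuits are constructed for the example.

```python
"""Two-fiber BLSR model: working/protect STS mapping, the ring switch after a
fiber break, bandwidth reuse on non-overlapping spans, and the ring-capacity
formula. Added example for sections 11.2.1 and 11.2.3; not Cisco code. The ring
and the circuits are constructed to match Figures 11-1 to 11-3 and 11-7."""

RING = ["Node 0", "Node 1", "Node 2", "Node 3"]   # Fiber 1 runs in list order
OC_RATES = {"OC-12": 12, "OC-48": 48, "OC-192": 192}


def route(src, dst, fiber):
    """Nodes traversed from src to dst: Fiber 1 follows ring order, Fiber 2 the reverse."""
    step = 1 if fiber == 1 else -1
    i, hops = RING.index(src), [src]
    while hops[-1] != dst:
        i = (i + step) % len(RING)
        hops.append(RING[i])
    return hops


def protect_sts(oc_rate, sts):
    """Working STS-n maps to protect STS-(n + rate/2) on the opposite fiber."""
    half = OC_RATES[oc_rate] // 2
    if not 1 <= sts <= half:
        raise ValueError(f"STS-{sts} is not in the working range 1-{half} of {oc_rate}")
    return sts + half


def ring_switch(src, dst, fiber, oc_rate, sts, broken_span):
    """Hops (fiber, sts, from, to) a circuit uses once broken_span has failed.
    The node on the near side of the break loops traffic the long way round the
    ring on the protect STS of the other fiber; the far-side node switches it
    back to the working STS and the original fiber."""
    other = 3 - fiber
    hops = []
    work = route(src, dst, fiber)
    for a, b in zip(work, work[1:]):
        if {a, b} == set(broken_span):
            loop = route(a, b, other)
            hops += [(other, protect_sts(oc_rate, sts), x, y) for x, y in zip(loop, loop[1:])]
        else:
            hops.append((fiber, sts, a, b))
    return hops


def span_usage(circuits):
    """Map (span, sts) -> (src, dst) for working circuits given as (src, dst, fiber, sts).
    A circuit occupies its STS only on the spans it traverses, so different circuits
    may share an STS on disjoint spans; a clash on one span raises ValueError."""
    used = {}
    for src, dst, fiber, sts in circuits:
        r = route(src, dst, fiber)
        for a, b in zip(r, r[1:]):
            key = (frozenset((a, b)), sts)
            if key in used:
                raise ValueError(f"STS-{sts} already used on span {a}-{b} by {used[key]}")
            used[key] = (src, dst)
    return used


def ring_capacity(oc_rate, nodes, pass_through, four_fiber=False):
    """Tables 11-2 and 11-3: (rate/2 for two-fiber, rate for four-fiber) x N minus
    the number of pass-through STS-1 circuits."""
    per_span = OC_RATES[oc_rate] if four_fiber else OC_RATES[oc_rate] // 2
    return per_span * nodes - pass_through


if __name__ == "__main__":
    # Figure 11-3, first bullet: Node 0 -> Node 2 on Fiber 2, STS-1, break between Node 0 and Node 3
    for hop in ring_switch("Node 0", "Node 2", 2, "OC-48", 1, ("Node 0", "Node 3")):
        print(hop)
```

The first bullet of the Figure 11-3 discussion comes out as three protect hops on Fiber 1 STS-25 from Node 0 through Node 1 and Node 2 to Node 3, then one working hop back to Node 2 on Fiber 2 STS-1; note that the circuit passes its own destination on the protect path, which is exactly the behaviour the text describes.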
[Figure 11-6 content: Node 0 to Node 3 on an OC-48 ring with Spans 1 to 8; legend: working fibers, protect fibers; the ring switch around the protect fibers is shown]
Table 11-2 Two-Fiber BLSR Capacity
OC Rate | Working Bandwidth | Protection Bandwidth | Ring Capacity
OC-12 | STS 1-6 | STS 7-12 | 6 x N (1) – PT (2)
OC-48 | STS 1-24 | STS 25-48 | 24 x N – PT
OC-192 | STS 1-96 | STS 97-192 | 96 x N – PT
1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the traffic pattern).
Table 11-3 Four-Fiber BLSR Capacity
OC Rate | Working Bandwidth | Protection Bandwidth | Ring Capacity
OC-48 | STS 1-48 (Fiber 1) | STS 1-48 (Fiber 2) | 48 x N (1) – PT (2)
OC-192 | STS 1-192 (Fiber 1) | STS 1-192 (Fiber 2) | 192 x N – PT
1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the traffic pattern).
Figure 11-7 shows an example of BLSR bandwidth reuse. The same STS carries three different traffic sets simultaneously on different spans around the ring: one set from Node 3 to Node 1, another set from Node 1 to Node 2, and another set from Node 2 to Node 3.
Figure 11-7 BLSR Bandwidth Reuse
[Figure 11-7 content: Node 0 to Node 3; STS#1 shown on each span; legend: Node 3 – Node 1 traffic, Node 1 – Node 2 traffic, Node 2 – Node 3 traffic]
11.2.4 BLSR Application Example
Figure 11-8 shows a two-fiber BLSR implementation example with five nodes. A regional long-distance network connects to other carriers at Node 0. Traffic is delivered to the service provider’s major hubs.
• Carrier 1 delivers six DS-3s over two OC-3 spans to Node 0. Carrier 2 provides twelve DS-3s directly. Node 0 receives the signals and delivers them around the ring to the appropriate node.
• The ring also brings 14 DS-1s back from each remote site to Node 0. Intermediate nodes serve these shorter regional connections.
• The ONS 15454 OC-3 card supports a total of four OC-3 ports so that two additional OC-3 spans
can be added at little cost.
Figure 11-8 Five-Node Two-Fiber BLSR
Figure 11-9 shows the shelf assembly layout for Node 0, which has one free slot.
[Figure 11-8 content: five-node ring, Node 0 to Node 4, with Fiber 1 and Fiber 2; Carrier 1 delivers 2 OC-3s and Carrier 2 delivers 12 DS-3s to Node 0, which serves 56 local DS-1s; the four remote nodes receive 4, 8, 4, and 2 DS-3s respectively and each returns 14 DS-1s to Node 0]
Figure 11-9 Shelf Assembly Layout for Node 0 in Figure 11-8
Figure 11-10 shows the shelf assembly layout for the remaining sites in the ring. In this BLSR
configuration, an additional eight DS-3s at Node IDs 1 and 3 can be activated. An additional four DS-3s
can be added at Node 4, and ten DS-3s can be added at Node 2. Each site has free slots for future traffic
needs.
Figure 11-10 Shelf Assembly Layout for Nodes 1 to 4 in Figure 11-8
[Figure 11-9 graphic: Node 0 shelf with four DS1-14 cards and one DS1N-14 card, one free slot, the common cards (TCC2/TCC2P, Cross Connect, AIC-I (Optional), Cross Connect, TCC2/TCC2P), two OC48 cards, two OC3 cards and two DS3-12 cards.]
[Figure 11-10 graphic: Nodes 1 to 4 shelf with two DS1-14 cards, the common cards, two OC48 cards, two DS3-12 cards and six free slots.]
11.2.5 BLSR Fiber Connections
Plan your fiber connections and use the same plan for all BLSR nodes. For example, make the east port
the farthest slot to the right and the west port the farthest slot to the left. Plug fiber connected to an east
port at one node into the west port on an adjacent node. Figure 11-11 shows fiber connections for a
two-fiber BLSR with trunk cards in Slot 5 (west) and Slot 12 (east). Refer to the Cisco ONS 15454
Procedure Guide for fiber connection procedures.
Note Always plug the transmit (Tx) connector of an OC-N card at one node into the receive (Rx)
connector of an OC-N card at the adjacent node. Cards display an SF LED when Tx and Rx
connections are mismatched.
Figure 11-11 Connecting Fiber to a Four-Node, Two-Fiber BLSR
For four-fiber BLSRs, use the same east-west connection pattern for the working and protect fibers. Do
not mix working and protect card connections. The BLSR does not function if working and protect cards
are interconnected. Figure 11-12 shows fiber connections for a four-fiber BLSR. Slot 5 (west) and
Slot 12 (east) carry the working traffic. Slot 6 (west) and Slot 13 (east) carry the protect traffic.
[Figure 11-11 graphic: Nodes 1 to 4, each with a west OC-N card in Slot 5 and an east OC-N card in Slot 12; each card's Tx connects to the Rx of the card at the adjacent node.]
Figure 11-12 Connecting Fiber to a Four-Node, Four-Fiber BLSR
11.3 Path Protection
Path Protection Configurations (PPC) provide duplicate fiber paths around the ring. Working traffic
flows in one direction and protection traffic flows in the opposite direction. If a problem occurs with the
working traffic path, the receiving node switches to the path coming from the opposite direction.
CTC automates ring configuration. Path protection traffic is defined within the ONS 15454 on a
circuit-by-circuit basis. If a path-protected circuit is not defined within a 1+1 or BLSR line protection
scheme and path protection is available and specified, CTC uses path protection as the default.
A path protection circuit requires two DCC-provisioned optical spans per node. Path protection circuits
can be created across these spans until their bandwidth is consumed.
Note If a path protection circuit is created manually by TL1, data communications channels (DCCs) are not
needed; therefore, path protection circuits are limited by the cross-connection bandwidth or the span
bandwidth, but not by the number of DCCs.
The span bandwidth consumed by a path protection circuit is two times the circuit bandwidth, because
the circuit is duplicated. The cross-connection bandwidth consumed by a path protection circuit is three
times the circuit bandwidth at the source and destination nodes only. The cross-connection bandwidth
consumed by an intermediate node has a factor of one.
[Figure 11-12 graphic: Nodes 1 to 4, each with working fibers on Slot 5 (west) and Slot 12 (east) and protect fibers on Slot 6 (west) and Slot 13 (east), Tx to Rx between adjacent nodes.]
The path protection circuit limit is the sum of the optical bandwidth containing 84 section data
communication channels (SDCCs) or 28 line data communication channels (LDCCs), divided by two if
you are using redundant TCC2/TCC2P cards. The spans can be of any bandwidth from OC-3 to OC-192.
The circuits can be of any size from VT1.5 to 192c.
Figure 11-13 shows a basic four-node path protection configuration. If Node ID 0 sends a signal to Node
ID 2, the working signal travels on the working traffic path through Node ID 1. The same signal is also
sent on the protect traffic path through Node ID 3.
Figure 11-13 Basic Four-Node Path Protection
If a fiber break occurs (Figure 11-14), Node ID 2 switches its active receiver to the protect signal coming
through Node ID 3.
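The routing, bandwidth accounting and receiver switch described above, as a small Python model. This is an added example, not Cisco code and not a description of CTC internals. It assumes a four-node ring numbered as in Figure 11-13, an STS-3c circuit from Node ID 0 to Node ID 2, and a constructed fiber break between Node ID 1 and Node ID 2; the 2x span, 3x endpoint and 1x intermediate factors are the ones the text gives.

```python
"""Path-protected circuit on a ring: route, bandwidth accounting and fiber-break
selection. Added example, not Cisco code. Node IDs 0..3 follow Figure 11-13;
the constants follow the text: a path-protected circuit consumes 2x its
bandwidth across the ring's spans (one working and one protect copy), 3x its
bandwidth of cross-connect capacity at the source and destination nodes and 1x
at each intermediate node."""
from dataclasses import dataclass, field


@dataclass
class Ring:
    n_nodes: int                                  # nodes are numbered 0..n-1
    cut_spans: set = field(default_factory=set)   # frozenset({a, b}) per fiber break

    def route(self, src, dst, clockwise=True):
        """Node sequence from src to dst going one way round the ring."""
        step = 1 if clockwise else -1
        path = [src]
        while path[-1] != dst:
            path.append((path[-1] + step) % self.n_nodes)
        return path

    def path_ok(self, path):
        """A copy of the signal only arrives if no span on its path is cut."""
        return all(frozenset(pair) not in self.cut_spans
                   for pair in zip(path, path[1:]))


@dataclass
class PathProtectedCircuit:
    ring: Ring
    src: int
    dst: int
    sts: int = 1          # circuit size in STS-1 equivalents

    def working(self):    # working copy travels clockwise (Figure 11-13: 0 -> 1 -> 2)
        return self.ring.route(self.src, self.dst, clockwise=True)

    def protect(self):    # protect copy travels the other way round (0 -> 3 -> 2)
        return self.ring.route(self.src, self.dst, clockwise=False)

    def span_load(self):
        """STS-1s occupied per span. Each span carries one copy, so the ring as
        a whole carries 2x the circuit bandwidth and this STS-1 number cannot be
        reused elsewhere on the ring (path protection capacity = bit rate)."""
        load = {}
        for path in (self.working(), self.protect()):
            for pair in zip(path, path[1:]):
                load[frozenset(pair)] = load.get(frozenset(pair), 0) + self.sts
        return load

    def cross_connect_load(self):
        """Cross-connect STS-1s per node: 3x at the endpoints (bridge at the
        source, selector at the destination), 1x at each pass-through node."""
        load = {}
        for path in (self.working(), self.protect()):
            for node in path[1:-1]:
                load[node] = load.get(node, 0) + self.sts
        load[self.src] = 3 * self.sts
        load[self.dst] = 3 * self.sts
        return load

    def selected_copy(self):
        """The destination keeps receiving the working copy until a span on that
        path is cut; it then switches its receiver to the protect copy."""
        if self.ring.path_ok(self.working()):
            return "working"
        if self.ring.path_ok(self.protect()):
            return "protect"
        return "none"       # both copies lost: a second, unrelated failure


if __name__ == "__main__":
    ring = Ring(n_nodes=4)
    circuit = PathProtectedCircuit(ring, src=0, dst=2, sts=3)   # STS-3c, Node 0 to Node 2
    print("working", circuit.working(), "protect", circuit.protect())
    print("span load", {tuple(sorted(k)): v for k, v in circuit.span_load().items()})
    print("cross-connect load", circuit.cross_connect_load())
    ring.cut_spans.add(frozenset({1, 2}))   # constructed fiber break between Node 1 and Node 2
    print("after the break Node 2 selects the", circuit.selected_copy(), "copy")
```

The cross-connect figures are the ones to watch when sizing a node: the two endpoints of every path-protected circuit each carry three times the circuit bandwidth, so a hub node terminating many circuits fills its cross-connect long before the intermediate nodes do.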
Because each traffic path is transported around the entire ring, path protection configurations are best
suited for networks where traffic concentrates at one or two locations and is not widely distributed. Path
protection capacity is equal to its bit rate. Services can originate and terminate on the same path
protection, or they can be passed to an adjacent access or interoffice ring for transport to the
service-terminating location.
[Figure 11-13 graphic: ONS 15454 Node ID 0 to Node ID 3 in a ring of Fiber 1 and Fiber 2.]
Figure 11-14 Path Protection with a Fiber Break
Figure 11-15 shows a common path protection application. OC-3 optics provide remote switch
connectivity to a host Telcordia TR-303 switch. In the example, each remote switch requires eight DS-1s
to return to the host switch. Figure 11-16 on page 11-17 and Figure 11-17 on page 11-17 show the shelf
layout for each site.
[Figure 11-14 graphic: the four ONS 15454 nodes (Node ID 0 to Node ID 3) with Spans 1 to 8 on Fiber 1 and Fiber 2, a Source, a Destination and a fiber break on one span.]
Figure 11-15 Four-Port, OC-3 Path Protection
Node ID 0 has four DS1-14 cards to provide 56 active DS-1 ports. The other sites only require two
DS1-14 cards to handle the eight DS-1s to and from the remote switch. You can use the other half of
each ONS 15454 shelf assembly to provide support for a second or third ring to other existing or planned
remote sites.
In the OC-3 path protection sample, Node ID 0 contains four DS1-14 cards and two OC3 IR 4 1310
cards. Six free slots can be provisioned with cards or left empty. Figure 11-16 shows the shelf setup for
these cards.
[Figure 11-15 graphic: ONS 15454 Node ID 0 to Node ID 3 on Fiber 1 and Fiber 2; Node ID 0 connects to the TR-303 Switch and each of Node IDs 1 to 3 carries 8 DS-1s.]
Figure 11-16 Layout of Node ID 0 in the OC-3 Path Protection Example in Figure 11-15
In the Figure 11-15 on page 11-16 example, Node IDs 1 to 3 each contain two DS1-14 cards and two
OC3 IR 4 1310 cards. Eight free slots exist. They can be provisioned with other cards or left empty.
Figure 11-17 shows the shelf assembly setup for this configuration example.
Figure 11-17 Layout of Node IDs 1 to 3 in the OC-3 Path Protection Example in Figure 11-15
[Figure 11-16 graphic: Node ID 0 shelf with four DS1-14 cards, two OC3 IR 4 1310 cards, the common cards (TCC2/TCC2P, Cross Connect, AIC-I (Optional), Cross Connect, TCC2/TCC2P) and six free slots.]
[Figure 11-17 graphic: Node IDs 1 to 3 shelf with two DS1-14 cards, two OC3 IR 4 1310 cards, the common cards and eight free slots.]
11.4 Dual-Ring Interconnect
Dual-ring interconnect (DRI) topologies provide an extra level of path protection for circuits on
interconnected rings. DRI allows users to interconnect BLSRs, path protection configurations, or a path
protection with a BLSR, with additional protection provided at the transition nodes. In a DRI topology,
ring interconnections occur at two or four nodes.
The drop-and-continue DRI method is used for all ONS 15454 DRIs. In drop-and-continue DRI, a
primary node drops the traffic to the connected ring and routes traffic to a secondary node within the
same ring. The secondary node also routes the traffic to the connected ring; that is, the traffic is dropped
at two different interconnection nodes to eliminate single points of failure. To route circuits on DRI, you
must choose the Dual Ring Interconnect option during circuit provisioning. Dual transmit is not
supported.
Two DRI topologies can be implemented on the ONS 15454:
• A traditional DRI requires two pairs of nodes to interconnect two networks. Each pair of
user-defined primary and secondary nodes drops traffic over a pair of interconnection links to the
other network.
• An integrated DRI requires one pair of nodes to interconnect two networks. The two interconnected
nodes replace the interconnection ring.
For DRI topologies, a hold-off timer sets the amount of time before a selector switch occurs. It reduces
the likelihood of multiple switches, such as:
• Both a service selector and a path selector
• Both a line switch and a path switch of a service selector
For example, if a path protection DRI service selector switch does not restore traffic, then the path
selector switches after the hold-off time. The path protection DRI hold-off timer default is 100 ms. You
can change this setting in the Path Protection Selectors tab of the Edit Circuits window. For BLSR DRI,
if line switching does not restore traffic, then the service selector switches. The hold-off time delays the
recovery provided by the service selector. The BLSR DRI default hold-off time is 100 ms, but it can be
changed.
11.4.1 BLSR DRI
Unlike BLSR automatic protection switching (APS) protocol, BLSR-DRI is a path-level protection
protocol at the circuit level. Drop-and-continue BLSR-DRI requires a service selector in the primary
node for each circuit routing to the other ring. Service selectors monitor signal conditions from dual feed
sources and select the one that has the best signal quality. Same-side routing drops the traffic at primary
nodes set up on the same side of the connected rings, and opposite-side routing drops the traffic at
primary nodes set up on the opposite sides of the connected rings. For BLSR-DRI, primary and
secondary nodes cannot be the circuit source or destination.
Note A DRI circuit cannot be created if an intermediate node exists on the interconnecting link. However, an
intermediate node can be added on the interconnecting link after the DRI circuit is created.
DRI protection circuits act as protection channel access (PCA) circuits. In CTC, you set up DRI
protection circuits by selecting the PCA option when setting up primary and secondary nodes during DRI
circuit creation.
Figure 11-18 shows ONS 15454 nodes in a traditional BLSR-DRI topology with same-side routing. In
Ring 1, Nodes 3 and 4 are the interconnect nodes, and in Ring 2, Nodes 8 and 9 are the interconnect
nodes. Duplicate signals are sent between Node 4 (Ring 1) and Node 9 (Ring 2), and between Node 3
(Ring 1) and Node 8 (Ring 2). The primary nodes (Nodes 4 and 9) are on the same side, and the
secondary nodes (Nodes 3 and 8) provide an alternative route. In Ring 1, traffic at Node 4 is dropped (to
Node 9) and continued (to Node 3). Similarly, at Node 9, traffic is dropped (to Node 4) and continued
(to Node 8).
Figure 11-18 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Same-Side Routing)
[Figure 11-18 graphic: BLSR Ring 1 (Nodes 1 to 5) and BLSR Ring 2 (Nodes 6 to 10); Primary Node 4 and Secondary Node 3 in Ring 1, Primary Node 9 and Secondary Node 8 in Ring 2. Legend: Service Selector; Secondary Path; Primary Path, Drop and Continue to Bridge; Drop and Continue.]
Figure 11-19 shows ONS 15454 nodes in a traditional BLSR-DRI topology with opposite-side routing.
In Ring 1, Nodes 3 and 4 are the interconnect nodes, and in Ring 2, Nodes 8 and 9 are the interconnect
nodes. Duplicate signals are sent from Node 4 (Ring 1) to Node 8 (Ring 2), and between Node 3 (Ring
1) and Node 9 (Ring 2). In Ring 1, traffic at Node 4 is dropped (to Node 9) and continued (to Node 3).
Similarly, at Node 8, traffic is dropped (to Node 3) and continued (to Node 8).
Figure 11-19 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Opposite-Side Routing)
Figure 11-20 shows ONS 15454s in an integrated BLSR-DRI topology. The same drop-and-continue
traffic routing occurs at two nodes, rather than four. This is achieved by installing an additional OC-N
trunk at the two interconnect nodes. Nodes 3 and 8 are the interconnect nodes.
[Figure 11-19 graphic: BLSR Ring 1 (Nodes 1 to 5) and BLSR Ring 2 (Nodes 6 to 10); the Primary and Secondary nodes are Nodes 3 and 4 in Ring 1 and Nodes 8 and 9 in Ring 2, placed on opposite sides. Legend as in Figure 11-18.]
Figure 11-20 ONS 15454 Integrated BLSR Dual-Ring Interconnect
Figure 11-21 shows an example of an integrated BLSR DRI on the Edit Circuits window.
[Figure 11-20 graphic: BLSR 1 and BLSR 2 (Nodes 1 to 8) interconnected at Node 3 and Node 8, each labelled Primary and Secondary. Legend: Service Selector; Secondary Path (protection); Primary Path (working).]
Figure 11-21 Integrated BLSR DRI on the Edit Circuits Window
11.4.2 Path Protection DRI
Figure 11-22 shows ONS 15454 nodes in a traditional drop-and-continue path protection DRI topology.
In Ring 1, Nodes 4 and 5 are the interconnect nodes, and in Ring 2, Nodes 6 and 7 are the interconnect
nodes. Duplicate signals are sent between Node 4 (Ring 1) and Node 6 (Ring 2), and between Node 5
(Ring 1) and Node 7 (Ring 2). In Ring 1, traffic at Node 4 is dropped (to Node 6) and continued (to Node
5). Similarly, at Node 5, traffic is dropped (to Node 7) and continued (to Node 4).
Figure 11-22 ONS 15454 Traditional Path Protection Dual-Ring Interconnect
Figure 11-23 shows ONS 15454 nodes in an integrated DRI topology. The same drop-and-continue
traffic routing occurs at two nodes, rather than four. This is achieved by installing an additional OC-N
trunk at the two interconnect nodes.
[Figure 11-22 graphic: UPSR Ring 1 and UPSR Ring 2 (Nodes 1 to 7), Duplicate Signals between the interconnect nodes, a Pass-through Node and a Bridge. Legend: Path Selector; Primary Path, Primary; Return Path, Secondary; Return Path, Primary; Primary Path, Secondary.]
Figure 11-23 ONS 15454 Integrated Path Protection Dual-Ring Interconnect
[Figure 11-23 graphic: ONS 15454 DRI Node 1 of 2 supporting two rings (Path Protection Configuration 1 and Path Protection Configuration 2) with integrated STS-1 and VT1.5 grooming in its Cross Connect; DS1/EC1/DS3/GigE drops, Duplicate Signals, a Pass-through Node and a Bridge. Legend as in Figure 11-22.]
11.4.3 Path Protection/BLSR DRI Handoff Configurations
Path protection configurations and BLSRs can also be interconnected. In BLSR/path protection DRI
handoff configurations, primary and secondary nodes can be the circuit source or destination, which is
useful when non-DCC optical interconnecting links are present. Figure 11-24 shows an example of a
path protection to BLSR traditional DRI handoff.
Figure 11-24 ONS 15454 Path Protection to BLSR Traditional DRI Handoff
Figure 11-25 shows an example of a path protection to BLSR integrated DRI handoff.
[Figure 11-24 graphic: a Path Protection Configuration and a BLSR (Nodes 1 to 10) joined over two interconnection links with a Bridge. Legend: Path Selector; Secondary Path (protection); Primary Path (working).]
Figure 11-25 ONS 15454 Path Protection to BLSR Integrated DRI Handoff
Figure 11-26 shows a path protection to BLSR integrated DRI handoff on the Edit Circuits window.
[Figure 11-25 graphic: a Path Protection Configuration and a BLSR (Nodes 1 to 8) joined at two nodes with a Bridge. Legend: Path Selector.]
Figure 11-26 Path Protection to BLSR Integrated DRI Handoff on the Detailed Circuit Map
11.5 Comparison of the Protection Schemes
Table 11-4 shows a comparison of the different protection schemes using OC-48 as an example.
Table 11-4 Comparison of the Protection Schemes

| Topology | Ring Capacity | Protected Bandwidth Between Any Two Nodes | Protection Channel Access | Dual Failure | Number of Cards |
|---|---|---|---|---|---|
| Path Protection | 48 - PT | STS 1-48 | Not supported | Not supported | 2 x N |
| Two-Fiber BLSR | 24 x N (1) - PT (2) | STS 1-24 | STS 25-48 | Not supported | 2 x N |
| Four-Fiber BLSR | 48 x N - PT | STS 1-48 (Fiber 1) | STS 1-48 (Fiber 2) | Supported | 4 x N |
| Two-Fiber BLSR DRI | 24 x N - PT | STS 1-24 | STS 25-48 | Supported | (2 x N) + 4 |
| Path Protection DRI | 48 - PT | STS 1-48 | Not supported | Supported | (2 x N) + 4 |

1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the
traffic pattern).
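A capacity check built on the Table 11-3 and Table 11-4 formulas, as an added Python example (not Cisco code). It takes a constructed traffic demand for a five-node OC-48 ring, computes PT by counting one pass-through per STS-1 at every intermediate node (the reading of footnote 2 assumed here), and compares the aggregate formula capacity with a per-span load check. The demand, node numbering and tie-breaking rule (clockwise when both directions are equally short) are assumptions, not taken from the manual.

```python
"""BLSR capacity check from the Table 11-3 / Table 11-4 formulas (added example,
not Cisco code). Ring capacity = W x N - PT, where W is the working STS-1 count
per span, N the node count and PT the pass-through count. Assumptions: PT is
counted as one pass-through per STS-1 per intermediate node (footnote 2 of the
tables), and circuits take the shorter way round the ring, clockwise on a tie."""

# Working STS-1s per span: a two-fiber BLSR reserves the upper half of each
# fiber for protection; a four-fiber BLSR carries working traffic on a whole fiber.
WORKING_STS = {
    ("two-fiber", "OC-48"): 24, ("four-fiber", "OC-48"): 48,
    ("two-fiber", "OC-192"): 96, ("four-fiber", "OC-192"): 192,
}


def shortest_route(n, src, dst):
    """Node sequence from src to dst the short way round an n-node ring."""
    cw = [(src + i) % n for i in range((dst - src) % n + 1)]
    ccw = [(src - i) % n for i in range((src - dst) % n + 1)]
    return cw if len(cw) <= len(ccw) else ccw


def plan_blsr(n, fibers, rate, demands):
    """demands: list of (src, dst, sts) working circuits.

    Returns the pass-through count PT, the aggregate capacity W x N - PT and
    the spans whose working load exceeds W. The formula is an aggregate bound
    (circuits + PT <= W x N, one span STS-1 per hop); the per-span check is
    the stricter one, which is why capacity "varies with the traffic pattern"."""
    w = WORKING_STS[(fibers, rate)]
    span_load, pt = {}, 0
    for src, dst, sts in demands:
        route = shortest_route(n, src, dst)
        pt += sts * (len(route) - 2)            # intermediate nodes pass the STS through
        for a, b in zip(route, route[1:]):
            key = frozenset((a, b))
            span_load[key] = span_load.get(key, 0) + sts
    circuits = sum(sts for _, _, sts in demands)
    overloaded = sorted(tuple(sorted(k)) for k, v in span_load.items() if v > w)
    return {
        "working_sts_per_span": w,
        "circuits": circuits,
        "pt": pt,
        "capacity": w * n - pt,
        "overloaded_spans": overloaded,
        "fits": circuits <= w * n - pt and not overloaded,
    }


if __name__ == "__main__":
    # Constructed hub-and-spoke demand on a five-node ring like Figure 11-8:
    # every remote node sends 13 STS-1s of working traffic to the hub, Node 0.
    demand = [(k, 0, 13) for k in (1, 2, 3, 4)]
    for fibers in ("two-fiber", "four-fiber"):
        print(fibers, plan_blsr(5, fibers, "OC-48", demand))
```

With this demand the two-fiber ring passes the aggregate formula (52 circuits against a capacity of 94) yet overloads the two spans adjacent to the hub, while the four-fiber ring absorbs the same pattern; the formula is a necessary condition, the span-by-span check is the one to rely on.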
11.6 Subtending Rings
The ONS 15454 supports up to 84 SONET SDCCs or 28 SONET LDCCs with TCC2/TCC2P cards. See
Table 11-1 on page 11-2 for ring, SDCC, and LDCC information.
Subtending rings reduce the number of nodes and cards required, and reduce external shelf-to-shelf
cabling. Figure 11-27 shows an ONS 15454 with multiple subtending rings.
Figure 11-27 ONS 15454 with Multiple Subtending Rings
Figure 11-28 shows a path protection configuration subtending from a BLSR. In this example, Node 3
is the only node serving both the BLSR and the path protection configuration. OC-N cards in Slots 5 and
12 serve the BLSR, and OC-N cards in Slots 6 and 13 serve the path protection configuration.
[Figure 11-27 graphic: one ONS 15454 serving two BLSRs and a set of Path Protected Nodes.]
Figure 11-28 Path Protection Subtending from a BLSR
The ONS 15454 can support two BLSRs on the same node. This allows you to deploy an ONS 15454 in
applications requiring SONET Digital Cross-connect Systems (DCSs) or multiple SONET add/drop
multiplexers (ADMs).
Figure 11-29 shows two BLSRs shared by one ONS 15454. Ring 1 runs on Nodes 1, 2, 3, and 4. Ring 2
runs on Nodes 4, 5, 6, and 7. Two BLSR rings, Ring 1 and Ring 2, are provisioned on Node 4. Ring 1
uses cards in Slots 5 and 12, and Ring 2 uses cards in Slots 6 and 13.
Note Nodes in different BLSRs can have the same or different node IDs.
Figure 11-29 BLSR Subtending from a BLSR
[Figure 11-28 graphic: BLSR of Nodes 1 to 4 using Slot 5 and Slot 12 cards; Node 3 also uses Slot 6 and Slot 13 for the subtending path protection configuration.]
[Figure 11-29 graphic: BLSR Ring 1 (Nodes 1 to 4, Slot 5 west and Slot 12 east) and BLSR Ring 2 (Nodes 4 to 7, Slot 6 west and Slot 13 east), both provisioned on Node 4.]
After subtending two BLSRs, you can route circuits from nodes in one ring to nodes in the second ring.
For example, in Figure 11-29 you can route a circuit from Node 1 to Node 7. The circuit would normally
travel from Node 1 to Node 4 to Node 7. If fiber breaks occur, for example between Nodes 1 and 4 and
Nodes 4 and 7, traffic is rerouted around each ring: in this example, Nodes 2 and 3 in Ring 1 and Nodes 5
and 6 in Ring 2.
11.7 Linear ADM Configurations
You can configure ONS 15454s as a line of add/drop multiplexers (ADMs) by configuring one set of
OC-N cards as the working path and a second set as the protect path. Unlike rings, point-to-point ADMs
(two-node configurations) and linear ADMs (three-node configurations) require that the OC-N cards at
each node be in 1+1 protection, so that traffic is automatically routed to the protect line if the working
line breaks.
Figure 11-30 shows three ONS 15454 nodes in a linear ADM configuration. Working traffic flows from
Slot 5/Node 1 to Slot 5/Node 2, and from Slot 12/Node 2 to Slot 12/Node 3. You create the protect path
by placing Slot 6 in 1+1 protection with Slot 5 at Nodes 1 and 2, and Slot 12 in 1+1 protection with
Slot 13 at Nodes 2 and 3.
Figure 11-30 Linear (Point-to-Point) ADM Configuration
11.8 Path-Protected Mesh Networks
In addition to single BLSRs, path protection configurations, and ADMs, you can extend ONS 15454
traffic protection by creating path-protected mesh networks (PPMNs). PPMNs include multiple
ONS 15454 SONET topologies and extend the protection provided by a single path protection to the
meshed architecture of several interconnecting rings. In a PPMN, circuits travel diverse paths through a
network of single or multiple meshed rings. When you create circuits, you can have CTC automatically
route circuits across the PPMN, or you can manually route them. You can also choose levels of circuit
protection. For example, if you choose full protection, CTC creates an alternate route for the circuit in
addition to the main route. The second route follows a unique path through the network between the
source and destination and sets up a second set of cross-connections.
For example, in Figure 11-31 a circuit is created from Node 3 to Node 9. CTC determines that the
shortest route between the two nodes passes through Node 8 and Node 7, shown by the dotted line, and
automatically creates cross-connections at Nodes 3, 8, 7, and 9 to provide the primary circuit path.
If full protection is selected, CTC creates a second unique route between Nodes 3 and 9 which, in this
example, passes through Nodes 2, 1, and 11. Cross-connections are automatically created at Nodes 3, 2,
1, 11, and 9, shown by the dashed line. If a failure occurs on the primary path, traffic switches to the
second circuit path. In this example, Node 9 switches from the traffic coming in from Node 7 to the
traffic coming in from Node 11 and service resumes. The switch occurs within 50 ms.
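The two-route ("full protection") idea in the paragraph above, as an added Python example; it is not CTC's routing code, and the text does not state which algorithm CTC uses. The node numbers and the two routes (primary 3-8-7-9, secondary 3-2-1-11-9) follow the Figure 11-31 description; the link list is constructed so that those routes exist, since the full topology of the figure is not given in the text.

```python
"""Diverse-route computation for a path-protected mesh network (added example,
not CTC's routing code). Node numbers and the two routes follow the Figure 11-31
description (primary 3-8-7-9, secondary 3-2-1-11-9); the link list is
CONSTRUCTED so that those routes exist. The method (shortest path, then a second
shortest path that avoids the first path's intermediate nodes) illustrates
'full protection'; it is not guaranteed to find a disjoint pair whenever one
exists (Suurballe's algorithm is), and it is not a description of CTC's own
algorithm."""
from collections import deque

LINKS = [(3, 8), (8, 7), (7, 9), (3, 2), (2, 1), (1, 11), (11, 9),
         (2, 8), (7, 10), (10, 9), (8, 4), (4, 5), (5, 6), (6, 10)]


def build_graph(links):
    """Undirected adjacency lists from (a, b) span pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def shortest_path(graph, src, dst, banned_nodes=frozenset()):
    """Breadth-first search: fewest hops from src to dst avoiding banned nodes."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev and nxt not in banned_nodes:
                prev[nxt] = node
                queue.append(nxt)
    return None


def fully_protected_routes(graph, src, dst):
    """Primary route plus a node-disjoint secondary route, as 'full protection'
    requires; returns (primary, secondary), with secondary None when no
    disjoint route exists."""
    primary = shortest_path(graph, src, dst)
    if primary is None:
        return None, None
    secondary = shortest_path(graph, src, dst, banned_nodes=frozenset(primary[1:-1]))
    return primary, secondary


def cross_connect_nodes(primary, secondary):
    """Nodes where cross-connections are needed for the two routes."""
    return sorted(set(primary) | set(secondary or []))


if __name__ == "__main__":
    g = build_graph(LINKS)
    p, s = fully_protected_routes(g, 3, 9)
    print("primary", p, "secondary", s, "cross-connects at", cross_connect_nodes(p, s))
```

The node-disjoint requirement is what makes the second route useful: a secondary that shares an intermediate node with the primary would be lost to the same node failure, so the check is on shared nodes, not only on shared spans.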
[Figure 11-30 graphic: Node 1, Node 2 and Node 3 in a line; Slot 5 to Slot 5 and Slot 12 to Slot 12 form the Working Path, Slot 6 to Slot 6 and Slot 13 to Slot 13 the Protect Path.]
Figure 11-31 Path-Protected Mesh Network
PPMN also allows spans with different SONET speeds to be mixed together in “virtual rings.”
Figure 11-32 shows Nodes 1, 2, 3, and 4 in a standard OC-48 ring. Nodes 5, 6, 7, and 8 link to the
backbone ring through OC-12 fiber. The “virtual ring” formed by Nodes 5, 6, 7, and 8 uses both OC-48
and OC-12 cards.
[Figure 11-31 graphic: mesh of Nodes 1 to 11 with a Source Node and a Destination Node. Legend: Primary path; Secondary path; Working traffic; Protect traffic.]
Figure 11-32 PPMN Virtual Ring
11.9 Four-Shelf Node Configurations
You can link multiple ONS 15454s using their OC-N cards (that is, create a fiber-optic bus) to
accommodate more access traffic than a single ONS 15454 can support. Refer to the Cisco ONS 15454
Procedure Guide. For example, to drop more than 112 DS-1s or 96 DS-3s (the maximum that can be
aggregated in a single node), you can link the nodes but not merge multiple nodes into a single
ONS 15454. You can link nodes with OC-12 or OC-48 fiber spans as you would link any other two
network nodes. The nodes can be grouped in one facility to aggregate more local traffic.
Figure 11-33 on page 11-33 shows a four-shelf node setup. Each shelf assembly is recognized as a
separate node in the ONS 15454 software interface and traffic is mapped using CTC cross-connect
options. In Figure 11-33, each node uses redundant fiber-optic cards. Node 1 uses redundant OC-N
transport and OC-N bus (connecting) cards for a total of four cards, with eight free slots remaining.
Nodes 2 and 3 each use two redundant OC-N bus cards for a total of four cards, with eight free slots
remaining. Node 4 uses redundant OC-12 bus cards for a total of two cards, with ten free slots remaining.
The four-shelf node example presented here is one of many ways to set up a multiple-node configuration.
[Figure 11-32 graphic: ONS 15454 Nodes 1 to 4 on the OC-48 ring and Nodes 5 to 8 attached over OC-12 spans.]
Figure 11-33 Four-Shelf Node Configuration
11.10 STS around the Ring
You can provision STS circuits with a source endpoint and a destination endpoint on the same node, and
route the traffic around a ring. The circuit source and destination can be on the same card, but you must
use two different ports on the card (see Figure 11-34 on page 11-34).
Manual routing is required for STS around the ring circuits, and “Route Automatically” must be
unchecked in the CTC circuit provisioning pane. STS around the ring circuits created using Transaction
Language 1 (TL1) are discovered by CTC and shown with the status “COMPLETE”. STS around the
ring supports the following circuit sizes: STS-1, 3c, 6c, 9c, 12c, 24c, 36c, 48c, and 192c. Both
unidirectional and bidirectional circuits are supported. STS around the ring circuits are CCAT only;
VCAT is not supported. STS around the ring circuits are linear circuits.
[Figure 11-33 graphic: ONS 15454 Node 1 with an OC-N Feed and a Redundant OC-N Bus, Nodes 2 and 3 each joined by a Redundant OC-N Bus, and Node 4; three shelves are labelled up to 72 DS-3s, 84 DS-1s and one up to 96 DS-3s, 112 DS-1s.]
Figure 11-34 STS Around the Ring
11.11 OC-N Speed Upgrades
A span is the optical fiber connection between two ONS 15454 nodes. In a span (optical speed) upgrade,
the transmission rate of a span is upgraded from a lower to a higher OC-N signal but all other span
configuration attributes remain unchanged. With multiple nodes, a span upgrade is a coordinated series
of upgrades on all nodes in the ring or protection group. You can perform in-service span upgrades for
the following ONS 15454 cards:
• Single-port OC-12 to OC-48
• Single-port OC-12 to OC-192
• Single-port OC-12 to four-port OC-12
• Single-port OC-12 to MRC-12
• Four-port OC-12 to MRC-2.5G-4
• OC-48 to OC-192
• MRC-12 to OC-192 or OC192-XFP
• MRC-2.5G-4 to OC-192 or OC192-XFP
• OC-48 to OC192SR1/STM64IO Short Reach or OC192/STM64 Any Reach
You can also perform in-service card upgrades for the following ONS 15454 cards:
• Four-port OC-3 to eight-port OC-3
• Four-port OC-3 to MRC-2.5G-4
• Single-port OC-12 to four-port OC-12
[Figure 11-34 graphic: ONS 15454 Nodes 1 to 4 in a ring, with the circuit Source and Drop on the same node.]
• Single-port OC-12 to OC-48
• Single-port OC-12 to OC-192
• Single-port OC-12 to MRC-12
• Single-port OC-12 to MRC-2.5G-4
• OC-48 to MRC-12
• OC-192 to OC192-XFP
• MRC-4 to MRC-12
• OC-48 to OC192SR1/STM64IO Short Reach or OC192/STM64 Any Reach
Table 11-5 lists permitted upgrades for Slots 5, 6, 12, and 13 (high-speed slots).
Table 11-5 Slot 5, 6, 12, and 13 Upgrade Options

| Cards | Four-port OC-3 | Eight-port OC-3 | One-port OC-12 | Four-port OC-12 | OC-48 | OC-192 | MRC-12 | MRC-2.5G-4 |
|---|---|---|---|---|---|---|---|---|
| Four-port OC-3 | — | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported | Supported |
| Eight-port OC-3 (1) | Not supported | — | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported |
| One-port OC-12 | Not supported | Not supported | — | Not supported | Supported | Supported | Supported | Not supported |
| Four-port OC-12 (2) | Not supported | Not supported | Not supported | — | Not supported | Not supported | Not supported | Supported |
| OC-48 | Not supported | Not supported | Supported | Not supported | — | Supported | Supported | Supported |
| OC-192 | Not supported | Not supported | Supported | Not supported | Supported | — | Supported | Supported |
| MRC-12 | Not supported | Not supported | Supported | Not supported | Supported | Supported | — | Not supported |
| MRC-2.5G-4 | Supported | Not supported | Not supported | Supported | Supported | Supported | Supported | — |

1. The eight-port OC-3 is not supported in Slots 5, 6, 12, and 13.
2. The four-port OC-12 is not supported in Slots 5, 6, 12, and 13.
Table 11-6 lists permitted upgrades for Slots 1 through 4 and 14 through 17 (low-speed slots).
Note Replacing a card with another card of the same speed is not considered a span upgrade, for example,
replacing a four-port OC-3 with an eight-port OC-3 card, or replacing a single-port OC-12 with a
four-port OC-12 card.
To perform a span upgrade, the higher-rate OC-N card must replace the lower-rate card in the same slot.
If the upgrade is conducted on spans residing in a BLSR, all spans in the ring must be upgraded. The
protection configuration of the original lower-rate OC-N card (two-fiber BLSR, four-fiber BLSR, path
protection, and 1+1) is retained for the higher-rate OC-N card.
To perform a span upgrade on either the OC192-XFP or MRC-12 card with an SFP/XFP (known as
pluggable port modules, PPMs, in CTC), the higher-rate PPM must replace the lower-rate PPM in the
same slot. If you are using a multi-rate PPM, you do not need to physically replace the PPM but can
provision the PPM for a different line rate. All spans in the network must be upgraded. The 1+1
protection configuration of the original lower-rate PPM is retained for the higher-rate PPM.
When performing span upgrades on a large number of nodes, we recommend that you upgrade all spans
in a ring consecutively and in the same maintenance window. Until all spans are upgraded, mismatched
card types or PPM types are present.
We recommend using the Span Upgrade Wizard to perform span upgrades. Although you can also use
the manual span upgrade procedures, the manual procedures are mainly provided as error recovery for
the wizard. The Span Upgrade Wizard and the Manual Span Upgrade procedures require at least two
technicians (one at each end of the span) who can communicate with each other during the upgrade.
Upgrading a span is non-service-affecting and causes no more than three switches, each of which is less than 50 ms in duration.
Table 11-6 Upgrade Options for Slots 1 through 4 and 14 through 17

| Cards | Four-port OC-3 | Eight-port OC-3 | One-port OC-12 | Four-port OC-12 | OC-48 | OC-192 | MRC-2.5G-4 | MRC-12 |
|---|---|---|---|---|---|---|---|---|
| Four-port OC-3 | — | Supported | Not supported | Not supported | Not supported | — | Supported | Not supported |
| Eight-port OC-3 | Supported | — | Not supported | Not supported | Not supported | — | Not supported | Not supported |
| One-port OC-12 | Not supported | Not supported | — | Supported | Supported | — | Not supported | Supported |
| Four-port OC-12 | Not supported | Not supported | Supported | — | Not supported | — | Supported | Not supported |
| OC-48 | Not supported | Not supported | Supported | Not supported | — | — | Supported | Supported |
| OC-192 (1) | — | — | — | — | — | — | — | Not supported |
| MRC-2.5G-4 | Supported | Not supported | Not supported | Supported | Supported | — | — | Supported |
| MRC-12 | Not supported | Not supported | Supported | Not supported | Supported | — | Not supported | — |

1. The OC-192 is not supported on Slots 1 through 4 and 14 through 17.
Note Span upgrades do not upgrade SONET topologies (for example, a 1+1 group to a two-fiber BLSR). Refer
to the Cisco ONS 15454 Procedure Guide for topology upgrade procedures.
11.11.1 Span Upgrade Wizard
The Span Upgrade Wizard automates all steps in the manual span upgrade procedure (BLSR, path
protection, and 1+1). The wizard can upgrade both lines on one side of a four-fiber BLSR or both lines
of a 1+1 group; the wizard upgrades path protection configurations and two-fiber BLSRs one line at a
time. The Span Upgrade Wizard requires that all working spans have DCC enabled.
The Span Upgrade Wizard provides no way to back out of an upgrade. In the case of an error, you must
exit the wizard and initiate the manual procedure to either continue with the upgrade or back out of it.
To continue with the manual procedure, examine the standing conditions and alarms to identify the stage
in which the wizard failure occurred.
Note When a card change operation is initiated, either through an explicit card change operation or a span
upgrade, you need to ensure that the parameters configured before the upgrade are supported by the new
card or port that is plugged in. If the new card does not support the configured parameters on the existing
card, then there can be unexpected behavior, such as the PROV-MISMATCH alarm.
11.11.2 Manual Span Upgrades
Manual span upgrades are mainly provided as error recovery for the Span Upgrade Wizard, but they can
be used to perform span upgrades. Downgrading can be performed to back out of a span upgrade. The
procedure for downgrading is the same as upgrading except that you choose a lower-rate card type. You
cannot downgrade if circuits exist on the STSs that will be removed (the higher STSs).
Procedures for manual span upgrades can be found in the “Upgrade Cards and Spans” chapter in the
Cisco ONS 15454 Procedure Guide. Five manual span upgrade options are available:
• Upgrade on a two-fiber BLSR
• Upgrade on a four-fiber BLSR
• Upgrade on a path protection configuration
• Upgrade on a 1+1 protection group
• Upgrade on an unprotected span
11.11.3 In-Service MRC Card Upgrades
The ONS 15454 supports in-service upgrades for the following multiport fixed optics cards:
• MRC-12 multirate card
• MRC-2.5G-4 multirate card
11.11.3.1 MRC-12 Multirate Card
The MRC-12 multirate card supports an in-service card upgrade from a four-port OC-3 card. The
configurations on Ports 1 to 4 of the OC-3 card are migrated to Ports 1 to 4 of the MRC-12 card with
OC-3 SFPs.
The MRC-12 multirate card supports an in-service card upgrade from a four-port OC-12 card. For an
MRC-12 card with OC-12 SFPs, the configurations on Ports 1, 2, 3, 4 of the OC-12 card are migrated to
Ports 1, 4, 7, 10 of the MRC-12 card.
The MRC-12 card also supports an in-service card upgrade from an eight-port OC-3 card. The
configurations on Ports 1 to 8 of the OC-3 card are migrated to Ports 1 to 8 of the MRC-12 card with
OC-3 SFPs.
The MRC-12 multirate card supports an in-service card upgrade from the MRC-2.5G-4 card. This
upgrade is possible only if Port 1 is the only provisioned port on the MRC-2.5G-4 card.
When the card is upgraded, all circuits, including overhead circuits, server trails, and timing information
that is provisioned on the card, are moved to the port with the appropriate signal. Note that some circuits
may become partial after the card upgrade and must be configured using CTC.
Note An existing 1+1 or BLSR protection scheme must be deleted before you perform a card upgrade and
must be recreated after the upgrade is complete. Span upgrades are not supported.
Table 11-7 describes the upgrade matrix for the MRC-12 card.
Table 11-7 MRC-12 Card Upgrade Matrix

| Existing Card | Cross-Connect Card Type | Existing Slot Type | Existing Card Port Number | Starting Backplane STS | MRC-12 Card Port Number | Starting Backplane STS Mapping |
|---|---|---|---|---|---|---|
| OC-3 (4 ports) | XCVT | Drop slot | 1 to 4 | 0, 3, 6, 9 | 1, 4, 7, 10 | 0, 48, 96, 144 |
| OC-3 (4 ports) | XCVT | Trunk slot | 1 to 4 | 0, 3, 6, 9 | 1, 2, 3, 4 | 0, 60, 72, 48 |
| OC-3 (4 ports) | XC10G/XC-VXC-10G | Any slot | 1 to 4 | 0, 3, 6, 9 | 1, 2, 3, 4 | 0, 60, 72, 48 |
| OC-3 (8 ports) | XCVT | Not supported | — | — | — | — |
| OC-3 (8 ports) | XC10G/XC-VXC-10G | Drop slot (1) | 1 to 8 | 0, 3, 6, 9, 12, 15, 18, 21 | 1 to 8 | 0, 60, 72, 48, 108, 120, 96, 132 |
| OC-12 (4 ports) | XCVT | Not supported | — | — | — | — |
| OC-12 (4 ports) | XC10G/XC-VXC-10G | Drop slot (2) | 1 to 4 | 0, 12, 24, 36 | 1, 4, 7, 10 | 0, 48, 96, 144 |
| MRC-2.5G-4 | XCVT | Drop slot | 1 | 0 | 1 | 0 |
| MRC-2.5G-4 | XCVT | Trunk slot | 1 | 0 | 1 | 0 |
| MRC-2.5G-4 | XC10G/XC-VXC-10G | Drop slot | 1 | 0 | 1 | 0 |
| MRC-2.5G-4 | XC10G/XC-VXC-10G | Trunk slot | 1 | 0 | 1 | 0 |

1. The OC-3 (8 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.
2. The OC-12 (4 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.

11.11.3.2 MRC-2.5G-4 Multirate Card
The MRC-2.5G-4 card supports an in-service card upgrade from a four-port OC-3 card. The configurations on Ports 1 to 4 of the OC-3 card are migrated to Ports 1 to 4 of the MRC-2.5G-4 card with OC-3 SFPs.
The MRC-2.5G-4 card also supports an in-service card upgrade from a four-port OC-12 card. For an MRC-2.5G-4 card with OC-12 SFPs, the configurations on Ports 1 to 4 of the OC-12 card are migrated to Ports 1 to 4 of the MRC-2.5G-4 card.
When the card is upgraded, all circuits, including overhead circuits, server trails, and timing information that is provisioned on the card, are moved to the port with the appropriate signal. Note that some circuits may become partial after the card upgrade and must be configured using CTC.
Note An existing 1+1 or BLSR protection scheme must be deleted before you perform a card upgrade and must be recreated after the upgrade is complete. Span upgrades are not supported.
Table 11-8 describes the upgrade matrix for the MRC-2.5G-4 card.
Table 11-8 MRC-2.5G-4 Card Upgrade Matrix

| Existing Card | Cross-Connect Card Type | Existing Slot Type | Existing Card Port Number | Starting Backplane STS | MRC-2.5G-4 Card Port Number | Starting Backplane STS Mapping |
|---|---|---|---|---|---|---|
| OC-3 (4 ports) | XCVT | Drop slot | 1 to 4 | 0, 3, 6, 9 | 1 to 4 | 0, 48, 96, 144 |
| OC-3 (4 ports) | XC10G/XC-VXC-10G | Any slot | 1 to 4 | 0, 3, 6, 9 | 1 to 4 | 0, 48, 96, 144 |
| OC-3 (8 ports) | XCVT/XC10G/XC-VXC-10G | Not supported | — | — | — | — |
| OC-12 (4 ports) | XCVT | Not supported | — | — | — | — |
| OC-12 (4 ports) | XC10G/XC-VXC-10G | Drop slot (1) | 1 to 4 | 0, 12, 24, 36 | 1 to 4 | 0, 48, 96, 144 |

1. The OC-12 (4 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.

The card upgrade procedure automatically provisions PPMs, modifies the port count, adjusts bandwidth pools, and provisions VT circuits. For more information on how to perform in-service card upgrades, refer to the Cisco ONS 15454 Procedure Guide.
Note When a card change operation is initiated, either through an explicit card change operation or a span upgrade, you need to ensure that the parameters configured before the upgrade are supported by the new card or port that is plugged in. If the new card does not support the configured parameters on the existing card, then there can be unexpected behavior, such as the PROV-MISMATCH alarm.
11.12 In-Service Topology Upgrades
Topology upgrades can be performed in-service to convert a live network to a different topology. An in-service topology upgrade is potentially service-affecting, and generally allows a traffic hit of 50 ms or less. Traffic might not be protected during the upgrade. The following in-service topology upgrades are supported:
• Unprotected point-to-point or linear ADM to path protection
• Point-to-point or linear ADM to two-fiber BLSR
• Path protection to two-fiber BLSR
• Two-fiber to four-fiber BLSR
• Node addition or removal from an existing topology
You can perform in-service topology upgrades irrespective of the service state of the involved cross-connects or circuits; however, a circuit must have a DISCOVERED status.
Circuit types supported for in-service topology upgrades are:
• STS, VT, and VT tunnels
• Virtual concatenated circuits (VCAT)
• Unidirectional and bidirectional
• Automatically routed and manually routed
• CTC-created and TL1-created
• Ethernet (unstitched)
• Multiple source and destination (both sources should be on one node and both drops on one node)
You cannot upgrade stitched Ethernet circuits during topology conversions. For in-service topology
upgrade procedures, refer to the “Convert Network Configurations” chapter in the Cisco ONS 15454
Procedure Guide. For procedures to add or remove a node, refer to the “Add and Remove Nodes” chapter
of the Cisco ONS 15454 Procedure Guide.
Note A database restore on all nodes in a topology returns converted circuits to their original topology.
Note Open-ended path protection and DRI configurations do not support in-service topology upgrades.
11.12.1 Unprotected Point-to-Point or Linear ADM to Path Protection
CTC provides a topology conversion wizard for converting an unprotected point-to-point or linear ADM
topology to path protection. This conversion occurs at the circuit level. CTC calculates the additional
path protection circuit route automatically or you can do it manually. When routing the path protection
circuit, you can provision the USPR as go-and-return or unidirectional.
When performing an in-service topology upgrade on a configuration with VCAT circuits, CTC allows
you to select member circuits to upgrade individually. When upgrading VT tunnels, CTC does not
convert the VT tunnel to path protection, but instead creates a secondary tunnel for the alternate path.
The result is two unprotected VT tunnels using alternate paths.
To convert from point-to-point or linear ADM to a path protection, the topology requires an additional
circuit route to complete the ring. When the route is established, CTC creates circuit connections on any
intermediate nodes and modifies existing circuit connections on the original circuit path. The number
and position of network spans in the topology remains unchanged during and after the conversion.
Figure 11-35 shows an unprotected point-to-point ADM configuration converted to a path protection. An
additional circuit routes through Node 3 to complete the path protection.
Figure 11-35 Unprotected Point-to-Point ADM to Path Protection Conversion
11.12.2 Point-to-Point or Linear ADM to Two-Fiber BLSR
A 1+1 point-to-point or linear ADM to a two-fiber BLSR conversion is manual. You must remove the
protect fibers from all nodes in the linear ADM and route them from the end node to the protect port on
the other end node. In addition, you must delete the circuit paths that are located in the bandwidth that
will become the protection portion of the two-fiber BLSR (for example, circuits in STS 25 or higher on
an OC-48 BLSR) and recreate them in the appropriate bandwidth. Finally, you must provision the nodes
as BLSR nodes.
To complete a conversion from an unprotected point-to-point or linear ADM to a two-fiber BLSR, use
the CTC Convert Unprotected/Path Protection to BLSR wizard from the Tools > Topology Upgrade
menu.
11.12.3 Path Protection to Two-Fiber BLSR
CTC provides a topology conversion wizard to convert a path protection to a two-fiber BLSR. An
upgrade from a path protection to a two-fiber BLSR changes path protection to line protection. A path
protection can have a maximum of 16 nodes before conversion. Circuit paths must occupy the same time
slots around the ring. Only the primary path through the path protection is needed; the topology
conversion wizard removes the alternate path protection path during the conversion. Because circuit
paths can begin and end outside of the topology, the conversion might create line-protected segments
within path protection paths of circuits outside the scope of the ring. The physical arrangement of the
ring nodes and spans remains the same after the conversion.
[Figure 11-35 diagram: ONS 15454 Node 1, Node 4, and Node 8, with OC-48 and OC-12 spans]
11.12.4 Two-Fiber BLSR to Four-Fiber BLSR
CTC provides a wizard to convert two-fiber OC-48 or OC-192 BLSRs to four-fiber BLSRs. To convert
the BLSR, you must install two OC-48 or OC-192 cards at each two-fiber BLSR node, then log into CTC
and convert each node from two-fiber to four-fiber. The fibers that were divided into working and protect
bandwidths for the two-fiber BLSR are now fully allocated for working BLSR traffic.
11.12.5 Add or Remove a Node from a Topology
You can add or remove a node from a linear ADM, BLSR, or path protection configuration. Adding or
removing nodes from BLSRs is potentially service affecting; however, adding and removing nodes from
an existing 1+1 linear ADM or path protection configuration does not disrupt traffic. CTC provides a
wizard for adding a node to a point-to-point or 1+1 linear ADM. This wizard is used when adding a node
between two other nodes.
11.13 Overlay Ring Circuits
An overlay ring configuration consists of a core ring and subtended rings (Figure 11-36). An Overlay
Ring Circuit routes traffic around multiple rings in an overlay ring configuration, passing through one
or more nodes more than once. This results in multiple cross-connections on the nodes connecting the
core ring to the subtended rings. For example, a customer whose core ring cross-connects were provisioned using TL1 can create cross-connects on subtended rings to meet a business need without disturbing the existing cross-connects on the core ring. This circuit can be either protected or unprotected.
A typical path protected overlay ring configuration is shown in Figure 11-36, where the circuit traverses
the nodes B, D, and F twice resulting in two cross-connections on these nodes for the same circuit. In
Figure 11-36, the circuits on the OC-12 path are unprotected. The DS3 drop traffic is protected on the
drop nodes by provisioning a primary and secondary destination, making it a path protected circuit.
Figure 11-36 Overlay Ring Circuit
Overlay ring supports the following circuit sizes: STS-1, 3c, 6c, 9c, 12c, 24c, 36c, 48c, and 192c. Both unidirectional and bidirectional circuits are supported. Overlay ring circuits are contiguous concatenated (CCAT) circuits, not virtual concatenated (VCAT) circuits.
Manual routing is mandatory when provisioning an overlay ring circuit. Overlay ring circuits created using Transaction Language 1 (TL1) are discovered by CTC and displayed with the status DISCOVERED. If the overlay ring circuit is deleted, the cross-connects on both the core ring and the subtended rings are deleted. Cross-connects on a subtended ring can be deleted through TL1, but CTC then shows a partial overlay ring circuit, because the core ring still has its cross-connects.
[Figure 11-36 diagram: core ring (OC-12 path protection) with subtended rings (OC-3 path protection) across Nodes A through G; labels DS3 CIRCUIT, DS3 DROP, DS3 PASS-THRU, and OC-3 OVERLAY RING]
CHAPTER 12
Circuits and Tunnels
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This chapter explains Cisco ONS 15454 synchronous transport signal (STS), virtual tributary (VT), and
virtual concatenated (VCAT) circuits and VT, data communications channel (DCC), and IP-encapsulated
tunnels. To provision circuits and tunnels, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 12.1 Overview, page 12-2
• 12.2 Circuit Properties, page 12-2
• 12.3 Cross-Connect Card Bandwidth, page 12-12
• 12.4 Portless Transmux, page 12-15
• 12.5 DCC Tunnels, page 12-16
• 12.7 Multiple Destinations for Unidirectional Circuits, page 12-18
• 12.8 Monitor Circuits, page 12-18
• 12.9 Path Protection Circuits, page 12-19
• 12.10 BLSR Protection Channel Access Circuits, page 12-21
• 12.11 BLSR STS and VT Squelch Tables, page 12-22
• 12.12 IEEE 802.17 Resilient Packet Ring Circuit Display, page 12-23
• 12.13 Section and Path Trace, page 12-24
• 12.14 Path Signal Label, C2 Byte, page 12-25
• 12.15 Automatic Circuit Routing, page 12-27
• 12.16 Manual Circuit Routing, page 12-29
• 12.17 Constraint-Based Circuit Routing, page 12-33
• 12.18 Virtual Concatenated Circuits, page 12-34
• 12.19 Bridge and Roll, page 12-39
• 12.20 Merged Circuits, page 12-45
• 12.21 Reconfigured Circuits, page 12-46
• 12.22 VLAN Management, page 12-46
• 12.23 Server Trails, page 12-46
12.1 Overview
You can create circuits across and within ONS 15454 nodes and assign different attributes to circuits.
For example, you can:
• Create one-way, two-way (bidirectional), or broadcast circuits.
• Assign user-defined names to circuits.
• Assign different circuit sizes.
• Automatically or manually route circuits.
• Automatically create multiple circuits with autoranging. VT tunnels do not use autoranging.
• Provide full protection to the circuit path.
• Provide only protected sources and destinations for circuits.
• Define a secondary circuit source or destination that allows you to interoperate an ONS 15454 path
protection configuration with third-party equipment path protection configurations.
• Set path protection circuits as revertive or nonrevertive.
You can provision circuits at any of the following points:
• Before cards are installed. The ONS 15454 allows you to provision slots and circuits before installing the traffic cards.
• After you preprovision the Small Form-factor Pluggables (SFPs) (also called provisionable port modules [PPMs]).
• After cards and SFPs are installed and ports are in service. Circuits do not actually carry traffic until the cards and SFPs are installed and the ports are In-Service and Normal (IS-NR); Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS); or Out-of-Service and Management, Maintenance (OOS-MA,MT). Circuits carry traffic as soon as the signal is received.
12.2 Circuit Properties
The ONS 15454 Cisco Transport Controller (CTC) Circuits window, which appears in network, node,
and card view, is where you can view information about circuits. The Circuits window (Figure 12-1)
provides the following information:
• Name—The name of the circuit. The circuit name can be manually assigned or automatically
generated.
• Type—The circuit types are STS (STS circuit), VT (VT circuit), VTT (VT tunnel), VAP (VT
aggregation point), OCHNC (dense wavelength division multiplexing [DWDM] optical channel
network connection; refer to the Cisco ONS 15454 DWDM Procedure Guide), STS-V (STS VCAT
circuit), or VT-V (VT VCAT circuit).
• Size—The circuit size. VT circuits are 1.5. STS circuit sizes are 1, 3c, 6c, 9c, 12c, 24c, 36c, 48c,
and 192c. OCHNC sizes are Equipped non specific, Multi-rate, 2.5 Gbps No FEC (forward error
correction), 2.5 Gbps FEC, 10 Gbps No FEC, and 10 Gbps FEC (OCHNC is DWDM only; refer to
the Cisco ONS 15454 DWDM Procedure Guide). VCAT circuits are VT1.5-nv, STS-1-nv,
STS-3c-nv, and STS-12c-nv, where n is the number of members. For time slot availability on
concatenated STSs, see the “12.2.1 Concatenated STS Time Slot Assignments” section on
page 12-4.
• OCHNC Wlen—For OCHNCs, the wavelength provisioned for the optical channel network
connection. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
• Direction—The circuit direction, either two-way or one-way.
• OCHNC Dir—For OCHNCs, the direction of the optical channel network connection, either east to
west or west to east. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
• Protection—The type of circuit protection. See the “12.2.4 Circuit Protection Types” section on
page 12-9 for a list of protection types.
• Status—The circuit status. See the “12.2.2 Circuit Status” section on page 12-6.
• Source—The circuit source in the format: node/slot/port “port name”/STS/VT. (The port name
appears in quotes.) Node and slot always appear; port “port name”/STS/VT might appear, depending
on the source card, circuit type, and whether a name is assigned to the port. For the OC192-XFP and
MRC-12 cards, the port appears as port pluggable module (PPM)-port. If the circuit size is a
concatenated size (3c, 6c, 12c, etc.), STSs used in the circuit are indicated by an ellipsis, for
example, S7..9, (STSs 7, 8, and 9) or S10..12 (STS 10, 11, and 12).
• Destination—The circuit destination in the same format as the circuit source.
• # of VLANS—The number of VLANs used by an Ethernet circuit.
• # of Spans—The number of internode links that constitute the circuit. Right-clicking the column
shows a shortcut menu from which you can choose Span Details to show or hide circuit span detail.
For each node in the span, the span detail shows the node/slot (card type)/port/STS/VT.
• State—The circuit state. See the “12.2.3 Circuit States” section on page 12-7.
The Filter button allows you to filter the circuits in network, node, or card view based on circuit name,
size, type, direction, and other attributes. In addition, you can export the Circuit window data in HTML,
comma-separated values (CSV), or tab-separated values (TSV) format using the Export command from
the File menu.
Figure 12-1 ONS 15454 Circuit Window in Network View
12.2.1 Concatenated STS Time Slot Assignments
Table 12-1 shows the available time slot assignments for concatenated STSs when using CTC to
provision circuits.
Table 12-1 STS Mapping Using CTC

| Starting STS | STS-3c | STS-6c | STS-9c | STS-12c | STS-18c | STS-24c | STS-36c | STS-48c | STS-192c |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| 4 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| 7 | Yes | Yes | No | No | Yes | Yes | Yes | No | No |
| 10 | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| 13 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| 16 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 19 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 22 | Yes | No | No | No | Yes | Yes | No | No | No |
| 25 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| 28 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 31 | Yes | Yes | No | No | Yes | No | No | No | No |
| 34 | Yes | No | No | No | No | No | No | No | No |
| 37 | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No |
| 40 | Yes | Yes | Yes | No | No | No | No | No | No |
| 43 | Yes | Yes | No | No | No | No | No | No | No |
| 46 | Yes | No | Yes | No | No | No | No | No | No |
| 49 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| 52 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| 55 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| 58 | Yes | No | No | No | Yes | Yes | Yes | No | No |
| 61 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| 64 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 67 | Yes | Yes | No | No | Yes | Yes | No | No | No |
| 70 | Yes | No | No | No | Yes | Yes | No | No | No |
| 73 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| 76 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 79 | Yes | Yes | No | No | Yes | No | No | No | No |
| 82 | Yes | No | Yes | No | No | No | No | No | No |
| 85 | Yes | Yes | Yes | Yes | No | No | No | No | No |
| 88 | Yes | Yes | Yes | No | No | No | No | No | No |
| 91 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 94 | Yes | No | No | No | No | No | No | No | No |
| 97 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| 100 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| 103 | Yes | Yes | No | No | Yes | Yes | Yes | No | No |
| 106 | Yes | No | No | No | Yes | Yes | Yes | No | No |
| 109 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| 112 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 115 | Yes | Yes | No | No | Yes | Yes | No | No | No |
| 118 | Yes | No | Yes | No | Yes | Yes | No | No | No |
| 121 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| 124 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 127 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 130 | Yes | No | No | No | No | No | No | No | No |
| 133 | Yes | Yes | Yes | Yes | No | No | No | No | No |
| 136 | Yes | Yes | Yes | No | No | No | No | No | No |
| 139 | Yes | Yes | No | No | No | No | No | No | No |
| 142 | Yes | No | No | No | No | No | No | No | No |
| 145 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| 148 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| 151 | Yes | Yes | No | No | Yes | Yes | Yes | No | No |
| 154 | Yes | No | Yes | No | Yes | Yes | Yes | No | No |
| 157 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| 160 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 163 | Yes | Yes | Yes | No | Yes | Yes | No | No | No |
| 166 | Yes | No | No | No | Yes | Yes | No | No | No |
| 169 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No |
| 172 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 175 | Yes | Yes | No | No | Yes | No | No | No | No |
| 178 | Yes | No | No | No | No | No | No | No | No |
| 181 | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
| 184 | Yes | Yes | Yes | No | Yes | No | No | No | No |
| 187 | Yes | Yes | No | No | Yes | No | No | No | No |
| 190 | Yes | No | No | No | Yes | No | No | No | No |

12.2.2 Circuit Status
The circuit statuses that appear in the Circuit window Status column are generated by CTC based on conditions along the circuit path. Table 12-2 shows the statuses that can appear in the Status column.
Table 12-2 ONS 15454 Circuit Status

| Status | Definition/Activity |
|---|---|
| CREATING | CTC is creating a circuit. |
| DISCOVERED | CTC created a circuit. All components are in place and a complete path exists from circuit source to destination. |
| DELETING | CTC is deleting a circuit. |
| PARTIAL | A CTC-created circuit is missing a cross-connect or network span, a complete path from source to destinations does not exist, or an alarm interface panel (AIP) change occurred on one of the circuit nodes and the circuit is in need of repair. (AIPs store the node MAC address.) In CTC, circuits are represented using cross-connects and network spans. If a network span is missing from a circuit, the circuit status is PARTIAL. However, a PARTIAL status does not necessarily mean a circuit traffic failure has occurred, because traffic might flow on a protect path. Network spans are in one of two states: up or down. On CTC circuit and network maps, up spans appear as green lines, and down spans appear as gray lines. If a failure occurs on a network span during a CTC session, the span remains on the network map but its color changes to gray to indicate that the span is down. If you restart your CTC session while the failure is active, the new CTC session cannot discover the span and its span line does not appear on the network map. Subsequently, circuits routed on a network span that goes down appear as DISCOVERED during the current CTC session, but appear as PARTIAL to users who log in after the span failure. |
| DISCOVERED_TL1 | A TL1-created circuit or a TL1-like, CTC-created circuit is complete. A complete path from source to destinations exists. |
| PARTIAL_TL1 | A TL1-created circuit or a TL1-like, CTC-created circuit is missing a cross-connect or circuit span (network link), and a complete path from source to destinations does not exist. |
| CONVERSION_PENDING | An existing circuit in a topology upgrade is set to this state. The circuit returns to the DISCOVERED state once the topology upgrade is complete. For more information about topology upgrades, see Chapter 11, “SONET Topologies and Upgrades.” |
| PENDING_MERGE | Any new circuits created to represent an alternate path in a topology upgrade are set to this status to indicate that it is a temporary circuit. These circuits can be deleted if a topology upgrade fails. For more information about topology upgrades, see Chapter 11, “SONET Topologies and Upgrades.” |
| DROP_PENDING | A circuit is set to this status when a new circuit drop is being added. |
| ROLL_PENDING | A circuit roll is awaiting completion or cancellation. |

12.2.3 Circuit States
The circuit service state is an aggregate of the cross-connect states within the circuit.
• If all cross-connects in a circuit are in the In-Service and Normal (IS-NR) service state, the circuit service state is In-Service (IS).
• If all cross-connects in a circuit are in an Out-of-Service (OOS) service state, such as Out-of-Service
and Management, Maintenance (OOS-MA,MT); Out-of-Service and Management, Disabled
(OOS-MA,DSBLD); or Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS)
service state, the circuit service state is Out-of-Service (OOS).
• PARTIAL is appended to the OOS circuit service state when the circuit's cross-connect states are mixed and not all are IS-NR. The OOS-PARTIAL state can occur during automatic or manual transitions between states. For example, OOS-PARTIAL appears if you assign the IS,AINS administrative state
to a circuit with DS-1 or DS3XM cards as the source or destination. Some cross-connects transition
to the IS-NR service state, while others transition to OOS-AU,AINS. OOS-PARTIAL can appear
during a manual transition caused by an abnormal event such as a CTC crash or communication
error, or if one of the cross-connects could not be changed. Refer to the Cisco ONS 15454
Troubleshooting Guide for troubleshooting procedures. The OOS-PARTIAL circuit state does not
apply to OCHNC circuit types.
You can assign a state to circuit cross-connects at two points:
• During circuit creation, you can set the state in the Create Circuit wizard.
• After circuit creation, you can change a circuit state in the Edit Circuit window or from the
Tools > Circuits > Set Circuit State menu.
Note: After you have created an initial circuit in a CTC session, the subsequent circuit states default to the
circuit state of the initial circuit, regardless of which nodes in the network the circuits traverse or the
node.ckt.state default setting.
During circuit creation, you can apply a service state to the drop ports in a circuit. You cannot transition
a drop port from the IS-NR service state to the OOS-MA,DSBLD service state; you must first put the
port in the OOS-MA,MT state before changing it to the OOS-MA,DSBLD state. For more information
about port service state transitions, see Appendix B, “Administrative and Service States.”
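The state rules above can be exercised with a small model. The following Python is an added example written for this section, not code from the ONS 15454 or CTC. It encodes the circuit-state aggregation rule (all cross-connects IS-NR gives IS, all OOS gives OOS, anything mixed gives OOS-PARTIAL), the drop-port rule that IS-NR must pass through OOS-MA,MT before OOS-MA,DSBLD, and the port soak countdown. The string "bad signal" used for the Time Until IS column is an assumed stand-in for whatever CTC displays; OCHNC circuits are left out of the model.

```python
"""Circuit service-state derivation and drop-port transition rules.

Added illustration of the rules stated in this section; it is not ONS 15454
or CTC code.  State names are the ones used on this page.
"""

IS_NR = "IS-NR"
OOS_MA_MT = "OOS-MA,MT"
OOS_MA_DSBLD = "OOS-MA,DSBLD"
OOS_AU_AINS = "OOS-AU,AINS"
OOS_STATES = {OOS_MA_MT, OOS_MA_DSBLD, OOS_AU_AINS}


def circuit_service_state(xc_states):
    """Derive a circuit's service state from its cross-connect service states.

    IS           every cross-connect is IS-NR
    OOS          every cross-connect is in an OOS state
    OOS-PARTIAL  mixed: not all IS-NR and not all OOS (normal while DS-1 or
                 DS3XM cross-connects soak under IS,AINS, or after a CTC
                 crash or communication error left some unchanged)
    """
    if not xc_states:
        raise ValueError("a circuit needs at least one cross-connect")
    unknown = set(xc_states) - OOS_STATES - {IS_NR}
    if unknown:
        raise ValueError(f"unknown cross-connect state(s): {sorted(unknown)}")
    if all(s == IS_NR for s in xc_states):
        return "IS"
    if all(s in OOS_STATES for s in xc_states):
        return "OOS"
    return "OOS-PARTIAL"


def drop_port_transition_plan(current, target):
    """States to apply, in order, to move a drop port to `target`.

    The one rule this page states: IS-NR cannot go straight to OOS-MA,DSBLD;
    the port must be placed in OOS-MA,MT first.  Every other pair is passed
    through unchanged (Appendix B holds the full transition table).
    """
    if current == target:
        return []
    if current == IS_NR and target == OOS_MA_DSBLD:
        return [OOS_MA_MT, OOS_MA_DSBLD]
    return [target]


def port_state_after_soak(signal_good_seconds, soak_seconds):
    """An OOS-AU,AINS port becomes IS-NR once an error-free signal has been
    received continuously for the whole soak period."""
    return IS_NR if signal_good_seconds >= soak_seconds else OOS_AU_AINS


def time_until_is(signal_good, signal_good_seconds, soak_seconds):
    """Value of the Maintenance > AINS Soak 'Time Until IS' column: the soak
    countdown in seconds while the signal is good, or a bad-signal marker
    otherwise ("bad signal" is an assumed stand-in for the CTC text)."""
    if not signal_good:
        return "bad signal"
    return max(soak_seconds - signal_good_seconds, 0)
```

Because `drop_port_transition_plan` returns the staged list rather than silently applying the target, a provisioning script can show the operator the intermediate OOS-MA,MT step before the port is disabled.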
Circuits do not use the soak timer, but ports do. The soak period is the amount of time that the port
remains in the OOS-AU,AINS service state after a signal is continuously received. When the
cross-connects in a circuit are in the OOS-AU,AINS service state, the ONS 15454 monitors the
cross-connects for an error-free signal. It changes the state of the circuit from OOS to IS or to
OOS-PARTIAL as each cross-connect assigned to the circuit path is completed. This allows you to
provision a circuit using TL1, verify its path continuity, and prepare the port to go into service when it
receives an error-free signal for the time specified in the port soak timer. Two common examples of state
changes you see when provisioning circuits using CTC are:
• When assigning the IS,AINS administrative state to cross-connects in VT circuits and VT tunnels,
the source and destination ports on the VT circuits remain in the OOS-AU,AINS service state until
an alarm-free signal is received for the duration of the soak timer. When the soak timer expires and
an alarm-free signal is found, the VT source port and destination port service states change to IS-NR
and the circuit service state becomes IS.
• When assigning the IS,AINS administrative state to cross-connects in STS circuits, the circuit
source and destination ports transition to the OOS-AU,AINS service state. When an alarm-free
signal is received, the source and destination ports remain OOS-AU,AINS for the duration of the
soak timer. After the port soak timer expires, STS source and destination ports change to IS-NR and
the circuit service state changes to IS.
To find the remaining port soak time, choose the Maintenance > AINS Soak tabs in card view and click
the Retrieve button. If the port is in the OOS-AU,AINS state and has a good signal, the Time Until IS
column shows the soak countdown status. If the port is OOS-AU,AINS and has a bad signal, the
Time Until IS column indicates that the signal is bad. You must click the Retrieve button to obtain the
latest time value.
Note: Although ML-Series cards do not use the Telcordia GR-1093-CORE state model, you can also set a soak
timer for ML-Series cards ports. The soak period is the amount of time that the ML-Series port remains
in the Down state after an error-free signal is continuously received before changing to the Up state. To
find the remaining port soak time, choose the Maintenance > Ether/POS Port Soak tabs in ML-Series
card view and click the Retrieve button.
For more information about port and cross-connect states, see Appendix B, “Administrative and Service
States.”
12.2.4 Circuit Protection Types
The Protection column in the Circuit window shows the card (line) and SONET topology (path)
protection used for the entire circuit path. Table 12-3 shows the protection type indicators that appear in
this column.
Table 12-3 Circuit Protection Types
Protection Type: Description
1+1: The circuit is protected by a 1+1 protection group.
2F BLSR: The circuit is protected by a two-fiber BLSR.
4F BLSR: The circuit is protected by a four-fiber BLSR.
2F-PCA: The circuit is routed on a protection channel access (PCA) path on a two-fiber BLSR. PCA circuits are unprotected.
4F-PCA: The circuit is routed on a PCA path on a four-fiber BLSR. PCA circuits are unprotected.
BLSR: The circuit is protected by both a two-fiber and a four-fiber BLSR.
DRI: The circuit is protected by a dual-ring interconnection (DRI).
N/A: A circuit with connections on the same node is not protected.
PCA: The circuit is routed on a PCA path on both two-fiber and four-fiber BLSRs. PCA circuits are unprotected.
Protected: The circuit is protected by diverse SONET topologies, for example, a BLSR and a path protection configuration, or a path protection configuration and 1+1 protection.
Unknown: A circuit has a source and destination on different nodes and communication is down between the nodes. This protection type appears if not all circuit components are known.
Unprot (black): A circuit with a source and destination on different nodes is not protected.
Unprot (red): A circuit created as a fully protected circuit is no longer protected due to a system change, such as removal of a BLSR or 1+1 protection group.
Path Protection: The circuit is protected by a path protection.
12.2.5 Circuit Information in the Edit Circuit Window
You can edit a selected circuit using the Edit button on the Circuits window. The tabs that appear depend
on the circuit chosen:
• General—Displays general circuit information and allows you to edit the circuit name.
• Drops—Allows you to add a drop to a unidirectional circuit. For more information, see the
“12.7 Multiple Destinations for Unidirectional Circuits” section on page 12-18.
• Monitors—Displays possible monitor sources and allows you to create a monitor circuit. For more
information, see the “12.8 Monitor Circuits” section on page 12-18.
• Path Protection Selectors—Allows you to change path protection selectors. For more information,
see the “12.9 Path Protection Circuits” section on page 12-19.
• Path Protection Switch Counts—Allows you to change path protection switch protection paths. For
more information, see the “12.9 Path Protection Circuits” section on page 12-19.
• State—Allows you to edit cross-connect service states.
• Merge—Allows you to merge aligned circuits. For more information, see the “12.20 Merged
Circuits” section on page 12-45.
Using the Export command from the File menu, you can export data from the Path Protection Selectors,
Path Protection Switch Counts, State, and Merge tabs in HTML, comma-separated values (CSV), or
tab-separated values (TSV) format.
The Show Detailed Map checkbox in the Edit Circuit window updates the graphical view of the circuit
to show more detailed routing information, such as:
• Circuit direction (unidirectional/bidirectional)
• The nodes, STSs, and VTs through which a circuit passes, including slots and port numbers
• The circuit source and destination points
• Open Shortest Path First (OSPF) area IDs
• Link protection (path protection, unprotected, BLSR, 1+1) and bandwidth (OC-N)
• Provisionable patchcords between two cards on the same node or different nodes
For BLSRs, the detailed map shows the number of BLSR fibers and the BLSR ring ID. For path
protection configurations, the map shows the active and standby paths from circuit source to destination,
and it also shows the working and protect paths. Selectors appear as pentagons on the detailed circuit
map. The map indicates nodes set up as DRI nodes. For VCAT circuits, the detailed map is not available
for an entire VCAT circuit. However, you can view the detailed map to see the circuit route for each
individual member.
Table 12-3 Circuit Protection Types (continued)
SPLITTER: The circuit is protected by the protect transponder (TXPP_MR_2.5G) splitter protection. For splitter information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
Y-Cable: The circuit is protected by a transponder or muxponder card Y-cable protection group. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
You can also view alarms and states on the circuit map, including:
• Alarm states of nodes on the circuit route
• Number of alarms on each node organized by severity
• Port service states on the circuit route
• Alarm state/color of most severe alarm on port
• Loopbacks
• Path trace states
• Path selector states
By default, the working path is indicated by a green, bidirectional arrow, and the protect path is indicated
by a purple, bidirectional arrow. Source and destination ports are shown as circles with an S and D. Port
states are indicated by colors, shown in Table 12-4.
In detailed view, a notation within or by the squares or selector pentagons indicates switches and
loopbacks, including:
• F = Force switch
• M = Manual switch
• L = Lockout switch
• Arrow = Facility (outward) or terminal (inward) loopback
Move the mouse cursor over nodes, ports, and spans to see tooltips with information including the
number of alarms on a node (organized by severity), the port service state, and the protection topology.
Right-click a node, port, or span on the detailed circuit map to initiate certain circuit actions:
• Right-click a unidirectional circuit destination node to add a drop to the circuit.
• Right-click a port containing a path-trace-capable card to initiate the path trace.
• Right-click a path protection span to change the state of the path selectors in the path protection
circuit.
Figure 12-2 shows a circuit routed on a two-fiber BLSR. A port is shown in terminal loopback.
Table 12-4 Port State Color Indicators
Port Color: Service State
Green: IS-NR
Gray: OOS-MA,DSBLD
Violet: OOS-AU,AINS
Blue (Cyan): OOS-MA,MT
Figure 12-2 BLSR Circuit Displayed on the Detailed Circuit Map
12.3 Cross-Connect Card Bandwidth
The ONS 15454 XCVT, XC10G, and XC-VXC-10G cross-connect cards perform port-to-port,
time-division multiplexing (TDM). XCVT, XC10G, and XC-VXC-10G cards perform STS, VT2
(XC-VXC-10G only), and VT1.5 multiplexing.
The STS matrix on the XCVT cross-connect card has a capacity for 288 STS terminations, and the
XC10G and XC-VXC-10G cards each have a capacity for 1152 STS terminations. Because each STS
circuit requires a minimum of two terminations, one for ingress and one for egress, the XCVT card has
a capacity for 144 STS circuits, while the XC10G and XC-VXC-10G cards have a capacity for 576 STS
circuits. However, this capacity is reduced at path protection and 1+1 nodes because three STS
terminations are required at circuit source and destination nodes and four terminations are required at
1+1 circuit pass-through nodes. Path protection pass-through nodes only require two STS terminations.
The XCVT and XC10G cards perform VT1.5 multiplexing through 24 logical STS ports on the XCVT
or XC10G VT matrix, and the XC-VXC-10G card performs VT1.5 and VT2 multiplexing through 96
logical STS ports on the XC-VXC-10G VT matrix. Each logical STS port can carry 28 VT1.5s or 21
VT2s. Consequently, the VT matrix on the XCVT or XC10G has capacity for 672 VT1.5 terminations,
or 336 VT1.5 circuits. The VT matrix on the XC-VXC-10G has capacity for 2688 VT1.5 terminations
(1344 VT1.5 bidirectional circuits) or 2016 VT2 terminations (1008 VT2 bidirectional circuits). Every
circuit requires two terminations, one for ingress and one for egress. However, this capacity is only
achievable if:
• Every STS port on the VT matrix carries 28 VT1.5s or 21 VT2s.
• The node is in a BLSR or 1+1 protection scheme.
For example, if you create a VT1.5 circuit from an STS-1 on a drop card, two VT matrix STS ports are
used, as shown in Figure 12-3. If you create a second VT1.5 circuit from the same STS port on the drop
card, no additional logical STS ports are used on the VT matrix. In fact, you can create up to 28 VT1.5
circuits using the same STS-1 port. However, if the next VT1.5 circuit originates on a different STS, an
additional pair of STS ports on the VT matrix is used, as shown in Figure 12-4. If you continued to create
VT1.5 circuits on different EC-1 STSs and mapped each to an unused outbound STS, the VT matrix
capacity would be reached after you created 12 VT1.5 circuits in the case of the XCVT or XC10G cards,
or 48 VT1.5 circuits in the case of the XC-VXC-10G card.
Figure 12-3 One VT1.5 Circuit on One STS
[Figure 12-3 detail: two panels, XCVT/XC10G Matrices and XC-VXC-10G Matrices, each showing an EC-1 drop and an OC-N source (OC-12 and OC-192 appear in the figure) connected through the STS matrix and the VT1.5 matrix. VT1.5 circuit #1 on STS-1: 1 VT1.5 used on STS-1, 27 VT1.5s available on STS-1. XCVT/XC10G: 2 STSs total used, 22 STSs available. XC-VXC-10G: 2 STSs total used, 94 STSs available.]
Figure 12-4 Two VT1.5 Circuits in a BLSR
Note: Circuits with DS1-14 and DS1N-14 circuit sources or destinations use one STS port on the VT matrix.
Because you can only create 14 VT1.5 circuits from the DS-1 cards, 14 VT1.5s are unused on the VT
matrix.
VT matrix capacity is also affected by SONET protection topology and node position within the circuit
path. Matrix usage is slightly higher for path protection nodes than BLSR and 1+1 nodes. Circuits use
two VT matrix ports at pass-through nodes if VT tunnels and aggregation points are not used. If the
circuit is routed on a VT tunnel or an aggregation point, no VT matrix resources are used. Table 12-5
shows basic STS port usage rates for VT 1.5 circuits.
[Figure 12-4 detail: two panels, XCVT/XC10G Matrices and XC-VXC-10G Matrices, each showing an EC-1 drop and an OC-N source (OC-12 and OC-192 appear in the figure) connected through the STS matrix and the VT1.5 matrix. VT1.5 circuit #1 on STS-1: 1 VT1.5 used, 27 VT1.5s available on STS-1. VT1.5 circuit #2 on STS-2: 1 VT1.5 used, 27 VT1.5s available on STS-2. XCVT/XC10G: 4 STSs total used, 20 STSs available. XC-VXC-10G: 4 STSs total used, 92 STSs available.]
Cross-connect card resources can be viewed on the Maintenance > Cross-Connect > Resource Usage tab.
This tab shows:
• STS-1 Matrix—The percent of STS matrix resources that are used. 288 STSs are available on XCVT
cards; 1152 are available on XC10G and XC-VXC-10G cards.
• VT Matrix Ports—The percent of the VT matrix ports (logical STS ports) that are used. 24 ports are
available on XCVT and XC10G cards. 96 ports are available on the XC-VXC-10G card. The
VT Port Matrix Detail shows the percent of each VT matrix port that is used.
• VT Matrix—The percent of the total VT matrix terminations that are used. There are
672 terminations for the XCVT and XC10G cards. 672 is the number of logical STS VT matrix
ports (24) multiplied by the number of VT1.5s per port (28). There are 2688 terminations for the
XC-VXC-10G card. 2688 is the number of logical STS VT matrix ports (96) multiplied by the
number of VT1.5s per port (28).
To maximize resources on the cross-connect card VT matrix, keep the following points in mind as you
provision circuits:
• Use all 28 VT1.5s on a given port or STS before moving to the next port or STS.
• Try to use EC-1, DS3XM, or OC-N cards as the VT1.5 circuit source and destination. VT1.5 circuits
with DS1-14 or DS1N-14 sources or destinations use a full port on the VT matrix even though only
14 VT1.5 circuits can be created.
• Use VT tunnels and VT aggregation points to reduce VT matrix utilization. VT tunnels allow VT1.5
circuits to bypass the VT matrix on pass-through nodes. They are cross-connected as STSs and only
go through the STS matrix. VT aggregation points allow multiple VT1.5 circuits to be aggregated
onto a single STS to bypass the VT matrix at the aggregation node.
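To make the capacity arithmetic in this section concrete, the following Python is an added example (not Cisco or CTC code) that accounts for VT matrix ports and VT1.5 terminations the way the text and Table 12-5 describe: 24 or 96 logical STS ports, 28 VT1.5s per port, 14 usable circuits behind a DS1-14 card, and 2, 3 or 0 ports per circuit depending on node role and protection. STS labels such as "drop/sts1" are constructed. It reproduces the worked numbers in the text: 12 circuits on distinct STSs exhaust an XCVT or XC10G matrix, 48 exhaust an XC-VXC-10G, and 28 (or 14 from a DS1-14 source) fit on one STS pair.

```python
"""VT matrix resource accounting for ONS 15454 cross-connect cards.

Added worked example of the capacity rules in this section; it is not Cisco
or CTC code.  Card sizes, the 28 VT1.5s per port, the 14-circuit DS1-14
limit and the per-node port usage come from the text and Table 12-5.  STS
labels such as "drop/sts1" are constructed.
"""

CARD_VT_PORTS = {"XCVT": 24, "XC10G": 24, "XC-VXC-10G": 96}   # logical STS ports
VT15_PER_PORT = 28      # VT1.5 terminations per logical STS port
DS1_14_LIMIT = 14       # DS1-14/DS1N-14 card: full port used, only 14 circuits

# Table 12-5: VT matrix ports used at one node by one VT1.5 circuit.
PORT_USAGE = {
    "endpoint":     {"none": 2, "BLSR": 2, "path": 3, "1+1": 2},
    "pass-through": {"none": 2, "BLSR": 2, "path": 2, "1+1": 2},
    "tunnel":       {"none": 0, "BLSR": 0, "path": 0, "1+1": 0},
}


class ResourceError(Exception):
    """The circuit would exceed the VT matrix capacity of the card."""


def circuit_stss(role, protection, in_sts, out_sts, protect_sts=None):
    """STSs (logical VT matrix ports) one VT1.5 circuit occupies at a node."""
    ports = PORT_USAGE[role][protection]
    if ports == 0:                  # VT tunnel / aggregation point: STS matrix only
        return []
    if ports == 3:                  # path protection endpoint: working + protect
        if protect_sts is None:
            raise ValueError("a path protection endpoint needs a protect STS")
        return [in_sts, out_sts, protect_sts]
    return [in_sts, out_sts]


class VtMatrix:
    def __init__(self, card):
        self.card = card
        self.ports = CARD_VT_PORTS[card]
        self.used = {}      # STS -> VT1.5 terminations consumed on that port
        self.limits = {}    # STS -> usable terminations (28, or 14 behind DS1-14)

    def add_vt15_circuit(self, stss, ds1_14_stss=()):
        """Admit one VT1.5 circuit that touches `stss` at this node.
        All checks run before any state changes, so a rejected circuit
        leaves the matrix untouched."""
        for s in ds1_14_stss:
            self.limits[s] = DS1_14_LIMIT
        new_ports = [s for s in stss if s not in self.used]
        if len(self.used) + len(new_ports) > self.ports:
            raise ResourceError(f"{self.card}: all {self.ports} VT matrix ports in use")
        for s in stss:
            if self.used.get(s, 0) + 1 > self.limits.get(s, VT15_PER_PORT):
                raise ResourceError(f"{self.card}: no free VT1.5 on {s}")
        for s in stss:
            self.used[s] = self.used.get(s, 0) + 1

    def ports_used(self):
        return len(self.used)

    def terminations_used(self):
        return sum(self.used.values())

    def resource_usage(self):
        """Percentages like the Maintenance > Cross-Connect > Resource Usage tab."""
        total = self.ports * VT15_PER_PORT          # 672 or 2688
        return {
            "vt_matrix_ports_pct": round(100 * self.ports_used() / self.ports, 1),
            "vt_matrix_pct": round(100 * self.terminations_used() / total, 1),
        }


def fill_until_exhausted(card, same_sts=False, ds1_14_source=False):
    """Add VT1.5 circuits at a BLSR endpoint node until one is rejected.
    Returns (circuits admitted, matrix).

    same_sts=False: each circuit uses a fresh drop STS mapped to a fresh
    outbound STS (the text's example: 12 on XCVT/XC10G, 48 on XC-VXC-10G).
    same_sts=True:  every circuit rides the same STS pair (28 fit, or 14
    when the drop STS comes from a DS1-14 card).
    """
    matrix = VtMatrix(card)
    admitted = 0
    while True:
        k = 1 if same_sts else admitted + 1
        stss = circuit_stss("endpoint", "BLSR", f"drop/sts{k}", f"ocn/sts{k}")
        ds1 = ("drop/sts1",) if ds1_14_source else ()
        try:
            matrix.add_vt15_circuit(stss, ds1)
        except ResourceError:
            return admitted, matrix
        admitted += 1
```

The admission check is deliberately all-or-nothing: a circuit that cannot be fully placed must not leave half-consumed ports behind, which is the same discipline a provisioning tool needs when it reports the Resource Usage percentages back to an operator.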
12.4 Portless Transmux
The DS3XM-12 card provides a portless transmux interface to change DS-3s into VT1.5s. For XCVT
drop slots, the DS3XM-12 card provides a maximum of 6 portless transmux interfaces; for XCVT trunk
slots and XC10G or XC-VXC-10G slots, the DS3XM-12 card provides a maximum of 12 portless
transmux interfaces. If two ports are configured as portless transmux, CTC allows you to create a
DS3/STS1 circuit using one of these ports as the circuit end point. You can create separate DS1/VT1.5
circuits (up to 28) using the other port in this portless transmux pair.
When creating a circuit through the DS3XM-12 card, the portless pair blocks the mapped physical
port(s); CTC does not display a blocked physical port in the source or destination drop-down list during
circuit creation. Table 12-6 lists the portless transmux mapping for XCVT drop ports.
Table 12-5 VT Matrix Port Usage for One VT1.5 Circuit
Node Type                                    No Protection  BLSR  Path Protection  1+1
Circuit source or destination node           2              2     3                2
Circuit pass-through node without VT tunnel  2              2     2                2
Circuit pass-through node with VT tunnel     0              0     0                0
Table 12-7 lists the portless transmux for XCVT trunk ports and for XC10G or XC-VXC-10G any-slot
ports.
12.5 DCC Tunnels
SONET provides four DCCs for network element (NE) operation, administration, maintenance, and
provisioning (OAM&P): one on the SONET Section layer (DCC1) and three on the SONET Line layer
(DCC2, DCC3, and DCC4). The ONS 15454 uses the Section DCC (SDCC) for ONS 15454 management
and provisioning. An SDCC and Line DCC (LDCC) each provide 192 Kbps of bandwidth per channel.
The aggregate bandwidth of the three LDCCs is 576 Kbps. When multiple DCC channels exist between
two neighboring nodes, the ONS 15454 balances traffic over the existing DCC channels using a load
balancing algorithm. This algorithm chooses a DCC for packet transport by considering packet size and
DCC utilization. You can tunnel third-party SONET equipment across ONS 15454 networks using one
of two tunneling methods: a traditional DCC tunnel or an IP-encapsulated tunnel.
Table 12-6 Portless Transmux Mapping for XCVT Drop Ports
Physical Port   Portless Port Pair
1, 2            13, 14
3, 4            15, 16
5, 6            17, 18
7, 8            19, 20
9, 10           21, 22
11, 12          23, 24
Table 12-7 Portless Transmux Mapping for XCVT Trunk and XC10G/XC-VXC-10G Any-Slot Ports
Physical Port   Portless Port Pair
1               13, 14
2               25, 26
3               15, 16
4               27, 28
5               17, 18
6               29, 30
7               19, 20
8               31, 32
9               21, 22
10              33, 34
11              23, 24
12              35, 36
12.5.1 Traditional DCC Tunnels
In traditional DCC tunnels, you can use the three LDCCs and the SDCC (when not used for ONS 15454
DCC terminations). A traditional DCC tunnel endpoint is defined by slot, port, and DCC, where DCC
can be either the SDCC or one of the LDCCs. You can link LDCCs to LDCCs and link SDCCs to SDCCs.
You can also link an SDCC to an LDCC, and an LDCC to an SDCC. To create a DCC tunnel, you connect
the tunnel endpoints from one ONS 15454 optical port to another. Cisco recommends a maximum of
84 DCC tunnel connections for an ONS 15454. Table 12-8 shows the DCC tunnels that you can create
using different OC-N cards.
Figure 12-5 shows a DCC tunnel example. Third-party equipment is connected to OC-3 cards at
Node 1/Slot 3/Port 1 and Node 3/Slot 3/Port 1. Each ONS 15454 node is connected by OC-48 trunk
(span) cards. In the example, three tunnel connections are created, one at Node 1 (OC-3 to OC-48), one
at Node 2 (OC-48 to OC-48), and one at Node 3 (OC-48 to OC-3).
Figure 12-5 Traditional DCC Tunnel
When you create DCC tunnels, keep the following guidelines in mind:
• Each ONS 15454 can have up to 84 DCC tunnel connections.
• Each ONS 15454 can have up to 84 Section DCC terminations.
• An SDCC that is terminated cannot be used as a DCC tunnel endpoint.
• An SDCC that is used as a DCC tunnel endpoint cannot be terminated.
Table 12-8 DCC Tunnels
Card                                                         DCC   SONET Layer  SONET Bytes
OC3 IR 4/STM1 SH 1310                                        DCC1  Section      D1 - D3
OC3 IR/STM1 SH 1310-8; all OC-12, OC-48, and OC-192 cards    DCC1  Section      D1 - D3
                                                             DCC2  Line         D4 - D6
                                                             DCC3  Line         D7 - D9
                                                             DCC4  Line         D10 - D12
[Figure 12-5 detail: third-party equipment connects to Node 1 and Node 3. Link 1 at Node 1: From (A) Slot 3 (OC3) Port 1, SDCC; To (B) Slot 13 (OC48) Port 1, Tunnel 1. Link 2 at Node 2: From (A) Slot 12 (OC48) Port 1, Tunnel 1; To (B) Slot 13 (OC48) Port 1, Tunnel 1. Link 3 at Node 3: From (A) Slot 12 (OC48) Port 1, Tunnel 1; To (B) Slot 3 (OC3) Port 1, SDCC.]
• All DCC tunnel connections are bidirectional.
12.5.2 IP-Encapsulated Tunnels
An IP-encapsulated tunnel puts an SDCC in an IP packet at a source node and dynamically routes the
packet to a destination node. To compare traditional DCC tunnels with IP-encapsulated tunnels, a
traditional DCC tunnel is configured as one dedicated path across a network and does not provide a
failure recovery mechanism if the path is down. An IP-encapsulated tunnel is a virtual path, which adds
protection when traffic travels between different networks.
IP-encapsulated tunneling has the potential of flooding the DCC network with traffic resulting in a
degradation of performance for CTC. The data originating from an IP tunnel can be throttled to a
user-specified rate, which is a percentage of the total SDCC bandwidth.
Each ONS 15454 supports up to ten IP-encapsulated tunnels. You can convert a traditional DCC tunnel
to an IP-encapsulated tunnel or an IP-encapsulated tunnel to a traditional DCC tunnel. Only tunnels in
the DISCOVERED status can be converted.
Caution: Converting from one tunnel type to the other is service-affecting.
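The throttling described for IP-encapsulated tunnels protects the management plane: an uncapped tunnel can consume the whole 192 Kbps SDCC and starve CTC. The following Python is an added example, not ONS 15454 code, showing what a cap expressed as a percentage of the SDCC bandwidth does to a burst of tunnel packets. The page gives only the channel bandwidth and the percentage-based cap; the token-bucket mechanism, the one-second burst allowance and the packet trace are assumptions made for this example.

```python
"""Throttling IP-encapsulated DCC tunnel traffic to a share of SDCC bandwidth.

Added illustration, not ONS 15454 code.  The page gives the channel
bandwidth (192 Kbps per SDCC or LDCC) and says tunnel traffic can be
throttled to a user-specified percentage of the SDCC bandwidth; the
token-bucket mechanism, the one-second burst allowance and the packet trace
below are assumptions made for this example.
"""

SDCC_BPS = 192_000                  # one Section DCC channel (page value)
LDCC_BPS = 192_000                  # one Line DCC channel (page value)
LDCC_AGGREGATE_BPS = 3 * LDCC_BPS   # 576 Kbps across DCC2, DCC3 and DCC4


def tunnel_rate_bps(percent):
    """Throttle rate for an IP-encapsulated tunnel as a percentage of the SDCC."""
    if not 0 < percent <= 100:
        raise ValueError("throttle percentage must be in (0, 100]")
    return SDCC_BPS * percent / 100


def management_headroom_bps(percent):
    """SDCC capacity left for CTC management traffic once the tunnel is capped.
    Without a cap the tunnel can consume the whole channel and degrade CTC."""
    return SDCC_BPS - tunnel_rate_bps(percent)


class TunnelThrottle:
    """Token bucket (assumed model): tokens are bits, refilled at the throttle
    rate; a packet is forwarded only if the bucket holds enough tokens."""

    def __init__(self, percent, burst_seconds=1.0):
        self.rate_bps = tunnel_rate_bps(percent)
        self.capacity = self.rate_bps * burst_seconds   # bits of credit
        self.tokens = self.capacity
        self.last_t = 0.0

    def admit(self, t, nbytes):
        """Return True if a packet of `nbytes` arriving at time `t` (seconds)
        is forwarded, False if the throttle drops it."""
        if t < self.last_t:
            raise ValueError("packet timestamps must be non-decreasing")
        self.tokens = min(self.capacity,
                          self.tokens + (t - self.last_t) * self.rate_bps)
        self.last_t = t
        bits = nbytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


# Constructed trace: a burst of eight 1000-byte packets at t=0, one more at t=1 s.
TRACE = [(0.0, 1000)] * 8 + [(1.0, 1000)]


def run_trace(percent, trace=TRACE):
    """Return (forwarded, dropped) packet counts under the given throttle."""
    throttle = TunnelThrottle(percent)
    forwarded = dropped = 0
    for t, nbytes in trace:
        if throttle.admit(t, nbytes):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped
```

At a 25 percent cap the tunnel gets 48 Kbps, so only six of the eight 1000-byte packets in the initial burst are forwarded and 144 Kbps of the SDCC stays available for CTC; at 100 percent every packet passes and nothing is reserved for management.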
12.6 SDH Tunneling
The Cisco ONS 15454 SONET MSPP provides a SDH traffic transport solution with scalable SONET,
data or DWDM multiservice capabilities. The SDH traffic is aggregated and transported across an ONS
15454 network, similar to the SONET TDM and data services. STM-1 to STM-64 payloads are
transported over SONET from any port on a Cisco ONS 15454 OC-N card provisioned to support SDH
signals. For more information on SDH tunneling, refer to the "SDH Tunneling Over Cisco ONS 15454
SONET MSPP Systems" Application Note.
12.7 Multiple Destinations for Unidirectional Circuits
Unidirectional circuits can have multiple destinations for use in broadcast circuit schemes. In broadcast
scenarios, one source transmits traffic to multiple destinations, but traffic is not returned to the source.
When you create a unidirectional circuit, the card that does not have its backplane receive (Rx) input
terminated with a valid input signal generates a loss of signal (LOS) alarm. To mask the alarm, create an
alarm profile suppressing the LOS alarm and apply the profile to the port that does not have its Rx input
terminated.
12.8 Monitor Circuits
Monitor circuits are secondary circuits that monitor traffic on primary bidirectional circuits. Figure 12-6
shows an example of a monitor circuit. At Node 1, a VT1.5 is dropped from Port 1 of an EC1-12 card.
To monitor the VT1.5 traffic, plug test equipment into Port 2 of the EC1-12 card and provision a monitor
circuit to Port 2. Circuit monitors are one-way. The monitor circuit in Figure 12-6 monitors VT1.5 traffic
received by Port 1 of the EC1-12 card.
Figure 12-6 VT1.5 Monitor Circuit Received at an EC1-12 Port
12.8.1 Monitor Circuits using portless ports as a source on DS3XM-12
When you create an STS bidirectional circuit between a source and a destination with the VT-MAPPED
option selected at the circuit source, using a DS3XM-12 card on the 15454 SONET platform, two
circuits are created:
1) src -> even portless port
2) odd portless port -> dest
Traffic flows from source to destination as follows:
src -> even port -> odd port -> dest
When you create a monitor circuit using the even portless port as the source, the circuit is created in
the following direction:
dest -> odd portless port -> even portless port -> dest monitored port
When you create a monitor circuit using the odd portless port as the source, the circuit is created in
the following direction:
src -> even portless port -> odd portless port -> dest monitored port
Note: Monitor circuits cannot be used with Ethernet circuits.
12.9 Path Protection Circuits
Use the Edit Circuits window to change path protection selectors and switch protection paths
(Figure 12-7). In the Path Protection Selectors subtab in the Edit Circuits window, you can:
• View the path protection circuit’s working and protection paths.
• Edit the reversion time.
• Set the hold-off timer.
• Edit the Signal Fail/Signal Degrade thresholds.
• Change payload defect indication path (PDI-P) settings.
[Figure 12-6 detail: ONS 15454 Node 1 (EC1-12 card, XC, OC-N card) connected to ONS 15454 Node 2 (OC-N card, XC, DS1-14 card). The VT1.5 drop enters Port 1 of the EC1-12 card from a Class 5 switch; the VT1.5 monitor circuit leaves Port 2 of the EC1-12 card to a test set.]
Note: The XC-VXC-10G cross-connect card supports VT switching based on SF and SD bit error rate (BER)
thresholds. The XC10G and XCVT cross-connect cards do not support VT switching based on SF and
SD BER thresholds, and hence, in the Path Protection Selectors tab, the SF BER Level and SD BER
Level columns display “N/A” for these cards.
In the Path Protection Switch Counts subtab, you can:
• Perform maintenance switches on the circuit selector.
• View switch counts for the selectors.
Figure 12-7 Editing Path Protection Selectors
12.9.1 Open-Ended Path Protection Circuits
If ONS 15454s are connected to a third-party network, you can create an open-ended path protection
circuit to route a circuit through it. To do this, you create four circuits. One circuit is created on the
source ONS 15454 network. This circuit has one source and two destinations, each destination
provisioned to the ONS 15454 interface that is connected to the third-party network. The second and
third circuits are created on the third-party network so that the circuit travels across the network on two
diverse paths to the far end ONS 15454. At the destination node, the fourth circuit is created with two
sources, one at each node interface connected to the third-party network. A selector at the destination
node chooses between the two signals that arrive at the node, similar to a regular path protection circuit.
12.9.2 Go-and-Return Path Protection Routing
The go-and-return path protection routing option allows you to route the path protection working path
on one fiber pair and the protect path on a separate fiber pair (Figure 12-8). The working path is always
the shortest path. Because the two paths use separate fiber pairs, a single fault does not affect both the
working and protect fibers. This feature only applies to bidirectional path protection circuits. The
go-and-return option appears in the Circuit Attributes panel of the Circuit Creation wizard.
Figure 12-8 Path Protection Go-and-Return Routing
12.10 BLSR Protection Channel Access Circuits
You can provision circuits to carry traffic on BLSR protection channels when conditions are fault-free.
Traffic routed on BLSR PCA circuits, called extra traffic, has lower priority than the traffic on the
working channels and has no means for protection. During ring or span switches, PCA circuits are
preempted and squelched. For example, in a two-fiber OC-48 BLSR, STSs 25 to 48 can carry extra traffic
when no ring switches are active, but PCA circuits on these STSs are preempted when a ring switch
occurs. When the conditions that caused the ring switch are remedied and the ring switch is removed,
PCA circuits are restored. If the BLSR is provisioned as revertive, this occurs automatically after the
fault conditions are cleared and the reversion timer has expired.
Traffic provisioning on BLSR protection channels is performed during circuit provisioning. The
Protection Channel Access check box appears whenever Fully Protected Path is unchecked in the circuit
creation wizard. Refer to the Cisco ONS 15454 Procedure Guide for more information. When
provisioning PCA circuits, two considerations are important to keep in mind:
[Figure 12-8 detail: Node A and Node B connected through any network, with a Go and Return working connection and a Go and Return protecting connection on separate paths.]
• If BLSRs are provisioned as nonrevertive, PCA circuits are not restored automatically after a ring
or span switch. You must switch the BLSR manually.
• PCA circuits are routed on working channels when you upgrade a BLSR from a two-fiber to a
four-fiber or from one optical speed to a higher optical speed. For example, if you upgrade a
two-fiber OC-48 BLSR to an OC-192, STSs 25 to 48 on the OC-48 BLSR become working channels
on the OC-192 BLSR.
12.11 BLSR STS and VT Squelch Tables
ONS 15454 nodes display STS and VT squelch tables depending on the type of circuits created. For
example, if a fiber cut occurs, the BLSR squelch tables show STSs or VTs that will be squelched for
every isolated node. Squelching replaces traffic by inserting the appropriate alarm indication signal path
(AIS-P) and prevents traffic misconnections. For an STS with a VT-access check mark, the AIS-P will
be removed after 100 ms. To view the squelch tables, refer to the “Manage Circuits” chapter in the
Cisco ONS 15454 Procedure Guide for detailed instructions. For more information about BLSR
squelching, refer to Telcordia GR-1230.
12.11.1 BLSR STS Squelch Table
BLSR STS squelch tables show STSs that will be squelched for every isolated node.
The BLSR Squelch Table window displays the following information:
• STS Number—Shows the BLSR STS numbers. For two-fiber BLSRs, the number of STSs is half
the BLSR OC-N, for example, an OC-48 BLSR squelch table will show 24 STSs. For four-fiber
BLSRs, the number of STSs in the table is the same as the BLSR OC-N.
• West Source—If traffic is received by the node on its west span, the BLSR node ID of the source
appears. (To view the BLSR node IDs for all nodes in the ring, click the Ring Map button.)
• West VT (from the West Source)—A check mark indicates that the STS carries incoming VT
traffic. The traffic source is coming from the west side.
• West VT (from the West Destination)—A check mark indicates that the STS carries outgoing VT
traffic. The traffic is dropped on the west side.
• West Dest—If traffic is sent on the node’s west span, the BLSR node ID of the destination appears.
• East Source—If traffic is received by the node on its east span, the BLSR node ID of the source
appears.
• East VT (from the East Source)—A check mark indicates that the STS carries incoming VT
traffic. The traffic source is coming from the east side.
• East VT (from the East Destination)—A check mark indicates that the STS carries outgoing VT
traffic. The traffic is dropped on the east side.
• East Dest—If traffic is sent on the node’s east span, the BLSR node ID of the destination appears.
Note BLSR squelching is performed on STSs that carry STS circuits only. Squelch table entries will not
appear for STSs carrying VT circuits or Ethernet circuits to or from E-Series Ethernet cards provisioned
in a multicard Ethergroup.
12.11.2 BLSR VT Squelch Table
BLSR VT squelch tables only appear on the node dropping VTs from a BLSR and are used to perform
VT-level squelching when a node is isolated. VT squelching is supported on the ONS 15454 and the
ONS 15327 platforms. The ONS 15600 platform does not support VT squelching; however, when an
ONS 15454 and an ONS 15600 are in the same network, the ONS 15600 node allows the ONS 15454
node to carry VT circuits in a VT tunnel. The ONS 15600 performs 100-ms STS-level squelching for
each VT-access STS at the switching node in case of a node failure.
When using a VT circuit on a VT tunnel (VTT), the VTT allows multiple VT circuits to be passed
through on a single STS without consuming VT matrix resources on the cross-connect card. Both
endpoints of the VTT are the source and destination nodes for the VTT. The node carrying VT circuits
through a VTT is called a VT-access node. In case of a source and destination node failure of the VTT,
the switching node performs 100-ms STS-level squelching for the VTT STS. The node dropping VT
traffic performs VT-level squelching. VT traffic on the VTT that is not coming from the failed node is
protected.
When using a VT circuit on a VT aggregation point (VAP), the VAP allows multiple VT circuits to be
aggregated into a single STS without consuming VT matrix resources on the cross-connect card. The
source for each VAP STS timeslot is the STS-grooming end where VT1.5 circuits are aggregated into a
single STS. The destination for each VAP STS is the VT-grooming end where VT1.5 circuits originated.
The source node for each VT circuit on a VAP is the STS-grooming end where the VT1.5 circuits are
aggregated into a single STS. The STS grooming node is not a VT-access node. The non-VT-access node
performs STS-level squelching for each STS timeslot at the switching node in case the VT-grooming
node fails. The node dropping VT traffic performs VT-level squelching for each VT timeslot in case the
STS-grooming end node fails. No VT traffic on the VAP is protected during a failure of the
STS-grooming node or the VT-grooming node.
To view the VT squelch table, double-click the VT with a check mark in the BLSR STS squelch table
window. The check mark appears on every VT-access STS; however, the VT-squelch table appears only
by double-clicking the check mark on the node dropping the VT. The intermediate node of the VT does
not maintain the VT-squelch table.
The VT squelch table provides the following information:
• VT Number—Shows the BLSR VT numbers. The VT number includes VT group number and VT
number in group (VT group 2 and channel 1 are displayed as 2-1.)
• West Source—If traffic is received by the node on its west span, the BLSR node ID of the source
appears. (To view the BLSR node IDs for all nodes in the ring, click the Ring Map button.)
• East Source—If traffic is received by the node on its east span, the BLSR node ID of the source
appears.
12.12 IEEE 802.17 Resilient Packet Ring Circuit Display
Resilient Packet Ring (RPR), as described in IEEE 802.17, is a metropolitan area network (MAN)
technology supporting data transfer among stations interconnected in a dual-ring configuration. The
IEEE 802.17b spatially-aware sublayer amendment is not yet ratified but is expected to add support for
bridging to IEEE 802.17. Since the amendment is not yet ratified, no equipment is currently
IEEE 802.17b compliant. The RPR-IEEE for ONS 15454 ML-Series cards is based on the expected
IEEE 802.17b-based standard.
CTC provides a graphical representation (map) of IEEE 802.17 RPR circuits between ML-Series cards
with a list of the following information:
• Circuit name
• Type
• Size
• OCHNC Wlen
• Direction
• Protection
• Status
• Source
• Destination
• # of VLANs
• # of Spans
• State
• Loopback
Note CTC does not support the display of Cisco proprietary RPR circuit topologies.
Note CTC does not support provisioning or maintenance of IEEE RPR rings. You must use Cisco IOS.
For more information about IEEE 802.17 RPR, refer to the Cisco ONS 15454 and
Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.
12.13 Section and Path Trace
SONET J0 section and J1 and J2 path trace are repeated, fixed-length strings composed of 16 or 64
consecutive bytes. You can use the strings to monitor interruptions or changes to circuit traffic.
The OC192-XFP and MRC-12 cards support J0 section trace. Table 12-9 shows the ONS 15454 cards
that support J1 path trace. DS-1 and DS-3 cards can transmit and receive the J1 field, while the EC-1,
OC-3, OC-48 AS, and OC-192 can only receive the J1 bytes. Cards that are not listed in the table do not
support the J1 byte. The DS3XM-12 card supports J2 path trace for VT circuits.
If the string received at a circuit drop port does not match the string the port expects to receive, an alarm
is raised. Two path trace modes are available:
• Automatic—The receiving port assumes that the first string it receives is the baseline string.
• Manual—The receiving port uses a string that you manually enter as the baseline string.
Table 12-9 ONS 15454 Cards Capable of J1 Path Trace
J1 Function           Cards
Transmit and Receive  CE-Series, DS1-14 (1), DS1N-14, DS1/EC1-56, DS3-12E, DS3i-N-12, DS3/EC1-48, DS3N-12E, DS3XM-6, DS3XM-12, FC_MR-4, G-Series, ML-Series
Receive Only          EC1-12, OC3 IR 4/STM1 SH 1310, OC3 IR 4/STM1 SH 1310-8, OC12/STM4-4, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC192 SR/STM64 IO 1310, OC192 LR/STM64 LH 1550, OC192 IR/STM SH 1550, OC192-XFP
1. J1 path trace is not supported for DS-1s used in VT circuits.
12.14 Path Signal Label, C2 Byte
One of the overhead bytes in the SONET frame is the C2 byte. The SONET standard defines the C2 byte
as the path signal label. The purpose of this byte is to communicate the payload type being encapsulated
by the STS path overhead (POH). The C2 byte functions similarly to EtherType and Logical Link Control
(LLC)/Subnetwork Access Protocol (SNAP) header fields on an Ethernet network; it allows a single
interface to transport multiple payload types simultaneously. C2 byte hex values are provided in
Table 12-10.
If a circuit is provisioned using a terminating card, the terminating card provides the C2 byte. A VT
circuit is terminated at the XCVT, XC10G, or XC-VXC-10G card, which generates the C2 byte (0x02)
downstream to the STS terminating cards. The XCVT, XC10G, or XC-VXC-10G card generates the C2
value (0x02) to the DS1 or DS3XM terminating card. If an optical circuit is created with no terminating
cards, the test equipment must supply the path overhead in terminating mode. If the test equipment is in
pass-through mode, the C2 values usually change rapidly between 0x00 and 0xFF. Adding a terminating
card to an optical circuit usually fixes a circuit having C2 byte problems. Table 12-11 lists label
assignments for signals with payload defects.
Table 12-10 STS Path Signal Label Assignments for Signals
Hex Code Content of the STS Synchronous Payload Envelope (SPE)
0x00 Unequipped
0x01 Equipped - nonspecific payload
0x02 VT structured STS-1 (DS-1)
0x03 Locked VT mode
0x04 Asynchronous mapping for DS-3
0x12 Asynchronous mapping for DS4NA
0x13 Mapping for Asynchronous Transfer Mode (ATM)
0x14 Mapping for distributed queue dual bus (DQDB)
0x15 Asynchronous mapping for fiber distributed data interface (FDDI)
0x16 High-level data link control (HDLC) over SONET mapping
0x1B Generic Frame Procedure (GFP) used by the FC_MR-4 and ML-Series cards
0xFD Reserved
0xFE O.181 test signal (TSS1 to TSS3) mapping, SDH network
0xFF Alarm indication signal, path (AIS-P)
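Table 12-10 and Table 12-11 applied as a decoder: this is an added example, not Cisco code. It maps a received C2 value to the payload description from the two tables (the 0xE1 to 0xFB range is decoded arithmetically as the count of VTx payload defects) and classifies what a drop port sees against the label it expects, which is how the C2 problems described above (wrong label, or a label that keeps changing in pass-through mode) show up. The sample byte windows are constructed, and the stability rule (every sample in the window carries the same label) is an assumption.

```python
"""C2 path signal label decoder built from Table 12-10 and Table 12-11.

Added example, not Cisco code. Sample inputs are constructed."""
from collections import Counter

# Table 12-10: labels for signals without payload defects.
C2_LABELS = {
    0x00: "Unequipped",
    0x01: "Equipped - nonspecific payload",
    0x02: "VT structured STS-1 (DS-1)",
    0x03: "Locked VT mode",
    0x04: "Asynchronous mapping for DS-3",
    0x12: "Asynchronous mapping for DS4NA",
    0x13: "Mapping for ATM",
    0x14: "Mapping for DQDB",
    0x15: "Asynchronous mapping for FDDI",
    0x16: "HDLC over SONET mapping",
    0x1B: "GFP (FC_MR-4 and ML-Series cards)",
    0xFD: "Reserved",
    0xFE: "O.181 test signal (TSS1 to TSS3) mapping, SDH network",
    0xFF: "Alarm indication signal, path (AIS-P)",  # Table 12-11 lists 0xFF as Reserved
}


def decode_c2(c2: int) -> str:
    """Return the SPE content description for one C2 byte value."""
    if not 0 <= c2 <= 0xFF:
        raise ValueError("C2 is a single byte")
    if c2 in C2_LABELS:
        return C2_LABELS[c2]
    # Table 12-11: 0xE1..0xFB encode a VT-structured STS-1 with (c2 - 0xE0)
    # VTx payload defects, so 0xE1 is 1 PD and 0xFB is 27 PDs.
    if 0xE1 <= c2 <= 0xFB:
        return f"STS-1 with {c2 - 0xE0} VTx PDs"
    if c2 == 0xFC:
        return ("VT-structured STS-1 SPE with 28 VT1.5 payload defects, or a "
                "non-VT-structured STS-1 or STS-Nc SPE with a payload defect")
    return "Undefined"


def payload_defects(c2: int) -> int:
    """Number of VTx payload defects signalled by a Table 12-11 label (0 otherwise)."""
    if 0xE1 <= c2 <= 0xFB:
        return c2 - 0xE0
    return 28 if c2 == 0xFC else 0


def check_drop_port(expected: int, samples: list) -> dict:
    """Classify a window of C2 bytes observed at a circuit drop port.

    expected: the label the port should receive, e.g. 0x02 for a VT circuit
    terminated on an XCVT, XC10G, or XC-VXC-10G card (see the text above).
    Assumption for this example: a port is 'stable' when every sample in the
    window carries the same label. A window that keeps changing is the
    pass-through-mode symptom described above (no terminating card is
    supplying the path overhead), so the advice is to add a terminating card.
    """
    if not samples:
        raise ValueError("need at least one C2 sample")
    seen = Counter(samples)
    if len(seen) > 1:
        status, advice = "unstable", "no terminating card is supplying POH; add one"
    elif samples[0] == expected:
        status, advice = "ok", None
    else:
        status, advice = "mismatch", "received label differs from the expected label"
    return {
        "status": status,
        "expected": decode_c2(expected),
        "received": {hex(v): decode_c2(v) for v in seen},
        "advice": advice,
    }
```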
Table 12-11 STS Path Signal Label Assignments for Signals with Payload Defects
Hex Code Content of the STS SPE
0xE1 VT-structured STS-1 SPE with 1 VTx payload defect (STS-1 with 1 VTx PD)
0xE2 STS-1 with 2 VTx PDs
0xE3 STS-1 with 3 VTx PDs
0xE4 STS-1 with 4 VTx PDs
0xE5 STS-1 with 5 VTx PDs
0xE6 STS-1 with 6 VTx PDs
0xE7 STS-1 with 7 VTx PDs
0xE8 STS-1 with 8 VTx PDs
0xE9 STS-1 with 9 VTx PDs
0xEA STS-1 with 10 VTx PDs
0xEB STS-1 with 11 VTx PDs
0xEC STS-1 with 12 VTx PDs
0xED STS-1 with 13 VTx PDs
0xEE STS-1 with 14 VTx PDs
0xEF STS-1 with 15 VTx PDs
0xF0 STS-1 with 16 VTx PDs
0xF1 STS-1 with 17 VTx PDs
0xF2 STS-1 with 18 VTx PDs
0xF3 STS-1 with 19 VTx PDs
0xF4 STS-1 with 20 VTx PDs
0xF5 STS-1 with 21 VTx PDs
0xF6 STS-1 with 22 VTx PDs
0xF7 STS-1 with 23 VTx PDs
0xF8 STS-1 with 24 VTx PDs
0xF9 STS-1 with 25 VTx PDs
0xFA STS-1 with 26 VTx PDs
0xFB STS-1 with 27 VTx PDs
0xFC VT-structured STS-1 SPE with 28 VT1.5 payload defects, or a non-VT-structured STS-1 or STS-Nc SPE with a payload defect
0xFF Reserved
12.15 Automatic Circuit Routing
If you select automatic routing during circuit creation, CTC routes the circuit by dividing the entire
circuit route into segments based on protection domains. For unprotected segments of circuits
provisioned as fully protected, CTC finds an alternate route to protect the segment, creating a virtual path
protection configuration. Each segment of a circuit path is a separate protection domain. Each protection
domain is protected in a specific protection scheme including card protection (1+1, 1:1, etc.) or SONET
topology (path protection, BLSR, etc.).
The following list provides principles and characteristics of automatic circuit routing:
• Circuit routing tries to use the shortest path within the user-specified or network-specified
constraints. VT tunnels are preferable for VT circuits because VT tunnels are considered shortcuts
when CTC calculates a circuit path in path-protected mesh networks.
• If you do not choose Fully Path Protected during circuit creation, circuits can still contain protected
segments. Because circuit routing always selects the shortest path, one or more links and/or
segments can have some protection. CTC does not look at link protection while computing a path
for unprotected circuits.
• Circuit routing does not use links that are down. If you want all links to be considered for routing,
do not create circuits when a link is down.
• Circuit routing computes the shortest path when you add a new drop to an existing circuit. It tries to
find the shortest path from the new drop to any nodes on the existing circuit.
• If the network has a mixture of VT-capable nodes and VT-incapable nodes, CTC can automatically
create a VT tunnel. Otherwise, CTC asks you whether a VT tunnel is needed.
• To create protected circuits between topologies, install an XCVT, XC10G, or XC-VXC-10G
cross-connect card on the shared node.
• For STS circuits, you can use portless transmux interfaces if a DS3XM-12 card is installed in the
network. CTC automatically routes the circuit over the portless transmux interfaces on the specified
node creating an end-to-end STS circuit.
Note Automatic routing and its associated subfields are not available if both the Automatic Circuit Routing
NE default and the Network Circuit Automatic Routing Overridable NE default are set to FALSE. For a
full description of these defaults see Appendix C, “Network Element Defaults.”
12.15.1 Bandwidth Allocation and Routing
Within a given network, CTC routes circuits on the shortest possible path between source and destination
based on the circuit attributes, such as protection and type. CTC considers using a link for the circuit
only if the link meets the following requirements:
• The link has sufficient bandwidth to support the circuit.
• The link does not change the protection characteristics of the path.
• The link has the required time slots to enforce the same time slot restrictions for BLSRs.
If CTC cannot find a link that meets these requirements, an error appears.
The same logic applies to VT circuits on VT tunnels. Circuit routing typically favors VT tunnels because
VT tunnels are shortcuts between a given source and destination. If the VT tunnel in the route is full (no
more bandwidth), CTC asks whether you want to create an additional VT tunnel.
12.15.2 Secondary Sources and Destinations
CTC supports secondary circuit sources and destinations (drops). Secondary sources and destinations
typically interconnect two third-party networks, as shown in Figure 12-9. Traffic is protected while it
goes through a network of ONS 15454s.
Figure 12-9 Secondary Sources and Destinations
Several rules apply to secondary sources and destinations:
• CTC does not allow a secondary destination for unidirectional circuits because you can always
specify additional destinations after you create the circuit.
• The sources and destinations cannot be DS-3, DS3XM, or DS-1-based STS-1s or VT1.5s.
• Secondary sources and destinations are permitted only for regular STS/VT1.5 connections (not for
VT tunnels and multicard EtherSwitch circuits).
• For point-to-point (straight) Ethernet circuits, only SONET STS endpoints can be specified as
multiple sources or destinations.
For bidirectional circuits, CTC creates a path protection connection at the source node that allows traffic
to be selected from one of the two sources on the ONS 15454 network. If you check the Fully Path
Protected option during circuit creation, traffic is protected within the ONS 15454 network. At the
destination, another path protection connection is created to bridge traffic from the ONS 15454 network
to the two destinations. A similar but opposite path exists for the reverse traffic flowing from the
destinations to the sources.
For unidirectional circuits, a path protection drop-and-continue connection is created at the source node.
12.16 Manual Circuit Routing
Routing circuits manually allows you to:
• Choose a specific path, not necessarily the shortest path.
• Choose a specific STS/VT1.5 on each link along the route.
• Create a shared packet ring for multicard EtherSwitch circuits.
• Choose a protected path for multicard EtherSwitch circuits, allowing virtual path protection
segments.
CTC imposes the following rules on manual routes:
• All circuits, except multicard EtherSwitch circuits in a shared packet ring, should have links with a
direction that flows from source to destination. This is true for multicard EtherSwitch circuits that
are not in a shared packet ring.
• If you enabled Fully Path Protected, choose a diverse protect (alternate) path for every unprotected
segment (Figure 12-10).
Figure 12-10 Alternate Paths for Virtual Path Protection Segments
• For multicard EtherSwitch circuits, the Fully Path Protected option is ignored.
• For a node that has a path protection selector based on the links chosen, the input links to the path
protection selectors cannot be 1+1 or BLSR protected (Figure 12-11). The same rule applies at the
path protection bridge.
Figure 12-11 Mixing 1+1 or BLSR Protected Links With a Path Protection Configuration
• In a shared packet ring, choose the links of multicard EtherSwitch circuits to route from source to
destination back to source (Figure 12-12). Otherwise, a route (set of links) chosen with loops is
invalid.
(Figure 12-10 shows a source and a drop connected through Path Segment 1, path/mesh protected, which needs an alternate path from N1 to N2; Path Segment 2, 1+1 protected; Path Segment 3, BLSR protected; and Path Segment 4, 1+1 protected, which needs no alternate path.)
(Figure 12-11 shows three four-node configurations of unprotected, 1+1 protected, and BLSR ring links between Node 1 (source) and the destination node; the first two are marked Illegal and the third Legal.)
Figure 12-12 Ethernet Shared Packet Ring Routing
• Multicard EtherSwitch circuits can have virtual path protection segments if the source or destination
is not in the path protection domain. This restriction also applies after circuit creation; therefore, if
you create a circuit with path protection segments, Ethernet destinations cannot exist anywhere on
the path protection segment (Figure 12-13).
Figure 12-13 Ethernet and Path Protection
• A VT tunnel cannot be the endpoint of a path protection segment. A path protection segment
endpoint is where the path protection selector resides.
If you provision full path protection, CTC verifies that the route selection is protected at all segments.
A route can have multiple protection domains with each domain protected by a different scheme.
Table 12-12 through Table 12-15 on page 12-32 summarize the available node connections. Any other
combination is invalid and generates an error.
Table 12-12 Bidirectional STS/VT/Regular Multicard EtherSwitch/Point-to-Point (Straight) Ethernet Circuits
Connection Type          Number of Inbound Links  Number of Outbound Links  Number of Sources     Number of Destinations
Path protection          —                        2                         1                     —
Path protection          2                        —                         —                     1
Path protection          2                        1                         —                     —
Path protection          1                        2                         —                     —
Path protection          1                        —                         —                     2
Path protection          —                        1                         2                     —
Double path protection   2                        2                         —                     —
Double path protection   2                        —                         —                     2
Double path protection   —                        2                         2                     —
Two way                  1                        1                         —                     —
Ethernet                 0 or 1                   0 or 1                    Ethernet node source  —
Ethernet                 0 or 1                   0 or 1                    —                     Ethernet node drop
Table 12-13 Unidirectional STS/VT Circuit
Connection Type                     Number of Inbound Links  Number of Outbound Links  Number of Sources  Number of Destinations
One way                             1                        1                         —                  —
Path protection head end            1                        2                         —                  —
Path protection head end            —                        2                         1                  —
Path protection drop and continue   2                        —                         —                  1+
Table 12-14 Multicard Group Ethernet Shared Packet Ring Circuit
Connection Type          Number of Inbound Links  Number of Outbound Links  Number of Sources  Number of Destinations
At Intermediate Nodes Only
Double path protection   2                        2                         —                  —
Two way                  1                        1                         —                  —
At Source or Destination Nodes Only
Ethernet                 1                        1                         —                  —
Table 12-15 Bidirectional VT Tunnels
Connection Type          Number of Inbound Links  Number of Outbound Links  Number of Sources  Number of Destinations
At Intermediate Nodes Only
Path protection          2                        1                         —                  —
Path protection          1                        2                         —                  —
Double path protection   2                        2                         —                  —
Two way                  1                        1                         —                  —
At Source Nodes Only
VT tunnel endpoint       —                        1                         —                  —
At Destination Nodes Only
VT tunnel endpoint       1                        —                         —                  —
Although virtual path protection segments are possible in VT tunnels, VT tunnels are still considered
unprotected. If you need to protect VT circuits, use two independent VT tunnels that are diversely routed
or use a VT tunnel that is routed over 1+1, BLSR, or a mixture of 1+1 and BLSR links.
12.17 Constraint-Based Circuit Routing
When you create circuits, you can choose Fully Protected Path to protect the circuit from source to
destination. The protection mechanism used depends on the path that CTC calculates for the circuit. If
the network is composed entirely of BLSR or 1+1 links, or the path between source and destination can
be entirely protected using 1+1 or BLSR links, no path-protected mesh network (PPMN) protection
(virtual path protection) is used.
If PPMN protection is needed to protect the path, set the level of node diversity for the PPMN portions
of the complete path in the Circuit Routing Preferences area of the Circuit Creation dialog box:
• Nodal Diversity Required—Ensures that the primary and alternate paths of each PPMN domain in
the complete path have a diverse set of nodes.
• Nodal Diversity Desired—CTC looks for a node diverse path; if a node-diverse path is not available,
CTC finds a link-diverse path for each PPMN domain in the complete path.
• Link Diversity Only—Creates only a link-diverse path for each PPMN domain.
When you choose automatic circuit routing during circuit creation, you have the option to require or
exclude nodes and links in the calculated route. You can use this option to achieve the following results:
• Simplify manual routing, especially if the network is large and selecting every span is tedious. You
can select a general route from source to destination and allow CTC to fill in the route details.
• Balance network traffic. By default, CTC chooses the shortest path, which can load traffic on certain
links while other links have most of their bandwidth available. By selecting a required node and/or
a link, you force CTC to use (or not use) an element, resulting in more efficient use of network
resources.
CTC considers required nodes and links to be an ordered set of elements. CTC treats the source nodes
of every required link as required nodes. When CTC calculates the path, it makes sure that the computed
path traverses the required set of nodes and links and does not traverse excluded nodes and links.
The required nodes and links constraint is only used during the primary path computation and only for
PPMN domains/segments. The alternate path is computed normally; CTC uses excluded nodes/links
when finding all primary and alternate paths on PPMNs.
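The link-eligibility rules of Section 12.15.1 and the required/excluded constraints of Section 12.17, worked through as an added example (not CTC code): a link is considered only if it is up and has bandwidth for the circuit, required nodes and links form an ordered set the path must traverse (the source node of a required link counts as a required node), and excluded nodes and links are never used. The Link and route names, the hop-count metric for "shortest path", and the sample five-node topology are assumptions made for illustration.

```python
"""Constraint-based circuit routing after Sections 12.15.1 and 12.17.

Added example, not CTC code. Hop count as the 'shortest path' metric and
the sample topology are assumptions."""
from collections import deque


class Link:
    def __init__(self, a, b, free_sts, up=True):
        self.a, self.b, self.free_sts, self.up = a, b, free_sts, up

    def key(self):
        return frozenset((self.a, self.b))


class RoutingError(Exception):
    """CTC shows an error when no link meets the requirements."""


def eligible(link, size_sts, ex_links):
    # 12.15.1: enough bandwidth; 12.15: links that are down are not used;
    # 12.17: excluded links are never traversed.
    return link.up and link.free_sts >= size_sts and link.key() not in ex_links


def shortest_segment(links, src, dst, size_sts, ex_nodes, ex_links):
    """Breadth-first search (fewest hops) from src to dst over eligible links."""
    adj = {}
    for lk in links:
        if eligible(lk, size_sts, ex_links):
            adj.setdefault(lk.a, []).append(lk.b)
            adj.setdefault(lk.b, []).append(lk.a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in adj.get(u, []):
            if v in prev or v in ex_nodes:   # excluded nodes are never entered
                continue
            prev[v] = u
            queue.append(v)
    if dst not in prev:
        raise RoutingError(f"no eligible path from {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def route(links, src, dst, size_sts, required=(), excluded_nodes=(), excluded_links=()):
    """required: ordered node names and/or (a, b) link tuples.

    12.17: the source node of every required link is itself a required node,
    so a required link expands to the waypoints a then b with the link forced.
    """
    ex_nodes = set(excluded_nodes)
    ex_links = {frozenset(lk) for lk in excluded_links}
    waypoints, forced = [src], set()
    for r in required:
        if isinstance(r, tuple):
            a, b = r
            if waypoints[-1] != a:
                waypoints.append(a)
            waypoints.append(b)
            forced.add((a, b))
        elif waypoints[-1] != r:
            waypoints.append(r)
    if waypoints[-1] != dst:
        waypoints.append(dst)
    path = [src]
    for a, b in zip(waypoints, waypoints[1:]):
        if (a, b) in forced:
            link = next((lk for lk in links if lk.key() == frozenset((a, b))), None)
            if link is None or not eligible(link, size_sts, ex_links):
                raise RoutingError(f"required link {a}-{b} is not eligible")
            seg = [a, b]
        else:
            seg = shortest_segment(links, a, b, size_sts, ex_nodes, ex_links)
        path.extend(seg[1:])
    return path


# Constructed sample: a four-node ring with 48 free STSs per span plus a
# lower-capacity N1-N5-N4 detour with 12 free STSs on each span.
SAMPLE_LINKS = [
    Link("N1", "N2", 48), Link("N2", "N3", 48), Link("N3", "N4", 48),
    Link("N4", "N1", 48), Link("N1", "N5", 12), Link("N5", "N4", 12),
]
```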
12.18 Virtual Concatenated Circuits
Virtual concatenated (VCAT) circuits, also called VCAT groups (VCGs), transport traffic using
noncontiguous TDM time slots, avoiding the bandwidth fragmentation problem that exists with
contiguous concatenated (CCAT) circuits. The cards that support VCAT circuits are the CE-Series,
FC_MR-4 (both line rate and enhanced mode), and ML-Series cards.
In a VCAT circuit, circuit bandwidth is divided into smaller circuits called VCAT members. The
individual members act as independent TDM circuits. All VCAT members should be the same size and
must originate and terminate at the same end points. For two-fiber BLSR configurations, some members
can be routed on protected time slots and others on PCA time slots.
To enable end-to-end connectivity in a VCAT circuit that traverses through a third-party network, you
can use Open-Ended VCAT circuit creation, or you can create a server trail between the ports. For more
details, refer to the “Create Circuits and VT Tunnels” chapter in the Cisco ONS 15454 Procedure Guide.
12.18.1 VCAT Circuit States
The state of a VCAT circuit is an aggregate of its member circuits. You can view whether a VCAT
member is In Group or Out of Group in the VCAT State column in the Edit Circuits window.
• If all member circuits are in the IS state, the VCAT circuit state is IS.
• If all In Group member circuits are in the OOS state, the VCAT circuit state is OOS.
• If no member circuits exist or if all member circuits are Out of Group, the VCAT circuit state is
OOS.
• A VCAT circuit is in OOS-PARTIAL state when In Group member states are mixed and not all are
in the IS state.
12.18.2 VCAT Member Routing
The automatic and manual routing selection applies to the entire VCAT circuit, that is, all members are
manually or automatically routed. Bidirectional VCAT circuits are symmetric, which means that the
same number of members travel in each direction. With automatic routing, you can specify the
constraints for individual members; with manual routing, you can select different spans for different
members.
Two types of automatic and manual routing are available for VCAT members: common fiber routing and
split routing. CE-Series, FC_MR-4 (both line rate and enhanced mode), and ML-Series cards support
common fiber routing. In common fiber routing, all VCAT members travel on the same fibers, which
eliminates delay between members. Three protection options are available for common fiber routing:
Fully Protected, PCA, and Unprotected. Figure 12-14 shows an example of common fiber routing.
Figure 12-14 VCAT Common Fiber Routing
CE-Series cards also support split fiber routing, which allows the individual members to be routed on
different fibers or each member to have different routing constraints. This mode offers the greatest
bandwidth efficiency and also the possibility of differential delay, which is handled by the buffers on the
terminating cards. Four protection options are available for split fiber routing: Fully Protected, PCA,
Unprotected, and DRI. Figure 12-15 shows an example of split fiber routing.
Figure 12-15 VCAT Split Fiber Routing
In both common fiber and split fiber routing, each member can use a different protection scheme;
however, for common fiber routing, CTC checks the combination to make sure that a valid route exists.
If it does not, the user must modify the protection type. In both common fiber and split fiber routing,
intermediate nodes treat the VCAT members as normal circuits that are independently routed and
protected by the SONET network. At the terminating nodes, these member circuits are multiplexed into
a contiguous stream of data.
The switch time for split fiber routing depends on the type of circuits traversing the path.
• CCAT circuits will carry traffic after the SONET defects are cleared.
• VCAT circuits will carry traffic after the SONET defects are cleared and VCAT framers are in frame
for ALL the time slots that are part of the group. Hence the switchover takes extra time.
• LCAS circuits carry traffic after the SONET defects are cleared, and the VCAT framers are in frame
for any time slots that are part of the group, and the LCAS protocol has fed back MST=OK
(MST=Member Status) to the far end so the far end can enable the time slot to carry traffic.
Note The switch time values shown in Table 12-16 do not include differential delay. The maximum
differential delay for the CE-100T-8 is 48 ms. This differential delay is added to the switch time to
get the maximum time.
12.18.3 Link Capacity Adjustment
The CE-100T-8 card supports the link capacity adjustment scheme (LCAS), which is a signaling
protocol that allows dynamic bandwidth adjustment of VCAT circuits. When a member fails, a brief
traffic hit occurs. LCAS temporarily removes the failed member from the VCAT circuit for the duration
of the failure, leaving the remaining members to carry the traffic. When the failure clears, the member
circuit is automatically added back into the VCAT circuit without affecting traffic. You can select LCAS
during VCAT circuit creation.
Note Although LCAS operations are errorless, a SONET error can affect one or more VCAT members. If this
occurs, the VCAT Group Degraded (VCG-DEG) alarm is raised. For information on clearing this alarm,
refer to the Cisco ONS 15454 Troubleshooting Guide.
Instead of LCAS, the FC_MR-4 (enhanced mode), CE-1000-4 card, CE-MR-10, and ML-Series cards
support software LCAS (SW-LCAS). SW-LCAS is a limited form of LCAS that allows the VCAT circuit
to adapt to member failures and keep traffic flowing at a reduced bandwidth. SW-LCAS uses legacy
SONET failure indicators like AIS-P and remote defect indication, path (RDI-P) to detect member
failure. SW-LCAS removes the failed member from the VCAT circuit, leaving the remaining members
to carry the traffic. When the failure clears, the member circuit is automatically added back into the
VCAT circuit. For ML-Series cards, SW-LCAS allows circuit pairing over two-fiber BLSRs. With circuit
pairing, a VCAT circuit is set up between two ML-Series cards: one is a protected circuit (line
protection) and the other is a PCA circuit. For four-fiber BLSRs, member protection cannot be mixed.
You select SW-LCAS during VCAT circuit creation. The FC_MR-4 (line rate mode) does not support
SW-LCAS.
In addition, you can create non-LCAS VCAT circuits, which do not use LCAS or SW-LCAS. While
LCAS and SW-LCAS member cross-connects can be in different service states, all In Group non-LCAS
members must have cross-connects in the same service state. A non-LCAS circuit can mix Out of Group
and In Group members, as long as the In Group members are in the same service state. Non-LCAS
members do not support the OOS-MA,OOG service state; to put a non-LCAS member in the Out
of Group VCAT state, use the OOS-MA,DSBLD administrative state.
Table 12-16 Switch Times
Type of circuit For CE100T-8 in ms
CCAT 60
HO VCAT 90
HO LCAS1
90
LO VCAT 202
LO LCAS 202
1. The calculated number for HO LCAS includes all the inherent delays of the protocol. Also the CE-100-T numbers are for a
group size of only three members.12-37
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 12 Circuits and Tunnels
Note Protection switching for LCAS, SW-LCAS, and non-LCAS VCAT circuits might exceed 60 ms. Traffic
loss for VT VCAT circuits is approximately two times more than an STS VCAT circuit. You can
minimize traffic loss by reducing path differential delay.
12.18.4 VCAT Circuit Size
Table 12-17 lists supported VCAT circuit rates and number of members for each card.
Use the Members tab in the Edit Circuit window to add or delete members from a VCAT circuit. The
capability to add or delete members depends on the card and whether the VCAT circuit is LCAS,
SW-LCAS, or non-LCAS.
• CE-100T-8 cards—You can add or delete members to an LCAS VCAT circuit without affecting
service. Before deleting a member of an LCAS VCAT circuit, Cisco recommends that you put the
member in the OOS-MA,OOG service state. If you create non-LCAS VCAT circuits, adding and
deleting members to the circuit is possible, but service-affecting.
• CE-1000-4 and CE-MR-10 cards—You can add or delete SW-LCAS VCAT members, although it
might affect service. Before deleting a member, Cisco recommends that you put the member in the
OOS-MA,OOG service state. If you create non-LCAS VCAT circuits, adding and deleting members
to the circuit is possible, but service-affecting.
Table 12-17 ONS 15454 Card VCAT Circuit Rates and Members
Card                      Circuit Rate             Number of Members
CE-100T-8                 VT1.5                    1–64
                          STS-1                    1–3 (1)
CE-1000-4                 STS-1                    1–21 (1)
                          STS-3                    1–7
CE-MR-10                  VT1.5                    1–64
                          STS-1                    1–21 (1)
                          STS-3                    1–7
FC_MR-4 (line rate mode)  STS-1                    24 (1 Gbps port), 48 (2 Gbps port)
                          STS-3c                   8 (1 Gbps port), 16 (2 Gbps port)
FC_MR-4 (enhanced mode)   STS-1                    1–24 (1 Gbps port), 1–48 (2 Gbps port)
                          STS-3c                   1–8 (1 Gbps port), 1–16 (2 Gbps port)
ML-Series                 STS-1, STS-3c, STS-12c   2
1. A VCAT circuit with a CE-Series card as a source or destination and an ML-Series card as a source or
destination can have only two members.
• FC_MR-4 (enhanced mode) card—You can add or delete SW-LCAS VCAT members, although it
might affect service. Before deleting a member, Cisco recommends that you put the member in the
OOS-MA,OOG service state. You cannot add or delete members from non-LCAS VCAT circuits on
FC_MR-4 cards.
• FC_MR-4 (line mode) card—All VCAT circuits using FC_MR-4 (line mode) cards have a fixed
number of members; you cannot add or delete members.
• ML-Series cards—All VCAT circuits using ML-Series cards have a fixed number of members; you
cannot add or delete members.
Table 12-18 summarizes the VCAT capabilities for each card.
Table 12-18 ONS 15454 VCAT Card Capabilities
Card                      Mode      Add a Member   Delete a Member   Support OOS-MA,OOG
CE-100T-8                 LCAS      Yes (1)        Yes (1)           Yes
                          SW-LCAS   No             No                No
                          Non-LCAS  Yes (2)        Yes (2)           No
CE-1000-4                 LCAS      No             No                No
                          SW-LCAS   Yes            Yes               Yes
                          Non-LCAS  Yes (2)        Yes (2)           No
CE-MR-10                  LCAS      Yes            Yes               Yes
                          SW-LCAS   Yes            Yes               Yes
                          Non-LCAS  Yes (2)        Yes (2)           No
FC_MR-4 (enhanced mode)   SW-LCAS   Yes            Yes               Yes
                          Non-LCAS  No             No                No
FC_MR-4 (line mode)       Non-LCAS  No             No                No
ML-Series                 SW-LCAS   No             No                No
                          Non-LCAS  No             No                No
1. When adding or deleting a member from an LCAS VCAT circuit, Cisco recommends that you first put the member
in the OOS-MA,OOG service state to avoid service disruptions.
2. For CE-Series cards, you can add or delete members after creating a VCAT circuit with no protection. During the
time it takes to add or delete members (from seconds to minutes), the entire VCAT circuit will be unable to carry
traffic.
12.18.5 Open-Ended VCAT
For applications where the complete end-to-end VCAT circuit is not in a CTC managed network, CTC
will only see either the source or the destination of the Virtual Concatenated Group (VCG) and some of
the intermediate nodes. Figure 12-16 shows an end-to-end VCAT circuit. The termination points of the
end-to-end VCAT circuit, with VCAT functionality, are referred to as the VCAT-Source and
VCAT-Destination. The termination points of the CTC managed circuit, which is the Open-Ended VCAT
circuit, are referred to as simply the Source and Destination.
Figure 12-16 Open-Ended VCAT
Open-ended VCAT circuits can originate or terminate on any pair of OC-N ports and you can route
open-ended VCAT circuits using any of the cards and ports supported by VCAT. The CTC circuit
creation wizard provides an additional check box in the VCAT attributes pane to enable Open-VCAT
circuit creation. Enabling the check box differentiates open-ended VCAT from regular VCAT Circuits.
The routing preferences for an open-ended VCAT circuit must be specified in the initial stages of circuit
provisioning. For example, if the circuit is independent fiber routing, then multiple OC-N ports can be
involved. Alternatively, the source of an open-VCAT circuit should always be a card capable of
participating in a VCG. This allows CTC to determine which routing preferences are permissible.
Auto ranging of 12 STS1 circuits is supported.
12.19 Bridge and Roll
The CTC Bridge and Roll wizard reroutes live traffic without interrupting service. The bridge process
takes traffic from a designated “roll from” facility and establishes a cross-connect to the designated “roll
to” facility. When the bridged signal at the receiving end point is verified, the roll process creates a new
cross-connect to receive the new signal. When the roll completes, the original cross-connects are
released. You can use the bridge and roll feature for maintenance functions such as card or facility
replacement, or for load balancing. You can perform a bridge and roll on the following ONS platforms:
ONS 15454, ONS 15454 SDH, ONS 15600, ONS 15327, and ONS 15310-CL.
12.19.1 Rolls Window
The Rolls window lists information about a rolled circuit before the roll process is complete. You can
access the Rolls window by clicking the Circuits > Rolls tabs in either network or node view.
Figure 12-17 shows the Rolls window.
(Figure 12-16 diagram labels: Source, Open-ended VCAT Circuit, VCAT-Source, CTC Managed Network, SONET/SDH Port, Destination, End-to-end VCAT Circuit, VCAT-Destination, Non-CTC Managed Network.)
Figure 12-17 Rolls Window
The Rolls window information includes:
• Roll From Circuit—The circuit that has connections that will no longer be used when the roll
process is complete.
• Roll To Circuit—The circuit that will carry the traffic after the roll process is complete. The
Roll To Circuit is the same as the Roll From Circuit if a single circuit is involved in a roll.
• Roll State—The roll status; see the “12.19.2 Roll Status” section on page 12-41.
• Roll Valid Signal—If the Roll Valid Signal status is true, a valid signal was found on the new port.
If the Roll Valid Signal status is false, a valid signal was not found. It is not possible to get a
Roll Valid Signal status of true for a one-way destination roll.
• Roll Mode—The mode indicates whether the roll is automatic or manual.
Note CTC implements a roll mode at the circuit level. TL1 implements a roll mode at the
cross-connect level. If a single roll is performed, CTC and TL1 behave the same. If a dual
roll is performed, the roll mode specified in CTC might be different than the roll mode
retrieved in TL1. For example, if you select Automatic, CTC coordinates the two rolls to
minimize possible traffic hits by using the Manual mode behind the scenes. When both rolls
have a good signal, CTC signals the nodes to complete the roll.
– Automatic—When a valid signal is received on the new path, CTC completes the roll on the
node automatically. One-way source rolls are always automatic. When the valid signal status is
true, the Automatic mode switches the traffic to the Roll To Path and completes the roll
automatically.
– Manual—You must complete a manual roll after a valid signal is received. One-way destination
rolls are always manual. When the valid signal status is true, the Manual mode switches the
traffic to the Roll To Path.
• Roll Path—The fixed point of the roll object.
• Roll From Circuit—The circuit that has connections that will no longer be used when the process is
complete.
• Roll From Path—The old path that is being rerouted.
• Roll To Path—The new path where the Roll From Path is rerouted.
• Complete—Completes a manual roll after a valid signal is received. You can do this when a manual
roll is in a ROLL_PENDING status and you have not yet completed the roll or have not cancelled
its sibling roll. You cannot cancel the roll after you complete the roll.
• Force Valid Signal—Forces a roll onto the Roll To Circuit destination without a valid signal.
Note If you choose Force Valid Signal, traffic on the circuit that is involved in the roll will be
dropped when the roll is completed.
• Finish—Completes the circuit processing of both manual and automatic rolls and changes the circuit
status from ROLL_PENDING to DISCOVERED. After a roll, the Finish button also removes any
cross-connects that are no longer used from the Roll From Circuit field. The roll process ends when
you finish the roll.
• Cancel—Cancels the roll process.
Note When the roll mode is Manual, cancelling a roll is only allowed before you click the
Complete button. When the roll mode is Auto, cancelling a roll is only allowed before a good
signal is detected by the node or before clicking the Force Valid Signal button.
12.19.2 Roll Status
Table 12-19 lists the roll statuses.
Table 12-19 Roll Statuses
State            Description
ROLL_PENDING     Roll is awaiting completion or cancellation.
ROLL_COMPLETED   Roll is complete. Click the Finish button.
ROLL_CANCELLED   Roll has been canceled.
TL1_ROLL         A TL1 roll was initiated.
                 Note If a roll is created using TL1, a CTC user cannot complete or
                 cancel the roll. Also, if a roll is created using CTC, a TL1 user
                 cannot complete or cancel the roll. You must use the same
                 interface to complete or change a roll.
INCOMPLETE       This state appears when the underlying circuit becomes incomplete. To
                 correct this state, you must fix the underlying circuit problem before the
                 roll state will change.
                 For example, a circuit traveling on Nodes A, B, and C can become
                 INCOMPLETE if Node B is rebooted. The cross-connect information
                 is lost on Node B during a reboot. The Roll State on Nodes A and C will
                 change to INCOMPLETE.
Note You can only reroute circuits in the DISCOVERED status. You cannot reroute circuits that are in the
ROLL_PENDING status.
12.19.3 Single and Dual Rolls
Circuits have an additional layer of roll types: single and dual. A single roll on a circuit is a roll on one
of its cross-connects. Use a single roll to:
• Change either the source or destination of a selected circuit (Figure 12-18 and Figure 12-19,
respectively).
• Roll a segment of the circuit onto another chosen circuit (Figure 12-20). This roll also results in a
new destination or a new source.
In Figure 12-18, you can select any available STS on Node 1 for a new source.
Figure 12-18 Single Source Roll
(Figure 12-18 diagram labels: S1, S2, Node 1, Node 2, D, Original leg, New leg.)
In Figure 12-19, you can select any available STS on Node 2 for a new destination.
Figure 12-19 Single Destination Roll
Figure 12-20 shows one circuit rolling onto another circuit at the destination. The new circuit has
cross-connects on Node 1, Node 3, and Node 4. CTC deletes the cross-connect on Node 2 after the roll.
Figure 12-20 Single Roll from One Circuit to Another Circuit (Destination Changes)
Figure 12-21 shows one circuit rolling onto another circuit at the source.
Figure 12-21 Single Roll from One Circuit to Another Circuit (Source Changes)
Note Create a Roll To Circuit before rolling a circuit with the source on Node 3 and the destination on Node 4.
A dual roll involves two cross-connects. It allows you to reroute intermediate segments of a circuit, but
keep the original source and destination. If the new segments require new cross-connects, use the Bridge
and Roll wizard or create a new circuit and then perform a roll.
Caution Only single rolls can be performed using TL1. Dual rolls require the network-level view that only CTC
or CTM provide.
(Figure 12-19 diagram labels: S, Node 1, D1, D2, Node 2, Original leg, New leg.)
(Figure 12-20 diagram labels: S, Node 1, D, D2, Node 2, Node 3, Node 4, Original leg, New leg.)
(Figure 12-21 diagram labels: S, S2, Node 1, Node 2, D, Node 3, Node 4, Original leg, New leg.)
Dual rolls have several constraints:
• You must complete or cancel both cross-connects rolled in a dual roll. You cannot complete one roll
and cancel the other roll.
• When a Roll To circuit is involved in the dual roll, the first roll must roll onto the source of the
Roll To circuit and the second roll must roll onto the destination of the Roll To circuit.
Figure 12-22 illustrates a dual roll on the same circuit.
Figure 12-22 Dual Roll to Reroute a Link
Figure 12-23 illustrates a dual roll involving two circuits.
Figure 12-23 Dual Roll to Reroute to a Different Node
Note If a new segment is created on Nodes 3 and 4 using the Bridge and Roll wizard, the created circuit has
the same name as the original circuit with the suffix _ROLL**. The circuit source is on Node 3 and the
circuit destination is on Node 4.
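The roll rules of this section (the statuses in Table 12-19, Automatic versus Manual completion, when Complete and Cancel are permitted, CTC versus TL1 ownership of a roll, and the all-or-nothing handling of a dual roll) expressed as a small state machine. This is an added illustration in Python, not Cisco CTC code; the `Roll` and `DualRoll` classes and the roll names are constructed for this example.

```python
"""Bridge-and-roll state machine (added example, not Cisco CTC code).

Models the rules of section 12.19: the roll statuses of Table 12-19, Automatic
versus Manual completion, when Complete and Cancel are permitted, same-interface
(CTC versus TL1) ownership, and all-or-nothing handling of a dual roll.
Roll names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum

class RollState(Enum):
    ROLL_PENDING = "ROLL_PENDING"      # awaiting completion or cancellation
    ROLL_COMPLETED = "ROLL_COMPLETED"  # complete; Finish still required
    ROLL_CANCELLED = "ROLL_CANCELLED"
    TL1_ROLL = "TL1_ROLL"              # initiated by TL1; a CTC user cannot act on it
    INCOMPLETE = "INCOMPLETE"          # the underlying circuit lost a cross-connect

class RollMode(Enum):
    AUTOMATIC = "Automatic"
    MANUAL = "Manual"

class RollError(Exception):
    """Action not permitted in the roll's current state."""

# States in which Complete, Force Valid Signal and Cancel are still possible.
ACTIVE = {RollState.ROLL_PENDING, RollState.TL1_ROLL}

@dataclass
class Roll:
    name: str
    mode: RollMode
    created_by: str = "CTC"        # interface that created the roll: "CTC" or "TL1"
    valid_signal: bool = False     # Roll Valid Signal column
    traffic_dropped: bool = False  # set by Force Valid Signal
    state: RollState = field(init=False)

    def __post_init__(self):
        self.state = RollState.TL1_ROLL if self.created_by == "TL1" else RollState.ROLL_PENDING

    def _check(self, actor):
        # A roll can only be completed or cancelled from the interface that created it.
        if actor != self.created_by:
            raise RollError(f"{self.name}: created via {self.created_by}; {actor} cannot act on it")
        if self.state not in ACTIVE:
            raise RollError(f"{self.name}: no action possible in state {self.state.value}")

    def signal_detected(self):
        """The node reports a valid signal on the Roll To path."""
        self.valid_signal = True
        # Automatic mode switches the traffic and completes the roll by itself.
        if self.mode is RollMode.AUTOMATIC and self.state in ACTIVE:
            self.state = RollState.ROLL_COMPLETED

    def complete(self, actor="CTC"):
        """Complete button: manual rolls only, and only after a valid signal."""
        self._check(actor)
        if self.mode is RollMode.AUTOMATIC:
            raise RollError(f"{self.name}: automatic rolls complete on their own")
        if not self.valid_signal:
            raise RollError(f"{self.name}: no valid signal; use force_valid_signal")
        self.state = RollState.ROLL_COMPLETED

    def force_valid_signal(self, actor="CTC"):
        """Force Valid Signal: completes without a signal, so traffic is dropped."""
        self._check(actor)
        self.valid_signal = True
        self.traffic_dropped = True
        self.state = RollState.ROLL_COMPLETED

    def cancel(self, actor="CTC"):
        """Cancel: Manual only before Complete; Automatic only before a good signal."""
        self._check(actor)
        if self.mode is RollMode.AUTOMATIC and self.valid_signal:
            raise RollError(f"{self.name}: a good signal was already detected")
        self.state = RollState.ROLL_CANCELLED

class DualRoll:
    """Two cross-connect rolls that must be completed or cancelled together."""

    def __init__(self, name, mode):
        # Only CTC/CTM can create dual rolls; TL1 performs single rolls only.
        # CTC shows `mode` but drives both rolls as Manual behind the scenes.
        self.mode = mode
        self.rolls = (Roll(name + "-1", RollMode.MANUAL), Roll(name + "-2", RollMode.MANUAL))

    def complete(self):
        # CTC completes the pair only once both rolls report a good signal.
        if not all(r.valid_signal for r in self.rolls):
            raise RollError("both rolls must have a valid signal")
        for r in self.rolls:
            r.complete()

    def cancel(self):
        # All-or-nothing: verify both rolls are still cancellable before touching either.
        for r in self.rolls:
            r._check("CTC")
        for r in self.rolls:
            r.cancel()
```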
12.19.4 Two Circuit Bridge and Roll
When using the bridge and roll feature to reroute traffic using two circuits, the following constraints
apply:
• DCC must be enabled on the circuits involved in a roll before roll creation.
• A maximum of two rolls can exist between any two circuits.
• If two rolls are involved between two circuits, both rolls must be on the original circuit. The second
circuit should not carry live traffic. The two rolls loop from the second circuit back to the original
circuit. The roll mode of the two rolls must be identical (either automatic or manual).
• If a single roll exists on a circuit, you must roll the connection onto the source or the destination of
the second circuit and not an intermediate node in the circuit.
(Figure 12-22 diagram labels: S, Node 1, Node 2, D, Original leg, New leg.)
(Figure 12-23 diagram labels: S, Node 1, Node 2, D, Node 3, Node 4, Original leg, New leg.)
12.19.5 Protected Circuits
CTC allows you to roll the working or protect path regardless of which path is active. You can upgrade
an unprotected circuit to a fully protected circuit or downgrade a fully protected circuit to an unprotected
circuit with the exception of a path protection circuit. When using bridge and roll on path protection
circuits, you can roll the source or destination or both path selectors in a dual roll. However, you cannot
roll a single path selector.
12.20 Merged Circuits
A circuit merge combines a single selected circuit with one or more circuits. You can merge VT tunnels,
VAP circuits, VCAT members, CTC-created circuits, and TL1-created circuits. To merge circuits, you
choose a circuit in the CTC Circuits window and the circuits that you want to merge with the chosen
(master) circuit on the Merge tab in the Edit Circuits window. The Merge tab shows only the circuits that
are available for merging with the master circuit:
• Circuit cross-connects must create a single, contiguous path.
• Circuit types must be compatible. For example, you can combine an STS circuit with a VAP
circuit to create a longer VAP circuit, but you cannot combine a VT circuit with an STS circuit.
• Circuit directions must be compatible. You can merge a one-way and a two-way circuit, but not two
one-way circuits in opposing directions.
• Circuit sizes must be identical.
• VLAN assignments must be identical.
• Circuit end points must send or receive the same framing format.
• The merged circuits must become a DISCOVERED circuit.
If all connections from the master circuit and all connections from the merged circuits align to form one
complete circuit, the merge is successful. If all connections from the master circuit and some, but not
all, connections from the other circuits align to form a single complete circuit, CTC notifies you and
gives you the chance to cancel the merge process. If you choose to continue, the aligned connections
merge successfully into the master circuit, and the unaligned connections remain in the original circuits.
All connections in the completed master circuit use the original master circuit name.
All connections from the master circuit and at least one connection from the other selected circuits must
be used in the resulting circuit for the merge to succeed. If a merge fails, the master circuit and all other
circuits remain unchanged. When the circuit merge completes successfully, the resulting circuit retains
the name of the master circuit.
You can also merge orderwire and user data channel (UDC) overhead circuits, which use the overhead
bytes instead of frame payload to transfer data. To merge overhead circuits, you choose the overhead
circuits on the network view Provisioning > Overhead Circuits window. You can only merge orderwire
and UDC circuits.
12.21 Reconfigured Circuits
You can reconfigure multiple circuits, which is typically necessary when a large number of circuits are
in the PARTIAL status. When reconfiguring multiple circuits, the selected circuits can be any
combination of DISCOVERED, PARTIAL, DISCOVERED_TL1, or PARTIAL_TL1 circuits. You can
reconfigure tunnels, VAP circuits, VLAN-assigned circuits, VCAT circuits, CTC-created circuits, and
TL1-created circuits. The Reconfigure command maintains the names of the original cross-connects.
Use the CTC Tools > Circuits > Reconfigure Circuits menu item to reconfigure selected circuits. During
reconfiguration, CTC reassembles all connections of the selected circuits and VCAT members into
circuits based on path size, direction, and alignment. Some circuits might merge and others might split
into multiple circuits. If the resulting circuit is a valid circuit, it appears as a DISCOVERED circuit.
Otherwise, the circuit appears as a PARTIAL or PARTIAL_TL1 circuit.
Note If CTC cannot reconfigure all members in a VCAT circuit, the reconfigure operation fails for the entire
VCAT circuit and it remains in the PARTIAL or PARTIAL_TL1 status. If CTC does reconfigure all
members in a VCAT circuit, the VCAT circuit may still remain in the PARTIAL or PARTIAL_TL1
status. This occurs if the ports defined in the VCAT termination do not match the source/drop ports of
the member circuits or if one or two VCAT terminations are missing.
Note PARTIAL tunnel and PARTIAL VLAN-capable circuits do not split into multiple circuits during
reconfiguration.
12.22 VLAN Management
In Software Release 4.6 and later, VLANs are populated within topologies to limit broadcasts to each
topology rather than to the entire network. Using the Manage VLANs command in the Tools menu, you
can view a list of topology hosts and provisioned VLANs. You create VLANs during circuit creation or
with the Manage VLANs command. When creating a VLAN, you must identify the topology host (node)
where the VLAN will be provisioned. The Manage VLANs command also allows you to delete existing
VLANs.
12.23 Server Trails
A server trail is a non-DCC (logical or virtual) link across a third-party network that connects two CTC
network domains. A server trail allows A-Z circuit provisioning when no DCC is available. You can
create server trails between two distant optical or EC-1 ports. The end ports on a server trail can be
different types (for example, an OC-3 port can be linked to an OC-12 port). Server trails are not allowed
on DCC-enabled ports.
The server trail link is bidirectional and can be VT1.5, VT2, STS1, STS-3c, STS-6c, STS-12c, STS-48c,
or STS-192c; you cannot change an existing server trail to another size. It must be deleted and recreated.
A circuit provisioned over a server trail must match the type and size of the server trail it uses. For
example, an STS-3c server trail can carry only STS-3c circuits and not three STS-1 circuits.
Note There is no OSPF or any other management information exchange between NEs over a server trail.
12.23.1 Server Trail Protection Types
The server trail protection type determines the protection type for any circuits that traverse it. A server
trail link can be one of the following protection types:
• Preemptible—PCA circuits will use server trails with the Preemptible attribute.
• Unprotected—For an Unprotected server trail, CTC assumes that the circuits going out from that
specific port will not be protected by the provider network and will look for a secondary path from
source to destination if you are creating a protected circuit.
• Fully Protected—For a Fully Protected server trail, CTC assumes that the circuits going out from that
specific port will be protected by the provider network and will not look for a secondary path from
source to destination.
Note Only path protection is available on server trails. BLSR protection is not available on server trails.
12.23.2 VCAT Circuit Routing over Server Trails
An STS-3c server trail can be used to route STS-3c circuits and an STS-1 server trail can be used to route
STS-1 circuits. Similarly, a VT1.5 server trail can be used to route VT1.5 circuits and an STS-12c server
trail can only be used for STS-12c circuits.
For example, to route an STS-3c-2v circuit over a server trail, you must enable split fiber routing and
create two STS-3c server trails and route each member manually or automatically over each server trail.
To route an STS-12c-2v circuit over a server trail, you must enable split fiber routing and create two
STS-12c server trails and route each member manually or automatically over each server trail.
Note Server trails can only be created between any two optical ports or EC-1 ports.
VCAT circuits can be created over server trails in the following ways:
• Manual routing
• Automatic routing
– Diverse routing: This method enables VCAT circuit routing over diverse server trail links.
Note When creating circuits or VCATs, you can choose a server trail link during manual circuit routing. CTC
may also route circuits over server trail links during automatic routing. VCAT common-fiber automatic
routing is not supported.
For a detailed procedure on how to route a VCAT circuit over a server trail, refer to “Chapter 6, Create
Circuits and VT Tunnels, Section NTP-A264, Create an Automatically Routed VCAT Circuit and
Section NTP-A265, Create a Manually Routed VCAT Circuit” in the Cisco ONS 15454 Procedure
Guide.
12.23.2.1 Shared Resource Link Group
The Shared Resource Link Group (SRLG) attribute can be assigned to a server trail link using a
commonly shared resource such as port, fiber or span. For example, if two server trail links are routed
over the same fiber, an SRLG attribute can be assigned to these links. SRLG is used by Cisco Transport
Manager (CTM) to specify link diversity. If you create multiple server trails from one port, you can
assign the same SRLG value to all the links to indicate that they originate from the same port.
CHAPTER 13
Alarm Monitoring and Management
This chapter describes Cisco Transport Controller (CTC) alarm management. To troubleshoot specific
alarms, refer to the Cisco ONS 15454 Troubleshooting Guide. Chapter topics include:
• 13.1 Overview, page 13-1
• 13.2 LCD Alarm Counts, page 13-1
• 13.3 Alarm Information, page 13-2
• 13.4 Alarm Severities, page 13-9
• 13.5 Alarm Profiles, page 13-9
• 13.6 Alarm Suppression, page 13-13
• 13.7 External Alarms and Controls, page 13-14
13.1 Overview
CTC detects and reports SONET alarms generated by the Cisco ONS 15454 and the larger SONET
network. You can use CTC to monitor and manage alarms at the card, node, or network level. Alarming
conforms to Telcordia GR-253 standard. Severities conform to Telcordia GR-474, but you can set alarm
severities in customized alarm profiles or suppress CTC alarm reporting. For a detailed description of
the standard Telcordia categories employed by Optical Networking System (ONS) nodes, refer to the
Cisco ONS 15454 Troubleshooting Guide.
Note ONS 15454 alarms can also be monitored and managed through Transaction Language One (TL1) or a
network management system (NMS).
13.2 LCD Alarm Counts
You can view node, slot, or port-level alarm counts and summaries using the buttons on the ONS 15454
LCD panel. The Slot and Port buttons toggle between display types; the Slot button toggles between
node display and slot display, and the Port button toggles between slot and port views. Pressing the
Status button after you choose the display mode changes the display from alarm count to alarm summary.
The ONS 15454 has a one-button update for some commonly viewed alarm counts. If you press the Slot
button once and then wait eight seconds, the display automatically changes from a slot alarm count to a
slot alarm summary. If you press the Port button to toggle to port-level display, you can use the Port
button to toggle to a specific slot and to view each port’s port-level alarm count. Figure 13-1 shows the
LCD panel layout.
Figure 13-1 Shelf LCD Panel
13.3 Alarm Information
You can use the Alarms tab to view card, node, or network-level alarms. The Alarms window shows
alarms in conformance with Telcordia GR-253. This means that if a network problem causes two alarms,
such as loss of frame (LOF) and loss of signal (LOS), CTC only shows the LOS alarm in this window
because it supersedes LOF. (The LOF alarm can still be retrieved in the Conditions window.)
The Path Width column in the Alarms and Conditions tabs expands upon alarmed object information
contained in the access identifier (AID) string (such as “STS-4-1-3”) by giving the number of STSs
contained in the alarmed path. For example, the Path Width will tell you whether a critical alarm applies
to an STS1 or an STS48c. The column reports the width as a 1, 3, 6, 12, 48, etc. as appropriate,
understood to be “STS-N.”
Table 13-1 lists the column headings and the information recorded in each column.
(Figure 13-1 diagram labels: FAN FAIL, Slot, Status, Port, CRIT, MAJ, MIN; sample display 8/18/03, 04.06-002L-10, 24°C.)
Table 13-1 Alarms Column Descriptions
Column        Information Recorded
Num           Num (number) is the quantity of alarm messages received, and is incremented
              automatically as alarms occur to display the current total of received error messages.
              (The column is hidden by default; to view it, right-click a column and choose Show
              Column > Num.)
Ref           Ref (reference) is a unique identification number assigned to each alarm to reference a
              specific alarm message that is displayed. (The column is hidden by default. To view it,
              right-click a column and choose Show Column.)
New           Indicates a new alarm. To change this status, click either the Synchronize button or the
              Delete Cleared Alarms button.
Date          Date and time of the alarm.
Node          Shows the name of the node where the condition or alarm occurred. (Visible in network
              view.)
Object        TL1 AID for the alarmed object. For an STSmon or VTmon, this is the monitored STS
              or VT object.
Eqpt Type     Card type in this slot.
Shelf         For dense wavelength division multiplexing (DWDM) configurations, the shelf where
              the alarmed object is located. Visible in network view.
Slot          Slot where the alarm occurred (appears only in network and node view).
Port          Port where the alarm is raised. For STSTerm and VTTerm, the port refers to the upstream
              card it is partnered with.
Path Width    Indicates how many STSs are contained in the alarmed path. This information
              complements the alarm object notation, which is explained in the “Alarm
              Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Sev           Severity level: CR (Critical), MJ (Major), MN (Minor), NA (Not Alarmed), NR
              (Not Reported).
ST            Status: R (raised), C (clear), or T (transient).
SA            When checked, indicates a service-affecting alarm.
Cond          The error message/alarm name. These names are alphabetically defined in the “Alarm
              Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Description   Description of the alarm.
Note When an entity is put in the OOS,MT administrative state, the ONS 15454 suppresses all standing alarms
on that entity. All alarms and events appear on the Conditions tab. You can change this behavior for the
LPBKFACILITY and LPBKTERMINAL alarms. To display these alarms on the Alarms tab, set the
NODE.general.ReportLoopbackConditionsOnPortsInOOS-MT to TRUE on the NE Defaults tab.
Table 13-2 lists the color codes for alarm and condition severities. The inherited (I) and unset (U)
severities are only listed in the network view Provisioning > Alarm Profiles tab.
Note Major and Minor alarms might appear yellow in CTC under certain circumstances. This is not due to a
CTC problem but to a workstation memory and color utilization problem. For example, a workstation
might run out of colors if many color-intensive applications are running. When using Netscape, you can
limit the number of colors used by launching it from the command line with either the -install option or
the -ncols 32 option.
Table 13-2 Color Codes for Alarm and Condition Severities
Color     Description
Red       Raised Critical (CR) alarm
Orange    Raised Major (MJ) alarm
Yellow    Raised Minor (MN) alarm
Magenta   Raised Not Alarmed (NA) condition
Blue      Raised Not Reported (NR) condition
White     Cleared (C) alarm or condition
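The Alarms tab behaviour described in this section (the STS-N Path Width label, LOS superseding LOF on the same object while LOF stays retrievable on the Conditions tab, suppression of standing alarms on OOS,MT entities with the loopback exception, the Filter button, and the Table 13-2 colors) applied to a few constructed alarm records. This is an added illustration in Python, not CTC code; the record layout, the sample records and the assumed AID field order STS-<slot>-<port>-<sts> are constructions of this example.

```python
"""Alarms tab behaviour from section 13.3 (added example, not CTC code).

Demonstrates the Path Width label ("STS-N") for an alarmed path, GR-253-style
superseding of LOF by LOS on the same object (LOF stays on the Conditions tab),
suppression of standing alarms on OOS,MT entities with the loopback exception,
the severity/date filter of the Filter button, and the Table 13-2 colors.
All records are constructed; the AID layout STS-<slot>-<port>-<sts> is an
assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime

# Table 13-2 colors for raised alarms and conditions; cleared items are White.
COLOR = {"CR": "Red", "MJ": "Orange", "MN": "Yellow", "NA": "Magenta", "NR": "Blue"}
# Masking stated in the text: LOS supersedes LOF on the same object.
SUPERSEDED_BY = {"LOF": "LOS"}
LOOPBACK_ALARMS = {"LPBKFACILITY", "LPBKTERMINAL"}

@dataclass(frozen=True)
class Fault:
    date: datetime
    node: str
    aid: str        # TL1 access identifier of the alarmed object, e.g. "STS-4-1-3"
    width: int      # Path Width: number of STSs in the alarmed path
    sev: str        # CR, MJ, MN, NA, NR
    st: str         # R (raised), C (clear), T (transient)
    cond: str       # alarm or condition name
    sa: bool = False

def parse_aid(aid):
    """Split "STS-4-1-3" into (object type, slot, port, index). Layout assumed."""
    kind, slot, port, index = aid.split("-")
    return kind, int(slot), int(port), int(index)

def path_label(fault):
    """Path Width 1 is read as STS-1; 3, 6, 12, 48, ... as STS-Nc."""
    return "STS-1" if fault.width == 1 else f"STS-{fault.width}c"

def color(fault):
    return "White" if fault.st == "C" else COLOR[fault.sev]

def conditions_tab(faults):
    """The Conditions tab shows everything, including superseded alarms."""
    return list(faults)

def alarms_tab(faults, oos_mt=frozenset(), report_loopbacks_in_oos_mt=False):
    """Alarms tab: hide superseded alarms and standing alarms on OOS,MT entities.

    oos_mt is a set of (node, aid) pairs in the OOS,MT administrative state;
    report_loopbacks_in_oos_mt mirrors the NE default
    NODE.general.ReportLoopbackConditionsOnPortsInOOS-MT.
    """
    raised = {(f.node, f.aid, f.cond) for f in faults if f.st == "R"}
    shown = []
    for f in faults:
        higher = SUPERSEDED_BY.get(f.cond)
        if higher and (f.node, f.aid, higher) in raised:
            continue  # e.g. LOF hidden because LOS is raised on the same object
        if (f.node, f.aid) in oos_mt and f.st == "R":
            if not (report_loopbacks_in_oos_mt and f.cond in LOOPBACK_ALARMS):
                continue
        shown.append(f)
    return shown

def apply_filter(faults, severities=None, start=None, end=None):
    """Filter button: keep only the chosen severities and the given time frame."""
    return [
        f for f in faults
        if (not severities or f.sev in severities)
        and (start is None or f.date >= start)
        and (end is None or f.date <= end)
    ]

# Constructed sample records; dates, node names and AIDs are illustrative only.
SAMPLE = [
    Fault(datetime(2012, 8, 29, 10, 0), "node-A", "STS-4-1-3", 3, "CR", "R", "LOS", True),
    Fault(datetime(2012, 8, 29, 10, 0), "node-A", "STS-4-1-3", 3, "CR", "R", "LOF", True),
    Fault(datetime(2012, 8, 29, 10, 5), "node-A", "STS-5-1-1", 1, "NA", "R", "LPBKFACILITY"),
    Fault(datetime(2012, 8, 29, 9, 0), "node-B", "STS-6-1-1", 48, "MJ", "C", "LOF"),
]

if __name__ == "__main__":
    for f in alarms_tab(SAMPLE):
        print(f.node, f.aid, path_label(f), f.sev, f.cond, color(f))
```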
13.3.1 Viewing Alarms With Each Node’s Time Zone
By default, alarms and conditions are displayed with the time stamp of the CTC workstation where you
are viewing them. But you can set the node to report alarms (and conditions) using the time zone where
the node is located by clicking Edit > Preferences, and clicking the Display Events Using Each Node’s
Timezone check box.
13.3.2 Controlling Alarm Display
You can control the display of the alarms shown on the Alarms window. Table 13-3 shows the actions
you can perform in the Alarms window.
13.3.3 Filtering Alarms
The alarm display can be filtered to prevent display of alarms with certain severities or alarms that
occurred between certain dates and times. You can set the filtering parameters by clicking the Filter
button at the bottom-left of the Alarms window. You can turn the filter on or off by clicking the Filter
tool at the bottom-right of the window. CTC retains your filter activation setting. For example, if you
turn the filter on and then log out, CTC keeps the filter active the next time you log in.
Table 13-3 Alarm Display
Button/Check Box/Tool Action
Filter button Allows you to change the display on the Alarms window to show only
alarms that meet a certain severity level, occur in a specified time frame,
and/or reflect specific conditions. For example, you can set the filter so that
only critical alarms display on the window.
If you enable the Filter feature by clicking the Filter button in one CTC
view, such as node view, it is enabled in the others as well (card view and
network view).
Synchronize button Updates the alarm display. Although CTC displays alarms in real time, the
Synchronize button allows you to verify the alarm display. This is
particularly useful during provisioning or troubleshooting.
Delete Cleared Alarms button Deletes, from the view, alarms that have been cleared.
AutoDelete Cleared Alarms check box If checked, CTC automatically deletes cleared alarms.
Filter tool Enables or disables alarm filtering in the card, node, or network view. When
enabled or disabled, this state applies to other views for that node and for
all other nodes in the network. For example, if the Filter tool is enabled in
the node (default login) view Alarms window, the network view Alarms
window and card view Alarms window also show the tool enabled. All other
nodes in the network also show the tool enabled.
13.3.4 Viewing Alarm-Affected Circuits
A user can view which ONS 15454 circuits are affected by a specific alarm by positioning the cursor
over the alarm in the Alarm window and right-clicking. A shortcut menu appears (Figure 13-2). When
the user selects the Select Affected Circuits option, the Circuits window opens to show the circuits that
are affected by the alarm.
Figure 13-2 Select Affected Circuits Option
13.3.5 Conditions Tab
The Conditions window displays retrieved fault conditions. A condition is a fault or status detected by
ONS 15454 hardware or software. When a condition occurs and continues for a minimum period, CTC
raises a condition, which is a flag showing that this particular condition currently exists on the
ONS 15454.
The Conditions window shows all conditions that occur, including those that are superseded. For
instance, if a network problem causes two alarms, such as LOF and LOS, CTC shows both the LOF and
LOS conditions in this window (even though LOS supersedes LOF). Having all conditions visible can
be helpful when troubleshooting the ONS 15454. If you want to retrieve only conditions that obey a
root-cause hierarchy (that is, LOS supersedes and replaces LOF), exclude the superseded conditions
by checking the Exclude Same Root Cause check box in the window.
Fault conditions include reported alarms and Not Reported or Not Alarmed conditions. Refer to the
trouble notifications information in the Cisco ONS 15454 Troubleshooting Guide for more information
about alarm and condition classifications.
13.3.6 Controlling the Conditions Display
You can control the display of the conditions on the Conditions window. Table 13-4 shows the actions
you can perform in the window.
13.3.6.1 Retrieving and Displaying Conditions
The current set of all existing conditions maintained by the alarm manager can be seen when you click
the Retrieve button. The set of conditions retrieved is relative to the view. For example, if you click the
button while displaying the node view, node-specific conditions are displayed. If you click the button
while displaying the network view, all conditions for the network (including ONS 15454 nodes and other
connected nodes) are displayed, and the card view shows only card-specific conditions.
You can also set a node to display conditions using the time zone where the node is located, rather than
the time zone of the PC where they are being viewed. See the “13.3.1 Viewing Alarms With Each Node’s
Time Zone” section on page 13-4 for more information.
13.3.6.2 Conditions Column Descriptions
Table 13-5 lists the Conditions window column headings and the information recorded in each column.
Table 13-4 Conditions Display
Button Action
Retrieve Retrieves the current set of all existing fault conditions, as maintained by
the alarm manager, from the ONS 15454.
Filter Allows you to change the Conditions window display to only show the
conditions that meet a certain severity level or occur in a specified time. For
example, you can set the filter so that only critical conditions display on the
window.
A Filter tool on the lower-right of the window enables or disables the filter
feature.
Exclude Same Root Cause Retrieves conditions that obey a root-cause hierarchy (for example, LOS
supersedes and replaces LOF).
Table 13-5 Conditions Column Description
Column Information Recorded
Date Date and time of the condition.
Node Shows the name of the node where the condition or alarm occurred. (Visible in network
view.)
Object TL1 AID for the condition object. For an STSmon or VTmon, the object.
Eqpt Type Card type in this slot.
Shelf For DWDM configurations, the shelf where the alarmed object is located. Visible in
network view.
Slot Slot where the condition occurred (appears only in network and node view).
Port Port where the condition occurred. For STSTerm and VTTerm, the port refers to the
upstream card it is partnered with.
Path Width Width of the data path.
Sev (1) Severity level: CR (Critical), MJ (Major), MN (Minor), NA (Not Alarmed), NR
(Not Reported).
SA (1) Indicates a service-affecting alarm (when checked).
Cond The error message/alarm name; these names are alphabetically defined in the “Alarm
Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Description Description of the condition.
1. All alarms, their severities, and service-affecting statuses are also displayed in the Conditions tab unless you choose to filter
the alarm from the display using the Filter button.
13.3.6.3 Filtering Conditions
The condition display can be filtered to prevent display of conditions (including alarms) with certain
severities or that occurred between certain dates. You can set the filtering parameters by clicking the
Filter button at the bottom-left of the Conditions window. You can turn the filter on or off by clicking
the Filter tool at the bottom-right of the window. CTC retains your filter activation setting. For example,
if you turn the filter on and then log out, CTC keeps the filter active the next time you log in with that
user ID.
13.3.7 Viewing History
The History window displays historic alarm or condition data for the node or for your login session. You
can choose to display only alarm history, only events, or both by checking check boxes in the History >
Shelf window. You can view network-level alarm and condition history, such as for circuits, for all the
nodes visible in network view. At the node level, you can see all port (facility), card, STS, and
system-level history entries for that node. For example, protection-switching events or
performance-monitoring threshold crossings appear here. If you double-click a card, you can view all
port, card, and STS alarm or condition history that directly affects the card.
Note In the Preference dialog General tab, the Maximum History Entries value only applies to the Session
window.
Different views of CTC display different kinds of history:
• The History > Session window is shown in network view, node view, and card view. It shows alarms
and conditions that occurred during the current user CTC session.
• The History > Shelf window is only shown in node view. It shows the alarms and conditions that
occurred on the node since CTC software was operated on the node.
• The History > Card window is only shown in card view. It shows the alarms and conditions that
occurred on the card since CTC software was installed on the node.
Tip Double-click an alarm in the History window to display the corresponding view. For example,
double-clicking a card alarm takes you to card view. In network view, double-clicking a node alarm takes
you to node view.
If you check the History window Alarms check box, you display the node history of alarms. If you check
the Events check box, you display the node history of Not Alarmed and transient events (conditions). If
you check both check boxes, you retrieve node history for both.
13.3.7.1 History Column Descriptions
Table 13-6 lists the History window column headings and the information recorded in each column.
13.3.7.2 Retrieving and Displaying Alarm and Condition History
You can retrieve and view the history of alarms and conditions, as well as transients (passing
notifications of processes as they occur) in the CTC history window. The information in this window is
specific to the view where it is shown (that is, network history in the network view, node history in the
node view, and card history in the card view).
The node and card history views are each divided into two tabs. In node view, when you click the
Retrieve button, you can see the history of alarms, conditions, and transients that have occurred on the
node in the History > Shelf window, and the history of alarms, conditions, and transients that have
occurred on the node during your login session in the History > Session window. In the card-view history
window, after you retrieve the card history, you can see the history of alarms, conditions, and transients
on the card in the History > Card window, or a history of alarms, conditions, and transients that have
occurred during your login session in the History > Session window. You can also filter the severities
and occurrence period in these history windows.
Table 13-6 History Column Description
Column Information Recorded
Num An incrementing count of alarm or condition messages. (The column is hidden by
default; to view it, right-click a column and choose Show Column > Num.)
Ref The reference number assigned to the alarm or condition. (The column is hidden by
default; to view it, right-click a column and choose Show Column > Ref.)
Date Date and time of the condition.
Node Shows the name of the node where the condition or alarm occurred. (Visible in network
view.)
Object TL1 AID for the condition object. For an STSmon or VTmon, the object.
Eqpt Type Card type in this slot.
Shelf For DWDM configurations, the shelf where the alarmed object is located. Visible in
network view.
Slot Slot where the condition occurred (only displays in network view and node view).
Port Port where the condition occurred. For STSTerm and VTTerm, the port refers to the
upstream card it is partnered with.
Path Width Width of the data path.
Sev Severity level: Critical (CR), Major (MJ), Minor (MN), Not Alarmed (NA),
Not Reported (NR).
ST Status: raised (R), cleared (C), or transient (T).
SA Indicates a service-affecting alarm (when checked).
Cond Condition name.
Description Description of the condition.
13.3.8 Alarm History and Log Buffer Capacities
The ONS 15454 alarm history log, stored in the TCC2/TCC2P RSA memory, contains four categories
of alarms. These include:
• CR severity alarms
• MJ severity alarms
• MN severity alarms
• the combined group of cleared, Not Alarmed severity, and Not Reported severity alarms
Each category can store between 4 and 640 alarm chunks, or entries. In each category, when the upper
limit is reached, the oldest entry in the category is deleted. The capacity is not user-provisionable.
CTC also has a log buffer, separate from the alarm history log, that pertains to the total number of entries
displayed in the Alarms, Conditions, and History windows. The total capacity is provisionable up to
5,000 entries. When the upper limit is reached, the oldest entries are deleted.
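The following Python is an added sketch of the four-category log described above; it is illustration code, not Cisco firmware. The per-category capacity is a parameter here because the manual gives only the 4-to-640 range and states that the real value is fixed by the TCC2/TCC2P and not user-provisionable; the class and function names are invented, and the alarm entries fed in are constructed. It shows the forensic consequence of the layout: a flood of Not Alarmed conditions cannot push raised Critical entries out of the log, but a cleared Critical alarm shares its bucket with NA and NR records and is evicted along with them.

```python
"""Four-category alarm history log modelled on 13.3.8 (added illustration, not Cisco firmware).

Assumptions: class and function names are invented; the per-category capacity is a
parameter because the manual gives only the 4-to-640 range and says the real value
is fixed by the TCC2/TCC2P and not user-provisionable.
"""
from collections import deque

CATEGORIES = ("CR", "MJ", "MN", "CLEARED_NA_NR")


def history_category(sev, status):
    """Map an entry to its log category. Cleared entries ('C') go to the shared
    cleared/NA/NR bucket whatever severity they were raised at."""
    if status == "C" or sev in ("NA", "NR"):
        return "CLEARED_NA_NR"
    if sev in ("CR", "MJ", "MN"):
        return sev
    raise ValueError(f"unknown severity {sev!r}")


class AlarmHistoryLog:
    def __init__(self, per_category_capacity=640):
        if not 4 <= per_category_capacity <= 640:
            raise ValueError("capacity outside the 4..640 range stated in the manual")
        # deque(maxlen=...) drops the oldest entry when a category is full,
        # matching "the oldest entry in the category is deleted".
        self.logs = {c: deque(maxlen=per_category_capacity) for c in CATEGORIES}

    def record(self, cond, sev, status, obj):
        """Store one (cond, sev, status, object) entry and return the category it went to."""
        cat = history_category(sev, status)
        self.logs[cat].append((cond, sev, status, obj))
        return cat

    def entries(self, cat):
        return list(self.logs[cat])


if __name__ == "__main__":
    log = AlarmHistoryLog(per_category_capacity=4)   # small capacity so eviction is visible
    log.record("LOS", "CR", "R", "FAC-5-1")
    for i in range(100):                             # constructed flood of NA conditions
        log.record("AS-MT", "NA", "R", f"FAC-6-{i % 8 + 1}")
    print("CR entries survive the flood:", log.entries("CR"))
    log.record("LOS", "CR", "C", "FAC-5-1")          # the clear lands in the shared bucket
    for i in range(4):
        log.record("AS-MT", "NA", "C", f"FAC-6-{i + 1}")
    print("cleared LOS still logged:",
          ("LOS", "CR", "C", "FAC-5-1") in log.entries("CLEARED_NA_NR"))
```

When reconstructing an incident from a node, pull the CR/MJ/MN categories first; the record of when an alarm cleared lives in the crowded shared bucket and is the first thing a burst of NA conditions will push out.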
13.4 Alarm Severities
ONS 15454 alarm severities follow the Telcordia GR-253 standard, so a condition might be Alarmed (at
a severity of Critical [CR], Major [MJ], or Minor [MN]), Not Alarmed (NA), or Not Reported (NR).
These severities are reported in the CTC software Alarms, Conditions, and History windows at all levels:
network, shelf, and card.
ONS equipment provides a standard profile named Default listing all alarms and conditions with severity
settings based on Telcordia GR-474 and other standards, but users can create their own profiles with
different settings for some or all conditions and apply these wherever desired. (See the “13.5 Alarm
Profiles” section on page 13-9.) For example, in a custom alarm profile, the default severity of a carrier
loss (CARLOSS) alarm on an Ethernet port could be changed from major to critical. The profile allows
setting to Not Reported or Not Alarmed, as well as the three alarmed severities.
Critical and Major severities are used only for service-affecting alarms. If a condition is set to Critical
or Major by profile, it is raised as a Minor alarm in the following situations:
• In a protection group, if the alarm is on a standby entity (side not carrying traffic)
• If the alarmed entity has no traffic provisioned on it, so no service is lost
Because of this possibility of being raised at two different levels, the alarm profile pane shows Critical
as CR / MN and Major as MJ / MN.
13.5 Alarm Profiles
The alarm profiles feature allows you to change default alarm severities by creating unique alarm profiles
for individual ONS 15454 ports, cards, or nodes. A created alarm profile can be applied to any node on
the network. Alarm profiles can be saved to a file and imported elsewhere in the network, but the profile
must be stored locally on a node before it can be applied to the node, its cards, or its cards’ ports.
CTC can store up to ten active alarm profiles at any time to apply to the node. Custom profiles can take
eight of these active profile positions. The two other profiles, Default and Inherited, are reserved by the
NE and cannot be edited. The reserved Default profile contains Telcordia GR-474 severities. The
reserved Inherited profile allows port alarm severities to be governed by the card-level severities, or
card alarm severities to be determined by the node-level severities.
If one or more alarm profiles have been stored as files from elsewhere in the network onto the local PC
or server hard drive where CTC resides, you can use as many profiles as you can physically store by
deleting and replacing them locally in CTC, so that only eight are active at any given time.
13.5.1 Creating and Modifying Alarm Profiles
Alarm profiles are created in the network view using the Provisioning > Alarm Profiles tabs. Figure 13-3
shows the default list of alarm severities. A default alarm severity following Telcordia GR-253 standards
is preprovisioned for every alarm. After loading the default profile or another profile on the node, you
can clone a profile to create custom profiles. After the new profile is created, the Alarm Profiles window
shows the original profile (frequently Default) and the new profile.
Figure 13-3 Network View Alarm Profiles Window
The alarm profile list contains a master list of alarms that is used for a mixed node network. Some of
these alarms might not be used in all ONS nodes.
Tip To see the full list of profiles including those available for loading or cloning, click the Available button.
You must load a profile before you can clone it.
Note Up to 10 profiles, including the two reserved profiles (Inherited and Default) can be stored in CTC.
Wherever it is applied, the Default alarm profile sets severities to standard Telcordia GR-253 settings.
In the Inherited profile, alarms inherit, or copy, severity from the next-highest level. For example, a card
with an Inherited alarm profile copies the severities used by the node housing the card. If you choose the
Inherited profile from the network view, the severities at the lower levels (node and card) are copied from
this selection.
You do not have to apply a single severity profile to the node, card, and port alarms. Different profiles
can be applied at different levels. You could use the inherited or default profile on a node and on all cards
and ports, but apply a custom profile that downgrades an alarm on one particular card. For example, you
might choose to downgrade an OC-N unequipped path alarm (UNEQ-P) from Critical (CR) to Not
Alarmed (NA) on an optical card because this alarm raises and then clears every time you create a circuit.
UNEQ-P alarms for the card with the custom profile would not display on the Alarms tab. (But they
would still be recorded on the Conditions and History tabs.)
When you modify severities in an alarm profile:
• All Critical (CR) or Major (MJ) default or user-defined severity settings are demoted to Minor (MN)
in Non-Service-Affecting (NSA) situations as defined in Telcordia GR-474.
• Default severities are used for all alarms and conditions until you create a new profile and apply it.
The Load and Store buttons are not available for Retrieve and Maintenance users.
The Delete and Store options will only display nodes to delete profiles from or store profiles to if the
user has provisioning permission for those nodes. If the user does not have the proper permissions, CTC
greys out the buttons and they are not available to the user.
13.5.2 Alarm Profile Buttons
The Alarm Profiles window displays seven buttons at the bottom of the window. Table 13-7 lists and
describes each of the alarm profile buttons and their functions.
Table 13-7 Alarm Profile Buttons
Button Description
New Creates a new profile.
Load Loads a profile to a node or a file.
Store Saves profiles on a node (or nodes) or in a file.
Delete Deletes profiles from a node.
Compare Displays differences between alarm profiles (for example, individual alarms that
are not configured equivalently between profiles).
Available Displays all profiles available on each node.
Usage Displays all entities (nodes and alarm subjects) present in the network and which
profiles contain the alarm. Can be printed.
13.5.3 Alarm Profile Editing
Table 13-8 lists and describes the five profile-editing options available when you right-click an alarm
item in the profile column.
13.5.4 Alarm Severity Options
To change or assign alarm severity, left-click the alarm severity you want to change in the alarm profile
column. Seven severity levels appear for the alarm:
• Not Reported (NR)
• Not Alarmed (NA)
• Minor (MN)
• Major (MJ)
• Critical (CR)
• Use Default
• Inherited
Inherited and Use Default severity levels only appear in alarm profiles. They do not appear when you
view alarms, history, or conditions.
13.5.5 Row Display Options
The Alarm Profiles window (from network view) or the Alarm Profile Editor (from node view) displays
three check boxes at the bottom of the window:
• Only show service-affecting severities—If unchecked, the editor shows severities in the format
SA / NSA (for example, CR / MN), where the first value is the service-affecting severity and the second
is the non-service-affecting severity. If checked, the editor shows only the service-affecting severity.
• Hide reference values—Highlights alarms with non-default severities by clearing alarm cells with
default severities. This check box is normally greyed out. It becomes active only when more than
one profile is listed in the Alarm Profile Editor window. (The check box text changes to “Hide
Values matching profile Default” in this case.)
• Hide identical rows—Hides rows of alarms that contain the same severity for each profile.
Table 13-8 Alarm Profile Editing Options
Button Description
Store Saves a profile in a node or in a file.
Rename Changes a profile name.
Clone Creates a profile that contains the same alarm severity settings as the profile being cloned.
Reset Restores a profile to its previous state or to the original state (if it has not yet been applied).
Remove Removes a profile from the table editor.
13.5.6 Applying Alarm Profiles
In CTC node view, the Alarm Behavior window displays alarm profiles for the node. In card view, the
Alarm Behavior window displays the alarm profiles for the selected card. Alarm profiles form a
hierarchy. A node-level alarm profile applies to all cards in the node except cards that have their own
profiles. A card-level alarm profile applies to all ports on the card except ports that have their own
profiles.
At the node level, you can apply profile changes on a card-by-card basis or set a profile for the entire
node. At the card-level view, you can apply profile changes on a port-by-port basis or set alarm profiles
for all ports on that card. Figure 13-4 shows the DS1 card alarm profile.
Figure 13-4 DS1 Card Alarm Profile
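The port, card and node hierarchy described in this section, the Inherited and Use Default entries of 13.5.4, and the CR / MN demotion rule of 13.4 combine into a single lookup. The following Python is an added illustration of that lookup, not Cisco or CTC code; the Profile class, the function names and the sample Default profile values are constructed for the example (the real reserved Default profile is the Telcordia GR-474 table).

```python
"""Alarm-profile severity resolution for the ONS 15454 (added illustration, not Cisco/CTC code).

Assumptions: the Profile class, function names and the sample Default values are invented
for this example; the real reserved Default profile is the Telcordia GR-474 table.
"""
from dataclasses import dataclass, field

INHERITED = "Inherited"      # profile entry: take the severity from the next-highest level
USE_DEFAULT = "Use Default"  # profile entry: take the reserved Default profile's severity

# Constructed stand-in for the reserved Default profile (values are illustrative only).
DEFAULT_PROFILE = {"CARLOSS": "MJ", "UNEQ-P": "CR", "LOS": "CR", "AS-MT": "NA"}


@dataclass
class Profile:
    name: str
    severities: dict = field(default_factory=dict)  # cond -> CR/MJ/MN/NA/NR/Inherited/Use Default

    def lookup(self, cond):
        # An alarm the profile does not list behaves as Inherited.
        return self.severities.get(cond, INHERITED)


def resolve_profile_severity(cond, port_profile, card_profile, node_profile):
    """Walk port -> card -> node -> Default (the 13.5.6 hierarchy).

    A port-level profile wins over the card profile, which wins over the node profile;
    Inherited defers upward, Use Default short-circuits to the reserved Default profile.
    """
    for profile in (port_profile, card_profile, node_profile):
        if profile is None:
            continue
        sev = profile.lookup(cond)
        if sev == USE_DEFAULT:
            return DEFAULT_PROFILE[cond]
        if sev != INHERITED:
            return sev
    return DEFAULT_PROFILE[cond]


def effective_severity(profile_sev, *, standby=False, traffic_provisioned=True):
    """13.4 rule: CR and MJ are service-affecting only. On a standby protection entity or
    on an entity with no traffic provisioned, the alarm is raised at MN instead."""
    if profile_sev in ("CR", "MJ") and (standby or not traffic_provisioned):
        return "MN"
    return profile_sev


def profile_pane_label(profile_sev):
    """How the alarm-profile pane shows the two possible levels: 'CR / MN' and 'MJ / MN'."""
    return f"{profile_sev} / MN" if profile_sev in ("CR", "MJ") else profile_sev


if __name__ == "__main__":
    # The 13.5.1 example: a custom card profile downgrades UNEQ-P to NA on one optical card,
    # while the node profile promotes CARLOSS to CR and everything else falls to Default.
    optical = Profile("NoUneqOnOptical", {"UNEQ-P": "NA"})
    node = Profile("NodeProfile", {"CARLOSS": "CR"})
    for cond in ("UNEQ-P", "CARLOSS", "LOS"):
        sev = resolve_profile_severity(cond, None, optical, node)
        print(cond, profile_pane_label(sev), "-> on standby raises", effective_severity(sev, standby=True))
```

The point a practitioner should take from running it: a profile that says CR does not guarantee a CR alarm. Monitoring that keys only on CR/MJ will miss the same fault on a standby side or an unprovisioned port, where it arrives as MN.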
13.6 Alarm Suppression
The following sections explain alarm suppression features for the ONS 15454.
13.6.1 Alarms Suppressed for Maintenance
When you place a port in OOS,MT administrative state, this raises the alarm suppressed for maintenance
(AS-MT) alarm in the Conditions and History windows (1) and causes subsequently raised alarms for that
port to be suppressed.
1. AS-MT can be seen in the Alarms window as well if you have set the Filter dialog box to show NA severity
events.
While the facility is in the OOS,MT state, any alarms or conditions that are raised and suppressed on it
(for example, a transmit failure [TRMT] alarm) are reported in the Conditions window and show their
normal severity in the Sev column. The suppressed alarms are not shown in the Alarms and History
windows. (These windows only show AS-MT). When you place the port back into IS,AINS
administrative state, the AS-MT alarm is resolved in all three windows. Suppressed alarms remain raised
in the Conditions window until they are cleared.
13.6.2 Alarms Suppressed by User Command
In the Provisioning > Alarm Profiles > Alarm Behavior tabs, the ONS 15454 has an alarm suppression
option that clears raised alarm messages for the node, chassis, one or more slots (cards), or one or more
ports. Using this option raises the alarms suppressed by user command (AS-CMD) alarm. The
AS-CMD alarm, like the AS-MT alarm, appears in the Conditions and History windows (1). Suppressed
conditions (including alarms) appear only in the Conditions window, showing their normal severity in
the Sev column. When the Suppress Alarms check box is unchecked, the AS-CMD alarm is cleared from
all three windows.
A suppression command applied at a higher level does not supersede a command applied at a lower level.
For example, applying a node-level alarm suppression command makes all raised alarms for the node
appear to be cleared, but it does not cancel out card-level or port-level suppression. Each of these
conditions can exist independently and must be cleared independently.
Caution Use alarm suppression with caution. If multiple CTC or TL1 sessions are open, suppressing the alarms
in one session suppresses the alarms in all other open sessions.
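To see how AS-MT and AS-CMD interact and which window shows what, here is an added Python model of the rules in 13.6.1 and 13.6.2. It is illustration code, not Cisco or CTC code: the class names, the (node, slot, port) tuple keys and the sample alarms are constructed. One assumption beyond the text is that AS-CMD, like AS-MT, only reaches the Alarms window when the filter is set to show NA severity events.

```python
"""Model of ONS 15454 alarm suppression (13.6.1 and 13.6.2); added illustration, not Cisco/CTC code.

Assumptions: class and function names are invented; suppression state is keyed by
(node,), (node, slot) and (node, slot, port) tuples; the sample alarms are constructed.
AS-CMD is assumed to follow the AS-MT footnote for the Alarms window (visible only when
the filter shows NA events).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Alarm:
    cond: str
    sev: str
    node: str
    slot: Optional[int] = None   # None -> node-level object
    port: Optional[int] = None   # None -> card-level object


@dataclass
class Suppression:
    oos_mt_ports: set = field(default_factory=set)   # (node, slot, port) in OOS,MT   -> AS-MT
    cmd_nodes: set = field(default_factory=set)      # node names with Suppress Alarms -> AS-CMD
    cmd_slots: set = field(default_factory=set)      # (node, slot)                    -> AS-CMD
    cmd_ports: set = field(default_factory=set)      # (node, slot, port)              -> AS-CMD

    def covering(self, a):
        """All suppression entries that cover alarm `a`. A node-level command does not
        replace a card- or port-level one; each stands, and clears, on its own."""
        hits = []
        if a.port is not None and (a.node, a.slot, a.port) in self.oos_mt_ports:
            hits.append(("AS-MT", (a.node, a.slot, a.port)))
        if a.node in self.cmd_nodes:
            hits.append(("AS-CMD", (a.node,)))
        if a.slot is not None and (a.node, a.slot) in self.cmd_slots:
            hits.append(("AS-CMD", (a.node, a.slot)))
        if a.port is not None and (a.node, a.slot, a.port) in self.cmd_ports:
            hits.append(("AS-CMD", (a.node, a.slot, a.port)))
        return hits

    def as_entries(self):
        """One AS-MT / AS-CMD row per suppressed entity (not per suppressed alarm)."""
        rows = [("AS-MT", k) for k in self.oos_mt_ports]
        rows += [("AS-CMD", (n,)) for n in self.cmd_nodes]
        rows += [("AS-CMD", k) for k in self.cmd_slots]
        rows += [("AS-CMD", k) for k in self.cmd_ports]
        return rows


def windows(alarms, sup, filter_shows_na=False):
    """What the Alarms, Conditions and History windows show for the raised `alarms`."""
    as_rows = sup.as_entries()
    visible = [(a.cond, a.sev) for a in alarms if not sup.covering(a)]
    # Conditions: every raised alarm at its normal severity, plus the AS-* rows.
    conditions = [(a.cond, a.sev) for a in alarms] + as_rows
    # Alarms and History: suppressed alarms vanish; only the AS-* rows betray them.
    history = visible + as_rows
    alarms_win = visible + (as_rows if filter_shows_na else [])
    return {"Alarms": alarms_win, "Conditions": conditions, "History": history}


if __name__ == "__main__":
    trmt = Alarm("TRMT", "MJ", "node1", slot=5, port=1)   # constructed sample alarms
    los = Alarm("LOS", "CR", "node1", slot=6, port=2)
    sup = Suppression(oos_mt_ports={("node1", 5, 1)})
    print("port 5/1 in OOS,MT:", windows([trmt, los], sup))
    sup.cmd_nodes.add("node1")                                # node-level Suppress Alarms
    print("plus node-level AS-CMD:", windows([trmt, los], sup))
    sup.cmd_nodes.discard("node1")                            # uncheck it: AS-MT still stands
    print("AS-CMD cleared, AS-MT remains:", windows([trmt, los], sup))
```

Operationally this is why the Caution matters: with a node-level AS-CMD in place the Alarms window of every CTC and TL1 session looks clean, and the only evidence is the AS-CMD row itself in Conditions and History. Treat an unexpected AS-CMD as something to investigate, not as housekeeping.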
13.7 External Alarms and Controls
External alarm inputs can be provisioned on the Alarm Interface Controller-International (AIC-I) card
for external sensors such as open door and flood sensors, temperature sensors, and other
environmental conditions. External control outputs on the AIC-I card allow you to drive external visual
or audible devices such as bells and lights. They can also control other devices such as generators,
heaters, and fans.
You provision external alarms in the AIC-I card view Provisioning > External Alarms tab and controls
in the AIC-I card view Provisioning > External Controls tab. Up to 12 external alarm inputs and four
external controls are available. If you also provision the alarm extension panel (AEP), there are 32 inputs
and 16 outputs.
13.7.1 External Alarms
You can provision each alarm input separately. Provisionable characteristics of external alarm inputs
include:
• Alarm Type—List of alarm types.
• User Defined Alarm Types
• Severity—CR, MJ, MN, NA, and NR.
• Virtual Wire—The virtual wire associated with the alarm.
• Raised When—Open means that the normal condition is to not have current flowing through the
contact, and the alarm is generated when current does flow; closed means that the normal condition
is to have current flowing through the contact, and the alarm is generated when current stops
flowing.
• Description—CTC alarm log description (up to 63 characters).
Note If you provision an external alarm to raise when a contact is open, and you have not attached the
alarm cable, the alarm will remain raised until the alarm cable is connected.
Note When you provision an external alarm, the alarm object is ENV-IN-nn. The variable nn refers to
the external alarm’s number, regardless of the name you assign.
13.7.2 User Defined Alarm Types
User Defined Alarm Types allows you to dynamically add and delete the alarm types. In addition to the
existing hard coded alarm type attributes, you can define up to 50 alarm types. These dynamically added
alarm types can be associated, or disassociated, to any external alarm input and the added alarm type can
use the same behavior as hard coded alarm type attributes.
The following limits and guidelines apply:
• An AIC or AIC-I card must be installed
• Up to 50 Alarm Types can be defined
• The User Defined name can be up to 20 alphanumeric characters (uppercase).
• The User Defined name cannot contain special characters or spaces (the hyphen (-) is allowed).
13.7.3 External Controls
You can provision each alarm output separately. Provisionable characteristics of alarm outputs include:
• Control type.
• Trigger type (alarm or virtual wire).
• Description for CTC display.
• Closure setting (manually or by trigger). If you provision the output closure to be triggered, the
following characteristics can be used as triggers:
– Local NE alarm severity—A chosen alarm severity (for example, major) and any higher-severity
alarm (in this case, critical) causes output closure.
– Remote NE alarm severity—Similar to local NE alarm severity trigger setting, but applies to
remote alarms.
– Virtual wire entities—You can provision an alarm that is input to a virtual wire to trigger an
external control output.
Chapter 14 Management Network Connectivity
This chapter provides an overview of ONS 15454 data communications network (DCN) connectivity.
Cisco Optical Networking System (ONS) network communication is based on IP, including
communication between Cisco Transport Controller (CTC) computers and ONS 15454 nodes, and
communication among networked ONS 15454 nodes. The chapter provides scenarios showing Cisco
ONS 15454 nodes in common IP network configurations as well as information about provisionable
patchcords, the IP routing table, external firewalls, and open gateway network element (GNE) networks.
Although ONS 15454 DCN communication is based on IP, ONS 15454 nodes can be networked to
equipment that is based on the Open System Interconnection (OSI) protocol suites. This chapter also
describes the ONS 15454 OSI implementation and provides scenarios that show how the ONS 15454 can
be networked within a mixed IP and OSI environment.
Note This chapter does not provide a comprehensive explanation of IP networking concepts and procedures,
nor does it provide IP addressing examples to meet all networked scenarios. For ONS 15454 networking
setup instructions, refer to the “Turn Up a Node” chapter of the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 14.1 IP Networking Overview, page 14-2
• 14.2 IP Addressing Scenarios, page 14-2
• 14.3 Routing Table, page 14-24
• 14.4 External Firewalls, page 14-25
• 14.5 Open GNE, page 14-27
• 14.6 TCP/IP and OSI Networking, page 14-29
• 14.7 IPv6 Network Compatibility, page 14-62
• 14.8 IPv6 Native Support, page 14-62
• 14.9 FTP Support for ENE Database Backup, page 14-64
Note To connect ONS 15454s to an IP network, you must work with a LAN administrator or other individual
at your site who has IP networking training and experience.
14.1 IP Networking Overview
ONS 15454s can be connected in many different ways within an IP environment:
• They can be connected to LANs through direct connections or a router.
• IP subnetting can create multiple logical ONS 15454 networks within a single Class A, B, or C IP
network. If you do not subnet, you will only be able to use one network from your Class A, B, or C
network.
• Different IP functions and protocols can be used to achieve specific network goals. For example,
Proxy Address Resolution Protocol (ARP) enables one LAN-connected ONS 15454 to serve as a
gateway for ONS 15454s that are not connected to the LAN.
• Static routes can be created to enable connections among multiple CTC sessions with ONS 15454s
that reside on the same subnet.
• ONS 15454s can be connected to Open Shortest Path First (OSPF) networks so that ONS 15454
network information is automatically communicated across multiple LANs and WANs.
• The ONS 15454 SOCKS (network proxy protocol) proxy server can control the visibility and
accessibility between CTC computers and ONS 15454 element nodes.
14.2 IP Addressing Scenarios
ONS 15454 IP addressing generally has nine common scenarios or configurations. Use the scenarios as
building blocks for more complex network configurations. Table 14-1 provides a general list of items to
check when setting up ONS 15454 nodes in IP networks.
The TCC2P card secure mode option allows two IP addresses to be provisioned for the node: one for the
backplane LAN port and one for the TCC2P LAN (TCP/IP) port. Secure mode IP addressing examples
are provided in the “14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on
page 14-20. IP addresses shown in the other scenarios assume that secure mode is not enabled. If secure
mode is enabled, the IP addresses shown in the examples apply to the backplane LAN port. See the
“14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on page 14-20 for information
about secure mode, repeater (single IP address) mode, and configuration locks.
Table 14-1 General ONS 15454 IP Troubleshooting Checklist
Item What to Check
Link integrity Verify that link integrity exists between:
• CTC computer and network hub/switch
• ONS 15454s (backplane wire-wrap pins or RJ-45 port) and network hub/switch
• Router ports and hub/switch ports
ONS 15454 hub/switch ports If connectivity problems occur, set the hub or switch port that is connected to
the ONS 15454 to 10 Mbps half-duplex.
Ping Ping the node to test connections between computers and ONS 15454s.
IP addresses/subnet masks Verify that ONS 15454 IP addresses and subnet masks are set up correctly.
Optical connectivity Verify that ONS 15454 optical trunk (span) ports are in service and that a DCC
is enabled on each trunk port.
14.2.1 IP Scenario 1: CTC and ONS 15454s on Same Subnet
IP Scenario 1 shows a basic ONS 15454 LAN configuration (Figure 14-1). The ONS 15454s and CTC
computer reside on the same subnet. All ONS 15454s connect to LAN A, and all ONS 15454s have DCC
connections.
Figure 14-1 IP Scenario 1: CTC and ONS 15454s on Same Subnet
14.2.2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router
In IP Scenario 2 the CTC computer resides on a subnet (192.168.1.0) and attaches to LAN A
(Figure 14-2). The ONS 15454s reside on a different subnet (192.168.2.0) and attach to LAN B. A router
connects LAN A to LAN B. The IP address of router interface A is set to LAN A (192.168.1.1), and the
IP address of router interface B is set to LAN B (192.168.2.1).
On the CTC computer, the default gateway is set to router interface A. If the LAN uses Dynamic Host
Configuration Protocol (DHCP), the default gateway and IP address are assigned automatically. In the
Figure 14-2 example, a DHCP server is not available.
[Figure 14-1 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A,
host routes N/A; ONS 15454 #1 192.168.1.10, #2 192.168.1.20, #3 192.168.1.30, each with subnet mask
255.255.255.0, default router N/A, static routes N/A; all attach to LAN A, and the nodes are joined in a
SONET ring.]
Figure 14-2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router
14.2.3 IP Scenario 3: Using Proxy ARP to Enable an ONS 15454 Gateway
ARP matches higher-level IP addresses to the physical addresses of the destination host. It uses a lookup
table (called ARP cache) to perform the translation. When the address is not found in the ARP cache, a
broadcast is sent out on the network with a special format called the ARP request. If one of the machines
on the network recognizes its own IP address in the request, it sends an ARP reply back to the requesting
host. The reply contains the physical hardware address of the receiving host. The requesting host stores
this address in its ARP cache so that all subsequent datagrams (packets) to this destination IP address
can be translated to a physical address.
Proxy ARP enables one LAN-connected ONS 15454 to respond to the ARP request for ONS 15454s not
connected to the LAN. (ONS 15454 proxy ARP requires no user configuration.) For this to occur, the
DCC-connected ONS 15454s must reside on the same subnet. When a LAN device sends an ARP request
to an ONS 15454 that is not connected to the LAN, the gateway ONS 15454 returns its MAC address to
the LAN device. The LAN device then sends the datagram for the remote ONS 15454 to the MAC
address of the proxy ONS 15454. The proxy ONS 15454 uses its routing table to forward the datagram
to the non-LAN ONS 15454.
[Figure 14-2 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.1, host routes N/A, on LAN A; Router with interface "A" to LAN A 192.168.1.1 and interface "B"
to LAN B 192.168.2.1, subnet mask 255.255.255.0, default router N/A, host routes N/A; ONS 15454 #1
192.168.2.10, #2 192.168.2.20, #3 192.168.2.30, each with subnet mask 255.255.255.0, default router
192.168.2.1, static routes N/A, on LAN B; the nodes are joined in a SONET ring.]
IP Scenario 3 is similar to IP Scenario 1, but only one ONS 15454 (1) connects to the LAN (Figure 14-3).
Two ONS 15454s (2 and 3) connect to ONS 15454 1 through the SONET DCC. Because all three
ONS 15454s are on the same subnet, proxy ARP enables ONS 15454 1 to serve as a gateway for
ONS 15454 2 and 3.
Note This scenario assumes all CTC connections are to Node 1. If you connect a laptop to either ONS 15454
2 or 3, network partitioning occurs; neither the laptop nor the CTC computer can see all nodes. If you
want laptops to connect directly to end network elements, you must create static routes (see “14.2.5 IP
Scenario 5: Using Static Routes to Connect to LANs” section on page 14-7) or enable the ONS 15454
SOCKS proxy server (see “14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server”
section on page 14-12).
Figure 14-3 IP Scenario 3: Using Proxy ARP
You can also use proxy ARP to communicate with hosts attached to the craft Ethernet ports of
DCC-connected nodes (Figure 14-4). The node with an attached host must have a static route to the host.
Static routes are propagated to all DCC peers using OSPF. The existing proxy ARP node is the gateway
for additional hosts. Each node examines its routing table for routes to hosts that are not connected to
the DCC network but are within the subnet. The existing proxy server replies to ARP requests for these
additional hosts with the node MAC address. The existence of the host route in the routing table ensures
that the IP packets addressed to the additional hosts are routed properly. Other than establishing a static
route between a node and an additional host, no provisioning is necessary. The following restrictions
apply:
• Only one node acts as the proxy ARP server for any given additional host.
• A node cannot be the proxy ARP server for a host connected to its Ethernet port.
[Figure 14-3 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A, on
LAN A; ONS 15454 #1 192.168.1.10 (on LAN A), #2 192.168.1.20, #3 192.168.1.30, each with subnet mask
255.255.255.0, default router N/A, static routes N/A; the nodes are joined in a SONET ring.]
In Figure 14-4, Node 1 announces to Nodes 2 and 3 that it can reach the CTC host. Similarly, Node 3
announces that it can reach the ONS 152xx. The ONS 152xx is shown as an example; any network
element (NE) can be set up as an additional host.
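The proxy ARP decision described above, as an added Python example that is not part of the Cisco manual: it encodes the same-subnet requirement, the two restrictions, and the OSPF-propagated host routes of Figure 14-4, and evaluates them from each node's own point of view (the Node class and helper names are assumptions).

```python
"""Proxy ARP decision for a DCC-connected ONS 15454 ring (Figure 14-4 addresses).

Added example, not Cisco code: models when a node answers an ARP request on
behalf of a node or host it can reach over the DCC, and when the two
restrictions in the text stop it from answering.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    address: str                                   # e.g. "192.168.1.10/24"
    dcc_peers: set = field(default_factory=set)    # node IPs reachable over the SONET DCC
    lan_hosts: set = field(default_factory=set)    # hosts on this node's own Ethernet port
    # host routes learned from DCC peers via OSPF: destination -> advertising node IP
    host_routes: dict = field(default_factory=dict)

    @property
    def ip(self):
        return ipaddress.ip_interface(self.address).ip

    @property
    def subnet(self):
        return ipaddress.ip_interface(self.address).network


def answers_arp_for(node: Node, target: str) -> bool:
    """True if `node` replies with its own MAC to an ARP request for `target`."""
    target_ip = ipaddress.ip_address(target)
    if target_ip == node.ip:
        return True                      # ordinary ARP for its own address
    if target_ip not in node.subnet:
        return False                     # proxy ARP requires the same subnet
    if target_ip in node.lan_hosts:
        return False                     # rule: never for a host on its own Ethernet port
    if target_ip in node.dcc_peers:
        return True                      # a DCC-connected ONS 15454
    via = node.host_routes.get(target_ip)
    # additional host: its static route was advertised by another DCC peer
    return via is not None and via in node.dcc_peers


def build_figure_14_4():
    """Nodes 1 and 3 and the ONS 152xx host attached to Node 3 (addresses from Figure 14-4)."""
    n1, n2, n3 = (ipaddress.ip_address(a) for a in ("192.168.1.10", "192.168.1.20", "192.168.1.30"))
    ctc = ipaddress.ip_address("192.168.1.100")
    ons152xx = ipaddress.ip_address("192.168.1.31")
    # Each node's static host route is propagated to every DCC peer via OSPF.
    routes = {ctc: n1, ons152xx: n3}
    node1 = Node("Node 1", "192.168.1.10/24", {n2, n3}, {ctc}, routes)
    node3 = Node("Node 3", "192.168.1.30/24", {n1, n2}, {ons152xx}, routes)
    return node1, node3


def proxy_table(node: Node, targets):
    """Map each target address to whether `node` would answer ARP for it."""
    return {t: answers_arp_for(node, t) for t in targets}


if __name__ == "__main__":
    node1, node3 = build_figure_14_4()
    targets = ["192.168.1.20", "192.168.1.31", "192.168.1.100", "192.168.2.5"]
    for node in (node1, node3):
        print(node.name, proxy_table(node, targets))
```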
Figure 14-4 IP Scenario 3: Using Proxy ARP with Static Routing
14.2.4 IP Scenario 4: Default Gateway on a CTC Computer
IP Scenario 4 is similar to IP Scenario 3, but Nodes 2 and 3 reside on different subnets, 192.168.2.0 and
192.168.3.0, respectively (Figure 14-5). Node 1 and the CTC computer are on subnet 192.168.1.0. Proxy
ARP is not used because the network includes different subnets. For the CTC computer to communicate
with Nodes 2 and 3, Node 1 is entered as the default gateway on the CTC computer.
[Figure 14-4 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A, on
LAN A; ONS 15454 #1 192.168.1.10, subnet mask 255.255.255.0 (on LAN A), default router N/A, static route
destination 192.168.1.100 mask 255.255.255.255 next hop 192.168.1.10; ONS 15454 #2 192.168.1.20, subnet
mask 255.255.255.0, default router N/A, static routes N/A; ONS 15454 #3 192.168.1.30, subnet mask
255.255.255.0, default router N/A, static route destination 192.168.1.31 mask 255.255.255.255 next hop
192.168.1.30; ONS 152xx 192.168.1.31, subnet mask 255.255.255.0, attached to ONS 15454 #3; the nodes are
joined in a SONET ring.]
Figure 14-5 IP Scenario 4: Default Gateway on a CTC Computer
14.2.5 IP Scenario 5: Using Static Routes to Connect to LANs
Static routes are used for two purposes:
• To connect ONS 15454s to CTC sessions on one subnet connected by a router to ONS 15454s
residing on another subnet. (These static routes are not needed if OSPF is enabled. “14.2.6 IP
Scenario 6: Using OSPF” section on page 14-10 shows an OSPF example.)
• To enable multiple CTC sessions among ONS 15454s residing on the same subnet.
In Figure 14-6, one CTC residing on subnet 192.168.1.0 connects to a router through interface A. (The
router is not set up with OSPF.) ONS 15454s residing on different subnets are connected through Node
1 to the router through interface B. Because Nodes 2 and 3 are on different subnets, proxy ARP does not
enable Node 1 as a gateway. To connect to the CTC computer on LAN A (subnet 192.168.1.0), you must
create a static route on Node 1. You must also manually add static routes between the CTC computer on
LAN A and Nodes 2 and 3 because these nodes are on different subnets.
[Figure 14-5 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.10, host routes N/A, on LAN A; ONS 15454 #1 192.168.1.10, #2 192.168.2.20, #3 192.168.3.30, each
with subnet mask 255.255.255.0, default router N/A, static routes N/A; the nodes are joined in a SONET
ring.]
Figure 14-6 IP Scenario 5: Static Route With One CTC Computer Used as a Destination
The destination and subnet mask entries control access to the ONS 15454s:
• If a single CTC computer is connected to a router, enter the complete CTC “host route” IP address
as the destination with a subnet mask of 255.255.255.255.
• If CTC computers on a subnet are connected to a router, enter the destination subnet (in this example,
192.168.1.0) and a subnet mask of 255.255.255.0.
• If all CTC computers are connected to a router, enter a destination of 0.0.0.0 and a subnet mask of
0.0.0.0. Figure 14-7 shows an example.
The IP address of router interface B is entered as the next hop, and the cost (number of hops from source
to destination) is 2. You must manually add static routes between the CTC computers on LAN A, B, and
C and Nodes 2 and 3 because these nodes are on different subnets.
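Added example (not Cisco code) showing how the three destination/mask choices above change which CTC computers Node 1 can route back to: it builds the static route each choice produces and runs a longest-prefix-match lookup over constructed candidate CTC addresses. It assumes Node 1 has no default router, so the static route alone decides reachability.

```python
"""Static route scope on an ONS 15454 node (Scenario 5 addresses).

Added example, not Cisco code. Assumption: Node 1 (192.168.2.10/24) has no
default router, so only its static route provides a path back to LAN A.
"""
import ipaddress
from dataclasses import dataclass, field

ROUTER_INTERFACE_B = "192.168.2.1"   # next hop for Node 1 (Figure 14-6)


@dataclass(frozen=True)
class StaticRoute:
    destination: str
    mask: str
    next_hop: str
    cost: int = 2                       # cost 2 as in Figure 14-6

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.mask}", strict=False)


@dataclass
class Node:
    address: str                                  # e.g. "192.168.2.10/24"
    static_routes: list = field(default_factory=list)

    @property
    def connected(self):
        return ipaddress.ip_interface(self.address).network


def route_for(layout: str) -> StaticRoute:
    """Static route on Node 1 for the three CTC layouts described in the text."""
    if layout == "single-ctc":          # one CTC computer behind the router: host route
        return StaticRoute("192.168.1.100", "255.255.255.255", ROUTER_INTERFACE_B)
    if layout == "ctc-subnet":          # CTC computers on one subnet
        return StaticRoute("192.168.1.0", "255.255.255.0", ROUTER_INTERFACE_B)
    if layout == "all-ctc":             # every CTC computer is behind the router
        return StaticRoute("0.0.0.0", "0.0.0.0", ROUTER_INTERFACE_B)
    raise ValueError(layout)


def lookup(node: Node, dst: str):
    """Longest-prefix match: returns (next_hop, cost) or None when unroutable."""
    ip = ipaddress.ip_address(dst)
    if ip in node.connected:
        return (dst, 0)                 # directly connected, no static route needed
    best = None
    for r in node.static_routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return (best.next_hop, best.cost) if best else None


def reachable(node: Node, hosts):
    """Candidate hosts for which the node has a route."""
    return sorted(h for h in hosts if lookup(node, h) is not None)


# Constructed CTC addresses: the page's 192.168.1.100 plus two other candidates.
CANDIDATE_CTC = ["192.168.1.100", "192.168.1.101", "192.168.5.10"]


def reachable_by_layout():
    """Which candidate CTC hosts Node 1 can route back to under each layout."""
    result = {}
    for layout in ("single-ctc", "ctc-subnet", "all-ctc"):
        node1 = Node("192.168.2.10/24", [route_for(layout)])
        result[layout] = reachable(node1, CANDIDATE_CTC)
    return result


if __name__ == "__main__":
    for layout, hosts in reachable_by_layout().items():
        print(f"{layout:12s} -> {hosts}")
```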
[Figure 14-6 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.1, host routes N/A, on LAN A; Router with interface "A" to LAN A 192.168.1.1 and interface "B"
to LAN B 192.168.2.1, subnet mask 255.255.255.0, static routes to destination 192.168.3.0 mask
255.255.255.0 next hop 192.168.2.10 and to destination 192.168.4.0 mask 255.255.255.0 next hop
192.168.2.10; ONS 15454 #1 192.168.2.10, subnet mask 255.255.255.0 (on LAN B), default router 192.168.2.1,
static route destination 192.168.1.0 mask 255.255.255.0 next hop 192.168.2.1 cost 2; ONS 15454 #2
192.168.3.20 and #3 192.168.4.30, each with subnet mask 255.255.255.0, default router N/A, static routes
N/A; the nodes are joined in a SONET ring.]
Figure 14-7 IP Scenario 5: Static Route With Multiple LAN Destinations
[Figure 14-7 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.1, host routes N/A, on LAN A; Router #1 with interface "A" to LAN A 192.168.1.1 and interface
"B" to LAN B 192.168.2.1, subnet mask 255.255.255.0, static route destination 192.168.0.0 mask
255.255.255.0 next hop 192.168.2.10; Router #2 with interfaces to LAN A 192.168.1.10 and to LAN C
192.168.5.1, subnet mask 255.255.255.0, static route destination 192.168.0.0 mask 255.255.255.0 next hop
192.168.1.1; Router #3 with interfaces to LAN C 192.168.5.10 and to LAN D 192.168.6.1, subnet mask
255.255.255.0, static routes to destination 192.168.0.0 mask 255.255.255.0 next hop 192.168.5.1 and to
destination 192.168.4.0 mask 255.255.255.0 next hop 192.168.5.1; ONS 15454 #1 192.168.2.10, subnet mask
255.255.255.0 (on LAN B), default router 192.168.2.1, static route destination 0.0.0.0 mask 0.0.0.0 next
hop 192.168.2.1 cost 2; ONS 15454 #2 192.168.3.20 and #3 192.168.4.30, each with subnet mask
255.255.255.0, default router N/A, static routes N/A; the nodes are joined in a SONET ring.]
14.2.6 IP Scenario 6: Using OSPF
Open Shortest Path First (OSPF) is a link state Internet routing protocol. Link state protocols use a “hello
protocol” to monitor their links with adjacent routers and to test the status of their links to their
neighbors. Link state protocols advertise their directly connected networks and their active links. Each
link state router captures the link state “advertisements” and puts them together to create a topology of
the entire network or area. From this database, the router calculates a routing table by constructing a
shortest path tree. Routes are recalculated when topology changes occur.
ONS 15454s use the OSPF protocol in internal ONS 15454 networks for node discovery, circuit routing,
and node management. You can enable OSPF on the ONS 15454s so that the ONS 15454 topology is
sent to OSPF routers on a LAN. Advertising the ONS 15454 network topology to LAN routers
eliminates the need to manually enter static routes for ONS 15454 subnetworks. Figure 14-8 shows a
network enabled for OSPF. Figure 14-9 shows the same network without OSPF. Static routes must be
manually added to the router for CTC computers on LAN A to communicate with Nodes 2 and 3 because
these nodes reside on different subnets.
OSPF divides networks into smaller regions, called areas. An area is a collection of networked end
systems, routers, and transmission facilities organized by traffic patterns. Each OSPF area has a unique
ID number, known as the area ID. Every OSPF network has one backbone area called “area 0.” All other
OSPF areas must connect to area 0.
When you enable an ONS 15454 OSPF topology for advertising to an OSPF network, you must assign
an OSPF area ID in decimal format to the ONS 15454 network. Coordinate the area ID number
assignment with your LAN administrator. All DCC-connected ONS 15454s should be assigned the same
OSPF area ID.
Figure 14-8 IP Scenario 6: OSPF Enabled
[Figure 14-8 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.1, host routes N/A, on LAN A; Router with interface "A" to LAN A 192.168.1.1 and interface "B"
to LAN B 192.168.2.1, subnet mask 255.255.255.0; ONS 15454 #1 192.168.2.10, subnet mask 255.255.255.0 (on
LAN B), default router 192.168.2.1, static routes N/A; ONS 15454 #2 192.168.3.20 and #3 192.168.4.30, each
with subnet mask 255.255.255.0, default router N/A, static routes N/A; the nodes are joined in a SONET
ring.]
Figure 14-9 IP Scenario 6: OSPF Not Enabled
14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server
The ONS 15454 SOCKS proxy is an application that allows an ONS 15454 node to serve as an internal
gateway between a private enterprise network and the ONS 15454 network. (SOCKS is a standard proxy
protocol for IP-based applications developed by the Internet Engineering Task Force.) Access is allowed
from the private network to the ONS 15454 network, but access is denied from the ONS 15454 network
to the private network. For example, you can set up a network so that field technicians and network
operations center (NOC) personnel can both access the same ONS 15454s while preventing the field
technicians from accessing the NOC LAN. To do this, one ONS 15454 is provisioned as a gateway
network element (GNE) and the other ONS 15454s are provisioned as end network elements (ENEs).
The GNE ONS 15454 tunnels connections between CTC computers and ENE ONS 15454s, providing
management capability while preventing access for non-ONS 15454 management purposes.
[Figure 14-9 labels: CTC Workstation 192.168.1.100, subnet mask 255.255.255.0, default gateway
192.168.1.1, host routes N/A, on LAN A; Router with interface "A" to LAN A 192.168.1.1 and interface "B"
to LAN B 192.168.2.1, subnet mask 255.255.255.0, static routes to destination 192.168.3.20 next hop
192.168.2.10 and to destination 192.168.4.30 next hop 192.168.2.10; ONS 15454 #1 192.168.2.10, subnet mask
255.255.255.0 (on LAN B), default router 192.168.2.1, static route destination 192.168.1.100 mask
255.255.255.255 next hop 192.168.2.1 cost 2; ONS 15454 #2 192.168.3.20 and #3 192.168.4.30, each with
subnet mask 255.255.255.0, default router N/A, static routes N/A; the nodes are joined in a SONET ring.]
The ONS 15454 gateway setting performs the following tasks:
• Isolates DCC IP traffic from Ethernet (craft port) traffic and accepts packets based on filtering rules.
The filtering rules (see Table 14-3 on page 14-17 and Table 14-4 on page 14-18) depend on whether
the packet arrives at the ONS 15454 DCC or the TCC2/TCC2P Ethernet interface.
• Processes Simple Network Time Protocol (SNTP) and Network Time Protocol (NTP) requests.
ONS 15454 ENEs can derive time-of-day from an SNTP/NTP LAN server through the GNE
ONS 15454.
• Processes Simple Network Management Protocol version 1 (SNMPv1) traps. The GNE ONS 15454
receives SNMPv1 traps from the ENE ONS 15454s and forwards or relays the traps to SNMPv1 trap
destinations or ONS 15454 SNMP relay nodes.
The ONS 15454 SOCKS proxy server is provisioned using the Enable SOCKS proxy server on port
check box on the Provisioning > Network > General tab (Figure 14-10).
Figure 14-10 SOCKS Proxy Server Gateway Settings
If checked, the ONS 15454 serves as a proxy for connections between CTC clients and ONS 15454s that
are DCC-connected to the proxy ONS 15454. The CTC client establishes connections to DCC-connected
nodes through the proxy node. The CTC client can connect to nodes that it cannot directly reach from
the host on which it runs. If not selected, the node does not proxy for any CTC clients, although any
established proxy connections continue until the CTC client exits. In addition, you can set the SOCKS
proxy server as an ENE or a GNE:
• External Network Element (ENE)—If set as an ENE, the ONS 15454 neither installs nor advertises
default or static routes. CTC computers can communicate with the ONS 15454 using the
TCC2/TCC2P craft port, but they cannot communicate directly with any other DCC-connected
ONS 15454.
In addition, firewall is enabled, which means that the node prevents IP traffic from being routed
between the DCC and the LAN port. The ONS 15454 can communicate with machines connected to
the LAN port or connected through the DCC. However, the DCC-connected machines cannot
communicate with the LAN-connected machines, and the LAN-connected machines cannot
communicate with the DCC-connected machines. A CTC client using the LAN to connect to the
firewall-enabled node can use the proxy capability to manage the DCC-connected nodes that would
otherwise be unreachable. A CTC client connected to a DCC-connected node can only manage other
DCC-connected nodes and the firewall itself.
• Gateway Network Element (GNE)—If set as a GNE, the CTC computer is visible to other
DCC-connected nodes and firewall is enabled.
• Proxy-only—If Proxy-only is selected, firewall is not enabled. CTC can communicate with any
other DCC-connected ONS 15454s.
Note If you launch CTC against a node through a Network Address Translation (NAT) or Port Address
Translation (PAT) router and that node does not have proxy enabled, your CTC session starts and initially
appears to be fine. However, CTC never receives alarm updates and disconnects and reconnects every
two minutes. If the proxy is accidentally disabled, it is still possible to enable the proxy during a
reconnect cycle and recover your ability to manage the node, even through a NAT/PAT firewall.
Note ENEs that belong to different private subnetworks do not need to have unique IP addresses. Two ENEs
that are connected to different GNEs can have the same IP address. However, ENEs that connect to the
same GNE must always have unique IP addresses.
Figure 14-11 shows an ONS 15454 SOCKS proxy server implementation. A GNE ONS 15454 is
connected to a central office LAN and to ENE ONS 15454s. The central office LAN is connected to a
NOC LAN, which has CTC computers. Both the NOC CTC computer and the craft technicians must be
able to access the ONS 15454 ENEs. However, the craft technicians must be prevented from accessing
or seeing the NOC or central office LANs.
In the example, the ONS 15454 GNE is assigned an IP address within the central office LAN and is
physically connected to the LAN through its LAN port. ONS 15454 ENEs are assigned IP addresses that
are outside the central office LAN and are given private network IP addresses. If the ONS 15454 ENEs
are collocated, the craft LAN ports could be connected to a hub. However, the hub should have no other
network connections.
Figure 14-11 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on the Same
Subnet
Table 14-2 shows recommended settings for ONS 15454 GNEs and ENEs in the configuration shown in
Figure 14-11.
Figure 14-12 shows the same SOCKS proxy server implementation with ONS 15454 ENEs on different
subnets. Figure 14-13 on page 14-17 shows the implementation with ONS 15454 ENEs in multiple
rings. In each example, ONS 15454 GNEs and ENEs are provisioned with the settings shown in
Table 14-2.
[Figure 14-11 labels: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A with interface 0/0 10.10.20.1
and interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs
10.10.10.250/24, 10.10.10.150/24, and 10.10.10.200/24; Local/Craft CTC 10.10.10.50; Ethernet and SONET
links.]
Table 14-2 ONS 15454 Gateway and End NE Settings
Setting | ONS 15454 Gateway NE | ONS 15454 End NE
OSPF | Off | Off
SNTP server (if used) | SNTP server IP address | Set to ONS 15454 GNE IP address
SNMP (if used) | SNMPv1 trap destinations | Set SNMPv1 trap destinations to ONS 15454 GNE, port 391
Figure 14-12 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on Different
Subnets
[Figure 14-12 labels: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A with interface 0/0 10.10.20.1
and interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs
192.168.10.250/24, 192.168.10.150/24, and 192.168.10.200/24; Local/Craft CTC 192.168.10.20; Ethernet and
SONET links.]
Figure 14-13 IP Scenario 7: ONS 15454 SOCKS Proxy Server With ENEs on Multiple Rings
Table 14-3 shows the rules that the ONS 15454 follows to filter packets for the firewall when nodes are
configured as ENEs and GNEs.
If the packet is addressed to the ONS 15454 node, additional rules, shown in Table 14-4, are applied.
Rejected packets are silently discarded.
[Figure 14-13 labels: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A with interface 0/0 10.10.20.1
and interface 0/1 10.10.10.1 on 10.10.10.0/24; first ring: ONS 15454 GNE 10.10.10.100/24 with ENEs
192.168.10.250/24, 192.168.10.150/24, and 192.168.10.200/24; second ring: ONS 15454 GNE 10.10.10.200/24
with ENEs 192.168.80.250/24, 192.168.60.150/24, and 192.168.70.200/24; Ethernet and SONET links.]
Table 14-3 SOCKS Proxy Server Firewall Filtering Rules
Packets arriving at the TCC2/TCC2P Ethernet interface are accepted if the destination IP address is:
• The ONS 15454 node itself
• The ONS 15454 node’s subnet broadcast address
• Within the 224.0.0.0/8 network (reserved network used for standard multicast messages)
• Subnet mask = 255.255.255.255
Packets arriving at the DCC interface are accepted if the destination IP address is:
• The ONS 15454 node itself
• Any destination connected through another DCC interface
• Within the 224.0.0.0/8 network
If you implement the SOCKS proxy server, note that all DCC-connected ONS 15454s on the same
Ethernet segment must have the same gateway setting. Mixed values produce unpredictable results, and
might leave some nodes unreachable through the shared Ethernet segment.
If nodes become unreachable, correct the setting with one of the following actions:
• Disconnect the craft computer from the unreachable ONS 15454. Connect to the ONS 15454
through another network ONS 15454 that has a DCC connection to the unreachable ONS 15454.
• Disconnect all DCCs to the node by disabling them on neighboring nodes. Connect a CTC computer
directly to the ONS 15454 and change its provisioning.
14.2.8 IP Scenario 8: Dual GNEs on a Subnet
The ONS 15454 provides GNE load balancing, which allows CTC to reach ENEs over multiple GNEs
without the ENEs being advertised over OSPF. This feature allows a network to quickly recover from
the loss of a GNE, even if the GNE is on a different subnet. If a GNE fails, all connections through that
GNE fail. CTC disconnects from the failed GNE and from all ENEs for which the GNE was a proxy, and
then reconnects through the remaining GNEs. GNE load balancing reduces the dependency on the launch
GNE and DCC bandwidth, both of which enhance CTC performance. Figure 14-14 shows a network with
dual GNEs on the same subnet.
Table 14-4 SOCKS Proxy Server Firewall Filtering Rules When Packet Addressed to the ONS 15454
Packets arriving at the TCC2/TCC2P Ethernet interface
Accepts:
• All UDP (1) packets except those in the Rejects column
Rejects:
• UDP packets addressed to the SNMP trap relay port (391)
Packets arriving at the DCC interface
Accepts:
• All UDP packets
• All TCP (2) protocols except packets addressed to the Telnet and SOCKS proxy server ports
• OSPF packets
• ICMP (3) packets
Rejects:
• TCP packets addressed to the Telnet port
• TCP packets addressed to the SOCKS proxy server port
• All packets other than UDP, TCP, OSPF, ICMP
1. UDP = User Datagram Protocol
2. TCP = Transmission Control Protocol
3. ICMP = Internet Control Message Protocol
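A Python model of the filtering rules in Tables 14-3 and 14-4, added here as an example and not Cisco code. It assumes the standard Telnet (23) and SOCKS (1080) ports, which this page does not state, reads the Table 14-3 entry "Subnet mask = 255.255.255.255" as the limited broadcast address, and runs constructed sample packets through the GNE of Figure 14-12.

```python
"""Model of the SOCKS proxy firewall filtering rules in Tables 14-3 and 14-4.

Added example, not Cisco code. Table 14-3 decides whether a packet is accepted
at all; Table 14-4 is applied only to packets addressed to the node itself.
Assumptions: Telnet port 23 and SOCKS port 1080 (standard ports, not given on
this page); "Subnet mask = 255.255.255.255" in Table 14-3 is read as the
limited broadcast address; GNE/ENE addresses are from Figure 14-12 and the
DCC-reachable set is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NODE = ipaddress.ip_interface("10.10.10.100/24")          # GNE, Figure 14-12
DCC_REACHABLE = {ipaddress.ip_address(a) for a in
                 ("192.168.10.250", "192.168.10.150", "192.168.10.200")}  # ENEs
MULTICAST = ipaddress.ip_network("224.0.0.0/8")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
SNMP_TRAP_RELAY_PORT = 391          # Table 14-4
TELNET_PORT = 23                    # assumption: standard Telnet port
SOCKS_PORT = 1080                   # assumption: standard SOCKS port


@dataclass(frozen=True)
class Packet:
    arrived_at: str                 # "ethernet" (TCC2/TCC2P port) or "dcc"
    dst: str
    proto: str                      # "udp", "tcp", "ospf", "icmp" or other
    dport: Optional[int] = None


def table_14_3_accepts(pkt: Packet) -> bool:
    """Destination-based rule: may this packet enter the node at all?"""
    dst = ipaddress.ip_address(pkt.dst)
    if dst == NODE.ip or dst in MULTICAST:
        return True
    if pkt.arrived_at == "ethernet":
        return dst in (NODE.network.broadcast_address, LIMITED_BROADCAST)
    if pkt.arrived_at == "dcc":
        return dst in DCC_REACHABLE       # forwarded out another DCC interface
    return False


def table_14_4_accepts(pkt: Packet) -> bool:
    """Protocol/port rule for packets addressed to the node itself."""
    if pkt.arrived_at == "ethernet":
        if pkt.proto == "udp":
            return pkt.dport != SNMP_TRAP_RELAY_PORT   # trap relay port is LAN-rejected
        return True   # the page lists no Ethernet rule for non-UDP traffic; passed through
    if pkt.arrived_at == "dcc":
        if pkt.proto == "udp":
            return True
        if pkt.proto == "tcp":
            return pkt.dport not in (TELNET_PORT, SOCKS_PORT)
        return pkt.proto in ("ospf", "icmp")   # everything else is rejected
    return False


def filter_packet(pkt: Packet) -> str:
    """Return "accept" or "reject"; rejected packets are silently discarded."""
    if not table_14_3_accepts(pkt):
        return "reject"
    if ipaddress.ip_address(pkt.dst) == NODE.ip and not table_14_4_accepts(pkt):
        return "reject"
    return "accept"


# Constructed sample traffic as seen at the GNE.
SAMPLES = {
    "lan_udp_123_to_node": Packet("ethernet", "10.10.10.100", "udp", 123),
    "lan_trap_relay_port": Packet("ethernet", "10.10.10.100", "udp", 391),
    "lan_direct_to_ene":   Packet("ethernet", "192.168.10.250", "tcp", 80),
    "lan_ospf_multicast":  Packet("ethernet", "224.0.0.5", "ospf"),
    "dcc_telnet_to_node":  Packet("dcc", "10.10.10.100", "tcp", 23),
    "dcc_to_other_ene":    Packet("dcc", "192.168.10.150", "tcp", 80),
    "dcc_to_lan_host":     Packet("dcc", "10.10.10.50", "tcp", 80),
    "dcc_unknown_proto":   Packet("dcc", "10.10.10.100", "gre"),
}


def evaluate_samples() -> dict:
    """Verdict for each constructed sample packet."""
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} {verdict}")
```

The two "reject" verdicts for LAN-to-ENE and DCC-to-LAN traffic are the isolation the text describes: the CTC client reaches the ENEs only through the SOCKS proxy, not by direct routing.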
Figure 14-14 IP Scenario 8: Dual GNEs on the Same Subnet
Figure 14-15 shows a network with dual GNEs on different subnets.
[Figure 14-14 labels: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A with interface 0/0 10.10.20.1
and interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNEs 10.10.10.100/24 and 10.10.10.150/24;
ONS 15454 ENEs 10.10.10.250/24 and 10.10.10.200/24; Local/Craft CTC 192.168.20.20; Ethernet and SONET
links.]
Figure 14-15 IP Scenario 8: Dual GNEs on Different Subnets
14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled
The TCC2 card and TCC2P card both default to nonsecure mode. In this mode, the front and back
Ethernet (LAN) ports share a single MAC address and IP address. TCC2P cards allow you to place a
node in secure mode, which prevents a front-access craft port user from accessing the LAN through the
backplane port. Secure mode can be locked, which prevents the mode from being altered. To place a node
in secure mode or to lock secure mode, refer to the “Change Node Settings” chapter in the
Cisco ONS 15454 Procedure Guide.
14.2.9.1 Secure Mode Behavior
Changing a TCC2P node from repeater mode to secure mode allows you to provision two IP addresses
for the ONS 15454 and causes the node to assign the ports different MAC addresses. In secure mode,
one IP address is provisioned for the ONS 15454 backplane LAN port, and the other IP address is
provisioned for the TCC2P Ethernet port. Both addresses reside on different subnets, providing an
additional layer of separation between the craft access port and the ONS 15454 LAN. If secure mode is
enabled, the IP addresses provisioned for both TCC2P TCP/IP LAN ports must follow general IP
addressing guidelines and must reside on different subnets from each other and the default router IP
address.
[Figure 14-15 labels: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A with interface 0/0 10.10.20.1,
interface 0/1 10.10.10.1 on 10.10.10.0/24, and interface 0/2 10.20.10.1 on 10.20.10.0/24; ONS 15454 GNEs
10.10.10.100/24 and 10.20.10.100/24; ONS 15454 ENEs 192.168.10.250/24 and 192.168.10.200/24; Local/Craft
CTC 192.168.20.20; Ethernet and SONET links.]
In secure mode, the IP address assigned to the front LAN (Ethernet) port becomes a private address,
while the backplane connects the node to an Operations Support System (OSS) through a central office
LAN or private enterprise network. A superuser can configure the node to hide or reveal the backplane's
LAN IP address in CTC, the routing table, or autonomous message reports.
In nonsecure mode, a node can be a GNE or ENE. Placing the node into secure mode automatically turns
on the SOCKS proxy and defaults the node to GNE status. However, the node can be changed back to an
ENE. In nonsecure mode, an ENE’s SOCKS proxy can be disabled, effectively isolating the node
beyond the LAN firewall, but it cannot be disabled in secure mode. To change a node’s GNE or ENE
status and disable the SOCKS proxy, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454
Procedure Guide.
Caution Enabling secure mode causes the TCC2P card to reboot; a TCC2P card reboot affects traffic.
Note The secure mode option does not appear in CTC if TCC2 cards are installed. If one TCC2 and one
TCC2P card are installed in a node, secure mode will appear in CTC but it cannot be modified.
Note If both front and backplane access ports are disabled in an ENE and the node is isolated from DCC
communication (due to user provisioning or network faults), the front and backplane ports are
automatically reenabled.
Figure 14-16 on page 14-22 shows an example of secure-mode ONS 15454 nodes with front-access
Ethernet port addresses that reside on the same subnet.
Figure 14-16 IP Scenario 9: ONS 15454 GNE and ENEs on the Same Subnet with Secure Mode Enabled
(Figure 14-16 image text: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A interface 0/0 10.10.20.1, interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE backplane 10.10.10.100/24, TCC2P 176.20.20.40/24; ONS 15454 ENEs with backplane 10.10.10.250/24, 10.10.10.150/24 and 10.10.10.200/24 and TCC2P 176.20.20.30/24, 176.20.20.10/24 and 176.20.20.20/24; Local/Craft CTC 176.20.20.50; legend: Ethernet, SONET.)
Figure 14-17 shows an example of ONS 15454 nodes connected to a router with secure mode enabled.
In each example, the node’s TCC2P port address (node address) resides on a different subnet from the
node backplane addresses.
Figure 14-17 IP Scenario 9: ONS 15454 GNE and ENEs on Different Subnets with Secure Mode Enabled
(Figure 14-17 image text: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A interface 0/0 10.10.20.1, interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE backplane 10.10.10.100/24, TCC2P 176.20.20.40/24; ONS 15454 ENEs with backplane 192.168.10.250/24, 192.168.10.150/24 and 192.168.10.200/24 and TCC2P 176.20.20.30/24, 176.20.20.10/24 and 176.20.20.20/24; Local/Craft CTC 176.20.20.50; legend: Ethernet, SONET.)
14.2.9.2 Secure Node Locked and Unlocked Behavior
Secure mode can operate on a node in either locked or unlocked mode. By default, secure mode’s status
is unlocked; only a superuser can convert it to locked mode. Doing so permanently changes the hardware
configuration on the active and standby TCC2P cards as well as the chassis.
Locked mode must be used carefully because the cards and shelf retain their locked status even if
separated from each other. For example, if a node is in secure, locked mode and you perform a card pull
on its standby TCC2P, then insert that as the active card into another node, the secure, locked mode is
written to the new node’s chassis and standby TCC2P. If you perform a card pull on a secure, locked
node’s active and standby TCC2Ps and insert both of them into a chassis that previously was in unlocked
mode, the node becomes locked.
When it is secure and locked, a node’s configuration, Ethernet port status, its secure mode, and the
locked status cannot be changed by any network user, including a superuser. To have a secure node’s
lock removed, contact Cisco Technical Support to arrange a Return Material Authorization (RMA) for
the chassis and for the TCC2Ps. Refer to the “Obtaining Documentation and Submitting a Service
Request” section on page liii as needed.
14.3 Routing Table
ONS 15454 routing information appears on the Maintenance > Routing Table tab. The routing table
provides the following information:
• Destination—Displays the IP address of the destination network or host.
• Mask—Displays the subnet mask used to reach the destination host or network.
• Gateway—Displays the IP address of the gateway used to reach the destination network or host.
• Usage—Shows the number of times the listed route has been used.
• Interface—Shows the ONS 15454 interface used to access the destination. Values are:
– motfcc0—The ONS 15454 Ethernet interface, that is, the RJ-45 jack on the TCC2/TCC2P and
the LAN 1 pins on the backplane
– pdcc0—A DCC/OSC/GCC interface
– lo0—A loopback interface
Table 14-5 shows sample routing table entries for an ONS 15454.
Table 14-5 Sample Routing Table Entries
Entry | Destination | Mask | Gateway | Usage | Interface
1 | 0.0.0.0 | 0.0.0.0 | 172.20.214.1 | 265103 | motfcc0
2 | 172.20.214.0 | 255.255.255.0 | 172.20.214.92 | 0 | motfcc0
3 | 172.20.214.92 | 255.255.255.255 | 127.0.0.1 | 54 | lo0
4 | 172.20.214.93 | 255.255.255.255 | 0.0.0.0 | 16853 | pdcc0
5 | 172.20.214.94 | 255.255.255.255 | 172.20.214.93 | 16853 | pdcc0
Entry 1 shows the following:
• Destination (0.0.0.0) is the default route entry. All undefined destination network or host entries on
this routing table are mapped to the default route entry.
• Mask (0.0.0.0) is always 0 for the default route.
• Gateway (172.20.214.1) is the default gateway address. All outbound traffic that cannot be found in
this routing table or is not on the node’s local subnet is sent to this gateway.
• Interface (motfcc0) indicates that the ONS 15454 Ethernet interface is used to reach the gateway.
Entry 2 shows the following:
• Destination (172.20.214.0) is the destination network IP address.
• Mask (255.255.255.0) is a 24-bit mask, meaning all addresses within the 172.20.214.0 subnet can
be destinations.
• Gateway (172.20.214.92) is the gateway address. All outbound traffic belonging to this network is
sent to this gateway.
• Interface (motfcc0) indicates that the ONS 15454 Ethernet interface is used to reach the gateway.
Entry 3 shows the following:
• Destination (172.20.214.92) is the destination host IP address.
• Mask (255.255.255.255) is a 32-bit mask, meaning that only the 172.20.214.92 address is a
destination.
• Gateway (127.0.0.1) is a loopback address. The host directs network traffic to itself using this
address.
• Interface (lo0) indicates that the local loopback interface is used to reach the gateway.
Entry 4 shows the following:
• Destination (172.20.214.93) is the destination host IP address.
• Mask (255.255.255.255) is a 32 bit mask, meaning that only the 172.20.214.93 address is a
destination.
• Gateway (0.0.0.0) means the destination host is directly attached to the node.
• Interface (pdcc0) indicates that a DCC interface is used to reach the destination host.
Entry 5 shows a DCC-connected node that is accessible through a node that is not directly connected:
• Destination (172.20.214.94) is the destination host IP address.
• Mask (255.255.255.255) is a 32-bit mask, meaning that only the 172.20.214.94 address is a
destination.
• Gateway (172.20.214.93) indicates that the destination host is accessed through a node with IP
address 172.20.214.93.
• Interface (pdcc0) indicates that a DCC interface is used to reach the gateway.
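The lookup the five entries describe, as an added example that is not part of the Cisco manual or of the TCC2/TCC2P software: a longest-prefix-match over Table 14-5 that resolves a destination to the next hop and egress interface, applying the meanings the text gives the special gateway values (0.0.0.0 = directly attached, 127.0.0.1 = the node itself) and checking that a recursive gateway such as entry 5's 172.20.214.93 is itself resolvable. The function names and the probe destinations are the editor's.

```python
# Added example (editor's code, not from the Cisco manual or the TCC2/TCC2P
# software): longest-prefix-match lookup over the entries of Table 14-5.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    destination: str
    mask: str
    gateway: str
    usage: int
    interface: str


# Table 14-5 as printed in the manual.
ROUTING_TABLE: List[Route] = [
    Route("0.0.0.0",       "0.0.0.0",         "172.20.214.1",  265103, "motfcc0"),
    Route("172.20.214.0",  "255.255.255.0",   "172.20.214.92", 0,      "motfcc0"),
    Route("172.20.214.92", "255.255.255.255", "127.0.0.1",     54,     "lo0"),
    Route("172.20.214.93", "255.255.255.255", "0.0.0.0",       16853,  "pdcc0"),
    Route("172.20.214.94", "255.255.255.255", "172.20.214.93", 16853,  "pdcc0"),
]


def _network(route: Route) -> ipaddress.IPv4Network:
    # Destination/mask pairs exactly as the table shows them, e.g. 172.20.214.0/255.255.255.0
    return ipaddress.IPv4Network(f"{route.destination}/{route.mask}", strict=False)


def lookup(dst: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Most specific matching entry (longest mask wins); None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        net = _network(route)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def next_hop(dst: str, table: List[Route] = ROUTING_TABLE) -> Tuple[str, str]:
    """Resolve a destination to (next hop, egress interface).

    Gateway column meanings as the manual states them: 0.0.0.0 = directly
    attached, so the packet goes to the destination itself; 127.0.0.1 = the
    node's own address, delivered over lo0; anything else = forward to that
    gateway, which must itself be in the table (entry 5 reaches 172.20.214.94
    through the directly attached DCC neighbour of entry 4).
    """
    route = lookup(dst, table)
    if route is None:
        raise LookupError(f"no route to {dst}")
    if route.gateway == "0.0.0.0":
        return dst, route.interface
    if route.gateway == "127.0.0.1":
        return "local", route.interface
    if lookup(route.gateway, table) is None:
        raise LookupError(f"gateway {route.gateway} for {dst} is not in the table")
    return route.gateway, route.interface


if __name__ == "__main__":
    for dst in ("172.20.214.94", "172.20.214.93", "172.20.214.92", "172.20.214.50", "8.8.8.8"):
        print(dst, "->", next_hop(dst))
```

The last two probes are constructed: 172.20.214.50 is not in the table, so it falls to entry 2 and leaves on motfcc0; 8.8.8.8 matches only the default route and goes to 172.20.214.1.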
14.4 External Firewalls
This section provides sample access control lists (ACLs) for external firewalls. Table 14-6 lists the ports
that are used by the TCC2/TCC2P card.
Table 14-6 Ports Used by the TCC2/TCC2P
Port | Function | Action (D = deny, NA = not applicable, OK = do not deny)
0 | Never used | D
20 | FTP | D
21 | FTP control | D
22 | SSH (Secure Shell) | D
23 | Telnet | D
80 | HTTP | D
111 | SUNRPC (Sun Remote Procedure Call) | NA
161 | SNMP | D
162 | SNMP trap destinations | D
513 | rlogin | D
683 | CORBA IIOP (Common Object Request Broker Architecture Internet Inter-ORB Protocol) | OK
1080 | Proxy server (SOCKS) | D
2001-2017 | I/O card Telnet | D
2018 | DCC processor on active TCC2/TCC2P | D
2361 | TL1 | D
3082 | Raw TL1 | D
3083 | TL1 | D
5001 | BLSR (bidirectional line switched ring) server port | D
5002 | BLSR client port | D
7200 | SNMP alarm input port | D
9100 | EQM port | D
9401 | TCC boot port | D
9999 | Flash manager | D
10240-12287 | Proxy client | D
57790 | Default TCC listener port | OK
The Action column is the default recommendation for an external firewall. The ACL examples that follow
open port 80 and, depending on the SOCKS proxy setting, port 57790 or port 1080, but only for the
address of the CTC workstation.
The following ACL example shows a firewall configuration when the SOCKS proxy server gateway
setting is not enabled. In the example, the CTC workstation’s address is 192.168.10.10 and the
ONS 15454 address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC to the GNE
and outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC CORBA
Default is TCC Fixed (57790).
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with ONS 15454 using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 remark *** allows CTC communication with ONS 15454 GNE (port 57790) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 100 remark *** allows ACKs back from CTC to ONS 15454 GNE ***
access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 remark *** allows alarms etc., from the 15454 (random port) to the CTC workstation (port 683) ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC ***
The following ACL example shows a firewall configuration when the SOCKS proxy server gateway
setting is enabled. As with the first example, the CTC workstation address is 192.168.10.10 and the
ONS 15454 address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC to the GNE
and outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC CORBA
Default is TCC Fixed (57790). Because every connection now originates at the CTC workstation, the
outbound list needs only the established entry and port 683 stays closed at the firewall.
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with the 15454 using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 100 remark *** allows CTC communication with the 15454 GNE (port 1080) ***
access-list 100 remark
access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC ***
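To see what each list actually admits, here is an evaluator for the subset of IOS extended-ACL syntax the two examples use. It is an added example written for this edition, not code from the Cisco manual or from IOS: it parses the permit lines above, applies first-match semantics with IOS's implicit deny, and checks the flows CTC needs (initial HTTP contact, the management connection on 57790 or 1080, the reverse-direction acknowledgements, and the NE-initiated IIOP callback on 683). The sample flows, the ephemeral port 50000 and the helper names are the editor's; the addresses are those of the manual's examples.

```python
# Added example (editor's code, not from the Cisco manual or Cisco IOS):
# a first-match evaluator for the ACL subset used in the two examples above.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CTC = "192.168.10.10"   # CTC workstation, as in the manual's examples
GNE = "10.10.10.100"    # ONS 15454 GNE

# The permit lines of the manual's two example pairs (remarks omitted).
ACL_NO_PROXY = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""
ACL_PROXY = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""

WELL_KNOWN = {"www": 80}   # IOS keyword used in the examples


@dataclass(frozen=True)
class Ace:
    action: str
    src: str
    dst: str
    dport: Optional[int]   # None = any destination port
    established: bool      # True = matches only segments with ACK or RST set


ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+tcp"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<est>\s+established)?\s*$"
)


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Return {ACL number: ordered entries}; remark lines are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[2:3] == ["remark"]:
            continue
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        port = m.group("port")
        dport = None if port is None else WELL_KNOWN.get(port, None) or int(port)
        acls.setdefault(m.group("acl"), []).append(
            Ace(m.group("action"), m.group("src"), m.group("dst"), dport, m.group("est") is not None))
    return acls


def evaluate(aces: List[Ace], src: str, dst: str, dport: int, ack: bool = False) -> bool:
    """The first matching entry decides; no match is the implicit deny."""
    for ace in aces:
        if (ace.src, ace.dst) != (src, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not ack:
            continue
        return ace.action == "permit"
    return False


def ctc_flows(acl_text: str, socks_proxy: bool) -> Dict[str, bool]:
    """Which of the flows CTC needs pass a given inbound (100) / outbound (101) pair.
    Port 50000 stands in for an ephemeral port; the flow names are the editor's."""
    acls = parse_acls(acl_text)
    inbound, outbound = acls["100"], acls["101"]
    mgmt_port = 1080 if socks_proxy else 57790
    return {
        "http_bootstrap":   evaluate(inbound, CTC, GNE, 80),
        "ctc_to_gne_mgmt":  evaluate(inbound, CTC, GNE, mgmt_port),
        "gne_replies":      evaluate(outbound, GNE, CTC, 50000, ack=True),
        "gne_callback_683": evaluate(outbound, GNE, CTC, 683),
        "callback_acks":    evaluate(inbound, CTC, GNE, 50000, ack=True),
        "telnet_in":        evaluate(inbound, CTC, GNE, 23),
        "tl1_in":           evaluate(inbound, CTC, GNE, 3083),
    }


if __name__ == "__main__":
    print("SOCKS off:", ctc_flows(ACL_NO_PROXY, socks_proxy=False))
    print("SOCKS on: ", ctc_flows(ACL_PROXY, socks_proxy=True))
```

The difference between the two results is the security-relevant one. Without the SOCKS proxy the GNE must be allowed to open connections back to the workstation on port 683, and the inbound list needs an established entry for the workstation's side of that connection; with the proxy enabled every connection originates at the workstation, so the outbound list reduces to established, port 683 stays closed, and an inbound ACK-only probe from the workstation is dropped.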
14.5 Open GNE
The ONS 15454 can communicate with non-ONS nodes that do not support Point-to-Point Protocol
(PPP) vendor extensions or OSPF type 10 opaque link-state advertisements (LSA), both of which are
necessary for automatic node and link discovery. An open GNE configuration allows the DCC-based
network to function as an IP network for non-ONS nodes.
To configure an open GNE network, you can provision SDCC, LDCC, and GCC terminations to include
a far-end, non-ONS node using either the default IP address of 0.0.0.0 or a specified IP address. You
provision a far-end, non-ONS node by checking the Far End is Foreign check box during SDCC, LDCC,
and GCC creation. The default 0.0.0.0 IP address allows the far-end, non-ONS node to provide the IP
address; if you set an IP address other than 0.0.0.0, a link is established only if the far-end node identifies
itself with that IP address, providing an extra level of security.
By default, the SOCKS proxy server only allows connections to discovered ONS peers and the firewall
blocks all IP traffic between the DCC network and LAN. You can, however, provision proxy tunnels to
allow up to 12 additional destinations for SOCKS version 5 connections to non-ONS nodes. You can also
provision firewall tunnels to allow up to 12 additional destinations for direct IP connectivity between the
DCC network and the LAN. Proxy and firewall tunnels include both a source and destination subnet. The
connection must originate within the source subnet and terminate within the destination subnet before
either the SOCKS connection or IP packet flow is allowed.
To set up proxy and firewall subnets in CTC, use the Provisioning > Network > Proxy and Firewalls
subtabs. The availability of proxy and/or firewall tunnels depends on the network access settings of the
node:
• If the node is configured with the SOCKS proxy server enabled in GNE or ENE mode, you must set
up a proxy tunnel and/or a firewall tunnel.
• If the node is configured with the SOCKS proxy server enabled in proxy-only mode, you can set up
proxy tunnels. Firewall tunnels are not allowed.
• If the node is configured with the SOCKS proxy server disabled, neither proxy tunnels nor firewall
tunnels are allowed.
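A model of the tunnel rules just listed, as an added example that is not part of the Cisco manual or of the ONS software: a proxy or firewall tunnel is a (source subnet, destination subnet) pair, a SOCKS connection or IP packet is admitted only when it originates inside the source subnet and terminates inside the destination subnet, at most 12 tunnels of each kind may exist, and which kinds a node may hold follows the three network-access settings above. The addresses are those of Figure 14-18; the tunnel provisioned for the foreign NE's /28, and the class and function names, are the editor's.

```python
# Added example (editor's code, not from the Cisco manual or CTC): proxy and
# firewall tunnel admission as the Open GNE text describes it.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_TUNNELS = 12   # per kind, per node, as stated in the manual


@dataclass
class Tunnel:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

    def admits(self, src: str, dst: str) -> bool:
        """Both ends must match: originate in source, terminate in destination."""
        return (ipaddress.IPv4Address(src) in self.source
                and ipaddress.IPv4Address(dst) in self.destination)


@dataclass
class OpenGne:
    """Tunnel tables of one node, gated by its SOCKS / network-access setting."""
    access: str                      # "gne", "ene", "proxy-only" or "disabled"
    proxy: List[Tunnel] = field(default_factory=list)
    firewall: List[Tunnel] = field(default_factory=list)

    def _allowed_kinds(self) -> Tuple[str, ...]:
        if self.access in ("gne", "ene"):
            return ("proxy", "firewall")
        if self.access == "proxy-only":
            return ("proxy",)
        return ()                    # SOCKS disabled: no tunnels of either kind

    def add(self, kind: str, source: str, destination: str) -> None:
        if kind not in self._allowed_kinds():
            raise PermissionError(f"{kind} tunnels are not allowed when access is {self.access}")
        table = self.proxy if kind == "proxy" else self.firewall
        if len(table) >= MAX_TUNNELS:
            raise OverflowError(f"at most {MAX_TUNNELS} {kind} tunnels per node")
        table.append(Tunnel(ipaddress.IPv4Network(source), ipaddress.IPv4Network(destination)))

    def socks_allowed(self, src: str, dst: str) -> bool:
        """May the SOCKS proxy open a connection from src to dst (a non-ONS node)?"""
        return any(t.admits(src, dst) for t in self.proxy)

    def ip_allowed(self, src: str, dst: str) -> bool:
        """May an IP packet from src pass between the LAN and the DCC network to dst?"""
        return any(t.admits(src, dst) for t in self.firewall)


def figure_14_18_gne() -> OpenGne:
    """GNE of Figure 14-18 with one tunnel of each kind from the remote CTC's LAN
    to the foreign NE's /28 (a constructed provisioning choice)."""
    gne = OpenGne("gne")
    gne.add("proxy", "10.10.20.0/24", "130.94.122.192/28")
    gne.add("firewall", "10.10.20.0/24", "130.94.122.192/28")
    return gne


if __name__ == "__main__":
    g = figure_14_18_gne()
    print("remote CTC -> foreign NE via SOCKS:", g.socks_allowed("10.10.20.10", "130.94.122.199"))
    print("craft CTC  -> foreign NE via SOCKS:", g.socks_allowed("192.168.20.20", "130.94.122.199"))
    print("remote CTC -> ENE 10.10.10.250 via firewall tunnel:", g.ip_allowed("10.10.20.10", "10.10.10.250"))
```

The two negative results in the usage block are the point of the source/destination pairing: the local craft PC at 192.168.20.20 is outside the source subnet and gets nothing through the tunnel, and the remote CTC cannot use the firewall tunnel to reach an ONS ENE because that address is outside the destination subnet.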
Figure 14-18 shows an example of a foreign node connected to the DCC network. Proxy and firewall
tunnels are useful in this example because the GNE would otherwise block IP access between the PC
and the foreign node.
Figure 14-18 Proxy and Firewall Tunnels for Foreign Terminations
(Figure 14-18 image text: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A interface 0/0 10.10.20.1, interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs 10.10.10.250/24, 10.10.10.150/24 and 10.10.10.200/24; non-ONS node (foreign NE) 130.94.122.199/28 reached over a DCC termination; Local/Craft CTC 192.168.20.20; legend: Ethernet, SONET.)
Figure 14-19 shows a remote node connected to an ENE Ethernet port. Proxy and firewall tunnels are
useful in this example because the GNE would otherwise block IP access between the PC and foreign
node. This configuration also requires a firewall tunnel on the ENE.
Figure 14-19 Foreign Node Connection to an ENE Ethernet Port
(Figure 14-19 image text: same Remote CTC, Router A, GNE 10.10.10.100/24 and ENEs 10.10.10.250/24, 10.10.10.150/24 and 10.10.10.200/24 as Figure 14-18; the non-ONS node (foreign NE) 130.94.122.199/28 attaches to an ENE Ethernet port; Local/Craft CTC 192.168.20.20; legend: Ethernet, SONET.)
14.6 TCP/IP and OSI Networking
ONS 15454 DCN communication is based on the TCP/IP protocol suite. However, ONS 15454s can also
be networked with equipment that uses the OSI protocol suite. While TCP/IP and OSI protocols are not
directly compatible, they do have the same objectives and occupy similar layers of the OSI reference
model. Table 14-7 shows the protocols and mediation processes that are involved when TCP/IP-based
NEs are networked with OSI-based NEs.
14.6.1 Point-to-Point Protocol
PPP is a data link (Layer 2) encapsulation protocol that transports datagrams over point-to-point links.
Although PPP was developed to transport IP traffic, it can carry other protocols including the OSI CLNP.
PPP components used in the transport of OSI include:
• High-level data link control (HDLC)—Performs the datagram encapsulation for transport across
point-to-point links.
• Link control protocol (LCP)—Establishes, configures, and tests the point-to-point connections.
CTC automatically enables IP over PPP whenever you create an SDCC or LDCC. The SDCC or LDCC
can be provisioned to support OSI over PPP.
Table 14-7 TCP/IP and OSI Protocols
OSI Model | IP Protocols | OSI Protocols | IP-OSI Mediation
Layer 7 Application | TL1, FTP, HTTP, Telnet, IIOP | TARP (1), TL1 (over OSI), FTAM (2), ACSE (3) | T–TD (4), FT–TD (5)
Layer 6 Presentation | – | PST (6) | –
Layer 5 Session | – | Session | –
Layer 4 Transport | TCP, UDP | TP (Transport) Class 4 | IP-over-CLNS (7) tunnels
Layer 3 Network | IP, OSPF | CLNP (8), ES-IS (9), IS-IS (10) | –
Layer 2 Data link | PPP | PPP, LAP-D (11) | –
Layer 1 Physical | DCC, LAN, fiber, electrical | DCC, LAN, fiber, electrical | –
1. TARP = TID Address Resolution Protocol
2. FTAM = File Transfer and Access Management
3. ACSE = association-control service element
4. T–TD = TL1–Translation Device
5. FT–TD = File Transfer–Translation Device
6. PST = Presentation layer
7. CLNS = Connectionless Network Layer Service
8. CLNP = Connectionless Network Layer Protocol
9. ES-IS = End System-to-Intermediate System
10. IS-IS = Intermediate System-to-Intermediate System
11. LAP-D = Link Access Protocol on the D Channel
14.6.2 Link Access Protocol on the D Channel
LAP-D is a data link protocol used in the OSI protocol stack. LAP-D is assigned when you provision an
ONS 15454 SDCC as OSI-only. Provisionable LAP-D parameters include:
• Transfer Service—One of the following transfer services must be assigned:
– Acknowledged Information Transfer Service (AITS)—(Default) Does not exchange data until
a logical connection between two LAP-D users is established. This service provides reliable
data transfer, flow control, and error control mechanisms.
– Unacknowledged Information Transfer Service (UITS)—Transfers frames containing user data
with no acknowledgement. The service does not guarantee that the data presented by one user
will be delivered to another user, nor does it inform the user if the delivery attempt fails. It does
not provide any flow control or error control mechanisms.
• Mode—LAP-D is set to either Network or User mode. This parameter sets the LAP-D frame
command/response (C/R) value, which indicates whether the frame is a command or a response.
• Maximum transmission unit (MTU)—The LAP-D N201 parameter sets the maximum number of
octets in a LAP-D information frame. The range is 512 to 1500 octets.
Note The MTU must be the same size for all NEs on the network.
• Transmission Timers—The following LAP-D timers can be provisioned:
– The T200 timer sets the timeout period for initiating retries or declaring failures.
– The T203 timer provisions the maximum time between frame exchanges, that is, the trigger for
transmission of the LAP-D “keep-alive” Receive Ready (RR) frames.
Fixed values are assigned to the following LAP-D parameters:
• Terminal Endpoint Identifier (TEI)—A fixed value of 0 is assigned.
• Service Access Point Identifier (SAPI)—A fixed value of 62 is assigned.
• N200 supervisory frame retransmissions—A fixed value of 3 is assigned.
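The provisionable and fixed values above, applied to the LAP-D address field. This is an added example, not code from the Cisco manual or from the ONS software: it encodes the two address octets for the fixed SAPI 62 and TEI 0, sets the C/R bit from the provisioned Network/User mode, and enforces the N201 (MTU) range on an Unnumbered Information frame. The bit layout (SAPI, C/R, EA0 in the first octet; TEI, EA1 in the second) and the C/R convention (the network side sends commands with C/R = 1 and the user side with C/R = 0, responses inverted) are those of ITU-T Q.921; the function names are the editor's.

```python
# Added example (editor's code, not from the Cisco manual): LAP-D address field
# encoding for the ONS 15454's fixed SAPI/TEI, with mode-dependent C/R and an
# N201 (MTU) range check.  Bit layout and C/R convention follow ITU-T Q.921.
from typing import Dict

SAPI = 62                # fixed on the ONS 15454
TEI = 0                  # fixed on the ONS 15454
N200 = 3                 # fixed supervisory-frame retransmission count
MTU_RANGE = (512, 1500)  # provisionable N201 range in octets


def cr_bit(mode: str, command: bool) -> int:
    """C/R value per Q.921: network-side commands are 1, user-side commands are 0,
    and responses carry the opposite value."""
    if mode not in ("network", "user"):
        raise ValueError("mode must be 'network' or 'user'")
    network_side = mode == "network"
    return int(network_side == command)


def encode_address(mode: str, command: bool = True, sapi: int = SAPI, tei: int = TEI) -> bytes:
    """Two-octet address field: SAPI(6 bits) C/R EA=0 | TEI(7 bits) EA=1."""
    if not 0 <= sapi < 64 or not 0 <= tei < 128:
        raise ValueError("SAPI is a 6-bit field, TEI a 7-bit field")
    first = (sapi << 2) | (cr_bit(mode, command) << 1)   # EA bit of octet 1 is 0
    second = (tei << 1) | 1                                # EA bit of octet 2 is 1
    return bytes([first, second])


def decode_address(octets: bytes) -> Dict[str, int]:
    """Inverse of encode_address; rejects a field whose EA bits are wrong."""
    if len(octets) < 2 or octets[0] & 1 or not octets[1] & 1:
        raise ValueError("malformed LAP-D address field (EA bits)")
    return {"sapi": octets[0] >> 2, "cr": (octets[0] >> 1) & 1, "tei": octets[1] >> 1}


def check_n201(mtu: int) -> int:
    """N201 must lie in the provisionable range; returns it unchanged if so."""
    lo, hi = MTU_RANGE
    if not lo <= mtu <= hi:
        raise ValueError(f"N201 must be between {lo} and {hi} octets, got {mtu}")
    return mtu


def build_ui_frame(mode: str, info: bytes, mtu: int = 1500) -> bytes:
    """Unnumbered Information frame, as used by the UITS transfer service:
    address field + UI control octet (0x03) + information field.
    Raises if the information field exceeds the provisioned N201."""
    check_n201(mtu)
    if len(info) > mtu:
        raise ValueError(f"information field of {len(info)} octets exceeds N201 {mtu}")
    return encode_address(mode, command=True) + b"\x03" + info


if __name__ == "__main__":
    print("network-mode command:", encode_address("network").hex())   # fa01
    print("user-mode command:   ", encode_address("user").hex())      # f801
    print(decode_address(bytes.fromhex("fa01")))
    print(build_ui_frame("network", b"\x81\x00", mtu=512)[:3].hex())  # constructed payload
```

Two peers provisioned with the same mode will both send commands with the same C/R value and each will misread the other's commands as responses, which is why one end of an SDCC is Network and the other User; the same-size MTU note above matters for the same reason, since a frame larger than the far end's N201 is discarded.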
14.6.3 OSI Connectionless Network Service
OSI connectionless network service is implemented by using the Connectionless Network Protocol
(CLNP) and Connectionless Network Service (CLNS). CLNP and CLNS are described in the ISO 8473
standard. CLNS provides network layer services to the transport layer through CLNP. CLNS does not
perform connection setup or termination because paths are determined independently for each packet
that is transmitted through a network. CLNS relies on transport layer protocols to perform error detection
and correction.
CLNP is an OSI network layer protocol that carries upper-layer data and error indications over
connectionless links. CLNP provides the interface between the CLNS and upper layers. CLNP performs
many of the same services for the transport layer as IP. The CLNP datagram is very similar to the IP
datagram. It provides mechanisms for fragmentation (data unit identification, fragment/total length, and
offset). Like IP, a checksum computed on the CLNP header verifies that the information used to process
the CLNP datagram is transmitted correctly, and a lifetime control mechanism (Time to Live) limits the
amount of time a datagram is allowed to remain in the system.
CLNP uses network service access points (NSAPs) to identify network devices. The CLNP source and
destination addresses are NSAPs. In addition, CLNP uses a network element title (NET) to identify a
network-entity in an end system (ES) or intermediate system (IS). NETs are allocated from the same
name space as NSAP addresses. Whether an address is an NSAP address or a NET depends on the
network selector value in the NSAP.
The ONS 15454 supports the ISO Data Country Code (ISO-DCC) NSAP address format as specified in
ISO 8348. The NSAP address is divided into an initial domain part (IDP) and a domain-specific part
(DSP). NSAP fields are shown in Table 14-8. NSAP field values are in hexadecimal format. All NSAPs
are editable, and shorter NSAPs can be used; however, NSAPs for all NEs residing within the same OSI
network area usually have the same NSAP format.
Table 14-8 NSAP Fields
Field | Definition | Description
IDP
AFI | Authority and format identifier | Specifies the NSAP address format. The initial value is 39 for the ISO-DCC address format.
IDI | Initial domain identifier | Specifies the country code. The initial value is 840F, the United States country code padded with an F.
DSP
DFI | DSP format identifier | Specifies the DSP format. The initial value is 80, indicating the DSP format follows American National Standards Institute (ANSI) standards.
ORG | Organization | Organization identifier. The initial value is 000000.
Reserved | Reserved | Reserved NSAP field. The Reserved field is normally all zeros (0000).
RD | Routing domain | Defines the routing domain. The initial value is 0000.
AREA | Area | Identifies the OSI routing area to which the node belongs. The initial value is 0000.
System | System identifier | The ONS 15454 system identifier is set to its IEEE 802.3 MAC address. Each ONS 15454 supports three OSI virtual routers. Each router NSAP system identifier is the ONS 15454 IEEE 802.3 MAC address + n, where n = 0 to 2. For the primary virtual router, n = 0.
SEL | Selector | The selector field directs the protocol data units (PDUs) to the correct destination using the CLNP network layer service. Selector values supported by the ONS 15454 include:
• 00—Network Entity Title (NET). Used to exchange PDUs in the ES-IS and IS-IS routing exchange protocols. (See the “14.6.4.1 End System-to-Intermediate System Protocol” section on page 14-36 and the “14.6.4.2 Intermediate System-to-Intermediate System Protocol” section on page 14-36.)
• 1D—Selector for Transport Class 4 and for the FTAM and TL1 applications (Telcordia GR-253-CORE standard)
• AF—Selector for the TARP protocol (Telcordia GR-253-CORE standard)
• 2F—Selector for the GRE IP-over-CLNS tunnel (ITU/RFC standard)
• CC—Selector for the Cisco IP-over-CLNS tunnels (Cisco specific)
• E0—Selector for the OSI ping application (Cisco specific)
NSELs are only advertised when the node is configured as an ES. They are not advertised when a node is configured as an IS. Tunnel NSELs are not advertised until a tunnel is created.
Figure 14-20 shows the ISO-DCC NSAP address with the default values delivered with the ONS 15454.
The System ID is automatically populated with the node MAC address.
Figure 14-20 ISO-DCC NSAP Address
(Figure 14-20 image text: 39.840F.80.000000.0000.0000.0000.xxxxxxxxxxxx.00, labelled left to right AFI (Authority and Format Identifier), IDI (Initial Domain Identifier), DFI (DSP Format Identifier), ORG, Reserved, RD (Routing Domain), Area, System ID, SEL (NSAP Selector); xxxxxxxxxxxx is the node MAC address.)
The ONS 15454 main NSAP address is shown on the node view Provisioning > OSI > Main Setup subtab
(Figure 14-21).
Figure 14-21 OSI Main Setup
This address is also the Router 1 primary manual area address, which is viewed and edited on the
Provisioning > OSI > Routers subtab. See the “14.6.7 OSI Virtual Routers” section on page 14-41 for
information about the OSI router and manual area addresses in CTC.
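The address of Figure 14-20, built and parsed in code. This is an added example, not code from the Cisco manual or from CTC: it assembles the default ISO-DCC NSAP 39.840F.80.000000.0000.0000.0000.<System ID>.00 from a node MAC address, derives the System ID of each of the three virtual routers as MAC + n (n = 0 to 2), classifies an address as a NET or an application NSAP from its selector using the values in Table 14-8, and compares the area portions of two addresses. The MAC address is constructed and the function names are the editor's; the field widths and defaults are those of Table 14-8.

```python
# Added example (editor's code, not from the Cisco manual or CTC): build and
# parse the ISO-DCC NSAP format of Figure 14-20 / Table 14-8.
import re
from typing import Dict

DEFAULTS = {"afi": "39", "idi": "840F", "dfi": "80", "org": "000000",
            "reserved": "0000", "rd": "0000", "area": "0000"}
WIDTHS = {"afi": 2, "idi": 4, "dfi": 2, "org": 6, "reserved": 4, "rd": 4, "area": 4}

# Selector values the manual lists as supported.
SELECTORS = {
    "00": "NET (ES-IS / IS-IS routing)",
    "1D": "Transport Class 4 / FTAM / TL1",
    "AF": "TARP",
    "2F": "GRE IP-over-CLNS tunnel",
    "CC": "Cisco IP-over-CLNS tunnel",
    "E0": "OSI ping",
}


def system_id(mac: str, router: int = 0) -> str:
    """System ID of virtual router n: the 802.3 MAC address + n, as 12 hex digits."""
    if not 0 <= router <= 2:
        raise ValueError("the ONS 15454 supports virtual routers 0 to 2")
    mac_int = int(re.sub(r"[^0-9A-Fa-f]", "", mac), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address must be 48 bits")
    return f"{(mac_int + router) & 0xFFFFFFFFFFFF:012X}"


def build_nsap(mac: str, router: int = 0, sel: str = "00", **fields: str) -> str:
    """Dotted NSAP with Table 14-8 defaults; keyword arguments override fields (e.g. area="0001")."""
    f = {**DEFAULTS, **{k: v.upper() for k, v in fields.items()}}
    for name, width in WIDTHS.items():
        if len(f[name]) != width or not re.fullmatch(r"[0-9A-F]+", f[name]):
            raise ValueError(f"{name} must be {width} hex digits")
    if sel.upper() not in SELECTORS:
        raise ValueError(f"unsupported selector {sel}")
    return ".".join([f["afi"], f["idi"], f["dfi"], f["org"], f["reserved"], f["rd"],
                     f["area"], system_id(mac, router), sel.upper()])


NSAP_RE = re.compile(
    r"^(?P<afi>[0-9A-F]{2})\.(?P<idi>[0-9A-F]{4})\.(?P<dfi>[0-9A-F]{2})\.(?P<org>[0-9A-F]{6})\."
    r"(?P<reserved>[0-9A-F]{4})\.(?P<rd>[0-9A-F]{4})\.(?P<area>[0-9A-F]{4})\."
    r"(?P<system>[0-9A-F]{12})\.(?P<sel>[0-9A-F]{2})$"
)


def parse_nsap(nsap: str) -> Dict[str, str]:
    """Split a dotted ISO-DCC NSAP into its fields and classify it by selector."""
    m = NSAP_RE.match(nsap.upper())
    if not m:
        raise ValueError(f"not a dotted ISO-DCC NSAP: {nsap}")
    d = m.groupdict()
    d["kind"] = "NET" if d["sel"] == "00" else "NSAP"
    d["service"] = SELECTORS.get(d["sel"], "unknown selector")
    d["net"] = nsap.upper()[:-2] + "00"     # the NET the NSAP was derived from
    return d


def same_area(a: str, b: str) -> bool:
    """Two addresses are in the same OSI area when every field before the System ID matches."""
    pa, pb = parse_nsap(a), parse_nsap(b)
    return all(pa[k] == pb[k] for k in WIDTHS)


if __name__ == "__main__":
    mac = "00:10:cf:12:34:56"               # constructed MAC address
    for n in range(3):
        print(f"router {n}:", build_nsap(mac, router=n))
    print(parse_nsap(build_nsap(mac, sel="CC")))
```

Note that NSAPs for the tunnel selectors (2F, CC) and a node's NET differ only in the last octet; parse_nsap returns the NET alongside each application NSAP for that reason.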
14.6.4 OSI Routing
OSI architecture includes ESs and ISs. The OSI routing scheme includes:
• A set of routing protocols that allow ESs and ISs to collect and distribute the information necessary
to determine routes. Protocols include the ES-IS and IS-IS protocols. ES-IS routing establishes
connectivity and reachability among ESs and ISs attached to the same (single) subnetwork.
• A routing information base (RIB) containing this information, from which routes between ESs
can be computed. The RIB consists of a table of entries that identify a destination (for example, an
NSAP), the subnetwork over which packets should be forwarded to reach that destination, and a
routing metric. The routing metric communicates characteristics of the route (such as delay
properties or expected error rate) that are used to evaluate the suitability of a route compared to
another route with different properties, for transporting a particular packet or class of packets.
• A routing algorithm, Shortest Path First (SPF), that uses information contained in the RIB to derive
routes between ESs.
In OSI networking, discovery is based on announcements. An ES uses the ES-IS protocol end system
hello (ESH) message to announce its presence to ISs and ESs connected to the same network. Any ES
or IS that is listening for ESHs gets a copy. ISs store the NSAP address and the corresponding
subnetwork address pair in routing tables. ESs might store the address, or they might wait to be informed
by ISs when they need such information.
An IS composes intermediate system hello (ISH) messages to announce its configuration information to
ISs and ESs that are connected to the same broadcast subnetwork. Like the ESHs, the ISH contains the
addressing information for the IS (the NET and the subnetwork point-of-attachment address [SNPA])
and a holding time. ISHs might also communicate a suggested ES configuration time recommending a
configuration timer to ESs.
The exchange of ISHs is called neighbor greeting or initialization. Each router learns about the other
routers with which they share direct connectivity. After the initialization, each router constructs a
link-state packet (LSP). The LSP contains a list of the names of the IS’s neighbors and the cost to reach
each of the neighbors. Routers then distribute the LSPs to all of the other routers. When all LSPs are
propagated to all routers, each router has a complete map of the network topology (in the form of LSPs).
Routers use the LSPs and the SPF algorithm to compute routes to every destination in the network.
OSI networks are divided into areas and domains. An area is a group of contiguous networks and
attached hosts that is designated as an area by a network administrator. A domain is a collection of
connected areas. Routing domains provide full connectivity to all ESs within them. Routing within the
same area is known as Level 1 routing. Routing between two areas is known as Level 2 routing. LSPs
that are exchanged within a Level 1 area are called L1 LSPs. LSPs that are exchanged across Level 2
areas are called L2 LSPs. Figure 14-22 shows an example of Level 1 and Level 2 routing.
Figure 14-22 Level 1 and Level 2 OSI Routing
(Figure 14-22 image text: one Domain containing Area 1 and Area 2; each area holds ISs with attached ESs, Level 1 routing runs inside each area, and Level 2 routing runs between the two areas.)
When you provision an ONS 15454 for a network with NEs that use both the TCP/IP and OSI protocol
stacks, you will provision it as one of the following:
• End System—The ONS 15454 performs OSI ES functions and relies upon an IS for communication
with nodes that reside within its OSI area.
• Intermediate System Level 1—The ONS 15454 performs OSI IS functions. It communicates with IS
and ES nodes that reside within its OSI area. It depends upon an IS L1/L2 node to communicate with
IS and ES nodes that reside outside its OSI area.
• Intermediate System Level 1/Level 2—The ONS 15454 performs IS functions. It communicates
with IS and ES nodes that reside within its OSI area. It also communicates with IS L1/L2 nodes that
reside in other OSI areas. This option should not be provisioned unless the node is connected to
another IS L1/L2 node that resides in a different OSI area. The node must also be connected to all
nodes within its area that are provisioned as IS L1/L2.
14.6.4.1 End System-to-Intermediate System Protocol
ES-IS is an OSI protocol that defines how ESs (hosts) and ISs (routers) learn about each other. ES-IS
configuration information is transmitted at regular intervals through the ES and IS hello messages. The
hello messages contain the subnetwork and network layer addresses of the systems that generate them.
The ES-IS configuration protocol communicates both OSI network layer addresses and OSI subnetwork
addresses. OSI network layer addresses identify either the NSAP, which is the interface between OSI
Layer 3 and Layer 4, or the NET, which is the network layer entity in an OSI IS. OSI SNPAs are the
points at which an ES or IS is physically attached to a subnetwork. The SNPA address uniquely identifies
each system attached to the subnetwork. In an Ethernet network, for example, the SNPA is the 48-bit
MAC address. Part of the configuration information transmitted by ES-IS is the NSAP-to-SNPA or
NET-to-SNPA mapping.
14.6.4.2 Intermediate System-to-Intermediate System Protocol
IS-IS is an OSI link-state hierarchical routing protocol that floods the network with link-state
information to build a complete, consistent picture of a network topology. IS-IS distinguishes between
Level 1 and Level 2 ISs. Level 1 ISs communicate with other Level 1 ISs in the same area. Level 2 ISs
route between Level 1 areas and form an intradomain routing backbone. Level 1 ISs need to know only
how to get to the nearest Level 2 IS. The backbone routing protocol can change without impacting the
intra-area routing protocol.
OSI routing begins when the ESs discover the nearest IS by listening to ISH packets. When an ES wants
to send a packet to another ES, it sends the packet to one of the ISs on its directly attached network. The
router then looks up the destination address and forwards the packet along the best route. If the
destination ES is on the same subnetwork, the local IS knows this from listening to ESHs and forwards
the packet appropriately. The IS also might provide a redirect (RD) message back to the source to tell it
that a more direct route is available. If the destination address is an ES on another subnetwork in the
same area, the IS knows the correct route and forwards the packet appropriately. If the destination
address is an ES in another area, the Level 1 IS sends the packet to the nearest Level 2 IS. Forwarding
through Level 2 ISs continues until the packet reaches a Level 2 IS in the destination area. Within the
destination area, the ISs forward the packet along the best path until the destination ES is reached.
Link-state update messages help ISs learn about the network topology. Each IS generates an update
specifying the ESs and ISs to which it is connected, as well as the associated metrics. The update is then
sent to all neighboring ISs, which forward (flood) it to their neighbors, and so on. (Sequence numbers
terminate the flood and distinguish old updates from new ones.) Using these updates, each IS can build
a complete topology of the network. When the topology changes, new updates are sent.
IS-IS uses a single required default metric with a maximum path value of 1024. The metric is arbitrary
and typically is assigned by a network administrator. Any single link can have a maximum value of 64,
and path links are calculated by summing link values. Maximum metric values were set at these levels
to provide the granularity to support various link types while at the same time ensuring that the
shortest-path algorithm used for route computation is reasonably efficient. Three optional IS-IS metrics
(costs)—delay, expense, and error—are not supported by the ONS 15454. IS-IS maintains a mapping of
the metrics to the quality of service (QoS) option in the CLNP packet header. IS-IS uses the mappings
to compute routes through the internetwork.
14.6.5 TARP
TARP is used when TL1 target identifiers (TIDs) must be translated to NSAP addresses. The
TID-to-NSAP translation occurs by mapping TIDs to the NETs, then deriving NSAPs from the NETs by
using the NSAP selector values (Table 14-8 on page 14-32).
TARP uses a selective PDU propagation methodology in conjunction with a distributed database (that
resides within the NEs) of TID-to-NET mappings. TARP allows NEs to translate between TID and NET
by automatically exchanging mapping information with other NEs. The TARP PDU is carried by the
standard CLNP Data PDU. TARP PDU fields are shown in Table 14-9.
Table 14-10 shows the TARP PDU types that govern TARP interaction and routing.
Table 14-9 TARP PDU Fields
Field | Abbreviation | Size (bytes) | Description
TARP Lifetime | tar-lif | 2 | The TARP time-to-live in hops.
TARP Sequence Number | tar-seq | 2 | The TARP sequence number used for loop detection.
Protocol Address Type | tar-pro | 1 | Used to identify the type of protocol address that the TID must be mapped to. The value FE is used to identify the CLNP address type.
TARP Type Code | tar-tcd | 1 | The TARP Type Code identifies the TARP type of PDU. Five TARP types, shown in Table 14-10, are defined.
TID Target Length | tar-tln | 1 | The number of octets that are in the tar-ttg field.
TID Originator Length | tar-oln | 1 | The number of octets that are in the tar-tor field.
Protocol Address Length | tar-pln | 1 | The number of octets that are in the tar-por field.
TID of Target | tar-ttg | n = 0, 1, 2... | TID value for the target NE.
TID of Originator | tar-tor | n = 0, 1, 2... | TID value of the TARP PDU originator.
Protocol Address of Originator | tar-por | n = 0, 1, 2... | Protocol address (for the protocol type identified in the tar-pro field) of the TARP PDU originator. When the tar-pro field is set to FE (hex), tar-por will contain a CLNP address (that is, the NET).
Table 14-10 TARP PDU Types
Type | Description | Actions
1 | Sent when a device has a TID for which it has no matching NSAP. | After an NE originates a TARP Type 1 PDU, the PDU is sent to all adjacent NEs within the NE routing area.
2 | Sent when a device has a TID for which it has no matching NSAP and no response was received from the Type 1 PDU. | After an NE originates a TARP Type 2 PDU, the PDU is sent to all Level 1 and Level 2 neighbors.
14.6.5.1 TARP Processing
A TARP data cache (TDC) is created at each NE to facilitate TARP processing. In CTC, the TDC is
displayed and managed on the node view Maintenance > OSI > TDC subtab. The TDC subtab contains
the following TARP PDU fields:
• TID—TID of the originating NE (tar-tor).
• NSAP—NSAP of the originating NE.
• Type—Indicates whether the TARP PDU was created through the TARP propagation process
(dynamic) or manually created (static).
Provisionable timers, shown in Table 14-11, control TARP processing.
Table 14-12 shows the main TARP processes and the general sequence of events that occurs in each
process.
Table 14-10 TARP PDU Types (continued)
Type | Description | Actions
3 | Sent as a response to Type 1, Type 2, or Type 5 PDUs. | After a TARP Request (Type 1 or 2) PDU is received, a TARP Type 3 PDU is sent to the request originator. Type 3 PDUs do not use the TARP propagation procedures.
4 | Sent as a notification when a change occurs locally, for example, a TID or NSAP change. It might also be sent when an NE initializes. | A Type 4 PDU is a notification of a TID or Protocol Address change at the NE that originates the notification. The PDU is sent to all adjacencies inside and outside the NE's routing area.
5 | Sent when a device needs a TID that corresponds to a specific NSAP. | When a Type 5 PDU is sent, the CLNP destination address is known, so the PDU is sent to only that address. Type 5 PDUs do not use the TARP propagation procedures.
Table 14-11 TARP Timers
Timer | Description | Default (seconds) | Range (seconds)
T1 | Waiting for response to TARP Type 1 Request PDU | 15 | 0–3600
T2 | Waiting for response to TARP Type 2 Request PDU | 25 | 0–3600
T3 | Waiting for response to address resolution request | 40 | 0–3600
T4 | Timer starts when T2 expires (used during error recovery) | 20 | 0–3600
14.6.5.2 TARP Loop Detection Buffer
The TARP loop detection buffer (LDB) can be enabled to prevent duplicate TARP PDUs from entering
the TDC. When a TARP Type 1, 2, or 4 PDU arrives, TARP checks its LDB for a NET address (tar-por)
of the PDU originator match. If no match is found, TARP processes the PDU and assigns a tar-por,
tar-seq (sequence) entry for the PDU to the LDB. If the tar-seq is zero, a timer associated with the LDB
entry is started using the provisionable LDB entry timer on the node view OSI > TARP > Config tab. If
a match exists, the tar-seq is compared to the LDB entry. If the tar-seq is not zero and is less than or equal
to the LDB entry, the PDU is discarded. If the tar-seq is greater than the LDB entry, the PDU is processed
and the tar-seq field in the LDB entry is updated with the new value. The Cisco ONS 15454 LDB holds
approximately 500 entries. The LDB is flushed periodically based on the time set in the LDB Flush timer
on the node view OSI > TARP > Config tab.
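The PDU layout of Table 14-9 and the loop detection rule described above, as an added Python example that is not code from this manual or from the ONS 15454 software. It packs and parses the TARP fields in table order, assuming big-endian encoding for the two 16-bit fields (the manual gives sizes, not byte order), then feeds a constructed PDU stream through an LDB that records the highest tar-seq per originator NET. The NETs, TIDs and timer values are constructed for the example, and the handling of a repeated tar-seq of zero is this example's assumption, since the text does not cover that case.

```python
import struct
from dataclasses import dataclass

CLNP_ADDRESS_TYPE = 0xFE        # tar-pro value for a CLNP address (Table 14-9)
LDB_CHECKED_TYPES = {1, 2, 4}   # only these PDU types go through the LDB (14.6.5.2)

# Fixed header, Table 14-9 order: tar-lif(2) tar-seq(2) tar-pro(1) tar-tcd(1)
# tar-tln(1) tar-oln(1) tar-pln(1). Big-endian 16-bit fields are an assumption
# of this example; the manual gives sizes, not byte order.
_FIXED = struct.Struct("!HHBBBBB")


@dataclass
class TarpPdu:
    lifetime: int       # tar-lif, hops
    seq: int            # tar-seq, used for loop detection
    proto_type: int     # tar-pro
    type_code: int      # tar-tcd, 1..5
    target_tid: bytes   # tar-ttg
    orig_tid: bytes     # tar-tor
    orig_addr: bytes    # tar-por: the NET when proto_type == CLNP_ADDRESS_TYPE


def build_tarp_pdu(p: TarpPdu) -> bytes:
    """Serialise a PDU; tar-tln/tar-oln/tar-pln are derived from the payloads."""
    if max(len(p.target_tid), len(p.orig_tid), len(p.orig_addr)) > 255:
        raise ValueError("TARP length fields are a single octet")
    head = _FIXED.pack(p.lifetime, p.seq, p.proto_type, p.type_code,
                       len(p.target_tid), len(p.orig_tid), len(p.orig_addr))
    return head + p.target_tid + p.orig_tid + p.orig_addr


def parse_tarp_pdu(data: bytes) -> TarpPdu:
    """Decode a PDU, rejecting one whose length fields do not add up."""
    if len(data) < _FIXED.size:
        raise ValueError("TARP PDU shorter than its fixed header")
    lif, seq, pro, tcd, tln, oln, pln = _FIXED.unpack_from(data)
    if tcd not in (1, 2, 3, 4, 5):
        raise ValueError(f"unknown TARP type code {tcd}")
    if len(data) != _FIXED.size + tln + oln + pln:
        raise ValueError("tar-tln/tar-oln/tar-pln do not match the PDU length")
    ttg_end = _FIXED.size + tln
    tor_end = ttg_end + oln
    return TarpPdu(lif, seq, pro, tcd, data[_FIXED.size:ttg_end],
                   data[ttg_end:tor_end], data[tor_end:])


class LoopDetectionBuffer:
    """Highest tar-seq seen per originator NET (tar-por), per 14.6.5.2.

    entry_timer and flush_timer stand in for the LDB Entry and LDB Flush
    timers on the OSI > TARP > Config tab; the values used here are arbitrary.
    """

    def __init__(self, entry_timer: float, flush_timer: float):
        self.entry_timer = entry_timer
        self.flush_timer = flush_timer
        self._entries = {}          # tar-por -> (tar-seq, entry timer expiry or None)
        self._next_flush = flush_timer

    def accept(self, pdu: TarpPdu, now: float) -> bool:
        """True if the PDU is processed, False if it is discarded as a loop/replay."""
        if now >= self._next_flush:                 # periodic flush of the whole LDB
            self._entries.clear()
            self._next_flush = now + self.flush_timer
        if pdu.type_code not in LDB_CHECKED_TYPES:  # Type 3 and 5 are never checked
            return True
        entry = self._entries.get(pdu.orig_addr)
        if entry is None:                           # first sight of this originator
            expires = now + self.entry_timer if pdu.seq == 0 else None
            self._entries[pdu.orig_addr] = (pdu.seq, expires)
            return True
        stored_seq, expires = entry
        if pdu.seq == 0:
            # Not spelled out in the text: a repeat from an originator that does
            # not sequence its PDUs is treated as a duplicate while the entry
            # timer is still running (this example's assumption).
            if expires is not None and now < expires:
                return False
            self._entries[pdu.orig_addr] = (0, now + self.entry_timer)
            return True
        if pdu.seq <= stored_seq:                   # old or replayed: discard
            return False
        self._entries[pdu.orig_addr] = (pdu.seq, None)
        return True


def demo_ldb() -> list:
    """Run a constructed PDU stream through the LDB and return the decisions."""
    # Constructed NETs: 12-octet area prefix, 6-octet system ID, selector 00.
    net_a = bytes.fromhex("39840f80" "1111000011111111" "0000aa000001" "00")
    net_b = bytes.fromhex("39840f80" "1111000011111111" "0000bb000002" "00")
    ldb = LoopDetectionBuffer(entry_timer=60.0, flush_timer=600.0)

    def pdu(tcd: int, seq: int, net: bytes) -> TarpPdu:
        raw = build_tarp_pdu(TarpPdu(16, seq, CLNP_ADDRESS_TYPE, tcd, b"TGT01", b"ORIG1", net))
        return parse_tarp_pdu(raw)              # round trip through the wire format

    stream = [
        (0.0, pdu(1, 5, net_a)),   # fresh Type 1 request                  -> accept
        (1.0, pdu(1, 5, net_a)),   # same PDU back through another path    -> discard
        (2.0, pdu(1, 4, net_a)),   # stale sequence number                 -> discard
        (3.0, pdu(2, 6, net_a)),   # escalation to Type 2 with newer seq   -> accept
        (4.0, pdu(3, 1, net_a)),   # Type 3 reply, LDB not consulted       -> accept
        (5.0, pdu(4, 0, net_b)),   # Type 4 change notice with seq 0       -> accept
        (6.0, pdu(4, 0, net_b)),   # repeat within the entry timer         -> discard
    ]
    return [ldb.accept(p, t) for t, p in stream]
```

Type 3 and Type 5 PDUs bypass the buffer exactly as the text says, so the LDB never suppresses a reply; what it suppresses is the looped or replayed Type 1, 2 and 4 PDU that would otherwise be written into the TDC.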
14.6.5.3 Manual TARP Adjacencies
TARP adjacencies can be manually provisioned in networks where ONS 15454s must communicate
across routers or non-SONET NEs that lack TARP capability. In CTC, manual TARP adjacencies are
provisioned on the node view Provisioning > OSI > TARP > MAT (Manual Area Table) subtab. The
manual adjacency causes a TARP request to hop through the general router or non-SONET NE, as shown
in Figure 14-23.
Table 14-12 TARP Processing Flow
Process: Find a NET that matches a TID
1. TARP checks its TDC for a match. If a match is found, TARP returns the result to the requesting application.
2. If no match is found, a TARP Type 1 PDU is generated and Timer T1 is started.
3. If Timer T1 expires before a match is found, a Type 2 PDU is generated and Timer T2 is started.
4. If Timer T2 expires before a match is found, Timer T4 is started.
5. If Timer T4 expires before a match is found, a Type 2 PDU is generated and Timer T2 is started.
Process: Find a TID that matches a NET
A Type 5 PDU is generated. Timer T3 is used. However, if the timer expires, no error recovery procedure occurs, and a status message is provided to indicate that the TID cannot be found.
Process: Send a notification of TID or protocol address change
TARP generates a Type 4 PDU in which the tar-ttg field contains the NE TID value that existed prior to the change of TID or protocol address. Confirmation that other NEs successfully received the address change is not sent.
Figure 14-23 Manual TARP Adjacencies
14.6.5.4 Manual TID to NSAP Provisioning
TIDs can be manually linked to NSAPs and added to the TDC. Static TDC entries are similar to static
routes. For a specific TID, you force a specific NSAP. Resolution requests for that TID always return
that NSAP. No TARP network propagation or instantaneous replies are involved. Static entries allow you
to forward TL1 commands to NEs that do not support TARP. However, static TDC entries are not
dynamically updated, so outdated entries are not removed after the TID or the NSAP changes on the
target node.
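An added Python example, not code from this manual, that follows the "find a NET that matches a TID" flow of Table 14-12 with the Table 14-11 default timers and models the static entries of this section: a simulated TarpDataCache reports which PDUs it would send and when, learns a dynamic entry from a Type 3 reply, and shows a static entry ignoring a Type 4 change notification. The retry limit after T4 (max_t4_cycles) and the TIDs and NETs are this example's assumptions; the manual does not state how many T2/T4 cycles an NE attempts.

```python
from dataclasses import dataclass

T1_DEFAULT, T2_DEFAULT, T4_DEFAULT = 15.0, 25.0, 20.0   # Table 14-11 defaults, seconds


@dataclass
class TdcEntry:
    net: bytes
    static: bool   # True: manually provisioned (14.6.5.4), never touched by TARP


class TarpDataCache:
    """TID-to-NET cache with the Table 14-12 'find a NET that matches a TID' flow.

    Time is simulated: resolve() reports the PDUs it would send and when, given
    an optional time at which a Type 3 reply arrives. The manual does not say
    how many T2/T4 cycles an NE attempts, so max_t4_cycles is an assumption.
    """

    def __init__(self, t1=T1_DEFAULT, t2=T2_DEFAULT, t4=T4_DEFAULT, max_t4_cycles=2):
        self.t1, self.t2, self.t4 = t1, t2, t4
        self.max_t4_cycles = max_t4_cycles
        self.entries = {}   # TID (str) -> TdcEntry

    def add_static(self, tid: str, net: bytes) -> None:
        """Static entry: this TID always resolves to this NET."""
        self.entries[tid] = TdcEntry(net, static=True)

    def learn(self, tid: str, net: bytes) -> None:
        """Dynamic entry from a Type 3 reply; a static entry is never overwritten."""
        cur = self.entries.get(tid)
        if cur is None or not cur.static:
            self.entries[tid] = TdcEntry(net, static=False)

    def notify_change(self, old_tid: str, new_tid: str, net: bytes) -> bool:
        """Apply a Type 4 notification whose tar-ttg carries the pre-change TID.

        Returns False when a static entry for old_tid is left untouched, which
        is the stale-entry caveat of 14.6.5.4.
        """
        cur = self.entries.get(old_tid)
        if cur is not None and cur.static:
            return False
        self.entries.pop(old_tid, None)
        self.entries[new_tid] = TdcEntry(net, static=False)
        return True

    def resolve(self, tid: str, reply_at=None, reply_net=None):
        """Return (NET or None, events); events are (time, action) tuples."""
        cur = self.entries.get(tid)
        if cur is not None:                       # step 1: TDC hit, no PDU sent
            return cur.net, [(0.0, "TDC hit (%s)" % ("static" if cur.static else "dynamic"))]
        timeline = [(0.0, "Type 1 sent, T1 started")]                  # step 2
        t = self.t1
        timeline.append((t, "T1 expired: Type 2 sent, T2 started"))     # step 3
        for _ in range(self.max_t4_cycles):
            t += self.t2
            timeline.append((t, "T2 expired: T4 started"))              # step 4
            t += self.t4
            timeline.append((t, "T4 expired: Type 2 sent, T2 started")) # step 5
        give_up = t + self.t2
        if reply_at is not None and reply_at < give_up:
            self.learn(tid, reply_net)
            events = [e for e in timeline if e[0] <= reply_at]
            return reply_net, events + [(reply_at, "Type 3 reply received, entry learned")]
        return None, timeline + [(give_up, "T2 expired: giving up (assumed retry limit)")]


def demo_static_caveat() -> dict:
    """Constructed walk-through: a static entry masks a Type 4 change, a dynamic one does not."""
    tdc = TarpDataCache(max_t4_cycles=1)
    net_a = bytes.fromhex("39840f80" "1111000011111111" "0000aa000001" "00")   # constructed NET
    net_b = bytes.fromhex("39840f80" "1111000011111111" "0000bb000002" "00")
    tdc.add_static("NODE-A", net_a)                        # operator-provisioned
    tdc.resolve("NODE-B", reply_at=20.0, reply_net=net_b)  # learned after Type 1, then Type 2
    return {
        "static_updated": tdc.notify_change("NODE-A", "NODE-A-NEW", net_a),
        "dynamic_updated": tdc.notify_change("NODE-B", "NODE-B-NEW", net_b),
        "stale_static_still_present": "NODE-A" in tdc.entries,
        "dynamic_rekeyed": "NODE-B-NEW" in tdc.entries and "NODE-B" not in tdc.entries,
    }
```

With the defaults, a TID that nobody answers costs 15 s of T1 plus 25 s of T2 before the first T4 cycle even starts, which is the delay an operator sees when a static entry is missing for a non-TARP NE; the static entry removes the wait but, as demo_static_caveat shows, also stops the cache from following a later TID or NET change.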
14.6.6 TCP/IP and OSI Mediation
Two mediation processes facilitate TL1 networking and file transfers between NEs and ONS client
computers running TCP/IP and OSI protocol suites:
• T–TD—Performs a TL1-over-IP to TL1-over-OSI gateway mediation to enable an IP-based OSS to
manage OSI-only NEs subtended from a GNE. Figure 14-24 shows the T–TD protocol flow.
[Figure 14-23 image: two DCN segments joined by a generic router, with the manual adjacency drawn across the router]
Figure 14-24 T–TD Protocol Flow
• FT–TD—Performs an FTP conversion between FTAM and FTP. The FT–TD gateway entity includes
an FTAM responder (server) and an FTP client, allowing FTAM initiators (clients) to store, retrieve,
or delete files from an FTP server. The FT–TD gateway is unidirectional and is driven by the FTAM
initiator. The FT–TD FTAM responder exchanges messages with the FTAM initiator over the full
OSI stack. Figure 14-25 shows the FT–TD protocol flow.
Figure 14-25 FT–TD Protocol Flow
The ONS 15454 uses FT–TD for the following file transfer processes:
• Software downloads
• Database backups and restores
• Cisco IOS configuration backups and restores for ML and ML2 Series cards.
14.6.7 OSI Virtual Routers
The ONS 15454 supports three OSI virtual routers. The routers are provisioned on the Provisioning >
OSI > Routers tab, shown in Figure 14-26.
[Figure 14-24 image: protocol stacks of the OSS (LAN, LLC1, IPv4, UDP/TCP, TL1), the GNE TL1 Gateway (LAN, LLC1, IPv4, UDP/TCP, TL1 on the IP side; DCC, LAPD, ISIS/CLNS, TP4, Session, Presentation, ACSE, TL1 on the OSI side) and the ENE (DCC, LAPD, ISIS/CLNS, TP4, Session, Presentation, ACSE, TL1)]
[Figure 14-25 image: OSS FTP File Server, GNE FT-TD with an FTP Client and an FTAM Responder (FTP/IP toward the OSS, FTAM/OSI toward the ENE), and ENE FTAM Initiator]
Figure 14-26 Provisioning OSI Routers
Each router has an editable manual area address and a unique NSAP System ID that is set to the node
MAC address + n. For Router 1, n = 0. For Router 2, n = 1. For Router 3, n = 2. Each router can be
enabled and connected to different OSI routing areas. However, Router 1 is the primary router, and it
must be enabled before Router 2 and Router 3 can be enabled. The Router 1 manual area address and
System ID create the NSAP address assigned to the node’s TID. In addition, Router 1 supports OSI
TARP, mediation, and tunneling functions that are not supported by Router 2 and Router 3. These
include:
• TID-to-NSAP resolution
• TARP data cache
• IP-over-CLNS tunnels
• FTAM
• FT-TD
• T-TD
• LAN subnet
OSI virtual router constraints depend on the routing mode provisioned for the node. Table 14-13 shows
the number of IS L1s, IS L1/L2s, and DCCs that are supported by each router. An IS Level 1 and an IS
Level 1/Level 2 support one ES per DCC subnet and up to 100 ESs per LAN subnet.
Each OSI virtual router has a primary manual area address. You can also create two additional manual
area addresses. These manual area addresses can be used to:
• Split up an area—Nodes within a given area can accumulate to a point that they are difficult to
manage, cause excessive traffic, or threaten to exceed the usable address space for an area.
Additional manual area addresses can be assigned so that you can smoothly partition a network into
separate areas without disrupting service.
• Merge areas—Use transitional area addresses to merge as many as three separate areas into a single
area that shares a common area address.
• Change to a different address—You might need to change an area address for a particular group of
nodes. Use multiple manual area addresses to allow incoming traffic intended for an old area address
to continue being routed to associated nodes.
14.6.8 IP-over-CLNS Tunnels
IP-over-CLNS tunnels are used to encapsulate IP for transport across OSI NEs. The ONS 15454 supports
two tunnel types:
• GRE—Generic Routing Encapsulation is a tunneling protocol that encapsulates one network layer
for transport across another. GRE tunnels add both a CLNS header and a GRE header to the tunnel
frames. GRE tunnels are supported by Cisco routers and some other vendor NEs.
• Cisco IP—The Cisco IP tunnel directly encapsulates the IP packet with no intermediate header.
Cisco IP is supported by most Cisco routers.
Figure 14-27 shows the protocol flow when an IP-over-CLNS tunnel is created through four NEs (A, B,
C, and D). The tunnel ends are configured on NEs A and D, which support both IP and OSI. NEs B and
C only support OSI, so they only route the OSI packets.
Table 14-13 OSI Virtual Router Constraints
Routing Mode | Router 1 | Router 2 | Router 3 | IS L1 per area | IS L1/L2 per area | DCC per IS
End System | Yes | No | No | — | — | —
IS L1 | Yes | Yes | Yes | 250 | — | 40
IS L1/L2 | Yes | Yes | Yes | 250 | 50 | 40
Figure 14-27 IP-over-CLNS Tunnel Flow
14.6.8.1 Provisioning IP-over-CLNS Tunnels
IP-over-CLNS tunnels must be carefully planned to prevent nodes from losing visibility or connectivity.
Before you begin a tunnel, verify that the tunnel type, either Cisco IP or GRE, is supported by the
equipment at the other end. Always verify IP and NSAP addresses. Provisioning of IP-over-CLNS
tunnels in CTC is performed on the node view Provisioning > OSI > IP over CLNS Tunnels tab. For
procedures, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454 Procedure Guide.
Provisioning IP-over-CLNS tunnels on Cisco routers requires the following prerequisite tasks, as well
as other OSI provisioning:
• (Required) Enable IS-IS
• (Optional) Enable routing for an area on an interface
• (Optional) Assign multiple area addresses
• (Optional) Configure IS-IS interface parameters
• (Optional) Configure miscellaneous IS-IS parameters
The Cisco IOS commands used to create IP-over-CLNS tunnels (CTunnels) are shown in Table 14-14.
[Figure 14-27 image: EMS running SNMP, RMON, HTTP, FTP and Telnet over UDP/TCP, IPv4, LLC1 and LAN; NE-A (GNE) carrying IPv4 in a GRE Tunnel over CLNP, LAPD and DCC; NE-B and NE-C with CLNP, LAPD and DCC only; NE-D terminating the GRE Tunnel and running the same application stack over IPv4, LLC1 and LAN]
If you are provisioning an IP-over-CLNS tunnel on a Cisco router, always follow procedures provided
in the Cisco IOS documentation for the router you are provisioning. For information about ISO CLNS
provisioning including IP-over-CLNS tunnels, see the “Configuring ISO CLNS” chapter in the
Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide.
14.6.8.2 IP-over-CLNS Tunnel Scenario 1: ONS Node to Other Vendor GNE
Figure 14-28 shows an IP-over-CLNS tunnel created from an ONS node to another vendor GNE. The
other vendor NE has an IP connection to an IP DCN to which a CTC computer is attached. An OSI-only
(LAP-D) SDCC and a GRE tunnel are created between ONS NE 1 and the other vendor GNE.
ONS NE 1 IP-over-CLNS tunnel provisioning information:
• Destination: 10.10.10.100 (CTC 1)
• Mask: 255.255.255.255 for host route (CTC 1 only), or 255.255.255.0 for subnet route (all CTC
computers residing on the 10.10.10.0 subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.cccccccccccc.00 (other vendor GNE)
• Metric: 110
• Tunnel Type: GRE
Other vendor GNE IP-over-CLNS tunnel provisioning information:
• Destination: 10.20.30.30 (ONS NE 1)
• Mask: 255.255.255.255 for host route (ONS NE 1 only), or 255.255.255.0 for subnet route (all ONS
nodes residing on the 10.30.30.0 subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.dddddddddddd.00 (ONS NE 1)
• Metric: 110
• Tunnel Type: GRE
Table 14-14 IP-over-CLNS Tunnel IOS Commands
Step | Command | Purpose
1 | Router(config)# interface ctunnel interface-number | Creates a virtual interface to transport IP over a CLNS tunnel and enters interface configuration mode. The interface number must be unique for each CTunnel interface.
2 | Router(config-if)# ctunnel destination remote-nsap-address | Configures the destination parameter for the CTunnel. Specifies the destination NSAP address of the CTunnel, where the IP packets are extracted.
3 | Router(config-if)# ip address ip-address mask | Sets the primary or secondary IP address for an interface.
Figure 14-28 IP-over-CLNS Tunnel Scenario 1: ONS NE to Other Vendor GNE
14.6.8.3 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router
Figure 14-29 shows an IP-over-CLNS tunnel from an ONS node to a router. The other vendor NE has an
OSI connection to a router on an IP DCN, to which a CTC computer is attached. An OSI-only (LAP-D)
SDCC is created between the ONS NE 1 and the other vendor GNE. The IP-over-OSI tunnel can be either
the Cisco IP tunnel or a GRE tunnel, depending on the tunnel types supported by the router.
ONS NE 1 IP-over-CLNS tunnel provisioning:
• Destination: 10.10.30.10 (Router 1, Interface 0/1)
• Mask: 255.255.255.255 for host route (Router 1 only), or 255.255.255.0 for subnet route (all routers
on the same subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.bbbbbbbbbbbb.00 (Router 1)
• Metric: 110
• Tunnel Type: Cisco IP
Router 1 CTunnel (IP-over-CLNS) provisioning:
ip routing
clns routing
interface ctunnel 102
ip address 10.10.30.30 255.255.255.0
ctunnel destination 39.840F.80.1111.0000.1111.1111.dddddddddddd.00
interface Ethernet0/1
clns router isis
router isis
net 39.840F.80.1111.0000.1111.1111.bbbbbbbbbbbb.00
[Figure 14-28 image: CTC 1 (10.10.10.100/24) on an IP DCN; Router 2 (Interface 0/0: 10.10.10.10/24, Interface 0/1: 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00); Router 1 (Interface 0/0: 10.10.20.20/24, Interface 0/1: 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00); IP/OSI Vendor GNE (10.10.30.20/24, NSAP 39.840F.80.111111.0000.1111.1111.cccccccccccc.00); ONS NE 1 (10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00); other vendor NE (OSI) behind an OSI-only DCC (LAPD); GRE tunnel]
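The pre-provisioning checks of 14.6.8.1 (tunnel type supported at both ends, IP and NSAP addresses verified) and the commands of Table 14-14, as an added Python example that is not part of this manual or of Cisco IOS: it validates both ends of a tunnel using the Scenario 1 values from 14.6.8.2 and renders CTunnel lines in the shape of the Scenario 2 sample configuration above. The NSAP length bounds (8 to 20 octets), the check that a CTunnel destination ends in selector 00, the interface numbers and the IS-IS interface name are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass

NSAP_MIN_OCTETS, NSAP_MAX_OCTETS = 8, 20       # NET length range accepted by Cisco IOS
SUPPORTED_TUNNEL_TYPES = {"GRE", "Cisco IP"}   # the two tunnel types described in 14.6.8


@dataclass
class TunnelEnd:
    """One end's provisioning fields, named as in the scenario bullet lists."""
    name: str
    destination: str    # Destination: host or subnet reached through the tunnel
    mask: str           # Mask: 255.255.255.255 for a host route, else the subnet mask
    peer_nsap: str      # NSAP: the far end's NET
    metric: int
    tunnel_type: str    # "GRE" or "Cisco IP"


def nsap_key(nsap: str) -> str:
    """Canonical hex form of a dotted NSAP, for comparisons."""
    return nsap.replace(".", "").replace(" ", "").lower()


def nsap_octets(nsap: str) -> bytes:
    """Dotted NSAP text to bytes; ValueError if it is not a well-formed address."""
    digits = nsap_key(nsap)
    if len(digits) % 2 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"NSAP is not an even run of hex digits: {nsap}")
    raw = bytes.fromhex(digits)
    if not NSAP_MIN_OCTETS <= len(raw) <= NSAP_MAX_OCTETS:
        raise ValueError(f"NSAP is {len(raw)} octets, expected {NSAP_MIN_OCTETS}..{NSAP_MAX_OCTETS}")
    return raw


def check_tunnel(a: TunnelEnd, b: TunnelEnd) -> list:
    """The 14.6.8.1 pre-checks for both ends of one tunnel; returns findings (empty = clean)."""
    findings = []
    for end in (a, b):
        if end.tunnel_type not in SUPPORTED_TUNNEL_TYPES:
            findings.append(f"{end.name}: unknown tunnel type {end.tunnel_type!r}")
        if end.metric <= 0:
            findings.append(f"{end.name}: metric must be positive")
        try:
            raw = nsap_octets(end.peer_nsap)
            if raw[-1] != 0x00:   # a CTunnel destination is the peer's NET, selector 00
                findings.append(f"{end.name}: peer NSAP selector is {raw[-1]:02X}, expected 00")
        except ValueError as exc:
            findings.append(f"{end.name}: {exc}")
        try:
            ipaddress.ip_network(f"{end.destination}/{end.mask}", strict=False)
        except ValueError as exc:
            findings.append(f"{end.name}: bad destination/mask: {exc}")
    if a.tunnel_type != b.tunnel_type:
        findings.append(f"tunnel type mismatch: {a.name} {a.tunnel_type}, {b.name} {b.tunnel_type}")
    if nsap_key(a.peer_nsap) == nsap_key(b.peer_nsap):
        findings.append("both ends name the same NSAP; each end must point at the other's NET")
    return findings


def render_ctunnel(interface_number: int, tunnel_ip: str, tunnel_mask: str,
                   peer_nsap: str, own_net: str, isis_interface: str) -> list:
    """Cisco IOS lines in the shape of Table 14-14 and the Scenario 2 sample configuration."""
    nsap_octets(peer_nsap)                         # never emit a malformed destination
    mask = ipaddress.ip_network(f"{tunnel_ip}/{tunnel_mask}", strict=False).netmask
    return [
        "ip routing",
        "clns routing",
        f"interface ctunnel {interface_number}",
        f" ip address {tunnel_ip} {mask}",
        f" ctunnel destination {peer_nsap}",
        f"interface {isis_interface}",
        " clns router isis",
        "router isis",
        f" net {own_net}",
    ]


def scenario_1_ends() -> tuple:
    """Both ends of the Scenario 1 tunnel, using the values listed in 14.6.8.2."""
    ons_ne_1 = TunnelEnd("ONS NE 1", "10.10.10.100", "255.255.255.255",
                         "39.840F.80.1111.0000.1111.1111.cccccccccccc.00", 110, "GRE")
    vendor_gne = TunnelEnd("Other vendor GNE", "10.20.30.30", "255.255.255.255",
                           "39.840F.80.1111.0000.1111.1111.dddddddddddd.00", 110, "GRE")
    return ons_ne_1, vendor_gne
```

A finding from check_tunnel is the kind of mistake the text warns about: a GRE end facing a Cisco IP end never comes up, and a destination NSAP with a non-zero selector, or one that is really the local NET, silently leaves the far end unreachable while the CTunnel interface still looks provisioned.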
Figure 14-29 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router
14.6.8.4 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN
Figure 14-30 shows an IP-over-CLNS tunnel from an ONS node to a router across an OSI DCN. The
other vendor NE has an OSI connection to an IP DCN to which a CTC computer is attached. An OSI-only
(LAP-D) SDCC is created between the ONS NE 1 and the other vendor GNE. The IP-over-OSI tunnel
can be either the Cisco IP tunnel or a GRE tunnel, depending on the tunnel types supported by the router.
[Figure 14-29 image: CTC 1 (10.10.10.100/24) on an IP DCN; Router 2 (Interface 0/0: 10.10.10.10/24, Interface 0/1: 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00); Router 1 (Interface 0/0: 10.10.20.20/24, Interface 0/1: 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00); other vendor GNE and other vendor NE (OSI); ONS NE 1 (10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00) behind an OSI-only DCC (LAPD); GRE or Cisco IP tunnel]
ONS NE 1 IP-over-CLNS tunnel provisioning:
• Destination: Router 2 IP address
• Mask: 255.255.255.255 for host route (CTC 1 only), or 255.255.255.0 for subnet route (all CTC
computers on the same subnet)
• NSAP: Other vendor GNE NSAP address
• Metric: 110
• Tunnel Type: Cisco IP
Router 2 IP-over-CLNS tunnel provisioning (sample Cisco IOS provisioning):
ip routing
clns routing
interface ctunnel 102
ip address 10.10.30.30 255.255.255.0
ctunnel destination 39.840F.80.1111.0000.1111.1111.dddddddddddd.00
interface Ethernet0/1
clns router isis
router isis
net 39.840F.80.1111.0000.1111.1111.aaaaaaaaaaaa.00
Figure 14-30 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN
14.6.9 OSI/IP Networking Scenarios
The following eight scenarios show examples of ONS 15454s in networks with OSI-based NEs. The
scenarios show ONS 15454 nodes in a variety of roles. The scenarios assume the following:
• ONS 15454 NEs are configured as dual OSI and IP nodes with both IP and NSAP addresses. They
run both OSPF and OSI (IS-IS or ES-IS) routing protocols as “Ships-In-The-Night,” with no route
redistribution.
• ONS 15454 NEs run TARP, which allows them to resolve a TL1 TID to a NSAP address. A TID
might resolve to both an IP and an NSAP address when the destination TID is an ONS 15454 NE
that has both IP and NSAP address.
• DCC links between ONS 15454 NEs and OSI-only NEs run the full OSI stack over LAP-D, which
includes IS-IS, ES-IS, and TARP.
• DCC links between ONS 15454 NEs run the full OSI stack and IP (OSPF) over PPP.
[Figure 14-30 image: CTC 1 (10.10.10.100/24) and an OSI DCN carrying IP; Router 2 (Interface 0/0: 10.10.10.10/24, Interface 0/1: 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00); Router 1 (Interface 0/0: 10.10.20.20/24, Interface 0/1: 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00); other vendor GNE and other vendor NE (OSI); ONS NE 1 (10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00) behind an OSI-only DCC (LAPD); GRE or Cisco IP tunnel]
• All ONS 15454 NEs participating in an OSI network run OSI over PPP between themselves. This is
needed so that other vendor GNEs can route TL1 commands to all ONS 15454 NEs participating in
the OSI network.
14.6.9.1 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE
Figure 14-31 shows OSI/IP Scenario 1, the current ONS 15454 IP-based implementation, with an IP
DCN, IP-over-PPP DCC, and OSPF routing.
Figure 14-31 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE
14.6.9.2 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE
OSI/IP Scenario 2 (Figure 14-32) shows an ONS 15454 GNE in a multivendor OSI network. Both the
ONS 15454 GNE and the other vendor NEs are managed by an IP OSS using TL1 and FTP. The
ONS 15454 is also managed by CTC and Cisco Transport Manager (CTM). Because the other vendor
NE only supports TL1 and FTAM over the full OSI stack, the ONS 15454 GNE provides T–TD and
FT–TD mediation to convert TL1/IP to TL1/OSI and FTAM/OSI to FTP/IP.
1 IP OSS manages ONS 15454 using TL1 and FTP.
2 DCCs carry IP over the PPP protocol.
3 The ONS 15454 network is managed by IP over OSPF.
[Figure 14-31 image: CTC/CTM and IP OSS on an IP DCN; ONS GNE, ONS ENE and ONS NEs linked by IP/PPP/DCC with IP/OSPF routing; callouts 1 to 3]
Figure 14-32 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE
The ONS 15454 GNE routes TL1 traffic to the correct NE by resolving the TL1 TID to either an IP or
NSAP address. For TL1 traffic to other vendor NEs (OSI-only nodes), the TID is resolved to an NSAP
address. The ONS 15454 GNE passes the TL1 to the mediation function, which encapsulates it over the
full OSI stack and routes it to the destination using the IS-IS protocol.
For TL1 traffic to ONS 15454 NEs, the TID is resolved to both an IP and an NSAP address. The
ONS 15454 GNE follows the current TL1 processing model and forwards the request to the destination
NE using the TCP/IP stack and OSPF routing.
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 The ONS 15454 GNE performs mediation for other vendor NEs.
3 DCCs between the ONS 15454 GNE and ONS 15454 NEs are provisioned for IP and OSI over
PPP.
4 DCCs between the ONS 15454 GNE and other vendor NEs are provisioned for OSI over
LAP-D.
5 The ONS 15454 and the other vendor NE network include IP over OSPF and OSI over the IS-IS
protocol.
[Figure 14-32 image: CTC/CTM and IP OSS on an IP DCN; ONS GNE and ONS NEs linked by IP and OSI/PPP/DCC (IP/OSPF); other vendor NEs linked by OSI/LAP-D/DCC (OSI/IS-IS); callouts 1 to 5]
OSS-initiated software downloads consist of two parts: the OSS to destination NE TL1 download request
and the file transfer. The TL1 request is handled the same as described in the previous paragraph. The
ONS 15454 NEs use FTP for file transfers. OSI-only NEs use FTAM to perform file transfers. The
FTAM protocol is carried over OSI between the OSI NE and the ONS 15454 GNE. The GNE mediation
translates between FTAM and FTP.
14.6.9.3 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE
In OSI/IP Scenario 3 (Figure 14-33), all TL1 traffic between the OSS and GNE is exchanged over the IP
DCN. TL1 traffic targeted for the GNE is processed locally. All other TL1 traffic is forwarded to the OSI
stack, which performs IP-to-OSI TL1 translation. The TL1 is encapsulated in the full OSI stack and sent
to the target NE over the DCC. The GNE can route to any node within the IS-IS domain because all NEs,
ONS 15454 and non-ONS 15454, have NSAP addresses and support IS-IS routing.
TL1 traffic received by an ONS 15454 NE and not addressed to its NSAP address is forwarded by IS-IS
routing to the correct destination. TL1 traffic received by an ONS 15454 NE and addressed to its NSAP
is sent up the OSI stack to the mediation function, which extracts the TL1 and passes it to the ONS 15454
TL1 processor.
An OSS-initiated software download includes the OSS-to-destination node TL1 download request and
the file transfer. The TL1 request is handled as described in the previous paragraph. The target node uses
FTAM for file transfers because the GNE does not support IP on the DCC and cannot forward FTP. The
ONS 15454 NEs therefore must support an FTAM client and initiate file transfer using FTAM when
subtended to an OSI GNE.
In this scenario, the GNE has both IP and OSI DCN connections. The GNE only supports TL1 and FTP
over IP. Both are translated and then carried over OSI to the destination ENE (ONS 15454 or OSI-only
NE). All other IP traffic is discarded by the GNE. The CTC/CTM IP traffic is carried over an IP-over-OSI
tunnel to an ONS 15454 NE. The tunnel is created between an external router and an ONS 15454 NE.
The traffic is sent to the ONS 15454 terminating the tunnel. That ONS 15454 then forwards the traffic
over the tunnel to CTC/CTM by way of the external router.
Figure 14-33 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE
Figure 14-34 shows the same scenario, except the IP-over-CLNS tunnel endpoint is the GNE rather than
the DCN router.
1 The IP OSS manages the ONS 15454 and other vendor NEs using TL1 and FTP.
2 The other vendor GNE performs mediation for TL1 and FTP, so the DCCs to the ONS 15454
and other vendor NEs are OSI-only.
3 CTC/CTM communicates with ONS 15454 NEs over an IP-over-CLNS tunnel. The tunnel is
created from the ONS 15454 node to the external router.
4 The ONS 15454 NE exchanges TL1 over the full OSI stack using FTAM for file transfer.
[Figure 14-33 image: CTC/CTM and IP OSS on an IP DCN carrying IP and OSI; other vendor GNE; ONS NE 1 and ONS NE 2 linked by IP and OSI/PPP/DCC; other vendor NEs linked by OSI/LAP-D/DCC; callouts 1 to 4]
Figure 14-34 OSI/IP Scenario 3 with OSI/IP-over-CLNS Tunnel Endpoint at the GNE
14.6.9.4 OSI/IP Scenario 4: Multiple ONS DCC Areas
OSI/IP Scenario 4 (Figure 14-35) is similar to OSI/IP Scenario 3 except that the OSI GNE is subtended
by multiple isolated ONS 15454 areas. A separate IP-over-CLNS tunnel is required to each isolated
ONS 15454 OSPF area. An alternate approach is to create a single IP-over-CLNS tunnel from CTC/CTM
to an ONS 15454 NE, and then to configure a tunnel from that NE to an NE in each isolated OSPF area.
This approach requires additional static routes.
1 The IP OSS manages ONS and other vendor NEs using TL1 and FTP.
2 The router routes requests to the other vendor GNE.
3 The other vendor GNE performs mediation for TL1 and FTP, so the DCCs to ONS 15454 and
other vendor NEs are OSI-only.
4 CTC/CTM communicates with ONS 15454 NEs over an IP-over-CLNS tunnel between the
ONS 15454 and the GNE.
5 ONS 15454 NEs exchange TL1 over the full OSI stack. FTAM is used for file transfer.
[Figure 14-34 image: CTC/CTM and IP OSS on an IP DCN; other vendor GNE; ONS NE 1 and ONS NE 2 linked by IP and OSI/PPP/DCC; other vendor NEs linked by OSI/LAP-D/DCC; callouts 1 to 5]
Figure 14-35 OSI/IP Scenario 4: Multiple ONS DCC Areas
14.6.9.5 OSI/IP Scenario 5: GNE Without an OSI DCC Connection
OSI/IP Scenario 5 (Figure 14-36) is similar to OSI/IP Scenario 3 except that the OSI GNE only has an
IP connection to the DCN. It does not have an OSI DCN connection to carry CTC/CTM IP traffic through
an IP-over-OSI tunnel. A separate DCN to ONS 15454 NE connection is created to provide CTC/CTM
access.
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 A separate tunnel is created for each isolated ONS 15454 DCC area.
[Figure 14-35 image: CTC/CTM and IP OSS on an IP DCN; other vendor GNE (OSI) with an OSI/LAP-D/DCC link to each of three isolated ONS NE areas, the ONS NEs in each area linked by IP and OSI/PPP/DCC; callout 1, and a callout 2 for each area]
Figure 14-36 OSI/IP Scenario 5: GNE Without an OSI DCC Connection
14.6.9.6 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE
OSI/IP Scenario 6 (Figure 14-37) shows how the ONS 15454 supports OSI DCNs. The OSI DCN has no
impact on the ONS 15454 because all IP traffic (CTC/CTM, FTP, and TL1) is tunneled through the OSI
DCN.
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 The other vendor GNE performs mediation on TL1 and FTP, so DCCs are OSI-only.
3 CTC/CTM communicates with ONS 15454 NEs over a separate IP DCN connection.
4 ONS 15454 NE exchanges TL1 over the full OSI stack. FTAM is used for file transfers.
[Figure diagram, image not reproduced: IP DCN with CTC/CTM and IP OSS; two ONS NEs; other vendor GNE and two other vendor NEs; links labeled IP and OSI/PPP/DCC and OSI/LAP-D/DCC; callouts 1 to 4.]
Figure 14-37 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE
14.6.9.7 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs
OSI/IP Scenario 7 (Figure 14-38) shows an example of a European network.
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 OSS IP traffic is tunneled through the DCN to the ONS 15454 GNE.
3 CTC/CTM IP traffic is tunneled through the DCN to the ONS 15454 GNE.
4 The GNE performs mediation for other vendor NEs.
[Figure diagram, image not reproduced: OSI DCN with CTC/CTM and IP OSS; ONS GNEs; two other vendor NEs; links labeled IP and OSI/PPP/DCC and OSI/LAP-D/DCC; callouts 1 to 4.]
Figure 14-38 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs
In European networks:
• CTC and CTM are used for management only.
• IP-over-CLNS tunnels are widely accepted and deployed.
1 ONS 15454 NEs are managed by CTC/CTM only (TL1/FTP is not used).
2 The OSI OSS manages other vendor NEs only.
3 CTC/CTM communicates with the ONS 15454 over an IP-over-CLNS tunnel between the
ONS 15454 NE and external router.
[Figure diagram, image not reproduced: OSI DCN with CTC/CTM and IP OSS; ONS NE 1, ONS NE 2, and ONS NE 3; other vendor GNE; other vendor NE 1 and NE 2; links labeled IP and OSI/PPP/DCC and OSI/LAP-D/DCC; callouts 1 to 3.]
• TL1 management is not required.
• FTP file transfer is not required.
• TL1 and FTAM to FTP mediation is not required.
Management traffic between CTC/CTM and ONS 15454 NEs is carried over an IP-over-CLNS tunnel.
A static route is configured on the ONS 15454 that terminates the tunnel (ONS 15454 NE 1) so that
downstream ONS 15454 NEs (ONS 15454 NE 2 and 3) know how to reach CTC/CTM.
14.6.9.8 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs
OSI/IP Scenario 8 (Figure 14-39) is another example of a European network. Similar to OSI/IP Scenario
7, the ONS 15454 NEs are solely managed by CTC/CTM. The CTC/CTM IP traffic is carried over an
IP-over-OSI tunnel between an external router and the ONS 15454 GNE. The GNE extracts the IP from
the tunnel and forwards it to the destination ONS 15454. Management traffic between the OSS and other
vendor NEs is routed by the ONS 15454 GNE and NEs. This is possible because all ONS 15454 NEs run
dual stacks (OSI and IP).
Figure 14-39 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs
1 The ONS NEs are managed by CTC/CTM only (TL1/FTP is not used).
2 The OSI OSS manages other vendor NEs only.
3 CTC/CTM communicates with the ONS 15454 over an IP-over-CLNS tunnel between the
ONS 15454 NE and the external router. A static route is needed on the GNE.
4 The ONS 15454 GNE routes OSI traffic to other vendor NEs. No IP-over-CLNS tunnel is
needed.
[Figure diagram, image not reproduced: OSI DCN with CTC/CTM and IP OSS; ONS GNE; ONS NE 1 and ONS NE 2; other vendor NE 1, NE 2, and NE 3; links labeled IP and OSI/PPP/DCC, OSI/PPP/DCC, and OSI/LAP-D/DCC; callouts 1 to 4.]
14.6.10 Provisioning OSI in CTC
Table 14-15 shows the OSI actions that are performed from the node view Provisioning tab. Refer to the
Cisco ONS 15454 Procedure Guide for OSI procedures and tasks.
Table 14-16 shows the OSI actions that are performed from the node view Maintenance tab.
Table 14-15 OSI Actions from the CTC Provisioning Tab
Tab Actions
OSI > Main Setup • View and edit Primary Area Address.
• Change OSI routing mode.
• Change LSP buffers.
OSI > TARP > Config Configure the TARP parameters:
• PDU L1/L2 propagation and origination.
• TARP data cache and loop detection buffer.
• LAN storm suppression.
• Type 4 PDU on startup.
• TARP timers: LDB, T1, T2, T3, T4.
OSI > TARP > Static TDC Add and delete static TARP data cache entries.
OSI > TARP > MAT Add and delete static manual area table entries.
OSI > Routers > Setup • Enable and disable routers.
• Add, delete, and edit manual area addresses.
OSI > Routers > Subnets Edit SDCC, LDCC, and LAN subnets that are provisioned for OSI.
OSI > Tunnels Add, delete, and edit Cisco and IP-over-CLNS tunnels.
Comm Channels > SDCC • Add OSI configuration to an SDCC.
• Choose the data link layer protocol, PPP or LAP-D.
Comm Channels > LDCC • Add OSI configuration to an LDCC.
Table 14-16 OSI Actions from the CTC Maintenance Tab
Tab Actions
OSI > ISIS RIB View the IS-IS routing table.
OSI > ESIS RIB View ESs that are attached to ISs.
OSI > TDC • View the TARP data cache and identify static and dynamic entries.
• Perform TID to NSAP resolutions.
• Flush the TDC.
14.7 IPv6 Network Compatibility
IPv6 simplifies IP configuration and administration and has a larger address space than IPv4 to support
the future growth of the Internet and Internet related technologies. It uses 128-bit addresses, compared
with the 32-bit addresses used in IPv4. IPv6 also gives more flexibility in designing newer addressing
architectures.
Cisco ONS 15454 can function in an IPv6 network when an Internet router that supports Network
Address Translation-Protocol Translation (NAT-PT) is positioned between the GNE, such as an ONS
15454, and the client workstation. NAT-PT is a migration tool that helps users transition from IPv4
networks to IPv6 networks. NAT-PT is defined in RFC-2766. IPv4 and IPv6 nodes communicate with
each other using NAT-PT by allowing both IPv6 and IPv4 stacks to interface between the IPv6 DCN and
the IPv4 DCC networks.
Note IPv6 is supported on Cisco ONS 15454 Software R8.0 and later with an external NAT-PT router.
14.8 IPv6 Native Support
Cisco ONS 15454 Software R9.0 and later supports native IPv6. ONS 15454 can be managed over IPv6
DCN networks by enabling the IPv6 feature. After you enable IPv6 in addition to IPv4, you can use CTC,
TL1, and SNMP over an IPv6 DCN to manage ONS 15454. Each NE can be assigned an IPv6 address
in addition to the IPv4 address. You can access the NE by entering the IPv4 address, an IPv6 address or
the DNS name of the device. The IPv6 address is assigned only on the LAN interface of the NE.
DCC/GCC interfaces use the IPv4 address.
By default, when IPv6 is enabled, the node processes both IPv4 and IPv6 packets on the LAN interface.
If you want to process only IPv6 packets, you need to disable IPv4 on the node. Before you disable IPv4,
ensure that IPv6 is enabled and the node is not in multishelf mode.
Figure 14-40 shows how an IPv6 DCN interacts with an IPv4 DCC.
Figure 14-40 IPv6-IPv4 Interaction
[Figure diagram, image not reproduced: an IPv6 DCN on the NMS side and an IPv4 DCC network on the NE side. Addresses shown in the figure:]
NMS: IPv6 address 3ffe:b00:ffff:1::2
GNE A: IPv6 address 3ffe:b00:ffff:1::5, IPv4 address 10.10.20.40
ENE B: IPv6 address 3ffe:b00:ffff:1::3, IPv4 address 10.10.10.10
ENE C: IPv6 address 3ffe:b00:ffff:1::4, IPv4 address 10.10.10.20
ENE D: IPv6 address 3ffe:b00:ffff:1::6, IPv4 address 10.10.20.30
You can manage MSTP multishelf nodes over IPv6 DCN. RADIUS, FTP, SNTP, and other network
applications support IPv6 DCN. To enable IPv6 addresses, you need to make the necessary configuration
changes from the CTC or TL1 management interface. After you enable IPv6, you can start a CTC or TL1
session using the provisioned IPv6 address. The ports used for all IPv6 connections to the node are the
same as the ports used for IPv4.
An NE can either be in IPv6 mode or IPv4 mode. In IPv4 mode, the LAN interface does not have an IPv6
address assigned to it. An NE, whether it is IPv4 or IPv6, has an IPv4 address and subnet mask.
TCC2/TCC2P cards do not reboot automatically when you provision an IPv6 address, but a change in
IPv4 address initiates a TCC2/TCC2P card reset. Table 14-17 describes the differences between an IPv4
node and an IPv6 node.
14.8.1 IPv6 Enabled Mode
The default IP address configured on the node is IPv4. You can use either CTC or the TL1 management
interface to enable IPv6. For more information about enabling IPv6 from the CTC interface, see the
Cisco ONS 15454 Procedure Guide. For more information about enabling IPv6 using TL1 commands,
see the Cisco ONS SONET TL1 Command Guide.
14.8.2 IPv6 Disabled Mode
You can disable IPv6 either from the CTC or from the TL1 management interface. For more information
about disabling IPv6 from the CTC interface, see the Cisco ONS 15454 Procedure Guide. For more
information about disabling IPv6 using TL1 commands, see the Cisco ONS SONET TL1 Command
Guide.
14.8.3 IPv6 in Non-secure Mode
In non-secure mode, IPv6 is supported on the front and the rear Ethernet interfaces. You can start a CTC
or TL1 session using the IPv6 address provisioned on the front and rear ports of the NE.
Table 14-17 Differences Between an IPv6 Node and an IPv4 Node
IPv6 Node | IPv4 Node
Has both IPv6 address and IPv4 address assigned to its craft Ethernet interface. | Does not have an IPv6 address assigned to its craft Ethernet interface.
The default router has an IPv6 address for IPv6 connectivity, and an IPv4 address for IPv4 connectivity. | The default router has an IPv4 address.
Cannot enable OSPF on LAN. Cannot change IPv4 NE to IPv6 NE if OSPF is enabled on the LAN. | Can enable OSPF on the LAN.
Cannot enable RIP on the LAN. Cannot change IPv4 NE to IPv6 NE if RIP is enabled on the LAN. | Can enable static routes/RIP on the LAN.
Not supported on static routes, proxy tunnels, and firewall tunnels. | Supported on static routes, proxy tunnels, and firewall tunnels.
Routing decisions are based on the default IPv6 router provisioned. |
14.8.4 IPv6 in Secure Mode
In secure mode, IPv6 is only supported on the rear Ethernet interface. The front port only supports IPv4
even if it is disabled on the rear Ethernet interface. For more information about provisioning IPv6
addresses in secure mode, see the Cisco ONS 15454 Procedure Guide. For more information on secure
mode behavior, see the “14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on
page 14-20.
14.8.5 IPv6 Limitations
IPv6 has the following configuration restrictions:
• You can provision an NE as IPv6 enabled only if the node is a SOCKS-enabled or firewall-enabled
GNE/ENE.
• IPSec is not supported.
• OSPF/RIP cannot be enabled on the LAN interface if the NE is provisioned as an IPv6 node.
• Static route/firewall/proxy tunnel provisioning is applicable only to IPv4 addresses even if the IPv6
is enabled.
• In secure mode, IPv6 is supported only on the rear Ethernet interface. IPv6 is not supported on the
front port.
• ONS platforms use NAT-PT internally for providing IPv6 native support. NAT-PT uses the IPv4
address range 128.x.x.x for packet translation. Do not use the 128.x.x.x address range when you
enable the IPv6 feature.
14.9 FTP Support for ENE Database Backup
The Cisco ONS 15454 provides FTP database backup and restore download to ENEs when
proxy/firewall is enabled. This feature allows you to provision a list of legal FTP hosts in CTC, that can
be used with TL1 commands to perform database backup/restore or software download. The FTP hosts
can be provisioned to elapse after a specified time interval with the enable FTP relay function.
Once FTP hosts are provisioned and FTP Relay is enabled, TL1 users can use the COPY-RFILE
command to perform database backup/restore or software download to and from this list of legal FTP
hosts that are provisioned to ENEs. TL1 also supports TID to IP address translation for the GNE TID
that is specified in the FTP URL of the COPY-RFILE and COPY-IOSCFG commands.
Using the FTP Host provisioning feature in CTC and TL1 you can configure up to 12 valid FTP hosts.
ENEs are allowed access through the firewall according to the time configured in the FTP Relay Timer
in CTC or TL1. The time interval is 1 to 60 minutes, and once the timer elapses, all FTP access to the
FTP host is blocked again. A time of 0 disallows ENE access to FTP commands through the firewall.
When the firewall is not enabled (Proxy only), all FTP operations to the ENE will be allowed – software
download, database backup/restore and IOS config file backup/restore. All FTP operations to the ENEs
will be blocked when firewall is enabled.
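As an added illustration (not Cisco code) of the access rules described above, the following Python models the legal FTP host list, the FTP Relay Timer, and the proxy-only versus firewall behaviour; the class and method names, the minute counter used as a clock, and the 192.0.2.x host addresses are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FTP_HOSTS = 12              # CTC/TL1 allow up to 12 valid FTP hosts
RELAY_TIMER_MAX_MINUTES = 60    # FTP Relay Timer is 1 to 60 minutes; 0 disallows access


@dataclass
class FtpRelayPolicy:
    """Hypothetical model of how a GNE proxy/firewall decides ENE FTP access."""
    firewall_enabled: bool                 # False means proxy-only mode
    relay_timer_minutes: int               # FTP Relay Timer as provisioned in CTC/TL1
    hosts: List[str] = field(default_factory=list)
    relay_expires_at: Optional[int] = None  # minute counter; None = relay window not open

    def __post_init__(self) -> None:
        if not 0 <= self.relay_timer_minutes <= RELAY_TIMER_MAX_MINUTES:
            raise ValueError("FTP Relay Timer must be 0 or 1-60 minutes")

    def add_host(self, host: str) -> None:
        """Provision a legal FTP host; the list is capped at 12 entries."""
        if host in self.hosts:
            return
        if len(self.hosts) >= MAX_FTP_HOSTS:
            raise ValueError("FTP host list is full (%d hosts)" % MAX_FTP_HOSTS)
        self.hosts.append(host)

    def enable_relay(self, now_minute: int) -> None:
        """Enable FTP Relay: the firewall opens for the timer duration.
        A timer of 0 never opens it."""
        if self.relay_timer_minutes == 0:
            self.relay_expires_at = None
        else:
            self.relay_expires_at = now_minute + self.relay_timer_minutes

    def ene_ftp_allowed(self, host: str, now_minute: int) -> bool:
        """May an ENE run COPY-RFILE/COPY-IOSCFG-style FTP operations
        (software download, database or IOS config backup/restore) to host?"""
        if not self.firewall_enabled:
            return True                 # proxy only: all FTP operations allowed
        if host not in self.hosts:
            return False                # not a provisioned legal FTP host
        if self.relay_expires_at is None:
            return False                # relay not enabled, or timer is 0
        if now_minute >= self.relay_expires_at:
            return False                # timer elapsed: access blocked again
        return True


def relay_walkthrough() -> List[bool]:
    """Decisions over time for one constructed GNE: before relay is enabled,
    during the window, for an unprovisioned host, and after the timer elapses."""
    policy = FtpRelayPolicy(firewall_enabled=True, relay_timer_minutes=10)
    policy.add_host("192.0.2.10")       # constructed sample FTP host
    before = policy.ene_ftp_allowed("192.0.2.10", 0)
    policy.enable_relay(0)
    return [
        before,
        policy.ene_ftp_allowed("192.0.2.10", 9),
        policy.ene_ftp_allowed("192.0.2.99", 9),
        policy.ene_ftp_allowed("192.0.2.10", 10),
    ]
```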
CHAPTER 15
Performance Monitoring
Performance monitoring (PM) parameters are used by service providers to gather, store, set thresholds
for, and report performance data for early detection of problems. In this chapter, PM parameters and
concepts are defined for electrical cards, ethernet cards, optical cards, optical multirate cards, and
storage access networking (SAN) cards in the Cisco ONS 15454.
For information about enabling and viewing PM values, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 15.1 Threshold Performance Monitoring, page 15-2
• 15.2 Intermediate Path Performance Monitoring, page 15-3
• 15.3 Pointer Justification Count Performance Monitoring, page 15-4
• 15.4 Performance Monitoring Parameter Definitions, page 15-5
• 15.5 Performance Monitoring for Electrical Cards, page 15-12
• 15.6 Performance Monitoring for Ethernet Cards, page 15-29
• 15.7 Performance Monitoring for Optical Cards, page 15-49
• 15.8 Performance Monitoring for Optical Multirate Cards, page 15-52
• 15.9 Performance Monitoring for Storage Access Networking Cards, page 15-53
Note For transponder (TXP), muxponder (MXP), and DWDM card PM parameters, refer to the
Cisco ONS 15454 DWDM Reference Manual.
Note For additional information regarding PM parameters, refer to Telcordia documents GR-1230-CORE,
GR-820-CORE, GR-499-CORE, and GR-253-CORE and the ANSI T1.231 document entitled Digital
Hierarchy - Layer 1 In-Service Digital Transmission Performance Monitoring.
Note When circuits transition from the out-of-service state to the in-service state, the performance monitoring
counts during the out-of-service circuit state are not part of the accumulation cycle.
15.1 Threshold Performance Monitoring
Thresholds are used to set error levels for each PM parameter. You can set individual PM threshold
values from the Cisco Transport Controller (CTC) card view Provisioning tab. For procedures on
provisioning card thresholds, such as line, path, and SONET thresholds, refer to the Cisco ONS 15454
Procedure Guide.
During the accumulation cycle, if the current value of a PM parameter reaches or exceeds its
corresponding threshold value, a threshold crossing alert (TCA) is generated by the node and displayed
by CTC. TCAs provide early detection of performance degradation. When a threshold is crossed, the
node continues to count the errors during a given accumulation period. If zero is entered as the threshold
value, generation of TCAs is disabled, but performance monitoring continues.
Change the threshold if the default value does not satisfy your error monitoring needs. For example,
customers with a critical DS-1 installed for 911 calls must guarantee the best quality of service on the
line; therefore, they lower all thresholds so that the slightest error raises a TCA.
When TCAs occur, they appear in CTC. An example is T-UASP-P in the Cond column (shown in
Figure 15-1), where the “T-” indicates a threshold crossing. For certain electrical cards, “RX” or “TX”
is appended to the TCA description, as indicated by the red circles in Figure 15-1. The RX indicates that
the TCA is associated with the receive direction, and TX indicates that the TCA is associated with the
transmit direction.
Figure 15-1 TCAs Displayed in CTC
Table 15-1 shows the electrical cards for which RX and TX are appended to the TCA descriptions.
Due to memory limitations and the number of TCAs generated by different platforms, you can manually
add/modify the following two properties to the platform property file (CTC.INI for Windows and .ctcrc
for UNIX):
• ctc.15xxx.node.tr.lowater=yyy where xxx is the platform and yyy is the number of the lowater
mark. The default lowater mark is 25.
• ctc.15xxx.node.tr.hiwater=yyy where xxx is the platform and yyy is the number of the hiwater
mark. The default hiwater mark is 50.
If the number of incoming TCAs exceeds the hiwater mark, the node keeps only the most recent TCAs,
up to the lowater mark, and discards the older ones.
15.2 Intermediate Path Performance Monitoring
Intermediate path performance monitoring (IPPM) allows transparent monitoring of a constituent
channel of an incoming transmission signal by a node that does not terminate that channel. Many large
networks only use line terminating equipment (LTE), not path terminating equipment (PTE). Table 15-2
shows ONS 15454 cards that are considered LTE.
Table 15-1 Electrical Cards that Report RX and TX Direction for TCAs
Card | Line Near End (RX / TX) | Line Far End (RX / TX) | Path Near End (RX / TX) | Path Far End (RX / TX)
DS1-14 | YES / — | YES / — | YES / YES | YES / —
DS1N-14 | YES / — | YES / — | YES / YES | YES / —
Table 15-2 ONS 15454 Line Terminating Equipment
ONS 15454 Electrical LTE
EC1-12 card
ONS 15454 Optical LTE
OC3 IR 4/STM1 SH 1310
OC3 IR/STM1 SH 1310-8
OC12 IR/STM4 SH1310
OC12 LR/STM4 LH1310
OC12 LR/STM4 LH 1550
OC12 IR/STM4 SH 1310-4
OC48 IR/STM16 SH AS 1310
OC48 LR/STM16 LH AS 1550
OC48 ELR/STM16 EH 100 GHz
OC48 ELR 200 GHz
OC192 SR/STM64 IO 1310
OC192 IR/STM64 SH 1550
OC192 LR/STM64 LH 1550
OC192 LR/STM64 LH ITU 15xx.xx
TXP_MR_10G
MXP_2.5G_10G
MXP_MR_2.5G
MXPP_MR_2.5G
MRC-12
MRC-2.5G-4
OC 192 - XFP
ONS 15454 Software R3.0 and higher allows LTE cards to monitor near-end PM data on individual
synchronous transport signal (STS) payloads by enabling IPPM. After enabling IPPM provisioning on
the line card, service providers can monitor large amounts of STS traffic through intermediate nodes,
thus making troubleshooting and maintenance activities more efficient.
IPPM occurs only on STS paths that have IPPM enabled, and TCAs are raised only for PM parameters
on the IPPM enabled paths. The monitored IPPM parameters are STS CV-P, STS ES-P, STS SES-P,
STS UAS-P, and STS FC-P.
Note Far-end IPPM is not supported by all OC-N cards. It is supported by OC3-4 and EC-1 cards. However,
SONET path PMs can be monitored by logging into the far-end node directly.
The ONS 15454 performs IPPM by examining the overhead in the monitored path and by reading all of
the near-end path PM values in the incoming direction of transmission. The IPPM process allows the
path signal to pass bidirectionally through the node completely unaltered.
See Table 15-3 on page 15-5 for detailed information and definitions of specific IPPM parameters.
15.3 Pointer Justification Count Performance Monitoring
Pointers are used to compensate for frequency and phase variations. Pointer justification counts indicate
timing errors on SONET networks. When a network is out of synchronization, jitter and wander occur
on the transported signal. Excessive wander can cause terminating equipment to slip.
Slips cause different effects in service. Voice service has intermittent audible clicks. Compressed voice
technology has short transmission errors or dropped calls. Fax machines lose scanned lines or experience
dropped calls. Digital video transmission has distorted pictures or frozen frames. Encryption service
loses the encryption key, causing data to be transmitted again.
Pointers provide a way to align the phase variations in STS and VT payloads. The STS payload pointer is
located in the H1 and H2 bytes of the line overhead. Clocking differences are measured by the offset in
bytes from the pointer to the first byte of the STS synchronous payload envelope (SPE) called the J1
byte. Clocking differences that exceed the normal range of 0 to 782 can cause data loss.
There are positive (PPJC) and negative (NPJC) pointer justification count parameters. PPJC is a count
of path-detected (PPJC-PDET-P) or path-generated (PPJC-PGEN-P) positive pointer justifications.
NPJC is a count of path-detected (NPJC-PDET-P) or path-generated (NPJC-PGEN-P) negative pointer
justifications depending on the specific PM name. PJCDIFF is the absolute value of the difference
between the total number of detected pointer justification counts and the total number of generated
pointer justification counts. PJCS-PDET-P is a count of the one-second intervals containing one or more
PPJC-PDET or NPJC-PDET. PJCS-PGEN-P is a count of the one-second intervals containing one or
more PPJC-PGEN or NPJC-PGEN.
A consistent pointer justification count indicates clock synchronization problems between nodes. A
difference between the counts means that the node transmitting the original pointer justification has
timing variations with the node detecting and transmitting this count. Positive pointer adjustments occur
when the frame rate of the SPE is too slow in relation to the rate of the STS-1.
You must enable PPJC and NPJC performance monitoring parameters for LTE cards. See Table 15-2 on
page 15-3 for a list of Cisco ONS 15454 LTE cards. In CTC, the count fields for PPJC and NPJC PMs
appear white and blank unless they are enabled on the card view Provisioning tab.
See Table 15-3 on page 15-5 for detailed information and definitions of specific pointer justification
count PM parameters.
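The pointer justification count parameters of Section 15.3 and their definitions in Table 15-3, as an added example (not Cisco code): per-second detected and generated justifications are accumulated into PPJC/NPJC-PDET-P, PPJC/NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, and PJCDIFF-P using the table's formula, with the 0 to 782 pointer range check and a timing interpretation from the text. The data class, function names, and sample seconds are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The STS payload pointer (H1/H2) gives a byte offset to the J1 byte; the
# manual states the normal range as 0 to 782.
POINTER_OFFSET_MAX = 782

# Constructed per-second samples for one STS path:
# (PPJC detected, NPJC detected, PPJC generated, NPJC generated) per second.
SAMPLE_SECONDS: List[Tuple[int, int, int, int]] = [
    (0, 0, 0, 0),
    (1, 0, 0, 0),
    (0, 0, 1, 0),
    (0, 1, 0, 0),
    (2, 0, 1, 1),
    (0, 0, 0, 0),
]


@dataclass(frozen=True)
class PjcPm:
    ppjc_pdet_p: int   # positive justifications detected on the incoming path
    npjc_pdet_p: int   # negative justifications detected on the incoming path
    ppjc_pgen_p: int   # positive justifications generated toward the local clock
    npjc_pgen_p: int   # negative justifications generated toward the local clock
    pjcdiff_p: int     # |(PPJC-PGEN-P - NPJC-PGEN-P) - (PPJC-PDET-P - NPJC-PDET-P)|
    pjcs_pdet_p: int   # seconds containing one or more PPJC-PDET or NPJC-PDET
    pjcs_pgen_p: int   # seconds containing one or more PPJC-PGEN or NPJC-PGEN


def pointer_offset_valid(offset: int) -> bool:
    """Offsets outside 0..782 are outside the normal pointer range and can cause data loss."""
    return 0 <= offset <= POINTER_OFFSET_MAX


def accumulate_pjc(seconds: Iterable[Tuple[int, int, int, int]]) -> PjcPm:
    """Accumulate one period of per-second justification events into the PM parameters."""
    ppjc_pdet = npjc_pdet = ppjc_pgen = npjc_pgen = 0
    pjcs_pdet = pjcs_pgen = 0
    for pos_det, neg_det, pos_gen, neg_gen in seconds:
        ppjc_pdet += pos_det
        npjc_pdet += neg_det
        ppjc_pgen += pos_gen
        npjc_pgen += neg_gen
        if pos_det or neg_det:
            pjcs_pdet += 1      # PJCS-PDET-P counts seconds, not events
        if pos_gen or neg_gen:
            pjcs_pgen += 1      # PJCS-PGEN-P counts seconds, not events
    # PJCDIFF-P per Table 15-3, taken as an absolute value.
    pjcdiff = abs((ppjc_pgen - npjc_pgen) - (ppjc_pdet - npjc_pdet))
    return PjcPm(ppjc_pdet, npjc_pdet, ppjc_pgen, npjc_pgen,
                 pjcdiff, pjcs_pdet, pjcs_pgen)


def timing_assessment(pm: PjcPm) -> str:
    """Reading of the counts following Section 15.3: a steady justification
    count points to clock synchronization problems between nodes, and a
    difference between detected and generated counts means the upstream node
    and this node disagree in timing."""
    total = pm.ppjc_pdet_p + pm.npjc_pdet_p + pm.ppjc_pgen_p + pm.npjc_pgen_p
    if total == 0:
        return "no pointer justifications"
    if pm.pjcdiff_p:
        return "detected and generated counts differ: timing variation between nodes"
    return "pointer justifications present: check clock synchronization"
```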
15.4 Performance Monitoring Parameter Definitions
Table 15-3 gives definitions for each type of PM parameter found in this chapter.
Table 15-3 Performance Monitoring Parameters
Parameter Definition
AISS-P AIS Seconds Path (AISS-P) is a count of one-second intervals containing
one or more alarm indication signal (AIS) defects.
BBE-PM Path Monitoring Background Block Errors (BBE-PM) indicates the
number of background block errors recorded in the optical transport
network (OTN) path during the PM time interval.
BBE-SM Section Monitoring Background Block Errors (BBE-SM) indicates the
number of background block errors recorded in the OTN section during
the PM time interval.
BBER-PM Path Monitoring Background Block Errors Ratio (BBER-PM) indicates
the background block errors ratio recorded in the OTN path during the PM
time interval.
BBER-SM Section Monitoring Background Block Errors Ratio (BBER-SM)
indicates the background block errors ratio recorded in the OTN section
during the PM time interval.
BIT-EC Bit Errors Corrected (BIT-EC) indicates the number of bit errors
corrected in the DWDM trunk line during the PM time interval.
CSS Controlled Slip Seconds (CSS) indicates the count of the seconds when at
least one or more controlled slips have occurred.
CSS-P Controlled Slip Seconds Path (CSS-P) indicates the count of the seconds
when at least one or more controlled slips have occurred.
CVCP-P Code Violation CP-bit Path (CVCP-P) is a count of CP-bit parity errors
occurring in the accumulation period.
CVCP-PFE Code Violation CP-bit Path (CVCP-PFE) is a parameter that is counted
when the three far-end block error (FEBE) bits in an M-frame are not all
collectively set to 1.
CGV Code Group Violations (CGV) is a count of received code groups that do
not contain a start or end delimiter.
CV-L Line Code Violation (CV-L) indicates the number of coding violations
occurring on the line. This parameter is a count of bipolar violations
(BPVs) and excessive zeros (EXZs) occurring over the accumulation
period.
CV-P Near-End STS Path Coding Violations (CV-P) is a count of BIP errors
detected at the STS path layer (that is, using the B3 byte). Up to eight BIP
errors can be detected per frame; each error increments the current CV-P
second register.
CV-PFE Far-End STS Path Coding Violations (CV-PFE) is a count of BIP errors
detected at the STS path layer (that is, using the B3 byte). Up to eight BIP
errors can be detected per frame; each error increments the current
CV-PFE second register.
CVP-P Code Violation Path (CVP-P) is a code violation parameter for M23
applications. CVP-P is a count of P-bit parity errors occurring in the
accumulation period.
CV-S Section Coding Violation (CV-S) is a count of bit interleaved parity (BIP)
errors detected at the section layer (that is, using the B1 byte in the
incoming SONET signal). Up to eight section BIP errors can be detected
per STS-N frame; each error increments the current CV-S second register.
CV-V Code Violation VT Layer (CV-V) is a count of the BIP errors detected at
the VT path layer. Up to two BIP errors can be detected per VT
superframe, with each error incrementing the current CV-V second
register.
DCG Data Code Groups (DCG) is a count of received data code groups that do
not contain ordered sets.
ESA-P Path Errored Seconds-A (ESA-P) is the count of 1-second intervals with
exactly one CRC-6 error and no AIS or severely errored framing (SEF)
defects.
ESB-P Path Errored Seconds-B (Rx ESB-P) is a count of 1-second intervals with
between 2 and 319 CRC-6 errors and no AIS or SEF.
ESCP-P Errored Seconds CP-bit Path (ESCP-P) is a count of seconds containing
one or more CP-bit parity errors, one or more SEF defects, or one or more
AIS defects. ESCP-P is defined for the C-bit parity application.
ESCP-PFE Far-End Errored Seconds CP-bit Path (ESCP-PFE) is a count of
one-second intervals containing one or more M-frames with the three
FEBE bits not all collectively set to 1 or one or more far-end SEF/AIS
defects.
ES-L Line Errored Seconds (ES-L) is a count of the seconds containing one or
more anomalies (BPV + EXZ) and/or defects (that is, loss of signal) on
the line.
ES-NP
ES-P Near-End STS Path Errored Seconds (ES-P) is a count of the seconds
when at least one STS path BIP error was detected. An AIS Path (AIS-P)
defect (or a lower-layer, traffic-related, near-end defect) or a Loss of
Pointer Path (LOP-P) defect can also cause an ES-P.
ES-PFE Far-End STS Path Errored Seconds (ES-PFE) is a count of the seconds
when at least one STS path BIP error was detected. An AIS-P defect (or a
lower-layer, traffic-related, far-end defect) or an LOP-P defect can also
cause an STS ES-PFE.
ES-PM Path Monitoring Errored Seconds (ES-PM) indicates the errored seconds
recorded in the OTN path during the PM time interval.
ESP-P Errored Seconds Path (ESP-P) is a count of seconds containing one or
more P-bit parity errors, one or more SEF defects, or one or more AIS
defects.
ESR-PM Path Monitoring Errored Seconds Ratio (ESR-PM) indicates the errored
seconds ratio recorded in the OTN path during the PM time interval.
ESR-SM Section Monitoring Errored Seconds Ratio (ESR-SM) indicates the
errored seconds ratio recorded in the OTN section during the PM time
interval.
ES-S Section Errored Seconds (ES-S) is a count of the number of seconds when
at least one section-layer BIP error was detected or an SEF or loss of
signal (LOS) defect was present.
ES-SM Section Monitoring Errored Seconds (ES-SM) indicates the errored
seconds recorded in the OTN section during the PM time interval.
ES-V Errored Seconds VT Layer (ES-V) is a count of the seconds when at least
one VT Path BIP error was detected. An AIS Virtual Tributary (VT)
(AIS-V) defect (or a lower-layer, traffic-related, near-end defect) or an
LOP VT (LOP-V) defect can also cause an ES-V.
FC-L Line Failure Count (FC-L) is a count of the number of near-end line
failure events. A failure event begins when an AIS Line (AIS-L) failure is
declared or when a lower-layer, traffic-related, near-end failure is
declared. This failure event ends when the failure is cleared. A failure
event that begins in one period and ends in another period is counted only
in the period where it begins.
FC-P Near-End STS Path Failure Counts (FC-P) is a count of the number of
near-end STS path failure events. A failure event begins when an AIS-P
failure, an LOP-P failure, a UNEQ-P failure, or a Section Trace Identifier
Mismatch Path (TIM-P) failure is declared. A failure event also begins if
the STS PTE that is monitoring the path supports Three-Bit (Enhanced)
Remote Failure Indication Path Connectivity (ERFI-P-CONN) for that
path. The failure event ends when these failures are cleared.
FC-PFE Far-End STS Path Failure Counts (FC-PFE) is a count of the number of
near-end STS path failure events. A failure event begins when an AIS-P
failure, an LOP-P failure, a UNEQ-P failure, or a TIM-P failure is
declared. A failure event also begins if the STS PTE that is monitoring the
path supports ERFI-P-CONN for that path. The failure event ends when
these failures are cleared.
FC-PM Path Monitoring Failure Counts (FC-PM) indicates the failure counts
recorded in the OTN path during the PM time interval.
FC-SM Section Monitoring Failure Counts (FC-SM) indicates the failure counts
recorded in the OTN section during the PM time interval.
IOS Idle Ordered Sets (IOS) is a count of received packets containing idle
ordered sets.
IPC Invalid Packets (IPC) is the count of received packets that contain errored
data code groups that have start and end delimiters.
LBCL-MIN Laser Bias Current Line—Minimum (LBCL-MIN) is the minimum
percentage of laser bias current.
LBCL-AVG Laser Bias Current Line—Average (LBCL-AVG) is the average
percentage of laser bias current.
LBCL-MAX Laser Bias Current Line—Maximum (LBCL-MAX) is the maximum
percentage of laser bias current.
LOFC Loss of Frame Count (LOFC)
LOSS-L Line Loss of Signal (LOSS-L) is a count of one-second intervals
containing one or more LOS defects.
NIOS Non-Idle Ordered Sets (NIOS) is a count of received packets containing
non-idle ordered sets.
NPJC-PDET Negative Pointer Justification Count, STS Detected (NPJC-PDET),
formerly Pointer Justification Negative (PJNEG)
NPJC-PDET-P Negative Pointer Justification Count, STS Path Detected (NPJC-PDET-P)
is a count of the negative pointer justifications detected on a particular
path in an incoming SONET signal.
NPJC-PGEN-P Negative Pointer Justification Count, STS Path Generated
(NPJC-PGEN-P) is a count of the negative pointer justifications generated
for a particular path to reconcile the frequency of the SPE with the local
clock.
OPR Optical Power Received (OPR) is the measure of average optical power
received as a percentage of the nominal OPR.
OPR-AVG Average Receive Optical Power (dBm)
OPR-MAX Maximum Receive Optical Power (dBm)
OPR-MIN Minimum Receive Optical Power (dBm)
OPT Optical Power Transmitted (OPT) is the measure of average optical power
transmitted as a percentage of the nominal OPT.
OPT-AVG Average Transmit Optical Power (dBm)
OPT-MAX Maximum Transmit Optical Power (dBm)
OPT-MIN Minimum Transmit Optical Power (dBm)
OPWR-AVG Optical Power - Average (OPWR-AVG) is the measure of average optical
power on the unidirectional port.
OPWR-MAX Optical Power - Maximum (OPWR-MAX) is the measure of maximum
value of optical power on the unidirectional port.
OPWR-MIN Optical Power - Minimum (OPWR-MIN) is the measure of minimum
value of optical power on the unidirectional port.
PJCDIFF-P Pointer Justification Count Difference, STS Path (PJCDIFF-P) is the
absolute value of the difference between the total number of detected
pointer justification counts and the total number of generated pointer
justification counts. That is, PJCDiff-P is equal to (PPJC-PGEN-P –
NPJC-PGEN-P) – (PPJC-PDET-P – NPJC-PDET-P).
PPJC-PDET Positive Pointer Justification Count, STS Detected (PPJC-PDET), formerly
Pointer Justification Positive (PJPOS).
PPJC-PDET-P Positive Pointer Justification Count, STS Path Detected (PPJC-PDET-P)
is a count of the positive pointer justifications detected on a particular path
in an incoming SONET signal.
PPJC-PGEN-P Positive Pointer Justification Count, STS Path Generated (PPJC-PGEN-P)
is a count of the positive pointer justifications generated for a particular
path to reconcile the frequency of the SPE with the local clock.
PJCS-PDET-P Pointer Justification Count Seconds, STS Path Detect (PJCS-PDET-P)
is a count of the one-second intervals containing one or more PPJC-PDET
or NPJC-PDET.
PJCS-PGEN-P Pointer Justification Count Seconds, STS Path Generate (PJCS-PGEN-P)
is a count of the one-second intervals containing one or more PPJC-PGEN
or NPJC-PGEN.
PSC In a 1 + 1 protection scheme for a working card, Protection Switching
Count (PSC) is a count of the number of times service switches from a
working card to a protection card plus the number of times service
switches back to the working card.
For a protection card, PSC is a count of the number of times service
switches to a working card from a protection card plus the number of
times service switches back to the protection card. The PSC PM parameter
is only applicable if revertive line-level protection switching is used.
PSC-R In a four-fiber bidirectional line switched ring (BLSR), Protection
Switching Count-Ring (PSC-R) is a count of the number of times service
switches from a working line to a protection line plus the number of times
it switches back to a working line. A count is only incremented if ring
switching is used.
PSC-S In a four-fiber BLSR, Protection Switching Count-Span (PSC-S) is a
count of the number of times service switches from a working line to a
protection line plus the number of times it switches back to the working
line. A count is only incremented if span switching is used.
PSC-W For a working line in a two-fiber BLSR, Protection Switching
Count-Working (PSC-W) is a count of the number of times traffic
switches away from the working capacity in the failed line and back to the
working capacity after the failure is cleared. PSC-W increments on the
failed working line and PSC increments on the active protect line.
For a working line in a four-fiber BLSR, PSC-W is a count of the number
of times service switches from a working line to a protection line plus the
number of times it switches back to the working line. PSC-W increments
on the failed line and PSC-R or PSC-S increments on the active protect
line.
PSD Protection Switching Duration (PSD) applies to the length of time, in
seconds, that service is carried on another line. For a working line, PSD
is a count of the number of seconds that service was carried on the
protection line.
For the protection line, PSD is a count of the seconds that the line was
used to carry service. The PSD PM is only applicable if revertive
line-level protection switching is used.
PSD-R In a four-fiber BLSR, Protection Switching Duration-Ring (PSD-R) is a
count of the seconds that the protection line was used to carry service. A
count is only incremented if ring switching is used.
PSD-S In a four-fiber BLSR, Protection Switching Duration-Span (PSD-S) is a
count of the seconds that the protection line was used to carry service. A
count is only incremented if span switching is used.
SASCP-P SEF/AIS Seconds CP-bit Path (SASCP-P) is a count of one-second
intervals containing one or more SEFs or one or more AIS defects on the
path.
SASP SEF/AIS Seconds (SASP) is a count of one-second intervals containing
one or more SEFs or one or more AIS defects on the path.
SASP-P SEF/AIS Seconds Path (SASP-P) is a count of one-second intervals
containing one or more SEFs or one or more AIS defects on the path.
SEF-S Severely Errored Framing Seconds (SEF-S, also written SEFS-S) is a count
of the seconds when an SEF defect was present. An SEF defect is expected
to be present during most seconds when an LOS or loss of frame (LOF)
defect is present. However, there can be situations when the SEF-S
parameter is only incremented based on the presence of the SEF defect.
Note The RTRV-PM- command does not retrieve the SEF-S
counter for OC192/STM64 payloads on ADM-10G and OTU2-XP
cards.
SESCP-P Severely Errored Seconds CP-bit Path (SESCP-P) is a count of seconds
containing more than 44 CP-bit parity errors, one or more SEF defects, or
one or more AIS defects.
SESCP-PFE Far-End Severely Errored Seconds CP-bit Path (SESCP-PFE) is a count
of one-second intervals containing one or more far-end SEF/AIS defects, or
more than 44 M-frames with the three FEBE bits not all collectively set
to 1.
SES-L Line Severely Errored Seconds (SES-L) is a count of the seconds
containing more than a particular quantity of anomalies (BPV + EXZ >
44) and/or defects on the line.
SES-P Near-End STS Path Severely Errored Seconds (SES-P) is a count of the
seconds when K (2400) or more STS path BIP errors were detected. An
AIS-P defect (or a lower-layer, traffic-related, near-end defect) or an
LOP-P defect can also cause an SES-P.
SES-PFE Far-End STS Path Severely Errored Seconds (SES-PFE) is a count of the
seconds when K (2400) or more STS path BIP errors were detected. An
AIS-P defect (or a lower-layer, traffic-related, far-end defect) or an LOP-P
defect can also cause an SES-PFE.
SES-PM Path Monitoring Severely Errored Seconds (SES-PM) indicates the
severely errored seconds recorded in the OTN path during the PM time
interval.
SESP-P Severely Errored Seconds Path (SESP-P) is a count of seconds containing
more than 44 P-bit parity violations, one or more SEF defects, or one or
more AIS defects.
SES-S Section Severely Errored Seconds (SES-S) is a count of the seconds when
K (see Telcordia GR-253 for value) or more section-layer BIP errors were
detected or an SEF or LOS defect was present.
SES-SM Section Monitoring Severely Errored Seconds (SES-SM) indicates the
severely errored seconds recorded in the OTN section during the PM time
interval.
SESR-PM Path Monitoring Severely Errored Seconds Ratio (SESR-PM) indicates
the severely errored seconds ratio recorded in the OTN path during the PM
time interval.
SESR-SM Section Monitoring Severely Errored Seconds Ratio (SESR-SM)
indicates the severely errored seconds ratio recorded in the OTN section
during the PM time interval.
SES-V Severely Errored Seconds VT Layer (SES-V) is a count of seconds when
K (600) or more VT Path BIP errors were detected. An AIS-V defect (or
a lower-layer, traffic-related, near-end defect) or an LOP-V defect can
also cause SES-V.
UAS-L Line Unavailable Seconds (UAS-L) is a count of the seconds when the line
is unavailable. A line becomes unavailable when ten consecutive seconds
occur that qualify as SES-Ls, and it continues to be unavailable until ten
consecutive seconds occur that do not qualify as SES-Ls.
UASCP-P Unavailable Seconds CP-bit Path (UASCP-P) is a count of one-second
intervals when the DS-3 path is unavailable. A DS-3 path becomes
unavailable when ten consecutive SESCP-Ps occur. The ten SESCP-Ps are
included in unavailable time. After the DS-3 path becomes unavailable, it
becomes available again when ten consecutive seconds with no SESCP-Ps
occur. The ten seconds with no SESCP-Ps are excluded from unavailable
time.
UASCP-PFE Far-End Unavailable Seconds CP-bit Path (UASCP-PFE) is a count of
one-second intervals when the DS-3 path is unavailable at the far end. A
DS-3 path becomes unavailable when ten consecutive far-end CP-bit SESs
occur. The ten CP-bit SESs are included in unavailable time. After the
DS-3 path becomes unavailable, it becomes available again when ten
consecutive seconds occur with no far-end CP-bit SESs. The ten seconds
with no CP-bit SESs are excluded from unavailable time.
UAS-P Near-End STS Path Unavailable Seconds (UAS-P) is a count of the
seconds when the STS path was unavailable. An STS path becomes
unavailable when ten consecutive seconds occur that qualify as SES-Ps,
and continues to be unavailable until ten consecutive seconds occur that
do not qualify as SES-Ps.
UAS-PFE Far-End STS Path Unavailable Seconds (UAS-PFE) is a count of the
seconds when the STS path was unavailable. An STS path becomes
unavailable when ten consecutive seconds occur that qualify as
SES-PFEs, and continues to be unavailable until ten consecutive seconds
occur that do not qualify as SES-PFEs.
UAS-PM Path Monitoring Unavailable Seconds (UAS-PM) indicates the
unavailable seconds recorded in the OTN path during the PM time
interval.
UASP-P Unavailable Seconds Path (UASP-P) is a count of one-second intervals
when the DS-3 path is unavailable. A DS-3 path becomes unavailable
when ten consecutive SESP-Ps occur. The ten SESP-Ps are included in
unavailable time. After the DS-3 path becomes unavailable, it becomes
available again when ten consecutive seconds with no SESP-Ps occur. The
ten seconds with no SESP-Ps are excluded from unavailable time.
UAS-SM Section Monitoring Unavailable Seconds (UAS-SM) indicates the
unavailable seconds recorded in the OTN section during the PM time
interval.
UAS-V Unavailable Seconds VT Layer (UAS-V) is a count of the seconds when
the VT path was unavailable. A VT path becomes unavailable when ten
consecutive seconds occur that qualify as SES-Vs, and it continues to be
unavailable until ten consecutive seconds occur that do not qualify as
SES-Vs.
UNC-WORDS Uncorrectable Words (UNC-WORDS) is the number of uncorrectable
words detected in the DWDM trunk line during the PM time interval.
VPC Valid Packets (VPC) is a count of received packets that contain
non-errored data code groups that have start and end delimiters.
15.5 Performance Monitoring for Electrical Cards
The following sections define PM parameters for the EC1-12, DS1/E1-56, DS1-14, DS1N-14, DS3-12,
DS3-12E, DS3N-12, DS3N-12E, DS3i-N-12, DS3XM-6, DS3XM-12, and DS3/EC1-48 cards.
15.5.1 EC1-12 Card Performance Monitoring Parameters
Figure 15-2 shows signal types that support near-end and far-end PMs. Figure 15-3 shows where
overhead bytes detected on the application specific integrated circuits (ASICs) produce PM parameters
for the EC1-12 card.
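Before the card-specific figures and tables, it is worth seeing the counting rules from Table 15-3 applied end to end. The SES definitions (SES-L, SES-P, SES-V) are a per-second threshold test, the UAS definitions (UAS-L, UAS-P, UAS-PFE, UAS-V, UASCP-P) share the ten-consecutive-second entry and exit rule, and the FC definitions count failure events by their onset. The Python below is an added example, not Cisco code and not part of this manual: it applies those rules offline to a per-second series of coding violations and defect flags. The series, the function names (count_pm, classify_second, failure_count) and the PmCounts structure are this example's own constructions; the K values and the ten-second window are the numbers stated in the definitions.

```python
"""ES/SES/UAS accounting as defined in Table 15-3 (added example, not Cisco code).

Inputs are constructed per-second series: a coding-violation (BIP) count and a
flag for whether a defect such as AIS-P or LOP-P was present in that second.
The thresholds and the ten-second rule are the ones stated in the SES-* and
UAS-* definitions; the function and field names are this example's own.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple

K_STS_PATH = 2400    # SES-P / SES-PFE: K or more STS path BIP errors
K_VT_PATH = 600      # SES-V: K or more VT path BIP errors
K_LINE_DS3 = 45      # SES-L: BPV + EXZ > 44, i.e. 45 or more
UAS_WINDOW = 10      # consecutive seconds that enter or leave unavailability


@dataclass
class PmCounts:
    cv: int = 0   # coding violations, accumulated only during available time
    es: int = 0   # errored seconds
    ses: int = 0  # severely errored seconds
    uas: int = 0  # unavailable seconds


def classify_second(cv: int, defect: bool, k: int) -> Tuple[bool, bool]:
    """Return (is_es, is_ses) for one second. A defect (AIS-P, LOP-P, ...)
    makes the second both ES and SES; otherwise ES needs one or more CVs and
    SES needs K or more."""
    is_ses = defect or cv >= k
    is_es = defect or cv >= 1
    return is_es, is_ses


def count_pm(cv_per_second: Sequence[int], defect_per_second: Sequence[bool],
             k: int) -> PmCounts:
    """Accumulate CV, ES, SES and UAS over a completed interval.

    Availability follows the UAS-L/UAS-P rule: the path becomes unavailable at
    the first of ten consecutive SES (those ten seconds count as UAS) and
    available again at the first of ten consecutive non-SES (those ten seconds
    are excluded from UAS). Because the rule looks ten seconds ahead, this
    offline version scans the whole interval; an NE applies it retroactively.
    CV, ES and SES are not accumulated while the path is unavailable. A run
    shorter than ten seconds at the end of the interval does not change state
    here (the NE decides once the next seconds arrive)."""
    if len(cv_per_second) != len(defect_per_second):
        raise ValueError("cv and defect series must have the same length")
    flags = [classify_second(cv, d, k)
             for cv, d in zip(cv_per_second, defect_per_second)]
    ses_flags = [is_ses for _, is_ses in flags]
    counts = PmCounts()
    unavailable = False
    i = 0
    while i < len(flags):
        window = ses_flags[i:i + UAS_WINDOW]
        full_window = len(window) == UAS_WINDOW
        if not unavailable:
            if full_window and all(window):
                unavailable = True      # entry: reprocess this second as UAS
                continue
            is_es, is_ses = flags[i]
            counts.cv += cv_per_second[i]
            counts.es += int(is_es)
            counts.ses += int(is_ses)
        else:
            if full_window and not any(window):
                unavailable = False     # exit: reprocess this second as available
                continue
            counts.uas += 1
        i += 1
    return counts


def failure_count(failure_present: Sequence[bool]) -> int:
    """FC-P style count: one failure event per transition from 'no failure
    declared' to 'failure declared' (AIS-P, LOP-P, UNEQ-P or TIM-P). The event
    ends when the failure clears; a new event starts only at the next onset."""
    events = 0
    previous = False
    for present in failure_present:
        if present and not previous:
            events += 1
        previous = present
    return events


if __name__ == "__main__":
    # Constructed 30-second series: one lightly errored second, then a
    # twelve-second outage (3000 BIP errors per second, above K=2400),
    # then a clean tail long enough to leave unavailability.
    cv = [0, 0, 0, 5] + [3000] * 12 + [0] * 14
    defects = [False] * 30
    print(count_pm(cv, defects, K_STS_PATH))   # PmCounts(cv=5, es=1, ses=0, uas=12)
    print(failure_count([False, True, True, False, True, False]))  # 2
```

Two details of the rule are visible in the result: the 3000-CV seconds inside the outage add nothing to CV, ES or SES because they fall in unavailable time, and a burst of fewer than ten SES never enters unavailability, so it shows up as ES and SES rather than UAS. The same function serves the line and VT layers by passing K_LINE_DS3 or K_VT_PATH.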
Figure 15-2 Monitored Signal Types for the EC1-12 Card
(Figure 15-2 image: PTE, EC1 signal, ONS 15454 with EC1 card and OC48 port, fiber, ONS 15454 with OC48 port and EC1 card, EC1 signal, PTE. EC1 Path (EC1 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)
Note The XX in Figure 15-2 represents all PMs listed in Table 15-4 with the given prefix and/or suffix.
Figure 15-3 PM Read Points on the EC1-12 Card
(Figure 15-3 image: EC1 card signal path Tx/Rx, LIU, Framer, BTC, then XC card(s) and OC-N; PM read points are the LIU and the Framer. EC1-side section and line PMs: CV-S, ES-S, SES-S, SEFS-S, CV-L, SES-L, ES-L, UAS-L, FC-L. Pointer justification PMs: PPJC-Pdet, NPJC-Pdet, PPJC-Pgen, NPJC-Pgen. SONET-side STS path PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-4 lists the PM parameters for the EC1-12 cards.
Table 15-4 EC1-12 Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, PJCDIFF-P
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Note If the CV-L count (NE or FE) falls in the range 51 to 61 for EC1, the SES-L and UAS-L values might
show a discrepancy; ES-L is still accurate. For a few seconds in a given 10-second interval the CV-L
count might not cross the CV threshold for SES-L (a system/application limitation for that range), so
there might not be 10 consecutive SES-Ls, and UAS-L is not observed.
15.5.2 DS1/E1-56 Card Performance Monitoring Parameters
Figure 15-4 shows signal types that support near-end and far-end PMs.
Figure 15-4 Monitored Signal Types for the DS1/E1-56 Card
(Figure 15-4 image: the labels extracted for this figure duplicate those of Figure 15-2.)
Figure 15-5 shows where overhead bytes detected on the ASICs produce PM parameters for the
DS1/E1-56 card.
Figure 15-5 PM Read Points on the DS1/E1-56 Card
(Figure 15-5 image: ONS 15454 High Density DS-1/E1 card signal path Tx/Rx, LIU, Ultramapper ASIC, Stingray ASIC, then XC card(s) and OC-N. DS-1 line PMs: CV-L, ES-L, SES-L, LOSS-L, ES-L (far end). E1 line PMs: CV-L, ES-L, SES-L, LOSS-L. DS-1 path side PMs, read on the Ultramapper ASIC and LIU: ES-P, SAS-P, UAS-P, AISS-P, CSS-P, CV-P, ESA-P, ESB-P, FC-P, FC-PFE, ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE. Far-end DS-1 path PMs, received from the far end and present only in ESF framing mode: ES-PFE, SES-PFE, UAS-PFE, CSS-PFE, CV-PFE, ESA-PFE, ESB-PFE, SEFS-PFE, and BFDL ES, UAS, BES, SES, CSS, LOFC. E-1 path side PMs: AISS-P, ES-P, SES-P, UAS-P, EB-P, BBE-P, ESA-P, SESR-P, BBER-P.)
Table 15-5 lists the PM parameters for the DS1/E1-56 card.
Table 15-5 DS1/E1-56 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Line (FE): CV-L, ES-L, SES-L, LOSS-L
Rx Path (NE): AISS-P, CV-P, ES-P, SES-P, SAS-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
Tx Path (NE): AISS-P, CV-P, ES-P, SES-P, UAS-P, BBER-P, SESR-P, ESR-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Rx Path (FE): ES-PFE, ESA-PFE, ESB-PFE, CV-PFE, CSS-PFE, SEFS-PFE, SES-PFE, UAS-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Network Path: ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
BFDL (FE): CSS, ES, SES, BES, UAS, LOFC
15.5.3 DS1-14 and DS1N-14 Card Performance Monitoring Parameters
Figure 15-6 shows the signal types that support near-end and far-end PMs.
Figure 15-6 Monitored Signal Types for the DS1-14 and DS1N-14 Cards
Note The XX in Figure 15-6 represents all PMs listed in Table 15-6 with the given prefix and/or suffix.
Figure 15-7 shows where overhead bytes detected on the ASICs produce PM parameters for the DS1-14
and DS1N-14 cards.
(Figure 15-6 image: PTE and CSU, DS1 signal, ONS 15454 with DS1 card and OC-N port, fiber, ONS 15454 with OC-N port and DS1 card, DS1 signal, CSU and PTE; FDL PRMs are exchanged between the CSUs. DS1 Path (DS1 XX), DS1 FDL (DS1 XX), VT Path (XX-V) and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-7 PM Read Points on the DS1-14 and DS1N-14 Cards
Table 15-6 describes the PM parameters for the DS1-14 and DS1N-14 cards.
Note Far-end DS1 performance monitoring values are valid only when the DS1 line is set to extended super
frame (ESF).
(Figure 15-7 image: DS1 and DS1N card signal path Tx/Rx, LIU, Framer, BTC, then XC card(s) and OC-N; PM read points are the LIU and the Framer. DS1-side PMs: DS1 CV-L, ES-L, SES-L, LOSS-L; DS1 Rx AISS-P, CV-P, ES-P, SAS-P, SES-P, UAS-P; DS1 Tx AISS-P, CV-P, ES-P, SAS-P, SES-P, UAS-P. SONET-side PMs: VT level CV-V, ES-V, SES-V, UAS-V; path level STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-6 DS1-14 and DS1N-14 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Line (FE): CV-L, ES-L
Rx Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P, SES-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
Tx Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P, SES-P, UAS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V, FC-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Rx Path (FE): ES-PFE, ESA-PFE, ESB-PFE, CV-PFE, CSS-PFE, SEFS-PFE, SES-PFE, UAS-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE, FC-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
15.5.3.1 DS-1 Facility Data Link Performance Monitoring
Facility Data Link (FDL) performance monitoring enables an ONS 15454 DS1N-14 card to calculate and
report DS-1 error rate performance measured at both the near-end and far-end of the FDL. The far-end
information is reported as received on the FDL in a performance report message (PRM) from an
intelligent channel service unit (CSU).
To monitor DS-1 FDL PM values, the DS-1 must be set to use ESF format and the FDL must be
connected to an intelligent CSU. For procedures for provisioning ESF on the DS1N-14 card, refer to the
Cisco ONS 15454 Procedure Guide.
The monitored DS-1 FDL PM parameters are CV-PFE, ES-PFE, ESA-PFE, ESB-PFE, SES-PFE,
SEFS-PFE, CSS-PFE, UAS-PFE, FC-PFE, and ES-LFE. See Table 15-3 on page 15-5 for detailed
information and definitions of specific FDL DS1 PM parameters.
15.5.4 DS3-12 and DS3N-12 Card Performance Monitoring Parameters
Figure 15-8 shows the signal types that support near-end and far-end PMs. Figure 15-9 shows where
overhead bytes detected on the ASICs produce PM parameters for the DS3-12 and DS3N-12 cards.
Figure 15-8 Monitored Signal Types for the DS3-12 and DS3N-12 Cards
Note The XX in Figure 15-8 represents all PMs listed in Table 15-7 with the given prefix and/or suffix.
(Figure 15-8 image: PTE, DS3 signal, ONS 15454 with DS3 card and OC-N port, fiber, ONS 15454 with OC-N port and DS3 card, DS3 signal, PTE. DS3 Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-9 PM Read Points on the DS3-12 and DS3N-12 Cards
The PM parameters for the DS3-12 and DS3N-12 cards are described in Table 15-7.
(Figure 15-9 image: DS3 and DS3N card signal path LIU, Mux/Demux ASIC, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mux/Demux ASIC. DS3-side line PMs: DS3 CV-L, ES-L, SES-L, LOSS-L. SONET-side path-level PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-7 DS3-12 and DS3N-12 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
15.5.5 DS3-12E and DS3N-12E Card Performance Monitoring Parameters
Figure 15-10 shows the signal types that support near-end and far-end PMs.
Figure 15-10 Monitored Signal Types for the DS3-12E and DS3N-12E Cards
Note The XX in Figure 15-10 represents all PMs listed in Table 15-8 with the given prefix and/or suffix.
Figure 15-11 shows where overhead bytes detected on the ASICs produce PM parameters for the
DS3-12E and DS3N-12E cards.
Figure 15-11 PM Read Points on the DS3-12E and DS3N-12E Cards
Table 15-8 describes the PM parameters for the DS3-12E and DS3N-12E cards.
(Figure 15-10 image: PTE, DS3 signal, ONS 15454 with DS3E card and OC-N port, fiber, ONS 15454 with OC-N port and DS3E card, DS3 signal, PTE. DS3E Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)
(Figure 15-11 image: DS3-12E and DS3N-12E card signal path LIU, Mux/Demux ASIC, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mux/Demux ASIC. DS3-side PMs: DS3 CV-L, ES-L, SES-L, LOSS-L; DS3 AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P; DS3 CVCP-P, ESCP-P, SESCP-P, UASCP-P; DS3 CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE. SONET-side path-level PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-8 DS3-12E and DS3N-12E Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Path (NE): AISS-P, CV-P, ES-P, SAS-P (2), SES-P, UAS-P, CVCP-P, ESCP-P, SASCP-P (3), SESCP-P, UASCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Path (FE) (1): CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
1. The C-bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-bit.
2. DS3(N)-12E cards support SAS-P only on the receive (Rx) path.
3. The SASCP parameter is also displayed as "undefined" for the near-end parameter, although it is a far-end parameter.
15.5.6 DS3i-N-12 Card Performance Monitoring Parameters
Figure 15-12 shows the signal types that support near-end and far-end PMs.
Figure 15-12 Monitored Signal Types for the DS3i-N-12 Cards
Note The XX in Figure 15-12 represents all PMs listed in Table 15-9 with the given prefix and/or suffix.
Figure 15-13 shows where overhead bytes detected on the ASICs produce PM parameters for the
DS3i-N-12 cards.
(Figure 15-12 image: PTE, DS3 signal, ONS 15454 with DS3i-N-12 card and OC-N port, fiber, ONS 15454 with OC-N port and DS3i-N-12 card, DS3 signal, PTE. DS3i Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-13 PM Read Points on the DS3i-N-12 Cards
Table 15-9 describes the PM parameters for the DS3i-N-12 card.
(Figure 15-13 image: DS3i-N-12 card signal path LIU, Mux/Demux ASIC, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mux/Demux ASIC. DS3-side PMs: DS3 CV-L, ES-L, SES-L, LOSS-L; DS3 AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P; DS3 CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P; DS3 CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE. SONET-side path-level PMs: CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-9 DS3i-N-12 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Path (NE): AISS-P, CVP-P, ESP-P, SASP-P (2), SESP-P, UASP-P, CVCP-P, ESCP-P, SASCP-P (3), SESCP-P, UASCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Path (FE) (1): CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
1. The C-bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-bit.
2. DS3i-N-12 cards support SAS-P only on the Rx path.
3. The SASCP parameter is also displayed as "undefined" for the near-end parameter, although it is a far-end parameter.
15.5.7 DS3XM-6 Card Performance Monitoring Parameters
Figure 15-14 shows the signal types that support near-end and far-end PMs.
Figure 15-14 Monitored Signal Types for the DS3XM-6 Card
Note The XX in Figure 15-14 represents all PMs listed in Table 15-10 with the given prefix and/or suffix.
Figure 15-15 shows where the overhead bytes detected on the ASICs produce PM parameters for the
DS3XM-6 card.
(Figure 15-14 image: PTE, muxed DS3 signal, ONS 15454 with DS3XM card and OC-N port, fiber, ONS 15454 with OC-N port and DS3XM card, muxed DS3 signal, PTE. DS1 Path (DS1 XX), DS3 Path (DS3 XX), VT Path (XX-V) and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-15 PM Read Points on the DS3XM-6 Card
Table 15-10 lists the PM parameters for the DS3XM-6 cards.
(Figure 15-15 image: DS3XM-6 card signal path LIU, Mapper Unit, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated. DS3 PMs: DS3 CV-L, ES-L, SES-L, LOSS-L; DS3 AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P; DS3 CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P; DS3 CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE. DS1-side PMs: VT level CV-V, ES-V, SES-V, UAS-V; DS1 AISS-P, ES-P, SAS-P, SES-P, UAS-P. SONET-side path-level PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-10 DS3XM-6 Card PMs
DS3 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE) (1): AISS-P, CVP-P, ESP-P, SASP-P (3), SESP-P, UASP-P, ESCP-P, SASCP-P (4), SESCP-P, UASCP-P, CVCP-P
DS1 Path (NE): AISS-P, ES-P, SAS-P (3), SES-P, UAS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE) (1): CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Network Path (2): ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
1. The C-bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-bit.
2. Parameter received from the far-end direction only.
3. DS3XM-6 cards support SAS-P only on the Rx path.
4. The SASCP parameter is also displayed as "undefined" for the near-end parameter, although it is a far-end parameter.
15.5.8 DS3XM-12 Card Performance Monitoring Parameters
Figure 15-16 shows the signal types that support near-end and far-end PMs.
Figure 15-16 Monitored Signal Types for the DS3XM-12 Card
Note The XX in Figure 15-16 represents all PMs listed in Table 15-11 with the given prefix and/or suffix.
Figure 15-17 shows where the overhead bytes detected on the ASICs produce PM parameters for the
DS3XM-12 card.
(Figure 15-16 image: PTE, muxed DS3 signal, ONS 15454 with DS3XM card and OC-N port, fiber, ONS 15454 with OC-N port and DS3XM card, muxed DS3 signal, PTE. DS1 Path (DS1 XX), DS3 Path (DS3 XX), VT Path (XX-V) and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-17 PM Read Points on the DS3XM-12 Card
Table 15-11 lists the PM parameters for the DS3XM-12 cards.
(Figure 15-17 image: DS3XM-12 card signal path LIU, Mapper Unit, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated. DS3 PMs: DS3 CV-L, ES-L, SES-L, LOSS-L; DS3 AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P; DS3 CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P; DS3 CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE. DS1-side PMs: VT level CV-V, ES-V, SES-V, UAS-V; DS1 AISS-P, ES-P, SAS-P, SES-P, UAS-P. SONET-side path-level PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-11 DS3XM-12 Card PMs
DS3 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE) (1): AISS-P, CV-P, ES-P, SAS-P (3), SES-P, UAS-P, ESCP-P, SESCP-P, UASCP-P, CVCP-P
DS1 Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P (3), SES-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE) (1): CVCP-PFE, ESCP-PFE, SASCP-PFE (4), SESCP-PFE, UASCP-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
BFDL (FE): CSS, ES, SES, BES, UAS, LOFC
Network Path (2): ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
1. The C-bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-bit.
2. Parameter received from the far-end direction only.
3. DS3XM-12 cards support SAS-P only on the Rx path.
4. The SASCP parameter is also displayed as "undefined" for the near-end parameter, although it is a far-end parameter.
15.5.9 DS3/EC1-48 Card Performance Monitoring Parameters
Figure 15-18 shows the signal types that support near-end and far-end PMs.
Figure 15-18 Monitored Signal Types for the DS3/EC1-48 Card
Note The XX in Figure 15-18 represents all PMs listed in Table 15-12 with the given prefix and/or suffix.
Figure 15-19 shows where the overhead bytes detected on the ASICs produce PM parameters for the
DS3/EC1-48 card.
(Figure 15-18 image: PTE, DS3 signal, ONS 15454 with DS3 card and OC-N port, fiber, ONS 15454 with OC-N port and DS3 card, DS3 signal, PTE. DS3 Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)
Figure 15-19 PM Read Points on the DS3/EC1-48 Card
Table 15-12 lists the PM parameters for the DS3/EC1-48 cards.
(Figure 15-19 image: DS3/EC1-48 card signal path LIU, Mapper Unit, BTC ASIC, then XC card(s) and OC-N; PM read points are the LIU and the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated. DS3 PMs: DS3 CV-L, ES-L, SES-L, LOSS-L; DS3 AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P; DS3 CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P; DS3 CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE. SONET-side path-level PMs: STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE.)
Table 15-12 DS3/EC1-48 Card PMs
DS3/EC1 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE)(1): AISS-P, CVP-P, ESP-P, SASP-P(2), SESP-P, UASP-P, ESCP-P, SASCP-P(3), SESCP-P, UASCP-P, CVCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE)(1): CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
1. The C-Bit PMs (PMs that contain the text “CP-P”) are applicable only if the line format is C-Bit.
2. DS3/EC1-48 cards support SAS-P only on the Rx path.
3. The SASCP parameter is also displayed as “undefined” for near-end parameter though it is a far-end parameter.
Note If the CV-L (NE and FE) value falls in the range 51 to 61 for DS3, the SES and UAS-L values might show a
discrepancy, while ES-L remains accurate to the nearest count. For a few seconds in a given 10-second
interval, the number of CV-L counted might not cross the CV count criterion for SES (because of a
system/application limitation in the range given above); as a consequence there might not be 10
consecutive SES, so UAS is not observed.
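The note above turns on two rules: a second becomes an SES only when its CV count reaches the SES criterion, and UAS is declared only after 10 consecutive SES. The following is an added example, not ONS 15454 firmware or CTC code, that classifies a constructed per-second CV-L series under those rules so the effect of a few seconds falling short of the criterion can be seen. The criterion value of 44 CV per second and the 10-second entry and exit rule are assumptions for the demonstration, taken from the common PM definition; the card's own criterion is not stated on this page.

```python
"""Classify per-second DS3 line error counts into ES, SES and UAS.

Added example, not ONS 15454 firmware or CTC code.  Rules used (assumed,
following the usual PM definition): an ES is a second with at least one CV,
an SES is a second whose CV count reaches the SES criterion, and UAS begins
with 10 consecutive SES (those 10 seconds are reclassified as UAS) and ends
with 10 consecutive non-SES seconds.  The criterion value below is an
assumed demonstration value; the page does not give the card's own.
"""
from collections import Counter

SES_CRITERION_CV_L = 44   # assumed demonstration threshold, CV per second
UAS_RUN = 10              # consecutive SES that declare, or non-SES that clear, unavailability


def classify_seconds(cv_per_second, ses_criterion=SES_CRITERION_CV_L, run=UAS_RUN):
    """Return one label per second: 'OK', 'ES', 'SES' or 'UAS'."""
    n = len(cv_per_second)
    is_ses = [cv >= ses_criterion for cv in cv_per_second]
    labels = ["SES" if s else ("ES" if cv > 0 else "OK")
              for cv, s in zip(cv_per_second, is_ses)]
    unavailable = False
    i = 0
    while i < n:
        window = is_ses[i:i + run]
        if not unavailable:
            if len(window) == run and all(window):
                # Onset: the 10 SES that triggered unavailability become UAS.
                labels[i:i + run] = ["UAS"] * run
                unavailable = True
                i += run
            else:
                i += 1
        else:
            if len(window) == run and not any(window):
                # Exit: these 10 non-SES seconds keep their OK/ES labels.
                unavailable = False
                i += run
            else:
                labels[i] = "UAS"
                i += 1
    return labels


def count_pms(labels):
    """ES counts every errored available second, SES seconds included."""
    c = Counter(labels)
    return {"ES": c["ES"] + c["SES"], "SES": c["SES"], "UAS": c["UAS"]}


# Constructed samples (not captured from a card).
STEADY_CV = [60] * 12                                           # every second above the criterion
FLAPPING_CV = [60, 40, 60, 40, 60, 60, 40, 60, 60, 40, 60, 60]  # some seconds fall just short
RECOVERING_CV = [0, 0, 0] + [60] * 12 + [0] * 10                # burst, then a clean run

if __name__ == "__main__":
    for name, series in (("steady", STEADY_CV), ("flapping", FLAPPING_CV),
                         ("recovering", RECOVERING_CV)):
        print(name, count_pms(classify_seconds(series)))
```

The steady series yields 12 UAS and no SES, because the 10 seconds that declared unavailability are reclassified; the flapping series, where the counted CV dips below the criterion on a few seconds, never reaches 10 consecutive SES and so reports ES and SES but no UAS, which is the discrepancy the note describes.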
15.6 Performance Monitoring for Ethernet Cards
The following sections define PM parameters and definitions for the ONS 15454 E-Series, G-Series,
ML-Series, and CE-Series Ethernet cards.
15.6.1 E-Series Ethernet Card Performance Monitoring Parameters
CTC provides Ethernet performance information, including line-level parameters, port bandwidth
consumption, and historical Ethernet statistics. The E-Series Ethernet performance information is
divided into the Statistics, Utilization, and History tabbed windows within the card view Performance
tab window.
15.6.1.1 E-Series Ethernet Statistics Window
The Ethernet Statistics window lists Ethernet parameters at the line level. The Statistics window provides
buttons to change the statistical values shown. The Baseline button resets the displayed statistics values
to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which
automatic refresh occurs.
Table 15-13 defines the E-Series Ethernet card statistics parameters.
Table 15-13 E-Series Ethernet Statistics Parameters
Parameter: Definition
Link Status: Indicates whether link integrity is present; up means present, and down means not present.
ifInOctets: Number of bytes received since the last counter reset.
ifInUcastPkts: Number of unicast packets received since the last counter reset.
ifInErrors: The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol.
ifOutOctets: Number of bytes transmitted since the last counter reset.
ifOutUcastPkts: Number of unicast packets transmitted.
dot3StatsAlignmentErrors: A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check.
dot3StatsFCSErrors: A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
dot3StatsFrameTooLong: A count of frames received on a particular interface that exceed the maximum permitted frame size.
etherStatsUndersizePkts: The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
etherStatsFragments: The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). Note: It is entirely normal for etherStatsFragments to increment, because it counts both runts (which are normal occurrences due to collisions) and noise hits.
etherStatsPkts64Octets: The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts65to127Octets: The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts128to255Octets: The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts256to511Octets: The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets: The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets: The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsOversizePkts: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes.
etherStatsJabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsOctets: The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
etherStatsCRCAlignErrors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
15.6.1.2 E-Series Ethernet Utilization Window
The Utilization window shows the percentage of transmit (Tx) and receive (Rx) line bandwidth used by
the Ethernet ports during consecutive time segments. The Mode field displays the real-time mode status,
such as 100 Full, which is the mode setting configured on the E-Series port. However, if the E-Series
port is set to autonegotiate the mode (Auto), this field shows the result of the link negotiation between
the E-Series and the peer Ethernet device attached directly to the E-Series port.
The Utilization window provides an Interval drop-down list that enables you to set time intervals of
1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:
Rx (%) = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100
Tx (%) = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction
for the Ethernet port (that is, 1 Gbps). The maxBaseRate for E-Series Ethernet cards is shown in
Table 15-14.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
Note The E-Series Ethernet card is a Layer 2 device or switch and supports Trunk Utilization statistics. The
Trunk Utilization statistics are similar to the Line Utilization statistics, but show the percentage of
circuit bandwidth used rather than the percentage of line bandwidth used. The Trunk Utilization statistics
are accessed through the card view Maintenance tab.
15.6.1.3 E-Series Ethernet History Window
The Ethernet History window lists past Ethernet statistics for the previous time intervals. Depending on
the selected time interval, the History window displays the statistics for each port for the number of
previous time intervals as shown in Table 15-15. The parameters are defined in Table 15-13 on
page 15-29.
Table 15-14 maxBaseRate for STS Circuits
STS: maxBaseRate (bits per second)
STS-1: 51840000
STS-3c: 155000000
STS-6c: 311000000
STS-12c: 622000000
Table 15-15 Ethernet History Statistics per Time Interval
Time Interval: Number of Previous Intervals Displayed
1 minute: 60
15 minutes: 32
1 hour: 24
1 day (24 hours): 7
15.6.2 G-Series Ethernet Card Performance Monitoring Parameters
CTC provides Ethernet performance information, including line-level parameters, port bandwidth
consumption, and historical Ethernet statistics. The G-Series Ethernet performance information is
divided into the Statistics, Utilization, and History tabbed windows within the card view Performance
tab window.
15.6.2.1 G-Series Ethernet Statistics Window
The Ethernet Statistics window lists Ethernet parameters at the line level. The Statistics window provides
buttons to change the statistical values shown. The Baseline button resets the displayed statistics values
to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which
automatic refresh occurs. The G-Series Statistics window also has a Clear button. The Clear button sets
the values on the card to zero, but does not reset the G-Series card.
Table 15-16 defines the G-Series Ethernet card statistics parameters.
Table 15-16 G-Series Ethernet Statistics Parameters
Parameter: Definition
Time Last Cleared: A time stamp indicating the last time statistics were reset.
Link Status: Indicates whether the Ethernet link is receiving a valid Ethernet signal (carrier) from the attached Ethernet device; up means present, and down means not present.
Rx Packets: Number of packets received since the last counter reset.
Rx Bytes: Number of bytes received since the last counter reset.
Tx Packets: Number of packets transmitted since the last counter reset.
Tx Bytes: Number of bytes transmitted since the last counter reset.
Rx Total Errors: Total number of receive errors.
Rx FCS: Number of packets with an FCS error. FCS errors indicate frame corruption during transmission.
Rx Alignment: Number of packets with received incomplete frames.
Rx Runts: Number of undersized packets received with a bad CRC.
Rx Shorts: Number of undersized packets received with a good CRC.
Rx Jabbers: The total number of frames received that exceed the 1548-byte maximum and contain CRC errors.
Rx Giants: Number of packets received that are greater than 1530 bytes in length.
Rx Pause Frames: Number of received Ethernet IEEE 802.3z pause frames.
Tx Pause Frames: Number of transmitted IEEE 802.3z pause frames.
Rx Pkts Dropped Internal Congestion: Number of received packets dropped due to overflow in the G-Series frame buffer.
Tx Pkts Dropped Internal Congestion: Number of transmit queue drops due to drops in the G-Series frame buffer.
HDLC Errors: High-level data link control (HDLC) errors received from SONET/SDH (see Note).
Rx Unicast Packets: Number of unicast packets received since the last counter reset.
Tx Unicast Packets: Number of unicast packets transmitted.
Rx Multicast Packets: Number of multicast packets received since the last counter reset.
Tx Multicast Packets: Number of multicast packets transmitted.
Rx Broadcast Packets: Number of broadcast packets received since the last counter reset.
Tx Broadcast Packets: Number of broadcast packets transmitted.
Note Do not use the HDLC errors counter to count the number of frames dropped because of HDLC errors,
because each frame can fragment into several smaller frames during HDLC error conditions and spurious
HDLC frames can be generated. If HDLC error counters are incrementing when no SONET path
problems should be present, it might indicate a problem with the quality of the SONET path. For
example, a SONET protection switch generates a set of HDLC errors. However, the actual values of these
counters are less significant than the fact that they are changing.
15.6.2.2 G-Series Ethernet Utilization Window
The Utilization window shows the percentage of Tx and Rx line bandwidth used by the Ethernet ports
during consecutive time segments. The Mode field displays the real-time mode status, such as 100 Full,
which is the mode setting configured on the G-Series port. However, if the G-Series port is set to
autonegotiate the mode (Auto), this field shows the result of the link negotiation between the G-Series
and the peer Ethernet device attached directly to the G-Series port.
The Utilization window provides an Interval drop-down list that enables you to set time intervals of
1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:
Rx (%) = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100
Tx (%) = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction
for the Ethernet port (that is, 1 Gbps). The maxBaseRate for G-Series Ethernet cards is shown in
Table 15-14.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
Note Unlike the E-Series, the G-Series card does not have a display of Trunk Utilization statistics, because
the G-Series card is not a Layer 2 device or switch.
15.6.2.3 G-Series Ethernet History Window
The Ethernet History window lists past Ethernet statistics for the previous time intervals. Depending on
the selected time interval, the History window displays the statistics for each port for the number of
previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in
Table 15-16 on page 15-32.
15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters
CTC provides Ethernet performance information for line-level parameters and historical Ethernet
statistics. The ML-Series Ethernet performance information is divided into the Ether Ports,
Packet-over-SONET (POS) Ports, and RPR Span tabbed windows within the card view Performance tab
window. These tabs may vary depending on the card selected.
15.6.3.1 ML-Series Ether Ports Statistics Window
The Ethernet Ether Ports Statistics window lists Ethernet parameters at the line level. The Statistics
window provides buttons to change the statistical values shown. The Baseline button resets the displayed
statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time
interval at which automatic refresh occurs. The ML-Series Statistics window also has a Clear button. The
Clear button sets the values on the card to zero, but does not reset the ML-Series card.
During each automatic cycle, whether auto-refreshed or manually refreshed (using the Refresh button),
statistics are added cumulatively and are not immediately adjusted to equal total received packets until
testing ends. To see the final PM count totals, allow a few moments for the PM window statistics to finish
testing and update fully. PM counts are also listed in the ML-Series card Performance > History window.
Table 15-17 defines the ML-Series Ethernet card Ether Ports PM parameters.
Table 15-17 ML-Series Ether Ports PM Parameters
Parameter: Definition
ifInOctets: Number of bytes received since the last counter reset.
rxTotalPackets: Number of packets received.
ifInUcastPkts: Number of unicast packets received since the last counter reset.
ifInMulticastPkts: Number of multicast packets received since the last counter reset.
ifInBroadcastPkts: Number of broadcast packets received since the last counter reset.
ifInDiscards: The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
ifInErrors(1): The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol.
ifOutOctets: Number of bytes transmitted since the last counter reset.
txTotalPkts: Number of transmitted packets.
ifOutUcastPkts: Number of unicast packets transmitted.
ifOutMulticastPkts: Number of multicast packets transmitted.
ifOutBroadcastPkts: Number of broadcast packets transmitted.
dot3StatsAlignmentErrors: A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check.
dot3StatsFCSErrors: A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
dot3StatsSingleCollisionFrames(1): A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
dot3StatsFrameTooLong(1): A count of frames received on a particular interface that exceed the maximum permitted frame size.
etherStatsUndersizePkts: The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
etherStatsOversizePkts: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes.
etherStatsFragments(1): The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). Note: It is entirely normal for etherStatsFragments to increment, because it counts both runts (which are normal occurrences due to collisions) and noise hits.
etherStatsPkts64Octets(1): The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts65to127Octets(1): The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts128to255Octets(1): The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts256to511Octets(1): The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets(1): The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets(1): The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsBroadcastPkts(1): The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
etherStatsMulticastPkts(1): The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
etherStatsJabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsOctets(1): The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
etherStatsCollisions: Number of transmit packets that are collisions; the port and the attached device transmitting at the same time caused collisions.
etherStatsCRCAlignErrors(1): The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsDropEvents: Number of received frames dropped at the port level.
rxPauseFrames(2): Number of received Ethernet 802.3z pause frames.
mediaIndStatsOversizeDropped(2): Number of received oversized packets that are dropped.
mediaIndStatsTxFramesTooLong(2): Number of received frames that are too long. The maximum is the programmed max frame size (for virtual SAN [VSAN] support); if the maximum frame size is set to default, then the maximum is a 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
1. ML-MR-10 only
2. ML1000-2 only
15.6.3.2 ML-Series Card Ether Ports Utilization Window
The Ether Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the
Ethernet ports during consecutive time segments. The Utilization window provides an Interval
drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line
utilization is calculated with the following formulas:
Rx (%) = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100
Tx (%) = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction
for the Ethernet port (that is, 1 Gbps). The maxBaseRate for ML-Series Ethernet cards is shown in
Table 15-14.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
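The utilization formulas given for the E-Series (15.6.1.2), G-Series (15.6.2.2) and ML-Series (15.6.3.2) cards are the same computation. The following is an added example, not CTC or card code, that evaluates it with the Table 15-14 rates and the 1 Gbps port rate, and also takes the difference between two counter polls with wrap handling, which the manual's formula leaves to the reader. The snapshot dictionary shape, the Counter32 width, and all sample values are constructed for the example; reading the 20 octets per packet as preamble plus interframe gap is this example's interpretation, not the manual's.

```python
"""Line utilization as the ONS 15454 Ethernet cards report it.

Added example, not CTC code.  Evaluates
    Rx (%) = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100
with maxBaseRate taken from Table 15-14 or the 1 Gbps port rate.  The
20 octets per packet are what the formula adds; reading them as preamble
plus interframe gap is this example's interpretation, not the manual's.
"""

MAX_BASE_RATE_BPS = {           # Table 15-14 values, bits per second
    "STS-1": 51_840_000,
    "STS-3c": 155_000_000,
    "STS-6c": 311_000_000,
    "STS-12c": 622_000_000,
    "GE port": 1_000_000_000,   # the 1 Gbps port rate quoted in the text
}
PER_PACKET_OCTETS = 20


def utilization_percent(octets, pkts, interval_s, max_base_rate_bps):
    """Percentage of one direction's capacity used over interval_s seconds."""
    if interval_s <= 0 or max_base_rate_bps <= 0:
        raise ValueError("interval and maxBaseRate must be positive")
    bits = (octets + pkts * PER_PACKET_OCTETS) * 8
    return 100.0 * bits / (interval_s * max_base_rate_bps)


def counter_delta(previous, current, width=32):
    """Difference between two polls of a wrapping counter (Counter32 width assumed)."""
    return (current - previous) % (1 << width)


def interval_utilization(poll_start, poll_end, interval_s, rate_bps):
    """Rx and Tx utilization from two snapshots shaped like
    {"inOctets", "inPkts", "outOctets", "outPkts"} (a constructed shape)."""
    d = {k: counter_delta(poll_start[k], poll_end[k]) for k in poll_start}
    rx = utilization_percent(d["inOctets"], d["inPkts"], interval_s, rate_bps)
    tx = utilization_percent(d["outOctets"], d["outPkts"], interval_s, rate_bps)
    return rx, tx


# Constructed one-minute snapshots on an STS-1 circuit; inOctets wraps between polls.
POLL_A = {"inOctets": 2**32 - 100_000_000, "inPkts": 500_000,
          "outOctets": 10_000, "outPkts": 10}
POLL_B = {"inOctets": 74_400_000, "inPkts": 1_500_000,
          "outOctets": 10_000, "outPkts": 10}

if __name__ == "__main__":
    print(interval_utilization(POLL_A, POLL_B, 60, MAX_BASE_RATE_BPS["STS-1"]))
    # The same 105 MB in one second: 1,000,000 packets of 105 bytes fill a
    # 1 Gbps port exactly; 1,640,625 packets of 64 bytes would need more
    # than the port can carry, which is what the 20-octet term expresses.
    ge = MAX_BASE_RATE_BPS["GE port"]
    print(utilization_percent(105_000_000, 1_000_000, 1, ge),
          utilization_percent(105_000_000, 1_640_625, 1, ge))
```

A result above 100 percent from a one-second sample means the counters cannot have been taken one second apart at that rate; the per-packet term is what makes small-packet traffic cost more line capacity than its byte count suggests.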
15.6.3.3 ML-Series Card Ether Ports History Window
The Ethernet Ether Ports History window lists past Ethernet statistics for the previous time intervals.
Depending on the selected time interval, the History window displays the statistics for each port for the
number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are
defined in Table 15-17 on page 15-34.
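The RMON size and error buckets defined in Table 15-13 for the E-Series and repeated in Table 15-17 for the ML-Series partition every received frame by its length (framing bits excluded, FCS included) and its FCS result. The following classifier is an added example, not CTC or card code, that encodes those definitions so the counters a given frame increments can be read off directly; RxFrame and its three fields are this example's own model, the 1522-byte tagged maximum follows the note on etherStatsOversizePkts, and the sample frames are constructed, not captured.

```python
"""Which RMON and dot3 counters a received frame increments, per Table 15-13.

Added example; not CTC or card code.  Lengths follow the tables: they
exclude framing bits and include the FCS octets.  RxFrame is this example's
own model of the three facts the definitions depend on: length, FCS result,
and whether the frame is an integral number of octets.
"""
from collections import Counter
from dataclasses import dataclass

MIN_FRAME = 64
MAX_FRAME = 1518         # 1522 on tagged interfaces, per the etherStatsOversizePkts note
TAGGED_EXTRA = 4

SIZE_BUCKETS = (
    (64, 64, "etherStatsPkts64Octets"),
    (65, 127, "etherStatsPkts65to127Octets"),
    (128, 255, "etherStatsPkts128to255Octets"),
    (256, 511, "etherStatsPkts256to511Octets"),
    (512, 1023, "etherStatsPkts512to1023Octets"),
    (1024, 1518, "etherStatsPkts1024to1518Octets"),
)


@dataclass(frozen=True)
class RxFrame:
    octets: int      # length excluding framing bits, including FCS
    fcs_ok: bool     # FCS check passed
    integral: bool   # integral number of octets (False means alignment error)


def counters_for(frame, tagged=False):
    """Return the set of counter names that this received frame increments."""
    max_frame = MAX_FRAME + TAGGED_EXTRA if tagged else MAX_FRAME
    bad_fcs = not frame.fcs_ok
    hit = {"etherStatsOctets"}                   # every frame's octets, bad ones included
    if frame.octets < MIN_FRAME:
        hit.add("etherStatsFragments" if bad_fcs else "etherStatsUndersizePkts")
    elif frame.octets > max_frame:
        hit.add("etherStatsJabbers" if bad_fcs else "etherStatsOversizePkts")
        hit.add("dot3StatsFrameTooLong")
    else:
        hit.update(name for lo, hi, name in SIZE_BUCKETS if lo <= frame.octets <= hi)
        if bad_fcs and frame.octets <= MAX_FRAME:
            hit.add("etherStatsCRCAlignErrors")  # defined over 64..1518 only
    if bad_fcs:                                  # dot3 error counters apply at any length
        hit.add("dot3StatsFCSErrors" if frame.integral else "dot3StatsAlignmentErrors")
    return hit


def tally(frames, tagged=False):
    """Aggregate a stream of frames into the counter view the Statistics window shows."""
    totals = Counter()
    for f in frames:
        for name in counters_for(f, tagged):
            totals[name] += f.octets if name == "etherStatsOctets" else 1
    return totals


# Constructed sample stream (not a capture): a runt, a noise hit, a normal
# frame, a corrupted normal frame, an oversize frame and a jabber.
SAMPLE = [
    RxFrame(60, True, True),
    RxFrame(60, False, False),
    RxFrame(100, True, True),
    RxFrame(100, False, True),
    RxFrame(1520, True, True),
    RxFrame(1600, False, True),
]

if __name__ == "__main__":
    for name, value in sorted(tally(SAMPLE).items()):
        print(f"{name:32} {value}")
```

Running the sample untagged and tagged shows the one place the two tables differ by configuration: the 1520-octet frame counts as oversize and too long on an untagged port but as a plain frame on a tagged one, and since the largest size bucket stops at 1518 it then lands in no size bucket at all.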
15.6.3.4 ML-Series POS Ports Window
In the ML-Series POS Ports window, the parameters displayed depend on the framing mode employed
by the ML-Series card. The two framing modes for the POS port on the ML-Series card are HDLC and
frame-mapped generic framing procedure (GFP-F). For more information on provisioning a framing
mode, refer to Cisco ONS 15454 Procedure Guide.
Table 15-18 defines the ML-Series Ethernet card POS Ports HDLC parameters. Table 15-19 defines the
ML-Series Ethernet card POS Ports GFP-F parameters.
Table 15-18 ML-Series POS Ports Parameters for HDLC Mode
Parameter: Definition
ifInOctets: Number of bytes received since the last counter reset.
rxTotalPkts: Number of packets received.
ifOutOctets: Number of bytes transmitted since the last counter reset.
txTotalPkts: Number of transmitted packets.
etherStatsDropEvents: Number of received frames dropped at the port level.
rxPktsDroppedInternalCongestion: Number of received packets dropped due to overflow in the frame buffer.
mediaIndStatsRxFramesTruncated: Number of received frames with a length of 36 bytes or less.
mediaIndStatsRxFramesTooLong: Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
mediaIndStatsRxFramesBadCRC: Number of received frames with CRC errors.
mediaIndStatsRxShortPkts: Number of received packets that are too small.
hdlcInOctets: Number of bytes received (from the SONET/SDH path) before the bytes undergo HDLC decapsulation by the policy engine.
hdlcRxAborts: Number of received packets aborted on input.
hdlcOutOctets: Number of bytes transmitted (to the SONET/SDH path) after the bytes undergo HDLC encapsulation by the policy engine.
Table 15-19 ML-Series POS Ports Parameters for GFP-F Mode
Parameter: Meaning
etherStatsDropEvents: Number of received frames dropped at the port level.
rxPktsDroppedInternalCongestion: Number of received packets dropped due to overflow in the frame buffer.
gfpStatsRxFrame: Number of received GFP frames.
gfpStatsTxFrame: Number of transmitted GFP frames.
gfpStatsRxOctets: Number of GFP bytes received.
gfpStatsTxOctets: Number of GFP bytes transmitted.
gfpStatsRxSBitErrors: Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T receiver, these are correctable.
gfpStatsRxMBitErrors: Sum of all the multiple bit errors. In the GFP CORE HDR at the GFP-T receiver, these are uncorrectable.
gfpStatsRxTypeInvalid: Number of receive packets dropped due to Client Data Frame UPI errors.
gfpStatsRxCRCErrors: Number of packets received with a payload FCS error.
gfpStatsLFDRaised: Count of core HEC CRC multiple bit errors. Note: This count is only of eHec multiple bit errors when in frame. This can be looked at as a count of when the state machine goes out of frame.
gfpStatsCSFRaised: Number of GFP Client signal fail frames detected at the GFP-T receiver.
mediaIndStatsRxFramesTruncated: Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
mediaIndStatsRxFramesTooLong: Number of received frames with CRC errors.
mediaIndStatsRxShortPkts: Number of received packets that are too small.
15.6.3.5 ML-Series RPR Span Window
The parameters that appear in the ML-Series RPR Span window are the mandatory attributes of the
802.17 MIB. For more information on provisioning a framing mode, refer to Cisco ONS 15454
Procedure Guide.
Table 15-20 defines the ML-Series Ethernet card RPR Span parameters.
Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB
Parameter Meaning
gfpStatsRxSBitErrors Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T
receiver, these are correctable.
gfpStatsRxMBitErrors Sum of all the multiple bit errors. In the GFP CORE HDR at the
GFP-T receiver, these are uncorrectable.15-39
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 15 Performance Monitoring
15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters
gfpStatsRxTypeInvalid Number of receive packets dropped due to Client Data Frame UPI
errors.
rprSpanStatsInUcastClassC
Frames
Number of received (PHY to MAC) classC unicast frames.
rprSpanStatsInUcastClassC
Octets
Number of received (PHY to MAC) classC unicast octets.
rprSpanStatsInMcastClassC
Frames
Number of received (PHY to MAC) classC multicast and broadcast
frames.
rprSpanStatsInMcastClassC
Octets
Number of received (PHY to MAC) classC multicast and broadcast
octets.
rprSpanStatsInUcastClassB
EirFrames
Number of received (PHY to MAC) classB EIR unicast frames.
rprSpanStatsInUcastClassB
EirOctets
Number of received (PHY to MAC) classB EIR unicast octets.
rprSpanStatsInMcastClassB
EirFrames
Number of received (PHY to MAC) classB EIR multicast and
broadcast frames.
rprSpanStatsInMcastClassB
EirOctets
Number of received (PHY to MAC) classB EIR multicast and
broadcast octets.
rprSpanStatsInUcastClassB
CirFrames
Number of received (PHY to MAC) classB CIR unicast frames.
rprSpanStatsInUcastClassB
CirOctets
Number of received (PHY to MAC) classB CIR unicast octets.
rprSpanStatsInMcastClassB
CirFrames
Number of received (PHY to MAC) classB CIR multicast and
broadcast frames.
rprSpanStatsInMcastClassB
CirOctets
Number of received (PHY to MAC) classB CIR multicast and
broadcast octets.
rprSpanStatsInUcastClassA
Frames
Number of received (PHY to MAC) classA unicast frames.
rprSpanStatsInUcastClassA
Octets
Number of received (PHY to MAC) classA unicast octets.
rprSpanStatsInMcastClassA
Frames
Number of received (PHY to MAC) classA multicast and broadcast
frames.
rprSpanStatsInMcastClassA
Octets
Number of received (PHY to MAC) classA multicast and broadcast
octets.
rprSpanStatsInCtrlFrames Number of received (PHY to MAC) control frames processed by this
MAC. This does not include control frames in transit, i.e. a multicast
control frame received from a ringlet will be counted as In but not
Out. This does not include Fairness or idle frames.
rprSpanStatsInOamEcho
Frames
Number of received (PHY to MAC) OAM echo frames processed by
this MAC.
rprSpanStatsInOamFlush
Frames
Number of received (PHY to MAC) OAM flush frames processed by
this MAC.
Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued)
Parameter Meaning15-40
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 15 Performance Monitoring
15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters
rprSpanStatsInOamOrgFrames Number of received (PHY to MAC) OAM Org frames processed by this MAC.
rprSpanStatsInTopoAtdFrames Number of received (PHY to MAC) Topology ATD frames processed by this MAC.
rprSpanStatsInTopoChkSumFrames Number of received (PHY to MAC) topology checksum frames processed by this MAC.
rprSpanStatsInTopoTpFrames Number of received (PHY to MAC) topology TP frames processed by this MAC.
rprSpanStatsOutUcastClassCFrames Number of transmitted (MAC to PHY) classC unicast frames.
rprSpanStatsOutUcastClassCOctets Number of transmitted (MAC to PHY) classC unicast octets.
rprSpanStatsOutMcastClassCFrames Number of transmitted (MAC to PHY) classC multicast and broadcast frames.
rprSpanStatsOutMcastClassCOctets Number of transmitted (MAC to PHY) classC multicast and broadcast octets.
rprSpanStatsOutUcastClassBEirFrames Number of transmitted (MAC to PHY) classB EIR unicast frames.
rprSpanStatsOutUcastClassBEirOctets The number of transmitted (MAC to PHY) classB EIR unicast octets.
rprSpanStatsOutMcastClassBEirFrames The number of transmitted (MAC to PHY) classB EIR multicast and broadcast frames.
rprSpanStatsOutMcastClassBEirOctets The number of transmitted (MAC to PHY) classB EIR multicast and broadcast octets.
rprSpanStatsOutUcastClassBCirFrames The number of transmitted (MAC to PHY) classB CIR unicast frames.
rprSpanStatsOutUcastClassBCirOctets The number of transmitted (MAC to PHY) classB CIR unicast octets.
rprSpanStatsOutMcastClassBCirFrames The number of transmitted (MAC to PHY) classB CIR multicast and broadcast frames.
rprSpanStatsOutMcastClassBCirOctets The number of transmitted (MAC to PHY) classB CIR multicast and broadcast octets.
rprSpanStatsOutUcastClassAFrames The number of transmitted (MAC to PHY) classA unicast frames.
rprSpanStatsOutUcastClassAOctets The number of transmitted (MAC to PHY) classA unicast octets.
rprSpanStatsOutMcastClassAFrames The number of transmitted (MAC to PHY) classA multicast and broadcast frames.
rprSpanStatsOutMcastClassAOctets The number of transmitted (MAC to PHY) classA multicast and broadcast octets.
rprSpanStatsOutCtrlFrames The number of transmitted (MAC to PHY) control frames generated by this MAC. This does not include control frames in transit, i.e. a multicast control frame received from a ringlet will be counted as In but not Out. This does not include Fairness or idle frames.
rprSpanStatsOutOamEchoFrames The number of transmitted (MAC to PHY) OAM echo frames generated by this MAC.
rprSpanStatsOutOamFlushFrames The number of transmitted (MAC to PHY) OAM flush frames generated by this MAC.
rprSpanStatsOutOamOrgFrames The number of transmitted (MAC to PHY) OAM Org frames generated by this MAC.
rprSpanStatsOutTopoAtdFrames The number of transmitted (MAC to PHY) topology ATD frames generated by this MAC.
rprSpanStatsOutTopoChkSumFrames The number of transmitted (MAC to PHY) topology checksum frames generated by this MAC.
rprSpanStatsOutTopoTpFrames The number of transmitted (MAC to PHY) topology TP frames generated by this MAC.
rprClientStatsInUcastClassCFrames The number of MAC to client classC unicast frames.
rprClientStatsInUcastClassCOctets The number of MAC to client classC unicast octets.
rprClientStatsInMcastClassCFrames The number of MAC to client classC multicast and broadcast frames.
rprClientStatsInMcastClassCOctets The number of MAC to client classC multicast and broadcast octets.
rprClientStatsInUcastClassBEirFrames The number of MAC to client classB EIR unicast frames.
rprClientStatsInUcastClassBEirOctets Number of packets received with a payload FCS error.
rprClientStatsInMcastClassBEirFrames Number of MAC to client classB EIR multicast and broadcast frames.
rprClientStatsInMcastClassBEirOctets Number of MAC to client classB EIR multicast and broadcast octets.
rprClientStatsInUcastClassBCirFrames Number of MAC to client classB CIR unicast frames.
rprClientStatsInUcastClassBCirOctets Number of MAC to client classB CIR unicast octets.
rprClientStatsInMcastClassBCirFrames Number of MAC to client classB CIR multicast and broadcast frames.
rprClientStatsInMcastClassBCirOctets Number of MAC to client classB CIR multicast and broadcast octets.
rprClientStatsInUcastClassAFrames Number of MAC to client classA unicast frames.
rprClientStatsInUcastClassAOctets Number of MAC to client classA unicast octets.
rprClientStatsInMcastClassAFrames Number of MAC to client classA multicast and broadcast frames.
rprClientStatsInMcastClassAOctets Number of MAC to client classA multicast and broadcast octets.
rprClientStatsInBcastFrames Number of MAC to client broadcast frames. This is used only when deriving the multicast and broadcast packet counters for the interface MIB.
rprClientStatsOutUcastClassCFrames Number of client to MAC classC unicast frames.
rprClientStatsOutUcastClassCOctets Number of client to MAC classC unicast octets.
rprClientStatsOutMcastClassCFrames Number of client to MAC classC multicast and broadcast frames.
rprClientStatsOutMcastClassCOctets Number of client to MAC classC multicast and broadcast octets.
rprClientStatsOutUcastClassBEirFrames Number of client to MAC classB EIR unicast frames.
rprClientStatsOutUcastClassBEirOctets Number of client to MAC classB EIR unicast octets.
rprClientStatsOutMcastClassBEirFrames Number of client to MAC classB EIR multicast and broadcast frames.
rprClientStatsOutMcastClassBEirOctets Number of client to MAC classB EIR multicast and broadcast octets.
rprClientStatsOutUcastClassBCirFrames Number of client to MAC classB CIR unicast frames.
rprClientStatsOutUcastClassBCirOctets Number of client to MAC classB CIR unicast octets.
rprClientStatsOutMcastClassBCirFrames Number of client to MAC classB CIR multicast and broadcast frames.
rprClientStatsOutMcastClassBCirOctets Number of client to MAC classB CIR multicast and broadcast octets.
rprClientStatsOutUcastClassAFrames Number of client to MAC classA unicast frames.
rprClientStatsOutUcastClassAOctets Number of client to MAC classA unicast octets.
rprClientStatsOutMcastClassAFrames Number of client to MAC classA multicast and broadcast frames.
rprClientStatsOutMcastClassAOctets Number of client to MAC classA multicast and broadcast octets.
rprClientStatsOutBcastFrames Number of client to MAC broadcast frames. This is used only when deriving the multicast and broadcast packet counters for the interface MIB.
rprErrorStatsBadParityFrames Number of received (PHY to MAC) frames with a parity value not matching the expected parity value.
rprErrorStatsBadHecFrames The number of received (PHY to MAC) frames with HEC error.
rprErrorStatsTtlExpFrames The number of received (PHY to MAC) frames that were dropped due to zero Time To Live (TTL).
rprErrorStatsTooLongFrames The number of received (PHY to MAC) frames that exceed the maximum permitted frame size.
rprErrorStatsTooShortFrames The number of received (PHY to MAC) frames shorter than the minimum permitted frame size.
rprErrorStatsBadFcsFrames The number of received (PHY to MAC) data and control frames where the FCS value did not match the expected FCS value.
rprErrorStatsSelfSrcUcastFrames The number of received (PHY to MAC) unicast frames that were transmitted by the station itself. That is, the source MAC is equal to the interface MAC.
rprErrorStatsPmdAbortFrames The number of received (PHY to MAC) frames that were aborted by the PMD.
rprErrorStatsBadAddrFrames The number of received (PHY to MAC) frames with invalid SA value.
rprErrorStatsContainedFrames The number of received (PHY to MAC) frames that were removed due to context containment.
rprErrorStatsScffErrors The number of received (PHY to MAC) errored SCFF, with bad parity, bad FCS, or both.
gfpStatsCSFRaised The number of total received client management frames.
gfpStatsLFDRaised The number of Core HEC CRC Multiple Bit Errors.
Note This count is only for cHEC multiple bit errors when in frame. It is a count of when the state machine goes out of frame.
rprPortCounterError Packets dropped internally by the network processor.
15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters
CTC provides Ethernet performance information, including line-level parameters, port bandwidth consumption, and historical Ethernet statistics. The CE-Series card Ethernet performance information is divided into Ether Ports and POS Ports tabbed windows within the card view Performance tab window.
15.6.4.1 CE-Series Card Ether Port Statistics Window
The Ethernet Ether Ports Statistics window lists Ethernet parameters at the line level. The Statistics
window provides buttons to change the statistical values shown. The Baseline button resets the displayed
statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time
interval at which automatic refresh occurs. The CE-Series Statistics window also has a Clear button. The
Clear button sets the values on the card to zero, but does not reset the CE-Series card.
During each automatic cycle, whether auto-refreshed or manually refreshed (using the Refresh button),
statistics are added cumulatively and are not immediately adjusted to equal total received packets until
testing ends. To see the final PM count totals, allow a few moments for the PM window statistics to finish
testing and update fully. PM counts are also listed in the CE-Series card Performance > History window.
Table 15-21 defines the CE-Series card Ethernet port parameters.
Table 15-21 CE-Series Ether Port PM Parameters
Parameter Definition
Time Last Cleared A time stamp indicating the last time statistics were reset.
Link Status Indicates whether the Ethernet link is receiving a valid Ethernet signal
(carrier) from the attached Ethernet device; up means present, and down
means not present.
ifInOctets Number of bytes received since the last counter reset.
rxTotalPkts Number of received packets.
ifInUcastPkts Number of unicast packets received since the last counter reset.
ifInMulticastPkts Number of multicast packets received since the last counter reset.
ifInBroadcastPkts Number of broadcast packets received since the last counter reset.
ifInDiscards The number of inbound packets that were chosen to be discarded even
though no errors had been detected to prevent their being deliverable to a
higher-layer protocol. One possible reason for discarding such a packet
could be to free buffer space.
Note The counter ifInDiscards counts discarded frames regardless of the
state (enabled or disabled) of flow control.
ifInErrors The number of inbound packets (or transmission units) that contained errors
preventing them from being deliverable to a higher-layer protocol.
ifOutOctets Number of bytes transmitted since the last counter reset.
txTotalPkts Number of transmitted packets.
ifOutDiscards [1] Number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their transmission. A possible reason for discarding such packets could be to free up buffer space.
ifOutErrors [1] Number of outbound packets or transmission units that could not be transmitted because of errors.
ifOutUcastPkts [2] Number of unicast packets transmitted.
ifOutMulticastPkts [2] Number of multicast packets transmitted.
ifOutBroadcastPkts [2] Number of broadcast packets transmitted.
dot3StatsAlignmentErrors [2] A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check.
dot3StatsFCSErrors A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
dot3StatsSingleCollisionFrames [2] A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
dot3StatsFrameTooLong A count of frames received on a particular interface that exceed the maximum permitted frame size.
etherStatsUndersizePkts The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
etherStatsFragments The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
Note It is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits.
etherStatsPkts64Octets The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts65to127Octets The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts128to255Octets The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts256to511Octets The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsBroadcastPkts The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
etherStatsMulticastPkts The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
etherStatsOversizePkts The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes.
etherStatsJabbers The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsOctets The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
etherStatsCollisions [2] Number of transmit packets that are collisions; the port and the attached device transmitting at the same time caused collisions.
etherStatsCRCAlignErrors [2] The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsDropEvents [2] Number of received frames dropped at the port level.
rxPauseFrames Number of received pause frames.
Note rxPauseFrames is not supported on the CE-100T-8 card.
txPauseFrames Number of transmitted pause frames.
Note txPauseFrames is not supported on the CE-100T-8 card.
rxPktsDroppedInternalCongestion [1] Number of received packets dropped due to overflow in the frame buffer.
txPktsDroppedInternalCongestion [1] Number of transmit queue drops due to drops in the frame buffer.
rxControlFrames [1] Number of received control frames.
mediaIndStatsRxFramesTruncated [1] Number of received frames with length of 36 bytes or less.
mediaIndStatsRxFramesTooLong [1] Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
mediaIndStatsRxFramesBadCRC [1] Number of received frames with CRC error.
mediaIndStatsTxFramesBadCRC [1] Number of transmitted frames with CRC error.
mediaIndStatsRxShortPkts [1] Number of received packets that are too small.
1. For CE1000-4 only
2. For CE100T-8, CE-MR-10 only
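As an added example (not Cisco code and not part of the manual), the following Python models how a received frame's length and FCS result are filed into the RMON etherStats and dot3Stats counters defined in Table 15-21. The frames are constructed inside the script, a CRC-32 check stands in for the hardware FCS check, and a dribble-bit flag stands in for a non-integral octet count; the counter names are those of the table.

```python
import zlib

MIN_FRAME = 64          # octets, FCS included, preamble/SFD excluded
MAX_UNTAGGED = 1518     # Table 15-21 oversize threshold
MAX_TAGGED = 1522       # the table notes 1522 bytes for tagged interfaces

SIZE_BUCKETS = (
    ("etherStatsPkts64Octets", 64, 64),
    ("etherStatsPkts65to127Octets", 65, 127),
    ("etherStatsPkts128to255Octets", 128, 255),
    ("etherStatsPkts256to511Octets", 256, 511),
    ("etherStatsPkts512to1023Octets", 512, 1023),
    ("etherStatsPkts1024to1518Octets", 1024, 1518),
)
OTHER_COUNTERS = (
    "etherStatsOctets", "etherStatsUndersizePkts", "etherStatsFragments",
    "etherStatsOversizePkts", "etherStatsJabbers", "etherStatsCRCAlignErrors",
    "dot3StatsFCSErrors", "dot3StatsAlignmentErrors",
)


def make_frame(length, corrupt_fcs=False):
    """Constructed test frame of `length` octets whose last four octets are the
    FCS. Ethernet's FCS is CRC-32 with zlib's polynomial, sent least significant
    byte first; flipping one bit of it models a frame damaged on the wire."""
    body = bytes((i * 7) & 0xFF for i in range(length - 4))
    fcs = zlib.crc32(body)
    if corrupt_fcs:
        fcs ^= 0x1
    return body + fcs.to_bytes(4, "little")


def fcs_ok(frame):
    """True when the trailing FCS matches the CRC-32 of the rest of the frame."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def classify(frames, tagged=False):
    """Map each (frame_bytes, dribble_bits) pair onto the RMON counters.

    dribble_bits > 0 means the MAC saw a non-integral number of octets, which
    the table files under Alignment Error rather than FCS Error.
    """
    max_len = MAX_TAGGED if tagged else MAX_UNTAGGED
    counters = {name: 0 for name, _, _ in SIZE_BUCKETS}
    counters.update({name: 0 for name in OTHER_COUNTERS})
    for frame, dribble_bits in frames:
        length = len(frame)
        bad = (not fcs_ok(frame)) or dribble_bits > 0
        # etherStatsOctets and the size buckets count bad packets too.
        counters["etherStatsOctets"] += length
        for name, lo, hi in SIZE_BUCKETS:
            if lo <= length <= hi:
                counters[name] += 1
        if bad:
            key = "dot3StatsAlignmentErrors" if dribble_bits else "dot3StatsFCSErrors"
            counters[key] += 1
        # The length band decides which RMON error/size counter increments.
        if length < MIN_FRAME:
            counters["etherStatsFragments" if bad else "etherStatsUndersizePkts"] += 1
        elif length > max_len:
            counters["etherStatsJabbers" if bad else "etherStatsOversizePkts"] += 1
        elif bad:
            counters["etherStatsCRCAlignErrors"] += 1
    return counters


# Constructed sample: one frame per case the table distinguishes.
SAMPLE_FRAMES = [
    (make_frame(64), 0),                      # minimum size, good
    (make_frame(300), 0),                     # mid size, good
    (make_frame(1518), 0),                    # maximum untagged, good
    (make_frame(40), 0),                      # runt with valid FCS -> UndersizePkts
    (make_frame(40, corrupt_fcs=True), 0),    # runt with bad FCS -> Fragments
    (make_frame(1600), 0),                    # too long, well formed -> OversizePkts
    (make_frame(1600, corrupt_fcs=True), 0),  # too long and bad -> Jabbers
    (make_frame(128, corrupt_fcs=True), 0),   # in range, bad FCS -> CRCAlignErrors
    (make_frame(200), 3),                     # in range, dribble bits -> CRCAlignErrors
]


def sample_counters(tagged=False):
    """Counters produced by the constructed sample above."""
    return classify(SAMPLE_FRAMES, tagged=tagged)


if __name__ == "__main__":
    for name, value in sorted(sample_counters().items()):
        print(f"{name:32} {value}")
```

Two points the counters make visible: etherStatsUndersizePkts and etherStatsFragments differ only in whether the FCS was valid, which is why the table says Fragments incrementing is normal on a collision domain, and the oversize threshold moves from 1518 to 1522 on a tagged interface, so a baseline built on untagged ports will flag legitimate tagged frames as oversize.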
15.6.4.2 CE-Series Card Ether Ports Utilization Window
The Ether Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the
Ethernet ports during consecutive time segments. The Utilization window provides an Interval
drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line
utilization is calculated with the following formulas:
Rx = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100%
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction
for the Ethernet port (that is, 1 Gbps). The maxBaseRate for CE-Series Ethernet cards is shown in
Table 15-14.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
15.6.4.3 CE-Series Card Ether Ports History Window
The Ethernet Ether Ports History window lists past Ethernet statistics for the previous time intervals.
Depending on the selected time interval, the History window displays the statistics for each port for the
number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are
defined in Table 15-21 on page 15-44.
15.6.4.4 CE-Series Card POS Ports Statistics Parameters
The Ethernet POS Ports statistics window lists Ethernet POS parameters at the line level. Table 15-22
defines the CE-Series Ethernet card POS Ports parameters.
Table 15-22 CE-Series Card POS Ports Parameters
Parameter Definition
Time Last Cleared A time stamp indicating the last time that statistics were reset.
Link Status Indicates whether the Ethernet link is receiving a valid Ethernet signal
(carrier) from the attached Ethernet device; up means present, and down
means not present.
ifInOctets Number of bytes received since the last counter reset.
rxTotalPkts Number of received packets.
ifInDiscards [1] The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free buffer space.
Note that due to hardware problems, the drop counter is not very accurate when flow control is enabled.
Note The counter ifInDiscards counts discarded frames regardless of the state (enabled or disabled) of flow control.
ifInErrors [1] The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol.
ifOutOctets Number of bytes transmitted since the last counter reset.
txTotalPkts Number of transmitted packets.
Note that due to hardware problems, the txTotalPkts and txTotalOctets counters are incorrect when flow control is enabled and there are dropped packets in the ET3 mapper of the CE-100T-8 card.
gfpStatsRxFrame [2] Number of received GFP frames.
gfpStatsTxFrame [2] Number of transmitted GFP frames.
gfpStatsRxCRCErrors Number of packets received with a payload FCS error.
gfpStatsRxOctets [2] Number of GFP bytes received.
gfpStatsTxOctets [2] Number of GFP bytes transmitted.
gfpStatsRxSBitErrors Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T receiver, these are correctable.
gfpStatsRxMBitErrors Sum of all the multiple bit errors. In the GFP CORE HDR at the GFP-T receiver, these are uncorrectable.
gfpStatsRxTypeInvalid Number of receive packets dropped due to Client Data Frame UPI errors.
gfpStatsRxCIDInvalid [1] Number of packets with invalid CID.
gfpStatsCSFRaised Number of GFP Client signal fail frames detected at the GFP-T receiver.
ifInPayloadCrcErrors [1] Received payload CRC errors.
ifOutPayloadCrcErrors [1] Transmitted payload CRC errors.
hdlcPktDrops Number of received packets dropped before input.
1. Applicable only for CE100T-8, CE-MR-10
2. Applicable only for CE1000-4
15.6.4.5 CE-Series Card POS Ports Utilization Window
The POS Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the POS ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:
Rx = (inOctets * 8) / (interval * maxBaseRate)
Tx = (outOctets * 8) / (interval * maxBaseRate)
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for CE-Series cards is shown in Table 15-14 on page 15-31.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
15.6.4.6 CE-Series Card POS Ports History Window
The Ethernet POS Ports History window lists past Ethernet POS ports statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in Table 15-22 on page 15-47.
15.7 Performance Monitoring for Optical Cards
This section lists PM parameters for ONS 15454 optical cards, including the OC-3, OC-12, OC-48, and
OC-192 cards. Figure 15-20 shows the signal types that support near-end and far-end PMs.
Figure 15-20 Monitored Signal Types for the OC-3 Cards
Note The XX in Figure 15-20 represents all PMs listed in Table 15-23, Table 15-24, and Table 15-25 with the
given prefix and/or suffix.
Figure 15-21 shows where overhead bytes detected on the ASICs produce PM parameters for the OC3
IR 4 SH 1310 and OC3 IR SH 1310-8 cards.
Figure 15-20 content summary: PTE, OC-3 signal, ONS 15454 (OC-3 and OC48 cards), fiber, ONS 15454 (OC48 and OC-3 cards), OC-3 signal, PTE. STS Path (STS XX-P) PMs: near and far end supported.
Figure 15-21 PM Read Points on the OC-3 Cards
Note For PM locations relating to protection switch counts, see the Telcordia GR-253-CORE document.
Table 15-23 and Table 15-24 list the PM parameters for OC-3 cards.
Figure 15-21 content summary: ONS 15454 OC-3 card with the BTC ASIC (pointer processors), XC card(s), and OC-N interfaces. Section and line PMs: CV-S, ES-S, SES-S, SEFS-S, CV-L, ES-L, SES-L, UAS-L, FC-L, PPJC-Pdet, NPJC-Pdet, PPJC-Pgen, NPJC-Pgen. Path-level PMs: STS CV-P, STS ES-P, STS FC-P, STS SES-P, STS UAS-P, STS CV-PFE, STS ES-PFE, STS FC-PFE, STS SES-PFE, STS UAS-PFE. Legend: PMs read on BTC ASIC; PMs read on PMC.
Table 15-23 OC-3 Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L, PSC (1+1), PSD (1+1)
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET, NPJC-PDET, PPJC-PGEN, NPJC-PGEN, PPJC-PDET-P, PPJC-PGEN-P, PJC-DIFF
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE) [1]: CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
1. The STS Path (FE) PMs are valid only for the OC3-4 card on ONS 15454. Also, OC-3/12/48 on the 15310MA platform, MRC-12, and OC192/STM64-XFP based cards support far-end path PM parameters. All other optical cards do not support far-end path PM parameters.
Table 15-25 lists the PM parameters for OC-12, OC-48, OC-192, and OC-192-XFP cards.
Note If the CV-L (NE and FE) count falls within a specific range, you might see a discrepancy in the SES and UAS-L values; ES-L will be accurate to the nearest value. For a few seconds in a given 10-second interval, the number of CV-L counted might not cross the CV count threshold for SES (due to a system/application limitation for the ranges mentioned below); as a consequence there might not be 10 continuous SES, so UAS will not be observed. The corresponding (error) range for each line rate is shown in Table 15-26.
Table 15-24 OC3-8 Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L, PSC (1+1), PSD (1+1)
Physical Layer (NE): LBCL, OPT, OPR
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, PJC-DIFF-P
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Table 15-25 OC-12, OC-48, OC-192, OC-192-XFP Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L, PSC (1+1, 2F BLSR), PSD (1+1, 2F BLSR), PSC-W (4F BLSR), PSD-W (4F BLSR), PSC-S (4F BLSR), PSD-S (4F BLSR), PSC-R (4F BLSR), PSD-R (4F BLSR)
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PGEN-P, PJCS-PDET-P, PJC-DIFF-P
Line (FE): CV-L, ES-L, SES-L, UAS-L, FC-L
15.8 Performance Monitoring for Optical Multirate Cards
This section lists PM parameters for the optical multirate cards MRC-12 and MRC-2.5G-4.
Figure 15-22 shows where overhead bytes detected on the ASICs produce PM parameters for the
MRC-12 card and the MRC-2.5G-4 card.
Figure 15-22 PM Read Points for the MRC-12 and the MRC-2.5G-4 Cards
Table 15-27 lists the PM parameters for MRC-12 and MRC-4 cards.
Table 15-26 Table of Border Error Rates
Line Rate Error Ranges
OC3 154-164
OC12 615-625
OC48 2459-2470
OC192 9835-9845
Figure 15-22 content summary: ONS 15454 MRC-12/MRC-2.5G-4 multirate cards with two iBPIA ASICs, the XC card, and OC-N interfaces; PMs read on the Amazon ASIC. Regenerator Section PM (SDH): Near-End RS-EB, RS-ES, RS-SES, RS-BBE, RS-OFS. Multiplex Section PM (SDH): Near-End MS-EB, MS-ES, MS-SES, MS-UAS, MS-BBE, MS-FC; Far-End MS-EB, MS-ES, MS-SES, MS-UAS, MS-BBE, MS-FC. Section PM (SONET): Near-End CV-S, ES-S, SEFS-S. Line PMs (SONET): Near-End CV-L, ES-L, SES-L, UAS-L, FC-L; Far-End CV-LFE, ES-LFE, SES-LFE, UAS-LFE.
Table 15-27 MRC Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L, PSC (1+1), PSD (1+1)
Physical Layer (NE): LBC, OPT, OPR
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, PJC-DIFF-P
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
15.9 Performance Monitoring for Storage Access Networking Cards
The following sections define PM parameters and definitions for the SAN card, also known as the FC_MR-4 or Fibre Channel card.
CTC provides FC_MR-4 performance information, including line-level parameters, port bandwidth consumption, and historical statistics. The FC_MR-4 card performance information is divided into the Statistics, Utilization, and History tabbed windows within the card view Performance tab window.
15.9.1 FC_MR-4 Statistics Window
The Statistics window lists parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. The Statistics window also has a Clear button. The Clear button sets the values on the card to zero. All counters on the card are cleared. Table 15-28 defines the FC_MR-4 card statistics parameters.
Table 15-28 FC_MR-4 Card Statistics
Parameter Definition
Time Last Cleared Time stamp indicating the time at which the
statistics were last reset.
Link Status Indicates whether the Fibre Channel link is
receiving a valid Fibre Channel signal (carrier)
from the attached Fibre Channel device; up means
present, and down means not present.
ifInOctets Number of bytes received without error for the
Fibre Channel payload.
rxTotalPkts Number of Fibre Channel frames received without
errors.
ifInDiscards Number of inbound packets that were chosen to
be discarded even though no errors had been
detected to prevent their being deliverable to a
higher-layer protocol. One possible reason for
discarding such a packet could be to free up buffer
space.
ifInErrors Sum of frames that are oversized, undersized, or
with cyclic redundancy check (CRC) error.
ifOutOctets Number of bytes transmitted without error for the
Fibre Channel payload.
txTotalPkts Number of Fibre Channel frames transmitted
without errors.
ifOutDiscards Number of outbound packets which were chosen
to be discarded even though no errors had been
detected to prevent their transmission. A possible
reason for discarding such packets could be to
free up buffer space.
gfpStatsRxSBitErrors Number of single bit errors in core header error
check (CHEC).
gfpStatsRxMBitErrors Number of multiple bit errors in CHEC.
gfpStatsRxTypeInvalid Number of invalid generic framing procedure
(GFP) type field received. This includes
unexpected user payload identifier (UPI) type and
also errors in CHEC.
gfpStatsRxSblkCRCErrors Number of super block CRC errors.
gfpStatsRoundTripLatencyUSec Round trip delay for the end-to-end Fibre Channel
transport in milliseconds.
gfpStatsRxDistanceExtBuffers Number of buffer credit received for GFP-T
receiver (valid only if distance extension is
enabled).
gfpStatsTxDistanceExtBuffers Number of buffer credit transmitted for GFP-T
transmitter (valid only if distance extension is
enabled).
mediaIndStatsRxFramesTruncated Number of Fibre Channel frames received with
frame size <= 36 bytes.
mediaIndStatsRxFramesTooLong Number of Fibre Channel frames received with
frame size higher than the provisioned maximum
frame size.
mediaIndStatsRxFramesBadCRC Number of Fibre Channel frames received with
bad CRC.
Table 15-28 FC_MR-4 Card Statistics
Parameter Definition15-55
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 15 Performance Monitoring
15.9.2 FC_MR-4 Utilization Window
15.9.2 FC_MR-4 Utilization Window
The Utilization window shows the percentage of Tx and Rx line bandwidth used by the ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:
Rx = (inOctets + inPkts * 24) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 24) * 8 / (interval * maxBaseRate) * 100%
The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the port (that is, 1 Gbps or 2 Gbps). The maxBaseRate for FC_MR-4 cards is shown in Table 15-29.
Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
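The following Python code applies the two utilization formulas above to counter deltas read from a port, using the maxBaseRate values of Table 15-29. It is an added worked example, not part of the reference manual or of the FC_MR-4 card software; the STS-to-maxBaseRate mapping and the sample counter values are assumptions made for illustration.

```python
"""FC_MR-4 line utilization from the Rx/Tx formulas above (added example)."""

# Assumed mapping from the STS column of Table 15-29 to maxBaseRate in bits
# per second: 850 Mbps of payload per 1 Gbps of line rate because 8b/10b
# coding carries 8 data bits in every 10 line bits (footnote 1 of Table 15-29).
MAX_BASE_RATE = {
    "STS-24": 850_000_000,      # 1 Gbps Fibre Channel port
    "STS-48": 850_000_000 * 2,  # 2 Gbps Fibre Channel port
}

# Per-packet overhead in bytes added to the octet count (the "* 24" term).
PACKET_OVERHEAD_BYTES = 24


def utilization_percent(octets, packets, interval_seconds, max_base_rate):
    """Utilization of one direction of one port, in percent.

    Computes (octets + packets * 24) * 8 / (interval * maxBaseRate) * 100%,
    where octets and packets are the counter deltas over the interval.
    """
    if interval_seconds <= 0 or max_base_rate <= 0:
        raise ValueError("interval and maxBaseRate must be positive")
    if octets < 0 or packets < 0:
        raise ValueError("counter deltas must be non-negative")
    bits_on_line = (octets + packets * PACKET_OVERHEAD_BYTES) * 8
    return bits_on_line / (interval_seconds * max_base_rate) * 100.0


def port_utilization(in_octets, in_pkts, out_octets, out_pkts,
                     interval_seconds, sts):
    """(Rx %, Tx %) for a port whose circuit size is given as an STS name."""
    rate = MAX_BASE_RATE[sts]
    rx = utilization_percent(in_octets, in_pkts, interval_seconds, rate)
    tx = utilization_percent(out_octets, out_pkts, interval_seconds, rate)
    return rx, tx


if __name__ == "__main__":
    # Constructed 1-minute counter deltas: about half the payload capacity of a
    # 1 Gbps port in the receive direction and a lightly loaded transmit side.
    rx, tx = port_utilization(3_163_500_000, 1_000_000,
                              316_350_000, 100_000, 60, "STS-24")
    print("Rx %.1f%%  Tx %.1f%%" % (rx, tx))
```

The same counter deltas give half the percentage on an STS-48 circuit, because maxBaseRate doubles while the traffic does not; a utilization figure is only meaningful together with the circuit size it was computed against.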
Table 15-28 FC_MR-4 Card Statistics (continued)
Parameter  Definition
mediaIndStatsTxFramesBadCRC  Number of Fibre Channel frames transmitted with bad CRC.
fcStatsLinkRecoveries  Number of link recoveries.
fcStatsRxCredits  Number of buffers received to buffer credits T (valid only if distance extension is enabled).
fcStatsTxCredits  Number of buffers transmitted to buffer credits T (valid only if distance extension is enabled).
fcStatsZeroTxCredits  Number of transmit attempts that failed because of unavailable credits.
8b10bInvalidOrderedSets  8b10b loss of sync count on Fibre Channel line side.
8b10bStatsEncodingDispErrors  8b10b disparity violations count on Fibre Channel line side.
gfpStatsCSFRaised  Number of GFP Client Signal Fail frames detected.
Table 15-29 maxBaseRate for STS Circuits
STS  maxBaseRate
STS-24  850000000
STS-48  850000000 x 2 (1)
1. For 1 Gbps of bit rate being transported, there are only 850 Mbps of actual data because of 8b->10b conversion. Similarly, for 2 Gbps of bit rate being transported, there are only 1700 Mbps (850 Mbps x 2) of actual data.
15.9.3 FC_MR-4 History Window
The History window lists past FC_MR-4 statistics for the previous time intervals. Depending on the
selected time interval, the History window displays the statistics for each port for the number of previous
time intervals as shown in Table 15-30. The listed parameters are defined in Table 15-28 on page 15-53.
Table 15-30 FC_MR-4 History Statistics per Time Interval
Time Interval  Number of Intervals Displayed
1 minute  60 previous time intervals
15 minutes  32 previous time intervals
1 hour  24 previous time intervals
1 day (24 hours)  7 previous time intervals
Chapter 16 SNMP
This chapter explains Simple Network Management Protocol (SNMP) as implemented by the
Cisco ONS 15454.
For SNMP setup information, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 16.1 SNMP Overview, page 16-1
• 16.2 Basic SNMP Components, page 16-2
• 16.3 SNMP External Interface Requirement, page 16-4
• 16.4 SNMP Version Support, page 16-4
• 16.5 SNMP Message Types, page 16-5
• 16.6 SNMP Management Information Bases, page 16-5
• 16.7 SNMP Trap Content, page 16-13
• 16.8 SNMPv1/v2 Community Names, page 16-21
• 16.9 SNMPv1/v2 Proxy Over Firewalls, page 16-21
• 16.10 SNMPv3 Proxy Configuration, page 16-21
• 16.11 Remote Monitoring, page 16-22
16.1 SNMP Overview
SNMP is an application-layer communication protocol that allows ONS 15454 network devices to
exchange management information among these systems and with other devices outside the network.
Through SNMP, network administrators can manage network performance, find and solve network
problems, and plan network growth. Up to ten SNMPv1/v2 trap destinations and five concurrent Cisco
Transport Controller (CTC) user sessions are allowed per node.
The ONS 15454 uses SNMP for asynchronous event notification to a network management system
(NMS). Cisco ONS system SNMP implementation uses standard Internet Engineering Task Force
(IETF) management information bases (MIBs) to convey node-level inventory, fault, and performance
management information for generic DS-1, DS-3, SONET, and Ethernet read-only management. SNMP
allows a generic SNMP manager such as HP OpenView Network Node Manager (NNM) or Open
Systems Interconnection (OSI) NetExpert to be utilized for limited management functions.
16.2 Basic SNMP Components
The Cisco ONS 15454 supports SNMP Version 1 (SNMPv1), SNMP Version 2c (SNMPv2c), and SNMP
Version 3 (SNMPv3). As compared to SNMPv1, SNMPv2c includes additional protocol operations and
64-bit performance monitoring support. SNMPv3 provides authentication, encryption, and message
integrity and is more secure. This chapter describes SNMP versions and describes the configuration
parameters for the ONS 15454.
Note It is recommended that the SNMP Manager timeout value be set to 60 seconds. Under certain conditions, if this value is lower than the recommended time, the TCC card can reset. However, the response time depends on various parameters such as the object being queried, complexity, and the number of hops in the node.
Note In Software Release 8.0 and later, you can retrieve automatic in service (AINS) state and soak time
through the SNMP and Transaction Language One (TL1) interfaces.
Note The CERENT-MSDWDM-MIB.mib, CERENT-FC-MIB.mib, and CERENT-GENERIC-PM-MIB.mib
in the CiscoV2 directory support 64-bit performance monitoring counters. The SNMPv1 MIB in the
CiscoV1 directory does not contain 64-bit performance monitoring counters, but supports the lower and
higher word values of the corresponding 64-bit counter. The other MIB files in the CiscoV1 and CiscoV2
directories are identical in content and differ only in format.
Figure 16-1 illustrates the basic layout idea of an SNMP-managed network.
Figure 16-1 Basic Network Managed by SNMP
In general terms, an SNMP-managed network consists of a management system, agents, and managed devices.
A management system such as HP OpenView executes monitoring applications and controls managed
devices. Management systems execute most of the management processes and provide the bulk of
memory resources used for network management. Additionally, a network might be managed by one or
several management systems. Figure 16-2 illustrates the relationship between the network manager, the
SNMP agent, and the managed devices.
Figure 16-2 Example of the Primary SNMP Components
An agent (such as SNMP) residing on each managed device translates local management information
data—such as performance information or event and error information caught in software traps—into a
readable form for the management system. Figure 16-3 illustrates SNMP agent get-requests that
transport data to the network management software.
Figure 16-3 Agent Gathering Data from a MIB and Sending Traps to the Manager
The SNMP agent captures data from MIBs, which are device parameter and network data repositories,
or from error or change traps.
Figure 16-2 (diagram): a Management Entity (NMS) with its Management Database, and Agents on the Managed Devices, each with a Management Database.
Figure 16-3 (diagram): the SNMP Manager (NMS) sends get, get-next, and get-bulk requests to the SNMP Agent on the network device; the agent reads the MIB and answers with get-response messages and traps.
A managed element—such as a router, access server, switch, bridge, hub, computer host, or network
element (such as an ONS 15454)—is accessed through the SNMP agent. Managed devices collect and
store management information, making it available through SNMP to other management systems having
the same protocol compatibility.
16.3 SNMP External Interface Requirement
Since all SNMP requests come from a third-party application, the only external interface requirement is
that a third-party SNMP client application should have the ability to upload RFC 3273 SNMP MIB
variables in the etherStatsHighCapacityTable, etherHistoryHighCapacityTable, or
mediaIndependentTable.
16.4 SNMP Version Support
The ONS 15454 supports SNMPv1, SNMPv2c, and SNMPv3 traps and get requests. The ONS 15454
SNMP MIBs define alarms, traps, and status. Through SNMP, NMS applications can query a
management agent for data from functional entities such as Ethernet switches and SONET multiplexers
using a supported MIB.
Note ONS 15454 MIB files in the CiscoV1 and CiscoV2 directories are almost identical in content except for the difference in 64-bit performance monitoring features. The CiscoV2 directory contains three MIBs with 64-bit performance monitoring counters: CERENT-MSDWDM-MIB.mib, CERENT-FC-MIB.mib, and CERENT-GENERIC-PM-MIB.mib. The CiscoV1 directory does not contain any 64-bit counters, but it does support the lower and higher word values used in 64-bit counters. The two directories also have somewhat different formats.
16.4.1 SNMPv3 Support
Cisco ONS 15454 Software R9.0 and later supports SNMPv3 in addition to SNMPv1 and SNMPv2c.
SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides
secure access to devices by a combination of authentication and encryption packets over the network
based on the User Based Security Model (USM) and the View-Based Access Control Model (VACM).
• User-Based Security Model—The User-Based Security Model (USM) uses the HMAC algorithm
for generating keys for authentication and privacy. SNMPv3 authenticates data based on its origin,
and ensures that the data is received intact. SNMPv1 and v2 authenticate data based on the plain text
community string, which is less secure when compared to the user-based authentication model.
• View-Based Access Control Model—The view-based access control model controls the access to
the managed objects. RFC 3415 defines the following five elements that VACM comprises:
– Groups—A set of users on whose behalf the MIB objects can be accessed. Each user belongs to
a group. The group defines the access policy, notifications that users can receive, and the
security model and security level for the users.
– Security level—The access rights of a group depend on the security level of the request.
– Contexts—Define a named subset of the object instances in the MIB. MIB objects are grouped into collections with different access policies based on the MIB contexts.
– MIB views—Define a set of managed objects as subtrees and families. A view is a collection or
family of subtrees. Each subtree is included or excluded from the view.
– Access policy—Access is determined by the identity of the user, security level, security model,
context, and the type of access (read/write). The access policy defines what SNMP objects can
be accessed for reading, writing, and creating.
Access to information can be restricted based on these elements. Each view is created with different
access control details. An operation is permitted or denied based on the access control details.
You can configure SNMPv3 on a node to allow SNMP get and set access to management information
and configure a node to send SNMPv3 traps to trap destinations in a secure way. SNMPv3 can be
configured in secure mode, non-secure mode, or disabled mode.
SNMP, when configured in secure mode, only allows SNMPv3 messages that have the authPriv security
level. SNMP messages without authentication or privacy enabled are not allowed. When SNMP is
configured in non-secure mode, it allows SNMPv1, SNMPv2, and SNMPv3 message types.
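The following Python code is an added example, not part of the reference manual or of the ONS 15454 software, showing how the secure and non-secure modes just described can be expressed as a check on the SNMP message header. It decodes only msgVersion and the SNMPv3 msgFlags byte (RFC 3412) to classify a message as SNMPv1, SNMPv2c, or SNMPv3 noAuthNoPriv, authNoPriv, or authPriv; the sample messages are constructed skeletons with empty security parameters and PDU, and disabled mode is not modeled because the text does not define it.

```python
"""Classify SNMP messages by version and SNMPv3 security level, then apply the
secure / non-secure acceptance rule described above (added example)."""

SNMP_V1, SNMP_V2C, SNMP_V3 = 0, 1, 3                      # msgVersion values
AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04  # msgFlags bits (RFC 3412)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04        # BER tags used here


def ber_read(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def ber_int(buf, pos=0):
    tag, value, nxt = ber_read(buf, pos)
    if tag != INTEGER:
        raise ValueError("expected INTEGER")
    return int.from_bytes(value, "big", signed=True), nxt


def classify(message):
    """Return (version, level): ("v1", None), ("v2c", None) or ("v3", level)."""
    tag, body, _ = ber_read(message)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    version, pos = ber_int(body)
    if version == SNMP_V1:
        return "v1", None
    if version == SNMP_V2C:
        return "v2c", None
    if version != SNMP_V3:
        raise ValueError("unknown SNMP version %d" % version)
    tag, gdata, _ = ber_read(body, pos)        # msgGlobalData
    if tag != SEQUENCE:
        raise ValueError("bad msgGlobalData")
    _, pos = ber_int(gdata)                     # msgID
    _, pos = ber_int(gdata, pos)                # msgMaxSize
    tag, flags, _ = ber_read(gdata, pos)        # msgFlags
    if tag != OCTET_STRING or len(flags) != 1:
        raise ValueError("bad msgFlags")
    f = flags[0]
    if f & PRIV_FLAG and not f & AUTH_FLAG:
        raise ValueError("privacy without authentication is invalid (RFC 3412)")
    level = {0: "noAuthNoPriv", AUTH_FLAG: "authNoPriv",
             AUTH_FLAG | PRIV_FLAG: "authPriv"}[f & (AUTH_FLAG | PRIV_FLAG)]
    return "v3", level


def is_well_formed(message):
    """True when the header parses and the flag combination is legal."""
    try:
        classify(message)
        return True
    except (ValueError, IndexError, KeyError):
        return False


def agent_accepts(message, mode):
    """Secure mode takes only SNMPv3 authPriv messages; non-secure mode takes
    SNMPv1, SNMPv2c and every SNMPv3 security level."""
    version, level = classify(message)
    if mode == "secure":
        return version == "v3" and level == "authPriv"
    if mode == "non-secure":
        return True
    raise ValueError("mode must be 'secure' or 'non-secure'")


# --- constructed sample messages (not captured from a real node) ---

def _tlv(tag, value):
    assert len(value) < 128                    # short-form length suffices here
    return bytes([tag, len(value)]) + value


def _int(n):
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def sample_v3(msg_flags, msg_id=0x1234):
    """SNMPv3 message skeleton carrying the given msgFlags byte; USM security
    parameters and msgData are left empty because only the header is classified."""
    global_data = _tlv(SEQUENCE, _int(msg_id) + _int(65507)
                       + _tlv(OCTET_STRING, bytes([msg_flags])) + _int(3))
    return _tlv(SEQUENCE, _int(SNMP_V3) + global_data
                + _tlv(OCTET_STRING, b"") + _tlv(SEQUENCE, b""))


def sample_community(version, community=b"public"):
    """SNMPv1/v2c message skeleton: version, community string, empty GetRequest PDU."""
    return _tlv(SEQUENCE, _int(version) + _tlv(OCTET_STRING, community) + _tlv(0xA0, b""))
```

The msgFlags byte states the level the sender claims; an agent in secure mode still has to verify the USM authentication parameters and decrypt the payload before trusting the message, which this header check does not do.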
16.5 SNMP Message Types
The ONS 15454 SNMP agent communicates with an SNMP management application using SNMP
messages. Table 16-1 describes these messages.
16.6 SNMP Management Information Bases
A managed object, sometimes called a MIB object, is one of many specific characteristics of a managed
device. The MIB consists of hierarchically organized object instances (variables) that are accessed by
network-management protocols such as SNMP. Section 16.6.1 IETF-Standard MIBs for the ONS 15454
lists the IETF standard MIBs implemented in the ONS 15454 SNMP agent. Section 16.6.2 Proprietary
ONS 15454 MIBs lists the proprietary MIBs implemented in the ONS 15454.
Table 16-1 ONS 15454 SNMP Message Types
Operation  Description
get-request  Retrieves a value from a specific variable.
get-next-request  Retrieves the value following the named variable; this operation is often used to retrieve variables from within a table. With this operation, an SNMP manager does not need to know the exact variable name. The SNMP manager searches sequentially to find the needed variable from within the MIB.
get-response  Replies to a get-request, get-next-request, get-bulk-request, or set-request sent by an NMS.
get-bulk-request  Fills the get-response with up to the max-repetition number of get-next interactions, similar to a get-next-request.
set-request  Provides remote network monitoring (RMON) MIB.
trap  Indicates that an event has occurred. An unsolicited message is sent by an SNMP agent to an SNMP manager.
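To show how get-next-request and get-bulk-request retrieve a table without the manager knowing the exact instance names, here is an added Python example (not code from the manual or the ONS 15454 agent) that walks a small constructed MIB in lexicographic OID order. The OIDs and values are made up for illustration; a real agent returns endOfMibView and noSuchInstance exceptions where this toy returns None.

```python
"""get-next-request / get-bulk-request walk over a constructed MIB (added example)."""

import bisect


def parse_oid(text):
    """'1.3.6.1.2.1.2.2.1.2.10' -> (1, 3, 6, ..., 2, 10). Tuples of ints compare
    component by component, which is the lexicographic order get-next follows;
    comparing the dotted strings instead would wrongly place .10 before .2."""
    return tuple(int(p) for p in text.strip(".").split("."))


def format_oid(oid):
    return ".".join(str(p) for p in oid)


class ToyAgent:
    """Minimal stand-in for an SNMP agent: a sorted set of object instances."""

    def __init__(self, objects):
        self._values = {parse_oid(o): v for o, v in objects.items()}
        self._oids = sorted(self._values)

    def get(self, oid):
        """get-request: the named instance, or None (noSuchInstance)."""
        return self._values.get(parse_oid(oid))

    def get_next(self, oid):
        """get-next-request: first instance lexicographically after `oid`,
        as (oid_text, value), or None at the end of the MIB (endOfMibView)."""
        i = bisect.bisect_right(self._oids, parse_oid(oid))
        if i == len(self._oids):
            return None
        nxt = self._oids[i]
        return format_oid(nxt), self._values[nxt]

    def get_bulk(self, oid, max_repetitions):
        """get-bulk-request with non-repeaters = 0: up to max_repetitions
        successive get-next results in a single response."""
        out, cur = [], oid
        for _ in range(max_repetitions):
            r = self.get_next(cur)
            if r is None:
                break
            out.append(r)
            cur = r[0]
        return out


def walk_subtree(agent, root, max_repetitions=1):
    """Return every (oid, value) under `root`, stopping as soon as get-next
    returns an instance outside the subtree. max_repetitions=1 behaves like a
    plain get-next walk; larger values use get-bulk."""
    root_t = parse_oid(root)
    results, cur = [], root
    while True:
        batch = agent.get_bulk(cur, max_repetitions)
        if not batch:
            return results                       # end of MIB
        for oid, value in batch:
            if parse_oid(oid)[:len(root_t)] != root_t:
                return results                   # left the subtree
            results.append((oid, value))
        cur = batch[-1][0]


# Constructed sample objects (sysUpTime.0, ifDescr.*, ifType.*), not from a node.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.3.0": 123456,
    "1.3.6.1.2.1.2.2.1.2.1": "Ethernet1",
    "1.3.6.1.2.1.2.2.1.2.2": "Ethernet2",
    "1.3.6.1.2.1.2.2.1.2.10": "Ethernet10",
    "1.3.6.1.2.1.2.2.1.3.1": 6,
    "1.3.6.1.2.1.2.2.1.3.2": 6,
    "1.3.6.1.2.1.2.2.1.3.10": 6,
}
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"


if __name__ == "__main__":
    agent = ToyAgent(SAMPLE_MIB)
    for oid, value in walk_subtree(agent, IF_DESCR, max_repetitions=2):
        print(oid, value)
```

A walk that forgets the subtree check keeps issuing get-next until endOfMibView and reads the whole agent, which is why a manager polling many nodes should bound each walk by its root, as walk_subtree does.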
16.6.1 IETF-Standard MIBs for the ONS 15454
Table 16-2 lists the IETF-standard MIBs implemented in the ONS 15454 SNMP agents.
You must first compile the MIBs in Table 16-2. Compile the MIBs in Table 16-3 next.
Caution If you do not compile MIBs in the correct order, one or more might not compile correctly.
Table 16-2 IETF Standard MIBs Implemented in the ONS 15454 System
RFC Number (1)  Module Name  Title/Comments
—  IANAifType-MIB.mib  Internet Assigned Numbers Authority (IANA) ifType
1213  RFC1213-MIB-rfc1213.mib  Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
1907  SNMPV2-MIB-rfc1907.mib  Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)
1253  RFC1253-MIB-rfc1253.mib  OSPF Version 2 Management Information Base
1493  BRIDGE-MIB-rfc1493.mib  Definitions of Managed Objects for Bridges (This defines MIB objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area Network [LAN] segments.)
2819  RMON-MIB-rfc2819.mib  Remote Network Monitoring Management Information Base
2737  ENTITY-MIB-rfc2737.mib  Entity MIB (Version 2)
2233  IF-MIB-rfc2233.mib  Interfaces Group MIB using SNMPv2
2358  EtherLike-MIB-rfc2358.mib  Definitions of Managed Objects for the Ethernet-like Interface Types
2493  PerfHist-TC-MIB-rfc2493.mib  Textual Conventions for MIB Modules Using Performance History Based on 15 Minute Intervals
2495  DS1-MIB-rfc2495.mib  Definitions of Managed Objects for the DS1, E1, DS2 and E2 Interface Types
2496  DS3-MIB-rfc2496.mib  Definitions of Managed Object for the DS3/E3 Interface Type
2558  SONET-MIB-rfc2558.mib  Definitions of Managed Objects for the SONET/SDH Interface Type
2674  P-BRIDGE-MIB-rfc2674.mib, Q-BRIDGE-MIB-rfc2674.mib  Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
3273  HC-RMON-MIB  The MIB module for managing remote monitoring device implementations, augmenting the original RMON MIB as specified in RFC 2819 and RFC 1513 and RMON-2 MIB as specified in RFC 2021
3413  SNMP-NOTIFICATION-MIB  Defines the MIB objects that provide mechanisms to remotely configure the parameters used by an SNMP entity for generating notifications.
3413  SNMP-TARGET-MIB  Defines the MIB objects that provide mechanisms to remotely configure the parameters that are used by an SNMP entity for generating SNMP messages.
3413  SNMP-PROXY-MIB  Defines MIB objects that provide mechanisms to remotely configure the parameters used by a proxy forwarding application.
3414  SNMP-USER-BASED-SM-MIB  The management information definitions for the SNMP User-Based Security Model.
3415  SNMP-VIEW-BASED-ACM-MIB  The management information definitions for the View-Based Access Control Model for SNMP.
—  CISCO-DOT3-OAM-MIB  A Cisco proprietary MIB defined for IEEE 802.3ah ethernet OAM.
1. RFC = Request for Comment
16.6.2 Proprietary ONS 15454 MIBs
Each ONS 15454 is shipped with a software CD containing applicable proprietary MIBs. Table 16-3 lists the proprietary MIBs for the ONS 15454.
Table 16-3 ONS 15454 Proprietary MIBs
MIB
Number Module Name
1 CERENT-GLOBAL-REGISTRY.mib
2 CERENT-TC.mib
3 CERENT-454.mib
4 CERENT-GENERIC.mib (not applicable to ONS 15454)
5 CISCO-SMI.mib
6 CISCO-VOA-MIB.mib
7 CERENT-MSDWDM-MIB.mib
8 CERENT-OPTICAL-MONITOR-MIB.mib
9 CERENT-HC-RMON-MIB.mib
10 CERENT-ENVMON-MIB.mib
11 CERENT-GENERIC-PM-MIB.mib
12 BRIDGE-MIB.my
13 CERENT-454-MIB.mib
14 CERENT-ENVMON-MIB.mib
15 CERENT-FC-MIB.mib
16 CERENT-GENERIC-MIB.mib
17 CERENT-GENERIC-PM-MIB.mib
18 CERENT-GLOBAL-REGISTRY.mib
19 CERENT-HC-RMON-MIB.mib
20 CERENT-IF-EXT-MIB.mib
21 CERENT-MSDWDM-MIB.mib
22 CERENT-OPTICAL-MONITOR-MIB.mib
23 CERENT-TC.mib
24 CISCO-IGMP-SNOOPING-MIB.mib
25 CISCO-OPTICAL-MONITOR-MIB.mib
26 CISCO-OPTICAL-PATCH-MIB.mib
27 CISCO-SMI.mib
28 CISCO-VOA-MIB.mib
29 CISCO-VTP-MIB.mib
30 INET-ADDRESS-MIB.mib
31 OLD-CISCO-TCP-MIB.my
32 OLD-CISCO-TS-MIB.my
33 RFC1155-SMI.my
34 RFC1213-MIB.my
35 RFC1315-MIB.my
36 BGP4-MIB.my
37 CERENT-454-MIB.mib
38 CERENT-ENVMON-MIB.mib
39 CERENT-FC-MIB.mib
40 CERENT-GENERIC-MIB.mib
41 CERENT-GENERIC-PM-MIB.mib
42 CERENT-GLOBAL-REGISTRY.mib
43 CERENT-HC-RMON-MIB.mib
44 CERENT-IF-EXT-MIB.mib
45 CERENT-MSDWDM-MIB.mib
46 CERENT-OPTICAL-MONITOR-MIB.mib
47 CERENT-TC.mib
48 CISCO-CDP-MIB.my
49 CISCO-CLASS-BASED-QOS-MIB.my
50 CISCO-CONFIG-COPY-MIB.my
51 CISCO-CONFIG-MAN-MIB.my
52 CISCO-ENTITY-ASSET-MIB.my
53 CISCO-ENTITY-EXT-MIB.my
54 CISCO-ENTITY-VENDORTYPE-OID-MI
55 CISCO-FRAME-RELAY-MIB.my
56 CISCO-FTP-CLIENT-MIB.my
57 CISCO-HSRP-EXT-MIB.my
58 CISCO-HSRP-MIB.my
59 CISCO-IGMP-SNOOPING-MIB.mib
60 CISCO-IMAGE-MIB.my
61 CISCO-IP-STAT-MIB.my
62 CISCO-IPMROUTE-MIB.my
63 CISCO-MEMORY-POOL-MIB.my
64 CISCO-OPTICAL-MONITOR-MIB.mib
65 CISCO-OPTICAL-PATCH-MIB.mib
66 CISCO-PING-MIB.my
67 CISCO-PORT-QOS-MIB.my
68 CISCO-PROCESS-MIB.my
69 CISCO-PRODUCTS-MIB.my
70 CISCO-RTTMON-MIB.my
71 CISCO-SMI.mib
72 CISCO-SMI.my
73 CISCO-SYSLOG-MIB.my
74 CISCO-TC.my
75 CISCO-TCP-MIB.my
76 CISCO-VLAN-IFTABLE-RELATIONSHI
77 CISCO-VOA-MIB.mib
78 CISCO-VTP-MIB.mib
79 CISCO-VTP-MIB.my
80 ENTITY-MIB.my
81 ETHERLIKE-MIB.my
82 HC-PerfHist-TC-MIB.my
83 HC-RMON-MIB.my
84 HCNUM-TC.my
85 IANA-RTPROTO-MIB.my
86 IANAifType-MIB.my
87 IEEE-802DOT17-RPR-MIB.my
88 IEEE8023-LAG-MIB.my
89 IF-MIB.my
90 IGMP-MIB.my
91 INET-ADDRESS-MIB.my
92 IPMROUTE-STD-MIB.my
93 OSPF-MIB.my
94 PIM-MIB.my
95 RMON-MIB.my
96 RMON2-MIB.my
97 SNMP-FRAMEWORK-MIB.my
98 SNMP-NOTIFICATION-MIB.my
99 SNMP-TARGET-MIB.my
100 SNMPv2-MIB.my
101 SNMPv2-SMI.my
102 SNMPv2-TC.my
103 TCP-MIB.my
104 TOKEN-RING-RMON-MIB.my
105 UDP-MIB.my
106 BRIDGE-MIB-rfc1493.mib
107 DS1-MIB-rfc2495.mib
108 DS3-MIB-rfc2496.mib
109 ENTITY-MIB-rfc2737.mib
110 EtherLike-MIB-rfc2665.mib
111 HC-RMON-rfc3273.mib
112 HCNUM-TC.mib
113 IANAifType-MIB.mib
114 IF-MIB-rfc2233.mib
115 INET-ADDRESS-MIB.mib
116 P-BRIDGE-MIB-rfc2674.mib
117 PerfHist-TC-MIB-rfc2493.mib
118 Q-BRIDGE-MIB-rfc2674.mib
119 RFC1213-MIB-rfc1213.mib
Note If you cannot compile the proprietary MIBs correctly, log into the Technical Support Website at
http://www.cisco.com/techsupport or call Cisco TAC (800) 553-2447.
Note When SNMP indicates that a muxponder (MXP) or transponder (TXP) wavelength is unknown, it means
that the corresponding card (MXP_2.5G_10E, TXP_MR_10E, MXP_2.5G_10G, TXP_MR_10G,
TXP_MR_2.5G, or TXPP_MR_2.5G) works with the first tunable wavelength. For more information
about MXP and TXP cards, refer to the Cisco ONS 15454 DWDM Reference Manual.
16.6.3 Generic Threshold and Performance Monitoring MIBs
A MIB called CERENT-GENERIC-PM-MIB allows network management stations (NMS) to use a
single, generic MIB for accessing threshold and performance monitoring data of different interface
types. The MIB is generic in the sense that it is not tied to any particular kind of interface. The MIB
objects can be used to obtain threshold values, current performance monitoring (PM) counts, and historic
PM statistics for each kind of monitor and any supported interval at the near end and far end.
Previously existing MIBs in the ONS 15454 system provide some of these counts. For example, SONET
interface 15-minute current PM counts and historic PM statistics are available using the SONET-MIB.
DS-1 and DS-3 counts and statistics are available through the DS1-MIB and DS-3 MIB respectively. The
generic MIB provides these types of information and also fetches threshold values and single-day
statistics. In addition, the MIB supports optics and dense wavelength division multiplexing (DWDM)
threshold and performance monitoring information.
Table 16-3 ONS 15454 Proprietary MIBs (continued)
MIB Number  Module Name
120 RFC1253-MIB-rfc1253.mib
121 RIPv2-MIB-rfc1724.mib
122 RMON-MIB-rfc2819.mib
123 RMON2-MIB-rfc2021.mib
124 RMONTOK-rfc1513.mib
125 SNMP-FRAMEWORK-MIB-rfc2571.mib
126 SNMP-MPD-MIB.mib
127 SNMP-NOTIFY-MIB-rfc3413.mib
128 SNMP-PROXY-MIB-rfc3413.mib
129 SNMP-TARGET-MIB-rfc3413.mib
130 SNMP-USER-BASED-SM-MIB-rfc3414.mib
131 SNMP-VIEW-BASED-ACM-MIB-rfc3415.mib
132 SNMPv2-MIB-rfc1907.mib
133 SONET-MIB-rfc2558.mib
The CERENT-GENERIC-PM-MIB is organized into three different tables:
• cerentGenericPmThresholdTable
• cerentGenericPmStatsCurrentTable
• cerentGenericPmStatsIntervalTable
The cerentGenericPmThresholdTable is used to obtain the threshold values for the monitor types. It is indexed based on the following items:
• Interface index (cerentGenericPmThresholdIndex)
• Monitor type (cerentGenericPmThresholdMonType). The syntax of cerentGenericPmThresholdMonType is type cerentMonitorType, defined in CERENT-TC.mib.
• Location (cerentGenericPmThresholdLocation). The syntax of cerentGenericPmThresholdLocation is type cerentLocation, defined in CERENT-TC.mib.
• Time period (cerentGenericPmThresholdPeriod). The syntax of cerentGenericPmThresholdPeriod is type cerentPeriod, defined in CERENT-TC.mib.
Threshold values can be provided in 64-bit and 32-bit formats. (For more information about 64-bit
counters, see the “16.11.2 HC-RMON-MIB Support” section on page 16-24.) The 64-bit values in
cerentGenericPmThresholdHCValue can be used with agents that support SNMPv2. The two 32-bit
values (cerentGenericPmThresholdValue and cerentGenericPmThresholdOverFlowValue) can be used
by NMSs that only support SNMPv1. The objects compiled in the cerentGenericPmThresholdTable are
shown in Table 16-4.
The second table within the MIB, cerentGenericPmStatsCurrentTable, compiles the current performance
monitoring (PM) values for the monitor types. The table is indexed based on interface index
(cerentGenericPmStatsCurrentIndex), monitor type (cerentGenericPmStatsCurrentMonType), location
(cerentGenericPmStatsCurrentLocation) and time period (cerentGenericPmStatsCurrentPeriod). The
syntax of cerentGenericPmStatsCurrentIndex is type cerentLocation, defined in CERENT-TC.mib. The
syntax of cerentGenericPmStatsCurrentMonType is type cerentMonitor, defined in CERENT-TC.mib.
The syntax of cerentGenericPmStatsCurrentPeriod is type cerentPeriod, defined in CERENT-TC.mib.
The cerentGenericPmStatsCurrentTable validates the current PM value using the
cerentGenericPmStatsCurrentValid object and registers the number of valid intervals with historical PM
statistics in the cerentGenericPmStatsCurrentValidIntervals object.
PM values are provided in 64-bit and 32-bit formats. The 64-bit values in cerentGenericPmStatsCurrentHCValue can be used with agents that support SNMPv2. The two 32-bit values (cerentGenericPmStatsCurrentValue and cerentGenericPmStatsCurrentOverFlowValue) can be used by NMSs that only support SNMPv1. The cerentGenericPmStatsCurrentTable is shown in Table 16-5.
Table 16-4 cerentGenericPmThresholdTable
Index Objects  Information Objects
cerentGenericPmThresholdIndex  cerentGenericPmThresholdValue
cerentGenericPmThresholdMonType  cerentGenericPmThresholdOverFlowValue
cerentGenericPmThresholdLocation  cerentGenericPmThresholdHCValue
cerentGenericPmThresholdPeriod  —
The third table in the MIB, cerentGenericPmStatsIntervalTable, obtains historic PM values for the monitor types. It validates the current PM value in the cerentGenericPmStatsIntervalValid object. This table is indexed based on interface index (cerentGenericPmStatsIntervalIndex), monitor type (cerentGenericPmStatsIntervalMonType), location (cerentGenericPmStatsIntervalLocation), and period (cerentGenericPmStatsIntervalPeriod). The syntax of cerentGenericPmStatsIntervalIndex is type cerentLocation, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsIntervalMonType is type cerentMonitor, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsIntervalPeriod is type cerentPeriod, defined in CERENT-TC.mib.
The table provides historic PM values in 64-bit and 32-bit formats. The 64-bit values contained in the cerentGenericPmStatsIntervalHCValue object can be used with SNMPv2 agents. The two 32-bit values (cerentGenericPmStatsIntervalValue and cerentGenericPmStatsIntervalOverFlowValue) can be used by SNMPv1 NMSs. The cerentGenericPmStatsIntervalTable is shown in Table 16-6.
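An added example, not from the manual or the CERENT-GENERIC-PM-MIB itself, showing how an SNMPv1 manager reconstructs a 64-bit HC value from the two 32-bit objects of the threshold, current and interval tables, and how to take counter deltas between polls without being misled by a wrap. The assumption that the *Value object holds the low 32 bits and the *OverFlowValue object the high 32 bits is mine; confirm it against the MIB definition before relying on it.

```python
"""64-bit HC values from 32-bit word pairs, and wrap-safe deltas (added example)."""

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def combine_hc(value32, overflow32):
    """Rebuild the *HCValue an SNMPv1 manager cannot fetch directly.
    Assumption (not stated on the page): *Value is the low word and
    *OverFlowValue the high word of the 64-bit counter."""
    for word in (value32, overflow32):
        if not 0 <= word <= MASK32:
            raise ValueError("32-bit word out of range")
    return (overflow32 << 32) | value32


def split_hc(value64):
    """Inverse of combine_hc: (low word, high word)."""
    if not 0 <= value64 <= MASK64:
        raise ValueError("64-bit value out of range")
    return value64 & MASK32, value64 >> 32


def counter_delta(previous, current, width=64):
    """Increase between two Counter32/Counter64 samples, assuming at most one
    wrap between polls. A 32-bit counter is read with width=32."""
    if width not in (32, 64):
        raise ValueError("width must be 32 or 64")
    mask = (1 << width) - 1
    return (current - previous) & mask


def seconds_to_wrap(increments_per_second, width=32):
    """Longest polling interval that still catches every wrap of a counter
    growing at the given rate, e.g. an octet counter on a 1 Gbps link."""
    if increments_per_second <= 0:
        raise ValueError("rate must be positive")
    return (1 << width) / increments_per_second


def hc_from_row(row):
    """Take a cerentGenericPmStatsCurrentTable row read by a manager (a dict
    keyed by object name, constructed here) and return the 64-bit value,
    preferring the HC object when the agent supplied it."""
    if "cerentGenericPmStatsCurrentHCValue" in row:
        return row["cerentGenericPmStatsCurrentHCValue"]
    return combine_hc(row["cerentGenericPmStatsCurrentValue"],
                      row["cerentGenericPmStatsCurrentOverFlowValue"])


if __name__ == "__main__":
    row = {"cerentGenericPmStatsCurrentValue": 0x0000_0010,
           "cerentGenericPmStatsCurrentOverFlowValue": 0x0000_0001}
    print(hc_from_row(row))
    print("1 Gbps octet counter wraps every %.1f s" % seconds_to_wrap(125_000_000))
```

The two 32-bit words should be fetched in the same get-request so that both come from one snapshot of the counter; read separately, the low word can wrap between the two reads and the combined value is off by 2^32.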
16.7 SNMP Trap Content
The ONS 15454 uses SNMP traps to generate all alarms and events, such as raises and clears. The traps
contain the following information:
• Object IDs that uniquely identify each event with information about the generating entity (the slot
or port; synchronous transport signal [STS] and Virtual Tributary [VT]; bidirectional line switched
ring [BLSR], Spanning Tree Protocol [STP], etc.).
• Severity and service effect of the alarm (critical, major, minor, or event; service-affecting or
non-service-affecting).
• Date and time stamp showing when the alarm occurred.
Table 16-5 32-Bit cerentGenericPmStatsCurrentTable
Index Objects  Informational Objects
cerentGenericPmStatsCurrentIndex  cerentGenericPmStatsCurrentValue
cerentGenericPmStatsCurrentMonType  cerentGenericPmStatsCurrentOverFlowValue
cerentGenericPmStatsCurrentLocation  cerentGenericPmStatsCurrentHCValue
cerentGenericPmStatsCurrentPeriod  cerentGenericPmStatsCurrentValidData
—  cerentGenericPmStatsCurrentValidIntervals
Table 16-6 32-Bit cerentGenericPmStatsIntervalTable
Index Objects  Informational Objects
cerentGenericPmStatsIntervalIndex  cerentGenericPmStatsIntervalValue
cerentGenericPmStatsIntervalMonType  cerentGenericPmStatsIntervalOverFlowValue
cerentGenericPmStatsIntervalLocation  cerentGenericPmStatsIntervalHCValue
cerentGenericPmStatsIntervalPeriod  cerentGenericPmStatsIntervalValidData
cerentGenericPmStatsIntervalNumber  —
16.7.1 Generic and IETF Traps
The ONS 15454 supports the generic IETF traps listed in Table 16-7.
16.7.2 Variable Trap Bindings
Each SNMP trap contains variable bindings that are used to create the MIB tables. ONS 15454 traps and
variable bindings are listed in Table 16-8. For each group (such as Group A), all traps within the group
are associated with all of its variable bindings.
Table 16-7 Supported Generic IETF Traps
Trap  From RFC No./MIB  Description
coldStart  RFC1907-MIB  Agent up, cold start.
warmStart  RFC1907-MIB  Agent up, warm start.
authenticationFailure  RFC1907-MIB  Community string does not match.
newRoot  RFC1493/BRIDGE-MIB  Sending agent is the new root of the spanning tree.
topologyChange  RFC1493/BRIDGE-MIB  A port in a bridge has changed from Learning to Forwarding or Forwarding to Blocking.
entConfigChange  RFC2737/ENTITY-MIB  The entLastChangeTime value has changed.
dsx1LineStatusChange  RFC2495/DS1-MIB  The value of an instance of dsx1LineStatus has changed. The trap can be used by an NMS to trigger polls. When the line status change results from a higher-level line status change (for example, a DS-3), no traps for the DS-1 are sent.
dsx3LineStatusChange  RFC2496/DS3-MIB  The value of an instance of dsx3LineStatus has changed. This trap can be used by an NMS to trigger polls. When the line status change results in a lower-level line status change (for example, a DS-1), no traps for the lower-level are sent.
risingAlarm  RFC2819/RMON-MIB  The SNMP trap that is generated when an alarm entry crosses the rising threshold and the entry generates an event that is configured for sending SNMP traps.
fallingAlarm  RFC2819/RMON-MIB  The SNMP trap that is generated when an alarm entry crosses the falling threshold and the entry generates an event that is configured for sending SNMP traps.
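The rising and falling threshold rules behind risingAlarm and fallingAlarm (and the alarmRisingThreshold and alarmFallingThreshold bindings described in Table 16-8) can be traced with this added Python example, which is not code from the manual or the ONS 15454 agent. It implements one alarmTable row with absoluteValue and deltaValue sampling and the RFC 2819 hysteresis rule that suppresses a second rising event until a falling event has occurred; the sample series is constructed.

```python
"""RMON alarmTable evaluation: risingAlarm / fallingAlarm events (added example)."""

ABSOLUTE_VALUE, DELTA_VALUE = "absoluteValue", "deltaValue"   # alarmSampleType


class RmonAlarm:
    """One alarmTable row (RFC 2819): thresholds, sample type and startup rule."""

    def __init__(self, rising_threshold, falling_threshold,
                 sample_type=ABSOLUTE_VALUE, startup_alarm="risingOrFalling"):
        if falling_threshold > rising_threshold:
            raise ValueError("alarmFallingThreshold must not exceed alarmRisingThreshold")
        if startup_alarm not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("unknown alarmStartupAlarm")
        self.rising = rising_threshold
        self.falling = falling_threshold
        self.sample_type = sample_type
        self.startup_alarm = startup_alarm
        self.last_raw = None      # previous raw statistic, needed for deltaValue
        self.last_value = None    # previous alarmValue
        self.last_event = None    # "rising" or "falling": gates the next event

    def sample(self, raw):
        """Feed one sample of the monitored variable; return "rising",
        "falling" or None for this sampling period."""
        if self.sample_type == DELTA_VALUE:
            if self.last_raw is None:             # no delta can be formed yet
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        prev, self.last_value = self.last_value, value

        if prev is None:
            # First comparable sample: alarmStartupAlarm decides.
            if value >= self.rising and self.startup_alarm in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup_alarm in ("falling", "risingOrFalling"):
                event = "falling"
            else:
                event = None
        elif (value >= self.rising and prev < self.rising
              and self.last_event != "rising"):
            # Crossed the rising threshold from below, and no rising event is
            # still waiting for a falling event (RFC 2819 hysteresis).
            event = "rising"
        elif (value <= self.falling and prev > self.falling
              and self.last_event != "falling"):
            event = "falling"
        else:
            event = None

        if event is not None:
            self.last_event = event
        return event


def evaluate(samples, **alarm_kwargs):
    """Run a constructed sample series through one alarm row and return the
    (sample index, event) pairs an agent would turn into risingAlarm or
    fallingAlarm traps."""
    alarm = RmonAlarm(**alarm_kwargs)
    events = []
    for i, s in enumerate(samples):
        ev = alarm.sample(s)
        if ev is not None:
            events.append((i, ev))
    return events


if __name__ == "__main__":
    # Constructed samples, e.g. errored seconds per interval on one port.
    print(evaluate([60, 120, 90, 130, 40, 30, 110],
                   rising_threshold=100, falling_threshold=50))
```

In the sample series the value dips to 90 and climbs back over 100 without ever reaching the falling threshold, so no second risingAlarm is produced; a value that oscillates around a single threshold would otherwise flood the NMS with traps, which is the reason the two thresholds are kept apart.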
Table 16-8 Supported ONS 15454 SNMPv2 Trap Variable Bindings
Group  Trap Name(s) Associated with Variable Binding Number  SNMPv2 Variable Bindings  Description
Group A: dsx1LineStatusChange (from RFC 2495)
(1) dsx1LineStatus  This variable indicates the line status of the interface. It contains loopback, failure, received alarm and transmitted alarm information.
(2) dsx1LineStatusLastChange  The value of MIB II's sysUpTime object at the time this DS1 entered its current line status state. If the current state was entered prior to the last proxy-agent reinitialization, the value of this object is zero.
(3) cerent454NodeTime  The time that an event occurred.
(4) cerent454AlarmState  The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(5) snmpTrapAddress  The address of the SNMP trap.
Group B: dsx3LineStatusChange (from RFC 2496)
(1) dsx3LineStatus  This variable indicates the line status of the interface. It contains loopback state information and failure state information.
(2) dsx3LineStatusLastChange  The value of MIB II's sysUpTime object at the time this DS3/E3 entered its current line status state. If the current state was entered prior to the last reinitialization of the proxy-agent, then the value is zero.
(3) cerent454NodeTime  The time that an event occurred.
(4) cerent454AlarmState  The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(5) snmpTrapAddress  The address of the SNMP trap.
Group C: coldStart (from RFC 1907), warmStart (from RFC 1907), newRoot (from RFC), topologyChange (from RFC), entConfigChange (from RFC 2737), authenticationFailure (from RFC 1907)
(1) cerent454NodeTime  The time that the event occurred.
(2) cerent454AlarmState  The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) snmpTrapAddress  The address of the SNMP trap.
Group D1: risingAlarm (from RFC 2819)
(1) alarmIndex  This variable uniquely identifies each entry in the alarm table. When an alarm in the table clears, the alarm indexes change for each alarm listed.
(2) alarmVariable  The object identifier of the variable being sampled.
(3) alarmSampleType  The method of sampling the selected variable and calculating the value to be compared against the thresholds.
(4) alarmValue  The value of the statistic during the last sampling period.
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Chapter 16 SNMP
16.7.2 Variable Trap Bindings
D1
(cont.)
(5) alarmRisingThreshold When the current sampled value
is greater than or equal to this
threshold, and the value at the last
sampling interval was less than
this threshold, a single event is
generated. A single event is also
generated if the first sample after
this entry is greater than or equal
to this threshold.
(6) cerent454NodeTime The time that an event occurred.
(7) cerent454AlarmState The alarm severity and
service-affecting status.
Severities are Minor, Major, and
Critical. Service-affecting
statuses are Service-Affecting
and Non-Service Affecting.
(8) snmpTrapAddress The address of the SNMP trap.
D2 fallingAlarm (from RFC 2819)
(1) alarmIndex: This variable uniquely identifies each entry in the alarm table. When an alarm in the table clears, the alarm indexes change for each alarm listed.
(2) alarmVariable: The object identifier of the variable being sampled.
(3) alarmSampleType: The method of sampling the selected variable and calculating the value to be compared against the thresholds.
(4) alarmValue: The value of the statistic during the last sampling period.
(5) alarmFallingThreshold: When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry is less than or equal to this threshold.
(6) cerent454NodeTime: The time that an event occurred.
(7) cerent454AlarmState: The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(8) snmpTrapAddress: The address of the SNMP trap.
E failureDetectedExternalToTheNE (from CERENT-454-mib)
(1) cerent454NodeTime: The time that an event occurred.
(2) cerent454AlarmState: The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType: The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex: Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber: The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber: The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber: The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName: The TL1-style user-visible name that uniquely identifies an object in the system.
(9) cerent454AlarmAdditionalInfo: Additional information for the alarm object. In the current version of the MIB, this object contains the provisioned description for alarms that are external to the NE. If there is no additional information, the value is zero.
(10) snmpTrapAddress: The address of the SNMP trap.
F performanceMonitorThresholdCrossingAlert (from CERENT-454-mib)
(1) cerent454NodeTime: The time that an event occurred.
(2) cerent454AlarmState: The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType: The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex: Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber: The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber: The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber: The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName: The TL1-style user-visible name that uniquely identifies an object in the system.
(9) cerent454ThresholdMonitorType: This object indicates the type of metric being monitored.
(10) cerent454ThresholdLocation: Indicates whether the event occurred at the near or far end.
(11) cerent454ThresholdPeriod: Indicates the sampling interval period.
(12) cerent454ThresholdSetValue: The value of this object is the threshold provisioned by the NMS.
(13) cerent454ThresholdCurrentValue: —
(14) cerent454ThresholdDetectType: —
(15) snmpTrapAddress: The address of the SNMP trap.
G All other traps (from CERENT-454-MIB) not listed above
(1) cerent454NodeTime: The time that an event occurred.
(2) cerent454AlarmState: The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType: The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex: Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber: The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber: The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber: The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName: The TL1-style user-visible name that uniquely identifies an object in the system.
(9) snmpTrapAddress: The address of the SNMP trap.
16.8 SNMPv1/v2 Community Names
Community names are used to group SNMPv1/v2 trap destinations. All ONS 15454 trap destinations can
be provisioned as part of SNMP communities in CTC. When community names are assigned to traps,
the ONS 15454 treats a request as valid if its community name matches one that is provisioned in
CTC. In this case, all agent-managed MIB variables are accessible to that request. If the community
name does not match the provisioned list, SNMP drops the request.
16.9 SNMPv1/v2 Proxy Over Firewalls
SNMP and NMS applications have traditionally been unable to cross firewalls used for isolating security
risks inside or from outside networks. CTC enables network operations centers (NOCs) to access
performance monitoring data such as RMON statistics or autonomous messages across firewalls by
using an SNMP proxy element installed on a firewall.
The application-level proxy transports SNMP protocol data units (PDUs) between the NMS and NEs,
allowing requests and responses between the NMS and NEs and forwarding NE autonomous messages
to the NMS. The proxy agent requires little provisioning at the NOC and no additional provisioning at
the NEs.
The firewall proxy is intended for use in a gateway network element-end network element (GNE-ENE)
topology with many NEs behind a single NE gateway. Up to 64 SNMP requests (such as get, getnext,
or getbulk) are supported at any time behind single or multiple firewalls. The proxy interoperates with
common NMS such as HP OpenView.
For security reasons, the SNMP proxy feature must be enabled at all receiving and transmitting NEs to
function. For instructions to do this, refer to the Cisco ONS 15454 Procedure Guide.
16.10 SNMPv3 Proxy Configuration
The GNE can act as a proxy for the ENEs and forward SNMP requests to other SNMP entities (ENEs)
irrespective of the types of objects that are accessed. For this, you need to configure two sets of users,
one between the GNE and NMS, and the other between the GNE and ENE. In addition to forwarding
requests from the NMS to the ENE, the GNE also forwards responses and traps from the ENE to the
NMS.
The proxy forwarder application is defined in RFC 3413. Each entry in the Proxy Forwarder Table
consists of the following parameters:
• Proxy Type—Defines the type of message that may be forwarded based on the translation
parameters defined by this entry. If the Proxy Type is read or write, the proxy entry is used for
forwarding SNMP requests and their responses between the NMS and the ENE. If the Proxy Type is
trap, the entry is used for forwarding SNMP traps from the ENE to the NMS.
• Context Engine ID/Context Name—Specifies the ENE to which the incoming requests should be
forwarded or the ENE whose traps should be forwarded to the NMS by the GNE.
• TargetParamsIn—Points to the Target Params Table that specifies the GNE user who proxies on
behalf of an ENE user. When the proxy type is read or write, TargetParamsIn specifies the GNE user
who receives requests from an NMS, and forwards requests to the ENE. When the proxy type is trap,
TargetParamsIn specifies the GNE user who receives notifications from the ENE and forwards them
to the NMS. TargetParamsIn and the contextEngineID or contextName columns are used to
determine the row in the Proxy Forwarder Table that is used for forwarding the received
message.
• Single Target Out—Refers to the Target Address Table. After you select a row in the Proxy
Forwarder Table for forwarding, this object is used to get the target address and the target parameters
that are used for forwarding the request. This object is used for requests with proxy type read or
write, which require only one target.
• Multiple Target Out (Tag)—Refers to a group of entries in the Target Address Table. Notifications
are forwarded using this tag. The Multiple Target Out tag is only relevant when the proxy type is trap
and is used to send notifications to one or more NMSs.
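The row-selection logic the five parameters above describe, written out as an added example (not Cisco's or CTC's code): the incoming message's type, context and TargetParamsIn pick a Proxy Forwarder row, and the row's proxy type decides whether one address (Single Target Out) or every tagged NMS (Multiple Target Out) receives the forwarded message. The GNE, ENE engine IDs, user names and addresses are constructed sample data; a message that matches no row is simply not forwarded.

```python
"""Proxy Forwarder Table lookup in the style of RFC 3413 (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProxyEntry:
    """One row of the Proxy Forwarder Table on the assumed GNE."""
    proxy_type: str            # "read", "write" or "trap"
    context_engine_id: str     # ENE the row applies to
    context_name: str
    target_params_in: str      # GNE user that receives the message
    single_target_out: str     # Target Address Table row (read/write)
    multiple_target_out: str   # tag selecting NMS rows (trap)


@dataclass(frozen=True)
class TargetAddress:
    """One row of the Target Address Table: where a forwarded message goes."""
    name: str
    address: str
    tag_list: frozenset = field(default_factory=frozenset)


# Constructed sample tables: a GNE proxying for two ENEs and three NMSs.
PROXY_TABLE = [
    ProxyEntry("read",  "ene1-engine", "", "gne-nms-user", "ene1-addr", ""),
    ProxyEntry("write", "ene1-engine", "", "gne-nms-user", "ene1-addr", ""),
    ProxyEntry("read",  "ene2-engine", "", "gne-nms-user", "ene2-addr", ""),
    ProxyEntry("trap",  "ene1-engine", "", "gne-ene-user", "", "nms-tag"),
]
TARGET_ADDRESSES = [
    TargetAddress("ene1-addr", "192.0.2.11:161"),
    TargetAddress("ene2-addr", "192.0.2.12:161"),
    TargetAddress("nms-a", "198.51.100.5:162", frozenset({"nms-tag"})),
    TargetAddress("nms-b", "198.51.100.6:162", frozenset({"nms-tag"})),
    TargetAddress("nms-c", "198.51.100.7:162", frozenset({"other"})),
]


def select_entry(proxy_type, context_engine_id, context_name, target_params_in):
    """Return the forwarder row matching an incoming message, or None.

    TargetParamsIn together with the context columns identifies the row;
    the row's proxy type must also permit this kind of message.
    """
    for entry in PROXY_TABLE:
        if (entry.proxy_type == proxy_type
                and entry.context_engine_id == context_engine_id
                and entry.context_name == context_name
                and entry.target_params_in == target_params_in):
            return entry
    return None


def forwarding_targets(proxy_type, context_engine_id, context_name, target_params_in):
    """Addresses the GNE forwards the message to.

    read/write: the single row named by Single Target Out.
    trap: every Target Address row whose tag list contains Multiple Target Out.
    No matching forwarder row means an empty list, i.e. the message is dropped.
    """
    entry = select_entry(proxy_type, context_engine_id, context_name, target_params_in)
    if entry is None:
        return []
    if entry.proxy_type in ("read", "write"):
        return [t.address for t in TARGET_ADDRESSES
                if t.name == entry.single_target_out][:1]
    return [t.address for t in TARGET_ADDRESSES
            if entry.multiple_target_out in t.tag_list]
```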
16.11 Remote Monitoring
The ONS 15454 incorporates RMON to allow network operators to monitor Ethernet card performance
and events. The RMON thresholds are user-provisionable in CTC. Refer to the Cisco ONS 15454
Procedure Guide for instructions.
Note Typical RMON operations, other than threshold provisioning, are invisible to the CTC user.
ONS 15454 system RMON is based on the IETF-standard MIB RFC 2819 and includes the following
five groups from the standard MIB: Ethernet Statistics, History Control, Ethernet History, Alarm, and
Event.
Certain statistics measured on the ML-Series Ethernet cards are mapped to a standard MIB if one exists.
Otherwise, they are mapped to a nonstandard MIB variable. The naming convention used by the
standard/nonstandard MIB is not the same as the statistics variable used by the card. Because of this,
statistics of this type that are obtained through get-requests, get-next-requests, and SNMP traps do not
match the name used on the card or as seen by CTC/TL1.
• For example, the STATS_MediaIndStatsRxFramesTooLong statistic is mapped to the
cMediaIndependentInFramesTooLong variable in the CERENT MIB, whereas STATS_RxTotalPkts is
mapped to mediaIndependentInPkts in HC-RMON-rfc3273.mib.
16.11.1 64-Bit RMON Monitoring over DCC
The ONS 15454 DCC is implemented over the IP protocol, which is not compatible with Ethernet. The
system builds Ethernet equipment History and Statistics tables using high-level data link control (HDLC)
statistics that are gathered over the data communications channel (DCC) that is running point-to-point
protocol (PPP). RMON DCC monitors the health of remote DCC connections for IP and Ethernet.
RMON DCC contains two MIBs for DCC interfaces. They are:
• cMediaIndependentTable—Standard, RFC 3273; the proprietary extension of the HC-RMON MIB
used for reporting statistics
• cMediaIndependentHistoryTable—Proprietary MIB used to support history
16.11.1.1 Row Creation in MediaIndependentTable
The SetRequest PDU contains all needed values to activate a row of the mediaIndependentTable in a
single operation as well as assign the status variable to createRequest (2). To create the row, the
SetRequest PDU for entry creation must carry an instance value of zero for each of the object IDs. That
is, all object IDs (OIDs) should be of the type OID.0.
In order to create a row, the SetRequest PDU should contain the following:
• mediaIndependentDataSource and its desired value
• mediaIndependentOwner and its desired value (up to 32 characters)
• mediaIndependentStatus with a value of createRequest (2)
The mediaIndependentTable creates a row if the SetRequest PDU is valid according to these rules. The
SNMP agent decides the value of mediaIndependentIndex when the row is created, and the value can
change if an Ethernet interface is added or deleted. The values are not sequentially allotted or
contiguously numbered. The newly created row will have a mediaIndependentStatus value of valid (1).
If the row already exists, or if the SetRequest PDU values are insufficient or do not make sense, the
SNMP agent returns an error code.
Note mediaIndependentTable entries are not preserved if the SNMP agent is restarted.
The mediaIndependentTable deletes a row if the SetRequest PDU contains a mediaIndependentStatus
with a value of invalid (4). The varbind’s OID instance value identifies the row for deletion. You can
recreate a deleted row in the table if desired.
16.11.1.2 Row Creation in cMediaIndependentHistoryControlTable
SNMP row creation and deletion for the cMediaIndependentHistoryControlTable follows the same
processes as for the MediaIndependentTable; only the variables differ. In order to create a row, the
SetRequest PDU should contain the following:
• cMediaIndependentHistoryControlDataSource and its desired value
• cMediaIndependentHistoryControlOwner and its desired value
• cMediaIndependentHistoryControlStatus with a value of createRequest (2)
16.11.2 HC-RMON-MIB Support
For the ONS 15454, the implementation of the high-capacity remote monitoring management information
base (HC-RMON-MIB, or RFC 3273) enables 64-bit support of existing RMON tables. This support is
provided with the etherStatsHighCapacityTable and the etherHistoryHighCapacityTable. An additional
table, the mediaIndependentTable, and an additional object, hcRMONCapabilities, are also added for
this support. All of these elements are accessible to any third-party SNMP client that is able to upload
RFC 3273 SNMP MIB variables from the etherStatsHighCapacityTable,
etherHistoryHighCapacityTable, or mediaIndependentTable.
16.11.3 Ethernet Statistics RMON Group
The Ethernet Statistics group contains the basic statistics monitored for each subnetwork in a single table
called the etherStatsTable.
16.11.3.1 Row Creation in etherStatsTable
The SetRequest PDU for creating a row in this table contains all needed values to activate a table row in
a single operation as well as assign the status variable to createRequest. The SetRequest PDU object ID
(OID) entries must have an instance value of 0; that is, they must be of the type OID.0.
In order to create a row, the SetRequest PDU should contain the following:
• The etherStatsDataSource and its desired value
• The etherStatsOwner and its desired value (up to 32 characters)
• The etherStatsStatus with a value of createRequest (2)
The etherStatsTable creates a row if the SetRequest PDU is valid according to these rules. The SNMP
agent decides the value of etherStatsIndex when the row is created and this value changes when an
Ethernet interface is added or deleted; it is not sequentially allotted or contiguously numbered. A newly
created row will have an etherStatsStatus value of valid (1). If the etherStatsTable row already exists, or
if the SetRequest PDU values are insufficient or do not make sense, the SNMP agent returns an error
code.
Note EtherStatsTable entries are not preserved if the SNMP agent is restarted.
16.11.3.2 Get Requests and GetNext Requests
Get requests and getNext requests for the etherStatsMulticastPkts and etherStatsBroadcastPkts columns
return a value of zero because the variables are not supported by ONS 15454 Ethernet cards.
16.11.3.3 Row Deletion in etherStatsTable
To delete a row in the etherStatsTable, the SetRequest PDU should contain an etherStatsStatus “invalid”
value (4). The OID marks the row for deletion. If required, a deleted row can be recreated.
16.11.3.4 64-Bit etherStatsHighCapacityTable
The Ethernet statistics group contains 64-bit statistics in the etherStatsHighCapacityTable, which
provides 64-bit RMON support for the HC-RMON-MIB. The etherStatsHighCapacityTable is an
extension of the etherStatsTable that adds 16 new columns for performance monitoring data in 64-bit
format. There is a one-to-one relationship between the etherStatsTable and etherStatsHighCapacityTable
when rows are created or deleted in either table.
16.11.4 History Control RMON Group
The History Control group defines sampling functions for one or more monitor interfaces in the
historyControlTable. The values in this table, as specified in RFC 2819, are derived from the
historyControlTable and etherHistoryTable.
16.11.4.1 History Control Table
The RMON is sampled at one of four possible intervals. Each interval, or period, contains specific
history values called buckets. Table 16-9 lists the four sampling periods and corresponding buckets.
The historyControlTable maximum row size is determined by multiplying the number of ports on a card
by the number of sampling periods. For example, an ONS 15454 E100 card contains 24 ports, which
multiplied by four periods allows 96 rows in the table. An E1000 card contains 14 ports, which multiplied
by four periods allows 56 table rows.
16.11.4.2 Row Creation in historyControlTable
To activate a historyControlTable row, the SetRequest PDU must contain all needed values and have a
status variable value of 2 (createRequest). All OIDs in the SetRequest PDU should be type OID.0 for
entry creation.
To create a SetRequest PDU for the historyControlTable, the following values are required:
• The historyControlDataSource and its desired value
• The historyControlBucketsRequested and its desired value
• The historyControlInterval and its desired value
• The historyControlOwner and its desired value
• The historyControlStatus with a value of createRequest (2)
The historyControlBucketsRequested OID value is ignored because the number of buckets allowed for
each sampling period, based upon the historyControlInterval value, is already fixed as listed in
Table 16-9.
Table 16-9 RMON History Control Periods and History Categories
Sampling Period (historyControlValue Variable)    Total Values, or Buckets (historyControl Variable)
15 minutes                                        32
24 hours                                          7
1 minute                                          60
60 minutes                                        24
The historyControlInterval value cannot be changed from the four allowed choices. If you use another
value, the SNMP agent selects the closest smaller time period from the set buckets. For example, if the
set request specifies a 25-minute interval, this falls between the 15-minute (32 bucket) variable and the
60-minute (24 bucket) variable. The SNMP agent automatically selects the lower, closer value, which is
15 minutes, so it allows 32 buckets.
If the SetRequest PDU is valid, a historyControlTable row is created. If the row already exists, or if the
SetRequest PDU values do not make sense or are insufficient, the SNMP agent does not create the row
and returns an error code.
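An agent-side model of the historyControlTable rules stated in this section and in Table 16-9, added here as an example (not Cisco's code): OID.0 instances on creation, the five required columns, the fixed period-to-bucket table, the closest-smaller-period rule for an off-list interval (25 minutes becomes 15 minutes and 32 buckets), the ports x 4 row limit, and deletion with invalid (4). Rejecting an interval shorter than one minute, treating the same data source and period as a duplicate row, and the contiguous index counter are assumptions made for the model.

```python
"""historyControlTable row creation and deletion as described above (added example)."""

# Table 16-9: allowed sampling periods in seconds and their fixed bucket counts.
PERIOD_BUCKETS = {60: 60, 900: 32, 3600: 24, 86400: 7}
CREATE_REQUEST, VALID, INVALID = 2, 1, 4
REQUIRED = ("historyControlDataSource", "historyControlBucketsRequested",
            "historyControlInterval", "historyControlOwner", "historyControlStatus")


def effective_interval(requested):
    """Snap a requested interval (seconds) to the closest smaller allowed period.

    Returns (period, buckets). 1500 s lies between 900 s and 3600 s, so the
    agent picks 900 s and grants 32 buckets.
    """
    candidates = [p for p in PERIOD_BUCKETS if p <= requested]
    if not candidates:  # assumption: nothing smaller than 1 minute exists to fall back to
        raise ValueError("interval shorter than the smallest allowed period")
    period = max(candidates)
    return period, PERIOD_BUCKETS[period]


class HistoryControlTable:
    """Minimal model of the table for an Ethernet card with `ports` ports."""

    def __init__(self, ports):
        self.max_rows = ports * len(PERIOD_BUCKETS)  # E100: 24 ports x 4 periods = 96
        self.rows = {}                               # index -> row columns
        self._next_index = 1  # assumption: real agents do not allocate contiguously

    def set_request(self, varbinds):
        """Apply a SetRequest given as {"column.instance": value}.

        Returns the created row index, or the deleted index, and raises
        ValueError with the reason whenever the agent would return an error.
        """
        status_key = next((k for k in varbinds if k.startswith("historyControlStatus.")), None)
        if status_key is None:
            raise ValueError("historyControlStatus missing")
        instance = int(status_key.rsplit(".", 1)[1])
        status = varbinds[status_key]
        if status == INVALID:                        # row deletion by OID instance
            if instance not in self.rows:
                raise ValueError("no such row")
            del self.rows[instance]
            return instance
        if status != CREATE_REQUEST:
            raise ValueError("only createRequest(2) and invalid(4) are accepted")
        if any(not k.endswith(".0") for k in varbinds):   # creation needs OID.0 everywhere
            raise ValueError("creation varbinds must be OID.0")
        cols = {k[:-2]: v for k, v in varbinds.items()}
        missing = [c for c in REQUIRED if c not in cols]
        if missing:
            raise ValueError("missing columns: " + ", ".join(missing))
        if len(self.rows) >= self.max_rows:
            raise ValueError("table full")
        period, buckets = effective_interval(cols["historyControlInterval"])
        if any(r["dataSource"] == cols["historyControlDataSource"] and r["interval"] == period
               for r in self.rows.values()):           # assumption: duplicate = same source + period
            raise ValueError("row already exists")
        idx = self._next_index
        self._next_index += 1
        self.rows[idx] = {"dataSource": cols["historyControlDataSource"],
                          "interval": period,
                          "bucketsGranted": buckets,  # the requested count is ignored
                          "owner": cols["historyControlOwner"],
                          "status": VALID}
        return idx


def try_set(table, varbinds):
    """Wrap set_request as (ok, index_or_reason) so a caller can log refusals."""
    try:
        return True, table.set_request(varbinds)
    except ValueError as exc:
        return False, str(exc)
```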
16.11.4.3 Get Requests and GetNext Requests
These PDUs are not restricted.
16.11.4.4 Row Deletion in historyControlTable
To delete a row from the table, the SetRequest PDU should contain a historyControlStatus value of 4
(invalid). A deleted row can be recreated.
16.11.5 Ethernet History RMON Group
The ONS 15454 implements the etherHistoryTable as defined in RFC 2819. The group is created within
the bounds of the historyControlTable and does not deviate from the RFC in its design.
16.11.5.1 64-Bit etherHistoryHighCapacityTable
64-bit Ethernet history for the HC-RMON-MIB is implemented in the etherHistoryHighCapacityTable,
which is an extension of the etherHistoryTable. The etherHistoryHighCapacityTable adds four columns
for 64-bit performance monitoring data. These two tables have a one-to-one relationship. Adding or
deleting a row in one table will effect the same change in the other.
16.11.6 Alarm RMON Group
The Alarm group consists of the alarmTable, which periodically compares sampled values with
configured thresholds and raises an event if a threshold is crossed. This group requires the
implementation of the event group, which follows this section.
16.11.6.1 Alarm Table
The NMS uses the alarmTable to determine and provision network performance alarmable thresholds.
16.11.6.2 Row Creation in alarmTable
To create a row in the alarmTable, all OIDs in the SetRequest PDU should be type OID.0. The table has
a maximum number of 256 rows.
To create a SetRequest PDU for the alarmTable, the following values are required:
• The alarmInterval and its desired value
• The alarmVariable and its desired value
• The alarmSampleType and its desired value
• The alarmStartupAlarm and its desired value
• The alarmOwner and its desired value
• The alarmStatus with a value of createRequest (2)
If the SetRequest PDU is valid, an alarmTable row is created. If the row already exists, or if the
SetRequest PDU values do not make sense or are insufficient, the SNMP agent does not create the row
and returns an error code.
In addition to the required values, the following restrictions must be met in the SetRequest PDU:
• The alarmOwner is a string of length 32 characters.
• The alarmRisingEventIndex always takes value 1.
• The alarmFallingEventIndex always takes value 2.
• The alarmStatus has only two values supported in SETs: createRequest (2) and invalid (4).
• The alarmVariable is of the type OID.ifIndex, where ifIndex gives the interface this alarm is created
on and OID is one of the OIDs supported in Table 16-10.
Table 16-10 OIDs Supported in the AlarmTable
No. Column Name OID Status
1 ifInOctets {1.3.6.1.2.1.2.2.1.10} —
2 ifInUcastPkts {1.3.6.1.2.1.2.2.1.11} —
3 ifInMulticastPkts {1.3.6.1.2.1.31.1.1.1.2} Unsupported in E100/E1000
4 ifInBroadcastPkts {1.3.6.1.2.1.31.1.1.1.3} Unsupported in E100/E1000
5 ifInDiscards {1.3.6.1.2.1.2.2.1.13} Unsupported in E100/E1000
6 ifInErrors {1.3.6.1.2.1.2.2.1.14} —
7 ifOutOctets {1.3.6.1.2.1.2.2.1.16} —
8 ifOutUcastPkts {1.3.6.1.2.1.2.2.1.17} —
9 ifOutMulticastPkts {1.3.6.1.2.1.31.1.1.1.4} Unsupported in E100/E1000
10 ifOutBroadcastPkts {1.3.6.1.2.1.31.1.1.1.5} Unsupported in E100/E1000
11 ifOutDiscards {1.3.6.1.2.1.2.2.1.19} Unsupported in E100/E1000
12 dot3StatsAlignmentErrors {1.3.6.1.2.1.10.7.2.1.2} —
13 dot3StatsFCSErrors {1.3.6.1.2.1.10.7.2.1.3} —
14 dot3StatsSingleCollisionFrames {1.3.6.1.2.1.10.7.2.1.4} —
15 dot3StatsMultipleCollisionFrames {1.3.6.1.2.1.10.7.2.1.5} —
16 dot3StatsDeferredTransmissions {1.3.6.1.2.1.10.7.2.1.7} —
17 dot3StatsLateCollisions {1.3.6.1.2.1.10.7.2.1.8} —
18 dot3StatsExcessiveCollisions {1.3.6.1.2.1.10.7.2.1.9} —
19 dot3StatsFrameTooLong {1.3.6.1.2.1.10.7.2.1.13} —
20 dot3StatsCarrierSenseErrors {1.3.6.1.2.1.10.7.2.1.11} Unsupported in E100/E1000
21 dot3StatsSQETestErrors {1.3.6.1.2.1.10.7.2.1.6} Unsupported in E100/E1000
22 etherStatsUndersizePkts {1.3.6.1.2.1.16.1.1.1.9} —
23 etherStatsFragments {1.3.6.1.2.1.16.1.1.1.11} —
24 etherStatsPkts64Octets {1.3.6.1.2.1.16.1.1.1.14} —
25 etherStatsPkts65to127Octets {1.3.6.1.2.1.16.1.1.1.15} —
26 etherStatsPkts128to255Octets {1.3.6.1.2.1.16.1.1.1.16} —
27 etherStatsPkts256to511Octets {1.3.6.1.2.1.16.1.1.1.17} —
28 etherStatsPkts512to1023Octets {1.3.6.1.2.1.16.1.1.1.18} —
29 etherStatsPkts1024to1518Octets {1.3.6.1.2.1.16.1.1.1.19} —
30 etherStatsBroadcastPkts {1.3.6.1.2.1.16.1.1.1.6} —
31 etherStatsMulticastPkts {1.3.6.1.2.1.16.1.1.1.7} —
32 etherStatsOversizePkts {1.3.6.1.2.1.16.1.1.1.10} —
33 etherStatsJabbers {1.3.6.1.2.1.16.1.1.1.12} —
34 etherStatsOctets {1.3.6.1.2.1.16.1.1.1.4} —
35 etherStatsCollisions {1.3.6.1.2.1.16.1.1.1.13} —
36 etherStatsCollisions {1.3.6.1.2.1.16.1.1.1.8} —
37 etherStatsDropEvents {1.3.6.1.2.1.16.1.1.1.3} Unsupported in E100/E1000 and G1000
16.11.6.3 Get Requests and GetNext Requests
These PDUs are not restricted.
16.11.6.4 Row Deletion in alarmTable
To delete a row from the table, the SetRequest PDU should contain an alarmStatus value of 4 (invalid).
A deleted row can be recreated.
Note Entries in the alarmTable are preserved if the SNMP agent is restarted.
16.11.7 Event RMON Group
The Event group controls event generation and notification. It consists of two tables: the eventTable,
which is a read-only list of events to be generated, and the logTable, which is a writable set of data
describing a logged event. The ONS 15454 implements the logTable as specified in RFC 2819.
16.11.7.1 Event Table
The eventTable is read-only and unprovisionable. The table contains one row for rising alarms and
another for falling ones. This table has the following restrictions:
• The eventType is always log-and-trap (4).
• The eventCommunity value is always a zero-length string, indicating that this event causes the trap
to be dispatched to all provisioned destinations.
• The eventOwner column value is always “monitor.”
• The eventStatus column value is always valid(1).
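The alarmTable restrictions of 16.11.6.2, the OID.ifIndex form of alarmVariable against Table 16-10, and the rising/falling threshold rule given for alarmRisingThreshold and alarmFallingThreshold in Table 16-8, brought together in one added example (not Cisco's code). The two eventTable rows are fixed, so a crossing returns eventIndex 1 (rising) or 2 (falling). Only a handful of Table 16-10 rows are reproduced, the sample readings are constructed, and requiring two readings before a delta sample counts is an assumption.

```python
"""alarmTable row checks and threshold-crossing evaluation (added example)."""

# Subset of Table 16-10: column name -> (OID, supported on E100/E1000 cards).
SUPPORTED_OIDS = {
    "ifInOctets":  ("1.3.6.1.2.1.2.2.1.10", True),
    "ifInErrors":  ("1.3.6.1.2.1.2.2.1.14", True),
    "ifInDiscards": ("1.3.6.1.2.1.2.2.1.13", False),
    "ifOutOctets": ("1.3.6.1.2.1.2.2.1.16", True),
}
RISING_EVENT_INDEX, FALLING_EVENT_INDEX = 1, 2   # the two fixed eventTable rows
ABSOLUTE, DELTA = 1, 2                           # alarmSampleType values
STARTUP_RISING, STARTUP_FALLING, STARTUP_BOTH = 1, 2, 3   # alarmStartupAlarm values


def check_alarm_row(cols, card="E1000"):
    """Return the list of restrictions a createRequest's columns violate (empty = accepted)."""
    problems = []
    if len(cols.get("alarmOwner", "")) > 32:
        problems.append("alarmOwner longer than 32 characters")
    if cols.get("alarmRisingEventIndex", RISING_EVENT_INDEX) != RISING_EVENT_INDEX:
        problems.append("alarmRisingEventIndex must be 1")
    if cols.get("alarmFallingEventIndex", FALLING_EVENT_INDEX) != FALLING_EVENT_INDEX:
        problems.append("alarmFallingEventIndex must be 2")
    if cols.get("alarmStatus") not in (2, 4):
        problems.append("alarmStatus must be createRequest(2) or invalid(4)")
    # alarmVariable is OID.ifIndex: the last arc is the interface, the rest must be a listed OID.
    oid, _, if_index = cols.get("alarmVariable", "").rpartition(".")
    name = next((n for n, (o, _) in SUPPORTED_OIDS.items() if o == oid), None)
    if not if_index.isdigit() or name is None:
        problems.append("alarmVariable is not a supported OID.ifIndex")
    elif card in ("E100", "E1000") and not SUPPORTED_OIDS[name][1]:
        problems.append(name + " is unsupported on " + card)
    return problems


class AlarmRow:
    """Threshold comparison for one alarmTable row, per the Table 16-8 wording."""

    def __init__(self, rising, falling, sample_type=ABSOLUTE, startup=STARTUP_BOTH):
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw = None     # previous raw counter reading (delta sampling)
        self.last_value = None   # alarmValue from the previous sampling period

    def sample(self, raw):
        """Feed one reading; return the eventIndex fired (1 or 2) or None.

        Rising fires when value >= alarmRisingThreshold and the previous value
        was below it, or on the first sample if alarmStartupAlarm allows rising.
        Falling is the mirror image. Nothing fires while the value stays on the
        same side of a threshold, which gives the hysteresis.
        """
        if self.sample_type == DELTA:
            if self.last_raw is None:         # assumption: a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        first = self.last_value is None
        fired = None
        if value >= self.rising and (
                (first and self.startup in (STARTUP_RISING, STARTUP_BOTH))
                or (not first and self.last_value < self.rising)):
            fired = RISING_EVENT_INDEX
        elif value <= self.falling and (
                (first and self.startup in (STARTUP_FALLING, STARTUP_BOTH))
                or (not first and self.last_value > self.falling)):
            fired = FALLING_EVENT_INDEX
        self.last_value = value
        return fired
```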
16.11.7.2 Log Table
The logTable is implemented exactly as specified in RFC 2819. The logTable is based upon data that is
locally cached in a controller card. If there is a controller card protection switch, the existing logTable
is cleared and a new one is started on the newly active controller card. The table contains as many rows
as provided by the alarm controller.
APPENDIX A
Hardware Specifications
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This appendix contains hardware and software specifications for the ONS 15454.
The following sections are included:
• A.1 Shelf Specifications, page A-1
• A.2 SFP, XFP, and GBIC Specifications, page A-5
• A.3 General Card Specifications, page A-7
• A.4 Common Control Card Specifications, page A-12
• A.5 Electrical Card Specifications, page A-17
• A.6 Optical Card Specifications, page A-28
• A.7 Ethernet Card Specifications, page A-49
• A.8 Storage Access Networking Card Specifications, page A-53
A.1 Shelf Specifications
This section provides specifications for shelf bandwidth; a list of topologies; Cisco Transport Controller
(CTC) specifications; LAN, TL1, modem, alarm, and electrical interface assembly (EIA) interface
specifications; timing, power, and environmental specifications; and shelf dimensions.
A.1.1 Bandwidth
The ONS 15454 has the following bandwidth specifications:
• Total bandwidth: 240 Gbps
• Data plane bandwidth: 160 Gbps
• SONET plane bandwidth: 80 Gbps
A.1.2 Configurations
The ONS 15454 can be configured as follows:
• Two-fiber path protection
• Path protected mesh network (PPMN)
• Two-fiber bidirectional line switch ring (BLSR)
• Four-fiber BLSR
• Add-drop multiplexer (ADM)
• Terminal mode
• Regenerator mode
• Hubbed rings
• Multihubbed rings
• Point-to-point
• Linear
• Linear with optical add/drop multiplexing (OADM)
A.1.3 Cisco Transport Controller
CTC, the ONS 15454 craft interface software, has the following specifications:
• 10BaseT
• TCC2/TCC2P access: RJ-45 connector
• Backplane access: LAN pin field
A.1.4 External LAN Interface
The ONS 15454 external LAN interface has the following specifications:
• 10BaseT Ethernet
• Backplane access: LAN pin field
A.1.5 TL1 Craft Interface
The ONS 15454 TL1 craft interface has the following specifications:
• Speed: 9600 bps
• TCC2/TCC2P access: EIA/TIA-232 DB-9 type connector
• Backplane access: CRAFT pin field
A.1.6 Modem Interface
The ONS 15454 modem interface has the following specifications:
• Hardware flow control
• TCC2/TCC2P: EIA/TIA-232 DB-9 type connector
A.1.7 Alarm Interface
The ONS 15454 alarm interface has the following specifications:
• Visual: Critical, Major, Minor, Remote
• Audible: Critical, Major, Minor, Remote
• Alarm contacts: 0.045 mm, –48 V, 50 mA
• Backplane access: Alarm pin fields
A.1.8 EIA Interface
The ONS 15454 EIA interface has the following specifications:
• SMB: AMP #415504-3 75-ohm, 4-leg connectors
• BNC: Trompeter #UCBJ224 75-ohm 4 leg connector (King and ITT are also compatible)
• AMP Champ: AMP#552246-1 with #552562-2 bail locks
A.1.9 BITS Interface
The ONS 15454 building integrated timing supply (BITS) interface has the following specifications:
• 2 DS-1 BITS inputs
• 2 derived DS-1 outputs
• Backplane access: BITS pin field
A.1.10 System Timing
The ONS 15454 has the following system timing specifications:
• Stratum 3 per Telcordia GR-253-CORE
• Free running accuracy: +/–4.6 ppm
• Holdover stability: 3.7 x 10^–7 per day, including temperature (< 255 slips in first 24 hours)
• Reference: External BITS, line, internal
A.1.11 System Power
The ONS 15454 ANSI has the following power specifications:
• Nominal Input Voltage: –48 VDC
• Power consumption: Configuration dependent; 55 W (fan tray only)
• Power requirements:
– Nominal: –48 VDC
– Input Voltage Range: –40.5 to –57.0 VDC
• Power terminals: #6 Lug
• ANSI shelf fusing: 100-A fuse panel (minimum 30-A fuse per shelf)
• HD shelf fusing: 100-A fuse panel (minimum 30-A fuse per shelf)
The ONS 15454 ETSI has the following power specifications:
• Nominal Input Voltage: –48 VDC
• Power consumption: Configuration dependent; 53 W (fan tray only)
• Power requirements:
– Nominal: –48 VDC
– Input Voltage Range: –40.5 to –57.0 VDC
• Power terminals: 3WK3 Combo-D power cable connector (MIC-A/P and MIC-C/T/P faceplates)
• Fusing: 100 A fuse panel; minimum 30 A fuse per shelf
A.1.12 Fan Tray
Table A-1 lists power requirements for the fan-tray assembly.
Table A-1 Fan Tray Assembly Power Requirements
Fan Tray Assembly | Watts | Amps | BTU/Hr
FTA2 | 53 | 1.21 | 198
FTA3-T | 129.60 | 2.7 | 442.21
15454-CC-FTA | 115 | 2.4 | 393
A.1.13 System Environmental Specifications
The ONS 15454 has the following environmental specifications:
• Operating temperature: 0 to +55 degrees Celsius; –40 to +65 degrees Celsius with industrial
temperature rated cards
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
A.1.14 Dimensions
The ONS 15454 shelf assembly has the following dimensions:
• Height: 18.25 in. (46.3 cm)
• Width: 19 or 23 in. (48.3 cm or 58.4 cm) with mounting ears attached
• Depth: 12.018 in. (30.5 cm) for standard door and 13.810 in. (35 cm) for deep door
• Weight: 55 lb (24.947 kg) empty
A.2 SFP, XFP, and GBIC Specifications
Table A-2 lists the specifications for the available Small Form-factor Pluggables (SFPs), 10-Gbps
pluggables (XFPs), and Gigabit Interface Converters (GBICs). In the table, the following acronyms are used:
• ESCON = Enterprise System Connection
• FICON = fiber connectivity
• GE = Gigabit Ethernet
• FE = Fast Ethernet
• E = Ethernet (10 Mbps)
• FC = Fibre Channel
• HDTV = high definition television
• CWDM = coarse wavelength division multiplexing
A number in parentheses after a value refers to the numbered footnotes below the table. A dash (—) means
the value is not specified.
Table A-2 SFP, XFP, and GBIC Specifications
SFP/XFP Product ID | Interface | Transmitter Output Power Min/Max (dBm) | Receiver Input Power Min/Max (dBm)
15454-SFP-LC-SX / 15454E-SFP-LC-SX | GE | –9.5 to 0 | –17 to 0 (1)
15454-SFP-LC-LX / 15454E-SFP-LC-LX | GE | –9.5 to –3 | –19 to –3 (2)
15454-SFP3-1-IR= | OC-3 | –15 to –8 | –28 to –8
15454E-SFP-L.1.1= | STM-1 | –15 to –8 | –34 to –10
15454-SFP12-4-IR= | OC-12, D1 Video | –15 to –8 | –28 to –8
15454E-SFP-L.4.1= | STM-4, D1 Video | –15 to –8 | –28 to –8
15454-SFP-OC48-IR= | OC-48, DV6000 (C-Cor) | –5 to 0 | –18 to 0
ONS-SE-2G-S1= | OC-48, STM-16 | –10 to –3 | –18 to –3
15454E-SFP-L.16.1= | STM-16, DV6000 (C-Cor) | –5 to 0 | –18 to 0
15454-SFP-200 / 15454E-SFP-200 | ESCON | –20.5 to –15 | –14 to –29 (3)
15454-SFP-GEFC-SX= / 15454E-SFP-GEFC-S= | FC (1 and 2 Gbps), FICON, GE | –9.5 to 0 | –17 to 0 (1)
15454-SFP-GE+-LX= / 15454E-SFP-GE+-LX= | FC (1 and 2 Gbps), FICON, GE, HDTV | –9.5 to –3 | –19 to –3 (2)
ONS-SE-200-MM= | ESCON | –20.5 to –15 | –14 to –29 (3)
ONS-SE-G2F-SX= | Fibre Channel (1 and 2 Gbps), GE | –9.5 to 0 | –17 to 0 (1)
ONS-SE-G2F-LX= | Fibre Channel (1 and 2 Gbps), FICON, GE, HDTV | –9.5 to –3 | –19 to –3 (2)
ONS-SC-GE-SX= | GE | –9.5 to 0 | –17 to 0 (1)
ONS-SC-GE-LX= | GE | –9.5 to –3 | –19 to –3 (2)
ONS-SI-2G-S1 | OC-48 SR | –10 to –3 | –18 to –3
ONS-SI-2G-I1 | OC-48 IR1 | –5 to 0 | –18 to 0
ONS-SI-2G-L1 | OC-48 LR1 | –2 to +3 | –27 to –9
ONS-SI-2G-L2 | OC-48 LR2 | –2 to +3 | –28 to –9
ONS-SC-2G-28.7 (4) through ONS-SC-2G-60.6 | OC-48 DWDM | 0 to +4 | –28 to –9
ONS-SI-622-I1 | OC-3/OC-12 IR1 dual rate | –15 to –8 | –28 to –8
ONS-SI-622-L1 | OC-12 LR1 | –3 to +2 | –28 to –8
ONS-SI-622-L2 | OC-12 LR2 | –3 to +2 | –28 to –8
ONS-SE-622-1470 through ONS-SE-622-1610 | OC-12/STM-4 CWDM | 0 to +5 | –28 to –3 (BER 10^–10)
ONS-SI-155-I1 | OC-3 IR1 | –15 to –8 | –28 to –8
ONS-SI-155-L1 | OC-3 LR1 | –5 to 0 | –34 to –10
ONS-SI-155-L2 | OC-3 LR2 | –5 to 0 | –34 to –10
ONS-SE-155-1470 through ONS-SE-155-1610 | OC-3 CWDM | 0 to +5 | –34 to –3 (BER 10^–10)
ONS-XC-10G-S1 | OC-192 SR1 | –6 to –1 (5) | –11 to –1 (4)
ONS-XC-10G-I2 | OC-192 IR2 | –1 to +2 | –14 to +2
ONS-XC-10G-L2 | OC-192 LR2 | 0 to +4 | –24 to –7
ONS-XC-10G-30.3= through ONS-XC-10G-61.4= | OC-192/STM-64/10GE | –1 to +3 | –27 to –7
ONS-SE-100-FX | FE | –20 to –14 | –31 to –14
ONS-SE-100-LX10 | FE | –15 to –8 | –28 to –8
15454-GBIC-SX | FC, GE | –9.5 to –3.5 | –19 to –3
15454E-GBIC-SX | GE, FC | — | —
15454-GBIC-LX/LH | GE, FC | –9 to –3 | –19 to –3
15454E-GBIC-LX/LH | GE, FC | –9 to –3 | –19 to –3
ONS-GX-2FC-MMI | FC | –10 to –2.5 | –22 (minimum)
ONS-GX-2FC-SML | FC | –9 to –3 | –23.5 (minimum)
ONS-SI-155-SR-MM= | OC-3, STM-1 | –20 to –14 | –30 to –14
ONS-SI-622-SR-MM= | OC-12, STM-4 | –20 to –14 (50 micrometer); –24 to –14 (62.5 micrometer) | –26 to –14
ONS-SC-Z3-1470= through ONS-SC-Z3-1610= | OC-48/STM-16/GE | 0 to +4 | –28 to –9 (BER 10^–10)
ONS-SE-Z1= | OC-3/STM-1, OC-12/STM-4, OC-48/STM-16, Fibre Channel (1 and 2 Gbps), GE | –5 to 0 | –18 (OC-48/STM-16); –22 (GE); –23 (OC-12/STM-4); –23 (OC-3/STM-1)
ONS-SI-2G-S1 | OC-48/STM-16 | –10 to –3 | –18 to –3
ONS-SE-155-1470 through ONS-SE-155-1610 | OC-3/STM-1 | 0 to +5 | –34 to –3 (BER 10^–10)
ONS-SI-GE-SX | GE | –9.5 to 0 | –17 to 0 (1)
ONS-SI-GE-LX | GE | –9.5 to –3 | –19 to –3 (2)
ONS-SI-GE-ZX | GE | 0 to +5 | –23 to –3
ONS-SI-100-FX | FE | — | —
ONS-SI-100-LX10 | FE | — | —
ONS-SE-ZE-EL | E, FE, or GE | — | —
ONS-SE-100-BX10U | FE | –14 to –8 | –8 to –28.2
ONS-SE-100-BX10D | FE | –14 to –8 | –8 to –28.2
ONS-XC-10G-C | 10GE | 0 to +3 | –24 to –7
1. Minimum stressed sensitivity (BER 10^–12): –12.5 dBm (62.5 micrometer) and –13.5 dBm (50 micrometer)
2. Minimum stressed sensitivity (BER 10^–12): –14.4 dBm
3. Based on any valid 8B/10B code pattern measured at, or extrapolated to, 10^–15 BER, measured at the center of the eye
4. ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from
Release 8.5 and later.
5. SONET/SDH application
A.3 General Card Specifications
This section provides power specifications and temperature ranges for all ONS 15454 cards.
A.3.1 Power
Table A-3 provides power consumption information for the ONS 15454 cards.
Table A-3 Individual Card Power Requirements
Card Type | Card Name | Watts | Amperes | BTU/Hr
Control Cards | TCC2 | 19.20 | 0.4 | 66.8
Control Cards | TCC2P | 27.00 | 0.56 | 92.2
Control Cards | XCVT | 34.40 | 0.72 | 117.46
Control Cards | XC10G | 48 | 1 | 163.68
Control Cards | XC-VXC-10G | 67 | 1.4 | 228.62
Control Cards | AIC-I | 4.8 | 0.1 | 15.3
Control Cards | AEP | 3 (from +5 VDC from AIC-I) | — | 10.2
Control Cards | FTA3 Fan Tray (–48 VDC) | 129.60 | 2.7 | 442.21
Control Cards | FTA4 Fan Tray (–48 VDC) | 115 | 2.4 | 393
Electrical Cards | EC1-12 | 36.60 | 0.76 | 124.97
Electrical Cards | DS1-14 | 12.60 | 0.26 | 43.02
Electrical Cards | DS1N-14 | 12.60 | 0.26 | 43.02
Electrical Cards | DS1/E1-56 | 36.00 | 0.76 | 124.97
Electrical Cards | DS3-12 | 38.20 | 0.79 | 130.43
Electrical Cards | DS3/EC1-48 | 30 | 0.58 | 95.6
Electrical Cards | DS3N-12 | 38.20 | 0.79 | 130.43
Electrical Cards | DS3i-N-12 | 30 | 0.63 | 102.4
Electrical Cards | DS3-12E | 26.80 | 0.56 | 91.51
Electrical Cards | DS3N-12E | 26.80 | 0.56 | 91.51
Electrical Cards | DS3XM-12 Transmux | 34 | 0.71 | 116.1
Electrical Cards | DS3XM-6 Transmux | 20 | 0.42 | 68
Optical Cards | OC3 IR 4 | 19.20 | 0.40 | 65.56
Optical Cards | OC3 IR 4/STM1 SH 1310 | 19.20 | 0.40 | 65.56
Optical Cards | OC3 IR 4/STM1 SH 1310-8 | 26.00 | 0.48 | 78.5
Optical Cards | OC12 IR 1310 | 10.90 | 0.23 | 37.22
Optical Cards | OC12 LR 1310 | 9.28 | 0.2 | 31.68
Optical Cards | OC12 LR 1550 | 9.28 | 0.2 | 31.68
Optical Cards | OC12 LR/STM4 LH 1310 | 9.00 | 0.2 | 31.68
Optical Cards | OC12 LR/STM4 LH 1550 | 9.28 | 0.2 | 31.68
Optical Cards | OC12 IR/STM4 SH 1310-4 | 35.60 | 0.74 | 121.6
Optical Cards | OC48 IR 1310 | 32.20 | 0.67 | 109.94
Optical Cards | OC48 LR 1550 | 26.80 | 0.56 | 91.50
Optical Cards | OC48 IR/STM16 SH AS 1310 | 37.20 | 0.77 | 127.01
Optical Cards | OC48 LR/STM16 LH AS 1550 | 37.20 | 0.77 | 127.01
Optical Cards | OC48 ELR/STM16 EH 100 GHz | 31.20 | 0.65 | 106.53
Optical Cards | OC48 ELR 200 GHz | 31.20 | 0.65 | 106.53
Optical Cards | OC192 SR/STM64 IO 1310 | 41.80 | 0.90 | 132.00
Optical Cards | OC192 IR/STM64 SH 1550 | 48.00 | 1.00 | 163.68
Optical Cards | OC192 LR/STM64 LH 1550 | 41.80 | 0.90 | 132.00
Optical Cards | OC192 LR/STM64 LH 15xx.xx | 62.40 | 1.30 | 214.00
Optical Cards | 15454_MRC-12 | 38 | 0.79 | 129.66
Optical Cards | MRC-2.5G-4 | 38 | 0.79 | 129.66
Optical Cards | OC192SR1/STM64IO Short Reach and OC-192/STM64 Any Reach (1) | 40 | 0.83 | 136.49
Ethernet Cards | E100T-12 | 65 | 1.35 | 221.93
Ethernet Cards | E100T-G | 65 | 1.35 | 221.93
Ethernet Cards | E1000-2 | 53.50 | 1.11 | 182.67
Ethernet Cards | E1000-2-G | 53.50 | 1.11 | 182.67
Ethernet Cards | G1K-4 | 63.00 (including GBICs (2)) | 1.31 | 215.11
Ethernet Cards | ML100T-12 | 53 | 1.10 | 181.00
Ethernet Cards | ML1000-2 | 49 (including SFPs) | 1.02 | 167.30
Ethernet Cards | ML100X-8 | 65 | 1.35 | 221.93
Ethernet Cards | ML-MR-10 | 100 | N/A | N/A
Ethernet Cards | CE-100T-8 | 53.14 | 1.10 | 181.30
Ethernet Cards | CE-1000-4 | 60 | 1.25 | 204.80
Ethernet Cards | CE-MR-10 | 95 | 1.35 | 221.93
Storage Access Networking | FC_MR-4 | 60 | 1.25 | 212.00
1. These cards are designated as OC192-XFP in CTC.
2. GBICs = Gigabit Interface Converters
A.3.2 Temperature
Table A-4 provides temperature ranges and product names for ONS 15454 cards.
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this
symbol is C-Temp compliant.
Table A-4 Card Temperature Ranges and Product Names
C-Temp cards are rated for 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius); I-Temp cards are rated
for –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius). A dash (—) means no product of that
temperature grade exists for the card.
Card Type | Card Name | C-Temp Product Name | I-Temp Product Name
Control Cards | TCC2 | — | 15454-TCC2
Control Cards | TCC2P | — | 15454-TCC2P
Control Cards | XCVT | 15454-XC-VT | 15454-XC-VT-T
Control Cards | XC10G | 15454-XC-10G | —
Control Cards | XC-VXC-10G | — | 15454-XC-VXC-10G-T
Control Cards | AIC-I | — | 15454-AIC-I
Control Cards | AEP | — | 15454-AEP
Electrical | EC1-12 | 15454-EC1-12 | 15454-EC1-12-T
Electrical | DS1-14 | 15454-DS1-14 | 15454-DS1-14-T
Electrical | DS1N-14 | 15454-DS1N-14 | 15454-DS1N-14-T
Electrical | DS1/E1-56 | — | 15454-DS1E1-56
Electrical | DS3-12 | 15454-DS3-12 | 15454-DS3-12-T
Electrical | DS3/EC1-48 | — | 15454-DS3_EC1-48
Electrical | DS3N-12 | 15454-DS3N-12 | 15454-DS3N-12-T
Electrical | DS3i-N-12 | 15454-DS3i-N-12 | —
Electrical | DS3-12E | — | 15454-DS3-12E-T
Electrical | DS3N-12E | — | 15454-DS3N-12E-T
Electrical | DS3XM-12 (Transmux) | — | 15454-DS3XM-12
Electrical | DS3XM-6 (Transmux) | 15454-DS3XM-6 | 15454-DS3XM-6-T
Optical | OC3 IR 4/STM1 SH 1310 | 15454-OC34IR1310 | 15454-OC34I13-T
Optical | OC3 IR/STM1 SH 1310-8 | 15454-OC3I8-1310 | —
Optical | OC12 IR/STM4 SH 1310 | 15454-OC121IR1310 | 15454-OC121I13-T
Optical | OC12 LR/STM4 LH 1310 | 15454-OC121LR1310 | 15454-OC121L13-T
Optical | OC12 LR/STM4 LH 1550 | 15454-OC121LR1550 | 15454-OC121L15-T
Optical | OC12 IR/STM4 SH 1310-4 | 15454-OC12I4-1310 | —
Optical | OC48 IR 1310 | 15454-OC481IR1310 | —
Optical | OC48 LR 1550 | 15454-OC481LR1550 | —
Optical | OC48 IR/STM16 SH AS 1310 | 15454-OC481IR1310A | —
Optical | OC48 LR/STM16 LH AS 1550 | 15454-OC481LR1550A | —
Optical | OC48 ELR/STM16 EH 100 GHz | 15454-OC48E-1-xx.xx (all wavelengths) | —
Optical | OC48 ELR/STM16 EH 200 GHz | 15454-OC48E-xx.xx (all wavelengths) | —
Optical | OC192 SR/STM64 IO 1310 | 15454-OC192IO1310 | —
Optical | OC192 IR/STM64 SH 1550 | 15454-OC192IR1550 | —
Optical | OC192 LR/STM64 LH 1550 | 15454-OC192LR1550 | —
Optical | OC192 LR/STM64 LH ITU 15xx.xx | 15454-OC192LR15xx | —
Optical | 15454_MRC-12 | — | 15454-MRC-12-T
Optical | MRC-2.5G-4 | — | 15454-MRC-I-4
Optical | OC-192/STM-64 SR1 Short Reach (1) | 15454_OC-192/STM-64 SR1 Short Reach | —
Optical | OC-192/STM-64 Any Reach (1) | 15454_OC-192/STM-64 Any Reach | —
Ethernet | E100T-12 | 15454-E100T | —
Ethernet | E100T-G | 15454-E100T-G | —
Ethernet | E1000-2 | 15454-E1000-2 | —
Ethernet | E1000-2-G | 15454-E1000-2-G | —
Ethernet | G1K-4 | 15454-G1K-4 | —
Ethernet | ML100T-12 | 15454-ML100T-12 | —
Ethernet | ML1000-2 | 15454-ML1000-2 | —
Ethernet | ML100X-8 | — | 15454-ML100X-8
Ethernet | ML-MR-10 | — | 15454-ML-MR-10
Ethernet | CE-100T-8 | 15454-CE100T-8 | —
Ethernet | CE-1000-4 | 15454-CE1000-4 | —
Ethernet | CE-MR-10 | 15454-CE-MR-10 | —
Storage Access Networking | FC_MR-4 | 15454-FC_MR-4 | —
1. Designated as OC192-XFP in CTC.
A.4 Common Control Card Specifications
This section provides specifications for the TCC2, TCC2P, XCVT, XC10G, XC-VXC-10G, and AIC-I
cards.
For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance
Information document.
A.4.1 TCC2 Card Specifications
The TCC2 card has the following specifications:
• CTC software
– Interface: EIA/TIA-232 (local craft access, on TCC2 faceplate)
– Interface: 10BaseT LAN (on TCC2 faceplate)
– Interface: 10BaseT LAN (through the backplane)
• Synchronization
– Stratum 3, per Telcordia GR-253-CORE
– Free running accuracy: +/– 4.6 ppm
– Holdover stability: 3.7 x 10^–7 per day, including temperature (< 255 slips in first 24 hours)
– Reference: External BITS, line, internal
• Supply voltage monitoring
– Both supply voltage inputs are monitored.
– Normal operation: –40.5 to –56.7 V
– Undervoltage: Major alarm
– Overvoltage: Major alarm
• Environmental
– Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 26.00 W, 0.54 A at –48 V, 88.8 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 1.5 lb (0.7 kg)
A.4.2 TCC2P Card Specifications
The TCC2P card has the following specifications:
• CTC software
– Interface: EIA/TIA-232 (local craft access, on TCC2P faceplate)
– Interface: 10BaseT LAN (on TCC2P faceplate)
– Interface: 10BaseT LAN (via backplane)
• Synchronization
– Stratum 3, per Telcordia GR-253-CORE
– Free running accuracy: +/– 4.6 ppm
– Holdover stability: 3.7 x 10^–7 per day, including temperature (< 255 slips in first 24 hours)
– Reference: External BITS, line, internal
• Supply voltage monitoring
– Both supply voltage inputs are monitored.
– Normal operation: –40.5 to –56.7 V (in –48 VDC systems)
– Undervoltage: Major alarm
– Overvoltage: Major alarm
• Environmental
– Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 27.00 W, 0.56 A at –48 V, 92.2 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 1.5 lb (0.7 kg)
A.4.3 XCVT Card Specifications
The XCVT card has the following specifications:
• Environmental
– Operating temperature:
C-Temp (15454-XC-VT): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
I-Temp (15454-XC-VT-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 34.40 W, 0.72 A, 117.46 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.9 lb (0.8 kg)
A.4.4 XC10G Card Specifications
The XC10G card has the following specifications:
• Environmental
– Operating temperature:
C-Temp (15454-XC-10G): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent, noncondensing
– Power consumption: 48 W, 1.00 A, 163.68 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.5 lb (0.6 kg)
A.4.5 XC-VXC-10G Card Specifications
The XC-VXC-10G card has the following specifications:
• Environmental
– Operating temperature:
I-Temp (15454-XC-VXC-10G-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent, noncondensing
– Power consumption: 67 W, 1.4 A, 228.62 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.5 lb (0.6 kg)
A.4.6 AIC-I Card Specifications
The AIC-I card has the following specifications:
• Alarm inputs
– Number of inputs: 12 without alarm extension panel (AEP), 32 with AEP
– Opto coupler isolated
– Label is customer provisionable.
– Severity is customer provisionable.
– Common 32 V output for all alarm inputs
– Each input limited to 2 mA
– Termination: Wire-wrap on backplane without AEP, on AEP connectors with AEP
• Alarm outputs
– Number of outputs: 4 (user configurable as inputs) without AEP, 16 with AEP
– Switched by opto MOS (metal oxide semiconductor)
– Triggered by definable alarm condition
– Maximum allowed open circuit voltage: 60 VDC
– Maximum allowed closed circuit current: 100 mA
– Termination: Wire-wrap on backplane without AEP, on AEP connectors with AEP
• Express orderwire/Local orderwire (EOW/LOW)
– ITU-T G.711, ITU-T G.712, Telcordia GR-253-CORE
– A-law, mu-law
Note Due to the nature of mixed coding, in a mixed-mode configuration (A-law/mu-law) the
orderwire is not ITU-T G.712 compliant.
– Orderwire party line
– Dual tone multifrequency (DTMF) signaling
• User data channel (UDC)
– Bit rate: 64 kbps, bidirectional
– ITU-T G.703
– Input/output impedance: 120 ohm
– Termination: RJ-11 connectors
• Data communications channel (DCC)
– Bit rate: 576 kbps
– EIA/TIA-485/V11
– Input/output impedance: 120 ohm
– Termination: RJ-45 connectors
• ACC connection for additional alarm interfaces
– Connection to AEP
• Power monitoring alarming states:
– Power failure (0 to –38 VDC)
– Undervoltage (–38 to –40.5 VDC)
– Overvoltage (beyond –56.7 VDC)
• Environmental
– Operating temperature: –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption (including AEP, if used): 8.00 W, 0.17 A, 27.3 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.8 lb (0.82 kg)
A.4.7 AEP Specifications
The AEP has the following specifications:
• Alarm inputs
– Number of inputs: 32
– Optocoupler isolated
– Label customer provisionable
– Severity customer provisionable
– Common 32 V output for all alarm inputs
– Each input limited to 2 mA
– Termination: 50-pin AMP champ connector
• Alarm outputs
– Number of outputs: 16
– Switched by opto MOS
– Triggered by definable alarm condition
– Maximum allowed open circuit voltage: 60 VDC
– Maximum allowed closed circuit current: 100 mA
– Termination: 50-pin AMP champ connector
• Environmental
– Overvoltage protection: as in ITU-T G.703 Annex B
– Operating temperature: –40 to +65 degrees Celsius
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 3.00 W max., from +5 VDC from AIC-I, 10.2 BTU/hr max.
• Dimensions of AEP board
– Height: 0.79 in. (20 mm)
– Width: 13.0 in. (330 mm)
– Depth: 3.5 in. (89 mm)
– Weight: 0.4 lb (0.18 kg)
A.5 Electrical Card Specifications
This section provides specifications for the EC1-12, DS1-14, DS1N-14, DS1/E1-56, DS3/EC1-48,
DS3-12, DS3N-12, DS3i-N-12, DS3-12E, DS3N-12E, DS3XM-6, DS3XM-12, and filler cards.
For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance
Information document.
A.5.1 EC1-12 Card Specifications
The EC1-12 card has the following specifications:
• Input
– Bit rate: 51.84 Mbps +/– 20 ppm
– Frame format: SONET
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 51.84 Mbps +/– 20 ppm
– Frame format: SONET
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Output impedance: 75 ohms +/– 5 percent
– Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Operating temperature
– C-Temp (15454-EC1-12): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– I-Temp (15454-EC1-12-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 36.60 W, 0.76 A, 124.97 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.0 lb (0.9 kg)
A.5.2 DS1-14 and DS1N-14 Card Specifications
The DS1-14 and DS1N-14 cards have the following specifications:
• Input
– Bit rate: 1.544 Mbps +/– 32 ppm
– Frame format: Off, SF (D4), ESF
– Line code: AMI, B8ZS
– Termination: Wire-wrap, AMP Champ
– Input impedance: 100 ohms
– Cable loss: Max 655 feet ABAM #22 AWG
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 1.544 Mbps +/– 32 ppm
– Frame format: Off, SF (D4), ESF
– Line code: AMI, B8ZS
– Termination: Wire-wrap, AMP Champ
– Output impedance: 100 ohms
– Cable loss: Max 655 feet ABAM #22 AWG
– AIS: TR-TSY-000191 compliant
– Power level: 12.5 to 17.9 dBm centered at 772 kHz, –16.4 to –11.1 dBm centered at 1544 kHz
– Pulse shape: Telcordia GR-499-CORE Figure 9-5
– Pulse amplitude: 2.4 to 3.6 V peak
– Loopback modes: Terminal and facility
• Electrical interface: Wire-wrap or AMP Champ connectors (see Termination above)
• Surge protection: Telcordia GR-1089
• Operating temperature
– C-Temp (15454-DS1-14 and 15454-DS1N-14): 32 to 131 degrees Fahrenheit (0 to
+55 degrees Celsius)
– I-Temp (15454-DS1-14-T and 15454-DS1N-14-T): –40 to 149 degrees Fahrenheit (–40 to
+65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 12.60 W, 0.26 A, 43.02 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.8 lb (0.8 kg)
A.5.3 DS1/E1-56 Card Specifications
The DS1/E1-56 card has the following specifications:
• Input
– Bit rate: 1.544 Mbps +/– 32 ppm (DS-1); 2.048 Mbps +/– 50 ppm (E1)
– Frame format: Off, SF (D4), ESF (DS-1); E1 multiframe, E1 CRC multiframe, and
unframed (ITU) (E1)
– Line code: AMI, B8ZS (DS-1); HDB3 (E1)
– Termination: Balanced, twisted pair, #22/24 AWG
– Input impedance: 100 ohms +/– 5 percent (DS-1); 120 ohms +/– 5 percent (E1)
– Cable loss: Max 655 feet ABAM #22/24 AWG (DS1); Compliant per ITU-T G.703 (E1)
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 1.544 Mbps +/– 32 ppm (DS-1); 2.048 Mbps +/– 50 ppm (E1)
– Frame format: Off, SF (D4), ESF (DS-1); E1 multiframe, E1 CRC multiframe, and
unframed (ITU) (E1)
– Line code: AMI, B8ZS (DS-1); HDB3 (E1)
– Termination: Balanced, twisted pair, #22/24 AWG
– Output impedance: 100 ohms +/– 5 percent (DS-1); 120 ohms +/– 5 percent (E1)
– Cable loss: Max 655 feet ABAM #22/24 AWG (DS1); Compliant per ITU-T G.703 (E1)
– AIS: TR-TSY-000191 compliant
– Power level: 12.6 to 17.9 dBm centered at 772 kHz
– Pulse shape: Telcordia GR-499-CORE Figure 9-5 (DS-1); ITU-T G.703, Figure 15 (E1)
– Pulse amplitude: 2.4 to 3.6 V peak (DS-1); 2.7 to 3.3 V peak (E1)
– Loopback modes: Terminal and facility
• Electrical interface: SCSI (UBIC) connectors. UBIC-H: DS-1 and E1; UBIC-V: DS-1 only.
• Surge protection: Telcordia GR-1089
• Operating temperature
– I-Temp (15454-DS1E1-56):–40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 36.00 W, 0.76 A, 124.97 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.0 lb (0.9 kg)
A.5.4 DS3/EC1-48 Card Specifications
The DS3/EC1-48 card has the following specifications:
• Input
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/–5 percent
– Cable loss: Max 450 feet with 734A or 728A, Max 79 feet with RG-179
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Output impedance: 75 ohms +/– 5 percent
– Cable loss: Max 900 feet with 734A or 728A cable, Max 79 feet with RG-179
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature:
– I-Temp (15454-DS3_EC1-48): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 30 W, 0.58 A at –48 V, 95.6 BTU/hr (as listed for the DS3/EC1-48 in Table A-3)
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight: 1.7 lb (0.7 kg)
A.5.5 DS3-12 and DS3N-12 Card Specifications
The DS3-12 and DS3N-12 cards have the following specifications:
• Input
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/–5 percent
– Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Output impedance: 75 ohms +/– 5 percent
– Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak-to-peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature
– C-Temp (15454-DS3-12 and 15454-DS3N-12): 32 to 131 degrees Fahrenheit (0 to
+55 degrees Celsius)
– I-Temp (15454-DS3-12-T and 15454-DS3N-12-T): –40 to 149 degrees Fahrenheit (–40 to
+65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 38.20 W, 0.79 A, 130.43 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– DS3-12 card weight: 1.7 lb (0.7 kg)
– DS3N-12 card weight: 1.8 lb (0.8 kg)
A.5.6 DS3i-N-12 Card Specifications
The DS3i-N-12 card has the following specifications:
• Input
– Bit rate: 44.736 Mbps +/–20 ppm
– Frame format: ITU-T G.704, ITU-T G.752/DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss:
Maximum 137 m (450 ft): 734A, RG59, 728A
Maximum 24 m (79 ft): RG179
– AIS: ITU-T G.704 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: ITU-T G.704, ITU-T G.752/DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Output impedance: 75 ohms +/–5 percent
– AIS: ITU-T G.704 compliant
– Power level: –1.8 to +5.7 dBm
Note The power level is for a signal of all ones and is measured at a center frequency of
22.368 MHz (3 +/– 1 kHz) bandwidth.
– Pulse shape: ITU-T G.703, Figure 14/ANSI T1.102-1988, Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak-to-peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface connectors: SMB, BNC
• Environmental
– Overvoltage protection: As in ITU-T G.703 Annex B
– Operating temperature: +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 26.80 W, 0.56 A at –48 V, 91.5 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 1.9 lb (0.8 kg)
A.5.7 DS3-12E and DS3N-12E Card Specifications
The DS3-12E and DS3N-12E cards have the following specifications:
• Input
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
Note The power level is for a signal of all ones and is measured at a center frequency of
22.368 MHz (3 +/– 1 kHz bandwidth).
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak-to-peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: Connectors: BNC or SMB
• Surge protection: Telcordia GR-1089
• Operating temperature: I-Temp (15454-DS3-12E-T and 15454-DS3N-12E-T): –40 to
149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 26.80 W, 0.56 A, 91.51 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235.0 mm)
– DS3-12E card weight: 1.8 lb (0.8 kg)
– DS3N-12E card weight: 1.9 lb (0.8 kg)
A.5.8 DS3XM-12 Card Specifications
The DS3XM-12 card has the following specifications:
• Input
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak-to-peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Interface: BNC, SMB, UBIC and MiniBNC connectors
• Surge protection: Telcordia GR-1089
• Operating temperature:
– I-Temp (15454-DS3XM-12): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 34 W, 0.71 A at –48 V, 116.1 BTU/hr
• Dimensions
– Height: 12.65 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.00 in. (228.6 mm)
– Card weight: 1.8 lb (0.8 kg)
A.5.9 DS3XM-6 Card Specifications
The DS3XM-6 card has the following specifications:
• Input
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
• Output
– Bit rate: 44.736 Mbps +/– 20 ppm
– Frame format: DS-3 ANSI T1.107-1988
– Line code: B3ZS
– Termination: Unbalanced coaxial cable
– Input impedance: 75 ohms +/– 5 percent
– Cable loss: Maximum 450 ft (734A, RG-59, 728A); maximum 79 ft (RG-179)
– AIS: TR-TSY-000191 compliant
– Power level: –1.8 to +5.7 dBm
– Pulse shape: ANSI T1.102-1988 Figure 8
– Pulse amplitude: 0.36 to 0.85 V peak-to-peak
– Loopback modes: Terminal and facility
– Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature:
– C-Temp (15454-DS3XM-6): 0 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– I-Temp (15454-DS3XM-6-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card
without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Power consumption: 20 W, 0.42 A, 68 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 1.8 lb (0.8 kg)
A.5.10 FILLER Card Specifications
The FILLER cards have the following specifications:
• Environmental
– Operating temperature:
C-Temp: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 0.4 lb (0.19 kg)
A.6 Optical Card Specifications
This section provides specifications for the OC3 IR4/STM1 SH 1310 (four-port), OC3 IR/STM1 SH
1310-8 (eight-port), OC12 IR/STM4 SH 1310, OC12 LR/STM4 LH 1310, OC12 LR STM4 LH 1550,
OC12 IR/STM4 SH 1310-4 (four-port), OC48 IR 1310, OC48 LR 1550, OC48 IR/STM16 SH AS 1310,
OC48 LR/STM16 LH AS 1550, OC48 ELR 100 GHz, OC48 ELR 200 GHz, OC192 SR/STM64 IO 1310,
OC192 IR/STM64 SH 1550, OC192 LR/STM64 LH 1550, OC192 LR/STM64 LH ITU 15xx.xx,
15454_MRC-12 (12-port), MRC-2.5G-4, OC192SR1/STM64IO Short Reach, and OC192/STM64 Any
Reach cards.
For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance
Information.
A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications
The OC3 IR 4/STM1 SH 1310 card has the following specifications:
• Line
– Bit rate: 155.52 Mbps
– Code: Scrambled non-return to zero (NRZ)
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connector: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: –8 dBm
– Minimum transmitter output power: –15 dBm
– Center wavelength: 1274 to 1356 nm
– Nominal wavelength: 1310 nm
– Transmitter: Fabry Perot (FP) laser
– Extinction ratio: 8.2 dB
– Dispersion tolerance: 96 ps/nm
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –28 dBm at BER 1 * 10 exp – 12
– Receiver: InGaAs/InP photodetector
– Link loss budget: 13 dB
– Receiver input wavelength range: 1274 to 1356 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC34IR1310): +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
I-Temp (15454-OC34I13-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 19.20 W, 0.40 A at –48 V, 65.56 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 1.0 lb (0.4 kg)
A.6.2 OC3 IR/STM1SH 1310-8 Card Specifications
The OC3 IR/STM1SH 1310-8 card has the following specifications:
• Line
– Bit rate: 155.52 Mbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connector: LC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: –8 dBm
– Minimum transmitter output power: –15 dBm
– Center wavelength: 1261 to 1360 nm
– Nominal wavelength: 1310 nm
– Transmitter: Fabry Perot laser
– Extinction ratio: 8.2 dB
– Dispersion tolerance: 96 ps/nm
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –28 dBm at BER 1 * 10 exp – 12
– Receiver: InGaAs/InP photodetector
– Link loss budget: 13 dB
– Receiver input wavelength range: 1261 to 1360 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature: +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 23.00 W, 0.48 A at –48 V, 78.5 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 1.0 lb (0.4 kg)
A.6.3 OC12 IR/STM4 SH 1310 Card Specifications
The OC12 IR/STM4 SH 1310 card has the following specifications:
• Line
– Bit rate: 622.08 Mbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: –8 dBm
– Minimum transmitter output power: –15 dBm
– Center wavelength: 1274 to 1356 nm
– Nominal wavelength: 1310 nm
– Transmitter: Fabry Perot laser
– Extinction ratio: 8.2 dB
– Dispersion tolerance: 96 ps/nm
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –28 dBm at BER 1 * 10 exp – 12
– Receiver: InGaAs/InP photodetector
– Link loss budget: 13 dB
– Receiver input wavelength range: 1274 to 1356 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC121IR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
I-Temp (15454-OC121I13-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 10.90 W, 0.23 A at –48 V, 37.22 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.4 lb (0.6 kg)
A.6.4 OC12 LR/STM4 LH 1310 Card Specifications
The OC12 LR/STM4 LH 1310 card has the following specifications:
• Line
– Bit rate: 622.08 Mbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia SONET, Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: +2 dBm
– Minimum transmitter output power: –3 dBm
– Center wavelength: 1280 to 1335 nm
– Nominal wavelength: 1310 nm
– Transmitter: Distributed feedback (DFB) laser
– Extinction ratio: 10 dB
– Dispersion tolerance: 190 ps/nm
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –28 dBm at BER 1 * 10 exp – 12
– Receiver: InGaAs/InP photodetector
– Link loss budget: 25 dB
– Receiver input wavelength range: 1280 to 1335 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC121LR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
I-Temp (15454-OC121L13-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 9.28 W, 0.25 A, 41 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.4 lb (0.6 kg)
A.6.5 OC12 LR/STM4 LH 1550 Card Specifications
The OC12 LR/STM4 LH 1550 card has the following specifications:
• Line
– Bit rate: 622.08 Mbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia SONET, Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: +2 dBm
– Minimum transmitter output power: –3 dBm
– Center wavelength: 1480 to 1580 nm
– Nominal wavelength: 1550 nm
– Transmitter: DFB laser
– Dispersion tolerance: 1440 ps/nm
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –28 dBm at BER 1 * 10 exp – 12
– Receiver: InGaAs/InP photodetector
– Link loss budget: 25 dB
– Receiver input wavelength range: 1480 to 1580 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC121LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
I-Temp (15454-OC121L15-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 9.28 W, 0.19 A, 31.68 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.4 lb (0.6 kg)
A.6.6 OC12 IR/STM4 SH 1310-4 Specifications
The OC12 IR/STM4 SH 1310-4 card has the following specifications:
• Line
– Bit rate: 622.08 Mbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connector: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: –8 dBm
– Minimum transmitter output power: –15 dBm
– Center wavelength: 1274 to 1356 nm
– Nominal wavelength: 1310 nm
– Transmitter: Fabry Perot laser
– Extinction ratio: 10 dB
– Dispersion tolerance: 190 ps/nm
• Receiver
– Maximum receiver level: –8 dBm
– Minimum receiver level: –30 dBm
– Receiver: InGaAs/InP photodetector
– Link loss budget: 15 dB
– Receiver input wavelength range: 1274 to 1356 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Operating temperature
– C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
• Operating humidity
– 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative
humidity
• Power consumption
– 28 W, 0.58 A, 100 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.0 lb (0.4 kg)
Note Minimum transmit power, minimum receive power, and link loss budget might exceed standard
specifications.
A.6.7 OC48 IR 1310 Card Specifications
The OC48 IR 1310 card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: 0 dBm
– Minimum transmitter output power: –5 dBm
– Center wavelength: 1280 to 1350 nm
– Nominal wavelength: 1310 nm
– Transmitter: Uncooled direct modulated DFB
• Receiver
– Maximum receiver level: 0 dBm
– Minimum receiver level: –18 dBm
– Receiver: InGaAs/InP photodetector
– Link loss budget: 13 dB minimum
– Receiver input wavelength range: 1280 to 1350 nm
• Environmental
– Operating temperature:
C-Temp (15454-OC481IR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 32.20 W, 0.67 A, 109.94 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.8 lb (0.8 kg)
A.6.8 OC48 LR 1550 Card Specifications
The OC48 LR 1550 card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: +3 dBm
– Minimum transmitter output power: –2 dBm
– Center wavelength: 1520 to 1580 nm
– Nominal wavelength: 1550 nm
– Transmitter: DFB laser
• Receiver
– Maximum receiver level: –8 dBm
– Minimum receiver level: –28 dBm
– Receiver: InGaAs avalanche photo diode (APD) photodetector
– Link loss budget: 26 dB minimum, with 1 dB dispersion penalty
– Receiver input wavelength range: 1520 to 1580 nm
• Environmental
– Operating temperature:
C-Temp (15454-OC481LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 26.80 W, 0.56 A, 91.50 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 1.8 lb (0.8 kg)
A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications
The OC48 IR/STM16 SH AS 1310 card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: 0 dBm
– Minimum transmitter output power: –5 dBm
– Center wavelength: 1280 to 1350 nm
– Nominal wavelength: 1310 nm
– Transmitter: DFB laser
– Dispersion tolerance: 96 ps/nm
• Receiver
– Maximum receiver level: 0 dBm
– Minimum receiver level: –18 dBm
– Receiver: InGaAs/InP photodetector
– Link loss budget: 13 dB minimum
– Receiver input wavelength range: 1280 to 1350 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC481IR1310A): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 37.20 W, 0.77 A, 127.01 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 2.2 lb (0.9 kg)
A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications
The OC48 LR/STM16 LH AS 1550 card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power: +3 dBm
– Minimum transmitter output power: –2 dBm
– Center wavelength: 1520 to 1580 nm
– Nominal wavelength: 1550 nm
– Transmitter: DFB laser
– Dispersion tolerance: 3600 ps/nm
• Receiver
– Maximum receiver level: –8 dBm
– Minimum receiver level: –28 dBm
– Receiver: InGaAs APD photodetector
– Link loss budget: 26 dB minimum, with 1 dB dispersion penalty
– Receiver input wavelength range: 1520 to 1580 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC481LR1550A): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 37.20 W, 0.77 A, 127.01 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 2.2 lb (0.9 kg)
A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications
The OC48 ELR 100 GHz card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.692, ITU-T G.958
• Transmitter
– Maximum transmitter output power: 0 dBm
– Minimum transmitter output power: –2 dBm
– Center wavelength accuracy: +/– 0.12 nm
– Transmitter: Electro-absorption laser
– Dispersion tolerance: 5400 ps/nm
• Receiver
– Maximum receiver level: –9 dBm
– Minimum receiver level: –27 dBm at 1E–12 BER
– Receiver: InGaAs APD photodetector
– Link loss budget: 25 dB minimum at 1E–12 BER (not including the power dispersion penalty)
– Dispersion penalty: 2 dB for a dispersion of up to 5400 ps/nm
– Receiver input wavelength range: 1520 to 1580 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature: C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 31.20 W, 0.65 A, 106.53 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 2.4 lb (1.1 kg)
A.6.12 OC48 ELR 200 GHz Card Specifications
The OC48 ELR 200 GHz card has the following specifications:
• Line
– Bit rate: 2.49 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.692, ITU-T G.958
• Transmitter
– Maximum transmitter output power: 0 dBm
– Minimum transmitter output power: –2 dBm
– Center wavelength accuracy: +/– 0.25 nm
– Transmitter: Electro-absorption laser
– Dispersion tolerance: 3600 ps/nm
• Receiver
– Maximum receiver level: –8 dBm
– Minimum receiver level: –28 dBm
– Receiver: InGaAs APD photodetector
– Link loss budget: 26 dB minimum, with 1 dB dispersion penalty
– Receiver input wavelength range: 1520 to 1580 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 31.20 W, 0.65 A, 106.53 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 2.9 lb (1.3 kg)
A.6.13 OC192 SR/STM64 IO 1310 Card Specifications
The OC192 SR/STM64 IO 1310 card has the following specifications:
• Line
– Bit rate: 9.95328 Gbps
– Code: Scrambled NRZ
– Fiber: 1310-nm single-mode
– Maximum chromatic dispersion allowance: 6.6 ps/nm
– Loopback modes: Terminal and facility
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957, ITU-T G.691
• Transmitter
– Maximum transmitter output power: –1 dBm
– Minimum transmitter output power: –6 dBm
– Center wavelength: 1290 to 1330 nm
– Nominal wavelength: 1310 nm
– Transmitter: Directly modulated laser
• Receiver
– Maximum receiver level: –1 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –11 dBm at BER 1 * 10 exp – 12
– Receiver: PIN diode
– Link loss budget: 5 dB minimum, plus 1 dB dispersion penalty
at BER = 1 * 10 exp – 12 including dispersion
– Receiver input wavelength range: 1290 to 1330 nm
– Dispersion tolerance: 6.6 ps/nm
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 47.00 W, 0.98 A at –48 V, 160.5 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
A.6.14 OC192 IR/STM64 SH 1550 Card Specifications
The OC192 IR/STM64 SH 1550 card has the following specifications:
• Line
– Bit rate: 9.95328 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Maximum chromatic dispersion allowance: 800 ps/nm
– Loopback modes: Terminal and facility
Note You must use a 3 to 15 dB fiber attenuator (5 dB recommended) when working with the
OC192 IR/STM64 SH 1550 card in a loopback. Do not use fiber loopbacks with the
OC192 IR/STM64 SH 1550 card. Using fiber loopbacks can cause irreparable damage to the
OC192 IR/STM64 SH 1550 card.
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957, ITU-T G.691
• Transmitter
– Maximum transmitter output power: +2 dBm
– Minimum transmitter output power: –1 dBm
– Center wavelength: 1530 to 1565 nm
– Nominal wavelength: 1550 nm
– Transmitter: Cooled electro-absorption (EA) modulated laser
• Receiver
– Maximum receiver level: –1 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –14 dBm at BER 1 * 10 exp – 12
– Receiver: PIN diode
– Link loss budget: 13 dB minimum, plus 2 dB dispersion penalty
at BER = 1 * 10 exp – 12 including dispersion
– Receiver input wavelength range: 1530 to 1565 nm
– Dispersion tolerance: 800 ps/nm
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 50.00 W, 1.04 A at –48 V, 170.7 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
A.6.15 OC192 LR/STM64 LH 1550 Card Specifications
The OC192 LR/STM64 LH 1550 card has the following specifications:
• Line
– Bit rate: 9.95328 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Loopback modes: Terminal and facility
Note You must use a fiber attenuator when connecting a fiber loopback to an OC192 LR/STM64 LH 1550
card. Use a 19 to 24 dB attenuator for 15454-OC192LR1550 or a 14 to 28 dB attenuator for
15454-OC192-LR2 (20 dB is recommended). Never connect a direct fiber loopback.
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
– Maximum transmitter output power:
+10 dBm (15454-OC192LR1550);
+7 dBm (15454-OC192-LR2)
– Minimum transmitter output power:
+7 dBm (15454-OC192LR1550);
+4 dBm (15454-OC192-LR2)
– Center wavelength: 1530 to 1565 nm
– Nominal wavelength: 1550 nm
– Maximum chromatic dispersion allowed: 1600 ps/nm
– Transmitter: LN (Lithium Niobate) external modulator transmitter
• Receiver
– Maximum receiver level:
–10 dBm (15454-OC192LR1550);
–7 dBm (15454-OC192LR1550)
– Minimum receiver level:
–19 dBm (15454-OC192LR1550);
–24 dBm from 1530 to 1565 nm
–20 dBm from 1290 to 1330 nm (15454-OC192-LR2)
– Receiver: APD/TIA
– Link loss budget: 24 dB minimum with no dispersion, or 22 dB optical path loss at
BER = 1 * 10 exp – 12 including dispersion
– Receiver input wavelength range: 1530 to 1565 nm
– Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
– Operating temperature:
C-Temp (15454-OC192LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 72.20 W, 1.50 A, 246.52 BTU/hr (15454-OC192LR1550);
52.00 W, 1.08 A at –48 V, 177.6 BTU/hr (15454-OC192-LR2)
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications
The OC192 LR/STM64 LH ITU 15xx.xx card has the following specifications:
• Line
– Bit rate: 9.95328 Gbps
– Code: Scrambled NRZ
– Fiber: 1550-nm single-mode
– Maximum chromatic dispersion allowance:
In deployments with a dispersion compensation unit (DCU): +/– 1000 ps/nm, with an optical
signal-to-noise ratio (OSNR) of 19 dB (0.5 nm resolution bandwidth [RBW])
In deployments without a DCU: +/– 1200 ps/nm, with an OSNR of 23 dB (0.5 nm RBW)
– Loopback modes: Terminal and facility
Note You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the
OC192 LR/STM64 LH 15xx.xx card in a loopback. Do not use fiber loopbacks with the
OC192 LR/STM64 LH 15xx.xx card. Using fiber loopbacks causes irreparable damage to
this card.
– Connectors: SC
– Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.691, ITU-T G.957
• Transmitter
– Maximum transmitter output power: +6 dBm
– Minimum transmitter output power: +3 dBm
– Center wavelength: See wavelength plan
– Center wavelength accuracy: +/– 0.040 nm
– Transmitter: LN external modulator transmitter
• Receiver
– Maximum receiver level: –8 dBm at BER 1 * 10 exp – 12
– Minimum receiver level: –22 dBm at BER 1 * 10 exp – 12
– Receiver: APD
– Link loss budget: 25 dB minimum, plus 2 dB dispersion penalty
at BER = 1 * 10 exp – 12 including dispersion
– Receiver input wavelength range: 1529 to 1565 nm
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 52.00 W, 1.08 A at –48 V, 177.6 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
• Currently available wavelengths and versions of OC192 LR/STM64 LH ITU 15xx.xx card:
ITU grid blue band:
– 1534.25 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1534.25
– 1535.04 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1535.04
– 1535.82 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1535.82
– 1536.61 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1536.61
– 1538.19 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1538.19
– 1538.98 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1538.98
– 1539.77 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1539.77
– 1540.56 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1540.56
ITU grid red band:
– 1550.12 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1550.12
– 1550.92 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1550.92
– 1551.72 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1551.72
– 1552.52 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1552.52
– 1554.13 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1554.13
– 1554.94 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1554.94
– 1555.75 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1555.75
– 1556.55 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1556.55
A.6.17 15454_MRC-12 Card Specifications
The 15454_MRC-12 card has the following specifications:
• Line
– Bit rate: up to OC-48 (2488.320 Mbps), depending on SFP
Note Each optical interface on the card can be configured as OC-3, OC-12, or OC-48, depending
on the available backplane bandwidth and existing provisioned lines. In general, the card
supports all different rates on the line side as long as the accumulated bandwidth does not
exceed the total backplane allowed bandwidth.
– Fiber: 1550-nm single-mode
– Connectors: LC duplex connector for each SFP
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
– Minimum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
– Center wavelength: See wavelength plan
– Center wavelength accuracy: 1 nm to 4 nm, depending on SFP
– Transmitter: FP and DFB laser
• Receiver
– Maximum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Minimum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Receiver: PIN PD
– Receiver input wavelength range: Depends on SFP
• Environmental
– Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 38.00 W, 0.79 A at –48 V, 129.66 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
• Wavelength plan. Currently available wavelengths and versions of the 15454_MRC-12 card:
– For ONS-SC-2G-28.7 through ONS-SC-2G-60.0 SFPs: 1528.77 nm to 1560.61 nm
(32 distinct wavelengths at 100 GHz spacing)
Note ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and
ONS-SC-2G-57.3 are supported from Release 8.5 and later.
– For ONS-SE-622-1470 through ONS-SE-622-1610 SFPs: 1470 to 1610 nm
(eight distinct wavelengths at 2500 GHz spacing)
– For ONS-SE-155-1470 through ONS-SE-155-1610 SFPs: 1470 to 1610 nm
(eight distinct wavelengths at 2500 GHz spacing)
A.6.18 MRC-2.5G-4 Card Specifications
The MRC-2.5G-4 card has the following specifications:
• Line
– Bit rate: up to OC-48 (2488.320 Mbps), depending on SFP
Note Each optical interface on the card can be configured as OC-3, OC-12, or OC-48, depending
on the available backplane bandwidth and existing provisioned lines. In general, the card
supports all different rates on the line side as long as the accumulated bandwidth does not
exceed the total backplane allowed bandwidth.
– Fiber: 1550-nm single-mode
– Connectors: LC duplex connector for each SFP
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
– Minimum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
– Center wavelength: See wavelength plan
– Center wavelength accuracy: 1 nm to 4 nm, depending on SFP
– Transmitter: FP and DFB laser
• Receiver
– Maximum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Minimum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Receiver: PIN PD
– Receiver input wavelength range: Depends on SFP
• Environmental
– Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 38.00 W, 0.79 A at –48 V, 129.66 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
• Wavelength plan. Currently available wavelengths and versions of the MRC-2.5G-4 card:
– For ONS-SC-2G-30.3 through ONS-SC-2G-60.0 SFPs: 1528.77 nm to 1560.61 nm
(32 distinct wavelengths at 100 GHz spacing)
Note ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and
ONS-SC-2G-57.3 are supported from Release 8.5 and later.
– For ONS-SE-622-1470 through ONS-SE-622-1610 SFPs: 1470 to 1610 nm
(eight distinct wavelengths at 2500 GHz spacing)
– For ONS-SE-155-1470 through ONS-SE-155-1610 SFPs: 1470 to 1610 nm
(eight distinct wavelengths at 2500 GHz spacing)
A.6.19 OC192SR1/STM64IO Short Reach Card Specifications
Note The OC192SR1/STM64IO Short Reach card is designated as OC192-XFP in CTC.
The OC192SR1/STM64IO Short Reach card has the following specifications:
• Line
– Bit rate: OC-192 (9.9520 Gbps)
– Fiber: 1310-nm single-mode
– Connectors: LC duplex connector for the XFP
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: –1 dBm
– Minimum transmitter output power: –6 dBm
• Receiver
– Maximum receiver level: –1 dBm
– Minimum receiver level: –11 dBm
– Receiver input wavelength range: 1260 to 1565 nm
• Environmental
– Operating temperature: 32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 40.00 W, 0.83 A at –48 V, 136.49 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
A.6.20 OC192/STM64 Any Reach Card Specifications
Note The OC192/STM64 Any Reach card is designated as OC192-XFP in CTC.
The OC192/STM64 Any Reach card has the following specifications:
• Line
– Bit rate: OC-192 (9.9520 Gbps)
– Fiber: 1310-nm single-mode for ONS-XC-10G-S1 XFP, 1550-nm single mode for
ONS-XC-10G-I2 and ONS-XC-10G-L2 XFPs
– Connectors: LC duplex connector for the XFPs
– Compliance: Telcordia GR-253-CORE
• Transmitter
– Maximum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
– Minimum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC
Specifications, page A-5)
• Receiver
– Maximum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Minimum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications,
page A-5)
– Receiver input wavelength range: 1260 to 1565 nm
• Environmental
– Operating temperature: 32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 40.00 W, 0.83 A at –48 V, 136.49 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 3.1 lb (1.3 kg)
A.7 Ethernet Card Specifications
This section includes specifications for the E100T-12, E100T-G, E1000-2, E1000-2-G, CE-1000-4,
CE-100T-8, CE-MR-10, G1K-4, ML100T-12, ML1000-2, ML-MR-10, and ML100X-8 cards.
For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance
Information document.
A.7.1 E100T-12 Card Specifications
The E100T-12 card has the following specifications:
• Environmental
– Operating temperature
C-Temp (15454-E100T): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 65 W, 1.35 A, 221.93 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.3 lb (1.0 kg)
A.7.2 E100T-G Card Specifications
The E100T-G card has the following specifications:
• Environmental
– Operating temperature:
C-Temp (15454-E100T-G): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 65 W, 1.35 A, 221.93 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.3 lb (1.0 kg)
A.7.3 E1000-2 Card Specifications
The E1000-2 card has the following specifications:
• Environmental
– Operating temperature:
C-Temp (15454-E1000-2): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 53.50 W, 1.11 A, 182.67 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.1 lb (0.9 kg)
A.7.4 E1000-2-G Card Specifications
The E1000-2-G card has the following specifications:
• Environmental
– Operating temperature:
C-Temp (15454-E1000-2-G): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 53.50 W, 1.11 A, 182.67 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.1 lb (0.9 kg)
A.7.5 CE-1000-4 Card Specifications
The CE-1000-4 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (-5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 60 W, 1.25 A at -48 V, 204.8 BTU/hr
• Dimensions
– Height: 12.650 in. (321.310 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.1 lb (0.9 kg)
A.7.6 CE-100T-8 Card Specifications
The CE-100T-8 card has the following specifications:
• Environmental
– Operating temperature
C-Temp (15454-CE100T): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
– Operating humidity: 0 to 95 percent, noncondensing
– Power consumption: 53 W, 1.1 A, 181.3 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.913 in. (23.19 mm)
– Depth: 9.073 in. (230.45 mm)
– Card weight: 1.8 lb (0.82 kg)
A.7.7 CE-MR-10 Card Specifications
The CE-MR-10 card has the following specifications:
• Environmental
– Operating temperature
C-Temp (15454-CE-MR-10): 32 to 131 degrees Fahrenheit (0 to +50 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 95
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 2.3 lb (1.0 kg)
A.7.8 G1K-4 Card Specifications
The G1K-4 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 63.00 W, 1.31 A at –48 V, 215.1 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 2.1 lb (0.9 kg)
A.7.9 ML100T-12 Card Specifications
The ML100T-12 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 53.00 W, 1.10 A at –48 V, 181.0 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 2.3 lb (1.0 kg)
A.7.10 ML1000-2 Card Specifications
The ML1000-2 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 49.00 W, 1.02 A at –48 V, 167.3 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 0.9 kg (2.1 lb)
A.7.11 ML100X-8 Card Specifications
The ML100X-8 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 65.00 W, 1.35 A at –48 V, 221.93 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 0.9 kg (2.1 lb)
A.7.12 ML-MR-10 Card Specifications
The ML-MR-10 card has the following specifications:
• Environmental
– Operating temperature: +23 to +131 degrees Fahrenheit (–40 to +65 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 100 W
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Depth with backplane connector: 9.250 in. (235 mm)
– Weight not including clam shell: 0.9 kg (2.1 lb)
A.8 Storage Access Networking Card Specifications
This section describes the FC_MR-4 (Fibre Channel) card specifications.
For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance
Information document.
• Fibre Channel Support: FC-0 and FC-1 layers of ANSI X3.230 FC-PH
• GBIC Line Interface
– Bit Rate: 1.0625 Gbit/s single-rate or 1.0625/2.125 dual-rate Gbit/s Fibre Channel (FC)
– Wavelength/Fiber/Reach:
850 nm, multimode fiber, 550 m (SX)
1310 nm, single-mode fiber, 10 km (LX)
1550 nm, single-mode fiber, 80 km (ZX)
– Hot pluggable
– Auto-detection
• Transmitter
– Maximum transmitter output power: depends on GBIC type (see Table A-2)
– Minimum transmitter output power: depends on GBIC type (see Table A-2)
• Receiver
– Maximum receiver level: depends on GBIC type (see Table A-2)
– Minimum receiver level: depends on GBIC type (see Table A-2)
• Environmental
– Operating temperature
C-Temp (15454-E100T): 23 to 131 degrees Fahrenheit (–5 to +55 degrees Celsius)
– Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95
percent relative humidity
– Power consumption: 60 W, 1.35 A, 221.93 BTU/hr
• Dimensions
– Height: 12.650 in. (321.3 mm)
– Width: 0.716 in. (18.2 mm)
– Depth: 9.000 in. (228.6 mm)
– Card weight: 2.59 lb (1.17 kg)
APPENDIX B
Administrative and Service States
This appendix describes administrative and service states for Cisco ONS 15454 cards, ports, and
cross-connects. For circuit state information, refer to Chapter 12, “Circuits and Tunnels.” Entity states
in Software Release 5.0 and later are based on the generic state model defined in
Telcordia GR-1093-CORE, Issue 2 and ITU-T X.731.
This appendix contains the following sections:
• B.1 Service States, page B-1
• B.2 Administrative States, page B-2
• B.3 Service State Transitions, page B-3
B.1 Service States
Service states include a Primary State (PST), a Primary State Qualifier (PSTQ), and one or more
Secondary States (SST). Table B-1 lists the service state PSTs and PSTQs supported by the ONS 15454.
Table B-2 defines the SSTs supported by the ONS 15454.
Table B-1 ONS 15454 Service State Primary States and Primary State Qualifiers
Primary State, Primary State Qualifier | Definition
IS-NR (In-Service and Normal) | The entity is fully operational and will perform as provisioned.
OOS-AU (Out-of-Service and Autonomous) | The entity is not operational because of an autonomous event.
OOS-AUMA (Out-of-Service and Autonomous Management) | The entity is not operational because of an autonomous event and has also been manually removed from service.
OOS-MA (Out-of-Service and Management) | The entity has been manually removed from service.
Table B-2 ONS 15454 Secondary States
Secondary State | Definition
AINS (Automatic In-Service) | The entity is delayed before transitioning to the IS-NR service state. The transition to IS-NR depends on the correction of conditions, or on a soak timer. Alarm reporting is suppressed, but traffic is carried. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
DSBLD (Disabled) | The entity was manually removed from service and does not provide its provisioned functions. All services are disrupted; the entity is unable to carry traffic. Note: OC-N ports and connections in the DSBLD state continue to send an Alarm Indication Signal Line (AIS-L).
FLT (Fault) | The entity has a raised alarm or condition.
LPBK (Loopback) | The entity is in loopback mode.
MEA (Mismatched Equipment) | An improper card is installed. For example, an installed card is not compatible with the card preprovisioning or the slot. This SST applies only to cards.
MT (Maintenance) | The entity has been manually removed from service for a maintenance activity but still performs its provisioned functions. Alarm reporting is suppressed, but traffic is carried. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
OOG (Out of Group) | The virtual concatenation (VCAT) member cross-connect is not used to carry VCAT group traffic. This state is used to put a member circuit out of the group and to stop sending traffic. OOS-MA,OOG only applies to the cross-connects on an end node where VCAT resides. The cross-connects on intermediate nodes are in the OOS-MA,MT service state.
SWDL (Software Download) | The card is involved in a software and database download. This SST applies only to cards.
UAS (Unassigned) | The card is not provisioned in the database. This SST applies only to cards.
UEQ (Unequipped) | The card is not physically present (that is, an empty slot). This SST applies only to cards.
B.2 Administrative States
Administrative states are used to manage service states. Administrative states consist of a PST and an
SST. Table B-3 lists the administrative states supported by the ONS 15454. See Table B-2 for SST
definitions.
Note A change in the administrative state of an entity does not change the service state of supporting or
supported entities.
B.3 Service State Transitions
This section describes the transition from one service state to the next for cards, ports, and
cross-connects. A service state transition is based on the action performed on the entity.
Note When an entity is put in the OOS,MT administrative state, the ONS 15454 suppresses all standing alarms
on that entity. All alarms and events appear on the Conditions tab. You can change this behavior for the
LPBKFACILITY and LPBKTERMINAL alarms. To display these alarms on the Alarms tab, set the
NODE.general.ReportLoopbackConditionsOnOOS-MTPorts to TRUE on the NE Defaults tab.
Table B-3 ONS 15454 Administrative States
Administrative State (PST,SST) | Definition
IS | Puts the entity in service.
IS,AINS | Puts the entity in automatic in-service.
OOS,DSBLD | Removes the entity from service and disables it.
OOS,MT | Removes the entity from service for maintenance.
OOS,OOG | (VCAT circuits only) Removes a VCAT cross-connect from service and from the group of members. Note: Only CE-100T-8 cards in link capacity adjustment scheme (LCAS) mode and FC_MR-4 (enhanced mode) cards in software LCAS (SW-LCAS) mode accept the OOG state.
B.3.1 Card Service State Transitions
Table B-4 lists card service state transitions.
Table B-4 ONS 15454 Card Service State Transitions
Current Service State | Action | Next Service State
IS-NR | Change the administrative state to OOS,MT. | OOS-MA,MT
IS-NR | Delete the card. | OOS-AUMA,UAS
IS-NR | Remove the card. | OOS-AU,UEQ
IS-NR | Reset the card. | OOS-AU,SWDL
IS-NR | Alarm/condition is raised. | OOS-AU,FLT
OOS-AU,AINS & MEA | Remove the card. | OOS-AU,AINS & UEQ
OOS-AU,AINS & MEA | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AU,AINS & SWDL | Restart completed. | IS-NR
OOS-AU,AINS & SWDL | Remove the card. | OOS-AU,AINS & UEQ
OOS-AU,AINS & UEQ | Insert a valid card. | OOS-AU,AINS & SWDL
OOS-AU,AINS & UEQ | Insert an invalid card. | OOS-AU,AINS & MEA
OOS-AU,AINS & UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AU,FLT | Remove the card. | OOS-AU,UEQ
OOS-AU,FLT | Delete the card. | OOS-AUMA,UAS
OOS-AU,FLT | Change the administrative state to OOS,MT. | OOS-AUMA,FLT & MT
OOS-AU,FLT | Reset the card. | OOS-AU,SWDL
OOS-AU,FLT | Alarm/condition is cleared. | IS-NR
OOS-AU,MEA | Remove the card. | OOS-AU,UEQ
OOS-AU,MEA | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AU,MEA | Change the administrative state to OOS,MT. | OOS-AUMA,MEA & MT
OOS-AU,SWDL | Restart completed. | IS-NR
OOS-AU,SWDL | Remove the card. | OOS-AU,UEQ
OOS-AU,UEQ | Insert a valid card. | OOS-AU,SWDL
OOS-AU,UEQ | Insert an invalid card. | OOS-AU,MEA
OOS-AU,UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AU,UEQ | Change the administrative state to OOS,MT. | OOS-AUMA,MT & UEQ
OOS-AUMA,FLT & MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,FLT & MT | Delete the card. | OOS-AUMA,UAS
OOS-AUMA,FLT & MT | Change the administrative state to IS. | OOS-AU,FLT
OOS-AUMA,FLT & MT | Reset the card. | OOS-AUMA,MT & SWDL
OOS-AUMA,FLT & MT | Alarm/condition is cleared. | OOS-MA,MT
OOS-AUMA,MEA & MT | Change the administrative state to IS. | OOS-AU,MEA
OOS-AUMA,MEA & MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,MEA & MT | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AUMA,MEA & UAS | Remove the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,MEA & UAS | Provision the card. | OOS-AU,MEA
OOS-AUMA,MT & SWDL | Restart completed. | OOS-MA,MT
OOS-AUMA,MT & SWDL | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,MT & UEQ | Change the administrative state to IS. | OOS-AU,UEQ
OOS-AUMA,MT & UEQ | Insert a valid card. | OOS-AUMA,MT & SWDL
OOS-AUMA,MT & UEQ | Insert an invalid card. | OOS-AUMA,MEA & MT
OOS-AUMA,MT & UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,UAS | Remove the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,UAS | Provision an invalid card. | OOS-AU,MEA
OOS-AUMA,UAS | Provision a valid card. | OOS-AU,SWDL
OOS-AUMA,UAS & UEQ | Insert a valid card. | OOS-AU,SWDL
OOS-AUMA,UAS & UEQ | Insert an invalid card. | OOS-AUMA,MEA & UAS
OOS-AUMA,UAS & UEQ | Preprovision a card. | OOS-AU,AINS & UEQ
OOS-MA,MT | Change the administrative state to IS. | IS-NR
OOS-MA,MT | Delete the card. | OOS-AUMA,UAS
OOS-MA,MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-MA,MT | Reset the card. | OOS-AUMA,MT & SWDL
OOS-MA,MT | Alarm/condition is raised. | OOS-AUMA,FLT & MT
B.3.2 Port and Cross-Connect Service State Transitions
Table B-5 lists the port and cross-connect service state transitions. Port states do not impact
cross-connect states with one exception. A cross-connect in the OOS-AU,AINS service state cannot
transition autonomously into the IS-NR service state until the parent port is in the IS-NR service state.
You cannot transition a port from the IS-NR service state to the OOS-MA,DSBLD service state. You
must first put the port in the OOS-MA,MT service state. Once a port is in the OOS-MA,MT state, the
NODE.general.ForceToOosDsbldStateChange default setting of TRUE allows you to put a port in
OOS-MA,DSBLD even if the following conditions exist:
• The port is a timing source.
• The port is used for line, section, or tunneling DCC.
• The port supports 1+1 protection or bidirectional line switched rings (BLSRs).
• Cross-connects are present on the port.
• Overhead connections or overhead terminations are in use (such as express orderwire, local
orderwire, or user data channels [UDCs]).
To change this behavior so that you cannot put a port in OOS-MA,DSBLD if any of these conditions
exist, set the NODE.general.ForceToOosDsbldStateChange default setting to FALSE. For the procedure
to change node defaults, refer to the “Maintain the Node” chapter in the Cisco ONS 15454 Procedure
Guide.
The following ports do not support all of the service states listed in Table B-5:
• E-Series Ethernet ports do not support service states; these ports are either enabled or disabled.
• FC_MR-4 ports support the IS-NR; OOS-MA,DSBLD; and OOS-MA,MT service states; they do not
support the OOS-AU,AINS service state.
Note Deleting a port or cross-connect removes the entity from the system. The deleted entity does not
transition to another service state.
Note The DS1 port service state on the DS3XM-12 card is based on the DS3 service state.
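The following Python is an added example, not code from the Cisco manual or from CTC: a pre-change check that an operator or change-control script could run before submitting an administrative-state change. It models the labels of Tables B-1 and B-2 (section B.1) and the administrative-state rows of Table B-5 together with the B.3.2 port rules. Its assumptions are labelled in the code: AINS, FLT, MEA, SWDL and UEQ make the qualifier AU, MT and DSBLD make it MA, UAS counts as both (it only ever appears as OOS-AUMA,UAS in Table B-4), and LPBK and OOG never change the qualifier on their own; this reproduces every label in Tables B-4 and B-5 except two that look like misprints (OOS-MT,MT & OOG and OOS-MA,FLT & MT), which the parser rejects rather than guesses. The entity kinds, function names and the constructed request list are this example's own. Where the generic rule and the tables disagree, the tables govern.

```python
"""Pre-change check for ONS 15454 service states (added example, not Cisco code)."""
from __future__ import annotations

# Assumption: which SSTs make the qualifier AU (autonomous) and which make it MA
# (management). UAS only appears as OOS-AUMA,UAS in Table B-4, so it counts as
# both; LPBK and OOG never change the qualifier on their own.
AUTONOMOUS = {"AINS", "FLT", "MEA", "SWDL", "UEQ"}
MANAGEMENT = {"MT", "DSBLD"}
BOTH = {"UAS"}
NEUTRAL = {"LPBK", "OOG"}
ADMIN_STATES = {"IS", "IS,AINS", "OOS,MT", "OOS,DSBLD", "OOS,OOG"}   # Table B-3
ENTITY_KINDS = {"port", "cross-connect", "vcat-member"}              # example's own labels


def format_state(ssts: frozenset[str]) -> str:
    """Build the service-state label (e.g. 'OOS-AUMA,FLT & MT') from its SSTs."""
    unknown = ssts - (AUTONOMOUS | MANAGEMENT | BOTH | NEUTRAL)
    if unknown:
        raise ValueError(f"unknown SST(s): {sorted(unknown)}")
    if not ssts:
        return "IS-NR"
    au = bool(ssts & (AUTONOMOUS | BOTH))
    ma = bool(ssts & (MANAGEMENT | BOTH))
    if not (au or ma):
        raise ValueError(f"{sorted(ssts)} never stand alone in Tables B-4/B-5")
    qualifier = "AUMA" if au and ma else ("AU" if au else "MA")
    return f"OOS-{qualifier}," + " & ".join(sorted(ssts))


def parse_state(label: str) -> frozenset[str]:
    """Parse a label and reject one whose qualifier does not fit its SSTs."""
    label = label.strip()
    if label == "IS-NR":
        return frozenset()
    pst, sep, sst_part = label.partition(",")
    if not sep or not pst.startswith("OOS-"):
        raise ValueError(f"malformed service state {label!r}")
    ssts = frozenset(s.strip() for s in sst_part.split("&"))
    expected = format_state(ssts)
    if expected != label:
        raise ValueError(f"{label!r}: qualifier does not match SSTs, expected {expected!r}")
    return ssts


def next_service_state(current: str, admin: str, kind: str = "port", *,
                       force_to_oos_dsbld: bool = True,
                       port_in_use_by: tuple[str, ...] = ()) -> str:
    """Service state reached by an administrative-state request (Table B-5, B.3.2).

    FLT and OOG survive every request except OOS,DSBLD (which keeps only OOG);
    AINS, MT and DSBLD are replaced by what the request asks for. A port in IS-NR
    must pass through OOS-MA,MT before OOS-MA,DSBLD, and from OOS-MA,MT the move is
    blocked when NODE.general.ForceToOosDsbldStateChange is FALSE and the port is
    still in use (timing, DCC, protection, cross-connects, overhead).
    """
    if kind not in ENTITY_KINDS:
        raise ValueError(f"unknown entity kind {kind!r}")
    if admin not in ADMIN_STATES:
        raise ValueError(f"unknown administrative state {admin!r}")
    ssts = parse_state(current)
    outside = ssts - {"AINS", "FLT", "MT", "DSBLD", "OOG"}
    if outside:  # card-only and loopback SSTs are outside the rows modelled here
        raise ValueError(f"{current!r} is outside the port/cross-connect rows modelled")
    carried = ssts & {"FLT", "OOG"}
    if admin == "IS":
        nxt = carried
    elif admin == "IS,AINS":
        nxt = carried | {"AINS"}
    elif admin == "OOS,MT":
        nxt = carried | {"MT"}
    elif admin == "OOS,OOG":
        if kind != "vcat-member":
            raise ValueError("OOS,OOG applies only to VCAT member cross-connects")
        nxt = carried | {"MT", "OOG"}
    else:  # OOS,DSBLD
        if kind == "port" and not ssts:
            raise ValueError("a port in IS-NR must first be put in OOS-MA,MT")
        if kind == "port" and "MT" in ssts and port_in_use_by and not force_to_oos_dsbld:
            raise ValueError("ForceToOosDsbldStateChange is FALSE and the port is in use by: "
                             + ", ".join(port_in_use_by))
        nxt = (ssts & {"OOG"}) | {"DSBLD"}
    return format_state(frozenset(nxt))


def check_request(current: str, admin: str, kind: str = "port", **node_defaults) -> tuple[str, str]:
    """Audit wrapper: ('OK', next_state) or ('REJECTED', reason)."""
    try:
        return "OK", next_service_state(current, admin, kind, **node_defaults)
    except ValueError as exc:
        return "REJECTED", str(exc)


if __name__ == "__main__":
    # Constructed change requests for illustration, not captured from a real node.
    requests = [
        ("IS-NR", "OOS,DSBLD", "port", {}),
        ("IS-NR", "OOS,MT", "port", {}),
        ("OOS-MA,MT", "OOS,DSBLD", "port",
         {"force_to_oos_dsbld": False, "port_in_use_by": ("timing source", "section DCC")}),
        ("OOS-AU,FLT & OOG", "OOS,DSBLD", "vcat-member", {}),
        ("OOS-MT,MT & OOG", "IS", "vcat-member", {}),   # label with a bad qualifier
    ]
    for cur, adm, knd, defaults in requests:
        verdict, detail = check_request(cur, adm, knd, **defaults)
        print(f"{cur:<22} + {adm:<10} ({knd}): {verdict} {detail}")
```

The round trip in parse_state is the useful part for an auditor: any state label pulled from a ticket or a TL1 response whose qualifier does not agree with its SSTs is refused instead of being silently accepted, and the OOS,DSBLD branch makes the two operational guards of B.3.2 explicit, so a script can show why a request to disable a port that still carries DCC or timing would fail with ForceToOosDsbldStateChange set to FALSE.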
Table B-5 ONS 15454 Port and Cross-Connect Service State Transitions
Current Service State Action Next Service State
IS-NR Put the port or cross-connect in the
OOS,MT administrative state.
OOS-MA,MT
Put the port or cross-connect in the
IS,AINS administrative state.
OOS-AU,AINS1
Put the VCAT cross-connect in the
OOS,OOG administrative state.
OOS-MA,MT & OOG
Alarm/condition is raised. OOS-AU,FLT
OOS-AU,FLT & OOG for a
VCAT cross-connect
(Cross-connect only) Put the
cross-connect in the OOS,DSBLD
administrative state.
OOS-MA,DSBLD
OOS-MA,DSBLD & OOG for a
VCAT cross-connect
OOS-AU,AINS Put the port or cross-connect in the IS
administrative state.
IS-NR
Put the port or cross-connect in the
OOS,MT administrative state.
OOS-MA,MT
Put the port or cross-connect in the
OOS,DSBLD administrative state.
OOS-MA,DSBLD
OOS-MA,DSBLD & OOG for a
VCAT cross-connect
Put the VCAT cross-connect in the
OOS,OOG administrative state.
OOS-MA,MT and OOG
Alarm/condition is raised. OOS-AU,AINS & FLT
OOS-AU,AINS & FLT & OOG
for a VCAT cross-connectB-7
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix B Administrative and Service States
B.3.2 Port and Cross-Connect Service State Transitions
OOS-AU,AINS & FLT Alarm/condition is cleared. OOS-AU,AINS
Put the port or cross-connect in the IS
administrative state.
OOS-AU,FLT
Put the port or cross-connect in the
OOS,DSBLD administrative state.
OOS-MA,DSBLD
Put the port or cross-connect in the
OOS,MT administrative state.
OOS-AUMA,FLT & MT
Put the VCAT cross-connect in the
OOS,OOG administrative state.
OOS-AUMA,FLT & MT & OOG
OOS-AU,AINS & FLT &
OOG
Alarm/condition is cleared. OOS-AU,AINS or OOS-MA,MT
• If an In Group member is
IS-NR or OOS-AU,AINS,
the member transitions to
OOS-AU,AINS
• If an In Group member is
OOS-MA,MT, the member
transitions to OOS-MA,MT
Put the VCAT cross-connect in the IS
administrative state.
OOS-AU,FLT & OOG
Put the VCAT cross-connect in the
OOS,DSBLD administrative state.
OOS-MA,DSBLD & OOG
Put the VCAT cross-connect in the
OOS,MT administrative state.
OOS-AUMA,FLT & MT & OOG
OOS-AU,FLT Alarm/condition is cleared. IS-NR
Put the port or cross-connect in the
IS,AINS administrative state.
OOS-AU,AINS & FLT
Put the port or cross-connect in the
OOS,DSBLD administrative state.
OOS-MA,DSBLD
OOS-MA,DSBLD & OOG for a
VCAT cross-connect
Put the port or cross-connect in the
OOS,MT administrative state
OOS-AUMA,FLT & MT
Put the VCAT cross-connect in the
OOS,OOG administrative state.
OOS-AUMA,FLT & MT & OOG
Table B-5 ONS 15454 Port and Cross-Connect Service State Transitions (continued)
Current Service State Action Next Service StateB-8
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
78-19870-01
Appendix B Administrative and Service States
B.3.2 Port and Cross-Connect Service State Transitions
OOS-AU,FLT & OOG Alarm/condition is cleared. IS-NR or OOS-MA,MT
• If an In Group member is IS-NR or OOS-AU,AINS, the member transitions to IS-NR.
• If an In Group member is OOS-MA,MT, the member transitions to OOS-MA,MT.
Put the VCAT cross-connect in the IS,AINS administrative state. OOS-AU,AINS & FLT & OOG
Put the VCAT cross-connect in the OOS,DSBLD administrative state. OOS-MA,DSBLD & OOG
Put the VCAT cross-connect in the OOS,MT administrative state. OOS-AUMA,FLT & MT & OOG
OOS-AUMA,FLT & LPBK & MT Release the loopback. OOS-AUMA,FLT & MT
Alarm/condition is cleared. OOS-MA,LPBK & MT
OOS-AUMA,FLT & LPBK & MT & OOG Release the loopback. OOS-AUMA,FLT & MT & OOG
Alarm/condition is cleared. OOS-MA,MT & OOG
OOS-AUMA,FLT & MT Alarm/condition is cleared. OOS-MA,MT
Put the port or cross-connect in the IS administrative state. OOS-AU,FLT
Put the port or cross-connect in the IS,AINS administrative state. OOS-AU,AINS & FLT
Put the port or cross-connect in the OOS,DSBLD administrative state. OOS-MA,DSBLD (OOS-MA,DSBLD & OOG for a VCAT cross-connect)
Put the port or cross-connect in a loopback. OOS-AUMA,FLT & LPBK & MT
Put the VCAT cross-connect in the OOS,OOG administrative state. OOS-AUMA,FLT & MT & OOG
OOS-AUMA,FLT & MT & OOG Alarm/condition is cleared. OOS-MA,MT & OOG
Put the VCAT cross-connect in the IS administrative state. OOS-AU,FLT & OOG
Note VCAT In Group members are in the OOS-AU,FLT or IS-NR service state.
Put the VCAT cross-connect in the IS,AINS administrative state. OOS-AU,AINS & FLT & OOG
Note VCAT In Group members are in the OOS-AU,AINS & FLT or IS-NR service state.
Put the VCAT cross-connect in the OOS,DSBLD administrative state. OOS-MA,DSBLD & OOG
Put the VCAT cross-connect in the OOS,MT administrative state. OOS-MA,FLT & MT
Note VCAT In Group members are in the OOS-MA,FLT & MT service state.
Operate a loopback. OOS-MA,FLT & LPBK & MT & OOG
OOS-MA,DSBLD Put the port or cross-connect in the IS administrative state. IS-NR
Put the port or cross-connect in the IS,AINS administrative state. OOS-AU,AINS
Put the port or cross-connect in the OOS,MT administrative state. OOS-MA,MT
Put the VCAT cross-connect in the OOS,OOG administrative state. OOS-MA,MT & OOG
OOS-MA,LPBK & MT Release the loopback. OOS-MA,MT
Note While in OOS-MA,LPBK & MT, both Cisco Transport Controller (CTC) and Transaction Language One (TL1) allow a cross-connect to be deleted, which also removes the loopback. This applies only to the cross-connect, not the ports.
Alarm/condition is raised. OOS-AUMA,FLT & LPBK & MT (OOS-AUMA,FLT & LPBK & MT & OOG for a VCAT cross-connect)
OOS-MA,LPBK & MT & OOG Alarm/condition is raised. OOS-AUMA,FLT & LPBK & MT & OOG
OOS-MA,MT Put the port or cross-connect in the IS administrative state. IS-NR
Put the port or cross-connect in the IS,AINS administrative state. OOS-AU,AINS
Put the port or cross-connect in the OOS,DSBLD administrative state. OOS-MA,DSBLD (OOS-MA,DSBLD & OOG for a VCAT cross-connect)
Put the port or cross-connect in a loopback. OOS-MA,LPBK & MT
Put the VCAT cross-connect in the OOS,OOG administrative state. OOS-MA,MT & OOG
Alarm/condition is raised. OOS-AUMA,FLT & MT (OOS-AUMA,FLT & MT & OOG for a VCAT cross-connect)
OOS-MA,MT & OOG Alarm/condition is raised. OOS-AUMA,FLT & MT & OOG
1. For a VCAT cross-connect, an IS-NR to OOS-AU,AINS transition will not occur with a Loss of Multiframe (LOM) or Sequence Mismatch (SQM) condition on the member.
B.3.3 Pluggable Equipment Service State Transitions
The service state transitions for pluggable equipment are the same as for other equipment with the exceptions listed in Table B-6.
Note Pluggable equipment (pluggable interface modules [PIMs] and pluggable port modules [PPMs]) will transition out of the UAS state when inserted if the software can read the EEPROM and identify information on the pluggable equipment. If the software cannot read the pluggable equipment, the equipment is considered invalid and will not transition out of the UAS state.
Table B-6 ONS 15454 Pluggable Equipment Service State Transitions
Current Service State Action Next Service State
IS-NR Reset the pluggable equipment. IS-NR
Provision an unsupported service rate. OOS-AU,MEA
Pluggable equipment does not work with the board configuration.
OOS-AU,AINS & UEQ Insert valid pluggable equipment. IS-NR
Insert pluggable equipment with the incorrect rate. OOS-AU,MEA
Pluggable equipment does not work with the board configuration.
OOS-AU,MEA Delete unsupported service rate or modify provisioning so that the pluggable equipment is no longer a mismatch. IS-NR
OOS-AU,UEQ Insert valid pluggable equipment. IS-NR
OOS-AUMA,MEA & MT Delete unsupported service rate or modify provisioning so that the pluggable equipment is no longer a mismatch. OOS-MA,MT
OOS-AUMA,MT & UEQ Insert valid pluggable equipment. OOS-MA,MT
OOS-AUMA,UAS Provision valid pluggable equipment. IS-NR
OOS-AUMA,UAS & UEQ Insert valid pluggable equipment. IS-NR
Insert pluggable equipment with the incorrect rate. OOS-AU,MEA
Pluggable equipment does not work with the board configuration.
OOS-MA,MT Reset the pluggable equipment. OOS-MA,MT
Provision an unsupported service rate. OOS-AUMA,MEA & MT
Pluggable equipment does not work with the board configuration.
APPENDIX C
Network Element Defaults
Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms
do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration.
Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's
path protection feature, which may be used in any topological network configuration. Cisco does not
recommend using its path protection feature in any particular topological network configuration.
This appendix describes the factory-configured (default) network element (NE) settings for the
Cisco ONS 15454. It includes descriptions of card, node, and Cisco Transport Controller (CTC) default
settings. To import, export, or edit the settings, refer to the “Maintain the Node” chapter of the
Cisco ONS 15454 Procedure Guide. Cards supported by this platform that are not listed in this appendix
are not supported by user-configurable NE defaults settings.
To change card settings individually (that is, without directly changing the NE defaults), refer to the
“Change Card Settings” chapter of the Cisco ONS 15454 Procedure Guide. To change node settings,
refer to the “Change Node Settings” chapter of the Cisco ONS 15454 Procedure Guide.
This appendix includes the following sections:
• C.1 Network Element Defaults Description, page C-1
• C.2 Card Default Settings, page C-2
• C.3 Node Default Settings, page C-99
• C.4 CTC Default Settings, page C-119
C.1 Network Element Defaults Description
The NE defaults are preinstalled on each Cisco ONS 15454 Advanced Timing, Communications, and
Control (TCC2) and Advanced Timing, Communications, and Control Plus (TCC2P) card. Cisco also
ships a file named 15454-defaults.txt on the CTC software CD in case you want to import the defaults
onto existing TCC2/TCC2P cards. The NE defaults include card-level, CTC, and node-level defaults.
Changes to card provisioning that are made manually using the procedures in the “Change Card
Settings” chapter in the Cisco ONS 15454 Procedure Guide override default settings. If you use the CTC
Defaults editor (on the node view Provisioning > Defaults tab) or import a new defaults file, any changes
to card or port settings that result only affect cards that are installed or preprovisioned after the defaults
have changed.
Changes that are made manually to most node-level default settings override the current settings,
whether default or provisioned. If you change node-level default settings, either by using the Defaults
editor or by importing a new defaults file, the new defaults reprovision the node immediately for all
settings except those relating to protection (1+1 bidirectional switching, 1+1 reversion time, 1+1
revertive switching, bidirectional line switched ring [BLSR] ring reversion time, BLSR ring revertive
switching, BLSR span reversion time, and BLSR span revertive switching). Settings relating to
protection apply to subsequent provisioning.
Note Changing some node-level provisioning through NE defaults can cause CTC disconnection or a
reboot of the node in order for the provisioning to take effect. Before you change a default, check
in the Side Effects column of the Defaults editor (right-click a column header and select
Show Column > Side Effects) and be prepared for the occurrence of any side effects listed for
that default.
C.2 Card Default Settings
The tables in this section list the default settings for each SONET card. Cisco provides several types of
user-configurable defaults for Cisco ONS 15454 optical, electrical, storage access networking, and
Ethernet (or data) cards. Types of card defaults can be broadly grouped by function, as outlined in the
following subsections. For information about individual card settings, refer to the “Change Card
Settings” chapter of the Cisco ONS 15454 Procedure Guide.
Note When card-level defaults are changed, only provisioning performed after the change is affected.
Existing provisioning remains unaffected.
Note To view DWDM card defaults consult the Cisco ONS 15454 DWDM Reference Manual.
The following types of defaults are defined for SONET cards.
C.2.1 Configuration Defaults
Most card-level and port-level configuration defaults correspond to settings found in the CTC card-level
Provisioning tabs.
Note The full set of Automatic Laser Shutdown (ALS) configuration defaults can be found in the CTC
card-level Maintenance > ALS tab for supported cards. ALS defaults are supported for OC3-8,
OC-48ELR, OC-192, OC192-XFP, MRC-2.5G-4, and MRC-12 cards.
Configuration defaults that correspond to settings that are reachable from the CTC card-level
Provisioning tabs (except as noted) include the following types of options (arranged by CTC subtab):
• Line—(DS-N, EC1-12, OC-N, MRC-12, MRC-2.5G-4, G-series, and CE-series cards) Line-level configuration settings.
Note MRC-12 and MRC-2.5G-4 line configuration defaults are defined on a per OC-N rate basis.
• SONET STS—(OC-N and EC1-12 cards) SONET STS-level configuration settings.
• Port—(FC_MR-4 cards only) Port line-level configuration, distance extension, and enhanced
FC/FICON ISL settings.
• Card—(DS1/E1-56, ML-series, and FC_MR-4 cards) Transport mode, operating mode,
enable/disable retiming, and port to Virtual Tributary (VT) mapping standard settings (DS1/E1-56
only); or FC_MR-4 card mode settings (FC_MR-4 only); or framing mode (ML-series cards).
• DS1—(DS3XM-12 cards only) DS-1 rate virtual port-level line configuration settings.
• Broadband Ports—(DS3/EC1-48 cards only) Set the port rate as DS3, EC1, or unassigned (DS3 is
the default).
• DS3—(DS3/EC1-48 cards only) DS-3 rate port-level line configuration settings.
• EC1—(DS3/EC1-48 cards only) EC-1 rate port-level line configuration, section trace, and SONET
STS settings.
• ALS (card-level Maintenance > ALS tab)—(OC3-8, OC-48ELR, OC-192, OC192-XFP,
MRC-2.5G-4, and MRC-12 cards) ALS configuration defaults.
• IOS (card-level IOS tab)—(ML-series and RAN-SVC cards) Console port and RADIUS server
access settings.
• Ether Ports—(CE-series cards) Line configuration settings (including 802 class of service [IEEE
802.1p CoS] and IP type of service [ToS]).
• POS Ports—(CE-series cards) Line configuration settings.
Note Line configuration defaults for the CE-100T-8 card apply to both Ethernet port and packet-over-SONET
(POS) port settings where the same setting exists for both.
Note For further information about each card, consult the appropriate card reference chapter, that is, Chapter 3,
“Electrical Cards,” Chapter 4, “Optical Cards,” Chapter 5, “Ethernet Cards,” and Chapter 6, “Storage
Access Networking Cards.”
Note For further information about IOS configuration defaults for ML-series cards, refer to the
Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration
Guide.
C.2.2 Threshold Defaults
Threshold default settings define the default cumulative values (thresholds) beyond which a threshold
crossing alert (TCA) will be raised, making it possible to monitor the network and detect errors early.
Card threshold default settings are provided as follows:
• PM thresholds—(DS-N, EC-1, OC-N, MRC-2.5G-4, and MRC-12 cards) Can be expressed in counts or seconds; includes line, electrical path, and SONET thresholds.
• Physical Layer thresholds—(OC3-8, OC-192, OC-192XFP, MRC-2.5G-4, and MRC-12 cards)
Expressed in percentages; includes optics thresholds.
Threshold defaults are defined for near end and/or far end, at 15-minute and one-day intervals.
Thresholds are further broken down by type, such as Section, Line, STS, or VT for performance
monitoring (PM) thresholds, and TCA (warning) or Alarm for physical thresholds. PM threshold types
define the layer to which the threshold applies. Physical threshold types define the level of response
expected when the threshold is crossed.
Note For full descriptions of the thresholds you can set for each card, see Chapter 15, “Performance
Monitoring.”
Note For additional information regarding PM parameter threshold defaults as defined by Telcordia
specifications, refer to Telcordia GR-820-CORE and GR-253-CORE.
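The TCA mechanism described in this section, as an added worked example that is not code from this manual or from Cisco: performance-monitoring counts are accumulated separately per 15-minute and per 1-day interval, and a TCA is raised once per interval bin when the cumulative value goes beyond the threshold. The threshold values are the DS-1 near-end line defaults from Table C-1 in this appendix; the `TcaMonitor` class, its `observe` method and the sample feeds are this example's own constructions.

```python
from dataclasses import dataclass, field

# Subset of the DS-1 near-end line threshold defaults from Table C-1 (values are the
# manual's; the monitor logic below is this example's, not CTC's).
DS1_LINE_NEAREND_THRESHOLDS = {
    ("15min", "ES"): 65,       # errored seconds per 15-minute interval
    ("15min", "SES"): 10,      # severely errored seconds per 15-minute interval
    ("15min", "CV"): 13340,    # BPV count per 15-minute interval
    ("1day", "ES"): 648,
    ("1day", "SES"): 100,
    ("1day", "CV"): 133400,
}

INTERVAL_SECONDS = {"15min": 900, "1day": 86400}


@dataclass
class TcaMonitor:
    """Accumulates PM counts per interval and raises a TCA once per interval bin
    when the cumulative value goes beyond the configured threshold."""
    thresholds: dict
    _totals: dict = field(default_factory=dict)
    _bin_start: dict = field(default_factory=dict)
    _raised: set = field(default_factory=set)

    def observe(self, t, parameter, count):
        """Record `count` occurrences of `parameter` at time `t` (seconds since an
        arbitrary epoch). Returns the TCA messages raised by this sample."""
        alerts = []
        for (interval, param), limit in self.thresholds.items():
            if param != parameter:
                continue
            key = (interval, param)
            length = INTERVAL_SECONDS[interval]
            start = t - (t % length)
            if self._bin_start.get(key) != start:
                # A new 15-minute or 1-day bin has begun: reset the accumulator
                # and allow a fresh alert for this bin.
                self._bin_start[key] = start
                self._totals[key] = 0
                self._raised.discard(key)
            self._totals[key] += count
            if self._totals[key] > limit and key not in self._raised:
                self._raised.add(key)
                alerts.append(f"TCA {param} {interval}: {self._totals[key]} > {limit}")
        return alerts


def run_fifteen_minute_sample():
    """Constructed feed: two bursts push ES beyond 65 in the first 15-minute bin;
    a later sample in the next bin crosses the threshold again."""
    mon = TcaMonitor(DS1_LINE_NEAREND_THRESHOLDS)
    feed = [(0, "ES", 40), (120, "ES", 40), (300, "ES", 5), (900, "ES", 70)]
    alerts = []
    for t, param, count in feed:
        alerts += mon.observe(t, param, count)
    return alerts


def run_one_day_sample():
    """Constructed feed: 50 ES in each of 14 consecutive 15-minute bins never trips
    the 15-minute threshold (65) but crosses the 1-day threshold (648)."""
    mon = TcaMonitor(DS1_LINE_NEAREND_THRESHOLDS)
    alerts = []
    for k in range(14):
        alerts += mon.observe(k * 900, "ES", 50)
    return alerts


if __name__ == "__main__":
    print(run_fifteen_minute_sample())
    print(run_one_day_sample())
```

The second feed is the case worth noticing when tuning thresholds: a steady low error rate that never trips a 15-minute TCA still trips the 1-day TCA, so both intervals need to be kept and reviewed rather than treating the 15-minute alert as the only early-warning signal.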
C.2.3 Defaults by Card
In the tables that follow, card defaults are defined by the default name, its factory-configured value, and
the domain of allowable values that you can assign to it.
Note Some default values, such as certain thresholds, are interdependent. Before changing a value, review the
domain for that default and any other related defaults for potential dependencies.
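A check that a practitioner would run before importing an edited defaults file (see the description of 15454-defaults.txt in C.1), as an added example that is not code from this manual or from Cisco: each proposed value is tested against the Default Domain column of the tables that follow. The domain strings are copied from Table C-1; the three domain shapes the parser recognises (an integer range such as `0 - 900`, a stepped `hh:mm` list such as `00:00, 00:15, 00:30 .. 48:00`, and a comma-space-separated enumeration) are this example's reading of the tables, and the one-`name value`-per-line candidate file is an assumed format, not the documented layout of 15454-defaults.txt.

```python
import re

# (name, domain) pairs copied from Table C-1 on this page. The parsing rules and the
# line format of the candidate file below are this example's assumptions, not the
# documented format of 15454-defaults.txt.
DOMAINS = {
    "DS1.config.AINSSoakTime": "00:00, 00:15, 00:30 .. 48:00",
    "DS1.config.LineCoding": "B8ZS, AMI",
    "DS1.config.LineLength": "0 - 131 ft, 132 - 262 ft, 263 - 393 ft, 394 - 524 ft, 525 - 655 ft",
    "DS1.config.SDBER": "1E-5, 1E-6, 1E-7, 1E-8, 1E-9",
    "DS1.config.State": "IS, OOS,DSBLD, OOS,MT, IS,AINS",
    "DS1.pmthresholds.line.nearend.15min.ES": "0 - 900",
    "DS1.pmthresholds.line.nearend.1day.CV": "0 - 133315200",
}

RANGE_RE = re.compile(r"^(\d+) - (\d+)$")
STEPPED_RE = re.compile(r"^(\d\d:\d\d), (\d\d:\d\d), \d\d:\d\d \.\. (\d\d:\d\d)$")
HHMM_RE = re.compile(r"^\d\d:\d\d$")


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def _as_float(text):
    try:
        return float(text)
    except ValueError:
        return None


def in_domain(value, domain):
    """True if `value` (as written in a defaults file) is allowed by `domain`
    (as written in the Default Domain column)."""
    m = RANGE_RE.match(domain)
    if m:
        # Integer range such as "0 - 900".
        return value.isdigit() and int(m.group(1)) <= int(value) <= int(m.group(2))
    m = STEPPED_RE.match(domain)
    if m:
        # Stepped hh:mm list such as "00:00, 00:15, 00:30 .. 48:00".
        if not HHMM_RE.match(value):
            return False
        first, last = _minutes(m.group(1)), _minutes(m.group(3))
        step = _minutes(m.group(2)) - first
        v = _minutes(value)
        return first <= v <= last and (v - first) % step == 0
    # Enumerated list; members are separated by ", " so that values containing a bare
    # comma (OOS,DSBLD) stay intact. Scientific-notation members compare numerically,
    # so the printed default 1.00E-07 matches the domain entry 1E-7.
    members = domain.split(", ")
    if value in members:
        return True
    fv = _as_float(value)
    return fv is not None and any(_as_float(mbr) == fv for mbr in members)


def validate_defaults(text):
    """Check each "name value" line of a candidate defaults file against DOMAINS.
    Returns (name, value, reason) for every line that should not be imported."""
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if name not in DOMAINS:
            problems.append((name, value, "unknown default name"))
        elif not in_domain(value, DOMAINS[name]):
            problems.append((name, value, f"outside domain {DOMAINS[name]}"))
    return problems


# Constructed candidate file for a DS-1 card (not a real export).
CANDIDATE = """\
DS1.config.LineCoding B8ZS
DS1.config.LineLength 132 - 262 ft
DS1.config.State OOS,MT
DS1.config.SDBER 1.00E-07
DS1.config.AINSSoakTime 00:20
DS1.pmthresholds.line.nearend.15min.ES 901
DS1.config.NotARealDefault 1
"""


def run_constructed_check():
    return validate_defaults(CANDIDATE)


if __name__ == "__main__":
    for name, value, reason in run_constructed_check():
        print(f"{name} = {value}: {reason}")
```

Run against the constructed file, the check rejects the soak time that is not on the 15-minute step, the errored-seconds threshold above the 0 - 900 range, and the unknown name, while accepting the state value that contains a bare comma and the SDBER value written in the table's printed form. Interdependent defaults, which the note above calls out, are not covered by a per-value domain check and still need a review of the related entries together.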
C.2.3.1 DS-1 Card Default Settings
Table C-1 lists the DS-1 (DS1-14 and DS1N-14) card default settings.
Table C-1 DS-1 Card Default Settings
Default Name Default Value Default Domain
DS1.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS1.config.LineCoding AMI B8ZS, AMI
DS1.config.LineLength 0 - 131 ft 0 - 131 ft, 132 - 262 ft, 263 - 393 ft, 394 - 524 ft, 525 - 655 ft
DS1.config.LineType D4 ESF, D4, UNFRAMED
DS1.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS1.config.SendAISOnTerminalLoopback FALSE TRUE, FALSE
DS1.config.SendAISVOnDefects FALSE FALSE, TRUE
DS1.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS1.config.TreatLOFAsDefect FALSE FALSE, TRUE
DS1.pmthresholds.line.farend.15min.ES 65 (seconds) 0 - 900
DS1.pmthresholds.line.farend.1day.ES 648 (seconds) 0 - 86400
DS1.pmthresholds.line.nearend.15min.CV 13340 (BPV count) 0 - 1388700
DS1.pmthresholds.line.nearend.15min.ES 65 (seconds) 0 - 900
DS1.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS1.pmthresholds.line.nearend.15min.SES 10 (seconds) 0 - 900
DS1.pmthresholds.line.nearend.1day.CV 133400 (BPV count) 0 - 133315200
DS1.pmthresholds.line.nearend.1day.ES 648 (seconds) 0 - 86400
DS1.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS1.pmthresholds.line.nearend.1day.SES 100 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.15min.CSS 25 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.CV 13296 (BIP count) 0 - 38700
DS1.pmthresholds.path.farend.15min.ES 65 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.ESA 25 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.ESB 25 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.FC 0 (count) 0 - 90
DS1.pmthresholds.path.farend.15min.SEFS 25 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.SES 10 (seconds) 0 - 900
DS1.pmthresholds.path.farend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.path.farend.1day.CSS 25 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.CV 132960 (BIP count) 0 - 3715200
DS1.pmthresholds.path.farend.1day.ES 648 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.ESA 25 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.ESB 25 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.FC 0 (count) 0 - 8640
DS1.pmthresholds.path.farend.1day.SEFS 25 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.SES 100 (seconds) 0 - 86400
DS1.pmthresholds.path.farend.1day.UAS 10 (seconds) 0 - 86400
DS1.pmthresholds.path.nearend.15min.AISS 10 (seconds) 0 - 900
DS1.pmthresholds.path.nearend.15min.CV 13296 (BIP count) 0 - 38700
DS1.pmthresholds.path.nearend.15min.ES 65 (seconds) 0 - 900
DS1.pmthresholds.path.nearend.15min.FC 0 (count) 0 - 90
DS1.pmthresholds.path.nearend.15min.SAS 2 (seconds) 0 - 900
DS1.pmthresholds.path.nearend.15min.SES 10 (seconds) 0 - 900
DS1.pmthresholds.path.nearend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.path.nearend.1day.AISS 10 (seconds) 0 - 86400
DS1.pmthresholds.path.nearend.1day.CV 132960 (BIP count) 0 - 3715200
DS1.pmthresholds.path.nearend.1day.ES 648 (seconds) 0 - 86400
DS1.pmthresholds.path.nearend.1day.FC 0 (count) 0 - 8640
DS1.pmthresholds.path.nearend.1day.SAS 17 (seconds) 0 - 86400
DS1.pmthresholds.path.nearend.1day.SES 100 (seconds) 0 - 86400
DS1.pmthresholds.path.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1.pmthresholds.sts.farend.15min.CV 15 (B3 count) 0 - 2160000
DS1.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS1.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS1.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS1.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.sts.farend.1day.CV 125 (B3 count) 0 - 207360000
DS1.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS1.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS1.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS1.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS1.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS1.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS1.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS1.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS1.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS1.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS1.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS1.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS1.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1.pmthresholds.vt.farend.15min.CV 15 (BIP8 count) 0 - 2160000
DS1.pmthresholds.vt.farend.15min.ES 12 (seconds) 0 - 900
DS1.pmthresholds.vt.farend.15min.SES 3 (seconds) 0 - 900
DS1.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.vt.farend.1day.CV 125 (BIP8 count) 0 - 207360000
DS1.pmthresholds.vt.farend.1day.ES 100 (seconds) 0 - 86400
DS1.pmthresholds.vt.farend.1day.SES 7 (seconds) 0 - 86400
DS1.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400
DS1.pmthresholds.vt.nearend.15min.CV 15 (BIP8 count) 0 - 2160000
DS1.pmthresholds.vt.nearend.15min.ES 12 (seconds) 0 - 900
DS1.pmthresholds.vt.nearend.15min.SES 3 (seconds) 0 - 900
DS1.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900
DS1.pmthresholds.vt.nearend.1day.CV 125 (BIP8 count) 0 - 207360000
DS1.pmthresholds.vt.nearend.1day.ES 100 (seconds) 0 - 86400
DS1.pmthresholds.vt.nearend.1day.SES 7 (seconds) 0 - 86400
DS1.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.2 DS1/E1-56 Card Default Settings
Table C-2 lists the DS1/E1-56 card default settings.
Table C-2 DS1/E1-56 Card Default Settings
Default Name Default Value Default Domain
DS1-E1-56.config.OperatingMode All DS1 All DS1, All E1
DS1-E1-56.config.PortToVtMappingMode GR253 Industry when OperatingMode All E1; GR253, Industry when OperatingMode All DS1
DS1-E1-56.DS1-PORT.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS1-E1-56.DS1-PORT.config.Ds1Mapping Asynchronous Asynchronous when LineType UNFRAMED, UNFRAMED; Asynchronous, Byte Synchronous when LineType ESF, D4, E1_MF, E1_CRCMF, AUTO FRAME, J_ESF
DS1-E1-56.DS1-PORT.config.FdlMode T1.403 T1.403 when LineType UNFRAMED, AUTO FRAME; T1.403, BFDL when LineType ESF, D4, J_ESF
DS1-E1-56.DS1-PORT.config.FeInhibitLpbk TRUE TRUE, FALSE
DS1-E1-56.DS1-PORT.config.LineCoding AMI B8ZS, AMI
DS1-E1-56.DS1-PORT.config.LineLength 0 - 131 ft 0 - 131 ft, 132 - 262 ft, 263 - 393 ft, 394 - 524 ft, 525 - 655 ft
DS1-E1-56.DS1-PORT.config.LineType UNFRAMED ESF, D4, UNFRAMED, AUTO FRAME, J_ESF
DS1-E1-56.DS1-PORT.config.RetimingEnabled FALSE TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1-E1-56.DS1-PORT.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SendAISOnTerminalLoopback TRUE TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SendAISVOnDefects FALSE FALSE, TRUE
DS1-E1-56.DS1-PORT.config.SendDoNotUse FALSE TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS1-E1-56.DS1-PORT.config.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
DS1-E1-56.DS1-PORT.config.State OOS,DSBLD OOS,DSBLD when LineType AUTO FRAME; IS, OOS,DSBLD, OOS,MT, IS,AINS when LineType ESF, D4, UNFRAMED, J_ESF
DS1-E1-56.DS1-PORT.config.SyncMsgIn FALSE FALSE when LineType D4, E1_MF, E1_CRCMF, UNFRAMED, AUTO FRAME; FALSE, TRUE when LineType ESF, J_ESF
DS1-E1-56.DS1-PORT.config.TreatLOFAsDefect TRUE FALSE, TRUE
DS1-E1-56.DS1-PORT.pmthresholds.line.farend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.farend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.CV 13340 (BPV count) 0 - 1388700
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.CV 133400 (BPV count) 0 - 133315200
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.CSS 25 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.CV 13296 (BIP count) 0 - 38700
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESA 25 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESB 25 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESFE 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESNE 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SEFS 25 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SESFE 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SESNE 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UASFE 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UASNE 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.CSS 25 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.CV 132960 (BIP count) 0 - 3715200
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESA 25 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESB 25 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESFE 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESNE 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SEFS 25 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SESFE 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SESNE 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UASFE 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UASNE 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.AISS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.CV 13296 (BIP count) 0 - 38700
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.SAS 2 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.AISS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.CV 132960 (BIP count) 0 - 3715200
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.SAS 17 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.FC 10 (count) 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS1-E1-56.E1-PORT.config.LineCoding HDB3 HDB3
DS1-E1-56.E1-PORT.config.LineType E1_UNFRAMED E1_MF, E1_CRCMF, AUTO FRAME, UNFRAMED
DS1-E1-56.E1-PORT.config.RetimingEnabled FALSE TRUE, FALSE
DS1-E1-56.E1-PORT.config.SaBit SA Bit 4 SA Bit 4, SA Bit 5, SA Bit 6, SA Bit 7, SA Bit 8
DS1-E1-56.E1-PORT.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1-E1-56.E1-PORT.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS1-E1-56.E1-PORT.config.SendAISOnTerminalLoopback TRUE TRUE, FALSE
DS1-E1-56.E1-PORT.config.SendAISVOnDefects FALSE FALSE, TRUE
DS1-E1-56.E1-PORT.config.SendDoNotUse FALSE TRUE, FALSE
DS1-E1-56.E1-PORT.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS1-E1-56.E1-PORT.config.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
DS1-E1-56.E1-PORT.config.State OOS,DSBLD OOS,DSBLD when LineType AUTO FRAME; IS, OOS,DSBLD, OOS,MT, IS,AINS when LineType E1_MF, E1_CRCMF, UNFRAMED
DS1-E1-56.E1-PORT.config.SyncMsgIn FALSE FALSE, TRUE
DS1-E1-56.E1-PORT.config.TreatLOFAsDefect TRUE FALSE, TRUE
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.CV 9 (BPV count) 0 - 1388700
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.CV 90 (BPV count) 0 - 133315200
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.AISS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.BBE 9 (count) 0 - 287100
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.EB 9 (count) 0 - 450000
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.AISS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.BBE 90 (count) 0 - 27561600
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.EB 90 (count) 0 - 43200000
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.FC 10 (count) 0 - 72
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.ES 65 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.FC 10 (count) 0 - 72
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.SES 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.ES 648 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.FC 40 (count) 0 - 6912
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.SES 100 (seconds) 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.3 DS-3 Card Default Settings
Table C-3 lists the DS-3 card default settings.
Table C-3 DS-3 Card Default Settings
Default Name Default Value Default Domain
DS3.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000
DS3.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000
DS3.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.4 DS3/EC1-48 Card Default Settings
Table C-4 lists the DS3/EC1-48 card default settings.
Table C-4 DS3/EC1-48 Card Default Settings
Default Name Default Value Default Domain
DS3-EC1-48.Broadband.portAssignment DS3-PORT UNASSIGNED, DS3-PORT, EC1-PORT
DS3-EC1-48.DS3-PORT.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3-EC1-48.DS3-PORT.config.FeInhibitLpbk TRUE TRUE, FALSE
DS3-EC1-48.DS3-PORT.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3-EC1-48.DS3-PORT.config.LineType UNFRAMED UNFRAMED, M13, C BIT, AUTO PROVISION FMT
DS3-EC1-48.DS3-PORT.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3-EC1-48.DS3-PORT.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3-EC1-48.DS3-PORT.config.SendAISOnTerminalLoopback FALSE TRUE, FALSE
DS3-EC1-48.DS3-PORT.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3-EC1-48.DS3-PORT.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3-EC1-48.EC1-PORT.config.line.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3-EC1-48.EC1-PORT.config.line.PJStsMon# 0 (STS #) 0 - 1
DS3-EC1-48.EC1-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3-EC1-48.EC1-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3-EC1-48.EC1-PORT.config.line.SendAISOnTerminalLoopback FALSE TRUE, FALSE
DS3-EC1-48.EC1-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3-EC1-48.EC1-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3-EC1-48.EC1-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 8850600
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 72
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.FC 10 (count) 0 - 6912
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.5 DS3E Card Default Settings
Table C-5 lists the DS3E card default settings.
Table C-5 DS3E Card Default Settings
Default Name Default Value Default Domain
DS3E.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3E.config.FeInhibitLpbk TRUE TRUE, FALSE
DS3E.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3E.config.LineType UNFRAMED UNFRAMED, M13, C BIT, AUTO PROVISION FMT
DS3E.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3E.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3E.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3E.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3E.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700
DS3E.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200
DS3E.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3E.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3E.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3E.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3E.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3E.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3E.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3E.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3E.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3E.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3E.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3E.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3E.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3E.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900
DS3E.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3E.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3E.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3E.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3E.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3E.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3E.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3E.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3E.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3E.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3E.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3E.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000
DS3E.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3E.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3E.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3E.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3E.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000
DS3E.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3E.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3E.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3E.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3E.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3E.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3E.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3E.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3E.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3E.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3E.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3E.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3E.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3E.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.6 DS3I Card Default Settings
Table C-6 lists the DS3I card default settings.
Table C-6 DS3I Card Default Settings
Default Name Default Value Default Domain
DS3I.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3I.config.FeInhibitLpbk TRUE TRUE, FALSE
DS3I.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3I.config.LineType C BIT UNFRAMED, M13, C BIT, AUTO PROVISION FMT
DS3I.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3I.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3I.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3I.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3I.pmthresholds.cpbitpath.farend.15min.CVCP 382 (BIP count) 0 - 38700
DS3I.pmthresholds.cpbitpath.farend.15min.ESCP 25 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.farend.15min.SASCP 2 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.farend.15min.SESCP 4 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.farend.15min.UASCP 10 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.farend.1day.CVCP 3820 (BIP count) 0 - 3715200
DS3I.pmthresholds.cpbitpath.farend.1day.ESCP 250 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.farend.1day.SASCP 8 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.farend.1day.SESCP 40 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.farend.1day.UASCP 10 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.nearend.15min.CVCP 382 (BIP count) 0 - 38700
DS3I.pmthresholds.cpbitpath.nearend.15min.ESCP 25 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.nearend.15min.SASCP 2 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.nearend.15min.SESCP 4 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.nearend.15min.UASCP 10 (seconds) 0 - 900
DS3I.pmthresholds.cpbitpath.nearend.1day.CVCP 3820 (BIP count) 0 - 3715200
DS3I.pmthresholds.cpbitpath.nearend.1day.ESCP 250 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.nearend.1day.SASCP 8 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.nearend.1day.SESCP 40 (seconds) 0 - 86400
DS3I.pmthresholds.cpbitpath.nearend.1day.UASCP 10 (seconds) 0 - 86400
DS3I.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3I.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3I.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3I.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3I.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3I.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3I.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3I.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3I.pmthresholds.pbitpath.nearend.15min.AISSP 10 (seconds) 0 - 900
DS3I.pmthresholds.pbitpath.nearend.15min.CVP 382 (BIP count) 0 - 38700
DS3I.pmthresholds.pbitpath.nearend.15min.ESP 25 (seconds) 0 - 900
DS3I.pmthresholds.pbitpath.nearend.15min.SASP 2 (seconds) 0 - 900
DS3I.pmthresholds.pbitpath.nearend.15min.SESP 4 (seconds) 0 - 900
DS3I.pmthresholds.pbitpath.nearend.15min.UASP 10 (seconds) 0 - 900
DS3I.pmthresholds.pbitpath.nearend.1day.AISSP 10 (seconds) 0 - 86400
DS3I.pmthresholds.pbitpath.nearend.1day.CVP 3820 (BIP count) 0 - 3715200
DS3I.pmthresholds.pbitpath.nearend.1day.ESP 250 (seconds) 0 - 86400
DS3I.pmthresholds.pbitpath.nearend.1day.SASP 8 (seconds) 0 - 86400
DS3I.pmthresholds.pbitpath.nearend.1day.SESP 40 (seconds) 0 - 86400
DS3I.pmthresholds.pbitpath.nearend.1day.UASP 10 (seconds) 0 - 86400
DS3I.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000
DS3I.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3I.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3I.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3I.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3I.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000
DS3I.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3I.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3I.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3I.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3I.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3I.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3I.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3I.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3I.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3I.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3I.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3I.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3I.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3I.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.7 DS3XM-6 Card Default Settings
Table C-7 lists the DS3XM-6 card default settings.
Table C-7 DS3XM-6 Card Default Settings
Default Name Default Value Default Domain
DS3XM.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3XM.config.FeInhibitLpbk TRUE TRUE, FALSE
DS3XM.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
DS3XM.config.LineType M13 M13, C BIT
DS3XM.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3XM.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3XM.config.SendAISOnTerminalLoopback FALSE TRUE, FALSE
DS3XM.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3XM.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3XM.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700
DS3XM.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3XM.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.15min.AISS 10 (seconds) 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.ES 65 (seconds) 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.SES 10 (seconds) 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.ds1path.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.ES 648 (seconds) 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.SAS 17 (seconds) 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.SES 100 (seconds) 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3XM.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3XM.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3XM.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3XM.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.farend.15min.CV 15 (B3 count) 0 - 2160000
DS3XM.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3XM.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3XM.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3XM.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.sts.farend.1day.CV 125 (B3 count) 0 - 207360000
DS3XM.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3XM.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3XM.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3XM.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3XM.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3XM.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3XM.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3XM.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3XM.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.farend.15min.CV 15 (BIP8 count) 0 - 2160000
DS3XM.pmthresholds.vt.farend.15min.ES 12 (seconds) 0 - 900
DS3XM.pmthresholds.vt.farend.15min.SES 3 (seconds) 0 - 900
DS3XM.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.vt.farend.1day.CV 125 (BIP8 count) 0 - 207360000
DS3XM.pmthresholds.vt.farend.1day.ES 100 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.farend.1day.SES 7 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.nearend.15min.CV 15 (BIP8 count) 0 - 2160000
DS3XM.pmthresholds.vt.nearend.15min.ES 12 (seconds) 0 - 900
DS3XM.pmthresholds.vt.nearend.15min.SES 3 (seconds) 0 - 900
DS3XM.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM.pmthresholds.vt.nearend.1day.CV 125 (BIP8 count) 0 - 207360000
DS3XM.pmthresholds.vt.nearend.1day.ES 100 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.nearend.1day.SES 7 (seconds) 0 - 86400
DS3XM.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.8 DS3XM-12 Card Default Settings
Table C-8 lists the DS3XM-12 card default settings.
Table C-8 DS3XM-12 Card Default Settings
Default Name Default Value Default Domain
DS3XM12.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
DS3XM12.config.FeInhibitLpbk TRUE TRUE, FALSE
DS3XM12.config.LineLength 0 - 225 ft (feet) 0 - 225 ft, 226 - 450 ft
DS3XM12.config.LineType M13 M13, C BIT
DS3XM12.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3XM12.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE
DS3XM12.config.SendAISOnTerminalLoopback FALSE TRUE, FALSE
DS3XM12.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
DS3XM12.config.State OOS,DSBLD IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3XM12.ds1config.FdlMode T1.403 T1.403, BFDL when LineType ESF, D4; T1.403 when LineType UNFRAMED, AUTO FRAME
DS3XM12.ds1config.LineType AUTO FRAME ESF, D4, UNFRAMED, AUTO FRAME
DS3XM12.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700
DS3XM12.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM12.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3XM12.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM12.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.15min.AISS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.CSS 25 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.CV 13296 (count) 0 - 287100
DS3XM12.pmthresholds.ds1path.farend.15min.ES 65 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESA 25 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESB 25 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESFE 65 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESNE 65 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SEFS 25 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SES 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SESFE 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SESNE 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UASFE 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UASNE 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.farend.1day.AISS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.CSS 25 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.CV 132960 (count) 0 - 27561600
DS3XM12.pmthresholds.ds1path.farend.1day.ES 648 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESA 25 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESB 25 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESFE 648 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESNE 648 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SEFS 25 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SESFE 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SESNE 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UASFE 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UASNE 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.15min.AISS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.CV 13296 (count) 0 - 287100
DS3XM12.pmthresholds.ds1path.nearend.15min.ES 65 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.FC 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.SES 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.CV 132960 (count) 0 - 27561600
DS3XM12.pmthresholds.ds1path.nearend.1day.ES 648 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.FC 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.SAS 17 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.SES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700
DS3XM12.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM12.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM12.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200
DS3XM12.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM12.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700
DS3XM12.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200
DS3XM12.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.farend.15min.CV 15 (B3 count) 0 - 2160000
DS3XM12.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72
DS3XM12.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.farend.1day.CV 125 (B3 count) 0 - 207360000
DS3XM12.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912
DS3XM12.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000
DS3XM12.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72
DS3XM12.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000
DS3XM12.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912
DS3XM12.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400
DS3XM12.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.farend.15min.CV 15 (BIP8 count) 0 - 2160000
DS3XM12.pmthresholds.vt.farend.15min.ES 12 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.farend.15min.SES 3 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.farend.1day.CV 125 (BIP8 count) 0 - 207360000
DS3XM12.pmthresholds.vt.farend.1day.ES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.farend.1day.SES 7 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.nearend.15min.CV 15 (BIP8 count) 0 - 2160000
DS3XM12.pmthresholds.vt.nearend.15min.ES 12 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.nearend.15min.SES 3 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900
DS3XM12.pmthresholds.vt.nearend.1day.CV 125 (BIP8 count) 0 - 207360000
DS3XM12.pmthresholds.vt.nearend.1day.ES 100 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.nearend.1day.SES 7 (seconds) 0 - 86400
DS3XM12.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.9 EC1-12 Card Default Settings
Table C-9 lists the EC1-12 card default settings.
Table C-9 EC1-12 Card Default Settings
Default Name Default Value Default Domain
EC1.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
EC1.config.line.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft
EC1.config.line.PJStsMon# 0 (STS #) 0 - 1
EC1.config.line.RxEqualization TRUE TRUE, FALSE
EC1.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
EC1.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
EC1.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
EC1.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
EC1.config.sts.IPPMEnabled FALSE TRUE, FALSE
EC1.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
EC1.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
EC1.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
EC1.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
EC1.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
EC1.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 8850600
EC1.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
EC1.pmthresholds.line.farend.1day.FC 40 (count) 0 - 72
EC1.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
EC1.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
EC1.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700
EC1.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
EC1.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
EC1.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
EC1.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
EC1.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200
EC1.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
EC1.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
EC1.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
EC1.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
EC1.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600
EC1.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
EC1.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
EC1.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
EC1.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600
EC1.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
EC1.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
EC1.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
EC1.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
EC1.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
EC1.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
EC1.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
EC1.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
EC1.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
EC1.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
EC1.pmthresholds.sts1.farend.1day.FC 10 (count) 0 - 6912
EC1.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
EC1.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
EC1.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
EC1.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
EC1.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
EC1.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
EC1.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
EC1.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
EC1.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
EC1.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
EC1.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
EC1.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
EC1.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
EC1.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.10 FC_MR-4 Card Default Settings
Table C-10 lists the FC_MR-4 card default settings.
Table C-10 FC_MR-4 Card Default Settings
Default Name Default Value Default Domain
FC-MR.config.card.Mode Fibre Channel/FICON Enhanced Fibre Channel Line Rate, Fibre Channel/FICON Enhanced when //.port.MediaType Undefined; Fibre Channel/FICON Enhanced when //.port.MediaType FICON - 1 Gbps ISL, FICON - 2 Gbps ISL; Fibre Channel Line Rate, Fibre Channel/FICON Enhanced when //.port.MediaType Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL
FC-MR.config.port.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
FC-MR.config.port.distanceExtension.AutoadjustGFPBufferThreshold TRUE TRUE, FALSE
FC-MR.config.port.distanceExtension.AutoDetect TRUE TRUE, FALSE
FC-MR.config.port.distanceExtension.NumCredits 32 2 - 256
FC-MR.config.port.distanceExtension.NumGFPBuffers 16 16, 32, 48 .. 1200
FC-MR.config.port.DistanceExtensionVsLinkRecovery Distance Extension Neither Distance Extension nor Link Recovery, Distance Extension, LinkRecovery when MediaType Undefined; Distance Extension when MediaType FICON - 1 Gbps ISL, FICON - 2 Gbps ISL; Neither Distance Extension nor Link Recovery, Distance Extension, LinkRecovery when MediaType Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL
FC-MR.config.port.enhancedFibreChannelFicon.IngressIdleFiltering TRUE TRUE, FALSE
FC-MR.config.port.enhancedFibreChannelFicon.MaxFrameSize 2148 2148, 2152, 2156, 2160, 2164, 2168, 2172
FC-MR.config.port.MediaType Undefined Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL, FICON - 1 Gbps ISL, FICON - 2 Gbps ISL, Undefined
FC-MR.config.port.State OOS,DSBLD IS, OOS,DSBLD, OOS,MT, IS,AINS
C.2.3.11 Ethernet Card Default Settings
Table C-11 lists the ML1000, ML100T, ML-100X-8, ML-MR-10, CE-1000-4, CE-100T-8, and CE-MR-10 card default settings.
Table C-11 Ethernet Card Default Settings
Default Name Default Value Default Domain
CE-1000-4.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
CE-1000-4.config.State OOS,DSBLD IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-1000-4.etherPortConfig.AutoNegotiation TRUE TRUE, FALSE
CE-1000-4.etherPortConfig.FlowControl Symmetric None, Symmetric, Pass Through
CE-1000-4.etherPortConfig.liTimer 200 (ms) 200 - 5000
CE-1000-4.etherPortConfig.MTU 10004 (bytes) 1548, 10004
CE-1000-4.posPortConfig.FramingType GFP-F HDLC, GFP-F
CE-100T-8.config.AINSSoakTime 00:15 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
CE-100T-8.config.State OOS,DSBLD IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-100T-8.etherPortConfig.802-1Q-VlanCoS 7 (count) 0 - 7
CE-100T-8.etherPortConfig.IP-ToS 255 (count) 0 - 255
CE-100T-8.etherPortConfig.liTimer 200 (ms) 200 - 5000
CE-MR.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
CE-MR.config.card.Mode MANUAL AUTOMATIC, MANUAL
CE-MR.config.State OOS,DSBLD IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-MR.etherPortConfig.802-1Q-VlanCoS 7 (count) 0 - 7
CE-MR.etherPortConfig.IP-ToS 255 (count) 0 - 255
CE-MR.etherPortConfig.liTimer 200 (ms) 200 - 5000
ML1000.config.card.Mode HDLC HDLC, GFP-F, RPR 802.17
ML1000.config.PreServiceAlarmSuppression FALSE TRUE, FALSE
ML1000.config.SoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
ML1000.ios.consolePortAccess TRUE TRUE, FALSE
ML1000.ios.radiusServerAccess FALSE TRUE, FALSE
ML100T.config.card.Mode HDLC HDLC, GFP-F, RPR 802.17
ML100T.config.PreServiceAlarmSuppression FALSE TRUE, FALSE
ML100T.config.SoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
ML100T.ios.consolePortAccess TRUE TRUE, FALSE
ML100T.ios.radiusServerAccess FALSE TRUE, FALSE
ML100X-8.config.card.Mode HDLC HDLC, GFP-F, RPR 802.17
ML100X-8.config.PreServiceAlarmSuppression FALSE TRUE, FALSE
ML100X-8.config.SoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
ML100X-8.ios.consolePortAccess TRUE TRUE, FALSE
ML100X-8.ios.radiusServerAccess FALSE TRUE, FALSE
ML-MR.config.card.Mode MANUAL AUTOMATIC, MANUAL
ML-MR.ios.consolePortAccess TRUE TRUE, FALSE
ML-MR.config.PreServiceAlarmSuppression FALSE TRUE, FALSE
ML-MR.ios.radiusServerAccess FALSE TRUE, FALSE
ML-MR.config.SoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
C.2.3.12 OC-3 Card Default Settings
Table C-12 lists the OC-3 (OC3 IR 4/STM1 SH 1310) card default settings.
Table C-12 OC-3 Card Default Settings
Default Name Default Value Default Domain
OC3.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC3.config.line.PJStsMon# 0 (STS #) 0 - 3
OC3.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC3.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC3.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC3.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC3.config.line.SendAISOnFacilityLoopback FALSE TRUE, FALSE
OC3.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC3.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC3.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set N/A
OC3.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC3.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC3.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC3.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC3.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
OC3.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC3.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC3.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC3.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC3.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 13219200
OC3.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC3.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC3.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC3.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC3.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700
OC3.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC3.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC3.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC3.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC3.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC3.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC3.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200
OC3.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC3.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC3.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC3.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC3.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC3.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC3.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600
OC3.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC3.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC3.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC3.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600
OC3.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC3.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC3.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC3.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC3.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC3.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC3.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC3.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC3.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC3.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC3.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC3.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC3.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC3.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC3.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC3.pmthresholds.sts3c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC3.pmthresholds.sts3c.nearend.15min.ES 20 (seconds) 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.FC 10 (count) 0 - 72
OC3.pmthresholds.sts3c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC3.pmthresholds.sts3c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.SES 3 (seconds) 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.UAS 10 (seconds) 0 - 900
OC3.pmthresholds.sts3c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC3.pmthresholds.sts3c.nearend.1day.ES 200 (seconds) 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.FC 10 (count) 0 - 6912
OC3.pmthresholds.sts3c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC3.pmthresholds.sts3c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.SES 7 (seconds) 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.13 OC3-8 Card Default Settings
Table C-13 lists the eight-port OC3-8 (OC3 IR/STM1 SH 1310-8) card default settings.
Table C-13 OC3-8 Card Default Settings
Default Name Default Value Default Domain
OC3-8.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC3-8.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC3-8.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC3-8.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
OC3-8.config.line.PJStsMon# 0 (STS #) 0 - 3
OC3-8.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC3-8.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC3-8.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3-8.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC3-8.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC3-8.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC3-8.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC3-8.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC3-8.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC3-8.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3-8.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC3-8.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC3-8.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC3-8.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC3-8.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC3-8.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC3-8.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC3-8.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
OC3-8.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC3-8.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC3-8.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC3-8.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC3-8.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 13219200
OC3-8.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC3-8.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC3-8.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC3-8.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC3-8.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700
OC3-8.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC3-8.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC3-8.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC3-8.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC3-8.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC3-8.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC3-8.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200
OC3-8.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC3-8.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC3-8.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC3-8.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600
OC3-8.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC3-8.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC3-8.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC3-8.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600
OC3-8.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC3-8.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC3-8.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC3-8.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC3-8.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC3-8.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC3-8.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC3-8.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC3-8.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC3-8.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC3-8.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC3-8.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC3-8.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC3-8.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC3-8.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC3-8.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC3-8.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC3-8.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC3-8.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC3-8.pmthresholds.sts3c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC3-8.pmthresholds.sts3c.nearend.15min.ES 20 (seconds) 0 - 900
OC3-8.pmthresholds.sts3c.nearend.15min.FC 10 (count) 0 - 72
OC3-8.pmthresholds.sts3c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts3c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts3c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC3-8.pmthresholds.sts3c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC3-8.pmthresholds.sts3c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC3-8.pmthresholds.sts3c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts3c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC3-8.pmthresholds.sts3c.nearend.15min.SES 3 (seconds) 0 - 900
OC3-8.pmthresholds.sts3c.nearend.15min.UAS 10 (seconds) 0 - 900
OC3-8.pmthresholds.sts3c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC3-8.pmthresholds.sts3c.nearend.1day.ES 200 (seconds) 0 - 86400
OC3-8.pmthresholds.sts3c.nearend.1day.FC 10 (count) 0 - 6912
OC3-8.pmthresholds.sts3c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts3c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts3c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC3-8.pmthresholds.sts3c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000
OC3-8.pmthresholds.sts3c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC3-8.pmthresholds.sts3c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts3c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC3-8.pmthresholds.sts3c.nearend.1day.SES 7 (seconds) 0 - 86400
OC3-8.pmthresholds.sts3c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.14 OC-12 Card Default Settings
Table C-14 lists the OC-12 (OC12 IR/STM4 SH 1310, OC12 LR/STM4 LH 1310, and OC12 LR/STM4 LH 1550) card default settings.
Table C-14 OC-12 Card Default Settings
Default Name Default Value Default Domain
OC12.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC12.config.line.PJStsMon# 0 (STS #) 0 - 12
OC12.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC12.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC12.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC12.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC12.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC12.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC12.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC12.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC12.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC12.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC12.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC12.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC12.pmthresholds.line.farend.15min.CV 5315 (B2 count) 0 - 552600
OC12.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC12.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC12.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC12.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC12.pmthresholds.line.farend.1day.CV 53150 (B2 count) 0 - 53049600
OC12.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC12.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC12.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC12.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC12.pmthresholds.line.nearend.15min.CV 5315 (B2 count) 0 - 552600
OC12.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC12.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC12.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC12.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
OC12.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC12.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
OC12.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC12.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC12.pmthresholds.line.nearend.1day.CV 53150 (B2 count) 0 - 53049600
OC12.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC12.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC12.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC12.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
OC12.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC12.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
OC12.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC12.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 553500
OC12.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC12.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC12.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC12.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 53136000
OC12.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC12.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC12.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC12.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC12.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC12.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC12.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC12.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC12.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC12.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC12.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12.pmthresholds.sts12c.nearend.15min.CV 75 (B3 count) 0 - 2160000
OC12.pmthresholds.sts12c.nearend.15min.ES 60 (seconds) 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.FC 10 (count) 0 - 72
OC12.pmthresholds.sts12c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12.pmthresholds.sts12c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.SES 3 (seconds) 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.UAS 10 (seconds) 0 - 900
OC12.pmthresholds.sts12c.nearend.1day.CV 750 (B3 count) 0 - 207360000
OC12.pmthresholds.sts12c.nearend.1day.ES 600 (seconds) 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.FC 10 (count) 0 - 6912
OC12.pmthresholds.sts12c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12.pmthresholds.sts12c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.SES 7 (seconds) 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC12.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
OC12.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC12.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912
OC12.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.15 OC12-4 Card Default Settings
Table C-15 lists the four-port OC12-4 (OC12 IR/STM4 SH 1310-4) card default settings.
Table C-15 OC12-4 Card Default Settings
Default Name Default Value Default Domain
OC12-4.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC12-4.config.line.PJStsMon# 0 (STS #) 0 - 12
OC12-4.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC12-4.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC12-4.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12-4.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC12-4.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC12-4.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC12-4.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC12-4.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC12-4.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC12-4.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12-4.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC12-4.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC12-4.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC12-4.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC12-4.pmthresholds.line.farend.15min.CV 5315 (B2 count) 0 - 552600
OC12-4.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC12-4.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC12-4.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC12-4.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC12-4.pmthresholds.line.farend.1day.CV 53150 (B2 count) 0 - 53049600
OC12-4.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC12-4.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC12-4.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC12-4.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC12-4.pmthresholds.line.nearend.15min.CV 5315 (B2 count) 0 - 552600
OC12-4.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC12-4.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC12-4.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC12-4.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
OC12-4.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC12-4.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
OC12-4.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC12-4.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC12-4.pmthresholds.line.nearend.1day.CV 53150 (B2 count) 0 - 53049600
OC12-4.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC12-4.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC12-4.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
OC12-4.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12-4.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 553500
OC12-4.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC12-4.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC12-4.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC12-4.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 53136000
OC12-4.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC12-4.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC12-4.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC12-4.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC12-4.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC12-4.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12-4.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC12-4.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC12-4.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC12-4.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12-4.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.15min.CV 75 (B3 count) 0 - 2160000
OC12-4.pmthresholds.sts12c.nearend.15min.ES 60 (seconds) 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.FC 10 (count) 0 - 72
OC12-4.pmthresholds.sts12c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12-4.pmthresholds.sts12c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.SES 3 (seconds) 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.UAS 10 (seconds) 0 - 900
OC12-4.pmthresholds.sts12c.nearend.1day.CV 750 (B3 count) 0 - 207360000
OC12-4.pmthresholds.sts12c.nearend.1day.ES 600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.FC 10 (count) 0 - 6912
OC12-4.pmthresholds.sts12c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12-4.pmthresholds.sts12c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.SES 7 (seconds) 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.UAS 10 (seconds) 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
OC12-4.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912
OC12-4.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.16 OC-48 Card Default Settings
Table C-16 lists the OC-48 (OC48 IR 1310, OC48 LR 1550, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC48 ELR/STM16 EH 100 GHz, and OC48 ELR 200 GHz) card default settings.
Table C-16 OC-48 Card Default Settings
Default Name Default Value Default Domain
OC48.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC48.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC48.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC48.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
OC48.config.line.PJStsMon# 0 (STS #) 0 - 48
OC48.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC48.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC48.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC48.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC48.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC48.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC48.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC48.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC48.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC48.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC48.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC48.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC48.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC48.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC48.pmthresholds.line.farend.15min.CV 21260 (B2 count) 0 - 2212200
OC48.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC48.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC48.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC48.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC48.pmthresholds.line.farend.1day.CV 212600 (B2 count) 0 - 212371200
OC48.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC48.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC48.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC48.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.15min.CV 21260 (B2 count) 0 - 2212200
OC48.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC48.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
OC48.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC48.pmthresholds.line.nearend.1day.CV 212600 (B2 count) 0 - 212371200
OC48.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC48.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC48.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC48.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 2151900
OC48.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC48.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
Table C-16 OC-48 Card Default Settings (continued)
Default Name Default Value Default Domain
OC48.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC48.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 206582400
OC48.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC48.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC48.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC48.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC48.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC48.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC48.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC48.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC48.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC48.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC48.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC48.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC48.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC48.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC48.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.15min.CV 75 (B3 count) 0 - 2160000
OC48.pmthresholds.sts12c-48c.nearend.15min.ES 60 (seconds) 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.FC 10 (count) 0 - 72
OC48.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.SES 3 (seconds) 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.UAS 10 (seconds) 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.1day.CV 750 (B3 count) 0 - 207360000
OC48.pmthresholds.sts12c-48c.nearend.1day.ES 600 (seconds) 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.FC 10 (count) 0 - 6912
OC48.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.SES 7 (seconds) 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.UAS 10 (seconds) 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC48.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
OC48.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC48.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912
OC48.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC48.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC48.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC48.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.17 OC-192 Card Default Settings
Table C-17 lists the OC-192 (OC192 SR/STM64 IO 1310, OC192 LR/STM64 LH ITU 15xx.xx, OC192 IR/STM64 SH 1550, and OC192 LR/STM64 LH 1550) card default settings.
Table C-17 OC-192 Card Default Settings
Default Name Default Value Default Domain
OC192.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC192.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC192.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC192.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
OC192.config.line.PJStsMon# 0 (STS #) 0 - 192
OC192.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC192.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC192.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC192.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC192.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC192.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC192.config.line.SendAISOnTerminalLoopback FALSE FALSE
OC192.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC192.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC192.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC192.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC192.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC192.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC192.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC192.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192.pmthresholds.line.farend.15min.CV 85040 (B2 count) 0 - 8850600
OC192.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC192.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC192.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC192.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC192.pmthresholds.line.farend.1day.CV 850400 (B2 count) 0 - 849657600
OC192.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC192.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC192.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC192.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.15min.CV 85040 (B2 count) 0 - 8850600
OC192.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC192.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC192.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600
OC192.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600
OC192.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
OC192.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC192.pmthresholds.line.nearend.1day.CV 850400 (B2 count) 0 - 849657600
OC192.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC192.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC192.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600
OC192.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600
OC192.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
OC192.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC192.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 7967700
OC192.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC192.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC192.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC192.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 764899200
OC192.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC192.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC192.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC192.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC192.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC192.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC192.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC192.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC192.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC192.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC192.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912
OC192.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC192.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC192.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192.pmthresholds.sts12c-192c.nearend.15min.CV 75 (B3 count) 0 - 2160000
OC192.pmthresholds.sts12c-192c.nearend.15min.ES 60 (seconds) 0 - 900
OC192.pmthresholds.sts12c-192c.nearend.15min.FC 10 (count) 0 - 72
OC192.pmthresholds.sts12c-192c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts12c-192c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts12c-192c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192.pmthresholds.sts12c-192c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192.pmthresholds.sts12c-192c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192.pmthresholds.sts12c-192c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts12c-192c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts12c-192c.nearend.15min.SES 3 (seconds) 0 - 900
OC192.pmthresholds.sts12c-192c.nearend.15min.UAS 10 (seconds) 0 - 900
OC192.pmthresholds.sts12c-192c.nearend.1day.CV 750 (B3 count) 0 - 207360000
OC192.pmthresholds.sts12c-192c.nearend.1day.ES 600 (seconds) 0 - 86400
OC192.pmthresholds.sts12c-192c.nearend.1day.FC 10 (count) 0 - 6912
OC192.pmthresholds.sts12c-192c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts12c-192c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts12c-192c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192.pmthresholds.sts12c-192c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000
OC192.pmthresholds.sts12c-192c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192.pmthresholds.sts12c-192c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts12c-192c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts12c-192c.nearend.1day.SES 7 (seconds) 0 - 86400
OC192.pmthresholds.sts12c-192c.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC192.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
OC192.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
OC192.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
OC192.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
OC192.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC192.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
OC192.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912
OC192.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC192.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
OC192.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.18 OC192-XFP Default Settings
Table C-18 lists the OC192-XFP default settings.
Table C-18 OC192-XFP Default Settings
Default Name Default Value Default Domain
OC192-XFP.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
OC192-XFP.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC192-XFP.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC192-XFP.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
OC192-XFP.config.line.PJStsMon# 0 (STS #) 0 - 192
OC192-XFP.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC192-XFP.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS
OC192-XFP.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC192-XFP.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
OC192-XFP.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
OC192-XFP.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
OC192-XFP.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
OC192-XFP.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
OC192-XFP.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC192-XFP.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC192-XFP.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
OC192-XFP.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
OC192-XFP.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
OC192-XFP.config.sts.IPPMEnabled FALSE TRUE, FALSE
OC192-XFP.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192-XFP.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192-XFP.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192-XFP.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192-XFP.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192-XFP.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192-XFP.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192-XFP.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192-XFP.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192-XFP.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
OC192-XFP.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
OC192-XFP.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC192-XFP.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
OC192-XFP.pmthresholds.line.farend.15min.CV 85040 (B2 count) 0 - 8850600
OC192-XFP.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.farend.1day.CV 850400 (B2 count) 0 - 849657600
OC192-XFP.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.15min.CV 85040 (B2 count) 0 - 8850600
OC192-XFP.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
OC192-XFP.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600
OC192-XFP.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600
OC192-XFP.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
OC192-XFP.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.line.nearend.1day.CV 850400 (B2 count) 0 - 849657600
OC192-XFP.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
OC192-XFP.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600
OC192-XFP.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600
OC192-XFP.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
OC192-XFP.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
OC192-XFP.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 7967700
OC192-XFP.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
OC192-XFP.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
OC192-XFP.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
OC192-XFP.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 764899200
OC192-XFP.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
OC192-XFP.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
OC192-XFP.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192-XFP.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192-XFP.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.CV 75 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.ES 60 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.farend.1day.CV 750 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts12c-192c.farend.1day.ES 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.farend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts12c-192c.farend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.farend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.CV 75 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.ES 60 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.CV 750 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.ES 600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.FC 40 (count) 0 - 6912
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.19 MRC-12 Card Default Settings
Table C-19 lists the MRC-12 card default settings.
Table C-19 MRC-12 Card Default Settings
Default Name Default Value Default Domain
MRC-12.OC12-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC12-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC12-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC12-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
MRC-12.OC12-PORT.config.line.PJStsMon# 0 (STS #) 0 - 12
MRC-12.OC12-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC12-PORT.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC12-PORT.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC12-PORT.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC12-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
MRC-12.OC12-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
MRC-12.OC12-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
MRC-12.OC12-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC12-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC12-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC12-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC12-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
MRC-12.OC12-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.CV 5315 (B2 count) 0 - 552600
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.CV 53150 (B2 count) 0 - 53049600
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.CV 5315 (B2 count) 0 - 552600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.CV 53150 (B2 count) 0 - 53049600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 553500
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 53136000
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.CV 75 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.ES 60 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.CV 750 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.ES 600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.CV 75 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.ES 60 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.CV 750 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.ES 600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC3-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC3-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC3-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
MRC-12.OC3-PORT.config.line.PJStsMon# 0 (STS #) 0 - 3
MRC-12.OC3-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC3-PORT.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC3-PORT.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC3-PORT.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC3-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
MRC-12.OC3-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
MRC-12.OC3-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
MRC-12.OC3-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC3-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC3-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC3-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC3-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
MRC-12.OC3-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 13219200
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC48-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC48-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC48-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
MRC-12.OC48-PORT.config.line.PJStsMon# 0 (STS #) 0 - 48
MRC-12.OC48-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC48-PORT.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC48-PORT.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC48-PORT.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC48-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
MRC-12.OC48-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
MRC-12.OC48-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
MRC-12.OC48-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC48-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
MRC-12.OC48-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
MRC-12.OC48-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC48-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
MRC-12.OC48-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.CV 21260 (B2 count) 0 - 2212200
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.CV 212600 (B2 count) 0 - 212371200
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.CV 21260 (B2 count) 0 - 2212200
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.CV 212600 (B2 count) 0 - 212371200
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 2151900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 206582400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.CV 75 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.ES 60 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.CV 750 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.ES 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.CV 75 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.ES 60 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.CV 750 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.ES 600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.FC 40 (count) 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
C.2.3.20 MRC-2.5G-4 Card Default Settings
Table C-20 lists the MRC-2.5G-4 card default settings.
Table C-20 MRC-2.5G-4 Card Default Settings
Default Name Default Value Default Domain
MRC25G-4.OC12-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
MRC25G-4.OC12-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC25G-4.OC12-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC25G-4.OC12-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
MRC25G-4.OC12-PORT.config.line.PJStsMon# 0 (STS #) 0 - 12
MRC25G-4.OC12-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC25G-4.OC12-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
MRC25G-4.OC12-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
MRC25G-4.OC12-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
MRC25G-4.OC12-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC25G-4.OC12-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
MRC25G-4.OC12-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
MRC25G-4.OC12-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC25G-4.OC12-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
MRC25G-4.OC12-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.CV 5315 (B2 count) 0 - 552600
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.CV 53150 (B2 count) 0 - 53049600
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.CV 5315 (B2 count) 0 - 552600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.CV 53150 (B2 count) 0 - 53049600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 553500
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 53136000
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.CV 75 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.ES 60 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.CV 750 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.ES 600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.CV 75 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.ES 60 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.CV 750 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.ES 600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC3-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00
MRC25G-4.OC3-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC25G-4.OC3-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC25G-4.OC3-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300
MRC25G-4.OC3-PORT.config.line.PJStsMon# 0 (STS #) 0 - 3
MRC25G-4.OC3-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC25G-4.OC3-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE
MRC25G-4.OC3-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE
MRC25G-4.OC3-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5
MRC25G-4.OC3-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC25G-4.OC3-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE
MRC25G-4.OC3-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE
MRC25G-4.OC3-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC25G-4.OC3-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE
MRC25G-4.OC3-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 13219200
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 13305600
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC25G-4.OC48-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC25G-4.OC48-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC25G-4.OC48-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC25G-4.OC48-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 48
MRC25G-4.OC48-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC25G-4.OC48-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC48-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC48-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC25G-4.OC48-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC25G-4.OC48-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC25G-4.OC48-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC25G-4.OC48-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC25G-4.OC48-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC25G-4.OC48-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.CV | 21260 (B2 count) | 0 - 2212200
MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.CV | 212600 (B2 count) | 0 - 212371200
MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.CV | 21260 (B2 count) | 0 - 2212200
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-R | 1 (count) | 0 - 600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-S | 1 (count) | 0 - 600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-R | 300 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-S | 300 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.CV | 212600 (B2 count) | 0 - 212371200
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-R | 5 (count) | 0 - 57600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-S | 5 (count) | 0 - 57600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-R | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-S | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 2151900
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 206582400
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.ES | 60 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.ES | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.ES | 60 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.ES | 600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
C.3 Node Default Settings
Table C-21 on page C-101 lists the node-level default settings for the Cisco ONS 15454. Cisco provides the following user-configurable defaults for each Cisco ONS 15454 node:
• Circuit settings—Set the administrative state and path protection circuit defaults, and whether to have circuits send a payload defect indication condition (PDIP).
• General settings—Set general node management defaults, including whether to use Daylight Saving Time (DST), whether to insert Alarm Indication Signal VT (AIS-V) in each VT when the carrying STS crosses the signal degrade (SD) path bit error rate (BER) threshold, the IP address of the Network Time Protocol/Simple Network Time Protocol (NTP/SNTP) server to be used, the time zone where the node is located, the SD path BER value, the defaults description, whether to raise a condition on an empty card slot, whether automatic autonomous Transaction Language One (TL1) reporting of PM data is enabled for cross-connect paths on the node, whether or not to allow ports to be disabled while they are providing services (when this default is set to FALSE, users must remove or disable the services first, then put the ports out of service), and whether to report loopback conditions on Out-of-Service, Maintenance (OOS-MT) state ports.
• Power Monitor settings—Set default voltage thresholds for the node.
• Network settings—Set whether to prevent display of node IP addresses in CTC (applicable for all users except Superusers); the default gateway node type; whether to raise an alarm when the backplane LAN cable is disconnected; and whether to display the IP address on the LCD in an editable mode (in which you can change the IP address directly from the LCD screen), to display the IP address on the LCD as read-only, or to suppress display of the IP address on the LCD entirely.
• OSI settings—Set the Open System Interconnection (OSI) main setup, generic routing encapsulation (GRE) tunnel default, the link access protocol on the D channel (LAP-D), the router subnet, and the TID address resolution protocol (TARP) settings.
• 1+1 and Optimized 1+1 protection settings—Set whether or not protected circuits have bidirectional switching, whether they are revertive, and what the reversion time is; set the optimized 1+1 detection, recovery, and verify guard timer values.
Note Optimized 1+1 supports three timers that ensure the correct state of the cards at key points in card communication. A verification guard timer is used when a Force is issued, to ensure that the far end has a chance to respond. A detection guard timer is used to ensure the presence of an SF/SD condition before switching away from a card. A recovery guard timer ensures the absence of SF/SD prior to switching to a card. You can change the default number of seconds before these timers expire by changing the NE default for the corresponding timer to a value within its domain of allowable values.
• BLSR protection settings—Set whether BLSR-protected circuits are revertive, and what the reversion time is, at both the ring and span levels.
• Legal Disclaimer—Set the legal disclaimer that warns users at the login screen about the possible legal or contractual ramifications of accessing equipment, systems, or networks without authorization.
• Security Grant Permissions—Set the default user security levels required for activating/reverting software, clearing PM data, restoring the database, and retrieving audit logs.
• Security DataComm settings—Set default security settings for the TCC Ethernet IP address and IP netmask, and CTC backplane IP suppression; set secure mode on and secure mode locked (for TCC2P cards only).
Note The secure mode supported setting is not user-configurable; rather, it depends upon the presence or absence of TCC2P cards on the node for its setting.
• Security Access settings—Set default security settings for LAN access, shell access, serial craft access, element management system (EMS) access (including the Internet Inter-Object Request Broker Protocol [IIOP] listener port number), TL1 access, and Simple Network Management Protocol (SNMP) access.
• Security RADIUS settings—Set default RADIUS server settings for the accounting port number and the authentication port number, and whether to enable the node as a final authenticator.
• Security Policy settings—Set the number of failed logins allowed before lockout, the idle user timeout for each user level, an optional lockout duration or manual unlock requirement, password reuse and change frequency policies, the number of characters that must differ between the old and new password, password aging by security level, enforcement of a single concurrent session per user, and the option to disable an inactive user after a set inactivity period.
• Security Password settings—Set when passwords can be changed, how many characters they must differ by, whether or not password reuse is allowed, and whether a password change is required on first login to a new account; set password aging enforcement and user-level-specific aging and warning periods; set how many consecutive identical characters are allowed in a password, the maximum password length, the minimum password length, the minimum number and combination of nonalphabetical characters required, and whether or not to allow a password that is the reversal of the login ID associated with it.
• BITS Timing settings—Set the AIS threshold, Admin synchronization status messaging (SSM), coding, facility type, framing, state, and line build-out (LBO) settings for building integrated timing supply 1 (BITS-1) and BITS-2 timing.
• General Timing settings—Set the mode (External, Line, or Mixed), quality of reserved (RES) timing (the rule that defines the order of clock quality from lowest to highest), revertive, reversion time, and SSM message set for node timing.
Note Changing any node-level default using the Provisioning > Defaults tab changes the existing node-level
provisioning. This can be service affecting, depending on the type of defaults changed (for example,
general, and all timing and security attributes). The message “Changing default values for some node level
attributes overrides the current provisioning.” is displayed. The Side Effects column of the
Defaults editor (right-click a column header and select Show Column > Side Effects) explains the effect
of changing the default values. However, when card-level defaults are changed using the
Provisioning > Defaults tab, existing card provisioning remains unaffected.
Note For more information about each individual node setting, refer to the “Change Node Settings” chapter
of the Cisco ONS 15454 Procedure Guide.
Table C-21 Node Default Settings
Default Name | Default Value | Default Domain
NODE.circuits.SendPDIP | TRUE | TRUE, FALSE
NODE.circuits.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
NODE.circuits.pathprotection.AllowpathprotectionOverOnePlusOne | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.ProvisionWorkingGoAndReturnOnPrimaryPath | TRUE | TRUE, FALSE
NODE.circuits.pathprotection.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.circuits.pathprotection.Revertive | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.STS_SDBER | 1.00E-06 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
NODE.circuits.pathprotection.STS_SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
NODE.circuits.pathprotection.SwitchOnPDIP | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.VT_SDBER | 1.00E-05 | 1E-5, 1E-6, 1E-7, 1E-8
NODE.circuits.pathprotection.VT_SFBER | 1.00E-03 | 1E-3, 1E-4, 1E-5
NODE.general.AllowServiceAffectingPortChangeToDisabled | TRUE | FALSE, TRUE
NODE.general.AutoPM | FALSE | FALSE, TRUE
NODE.general.BackupNtpSntpServer | 0.0.0.0 | IP Address
NODE.general.DefaultsDescription | Factory Defaults | Free form field
NODE.general.InsertAISVOnSDP | FALSE | TRUE, FALSE
NODE.general.NtpSntpServer | 0.0.0.0 | IP Address
NODE.general.RaiseConditionOnEmptySlot | FALSE | TRUE, FALSE
NODE.general.ReportLoopbackConditionsOnOOS-MTPorts | FALSE | FALSE, TRUE
NODE.general.SDPBER | 1.00E-06 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
NODE.general.TimeZone | (GMT-08:00) Pacific Time (US & Canada), Tijuana | (For applicable time zones, see Table C-22 on page C-117.)
NODE.general.UseDST | TRUE | TRUE, FALSE
NODE.lmp.controlChannel.AdminState | OOS,DSBLD | IS, OOS,DSBLD
NODE.lmp.controlChannel.HelloDeadInterval | 12000 (ms) | maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)), maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)) + 1, maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)) + 2 .. minimum_of(20000,MaxHelloDeadInterval)
NODE.lmp.controlChannel.HelloInterval | 500 (ms) | maximum_of(300,MinHelloInterval), maximum_of(300,MinHelloInterval) + 1, maximum_of(300,MinHelloInterval) + 2 .. minimum_of(5000,MaxHelloInterval,quotient_of(HelloDeadInterval,3))
NODE.lmp.controlChannel.MaxHelloDeadInterval | 20000 (ms) | maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)), maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)) + 1, maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)) + 2 .. 20000
NODE.lmp.controlChannel.MaxHelloInterval | 2000 (ms) | maximum_of(300,HelloInterval), maximum_of(300,HelloInterval) + 1, maximum_of(300,HelloInterval) + 2 .. minimum_of(5000,difference_of(MaxHelloDeadInterval,1))
NODE.lmp.controlChannel.MinHelloDeadInterval | 2000 (ms) | maximum_of(2000,sum_of(MinHelloInterval,1)), maximum_of(2000,sum_of(MinHelloInterval,1)) + 1, maximum_of(2000,sum_of(MinHelloInterval,1)) + 2 .. minimum_of(20000,HelloDeadInterval)
NODE.lmp.controlChannel.MinHelloInterval | 300 (ms) | 300, 301, 302 .. minimum_of(5000,HelloInterval,difference_of(MinHelloDeadInterval,1))
NODE.lmp.dataLink.Type | Port | Port, Component
NODE.lmp.general.Allowed | TRUE | FALSE, TRUE
NODE.lmp.general.Enabled | FALSE | FALSE, TRUE when Allowed TRUE; FALSE when Allowed FALSE
NODE.lmp.general.LMP-WDM | TRUE | FALSE, TRUE
NODE.lmp.general.Role | OLS | PEER, OLS
NODE.lmp.teLink.AdminState | OOS,DSBLD | IS, OOS,DSBLD
NODE.lmp.teLink.DWDM | TRUE | FALSE, TRUE
NODE.lmp.teLink.MuxCapability | Lambda Switch | Packet Switch - Level 1, Packet Switch - Level 2, Packet Switch - Level 3, Packet Switch - Level 4, Layer 2 Switch, TDM Cross-connect, Lambda Switch, Fiber Switch
NODE.network.general.AlarmMissingBackplaneLAN | FALSE | TRUE, FALSE
NODE.network.general.CtcIpDisplaySuppression | FALSE | TRUE, FALSE
NODE.network.general.GatewaySettings | None | LeaveAsIs, None, ENE, GNE, ProxyOnlyNode
NODE.network.general.LcdSetting | Allow Configuration | Allow Configuration, Display Only, Suppress Display
NODE.osi.greTunnel.OspfCost | 110 | 110 - 65535
NODE.osi.greTunnel.SubnetMask | 24 (bits) | 8, 9, 10 .. 32
NODE.osi.lapd.Mode | AITS | AITS, UITS
NODE.osi.lapd.MTU | 512 | 512, 513, 514 .. 1500
NODE.osi.lapd.Role | Network | Network, User
NODE.osi.lapd.T200 | 200 (ms) | 200, 300, 400 .. 20000
NODE.osi.lapd.T203 | 10000 (ms) | 4000, 4100, 4200 .. 120000
NODE.osi.mainSetup.L1L2LSPBufferSize | 512 (bytes) | 512 - 1500
NODE.osi.mainSetup.L1LSPBufferSize | 512 (bytes) | 512 - 1500
NODE.osi.mainSetup.NodeRoutingMode | Intermediate System Level 1 | End System, Intermediate System Level 1, Intermediate System Level 1/Level 2
NODE.osi.subnet.DISPriority | 63 | 1, 2, 3 .. 127
NODE.osi.subnet.ESH | 10 (sec) | 10, 20, 30 .. 1000
NODE.osi.subnet.GCCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.subnet.IIH | 3 (sec) | 1, 2, 3 .. 600
NODE.osi.subnet.ISH | 10 (sec) | 10, 20, 30 .. 1000
NODE.osi.subnet.LANISISCost | 20 | 1, 2, 3 .. 63
NODE.osi.subnet.LDCCISISCost | 40 | 1, 2, 3 .. 63
NODE.osi.subnet.OSCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.subnet.SDCCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.tarp.L1DataCache | TRUE | FALSE, TRUE
NODE.osi.tarp.L2DataCache | FALSE | FALSE, TRUE
NODE.osi.tarp.LANStormSuppression | TRUE | FALSE, TRUE
NODE.osi.tarp.LDB | TRUE | FALSE, TRUE
NODE.osi.tarp.LDBEntry | 5 (min) | 1 - 10
NODE.osi.tarp.LDBFlush | 5 (min) | 0 - 1440
NODE.osi.tarp.PDUsL1Propagation | TRUE | FALSE, TRUE
NODE.osi.tarp.PDUsL2Propagation | TRUE | FALSE, TRUE
NODE.osi.tarp.PDUsOrigination | TRUE | FALSE, TRUE
NODE.osi.tarp.T1Timer | 15 (sec) | 0 - 3600
NODE.osi.tarp.T2Timer | 25 (sec) | 0 - 3600
NODE.osi.tarp.T3Timer | 40 (sec) | 0 - 3600
NODE.osi.tarp.T4Timer | 20 (sec) | 0 - 3600
NODE.osi.tarp.Type4PDUDelay | 0 (sec) | 0 - 255
NODE.powerMonitor.EHIBATVG | -56.5 (Vdc) | -54.0, -54.5, -55.0, -55.5, -56.0, -56.5
NODE.powerMonitor.ELWBATVG | -40.5 (Vdc) | -40.5, -41.0, -41.5, -42.0, -42.5, -43.0, -43.5, -44.0
NODE.powerMonitor.HIBATVG | -54.0 (Vdc) | -44.0, -44.5, -45.0 .. -56.5
NODE.powerMonitor.LWBATVG | -44.0 (Vdc) | -40.5, -41.0, -41.5 .. -54.0
NODE.protection.1+1.BidirectionalSwitching | FALSE | TRUE, FALSE
NODE.protection.1+1.DetectionGuardTimer | 1 (seconds) | 0, 0.05, 0.1, 0.5, 1, 2, 3, 4, 5
NODE.protection.1+1.RecoveryGuardTimer | 1 (seconds) | 0, 0.05, 0.1 .. 10
NODE.protection.1+1.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.1+1.Revertive | FALSE | TRUE, FALSE
NODE.protection.1+1.VerifyGuardTimer | 0.5 (seconds) | 0.5, 1
NODE.protection.blsr.RingReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.blsr.RingRevertive | TRUE | TRUE, FALSE
NODE.protection.blsr.SpanReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.blsr.SpanRevertive | TRUE | TRUE, FALSE
NODE.protection.splitter.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.splitter.Revertive | FALSE | TRUE, FALSE
NODE.protection.ycable.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.ycable.Revertive | FALSE | TRUE, FALSE
NODE.security.dataComm.CtcBackplaneIpDisplaySuppression | NOT SUPPORTED | FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE
NODE.security.dataComm.DefaultTCCEthernetIP | 10.0.0.1 | IP Address
NODE.security.dataComm.DefaultTCCEthernetIPNetmask | 24 (bits) | 8, 9, 10 .. 32
NODE.security.dataComm.isSecureModeSupportedOnControlCard | TRUE | FALSE, TRUE
NODE.security.dataComm.LcdBackplaneIpSetting | NOT SUPPORTED | Allow Configuration; Display Only; Suppress Display when nothing TRUE; (NOT SUPPORTED) when nothing FALSE
NODE.security.dataComm.SecureModeLocked | NOT SUPPORTED | FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE
NODE.security.dataComm.SecureModeOn (May reboot node) | NOT SUPPORTED | FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE
NODE.security.emsAccess.AccessState | NonSecure | NonSecure, Secure
NODE.security.emsAccess.IIOPListenerPort (May reboot node) | 57790 (port #) | 0 - 65535
NODE.security.grantPermission.ActivateRevertSoftware | Superuser | Provisioning, Superuser
NODE.security.grantPermission.PMClearingPrivilege | Provisioning | Provisioning, Superuser
NODE.security.grantPermission.RestoreDB | Superuser | Provisioning, Superuser
NODE.security.grantPermission.RetrieveAuditLog | Superuser | Provisioning, Superuser
NODE.security.idleUserTimeout.Maintenance | 01:00 (hours:mins) | 00:00, 00:01, 00:02 .. 16:39
NODE.security.idleUserTimeout.Provisioning | 00:30 (hours:mins) | 00:00, 00:01, 00:02 .. 16:39
NODE.security.idleUserTimeout.Retrieve | 00:00 (hours:mins) | 00:00, 00:01, 00:02 .. 16:39
NODE.security.idleUserTimeout.Superuser | 00:15 (hours:mins) | 00:00, 00:01, 00:02 .. 16:39
NODE.security.lanAccess.LANAccess (May disconnect CTC from node) | Front & Backplane | No LAN Access, Front Only, Backplane Only, Front & Backplane
NODE.security.lanAccess.RestoreTimeout | 5 (minutes) | 0 - 60
NODE.security.legalDisclaimer.LoginWarningMessage | WARNING This system is restricted to authorized users for business purposes. Unauthorized<p>access is a violation of the law. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring. | Free form field
NODE.security.other.DisableInactiveUser | FALSE | FALSE, TRUE
NODE.security.other.InactiveDuration | 45 (days) | 1, 2, 3 .. 99 when nothing TRUE; 45 when nothing FALSE
NODE.security.other.SingleSessionPerUser | FALSE | TRUE, FALSE
NODE.security.passwordAging.EnforcePasswordAging | FALSE | TRUE, FALSE
NODE.security.passwordAging.maintenance.AgingPeriod | 45 (days) | 20 - 90
NODE.security.passwordAging.maintenance.WarningPeriod | 5 (days) | 2 - 20
NODE.security.passwordAging.provisioning.AgingPeriod | 45 (days) | 20 - 90
NODE.security.passwordAging.provisioning.WarningPeriod | 5 (days) | 2 - 20
NODE.security.passwordAging.retrieve.AgingPeriod | 45 (days) | 20 - 90
NODE.security.passwordAging.retrieve.WarningPeriod | 5 (days) | 2 - 20
NODE.security.passwordAging.superuser.AgingPeriod | 45 (days) | 20 - 90
NODE.security.passwordAging.superuser.WarningPeriod | 5 (days) | 2 - 20
NODE.security.passwordChange.CannotChangeNewPassword | FALSE | TRUE, FALSE
NODE.security.passwordChange.CannotChangeNewPasswordForNDays | 20 (days) | 20 - 95
NODE.security.passwordChange.NewPasswordMustDifferFromOldByNCharacters | 1 (characters) | 1 - 5
NODE.security.passwordChange.PreventReusingLastNPasswords | 1 (times) | 1 - 10
NODE.security.passwordChange.RequirePasswordChangeOnFirstLoginToNewAccount | FALSE | TRUE, FALSE
NODE.security.passwordComplexity.IdenticalConsecutiveCharactersAllowed | 3 or more | 0-2, 3 or more
NODE.security.passwordComplexity.MaximumLength | 20 | 20, 80
NODE.security.passwordComplexity.MinimumLength | 6 | 6, 8, 10, 12
NODE.security.passwordComplexity.MinimumRequiredCharacters | 1 num, 1 letter & 1 TL1 special | 1 num, 1 letter & 1 TL1 special, 1 num, 1 letter & 1 special, 2 each of any 2 of num, upper, lower & TL1 special, 2 each of any 2 of num, upper, lower & special
NODE.security.passwordComplexity.ReverseUserIdAllowed | TRUE | TRUE, FALSE
NODE.security.radiusServer.AccountingPort | 1813 (port) | 0 - 32767
NODE.security.radiusServer.AuthenticationPort | 1812 (port) | 0 - 32767
NODE.security.radiusServer.EnableNodeAsFinalAuthenticator | TRUE | FALSE, TRUE
NODE.security.serialCraftAccess.EnableCraftPort | TRUE | TRUE, FALSE
NODE.security.shellAccess.AccessState | NonSecure | Disabled, NonSecure, Secure
NODE.security.shellAccess.EnableShellPassword | FALSE | TRUE, FALSE
NODE.security.shellAccess.TelnetPort | 23 | 23 - 9999
NODE.security.snmpAccess.AccessState | NonSecure | Disabled, NonSecure
NODE.security.tl1Access.AccessState | NonSecure | Disabled, NonSecure, Secure
NODE.security.userLockout.FailedLoginsAllowedBeforeLockout | 5 (times) | 0 - 10
NODE.security.userLockout.LockoutDuration | 00:30 (mins:secs) | 00:00, 00:05, 00:10 .. 10:00
NODE.security.userLockout.ManualUnlockBySuperuser | FALSE | TRUE, FALSE
NODE.software.AllowDelayedUpgrades | FALSE | FALSE, TRUE
NODE.software.DefaultDelayedUpgrades | FALSE | FALSE, TRUE when AllowDelayedUpgrades TRUE; FALSE when AllowDelayedUpgrades FALSE
NODE.timing.bits-1.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMMessageSet N/A
NODE.timing.bits-1.AISThreshold | SMC | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMMessageSet N/A
NODE.timing.bits-1.Coding | B8ZS | B8ZS, AMI when FacilityType DS1; HDB3, AMI when FacilityType E1; N/A when FacilityType 2MHz; AMI when FacilityType 64kHz+8kHz
NODE.timing.bits-1.CodingOut | B8ZS | B8ZS, AMI when FacilityTypeOut DS1; HDB3, AMI when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; AMI when FacilityTypeOut 6MHz
NODE.timing.bits-1.FacilityType | DS1 | DS1, 64kHz+8kHz when //.general.TimingStandard SONET; E1, 64kHz+8kHz, 2MHz when //.general.TimingStandard SDH
NODE.timing.bits-1.FacilityTypeOut | DS1 | DS1, 6MHz when //.general.TimingStandard SONET; E1, 6MHz, 2MHz when //.general.TimingStandard SDH
NODE.timing.bits-1.Framing | ESF | ESF, D4 when FacilityType DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz
NODE.timing.bits-1.FramingOut | ESF | ESF, D4 when FacilityTypeOut DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; N/A when FacilityTypeOut 6MHz
NODE.timing.bits-1.LBO | 0-133 | 0-133, 134-266, 267-399, 400-533, 534-655
NODE.timing.bits-1.SaBit | N/A | N/A when FacilityType DS1; 4, 5, 6, 7, 8 when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz
NODE.timing.bits-1.State | OOS,DSBLD | IS, OOS,DSBLD
NODE.timing.bits-1.StateOut | OOS,DSBLD | IS, OOS,DSBLD
NODE.timing.bits-2.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMMessageSet N/A
NODE.timing.bits-2.AISThreshold | SMC | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMMessageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMMessageSet N/A
NODE.timing.bits-2.Coding | B8ZS | B8ZS, AMI when FacilityType DS1; HDB3, AMI when FacilityType E1; N/A when FacilityType 2MHz; AMI when FacilityType 64kHz+8kHz
NODE.timing.bits-2.CodingOut | B8ZS | B8ZS, AMI when FacilityTypeOut DS1; HDB3, AMI when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; AMI when FacilityTypeOut 6MHz
NODE.timing.bits-2.FacilityType | DS1 | DS1, 64kHz+8kHz when //.general.TimingStandard SONET; E1, 64kHz+8kHz, 2MHz when //.general.TimingStandard SDH
NODE.timing.bits-2.FacilityTypeOut | DS1 | DS1, 6MHz when //.general.TimingStandard SONET; E1, 6MHz, 2MHz when //.general.TimingStandard SDH
NODE.timing.bits-2.Framing | ESF | ESF, D4 when FacilityType DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz
NODE.timing.bits-2.FramingOut | ESF | ESF, D4 when FacilityTypeOut DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; N/A when FacilityTypeOut 6MHz
NODE.timing.bits-2.LBO | 0-133 | 0-133, 134-266, 267-399, 400-533, 534-655
NODE.timing.bits-2.SaBit | N/A | N/A when FacilityType DS1; 4, 5, 6, 7, 8 when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz
NODE.timing.bits-2.State | OOS,DSBLD | IS, OOS,DSBLD
NODE.timing.bits-2.StateOut | OOS,DSBLD | IS, OOS,DSBLD
NODE.timing.general.Mode | Line | External, Line, Mixed
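The NODE.security.passwordComplexity and NODE.security.passwordChange rows of Table C-21, together with the Security Password settings bullet earlier in this section, define the checks a node applies to a new password. As an added example that is not part of the Cisco manual, the following Python models those checks with the factory defaults from the Default Value column beside the strictest choice in each row's Default Domain column. The set of "TL1 special" characters (+, #, %) and the position-wise reading of "must differ by N characters" are assumptions of this example, not values taken from the table.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Table C-21 does not enumerate the "TL1 special" characters; this set is an
# assumption of this example, not a value taken from the manual.
TL1_SPECIAL = "+#%"

# Two of the four MinimumRequiredCharacters choices in the Default Domain column.
ONE_EACH = "1 num, 1 letter & 1 TL1 special"
TWO_OF_TWO = "2 each of any 2 of num, upper, lower & TL1 special"


@dataclass(frozen=True)
class PasswordPolicy:
    # NODE.security.passwordComplexity.*
    minimum_length: int
    maximum_length: int
    max_identical_run: Optional[int]  # None models "3 or more" (no limit); 2 models "0-2"
    required_characters: str
    reverse_user_id_allowed: bool
    # NODE.security.passwordChange.*
    must_differ_by: int
    prevent_reusing_last_n: int


def factory_defaults() -> PasswordPolicy:
    """Default Value column of Table C-21 for the password rows."""
    return PasswordPolicy(
        minimum_length=6, maximum_length=20, max_identical_run=None,
        required_characters=ONE_EACH, reverse_user_id_allowed=True,
        must_differ_by=1, prevent_reusing_last_n=1)


def hardened() -> PasswordPolicy:
    """Strictest choice available in each row's Default Domain column."""
    return PasswordPolicy(
        minimum_length=12, maximum_length=80, max_identical_run=2,
        required_characters=TWO_OF_TWO, reverse_user_id_allowed=False,
        must_differ_by=5, prevent_reusing_last_n=10)


def longest_identical_run(s: str) -> int:
    """Length of the longest run of one repeated character in s."""
    longest, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def differing_positions(new: str, old: str) -> int:
    """Position-wise difference count (assumed reading of 'differ by N characters')."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def required_characters_ok(pw: str, rule: str) -> bool:
    """Evaluate the MinimumRequiredCharacters rule named by `rule`."""
    num = sum(c.isdigit() for c in pw)
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    special = sum(c in TL1_SPECIAL for c in pw)
    if rule == ONE_EACH:
        return num >= 1 and upper + lower >= 1 and special >= 1
    if rule == TWO_OF_TWO:
        return sum(n >= 2 for n in (num, upper, lower, special)) >= 2
    raise ValueError(f"unsupported MinimumRequiredCharacters rule: {rule}")


def check_password(policy: PasswordPolicy, candidate: str, user_id: str,
                   previous: Sequence[str] = ()) -> List[str]:
    """Return the Table C-21 row names the candidate violates (empty list = accepted).

    `previous` lists the account's earlier passwords, oldest first."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append("MinimumLength")
    if len(candidate) > policy.maximum_length:
        problems.append("MaximumLength")
    if (policy.max_identical_run is not None
            and longest_identical_run(candidate) > policy.max_identical_run):
        problems.append("IdenticalConsecutiveCharactersAllowed")
    if not required_characters_ok(candidate, policy.required_characters):
        problems.append("MinimumRequiredCharacters")
    if not policy.reverse_user_id_allowed and candidate == user_id[::-1]:
        problems.append("ReverseUserIdAllowed")
    if candidate in previous[-policy.prevent_reusing_last_n:]:
        problems.append("PreventReusingLastNPasswords")
    if previous and differing_positions(candidate, previous[-1]) < policy.must_differ_by:
        problems.append("NewPasswordMustDifferFromOldByNCharacters")
    return problems


if __name__ == "__main__":
    # Constructed sample: a password the factory defaults accept but the
    # hardened policy rejects on length alone.
    for name, policy in (("factory", factory_defaults()), ("hardened", hardened())):
        print(name, check_password(policy, "abc12+", "admin") or "accepted")
```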
C.3.1 Time Zones
Table C-22 lists the time zones that apply for node time zone defaults. Time zones in the table are
ordered by their relative relationships to Greenwich Mean Time (GMT), and the default values are
displayed in the correct format for valid default input.
NODE.timing.general.QualityOfRES RES=DUS PRS
Ctrl-Alt-Del on the Cisco KVM Console window menu bar; or by selecting Power Cycle
Server on the Server Summary tab of the CIMC GUI.
c. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup.
d. If you have already configured a BIOS Administrator password, enter it and skip to Step h.
e. If you have not set a BIOS Administrator password for the server, continue with this step.
On the BIOS utility screen, select the Security tab, then select Set Administrator Password. Use
the pop-up boxes to set the BIOS administrator password, then press F10 to save your settings and
reboot the server.
f. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup.
g. Log into the BIOS Setup utility with your BIOS Administrator password.
Figure legend: 1 TPM; 2 JP2 socket on motherboard; 3 Securing screw
Cisco UCS C200 Server Installation and Service Guide
OL-20732-02
Chapter 3 Maintaining the Server
Installing or Replacing Components
h. On the BIOS utility screen, select the Security tab.
i. Scroll down to TPM and select TURN ON.
j. Press F10 to save your settings and reboot the server.
k. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup.
l. Log into the BIOS Setup utility with your BIOS Administrator password.
m. Verify that the TPM is now enabled. Select the Security tab. Verify that the TPM entry now says
Enabled.
Replacing a PCIe Riser Card Assembly
The qualified and supported part numbers for this component are subject to change over time. For the most
up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications:
http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html
To replace a PCIe riser card assembly, follow these steps:
Step 1 Remove a PCIe riser card:
a. Power off the server as described in the “Shutting Down and Powering Off the Server” section on
page 3-7.
b. Disconnect all power cords from the power supplies.
c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might
have to detach cables from the rear panel to provide clearance.
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the “Removing and Replacing the Server Top Cover” section
on page 3-9.
e. Remove the screw that holds the riser card assembly to the rear of the chassis (see Figure 3-21).
f. Lift the assembly and any attached PCIe cards straight up and out of the chassis. Lift up on both
ends of the bracket evenly to avoid damaging the sockets or the riser cards.
g. Remove any PCIe card from the riser card assembly and set it aside.
Step 2 Install a PCIe riser card:
a. Replace any PCIe card in the new riser card assembly.
b. Set the assembly in place, aligning the riser cards with the PCIe slots on the motherboard.
c. Press down evenly on both ends of the assembly to fully engage the riser cards with the PCIe slots
on the motherboard.
d. Replace the screw that secures the assembly to the chassis.
e. Replace the top cover.
f. Replace the server in the rack, replace power cords and any other cables, and then power on the
server by pressing the Power button.
Figure 3-21 Removing and Replacing a PCIe Riser Card Assembly
Replacing a PCIe Card
This section contains the following topics:
• Replacement Procedure, page 3-35
• Special Considerations for the Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01),
page 3-37
• How to Identify Which Power Supply Model is in Your Server, page 3-37
• Installing Multiple PCIe Cards and Resolving Limited Resources, page 3-38
Note If you are installing a Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01), there are prerequisite
considerations. See Special Considerations for the Cisco UCS P81E Virtual Interface Card
(N2XX-ACPCI01), page 3-37.
Note See also RAID Controller Considerations, page C-1 for information about supported controllers and
cables.
The qualified and supported part numbers for this component are subject to change over time. For the most
up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications:
http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html
Figure 3-21 legend: 1 Riser card assembly (top view); 2 Riser card
Replacement Procedure
Installing a PCIe card requires that you first remove the riser card assembly from the chassis. To install
or replace a PCIe card, follow these steps:
Step 1 Remove a PCIe card:
a. Power off the server as described in the “Shutting Down and Powering Off the Server” section on
page 3-7.
b. Disconnect all power cords from the power supplies.
c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might
have to detach cables from the rear panel to provide clearance.
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the “Removing and Replacing the Server Top Cover” section
on page 3-9.
e. Pull the PCIe card retaining latch away from the card. See Figure 3-21 on page 3-34.
f. Lift the assembly and any attached PCIe cards straight up and out of the chassis. Lift up on both
ends of the assembly evenly to avoid damaging the sockets or the riser cards.
g. Pull the PCIe card retaining latch away from the card’s rear tab (see Figure 3-23).
Step 2 Pull the PCIe card connector out of the riser card socket and set the card aside.
Step 3 Install a PCIe card:
a. If you are installing a PCIe card to an empty slot on the riser card assembly, remove any blank panel
from the assembly rear slot.
Note A standard-profile PCIe card must be installed on the right side of the assembly, as viewed from
the rear of the server. A low-profile PCIe card can be installed in either the low-profile slots on
the left, or the standard-profile slots on the right if a standard-profile I/O bracket is used on the
card.
b. Align the PCIe card connector with the riser card socket and push on both ends of the card evenly
to fully engage the connector with the riser card socket.
c. Pull the PCIe card retaining latch away from the card’s rear tab, then close the latch over the tab.
d. Set the assembly in place, aligning the riser cards with the PCIe slots on the motherboard.
e. Press down evenly on both ends of the assembly to fully engage the riser cards with the PCIe slots
on the motherboard.
f. Replace the screw that secures the riser card assembly to the chassis.
g. Replace the top cover.
h. Replace the server in the rack, replace power cords and any other cables, and then power on the
server by pressing the Power button.
Step 4 If the card that you replaced was a RAID controller card, see Restoring RAID Configuration After
Replacing a RAID Controller, page C-6.
Figure 3-22 PCIe Slot Numbering and Physical Orientation, Facing Server Rear
Figure 3-23 Removing and Replacing a PCIe Card
Figure 3-22 labels: PCIe Slot 7; PCIe Slot 6
Figure 3-23 legend: 1 Riser card assembly removed from chassis; 2 PCIe socket on riser card; 3 PCIe card rear plate; 4 PCIe card retaining latch
Special Considerations for the Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01)
The Cisco UCS P81E Virtual Interface Card is a standard-profile, half-length, dual-port 10 Gb PCIe card
with SFP+. See the following special considerations and prerequisites:
• This card is supported in server Generations M1 and M2.
• This server supports installation of one of these cards.
• This card is supported only in PCIe slot 6 of this server.
Note This card must be installed in PCIe slot 6 to use the Cisco Card NIC mode (see Figure 3-22 on
page 3-36). See also NIC Modes and NIC Redundancy Settings, page 2-12.
• This card requires that the server has CIMC firmware version 1.2(1) or later installed. There is a
heartbeat LED on the top and bottom of the card that indicates when firmware is active.
• To use this card for UCS integration (UCSM mode) with Cisco UCS Manager 2.0(2xx) or later, the
minimum card-firmware and uboot image level is 2.0(2g).
• To use this card for UCS integration (UCSM mode) with Cisco UCS Manager 1.4 or 2.0(1), the
minimum card-firmware and uboot image level is 1.4(1i).
• To connect this card to an upstream Cisco Nexus fabric interconnect (switch), the minimum NXOS
version on the fabric interconnect must be 5.0 or later.
• This card requires that you have the new power supply model R2X0-PSU2-650W-SB. A 5A standby
mode has been added to these power supplies to support this card. See How to Identify Which Power
Supply Model is in Your Server, page 3-37.
• Both power supplies must be model R2X0-PSU2-650W-SB. Do not mix power supply models in the
same server.
How to Identify Which Power Supply Model is in Your Server
There are two methods that you can use to identify which power supply is installed in your server:
1. Visually inspect the power supply at the rear of the server. The new power supply model
R2X0-PSU2-650W-SB has a black handle; the old power supply had a silver handle.
2. Use the Cisco Integrated Management Controller (CIMC) GUI to view the power supply model:
a. Use a browser to connect to CIMC using the CIMC IP address.
b. Log in to CIMC using your administrator user name and password.
c. On the CIMC Server tab, click Inventory.
d. On the Inventory pane, click the Power Supplies tab.
e. View the power supply model number in the Product ID column. The new power supply is
listed by the manufacturer’s model number, R2X0-PSU2-650W-SB.
Installing Multiple PCIe Cards and Resolving Limited Resources
When a large number of PCIe add-on cards are installed in the server, the system may run out of the
following resources required for PCIe devices:
• Option ROM memory space
• 16-bit I/O space
The topics in this section provide guidelines for resolving the issues related to these limited resources.
• Resolving Insufficient Memory Space to Execute Option ROMs, page 3-38
• Resolving Insufficient 16-Bit I/O Space, page 3-39
Resolving Insufficient Memory Space to Execute Option ROMs
The system has very limited memory to execute PCIe legacy option ROMs, so when a large number of
PCIe add-on cards are installed in the server, the system BIOS might not be able to execute all of the option
ROMs. The system BIOS loads and executes the option ROMs in the order that the PCIe cards are
enumerated (Slot 1, Slot 2, Slot 3, etc.).
If the system BIOS does not have sufficient memory space to load any PCIe option ROM, it skips loading
that option ROM, reports a system event log (SEL) event to the CIMC controller and reports the
following error in the Error Manager page of the BIOS Setup utility:
ERROR CODE | SEVERITY | INSTANCE | DESCRIPTION
146 | Major | N/A | PCI out of resources error. Major severity requires user intervention but does not prevent system boot.
To resolve this issue, disable the Option ROMs that are not needed for system booting. The BIOS Setup
Utility provides the setup options to enable or disable the Option ROMs at the PCIe slot level for the
PCIe expansion slots and at the port level for the onboard NICs. These options can be found in the BIOS
Setup Utility Advanced PCI Configuration page.
• Guidelines for RAID controller booting:
If the server is configured to boot primarily from RAID storage, make sure that the option ROMs
for the slots where your RAID controllers are installed are enabled in the BIOS, depending on your
RAID controller configuration.
If the RAID controller does not appear in the system boot order even when the option ROMs for those
slots are enabled, the RAID controller option ROM might not have sufficient memory space to
execute. In that case, disable other option ROMs that are not needed for the system configuration to
free up some memory space for the RAID controller option ROM.
• Guidelines for onboard NIC PXE booting:
If the system is configured to primarily perform PXE boot from onboard NICs, make sure that the
option ROMs for the onboard NICs to be booted from are enabled in the BIOS Setup Utility. Disable
other option ROMs that are not needed to create sufficient memory space for the onboard NICs.
Resolving Insufficient 16-Bit I/O Space
The system has only 64 KB of legacy 16-bit I/O resources available. This 64 KB of I/O space is divided
between the CPUs in the system because the PCIe controller is integrated into the CPUs. This server
BIOS has the capability to dynamically detect the 16-bit I/O resource requirement for each CPU and then
balance the 16-bit I/O resource allocation between the CPUs accordingly during the PCI bus
enumeration phase of the BIOS POST.
When a large number of PCIe cards are installed in the system, the system BIOS might not have
sufficient I/O space for some PCIe devices. If the system BIOS is not able to allocate the required I/O
resources for any PCIe devices, the following symptoms have been observed:
• The system might get stuck in an infinite reset loop.
• The BIOS might appear to hang while initializing PCIe devices.
• The PCIe option ROMs might take excessive time to complete, which appears to lock up the system.
• PCIe boot devices might not be accessible from the BIOS.
• PCIe option ROMs might report initialization errors. These errors are seen before the BIOS passes
control to the operating system.
• The keyboard might not work.
To work around this problem, rebalance the 16-bit I/O load using the following methods:
1. Physically remove any unused PCIe cards.
2. If the system has one or more Cisco virtual interface cards (VICs) installed, disable the PXE boot
on the VICs that are not required for the system boot configuration by using the Network Adapters
page in the CIMC WebUI to free up some 16-bit I/O resources. Each VIC uses a minimum of 16 KB
of 16-bit I/O resource, so disabling PXE boot on Cisco VICs frees up some 16-bit I/O
resources that can be used for other PCIe cards that are installed in the system.
Replacing an LSI MegaRAID Battery Backup Unit
When you install an LSI MegaRAID card and the optional BBU in this server, do not install the BBU on
top of the card as described in the LSI instructions. To avoid overheating the card, you must install the
BBU on a special bracket that is located on the fan tray.
Note LSI recommends that you replace the LSI BBU once per year or after 1,000 recharge cycles, whichever
comes first. Verify whether BBU replacement is required by looking in the CIMC. Log in to CIMC for
the server, then click Server—Inventory—Storage—Battery Backup Unit. If the Battery Replacement
Required field says, “True,” then you must purchase a replacement BBU and replace it.
Warning There is danger of explosion if the battery is replaced incorrectly. Replace the battery only with the
same or equivalent type recommended by the manufacturer. Dispose of used batteries according to
the manufacturer’s instructions.
Statement 1015
The qualified and supported part numbers for this component are subject to change over time. For the most
up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications:
http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html
Note The instructions for installing the BBU differ depending on which BBU version you are installing. The
newer LSIiBBU08 version requires that you replace the server’s mounting bracket. Procedures for both
LSIiBBU06 and LSIiBBU08 are included here.
This section includes the following procedures:
• Replacing an LSIiBBU06 BBU, page 3-40
• Replacing an LSIiBBU08 BBU, page 3-42
Replacing an LSIiBBU06 BBU
This BBU is supported by Cisco for use with the following RAID controller cards:
• LSI MegaRAID 9260-4i (Cisco product ID R200-PL004, LSI 6G MegaRAID 9260-4i
card w/512MB write cache)
• LSI MegaRAID 9280-4i4e (Cisco product ID UCSC-RAID-C-4i4e, LSI 9280-4i4e)
To install or replace an LSIiBBU06 version BBU, follow these steps:
Step 1 Remove a BBU:
a. Remove the three screws that secure the BBU to the BBU bracket on the fan tray (see Figure 3-24).
b. Disconnect the cable from the BBU. If you are only replacing a BBU and not the LSI card, you do
not have to disconnect the other end of the cable from the card.
Step 2 Install a BBU:
a. Install the cable that is connected to the LSI controller card to socket J2 on the underside of the BBU.
Note Be careful to align the arrow-mark on the cable connector with the arrow-mark on the socket to
avoid damaging the connector pins.
b. Place the new BBU over the BBU bracket on the fan tray and align the three screw-holes in the BBU
with the three preinstalled standoffs on the bracket.
c. Replace the three securing screws that hold the BBU to the BBU bracket.
Step 3 If this is a first-time installation of the BBU rather than a replacement, install the cable from the BBU
to the LSI card.
Connect the cable from the BBU to the socket on the adapter.
Note Be careful to align the arrow-mark on the cable connector with the arrow-mark on the socket to avoid
damaging the connector pins.
Figure 3-24 Removing and Replacing an LSIiBBU06 BBU
1 BBU bracket on fan tray
2 Securing screws (three)
3 BBU (connector J2 is on the underside)
Replacing an LSIiBBU08 BBU
This BBU is supported by Cisco for use with the following RAID controller cards:
• LSI MegaRAID 9260-4i (Cisco product ID R200-PL004, LSI 6G MegaRAID 9260-4i
card w/512MB write cache)
• LSI MegaRAID 9280-4i4e (Cisco product ID UCSC-RAID-C-4i4e, LSI 9280-4i4e)
• LSI MegaRAID 9260-8i (Cisco product ID RC460-PL001, LSI 6G MegaRAID 9260-8i
(C200 SFF only))
To install the LSIiBBU08 BBU, you must replace the mounting bracket on the fan tray with a special
adapter bracket that is included with the BBU. Use the following procedure to replace the bracket and
to install the BBU.
Step 1 Replace the mounting bracket—only if you are replacing an LSIiBBU06 with an LSIiBBU08.
Skip this step and go to Step 2 if your server is already using an LSIiBBU08 BBU and it already has the
new mounting bracket.
a. Remove any existing BBU from the existing bracket by removing the BBU retaining screws.
b. Disconnect the RAID controller-to-BBU cable from the old BBU.
c. Remove the three screws that hold the bracket to the standoffs on the fan tray (see Figure 3-25).
d. Set the new bracket in place and replace the three screws that secure it to the fan tray (see
Figure 3-26).
Figure 3-25 Replacing a Mounting Bracket for the LSIiBBU08 BBU (callout: Mounting bracket)
Figure 3-26 Replacing a Mounting Bracket for the LSIiBBU08 BBU (Enlarged)
Step 2 Install the new LSIiBBU08 BBU:
Note The LSIiBBU08 BBU requires LSI MegaRAID card firmware 2.120.133.1322 or later to be
recognized. You can use the Cisco Host Upgrade Utility to upgrade your LSI MegaRAID card firmware.
Obtain the Cisco Host Upgrade Utility 1.4.1 or later package (including drivers) by navigating from the
Cisco.com software download site: http://www.cisco.com/cisco/software/navigator.html
a. Install the BBU cable from the LSI controller card to socket J2 on the new BBU.
Note Align the arrow-mark on the cable connector with the arrow-mark on the socket to avoid
damaging the connector pins.
b. Place the new BBU over the new BBU bracket on the fan tray and align the two screw-holes in the
BBU with the two preinstalled standoffs on the bracket.
c. Install the two securing screws that hold the BBU to the BBU bracket.
(Figure 3-26 callout: Screws)
Figure 3-27 Removing and Replacing an LSIiBBU06 BBU
1 BBU bracket on fan tray
2 Securing screws (two)
3 BBU (connector J2 is on the underside)
Installing a Mezzanine Card
The qualified and supported part numbers for this component are subject to change over time. For the most
up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications:
http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html
To install or replace a mezzanine card, follow these steps:
Step 1 Remove a mezzanine card:
a. Power off the server as described in the “Shutting Down and Powering Off the Server” section on
page 3-7.
b. Disconnect all power cords from the power supplies.
c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might
have to detach cables from the rear panel to provide clearance.
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the “Removing and Replacing the Server Top Cover” section
on page 3-9.
e. Disconnect the cable harness from the connector on the top of the mezzanine card.
f. Use needle-nose pliers to pinch the three plastic standoff posts that hold the mezzanine card to the
motherboard. Pinching the top of the post provides clearance to lift the mezzanine card off the posts
(see Figure 3-28).
g. Lift up on both ends of the mezzanine card evenly to disengage its connector from the motherboard
socket.
Step 2 Install a mezzanine card:
a. Place the mezzanine card in the chassis, aligning the holes on the card with the three plastic standoff
posts on the motherboard.
b. Push down firmly on the card to fully engage the connector of the card with the motherboard socket.
c. Ensure that the holes in the card click down over the three plastic posts on the motherboard.
d. Reconnect the cable harness to the connector on the top of the mezzanine card.
e. Replace the top cover.
f. Replace the server in the rack, replace power cords and any other cables, and then power on the
server by pressing the Power button.
Figure 3-28 Removing and Replacing a Mezzanine Card
1 Mezzanine card retaining posts (three)
2 Mezzanine card
APPENDIX A
Technical Specifications
This appendix lists the technical specifications for the Cisco UCS C200 server and includes the
following sections:
• Physical Specifications, page A-1
• Environmental Specifications, page A-2
• Power Specifications, page A-2
Physical Specifications
Table A-1 lists the physical specifications for the server.
Table A-1 Physical Specifications
Description | Specification
Height | 1.70 in. (4.32 cm)
Width | 16.92 in. (43.00 cm)
Depth | 27.80 in. (70.60 cm)
Weight (loaded chassis) | 33.00 lbs (14.97 kg)
Environmental Specifications
Table A-2 lists the environmental specifications for the server.
Table A-2 Environmental Specifications
Description | Specification
Temperature, operating (derate 1°C for every 1000 ft (304 m) up to a maximum altitude of 10,000 ft (3048 m)) | 50 to 95°F (10 to 35°C)
Temperature, nonoperating (within altitude 0 to 40,000 feet (0 to 12,000 meters)) | –40 to 149°F (–40 to 65°C)
Humidity (RH), noncondensing | 5 to 93%
Altitude | 0 to 10000 feet
Sound power level, A-weighted per ISO7779 LwAd (dBA), operation at 73°F (23°C) | 54.7 dBA
Sound power level, A-weighted per ISO7779 LwAd (Bels), operation at 73°F (23°C) | 5.7 Bels
Power Specifications
Table A-3 lists the specifications for each power supply.
You can get more specific power information for your exact server configuration by using the Cisco UCS
Power Calculator:
http://www.cisco.com/assets/cdc_content_elements/flash/dataCenter/cisco_ucs_power_calculator/
Table A-3 Power Supply Specifications
Description | Specification
AC-input voltage | 115 to 230 VAC nominal (range: 90 to 264 VAC)
AC-input frequency | 50 to 60 Hz nominal (range: 47 to 63 Hz)
Maximum AC-input current | 10 Amps
Maximum output power for each power supply | 650 W (up to two power supplies can be installed)
Power supply output voltage | Main power: 12 VDC; standby power: 5 VDC
APPENDIX B
Cable and Power Cord Specifications
This appendix provides cabling and port specifications for control devices and power connections and
includes the following sections:
• KVM Cable, page B-1
• Supported Power Cords and Plugs, page B-2
KVM Cable
The KVM cable provides a connection into the server, providing a DB9 serial connector, a VGA
connector for a monitor, and dual USB ports for a keyboard and mouse. With this cable, you can create
a direct connection to the operating system and the BIOS running on the server.
This server supports the following Cisco components and part numbers.
Supported Components | Part Number
KVM cable | 37-1016-01
Figure B-1 KVM Cable
1 Connector to server
2 DB9 serial connector
3 VGA connection for a monitor
4 Two-port USB connector for a mouse and keyboard
Supported Power Cords and Plugs
Each power supply has a separate power cord. Standard power cords or jumper power cords are available
for connection to the server. The jumper power cords, for use in racks, are available as an optional
alternative to the standard power cords.
Note Only the approved power cords or jumper power cords provided with the server are supported.
Table B-1 lists the power cords for the server power supplies.
Table B-1 Supported Power Cords for the Server
Power Cord | Description | Length (feet) | Length (meters) | Reference Illustration
SFS-250V-10A-AR | Power Cord, 250 VAC 10 A IRAM 2073 Plug, Argentina | 8.2 | 2.5 | Figure B-2
CAB-9K10A-AU | 250 VAC 10 A 3112 Plug, Australia | 8.2 | 2.5 | Figure B-3
SFS-250V-10A-CN | Power Cord, 250 VAC 10 A GB 2009 Plug, China | 8.2 | 2.5 | Figure B-4
CAB-9K10A-EU | Power Cord, 250 VAC 10 A M 2511 Plug, Europe | 8.2 | 2.5 | Figure B-5
SFS-250V-10A-ID | Power Cord, 250 VAC 16 A EL-208 Plug, South Africa, United Arab Emirates, India | 8.2 | 2.5 | Figure B-6
SFS-250V-10A-IS | Power Cord, 250 VAC 10 A SI32 Plug, Israel | 8.2 | 2.5 | Figure B-7
CAB-9K10A-IT | Power Cord, 250 VAC 10 A CEI 23-16 Plug, Italy | 8.2 | 2.5 | Figure B-8
CAB-9K10A-SW | Power Cord, 250 VAC 10 A MP232 Plug, Switzerland | 8.2 | 2.5 | Figure B-9
CAB-9K10A-UK | Power Cord, 250 VAC 10 A BS1363 Plug (13 A fuse), United Kingdom | 8.2 | 2.5 | Figure B-10
CAB-AC-250V/13A | Power Cord, 250 VAC 13 A IEC60320 Plug, North America | 6.6 | 2.0 | Figure B-11
CAB-N5K6A-NA | Power Cord, 250 VAC 13 A NEMA 6-15 Plug, North America | 8.2 | 2.5 | Figure B-12
CAB-9K12A-NA | Power cord, 125 VAC, 13 A, NEMA 5-15 Plug, North America | 8.2 | 2.5 | Figure B-13
CAB-C13-C14-JMPR | Cabinet Jumper Power Cord, 250 VAC 13 A, C13-C14 Connectors | 2.2 | 0.7 | Figure B-14
AC Power Cord Illustrations
This section contains the AC power cord illustrations.
Figure B-2 SFS-250V-10A-AR (cordset rating 10 A, 250/500 V MAX; length 8.2 ft (2500 mm); plug EL 219 (IRAM 2073); connector EL 701 (IEC60320/C13))
Figure B-3 CAB-9K10A-AU (cordset rating 10 A, 250 V/500 V; length 2500 mm; plug EL 206 (A.S. 3112-2000); connector EL 701C (IEC 60320/C15))
Figure B-4 SFS-250V-10A-CN (cordset rating 10 A, 250 V; length 2500 mm; plug EL 218 (CCEE GB2009); connector EL 701 (IEC60320/C13))
Figure B-5 CAB-9K10A-EU (cordset rating 10 A/16 A, 250 V; length 8 ft 2 in. (2.5 m); plug M2511 (OVE); connector VSCC15)
Figure B-6 SFS-250V-10A-ID (cordset rating 16 A, 250 V; length 2500 mm; plug EL 208; connector EL 701)
Figure B-7 SFS-250V-10A-IS (cordset rating 10 A, 250 V/500 V MAX; length 2500 mm; plug EL 212 (SI-32); connector EL 701B (IEC60320/C13))
Figure B-8 CAB-9K10A-IT (cordset rating 10 A, 250 V; length 8 ft 2 in. (2.5 m); plug I/3G (CEI 23-16); connector C15M (EN60320/C15))
Figure B-9 CAB-9K10A-SW (cordset rating 10 A, 250 V; length 8 ft 2 in. (2.5 m); plug MP232-R; connector IEC 60320 C15)
Figure B-10 CAB-9K10A-UK (cordset rating 10 A, 250 V/500 V MAX; length 2500 mm; plug EL 210 (BS 1363A) with 13 AMP fuse; connector EL 701C (EN 60320/C15))
Figure B-11 CAB-AC-250V/13A (cordset rating 13 A, 250 V; length 6.6 feet; plug EL312 molded twistlock (NEMA L6-20); connector EL 701 (IEC60320/C13))
Figure B-12 CAB-N5K6A-NA (cordset rating 10 A, 250 V; length 8.2 ft; plug NEMA 6-15P; connector IEC60320/C13)
Figure B-13 CAB-9K12A-NA (cordset rating 13 A, 125 V; length 8.2 feet (2.5 m); plug NEMA 5-15P; connector IEC60320/C15)
Figure B-14 CAB-C13-C14-JMPR, Jumper Power Cord (cordset rating 10 A, 250 V; length 686 mm; plug SS10A; connector HS10S)
APPENDIX C
RAID Controller Considerations
This appendix contains the following sections:
• Supported RAID Controllers and Required Cables, page C-1
• Enabling the Integrated Intel ICH10R RAID Controller in the BIOS, page C-2
• Enabling the Mezzanine Card RAID Controller in the BIOS, page C-3
• RAID Controller Cabling, page C-3
• How to Determine Which Controller Is in Your Server, page C-4
• How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1), page C-5
• How To Launch Option ROM-Based Controller Utilities, page C-5
• Restoring RAID Configuration After Replacing a RAID Controller, page C-6
• For More Information, page C-7
Supported RAID Controllers and Required Cables
The Cisco UCS C200 Large Form-Factor (LFF) and C200 Small Form-Factor (SFF) server models
support the RAID controller options and cable requirements shown in Table C-1 and Table C-2.
Note Do not mix controller types in the server. Dual controllers are not supported.
Table C-1 Cisco UCS C200 LFF RAID Options (Up to Four 3.5-Inch Internal Drives)
Controller | Style | Max. Internal Drives | SAS | SATA | Opt. BBU | RAID Levels | Required Cables
Intel ICH10R (1) | Integrated | 4 | No | Yes | No | 0, 1 | 1 SATA (R200-SATACBL)
LSI 1064E | Mezzanine | 4 | Yes (2) | Yes | No | 0, 1, 1E | 1 SAS (R200-SASCBL)
LSI MegaRAID 9260-4i | PCIe | 4 | Yes (3) | Yes | Yes | 0, 1, 5, 6, 10, 50, 60 | 1 SAS (R200-SASCBL)
LSI MegaRAID 9280-4i4e | PCIe | 4 | Yes | Yes | Yes | 0, 1, 5, 6, 10, 50, 60 | 1 SAS (R200-SASCBL)
1. The integrated ICH10R controller must be enabled in the BIOS. This controller is not compatible for use with VMWare
ESX/ESXi Server software in any generation or version of the Cisco UCS C200 server.
2. You cannot mix SAS and SATA drives when using a 1064E-based controller.
3. You can mix SAS and SATA drives when using an LSI MegaRAID card. However, you cannot mix SAS and SATA drives
within a volume.
Enabling the Integrated Intel ICH10R RAID Controller in the BIOS
Note The integrated ICH10R RAID controller is not compatible for use with VMWare ESX/ESXi Server
software in any generation or version of the Cisco UCS C200 server.
When using the integrated RAID, you must enable the ICH10R controller in SW RAID mode.
Step 1 Boot the server and press F2 when prompted to enter the BIOS Setup utility.
Step 2 Select the Advanced tab, then Mass Storage Controllers Configuration.
Step 3 Set Onboard SATA Controller to Enabled.
Step 4 Set SATA Mode to SW RAID.
Step 5 Press F10 to save your changes and exit the utility.
Table C-2 Cisco UCS C200 SFF RAID Options (Up to Eight 2.5-Inch Internal Drives)
Controller | Style | Max. Internal Drives | SAS | SATA | Opt. BBU | RAID Levels | Required Cables
Intel ICH10R (1) | Integrated | 4 | No | Yes | No | 0, 1 | 1 SATA (R200-SATACBL)
LSI 1068E | Mezzanine | 8 | Yes (2) | Yes | No | 0, 1, 1E | 4 drives: 1 SAS; 8 drives: 2 SAS (R200-SASCBL) (3)
LSI MegaRAID 9260-8i | PCIe | 8 | Yes (4) | Yes | Yes | 0, 1, 5, 6, 10, 50, 60 | 4 drives: 1 SAS; 8 drives: 2 SAS (R200-SASCBL)
LSI MegaRAID 9280-4i4e | PCIe | 4 | Yes | Yes | Yes | 0, 1, 5, 6, 10, 50, 60 | 1 SAS (R200-SASCBL)
1. The integrated ICH10R controller must be enabled in the BIOS. This controller is not compatible for use with VMWare
ESX/ESXi Server software in any generation or version of the Cisco UCS C200 server.
2. You can mix SAS and SATA drives when using a 1068E-based controller. However, you cannot mix SAS and SATA drives
within a volume.
3. Two SAS cables (R200-SASCBL) are shipped with the Cisco UCS C200 SFF server.
4. You can mix SAS and SATA drives when using an LSI MegaRAID card. However, you cannot mix SAS and SATA drives
within a volume.
Enabling the Mezzanine Card RAID Controller in the BIOS
When using the supported mezzanine-style RAID controller card, you must enable the ICH10R controller
in Enhanced mode.
Step 1 Make sure that a RAID cable is attached between the mezzanine card and the disk backplane.
Step 2 Boot the server and press F2 when prompted to enter the BIOS Setup utility.
Step 3 Select the Advanced tab, then Mass Storage Controllers Configuration.
Step 4 Set Onboard SATA Controller to Enabled.
Step 5 Set SATA Mode to Enhanced.
Step 6 Press F10 to save your changes and exit the BIOS Setup utility.
Step 7 To set up a RAID configuration when using the mezzanine card, boot the server and press Ctrl-C when
prompted to start the WebBIOS utility.
RAID Controller Cabling
The possible RAID controller connectors in this server are shown in Figure C-1. The blue line indicates the
recommended cable routing path from the backplane to the possible controller locations.
Note The Cisco UCS C200 SFF server is shown, with an eight-drive backplane. The LFF server has a four-drive
backplane.
Figure C-1 RAID Controller Connectors
1 Drive backplane
2 Integrated RAID connector on motherboard
3 Mezzanine card connector(s)
4 LSI MegaRAID PCIe card connectors
Cisco UCS C200 LFF Server Cabling
The cable connections required for each type of controller are as follows:
• Integrated ICH10R: Connect one SATA cable from the motherboard connector to the drives 1–4
connectors on the backplane.
• 1064E mezzanine card: Connect one SAS cable from the single connector on the mezzanine card to
the drives 1–4 connectors on the backplane.
• LSI MegaRAID card: Connect one SAS cable from connector 1 on the card to the drives 1–4
connectors on the backplane.
For all controller types, connect the numbered cable connectors to the corresponding numbered
backplane connectors. Connect the cable connector labeled SGPIO to the backplane connector labeled
SGPIO.
Cisco UCS C200 SFF Server Cabling
The cable connections required for each type of controller are as follows:
Note Two SAS cables (R200-SASCBL) are shipped with the Cisco UCS C200 SFF server (but not with the
LFF version of the server). You can order a set of two spare SAS cables (Cisco PID UCSC-CBL-I2F1).
• Integrated ICH10R: Connect one SATA cable from the motherboard connector to the drives 1–4
connectors on the backplane. (Controls 4 drives only.)
• 1068E mezzanine card: Connect SAS cable 1 from connector 1 on the card to the drives 1–4
connectors on the backplane. Connect SAS cable 2 from connector 2 on the card to the drives 5–8
connectors on the backplane.
• LSI MegaRAID 9260-8i card: Connect SAS cable 1 from connector 1 on the card to the drives 1–4
connectors on the backplane. Connect SAS cable 2 from connector 2 on the card to the drives 5–8
connectors on the backplane.
• LSI MegaRAID 9280-4i4e card: Connect one SAS cable from connector 1 on the card to the drives
1–4 connectors on the backplane. (Controls 4 drives only.)
For all controller types, connect the numbered cable connectors to the corresponding numbered
backplane connectors. Connect the cable connector labeled SGPIO to the backplane connector labeled
SGPIO.
How to Determine Which Controller Is in Your Server
If you do not have a record of which device is used in the server, you can read the on-screen messages
that are displayed during system bootup. These messages display information about the devices that are
installed in your server.
• Information about the models of card installed is displayed as part of the verbose boot. You are
also prompted to press Ctrl-H to launch configuration utilities for those cards. For servers running
CIMC firmware earlier than release 1.2(1), see also How to Disable Quiet Boot For CIMC Firmware
Earlier Than Release 1.2(1), page C-5.
• If the mezzanine-style card is enabled, you are prompted to press Ctrl-C to launch the configuration
utility for these cards. See also Enabling the Mezzanine Card RAID Controller in the BIOS, page C-3.
• If no models of card are displayed but there is a RAID configuration, your server is using the
onboard ICH10R controller. You are also prompted to press Ctrl-M to launch the configuration
utilities for this controller (see graphic below). See also Enabling the Integrated Intel ICH10R RAID
Controller in the BIOS, page C-2.
How to Disable Quiet Boot For CIMC Firmware Earlier Than
Release 1.2(1)
For CIMC firmware and BIOS release 1.2(1) and later, Quiet Boot has been removed. If you are running
CIMC firmware and BIOS earlier than release 1.2(1), you can use the following procedure to disable
Quiet Boot.
To disable quiet boot so that the controller information and the prompts for the option ROM-based LSI
utilities are displayed during bootup, follow these steps:
Step 1 Boot the server and watch for the F2 prompt during bootup.
Step 2 Press F2 when prompted to enter the BIOS Setup utility.
Step 3 On the Main page of the BIOS Setup utility, set Quiet Boot to Disabled. This allows non-default
messages, prompts, and POST messages to display during bootup instead of the Cisco logo screen.
Step 4 Press F10 to save your changes and exit the utility.
How To Launch Option ROM-Based Controller Utilities
To alter the RAID configurations on your hard drives, you can use your host-based utilities that you
install on top of your host OS, or you can use the LSI option ROM-based utilities that are installed on
the server.
When you boot the server and you have quiet boot disabled (see How to Disable Quiet Boot For CIMC
Firmware Earlier Than Release 1.2(1), page C-5), information about your controller is displayed along
with the prompts for the key combination to launch the option ROM-based utilities for your controller.
Watch for the prompt for your controller during verbose boot:
• The prompt for LSI controller card utility is Ctrl-H.
• The prompt for the mezzanine-style controller cards is Ctrl-C.
• The prompt for the onboard Intel ICH10R controller utility is Ctrl-M.
Note Cisco has also developed the Cisco Server Configuration Utility for C-Series servers, which can assist
you in setting up some RAID configurations for your drives. This utility is shipped with new servers on
CD. You can also download the ISO from Cisco.com. See the user documentation for this utility at the
following URL:
http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/ucsscu/user/guide/20/SCUUG20.html
Restoring RAID Configuration After Replacing a RAID Controller
When you replace a RAID controller, the RAID configuration that is stored in the controller is lost. Use
the following procedure to restore your RAID configuration to your new RAID controller.
Step 1 Replace your RAID controller. See Replacing an LSI MegaRAID Battery Backup Unit, page 3-40.
Step 2 If this was a full chassis swap, replace all drives into the drive bays, in the same order that they were
installed in the old chassis.
Step 3 If Quiet Boot is enabled, disable it in the system BIOS. See How to Disable Quiet Boot For CIMC
Firmware Earlier Than Release 1.2(1), page C-5.
Step 4 Reboot the server and watch for the prompt to press F.
Step 5 Press F when you see the following on-screen prompt:
Foreign configuration(s) found on adapter.
Press any key to continue or ‘C’ load the configuration utility,
or ‘F’ to import foreign configuration(s) and continue.
Step 6 Press any key (other than C) to continue when you see the following on-screen prompt:
All of the disks from your previous configuration are gone. If this is
an unexpected message, then please power of your system and check your cables
to ensure all disks are present.
Press any key to continue, or ‘C’ to load the configuration utility.
Step 7 Watch the subsequent screens for confirmation that your RAID configuration was imported correctly.
• If you see the following message, your configuration was successfully imported. The LSI virtual
drive is also listed among the storage devices.
N Virtual Drive(s) found on host adapter.
• If you see the following message, your configuration was not imported. This can happen if you do
not press F quickly enough when prompted. In this case, reboot the server and try the import
operation again when you are prompted to press F.
0 Virtual Drive(s) found on host adapter.
For More Information
The LSI utilities have help documentation for more information about using the utilities.
For basic information about RAID and for using the utilities for the RAID controller cards, see the
Cisco UCS Servers RAID Guide.
Full LSI documentation is also available:
• LSI MegaRAID SAS Software User’s Guide (for LSI MegaRAID)
http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/lsi/mrsas/userguide/LSI_MR_SAS_SW_UG.pdf
• LSI SAS2 Integrated RAID Solution User Guide (for LSI SAS1064E)
http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/lsi/irsas/userguide/LSI_IR_SAS_UG.pdf
APPENDIX D
Installation for Cisco UCS Integration
The Cisco UCS integration instructions have been moved to the integration guides found here:
Cisco UCS C-Series Server Integration with UCS Manager Guides
Refer to the guide that is for the version of Cisco UCS Manager that you are using.
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel.: +1 408 526-4000
+1 800 553-NETS (6387)
Fax: +1 408 526-4100
Cisco Unified IP Phones
7961G/7961G-GE and 7941G/7941G-GE
for Cisco Unified CallManager 4.2
INCLUDING LICENSE AND WARRANTY
Phone Guide
Copyright © 2006, Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the United States and certain other countries. All other names or trademarks mentioned in this document or on the website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0601R)
OL-9616-01
Quick Reference
Cisco Unified IP Phones 7961G/7961G-GE and 7941G/7941G-GE for Cisco Unified CallManager 4.2
Softkey Definitions
Phone Screen Icons
Button Icons
Common Phone Tasks
Softkey Definitions
AGrpIntr: Answer a call ringing in an associated group
Annuler: Cancel an action or exit a screen without applying changes
autres: Display additional softkeys
Bis: Redial the most recently dialed number
Compos.: Dial a phone number
Conf.: Create a conference call
ConG: Log out of hunt groups to prevent calls from those groups from ringing your phone
Détails: Open the Details record for a multiparty call in the Missed Calls and Received Calls logs
EditNum: Edit a number in a call log
Effacer: Delete records or settings
Effacer: Reset settings to their default values
Enreg.: Save the chosen settings
Fermer: Close the current window
FinApp.: Disconnect the current call
GrpIntr: Answer a call ringing in another group
InsConf: Join a call on a shared line and establish a conference call
Insert: Join a call on a shared line
Intrcpt: Answer a call within your group
Joindre: Join several calls in progress on one line to establish a conference call
ListConf: View the list of conference participants
Common Phone Tasks
View online help on the phone: Press the Help button.
Place a call: Go off-hook before or after dialing a number.
Redial a number: Press Bis, or press the Navigation button with the phone on-hook to view your Placed Calls log.
Use the handset during a call: Pick up the handset.
Use the speakerphone or headset during a call: Press the Speaker or Headset button, then hang up the handset.
Mute your phone: Press the Mute button.
Use your call logs: Press the Directories button to choose a call log. To dial a number, highlight a listing and go off-hook.
Edit a number: Press EditNum, << or >>.
Hold/resume a call: Press Attente or Reprend.
Transfer a call to a new number: Press Trnsfer, enter the target number, then press Trnsfer again.
Start a standard conference call: Press autres > Conf., dial the participant's number, then press Conf. again.
MàJ: Refresh content
ModeVid.: Choose a video display mode
MulConf: Host a Meet-Me conference call
NumAbr: Dial a number using an abbreviated dialing code
NvAppel: Place a new call
Parquer: Store a call using Call Park
Précédent: Return to the previous Help topic
QRT: Submit call problems to your system administrator
Quitter: Return to the previous screen
Rappel: Receive notification when a busy extension becomes available
Recher.: Search a directory listing
RenvTt: Set up or cancel call forwarding
Répond.: Answer a call
Reprend: Resume a call on hold
Rvoi Im: Send a call to your voice messaging system
Sélect.: Select a menu item or a call
SupDerA: Drop the last party added to a conference call
Suppr.: Delete characters to the right of the cursor when using EditNum
Suppr.: Remove a participant from the conference
TrnsDir: Transfer two calls to each other
Trnsfer: Transfer a call
<<: Delete entered characters
>>: Move between entered characters
Phone Screen Icons
Line and call state
Call forwarding enabled
Call on hold
Connected call
Off-hook
On-hook
Incoming call
Shared line in use
Secure calls
Authenticated call
Secured call
Selected device
Handset in use
Headset in use
Speakerphone in use
Priority calls
Priority call
Medium priority call
High priority call
Highest priority call
Button Icons
Other features
Speed dial button configured
Message waiting
Video mode enabled
Option selected
Feature enabled
Messages
Services
Help
Directories
Settings
Volume
Speaker
Mute
Headset
Contents
Getting Started 1
Using This Guide 1
Finding Additional Information 2
Additional Information About Customizing Your Phone on the Web 2
Safety and Performance Information 3
Accessibility Features 5
Connecting Your Phone 6
An Overview of Your Phone 9
Understanding Buttons and Hardware 9
Understanding Phone Screen Features 13
Cleaning the Phone Screen 14
Understanding Feature Menus and Buttons 14
Understanding the Phone Help System 15
Understanding the Difference Between Lines and Calls 15
Understanding Line and Call Icons 16
Understanding Feature Availability 16
Basic Call Handling 17
Placing a Call: Basic Options 17
Placing a Call: Additional Options 18
Answering a Call 20
Ending a Call 21
Using Hold and Resume 21
Using Mute 22
Switching Between Calls 22
Viewing Multiple Calls 23
Transferring Calls 23
Forwarding All Calls to Another Number 25
Making Conference Calls 26
Understanding Types of Conference Calls 26
Starting and Joining a Standard Conference Call 27
Starting or Joining a Meet-Me Conference Call 29
Advanced Call Handling 30
Speed Dialing 30
Picking Up a Redirected Call on Your Phone 31
Using a Shared Line 32
Understanding Shared Lines 32
Joining a Call on a Shared Line 33
Preventing Others from Viewing or Joining a Call on a Shared Line 34
Storing and Retrieving Parked Calls 35
Making and Receiving Secure Calls 36
Tracing Suspicious Calls 36
Prioritizing Critical Calls 37
Using Cisco Extension Mobility 38
Logging Out of Hunt Groups 38
Using a Handset, Headset, and Speakerphone 39
Obtaining a Headset 40
Using AutoAnswer 40
Using Phone Settings 41
Customizing Rings and Message Indicators 41
Customizing the Phone Screen 42
Using Call Logs and Directories 43
Using Call Logs 43
Using the Corporate Directory on Your Phone 45
Accessing Voice Messages 46
Accessing Your User Options Web Pages 47
Logging In to the User Options Web Pages 47
Subscribing to Phone Services 48
Understanding Additional Configuration Options 49
Troubleshooting Your Phone 51
General Troubleshooting 51
Viewing Phone Administration Data 52
Using the Quality Reporting Tool (QRT) 52
Cisco One-Year Limited Hardware Warranty Terms 53
Index 55
Getting Started
Using This Guide
This guide provides an overview of the features available on your phone. Read it in full to become familiar with everything your phone can do, or use the table below to jump directly to the most commonly used sections.
If you want to... Then...
Learn to use the phone on your own: If you need help, press the Help button on the phone.
Review the safety guidelines: See "Safety and Performance Information", page 3.
Connect the phone: See "Connecting Your Phone", page 6.
Use the phone once it is installed: Start with "An Overview of Your Phone", page 9.
Learn what the buttons and lights mean: See "Understanding Buttons and Hardware", page 9.
Learn about the screen: See "Understanding Phone Screen Features", page 13.
Place calls: See "Placing a Call: Basic Options", page 17.
Put calls on hold: See "Using Hold and Resume", page 21.
Mute calls: See "Using Mute", page 22.
Transfer calls: See "Transferring Calls", page 23.
Make conference calls: See "Making Conference Calls", page 26.
Set up speed dialing: See "Speed Dialing", page 30.
Share a phone number: See "Using a Shared Line", page 32.
Use the phone's speakerphone: See "Using a Handset, Headset, and Speakerphone", page 39.
Change the ringer or tone volume: See "Using Phone Settings", page 41.
View your missed calls: See "Using Call Logs and Directories", page 43.
Listen to your voice messages: See "Accessing Voice Messages", page 46.
Look up softkey and icon definitions: See the quick reference card at the front of this guide.
Finding Additional Information
For the most current documentation on Cisco Unified IP Phones, see the website at the following address:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm
You can access the Cisco website at the following address:
http://www.cisco.com/
International Cisco websites can be accessed at the following address:
http://www.cisco.com/public/countries_languages.shtml
Additional Information About Customizing Your Phone on the Web
Your Cisco Unified IP Phone is a network device that can share information with other network devices in your company, including your personal computer. You can use the Cisco Unified CallManager User Options web pages from your computer to set up and customize phone services and to control phone features and settings. This guide provides an overview of these features. For complete instructions, see the guide to customizing your Cisco Unified IP Phone on the web, at the following address:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm
Safety and Performance Information
Before you install or use your Cisco Unified IP Phone, read the following safety notices.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071.
SAVE THESE INSTRUCTIONS
Warning Read the installation instructions before connecting the system to the power source.
Warning Ultimate disposal of this product should be handled according to all national laws and regulations.
Warning Do not work on the system or touch cables during periods of lightning activity.
Warning To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables.
Caution Inline power circuits carry current through the communication cable. Use the Cisco-provided cable or a communication cable of at least 24 AWG.
Using an External Power Supply
The following warnings apply when you use an external power supply with the Cisco Unified IP Phone.
Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15 A U.S. (240 VAC, 10 A international) is used on the phase conductors (all current-carrying conductors).
Warning This device is designed to work with TN power systems.
Warning The plug-socket combination must be accessible at all times because it serves as the main disconnecting device.
Warning The power supply must be placed indoors.
Caution Use only the power supply specified by Cisco with this product.
Power Outage
Your access to emergency services through the phone depends on the phone being powered. During a power outage, Service and Emergency Calling dialing will not function. In that case, you may need to reset or reconfigure the equipment before you can use Service and Emergency Calling dialing.
Using External Devices
The following information applies when you use external devices with the Cisco Unified IP Phone:
Cisco recommends the use of good-quality external devices (speakers, microphones, and headsets) that are shielded against unwanted radio frequency (RF) and audio frequency (AF) signals.
Depending on the quality of these devices and their proximity to other devices such as mobile phones or two-way radios, some audio noise may still occur. In these cases, Cisco recommends that you take one or more of the following actions:
• Move the external device away from the source of the RF or AF signals.
• Route the external device cables away from the source of the RF or AF signals.
• Use shielded cables for the external device, or use cables with a better shield and connector.
• Shorten the length of the external device cable.
• Apply ferrites or other such devices on the cables for the external device.
Cisco cannot guarantee the performance of the system because Cisco has no control over the quality of the external devices, cables, and connectors used. The system will perform adequately when suitable devices are attached using good-quality cables and connectors.
Caution In European Union countries, use only external speakers, microphones, and headsets that comply with the EMC Directive 89/336/EC.
Accessibility Features
A list of accessibility features is available upon request.
Connecting Your Phone
Your system administrator will most likely connect your new Cisco Unified IP Phone to the corporate IP telephony network. If that is not the case, refer to the figure and table below to connect your phone.
1 DC adapter port (DC48V)
2 AC-to-DC power supply
3 AC power cord
4 Network port (10/100(/1000¹) SW)
5 Access port (10/100(/1000¹) PC)
6 Handset port
7 Headset port
8 Footstand button
1. Available only on the gigabit Ethernet versions of the phones.
Adjusting the Footstand
To change the angle at which the phone sits on your desk, hold down the footstand button while you adjust the footstand.
Adjusting the Handset Rest
When you connect your phone, you can adjust the handset rest so that the handset will not slip out of the cradle. See the table below for the procedure.
Registering with TAPS
After your phone is connected to the network, your system administrator may ask you to auto-register your phone using TAPS (Tool for Auto-Registered Phones Support). TAPS can be used for a new phone or for a replacement phone.
To register with TAPS, pick up the handset, enter the TAPS extension provided by your system administrator, and follow the voice prompts. You may need to enter your entire extension, including the area code. After your phone displays a confirmation message, hang up. The phone restart process begins.
1 Set the handset aside and pull the square plastic tab from the handset rest.
2 Rotate the tab 180 degrees.
3 Slide the tab back into the handset rest. An extension protrudes from the top of the rotated tab. Return the handset to the handset rest.
Headset Information
To use a headset, connect it to the headset port on the back of your phone.
Although Cisco Systems performs internal testing of third-party headsets for use with the Cisco Unified IP Phones, Cisco does not certify or promote products from headset or handset vendors. Because of the environmental and hardware inconsistencies inherent in the locations where Cisco Unified IP Phones are deployed, there is no single solution that is optimal for all environments. Cisco recommends that customers test the headsets that work best in their environment before deploying them on a large scale across their network.
In some instances, the mechanics or electronics of various headsets can cause the parties talking to Cisco Unified IP Phone users to hear an echo of their own voice.
Cisco Systems recommends the use of good-quality external devices (headsets and the like) that are shielded against unwanted radio frequency (RF) and audio frequency (AF) signals. Depending on the quality of these devices and their proximity to other devices such as cell phones or two-way radios, some audio noise may still occur. See "Using External Devices", page 5, for more information.
The primary test of whether a given headset is suitable for the Cisco Unified IP Phone is that it does not produce an audible hum. This hum can be heard either by the remote party only or by both the remote party and you, the Cisco Unified IP Phone user. Some potential humming or buzzing sounds can be caused by a range of outside sources, for example electric lights, nearby electric motors, or large PC monitors. In some cases, a local power supply unit can reduce or eliminate the hum. See "Using an External Power Supply", page 4, for more information.
Audio Quality Subjective to the User
Beyond the physical, mechanical, and technical performance, the audio portion of a headset must sound good to you (the user) and to the party on the other end. Sound is subjective and Cisco cannot guarantee the performance of any headset or handset, but some of the headsets and handsets available on the sites listed below have been reported to perform well on Cisco Unified IP Phones.
Nevertheless, it is ultimately the customer's responsibility to test this equipment in their own environment to determine whether its performance is acceptable.
For more information about headsets, see the following web pages:
http://www.vxicorp.com/cisco
http://www.plantronics.com/cisco
An Overview of Your Phone
The Cisco Unified IP Phones 7961G/7961G-GE (gigabit Ethernet version) and 7941G/7941G-GE (gigabit Ethernet version) are full-featured telephones that provide voice communication over the same data network that your computer uses, allowing you to place and receive phone calls, put calls on hold, speed dial numbers, transfer calls, make conference calls, and so on. The gigabit Ethernet Cisco Unified IP Phones 7961G-GE and 7941G-GE deliver the latest technology and advancements in Gigabit Ethernet VoIP telephony. The Cisco Unified IP Phones 7961G and 7961G-GE have six programmable buttons for phone lines, features, speed dials, and services, whereas the Cisco Unified IP Phones 7941G and 7941G-GE have two such buttons (see "Understanding Buttons and Hardware", page 9, for more information).
In addition to basic call-handling features, your phone can provide specialized productivity features that enhance the device. Depending on its configuration, it supports:
• Access to network data, XML applications, and web-based services.
• Online customizing of phone features and services from your User Options web pages.
• A comprehensive online help system that displays information on the phone screen.
Understanding Buttons and Hardware
Use Figure 1 and Figure 2 to identify the buttons and hardware on your phone.
Figure 1 Cisco Unified IP Phones 7961G and 7961G-GE
Figure 2 Cisco Unified IP Phones 7941G and 7941G-GE
Item / Description / For more information, see...
1 Programmable buttons: Depending on the phone configuration, programmable buttons provide access to:
• Phone lines (line buttons).
• Speed-dial numbers (speed-dial buttons).
• Web-based services (for example, a Personal Address Book button).
• Phone features (for example, a Privacy button).
The buttons illuminate, and their color indicates the call status:
Green, steady: active call
Green, flashing: call on hold
Amber, steady: Privacy feature in use
Amber, flashing: incoming call
Red, steady: line in use remotely
Red, flashing: directed call park line unavailable
See: "Understanding Phone Screen Features", page 13; "Basic Call Handling", page 17; "Speed Dialing", page 30; "Using a Shared Line", page 32; "Storing and Retrieving Parked Calls", page 35
2 Phone screen: Displays phone features. See "Understanding Phone Screen Features", page 13
3 Footstand button: Allows you to adjust the angle of the phone footstand. See "Adjusting the Footstand", page 7
4 Messages button: Auto-dials your voice message service (varies by service). See "Using Call Logs", page 43
5 Directories button: Opens/closes the Directories menu and gives access to the call logs and directories. See "Using Call Logs", page 43
6 Help button: Activates the Help menu. See "Understanding the Phone Help System", page 15
7 Settings button: Opens/closes the Settings menu. Use it to control the screen contrast and ring sounds. See "Using Phone Settings", page 41
8 Services button: Opens/closes the Services menu. See "Accessing Your User Options Web Pages", page 47
9 Volume button: Controls the handset, headset, and speakerphone volume (off-hook) and the ringer volume (on-hook). See "Using a Handset, Headset, and Speakerphone", page 39
10 Speaker button: Toggles the speakerphone on or off. When the speakerphone is on, the button is lit. See "Using a Handset, Headset, and Speakerphone", page 39
11 Mute button: Toggles Mute on or off. When Mute is on, the button is lit. See "Using Mute", page 22
12 Headset button: Toggles the headset on or off. When the headset is on, the button is lit. See "Using a Handset, Headset, and Speakerphone", page 39
13 Navigation button: Allows you to scroll through menus and highlight items. When the phone is on-hook, the button displays the phone numbers from your Placed Calls log. See "Using Call Logs", page 43
14 Keypad: Allows you to dial phone numbers, enter letters, and choose menu items. See "Basic Call Handling", page 17
15 Softkey buttons: Each activates a softkey option (displayed on the phone screen). See "Understanding Phone Screen Features", page 13
16 Handset light strip: Indicates an incoming call or a new voice message. See "Accessing Voice Messages", page 46
Understanding Phone Screen Features
When calls are active and several feature menus are open, the main phone screen looks like this:
1 Primary phone line: Displays the phone number (extension number) for your primary phone line. When several feature tabs are open, the phone number, the time, and the date alternate in this location.
2 Programmable button icons: Programmable buttons can serve as phone line buttons, speed-dial buttons, phone service buttons, or phone feature buttons. Icons and labels indicate how these buttons are configured. For information about an icon, see Phone Screen Icons in the quick reference card at the front of this guide.
3 Softkey labels: Each displays a softkey function. To activate a softkey, press the corresponding button.
4 Status line: Displays the audio mode icons, status information, and prompts.
5 Call activity area: Displays current calls per line, including caller ID, call duration, and call state for the highlighted line (in standard viewing mode). See "Understanding Line and Call Icons", page 16, and "Viewing Multiple Calls", page 23.
6 Phone tab: Indicates call activity.
7 Feature tabs: Each indicates an open feature menu. See "Understanding Feature Menus and Buttons", page 14.
Cleaning the Phone Screen
Gently wipe the phone screen with a soft, dry cloth. Do not apply any liquids or powders to your phone. Using anything other than a soft, dry cloth can damage phone components and cause failures.
Understanding Feature Menus and Buttons
Press a feature button to open or close a feature menu.
If you want to... Then...
Open or close a feature menu: Press a feature button: Messages, Services, Directories, Settings, or Help.
Scroll through a list or menu: Press the Navigation button.
Go back one level in a feature menu: Press Quitter. If you press Quitter at the top level of a menu, the menu closes.
Switch between open feature menus: Press a feature tab. Each feature menu has a tab, which is visible while the feature menu is open.
Understanding the Phone Help System
Your Cisco Unified IP Phone provides a comprehensive online help system. Help topics appear on the phone screen. See the table below for details.
If you want to... Then...
View the main menu: Press the Help button on the phone and wait a few seconds for the menu to display. Main menu topics cover the following:
• About your Cisco Unified IP Phone: details
• Procedures for common phone tasks
• Calling features: descriptions and procedures
• Help: tips on using and accessing Help
Learn about a button or softkey: Press the Help button, then quickly press a button or softkey.
Learn about a menu item: Press a feature button to display a feature menu. Highlight a menu item, then quickly press the Help button twice.
Learn how to use Help: Press the Help button. Choose Help from the main menu.
Understanding the Difference Between Lines and Calls
To avoid confusion between lines and calls, refer to the following descriptions.
Lines: Each line corresponds to a phone number (or extension number) that others can use to call you. Depending on configuration, the Cisco Unified IP Phones 7961G/7961G-GE and 7941G/7941G-GE support up to six and two lines, respectively. To see how many lines you have, look at the right side of the phone screen. You have as many lines as you have directory numbers and phone line icons.
Calls: Each line can support multiple calls. By default, the phone supports four connected calls per line, but your system administrator can adjust this number to your needs. Only one call can be active at any given time; the other calls are automatically placed on hold.
Understanding line and call icons
Your phone displays icons to help you determine the state of a line or call.

Call state: Description (the icon column is not reproduced here)
On-hook: No call activity on this line.
Off-hook: A number is being dialed or an outgoing call is ringing. For the dialing options, see
    "Placing a call: basic options", page 17.
Connected call: You are currently connected to the other party.
Ringing call: An incoming call is ringing on one of your lines. See "Answering a call", page 20
    for more information.
Call on hold: You have put this call on hold.
Remote-in-use: Another phone that shares your line has a connected call. See "Using a shared line",
    page 32 for more information.
Authenticated call: See "Making and receiving secure calls", page 36.
Encrypted call: See "Making and receiving secure calls", page 36.

Understanding feature availability
Depending on your phone system configuration, some features described in this guide may not be
available to you or may work differently. If you have questions about how a feature works or whether
it is available, contact your support desk or your system administrator.
Basic call handling
Basic call-handling tasks rely on a set of features and services.
Feature availability can vary. Contact your system administrator for more information.

Placing a call: basic options
The table below shows simple ways to place a call with your Cisco Unified IP Phone.

To place a call using the handset:
    Lift the handset and dial a number.
    See: An overview of your phone, page 9
To place a call using the speakerphone:
    Press [speaker], then dial a number.
    See: Using the handset, headset and speakerphone, page 39
To place a call using a headset:
    Press [headset], then dial a number. If the [headset] button is lit, you can also press NvAppel
    and dial a number.
    See: Using the handset, headset and speakerphone, page 39
To redial a number:
    Press Bis to dial the last number, or press the Navigation button to view placed calls (in the
    latter case the phone must be idle).
    See: Using call logs, page 43
To place a call while another call is active (on the same line):
    1. Press Attente.
    2. Press NvAppel.
    3. Enter a number.
    See: Using hold and resume, page 21
To dial from a call log:
    1. Choose [Répertoires] > Appels en absence, Appels reçus, or Appels composés.
    2. Select or search for a list entry, then go off-hook.
    See: Using call logs, page 43

Tips
• You can dial a number on-hook, without a dial tone (pre-dial). To pre-dial, enter a number, then
  go off-hook by lifting the handset or pressing Compos., [speaker], or [headset].
• When you pre-dial, the phone tries to anticipate the number you are dialing by displaying matching
  numbers from your placed-calls log (if any are available). This is called auto dial. To use it,
  select the displayed number or search for a list entry, then go off-hook.
• If you make a mistake while dialing, press << to erase digits.
Placing a call: additional options
You can place calls using special features and services that may be available on your phone. For more
information about these additional options, contact your system administrator.

To place a call while another call is active (on a different line):
    1. Press [line button] to open the new line. The call on the first line is automatically placed
       on hold.
    2. Enter a number.
    See: Using hold and resume, page 21
To speed dial a number:
    Do one of the following:
    • Press [speed-dial button].
    • Use the NumAbr feature.
    • Use the Numéro abrégé feature.
    See: Speed dialing, page 30
To dial from a corporate directory available on the phone:
    1. Choose [Répertoires] > Répertoire d'entreprise (the exact name of this service can vary).
    2. Enter a name and press Recher.
    3. Highlight a list entry and go off-hook.
    See: Using call logs, page 43
To dial a corporate directory number using Cisco WebDialer:
    1. Open a web browser and go to a WebDialer-enabled corporate directory.
    2. Click the number you want to dial.
    See: Customizing Your Cisco Unified IP Phone on the Web:
    http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm
To use Cisco Call Back to receive a notification when a busy or ringing extension becomes available:
    1. Press Rappel while you hear the busy tone or ringing.
    2. Hang up. The phone alerts you when the line becomes available.
    3. Place the call again.
    See: Your system administrator
To place a priority call:
    Enter the MLPP access number, then the phone number.
    See: Prioritizing critical calls, page 37
To dial from a personal address book:
    1. Choose [Services] > Service Carnet d'adresses personnel (the exact name of this feature
       can vary).
    2. Highlight a list entry and go off-hook. You can also press the list entry on the touch screen.
    See: Logging in to the User Options web pages, page 47
To place a call using a billing or tracking code:
    1. Dial a number.
    2. After the tone, enter a client matter code or a forced authorization code.
    See: Your system administrator
To place a call using your Cisco Extension Mobility profile:
    Log in to the Extension Mobility service on a phone.
    See: Using Cisco Extension Mobility, page 38
Answering a call
You can answer a call by lifting the handset, or by using other options that may be available on your
phone.

To answer with a headset:
    If the [headset] button is unlit, press it.
    If the [headset] button is already lit, press Répond. or the flashing [line button].
    See: Using the handset, headset and speakerphone, page 39
To answer with the speakerphone:
    Press [speaker], Répond., or the flashing [line button].
    See: Using the handset, headset and speakerphone, page 39
To answer a new call from a connected call:
    Press Répond. or, if the call is ringing on another line, press the flashing [line button].
    See: Using hold and resume, page 21
To answer using call waiting:
    Press Répond.
    See: Using hold and resume, page 21
To send a call to the voice messaging system:
    Press Rvoi Im.
    See: Accessing voice messages, page 46
To connect calls automatically:
    Use the Auto Answer feature.
    See: Using Auto Answer, page 40
To retrieve a call parked on another phone:
    Use the Call Park or Directed Call Park feature.
    See: Storing and retrieving parked calls, page 35
To use your phone to answer a call ringing on another extension:
    Use the Call Pickup feature.
    See: Picking up a redirected call on your phone, page 31
To answer a priority call:
    End the current call by hanging up, then press Répond.
    See: Prioritizing critical calls, page 37
Ending a call
To end a call, hang up. See the following table for details.

To hang up while using the handset:
    Return the handset to its cradle, or press FinApp.
To hang up while using a headset:
    Press [headset]. To keep headset mode active, press FinApp. instead.
To hang up while using the speakerphone:
    Press [speaker] or FinApp.
To end one call without ending another call on the same line:
    Press FinApp. If necessary, first resume the held call.

Using hold and resume
Only one call can be active at any given time. All other calls are placed on hold.
Tips
• Engaging the hold feature typically generates music or a beep.
• A held call is indicated by the hold icon.

To put a call on hold:
    1. Make sure the call you want to put on hold is highlighted.
    2. Press Attente.
To resume a held call on the active line:
    1. Make sure the appropriate call is highlighted.
    2. Press Reprend.
To resume a held call on a different line:
    Press [line button] to open the appropriate line.
    If only one call is on hold on that line, it resumes automatically. If several calls are on hold,
    find the relevant call in the list, then press Reprend.
Using mute
With mute enabled, you can hear the other parties on the call, but they cannot hear you. You can use
mute with the handset, the speakerphone, or a headset.

To turn mute on:
    Press [mute].
To turn mute off:
    Press [mute].

Switching between calls
You can switch between calls on one or more lines. If the call you want to switch to is not
automatically highlighted, use the Navigation button to reach it.

To switch between calls on one line:
    1. Make sure the call you want to switch to is highlighted.
    2. Press Reprend.
    Any active call is placed on hold and the selected call is resumed.
To switch between calls on different lines:
    Press the [line button] for the line you want to switch to.
    If only one call is on hold on that line, it resumes automatically.
    If several calls are on hold, highlight the relevant call, then press Reprend.
To answer a ringing call from a connected call:
    Press Répond. or, if the call is ringing on another line, press that [line button]. Any active
    call is placed on hold and the selected call is resumed.
Viewing multiple calls
Understanding how multiple calls are displayed on your phone can help you organize your
call-handling efforts.
In standard viewing mode, the phone displays calls as follows for the highlighted line:
• Calls with the highest priority and the longest duration appear at the top of the list.
• Calls of the same type are grouped together. For example, calls that you have interacted with are
  grouped near the top of the list, while calls on hold are grouped at the bottom.
You can use the following methods to view multiple calls on multiple lines.

To view calls on another line:
    1. Press [?].
    2. Immediately press that [line button].
To get an overview of line activity (one call per line):
    Press the [line button] of the highlighted line.
    The phone switches to call overview mode and displays only one call per line. The call displayed
    is the active call or the oldest held call.
    To return to standard viewing mode, press [?] and then, immediately afterwards, the line button.

Transferring calls
Transfer redirects a connected call. The target is the number to which you want to transfer the call.

To transfer a call without speaking to the transfer recipient:
    1. From an active call, press Trnsfer.
    2. Enter the target number.
    3. Press Trnsfer again to complete the transfer, or press FinApp. to cancel it.
    Note: If your phone supports on-hook transfer, you can also complete the transfer by hanging up.
To speak to the transfer recipient before transferring a call:
    1. From an active call, press Trnsfer.
    2. Enter the target number.
    3. Wait a moment to give the transfer recipient time to answer.
    4. Press Trnsfer again to complete the transfer, or press FinApp. to cancel it.
    Note: If your phone supports on-hook transfer, you can also complete the transfer by hanging up.
To connect two current calls to each other without staying on the line (direct transfer):
    1. Scroll through the calls on the line to highlight the one you want.
    2. Press Sélect.
    3. Repeat this procedure for the second call.
    4. With one of the selected calls highlighted, press TrnsDir. (You may need to press the autres
       softkey to display TrnsDir.)
    The two calls are connected to each other and you are dropped from the call.
    Note: To stay on the line with these callers, use Joindre instead.
To redirect a call to the voice messaging system:
    Press Rvoi Im. The call is automatically transferred to voice mail, which plays a greeting. This
    feature is available while a call is active, ringing, or on hold.

Tips
• If on-hook transfer is enabled on your phone, you can either hang up to end the call, or press
  Trnsfer and then hang up.
• If on-hook transfer is not enabled on your phone, hanging up without pressing Trnsfer puts the
  call back on hold.
• You cannot use Trnsfer to redirect a call that is on hold. Press Reprend to resume the call before
  transferring it.
Forwarding all calls to another number
Call forward all lets you redirect all incoming calls on your phone to another number.
Note: If call forwarding applies to a secondary line, your phone gives no confirmation that the
operation is in effect. Instead, you must verify your settings in the User Options web pages. See
"Logging in to the User Options web pages", page 47.
Tips
• Enter the call forward target number exactly as you would dial it from your phone. For example,
  enter an access code or area code if required.
• You can forward your calls to a traditional analog phone or to another IP phone, although your
  system administrator may restrict call forwarding to numbers within your company.
• You must configure this feature for each line. If a call comes in on a line where call forwarding
  is not enabled, the call rings as usual.

To set up call forwarding on your primary line:
    Press RenvTt, then enter a target phone number.
To cancel call forwarding on your primary line:
    Press RenvTt.
To verify that call forwarding is enabled on your primary line:
    Look for:
    • The call forward icon above the primary phone number ( ).
    • The call forward target number in the status line.
To set up or cancel call forwarding remotely, or for a line other than your primary line:
    1. Log in to the User Options web pages and select a device.
    2. Choose Renv. tous les appels...
    3. Choose the primary line or any secondary line.
    4. Choose whether to redirect calls to the voice messaging system or to another number.
Making conference calls
Your Cisco Unified IP Phone lets you bring three or more people into a single phone conversation by
creating a conference.

Understanding the types of conference calls
There are two types of conference calls: standard and Meet-Me.

Standard conference calls
You can create standard conference calls in different ways, depending on your needs and on the
softkeys available on your phone.
• Conf.: use this softkey to call each participant and thereby create a standard conference. Standard
  conferencing is a default feature available on most phones.
• Joindre: use this softkey to join several calls already in progress on one line into a standard
  conference.
• InsConf: use this softkey to join an existing call on a shared line and turn it into a standard
  conference call. This feature is available only on phones that use shared lines.
For further instructions, see "Starting and joining a standard conference call", page 27.

Meet-Me conference calls
You can create a Meet-Me conference by calling the conference number at the scheduled time.
For further instructions, see "Starting or joining a Meet-Me conference call", page 29.
Starting and joining a standard conference call
A standard conference call lets at least three people participate in a single call.

To create a conference call by calling the participants, or to add new participants to an existing
conference call:
    1. From a connected call, press Conf. (You may need to press the autres softkey to display this
       option.)
    2. Enter the participant's phone number.
    3. Wait for the call to connect.
    4. Press Conf. again to add the participant to the call.
    5. Repeat this procedure to add more participants.
To create a conference by joining two or more existing calls:
    1. Make sure you have at least two calls on the same line.
    2. Highlight a call you want to add to the conference.
    3. Press Sélect. The selected call displays this icon ( ).
    4. Repeat this step for each call you want to add.
    5. From one of the selected calls, press Joindre. (You may need to press the autres softkey first.)
    Note: The active call is selected automatically.
To participate in a conference:
    Answer the phone when it rings.
To create a conference call by barging into a call on a shared line:
    Highlight a call on the shared line and press InsConf. (You may need to press the autres softkey
    first.) See "Using a shared line", page 32.
To view the list of conference participants:
    1. Highlight an active conference.
    2. Press ListConf.
    Participants are listed in the order in which they joined the conference, with the most recent
    at the top of the list.
To refresh the list of conference participants:
    While viewing the participant list, press MàJ.
To see who started the conference:
    While viewing the participant list, look for the person at the bottom of the list with an
    asterisk (*) next to their name.
To drop the last participant who joined the conference:
    Press SupDerA. You can remove participants only if you initiated the conference call.
To remove a participant from the conference:
    1. Highlight the participant's name.
    2. Press Suppr. You can remove participants only if you initiated the conference.
To leave a standard conference:
    Hang up or press FinApp.

Tips
• Only calls on the same line can be added to a conference. If calls are on different lines, transfer
  them to a single line before pressing Conf. or Joindre.
• Depending on your phone configuration, leaving a conference that you initiated may end it for
  everyone. To avoid this, transfer the conference before hanging up.
Starting or joining a Meet-Me conference call
Meet-Me conferencing lets you start a conference, or dial the conference number to join one.

To start a Meet-Me conference:
    1. Obtain a Meet-Me conference number from your system administrator.
    2. Distribute the number to the participants.
    3. When you are ready to start the meeting, go off-hook to get a dial tone and press MulConf.
    4. Dial the Meet-Me conference number.
    Participants can join the conference by dialing its number.
    Note: Participants hear a busy tone if they call the conference number before the organizer has
    connected. In that case, they must call back.
To join a Meet-Me conference:
    Dial the Meet-Me conference number (provided by the conference organizer).
    Note: You hear a busy tone if you call the conference number before the organizer has connected.
    In that case, call back later.
To end a Meet-Me conference:
    All participants must hang up.
    The conference does not end automatically when the organizer disconnects.
Advanced call handling
Advanced call-handling tasks involve special features that your system administrator can configure
on your phone, depending on your call-handling needs and your work environment.

Speed dialing
Speed dialing lets you enter a code, press a button, or select an item on the phone screen to place a
call. Depending on your phone configuration, several speed-dial features may be available:
• Speed-dial buttons
• Abbreviated dialing (NumAbr)
• Fast dials (Numéro abrégé)
Note:
• To set up speed-dial buttons and abbreviated dialing, you must access the User Options web pages.
  See "Logging in to the User Options web pages", page 47.
• Your system administrator can also configure speed-dial features for you.

To use speed-dial buttons:
    1. Set up speed-dial buttons from the User Options web pages.
    2. To place a call, press [speed-dial button].
To use NumAbr:
    1. Set up abbreviated dialing codes from the User Options web pages.
    2. To place a call, enter the abbreviated dialing code and press NumAbr.
To use Numéro abrégé:
    1. Subscribe to the Fast Dial service and set up fast-dial codes from the User Options web pages.
       See "Subscribing to phone services", page 48.
    2. To place a call, choose [Services] > Service de numérotation abrégée on the phone (the exact
       name of this feature can vary), then highlight a list entry and go off-hook. You can also press
       the list entry on the phone screen.
Picking up a redirected call on your phone
Call Pickup lets you answer a call that is ringing on a colleague's phone by redirecting it to your
own phone. You might use Call Pickup if you share call-handling duties with colleagues.

To answer a call ringing on another extension in your pickup group:
    1. Do one of the following:
    • Press the Intrcpt softkey if it is available.
    • Otherwise, go off-hook to display it, then press Intrcpt.
    • If your phone supports auto-pickup, you are connected to the call directly.
    2. When the phone rings, press Répond. to connect to the call.
To answer a call ringing on an extension outside your group:
    1. Do one of the following:
    • Press the GrpIntr softkey if it is available.
    • Otherwise, go off-hook to display it, then press GrpIntr.
    2. Enter the group pickup code.
    If your phone supports auto-pickup, you are connected to the call directly.
    3. When the phone rings, press Répond. to connect to the call.
To answer a call ringing on another extension in your group or in an associated group:
    1. Do one of the following:
    • Press the AGrpIntr softkey if it is available.
    • Otherwise, go off-hook to display it, then press AGrpIntr.
    • If your phone supports auto-pickup, you are connected to the call directly.
    2. When the phone rings, press Répond. to connect to the call.

Tips
• Depending on your phone configuration, you may receive an audible and/or visual alert about a call
  to your pickup group.
• Pressing Intrcpt or GrpIntr connects you to the call that has been ringing the longest.
• Pressing AGrpIntr connects you to the call in the pickup group with the highest priority.
• If you have multiple lines and want to pick up the call on a secondary line, press the button of
  the desired line, then a call pickup softkey.
Using a shared line
Your system administrator may ask you to use a shared line if you:
• Have multiple phones and want a single phone number.
• Share call-handling tasks with colleagues.
• Handle calls on behalf of a manager.

Understanding shared lines
Remote-in-use
The Remote-in-use icon appears when another phone on your shared line has a connected call. You can
place and receive calls as usual on the shared line, even when the Remote-in-use icon is displayed.

Sharing call information and barging
Each of the phones that share a line displays information about calls placed and received on the
shared line. This information can include caller ID and call duration. (See the Privacy section for
exceptions.)
When call information is displayed in this way, you and the colleagues who share the line can join
calls using the Insert or InsConf feature. See "Joining a call on a shared line", page 33.

Privacy
To prevent colleagues who share your line from seeing information about your calls, enable the
Privacy feature. This also prevents them from joining your calls. See "Preventing others from viewing
or joining a call on a shared line", page 34.
Note: The maximum number of calls supported on a shared line varies from phone to phone.
Joining a call on a shared line
Depending on your phone configuration, you can join a call on a shared line using the Insert or
InsConf feature.
Tips
• If you share the line with a phone that has Privacy enabled, call information and the barge
  softkeys do not appear on the other phones that share the line.
• When you join a call using Insert, you may be disconnected from it if the call is put on hold,
  transferred, or turned into a conference call.

To see whether the shared line is in use:
    Look for the Remote-in-use icon ( ) next to a red line button ( ).
To view details about the current calls on the shared line:
    Press the red line button for the remote-in-use line. Any non-private calls appear in the call
    activity area of the phone screen.
To join a call on a shared line using the Insert softkey:
    1. Highlight a remote-in-use call.
    2. Press Insert. (You may need to press the autres softkey first.)
    The other parties hear a beep announcing your presence.
To join a call on a shared line using the InsConf softkey:
    Unlike Insert, InsConf turns the call into a standard conference call, which lets you add new
    participants. See "Making conference calls", page 26.
To barge into a call and add participants to a conference:
    Barge into the call using InsConf, if it is available. Unlike Insert, InsConf turns the call into
    a standard conference call, which lets you add new participants. See "Making conference calls",
    page 26.
To leave a barged call:
    Hang up.
    If you hang up after using Insert, the other parties hear a disconnect tone and the original
    call continues.
    If you hang up after using InsConf, the call remains a conference (provided at least three
    participants remain on the line).
Preventing others from viewing or joining a call on a shared line
If you share a phone line, you can use the Privacy feature to prevent others who share your line from
viewing or joining your calls.
Tips
• If you share the line with a phone that has Privacy enabled, you can still place and receive calls
  as usual on the shared line.
• Privacy applies to all shared lines on your phone. Consequently, if you have several shared lines
  and Privacy is enabled, your colleagues cannot view or join calls on any of your shared lines.
• When you put a call on hold, the caller's name and number (ID) are displayed on the shared line
  even if Privacy is enabled. However, your system administrator can prevent the display of a held
  caller's ID when Privacy is enabled. In that case, the call can be retrieved only from the phone
  that put it on hold.

To prevent others from viewing or joining calls on a shared line:
    1. Press Confidentiel.
    2. To verify that Privacy is on, look for the privacy-enabled icon next to an amber line button.
To allow others to view or join calls on a shared line:
    1. Press Confidentiel.
    2. To verify that Privacy is off, look for the privacy-disabled icon next to an unlit line button.
Storing and Retrieving Parked Calls

If you want to store a call, you can park it so that you or someone else can retrieve it from another phone in the Cisco Unified CallManager system (for example, a phone at a coworker's desk or in a conference room). You can park a call using the following methods:
• To store the call, press the Park softkey. The phone displays the call park number where the system stored the call. You must record this number and use the same number to retrieve the call.
• To direct the call to a specific directed call park number (speed-dialed or dialed manually), use the Transfer softkey. To retrieve the call, dial the park retrieval prefix followed by the directed call park number (speed-dialed or dialed manually).
• Using a Directed Call Park button, you can dial the call park speed-dial number and see whether it is available.

Tips
• You have a limited time to retrieve a parked call before it rings again at the original extension. For details, contact your system administrator.
• Your system administrator can assign Directed Call Park buttons to available line buttons on the phone or on the Cisco Unified IP Phone Expansion Module 7914.
• You can dial directed call park numbers even if you do not have Directed Call Park buttons on your phone. However, you will not be able to see the status of the directed call park number.

To...    Do this:

Store an active call using Call Park:
    1. During a call, press Park. (You may need to press the more softkey first.)
    2. Note the call park number displayed on the phone screen.
    3. Hang up.

Retrieve a parked call:
    Enter the call park number on any Cisco Unified IP Phone in the network to connect to the call.

Direct and store an active call at a directed call park number:
    1. During a call, press Transfer.
    2. To dial the call park speed-dial number, press the Directed Call Park button when the park-available icon is shown. A flashing Directed Call Park button and the park-occupied icon indicate that the directed call park number is not available.
    3. Press Transfer again to confirm that the call is stored.

Retrieve a parked call from a directed call park number:
    From any phone in the network, enter the park retrieval prefix and dial the directed call park number. You can also connect to the call by pressing the Directed Call Park button when the park-occupied icon is shown.
Making and Receiving Secure Calls

Depending on how your system administrator has configured your phone system, your phone may support making and receiving secure calls. It may support the following types of calls:
• Authenticated call: the identities of all phones participating in the call have been verified.
• Encrypted call: the phone receives and transmits encrypted audio (your conversation) over the Cisco Unified IP network. Encrypted calls are also authenticated.
• Non-secure call: at least one of the participating phones, or the connection, does not support these security features, or the identities of the phones cannot be verified.

Note: Interactions, restrictions, and limitations affect the security features of the phone. For details, contact your system administrator.

Tracing Suspicious Calls

If you receive suspicious or malicious calls, your system administrator can add the Malicious Call Identification (MCID) feature to your phone. This feature lets you flag an active call as suspicious, which starts a series of automated tracking and notification messages.

To...    Do this:

Check the security level of a call:
    Look for one of the following security icons in the upper right corner of the call activity area (next to the call duration timer):
    Authenticated call
    Encrypted call
    No security icon is displayed if the call is not secure.

Determine whether secure calls can be made in your company:
    Contact your system administrator.

To...    Do this:

Report a suspicious or malicious call to your system administrator:
    Press MCID.
    The phone plays a tone and displays the message "MCID successful".
Prioritizing Critical Calls

In some specialized environments, such as military or government offices, you may need to make and receive urgent or critical calls. If you need this specialized call handling, your system administrator can add Multilevel Precedence and Preemption (MLPP) to your phone.

Keep these terms in mind:
• Precedence indicates the priority associated with a call.
• Preemption is the process of ending an existing lower-priority call while accepting a higher-priority call.

Tips
• When you make or receive an MLPP-enabled call, you hear special ring and call-waiting tones that differ from the standard tones.
• If you enter an invalid MLPP access number, a voice announcement alerts you to the error.

If you...    Do this:

Want to choose a priority (precedence) level for an outgoing call:
    Contact your system administrator for the list of priority numbers for calls.

Want to make a priority (precedence) call:
    Enter the MLPP access number (provided by your system administrator), followed by the phone number.

Hear a special ring (faster than usual) or a special call-waiting tone:
    You are receiving a priority (precedence) call. An MLPP icon on the phone screen indicates the priority level of the call.

Want to view the priority level of a call:
    Look for an MLPP icon on the phone screen:
    Priority call
    Medium-priority (immediate) call
    High-priority (flash) call
    Highest-priority (flash override) call or priority call
    The highest-priority calls are displayed at the top of the call list. If no MLPP icon is shown, the call is a normal (routine) call.

Want to accept a higher-priority call:
    Answer the call as usual. If necessary, end the active call first.

Hear a continuous tone interrupting your call:
    You or the other party are receiving a call that must preempt the current call. Hang up immediately to allow the higher-priority call to ring on your phone.
Using Cisco Extension Mobility

Cisco Extension Mobility (EM) lets you temporarily configure a Cisco Unified IP Phone as your own. Once you log in, the phone adopts your user profile, including your phone lines, features, established services, and web-based settings. Your system administrator must configure EM for you.

Tips
• EM automatically logs you out after a certain amount of time. Your system administrator sets this time limit.
• Changes that you make to your EM profile (from the User Options web pages) take effect the next time you log in to EM on a phone.
• Settings that are controlled only from the phone are not maintained in your EM profile.

Logging Out of Hunt Groups

If your organization receives a large number of incoming calls, you may be a member of a hunt group. A hunt group includes a series of directory numbers that share the incoming call load. When the first directory number in the hunt group is busy, the system hunts for the next available directory number in the group and directs the call to that phone. When you are away from your phone, you can log out of hunt groups to prevent hunt group calls from ringing your phone.

Tip
Logging out of hunt groups does not prevent calls from other groups from ringing your phone.

To...    Do this:

Log in to EM:
    1. Select the Services button > Extension Mobility Service (the name of this feature may vary).
    2. Enter your user ID and PIN (provided by your system administrator).
    3. If prompted, select a device profile.

Log out of EM:
    1. Select the Services button > Extension Mobility Service (the name of this feature may vary).
    2. When prompted to log out, press Yes.

To...    Do this:

Log out of hunt groups to temporarily block hunt group calls:
    Press HLog. The phone screen displays "Logged out of Hunt Group".

Log in to receive hunt group calls:
    Press HLog.
Using a Handset, Headset, and Speakerphone

You can use your phone with a handset, a headset, or the speakerphone.

To...    Do this:

Use the handset:
    Lift it to go off-hook. Replace it in its cradle to hang up.

Use a headset:
    Press the headset button to toggle headset mode on or off. If you use AutoAnswer, see "Using AutoAnswer," page 40, for exceptions.
    You can use the headset with all of the controls on your phone, including the Volume and Mute buttons.

Use the speakerphone:
    Press the speaker button to toggle speakerphone mode on or off.
    Most dialing and call-answering actions automatically trigger speakerphone mode, provided that the handset is in its cradle and the headset button is not lit.

Switch to the headset or speakerphone during a call (from the handset):
    Press the headset or speaker button, then hang up the handset.

Switch to the handset during a call (from the speakerphone or headset):
    Lift the handset (do not press any button).

Adjust the volume of a call:
    Press the Volume button during the call or after hearing the dial tone.
    This adjusts the volume of the handset, headset, or speakerphone, depending on which one is in use.
    Press Save to keep this volume level for future calls.

Obtaining a Headset

Your phone supports four- or six-wire headset jacks. For information about purchasing a headset, see "Headset Information," page 8.

Using AutoAnswer

When AutoAnswer is enabled, your phone automatically answers incoming calls after a few rings. Your system administrator configures AutoAnswer to work with either your speakerphone or your headset. You may want to use AutoAnswer if you receive a high volume of incoming calls.

If you...    Do this:

Use AutoAnswer with a headset:
    Keep headset mode active (in other words, the headset button must remain lit) even when you are not on a call.
    To keep headset mode active:
    • Press EndCall to hang up.
    • Press NewCall or Dial to make other calls.
    If your phone is configured to use AutoAnswer in headset mode, calls are answered automatically only while the headset button is lit. Otherwise, calls ring as usual and you must answer them manually.

Use AutoAnswer with the speakerphone:
    Leave the handset in its cradle and keep headset mode inactive (headset button unlit).
    Otherwise, calls ring as usual and you must answer them manually.
Using Phone Settings

You can personalize your Cisco Unified IP Phone by adjusting the ring tone, the background image, and other settings.

Customizing Rings and Message Indicators

You can customize how your phone indicates an incoming call and a new voice message. You can also adjust the ringer volume of the phone.

To...    Do this:

Change the ring tone:
    1. Select the Settings button > User Preferences > Rings.
    2. Choose a phone line or the default ring setting.
    3. Select a ring tone to play a sample of it.
    4. Press Select and Save to set the ring tone, or press Cancel.
    (Press Default to apply the default ring setting to the selected phone line.)

Change the ring pattern (flash only, ring once, beep only, and so on):
    1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages," page 47.)
    2. Choose Change the Ring Settings for your phone.
    Note: Before you can change the ring settings in the User Options web pages, your system administrator may need to enable this phone configuration option.

Adjust the ringer volume:
    Press the Volume button while the handset is in its cradle and the headset and speakerphone buttons are off. The new ringer volume is saved automatically.

Change how the voice message light on your handset indicates voice messages:
    1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages," page 47.)
    2. Choose Change the Message Waiting Lamp policy...
    Note: Typically, the default system policy for the voice message light on your handset tells your phone to always indicate a new voice message by lighting up.

Customizing the Phone Screen

You can adjust some settings of the phone screen to suit your needs.

To...    Do this:

Change the contrast level of the phone screen:
    1. Select the Settings button > User Preferences > Contrast.
    2. To make adjustments, press Up, Down, or the Navigation button.
    3. Press Save or Cancel.
    Note: If you accidentally save a very low or very high contrast level and can no longer see the phone screen display: press the Settings button, then 1, 3 on the keypad. Then adjust the contrast until the phone screen display is readable, and press Save.

Change the background image:
    1. Select the Settings button > User Preferences > Background Images.
    2. Scroll through the available images and press Select to choose one.
    3. Press Preview to see a larger view of the background image.
    4. Press Exit to return to the selection menu.
    5. Press Save to accept the image, or press Cancel.
    Note: If no image selection is displayed, this option has not been enabled on your system.

Change the language:
    1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages," page 47.)
    2. Select Change Language...

Change the line text label:
    1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages," page 47.)
    2. Select the option to change the line text label.
    Note: Your system administrator must enable access to this feature for you.
Using Call Logs and Directories

This section explains how to use call logs and directories. To access both features, use the Directories button.

Using Call Logs

Your phone maintains records of missed, placed, and received calls.

To...    Do this:

View your call logs:
    Select the Directories button > Missed Calls, Placed Calls, or Received Calls.
    Each log holds up to 100 records. To view a truncated list entry, highlight it and press EditDial.

Erase your call logs:
    Press the Directories button, then press Clear. This erases the call records from all logs.

Dial from a call log (while not connected to another call):
    1. Select the Directories button > Missed Calls, Placed Calls, or Received Calls.
    2. Highlight a call record in the log.
    Note: If the Details softkey is displayed, the call is the primary entry of a multiparty call. See the Tips below.
    3. If you need to edit the displayed number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You may need to press the more softkey to display Delete.)
    4. Go off-hook to place the call.

Dial from a call log (while connected to another call):
    1. Select the Directories button > Missed Calls, Placed Calls, or Received Calls.
    2. Highlight a call record in the log.
    Note: If the Details softkey is displayed, the call is the primary entry of a multiparty call. See the Tips below.
    3. If you need to edit the displayed number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You may need to press the more softkey to display Delete.)
    4. Press Dial.
    5. Choose a menu option to handle the original call:
    • Hold: puts the first call on hold and dials the second.
    • Transfer: transfers the first party to the second and drops you from the call. (Select this option again after dialing to complete the action.)
    • Conference: creates a conference call with all parties, including you. (Press Confrn after dialing to complete the action.)
    • EndCall: disconnects the first call and dials the second.

Tips
To view the complete call record of a multiparty call, press Details. The Details record shows two entries for each missed or received multiparty call. The entries appear in reverse chronological order:
• The first entry recorded is the name/number of the last completed multiparty call received on your phone.
• The second entry recorded is the name/number of the first completed multiparty call received on your phone.
Using the Corporate Directory on Your Phone

Depending on its configuration, your phone may provide access to a corporate directory, and thus to your coworkers' numbers. The corporate directory is configured and maintained by your system administrator.

Tip
Use the numbers on the keypad to enter characters on the phone screen. Use the Navigation button on your phone to move between input fields.

To...    Do this:

Dial from a corporate directory (while not connected to another call):
    1. Select the Directories button > Corporate Directory (the exact name of this service may vary).
    2. Enter a full or partial name, then press Search.
    3. To dial, select or scroll to a list entry, then go off-hook.

Dial from a corporate directory (while connected to another call):
    1. Select the Directories button > Corporate Directory (the exact name of this service may vary).
    2. Enter a full or partial name, then press Search.
    3. Scroll to a list entry and press Dial.
    4. Choose a menu option to handle the original call:
    • Hold: puts the first call on hold and dials the second.
    • Transfer: transfers the first party to the second and drops you from the call. (Select this option again after dialing to complete the action.)
    • Conference: creates a conference call with all parties, including you. (Press Confrn after dialing to complete the action.)
    • EndCall: disconnects the first call and dials the second.
Accessing Voice Messages

To access voice messages, use the Messages button.

Note: Your company determines the voice message service that your phone system uses. For the most accurate and detailed information, refer to the documentation that came with your voice message service.

To...    Do this:

Set up and personalize your voice message service:
    Press the Messages button and follow the voice instructions.
    If a menu appears on the screen, select the appropriate option.

Check whether you have a new voice message:
    Look for:
    • A steady red light on your handset. (This indicator can vary. See "Customizing Rings and Message Indicators," page 41.)
    • A flashing message-waiting icon and a text message on the phone screen.

Listen to your voice messages or access the voice message menu:
    Press the Messages button.
    Depending on your voice message service, this either automatically dials the voice message service or displays a menu.

Send a call to your voice message system:
    Press iDivert.
    This feature automatically transfers a call, including a ringing or held call, to your voice message system. Callers hear your voice message greeting and can leave a message.
Accessing Your User Options Web Pages

Because your Cisco Unified IP Phone is a network device, it can share information with other network devices in your company, including your computer and web-based services that you access through a browser.

You can set up phone services and control settings and features from your computer using the Cisco Unified CallManager User Options web pages. Once you have configured features and services in the web pages, you can access them from your phone.

For example, you can set up speed-dial buttons from the web pages and then access them from your phone.

This section explains how to access the User Options web pages and how to subscribe to phone services. For more information about the features you can configure and the phone services you can subscribe to, see Customizing Your Cisco Unified IP Phone on the Web at:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm

Logging In to the User Options Web Pages

Procedure
Step 1  Obtain a User Options URL, a user ID, and a default password from your system administrator.
Step 2  Open a web browser on your computer, enter the URL (provided by your system administrator), and log in.
Step 3  From the general menu, select your device type (phone model) in the "Select a device" drop-down list.
        Once you make your selection, a context-sensitive menu appears with options appropriate to your device type.
Step 4  Select an option to display the configuration page, then make the appropriate selections or changes.
Step 5  Click Update to apply and save your changes.
Step 6  Click Return to the Menu to go back to the context-sensitive menu, or click Log Off to exit the User pages.

Subscribing to Phone Services

Before you can access these services, you must subscribe to them by logging in to the User Options web pages from your computer. (For help logging in, see "Logging In to the User Options Web Pages," page 47.)

Phone services can include:
• Web-based information services, such as stock quotes, movie listings, and weather reports.
• Network data, such as corporate calendars and searchable corporate directories.
• Phone features, such as My Fast Dials and a personal address book.

See the following table for more information.

To...    After you have logged in and selected your device type, do this:

Subscribe to a service:
    From the main menu, select Configure your Cisco Unified IP Phone Services. Select a service from the "Available Services" drop-down list, then click Continue. Enter any additional information requested (for example, a zip code or a PIN), then click Subscribe.

Change or end a subscription:
    From the main menu, select Configure your Cisco Unified IP Phone Services. Click a service in the "Your Subscribed Services" panel. Click Update after making your changes, or click Unsubscribe.

Assign a service to a programmable button:
    After subscribing to a service, select Add/Update your Service URL Buttons from the main menu. For each available button, select a service from the drop-down list and enter a description. When you have finished making changes, click Update. Your system administrator determines how many programmable buttons can be assigned to services. The administrator can also assign service buttons to your phone.

Access a service on your phone:
    Press the Services button on your phone. Alternatively, press a programmable button that is assigned to a service (if available).

Learn how to use phone services:
    See Customizing Your Cisco Unified IP Phone on the Web at:
    http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm
Understanding Additional Configuration Options

Your system administrator can configure your phone to use specific button and softkey templates, along with special features and services, where appropriate. The table below provides an overview of some configuration options that you may want to ask your phone system administrator about, depending on your calling needs or work environment.

Note: You can find the phone guides and other documents referenced in this table on the web:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm

If you...    Do this:    For more information...

Need to handle several calls on your phone line:
    Ask your system administrator to configure your line to support several calls.
    For more information: contact your system administrator or phone support team.

Need several phone lines:
    Ask your system administrator to configure one or more additional directory numbers for you.
    For more information: contact your system administrator or phone support team.

Need more speed-dial buttons:
    First make sure that you are already using all of the speed-dial buttons available to you.
    If you need additional speed-dial buttons, use Abbreviated Dialing or subscribe to the Fast Dial service.
    You can also add the Cisco Unified IP Phone Expansion Module 7914 to your phone.
    For more information, see:
    • "Speed Dialing," page 30
    • "Subscribing to Phone Services," page 48
    • Cisco IP Phone Expansion Module 7914 Phone Guide

Work with an administrative assistant (or as an administrative assistant):
    Consider using:
    • The Cisco IP Manager Assistant service.
    • A shared line.
    For more information, see:
    • "Using a Shared Line," page 32
    • Cisco IP Manager Assistant User Guide

Want to use one extension number on several phones:
    Request a shared line. This lets you use a single extension number for your desk phone and your lab phone, for example.
    For more information, see "Using a Shared Line," page 32.

Share phones or office space with coworkers:
    Consider using:
    • Call Park to store and retrieve calls without using the transfer feature.
    • Call Pickup to answer calls ringing on another phone.
    • A shared line to view or join your coworkers' calls.
    • Cisco Extension Mobility to assign your phone number and user profile to a shared Cisco Unified IP Phone.
    For more information: ask your system administrator for details about these features, and see:
    • "Advanced Call Handling," page 30
    • "Using a Shared Line," page 32
    • "Using Cisco Extension Mobility," page 38

Answer a large number of calls or handle calls on behalf of someone else:
    Ask your system administrator to configure AutoAnswer on your phone.
    For more information, see "Using AutoAnswer," page 40.

Need to make video calls:
    Consider using Cisco VT Advantage to make video calls with your Cisco Unified IP Phone, a computer, and an external video camera.
    For more information: contact your system administrator if you need help, and see the Cisco VT Advantage Quick Start Guide and Cisco VT Advantage User Guide.

Want to temporarily assign your phone number and settings to a shared Cisco Unified IP Phone:
    Ask your system administrator for details about the Cisco Extension Mobility service.
    For more information, see "Using Cisco Extension Mobility," page 38.
Troubleshooting Your Phone

This section provides troubleshooting information for your Cisco Unified IP Phone.

General Troubleshooting Information

This section helps you troubleshoot problems with your phone. For more information, contact your system administrator.

Symptom: You hear no dial tone or you cannot make a call
Explanation: One or more of the following may be the cause:
• You must log in to the Extension Mobility service.
• You must enter a client matter code or a forced authorization code after dialing a number.
• Your phone is subject to time-of-day restrictions during which certain features are not available.

Symptom: The Settings button does not respond
Explanation: Your system administrator may have disabled the Settings button on your phone.

Symptom: The softkey you want to use does not appear
Explanation: One or more of the following may be the cause:
• You must press more to display additional softkeys.
• You must change the line state (for example, go off-hook or establish a call).
• Your phone is not configured to support the feature associated with that softkey.

Symptom: Join fails
Explanation: Join requires several selected calls. Make sure you select at least one call in addition to the active call, which is selected automatically. Join also requires that the selected calls be on the same line. If necessary, transfer the calls to a single line before joining them.

Symptom: Using the Barge softkey fails with a fast busy tone
Explanation: You cannot barge into an encrypted call if the phone you are using is not configured for encryption. If your barge attempt fails for this reason, the phone plays a fast busy tone.

Symptom: You are disconnected from a call that you joined using the Barge softkey
Explanation: When you connect to a call using Barge, you may be disconnected from it if the call is put on hold, transferred, or turned into a conference call.

Symptom: Cisco Call Back fails
Explanation: The other party may have call forwarding enabled.

Viewing Phone Administration Data

Your system administrator may ask you to access phone administration data for troubleshooting purposes.

If you need to... Access network configuration data
Do this: Choose Settings > Network Configuration, then the network configuration item you want to view.

If you need to... Access status data
Do this: Choose Settings > Status, then the status item you want to view.

If you need to... Access the phone's model information
Do this: Choose Settings > Model Information.

If you need to... Access call quality and voice quality information for your phone
Do this: Choose Settings > Status > Call Statistics.

Using the Quality Reporting Tool (QRT)

Your system administrator may temporarily configure your phone with the Quality Reporting Tool to troubleshoot performance problems. You can press QRT to send information to your system administrator. Depending on its configuration, QRT lets you:
• Report an audio problem on the current call immediately.
• Select a general problem from a list and choose reason codes.
Cisco One-Year Limited Hardware Warranty Terms

Special terms apply to your hardware warranty, and various services are available to you during the warranty period. Your formal warranty statement, including the warranty applicable to Cisco software, is available on the Cisco Documentation CD and on Cisco.com. Follow these steps to download the Cisco Information Packet and the warranty document (from the CD or from Cisco.com).

1. Launch your browser and go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm
The Warranties and License Agreements page appears.

2. To read the Cisco Information Packet, follow these steps:
a. Click the Information Packet Number field and make sure that part number 78-5235-02F0 is highlighted.
b. Select the language in which you want to read the document.
c. Click Go.
d. The Cisco Limited Warranty and Software License page for the Information Packet appears.
e. Read the document online or click the PDF icon to download and print it in Adobe Portable Document Format (PDF).

Note: You must have Adobe Acrobat Reader installed to view and print PDF files. You can download the Reader software from the Adobe website: http://www.adobe.com.

3. To read the translated and localized warranty information for your product, follow these steps.
a. Enter the following part number in the Warranty Document Number field:
78-10747-01C0
b. Select the language in which you want to view the document.
c. Click Go.
The Cisco warranty page appears.
d. Read the document online or click the PDF icon to download and print it in Adobe Portable Document Format (PDF).

You can also contact the Cisco Service and Support website for assistance:
http://www.cisco.com/public/Support_root.shtml.

Duration of Hardware Warranty
One (1) year

Replacement, Repair, or Refund Policy for Hardware
Cisco or its service center will use commercially reasonable efforts to ship a replacement part within ten (10) working days after receipt of a Return Materials Authorization request. Actual delivery times may vary depending on the customer's location.

Cisco reserves the right to refund the purchase price as its exclusive warranty remedy.

Obtaining a Return Materials Authorization Number
Contact the company from which you purchased the product. If you purchased the product directly from Cisco, contact your Cisco Sales and Service Representative.

Complete the information below and keep it for reference.
Product purchased from
Company phone number
Product model number
Product serial number
Maintenance contract number
Index

A
Accessibility features 5
Answering calls, options 20
Audio problems 52
Authenticated calls 36
Auto Answer 40
Auto Dial 18

B
Barge
    and privacy 34
    and shared lines 32
    using 33

C
Call activity area 13
Call Back 17
Call forwarding 25
Call handling
    advanced 30
    basic 17
Call logs
    viewing and dialing from 43
    erasing 43
Call Park 35
Call pickup 31
Call waiting 20
Calls
    display 13
    viewing 22
    holding and resuming 21
    prioritizing 37
    with multiple parties 26
    compared with lines 15
    placing 17
    ending 21
    conference features 26
    handling 22
    icons 16
    multiple, viewing 23
    maximum number per line 15
    parking 35
    reporting problems 52
    redirecting ringing calls 20, 31
    forwarding 25
    answering 20
    secure 36
    storing and retrieving 35
    transferring 23
    using Mute 22
cBarge, see Barge
Cisco Unified IP Phone
    online help 15
    feature configuration 16, 49
    description 9
    registering 7
    securing the handset rest 7
    illustration 10
    connecting 6
    adjusting the height 7
    web services 47
Conference calls
    Meet-Me 26, 29
    standard 26, 27
Corporate directory
    dialing from a web page 19
    using on the phone 18

D
Dialing, options 17
Directed Call Park 35
Directories button, description 11
Directory
    dialing from a web page 19
    using on the phone 18, 43

E
Encrypted calls 36
Ending calls, options 21
Extension Mobility
    logging in 38
    logging out 38
Extension number 13

F
Fast Dial service
    subscribing 48
    dialing 19
Feature buttons
    Help 11
    Messages 11
    Settings 12
    Directories 11
    Services 12
Features, availability 16, 49
Footstand
    button, identifying 11
    adjusting 7
Forwarding calls, options 25

G
Group call pickup 31
Guidelines, safety 3

H
Handling multiple calls 22
Handset
    light strip 12
    securing in its cradle 7
    using 39
Hanging up, options 21
Headset
    button, identifying 12
    mode 39
    hanging up 21
    answering calls 20
Headset performance, general 8
Help button, description 11
Help, using 15
Hold
    and switching calls 22
    and transferring 23
    using 21
Hunt group 38

I
Icons, for call states 16
Installing the Cisco Unified IP Phone 6

K
Keypad, description 12

L
Line buttons, identifying 11
Lines
    display 13
    description 15
Logging out of hunt groups 38

M
Malicious Call Identification (MCID), using 36
Meet-Me conferences 26, 29
Menus, using 16
Messages
    listening to 46
    indicator 41, 46
Messages button, description 11
Missed calls, records of 43
MLPP, using 37
Mute, using 22
Mute button, description 12

N
Navigation button, description 12
Network configuration data, locating 51

O
On-hook dialing 18
Online help, using 15
Option menus, using 16

P
Personal Address Book
    subscribing 48
    dialing from 19
Phone line
    display 13
    buttons 11
    description 15
Phone screen
    features 13
    changing the language 42
    cleaning 14
    adjusting the contrast 42
Placed calls, records of 43
Placing calls, options 17
Pre-dialing 18
Prioritizing calls 37
Privacy
    and shared lines 32
    using 34
Programmable buttons
    description 11
    labels 13

Q
QRT, using 52

R
Received calls, records of 43
Remote-in-use icon for shared lines 32
Resume, using 21
Ringer
    indicator 12
    customizing 41

S
Safety, guidelines 3
Secure calls 36
Services, subscribing to 48
Services button, description 12
Settings button, description 12
Shared lines
    with Barge 33
    with Privacy 34
    description 32
    and remote-in-use icon 32
Softkeys
    description 12
    labels 13
Speakerphone
    button, identifying 12
    mode 39
    hanging up 21
    answering calls 20
Speed dial 30
    buttons, identifying 11
    labels 13
    using 18
Status data, locating 51
Status line 13
Suspicious calls, tracing 36
Switching calls 22

T
TAPS, using 7
Text, entering on the phone 16
Tool for Auto-Registered Phones Support (TAPS) 7
Transferring, options 23
Troubleshooting 51

U
User Options web pages
    accessing 47
    and phone services 48

V
Voice message indicator 46
Voice message service 46
Volume button, description 12

W
WebDialer 19

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: +1 408 526-4000
+1 800 553-NETS (6387)
Fax: +1 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: +31 0 20 357 1000
Fax: +31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: +1 408 526-7660
Fax: +1 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco website at:
www.cisco.com/go/offices

South Africa • Germany • Saudi Arabia • Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • Cyprus • Colombia
Korea • Costa Rica • Croatia • Denmark • Dubai, United Arab Emirates • Scotland • Spain • United States • Finland • France • Greece
Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Luxembourg • Malaysia • Mexico • Norway • New Zealand • The Netherlands • Peru
Philippines • Poland • Portugal • Puerto Rico • Hong Kong SAR • People's Republic of China • Czech Republic • Romania • United Kingdom
Russia • Singapore • Slovakia • Slovenia • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • Venezuela • Vietnam • Zimbabwe

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc. Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc. Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or on the website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0601R)

© 2006 Cisco Systems, Inc. All rights reserved.
OL-9616-01
The Java logo is a trademark or registered trademark of Sun Microsystems, Inc. in the United States or other countries.
Copyright © 2011, Meraki, Inc.
Meraki Cloud Controller
Product Manual
December 2011
® Meraki Cloud Controller Product Manual | 2
www.meraki.com
660 Alabama St.
San Francisco, California 94110
Phone: +1 415 632 5800
Fax: +1 415 632 5899
Copyright: © 2011 Meraki, Inc. All rights reserved.
Trademarks: Meraki® is a registered trademark of Meraki, Inc.
Table of Contents
1 Introduction............................................................................................................. 10
1.1 Primary MCC Functions..................................................................................................................... 10
1.2 MCC Versions.................................................................................................................................... 10
1.3 MCC Layout....................................................................................................................................... 11
1.4 How to Use This Document............................................................................................................... 11
2 System Overview .................................................................................................... 13
2.1 Data Flow........................................................................................................................................... 14
2.2 Centralized Management and Monitoring.......................................................................................... 14
2.3 Security.............................................................................................................................................. 14
2.4 Network Optimization......................................................................................................................... 14
2.5 Availability.......................................................................................................................................... 14
2.6 Mesh Networking............................................................................................................................... 15
2.7 Over-the-Air Upgrades....................................................................................................................... 15
3 Getting Started........................................................................................................ 16
4 Configuring SSIDs .................................................................................................. 17
5 Assigning IP Addresses to Wireless Clients........................................................ 18
5.1 NAT Mode.......................................................................................................................................... 18
5.2 Bridge Mode (Enterprise Only).......................................................................................................... 18
5.3 VPNs.................................................................................................................................................. 19
6 Configuring the LAN............................................................................................... 20
6.1 Firewall Settings ................................................................................................................................ 20
6.2 Assigning IP Addresses to Meraki APs ............................................................................................. 20
6.2.1 Configuring a Static IP Address Directly on a Meraki AP............................................................... 20
6.2.2 Configuring a Static IP Address for a Meraki AP via DHCP Reservations ..................................... 21
7 Wireless Encryption and Authentication.............................................................. 22
7.1 Association Requirements................................................................................................................. 22
7.1.1 Open............................................................................................................................................... 23
7.1.2 MAC-Based Access Control (Enterprise Only)............................................................................... 23
7.1.3 Pre-Shared Keys (WEP, WPA/WPA2-Personal)............................................................................ 23
7.1.4 WPA2-Enterprise with 802.1x Authentication (Enterprise Only)..................................................... 24
7.2 Network Sign-On Methods................................................................................................. 24
7.2.1 Direct Access.................................................................................................................................. 25
7.2.2 Click-Through Splash Page............................................................................................................ 25
7.2.3 Sign-On Splash Page ..................................................................................................................... 25
7.2.4 Billing .............................................................................................................................................. 26
7.2.5 Hosting Your Own Splash Page..................................................................................................... 26
7.3 Configuring an Authentication Server................................................................................................ 26
7.3.1 Meraki-Hosted Authentication Server............................................................................................. 26
7.3.2 Externally Hosted RADIUS Server ................................................................................................. 27
7.3.3 Externally Hosted Active Directory Server...................................................................................... 29
7.3.4 Externally Hosted LDAP Server...................................................................................................... 31
8 Monitoring................................................................................................................ 33
8.1 Overview Page .................................................................................................................................. 33
8.2 All-Network Overview Page............................................................................................................... 34
8.3 Maps Page (Enterprise Only) ............................................................................................................ 34
8.4 Access Points Page........................................................................................................................... 35
8.5 Access Point Details Page................................................................................................................. 36
8.5.1 AP Tagging..................................................................................................................................... 37
8.6 Clients Page ...................................................................................................................................... 39
8.6.1 Clients Overview Page Features .................................................................................................... 39
8.6.2 Traffic Analysis (Enterprise Only)................................................................................................... 40
8.6.3 Client Details Page ......................................................................................................................... 41
8.6.4 Client Location Services ................................................................................................................. 43
8.7 Event Log Page (Enterprise Only)..................................................................................................... 44
8.8 Rogue APs Page (Enterprise Only)................................................................................................... 45
8.9 WIPS Page (Enterprise Only)............................................................................................................ 45
8.10 Summary Report Page (Enterprise Only)......................................................................................... 45
8.11 PCI Reports Page (Enterprise Only)................................................................................................. 45
8.12 Live Updates (Enterprise Only)......................................................................................................... 46
8.13 Search Tool....................................................................................................................................... 46
8.14 Email Alerts....................................................................................................................................... 46
8.15 Export XML Data .............................................................................................................................. 46
8.16 Logins Page...................................................................................................................................... 47
8.17 Account Activity Page....................................................................................................................... 47
9 VLAN Tagging (Enterprise Only)........................................................................... 48
9.1 Per-SSID VLAN Tagging................................................................................................... 49
9.2 Per-User VLAN Tagging.................................................................................................................... 49
9.3 Per-Device Type VLAN Tagging........................................................................................................ 50
9.4 Management Traffic........................................................................................................................... 50
9.5 Configuring the LAN to Support VLAN Tagging ................................................................................ 50
9.6 Other Considerations......................................................................................................................... 50
10 User Access Control Features .............................................................................. 51
10.1 Network Access Control.................................................................................................................... 51
10.2 MAC Whitelist ................................................................................................................................... 52
10.3 MAC Blacklist.................................................................................................................................... 52
10.4 Bandwidth Shaping........................................................................................................................... 53
10.5 Adult Content Filtering ...................................................................................................................... 53
10.6 Firewall Rules for Wireless Users..................................................................................................... 54
10.6.1 LAN Isolation ................................................................................................................................ 54
10.6.2 Custom Firewall Rules (Enterprise Only)...................................................................................... 54
10.7 Captive Portal Strength..................................................................................................................... 55
10.8 Enable/Disable Simultaneous Logins ............................................................................................... 55
10.9 Walled Garden (Enterprise Only)...................................................................................................... 55
11 Identity Policy Manager (Enterprise Only) ........................................................... 57
11.1 How IPM Works................................................................................................................................ 57
11.2 How to Configure IPM....................................................................................................................... 58
11.2.1 Define a Group Policy on the RADIUS Server.............................................................................. 58
11.2.2 Define a Group Policy on the MCC............................................................................................... 58
11.2.3 Test the IPM Configuration........................................................................................................... 60
12 Traffic Shaper (Enterprise Only) ........................................................................... 61
12.1 Configuring Shaping Policies............................................................................................................ 61
12.1.1 Creating Shaping Rules................................................................................................................ 61
12.1.2 Example Shaping Policy............................................................................................................... 62
13 Guest Management (Enterprise Only) .................................................................. 63
14 Rogue AP Detection (Enterprise Only)................................................................. 64
15 Wireless Intrusion Prevention System (Enterprise Only)................................... 66
16 Wireless Features................................................................................................... 67
16.1 AutoRF.............................................................................................................................................. 67
16.2 Channel Selection............................................................................................................. 67
16.3 Channel Spreading (Enterprise Only)............................................................................................... 68
When automatic channel selection is configured, an administrator can configure "channel spreading", which allows Meraki APs to operate on different channels. Channel spreading selects channels that minimize RF utilization and interference in the network, thereby maximizing overall network performance and client capacity (i.e., the number of wireless clients that can connect to the network). ......................... 68
16.4 Network Scans (Enterprise Only)...................................................................................................... 68
16.5 Spectrum Analysis (Enterprise Only)................................................................................................ 68
16.6 Transmit Power Control (Enterprise Only)........................................................................................ 69
16.7 Radio Settings Page (Enterprise Only)............................................................................................. 69
16.7.1 Radio Controls.............................................................................................................................. 69
16.7.2 Channel Planning Report.............................................................................................................. 69
16.8 SSID Availability Page...................................................................................................................... 69
16.8.1 SSID Visibility (Enterprise Only)................................................................................................... 69
16.8.2 SSID Broadcast Controls By AP (Enterprise Only)....................................................................... 70
16.8.3 Timed SSID Broadcasting (Enterprise Only)................................................................................ 71
16.9 Band Selection and Band Steering (Enterprise Only)....................................................................... 71
16.10 Disabling Legacy 802.11b Bitrates (Enterprise Only)....................................................................... 71
16.11 Software Upgrades........................................................................................................................... 72
16.11.1 Preferred Maintenance Window (Enterprise Only)..................................................................... 72
16.12 Mesh Networking.............................................................................................................................. 72
16.13 Wired Clients..................................................................................................................................... 73
16.14 Wireless Bridging.............................................................................................................................. 73
16.15 Quality of Service.............................................................................................................................. 73
16.16 Power Save....................................................................................................................................... 74
16.17 Run Dark........................................................................................................................................... 74
16.18 Accessing the AP’s Local Web Page................................................................................................ 74
17 Branding.................................................................................................................. 75
17.1 Splash Page ..................................................................................................................................... 75
17.1.1 Meraki-Hosted Splash Page......................................................................................................... 75
17.1.2 Externally Hosted Splash Page.................................................................................................... 75
17.1.3 Splash Page Frequency ............................................................................................................... 75
18 Billing....................................................................................................................... 77
19 Administering Multiple Networks.......................................................................... 78
19.1 Organizations.................................................................................................................................... 78Meraki Cloud Controller Product Manual | 7
An “organization” consists of a collection of networks and a collection of administrative accounts. Every
administrator has an account in the MCC that is part of an organization. An organization is covered by a
single license. (For more information on licensing, see Chapter 21, “Licensing”)....................... 78
19.2 Administrators................................................................................................................................... 78
19.2.1 Organization Administrators ......................................................................................................... 78
19.2.2 Network Administrators................................................................................................................. 79
19.3 Moving APs between Networks or Organizations............................................................................. 79
20 Teleworker VPN ...................................................................................................... 80
20.1 Typical Use Cases............................................................................................................................ 80
20.2 How It Works..................................................................................................................................... 80
20.3 The Virtual Concentrator................................................................................................................... 80
20.4 Creating the Virtual Concentrator Network....................................................................................... 81
20.5 Installing the Virtual Concentrator..................................................................................................... 81
20.6 Monitoring the Virtual Concentrator.................................................................................................. 82
20.6.1 Overview....................................................................................................................................... 82
20.6.2 Concentrator Status...................................................................................................................... 82
20.6.3 Clients........................................................................................................................................... 82
20.6.4 Event Log...................................................................................................................................... 82
20.6.5 Summary Report........................................................................................................................... 82
20.7 Configuring the Virtual Concentrator ................................................................................................ 83
20.7.1 Concentrator Settings................................................................................................................... 83
20.7.2 Alerts and Administrators.............................................................................................................. 83
20.8 Configuring Remote APs .................................................................................................................. 83
20.9 Create Remote Site Network and Add APs...................................................................................... 84
20.9.1 Configure SSIDs to Tunnel........................................................................................................... 84
20.9.2 Configure Split Tunnel.................................................................................................................. 84
20.9.3 Tunneling wired client traffic ......................................................................................................... 84
20.10 Configuration Best Practices ............................................................................................................ 85
20.10.1 Concentrator Location(s)............................................................................................................ 85
20.10.2 Firewall Settings ......................................................................................................................... 86
21 Licensing................................................................................................................. 87
21.1 Adding Licenses ............................................................................................................................... 87
21.2 Cloud Controller Upgrades ............................................................................................................... 88
21.3 Renewing Licenses........................................................................................................................... 88
21.4 Expired Licenses or Exceeding the Licensed AP Limit..................................................................... 88
22 Troubleshooting ..................................................................................................... 89
23 References .............................................................................................................. 90
24 Appendix A: Example Office Configuration......................................................... 91
24.1 Objectives......................................................................................................................................... 91
24.2 Implementation Alternatives ............................................................................................................. 92
24.3 Assumptions ..................................................................................................................................... 92
24.4 Configuration for Guests................................................................................................................... 93
24.4.1 Configuration Settings .................................................................................................................. 93
24.4.2 Configure a Splash Page.............................................................................................................. 93
24.4.3 Create a Guest Ambassador........................................................................................................ 94
24.5 Configuration for Employees ............................................................................................................ 95
24.5.1 Dashboard Configuration.............................................................................................................. 95
24.5.2 Configure Meraki APs as RADIUS Clients in NPS....................................................................... 96
24.5.3 Testing RADIUS Authentication.................................................................................................... 97
24.6 Configuration for Contractors............................................................................................................ 98
24.6.1 Configuration for Users................................................................................................................. 98
24.6.2 Configuration of NPS Policies..................................................................................................... 100
24.6.3 Configuration of Group Policy in the Meraki Cloud Controller.................................................... 103
24.6.4 Testing the Group Policy Application.......................................................................................... 104
24.7 Traffic Shaping Configuration ......................................................................................................... 105
24.8 Summary......................................................................................................................................... 106
25 Appendix B: Example Teleworker VPN Configuration...................................... 107
25.1 Objectives....................................................................................................................................... 107
25.2 Virtual Concentrator Installation...................................................................................................... 108
25.2.1 Virtual Concentrator Network...................................................................................................... 108
25.2.2 Virtual Concentrator Configuration Settings ............................................................................... 109
25.2.3 Installing the Virtual Concentrator in VMware............................................................................. 110
25.3 Remote Site Network Configuration ............................................................................................... 111
25.3.1 Remote Site Network.................................................................................................................. 111
25.4 AP Pre-Configuration...................................................................................................................... 113
26 Appendix B: Miscellaneous Configuration Settings ......................................... 115
26.1 FreeRADIUS Configuration............................................................................................................. 115
26.1.1 Configuration for APs (clients.conf file)....................................................................................... 115
26.1.2 Configuration for Users (Users file) ............................................................................................ 115
26.1.3 Configuration for WPA2-Enterprise with 802.1x Authentication (eap.conf file)........................... 116
26.2 Switch Configuration for VLAN Tagging ......................................................................................... 116
27 Appendix C: RADIUS Attributes.......................................................................... 117
27.1 Authentication Attributes................................................................................................................. 117
27.1.1 Attributes Supported in Access-Request Messages................................................................... 117
27.1.2 Attributes Supported in Access-Accept Messages..................................................................... 117
27.1.3 Attributes Supported in Access-Reject Messages...................................................................... 118
27.2 Accounting Attributes...................................................................................................................... 119
28 Appendix D: Meraki-Hosted Splash Page Variables ......................................... 120
1 Introduction
The Meraki Cloud Controller (MCC) provides centralized management,
optimization, and monitoring of a Meraki wireless LAN system. The MCC is not
an appliance that an administrator must purchase and install in a data center to
manage wireless access points (APs). Rather, the MCC is a cloud-based service
that is constantly monitoring, optimizing, and reporting on the behavior of the
network.
1.1 Primary MCC Functions
An administrator uses the MCC to configure and monitor Meraki wireless
networks. The MCC provides the following primary functions:
• Centralized configuration:
o Configuration of multiple geographically distributed networks.
o Secure access to configuration settings via a web browser.
• Network optimization:
o Performance optimization through RF management.
o Diagnostic tools to enable proper AP placement.
• Centralized monitoring:
o Usage statistics, login history, and alerts.
o Remote troubleshooting and issue diagnosis.
1.2 MCC Versions
There are two versions of the MCC:
• Meraki Enterprise Cloud Controller: The Meraki Enterprise Cloud
Controller enables companies and organizations to set up secure
wireless LANs. Examples include offices, warehouses, retail stores,
educational campuses, and healthcare institutions.
• Meraki Pro Cloud Controller: The Meraki Pro Cloud Controller is for
basic wireless deployments that require Internet-only access. Examples
include fee-based wireless hotspots, coffee shops, and other amenity
networks.
This manual addresses all features supported by the Meraki Enterprise Cloud
Controller and the Meraki Pro Cloud Controller. Some features in the Meraki
Enterprise Cloud Controller are not available in the Meraki Pro Cloud Controller;
these features are designated as “Enterprise Only”.
1.3 MCC Layout
Figure 1 is a screenshot of the main page of the Meraki Enterprise Cloud
Controller’s administrator interface.
Figure 1 – Meraki Enterprise Cloud Controller Administrator Interface
The 3 tabs in the left navigation panel are as follows:
• Monitor: View information about APs, client devices, and users.
• Configure: Configure the various features of the MCC, such as SSIDs,
authentication, and branding.
• Help: Get access to technical support and the Meraki knowledge base.
1.4 How to Use This Document
The chapters in this manual begin with more basic topics and progress to more
advanced topics. The chapters are roughly grouped as follows:
Chapters 1-2, Overview: These chapters provide an introduction to the Meraki
wireless solution.
Chapters 3-8, Basic Topics: These chapters enable an administrator to get a simple
wireless network up and running. Wireless and networking fundamentals are
reviewed.
Chapters 9-17, Advanced Topics: These chapters describe sophisticated features
that enable administrators to manage and monitor their Meraki wireless networks
more effectively.
Chapters 18-20, Administrative Topics: These chapters discuss some of the
features and functions pertaining to Meraki network administrators.
Chapters 21-25, References and Appendices.
2 System Overview
This chapter explains how the MCC operates and fits into the overall Meraki
system.
In the Meraki architecture, there is only one type of hardware: access points
(APs). There is no need for specialized hardware controllers or management
appliances. Meraki APs tunnel back to the MCC via a secure Internet connection.
All control, configuration, optimization, and mobility control functions are
centralized in Meraki’s network operations centers (NOCs), which are distributed
geographically around the world. These NOCs provide physical security to the
MCC, as well as high availability through power backups and redundant servers
in hot standby mode. The geographical distribution of the NOCs also improves
the performance of Meraki wireless networks by minimizing the distance that
traffic from those networks needs to travel to contact the MCC.
An administrator can use the MCC to make configuration changes and obtain
reporting information on his networks. For example, the administrator may wish
to change the bandwidth available to guests accessing the network. Once that
change is made through the MCC, all APs automatically receive the new
configuration.
Figure 2 depicts the primary components of a Meraki wireless system.
Figure 2 – Meraki Wireless System Architecture
2.1 Data Flow
The MCC is “out of band,” which means that client traffic never flows through the
MCC. This architecture is important both for performance as well as security
reasons. It is not possible for an unauthorized person having access to the MCC
to see user data, and the MCC is not a bottleneck for data traffic flows. Thus, the
system operates securely and efficiently.
2.2 Centralized Management and Monitoring
MCC management and monitoring activities are performed remotely through the
Meraki Dashboard, the web-based interface to the MCC. Dashboard can be
accessed using any JavaScript-capable Internet web browser, including Firefox,
Internet Explorer, and Chrome. Unlike other solutions, there is no need to install
and maintain separate management servers or appliances. The administrator
can troubleshoot multiple wireless networks remotely from a single interface.
Through the Meraki Dashboard, administrators have access to standard
troubleshooting tools, such as ping and throughput tests. In addition,
administrators can monitor bandwidth and usage data, either through the Meraki
Dashboard or with existing monitoring infrastructure using Meraki’s XML-based
API. An administrator can build custom monitoring and reporting applications
based on historical statistics without installing additional software or hardware on
site.
2.3 Security
Control traffic flows between the APs and the MCC via a persistent secure
tunnel. All sensitive data, such as configuration details, user names, and
passwords, are encrypted. In addition, traffic between APs in a Meraki network is
encrypted using a per-network Advanced Encryption Standard (AES) key. The
MCC distributes the secret network key over SSL when each AP downloads its
configuration. The in-network encryption is performed with the assistance of
hardware accelerators, and does not cause performance degradation or
increased latency on a per-hop basis. Furthermore, security keys (such as WEP
or WPA2 encryption keys) cannot be retrieved off an access point even if an
attacker has physical possession of the device.
2.4 Network Optimization
The MCC provides round-the-clock optimization of the Meraki wireless network.
Meraki’s Auto RF optimization capability monitors channel utilization and
interference, ensuring the network is operating at peak performance. The MCC
can minimize channel utilization in any given part of the network by assigning
channels to the individual radios and by adjusting the radio transmit powers.
Mesh routes are also constantly updated to ensure maximum client throughput.
2.5 Availability
Multiple geographically distributed Meraki data centers are used to ensure that
networks continue to function even in the event of a catastrophic failure. In case
the MCC is ever unreachable (e.g., because the Internet route to the MCC has
gone down temporarily), Meraki networks that do not use the MCC for
authentication or splash page hosting continue to operate, providing wireless
connectivity to users using the last configuration they obtained from the MCC.
Configuration changes and firmware upgrades resume when the MCC is
reachable again.
2.6 Mesh Networking
All Meraki APs support mesh networking. A Meraki AP automatically configures
as either a mesh gateway or a mesh repeater. A mesh gateway is an AP that
connects directly to a wired network, such as an enterprise LAN or T1 modem. A
mesh repeater does not require a wired connection. Instead, it identifies the
nearest mesh gateway in its network and spreads wireless connectivity from that
mesh gateway over a wider coverage area. A collection of mesh repeaters and
mesh gateways form a wireless mesh network. The data flowing from a client
may go through several mesh repeaters before reaching a mesh gateway, at
which point the data enters the wired network.
2.7 Over-the-Air Upgrades
New features require no client- or server-side upgrades, but instead are added to
the MCC several times per year with minimal downtime. Meraki also manages
firmware upgrades centrally, freeing the administrator from having to worry about
keeping the APs up-to-date. Firmware upgrades take place over the air in a
secure, fault-tolerant fashion. Network administrators receive an email alert
several weeks in advance of a firmware upgrade and a notice will be posted in
Dashboard notifying them of the exact time that the upgrade will occur. If
necessary the upgrade can be delayed or rescheduled by contacting Meraki
Support.
3 Getting Started
This chapter describes how to configure a Meraki wireless network for the first
time.
There are 3 simple steps to creating and configuring a Meraki wireless network:
Step 1: Create an account.
To manage Meraki wireless networks through the MCC, an administrator needs
to create an account at http://dashboard.meraki.com. The administrator’s email
address will be used as the login ID.
Step 2: Run the Quick Start application.
After logging into an account, the administrator can use the Quick Start
application to create the first wireless network. The steps include naming the
network, adding APs, and configuring the APs with access policies.
If creating multiple, similar networks for different sites (e.g., a chain of retail
stores), an administrator has the option to copy configuration settings from an
existing Dashboard network to save time. In this case, all SSID and network-wide
settings (e.g., administrators, alerts, etc.) will be copied to the new network.
Note: An administrator can create a “live demo” network at this step, which
provides a fully configurable wireless network without any physical APs. With a
simulated network, an administrator can manage a network consisting of virtual
APs and sample usage data to experience the MCC with minimal investment.
Step 3: Test the network.
The administrator can now test the basic settings in the wireless network. The
administrator can then iteratively test and configure additional wireless settings.
4 Configuring SSIDs
An SSID is a logical wireless network, sometimes referred to as a virtual access
point (VAP). In practice, the SSID is the name of a wireless network that a client
“discovers” when it probes for available wireless networks in the environment.
Multiple SSIDs allow an administrator to use a single physical Meraki network to
support multiple applications with different configuration requirements. For
example, one SSID can allow visitor access to only the Internet without any
encryption, and another SSID can require employees to utilize encryption for
access to company servers.
The MCC supports multiple SSIDs. The Enterprise Cloud Controller supports up
to 16 SSIDs in networks that contain all 802.11n APs, and up to 4 SSIDs in
networks that contain 802.11b/g APs. The Pro Cloud Controller supports up to 2
SSIDs. Each SSID is configurable with its own settings for authentication,
encryption, bandwidth limits, etc.
SSID settings are located under the Configure tab in the MCC. Figure 3 is a
screenshot of the SSID Overview page:
Figure 3 – SSID Overview Page
The following elements can be configured on a per-SSID basis and are described
in subsequent chapters:
• Client IP addressing
• LAN configuration (e.g., VLAN tagging)
• Wireless encryption and authentication (e.g., WPA2-Personal, WPA2-
Enterprise with 802.1x authentication)
• User access control (e.g., per-user and group policies)
• Traffic shaping (e.g., application-specific usage policies)
• Wireless features (e.g., band steering)
• Branding (e.g., splash page / captive portal)
5 Assigning IP Addresses to Wireless Clients
The administrator can assign IP addresses to wireless clients via one of the
following two addressing modes. The addressing mode is configured on a per-SSID
basis under the Configure tab on the Access Control page.
5.1 NAT Mode
In NAT mode, the Meraki APs run as DHCP servers to assign IP addresses to
wireless clients out of a private 10.x.x.x IP address pool behind a NAT.
NAT mode should be enabled when any of the following is true:
• Wireless clients associated to the SSID require Internet-only access.
• There is no DHCP server on the LAN that can assign IP addresses to
the wireless clients.
• There is a DHCP server on the LAN, but it does not have enough IP
addresses to assign to wireless clients.
• There are multiple DHCP servers in the network assigning IP addresses
from different subnets. This is common when there are heterogeneous
backhaul connections (e.g., some APs in the network obtain Internet
connectivity from a T1, while other APs in the same network obtain
Internet connectivity from a business-class DSL).
The implications of enabling NAT mode are as follows:
• Devices outside of the wireless network cannot initiate a connection to a
wireless client.
• Wireless clients cannot use Layer 2 discovery protocols to find other
devices on either the wired or wireless network.
• Legacy VPN clients (i.e., those that do not support NAT Traversal) may
not be able to establish IPSec tunnels over the wireless network. (One
workaround is to upgrade the VPN client, or to configure the VPN client to
establish its tunnel over TCP, e.g., SSL, instead of IPSec.)
• VLAN tagging wireless traffic is not supported in NAT mode.
5.2 Bridge Mode (Enterprise Only)
In bridge mode, the Meraki APs act as bridges, allowing wireless clients to obtain
their IP addresses from an upstream DHCP server.
Bridge mode should be enabled when any of the following is true:
• Wired and wireless clients in the network need to reach each other
(e.g., a wireless laptop needs to discover the IP address of a network
printer, or a wired desktop needs to connect to a wireless surveillance
camera).
• Layer 2 multicast and broadcast packets (e.g., ARP, Bonjour) need to
propagate in a limited manner to both wired and wireless clients for
device discovery, networking, etc.
• The wireless network needs to support legacy VPN clients (i.e., those
that do not support NAT Traversal).
• Wired and wireless clients need to have IP addresses in the same
subnet for monitoring and/or access control reasons (e.g., a web
gateway in the network allows/denies Internet access based on the
client’s IP address).
• Wireless traffic needs to be VLAN-tagged between the Meraki AP and
the upstream wired infrastructure.
The implications of enabling bridge mode are as follows:
• An administrator cannot enable adult content filtering on the SSID.
Because the adult content filtering feature is DNS-based, and in bridge
mode clients use the DNS server(s) advertised by the network’s DHCP
server, bridge mode disables adult content filtering.
• Multiple DHCP servers are allowed, but they must assign IP addresses
to wireless clients from the same subnet. This enables these IP
addresses to be routed by the LAN to which the Meraki APs are
connected.
5.3 VPNs
Meraki supports most VPN solutions by default. Any IPSec implementation that
has support for NAT Traversal (NAT-T) will work on a Meraki network. Certain
IPSec-based VPN solutions do not work well behind a NAT. If difficulties occur
when using VPNs, an administrator should consider switching VPN clients to use
SSL instead of IPSec, or enabling bridge mode as the wireless client IP
addressing mode. Note that most wireless networking solutions that use NAT
share the same problems with IPSec VPNs.
6 Configuring the LAN
The following section describes how to configure your LAN to support a Meraki
system. While a Meraki wireless network imposes minimal requirements on the
wired LAN infrastructure, some small changes may be required.
6.1 Firewall Settings
If a firewall is in place, it must allow outgoing connections on particular ports to
particular IP addresses. The most current list of outbound ports and IP
addresses can be found here:
http://tinyurl.com/y79une3
6.2 Assigning IP Addresses to Meraki APs
All Meraki gateway APs (APs with Ethernet connections to the LAN) must be
assigned routable IP addresses. These IP addresses can be configured directly
on each AP (see instructions below), or assigned to the APs via an upstream
DHCP server.
In general, static IP address assignment is recommended for Meraki APs, even
when the APs obtain their IP addresses via DHCP. (The DHCP server should be
configured to assign a static IP address for each MAC address belonging to a
Meraki AP.) Other features of the wireless network, such as 802.1x
authentication, may rely on the property that the APs have static IP addresses.
6.2.1 Configuring a Static IP Address Directly on a Meraki AP
A static IP address can be configured directly on a given AP through the
following steps:
1. Using a client machine (e.g., a laptop), connect to the AP either
wirelessly (by associating to any SSID broadcasted by the AP) or over a
wired connection (by plugging one end of an Ethernet cable into the
client machine, and the other end of the Ethernet cable into the AP’s
Ethernet jack; it may be necessary to unplug the AP from its existing
Ethernet connection in order to connect the client machine).
2. Using a web browser on the client machine, access the AP’s built-in
web server by browsing to http://my.meraki.com.
3. Click on the “Static IP Configuration” tab. You will be prompted to log in.
The default username is “admin” and the default password is the AP’s
serial number, with hyphens included.
4. Configure the static IP address, net mask, gateway IP address, and
DNS servers that this AP will use on its wired connection to the Internet.
5. If necessary, reconnect the AP to its Ethernet connection to the LAN.
6.2.2 Configuring a Static IP Address for a Meraki AP via DHCP Reservations
Instead of associating to each Meraki AP and configuring a static IP address on
each AP, an administrator can configure static IP addresses to assign to Meraki
APs on the upstream DHCP server. Through “DHCP reservations”, IP addresses
are “reserved” for the MAC addresses of the Meraki APs. Please consult the
documentation for the DHCP server to configure DHCP reservations.
7 Wireless Encryption and Authentication
The MCC supports a wide variety of encryption and authentication methods—
from simple, open access to WPA2-Enterprise with 802.1x authentication. This
chapter explains the different encryption and authentication modes available in
the MCC.
Encryption and authentication are configured in the MCC under the Configure tab
on the Access Control page. Generally speaking, the encryption method is
configured under “Association requirements”, while the authentication method is
configured under “Network sign-on method”. To associate to a wireless network,
a client must have the correct encryption keys (association requirements). Once
associated the wireless client may need to enter information (network sign-on
method) before accessing resources on the wireless network.
The combinations of encryption and authentication methods that are supported
are as follows:
Association requirements           Network sign-on method
                                   Direct    Click-through   Sign-on       Billing
                                   access    splash page     splash page   (paid access)
Open (no encryption)               ✓         ✓               ✓             ✓
MAC-based access control
  (no encryption)                  ✓         ✓
WEP (shared network key)           ✓         ✓               ✓
WPA2-PSK (shared network key)      ✓         ✓               ✓
WPA2-Enterprise with 802.1x
  authentication                   ✓         ✓
7.1 Association Requirements
In the “Association requirements” of the Access Control page, an administrator
configures the parameters that need to be satisfied at wireless association time
in order for a device to connect successfully to a wireless network.
7.1.1 Open
Open mode allows any device to connect to the wireless network. The major
advantage of open mode is its simplicity: Any client can connect easily and
without complex configuration. Open mode is recommended when there are
guests who need to get onto the network, or more generally, when ease of
connectivity is paramount and access control is not required.
In most environments, the administrator should ensure that wireless clients
associated on an open network cannot access LAN resources, such as file
shares. Administrators can control access using VLAN tagging, the LAN isolation
feature, or custom firewall rules (see Section 10.6.2, “Custom Firewall Rules
(Enterprise Only)”).
7.1.2 MAC-Based Access Control (Enterprise Only)
MAC-based access control admits or denies wireless association based on the
connecting device’s MAC address. When a wireless device attempts to
associate, the Meraki AP queries a customer-premise RADIUS server with an
Access-Request message. The RADIUS server can admit or deny the device
based on the MAC address, responding to the Meraki AP with either an Access-Accept message or an Access-Reject message, respectively.
This authentication method requires no client-side configuration. However, it
suffers from a poor user experience. Wireless clients that are denied wireless
association simply cannot connect to the SSID, and they do not receive any
explicit notification about why they cannot connect.
If this authentication method is selected, at least 1 RADIUS server must be
configured on the Access Control page in the “RADIUS for MAC-based access
control” section. This section includes a test tool that simulates the wireless
device connecting to every Meraki AP in the network. (See Section 7.3,
“Configuring an Authentication Server”, for more information.)
7.1.3 Pre-Shared Keys (WEP, WPA/WPA2-Personal)
A pre-shared key (PSK) allows anyone who has the key to use the wireless
network.
Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key
mechanism, utilizing RC4 encryption. WEP is vulnerable to being hacked; the
encryption key can be derived by an eavesdropper who sees enough traffic. Only
use WEP if it is not possible to utilize more advanced security—for instance,
when there are legacy client devices in the network that do not support
WPA/WPA2.
WPA- and WPA2-Personal (Wi-Fi Protected Access) use stronger encryption
than WEP. (WPA-Personal uses TKIP with RC4 encryption, while WPA2-
Personal uses AES encryption.) WPA2-Personal is preferred.
Though it requires some client-side configuration, a PSK is relatively easy to
configure. It can be a good choice when there is a small number of users or
when clients do not support more sophisticated authentication mechanisms, such
as WPA2-Enterprise. A deployment based on a PSK does not scale well,
however. With a large number of users, it becomes more difficult to change the
PSK, an operation that should be performed periodically to ensure that the PSK
has not been shared with unwanted users.
7.1.4 WPA2-Enterprise with 802.1x Authentication (Enterprise Only)
802.1x is an IEEE standard framework for encrypting and authenticating a user
who is trying to associate to a wired or wireless network. WPA-Enterprise uses
TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption.
802.1x can be transparent to wireless users. For example, Windows machines
can be configured for single sign-on, such that the same credentials that a user
enters to log into his machine are passed automatically to the authentication
server for wireless authentication. The user is never prompted to re-enter his
credentials.
802.1x utilizes the Extensible Authentication Protocol (EAP) to establish a secure
tunnel between participants involved in an authentication exchange. The MCC
supports multiple EAP types, depending on whether the network is using a
Meraki-hosted authentication server or a customer-hosted authentication server.
(See Section 7.3, “Configuring an Authentication Server”, for more information.)
The following table shows the EAP types supported by the MCC:
EAP Mode                  Customer RADIUS    Meraki RADIUS
PEAPv0/EAP-MSCHAPv2       ✓                  ✓
EAP-TTLS/MSCHAPv2         ✓                  ✓
EAP-TLS                   ✓
PEAPv1/EAP-GTC            ✓
WPA2-Enterprise with 802.1x authentication is typically used with a customer-premise RADIUS server. The RADIUS server must be configured to allow
authentication requests from the IP addresses of the Meraki APs. This
configuration is necessary to successfully complete the EAP exchange and is
one more reason to configure static IP addresses on the Meraki APs.
Note: 802.1x is typically only performed once a user’s credentials have been
entered into the machine. If you would like to be able to authenticate a machine
before the user signs in (also known as “machine authentication”), please see the
Meraki Knowledge Base online.
7.2 Network Sign-On Methods
The network sign-on method is the mechanism by which a wireless client gains
access to network resources. It occurs after a wireless client has associated to
an SSID.
7.2.1 Direct Access
With direct access, a wireless client is granted network access as soon as he
associates to the SSID. No splash page is presented to the wireless client.
7.2.2 Click-Through Splash Page
When configured, a click-through splash page displays a fully customizable
HTML page to the wireless client the first time the client makes an HTTP request.
An administrator may use this splash page to display an acceptable use policy or
network announcements. The client is only granted network access after clicking
the “Continue” button on the splash page.
The click-through splash page is hosted by the MCC. As such, the network must
have connectivity to the MCC in order to display the splash page. If the MCC is
unreachable for some reason, the administrator can configure whether new
wireless users should be admitted to the wireless network without seeing the
splash page. This setting is under the Configure tab on the Access Control page
in the “Disconnection behavior” section.
While the click-through splash page requires no client-side configuration, it
should only be enabled on an SSID whose clients are all capable of displaying
the splash page. When there are clients that are not browser-capable (e.g.,
wireless barcode scanners), the splash page should be disabled on the SSID. An
administrator can configure whether new wireless clients are able to obtain
network access when the click-through splash page cannot be displayed (i.e.,
when the MCC becomes temporarily unavailable).
See Chapter 17, “Branding”, for additional information on customizing the click-through splash page, including the ability to configure the splash page interval.
7.2.3 Sign-On Splash Page
A sign-on splash page provides the functionality of the click-through splash page,
but adds the ability to prompt the wireless client for a username and password.
The client is only granted network access after he enters a username and
password that are validated against a backend authentication server (either a
Meraki-hosted authentication server or a customer-hosted RADIUS, Active
Directory or LDAP server). (See Section 7.3, “Configuring an Authentication
Server”, for more information.)
The sign-on splash page may be hosted by the MCC or on an external web
server (see Section 17.1, “Splash Page”). An administrator can configure
whether new wireless clients are able to obtain network access when the sign-on
splash page cannot be displayed or when the username/password credentials
cannot be validated (i.e., the authentication server is unreachable). This setting
is under the Configure tab on the Access Control page in the “Disconnection
behavior” section.
Sign-on splash page is an authentication option that requires no client-side
configuration. In addition, it is secured by SSL (HTTPS), so that usernames and
passwords are sent to the MCC confidentially. However, when enabled, it
requires clients to remember usernames and passwords, which they will need to
enter periodically. As with the click-through splash page, clients that are
incapable of displaying the splash page need to be considered.
See Section 17.1, “Branding”, for additional information on customizing the
splash pages or using an externally.
7.2.4 Billing
When configuring an SSID as a wireless hotspot, an administrator can utilize
Meraki’s integrated billing features to grant network access only to paying users.
For additional information on integrated billing, see Chapter 18, “Billing”.
7.2.5 Hosting Your Own Splash Page
Meraki also supports the ability for you to host splash pages on your own web
server. This capability is referred to as “EXCAP” for externally hosted captive
portals. For additional information, please search for EXCAP in the Meraki
Knowledge Base.
7.3 Configuring an Authentication Server
There are 5 different applications of authentication servers that are supported by
the MCC:
1. Meraki-hosted authentication server
2. Externally hosted RADIUS server for MAC-based access control and/or
WPA2-Enterprise with 802.1x authentication
3. Externally hosted RADIUS server for sign-on splash page authentication
4. Externally hosted Active Directory server for sign-on splash page
authentication
5. Externally hosted LDAP server for sign-on splash page authentication
The authentication server type is configured on a per-SSID basis under the
Configure tab on the Access Control page. For instance, an administrator could
use the Meraki-hosted authentication server to manage guest user accounts for
the guest SSID, while using a customer-hosted RADIUS or Active Directory
server to authenticate employees for the employee SSID.
7.3.1 Meraki-Hosted Authentication Server
The Meraki-hosted authentication server is configured through the MCC. For
each user account, an administrator can configure the user’s name, the e-mail
address and password that the user will use to log in, and optionally, an
expiration time (to create a user account that self-expires after some period of
time).
The option to select a Meraki-hosted authentication server appears when any of
the following is configured:
• Sign-on splash page
• WPA2-Enterprise with 802.1x authentication
On the Access Control page, an administrator can create, edit, and remove user
accounts. An expiration time can also be configured on a user account, so that
the account becomes invalid after a certain amount of time elapses. (This
feature is useful for guest accounts.) Finally, the Access Control page provides
an option for “self-registration”, which allows users to create their own accounts.
However, administrators still need to manually add those accounts to the list of
users allowed on the network before the account has access.
User accounts configured in the Meraki-hosted authentication server are global
to the networks in the organization. So, a password change to a user account in
one network applies to other networks in which the user account may be used.
(For more information, see Section 19.1, “Organizations”.)
Meraki APs must be able to reach the MCC in order to use the Meraki-hosted
authentication server. If the MCC becomes temporarily unavailable, existing
wireless clients (already authenticated) remain connected, but new wireless
clients are unable to authenticate to access the wireless network. An
administrator can configure whether new wireless clients are able to obtain
network access when the MCC is unavailable under the Configure tab on the
Access Control page in the “Disconnection behavior” section.
7.3.2 Externally Hosted RADIUS Server
Many organizations have an existing user authentication or directory server that
they would like to use to control access to the wireless LAN. Common server
types include LDAP and Active Directory. Any type of authentication server with
a RADIUS interface can be integrated with a Meraki wireless network. The MCC
allows an administrator to configure multiple RADIUS servers for failover.
When an externally hosted RADIUS server is used with either MAC-based
access control or WPA2-Enterprise with 802.1x authentication, the Meraki APs
must be able to reach the RADIUS server. The MCC offers a test tool that
enables an administrator to verify connectivity of all of the Meraki APs to the
RADIUS server, and to check a particular set of user credentials against the
RADIUS server. The test tool appears under the Configure tab on the Access
Control page.
When an externally hosted RADIUS server is used with sign-on splash page, an
administrator can configure the Meraki wireless network to use an externally
hosted RADIUS server for user authentication. The MCC acts as an
intermediary in this configuration to provide (1) a consistent end user experience
(e.g., the wireless user is not presented with the splash page again if he re-associates to another AP) and (2) RADIUS accounting features (see “Appendix
C: RADIUS”).
If the sign-on splash page is hosted by the MCC, the conversation is a
straightforward RADIUS exchange between the MCC and the external RADIUS
server.
If the sign-on splash page is itself externally hosted, the conversation involves
exchanges between the splash page server, the MCC, and the RADIUS server.
Specifically:
1. The wireless client associates with the Meraki wireless network.
2. The user makes an initial request for a URL in his web browser.
3. The Meraki AP redirects the user to a URL on the splash page server.
(The administrator configures this URL in the MCC, under the Configure
tab on the Splash Page page.) When the Meraki AP redirects the user
to the splash page server, it includes the following HTTP parameters in
the HTTP redirect:
• continue_url: The URL that the user originally requested.
This parameter may be interpreted by the splash page server
to decide where the user should be redirected if he
authenticates successfully.
• login_url: The URL at the MCC to which the splash page
server should send an HTTP POST with collected user
credentials (see Step 4). This parameter is escaped to include
the continue_url embedded within it, and should not be
interpreted by the splash page server.
• ap_mac: MAC address of the Meraki AP to which the user is
associated.
• ap_name: Name (if configured) of the Meraki AP to which the
user is associated.
• ap_tags: Tags (if configured) applied to the Meraki AP to
which the user is associated.
• mauth: An opaque string used by the MCC for authentication
and security.
4. The external splash page server presents the user with a web form that
captures the user’s credentials and causes the user to send an HTTP
POST to the MCC, using the URL specified in login_url (see Step 3).
In this HTTP POST, the server includes the following parameters:
• username: The username that the wireless user provided to
the splash page server.
• password: The password that the wireless user provided to
the splash page server.
• success_url (optional): The URL to which the wireless user is
redirected if he passes authentication. The splash page server
can use this parameter to override the continue_url that the
user originally requested.
5. The MCC receives the HTTP POST from the splash page server, and in
turn, sends a RADIUS Access-Request to the external RADIUS server
with the username and password.
6. The RADIUS server processes the RADIUS Access-Request from the
MCC, and responds to the MCC with a RADIUS Access-Accept or
Access-Reject. The RADIUS server may optionally send RADIUS
attributes to the MCC to enforce over the wireless user. (For a list of
supported RADIUS attributes, see Section 27.1, “Authentication
Attributes”.)
7. The MCC processes the response from the RADIUS server and
redirects the wireless user accordingly.
a. If the MCC receives an Access-Accept message from the
RADIUS server, the user has successfully authenticated. The
MCC redirects the user to the original URL he requested
(continue_url), or the URL specified by the splash page
server in the (optional) success_url (see Step 4).
b. If the MCC receives an Access-Reject message from the
RADIUS server, the user has failed authentication and is
redirected back to the splash page server’s URL (in Step 3).
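The splash-page-server side of Steps 3 and 4, as an added example in Python (not Meraki's code): it parses the AP's redirect, uses login_url verbatim as the form action without interpreting it, and escapes the AP-supplied values before rendering the form. Host names, the MAC address and the mauth value are constructed sample data; the HTTPS check on login_url and the http(s)-only filter on redirect targets are defensive choices of this example, not requirements stated in the manual.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Fallback landing page for a continue_url that is not a plain http(s) URL
# (constructed value, not from the manual).
DEFAULT_LANDING = "https://splash.example.invalid/welcome"

# Parameters the Meraki AP includes in the redirect to the splash page server (Step 3).
REDIRECT_PARAMS = ("continue_url", "login_url", "ap_mac", "ap_name", "ap_tags", "mauth")
# Without these the form cannot be built; ap_name and ap_tags are only present if configured.
REQUIRED_PARAMS = ("continue_url", "login_url", "mauth")


def parse_redirect(url):
    """Extract the Step 3 parameters from the URL the AP redirected the user to.

    Returns one string per parameter ("" when an optional one is absent) and
    raises ValueError if a required one is missing, so no form is ever rendered
    without a login_url to post to.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = {name: query.get(name, [""])[0] for name in REDIRECT_PARAMS}
    missing = [name for name in REQUIRED_PARAMS if not params[name]]
    if missing:
        raise ValueError("redirect lacks required parameter(s): " + ", ".join(missing))
    return params


def safe_continue_url(url):
    """Follow only http(s) targets; javascript:, data: and similar schemes fall back
    to DEFAULT_LANDING so the post-login redirect cannot run script in the browser."""
    return url if urlparse(url).scheme.lower() in ("http", "https") else DEFAULT_LANDING


def render_login_form(params, success_url=None):
    """Return the HTML form of Step 4.

    The form POSTs username, password and (optionally) success_url directly to
    login_url at the MCC. login_url is used verbatim as the form action and is not
    parsed for its embedded continue_url, as the manual requires.
    """
    login_url = params["login_url"]
    # Scheme check only, not interpretation: credentials must never leave over
    # plaintext HTTP (assumes the MCC always supplies an HTTPS login_url).
    if urlparse(login_url).scheme.lower() != "https":
        raise ValueError("refusing to post credentials to a non-HTTPS login_url")
    lines = ['<form method="POST" action="%s">' % html.escape(login_url, quote=True)]
    # ap_name/ap_tags/continue_url arrive in a URL anyone can craft, so every value
    # is HTML-escaped before being placed in the page.
    lines.append("  <p>Connected via AP %s</p>"
                 % html.escape(params["ap_name"] or params["ap_mac"]))
    lines.append('  <input type="text" name="username" autocomplete="username">')
    lines.append('  <input type="password" name="password" autocomplete="current-password">')
    if success_url is not None:
        lines.append('  <input type="hidden" name="success_url" value="%s">'
                     % html.escape(safe_continue_url(success_url), quote=True))
    lines.append('  <button type="submit">Log in</button>')
    lines.append("</form>")
    return "\n".join(lines)


def build_sample_redirect(base="https://splash.example.invalid/login"):
    """Construct the redirect a Meraki AP would issue in Step 3 (sample data, not a
    captured request). login_url carries the URL-encoded continue_url inside it."""
    continue_url = "http://www.example.com/news?id=7"
    mcc_login = ("https://mcc.example.invalid/splash/login?"
                 + urlencode({"continue_url": continue_url}))
    return base + "?" + urlencode({
        "continue_url": continue_url,
        "login_url": mcc_login,
        "ap_mac": "00:11:22:33:44:55",
        "ap_name": "Lobby AP",
        "ap_tags": "Lobby",
        "mauth": "SAMPLE-OPAQUE-TOKEN",
    })


if __name__ == "__main__":
    p = parse_redirect(build_sample_redirect())
    print(render_login_form(p, success_url=p["continue_url"]))
```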
Because the MCC needs to contact an external RADIUS server, the MCC must
be able to reach the RADIUS server. This requirement may necessitate firewall
changes that allow inbound connections to the RADIUS server. If the RADIUS
server becomes temporarily unavailable, existing wireless clients (already
authenticated) remain connected, but new wireless clients are unable to
authenticate to access the network.
7.3.3 Externally Hosted Active Directory Server
Meraki wireless networks can also integrate natively with Active Directory without
requiring RADIUS when sign-on splash page is used. If your network does not
require the additional configuration options provided by RADIUS integration,
there are certain advantages if the APs can communicate directly with Active
Directory without a RADIUS server acting as an intermediary. Native AD
integration eliminates the need to configure Microsoft NPS (or any other RADIUS
server). Also, when using RADIUS integration with multi-domain forests, for
example a school that has one domain for faculty and another for students that is
using sign-on splash authentication, users must remember to include their
domain with their username, which can easily be forgotten. Alternatively, a
complex hierarchy of RADIUS proxy servers or custom scripts might be required
to make the login process easier for the user.
In order to configure native Active Directory integration, sign-on splash must be
configured and Use My Active Directory Server selected from the
Authentication Server drop-down menu under Configure->Access control. (See
Figure 4)
Figure 4 - Configuring Sign-on Splash with Native Active Directory
Once Active Directory server option has been selected, the internal IP addresses
of any domain controllers that will be used for authentication should be entered,
along with the credentials of an Active Directory administrator that has read rights
to all domain controllers that will be used. (See Figure 5)
It is highly recommended that a separate account is created for the purpose of
providing Active Directory authentication. Users should take the following steps to
secure the account:
1. Create a Global Security Group in your domain (or forest)
2. Create a user account and add it to the new group.
3. Update the user account so that the new Security group is the
user’s primary group.
4. Remove the Domain Users group from the account.
This will isolate the account from acting like a normal domain user.
Figure 5 - Dashboard Active Directory Server Configuration
In addition, the Global Catalog (port 3269) must be enabled for each domain
controller.
7.3.4 Externally Hosted LDAP Server
Similarly to Active Directory, Meraki wireless networks can natively integrate with
LDAP authentication servers when using sign-on splash page. The manner with
which this authentication is configured is very similar to that described for Active
Directory in Section 7.3.3. In order to configure native LDAP integration, sign-on
splash must be configured and Use My LDAP Server selected from the
Authentication Server drop-down menu under Configure->Access control. (See
Figure 6)
Figure 6 - Configuring Sign-on Splash with Native LDAP Authentication
Once the LDAP server option has been selected, the internal IP addresses of
any LDAP servers that will be used for authentication should be entered, along
with the appropriate port number and the credentials of an LDAP administrator
with administrative rights to all domains that will be used. The common name
(cn) and domain components (dc) should be entered in the format shown in
Figure 7.
Figure 7 - Dashboard Native LDAP Authentication Server Configuration
8 Monitoring
This chapter describes the extensive monitoring features under the Monitor tab in
the MCC.
8.1 Overview Page
The Overview page shows a summary of network usage and network status. An
administrator can see how many users have associated to the network in the last
day/week, how much data those users transferred in that timeframe, and how
bandwidth usage has fluctuated over the last week (a network usage graph).
The aerial map shows the latest information about the APs in the network. The
options in the upper-right corner enable an administrator to view the APs on top
of a graphical map, a satellite image, or a hybrid view. In the upper-left corner,
the arrow controls enable the administrator to pan. Panning can also be achieved
by clicking-and-dragging the map. Below the arrow controls, a scale control
enables the administrator to adjust the zoom level. The zoom level can also be
controlled with the magnifying glass next to the arrow controls, or by double-clicking on a particular region to zoom into.
On the map, the colored dots represent APs. The status of the AP is indicated
by its color:
• Green: The AP is not reporting any problems.
• Yellow: The AP is up, but experienced a problem recently. In some
cases, the administrator may be able to clear this alert on the Access
Points page.
• Red: The AP is currently down.
• Gray: The AP has been down for more than 7 days.
An administrator can click on an AP to get its name, its mesh mode (mesh
gateway or mesh repeater), the number of users that have associated to it in the
last 24 hours (also indicated by the number inside the AP), and the amount of
data that it has transferred in the last 24 hours. Gray lines between APs
represent mesh links. Mousing over a mesh repeater highlights a line that shows
the path that the AP is taking through the mesh network to reach a mesh
gateway (and the LAN).
The “Options” box in the upper right part of the map lets users select what the
numbers in the APs represent (e.g., number of clients connected or mesh hops
to gateway), as well as preferences about how to display mesh links.
The “Current clients” link under the network name in the upper left corner, when
clicked, will open up a table showing a summary of the distribution of current
clients at that moment across the various SSIDs and channels in the network.
Clicking on the link directly above the network name in the upper left corner or
selecting the All-network Overview option under the Network drop-down selector
at the top of the screen will take the administrator to the All Network Overview
page.
8.2 All-Network Overview Page
The all-network overview page shows a summary of all of the networks in a
particular organization. The usage graph at the top summarizes cumulative
usage across all networks, and the map shows network locations with markers
that are color-coded to the networks listed in the network list to the left of the
usage graph. If the user mouses over a network in the list, the network marker
on the map will be highlighted along with the usage for that particular network in
the usage graph. Clicking on a particular network marker on the map or network
name in the list will allow the user to “drill down” to the Overview page for that
particular network. Figure 8 is an example of an all-network Overview page.
Figure 8 – All-Network Overview Page
8.3 Maps Page (Enterprise Only)
The Maps page enables an administrator to upload custom maps and floorplans
for better network visualization. For instance, an administrator could upload
multiple images to visualize AP placement on multiple floors of an office building,
or different branch offices in the organization. Figure 9 is an example of an AP
placement on a floorplan.
Figure 9 – Maps Page
An administrator can add a map or floorplan image (GIF, PNG, JPG, or PDF
format up to 10 MB per image) under the Configure tab on the Maps &
Floorplans page. This is also where an administrator would modify or delete an
existing image. After uploading the image, the administrator can return to the
Maps page to place APs on the image. The “Place APs” button in the upper-right
corner produces a checklist of APs that the administrator can add to the image.
The administrator then places the APs by dragging-and-dropping the AP icons
onto the image.
8.4 Access Points Page
The Access Points page identifies the APs on the network and shows their
status, activity, and usage. The top-level page provides a list of APs in the
network. The Access Points page has the following features:
• Can be sorted by clicking on a column header.
• Columns can be added, removed, or reordered in the list by clicking on
“Display Options”.
• Search by AP name, serial number or MAC address
Figure 10 is a screenshot that shows a top-level Access Points page.
Figure 10 – Access Points Page
8.5 Access Point Details Page
To get additional information about an individual AP, an administrator can click
on the AP in the list to bring up a page that contains the following:
• Identifying information (e.g., MAC address, serial number, status)
• Performance data (e.g., connectivity, throughput, latency, mesh
neighbors), with zoom and pan features across various time ranges
• Live tools for remote troubleshooting
There are a variety of real-time tools that can be used for
troubleshooting and debugging wireless issues remotely.
Administrators can see a list of current clients associated to a particular
AP and ping associated clients as well as the AP itself, run a throughput
test, ping a particular MAC address and run an interference scan of the
local RF environment (Caution: a live interference scan will disconnect
currently associated clients). Interference scan is also discussed
as part of the spectrum analysis capabilities in Section 16.5.
• Link to the event log for this specific AP (see Section 8.7, “Event Log
Page (Enterprise Only)”)
• Lists of strong and weak mesh neighbors (adjacent APs in the mesh) in
the Neighbors tables
Figure 11 shows a screenshot of the AP details page.
Figure 11 – AP Details Page
Throughput statistics for mesh gateways are throughput numbers to meraki.com.
Gateway speeds are often limited by the Internet uplink speed. Administrators
should use these statistics to troubleshoot problems either within the LAN or with
the Internet service provider.
Throughput statistics for mesh repeaters are throughput numbers within the
mesh network, not through the Internet uplink. As such, it is possible to see 6
Mbps throughput within the mesh network, but 1.5 Mbps throughput through the
DSL uplink. Administrators should use these statistics to troubleshoot problems
within the wireless network, such as poor mesh connections or channel
interference.
8.5.1 AP Tagging
A convenient way to make it easier to find, sort and filter APs in a large network
with hundreds or thousands of APs is using AP tagging. Alphanumeric tags can
be assigned to access points to create groups of APs by location (e.g.
Building_1, Floor_4, West_Campus, etc.) or by other criteria. The Access Points
page (See Section 8.4) is searchable by tag to make filtering for specific groups
of APs fast and easy. Figure 12 shows a screenshot of an AP with the tag
“Lobby” applied.
Figure 12 - Access Point with Tag Applied
Tags can be added to APs either individually or in groups. Figure 13 and
Figure 14 show how to add a tag to an individual AP by editing its
configuration.
Figure 13 - Editing AP Configuration to Add Tag
Figure 14 - Adding a Tag to an Individual AP
Figure 15 illustrates how to add a tag to a group of APs from the Access Points
page.
Figure 15 - Adding Tags to Many APs
8.6 Clients Page
The Clients page shows how the network is being used and by which client
devices. Figure 16 is a screenshot of the Clients page:
Figure 16 – Clients Page
8.6.1 Clients Overview Page Features
The Clients page has the following features:
• Displays clients that have associated on any SSID advertised by the
wireless network, or only those clients that have associated on a given
SSID. This can be selected using the SSID drop down menu at the top
of the screen.
• Search for clients by MAC, OS, device type or NetBIOS/Bonjour name.
• Zoom control, which enables the administrator to see only those clients
that have associated within the specified time span.
• The administrator can also click on the “blocked list” to view only those
clients on the MAC blacklist (see Section 10.3, “MAC Blacklist”).
• Like the Access Points page, the Clients page has a list that can be
customized (adding, removing, and reordering columns) and resorted
(by clicking on a column header).
• The “Description” column shows the device name, if it can be
determined (i.e., through NetBIOS); otherwise, it simply displays the
device’s MAC address.
• The “Operating system” column shows the operating system of the
device, which is determined through OS fingerprinting (the unique
pattern by which a particular operating system requests an IP address
via DHCP).
• An administrator can mouse over a row in the device list to see a new
line appear in the usage graph, which depicts the fraction of total
bandwidth that the highlighted device used.
8.6.2 Traffic Analysis (Enterprise Only)
Meraki Enterprise networks offer powerful application visibility and control tools.
Packet inspection engines running custom parsers in each AP provide this
information by fingerprinting and identifying applications and application groups.
Traffic Shaper (to be discussed in Section 12) then provides the ability to create
custom per-user shaping policies based on this application-level visibility. Since
Meraki’s parsers are designed to run at line rate, there is no performance
decrease when enabling Traffic Analysis or Traffic Shaping.
Next to the usage graph at the top of the screen is a pie chart that can display a
breakdown of the traffic currently displayed on the page by application, HTTP
content type, port number or custom criteria. The gray arrows flip from one chart
to the next. Custom pie charts can be configured on the Network-wide Settings
page under the Configure tab.
Clicking on either the pie chart itself or the “More” link underneath the pie chart
will open up the Traffic Analysis Details page, showing a detailed list of the
specific applications and content types that make up the data shown in the pie
chart. The applications have been assigned to groups to make classifying
applications and creating shaping policies simpler. An up to date list of which
applications are included in each group can be found here:
http://bit.ly/cUFXnv
The percent of total usage is shown by application as well as by application
group. Figure 17 shows a screenshot of the Clients page with the Traffic
Analysis details page expanded.
Figure 17 - Traffic Analysis Details Page
Clicking on a particular application or content type within the Traffic Analysis
Details page will take you to the Rule Details page, where you will find detailed
information about that particular application or content type rule, including which
users are contributing to usage of this type and details such as which application
group that item belongs to, port number, description of the application or rule and
links to additional information. Figure 18 shows the Rule Details page for Netflix,
a video streaming site.
Figure 18 - Rule Details Page
8.6.3 Client Details Page
An administrator can click on a particular device in the device list to obtain
additional information about the wireless client. Figure 19 is a screenshot of the
Client details page for a specific device.
Figure 19 – Information about a Specific Client
This page provides detailed information about the client device and user as well
as their network usage. Features include:
• Client configuration details
At the top of the page administrators can see detailed information about
this particular client, including MAC address and IP address, device
type and manufacturer, operating system, Bonjour/DHCP/NetBIOS
hostname, wireless card capabilities, most recent SSID, AP and time on
the network as well as Active Directory username for most recent user.
• Client location
The approximate location of the wireless client is indicated on a Google
map or a custom floor plan. More details about Client Location Services
can be found in section 8.5.4.
• Traffic analysis
Pie charts similar to those on the Client Overview page show details
about this particular client’s usage of the network.
• Dynamic access control
On this page, an administrator can create a dynamic access control
policy to either block a wireless device or bypass the wireless device
from seeing a splash page. (To configure these settings, an
administrator clicks the “Edit” button to change the “Network access”
field to either “normal”, “blocked”, or “whitelisted”.) Optionally, the
administrator can configure a message that appears on the block page
for a blacklisted user. The user can also be manually assigned a group
policy which can be configured per SSID.
• Event log
This page also provides a link to the event log for this specific client
(see Section 8.7, “Event Log Page (Enterprise Only)”).
• Live tools
Similar to the live tools on the AP details page, an administrator can
locate a client, ping a client or even see a real-time packet counter
showing the user’s activity from this page.
8.6.4 Client Location Services
In the upper-right corner of the Client details page is a map where the
approximate location of the client is indicated with a blue dot. Figure 20 below is
a screenshot of the client location map.
Figure 20 - Client Location Map on Client Details Page
Client location is determined using advanced triangulation techniques that
employ calibrated weighted averages and AP selection algorithms to ensure
accuracy. Data from up to the last 24 hours will be used to calculate client
location. To view a client’s location on a custom floor plan, all of the APs
that “see” the client and were used to calculate its location must be placed on the
same floor plan. Otherwise, the client’s location can still be viewed on a Google
map. To update the client location data from the access point the client is
currently associated to, click the “Locate Client” button under the Live Tools
section of this page.
To ensure location accuracy, at least three access points are required. In
addition, the access points should not be deployed such that all of the access
points are in a linear pattern (see Figure 21 below). In this situation, the client’s
location will always appear to be in line with the access points.
Figure 21 - Poor AP Deployment for Accurate Location
For best accuracy, the access points should be deployed in a non-linear pattern,
or scatter pattern (see Figure 22 below).
Figure 22 - Good AP Deployment for Accurate Location
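To make the collinear-deployment problem of Figures 21 and 22 concrete, here is an added illustrative model; it is not Meraki’s location algorithm (the page does not describe the calibration or AP selection steps) and the AP coordinates and RSSI readings are constructed. It estimates the client position as a centroid of the positions of the APs that heard the client, weighted by linear received power, and enforces the three-AP minimum the text states. With three or more APs on one line, every estimate lies on that line whatever the signal strengths are, which is exactly why the text calls a linear deployment poor.

```python
import math


def rssi_weight(rssi_dbm):
    """Linear received power for a dBm reading: a signal 10 dB stronger weighs 10x more."""
    return 10 ** (rssi_dbm / 10)


def locate_client(observations):
    """Weighted-centroid estimate of a client's position (illustrative model, not Meraki's).

    observations: list of (ap_x, ap_y, rssi_dbm), one per AP that heard the client
    during the location window. Returns (x, y). Raises if fewer than three APs
    contributed, matching the minimum the manual gives for an accurate fix.
    """
    if len(observations) < 3:
        raise ValueError("at least three access points are needed for a location fix")
    total = sum_x = sum_y = 0.0
    for x, y, rssi in observations:
        w = rssi_weight(rssi)
        total += w
        sum_x += w * x
        sum_y += w * y
    return sum_x / total, sum_y / total


def aps_are_collinear(observations, eps=1e-9):
    """True when every AP lies on the line through the first two (the Figure 21 deployment)."""
    (x0, y0, _), (x1, y1, _) = observations[0], observations[1]
    return all(abs((x1 - x0) * (y - y0) - (y1 - y0) * (x - x0)) <= eps
               for x, y, _ in observations[2:])


def distance_to_line(point, a, b):
    """Perpendicular distance from point to the line through a and b."""
    (px, py), (ax, ay), (bx, by) = point, a, b
    return abs((bx - ax) * (py - ay) - (by - ay) * (px - ax)) / math.hypot(bx - ax, by - ay)


# Constructed deployments (coordinates in metres, RSSI in dBm, all made up for illustration).
LINEAR_APS = [(0.0, 0.0, -45), (15.0, 0.0, -60), (30.0, 0.0, -72)]      # one corridor: Figure 21
SCATTERED_APS = [(0.0, 0.0, -45), (30.0, 0.0, -60), (15.0, 20.0, -50)]  # a triangle: Figure 22

if __name__ == "__main__":
    for name, aps in (("linear", LINEAR_APS), ("scattered", SCATTERED_APS)):
        est = locate_client(aps)
        off_line = distance_to_line(est, aps[0][:2], aps[1][:2])
        print(f"{name}: collinear={aps_are_collinear(aps)} estimate=({est[0]:.1f}, {est[1]:.1f}) "
              f"distance from the line through the first two APs={off_line:.2f} m")
```

Whatever RSSI values the corridor APs report, the linear case always returns y = 0: the estimate can move along the corridor but never off it, so a client standing in a side room is still drawn onto the line. The scattered layout can place the estimate anywhere inside the triangle the APs span.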
8.7 Event Log Page (Enterprise Only)
The Event Log page provides detailed logging about various client activities,
including the following:
• Associations/disassociations
• Authentication attempts and outcomes
• DHCP activity
• Initial traffic
An administrator can use these logs to troubleshoot a client that may be
experiencing issues on the wireless network. Figure 23 is a screenshot of an
Event Log page.
Figure 23 – Event Log Page
The Event Log page allows an administrator to adjust the time interval over which
the event log reports. In addition, the Event Log page supports the search tool.
(See Section 8.13, “Search Tool”.) The administrator can view the event log for a
given AP or a given client. Both filters can be applied through the search tool, or
by accessing the event log links through the Access Points page and Clients
page, respectively.
8.8 Rogue APs Page (Enterprise Only)
The Rogue APs page lists nearby APs that are detected by the Meraki APs
during periodic scans. (See Chapter 14, “Rogue AP Detection (Enterprise
Only)”.)
8.9 WIPS Page (Enterprise Only)
The Wireless Intrusion Prevention System (WIPS) page classifies and maps
intrusions including AP Spoofs, Rogue SSIDs, Interfering SSIDs, Malicious
Broadcasts, and Packet Floods. The Rogue Containment feature can be used to
contain Rogue SSIDs by sending deauthentication frames to Rogue AP clients.
(See Chapter 15, “Wireless Intrusion Prevention System (Enterprise Only)”.)
8.10 Summary Report Page (Enterprise Only)
An administrator can obtain network analytics from the Summary Report page
under the Monitor tab. This report provides information about the usage and
uptime of the Meraki wireless network, and can be e-mailed on a configurable
schedule for constant visibility. Administrators can also add their organization’s
logo to the report.
8.11 PCI Reports Page (Enterprise Only)
An administrator can check network settings against PCI DSS v2.0 WLAN
requirements using the PCI Report page under the Monitor tab. The results will
indicate a pass/fail for each WLAN PCI requirement, with details on why. In the
case of a failure, guidance is provided on what network settings need to be
changed to get into compliance. The report can be printed and filed away or
given to a security auditor.
8.12 Live Updates (Enterprise Only)
The Maps, Access Points, and Clients pages under the Monitor tab support live
updates, which provide real-time information about network status and client
usage. An administrator can click on the “Live updates” link on a page on which
the feature is offered. When live updates are enabled, the MCC will fetch up-to-date information for that page from the wireless network approximately every 30
seconds, for as long as the administrator stays on the page. (The live updates
are disabled as soon as the administrator browses to a different page.) Live
updates are an effective way to troubleshoot and closely monitor AP status (e.g.,
when an AP loses network connectivity) and client usage (e.g., to see which
clients are currently associated to the wireless network and how much bandwidth
they are using).
8.13 Search Tool
The Maps, Access Points, Clients, Event Log, and Rogue APs pages under the
Monitor tab all have search capabilities, which enable an administrator to find or
filter a list of APs or wireless devices with tremendous flexibility and ease. Any
string can be entered; the MCC will attempt to match on that string across all
available fields. For example, an administrator can search/filter by device
description, Ethernet address, or IP address. In addition, searches can be
bookmarked for future use.
The search tool also supports a number of keywords, which can be used to
search/filter by specific characteristics. For example, an administrator can
search/filter on a combination of strings, usage data, or mesh hop count. All of
the available keyword options are enumerated in the “Help” link next to the
search tool.
The search tool operates instantaneously over the data in the AP or device list. It
is an effective way to manage and monitor a large number of APs and/or a large
number of wireless clients.
8.14 Email Alerts
Administrators can subscribe to receive email alerts from the MCC about various
notable network events. Events that can trigger alerts include AP or network
outages, detection of new rogue APs or configuration changes being saved in
Dashboard by administrators. The time sensitivity of these alerts is
configurable from five minutes to one hour, which can help to reduce false
positives.
Alerts are configured under the Configure tab on the Network-Wide Settings
page.
8.15 Export XML Data
List data on the Access Points and Clients pages can be exported in XML format
for further processing and analysis outside of the MCC. An administrator can
click on the “Download as XML” link to retrieve the data. Most spreadsheet
programs, such as Microsoft Excel, can open an XML file.
8.16 Logins Page
While the Clients page shows a list of devices, the Logins page shows a list of
users. A user can login with multiple devices.
The Logins page shows users who have logged in with one of the following
authentication methods:
• Sign-on splash pages with a Meraki-hosted authentication server
• Billing logins
Like the Clients page, the Logins page allows an administrator to filter users by
the SSID on which they associated, display different columns of information, sort
by different columns, and adjust the zoom level by timeframe.
8.17 Account Activity Page
The Account Activity page provides transaction information for networks that use
Meraki’s integrated billing. Payments received from an end user appear as a
credit, while payments made from Meraki to the network administrator appear as
a debit. Transactions also show the timestamp, the user’s login name, the MAC
address of the device from which the user made a payment, and the price plan
the user purchased. Administrators may view the transaction history for any
given month. (For more information, see Chapter 18, “Billing”.)
9 VLAN Tagging (Enterprise Only)
Virtual Local Area Networks (VLANs) allow a single physical Ethernet network to
appear to be multiple logical networks. There are a couple of reasons to use
VLANs, including:
• Enhance network security by preventing wireless devices from
accessing LAN resources.
• Increase performance by limiting broadcast domains.
Note that VLAN tagging typically requires a non-trivial amount of LAN
configuration on the upstream switches, routers, and firewalls. If the primary
motivation for VLAN tagging is the first use case, an administrator should
consider using Meraki’s LAN isolation or Custom Firewall rules features (see
Section 10.6, “Firewall Rules for Wireless Users”).
A typical VLAN configuration might break up a physical LAN by department (e.g.,
Engineering, HR, Marketing) or by user class (Employee, Guest). Figure 24
shows an example configuration.
Figure 24 – Example Network with VLANs
VLANs can be port-based (assigning a physical port on a device to a VLAN) or
tag-based (tagging particular kinds of traffic with a VLAN tag, as defined by
802.1q). Meraki APs use tag-based VLANs (i.e., VLAN tagging) to identify
wireless traffic to an upstream switch/router. When the switch/router sees VLAN-tagged traffic from a Meraki AP, it can apply different policies to that traffic,
including access control (e.g., send traffic straight to the firewall for Internet-only
access) or QoS (e.g., prioritize traffic on the VOIP SSID). Conversely, when the
AP receives VLAN-tagged traffic from the upstream switch/router, it forwards that
traffic to the correct client and/or SSID. The AP drops all packets with VLAN IDs
that are not associated to any of its wireless users or SSIDs.
VLAN tagging can be configured either per SSID, per user, or per device type. In
either case, the SSID must be configured in bridge mode (see Section 5.2,
“Bridge Mode (Enterprise Only)”).
9.1 Per-SSID VLAN Tagging
When VLAN tagging is configured per SSID, all data traffic from wireless users
associated to that SSID is tagged with the configured VLAN ID. Multiple SSIDs
also can be configured to use the same VLAN tag. For instance, a single VLAN
ID could be used to identify all wireless traffic traversing the network, regardless
of the SSID.
VLAN tagging is configured for an SSID under the Configure tab on the Access
Control page.
9.2 Per-User VLAN Tagging
When VLAN tagging is configured per user, multiple users can be associated to
the same SSID, but their traffic is tagged with different VLAN IDs. This
configuration is achieved by authenticating wireless devices or users against a
customer-premise RADIUS server, which can return RADIUS attributes that
convey the VLAN ID that should be assigned to a particular user’s traffic.
In order to perform per-user VLAN tagging, a RADIUS server must be used with
one of the following settings:
• MAC-based access control (no encryption)
• WPA2-Enterprise with 802.1x authentication
A per-user VLAN tag can be applied in 3 different ways:
1. The RADIUS server returns a Tunnel-Private-Group-ID attribute in the
Access-Accept message, which specifies the VLAN ID that should be
applied to the wireless user. This VLAN ID could override whatever
may be configured in the MCC (which could be no VLAN tagging, or a
per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS
override” must be set to “RADIUS response can override VLAN tag”
under the Configure tab on the Access Control page in the “VLAN
setup” section.
2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in
the Access-Accept message. The group policy attribute specifies a
group policy that should be applied to the wireless user, overriding the
policy configured on the SSID itself. If the group policy includes a VLAN
ID, the group policy’s VLAN ID will be applied to the user. (See Chapter
11, “Identity Policy Manager (Enterprise Only)”.)
3. On the Client Details page, a client can be manually assigned a group
policy. If the group policy includes a VLAN ID, the group policy’s VLAN
ID will be applied to the user.
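The first method above relies on the RADIUS server returning the RFC 2868 tunnel attributes and on the AP trusting them only under the configured override setting. The following is an added example, not Meraki’s code or the MCC’s API: it builds an Access-Accept the way a RADIUS server would (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE 802, Tunnel-Private-Group-ID carrying the VLAN ID, optionally a Filter-ID group policy name), and shows the AP-side handling: verifying the Response Authenticator against the shared secret before any attribute is honoured, parsing the attributes, checking that the three tunnel attributes agree, and applying the “RADIUS override” precedence from this section. The shared secret, request authenticator, VLAN IDs and policy name are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers from RFC 2865 and RFC 2868.
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                  # carries a group-policy name (way #2 in Section 9.2)
ATTR_TUNNEL_TYPE = 64                # value 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65         # value 6 = IEEE 802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81    # the VLAN ID, as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
HEADER_LEN = 20                      # Code, ID, Length, Authenticator


def avp(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def build_access_accept(ident, request_auth, secret, vlan_id, group_policy=None, tag=1):
    """What the RADIUS server sends: an Access-Accept assigning a VLAN (and optionally a group policy)."""
    attrs = (avp(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
             + avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
             + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    if group_policy is not None:
        attrs += avp(ATTR_FILTER_ID, group_policy.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def is_authentic(packet, request_auth, secret):
    """AP-side check: only a server holding the shared secret can produce this authenticator."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def parse_response(packet, request_auth, secret):
    """Verify the packet first, then return (code, {attribute type: [raw values]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("length field does not match the packet")
    if not is_authentic(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator; attributes must not be trusted")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def _tagged(values):
    """Map tag -> integer for a list of tagged-integer attribute values."""
    return {v[0]: int.from_bytes(v[1:], "big") for v in values if len(v) == 4}


def vlan_from_attrs(attrs):
    """VLAN ID from Tunnel-Private-Group-ID, accepted only when Tunnel-Type=VLAN and
    Tunnel-Medium-Type=802 with the same tag are present and the ID is within 1..4094."""
    types = _tagged(attrs.get(ATTR_TUNNEL_TYPE, []))
    media = _tagged(attrs.get(ATTR_TUNNEL_MEDIUM_TYPE, []))
    for raw in attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, []):
        # RFC 2868: a first octet above 0x1F is data, not a tag
        tag, body = (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)
        if types.get(tag) != TUNNEL_TYPE_VLAN or media.get(tag) != TUNNEL_MEDIUM_802:
            continue
        if body.isdigit() and 1 <= int(body) <= 4094:
            return int(body)
    return None


def effective_vlan(attrs, ssid_vlan, radius_override):
    """Precedence from Section 9.2: the RADIUS VLAN applies only when "RADIUS response
    can override VLAN tag" is set; otherwise the SSID setting (None = untagged) stands."""
    radius_vlan = vlan_from_attrs(attrs)
    if radius_override and radius_vlan is not None:
        return radius_vlan
    return ssid_vlan


# Constructed values for the demonstration; a real shared secret is never this short.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))   # the Request Authenticator the AP sent in its Access-Request

if __name__ == "__main__":
    pkt = build_access_accept(7, REQ_AUTH, SECRET, 120, "Engineering")
    code, attrs = parse_response(pkt, REQ_AUTH, SECRET)
    print("VLAN with override on:", effective_vlan(attrs, 10, True))
    print("VLAN with override off:", effective_vlan(attrs, 10, False))
```

The authenticator check matters more than it looks: the RADIUS exchange travels over the untagged management path described in Section 9.4, and the Response Authenticator is the only thing binding a VLAN assignment to the server that holds the shared secret.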
9.3 Per-Device Type VLAN Tagging
Group policies can automatically be assigned to different device types such as
Android, iPad, iPhone, iPod, Mac OS X, Windows, etc. If the group policy
includes a VLAN ID, then group policy’s VLAN ID will be applied to the user and
override other VLAN settings for that SSID or user.
9.4 Management Traffic
Management traffic is always untagged between the Meraki AP and the
upstream switch/router. (VLAN tagging applies only to data traffic to/from
wireless clients.) The wired network must be configured to allow untagged traffic
from the APs to the Internet (so that the APs can communicate with the MCC)
and to other network appliances that the APs would contact for user or network
management (e.g., Active Directory or RADIUS servers for user authentication).
9.5 Configuring the LAN to Support VLAN Tagging
Because a Meraki AP can be sending/receiving tagged data traffic as well as
untagged management traffic, all Meraki APs must be connected to a trunk port
on the upstream switch/router that is configured to handle any of the VLANs used
by the wireless network. See Section 26.2, “Switch Configuration for VLAN
Tagging”.
9.6 Other Considerations
• For greater security, no SSID should be untagged (i.e., on the “native
VLAN”).
• The amount of broadcast traffic on the trunk port to which the Meraki AP
is attached should be limited. Limiting broadcast traffic improves
wireless performance.
• Currently, VLAN tagging is not supported in a deployment in which
Meraki APs are used to form a wireless bridge between two wired
LANs.
10 User Access Control Features
This chapter describes the access control options available in the MCC. Most of
these options appear under the Configure tab on the Access Control page.
Meraki’s Identity Policy Manager (IPM) is covered separately in Chapter 11,
“Identity Policy Manager (Enterprise Only)”.
10.1 Network Access Control
Network access control (NAC) scans clients connecting to an SSID to check to
see if they are running anti-virus software to ensure that the network is protected
from infected machines. To enable this feature, either click-through splash page
or sign-on splash page must be enabled on the SSID (See Chapter 7, Network
Sign-On Methods). Meraki NAC is enabled on a per-SSID basis.
The scan is done by a Java applet in the browser. If supported anti-virus
software is detected as running on the client machine, the client will be allowed
onto the network. If not, the client is quarantined behind a walled garden
where it can be remediated by downloading anti-virus software.
Clients running Windows XP, 7 or Vista will be scanned for supported anti-virus
software. Non-Windows clients are not scanned. An updated list of detected
anti-virus software can be found here:
http://bit.ly/eXCWuQ
If a device fails the scan, they will be quarantined by the AP’s policy firewall and
sent either to a standard splash page that allows them to download Microsoft
Security Essentials, or to a remediation page. The remediation page is a custom
URL that the administrator can set to allow non-compliant clients to download
other anti-virus software. This could be an internal website or a public website
from an anti-virus software vendor. If selecting a custom URL, the IP of the host
must be added to the walled garden as well (See section 10.9 “Walled Garden
(Enterprise Only)”).
To enable NAC on an SSID, select “Check clients for antivirus software” under
Access Control. Then select either “Show default NAC failure page” or “Show
custom URL”. Figure 25 shows an example of an SSID that is using NAC and
where non-compliant clients are sent to McAfee’s download page for
remediation.
Figure 25 - Network Access Control Settings
Once NAC has been enabled on an SSID, NAC activity can be monitored from
the NAC page under the Monitor tab. Figure 26 shows the NAC logs on the NAC
page. From this page, both successful and unsuccessful attempts to access an
SSID with NAC enabled can be viewed and searched.
Figure 26 - NAC Monitoring Page
10.2 MAC Whitelist
If a splash page is enabled on an SSID, the administrator can identify devices by
MAC address that will bypass the splash page and immediately gain network
access. This is useful to enable devices that cannot display a splash page to still
be able to associate to an SSID that has a splash page enabled.
Devices on the whitelist will:
• Never be shown a splash page.
• Be able to access the network without logging in (if sign-on splash page
is configured) or paying (if billing is configured).
• Not be subject to the bandwidth limits set on the network.
Although this whitelist is configured under the Configure tab on the Access
Control page for a specific SSID, it applies to all SSIDs in the network.
Alternatively, an administrator can dynamically add wireless clients to the
whitelist from the Monitor tab on the Clients page. An administrator can select a
client device and change the Access Status from “normal” to “whitelisted.”
Using this whitelist is not recommended for access control, but rather, as a
temporary workaround. Managing a list of MAC addresses does not scale well
from a management perspective. Moreover, MAC addresses can be spoofed,
which may allow unwanted users to access the wireless network. The
recommended approach is to migrate client devices that are unable to display
splash pages to a separate SSID that does not have the splash page enabled.
10.3 MAC Blacklist
An administrator can block specific wireless devices from network access by
MAC address. A device is added to the blacklist from the Monitor tab on the
Clients page, by changing the Access Status from “normal” to “blocked.” An
administrator can optionally enter a message, which is displayed to the wireless
client on the page that he receives when he tries to access the network. This
message could be used to communicate remediation steps to the blocked client.
As with the splash page bypass list, the MAC blacklist is not recommended for
access control. A list of MAC addresses quickly becomes unmanageable with a
large number of client devices. Moreover, MAC addresses can be spoofed to
circumvent this blacklist. Blocking users and devices should occur by employing
a combination of wireless encryption and authentication methods. (See Chapter
7, “Wireless Encryption and Authentication”.)
10.4 Bandwidth Shaping
Bandwidth shaping ensures that users do not consume more bandwidth than
they should. The MCC includes an integrated bandwidth shaping module that
enforces upload and download limits. This setting could be used, for instance, to
assign more bandwidth for VOIP handsets on one SSID and less bandwidth for
data-only users on another SSID. The bandwidth limits are enforced by the
Meraki APs so that they are applied consistently to a wireless client, even if that
client roams from one AP to another.
The MCC supports separate upload and download limits. Asymmetric upload and
download limits are useful, for example, when a user only needs to periodically
download large images (e.g., CAD drawings) but not upload them. Specific
application requirements and available bandwidth should be considered to
determine the optimum bandwidth settings.
Bandwidth limits can be applied per SSID or per user. To configure per SSID
bandwidth limits, go to the Access Control page under the Configure tab.
To provide a better user experience when using bandwidth shaping, an
administrator can enable SpeedBurst using the checkbox in the Bandwidth Limits
section on the Access Control page. SpeedBurst allows each client to exceed
their assigned limit in a “burst” for a short period of time, making their experience
feel snappier while still preventing any one user from using more than their fair
share of bandwidth over the longer term. A user is allowed up to four times their
allotted bandwidth limit for a period of up to five seconds.
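The SpeedBurst paragraph describes a classic rate limit with a bounded burst allowance. The following is an added illustrative model of that behaviour, not Meraki’s shaping implementation (which the page does not describe): a per-client token bucket whose sustained refill rate is the configured limit and whose capacity is sized so that a client starting from a full bucket can draw four times the limit for five one-second intervals and is then held to the limit. The 1 Mbit/s limit, the 4x and 5 s figures and the demand pattern are taken from the text or constructed.

```python
class ClientShaper:
    """Illustrative token bucket for one client's download (or upload) limit.

    Assumed model of the behaviour described in Section 10.4, not Meraki's code:
    `limit` bytes per second sustained and, when SpeedBurst is on, up to BURST_FACTOR
    times that rate for at most BURST_SECONDS seconds before the plain limit applies.
    """
    BURST_FACTOR = 4
    BURST_SECONDS = 5

    def __init__(self, limit_bytes_per_s, speedburst=True):
        self.rate = limit_bytes_per_s
        if speedburst:
            # Tokens a full-rate burst consumes over BURST_SECONDS, less the refills that
            # arrive while it runs (the bucket starts full, so the first refill is capped away).
            burst_total = self.BURST_FACTOR * self.BURST_SECONDS * self.rate
            self.capacity = burst_total - (self.BURST_SECONDS - 1) * self.rate
        else:
            self.capacity = self.rate      # no burst: at most one second's worth queued
        self.tokens = self.capacity
        self.last_time = 0

    def request(self, now, nbytes):
        """Admit up to nbytes at time `now` (whole seconds); return the bytes allowed through."""
        elapsed = now - self.last_time
        self.last_time = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        allowed = min(nbytes, self.tokens)
        self.tokens -= allowed
        return allowed


def simulate(limit_bytes_per_s, demand_bytes_per_s, seconds, speedburst=True):
    """Bytes admitted in each one-second interval for a client offering a constant demand."""
    shaper = ClientShaper(limit_bytes_per_s, speedburst)
    return [shaper.request(t, demand_bytes_per_s) for t in range(1, seconds + 1)]


if __name__ == "__main__":
    limit = 125_000   # 1 Mbit/s expressed in bytes per second (constructed example limit)
    print("SpeedBurst on: ", simulate(limit, 4 * limit, 8))
    print("SpeedBurst off:", simulate(limit, 4 * limit, 8, speedburst=False))
```

Over a longer window the burst is paid back: a client that demands four times its limit for a minute gets the five-second burst and then exactly the limit for the remaining 55 seconds, so no one client pulls ahead of its fair share for long.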
The MCC supports per-user bandwidth limits when a customer-hosted RADIUS
server is used. See Section 7.3.2, "Externally Hosted RADIUS Server”, for
details.
Finally, if billing is enabled, it is possible to configure bandwidth limits that apply
to each billing tier. See Chapter 18, “Billing” for details.
10.5 Adult Content Filtering
Adult content filtering prevents a wireless client from accessing sites that contain
pornographic, sexual, or otherwise adult material. The filtering is performed at the
DNS level via OpenDNS. Users may be redirected to a safe OpenDNS landing
page.
This feature provides basic adult content filtering for applications in which
advanced filtering techniques are not required (e.g., filtering for guests in the
office lobby). If more advanced filtering is required, a separate content filtering
solution is recommended.
This feature is configured on a per-SSID basis under the Configure tab on the
Access Control page. It is only available when NAT mode is selected for client IP
addressing.
10.6 Firewall Rules for Wireless Users
The administrator can define firewall rules that restrict which network resources
users can access. There are 3 options:
1. Allow wireless clients to access my LAN (LAN isolation disabled)
2. Prevent wireless clients from accessing my LAN (LAN isolation enabled)
3. Custom firewall rules
10.6.1 LAN Isolation
LAN isolation is designed to allow clients to access the Internet but not be able to
access LAN resources. Guest access networks are a common use case. LAN
isolation is quick to enable and does not require that the network support VLANs.
LAN isolation blocks access to the following IP ranges:
• 10/8
• 172.16/12
• 192.168/16
10.6.2 Custom Firewall Rules (Enterprise Only)
Custom firewall rules provide an administrator with more granular access control
beyond LAN isolation. An administrator can define a set of firewall rules that is
evaluated for every request sent by a wireless user associated to that SSID.
Firewall rules are evaluated from top to bottom. The first rule that matches is
applied, and subsequent rules are not evaluated. If no rules match, the default
rule (allow all traffic) is applied.
As an example, Figure 27 depicts a sample set of custom firewall rules.
Figure 27 – Example Custom Firewall Rules
Different kinds of requests will match different rules, as the table below shows.
For a web request to CNN, rules 1-4 do not match, so rule #5 (the default rule)
applies, and the request is allowed. In contrast, for a BitTorrent request over
TCP port 6881, rule #1 does not match, but rule #2 matches. The request is
denied, and no subsequent rules are evaluated.
Rule #   Example #1:          Example #2:          Example #3:          Example #4:
         Web request to       Print to             Send BitTorrent      Access file
         www.cnn.com          192.168.1.37         traffic              server on LAN
1        (no match)           (no match)           (no match)           (no match)
2        (no match)           (no match)           MATCH (deny)         (no match)
3        (no match)           MATCH (allow)        (not evaluated)      (no match)
4        (no match)           (not evaluated)      (not evaluated)      MATCH (deny)
5        MATCH (allow)        (not evaluated)      (not evaluated)      (not evaluated)
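Both LAN isolation (Section 10.6.1) and custom rules (Section 10.6.2) reduce to the same first-match evaluation, so here is one added example covering both; it is not Meraki’s rule engine or rule syntax. The rule set is constructed so that the four requests in the text reach the rules the table reports (the actual rules in Figure 27 are not reproduced on the page), and LAN isolation is expressed as three deny rules for the listed private ranges followed by the implicit default allow. The Internet addresses come from the 203.0.113.0/24 documentation range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    policy: str             # "allow" or "deny"
    protocol: str = "any"   # "any", "tcp", "udp" or "icmp"
    dst: str = "any"        # destination network in CIDR notation, or "any"
    ports: tuple = ()       # () = any destination port, else (low, high) inclusive
    comment: str = ""

    def matches(self, protocol, dst_ip, dst_port):
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.ports and not (self.ports[0] <= dst_port <= self.ports[1]):
            return False
        return True


def evaluate(rules, protocol, dst_ip, dst_port):
    """Top to bottom, first match wins. Returns (rule number, policy); the number one past
    the last configured rule is the implicit default rule, which allows all traffic."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(protocol, dst_ip, dst_port):
            return number, rule.policy
    return len(rules) + 1, "allow"


# Section 10.6.1: LAN isolation is equivalent to denying the three private ranges
# and letting everything else (the Internet) through.
LAN_ISOLATION = [
    Rule("deny", dst="10.0.0.0/8"),
    Rule("deny", dst="172.16.0.0/12"),
    Rule("deny", dst="192.168.0.0/16"),
]

# Constructed rule set shaped so the four requests in the text hit the rules the table shows.
EXAMPLE_RULES = [
    Rule("deny", "tcp", "any", (25, 25), "no direct outbound SMTP"),
    Rule("deny", "tcp", "any", (6881, 6889), "BitTorrent"),
    Rule("allow", "tcp", "192.168.1.37/32", (9100, 9100), "network printer"),
    Rule("deny", "any", "192.168.0.0/16", (), "everything else on the LAN"),
]

# Constructed requests (protocol, destination IP, destination port).
REQUESTS = {
    "web request to www.cnn.com": ("tcp", "203.0.113.10", 80),
    "print to 192.168.1.37":      ("tcp", "192.168.1.37", 9100),
    "send BitTorrent traffic":    ("tcp", "203.0.113.55", 6881),
    "access file server on LAN":  ("tcp", "192.168.1.10", 445),
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        number, policy = evaluate(EXAMPLE_RULES, *req)
        print(f"{label:28s} -> rule {number} ({policy})")
```

Note that the default rule allows: a rule set that is meant to isolate the LAN must end with an explicit deny for the private ranges, or anything the earlier rules did not name falls through to the default allow.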
Firewall rules can be applied for a given SSID or as part of a group policy (see
Chapter 11, “Identity Policy Manager (Enterprise Only)”).
10.7 Captive Portal Strength
The administrator can configure this feature to block all traffic (including non-web
traffic) from wireless users until they have clicked through the splash page. The
administrator can configure this setting for each SSID.
This feature is configured under the Configure tab on the Access Control page
when either the click-through splash page or the splash page with
username/password login is configured.
10.8 Enable/Disable Simultaneous Logins
This feature prevents wireless users from using the same sign-on splash page
credentials on multiple computers simultaneously. This setting only applies to
sign-on splash page with either the Meraki-hosted authentication server or
customer-hosted authentication server. This setting does not have any effect on
802.1x users, who are not prevented from logging in simultaneously from multiple
computers.
This feature is configured under the Configure tab on the Access Control page
when the splash page with username/password login is configured.
10.9 Walled Garden (Enterprise Only)
A walled garden defines a set of IP addresses that a wireless user can access
before he has authenticated. For instance, the walled garden might include the
“company info” pages from a company’s website. In designing these companion
web pages, ensure that users can easily get back to the login page.
A walled garden is configured under the Configure tab on the Access Control
page when either the click-through splash page or the splash page with
username/password login is configured.
11 Identity Policy Manager (Enterprise Only)
The Meraki Identity Policy Manager (IPM) enables administrators to apply
different security settings for different groups of users.
IPM can be used to implement a variety of policies over a single SSID. For
example, a university wants to have three tiers of access for students, staff, and
guests. All users should have access to the Internet, students should have
access to network printers, and staff should have access to internal applications
and servers. This university’s policy could be implemented with 3 distinct SSIDs
in which each SSID is mapped to its own unique VLAN tag (see Section 9.2,
“Per-User VLAN Tagging”). However, not all networks have VLAN tagging
enabled, and VLAN administration can be complex. IPM enables the university
to implement sophisticated policies over a single SSID.
Note that IPM is also useful for implementing Payment Card Industry (PCI)
compliance. For additional information on PCI, please see the Meraki PCI white
paper.
IPM is compatible with the following access control modes:
• MAC-based access control
• WPA2-Enterprise with 802.1x authentication
11.1 How IPM Works
The following outlines how the system behaves when IPM has been configured.
1. A user associates with a network.
2. The Meraki AP sends a RADIUS Access-Request message to the
RADIUS server. The Access-Request message contains RADIUS
attributes that help the RADIUS server to identify the wireless user.
3. The RADIUS server determines which group it should assign to the
user. This determination could be based on any combination of criteria
to which the RADIUS server is privy (e.g., the user’s MAC address,
username, domain, AP, SSID, time of day, etc.).
4. If the RADIUS server admits the user, it returns a RADIUS Access-Accept message to the Meraki AP. The Access-Accept message
contains RADIUS attributes that indicate the group policy to which the
user belongs.
5. The Meraki AP receives the Access-Accept message from the RADIUS
server, and applies the appropriate group policy to that user.
These policies are “identity-based” because they are based upon the user’s
identity, as determined by the RADIUS server. The mapping of a user to a group
policy is performed by the RADIUS server; the configuration of a group policy, by
the Meraki Cloud Controller; and the application of a group policy, by a Meraki
AP.
Group policies are at the core of IPM and are discussed below. (Per-user VLAN
tagging is a subset of IPM and is described in Section 9.2, “Per-User VLAN
Tagging”).
11.2 How to Configure IPM
A “group policy” is a named policy that contains a group of settings that can be
applied to a particular user. When the Meraki AP receives the Access-Accept
message from the RADIUS server (step #5 above), the RADIUS server may
include a RADIUS attribute that identifies this group policy by name. If the group
policy identified in the RADIUS attribute matches a group policy configured in the
MCC, the Meraki AP will apply the settings in that group policy to the user.
There are 3 key steps to configuring a group policy:
1. Create a group policy on the RADIUS server.
2. Define a corresponding group policy on the MCC.
3. Test the group policy configuration.
The following sections describe each step in more detail. See “Appendix A:
Example Office Configuration” for example configurations of group policies.
11.2.1 Define a Group Policy on the RADIUS Server
How an administrator defines a group policy on the RADIUS server depends on
the RADIUS implementation.
For example, in Windows Server, the administrator creates a policy in the
Network Policy Server (NPS) that defines the following:
1. Conditions (i.e., what needs to match). Examples of conditions include
the user’s domain, user group, SSID to which the user connected, and
MAC address of the AP to which the user connected.
2. Settings (i.e., what should be applied if the conditions match). Here, the
administrator specifies what RADIUS attribute (and attribute value, i.e.,
the group policy name) the RADIUS server returns to the Meraki AP.
When a user matches an NPS policy’s conditions, the RADIUS server sends the
group policy name as a RADIUS attribute to the Meraki AP.
11.2.2 Define a Group Policy on the MCC
Group policies are configured in the MCC under the Configure tab on the Group
Policies page. (Figure 28 shows a sample screenshot.) Group policies are
configured on a per-SSID basis. In this way, two different SSIDs could have
group policies with the same name, but different settings.
Figure 28 – Group Policies Page
For a given SSID, an administrator can configure the following:
1. RADIUS attribute identifying the group policy. (Figure 29 defines the
RADIUS attributes that can be used to identify a group policy.)
2. One or more group policies that can be applied to users connecting to
this SSID. For a given group policy, an administrator can configure the
following:
a. Bandwidth limits
b. VLAN tagging
c. Splash page bypass
d. Firewall rules
In each case, the administrator can choose to (1) use the default setting
configured on the SSID (under the Configure tab on the Access Control
page for the given SSID), or (2) override the default setting configured
on the SSID with a setting configured in the group policy.
Since there is no universally accepted RADIUS attribute to pass group
policy information, Meraki supports a variety of different attributes, as
shown in the following table.
Figure 29 – RADIUS Attributes for Group Policy
Attribute Name       Attribute Identification
Filter-Id            Defined in RFC 2865, Type 11.
Reply-Message        Defined in RFC 2865, Type 18.
Airespace-ACL-Name   Vendor number=14179, Vendor-assigned attribute number=6
Aruba-User-Role      Vendor number=14823, Vendor-assigned attribute number=1
Note that group policies can only be configured on an SSID that uses a local
(customer-premise) RADIUS server for authentication at association time.
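The following Python script is an added example, not code from Meraki or from this manual. It builds a RADIUS Access-Accept of the kind returned in step 4 of the IPM flow, checks its Response Authenticator against the shared secret as RFC 2865 specifies, and then extracts the group policy name from whichever of the four attributes in Figure 29 the administrator has selected for the SSID. The packet identifier, Request Authenticator, shared secret and policy names are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26

# The four attributes Figure 29 lists as carriers of the group policy name,
# keyed by the per-SSID choice made on the Group Policies page:
# (attribute type, vendor id or None, vendor-assigned attribute number or None).
GROUP_POLICY_ATTRS = {
    "Filter-Id": (ATTR_FILTER_ID, None, None),
    "Reply-Message": (ATTR_REPLY_MESSAGE, None, None),
    "Airespace-ACL-Name": (ATTR_VENDOR_SPECIFIC, 14179, 6),
    "Aruba-User-Role": (ATTR_VENDOR_SPECIFIC, 14823, 1),
}


def encode_attribute(attr_type, value, vendor_id=None, vendor_type=None):
    """Encode one attribute as type/length/value; a VSA nests a vendor TLV in type 26."""
    if attr_type == ATTR_VENDOR_SPECIFIC:
        vendor_tlv = struct.pack("!BB", vendor_type, len(value) + 2) + value
        value = struct.pack("!I", vendor_id) + vendor_tlv
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Build the Access-Accept a RADIUS server returns (step 4 of the IPM flow)."""
    attrs = b"".join(encode_attribute(*a) for a in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply was produced with the shared secret for our Access-Request."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def iter_attributes(packet):
    """Yield (type, vendor_id, vendor_type, value) per attribute, unwrapping VSAs."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            yield attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]
        else:
            yield attr_type, None, None, value
        pos += attr_len


def group_policy_from_access_accept(packet, request_authenticator, secret, attribute_name):
    """Return the group policy name carried in the configured attribute, or None.

    None means "apply no group policy": the packet is not an Access-Accept, its
    Response Authenticator does not verify, or the attribute is absent.
    """
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    wanted = GROUP_POLICY_ATTRS[attribute_name]
    for attr_type, vendor_id, vendor_type, value in iter_attributes(packet):
        if (attr_type, vendor_id, vendor_type) == wanted:
            return value.decode("utf-8", "replace")
    return None


# Constructed sample values (not from any real deployment): the Request
# Authenticator the AP sent, the shared secret, and a reply naming a policy
# both in Reply-Message and in the Airespace VSA.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_ACCEPT = build_access_accept(
    identifier=7,
    request_authenticator=SAMPLE_REQUEST_AUTH,
    secret=SAMPLE_SECRET,
    attributes=[
        (ATTR_REPLY_MESSAGE, b"Welcome"),
        (ATTR_VENDOR_SPECIFIC, b"Contractors", 14179, 6),
    ],
)

if __name__ == "__main__":
    for name in GROUP_POLICY_ATTRS:
        print(name, "->", group_policy_from_access_accept(
            SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, name))
```

Checking the Response Authenticator before honouring the attribute matters because a group policy can relax firewall rules, bandwidth limits or the VLAN a user lands on: a reply that does not verify under the shared secret should apply no policy at all. Running the extraction with each attribute name also shows why the per-SSID attribute selection matters: the same Access-Accept yields a policy name under one selection and nothing under another, which is what the event log and RADIUS test tools of Section 11.2.3 let an administrator confirm.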
11.2.3 Test the IPM Configuration
Since policies and permission rules can be complex and sometimes result in
counter-intuitive behavior, it is important to test out a configuration thoroughly
before deploying it in a live environment.
An administrator can utilize the following tools to confirm that IPM is configured
and operating correctly:
• Event log: The event log shows RADIUS attributes that were received
and/or applied for a particular user. (See Section 8.7, “Event Log Page
(Enterprise Only)”.)
• Authentication test tools: The RADIUS test tools under the Configure
tab on the Access Control page simulate a user authentication, and they
show the RADIUS attributes that were received and/or applied for a
particular test user. (See Section 7.3.2, “Externally Hosted RADIUS
Server”.)
12 Traffic Shaper (Enterprise Only)
Section 8.6.2 introduced the granular, application-specific network usage data
that is at an administrator’s disposal through Traffic Analysis. In addition to
providing this level of visibility into how the wireless network is being used,
administrators can create shaping policies to apply per-user controls on a
per-application basis. This allows the throttling of recreational applications such as
peer-to-peer filesharing programs and the prioritization of enterprise applications
such as Salesforce.com, ensuring that business-critical application performance
is not compromised.
12.1 Configuring Shaping Policies
Shaping policies can be created on the Traffic Shaping page under the Configure
tab. Shaping policies are created and applied per SSID by selecting the
appropriate SSID from the drop-down selector at the top of the page. Shaping
policies can also be turned on and off using the “Shape traffic” drop-down
selector underneath the SSID selector.
12.1.1 Creating Shaping Rules
Traffic shaping policies consist of a series of rules that are evaluated in the order
in which they appear in the policy, similar to custom firewall rules. There are two
main components to each rule: rule definitions and rule actions.
• Rule Definition
Rules can be defined in two ways. An administrator can select from
various pre-defined application categories such as Video & Music, Peer-to-Peer or Email. More information about which applications are
included in each category can be found in Section 8.6.2. The second
method of defining rules is to use custom rule definitions.
Administrators can create rules by specifying HTTP hostnames (e.g.,
salesforce.com), port numbers (e.g., 80), IP ranges (e.g., 192.168.0.0/16),
or IP range and port combinations (e.g., 192.168.0.0/16:80).
• Rule Actions
Traffic matching specified rule sets can be shaped and/or prioritized.
o Bandwidth limits can be specified to either 1. Ignore any limits
specified for a particular SSID on the Access Control page
(allow unlimited bandwidth usage), 2. Obey the specified SSID
limits or 3. Apply more restrictive limits than the SSID
limits. To specify asymmetric limits on uploads and
downloads, click on the Details link next to the bandwidth slider
control.
o Quality of Service (QoS) prioritization can be applied to traffic
at Layers 2 and 3. Layer 2 prioritization is accomplished by
specifying a value for the PCP tag in the 802.1q header on
outgoing traffic from the access point. This feature is only
available for SSIDs where VLAN tagging is enabled. To
prioritize traffic at Layer 3, a value is selected for the DSCP tag
in the IP header on all incoming and outgoing IP packets. This
also affects the WMM priority of the traffic. To fully benefit
from this feature, upstream wired switches and routers must be
configured for QoS prioritization as well.
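As an added example (not Meraki's code; the manual does not describe the AP's implementation), the Python below evaluates an ordered list of shaping rules of the kinds described above against constructed flows and returns the bandwidth limit and QoS markings that would apply. The rule and flow fields, the category names, the addresses and the DSCP/PCP values are assumptions made for the example; the "limit" action is modelled as never loosening the SSID limit, which is how the manual describes option 3.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    """One client flow as the AP's classifier sees it (constructed fields)."""
    dst_ip: str
    dst_port: int
    http_host: Optional[str] = None   # HTTP Host header, when the flow is HTTP
    category: Optional[str] = None    # traffic-analysis category, e.g. "Peer-to-Peer"


@dataclass
class Rule:
    """One shaping rule: a definition plus the actions taken on a match.

    definition is either "category:<name>" for a pre-defined application
    category or a custom definition in the manual's four forms: a hostname,
    a port, an IPv4 range, or an IPv4 range with a port ("192.168.0.0/16:80").
    """
    definition: str
    bandwidth: str = "obey"            # "ignore" | "obey" | "limit"
    limit_kbps: Optional[int] = None   # per-client limit used when bandwidth == "limit"
    pcp: Optional[int] = None          # 802.1p PCP (0-7), Layer 2; needs VLAN tagging
    dscp: Optional[int] = None         # DSCP (0-63), Layer 3


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Decide whether one rule definition matches the flow."""
    d = rule.definition
    if d.startswith("category:"):
        return flow.category == d[len("category:"):]
    if d.isdigit():                                   # bare port number
        return flow.dst_port == int(d)
    if "/" in d:                                      # IPv4 range, optional :port
        cidr, _, port = d.partition(":")
        if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(cidr, strict=False):
            return False
        return port == "" or flow.dst_port == int(port)
    host = (flow.http_host or "").lower()             # HTTP hostname: host or any subdomain
    return host == d.lower() or host.endswith("." + d.lower())


def apply_policy(rules, flow, ssid_limit_kbps, vlan_tagging_enabled):
    """Evaluate rules in order; the first match decides, like custom firewall rules.

    Returns the effective per-client limit (None means unlimited) and the QoS
    markings to apply. A "limit" rule can only tighten the SSID limit; only
    "ignore" lifts it.
    """
    for rule in rules:
        if not rule_matches(rule, flow):
            continue
        if rule.bandwidth == "ignore":
            limit = None
        elif rule.bandwidth == "obey":
            limit = ssid_limit_kbps
        elif ssid_limit_kbps is None:
            limit = rule.limit_kbps
        else:
            limit = min(rule.limit_kbps, ssid_limit_kbps)
        return {
            "rule": rule.definition,
            "limit_kbps": limit,
            # PCP lives in the 802.1Q header, so it exists only on tagged SSIDs.
            "pcp": rule.pcp if vlan_tagging_enabled else None,
            "dscp": rule.dscp,
        }
    # No rule matched: the SSID default applies and nothing is re-marked.
    return {"rule": None, "limit_kbps": ssid_limit_kbps, "pcp": None, "dscp": None}


# Constructed office policy, modelled on the rule types in Section 12.1.1.
OFFICE_RULES = [
    Rule("category:Peer-to-Peer", bandwidth="limit", limit_kbps=500),
    Rule("salesforce.com", bandwidth="ignore", pcp=5, dscp=34),
    Rule("192.168.0.0/16:80", bandwidth="obey"),
]

# Constructed flows; 203.0.113.0/24 is the documentation range from RFC 5737.
P2P_FLOW = Flow("203.0.113.9", 6881, category="Peer-to-Peer")
CRM_FLOW = Flow("203.0.113.20", 443, http_host="login.salesforce.com")
INTRANET_HTTP = Flow("192.168.40.7", 80)
INTRANET_SSH = Flow("192.168.40.7", 22)

if __name__ == "__main__":
    for flow in (P2P_FLOW, CRM_FLOW, INTRANET_HTTP, INTRANET_SSH):
        print(flow, "->", apply_policy(OFFICE_RULES, flow, 5000, True))
```

Because the first matching rule wins, rule order matters: a broad port or IP-range rule placed above a more specific hostname rule shadows it, and a "limit" rule set looser than the SSID limit has no effect. Running a candidate policy against a handful of representative flows like these, before enabling it on a live SSID, is the quickest way to catch such surprises.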
12.1.2 Example Shaping Policy
Figure 30 shows a typical shaping policy that might be found in an office setting.
Figure 30 - Example Shaping Policy
13 Guest Management (Enterprise Only)
Many organizations want to be able to quickly and easily get guests online, and
at the same time, control who is on the network.
The MCC allows administrators to create “guest ambassadors”, who can create
guest user accounts but cannot otherwise modify the system. For example, a
network administrator can create a guest ambassador account for a receptionist.
In turn, the receptionist can create user accounts for guests who need temporary
access to the wireless network.
Guest ambassador accounts are configured under the Configure tab on the
Network-Wide Settings page. A guest ambassador who logs into the MCC can
access the “Guest Management Portal”, which only allows the creation of user
accounts on SSIDs that are configured with a sign-on splash page using a Meraki-hosted authentication server. The guest ambassador can add, edit, and remove
user accounts, and can specify expiration times for user accounts (e.g., to expire
in 1 day).
Figure 31 shows a screenshot of the Guest Management Portal used by guest
ambassadors.
Figure 31 – Guest Management Portal
14 Rogue AP Detection (Enterprise Only)
Meraki APs can detect nearby APs that may pose a security threat to either
wireless users or to the organization’s network. Meraki identifies 2 types of
rogue APs:
1. APs that are broadcasting the same SSID as the administrator’s
configured SSID can trick clients into connecting to the wrong AP.
These clients could then potentially divulge personal or confidential
information to the wrong host.
2. APs could be connected to the organization’s wired network without any
of the necessary encryption or authentication settings, thereby opening
a security hole into the organization’s wired network. (These APs may
not necessarily be introduced into the network maliciously. For
instance, an employee might bring a consumer-grade AP into work for
his own convenience. He plugs the AP into the LAN near his desk and
intentionally does not configure any encryption or authentication settings
so that he can connect to his AP without having to log in.)
Figure 32 is a screenshot of a Rogue APs page.
Figure 32 – Rogue APs Page
Like the Access Points and Clients pages, the Rogue APs page has a list that
can be customized (adding, removing, and reordering columns) and resorted (by
clicking on a column header).
The Rogue AP page supports the following features:
• Rogue APs that are spoofing an SSID (the first type of rogue APs
described above) can be found by sorting on the “SSID” column.
• Rogue APs that are connected to the wired network (the second type of
rogue APs described above) can be found by sorting on the “Wired
MAC” column.
• The location of a rogue AP can be triangulated with the information in
the “Seen by” column, which lists the Meraki APs that are detecting a
given rogue AP and the signal strength between a Meraki AP and the
rogue AP.
• A nearby AP that does not pose a security threat (e.g., an AP deployed
in a neighboring office) can be marked as “known” by selecting the AP,
then selecting the action (from the “Actions” drop-down menu) “Mark as
known”. Known APs are colored green in the “Status” column; unknown
APs are colored red.
Scans for rogue APs occur periodically according to the “Network Scans”
configuration on the Network-Wide Settings page under the Configure tab (see
Section 16.4, “Network Scans (Enterprise Only)”). An administrator can force an
immediate scan by clicking the “Scan now” button at the top of the Rogue APs
page. Note that a forced scan disassociates all clients that may be connected to
Meraki APs at the time the scan is initiated.
15 Wireless Intrusion Prevention System (Enterprise Only)
Meraki’s Wireless Intrusion Prevention System (WIPS) can detect, classify,
locate, and remediate a variety of intrusions on the WLAN. Intrusions are
classified as:
1. AP Spoofs: APs that are broadcasting your SSID and copying the MAC
address of one of your APs. A very high priority threat.
2. Rogue SSIDs which are broadcast from:
a. A rogue AP that is broadcasting your SSID, perhaps in
attempts to lure your clients to associate.
b. An AP that is detected to be plugged into the wired LAN.
Someone who may have malicious or innocent intent has
plugged an unauthorized access point into the wired LAN.
c. Ad-hoc networks. A client associated to your WLAN is
operating in ad-hoc mode. This could allow unauthorized
clients access to your WLAN through the ad-hoc network.
3. Interfering SSIDs: Other APs detected in the area.
4. Malicious broadcasts: DoS attacks attempting to bring down your APs.
5. Packet floods: Client floods or AP floods that try to bring down your
APs.
The location of the intrusions will be triangulated and placed on a map, provided
you have also placed the location of your APs on the map. For accurate results, it
is recommended that you have at least three APs which are not placed in a
straight line. The intrusions can then be physically located and removed.
Rogue SSIDs can also be contained wirelessly using Rogue Containment. The Meraki
APs will send periodic deauthentication messages to the clients trying to
associate to the Rogue SSIDs.
Figure 33 is a screenshot of a WIPS page.
Figure 33 – WIPS Page
16 Wireless Features
This chapter describes the various wireless features that can be configured in the
MCC.
16.1 AutoRF
The MCC features AutoRF, Meraki’s integrated RF intelligence. AutoRF
constantly scans the local RF environment and performs system-wide network
optimizations of AP channel selection and transmit power (Enterprise only),
resulting in maximized network performance and reliability. The various
components of Meraki’s RF analysis and control features will be described in the
following sections.
16.2 Channel Selection
Channel selection involves the assignment of RF channels to the radios on the
Meraki APs. Optimizing channel assignments reduces channel interference and
channel utilization, thereby improving overall network performance and
increasing the network’s client capacity.
Channel selection is configured under the Configure tab on the Radio Settings
page in Enterprise networks (more detail on the Radio Settings page can be
found in Section 16.6) and on the Network-Wide Settings page in Pro networks.
Two options are available:
1. Manual: In this case, the administrator can manually configure the
channels used by the Meraki APs on the 2.4 GHz and 5 GHz bands.
These channel assignments apply across the entire network.
2. Automatic: In this case, the administrator allows the MCC to
automatically assign the optimal channels to the radios. The MCC
determines the optimal channel configuration for a network by
periodically measuring the global network performance and issuing new
channel assignments to APs.
Changing channel assignments can cause noticeable network downtime. The
administrator can configure the MCC to automatically reassign channels in the
wireless network during periods of inactivity (when the channel reassignment
would cause the least amount of disruption). Or, the administrator can perform
the MCC-calculated channel assignments on demand.
The list of available channels that can be assigned to radios is populated based
on which country the APs are deployed in. As such, the “Country” setting needs
to be configured correctly in order for channel management to comply with
region-specific wireless regulations. The Country selector can be found above
the Channel Selection controls.
16.3 Channel Spreading (Enterprise Only)
When automatic channel selection is configured, an administrator can configure
“channel spreading”, which allows Meraki APs to operate on different channels.
Channel spreading selects channels that minimize RF utilization and interference
in the network, thereby maximizing overall network performance and client
capacity (i.e., the number of wireless clients that can connect to the network).
Channel spreading is ideal for environments in which a high number of clients
could saturate a single channel. For instance, in an auditorium with hundreds of
wireless clients and numerous APs broadcasting in the same space, channel
spreading should be enabled.
Channel spreading is configured under the Configure tab on the Radio Settings
page.
16.4 Network Scans (Enterprise Only)
Meraki APs perform network scans to collect information about the RF
environment (e.g., channel utilization, channel interference, etc.), and to detect
rogue APs. There are 2 types of network scans:
• Opportunistic scans are performed when an individual AP has no
clients associated to it.
• Mandatory scans are performed at a specific time of day (on specific
days of the week) by all APs in the network. Note that a mandatory
scan disconnects any clients that may be associated to Meraki APs at
the time a scan begins.
Whether a network performs only opportunistic scans or performs both
opportunistic and mandatory scans is configured under the Configure tab on the
Network-Wide Settings page. The schedule for mandatory scans is also
configured in this section.
16.5 Spectrum Analysis (Enterprise Only)
Meraki 802.11n APs feature built-in spectrum analysis capabilities. The APs scan
for both 802.11 (other APs) and non-802.11 sources of RF interference (e.g.,
Bluetooth headsets, cordless phones and microwaves). This data is then fed into
the Meraki AutoRF planning algorithms to determine optimal channel plan (if
auto-channel selection is enabled) and transmit power settings. No separate
sensor APs need to be deployed as the APs can both serve clients and perform
network scans.
A real-time interference scan can be run from the Live Tools section of the
Access Point Details page (see Section 8.4), giving an administrator both
instantaneous and historical data about interference sources in the area of a
particular AP.
16.6 Transmit Power Control (Enterprise Only)
Administrators have the option of having all APs in the network set at 100%
transmit power or allowing the Cloud Controller to determine the best power
settings for optimal performance. In cases where APs are deployed with high
density and significant overlap in coverage, the Cloud Controller may determine
that interference could be minimized by a reduction in transmit power. In this
situation, if an AP were to go down resulting in a gap in coverage, the adjacent
AP power levels would then be automatically increased to compensate.
Administrators can select full transmit power or automated transmit power
selection on the Radio Settings Page (See Section 16.7). Channel spreading
must be enabled in order to enable automatic power adjustments.
16.7 Radio Settings Page (Enterprise Only)
AP radio controls and channel plan data can be found on the Radio Settings
Page under the Configure tab. There are two main sections of this page:
Controls and Channel Planning reporting.
16.7.1 Radio Controls
Controls found in this section include the Country selector (see Section 16.2),
Manual versus Automatic Channel Selection (see Section 16.2), Channel
Spreading (see Section 16.3) and Full versus Automatic Radio Power Selection
(see Section 16.6).
16.7.2 Channel Planning Report
This report shows administrators a summary of the current channel plan in the
network as well as all APs, both Meraki and non-Meraki or “rogue”, that were
detected on each channel during the last network scan performed. This table
gives administrators insight into the current channel plan. Clicking on the Details
links next to each channel that has APs assigned to it will bring you to the
Channel Interference table that shows more detail about current transmit power
and interference sources seen by each AP on that channel, both current and
historically.
16.8 SSID Availability Page
The SSID Availability page is where an administrator can manage the visibility
and availability of SSIDs based on time and location.
16.8.1 SSID Visibility (Enterprise Only)
Administrators can “hide” an SSID by disabling advertisement of the SSID in:
• The Beacon frame that the AP periodically broadcasts.
• The Probe response frame that the AP sends in response to a Probe
request frame from a wireless client.
Only wireless clients that are manually configured with the hidden SSID’s
settings can connect to the hidden SSID. Other clients that are not configured to
connect to the hidden SSID cannot discover it as an available wireless network.
This feature can be used to discourage wireless users from connecting to a
particular SSID. For instance, at a school, the “VOIP” SSID could be hidden so
that students would be less likely to connect to it. However, phones could be
configured to connect to the SSID.
It is important to note that this ability to hide an SSID is not a security feature.
Basic wireless snooping or eavesdropping techniques can be used to uncover a
hidden SSID. A hidden SSID should still be used in conjunction with the
appropriate wireless security methods, such as wireless encryption and
authentication (see Section 7, “Wireless Encryption and Authentication”).
The option to hide an SSID appears under the Configure tab on the Access
Control page.
16.8.2 SSID Broadcast Controls By AP (Enterprise Only)
By using AP tagging (See Section 8.5.1), an administrator can choose to
broadcast an SSID from certain APs only.
As an example, a guest SSID is only to be broadcast in the lobby of an office
building. APs located in the lobby area have been tagged with the tag “Lobby”.
To choose to broadcast the guest SSID only from the tagged APs, use the AP
selection drop-down menu under SSID availability section, choosing “This SSID
is enabled on some APs…”. See Figure 34 for selector location on SSID
Availability page.
Figure 34 - Selecting to Broadcast SSID on certain Tagged APs
See Figure 35 for an illustration of an SSID configured to only broadcast from
APs tagged “Lobby”.
Figure 35 - SSID Enabled on Tagged APs Only
16.8.3 Timed SSID Broadcasting (Enterprise Only)
For certain deployment types such as a retail store offering free public wireless
access, an administrator may only want to offer network access during certain
business hours. With timed SSID broadcasting, the hours in which an SSID is
broadcast can be configured in Dashboard rather than requiring an administrator
to manually disable an SSID at the end of the day. This feature actually disables
the SSID in contrast to hiding an SSID (See 16.8, “Hidden SSID”).
The option to set broadcast hours for an SSID appears under the Configure tab
on the Access Control page.
16.9 Band Selection and Band Steering (Enterprise Only)
Band selection enables an administrator to configure an SSID to broadcast on
both 2.4 and 5 GHz bands, on both bands with band steering enabled, or on the
5 GHz band only.
Band steering steers 5 GHz-capable clients from the 2.4 GHz band, which is
typically heavily utilized by wireless devices, to the 5 GHz band, which is much
less utilized. Band steering increases the total bandwidth and capacity available
to clients, while improving client performance at 5 GHz.
Band selection and band steering are configured under the Configure tab on the
Access Control page.
For networks containing the Meraki MR11 (a single-radio AP), a separate band
selection setting appears under the Configure tab on the Network-Wide Settings
page. This setting allows an administrator to configure whether the MR11 APs
broadcast on the 2.4 GHz band or on the 5 GHz band.
16.10 Disabling Legacy 802.11b Bitrates (Enterprise Only)
An administrator can improve the performance of clients on the 2.4 GHz band by
disabling legacy 802.11b bitrates (1, 2, and 5.5 Mbps). If these legacy bitrates
are disabled, 802.11b clients will be unable to associate to the SSID at those
bitrates.
This feature is configured under the Configure tab on the Access Control page.
16.11 Software Upgrades
Meraki strives to minimize the administrative cost of its systems. One of the ways
Meraki realizes this goal is by centrally managing the software upgrade process.
Meraki releases MCC and AP firmware upgrades periodically to licensed
organizations, in a manner that is minimally disruptive to administrators and
wireless users.
For a Meraki network to upgrade to the latest firmware, the network simply needs
to be connected to the Internet to reach the MCC. If an upgrade is available, it is
scheduled and deployed. An AP’s local web page (see the section below on
accessing the AP’s local web page) shows whether an upgrade is in progress.
An upgrade takes about 30 minutes over a fast Internet connection. When the
upgrade completes, the node reboots itself.
16.11.1 Preferred Maintenance Window (Enterprise Only)
Enterprise Customers can configure a weekly preferred maintenance window
during which firmware upgrades should occur. This maintenance window is
configured on the Network-Wide Settings page under the Configure tab.
16.12 Mesh Networking
In a wireless mesh deployment, multiple APs (with or without connections to
wired Ethernet) communicate over wireless interfaces to form a single network.
Each AP develops a list of neighboring devices and exchanges information with
the rest of the network to form routes through the network. When a Meraki AP is
connected to a wired Ethernet connection and obtains an IP address (either
through static IP configuration or DHCP), the AP takes the identity of a “mesh
gateway”. If an AP is not connected to a wired Ethernet connection or does not
obtain an IP address over that connection, the AP operates as a “mesh
repeater”, which relays wireless traffic through the mesh network, either to a
gateway or through other repeaters.
Meraki devices in a mesh network configuration communicate using a proprietary
routing protocol designed by Meraki. The protocol is designed specifically for
wireless mesh networking, and accounts for several unique characteristics of
wireless networks including variable link quality caused by noise or multi-path
interference, as well as the performance impact of routing traffic through multiple
hops. The protocol is also designed to provide ease of deployment and rapid
convergence while maintaining low channel overhead.
Occasionally, a mesh repeater in the network will become unavailable, due to
disconnection or changes in the environment. Each AP in the Meraki mesh
network constantly updates its routing tables with the optimal path to the network
gateways. If the best path changes due to node failure or route metric, traffic will
flow via the best known path.
In the event of a mesh gateway failure or the emergence of a new mesh gateway
with a better routing metric, all new traffic flows will be routed to the new mesh
gateway. Because certain mesh gateways may be located on different IP
subnets from each other, each TCP flow is mapped to a particular mesh gateway
to avoid breaking established connections. The route through the network to the
specified mesh gateway may change over time, to adapt to network conditions.
Refer to the Meraki Network Design Guide for more information about designing
a Meraki mesh network.
16.13 Wired Clients
Administrators can plug computers, switches, and other devices into the Ethernet
jack of a Meraki AP. The administrator can decide how to treat devices that are
plugged into a wired port on the AP. Options include:
• Disable wired clients
• Wired clients are treated as part of a specified SSID
The treatment of wired clients is configured under the Configure tab on the
Network-Wide Settings page.
If wired traffic is allowed, the AP will route all packets received on its wired port
as if they came from the specified SSID. Wired clients would be subject to any
network sign-on methods configured on that SSID (e.g., sign-on splash page).
However, wireless settings (e.g., link encryption or 802.1x authentication) or
networking settings (e.g., VLAN tagging) would not be applied.
16.14 Wireless Bridging
Two Meraki APs can be used to create a wireless bridge between two LANs. For
details about this configuration, reference the Meraki Point-to-Point Whitepaper.
16.15 Quality of Service
The MCC supports the Wireless Multimedia Extensions (WMM) standard for
traffic prioritization. WMM is a Wi-Fi Alliance standard based on the IEEE
802.11e specification, with a focus on the EDCA component to help ensure that
devices such as wireless VOIP phones operate well when connected to a Meraki
wireless network. WMM provides four different traffic classes: voice, video, best
effort, and background. Devices that support WMM and request a higher level of
service, such as Wi-Fi handsets, will receive higher priority on the Meraki
wireless network.
QoS keeps latency, jitter, and loss for selected traffic types within acceptable
boundaries. When providing QoS for downstream traffic (AP to client), upstream
traffic (client to AP) is treated as best-effort. The application of QoS features
might not be noticeable on lightly loaded networks. If latency, jitter, and loss are
noticeable when the media is lightly loaded, it indicates a system fault, a network
design problem, or a mismatch between the latency, jitter, and loss requirements
of the application and the network over which the application is being run. QoS
features start to be applied to application performance as the load on the network
increases.
16.16 Power Save
Meraki also supports WMM Power Save mode, which helps wireless devices
avoid excessive battery drain. WMM Power Save improves on the standard
802.11 Power Save Polling mode by allowing devices to “sleep” differently when
they receive critical vs. non-critical packets. Devices that support WMM Power
Save should experience extended battery life when using a Meraki network.
16.17 Run Dark
Run dark disables the LED lights on all APs. This feature is useful in situations
where the lights may be annoying or distracting. For example, it can be enabled
to prevent outdoor APs from drawing attention at night.
This feature is configured under the Configure tab on the Network-Wide Settings
page.
16.18 Accessing the AP’s Local Web Page
In general, Meraki networks are configured using the MCC, rather than on the
individual APs. However, there are a small number of tasks for which information
on the AP’s local web page is useful.
The steps to access an AP’s local web page are as follows:
1. Associate with the AP either wirelessly or as a wired client (using an
Ethernet cable attached to the AP’s Ethernet port).
2. Go to http://my.meraki.com.
The AP’s local web page can be used for a variety of configuration, monitoring,
and troubleshooting activities, including the following:
• View the AP’s status (e.g., setup, connectivity, firmware upgrade, etc.).
• View channel utilization and the AP’s signal strength to the client.
• Run client-to-AP speed tests.
• View statistics about the AP’s mesh neighbors.
• Configure a static IP address on the AP. (See Section 6.2.1,
“Configuring a Static IP Address Directly on a Meraki AP”.)
17 Branding
This chapter describes the MCC’s capabilities related to branding.
17.1 Splash Page
A splash page can provide a unified branding experience to wireless users in
addition to prompting for username/password credentials. For example, the
splash page can display a corporate logo and color scheme. The splash page
can also show the terms of service, which might include an acceptable use
agreement or a privacy statement.
Administrators can set up a separate splash page for each SSID. Splash pages
can be hosted by Meraki or by an external host.
17.1.1 Meraki-Hosted Splash Page
Meraki-hosted splash pages (both click-through splash pages and sign-on splash
pages) are configured under the Configure tab on the Splash Page page. These
built-in splash page capabilities enable administrators to eliminate the need to set
up a local web server. Administrators can choose to customize one of Meraki’s
pre-defined splash page templates or create a fully custom page.
Splash page variables can be added to splash pages to display dynamic
information to the user (e.g., the error returned from a customer-hosted RADIUS
server when authentication fails). For a list of splash page variables, see
“Appendix D: Meraki-Hosted Splash Page Variables”.
17.1.2 Externally Hosted Splash Page
Both click-through splash pages and sign-on splash pages can be externally
hosted. Externally hosted sign-on splash pages are covered in Section 7.3.2,
“Externally Hosted RADIUS Server”.
When an SSID is configured with a click-through splash page, an administrator
can redirect a wireless user to a URL. This feature enables the administrator to
host the splash page, rather than having it hosted by Meraki. To use this feature,
the IP address of the URL’s web server must be inside the walled garden (see
Section 10.9, “Walled Garden (Enterprise Only)”). The redirect URL for a click-through splash page is configured under the Configure tab on the Splash Page
page.
For additional information on hosting your own splash page, search the Meraki
knowledge base for “EXCAP” or externally hosted captive portal.
17.1.3 Splash Page Frequency
Regardless of whether the splash page is Meraki-hosted or externally hosted, the
frequency with which a wireless client is presented with a splash page can be
configured, since the frequency is enforced on the Meraki AP. This splash page
frequency is configured under the Configure tab on the Splash Page page.
18 Billing
Meraki provides an integrated billing module that administrators can use to
quickly and easily charge for network access.
Billing is enabled as a network sign-on method (see Section 7.2, “Network Sign-On Methods”). It is configured under the Configure tab on the Access Control
page.
Meraki processes end user credit card transactions, so that administrators do not
have to configure or maintain a credit card payment gateway. At the end of each
month, if the generated revenue exceeds $20 USD, Meraki sends a payout to the
network operator, less a 20% processing fee. Payouts are sent via PayPal (all
currencies). The administrator can view payment and payout history on the
Account Activity page under the Monitor tab.
The administrator can configure the currency for a billed network. Note, however,
that once a transaction has occurred on the network, it is not possible to change
the currency of the billed network.
An administrator can create up to five billing plans (tiers of service). The
administrator can specify the fees charged over a particular amount of time with
a specific performance limit. For example:
• $5 per month for .5 Mbps of bandwidth
• $10 per month for 1 Mbps of bandwidth
In addition, the administrator can check the “Free access” option, which provides
free access for a limited amount of time (and possibly subject to a bandwidth
limit). This limited free access can serve as a trial period for wireless users
before they purchase a paid plan.
Note that it is not possible to customize the splash page when billing is enabled.
19 Administering Multiple Networks
This chapter describes the relationships between an administrator’s account and
the “organization” of networks the administrator can monitor and configure.
19.1 Organizations
An “organization” consists of a collection of networks and a collection of
administrative accounts. Every administrator has an account in the MCC that is
part of an organization. An organization is covered by a single license. (For
more information on licensing, see Chapter 21, “Licensing”.)
Organizations can only be created. To delete an organization, please contact
Meraki Support.
19.2 Administrators
An administrator can belong to multiple organizations, but his credentials
(username and password) may be different for each organization.
There are two types of administrators: organization administrators and network
administrators.
19.2.1 Organization Administrators
An organization administrator has visibility into all networks in the organization.
There are two types of organization administrators: full (read/write) and read-only. Organization administrative accounts are managed under the Organization
tab on the Configure page.
A full organization administrator can perform the following operations within a
given organization to which he belongs:
• Create, edit, and delete full or read-only organization administrator
accounts, or any network administrator account for the
organization.
o When an administrator resets the password on an administrative
account, a new password is emailed to the administrator. An
administrator can reset his own password by clicking the “my
profile” link at the top of any page in the MCC.
• Create, edit, and delete networks
• Add licenses for new access points
The administrator that creates the first network in a new organization will
automatically be designated an organization administrator.
19.2.2 Network Administrators
A network administrator has visibility into all networks in the organization for
which he has been designated a network administrator. There are two types of
network administrators: full (read/write) and read-only. Administrative
accounts are managed under the Configure tab on the Network-Wide Settings
page.
A network administrator can perform the following operations within a given
organization to which he belongs:
• Create, edit, and delete administrator accounts for the organization.
o When an administrator resets the password on an administrative
account, a new password is emailed to the administrator. An
administrator can reset his own password by clicking the “my
profile” link at the top of any page in the MCC.
• Create, edit, and delete networks for which he has been granted
administrative privileges.
o By definition, an administrator has administrative privileges over
any network that he creates himself. However, another
administrator who did not create the network must first be granted
administrative access to the network (by another administrator with
administrative access to the network) before he can access it.
19.3 Moving APs between Networks or Organizations
An administrator can move APs between networks in a given organization. This
operation is performed under the Monitor tab on the Access Points page. After
selecting the AP to move, the administrator selects the action (from the “Actions”
drop-down menu) to “Change network”, which presents a drop-down menu with
the names of the other networks in the organization. The administrator can then
select the network to which to move the selected AP.
An administrator can also move APs between organizations. This is
accomplished through the following steps:
1. The administrator records the serial number of the AP to move.
2. The administrator removes the AP from its current network. To do this,
the administrator goes to the Access Points page under the Monitor tab,
selects the AP to remove, and selects the action (from the “Actions”
drop-down menu) to “Remove from network”.
3. The administrator logs out of the current organization, then logs into the
target organization. After selecting the target network, the administrator
adds the AP to the network under the Configure tab on the Add Access
Points page. (He will need the serial number he recorded for this step.)
20 Teleworker VPN
Meraki Teleworker VPN enables administrators to extend the corporate LAN to
employees at remote sites with Meraki APs without requiring client devices to
have client VPN software installed and running. The experience of wireless
clients connected to remote APs will be the same as though they were located at
headquarters, with full corporate network access.
20.1 Typical Use Cases
Teleworker VPN can be used to connect small branch offices (<5 people),
teleworker or executive home offices, temporary site offices (e.g., construction
sites) and traveling employees on the road back to the corporate LAN and provide
access to corporate resources back at headquarters.
20.2 How It Works
A Meraki AP at a remote site establishes a layer 2 connection using an IPSec-encrypted UDP tunnel back to the corporate LAN. Tunnels are established on a
per-SSID basis, and terminate at headquarters on a Meraki virtual concentrator
appliance.
Since most corporate LANs are located behind a firewall and NAT, the Meraki
Cloud Controller can negotiate a connection between the remote AP and the
virtual concentrator across a NAT, or a manual port-forwarding method can be
used to establish a connection.
Both wireless and wired client traffic at the remote site can be tunneled. Wired
clients connected directly to a Meraki AP can have their traffic tunneled. For
example, a ShoreTel IP phone can be plugged into the second Ethernet port on
an MR12 AP and connect via the VPN tunnel to the corporate PBX.
Teleworker VPN is compatible with any Meraki Enterprise MR-series AP.
20.3 The Virtual Concentrator
Meraki VPN tunnels terminate on a virtual concentrator rather than on a typical
hardware VPN concentrator appliance. The concentrator image can be
downloaded from Dashboard and installed in VMware (vSphere Hypervisor
(ESXi), Workstation and Player are supported) on any enterprise-grade server.
The virtual concentrator can then be managed using Dashboard like any other
Meraki networking hardware. Full monitoring and logging capabilities (e.g.,
connected clients, traffic analysis, etc.) can be utilized in the concentrator
network. Just like a Meraki AP, the concentrator firmware is automatically
updated by the Cloud Controller.
20.4 Creating the Virtual Concentrator Network
A virtual concentrator is located in a separate concentrator network, separate
from the networks containing the access points that will be connected via VPN.
A concentrator network is created in the same manner as an AP network, using
the network drop-down selector at the top of the Dashboard.
Figure 36 - Creating a Virtual Concentrator Network
20.5 Installing the Virtual Concentrator
Once the concentrator network has been created, the concentrator virtual
machine image can be downloaded from Dashboard from the Status page under
the Monitor tab in the concentrator network.
Figure 37 - Downloading the Virtual Concentrator Image
Once the image has been downloaded, it can be run in VMware on an existing
server in the LAN. Minimum hardware requirements for the server are:
- 1 GHz processor
- 1 GB available hard drive space
- 500 MB dedicated RAM
20.6 Monitoring the Virtual Concentrator
Once the virtual concentrator is running, it can be monitored in Dashboard
similarly to Meraki APs. The following is a short description of each page under
the Monitor tab and what features can be found there:
20.6.1 Overview
The overview page shows high-level summary information about the
concentrator network including geographic location of the concentrator on a
Google map, overall bandwidth usage of VPN clients and recent and currently
connected client counts. For more information about the features on this page,
see Section 8.1, “Overview”.
20.6.2 Concentrator Status
The concentrator status page is very similar to the AP status page. Configuration
settings can be edited here including device name, tags and address (this
address is what determines where the concentrator location is displayed in the
Google map on the Overview page). The concentrator virtual machine image
can be downloaded from this page. Various live troubleshooting tests such as
list active clients, ping and throughput tests are located on this page, as are
various diagnostic graphs showing connectivity and latency. For more
information about the features on this page, see Section 8.4, “Access Points
Page”.
20.6.3 Clients
The clients page shows a list of all recent VPN clients and network usage,
including application-level traffic analysis. See Section 8.6, “Clients Page”, for
more details.
20.6.4 Event Log
The Event Log page provides detailed logging about various client activities,
including the following:
• Associations/disassociations
• Authentication attempts and outcomes
• DHCP activity
• Initial traffic
For more details about this page, see Section 8.7, “Event Log Page”.
20.6.5 Summary Report
An administrator can obtain network analytics from the Summary Report page
under the Monitor tab. This report provides information about the VPN usage
and uptime of the Meraki VPN concentrators, and can be e-mailed on a
configurable schedule for constant visibility. Administrators can also add their
organization’s logo to the report.
20.7 Configuring the Virtual Concentrator
Minimal configuration is required for the virtual concentrator. The configuration
settings that are required can be managed under the Configure tab.
20.7.1 Concentrator Settings
There are three configuration settings that can be found on this page:
concentrator name, tunneling settings and traffic analysis.
Concentrator name – The device name can be set or changed from this page.
Tunneling – In order for a remote AP to successfully connect to the virtual
concentrator, it will likely have to traverse a NAT. There are two methods for
doing this NAT traversal: automatic and manual.
Automatic – NAT traversal is auto-negotiated by the Cloud Controller.
This method works for most NATs and requires an active Internet
connection to function properly. In order for automatic NAT traversal to
work, outbound UDP port 9350 should be opened to allow the virtual
concentrator to communicate with the Cloud Controller during initial
negotiation of the NAT traversal connection. After the connection is established
between the remote AP and the virtual concentrator, the Cloud Controller is
no longer involved in VPN communication.
Manual – With certain types of NATs, automatic NAT traversal will not
work. In this case, a connection can be manually established via port
forwarding by specifying the IP address of the NAT and an open port on
the NAT. The specified NAT port should be configured to forward to the
concentrator’s IP address at port 9350. The concentrator’s IP address
can be found on the Concentrator status page (see Section 20.6.2,
“Concentrator Status”).
Traffic Analysis – This feature may be enabled and disabled on this page, and
custom pie charts created. See Section 8.6.2, “Traffic Analysis” for more details.
20.7.2 Alerts and Administrators
On this page, the network time zone may be set, email alerts configured for
concentrator outages, administrators designated and firmware update time
windows specified. See the related manual sections for AP networks for more details.
20.8 Configuring Remote APs
No pre-provisioning of remote APs is required. Once a remote site network is
created in Dashboard and APs are added to the network, the APs will
automatically download their configurations once they are connected to the
Internet.
20.9 Create Remote Site Network and Add APs
It is recommended that a separate network be created in Dashboard for each
remote site location for purposes of manageability and usage tracking. Remote
site networks should be created and access points added to the networks using
the Quick Start guide. Get started by selecting “Create a New Network” from the
network selector in Dashboard.
Figure 38 - Creating a Remote Site Network
If creating multiple, similar remote networks such as retail store locations,
identical networks can be quickly created by selecting “Copy settings from an
existing network” during the quick start process. It is highly recommended that in
this scenario, a single remote network is completely configured and then other
networks are created by cloning this configuration.
Figure 39 - Network Cloning During Quick Start Process
20.9.1 Configure SSIDs to Tunnel
VPN tunnels are configured on a per SSID basis. A typical configuration for a
small branch office might be a tunneled SSID for corporate use that is copied
from the headquarters network, with 802.1x authentication, bridge mode and
custom firewall rules, and a second personal SSID with WPA2-PSK for personal
and family use that is not tunneled. To select an SSID to be tunneled, select the
concentrator to be used with the VPN drop-down selector on the Access Control
page under the Configure tab in the remote site network.
20.9.2 Configure Split Tunnel
To avoid all traffic from being tunneled to the concentrator in the main office,
select tunnel type: “Split tunnel”. Then select the IP ranges and ports that you
wish to tunnel back to the concentrator. All other traffic will use the local LAN or
WAN connection. This can dramatically reduce the traffic load on the corporate
network.
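The split-tunnel decision described above, worked through as an added Python example (this is not Meraki code and does not claim to mirror how the AP evaluates its policy). It applies a constructed rule list of destination IP ranges and ports to a few constructed client flows, and includes a check for a rule list that quietly covers every destination, which turns a "split" tunnel back into a full tunnel. All networks, hosts and ports are assumptions.

```python
import ipaddress


def parse_rules(rule_specs):
    """Build a rule list from (cidr, ports) pairs.

    Each rule is a destination network plus either a set of destination ports
    or None (any port). This tuple layout is an assumption for the example,
    not a Meraki configuration format.
    """
    return [(ipaddress.ip_network(cidr), None if ports is None else set(ports))
            for cidr, ports in rule_specs]


# Constructed policy: flows matching a rule go through the VPN to the
# concentrator; everything else leaves via the remote site's local LAN/WAN.
TUNNEL_RULES = parse_rules([
    ("10.0.0.0/8", None),           # all HQ private address space, any port
    ("192.0.2.10/32", [443, 8443]),  # one HQ web application, TLS ports only
])


def should_tunnel(dst_ip, dst_port, rules=TUNNEL_RULES):
    """True if a flow to dst_ip:dst_port falls inside the split-tunnel policy."""
    addr = ipaddress.ip_address(dst_ip)
    for net, ports in rules:
        if addr.version != net.version:
            continue  # never compare an IPv4 address against an IPv6 rule
        if addr in net and (ports is None or dst_port in ports):
            return True
    return False


def classify(flows, rules=TUNNEL_RULES):
    """Label each (ip, port) flow as 'tunnel' or 'local'."""
    return [(ip, port, "tunnel" if should_tunnel(ip, port, rules) else "local")
            for ip, port in flows]


def is_effectively_full_tunnel(rules=TUNNEL_RULES):
    """Flag a policy whose rules already cover every IPv4 destination and port.

    Such a policy sends all traffic to headquarters and gives up the load
    reduction that split tunneling is meant to provide.
    """
    return any(net.version == 4 and net.prefixlen == 0 and ports is None
               for net, ports in rules)


# Constructed sample flows as they might be seen at a remote site.
SAMPLE_FLOWS = [
    ("10.20.30.40", 445),    # HQ file server -> tunnel
    ("192.0.2.10", 443),     # HQ web app over TLS -> tunnel
    ("192.0.2.10", 80),      # same host, plain HTTP, not in the policy -> local
    ("93.184.216.34", 443),  # public Internet -> local breakout
]

if __name__ == "__main__":
    for ip, port, verdict in classify(SAMPLE_FLOWS):
        print(f"{ip}:{port} -> {verdict}")
    print("covers everything:", is_effectively_full_tunnel())
```

The point to keep in mind when reviewing a rule list: any flow the rules do not match leaves through the remote site's own Internet connection and never passes the corporate firewall or content controls at headquarters, so the rule list decides not only bandwidth but which traffic stays under central policy.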
20.9.3 Tunneling Wired Client Traffic
Wired traffic can be tunneled as well if an MR12 is used as a remote AP by
connecting clients such as an IP phone or desktop computer to the Eth1 port.
Wired client traffic will be tunneled if the port has been associated to an SSID
that is tunneled. This setting can be found on the Network-wide Settings page
under the Configure tab in the remote network.
Figure 40 - Configuring MR12 port to Tunnel Wired Traffic
20.10 Configuration Best Practices
There are a variety of best practices that will result in the smoothest possible
deployment and operation of remote sites with Teleworker VPN; these are
discussed in the following sections.
20.10.1 Concentrator Location(s)
Depending on the VLAN and firewall configuration of an administrator’s network
as well as how the VPN will be used, the optimal concentrator location and
number of concentrators may vary.
Multiple VLAN Deployments
The concentrator does not currently support VLAN tagging. Clients will be
assigned to the VLAN that the concentrator is located in. Depending on the
desired VPN usage and the network configuration, this will dictate where the
VPN concentrator is located and whether multiple concentrators are required.
Example:
At Acme Corporation, two VLANs exist: VLAN 30, for end user data traffic
(including wireless users) and VLAN 20, for traffic from their PBX phone system
(the PBX at HQ sits in this VLAN). The administrator would like to deploy remote
APs and IP phones to all of the company’s traveling salespersons.
In this scenario there are two concentrator deployment options:
Option 1 – Single concentrator
In this scenario, a single concentrator can be deployed in either VLAN 20 or 30,
and static routes or firewall exceptions created in the LAN to allow the IP phones
to communicate with the PBX or to allow wireless clients to access corporate
resources in VLAN 30.
Option 2 – Two concentrators
In this scenario, a concentrator is placed in both VLAN 20 and 30. Data traffic on
the corporate SSID is tunneled to the VLAN 30 concentrator, and voice traffic
from the IP phones is tunneled to the VLAN 20 concentrator using a second
tunneled SSID associated to the Ethernet port on the AP that the phone is
connected to.
20.10.2 Firewall Settings
Depending on the administrator’s corporate firewall policies, the IP addresses of
the concentrator might need to be whitelisted for outbound UDP traffic, and the
cloud controller IP addresses for inbound UDP traffic. In addition, if using
automatic NAT traversal, certain IP addresses in the Cloud Controller might need
to be whitelisted to allow the Cloud Controller to negotiate the connection
between the concentrator and the remote APs. A list of the required Cloud
Controller IP addresses can be found here:
http://bit.ly/iaQ8K0
21 Licensing
This chapter explains licensing for Meraki networks.
An organization must have a current license for the MCC to work properly. Each
organization is licensed for a maximum number of APs, for either the Enterprise
or the Pro Cloud Controller, for a certain amount of time (typically 1 year or 3
years). For example, the organization may be licensed for 250 APs through
January 30, 2011, for the Enterprise Cloud Controller.
Administrators can manage the organization’s licenses on the License Info page
under the Configure tab. The page displays the following:
• Status: OK or problem
• Cloud Controller: Enterprise or Pro
• Expiration date
• Device limit
• Current device count
• License history (list of licenses that have been applied to the network)
When a new organization is created, the organization is granted a 30-day grace
period. Before the grace period expires, the administrator must enter a valid
license key, whose format is a 12-character string (e.g., “Z2A7-32TE-A8Y4”).
Networks using the Pro Cloud Controller do not require a license key.
21.1 Adding Licenses
An administrator can increase the licensed AP limit on the License Info page by
clicking the “Increase device limit” button. The new license key must be at least
as long as the existing license applied to the organization. The MCC will
automatically extend the renewal date of the organization’s license in order to
enforce co-termination.
Example: An organization contains one Enterprise network with ten APs, each of
which was purchased at the same time with a one-year license. Four months
into the license term six more APs are added, each with one-year licenses. The
network now has twenty-four AP-months ((12-8=4 months)*6 APs) of “extra
credit”. These 24 AP-months are distributed over the 16 AP network, adding an
additional 1.5 months onto the original one-year term of the network. So all the
licenses for all 16 APs will expire in 9.5 months. Figure 41 illustrates how this
pro-ration calculation works.
Figure 41 - License Proration Calculation
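The co-termination arithmetic above, generalized to any number of license batches, as an added Python example (not the MCC's own code; the pool-weighted formula is my reading of the manual's worked example, and the ValueError rule encodes the requirement that a new key be at least as long as the existing license). It reproduces the manual's figures: ten one-year APs, six more added after four months, giving 24 AP-months of extra credit and a common expiry 9.5 months out.

```python
from fractions import Fraction


def coterminated_months(pools):
    """Months until the single, co-terminated expiry of an organization.

    pools: iterable of (ap_count, months_remaining), one entry per batch of
    licenses. The total AP-months are spread evenly over every licensed AP.
    """
    pools = list(pools)
    total_aps = sum(count for count, _ in pools)
    if total_aps <= 0:
        raise ValueError("an organization must hold at least one AP license")
    ap_months = sum(Fraction(count) * Fraction(months) for count, months in pools)
    return ap_months / total_aps


def extra_credit_months(existing_aps, months_remaining, new_aps, new_term):
    """The manual's view of the same calculation.

    AP-months the new licenses carry beyond the existing term are spread over
    the enlarged network and extend the common expiry by that amount.
    """
    if new_term < months_remaining:
        raise ValueError("a new license key must be at least as long as the existing license")
    extra = Fraction(new_term - months_remaining) * new_aps
    return extra / (existing_aps + new_aps)


def manual_example():
    """Ten one-year APs, six more added after four months; both views give 9.5 months."""
    months_remaining = 12 - 4
    total = coterminated_months([(10, months_remaining), (6, 12)])
    extension = extra_credit_months(10, months_remaining, 6, 12)
    return total, months_remaining + extension


if __name__ == "__main__":
    total, via_extra_credit = manual_example()
    print(f"common expiry in {float(total)} months (extra-credit view: {float(via_extra_credit)})")
```

Fractions rather than floats are used so that a batch count or month value that does not divide evenly is reported exactly instead of being silently rounded.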
21.2 Cloud Controller Upgrades
An administrator can upgrade from Pro Cloud Controller to Enterprise Cloud
Controller by contacting Meraki Sales.
21.3 Renewing Licenses
The administrator can renew the license within 30 days of the renewal date. To
renew, simply click on the “Renew license” button on the License Info page and
enter a license key.
21.4 Expired Licenses or Exceeding the Licensed AP Limit
If an organization’s license is expired or the number of APs in the organization
exceeds the licensed limit, the administrator has 30 days to return the
organization to a valid licensed state. During this grace period, the system will
remind the administrator to add additional licenses. After 30 days, administrators
will not be able to access the MCC (except to add additional licenses), and client
access to the Meraki wireless network will no longer be possible.
22 Troubleshooting
For troubleshooting tips, please refer to the Meraki Knowledge Base, which can
be accessed from the Help tab.
23 References
Meraki provides resources that administrators can reference when implementing
and managing a Meraki wireless network, including the following:
• Meraki Network Design Guide
• Meraki Hosted Architecture White Paper
• Wireless Guest Access at the Workplace White Paper
• Wireless User Authentication White Paper
• Wireless Network Security White Paper
These resources are available at the following locations:
http://www.meraki.com/library/collateral/
http://www.meraki.com/library/product/
In addition, numerous tools are available to administrators to help configure and
monitor wireless networks, including:
• Wi-Fi Stumbler
• Wi-Fi Mapper
• Client Insight
• Simulated networks
• Coverage calculator
These tools can be found here:
http://www.meraki.com/tools
24 Appendix A: Example Office Configuration
This chapter describes a typical office network configuration for a Meraki wireless
network.
24.1 Objectives
In this example, the network administrator would like to have a single physical
Meraki network provide wireless access to employees, guests and on-site
contractors, each with their own unique access requirements.
Employees – These users need access to all LAN resources, as well as the
Internet. They are authenticated against the company’s existing Active Directory
database using RADIUS via 802.1x. No bandwidth limitations are applied, and
they are not required to view a splash page before gaining network access.
Guests – These users are allowed Internet-only access; all other LAN resources
are blocked. To avoid letting guests consume too much bandwidth, limits of 500
kbps up and down are applied. Guests see a branded splash page when they
first associate to the wireless network where they must enter a temporary
username and password provided by the receptionist. Guest accounts are valid
for two hours.
Contractors – These users have access to a specific printer on the LAN as well
as the Internet. Like employees, contractors authenticate against the company’s
Active Directory server. No bandwidth limitations or access time limits are
applied. Contractors also do not see a splash page.
Employees and contractors share an SSID, while guests have their own SSID.
In addition, employees are allowed to use the wireless network for recreational
purposes, while at the same time certain employee groups need to use video
conferencing as well as access business-critical enterprise web applications
reliably and without performance degradation from bandwidth starvation. To
manage these constraints, the administrator will create traffic shaping rules to
control employee and contractor usage of recreational applications and to
prioritize bandwidth for certain business-critical enterprise applications.
The requirements for the access policies of each user group are summarized in
the table below:
User Group    Required Access      Access Control                Bandwidth Limit   Traffic Shaping   Time Limit   Sign-on Splash Page
Employees     Full LAN             WPA2-Enterprise with 802.1x   None              Yes               None         No
Guests        Internet only        Open, NAC                     500 kbps          No                Two hours    Yes
Contractors   Internet + printer   WPA2-Enterprise with 802.1x   None              Yes               None         No
24.2 Implementation Alternatives
Broadly speaking, there are at least two ways to achieve the desired
configuration above: VLANs and firewall policies.
The first approach uses VLANs to enforce different permissions. One advantage
of VLANs is that many administrators are comfortable with VLANs. Some
disadvantages are that VLANs can be fairly hard to configure and may not scale
well across large or geographically distributed networks (e.g., multiple branch
sites). VLANs can be set per SSID or per user/machine using RADIUS
attributes.
The second approach uses Meraki’s Identity Policy Manager (IPM). With IPM,
Meraki access points enforce IP-level firewall rules on a per-user basis to
achieve the desired security policies. No VLANs are required and configurations
are highly flexible.
For the rest of this chapter we focus on the IPM approach.
24.3 Assumptions
In this particular example, it is assumed that the administrator will be configuring
Microsoft NPS with Active Directory for WPA2-Enterprise with 802.1x
authentication and to apply group policies to authenticated users in conjunction
with Meraki’s Identity Policy Manager. Network Policy Server (NPS) is the
RADIUS implementation that runs on Windows Server 2008; earlier versions of
Windows called this service IAS. This example uses NPS.
For more information on NPS configuration, please refer to the following
Microsoft documentation:
http://technet.microsoft.com/en-us/network/bb629414.aspx.
In addition, we will assume that the network is comprised of MR14 dual-radio
802.11n APs, that the network will be configured for best performance, and that
all of the APs are gateways (i.e., each AP is connected to the LAN).
24.4 Configuration for Guests
This section describes how to configure the guest SSID in Dashboard.
24.4.1 Configuration Settings
On the Overview page under the Configuration tab, enable one SSID for guest
access and another SSID for employees and contractors. In this example, the
guest access SSID is named Meraki-Guest and the employee/contractor SSID is
named Meraki-Corp.
Figure 42 shows the creation of the two SSIDs.
Figure 42 - Creation of Employee and Guest SSIDs
On the Access Control page under the Configure tab, select the Meraki-Guest
SSID. Configure the following settings:
Association requirements: Open (no encryption)
Network sign-on method: Sign-on splash page
Bandwidth limit: 500 kbps
Client IP assignment: NAT Mode: use Meraki DHCP
Content filtering: Block adult content
Network Access Control: Enabled
Firewall: Prevent wireless clients from accessing my LAN
SSID Visibility: Show this SSID
Band selection: Dual band operation with band steering
24.4.2 Configure a Splash Page
The splash page can be customized on the Splash Page menu under the
Configure tab. In this example a custom theme has been uploaded called
“ACME Terms and Conditions”.
Figure 43 shows the completed splash page configuration settings.
Figure 43 - Splash Page Configuration Settings
24.4.3 Create a Guest Ambassador
In order for the receptionist to be able to access Dashboard to create time-expiring user accounts for guests, a guest ambassador account needs to be
created. On the Network-wide settings page under the Configure tab, add the
receptionist as a user under “Guest Ambassadors”.
Figure 44 shows the creation of guest ambassadors using the Guest
Ambassador widget.
Figure 44 – Creating a Guest Ambassador
The receptionist now has the ability to create expiring guest accounts and only
has access to the Guest Management Portal.
When a guest visiting the office requires access, the receptionist logs into the
guest management portal and creates guest accounts as necessary.
Figure 45 shows the Guest Management Portal configured to create accounts
that are valid for two hours.
Figure 45 - Guest Management Portal
24.5 Configuration for Employees
The Meraki-Corp SSID will now be configured for employee access. Since
802.1x authentication will be used with RADIUS against an on-site
Active Directory server, some configuration of NPS will be required as well.
24.5.1 Dashboard Configuration
On the Access Control page under the Configure tab, select the Meraki-Corp
SSID, which will be used for both employee and contractor access.
Configure the following settings:
Association requirements: WPA2-Enterprise with 802.1x
Network sign-on method: Direct access
Authentication Server: Use my RADIUS server
RADIUS for 802.1x: Enter IP, port and secret for on-site RADIUS
server
Bandwidth limit: Unlimited
Client IP assignment: Bridge Mode (clients will receive IP
addresses from the LAN DHCP server)
Content filtering: Block adult content
Firewall: Allow wireless clients to access my LAN
SSID Visibility: Show this SSID
Band selection: Dual band operation with Band Steering
A summary of the configuration settings for both Meraki-Guest and Meraki-Corp
can be seen on the Overview page under the Configure tab.
Figure 46 shows the Configuration Overview page with summary of settings for
both SSIDs.
Figure 46 - Summary of Configuration Settings for Both SSIDs
24.5.2 Configure Meraki APs as RADIUS Clients in NPS
In order to complete the 802.1x configuration for employee access, the Meraki
APs need to be configured as RADIUS clients in Microsoft NPS.
Each RADIUS client needs to specify the IP address of the Meraki AP and the
shared secret in use between the Meraki APs and the RADIUS server. This
requirement makes it important to ensure that the APs always get the same IP
address, either through assigning fixed IPs through DHCP or assigning them a
static IP address (see section 6.2.1).
Note that many other RADIUS servers (e.g., Free RADIUS) do not require each
AP to be entered.
Figure 47 is a screenshot of the RADIUS client configuration in NPS.
Figure 47 - RADIUS Client Configuration in NPS
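Why the shared secret and a stable AP address matter, shown as an added Python example (not Meraki or Microsoft code): a minimal RADIUS Access-Request from an AP and the server's reply, with the Response Authenticator computed and checked exactly as RFC 2865 defines it, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret. The AP address, user name, identifier and secrets are constructed; the fixed Request Authenticator is for reproducibility only, a real client draws 16 random bytes per request. The Message-Authenticator attribute that EAP-based 802.1x exchanges additionally require is not shown.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the two attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS = 1, 4


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier, request_authenticator, attrs):
    """AP side: 4-byte header, 16-byte Request Authenticator, attributes."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    identifier = request[1]
    request_authenticator = request[4:20]
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def response_is_authentic(response, request, secret):
    """AP side: recompute the Response Authenticator with the locally configured secret."""
    if len(response) < 20:
        return False
    header, response_authenticator, body = response[:4], response[4:20], response[20:]
    _code, identifier, length = struct.unpack("!BBH", header)
    if length != len(response) or identifier != request[1]:
        return False  # wrong length or a reply to a different request
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)


def exchange(ap_secret, server_secret, verdict=ACCESS_ACCEPT):
    """One round trip; returns (response code, whether the AP accepts the reply as genuine)."""
    request_authenticator = bytes(range(16))  # constructed; use os.urandom(16) in practice
    attrs = [
        (USER_NAME, b"alice"),                      # constructed user
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 50])),   # constructed AP address
    ]
    request = build_access_request(7, request_authenticator, attrs)
    response = build_response(verdict, request, [], server_secret)
    return response[0], response_is_authentic(response, request, ap_secret)


if __name__ == "__main__":
    print("matching secrets:", exchange(b"ap-shared-secret", b"ap-shared-secret"))
    print("mismatched secrets:", exchange(b"ap-shared-secret", b"typo-secret"))
```

The check on the AP side is the reason a mistyped secret shows up as a failed test rather than an explicit error: the reply is well formed but its authenticator does not verify, so it is discarded. NPS looks up which secret to use by the source address of the request, which is why the manual insists that each AP keep a fixed IP address; an AP that turns up from an address not registered as a RADIUS client has its requests dropped before any secret is tried.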
24.5.3 Testing RADIUS Authentication
Once Dashboard and NPS have been configured for RADIUS authentication, the
configuration should be tested using the Dashboard built-in 802.1x test tool under
the Configuration tab by entering a set of user credentials that will be verified against
all APs in the network.
Figure 48 shows the results of a successful 802.1x test, verifying that the
configuration is correct.
Figure 48 - 802.1x Test Results
24.6 Configuration for Contractors
Contractor access is controlled via application of a group policy that specifies
custom firewall policies when a user in this group associates to the Meraki-Corp
SSID. The following sections show how to create a Contractors user group in
NPS, create an NPS access control policy, configure the group policy in
Dashboard, create the custom firewall rules, and test the policy.
24.6.1 Configuration for Users
User accounts for wired and wireless users are configured in Active Directory
(AD). Users can be added to Windows groups or user groups so that NPS
policies can subsequently be defined for a group of users.
Figure 49 shows creation of the Contractors group within Active Directory.
Figure 49 - Active Directory Group Creation
The appropriate users then need to be added to the defined group. Figure 50
shows the addition of a user account to the “Contractors” group.
Figure 50 - Adding a User to an Active Directory Group
Figure 51 is a screenshot of a user account configured within AD that has been
added to the “Contractors” user group.
Figure 51 - User Account Group Membership
24.6.2 Configuration of NPS Policies
NPS policies are applied to users when they authenticate against an AD server.
A policy specifies (1) conditions, which must match in order for the policy to be
applied, and (2) settings, which are applied by the policy.
There are two types of NPS policies that are most relevant to a wireless network:
• Connection Request Policies apply before a user authenticates. The
conditions specified for a connection request policy are limited to those
that can be determined prior to authentication (e.g., the MAC address of
the Meraki AP performing the authentication).
• Network Policies apply after a user authenticates and is “authorized”
for network access. Any information about the user that becomes
available after authentication can be used to set conditions for a
network policy (e.g., the user group to which the user belongs).
In this example, a connection request policy for wireless users has been created
that simply specifies which type of authentication protocol will be applied. Here,
Protected Extensible Authentication Protocol (PEAP) is used for all wireless
users requesting network access.
Figure 52 shows the NPS connection request policy for wireless users on this
network.
Figure 52 - Wireless Connection Request NPS Policy
After the connection request policy has been applied and the user has been
authenticated, then the network policy is applied. In this example, the network
policy to be applied is that a RADIUS Filter-ID attribute value of “Contractors” is
returned to the RADIUS client (i.e., the Meraki AP) whenever a member of the
“Contractors” group authenticates to the network.
Figure 53 depicts a network policy with a condition that matches any members of
user group “Contractors”.
Figure 53 - Network Policy Condition to Match User Group
Figure 54 shows the setting (i.e., the action) of the network policy that causes a
Filter-ID RADIUS attribute with the value “Contractors” to be sent to the RADIUS
client.
Figure 54 - Network Policy Setting to Send RADIUS Attribute
Figure 55 shows a summary of the “Contractor” network policy, listing that
access should be granted to the user, the Filter-ID RADIUS attribute should be
returned and encryption should be used.
Figure 55 - NPS Network Policy Summary
24.6.3 Configuration of Group Policy in the Meraki Cloud Controller
Once NPS has been configured to return the specified RADIUS attribute for
users from a particular group, the Meraki AP can match this RADIUS
attribute against an IPM group policy that has been configured in the MCC.
In this particular example, a group policy has been configured called
“Contractors” that will be applied to any user whose RADIUS access-accept
contains the value “Contractors” in the Filter-ID attribute. The policy allows
unlimited bandwidth usage, tags traffic with an SSID’s default VLAN tag (if
configured) and applies custom firewall rules. These rules allow TCP traffic to a
printer at 172.16.30.231, block both TCP and UDP traffic to the rest of the LAN
(172.16/16) and allow Internet access. This custom firewall policy will override
the SSID firewall settings for users from this group.
Figure 56 shows the configuration of the Contractors group policy in the MCC.
Figure 56 - MCC Configuration of IPM Group Policy
24.6.4 Testing the Group Policy Application
Once the MCC group policy has been configured, the final step is to test that
the policy is applied correctly to users from the specified group at
authentication. The MCC contains two built-in test tools for this purpose: the
802.1x test tool on the Configure->Access Control page, and the Event log.
The 802.1x test tool will simulate a user from this group attempting to
authenticate to each of the APs in the network. If 802.1x and the group policy
have been configured correctly and the correct credentials are entered, the test
will show successful authentication against each AP in the network as well as
any RADIUS attributes that are being returned.
Figure 57 shows the results of a successful 802.1x test. The user’s credentials
were passed by all six APs and a Filter-ID attribute of “Contractors” is being
returned.
Figure 57 - Successful Result from MCC 802.1x Test Tool
Finally, when a user from this group authenticates to the wireless network the
event log will show any group policies that have been applied.
Figure 58 shows the event log after a user from the Contractor group has
successfully authenticated to the wireless network, in this case to the AP named
“southwest-corner”. The log shows the user has been assigned to the group
“Contractor” and the appropriate policy applied.
Figure 58 - Event Log for Contractor Group User
24.7 Traffic Shaping Configuration
The administrator will create two shaping rules. The first rule will enforce a
bandwidth limit of 1 Mbps per user for streaming video applications (e.g.,
YouTube), streaming audio applications (e.g., Pandora) and peer-to-peer
file-sharing applications (e.g., BitTorrent), which tend to be the most bandwidth-intensive applications used recreationally by employees in this office. The
second rule will prioritize all traffic to salesforce.com and VoIP and
videoconferencing at Layer 3 by setting the highest possible DSCP bit value of 7,
as well as allow unlimited bandwidth to these applications. Figure 59 shows how
these rules would be configured.
Figure 59 - Example Traffic Shaping Policy
24.8 Summary
This section shows how a relatively sophisticated corporate environment would
configure a multi-user, authenticated LAN. Environments with fewer
requirements may find they have no need for firewall rules or VLANs, while those
with more complex requirements may find themselves combining VLAN and
multiple firewall rules to achieve the desired configuration.
25 Appendix B: Example Teleworker VPN Configuration
This chapter describes a typical VPN configuration for a remote site using the
Meraki Teleworker VPN.
25.1 Objectives
In this example, the network administrator at Acme Enterprise would like to
configure a home office with a secure LAN connection for a company executive.
The network will need to support two user groups at the remote site, an
employee (the executive) and family members.
Employee – The executive needs full access to all LAN resources, as well as the
Internet. The user should be authenticated against the company’s existing Active
Directory database using RADIUS via 802.1x, just as though she were trying to
access the wireless LAN at the office. No bandwidth limitations will be applied,
and she is not required to view a splash page before gaining network access.
She will also be provided an IP phone that will require a connection to the PBX at
headquarters. A shaping policy assuring VoIP traffic of unlimited bandwidth is to
be used.
Family Members – These users are allowed Internet and local access for printing
to a local printer; no tunneled LAN access is to be provided. To avoid letting
guests consume too much bandwidth, limits of 1 Mbps up and down are applied
along with a shaping policy limiting streaming audio and video to 500 kbps. A
pre-shared key will be used for authentication and adult content filtering will be
applied.
The requirements for the access policies of each user group are summarized in
the table below:
User Group | Required Access | Access Control | Bandwidth Limit | Adult Content Filtering | Traffic Shaping
Employees | Full LAN | WPA2-Enterprise with 802.1x | None | None | Unlimited bandwidth for VoIP
Guests | Internet and local | WPA2-PSK | 1 Mbps | Enabled | Limit P2P, streaming video and audio to 500 kbps
25.2 Virtual Concentrator Installation
Before secure LAN access can be provided to remote sites, the virtual
concentrator must be created and deployed in the LAN.
25.2.1 Virtual Concentrator Network
The virtual concentrator resides in a separate network in Dashboard from the
APs at headquarters or the APs at the remote site that will be connecting to it. A
virtual concentrator network is created in the same manner as a network for APs,
by selecting “Create a new VPN concentrator” from the network selector dropdown menu at the top of the screen in Dashboard. See Figure 60, “Creating the
VPN Concentrator Network”.
Figure 60 - Creating the VPN Concentrator Network
The administrator will then be prompted to name the VPN concentrator network.
In this example, the network will be named “HQ Concentrator”. See Figure 61,
“Naming the VPN Concentrator Network”.
Figure 61 - Naming the VPN Concentrator Network
After the network is created, it will appear in the network selector drop-down
menu along with the other AP networks in the organization (see Figure 62).
Figure 62 - New VPN Concentrator Network
25.2.2 Virtual Concentrator Configuration Settings
For most deployments, minimal configuration of the concentrator is required in
Dashboard. For the concentrator to establish a connection with the
remote AP, a NAT at headquarters will most likely need to be traversed. The concentrator
will be configured for automatic NAT traversal, in which case the Meraki Cloud
Controller negotiates the connection automatically. This setting is found on
the Concentrator settings page under the Configure tab.
Figure 63 - Concentrator Settings
To alert the administrator in case the concentrator were to go offline for any
reason or in case another administrator were to make a configuration change,
alerts for both of these scenarios will be enabled on the Alerts and administration
page under the Configure tab.
Figure 64 - Configuring Alerts for the Concentrator
25.2.3 Installing the Virtual Concentrator in VMware
The concentrator virtual machine image can be downloaded directly from the
Concentrator status page under the Monitor tab.
Figure 65 - Downloading the Concentrator Image
Once the image is downloaded it can be run in either VMware Player or
Workstation on an existing server in the LAN at headquarters that is connected to
the Internet. In this example, the concentrator is installed and running in VMware
Player.
Figure 66 - Virtual Concentrator Running in VMware
Note that clients connected to remote APs that are connected to the concentrator
will be assigned to the VLAN in which the concentrator resides, as they are
connected to a Layer 2 extension of the LAN through the VPN tunnel.
25.3 Remote Site Network Configuration
After the concentrator is configured, installed and running, a network for the
remote site will now be created.
25.3.1 Remote Site Network
A new network for the executive’s home office will be created called “VP Home”.
During the network creation process, the configuration settings of the corporate
network “Acme Enterprise” will be copied to the new network.
Figure 67 - Creating Remote Network in Dashboard
Copying these settings will copy the configuration of the corporate SSID,
“Corporate”, to the VP Home network including RADIUS configuration settings for
802.1x authentication. This SSID will be selected to have traffic tunneled to the
concentrator. This setting is found on the Access Control page under the
Configure tab for the Corporate SSID.
Figure 68 - Selecting Concentrator to Tunnel SSID Traffic
This SSID is now completely configured for remote LAN access via the VPN
connection.
A second SSID will be configured for family access. The following settings will
be configured:
Association requirements: WPA2-PSK
Network sign-on method: Direct access
Bandwidth limit: 1 Mbps
Client IP assignment: Bridge Mode (clients will receive IP
addresses from the DSL modem/router from local ISP)
Content filtering: Block adult content
Firewall: Allow wireless clients to access my LAN (to print)
Traffic Shaping: Streaming Music and Video limited to 500 kbps
VPN: Not tunneled
A third SSID will also be configured for VoIP access so that an IP phone can be
connected at the remote site and connect to the corporate PBX. The following
settings will be configured:
Association requirements: WPA2-PSK
Network sign-on method: Direct access
Bandwidth limit: Unlimited
Client IP assignment: Bridge Mode (clients will receive IP
addresses from the LAN DHCP server)
Firewall: Allow wireless clients to access my LAN
VPN: Tunneled to concentrator
The IP phone will be connected to the 2nd Ethernet port on the MR12 AP that will
be deployed to the executive’s home. To associate the wired port to the VoIP
SSID, the setting “Clients wired directly to Meraki APs” should be set to “Behave
like they are connected to ‘VoIP’”.
Figure 69 - Associating Wired Port on AP to SSID
The following is an overview of the configuration of the various SSIDs in the VP
Home network:
Figure 70 - Overview of SSID Configurations at Remote Site
In this example, the PBX server is located in a different VLAN than the
concentrator, so a static route or firewall exception must be created in the LAN
to allow the IP phone to communicate with the PBX server.
25.4 AP Pre-Configuration
No pre-provisioning or configuration of the APs is required. An AP can be sent
home with the executive with instructions to plug it into their DSL connection.
The AP will then download its configuration from the Meraki Enterprise Cloud
Controller automatically.
26 Appendix B: Miscellaneous Configuration Settings
This section describes how to configure various third-party networking products
that were not covered in Appendix A, such as FreeRADIUS servers and Cisco
switches.
26.1 FreeRADIUS Configuration
FreeRADIUS is an open-source alternative to Microsoft NPS/IAS. The following
configuration examples come from a FreeRADIUS server running version 2.1.8.
For more information on FreeRADIUS configuration, please refer to the
FreeRADIUS Wiki:
http://wiki.freeradius.org
26.1.1 Configuration for APs (clients.conf file)
APs are configured as RADIUS clients in the FreeRADIUS clients.conf file. (In
the context of wireless, a RADIUS “client” is not the wireless device itself, but
rather, the AP that contacts the RADIUS server on the wireless device’s behalf.)
An entry in clients.conf can define a single IP address or an IP address range.
The following example entry covers an IP address range. (Note that the entry
has its own RADIUS shared secret, which overrides the global RADIUS shared
secret that is configured in the “client localhost {}” configuration block.)
client 172.16.2.0/24 {
    secret = randomkey
}
26.1.2 Configuration for Users (Users file)
Users and devices are configured in the FreeRADIUS Users file. (The Users file
defines users locally on the FreeRADIUS server. Alternatively, the FreeRADIUS
server can be configured to query an external authentication database. This
latter configuration is outside the scope of this section.)
Example 1: The following is an example user entry for Steve, which causes the
FreeRADIUS server to send back a Filter-Id RADIUS attribute with the value
“Guest”. If the Meraki wireless network is configured to evaluate the Filter-Id
attribute to match a group policy, and if a group policy called “Guest” exists, the
Meraki AP applies this policy to the user.
Steve Cleartext-Password := "test"
    Filter-Id = "Guest"
(For more information on group policies configured as part of IPM, see Section
11.2, “How to Configure IPM”.)
Example 2: The following is an example user entry for Bob, which applies a
VLAN ID of 5 to Bob’s traffic:
Bob Cleartext-Password := "test"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 5
(For more information on per-user VLAN tagging, see Section 9.2, “Per-User
VLAN Tagging”.)
Example 3: The following is an example device entry for MAC-based access
control (MAC address 00:1b:77:18:44:00), which applies a VLAN ID of 30 to this
device’s traffic:
001b77184400 Cleartext-Password := "001b77184400"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 30
(For more information on MAC-based access control, see Section 7.1.2, “MAC-Based Access Control (Enterprise Only)”. For more information on per-user
VLAN tagging, see Section 9.2, “Per-User VLAN Tagging”.)
26.1.3 Configuration for WPA2-Enterprise with 802.1x Authentication (eap.conf file)
When using a FreeRADIUS server for WPA2-Enterprise with 802.1x
authentication, the RADIUS client (in this case, the Meraki AP) must receive the
RADIUS attributes in the EAP tunnel that is established.
The following configuration in the eap.conf file allows a PEAP tunnel to receive
these RADIUS attributes. These lines should appear in the existing “peap {}”
configuration block in eap.conf.
# the PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
26.2 Switch Configuration for VLAN Tagging
The following configuration from a Cisco switch can be used on a port that is
connected to a Meraki AP. The configuration puts the port in trunk mode, which
enables the port to handle VLAN tagged and untagged packets.
interface FastEthernet0/3
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
27 Appendix C: RADIUS Attributes
The following sections describe the RADIUS attributes that the MCC supports for
both splash page sign-on with RADIUS and 802.1x with RADIUS. In the tables
below, “X” means the attribute is supported.
27.1 Authentication Attributes
For further details, see the RADIUS RFC (RFC 2865) and the Meraki Knowledge
Base at http://meraki.com/support/knowledge_base.
27.1.1 Attributes Supported in Access-Request Messages
Columns: Attribute, Splash page with RADIUS, 802.1x with RADIUS, Notes
User-Name X X
User-Password X X
NAS-IP-Address X X
NAS-Identifier X X
NAS-Port X X Set to 0
NAS-Port-Id X
NAS-Port-Type X X Set to “Wireless-IEEE-802-11”
Calling-Station-Id X X
Framed-IP-Address X
Framed-MTU X
Connect-Info X
Acct-Session-Id X X
Service-Type X Set to 1
Meraki-Device-Name X Meraki VSA containing the AP name as a string. Vendor ID=29671, Vendor Type=1
27.1.2 Attributes Supported in Access-Accept Messages
Columns: Attribute, Splash Page with RADIUS, 802.1x with RADIUS, Notes
Maximum-Data-Rate-Upstream X In bit/s
Maximum-Data-Rate-Downstream X In bit/s
Session-Timeout X X In seconds
Idle-Timeout X X In seconds
Tunnel-Private-Group-ID X
Tunnel-Type X
Tunnel-Medium-Type X
Reply-Message X X Useful for error reporting
Filter-Id X Used for assigning group policies
Reply-Message X X Used for assigning group policies
Airespace-ACL-Name X Used for assigning group policies
Aruba-User-Role X Used for assigning group policies
27.1.3 Attributes Supported in Access-Reject Messages
Columns: Attribute, Splash Page with RADIUS, 802.1x with RADIUS, Notes
Reply-Message X Can be displayed to user
27.2 Accounting Attributes
For further details, see the RADIUS accounting RFC (RFC 2866).
Attribute | Supported in Accounting-Start | Supported in Accounting-Stop
Acct-Status-Type | X | X
Acct-Input-Octets | | X
Acct-Output-Octets | | X
Acct-Session-Id | X | X
Acct-Session-Time | | X
Acct-Input-Packets | | X
Acct-Output-Packets | | X
Acct-Terminate-Cause | | X
Acct-Input-Gigawords | | X
Acct-Output-Gigawords | | X
Event-Timestamp | X | X
User-Name | X | X
Framed-IP-Address | X | X
NAS-Port-Id | X | X
NAS-Port-Type | X | X
NAS-Identifier | X | X
Calling-Station-Id | X | X
Called-Station-Id | X | X
Meraki-Device-Name | X | X
NAS-IP-Address | X | X
NAS-Port | X | X
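The group-policy hand-off in sections 24.6.2 and 24.6.3 (NPS returns Filter-Id, the AP matches it to a policy) travels inside the attribute framing this appendix tabulates. The following Python is an added example, not Meraki, Microsoft or FreeRADIUS code. It builds an Access-Request carrying the attributes from the Access-Request table (NAS-Port-Type Wireless-IEEE-802-11, Service-Type 1, and the Meraki-Device-Name VSA with Vendor ID 29671 and Vendor Type 1, all taken from the tables above), has a stand-in server answer with Filter-Id and the RFC 2868 Tunnel-* VLAN attributes from the FreeRADIUS examples, and shows the check a RADIUS client must make before acting on any of that: recomputing the RFC 2865 Response Authenticator with the shared secret. The shared secret, user name, client MAC, AP name and VLAN are constructed values.

```python
"""RFC 2865/2868 framing for the exchange the appendix tabulates, with the
Response Authenticator check that decides whether a reply can be trusted."""
import hashlib
import hmac
import os
import struct

# Standard attribute type codes (RFC 2865, RFC 2868) and packet codes.
USER_NAME, SERVICE_TYPE, FILTER_ID, VENDOR_SPECIFIC = 1, 6, 11, 26
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MERAKI_VENDOR_ID, MERAKI_DEVICE_NAME = 29671, 1   # from the appendix table


def tlv(attr_type, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte Vendor-Id, then a nested Type/Length/Value."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id)
               + struct.pack("!BB", vendor_type, len(value) + 2) + value)


def tagged(attr_type, tag, value):
    """RFC 2868 tagged attribute: one tag byte, then a 3-byte int or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return tlv(attr_type, bytes([tag]) + body)


def header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + req_auth + attrs + secret).digest()


def build_access_request(ident, user, client_mac, ap_name):
    """AP side. Returns (packet, request_authenticator); the authenticator is
    kept because the reply can only be verified against it."""
    req_auth = os.urandom(16)
    attrs = (tlv(USER_NAME, user.encode())
             + tlv(SERVICE_TYPE, struct.pack("!I", 1))       # 1 = Login
             + tlv(NAS_PORT_TYPE, struct.pack("!I", 19))     # 19 = Wireless-IEEE-802-11
             + tlv(CALLING_STATION_ID, client_mac.encode())
             + vsa(MERAKI_VENDOR_ID, MERAKI_DEVICE_NAME, ap_name.encode()))
    return header(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def build_access_accept(ident, req_auth, secret, group, vlan):
    """Server side: the reply NPS or FreeRADIUS returns in the examples above."""
    attrs = (tlv(FILTER_ID, group.encode())
             + tagged(TUNNEL_TYPE, 1, 13)             # 13 = VLAN
             + tagged(TUNNEL_MEDIUM_TYPE, 1, 6)       # 6 = IEEE-802
             + tagged(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan)))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return header(ACCESS_ACCEPT, ident, auth, attrs)


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def verify_and_decode(reply, req_auth, secret, expected_id):
    """AP side: refuse any reply whose Response Authenticator does not verify,
    then extract the group policy name and VLAN the AP would apply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_id:
        raise ValueError("length or identifier mismatch")
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    result = {"code": code}
    for t, v in parse_attrs(attrs):
        if t == FILTER_ID:
            result["group_policy"] = v.decode()
        elif t == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(v[1:], "big")   # skip tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = int(v[1:].decode())
    return result


def exchange(ap_secret, server_secret, ident=7):
    """Full round trip with constructed names. Raises ValueError when the
    AP and the server do not hold the same shared secret."""
    _, req_auth = build_access_request(ident, "bob", "00-1b-77-18-44-00", "southwest-corner")
    reply = build_access_accept(ident, req_auth, server_secret, "Contractors", 5)
    return verify_and_decode(reply, req_auth, ap_secret, ident)


def rejects_mismatched_secret():
    """True when a reply built under a different secret is refused."""
    try:
        exchange(b"ap-secret", b"server-secret")
    except ValueError:
        return True
    return False
```

The Response Authenticator is the only thing that binds an Access-Accept to the request and to the shared secret, which is why the Filter-Id and VLAN are read only after `hmac.compare_digest` passes; a mistyped secret in clients.conf or NPS shows up here as a rejected reply rather than as a silently unauthenticated client.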
28 Appendix D: Meraki-Hosted Splash Page Variables
Meraki defines a set of variables to represent custom values in the HTML and
CSS of the click-through splash page, the splash page with username/password
login, or the blocked access page. Each of these pages is editable within a
splash page theme under the Configure tab on the Splash Page page.
The following pages are used by the MCC:
• continue.html: Displayed for the click-through splash page.
• auth.html: Displayed for the splash page with username/password
login.
• blocked.html: Displayed when a user or device has been blocked.
When a user is served a splash page, each of these custom strings will be
replaced with its underlying value in a simple substitution. The variables can be
used anywhere in the HTML or CSS. They should only be used in places where
the underlying value will make sense.
For example, the variable $MERAKI:CONTENT2_LINK_COLOR$ will return a
value representing a color in the form "#rrggbb" and thus is appropriate for use in
style sheets or HTML style attributes where a color is required.
The following custom variables are defined:
$MERAKI:AD_TAG_300x250$
• Returns: HTML (including JavaScript)
• Value: An ad tag that inserts a 300 x 250 ad frame.
• Arguments: None
$MERAKI:AUTH_ALREADY_HAVE_ACCOUNT_SIGN_IN_HERE_FORM$
• Returns: HTML
• Value: The login form, with fields for the user's email address and
password. Used for networks with user-based authentication enabled.
• Arguments: None
$MERAKI:AUTH_ALREADY_HAVE_ACCOUNT_SIGN_IN_HERE_TEXT$
• Returns: Text string
• Value: “If you already have an account on this network, sign in here” in
the local language of the network.
• Arguments: None
$MERAKI:AUTH_AND_CONTINUE_URL$
• Returns: URL
• Value: The URL that the user should follow to get authorized on the
network. The user will be redirected to the URL that he was trying to
fetch when he was served the splash page. Used to create the
"Continue to the Internet" link. Used for open access (free) networks.
• Arguments: None
$MERAKI:AUTH_CREATE_ACCOUNT_FORM$
• Returns: HTML
• Value: The form that allows the user to create an account.
• Arguments: None
$MERAKI:AUTH_CREATE_ACCOUNT_TEXT$
• Returns: Text string
• Value: “If you don’t have an account, create one here” in the local
language of the network.
• Arguments: None
$MERAKI:AUTH_ON_PAGE_LOAD$
• Returns: JavaScript
• Value: Authorizes the user on the network as soon as the splash page
is loaded. Used when advertising is enabled to allow user to click
straight through to an ad without having to click on the “Continue to the
Internet” button.
• Arguments: None
$MERAKI:AUTH_URL(http://example.com/)$
• Returns: URL
• Value: Similar to AUTH_AND_CONTINUE_URL, but redirects to a URL
that the administrator specifies, rather than the URL the user was
originally trying to load. This can be used to display a post-splash
"Welcome" or "Thank you" message.
• Arguments: URL
$MERAKI:BODY_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The background color of the splash page.
• Arguments: None
$MERAKI:BODY_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for links as specified in the <body> tag on the splash
page.
• Arguments: None
$MERAKI:BODY_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for the body as specified in the <body> tag on the
splash page.
• Arguments: None
$MERAKI:CLASSIC_TOP_HALF_RIGHT_PADDING$
• Returns: “0” or “215px”
• Value:
o 0 = there is no custom image on the splash screen
o 215px = there is a custom image on the splash screen
• Arguments: None
$MERAKI:CONTENT1_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Background color to the row of colors with the same name as
“CONTENT1”.
• Arguments: None
$MERAKI:CONTENT1_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for links for the row of colors with the same name as
“CONTENT1”.
• Arguments: None
$MERAKI:CONTENT1_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Text color for the row of colors with the same name as
“CONTENT1”.
• Arguments: None
$MERAKI:CONTENT2_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Background color for the row of colors with the same name as
“CONTENT2”.
• Arguments: None
$MERAKI:CONTENT2_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Link color for the row of colors with the same name as
“CONTENT2”.
• Arguments: None
$MERAKI:CONTENT2_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Text color for the row of colors with the same name as
“CONTENT2”.
• Arguments: None
$MERAKI:NETWORK_ADMIN_BLOCK_MESSAGE$
• Returns: HTML
• Value: Contains the message the administrator entered on the Clients
page of the MCC to be displayed for blocked users.
• Arguments: None
$MERAKI:NETWORK_ADMIN_BLOCKED_YOU$
• Returns: Text
• Value: “This network administrator has prevented you from using the
network” in the local language of the network.
• Arguments: None
$MERAKI:NETWORK_LOGO_IMG_TAG$
• Returns: HTML <img> tag
• Value: References the network’s logo.
• Arguments: None
$MERAKI:NETWORK_MESSAGE$
• Returns: Text String
• Value: The custom message entered on the Splash Page page in the
MCC. Does not include HTML tags in the text.
• Arguments: None
$MERAKI:NETWORK_NAME$
• Returns: Text String
• Value: The name of the network.
• Arguments: None
$MERAKI:NETWORK_SPLASH_IMAGE_IMG_SRC$
• Returns: URL
• Value: Link to the custom image on the splash page.
• Arguments: None
$MERAKI:NETWORK_SPLASH_IMAGE_VISIBILITY$
• Returns: “block” or “none”
• Represents: Presence of a custom image on the splash page.
o “block” = Image present
o “none” = Image not present
• Arguments: None
$MERAKI:ROUND_CORNERS(div_name,rounding_preferences)$
• Returns: JavaScript
• Value: Rounds the corners of the specified division ("div")
• Arguments: name of the div, a comma, followed by a list of space
separated values indicating what corner is to be rounded. Valid
rounding_preferences are: Top, Bottom, Left, Right, or any of tl, bl, br,
or tr, corresponding to top-left, bottom-left, etc.
• Example: $MERAKI:ROUND_CORNERS(DIVISION_NAME, top
bottom)$
$MERAKI:TOOLBAR_PRIVACY_POLICY_LINK$
• Returns: Text String
• Value: “The use of this network is subject to Meraki’s privacy policy”. The
words “Privacy policy” are a link to Meraki’s privacy policy statement. If
the toolbar is disabled, this returns an empty string.
• Arguments: None
$MERAKI:USER_ALERTS$
• Returns: HTML
• Value: A div containing alert messages resulting from the submission of
a form (e.g., "login incorrect").
• Arguments: None
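The appendix describes the splash page as a simple substitution pass: each $MERAKI:...$ string is replaced by its value, and a few variables take an argument in parentheses. The following Python is an added example, not Meraki code, for previewing a theme offline and catching misspelled variables before it is uploaded. The values, the `splash.example.invalid` host in the AUTH_URL stand-in and the JavaScript emitted by the ROUND_CORNERS stand-in are all constructed; the real service supplies its own.

```python
"""Offline substitution pass for the $MERAKI:...$ variables in a splash theme."""
import re
import urllib.parse

# Constructed stand-in values; the real ones come from the MCC per network.
VALUES = {
    "NETWORK_NAME": "Acme Enterprise",
    "BODY_BACKGROUND_COLOR": "#ffffff",
    "CONTENT2_LINK_COLOR": "#0055aa",
    "NETWORK_SPLASH_IMAGE_VISIBILITY": "none",
    "NETWORK_MESSAGE": "Welcome to the Acme guest network",
}


def auth_url(target):
    """Stand-in for AUTH_URL(<url>): the real service issues its own authorization
    URL; here a placeholder host carries the administrator's redirect target."""
    return "https://splash.example.invalid/auth?next=" + urllib.parse.quote(target, safe="")


def round_corners(div_name, prefs):
    """Stand-in for ROUND_CORNERS(div, prefs): emits a JavaScript call with the
    div name and the space-separated corner list parsed out."""
    return f"roundCorners({div_name!r}, {prefs.split()!r});"


FUNCTIONS = {"AUTH_URL": auth_url, "ROUND_CORNERS": round_corners}

# $MERAKI:NAME$ or $MERAKI:NAME(arg, arg)$. Lower-case letters are allowed
# for names like AD_TAG_300x250; optional whitespace before the closing '$'.
TOKEN = re.compile(r"\$MERAKI:([A-Za-z0-9_]+)(?:\(([^()$]*)\))?\s*\$")


def render(template):
    """Return (rendered text, unresolved tokens). Unknown variables are left
    in place so the preview shows exactly what a user would see."""
    unresolved = []

    def substitute(m):
        name, args = m.group(1), m.group(2)
        if args is None and name in VALUES:
            return VALUES[name]
        if args is not None and name in FUNCTIONS:
            return FUNCTIONS[name](*[a.strip() for a in args.split(",")])
        unresolved.append(m.group(0))
        return m.group(0)

    return TOKEN.sub(substitute, template), unresolved


# Constructed template with one deliberate typo (NETWORK_NMAE) to show detection.
TEMPLATE = """\
<body style="background-color: $MERAKI:BODY_BACKGROUND_COLOR$">
<h1>$MERAKI:NETWORK_NAME$</h1>
<p>$MERAKI:NETWORK_MESSAGE$</p>
<img style="display: $MERAKI:NETWORK_SPLASH_IMAGE_VISIBILITY$" src="logo.png">
<a href="$MERAKI:AUTH_URL(http://example.com/welcome)$">Continue</a>
<script>$MERAKI:ROUND_CORNERS(main, top bottom)$</script>
<span>$MERAKI:NETWORK_NMAE$</span>
</body>
"""
```

`render(TEMPLATE)` returns the filled page together with the list of tokens it could not resolve, which for the constructed template is just the misspelled `$MERAKI:NETWORK_NMAE$`.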
IPsec Manual Keying Between Routers
Configuration Example
Document ID: 14140
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Troubleshooting Commands
Transform Sets Do Not Match
ACLs Do Not Match
One Side has crypto map and the Other Does Not
The Crypto Engine Accelerator Card is Enabled
Related Information
Introduction
This sample configuration allows you to encrypt traffic between the 12.12.12.x and the 14.14.14.x networks
with the help of IPsec manual keying. For test purposes, an access control list (ACL) and extended ping from
host 12.12.12.12 to 14.14.14.14 were used.
Manual keying is usually only necessary when a Cisco device is configured to encrypt traffic to another
vendor's device which does not support Internet Key Exchange (IKE). If IKE is configurable on both devices,
it is preferable to use automatic keying. Cisco devices express security parameter indexes (SPIs) in decimal,
whereas some vendors use hexadecimal; in that case a conversion is sometimes needed.
Prerequisites
Requirements
There are no specific prerequisites for this document.
Components Used
The information in this document is based on these software and hardware versions:
• Cisco 3640 and 1605 routers
• Cisco IOS® Software Release 12.3.3.a
Note: On all platforms that contain hardware encryption adapters, manual encryption is not supported when
the hardware encryption adapter is enabled.
The information presented in this document was created from devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands
used in this document.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
• Light Configuration
• House Configuration
Light Configuration
light#show running-config
Building configuration...
Current configuration : 1177 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname light
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
no crypto isakmp enable
!
!--- IPsec configuration
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
!
!
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.12
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-des
 !--- Traffic to encrypt
 match address 100
!
!
interface Ethernet2/0
 ip address 12.12.12.12 255.255.255.0
 half-duplex
!
interface Ethernet2/1
 ip address 11.11.11.11 255.255.255.0
 half-duplex
 !--- Apply crypto map.
 crypto map testcase
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.12
!
!
!--- Traffic to encrypt
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
!
House Configuration
house#show running-config
Current configuration : 1194 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname house
!
!
logging buffered 50000 debugging
enable password cisco
!
no aaa new-model
ip subnet-zero
ip domain name cisco.com
!
ip cef
!
!
no crypto isakmp enable
!
!
!--- IPsec configuration
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
!
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.11
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set encrypt-des
 !--- Traffic to encrypt
 match address 100
!
!
interface Ethernet0
 ip address 11.11.11.12 255.255.255.0
 !--- Apply crypto map.
 crypto map testcase
!
interface Ethernet1
 ip address 14.14.14.14 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.11
no ip http server
no ip http secure-server
!
!
!--- Traffic to encrypt
access-list 100 permit ip host 14.14.14.14 host 12.12.12.12
!
!
line con 0
 exec-timeout 0 0
 transport preferred none
 transport output none
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport preferred none
 transport input none
 transport output none
!
!
end
Verify
This section provides information you can use to confirm your configuration functions properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
• show crypto ipsec sa: Shows the phase two security associations.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
• debug crypto ipsec: Displays the IPsec negotiations of phase two.
• debug crypto engine: Displays the traffic that is encrypted.
Transform Sets Do Not Match
Light has ah-sha-hmac and House has esp-des.
*Mar 2 01:16:09.849: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 11.11.11.11, remote= 11.11.11.12,
local_proxy= 12.12.12.12/255.255.255.255/0/0 (type=1),
remote_proxy= 14.14.14.14/255.255.255.255/0/0 (type=1),
protocol= AH, transform= ah-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xACD76816(2899798038), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 2 01:16:09.849: IPSEC(manual_key_stuffing):
keys missing for addr 11.11.11.12/prot 51/spi 0.....
ACLs Do Not Match
On side_A (the "light" router) the crypto ACL matches inside-host-to-inside-host traffic, while on side_B (the "house" router) it matches interface-to-interface traffic. Crypto ACLs must always be mirror images of each other (these are not).
hostname house
match address 101
access-list 101 permit ip host 11.11.11.12 host 11.11.11.11
!
hostname light
match address 100
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
This output is taken from side_A initiating a ping:
nothing
light#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2000 Ethernet2/1 11.11.11.11 set DES_56_CBC 5 0
2001 Ethernet2/1 11.11.11.11 set DES_56_CBC 0 0
This output is taken from side_B when side_A is initiating a ping:
house#
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
house#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2000 Ethernet0 11.11.11.12 set DES_56_CBC 0 0
2001 Ethernet0 11.11.11.12 set DES_56_CBC 0 5
This output is taken from side_B initiating a ping:
side_B
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /12.12.12.12, src_addr= 14.14.14.14, prot= 1
One Side Has a Crypto Map and the Other Does Not
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /14.14.14.14, src_addr= 12.12.12.12, prot= 1
This output is taken from side_B, the side that has a crypto map:
house#show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
2000 Ethernet0 11.11.11.12 set DES_56_CBC 5 0
2001 Ethernet0 11.11.11.12 set DES_56_CBC 0 0
The Crypto Engine Accelerator Card is Enabled
1d05h: %HW_VPN-1-HPRXERR: Hardware VPN0/13: Packet
Encryption/Decryption error, status=4098.....
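The three failure modes above (mismatched transform sets, asymmetric crypto ACLs, and a crypto map applied on only one side) can be caught before traffic is sent by comparing the two running-configs offline. The following Python script is an added example, not part of the Cisco document. It parses the crypto-relevant lines of the light and house configurations (copied into the script as constructed sample input) and reports any asymmetry in peer addresses, transform sets, manual SPIs and keys, and crypto ACLs. With manual keying there is no IKE negotiation to reconcile the two sides, so each side's inbound SPI and keys must literally equal the other side's outbound SPI and keys, and each crypto ACL must be the mirror image of its peer's. The names parse_side and check_pair are this example's own.

```python
"""Added example: symmetry check for two manually keyed IOS IPsec configurations.
Sample configs are constructed from the light/house configurations on the page."""
import re
from dataclasses import dataclass, field

LIGHT_CONFIG = """hostname light
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.12
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-des
 match address 100
interface Ethernet2/1
 ip address 11.11.11.11 255.255.255.0
 crypto map testcase
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
"""
HOUSE_CONFIG = """hostname house
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.11
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set encrypt-des
 match address 100
interface Ethernet0
 ip address 11.11.11.12 255.255.255.0
 crypto map testcase
access-list 100 permit ip host 14.14.14.14 host 12.12.12.12
"""

@dataclass
class IpsecSide:
    hostname: str = ""
    map_name: str = ""
    peer: str = ""
    transform_set: str = ""   # name referenced by 'set transform-set'
    match_acl: str = ""       # ACL number referenced by 'match address'
    applied_on: str = ""      # IP of the interface that carries the crypto map
    transform_sets: dict = field(default_factory=dict)  # name -> frozenset(transforms)
    keys: dict = field(default_factory=dict)            # direction -> (proto, spi, cipher, auth)
    acls: dict = field(default_factory=dict)            # number -> {(src, dst)}

def parse_side(text: str) -> IpsecSide:
    """Pull the manual-key crypto map, its ACL and its interface out of a running-config."""
    side, iface_ip = IpsecSide(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            iface_ip = ""  # a new interface block starts; forget the previous address
        elif m := re.match(r"hostname (\S+)$", line):
            side.hostname = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            side.transform_sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-manual$", line):
            side.map_name = m.group(1)
        elif m := re.match(r"set peer (\S+)$", line):
            side.peer = m.group(1)
        elif m := re.match(r"set session-key (inbound|outbound) (\S+) (\d+) cipher (\S+)(?: authenticator (\S+))?$", line):
            side.keys[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4), m.group(5) or "")
        elif m := re.match(r"set transform-set (\S+)$", line):
            side.transform_set = m.group(1)
        elif m := re.match(r"match address (\S+)$", line):
            side.match_acl = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+$", line):
            iface_ip = m.group(1)
        elif m := re.match(r"crypto map (\S+)$", line):
            if iface_ip and m.group(1) == side.map_name:
                side.applied_on = iface_ip
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)$", line):
            side.acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    return side

def check_pair(a: IpsecSide, b: IpsecSide) -> list:
    """Return findings; an empty list means the two sides mirror each other."""
    findings = []
    for side, other in ((a, b), (b, a)):
        if not side.applied_on:
            findings.append(f"{side.hostname}: crypto map '{side.map_name}' is not applied to any interface")
        elif other.peer != side.applied_on:
            findings.append(f"{other.hostname}: set peer {other.peer} is not {side.hostname}'s crypto interface {side.applied_on}")
    if a.transform_sets.get(a.transform_set) != b.transform_sets.get(b.transform_set):
        findings.append(f"transform sets differ: {a.hostname}={sorted(a.transform_sets.get(a.transform_set, ()))} "
                        f"{b.hostname}={sorted(b.transform_sets.get(b.transform_set, ()))}")
    # Manual keying: A's inbound SPI/keys must equal B's outbound SPI/keys, and vice versa.
    for a_dir, b_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.keys.get(a_dir) != b.keys.get(b_dir):
            findings.append(f"session keys differ: {a.hostname} {a_dir} vs {b.hostname} {b_dir}")
    # The crypto ACLs must be mirror images (source and destination swapped).
    a_flows = a.acls.get(a.match_acl, set())
    b_mirror = {(dst, src) for src, dst in b.acls.get(b.match_acl, set())}
    if a_flows != b_mirror:
        findings.append(f"crypto ACLs are not symmetric: {a.hostname} {sorted(a_flows)} vs mirrored {b.hostname} {sorted(b_mirror)}")
    return findings
```

Running check_pair(parse_side(LIGHT_CONFIG), parse_side(HOUSE_CONFIG)) returns an empty list for the page's two configurations; editing the house side to use ah-sha-hmac, to match an interface-to-interface ACL, or to drop the crypto map from Ethernet0 produces one finding for each of the three troubleshooting cases. The parser deliberately handles only the forms used on the page (ipsec-manual maps, host-to-host ACL entries), so anything it does not recognize is ignored rather than guessed at.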
Related Information
• IPsec Negotiation/IKE Protocols
• Technical Support & Documentation - Cisco Systems
© 2012-2013 Cisco Systems, Inc. All rights reserved.
Updated: Oct 29, 2006 Document ID: 14140
Cisco ASA 5500 Series Overview
The Cisco® ASA 5500 Series Adaptive Security Appliances are built on a modular platform that delivers next-generation security and VPN services to every environment, from small offices, home offices and SMBs up to large enterprises. The Cisco ASA 5500 Series gives the enterprise a complete range of tailored services through its various editions, each designed specifically for firewall, intrusion prevention, content security or VPN.
These editions provide high-quality protection by delivering the services suited to each site. Each edition combines a specialized set of Cisco ASA services that precisely meet the needs of specific environments within the enterprise network. By meeting the security needs of each area of the network, the security of the network as a whole is strengthened.
The Cisco ASA 5500 Series allows standardization on a single platform to reduce the operating costs associated with security. The common configuration environment simplifies management and reduces staff training costs, while the series' common hardware platform saves money on spare parts.
Each edition meets the specific needs of one enterprise network environment:
• Firewall Edition: with this firewall edition, the enterprise can deploy its critical applications and networks reliably and securely. The unique modular design of the Cisco ASA 5500 guarantees outstanding investment protection and reduced operating costs.
• IPS Edition: with a set of firewall, application security and intrusion prevention services, this edition protects the enterprise's critical servers and infrastructure against worms, hackers and other threats.
• Content Security Edition: with its complete set of security services, this edition protects users at small and remote sites. Enterprise-class firewall and VPN services provide secure connectivity to the head-office network. State-of-the-art content security services from Trend Micro keep the client system safe from malicious websites and other content-based threats such as viruses, spyware and phishing.
• SSL/IPsec VPN Edition: this edition protects remote users' access to the systems and equipment of the internal network and supports VPN clustering for large enterprise deployments. Remote-access VPN technologies protected by the SSL (Secure Sockets Layer) and IPsec (IP Security) standards are reinforced by threat-mitigation technologies such as Cisco Secure Desktop, and by firewall and intrusion prevention services that ensure VPN traffic poses no risk to the enterprise network.
Five reasons to buy the Cisco ASA 5500 Series Adaptive Security Appliances
1. Secure firewall and threat-protected VPN technology
Built on the same proven technology behind the success of the Cisco PIX security appliance and the Cisco VPN 3000 concentrator series, the Cisco ASA 5500 Series is the first solution to offer SSL and IPsec VPN services protected by the market's leading firewall technology.
2. Industry-leading content security services
Combines Trend Micro's expertise in threat protection and content control at the Internet edge with Cisco's proven solutions to deliver complete anti-X services: protection against viruses, spyware, spam and phishing, as well as file blocking, URL blocking and filtering, and content filtering.
3. Advanced intrusion prevention services
Proactive intrusion prevention services provide all the capabilities needed to block a wide range of threats: worms, application-layer and operating-system attacks, rootkits, spyware, peer-to-peer file sharing and instant messaging.
4. Multifunction management and monitoring services
On a single platform, the Cisco ASA 5500 Series provides intuitive management and monitoring services through Cisco ASDM (Adaptive Security Device Manager) as well as enterprise-class management services with the Cisco Security Management Suite.
5. Reduced deployment and operating costs
Built around a design and interface similar to those of Cisco's existing security solutions, the Cisco ASA 5500 Series considerably reduces the cost of ownership, whether for a first deployment of a security solution or for day-to-day management.
Cisco ASA 5500 Series Adaptive Security Appliances
AT-A-GLANCE
ACRONYMS: SSC: Security Services Card; SSM: Security Services Module; AIP-SSM: Advanced Inspection and Prevention Security Services Module; CSC-SSM: Content Security and Control Security Services Module; 4GE-SSM: 4-port Gigabit Ethernet Security Services Module
Cisco ASA 5500 Series models and licenses
Model | Cisco ASA 5505 Base / Security Plus | Cisco ASA 5510 Base / Security Plus | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Typical user | Small office / home office, ROBO / MSSP / enterprise teleworker | SMB / small enterprise | Small enterprise | Medium-sized enterprise | Large enterprise
Performance summary
Maximum firewall throughput (Mbps) | 150 | 300 | 450 | 650 | 1200
Maximum 3DES or AES VPN throughput (Mbps) | 100 | 170 | 225 | 325 | 425
Maximum site-to-site and remote-access VPN peers | 10 / 25 | 250 | 750 | 5000 | 5000
Maximum SSL VPN peers (1) | 25 | 250 | 750 | 2500 | 5000
Maximum connections | 10,000 / 25,000 | 50,000 / 130,000 | 280,000 | 400,000 | 650,000
Maximum connections per second | 3000 | 6000 | 9000 | 20,000 | 28,000
Packets per second (64-byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000
Technical summary
Memory (MB) | 256 | 256 | 512 | 1024 | 4096
System flash memory (MB) | 64 | 64 | 64 | 64 | 64
Integrated ports | 8-port 10/100 switch with 2 Power over Ethernet (PoE) ports | 5 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 8 x 10/100/1000, 1 x 10/100
Maximum virtual interfaces (VLANs) | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 150 | 200 | 250
SSC or SSM expansion slot | Yes (SSC) | Yes (SSM) | Yes (SSM) | Yes (SSM) | No
SSC/SSM capabilities
Supported SSC/SSM modules | Future, SSC | CSC-SSM, AIP-SSM, 4GE-SSM | CSC-SSM, AIP-SSM, 4GE-SSM | CSC-SSM, AIP-SSM, 4GE-SSM | No
Intrusion prevention | Not available | Yes, with AIP-SSM | Yes, with AIP-SSM | Yes, with AIP-SSM | No
Concurrent threat mitigation throughput (firewall and IPS services) (Mbps) | Not available | 150 (with AIP-SSM-10), 300 (with AIP-SSM-20) | 225 (with AIP-SSM-10), 375 (with AIP-SSM-20) | 450 with AIP-SSM-20 | Not available
Content security (antivirus, antispyware, file blocking, antispam, antiphishing and URL filtering) | Not available | Yes, with CSC-SSM | Yes, with CSC-SSM | Yes, with CSC-SSM | Not available
Maximum antivirus, antispyware and file-blocking users (CSC-SSM only) | Not available | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | Not available
CSC-SSM Plus license features | Not available | Antispam, antiphishing, URL filtering | Antispam, antiphishing, URL filtering | Antispam, antiphishing, URL filtering | Not available
Features
Application-layer security | Yes | Yes | Yes | Yes | Yes
Layer 2 transparent firewall | Yes | Yes | Yes | Yes | Yes
Security contexts (included / maximum) (2) | 0/0 | 0/0 / 2/5 | 2/20 | 2/50 | 2/50
GTP/GPRS inspection (2) | Not available | Not available | Yes | Yes | Yes
High availability (3) | Not available / stateful A/S | Not available / A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S
VPN load balancing and clustering | Not available | Not available / Yes | Yes | Yes | Yes
(1) Starting with Cisco ASA software version 7.1, the SSL VPN (WebVPN) feature requires a license. Systems allow 2 SSL VPN users by default for evaluation and remote management.
(2) Licensed features
(3) A/S = Active/Standby; A/A = Active/Active
Copyright © 2007, Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the United States and certain other countries. C45-345380-04 6/07
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Systems, Inc. legal notices, privacy statement and trademarks are provided on cisco.com
Page 1/24
Cisco ASA 5500 Series Adaptive Security Appliances Overview
The Cisco® ASA 5500 Series Adaptive Security Appliances combine best-of-breed VPN and security services with the scalable AIM (Adaptive Identification and Mitigation) architecture to form a purpose-built security solution. Designed as the core element of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that blocks attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a family of powerful multifunction network security appliances that provide broad, in-depth protection for SMB and enterprise networks while reducing overall deployment and operating costs and simplifying the tasks usually associated with such a level of security.
By bringing together a powerful combination of many proven technologies on a single platform, the Cisco ASA 5500 Series gives you the operational and economic means to deploy comprehensive security services to a greater number of sites. The full range of services available with the Cisco ASA 5500 family meets the specific needs of each site through product editions designed for SMBs as well as large enterprises. These editions deliver superior protection by giving each installation the services it needs. Each Cisco ASA 5500 Series edition brings together a specialized set of services (firewall, SSL and IPsec VPN, intrusion protection, anti-X services and so on) that precisely meet the needs of the different environments within the enterprise network. And when each site's security needs are properly met, the security of the network as a whole benefits.
Figure 1. Cisco ASA 5500 Series Adaptive Security Appliances
The Cisco ASA 5500 Series helps enterprises protect their networks more effectively while guaranteeing exceptional investment protection, thanks in particular to the following key elements:
• Proven security and VPN connectivity capabilities. The multifunction firewall and intrusion prevention system (IPS), together with anti-X and IPsec or SSL (IP Security/Secure Sockets Layer) VPN technologies, provide robust application security, per-user and per-application access control, protection against worms, viruses and malware, content filtering, and site-to-site or per-user remote connectivity.
• The scalable AIM (Adaptive Identification and Mitigation) services architecture. Using a modular service-processing and policy framework, the Cisco ASA 5500 AIM architecture allows specific security or network services to be applied per traffic flow, enabling highly granular policy controls and anti-X protection while accelerating traffic processing. The performance and cost advantages of the Cisco ASA 5500 Series AIM architecture, together with the software and hardware scalability provided by the SSM (Security Services Module) modules, make it possible to evolve existing services and deploy new ones without replacing the platform and without reducing performance.
As the architectural foundation of the Cisco ASA 5500 Series, AIM enables highly customizable security policies and unprecedented service scalability, strengthening enterprises' protection against an ever more dangerous threat environment.
• Reduced deployment and operating costs. The multifunction Cisco ASA 5500 solution standardizes the platform, configuration and management, helping to reduce deployment costs and recurring operating costs.
CISCO ASA 5500 SERIES OVERVIEW
The Cisco ASA 5500 Series includes the Cisco ASA 5505, 5510, 5520 and 5540 adaptive security appliances. These four high-performance security appliances draw on Cisco Systems® expertise in developing recognized, market-leading security and VPN solutions. The series uses the latest technologies from the Cisco PIX® 500 security appliances, the Cisco IPS 4200 sensors and the Cisco VPN 3000 concentrators. Designed as the core element of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that blocks attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a family of powerful multifunction network security appliances that provide broad, in-depth protection for SMB and enterprise networks while reducing overall deployment and operating costs and simplifying the tasks usually associated with such a level of security.
The scalable Cisco AIM services architecture and the flexible multiprocessor design of the Cisco ASA 5500 Series give the adaptive security appliances unprecedented performance for multiple concurrent security services, while offering exceptional investment protection. The Cisco ASA 5500 Series adaptive security appliances combine several high-performance processors working together to deliver advanced firewall services. The enterprise can also install the Cisco ASA 5500 security services modules: the AIP-SSM (Advanced Inspection and Prevention Security Services Module) for intrusion prevention services or the CSC-SSM (Content Security and Control Security Services Module) for advanced anti-X services. Thanks to this flexible design, the Cisco ASA 5500 Series is uniquely able to adapt to protect networks against constantly evolving threats. It also offers exceptional investment protection through programmable hardware that keeps the platform scalable over the long term. These high-performance, proven security and VPN capabilities combine with integrated Gigabit Ethernet connectivity and a flash-memory architecture with no local hard disk. The Cisco ASA 5500 Series is therefore the ideal choice for enterprises looking for the best high-performance, flexible, reliable and investment-protecting security solution.
Each Cisco ASA 5500 Series appliance supports the maximum number of IPsec VPN users on the base system. SSL VPN services are purchased and licensed separately. By converging IPsec and SSL VPN services with comprehensive threat-defense technologies, the Cisco ASA 5500 Series provides customizable network access suited to the needs of different deployment environments, delivering a fully secured VPN with complete security at both the network and the endpoint.
CISCO ASA 5505 ADAPTIVE SECURITY APPLIANCE
The Cisco ASA 5505 is a full-featured next-generation adaptive security appliance for small businesses, branch offices and teleworking environments. With its modular, plug-and-play design, it delivers high-performance firewall, SSL and IPsec VPN services as well as multifunction network services. Its integrated web-based manager, Cisco Adaptive Security Device Manager, allows the Cisco ASA 5505 to be deployed quickly and managed easily, helping to reduce the enterprise's operating costs. The Cisco ASA 5505 has an 8-port Fast Ethernet switch whose ports can be grouped dynamically to create up to three separate VLANs for home, business and Internet traffic, a split that improves traffic segmentation and network security. The Cisco ASA 5505 also has two Power over Ethernet (PoE) ports to simplify the deployment of Cisco IP phones with their automatic secure VoIP capabilities, and of external wireless access points that bring mobility to the network. Highly scalable like the other models in the series, the Cisco ASA 5505 protects investments through its modular design and has an expansion slot and several USB ports for future services.
As the enterprise's needs grow, you can install an additional Security Plus license that allows the Cisco ASA 5505 Adaptive Security Appliance to scale to higher connection capacity and more IPsec VPN users, support for a demilitarized zone (DMZ), and integration into switched network environments with VLAN trunk support. Moreover, this upgrade license maximizes business continuity by supporting redundant connections to Internet service providers and stateful Active/Standby high-availability services. With this combination of industry-leading security and VPN services, advanced networking capabilities, remote management and extensibility, the Cisco ASA 5505 is the ideal high-end security solution for small businesses, branch offices and teleworkers.
Table 1 describes the features of the Cisco ASA 5505.
Table 1: Features and capacities of the Cisco ASA 5505 Adaptive Security Appliance
Feature | Description
Firewall throughput | Up to 150 Mbps
VPN throughput | Up to 100 Mbps
Connections | 10,000; 25,000*
IPsec VPN peers | 10; 25*
SSL VPN peer license levels** | 10 or 25
Interfaces | 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual interfaces (VLANs) | 3 (without VLAN trunking support) / 20 (with VLAN trunking support)*
High availability | Not supported; stateful Active/Standby and redundant ISP support*
* Upgrade available with the Cisco ASA 5505 Security Plus license
** Separately licensed feature; 2-peer license included with the base system
CISCO ASA 5510 ADAPTIVE SECURITY APPLIANCE
The Cisco ASA 5510 Adaptive Security Appliance delivers advanced network and security services to SMBs and to the branch offices of large enterprises, in a cost-effective, easy-to-deploy solution. Cisco's integrated web-based Adaptive Security Device Manager application makes these services easy to manage and monitor, reducing the deployment and operating costs of such a level of security. The Cisco ASA 5510 adaptive security appliance provides high-performance firewall and VPN services, three integrated 10/100 Fast Ethernet interfaces, and optional worm-mitigation and intrusion prevention services through the AIP-SSM module or comprehensive malware protection services through the CSC-SSM module.
The exceptional combination of these services on a single platform makes the Cisco ASA 5510 an ideal choice for enterprises seeking a cost-effective, extensible security solution with DMZ support. To meet growing business needs, the Cisco ASA 5510 can scale to a higher interface density and integrate into switched network environments through VLAN support by installing a Security Plus upgrade license. This upgrade license also optimizes business continuity through Active/Standby high-availability services.
Table 2 lists the features of the Cisco ASA 5510.
Table 2: Features and capacities of the Cisco ASA 5510 platform
Feature | Description
Firewall throughput | Up to 300 Mbps
Concurrent threat mitigation throughput (firewall + IPS services) | Up to 150 Mbps with the AIP-SSM-10
VPN throughput | Up to 170 Mbps
Connections | 50,000; 130,000*
IPsec VPN peers | 250
SSL VPN peer license levels** | 10, 25, 50, 100 or 250
Security contexts | Up to 5***
Interfaces | 3 Fast Ethernet ports + 1 management port; 5 Fast Ethernet ports*
Virtual interfaces (VLANs) | 0; 25*
High availability | Not supported; Active/Standby*
* Upgrade available with the Cisco ASA 5510 Security Plus license
** Separately licensed feature; two-peer license included with the base system
*** Separately licensed feature; two included with the Cisco ASA 5010 Security Plus license
CISCO ASA 5520 ADAPTIVE SECURITY APPLIANCE
The Cisco ASA 5520 Adaptive Security Appliance delivers Active/Active high-availability security services and Gigabit Ethernet connectivity for SMB networks, in a high-performance modular solution. Four Gigabit Ethernet interfaces and support for 100 VLANs allow enterprises to deploy the Cisco ASA 5520 easily in several zones of their network.
The appliance grows with the enterprise as its network security needs evolve, and offers solid investment protection.
Enterprises can extend their IPsec and SSL VPN capacity to handle more mobile workers, remote sites and business partners. The integrated VPN load balancing and clustering capabilities of the Cisco ASA 5520 increase VPN capacity. The SSL VPN capacity of each platform can also be upgraded by installing upgrade licenses as the enterprise's needs evolve. To extend the appliance's advanced application-layer security and anti-X defenses, deploy the high-performance worm-mitigation and intrusion prevention capabilities of the AIP-SSM module or the comprehensive malware protection of the CSC-SSM module. With the optional security context capabilities of the Cisco ASA 5520, enterprises can deploy up to 10 virtual firewalls in one appliance to enable compartmentalized control of security policies at the departmental level. This virtualization strengthens security and reduces administration and support costs by consolidating multiple security solutions into a single appliance.
Table 3 lists the features of the Cisco ASA 5520.
Table 3: Features and capacities of the Cisco ASA 5520 platform
Feature | Description
Firewall throughput | Up to 450 Mbps
Concurrent threat mitigation throughput (firewall + IPS services) | Up to 225 Mbps with the AIP-SSM-10; up to 375 Mbps with the AIP-SSM-20
VPN throughput | Up to 225 Mbps
Connections | 280,000
IPsec VPN peers | 750
SSL VPN peer license levels* | 10, 25, 50, 100, 250, 500 or 750
Security contexts | Up to 20*
Interfaces | 4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual interfaces (VLANs) | 100
Scalability | VPN load balancing and clustering
High availability | Active/Active, Active/Standby
* Separately licensed feature; 2-peer license included with the base system
CISCO ASA 5540 ADAPTIVE SECURITY APPLIANCE
The Cisco ASA 5540 Adaptive Security Appliance delivers high-performance, high-density security services with active/active high availability and Gigabit Ethernet connectivity, for medium-sized and large enterprise and service-provider networks, in a reliable, modular solution. With four Gigabit Ethernet interfaces and support for 200 VLANs, the Cisco ASA 5540 lets enterprises segment their network into multiple zones for greater security. The appliance scales with the business as its security needs grow, offering exceptional investment protection and service scalability. To extend the advanced application-layer and network security and Anti-X defenses offered by the appliance, deploy the AIP-SSM for high-performance intrusion prevention and worm mitigation.
Enterprises can scale their IPsec and SSL VPN capacity in several ways to serve a growing number of mobile workers, remote sites and business partners. The integrated VPN load-balancing and clustering capabilities of the Cisco ASA 5540 increase VPN resilience and capacity: it supports up to 10 appliances per cluster, for a maximum of 50,000 IPsec VPN peers per cluster. Enterprises can scale up to 2,500 SSL VPN peers on each Cisco ASA 5540 by installing an SSL VPN upgrade license; the base platform supports 5,000 IPsec VPN peers. With the optional security context capabilities of the Cisco ASA 5540, enterprises can deploy up to 50 virtual firewalls in a single appliance to enable compartmentalized control of security policies per department or per customer, reducing management and support costs.
Table 4 lists the features of the Cisco ASA 5540.
Table 4: Cisco ASA 5540 platform features and capacity
Feature                                      Description
Firewall throughput                          Up to 650 Mbps
Concurrent threat-mitigation throughput      Up to 450 Mbps with AIP-SSM-20
  (firewall + IPS services)
VPN throughput                               Up to 325 Mbps
Connections                                  400,000
IPsec VPN peers                              5,000
SSL VPN peer license levels*                 10, 25, 50, 100, 250, 500, 750, 1,000 and 2,500
Security contexts                            Up to 50*
Interfaces                                   4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual interfaces (VLANs)                   200
Scalability                                  VPN load balancing and clustering
High availability                            Active/active, active/standby
* Separately licensed feature; a license for 2 peers is included in the base system
CISCO ASA 5550 ADAPTIVE SECURITY APPLIANCE
In a compact 1 RU form factor, the Cisco ASA 5550 Adaptive Security Appliance reliably delivers Gigabit-class security services with active/active high availability and fiber and Gigabit Ethernet connectivity for large enterprise and service-provider networks. With eight Gigabit Ethernet interfaces, four Small Form-Factor Pluggable (SFP) fiber interfaces and support for up to 200 VLANs, it gives the enterprise the means to segment its network into a large number of high-performance zones for greater security.
As the enterprise's security needs grow, the Cisco ASA 5550 scales with them, providing exceptional investment protection and service levels that remain appropriate. The enterprise can increase its IPsec and SSL VPN capacity to serve a growing number of mobile workers, remote sites and partners: an upgrade license supports up to 5,000 SSL VPN peers on each Cisco ASA 5550, while the base platform accepts up to 5,000 IPsec VPN peers. The integrated VPN load-balancing and clustering capabilities further increase the VPN capacity and robustness of the Cisco ASA 5550: up to 10 appliances can be clustered, for a maximum of 50,000 SSL VPN peers and 50,000 IPsec VPN peers per cluster. With the optional security context capabilities of the Cisco ASA 5550, the enterprise can deploy up to 50 virtual firewalls on a single appliance to enable compartmentalized control of security policies per department or per customer, which considerably reduces management and support costs.
Note: The system has twelve Gigabit Ethernet ports in total, of which eight can be used at the same time. To give even more flexibility to data center, campus or enterprise-edge connectivity, the Cisco ASA 5550 accepts both copper and fiber connectivity.
Table 5 lists the features of the Cisco ASA 5550.
Table 5: Cisco ASA 5550 platform features and capacity
Feature                                      Description
Firewall throughput                          Up to 1.2 Gbps
VPN throughput                               Up to 425 Mbps
Connections                                  650,000
IPsec VPN peers                              5,000
SSL VPN peer license levels*                 10, 25, 50, 100, 250, 500, 750, 1,000, 2,500 and 5,000
Security contexts                            Up to 50*
Interfaces                                   8 Gigabit Ethernet ports, 4 SFP fiber ports and 1 Fast Ethernet port
Virtual interfaces (VLANs)                   200
Scalability                                  VPN load balancing and clustering
High availability                            Active/active, active/standby
* Separately licensed feature; a license for 2 peers is included in the base system
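The VPN load-balancing cluster described for the Cisco ASA 5540 and 5550 above is built from ordinary appliances that share an outside subnet, elect a master and answer on one virtual cluster address; the master redirects each new IPsec or SSL VPN session to the least-loaded member. The configuration below is an added example written for this page, not taken from the datasheet or from Cisco; the addresses 192.0.2.0/24 and 10.0.0.0/24, the interface names and the cluster key are assumptions. It shows one member; every other member gets the same block with its own interface addresses and priority.

```text
! --- One member of an ASA VPN load-balancing cluster (added example) ---
! Assumed addressing: outside subnet 192.0.2.0/24, inside subnet 10.0.0.0/24.
! Every member must run in single-context mode and have an outside interface
! on the same subnet as the cluster's virtual address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.11 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.11 255.255.255.0
!
! ISAKMP must be enabled on the private (inside) interface before
! "cluster encryption" can protect the keepalive traffic between members.
crypto isakmp enable inside
!
vpn load-balancing
 ! Highest priority wins the master election; the others become backups
 ! and still terminate the sessions redirected to them.
 priority 10
 ! Interface that carries client traffic and hosts the virtual address.
 interface lbpublic outside
 ! Interface that carries cluster keepalives and load reports.
 interface lbprivate inside
 ! Virtual address that clients connect to (assumed value).
 cluster ip address 192.0.2.10
 cluster port 9023
 ! Shared secret (assumed value) that authenticates members to each other;
 ! without it any host on the inside subnet could join the cluster.
 cluster key Chang3Me-ClusterKey
 cluster encryption
 participate
```

Clients are pointed at 192.0.2.10 or a DNS name for it; the master accepts the first connection and redirects the client to a member's own outside address, so the identity certificate each member presents has to cover both the cluster name and that member's address or clients see a certificate mismatch on redirect. The peer counts in Tables 3 to 5 are per appliance; the cluster maximum is reached only when the load is spread, and a member that fails takes its sessions with it (clients reconnect through the virtual address). On this platform generation VPN termination and multiple security contexts are mutually exclusive, so a chassis is either a VPN cluster member or a multi-context firewall, not both.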
PRODUCT SPECIFICATIONS
Table 6 compares the Cisco ASA 5505, 5510, 5520, 5540 and 5550 Adaptive Security Appliances.
Table 6: Cisco ASA 5500 Series Adaptive Security Appliance specifications

Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Users/nodes | 10, 50 or unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps
Concurrent threat-mitigation throughput (firewall + IPS services) | Not available | Up to 150 Mbps with AIP-SSM-10; up to 300 Mbps with AIP-SSM-20 | Up to 225 Mbps with AIP-SSM-10; up to 375 Mbps with AIP-SSM-20 | Up to 450 Mbps with AIP-SSM-20 | Not available
3DES/AES VPN throughput | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps
IPsec VPN peers | 10; 25* | 250 | 750 | 5,000 | 5,000
SSL VPN peers* (included/maximum) | 2/25 | 2/250 | 2/750 | 2/2,500 | 2/5,000
Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000
New sessions/second | 3,000 | 6,000 | 9,000 | 20,000 | 28,000
Integrated network ports | 8-port Fast Ethernet switch (2 PoE ports) | 3 Fast Ethernet ports + 1 management port; 5 Fast Ethernet ports* | 4 Gigabit Ethernet ports; 1 Fast Ethernet port | 4 Gigabit Ethernet ports; 1 Fast Ethernet port | 8 Gigabit Ethernet ports, 4 SFP fiber ports; 1 Fast Ethernet port
Virtual interfaces (VLANs) | 3 (without trunking)/20 (with trunking)* | 50/100* | 100 | 200 | 250
Security contexts (included/max.) | 0/0 | 0/0 (base); 2/5 (Security Plus) | 2/20 | 2/50 | 2/50
High availability | Not supported; stateless active/standby and dual-ISP support* | Not supported; active/standby* | Active/active and active/standby | Active/active and active/standby | Active/active and active/standby
SSM expansion slot | 1, SSC | 1, SSM | 1, SSM | 1, SSM | 0
User-accessible flash slot | 0 | 1 | 1 | 1 | 1
USB 2.0 ports | 3 (1 front, 2 rear) | 2 | 2 | 2 | 2
Serial ports | 1 RJ-45 console | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary
Rack mount | Yes, with rack-mount kit (available later) | Yes | Yes | Yes | Yes
Wall mount | Yes, with wall-mount kit (available later) | No | No | No | No

Technical specifications
Memory | 256 MB | 256 MB | 512 MB | 1,024 MB | 4,096 MB
Minimum system flash memory | 64 MB | 64 MB | 64 MB | 64 MB | 64 MB
System bus | Multi-bus architecture | Multi-bus architecture | Multi-bus architecture | Multi-bus architecture | Multi-bus architecture

Environmental conditions | Cisco ASA 5505 | Cisco ASA 5510, 5520, 5540 and 5550
Operating
Temperature | 0 to 40 °C | 0 to 40 °C
Relative humidity | 5 to 95%, non-condensing | 5 to 95%, non-condensing
Altitude | 0 to 3,000 m | 0 to 3,000 m
Shock | Half-sine at 1.14 m/s | Half-sine at 1.14 m/s
Vibration | Random, 0.41 Grms2 (3 to 500 Hz) | Random, 0.41 Grms2 (3 to 500 Hz)
Acoustic noise | 0 dBA maximum | 60 dBA maximum
Storage
Temperature | -25 to 70 °C | -25 to 70 °C
Relative humidity | 5 to 95%, non-condensing | 5 to 95%, non-condensing
Altitude | 0 to 4,570 m | 0 to 4,570 m
Shock | 30 G | 30 G
Vibration | Random, 0.41 Grms2 (3 to 500 Hz) | Random, 0.41 Grms2 (3 to 500 Hz)

Power supply
Input (per power supply)
Voltage range | 100 to 240 VAC | 100 to 240 VAC
Nominal voltage | 100 to 240 VAC | 100 to 240 VAC
Current | 1.8 A | 3 A
Frequency | 50 to 60 Hz, single phase | 47 to 63 Hz, single phase
Output
Steady state | 20 W | 150 W
Maximum peak | 96 W | 190 W
Maximum heat dissipation | 72 BTU/h | 648 BTU/h

Physical
Form factor | Desktop | 19-inch 1 RU rack mount
Dimensions (H x W x D) | 4.45 x 20.04 x 17.45 cm | 4.45 x 44.5 x 33.5 cm
Weight (with power supply) | 1.8 kg | 9.07 kg

Regulatory and standards compliance
Safety | UL 60950, CSA C22.2 No. 60950, EN 60950, IEC 60950, AS/NZS 3260 | UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
Electromagnetic compatibility (EMC) | CE marking, FCC Part 15 Class B, AS/NZS 3548 Class B, VCCI Class B, EN55022 Class B, CISPR22 Class B, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Industry certifications | In progress: ICSA Firewall, ICSA IPsec, Common Criteria EAL4, FIPS 140-2 Level 2 | Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, FIPS 140-2 Level 2, NEBS Level 3, ICSA Firewall, ICSA IPsec, ICSA Gateway Anti-Virus (with CSC-SSM-10 or CSC-SSM-20). In progress: Common Criteria EAL4 for VPN, Common Criteria EAL2 for IPS on AIP-SSM.
* Available through an upgrade license
SECURITY SERVICES MODULES
The Cisco ASA 5500 Series takes networks to a new level of integrated security through its multiprocessor hardware architecture and its Adaptive Identification and Mitigation (AIM) services. This architecture lets enterprises adapt and extend the high-performance security services profile of the Cisco ASA 5500 Series. Customers can add further high-performance security services with Security Services Modules built around dedicated security coprocessors, and can customize flow-specific policies through a highly flexible policy-definition framework. This adaptable architecture lets enterprises deploy new security services as soon as they need them: for example, the broad set of advanced worm-mitigation and intrusion prevention services delivered by the AIP-SSM, or the comprehensive Anti-X and malware protection services offered by the CSC-SSM. It also lets Cisco introduce new services in response to new threats, giving enterprises excellent investment protection for the Cisco ASA 5500 Series.
Advanced Inspection and Prevention Module
The Cisco ASA 5500 Series AIP-SSM is an inline network solution designed to accurately identify, classify and stop malicious traffic before it affects your business. Running the Cisco IPS software for the Cisco ASA 5500 Series, the AIP-SSM combines inline prevention services with innovative technologies, so that the deployed IPS can be trusted to protect without dropping legitimate traffic. The AIP-SSM also delivers comprehensive network protection through its ability to collaborate with other security resources, giving a proactive approach to protecting the network. Its accurate inline prevention technologies allow preventive action against a broader range of threats, without the risk of dropping legitimate traffic. These technologies provide intelligent, automated and contextual analysis of the data, so that enterprises get the most from their intrusion prevention deployment. The AIP-SSM also uses multi-vector threat identification to protect the network against policy violations, vulnerability exploitation and anomalous activity, through detailed inspection of traffic at Layers 2 through 7.
Table 7 details the two AIP-SSM models offered, with their physical characteristics and respective performance.
Table 7: Cisco ASA 5500 Series AIP-SSM specifications
                                            Cisco ASA 5500 AIP-SSM-10        Cisco ASA 5500 AIP-SSM-20
Concurrent threat-mitigation throughput     150 Mbps with Cisco ASA 5510     300 Mbps with Cisco ASA 5510
  (firewall + IPS services)                 225 Mbps with Cisco ASA 5520     375 Mbps with Cisco ASA 5520
                                                                             450 Mbps with Cisco ASA 5540
Technical specifications
Memory                                      1 GB                             2 GB
Flash memory                                256 MB                           256 MB
Environmental conditions (both models)
Operating temperature                       0 to 40 °C
Operating relative humidity                 5 to 95%, non-condensing
Storage temperature                         -25 to 70 °C
Power consumption                           90 W maximum
Physical (both models)
Dimensions (H x W x D)                      4.32 x 17.27 x 27.94 cm
Weight (with power supply)                  1.36 kg
Regulatory and standards compliance (both models)
Safety                                      UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
Electromagnetic compatibility (EMC)         CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Content Security and Control Module
The Cisco ASA 5500 Series CSC-SSM offers the industry's best service for content control and protection against Internet threats at the network edge. This easy-to-manage solution includes comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering.
The CSC-SSM adds high-performance security capabilities to the Cisco ASA 5500 Series, giving customers additional protection and control over the content of their business communications. The module provides additional flexibility and choice in how Cisco ASA 5500 Series appliances are operated and deployed. Licensing options let enterprises tailor the feature set to the needs of each user group, with options that include advanced content services and a higher user count. The CSC-SSM ships with a default feature set providing antivirus, anti-spyware and file-blocking services. A "Plus" license is available for each CSC-SSM at additional cost; it adds anti-spam, anti-phishing, URL blocking and filtering, and content control. To increase the user capacity of the CSC-SSM, enterprises can buy and install additional user licenses. Table 8 lists these options in detail; they also appear in the CSC-SSM data sheet.
Table 8: Cisco ASA 5500 Series CSC-SSM specifications
                                     Cisco ASA 5500 CSC-SSM-10                     Cisco ASA 5500 CSC-SSM-20
Supported platforms                  Cisco ASA 5510 Adaptive Security Appliance    Cisco ASA 5510 Adaptive Security Appliance
                                     Cisco ASA 5520 Adaptive Security Appliance    Cisco ASA 5520 Adaptive Security Appliance
                                                                                   Cisco ASA 5540 Adaptive Security Appliance
Standard and optional features
Standard user license                50 users                                      500 users
Standard features                    Antivirus, anti-spyware, file blocking (both models)
Optional user-count upgrades         100, 250, 500, 750 or 1,000 users
  (total)
Optional features                    Plus license: adds anti-spam, anti-phishing, URL blocking and filtering, and content control (both models)
Technical specifications
Memory                               1 GB                                          2 GB
System flash memory                  256 MB                                        256 MB
Cache memory                         256 KB                                        512 KB
Environmental conditions (both models)
Operating temperature                0 to 40 °C
Operating relative humidity          10 to 90%, non-condensing
Storage temperature                  -25 to 70 °C
Power consumption                    90 W maximum
Physical (both models)
Dimensions (H x W x D)               4.32 x 17.27 x 27.94 cm
Weight (with power supply)           1.36 kg
Regulatory and standards compliance (both models)
Safety                               UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
Electromagnetic compatibility (EMC)  CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Cisco ASA 4-Port Gigabit Ethernet Module
The Cisco ASA 4-Port Gigabit Ethernet Security Services Module lets security managers segment network traffic more finely and create separate security zones, each with its own set of custom security policies. These boundaries can run from the Internet, through demilitarized zones (DMZs), to internal corporate sites and departments. This high-performance module supports both copper and optical connectivity, through a choice of four standard 10/100/1000 copper RJ-45 ports or four Small Form-Factor Pluggable (SFP) ports for Gigabit Ethernet optical SFPs, and gives great flexibility for data center, campus or enterprise-edge connectivity. Copper and optical port types can be mixed, up to 4 active ports in total. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet ports and four Gigabit Ethernet ports on the Cisco ASA 5510, and eight Gigabit Ethernet ports and one Fast Ethernet port on the Cisco ASA 5520 and 5540 (Table 9).
Table 9: Cisco ASA 5500 Series 4-port Gigabit Ethernet SSM specifications
                                     Cisco ASA 5500 SSM-4GE
Technical specifications
Integrated LAN ports                 Four 10/100/1000BASE-T (RJ-45)
Integrated SFP ports                 Four (Gigabit Ethernet optical SFP; 1000BASE-SX or LX/LH transceivers supported)
Environmental conditions
Operating temperature                0 to 40 °C
Operating relative humidity          5 to 95%, non-condensing
Storage temperature                  -25 to 70 °C
Power consumption                    25 W maximum
Physical
Dimensions (H x W x D)               3.81 x 17.27 x 27.94 cm
Weight (with power supply)           0.91 kg
Regulatory and standards compliance
Safety                               UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
Electromagnetic compatibility (EMC)  CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
ORDERING INFORMATION
To place an order, visit the Cisco website (http://www.cisco.com/web/FR/acheter/acheter_home.html). Table 10 provides the information needed to buy Cisco ASA 5500 Series products.
Table 10: Ordering information
Part number             Product name

Cisco ASA 5500 Firewall Edition bundles
ASA5505-BUN-K9          Cisco ASA 5505 10-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES (Triple Data Encryption Standard/Advanced Encryption Standard) license
ASA5505-50-BUN-K9       Cisco ASA 5505 50-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
ASA5505-UL-BUN-K9       Cisco ASA 5505 unlimited-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
ASA5505-SEC-BUN-K9      Cisco ASA 5505 unlimited-user bundle with Security Plus, 8-port Fast Ethernet switch, 25 IPsec VPN peers, 2 SSL VPN peers, demilitarized zone (DMZ), stateless active/standby high availability, 3DES/AES license
ASA5510-BUN-K9          Cisco ASA 5510 Firewall Edition with 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
ASA5510-SEC-BUN-K9      Cisco ASA 5510 Security Plus Firewall Edition with 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, active/standby high availability, 3DES/AES license
ASA5520-BUN-K9          Cisco ASA 5520 Firewall Edition with 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface, 750 IPsec VPN peers and 2 SSL VPN peers, active/standby and active/active high availability, 3DES/AES license
ASA5540-BUN-K9          Cisco ASA 5540 Firewall Edition with 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface, 5,000 IPsec VPN peers and 2 SSL VPN peers, 3DES/AES license
ASA5550-BUN-K9          Cisco ASA 5550 Firewall Edition with 8 Gigabit Ethernet interfaces and 1 Fast Ethernet interface, 4 Gigabit SFP interfaces, 5,000 IPsec VPN peers and 2 SSL VPN peers, 3DES/AES license

Cisco ASA 5500 IPS Edition bundles
ASA5510-AIP10-K9        Cisco ASA 5510 IPS Edition with AIP-SSM-10, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
ASA5520-AIP10-K9        Cisco ASA 5520 IPS Edition with AIP-SSM-10, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
ASA5520-AIP20-K9        Cisco ASA 5520 IPS Edition with AIP-SSM-20, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
ASA5540-AIP20-K9        Cisco ASA 5540 IPS Edition with AIP-SSM-20, firewall services, 5,000 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface

Cisco ASA 5500 Anti-X Edition bundles
ASA5510-CSC10-K9        Cisco ASA 5510 Anti-X Edition with CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
ASA5510-CSC20-K9        Cisco ASA 5510 Anti-X Edition with CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
ASA5520-CSC10-K9        Cisco ASA 5520 Anti-X Edition with CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
ASA5520-CSC20-K9        Cisco ASA 5520 Anti-X Edition with CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface

Cisco ASA 5500 VPN Edition bundles
ASA5505-SSL10-K9        Cisco ASA 5505 SSL/IPsec VPN Edition with 10 IPsec VPN peers, 10 SSL VPN peers, 50 firewall-services users, 8-port Fast Ethernet switch
ASA5505-SSL25-K9        Cisco ASA 5505 SSL/IPsec VPN Edition with 25 IPsec VPN peers, 25 SSL VPN peers, 50 firewall-services users, 8-port Fast Ethernet switch, Security Plus license
ASA5510-SSL50-K9        Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 50 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
ASA5510-SSL100-K9       Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 100 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
ASA5510-SSL250-K9       Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 250 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
ASA5520-SSL500-K9       Cisco ASA 5520 SSL/IPsec VPN Edition with 750 IPsec VPN peers and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface
ASA5540-SSL1000-K9      Cisco ASA 5540 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 1,000 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface
ASA5540-SSL2500-K9      Cisco ASA 5540 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 2,500 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface
ASA5550-SSL2500-K9      Cisco ASA 5550 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 2,500 SSL VPN peers, firewall services, 8 Gigabit Ethernet interfaces, 1 Fast Ethernet interface
ASA5550-SSL5000-K9      Cisco ASA 5550 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 5,000 SSL VPN peers, firewall services, 8 Gigabit Ethernet interfaces, 1 Fast Ethernet interface

Security Services Modules
ASA-SSM-AIP-10-K9=      Cisco ASA Advanced Inspection and Prevention Security Services Module 10
ASA-SSM-AIP-20-K9=      Cisco ASA Advanced Inspection and Prevention Security Services Module 20
ASA-SSM-CSC-10-K9=      Cisco ASA Content Security and Control Security Services Module 10 for 50 users, antivirus/anti-spyware, one-year subscription
ASA-SSM-CSC-20-K9=      Cisco ASA Content Security and Control Security Services Module 20 for 500 users, antivirus/anti-spyware, one-year subscription
SSM-4GE=                Cisco ASA 4-Port Gigabit Ethernet Security Services Module

Cisco ASA 5500 Series software
ASA-SW-UPGRADE=         One-time Cisco ASA software upgrade for customers without a support contract

Cisco ASA 5500 Series accessories
ASA5500-CF-256MB=       256 MB CompactFlash memory for the Cisco ASA 5500 Series
ASA5500-CF-512MB=       512 MB CompactFlash memory for the Cisco ASA 5500 Series
ASA-180W-PWR-AC=        180 W AC power supply for the Cisco ASA 5500 Series
GLC-SX-MM=              Gigabit Ethernet optical SFP, 1000BASE-SX short-wavelength transceiver
GLC-LH-SM=              Gigabit Ethernet optical SFP, 1000BASE-LX/LH long-reach/long-wavelength transceiver
TO DOWNLOAD THE SOFTWARE
To download Cisco ASA software, visit the Cisco Download Center.
MAINTENANCE AND SUPPORT
Cisco offers a wide range of service programs to accelerate customer success. These innovative service programs are delivered through a unique combination of people, processes, tools and partners to increase customer satisfaction. Cisco Services help you protect your network investment, optimize network operations and prepare your network for new applications, to extend network intelligence and the success of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services. For services specific to the intrusion prevention (IPS) capabilities delivered through the AIP-SSM, visit the Cisco Services for IPS site.
FOR MORE INFORMATION
For more information, visit the following sites:
• Cisco ASA 5500 Series Adaptive Security Appliance: http://www.cisco.com/go/asa
• Cisco Adaptive Security Device Manager: http://www.cisco.com/go/asdm
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799
Cisco has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices
Copyright © 2007 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Cisco PIX 500 to Cisco ASA 5500 Series Migration Guide
AT A GLANCE
By bringing together a powerful combination of many proven technologies on a single platform, the Cisco ASA 5500 Series (Adaptive Security Appliance) gives the enterprise the operational and economic means to deploy complete security services to a greater number of sites. Migrate your Cisco PIX® security appliances to the Cisco ASA 5500 Series now to obtain converged, multifunction security and VPN services on a single platform.
Key business benefits
Flexible deployment options
Tailored product editions that match the specific needs of the enterprise exactly:
• Firewall Edition - firewall
• IPS Edition - intrusion prevention system
• Anti-X Edition - protection against viruses, spyware, and more
• SSL/IPsec VPN Edition - secure VPNs
Lower operating costs
Unified device management and monitoring lower installation and maintenance overhead. A single platform reduces complexity and simplifies routine deployment and technical support operations.
Lower capital costs
Convergence and enhanced Technology Migration Plan (TMP) trade-in credits for older hardware lower the total cost of migration today.
Leasing advantage
With Cisco Finance, take advantage of our leasing promotions to cut your costs even further and obtain your new solution now.
Key technology benefits and new features of the ASA 5500 Series
Proven firewall technology and threat-protected VPN
Built on the same proven technology behind the success of the Cisco PIX security appliance and the Cisco VPN 3000 Series concentrators, the Cisco ASA 5500 Series is the first solution to offer SSL (Secure Sockets Layer) and IPsec (IP Security) VPN services protected by the market-leading firewall technology. With SSL VPN, the ASA 5500 is a high-performance SSL gateway that gives mobile users secure remote access to the network through a standard web browser.
Advanced intrusion prevention service
The proactive intrusion prevention services provide all the functionality needed to block a wide range of threats: worms, application-layer and operating-system attacks, rootkits, spyware, instant messaging, peer-to-peer traffic, and much more. By combining several methods of in-depth traffic analysis, the ASA 5500 IPS protects the network against security policy violations, exploitation of system vulnerabilities, and anomalous traffic. The IPS works with other Cisco security management systems to keep the network's security posture constantly up to date and fully responsive to new attacks or vulnerabilities.
Industry-leading Anti-X services
The Cisco ASA 5500 Series offers comprehensive, state-of-the-art Anti-X services (protection against viruses, spyware, spam, and phishing, plus file blocking, URL blocking and filtering, and content filtering) by combining Trend Micro's expertise in content security with a proven Cisco network security solution. These Anti-X services, embedded in the CSC SSM hardware expansion module, and the Trend Micro subscription renewals for the ASA Series are sold by Cisco through its authorized partners.
Seamless migration for the user
Current users of Cisco PIX security appliances will have no difficulty adapting to Cisco ASA 5500 solutions. Cisco PIX configuration files can be carried over to ASA 5500 appliances. The Cisco Adaptive Security Device Manager (ASDM) graphical management software shipped with the ASA Series is powerful and easy to use. It speeds up the creation of security policies and reduces workload and human error through graphical wizards and debugging and monitoring tools. ASDM can manage both Cisco PIX and ASA 5500 appliances, easing the migration to the latest generation of hardware and its new features.
Migration paths
(Columns of the original table: Cisco PIX security appliance model; Cisco ASA 5500 Series part number; Cisco ASA 5500 description. The ASA options are grouped by edition: Firewall, IPS, Anti-X, and VPN.)
Cisco PIX 501 for 10 users:
ASA5505-K8 - Cisco ASA 5505 Firewall Edition, 10 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, DES
ASA5505-BUN-K9 - Cisco ASA 5505 Firewall Edition, 10 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5505-50-BUN-K9 - Cisco ASA 5505 Firewall Edition, 50 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5505-SSL10-K9 - Cisco ASA 5505 SSL/IPsec VPN Edition, 10 IPsec and 10 SSL VPN peers, firewall services, 8-port Fast Ethernet switch
Cisco PIX 501 for 50 users:
ASA5505-50-BUN-K9 - Cisco ASA 5505 Firewall Edition, 50 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5505-UL-BUN-K9 - Cisco ASA 5505 Firewall Edition, unlimited users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5505-SSL10-K9 - Cisco ASA 5505 SSL/IPsec VPN Edition, 10 IPsec and 10 SSL VPN peers, firewall services, 8-port Fast Ethernet switch
Cisco PIX 501 for unlimited users:
ASA5505-UL-BUN-K9 - Cisco ASA 5505 Firewall Edition, unlimited users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5505-SEC-BUN-K9 - Cisco ASA 5505 Firewall Edition, unlimited users, Security Plus, 8-port Fast Ethernet switch, 25 IPsec and 2 SSL VPN peers, DMZ, stateful Active/Standby high availability, 3DES/AES
ASA5505-SSL10-K9 - Cisco ASA 5505 SSL/IPsec VPN Edition, 10 IPsec and 10 SSL VPN peers, firewall services, 8-port Fast Ethernet switch
ASA5505-SSL25-K9 - Cisco ASA 5505 SSL/IPsec VPN Edition, 25 IPsec and 25 SSL VPN peers, firewall services, 8-port Fast Ethernet switch, Security Plus license
Cisco PIX 506E:
ASA5510-K8 - Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, DES
ASA5510-BUN-K9 - Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5510-AIP10-K9 - Cisco ASA 5510 IPS Edition, AIP SSM 10 module, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC10-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC20-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-SSL50-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 50 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL100-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 100 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL250-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 250 SSL VPN peers, firewall services, 3 Fast Ethernet ports
Cisco PIX 515E R/DMZ:
ASA5510-K8 - Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, DES
ASA5510-BUN-K9 - Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5510-SEC-BUN-K9 - Cisco ASA 5510 Firewall Edition Security Plus, 5 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, Active/Standby high availability, 3DES/AES
ASA5510-AIP10-K9 - Cisco ASA 5510 IPS Edition, AIP SSM 10 module, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC10-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC20-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-SSL50-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 50 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL100-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 100 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL250-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 250 SSL VPN peers, firewall services, 3 Fast Ethernet ports
Cisco PIX 515E UR/FO/FO AA:
ASA5510-SEC-BUN-K9 - Cisco ASA 5510 Firewall Edition Security Plus, 5 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, Active/Standby high availability, 3DES/AES
ASA5510-AIP10-K9 - Cisco ASA 5510 IPS Edition, AIP SSM 10 module, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC10-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-CSC20-K9 - Cisco ASA 5510 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
ASA5510-SSL50-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 50 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL100-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 100 SSL VPN peers, firewall services, 3 Fast Ethernet ports
ASA5510-SSL250-K9 - Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 250 SSL VPN peers, firewall services, 3 Fast Ethernet ports
Cisco PIX 520 (end of life: June 2006):
ASA5520-K8 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, DES
ASA5520-BUN-K9 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES
ASA5520-AIP10-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 10 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-AIP20-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 20 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC10-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC20-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-SSL500-K9 - Cisco ASA 5520 SSL/IPsec VPN Edition, 750 IPsec and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
Cisco PIX 525R:
ASA5520-K8 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, DES
ASA5520-BUN-K9 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES
ASA5520-AIP10-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 10 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-AIP20-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 20 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC10-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC20-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-SSL500-K9 - Cisco ASA 5520 SSL/IPsec VPN Edition, 750 IPsec and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
Cisco PIX 525 UR/FO/FO AA:
ASA5520-K8 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, DES
ASA5520-BUN-K9 - Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports + 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES
ASA5520-AIP10-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 10 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-AIP20-K9 - Cisco ASA 5520 IPS Edition, AIP SSM 20 module, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC10-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 10 module, 50 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-CSC20-K9 - Cisco ASA 5520 Anti-X Edition, CSC SSM 20 module, 500 antivirus/anti-spyware users with a one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5520-SSL500-K9 - Cisco ASA 5520 SSL/IPsec VPN Edition, 750 IPsec and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
Cisco PIX 535:
ASA5540-K8 - Cisco ASA 5540 Firewall Edition, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface, 5000 IPsec and 2 SSL VPN peers, DES
ASA5540-BUN-K9 - Cisco ASA 5540 Firewall Edition, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface, 5000 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5540-AIP20-K9 - Cisco ASA 5540 IPS Edition, AIP SSM 20 module, firewall services, 5000 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5540-SSL1000-K9 - Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 IPsec and 1000 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5540-SSL2500-K9 - Cisco ASA 5540 SSL/IPsec VPN Edition, 5000 IPsec and 2500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5550-K8 - Cisco ASA 5550 Firewall Edition, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface, 4 Gigabit SFP ports, 5000 IPsec and 2 SSL VPN peers, DES
ASA5550-BUN-K9 - Cisco ASA 5550 Firewall Edition, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface, 4 Gigabit SFP ports, 5000 IPsec and 2 SSL VPN peers, 3DES/AES
ASA5550-SSL2500-K9 - Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 IPsec and 2500 SSL VPN peers, firewall services, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface
ASA5550-SSL5000-K9 - Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 IPsec and 5000 SSL VPN peers, firewall services, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface
Technical specifications
Specification | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Users and nodes | 10, 50 or unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps
Concurrent threat mitigation throughput (firewall and IPS services) | Not available | Up to 150 Mbps with the AIP SSM 10 (Advanced Inspection and Prevention Security Services Module 10) for the Cisco ASA 5500 Series; up to 300 Mbps with the AIP SSM 20 | Up to 225 Mbps with the AIP SSM 10; up to 375 Mbps with the AIP SSM 20 | Up to 450 Mbps with the AIP SSM 20 | Not available
3DES or AES VPN throughput | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 360 Mbps
IPsec VPN peers | 10; 25* | 250 | 750 | 5000 | 5000
SSL VPN peers* (included/maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000
Concurrent sessions | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000
New sessions per second | 3,000 | 6,000 | 9,000 | 20,000 | 28,000
Integrated network ports | 8-port Fast Ethernet switch (including 2 PoE ports) | 5 Fast Ethernet ports | 4 Gigabit Ethernet ports + 1 Fast Ethernet port | 4 Gigabit Ethernet ports + 1 Fast Ethernet port | 8 Gigabit Ethernet ports, SFP fiber, and 1 Fast Ethernet port
Virtual interfaces (VLANs) | 3 (trunking disabled) / 20* (trunking enabled) | 50/100* | 150 | 200 | 250
Security contexts (included/maximum) | 0/0 | 0/0 (Base); 2/5 (Security Plus) | 2/20 | 2/50 | 2/50
High availability | Not supported / stateful Active/Standby* | Not supported / Active/Active and Active/Standby* | Active/Active and Active/Standby | Active/Active and Active/Standby | Active/Active and Active/Standby
Expansion slot | 1, SSC | 1, SSM | 1, SSM | 1, SSM | 0
* Requires an upgrade license.
Copyright © 2007, Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the United States and certain other countries. C45 364598 01 01/07
Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-02
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision,
Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are
service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without
Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study,
IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar,
PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath,
WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Security Appliance Command Line Configuration Guide
Copyright © 2008 Cisco Systems, Inc. All rights reserved.
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
CONTENTS
About This Guide xxxv
Document Objectives xxxv
Audience xxxv
Related Documentation xxxvi
Document Organization xxxvi
Document Conventions xxxix
Obtaining Documentation and Submitting a Service Request xxxix
PART 1 Getting Started and General Information
CHAPTER 1 Introduction to the Security Appliance 1-1
Firewall Functional Overview 1-1
Security Policy Overview 1-2
Permitting or Denying Traffic with Access Lists 1-2
Applying NAT 1-2
Using AAA for Through Traffic 1-2
Applying HTTP, HTTPS, or FTP Filtering 1-3
Applying Application Inspection 1-3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
Sending Traffic to the Content Security and Control Security Services Module 1-3
Applying QoS Policies 1-3
Applying Connection Limits and TCP Normalization 1-3
Firewall Mode Overview 1-3
Stateful Inspection Overview 1-4
VPN Functional Overview 1-5
Intrusion Prevention Services Functional Overview 1-5
Security Context Overview 1-6
CHAPTER 2 Getting Started 2-1
Getting Started with Your Platform Model 2-1
Factory Default Configurations 2-1
Restoring the Factory Default Configuration 2-2
ASA 5505 Default Configuration 2-2
ASA 5510 and Higher Default Configuration 2-3
PIX 515/515E Default Configuration 2-4
Accessing the Command-Line Interface 2-4
Setting Transparent or Routed Firewall Mode 2-5
Working with the Configuration 2-6
Saving Configuration Changes 2-6
Saving Configuration Changes in Single Context Mode 2-7
Saving Configuration Changes in Multiple Context Mode 2-7
Copying the Startup Configuration to the Running Configuration 2-8
Viewing the Configuration 2-8
Clearing and Removing Configuration Settings 2-9
Creating Text Configuration Files Offline 2-9
CHAPTER 3 Enabling Multiple Context Mode 3-1
Security Context Overview 3-1
Common Uses for Security Contexts 3-1
Unsupported Features 3-2
Context Configuration Files 3-2
Context Configurations 3-2
System Configuration 3-2
Admin Context Configuration 3-2
How the Security Appliance Classifies Packets 3-3
Valid Classifier Criteria 3-3
Invalid Classifier Criteria 3-4
Classification Examples 3-5
Cascading Security Contexts 3-8
Management Access to Security Contexts 3-9
System Administrator Access 3-9
Context Administrator Access 3-10
Enabling or Disabling Multiple Context Mode 3-10
Backing Up the Single Mode Configuration 3-10
Enabling Multiple Context Mode 3-10
Restoring Single Context Mode 3-11
CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 4-1
Interface Overview 4-1
Understanding ASA 5505 Ports and Interfaces 4-2
Maximum Active VLAN Interfaces for Your License 4-2
Default Interface Configuration 4-4
VLAN MAC Addresses 4-4
Power Over Ethernet 4-4
Monitoring Traffic Using SPAN 4-4
Security Level Overview 4-5
Configuring VLAN Interfaces 4-5
Configuring Switch Ports as Access Ports 4-9
Configuring a Switch Port as a Trunk Port 4-11
Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13
CHAPTER 5 Configuring Ethernet Settings and Subinterfaces 5-1
Configuring and Enabling RJ-45 Interfaces 5-1
Configuring and Enabling Fiber Interfaces 5-3
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking 5-3
CHAPTER 6 Adding and Managing Security Contexts 6-1
Configuring Resource Management 6-1
Classes and Class Members Overview 6-1
Resource Limits 6-2
Default Class 6-3
Class Members 6-4
Configuring a Class 6-4
Configuring a Security Context 6-7
Automatically Assigning MAC Addresses to Context Interfaces 6-11
Changing Between Contexts and the System Execution Space 6-11
Managing Security Contexts 6-12
Removing a Security Context 6-12
Changing the Admin Context 6-13
Changing the Security Context URL 6-13
Reloading a Security Context 6-14
Reloading by Clearing the Configuration 6-14
Reloading by Removing and Re-adding the Context 6-15
Monitoring Security Contexts 6-15
Viewing Context Information 6-15
Viewing Resource Allocation 6-16
Viewing Resource Usage 6-19
Monitoring SYN Attacks in Contexts 6-20
CHAPTER 7 Configuring Interface Parameters 7-1
Security Level Overview 7-1
Configuring the Interface 7-2
Allowing Communication Between Interfaces on the Same Security Level 7-6
CHAPTER 8 Configuring Basic Settings 8-1
Changing the Login Password 8-1
Changing the Enable Password 8-1
Setting the Hostname 8-2
Setting the Domain Name 8-2
Setting the Date and Time 8-2
Setting the Time Zone and Daylight Saving Time Date Range 8-3
Setting the Date and Time Using an NTP Server 8-4
Setting the Date and Time Manually 8-5
Setting the Management IP Address for a Transparent Firewall 8-5
CHAPTER 9 Configuring IP Routing 9-1
How Routing Behaves Within the ASA Security Appliance 9-1
Egress Interface Selection Process 9-1
Next Hop Selection Process 9-2
Configuring Static and Default Routes 9-2
Configuring a Static Route 9-3
Configuring a Default Route 9-4
Configuring Static Route Tracking 9-5
Defining Route Maps 9-7
Configuring OSPF 9-8
OSPF Overview 9-9
Enabling OSPF 9-10
Redistributing Routes Into OSPF 9-10
Configuring OSPF Interface Parameters 9-11
Configuring OSPF Area Parameters 9-13
Configuring OSPF NSSA 9-14
Configuring Route Summarization Between OSPF Areas 9-15
Configuring Route Summarization When Redistributing Routes into OSPF 9-16
Defining Static OSPF Neighbors 9-16
Generating a Default Route 9-17
Configuring Route Calculation Timers 9-17
Logging Neighbors Going Up or Down 9-18
Displaying OSPF Update Packet Pacing 9-19
Monitoring OSPF 9-19
Restarting the OSPF Process 9-20
Configuring RIP 9-20
Enabling and Configuring RIP 9-20
Redistributing Routes into the RIP Routing Process 9-22
Configuring RIP Send/Receive Version on an Interface 9-22
Enabling RIP Authentication 9-23
Monitoring RIP 9-23
The Routing Table 9-24
Displaying the Routing Table 9-24
How the Routing Table is Populated 9-24
Backup Routes 9-26
How Forwarding Decisions are Made 9-26
Dynamic Routing and Failover 9-26
CHAPTER 10 Configuring DHCP, DDNS, and WCCP Services 10-1
Configuring a DHCP Server 10-1
Enabling the DHCP Server 10-2
Configuring DHCP Options 10-3
Using Cisco IP Phones with a DHCP Server 10-4
Configuring DHCP Relay Services 10-5
Configuring Dynamic DNS 10-6
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 10-7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs 10-8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR 10-8
Example 5: Client Updates A RR; Server Updates PTR RR 10-9
Configuring Web Cache Services Using WCCP 10-9
WCCP Feature Support 10-9
WCCP Interaction With Other Features 10-10
Enabling WCCP Redirection 10-10
CHAPTER 11 Configuring Multicast Routing 11-13
Multicast Routing Overview 11-13
Enabling Multicast Routing 11-14
Configuring IGMP Features 11-14
Disabling IGMP on an Interface 11-15
Configuring Group Membership 11-15
Configuring a Statically Joined Group 11-15
Controlling Access to Multicast Groups 11-15
Limiting the Number of IGMP States on an Interface 11-16
Modifying the Query Interval and Query Timeout 11-16
Changing the Query Response Time 11-17
Changing the IGMP Version 11-17
Configuring Stub Multicast Routing 11-17
Configuring a Static Multicast Route 11-17
Configuring PIM Features 11-18
Disabling PIM on an Interface 11-18
Configuring a Static Rendezvous Point Address 11-19
Configuring the Designated Router Priority 11-19
Filtering PIM Register Messages 11-19
Configuring PIM Message Intervals 11-20
Configuring a Multicast Boundary 11-20
Filtering PIM Neighbors 11-20
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 11-21
For More Information about Multicast Routing 11-22
CHAPTER 12 Configuring IPv6 12-1
IPv6-enabled Commands 12-1
Configuring IPv6 12-2
Configuring IPv6 on an Interface 12-3
Configuring a Dual IP Stack on an Interface 12-4
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4
Configuring IPv6 Duplicate Address Detection 12-4
Configuring IPv6 Default and Static Routes 12-5
Configuring IPv6 Access Lists 12-6
Configuring IPv6 Neighbor Discovery 12-7
Configuring Neighbor Solicitation Messages 12-7
Configuring Router Advertisement Messages 12-9
Multicast Listener Discovery Support 12-11
Configuring a Static IPv6 Neighbor 12-11
Verifying the IPv6 Configuration 12-11
The show ipv6 interface Command 12-12
The show ipv6 route Command 12-12
The show ipv6 mld traffic Command 12-13
CHAPTER 13 Configuring AAA Servers and the Local Database 13-1
AAA Overview 13-1
About Authentication 13-1
About Authorization 13-2
About Accounting 13-2
AAA Server and Local Database Support 13-2
Summary of Support 13-3
RADIUS Server Support 13-3
Authentication Methods 13-4
Attribute Support 13-4
RADIUS Authorization Functions 13-4
TACACS+ Server Support 13-4
SDI Server Support 13-4
SDI Version Support 13-5
Two-step Authentication Process 13-5
SDI Primary and Replica Servers 13-5
NT Server Support 13-5
Kerberos Server Support 13-5
LDAP Server Support 13-6
Authentication with LDAP 13-6
Authorization with LDAP for VPN 13-7
LDAP Attribute Mapping 13-8
SSO Support for WebVPN with HTTP Forms 13-9
Local Database Support 13-9
User Profiles 13-10
Fallback Support 13-10
Configuring the Local Database 13-10
Identifying AAA Server Groups and Servers 13-12
Using Certificates and User Login Credentials 13-15
Using User Login Credentials 13-15
Using Certificates 13-16
Supporting a Zone Labs Integrity Server 13-16
Overview of Integrity Server and Security Appliance Interaction 13-17
Configuring Integrity Server Support 13-17
CHAPTER 14 Configuring Failover 14-1
Understanding Failover 14-1
Failover System Requirements 14-2
Hardware Requirements 14-2
Software Requirements 14-2
License Requirements 14-2
The Failover and Stateful Failover Links 14-3
Failover Link 14-3
Stateful Failover Link 14-5
Active/Active and Active/Standby Failover 14-6
Active/Standby Failover 14-6
Active/Active Failover 14-10
Determining Which Type of Failover to Use 14-15
Regular and Stateful Failover 14-15
Regular Failover 14-16
Stateful Failover 14-16
Failover Health Monitoring 14-16
Unit Health Monitoring 14-17
Interface Monitoring 14-17
Failover Feature/Platform Matrix 14-18
Failover Times by Platform 14-18
Configuring Failover 14-19
Failover Configuration Limitations 14-19
Configuring Active/Standby Failover 14-19
Prerequisites 14-20
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 14-20
Configuring LAN-Based Active/Standby Failover 14-21
Configuring Optional Active/Standby Failover Settings 14-25
Configuring Active/Active Failover 14-27
Prerequisites 14-27
Configuring Cable-Based Active/Active Failover (PIX security appliance) 14-27
Configuring LAN-Based Active/Active Failover 14-29
Configuring Optional Active/Active Failover Settings 14-33
Configuring Unit Health Monitoring 14-39
Configuring Failover Communication Authentication/Encryption 14-39
Verifying the Failover Configuration 14-40
Using the show failover Command 14-40
Viewing Monitored Interfaces 14-48
Displaying the Failover Commands in the Running Configuration 14-48
Testing the Failover Functionality 14-49
Controlling and Monitoring Failover 14-49
Forcing Failover 14-49
Disabling Failover 14-50
Restoring a Failed Unit or Failover Group 14-50
Monitoring Failover 14-50
Failover System Messages 14-51
Debug Messages 14-51
SNMP 14-51
PART 2 Configuring the Firewall
CHAPTER 15 Firewall Mode Overview 15-1
Routed Mode Overview 15-1
IP Routing Support 15-1
Network Address Translation 15-2
How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
An Inside User Visits a Web Server 15-3
An Outside User Visits a Web Server on the DMZ 15-4
An Inside User Visits a Web Server on the DMZ 15-6
An Outside User Attempts to Access an Inside Host 15-7
A DMZ User Attempts to Access an Inside Host 15-8
Transparent Mode Overview 15-8
Transparent Firewall Network 15-9
Allowing Layer 3 Traffic 15-9
Allowed MAC Addresses 15-9
Passing Traffic Not Allowed in Routed Mode 15-9
MAC Address Lookups 15-10
Using the Transparent Firewall in Your Network 15-10
Transparent Firewall Guidelines 15-10
Unsupported Features in Transparent Mode 15-11
How Data Moves Through the Transparent Firewall 15-13
An Inside User Visits a Web Server 15-14
An Outside User Visits a Web Server on the Inside Network 15-15
An Outside User Attempts to Access an Inside Host 15-16
CHAPTER 16 Identifying Traffic with Access Lists 16-1
Access List Overview 16-1
Access List Types 16-2
Access Control Entry Order 16-2
Access Control Implicit Deny 16-3
IP Addresses Used for Access Lists When You Use NAT 16-3
Adding an Extended Access List 16-5
Extended Access List Overview 16-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6
Adding an Extended ACE 16-6
Adding an EtherType Access List 16-8
EtherType Access List Overview 16-8
Supported EtherTypes 16-8
Implicit Permit of IP and ARPs Only 16-9
Implicit and Explicit Deny ACE at the End of an Access List 16-9
IPv6 Unsupported 16-9
Using Extended and EtherType Access Lists on the Same Interface 16-9
Allowing MPLS 16-9
Adding an EtherType ACE 16-10
Adding a Standard Access List 16-11
Adding a Webtype Access List 16-11
Simplifying Access Lists with Object Grouping 16-11
How Object Grouping Works 16-12
Adding Object Groups 16-12
Adding a Protocol Object Group 16-13
Adding a Network Object Group 16-13
Adding a Service Object Group 16-14
Adding an ICMP Type Object Group 16-15
Nesting Object Groups 16-15
Using Object Groups with an Access List 16-16
Displaying Object Groups 16-17
Removing Object Groups 16-17
Adding Remarks to Access Lists 16-18
Scheduling Extended Access List Activation 16-18
Adding a Time Range 16-18
Applying the Time Range to an ACE 16-19
Logging Access List Activity 16-20
Access List Logging Overview 16-20
Configuring Logging for an Access Control Entry 16-21
Managing Deny Flows 16-22
CHAPTER 17 Applying NAT 17-1
NAT Overview 17-1
Introduction to NAT 17-2
NAT Control 17-3
NAT Types 17-5
Dynamic NAT 17-5
PAT 17-7
Static NAT 17-7
Static PAT 17-8
Bypassing NAT When NAT Control is Enabled 17-9
Policy NAT 17-9
NAT and Same Security Level Interfaces 17-13
Order of NAT Commands Used to Match Real Addresses 17-14
Mapped Address Guidelines 17-14
DNS and NAT 17-14
Configuring NAT Control 17-16
Using Dynamic NAT and PAT 17-17
Dynamic NAT and PAT Implementation 17-17
Configuring Dynamic NAT or PAT 17-23
Using Static NAT 17-26
Using Static PAT 17-27
Bypassing NAT 17-29
Configuring Identity NAT 17-30
Configuring Static Identity NAT 17-30
Configuring NAT Exemption 17-32
NAT Examples 17-33
Overlapping Networks 17-34
Redirecting Ports 17-35
CHAPTER 18 Permitting or Denying Network Access 18-1
Inbound and Outbound Access List Overview 18-1
Applying an Access List to an Interface 18-2
CHAPTER 19 Applying AAA for Network Access 19-1
AAA Performance 19-1
Configuring Authentication for Network Access 19-1
Authentication Overview 19-2
One-Time Authentication 19-2
Applications Required to Receive an Authentication Challenge 19-2
Security Appliance Authentication Prompts 19-2
Static PAT and HTTP 19-3
Enabling Network Access Authentication 19-3
Enabling Secure Authentication of Web Clients 19-5
Authenticating Directly with the Security Appliance 19-6
Enabling Direct Authentication Using HTTP and HTTPS 19-6
Enabling Direct Authentication Using Telnet 19-6
Configuring Authorization for Network Access 19-6
Configuring TACACS+ Authorization 19-7
Configuring RADIUS Authorization 19-8
Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-9
Configuring a RADIUS Server to Download Per-User Access Control List Names 19-12
Configuring Accounting for Network Access 19-13
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-14
CHAPTER 20 Applying Filtering Services 20-1
Filtering Overview 20-1
Filtering ActiveX Objects 20-2
ActiveX Filtering Overview 20-2
Enabling ActiveX Filtering 20-2
Filtering Java Applets 20-3
Filtering URLs and FTP Requests with an External Server 20-4
URL Filtering Overview 20-4
Identifying the Filtering Server 20-4
Buffering the Content Server Response 20-6
Caching Server Addresses 20-6
Filtering HTTP URLs 20-7
Configuring HTTP Filtering 20-7
Enabling Filtering of Long HTTP URLs 20-7
Truncating Long HTTP URLs 20-7
Exempting Traffic from Filtering 20-8
Filtering HTTPS URLs 20-8
Filtering FTP Requests 20-9
Viewing Filtering Statistics and Configuration 20-9
Viewing Filtering Server Statistics 20-10
Viewing Buffer Configuration and Statistics 20-11
Viewing Caching Statistics 20-11
Viewing Filtering Performance Statistics 20-11
Viewing Filtering Configuration 20-12
CHAPTER 21 Using Modular Policy Framework 21-1
Modular Policy Framework Overview 21-1
Modular Policy Framework Features 21-1
Modular Policy Framework Configuration Overview 21-2
Default Global Policy 21-3
Identifying Traffic (Layer 3/4 Class Map) 21-4
Default Class Maps 21-4
Creating a Layer 3/4 Class Map for Through Traffic 21-5
Creating a Layer 3/4 Class Map for Management Traffic 21-7
Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7
Inspection Policy Map Overview 21-8
Defining Actions in an Inspection Policy Map 21-8
Identifying Traffic in an Inspection Class Map 21-11
Creating a Regular Expression 21-12
Creating a Regular Expression Class Map 21-14
Defining Actions (Layer 3/4 Policy Map) 21-15
Layer 3/4 Policy Map Overview 21-15
Policy Map Guidelines 21-16
Supported Feature Types 21-16
Hierarchical Policy Maps 21-16
Feature Directionality 21-17
Feature Matching Guidelines within a Policy Map 21-17
Feature Matching Guidelines for Multiple Policy Maps 21-18
Order in Which Multiple Feature Actions are Applied 21-18
Default Layer 3/4 Policy Map 21-18
Adding a Layer 3/4 Policy Map 21-19
Applying Actions to an Interface (Service Policy) 21-21
Modular Policy Framework Examples 21-21
Applying Inspection and QoS Policing to HTTP Traffic 21-22
Applying Inspection to HTTP Traffic Globally 21-22
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-23
Applying Inspection to HTTP Traffic with NAT 21-24
CHAPTER 22 Managing AIP SSM and CSC SSM 22-1
Managing the AIP SSM 22-1
About the AIP SSM 22-1
Getting Started with the AIP SSM 22-2
Diverting Traffic to the AIP SSM 22-2
Sessioning to the AIP SSM and Running Setup 22-4
Managing the CSC SSM 22-5
About the CSC SSM 22-5
Getting Started with the CSC SSM 22-7
Determining What Traffic to Scan 22-9
Limiting Connections Through the CSC SSM 22-11
Diverting Traffic to the CSC SSM 22-11
Checking SSM Status 22-13
Transferring an Image onto an SSM 22-14
CHAPTER 23 Preventing Network Attacks 23-1
Configuring TCP Normalization 23-1
TCP Normalization Overview 23-1
Enabling the TCP Normalizer 23-2
Configuring Connection Limits and Timeouts 23-6
Connection Limit Overview 23-7
TCP Intercept Overview 23-7
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7
Dead Connection Detection (DCD) Overview 23-7
TCP Sequence Randomization Overview 23-8
Enabling Connection Limits and Timeouts 23-8
Preventing IP Spoofing 23-10
Configuring the Fragment Size 23-11
Blocking Unwanted Connections 23-11
Configuring IP Audit for Basic IPS Support 23-12
CHAPTER 24 Configuring QoS 24-1
QoS Overview 24-1
Supported QoS Features 24-2
What is a Token Bucket? 24-2
Policing Overview 24-3
Priority Queueing Overview 24-3
Traffic Shaping Overview 24-4
How QoS Features Interact 24-4
DSCP and DiffServ Preservation 24-5
Creating the Standard Priority Queue for an Interface 24-5
Determining the Queue and TX Ring Limits 24-6
Configuring the Priority Queue 24-7
Identifying Traffic for QoS Using Class Maps 24-8
Creating a QoS Class Map 24-8
QoS Class Map Examples 24-8
Creating a Policy for Standard Priority Queueing and/or Policing 24-9
Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing 24-11
Viewing QoS Statistics 24-13
Viewing QoS Police Statistics 24-13
Viewing QoS Standard Priority Statistics 24-14
Viewing QoS Shaping Statistics 24-14
Viewing QoS Standard Priority Queue Statistics 24-15
CHAPTER 25 Configuring Application Layer Protocol Inspection 25-1
Inspection Engine Overview 25-2
When to Use Application Protocol Inspection 25-2
Inspection Limitations 25-2
Default Inspection Policy 25-3
Configuring Application Inspection 25-5
CTIQBE Inspection 25-9
CTIQBE Inspection Overview 25-9
Limitations and Restrictions 25-10
Verifying and Monitoring CTIQBE Inspection 25-10
DCERPC Inspection 25-11
DCERPC Overview 25-11
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
DNS Inspection 25-13
How DNS Application Inspection Works 25-13
How DNS Rewrite Works 25-14
Configuring DNS Rewrite 25-15
Using the Static Command for DNS Rewrite 25-15
Using the Alias Command for DNS Rewrite 25-16
Configuring DNS Rewrite with Two NAT Zones 25-16
DNS Rewrite with Three NAT Zones 25-17
Configuring DNS Rewrite with Three NAT Zones 25-19
Verifying and Monitoring DNS Inspection 25-20
Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-20
ESMTP Inspection 25-23
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24
FTP Inspection 25-26
FTP Inspection Overview 25-27
Using the strict Option 25-27
Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-28
Verifying and Monitoring FTP Inspection 25-31
GTP Inspection 25-32
GTP Inspection Overview 25-32
Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-33
Verifying and Monitoring GTP Inspection 25-37
H.323 Inspection 25-38
H.323 Inspection Overview 25-38
How H.323 Works 25-38
Limitations and Restrictions 25-39
Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-40
Configuring H.323 and H.225 Timeout Values 25-42
Verifying and Monitoring H.323 Inspection 25-43
Monitoring H.225 Sessions 25-43
Monitoring H.245 Sessions 25-43
Monitoring H.323 RAS Sessions 25-44
HTTP Inspection 25-44
HTTP Inspection Overview 25-44
Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45
Instant Messaging Inspection 25-49
IM Inspection Overview 25-49
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49
ICMP Inspection 25-52
ICMP Error Inspection 25-52
ILS Inspection 25-53
IPSec Pass Through Inspection 25-54
IPSec Pass Through Inspection Overview 25-54
Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control 25-54
MGCP Inspection 25-56
MGCP Inspection Overview 25-56
Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-58
Configuring MGCP Timeout Values 25-59
Verifying and Monitoring MGCP Inspection 25-59
NetBIOS Inspection 25-60
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-60
PPTP Inspection 25-62
RADIUS Accounting Inspection 25-62
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-63
RSH Inspection 25-63
RTSP Inspection 25-63
RTSP Inspection Overview 25-63
Using RealPlayer 25-64
Restrictions and Limitations 25-64
SIP Inspection 25-65
SIP Inspection Overview 25-65
SIP Instant Messaging 25-65
Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66
Configuring SIP Timeout Values 25-70
Verifying and Monitoring SIP Inspection 25-70
Skinny (SCCP) Inspection 25-71
SCCP Inspection Overview 25-71
Supporting Cisco IP Phones 25-71
Restrictions and Limitations 25-72
Verifying and Monitoring SCCP Inspection 25-72
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73
SMTP and Extended SMTP Inspection 25-74
SNMP Inspection 25-76
SQL*Net Inspection 25-76
Sun RPC Inspection 25-77
Sun RPC Inspection Overview 25-77
Managing Sun RPC Services 25-77
Verifying and Monitoring Sun RPC Inspection 25-78
TFTP Inspection 25-79
XDMCP Inspection 25-80
CHAPTER 26 Configuring ARP Inspection and Bridging Parameters 26-1
Configuring ARP Inspection 26-1
ARP Inspection Overview 26-1
Adding a Static ARP Entry 26-2
Enabling ARP Inspection 26-2
Customizing the MAC Address Table 26-3
MAC Address Table Overview 26-3
Adding a Static MAC Address 26-3
Setting the MAC Address Timeout 26-4
Disabling MAC Address Learning 26-4
Viewing the MAC Address Table 26-4
PART 3 Configuring VPN
CHAPTER 27 Configuring IPsec and ISAKMP 27-1
Tunneling Overview 27-1
IPsec Overview 27-2
Configuring ISAKMP 27-2
ISAKMP Overview 27-2
Configuring ISAKMP Policies 27-5
Enabling ISAKMP on the Outside Interface 27-6
Disabling ISAKMP in Aggressive Mode 27-6
Determining an ID Method for ISAKMP Peers 27-6
Enabling IPsec over NAT-T 27-7
Using NAT-T 27-7
Enabling IPsec over TCP 27-8
Waiting for Active Sessions to Terminate Before Rebooting 27-9
Alerting Peers Before Disconnecting 27-9
Configuring Certificate Group Matching 27-9
Creating a Certificate Group Matching Rule and Policy 27-10
Using the Tunnel-group-map default-group Command 27-11
Configuring IPsec 27-11
Understanding IPsec Tunnels 27-11
Understanding Transform Sets 27-12
Defining Crypto Maps 27-12
Applying Crypto Maps to Interfaces 27-20
Using Interface Access Lists 27-20
Changing IPsec SA Lifetimes 27-22
Creating a Basic IPsec Configuration 27-22
Using Dynamic Crypto Maps 27-24
Providing Site-to-Site Redundancy 27-26
Viewing an IPsec Configuration 27-26
Clearing Security Associations 27-27
Clearing Crypto Map Configurations 27-27
Supporting the Nokia VPN Client 27-28
CHAPTER 28 Configuring L2TP over IPSec 28-1
L2TP Overview 28-1
IPSec Transport and Tunnel Modes 28-2
Configuring L2TP over IPSec Connections 28-2
Tunnel Group Switching 28-5
Viewing L2TP over IPSec Connection Information 28-5
Using L2TP Debug Commands 28-7
Enabling IPSec Debug 28-7
Getting Additional Information 28-8
CHAPTER 29 Setting General IPSec VPN Parameters 29-1
Configuring VPNs in Single, Routed Mode 29-1
Configuring IPSec to Bypass ACLs 29-1
Permitting Intra-Interface Traffic 29-2
NAT Considerations for Intra-Interface Traffic 29-3
Setting Maximum Active IPSec VPN Sessions 29-3
Using Client Update to Ensure Acceptable Client Revision Levels 29-3
Understanding Load Balancing 29-5
Implementing Load Balancing 29-6
Prerequisites 29-6
Eligible Platforms 29-7
Eligible Clients 29-7
VPN Load-Balancing Cluster Configurations 29-7
Some Typical Mixed Cluster Scenarios 29-8
Scenario 1: Mixed Cluster with No WebVPN Connections 29-8
Scenario 2: Mixed Cluster Handling WebVPN Connections 29-8
Configuring Load Balancing 29-9
Configuring the Public and Private Interfaces for Load Balancing 29-9
Configuring the Load Balancing Cluster Attributes 29-10
Configuring VPN Session Limits 29-11
CHAPTER 30 Configuring Tunnel Groups, Group Policies, and Users 30-1
Overview of Tunnel Groups, Group Policies, and Users 30-1
Tunnel Groups 30-2
General Tunnel-Group Connection Parameters 30-2
IPSec Tunnel-Group Connection Parameters 30-3
WebVPN Tunnel-Group Connection Parameters 30-4
Configuring Tunnel Groups 30-5
Maximum Tunnel Groups 30-5
Default IPSec Remote Access Tunnel Group Configuration 30-5
Configuring IPSec Tunnel-Group General Attributes 30-6
Configuring IPSec Remote-Access Tunnel Groups 30-6
Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10
Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12
Configuring LAN-to-LAN Tunnel Groups 30-13
Default LAN-to-LAN Tunnel Group Configuration 30-13
Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14
Configuring LAN-to-LAN Tunnel Group General Attributes 30-14
Configuring LAN-to-LAN IPSec Attributes 30-15
Configuring WebVPN Tunnel Groups 30-17
Specifying a Name and Type for a WebVPN Tunnel Group 30-17
Configuring WebVPN Tunnel-Group General Attributes 30-17
Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20
Customizing Login Windows for WebVPN Users 30-23
Configuring Microsoft Active Directory Settings for Password Management 30-24
Using Active Directory to Force the User to Change Password at Next Logon 30-25
Using Active Directory to Specify Maximum Password Age 30-27
Using Active Directory to Override an Account Disabled AAA Indicator 30-28
Using Active Directory to Enforce Minimum Password Length 30-29
Using Active Directory to Enforce Password Complexity 30-30
Group Policies 30-31
Default Group Policy 30-32
Configuring Group Policies 30-34
Configuring an External Group Policy 30-34
Configuring an Internal Group Policy 30-35
Configuring Group Policy Attributes 30-35
Configuring WINS and DNS Servers 30-35
Configuring VPN-Specific Attributes 30-36
Configuring Security Attributes 30-39
Configuring the Banner Message 30-41
Configuring IPSec-UDP Attributes 30-41
Configuring Split-Tunneling Attributes 30-42
Configuring Domain Attributes for Tunneling 30-43
Configuring Attributes for VPN Hardware Clients 30-45
Configuring Backup Server Attributes 30-48
Configuring Microsoft Internet Explorer Client Parameters 30-49
Configuring Network Admission Control Parameters 30-51
Configuring Address Pools 30-54
Configuring Firewall Policies 30-55
Configuring Client Access Rules 30-58
Configuring Group-Policy WebVPN Attributes 30-59
Configuring User Attributes 30-70
Viewing the Username Configuration 30-71
Configuring Attributes for Specific Users 30-71
Setting a User Password and Privilege Level 30-71
Configuring User Attributes 30-72
Configuring VPN User Attributes 30-72
Configuring WebVPN for Specific Users 30-76
CHAPTER 31 Configuring IP Addresses for VPNs 31-1
Configuring an IP Address Assignment Method 31-1
Configuring Local IP Address Pools 31-2
Configuring AAA Addressing 31-2
Configuring DHCP Addressing 31-3
CHAPTER 32 Configuring Remote Access IPSec VPNs 32-1
Summary of the Configuration 32-1
Configuring Interfaces 32-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3
Configuring an Address Pool 32-4
Adding a User 32-4
Creating a Transform Set 32-4
Defining a Tunnel Group 32-5
Creating a Dynamic Crypto Map 32-6
Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7
CHAPTER 33 Configuring Network Admission Control 33-1
Uses, Requirements, and Limitations 33-1
Configuring Basic Settings 33-1
Specifying the Access Control Server Group 33-2
Enabling NAC 33-2
Configuring the Default ACL for NAC 33-3
Configuring Exemptions from NAC 33-4
Changing Advanced Settings 33-5
Changing Clientless Authentication Settings 33-5
Enabling and Disabling Clientless Authentication 33-5
Changing the Login Credentials Used for Clientless Authentication 33-6
Configuring NAC Session Attributes 33-7
Setting the Query-for-Posture-Changes Timer 33-8
Setting the Revalidation Timer 33-9
CHAPTER 34 Configuring Easy VPN Services on the ASA 5505 34-1
Specifying the Client/Server Role of the Cisco ASA 5505 34-1
Specifying the Primary and Secondary Servers 34-2
Specifying the Mode 34-3
NEM with Multiple Interfaces 34-3
Configuring Automatic Xauth Authentication 34-4
Configuring IPSec Over TCP 34-4
Comparing Tunneling Options 34-5
Specifying the Tunnel Group or Trustpoint 34-6
Specifying the Tunnel Group 34-6
Specifying the Trustpoint 34-7
Configuring Split Tunneling 34-7
Configuring Device Pass-Through 34-8
Configuring Remote Management 34-8
Guidelines for Configuring the Easy VPN Server 34-9
Group Policy and User Attributes Pushed to the Client 34-9
Authentication Options 34-11
CHAPTER 35 Configuring the PPPoE Client 35-1
PPPoE Client Overview 35-1
Configuring the PPPoE Client Username and Password 35-2
Enabling PPPoE 35-3
Using PPPoE with a Fixed IP Address 35-3
Monitoring and Debugging the PPPoE Client 35-4
Clearing the Configuration 35-5
Using Related Commands 35-5
CHAPTER 36 Configuring LAN-to-LAN IPsec VPNs 36-1
Summary of the Configuration 36-1
Configuring Interfaces 36-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2
Creating a Transform Set 36-4
Configuring an ACL 36-4
Defining a Tunnel Group 36-5
Creating a Crypto Map and Applying It To an Interface 36-6
Applying Crypto Maps to Interfaces 36-7
CHAPTER 37 Configuring WebVPN 37-1
Getting Started with WebVPN 37-1
Observing WebVPN Security Precautions 37-2
Understanding Features Not Supported for WebVPN 37-2
Using SSL to Access the Central Site 37-3
Using HTTPS for WebVPN Sessions 37-3
Configuring WebVPN and ASDM on the Same Interface 37-3
Setting WebVPN HTTP/HTTPS Proxy 37-4
Configuring SSL/TLS Encryption Protocols 37-4
Authenticating with Digital Certificates 37-5
Enabling Cookies on Browsers for WebVPN 37-5
Managing Passwords 37-5
Using Single Sign-on with WebVPN 37-6
Configuring SSO with HTTP Basic or NTLM Authentication 37-6
Configuring SSO Authentication Using SiteMinder 37-7
Configuring SSO with the HTTP Form Protocol 37-9
Authenticating with Digital Certificates 37-15
Creating and Applying WebVPN Policies 37-15
Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16
Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16
Enabling Features for Group Policies and Users 37-16
Assigning Users to Group Policies 37-16
Using the Security Appliance Authentication Server 37-16
Using a RADIUS Server 37-16
Configuring WebVPN Tunnel Group Attributes 37-17
Configuring WebVPN Group Policy and User Attributes 37-17
Configuring Application Access 37-18
Downloading the Port-Forwarding Applet Automatically 37-18
Closing Application Access to Prevent hosts File Errors 37-18
Recovering from hosts File Errors When Using Application Access 37-18
Understanding the hosts File 37-19
Stopping Application Access Improperly 37-19
Reconfiguring a hosts File 37-20
Configuring File Access 37-22
Configuring Access to Citrix MetaFrame Services 37-24
Using WebVPN with PDAs 37-25
Using E-Mail over WebVPN 37-26
Configuring E-mail Proxies 37-26
E-mail Proxy Certificate Authentication 37-27
Configuring MAPI 37-27
Configuring Web E-mail: MS Outlook Web Access 37-27
Optimizing WebVPN Performance 37-28
Configuring Caching 37-28
Configuring Content Transformation 37-28
Configuring a Certificate for Signing Rewritten Java Content 37-29
Disabling Content Rewrite 37-29
Using Proxy Bypass 37-29
Configuring Application Profile Customization Framework 37-30
APCF Syntax 37-30
APCF Example 37-32
WebVPN End User Setup 37-32
Defining the End User Interface 37-32
Viewing the WebVPN Home Page 37-33
Viewing the WebVPN Application Access Panel 37-33
Viewing the Floating Toolbar 37-34
Customizing WebVPN Pages 37-35
Using Cascading Style Sheet Parameters 37-35
Customizing the WebVPN Login Page 37-36
Customizing the WebVPN Logout Page 37-37
Customizing the WebVPN Home Page 37-38
Customizing the Application Access Window 37-40
Customizing the Prompt Dialogs 37-41
Applying Customizations to Tunnel Groups, Groups and Users 37-42
Requiring Usernames and Passwords 37-43
Communicating Security Tips 37-44
Configuring Remote Systems to Use WebVPN Features 37-44
Capturing WebVPN Data 37-50
Creating a Capture File 37-51
Using a Browser to Display Capture Data 37-51
CHAPTER 38 Configuring SSL VPN Client 38-1
Installing SVC 38-1
Platform Requirements 38-1
Installing the SVC Software 38-2
Enabling SVC 38-3
Enabling Permanent SVC Installation 38-4
Enabling Rekey 38-5
Enabling and Adjusting Dead Peer Detection 38-5
Enabling Keepalive 38-6
Using SVC Compression 38-6
Viewing SVC Sessions 38-7
Logging Off SVC Sessions 38-8
Updating SVCs 38-8
CHAPTER 39 Configuring Certificates 39-1
Public Key Cryptography 39-1
About Public Key Cryptography 39-1
Certificate Scalability 39-2
About Key Pairs 39-2
About Trustpoints 39-3
About Revocation Checking 39-3
About CRLs 39-3
About OCSP 39-4
Supported CA Servers 39-5
Certificate Configuration 39-5
Preparing for Certificates 39-5
Configuring Key Pairs 39-6
Generating Key Pairs 39-6
Removing Key Pairs 39-7
Configuring Trustpoints 39-7
Obtaining Certificates 39-9
Obtaining Certificates with SCEP 39-9
Obtaining Certificates Manually 39-11
Configuring CRLs for a Trustpoint 39-13
Exporting and Importing Trustpoints 39-14
Exporting a Trustpoint Configuration 39-15
Importing a Trustpoint Configuration 39-15
Configuring CA Certificate Map Rules 39-15
PART 4 System Administration
CHAPTER 40 Managing System Access 40-1
Allowing Telnet Access 40-1
Allowing SSH Access 40-2
Configuring SSH Access 40-2
Using an SSH Client 40-3
Allowing HTTPS Access for ASDM 40-3
Configuring ASDM and WebVPN on the Same Interface 40-4
Configuring AAA for System Administrators 40-5
Configuring Authentication for CLI Access 40-5
Configuring Authentication To Access Privileged EXEC Mode 40-6
Configuring Authentication for the Enable Command 40-6
Authenticating Users Using the Login Command 40-6
Configuring Command Authorization 40-7
Command Authorization Overview 40-7
Configuring Local Command Authorization 40-8
Configuring TACACS+ Command Authorization 40-11
Configuring Command Accounting 40-14
Viewing the Current Logged-In User 40-14
Recovering from a Lockout 40-15
Configuring a Login Banner 40-16
C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1
Managing Licenses 41-1
Obtaining an Activation Key 41-1
Entering a New Activation Key 41-2
Viewing Files in Flash Memory 41-2
Retrieving Files from Flash Memory 41-3
Downloading Software or Configuration Files to Flash Memory 41-3
Downloading a File to a Specific Location 41-4
Downloading a File to the Startup or Running Configuration 41-4
Configuring the Application Image and ASDM Image to Boot 41-5
Configuring the File to Boot as the Startup Configuration 41-6
Performing Zero Downtime Upgrades for Failover Pairs 41-6
Upgrading an Active/Standby Failover Configuration 41-7
Upgrading an Active/Active Failover Configuration 41-8
Backing Up Configuration Files 41-8
Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9
Backing Up a Context Configuration in Flash Memory 41-9
Backing Up a Context Configuration within a Context 41-9
Copying the Configuration from the Terminal Display 41-10
Configuring Auto Update Support 41-10
Configuring Communication with an Auto Update Server 41-10
Configuring Client Updates as an Auto Update Server 41-12
Viewing Auto Update Status 41-13
C H A P T E R 42 Monitoring the Security Appliance 42-1
Using SNMP 42-1
SNMP Overview 42-1
Enabling SNMP 42-3
Configuring and Managing Logs 42-5
Logging Overview 42-5
Logging in Multiple Context Mode 42-5
Enabling and Disabling Logging 42-6
Enabling Logging to All Configured Output Destinations 42-6
Disabling Logging to All Configured Output Destinations 42-6
Viewing the Log Configuration 42-6
Configuring Log Output Destinations 42-7
Sending System Log Messages to a Syslog Server 42-7
Sending System Log Messages to the Console Port 42-8
Sending System Log Messages to an E-mail Address 42-9
Sending System Log Messages to ASDM 42-10
Sending System Log Messages to a Telnet or SSH Session 42-11
Sending System Log Messages to the Log Buffer 42-12
Filtering System Log Messages 42-14
Message Filtering Overview 42-15
Filtering System Log Messages by Class 42-15
Filtering System Log Messages with Custom Message Lists 42-17
Customizing the Log Configuration 42-18
Customizing the Log Configuration 42-18
Configuring the Logging Queue 42-19
Including the Date and Time in System Log Messages 42-19
Including the Device ID in System Log Messages 42-19
Generating System Log Messages in EMBLEM Format 42-20
Disabling a System Log Message 42-20
Changing the Severity Level of a System Log Message 42-21
Changing the Amount of Internal Flash Memory Available for Logs 42-22
Understanding System Log Messages 42-23
System Log Message Format 42-23
Severity Levels 42-23
C H A P T E R 43 Troubleshooting the Security Appliance 43-1
Testing Your Configuration 43-1
Enabling ICMP Debug Messages and System Messages 43-1
Pinging Security Appliance Interfaces 43-2
Pinging Through the Security Appliance 43-4
Disabling the Test Configuration 43-5
Traceroute 43-6
Packet Tracer 43-6
Reloading the Security Appliance 43-6
Performing Password Recovery 43-7
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7
Password Recovery for the PIX 500 Series Security Appliance 43-8
Disabling Password Recovery 43-9
Resetting the Password on the SSM Hardware Module 43-10
Other Troubleshooting Tools 43-10
Viewing Debug Messages 43-11
Capturing Packets 43-11
Viewing the Crash Dump 43-11
Common Problems 43-11
P A R T 2 Reference
Supported Platforms and Feature Licenses A-1
Security Services Module Support A-9
VPN Specifications A-10
Cisco VPN Client Support A-11
Cisco Secure Desktop Support A-11
Site-to-Site VPN Compatibility A-11
Cryptographic Standards A-12
Example 1: Multiple Mode Firewall With Outside Access B-1
Example 1: System Configuration B-2
Example 1: Admin Context Configuration B-4
Example 1: Customer A Context Configuration B-4
Example 1: Customer B Context Configuration B-4
Example 1: Customer C Context Configuration B-5
Example 2: Single Mode Firewall Using Same Security Level B-6
Example 3: Shared Resources for Multiple Contexts B-8
Example 3: System Configuration B-9
Example 3: Admin Context Configuration B-9
Example 3: Department 1 Context Configuration B-10
Example 3: Department 2 Context Configuration B-11
Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12
Example 4: System Configuration B-13
Example 4: Admin Context Configuration B-14
Example 4: Customer A Context Configuration B-15
Example 4: Customer B Context Configuration B-15
Example 4: Customer C Context Configuration B-16
Example 5: WebVPN Configuration B-16
Example 6: IPv6 Configuration B-18
Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20
Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21
Example 8: Primary Unit Configuration B-21
Example 8: Secondary Unit Configuration B-22
Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22
Example 9: Primary Unit Configuration B-23
Example 9: Primary System Configuration B-23
Example 9: Primary admin Context Configuration B-24
Example 9: Primary ctx1 Context Configuration B-25
Example 9: Secondary Unit Configuration B-25
Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26
Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27
Example 11: Primary Unit Configuration B-27
Example 11: Secondary Unit Configuration B-28
Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28
Example 12: Primary Unit Configuration B-29
Example 12: Primary System Configuration B-29
Example 12: Primary admin Context Configuration B-30
Example 12: Primary ctx1 Context Configuration B-31
Example 12: Secondary Unit Configuration B-31
Example 13: Dual ISP Support Using Static Route Tracking B-31
Example 14: ASA 5505 Base License B-33
Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35
Example 15: Primary Unit Configuration B-35
Example 15: Secondary Unit Configuration B-37
Example 16: Network Traffic Diversion B-37
Inspecting All Traffic with the AIP SSM B-43
Inspecting Specific Traffic with the AIP SSM B-44
Verifying the Recording of Alert Events B-45
Troubleshooting the Configuration B-47
Firewall Mode and Security Context Mode C-1
Command Modes and Prompts C-2
Syntax Formatting C-3
Abbreviating Commands C-3
Command-Line Editing C-3
Command Completion C-4
Command Help C-4
Filtering show Command Output C-4
Command Output Paging C-5
Adding Comments C-6
Text Configuration Files C-6
How Commands Correspond with Lines in the Text File C-6
Command-Specific Configuration Mode Commands C-6
Automatic Text Entries C-7
Line Order C-7
Commands Not Included in the Text Configuration C-7
Passwords C-7
Multiple Security Context Files C-7
IPv4 Addresses and Subnet Masks D-1
Classes D-1
Private Networks D-2
Subnet Masks D-2
Determining the Subnet Mask D-3
Determining the Address to Use with the Subnet Mask D-3
IPv6 Addresses D-5
IPv6 Address Format D-5
IPv6 Address Types D-6
Unicast Addresses D-6
Multicast Address D-8
Anycast Address D-9
Required Addresses D-10
IPv6 Address Prefixes D-10
Protocols and Applications D-11
TCP and UDP Ports D-11
Local Ports and Protocols D-14
ICMP Types D-15
Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1
Understanding Policy Enforcement of Permissions and Attributes E-2
Configuring an External LDAP Server E-2
Reviewing the LDAP Directory Structure and Configuration Procedure E-3
Organizing the Security Appliance LDAP Schema E-3
Searching the Hierarchy E-4
Binding the Security Appliance to the LDAP Server E-5
Defining the Security Appliance LDAP Schema E-5
Cisco-AV-Pair Attribute Syntax E-14
Example Security Appliance Authorization Schema E-15
Loading the Schema in the LDAP Server E-18
Defining User Permissions E-18
Example User File E-18
Reviewing Examples of Active Directory Configurations E-19
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22
Configuring an External RADIUS Server E-24
Reviewing the RADIUS Configuration Procedure E-24
Security Appliance RADIUS Authorization Attributes E-25
Security Appliance TACACS+ Attributes E-32
G L O S S A R Y
I N D E X
About This Guide
This preface introduces the Cisco Security Appliance Command Line Configuration Guide, and includes
the following sections:
• Document Objectives, page xxxv
• Audience, page xxxv
• Related Documentation, page xxxvi
• Document Organization, page xxxvi
• Document Conventions, page xxxix
• Obtaining Documentation and Submitting a Service Request, page xxxix
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line
interface. This guide does not cover every feature, but describes only the most common configuration
scenarios.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI
application. ASDM includes configuration wizards to guide you through some common configuration
scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm
This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535)
and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and
ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported
models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not
supported.
Audience
This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewalls/security appliances
• Configure VPNs
• Configure intrusion detection software
Related Documentation
For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Migrating to ASA for VPN 3000 Series Concentrator Administrators
• Cisco Security Appliance Command Reference
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Release Notes
• Cisco Security Appliance Logging Configuration and System Log Messages
• Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix Definition
Part 1: Getting Started and General Information
Chapter 1, “Introduction to the Security Appliance” Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started” Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, “Enabling Multiple Context Mode” Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance” Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance.
Chapter 5, “Configuring Ethernet Settings and Subinterfaces” Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 6, “Adding and Managing Security Contexts” Describes how to configure multiple security contexts on the security appliance.
Chapter 7, “Configuring Interface Parameters” Describes how to configure each interface and subinterface for a name, security level, and IP address.
Chapter 8, “Configuring Basic Settings” Describes how to configure basic settings that are typically required for a functioning configuration.
Chapter 9, “Configuring IP Routing” Describes how to configure IP routing.
Chapter 10, “Configuring DHCP, DDNS, and WCCP Services” Describes how to configure the DHCP server and DHCP relay.
Chapter 11, “Configuring Multicast Routing” Describes how to configure multicast routing.
Chapter 12, “Configuring IPv6” Describes how to enable and configure IPv6.
Chapter 13, “Configuring AAA Servers and the Local Database” Describes how to configure AAA servers and the local database.
Chapter 14, “Configuring Failover” Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.
Part 2: Configuring the Firewall
Chapter 15, “Firewall Mode Overview” Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.
Chapter 16, “Identifying Traffic with Access Lists” Describes how to identify traffic with access lists.
Chapter 17, “Applying NAT” Describes how address translation is performed.
Chapter 18, “Permitting or Denying Network Access” Describes how to control network access through the security appliance using access lists.
Chapter 19, “Applying AAA for Network Access” Describes how to enable AAA for network access.
Chapter 20, “Applying Filtering Services” Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 21, “Using Modular Policy Framework” Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.
Chapter 22, “Managing AIP SSM and CSC SSM” Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM.
Chapter 23, “Preventing Network Attacks” Describes how to configure protection features to intercept and respond to network attacks.
Chapter 24, “Configuring QoS” Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 25, “Configuring Application Layer Protocol Inspection” Describes how to use and configure application inspection.
Chapter 26, “Configuring ARP Inspection and Bridging Parameters” Describes how to enable ARP inspection and how to customize bridging operations.
Part 3: Configuring VPN
Chapter 27, “Configuring IPsec and ISAKMP” Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN “tunnels,” or secure connections between remote users and a private corporate network.
Chapter 28, “Configuring L2TP over IPSec” Describes how to configure L2TP over IPSec on the security appliance.
Chapter 29, “Setting General IPSec VPN Parameters” Describes miscellaneous VPN configuration procedures.
Chapter 30, “Configuring Tunnel Groups, Group Policies, and Users” Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 31, “Configuring IP Addresses for VPNs” Describes how to configure IP addresses in your private network addressing scheme, which lets the client function as a tunnel endpoint.
Chapter 32, “Configuring Remote Access IPSec VPNs” Describes how to configure a remote access VPN connection.
Chapter 33, “Configuring Network Admission Control” Describes how to configure Network Admission Control (NAC).
Chapter 34, “Configuring Easy VPN Services on the ASA 5505” Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance.
Chapter 35, “Configuring the PPPoE Client” Describes how to configure the PPPoE client provided with the security appliance.
Chapter 36, “Configuring LAN-to-LAN IPsec VPNs” Describes how to build a LAN-to-LAN VPN connection.
Chapter 37, “Configuring WebVPN” Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser.
Chapter 38, “Configuring SSL VPN Client” Describes how to install and configure the SSL VPN Client.
Chapter 39, “Configuring Certificates” Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.
Part 4: System Administration
Chapter 40, “Managing System Access” Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.
Chapter 41, “Managing Software, Licenses, and Configurations” Describes how to enter license keys and download software and configuration files.
Chapter 42, “Monitoring the Security Appliance” Describes how to monitor the security appliance.
Chapter 43, “Troubleshooting the Security Appliance” Describes how to troubleshoot the security appliance.
Part 4: Reference
Appendix A, “Feature Licenses and Specifications” Describes the feature licenses and specifications.
Appendix B, “Sample Configurations” Describes a number of common ways to implement the security appliance.
Appendix C, “Using the Command-Line Interface” Describes how to use the CLI to configure the security appliance.
Appendix D, “Addresses, Protocols, and Ports” Provides a quick reference for IP addresses, protocols, and applications.
Appendix E, “Configuring an External Server for Authorization and Authentication” Provides information about configuring LDAP and RADIUS authorization servers.
“Glossary” Provides a handy reference for commonly-used terms and acronyms.
“Index” Provides an index for the guide.
Document Conventions
Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.
Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
P A R T 1
Getting Started and General Information
C H A P T E R 1
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one
device, and for some models, an integrated intrusion prevention module called the AIP SSM or an
integrated content security and control module called the CSC SSM. The security appliance includes
many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent
(Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for
a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series
Release Notes or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not supported.
This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-6
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and even many outside interfaces if
desired, these terms are used in a general sense only.
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the security appliance allows traffic to flow freely from an inside network (higher
security level) to an outside network (lower security level). You can apply actions to traffic to customize
the security policy. This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Sending Traffic to the Content Security and Control Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The security appliance also sends accounting information to a RADIUS or TACACS+ server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the security appliance in conjunction with a separate server
running one of the following Internet filtering products:
• Websense Enterprise
• Secure Computing SmartFilter
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the security
appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM
for inspection.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The security appliance uses the
embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated
by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that
has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter
also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the “session management path,” and depending on the type of
traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible
for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state
information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
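The two-path model described above, as an added example that is not Cisco's code: a small Python simulation in which the first packet of a connection takes the session management path (access-list check, xlate allocation, session install) and every later packet of that connection takes the fast path (session lookup, TCP sequence number check, reuse of the existing translation). The class and method names, the sequence window, the toy xlate allocator, and the sample traffic are all constructed for illustration and do not model the real appliance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0      # TCP sequence number; ignored for UDP
    length: int = 0   # payload bytes, used to advance the expected sequence number


class StatefulFirewall:
    """Toy model (assumed names) of per-packet path selection in a stateful firewall."""

    SEQ_WINDOW = 65535  # constructed tolerance around the expected sequence number

    def __init__(self, access_list):
        # access_list: ordered (proto, dport, action) entries; first match wins and
        # anything unmatched is denied, mirroring an access list's implicit deny.
        self.access_list = access_list
        self.sessions = {}   # canonical 5-tuple -> {"xlate": str, "expect": {direction: seq}}
        self.next_xlate = 1  # toy allocator standing in for NAT translation (xlate) setup

    @staticmethod
    def _canonical(pkt):
        # One session entry serves both directions of a connection; the direction
        # flag records which way this packet travels relative to that entry.
        a = (pkt.src, pkt.sport)
        b = (pkt.dst, pkt.dport)
        if a <= b:
            return (pkt.proto, a, b), "forward"
        return (pkt.proto, b, a), "return"

    def _acl_permits(self, pkt):
        for proto, dport, action in self.access_list:
            if proto in (pkt.proto, "any") and dport in (pkt.dport, "any"):
                return action == "permit"
        return False  # implicit deny

    def process(self, pkt):
        """Returns (path, verdict) for one packet."""
        key, direction = self._canonical(pkt)
        session = self.sessions.get(key)
        if session is None:
            return "session-management", self._new_connection(pkt, key, direction)
        return "fast", self._established(pkt, session, direction)

    def _new_connection(self, pkt, key, direction):
        # Session management path: access-list check, (route lookup omitted here),
        # xlate allocation, then install the session so later packets use the fast path.
        if not self._acl_permits(pkt):
            return "drop: denied by access list"
        xlate = f"xlate-{self.next_xlate}"
        self.next_xlate += 1
        # UDP gets connection state too, so its later packets can take the fast path.
        self.sessions[key] = {"xlate": xlate, "expect": {direction: pkt.seq + pkt.length}}
        return f"permit via {xlate}"

    def _established(self, pkt, session, direction):
        # Fast path: session already found; apply the TCP sequence number check and
        # reuse the existing translation without re-checking the access list.
        if pkt.proto == "tcp":
            expected = session["expect"].get(direction)
            if expected is not None and abs(pkt.seq - expected) > self.SEQ_WINDOW:
                return "drop: TCP sequence number out of window"
            session["expect"][direction] = pkt.seq + pkt.length
        return f"permit via {session['xlate']}"


def demo():
    """Runs constructed sample traffic through the model and returns (path, verdict) per packet."""
    fw = StatefulFirewall([("tcp", 80, "permit"), ("udp", 53, "permit")])
    packets = [  # constructed sample traffic
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, seq=1000),          # new HTTP connection
        Packet("tcp", "203.0.113.10", 80, "10.1.1.5", 40000, seq=5000),          # return traffic
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, seq=1001, length=200),
        Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, seq=9_000_000),     # far outside window
        Packet("udp", "10.1.1.5", 53000, "203.0.113.53", 53),                    # DNS query
        Packet("udp", "203.0.113.53", 53, "10.1.1.5", 53000),                    # DNS reply
        Packet("tcp", "10.1.1.5", 40001, "203.0.113.10", 22),                    # not permitted by ACL
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path:20s} {verdict}")
```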
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to
negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them
through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel
endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel
where they are unencapsulated and sent to their final destination. It can also receive encapsulated
packets, unencapsulate them, and send them to their final destination. The security appliance invokes
various standard protocols to accomplish these functions.
The security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The security appliance invokes various standard protocols to accomplish these functions.
Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention
services module that monitors and performs real-time analysis of network traffic by looking for
anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface.
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a configuration for each context that identifies
the security policy, interfaces, and almost all the options you can configure on a standalone device. The
system administrator adds and manages contexts by configuring them in the system configuration,
which, like a single mode configuration, is the startup configuration. The system configuration identifies
basic settings for the security appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system needs to access network resources (such
as downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context.
The admin context is just like any other context, except that when a user logs into the admin context,
then that user has system administrator rights and can access the system and all other contexts.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one
mode and others in another.
Multiple context mode supports static routing only.
CHAPTER 2
Getting Started
This chapter describes how to access the command-line interface, configure the firewall mode, and work
with the configuration. This chapter includes the following sections:
• Getting Started with Your Platform Model, page 2-1
• Factory Default Configurations, page 2-1
• Accessing the Command-Line Interface, page 2-4
• Setting Transparent or Routed Firewall Mode, page 2-5
• Working with the Configuration, page 2-6
Getting Started with Your Platform Model
This guide applies to multiple security appliance platforms and models: the PIX 500 series security
appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences
between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch,
and requires some special configuration. For these hardware-based differences, the platforms or models
supported are noted directly in each section.
Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive
security appliance does not support security contexts. This guide might not list each supported model
when discussing a feature. To determine the features that are supported for your model before you start
your configuration, see the “Supported Platforms and Feature Licenses” section on page A-1 for a
detailed list of the features supported for each model.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new security appliances. The
factory default configuration is supported on all models except for the PIX 525 and PIX 535 security
appliances.
For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default
configuration configures an interface for management so you can connect to it using ASDM, with which
you can then complete your configuration.
For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces
and NAT so that the security appliance is ready to use in your network immediately.
The factory default configuration is available only for routed firewall mode and single context mode. See
Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. See
the “Setting Transparent or Routed Firewall Mode” section on page 2-5 for more information about
routed and transparent firewall mode.
This section includes the following topics:
• Restoring the Factory Default Configuration, page 2-2
• ASA 5505 Default Configuration, page 2-2
• ASA 5510 and Higher Default Configuration, page 2-3
• PIX 515/515E Default Configuration, page 2-4
Restoring the Factory Default Configuration
To restore the factory default configuration, enter the following command:
hostname(config)# configure factory-default [ip_address [mask]]
If you specify the ip_address, then you set the inside or management interface IP address, depending on
your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet
you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that
you specify.
After you restore the factory default configuration, save it to internal Flash memory using the write
memory command. The write memory command saves the running configuration to the default location
for the startup configuration, even if you previously configured the boot config command to set a
different location; when the configuration was cleared, this path was also cleared.
Note This command also clears the boot system command, if present, along with the rest of the configuration.
The boot system command lets you boot from a specific image, including an image on the external Flash
memory card. The next time you reload the security appliance after restoring the factory configuration,
it boots from the first image in internal Flash memory; if you do not have an image in internal Flash
memory, the security appliance does not boot.
To configure additional settings that are useful for a full configuration, see the setup command.
ASA 5505 Default Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the
following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not
set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask
are 192.168.1.1 and 255.255.255.0.
• An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP
address using DHCP.
• The default route is also derived from DHCP.
• All inside IP addresses are translated when accessing the outside using interface PAT.
• By default, inside users can access the outside with an access list, and outside users are prevented
from accessing the inside.
• The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface
receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
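The ip_address and mask given to configure factory-default determine the http and dhcpd address lines in the listing above. The following added example (not code from the guide) derives those two lines for a given management address and audits an http statement against the management subnet; it assumes that the DHCP pool runs from the host after the appliance address to the last usable host, which matches the documented 192.168.1.1 / 192.168.1.2-192.168.1.254 default. The sample configuration it checks is constructed.

```python
import ipaddress
import re

# Constructed sample configuration (not from the guide): the second http line is a
# deliberately over-broad ASDM scope that the audit should flag.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

HTTP_LINE = re.compile(
    r"^\s*http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def management_lines(ip_address="192.168.1.1", mask="255.255.255.0", ifname="inside"):
    """Derive the http and dhcpd address lines for the management subnet.

    The guide says the http command uses the subnet you pass to
    configure factory-default and that the dhcpd address range consists of
    addresses within it. Assumption (ours, matching the documented
    192.168.1.1 / 192.168.1.2-192.168.1.254 default): the pool runs from the
    host after the appliance address to the last usable host.
    """
    iface = ipaddress.IPv4Interface(f"{ip_address}/{mask}")
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("subnet too small for an appliance address plus a DHCP pool")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError("appliance address must be a host address in the subnet")
    last_host = net.broadcast_address - 1
    if iface.ip == last_host:
        # Appliance holds the top host address: the pool is everything below it.
        pool_start, pool_end = net.network_address + 1, iface.ip - 1
    else:
        pool_start, pool_end = iface.ip + 1, last_host
    return [
        f"http {net.network_address} {net.netmask} {ifname}",
        f"dhcpd address {pool_start}-{pool_end} {ifname}",
    ]


def audit_http_scope(config_text, ip_address="192.168.1.1", mask="255.255.255.0"):
    """Return (line, reason) pairs for http statements that admit sources
    outside the management subnet, e.g. http 0.0.0.0 0.0.0.0 on any interface."""
    mgmt = ipaddress.IPv4Interface(f"{ip_address}/{mask}").network
    findings = []
    for line in config_text.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        allowed = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if not allowed.subnet_of(mgmt):
            findings.append((line.strip(), f"allows {allowed}, wider than management subnet {mgmt}"))
    return findings


if __name__ == "__main__":
    for line in management_lines():
        print(line)
    for line, why in audit_http_scope(SAMPLE_CONFIG):
        print(f"WARNING: {line}: {why}")
```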
ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher adaptive security appliance configures
the following:
• The management interface, Management 0/0. If you did not set the IP address in the configure
factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
PIX 515/515E Default Configuration
The default factory configuration for the PIX 515/515E security appliance configures the following:
• The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default
command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface ethernet 1
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
Accessing the Command-Line Interface
For initial configuration, access the command-line interface directly from the console port. Later, you
can configure remote access using Telnet or SSH according to Chapter 40, “Managing System Access.”
If your system is already in multiple context mode, then accessing the console port places you in the
system execution space. See Chapter 3, “Enabling Multiple Context Mode,” for more information about
multiple context mode.
Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you
can connect to the default management address of 192.168.1.1 (if your security appliance includes a
factory default configuration; see the “Factory Default Configurations” section on page 2-1). On the
ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is
Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect
with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface
to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow
the steps in this section to access the command-line interface. You can then configure the minimum
parameters to access ASDM by entering the setup command.
To access the command-line interface, perform the following steps:
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a
terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide that came with your security appliance for more information about the console
cable.
Step 2 Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See the “Changing the
Enable Password” section on page 8-1 to change the enable password.
The prompt changes to:
hostname#
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
hostname# configure terminal
The prompt changes to the following:
hostname(config)#
To exit global configuration mode, enter the exit, quit, or end command.
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall
mode.
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode
in the system execution space.
When you change modes, the security appliance clears the configuration because many commands are
not supported for both modes. If you already have a populated configuration, be sure to back up your
configuration before changing the mode; you can use this backup for reference when creating your new
configuration. See the “Backing Up Configuration Files” section on page 41-8. For multiple context
mode, the system configuration is erased. This action removes any contexts from running. If you then
re-add a context that has an existing configuration that was created for the wrong mode, the context
configuration will not work correctly. Be sure to recreate your context configurations for the correct
mode before you re-add them, or add new contexts with new paths for the new configurations.
If you download a text configuration to the security appliance that changes the mode with the
firewall transparent command, be sure to put the command at the top of the configuration; the security
appliance changes the mode as soon as it reads the command and then continues reading the
configuration you downloaded. If the command is later in the configuration, the security appliance clears
all the preceding lines in the configuration. See the “Downloading Software or Configuration Files to
Flash Memory” section on page 41-3 for information about downloading text files.
• To set the mode to transparent, enter the following command in the system execution space:
hostname(config)# firewall transparent
This command also appears in each context configuration for informational purposes only; you
cannot enter this command in a context.
• To set the mode to routed, enter the following command in the system execution space:
hostname(config)# no firewall transparent
Working with the Configuration
This section describes how to work with the configuration. The security appliance loads the
configuration from a text file, called the startup configuration. This file resides by default as a hidden
file in internal Flash memory. You can, however, specify a different path for the startup configuration.
(For more information, see Chapter 41, “Managing Software, Licenses, and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must
manually save the running configuration to the startup configuration for your changes to remain after a
reboot.
The information in this section applies to both single and multiple security contexts, except where noted.
Additional information about contexts is in Chapter 3, “Enabling Multiple Context Mode.”
This section includes the following topics:
• Saving Configuration Changes, page 2-6
• Copying the Startup Configuration to the Running Configuration, page 2-8
• Viewing the Configuration, page 2-8
• Clearing and Removing Configuration Settings, page 2-9
• Creating Text Configuration Files Offline, page 2-9
Saving Configuration Changes
This section describes how to save your configuration, and includes the following topics:
• Saving Configuration Changes in Single Context Mode, page 2-7
• Saving Configuration Changes in Multiple Context Mode, page 2-7
Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context
configurations at the same time. This section includes the following topics:
• Saving Each Context and System Separately, page 2-7
• Saving All Context Configurations at the Same Time, page 2-7
Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
For multiple context mode, context startup configurations can reside on external servers. In this case, the
security appliance saves the configuration back to the server you identified in the context URL, except
for an HTTP or HTTPS URL, which does not let you save the configuration to the server.
Saving All Context Configurations at the Same Time
To save all context configurations at the same time, as well as the system configuration, enter the
following command in the system execution space:
hostname# write memory all [/noconfirm]
If you do not enter the /noconfirm keyword, you see the following prompt:
Are you sure [Y/N]:
After you enter Y, the security appliance saves the system configuration and each context. Context
startup configurations can reside on external servers. In this case, the security appliance saves the
configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL,
which does not let you save the configuration to the server.
After the security appliance saves each context, the following message appears:
‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’
Sometimes, a context is not saved because of an error. See the following information for errors:
• For contexts that are not saved because of low memory, the following message appears:
The context 'context a' could not be saved due to Unavailability of resources
• For contexts that are not saved because the remote destination is unreachable, the following message
appears:
The context 'context a' could not be saved due to non-reachability of destination
• For contexts that are not saved because the context is locked, the following message appears:
Unable to save the configuration for the following contexts as these contexts are
locked.
context ‘a’ , context ‘x’ , context ‘z’ .
A context is only locked if another user is already saving the configuration or in the process of
deleting the context.
• For contexts that are not saved because the startup configuration is read-only (for example, on an
HTTP server), the following message is printed at the end of all other messages:
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘a’ , context ‘b’ , context ‘c’ .
• For contexts that are not saved because of bad sectors in the Flash memory, the following message
appears:
The context 'context a' could not be saved due to Unknown errors
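The messages above are the only record of which contexts actually reached their startup configuration, so a save that is run from a script or captured into a log should be checked rather than assumed. The following added example (not code from the guide) parses the message shapes quoted above into saved contexts, failed contexts with their reason, and the total the appliance reported; the context names and counts in the sample output are constructed.

```python
import re

# Constructed sample of what 'write memory all' prints (the message shapes are
# those quoted in the guide; the context names and counts are made up).
SAMPLE_OUTPUT = """\
Are you sure [Y/N]: Y
‘Saving context ‘admin’ ... ( 1/5 contexts saved ) ’
‘Saving context ‘b’ ... ( 2/5 contexts saved ) ’
The context 'c' could not be saved due to non-reachability of destination
Unable to save the configuration for the following contexts as these contexts are locked.
context ‘d’ , context ‘e’ .
"""

_CURLY = re.compile(r"[‘’]")
SAVED = re.compile(r"Saving context '(?P<name>[^']+)' \.\.\. \( (?P<n>\d+)/(?P<total>\d+) contexts saved \)")
FAILED = re.compile(r"The context '(?P<name>[^']+)' could not be saved due to (?P<reason>.+)")
GROUP = re.compile(r"Unable to save the configuration for the following contexts as these contexts (?P<reason>.+)")
NAMES = re.compile(r"context '([^']+)'")


def parse_save_output(output):
    """Return (saved, failed, total): saved context names in order, a mapping of
    failed context name -> reason, and the total the appliance reported."""
    saved, failed, total = [], {}, None
    group_reason = None                      # set while reading a multi-line failure list
    for raw in output.splitlines():
        line = _CURLY.sub("'", raw).strip()  # the guide shows curly quotes; accept both kinds
        if not line:
            continue
        m = SAVED.search(line)
        if m:
            saved.append(m.group("name"))
            total = int(m.group("total"))
            group_reason = None
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group("name")] = m.group("reason").strip()
            group_reason = None
            continue
        m = GROUP.search(line)
        if m:
            reason = m.group("reason").strip().rstrip(".:")
            group_reason = re.sub(r"^(are|have)\s+", "", reason)   # "are locked" -> "locked"
            continue
        if group_reason and line.startswith("context"):
            for name in NAMES.findall(line):                      # "context 'd' , context 'e' ."
                failed[name] = group_reason
    return saved, failed, total


def unaccounted(saved, failed, total):
    """Contexts the appliance counted but neither confirmed nor explained."""
    return 0 if total is None else max(0, total - len(saved) - len(failed))


if __name__ == "__main__":
    saved, failed, total = parse_save_output(SAMPLE_OUTPUT)
    print(f"saved {len(saved)}/{total}: {saved}")
    for name, reason in failed.items():
        print(f"FAILED {name}: {reason}")
    print(f"unaccounted: {unaccounted(saved, failed, total)}")
```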
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of these options:
• To merge the startup configuration with the running configuration, enter the following command:
hostname(config)# copy startup-config running-config
A merge adds any new commands from the new configuration to the running configuration. If the
configurations are the same, no changes occur. If commands conflict or if commands affect the
running of the context, then the effect of the merge depends on the command. You might get errors,
or you might have unexpected results.
• To load the startup configuration and discard the running configuration, restart the security
appliance by entering the following command:
hostname# reload
Alternatively, you can use the following commands to load the startup configuration and discard the
running configuration without requiring a reboot:
hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config
Viewing the Configuration
The following commands let you view the running and startup configurations.
• To view the running configuration, enter the following command:
hostname# show running-config
• To view the running configuration of a specific command, enter the following command:
hostname# show running-config command
• To view the startup configuration, enter the following command:
hostname# show startup-config
Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
This command clears all the current configuration for the specified configuration command. If you
only want to clear the configuration for a specific version of the command, you can enter a value for
level2configurationcommand.
For example, to clear the configuration for all aaa commands, enter the following command:
hostname(config)# clear configure aaa
To clear the configuration for only aaa authentication commands, enter the following command:
hostname(config)# clear configure aaa authentication
• To disable the specific parameters or options of a command, enter the following command:
hostname(config)# no configurationcommand [level2configurationcommand] qualifier
In this case, you use the no command to remove the specific configuration identified by qualifier.
For example, to remove a specific nat command, enter enough of the command to identify it
uniquely as follows:
hostname(config)# no nat (inside) 1
• To erase the startup configuration, enter the following command:
hostname(config)# write erase
• To erase the running configuration, enter the following command:
hostname(config)# clear configure all
Note In multiple context mode, if you enter clear configure all from the system configuration, you
also remove all contexts and stop them from running.
Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the security appliance; when you save commands,
the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly
on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or
line by line. Alternatively, you can download a text file to the security appliance internal Flash memory.
See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading
the configuration file to the security appliance.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the
following example is “hostname(config)#”:
hostname(config)# context a
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as
follows:
context a
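Two things are worth checking before a text file prepared this way is downloaded: that the prompts have really been removed, and, as the “Setting Transparent or Routed Firewall Mode” section warns, that a firewall transparent command is the first command in the file, since the appliance clears every line it read before it. The following added example (not code from the guide) performs both checks; the prompt pattern and the sample session are our own assumptions.

```python
import re

# Matches prompts like 'hostname> ', 'hostname# ', 'hostname(config)# ' and
# 'hostname/contexta(config-if)# ' at the start of a line (assumed shapes).
PROMPT = re.compile(r"^[\w./-]+(?:\([^)]*\))?[#>]\s?")
MODE_COMMANDS = ("firewall transparent", "no firewall transparent")

# Constructed sample pasted from a terminal session (not from the guide): the
# mode command sits after two interface commands, which the appliance would clear.
SAMPLE_WITH_PROMPTS = """\
hostname(config)# interface Ethernet 0/0
hostname(config-if)# no shutdown
hostname(config)# firewall transparent
hostname(config)# hostname fw1
"""


def strip_prompts(text):
    """Remove the CLI prompt so the lines can go into an offline text file."""
    return "\n".join(PROMPT.sub("", line, count=1) for line in text.splitlines())


def is_command(line):
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith(("!", ":"))  # skip blanks and comment lines


def check_mode_command(text):
    """Return (ok, message). A mode-changing command must be the first command,
    because the appliance clears every line it read before it."""
    commands = [ln for ln in strip_prompts(text).splitlines() if is_command(ln)]
    for idx, cmd in enumerate(commands):
        if cmd.strip() in MODE_COMMANDS:
            if idx == 0:
                return True, f"{cmd.strip()} is the first command"
            return False, (f"{cmd.strip()} is command {idx + 1}; the {idx} preceding "
                           f"command(s) would be cleared: {commands[:idx]}")
    return True, "no mode change in this configuration"


if __name__ == "__main__":
    print(strip_prompts(SAMPLE_WITH_PROMPTS))
    print(check_mode_command(SAMPLE_WITH_PROMPTS))
```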
For additional information about formatting the file, see Appendix C, “Using the Command-Line
Interface.”
CHAPTER 3
Enabling Multiple Context Mode
This chapter describes how to use security contexts and enable multiple context mode. This chapter
includes the following sections:
• Security Context Overview, page 3-1
• Enabling or Disabling Multiple Context Mode, page 3-10
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
This section provides an overview of security contexts, and includes the following topics:
• Common Uses for Security Contexts, page 3-1
• Unsupported Features, page 3-2
• Context Configuration Files, page 3-2
• How the Security Appliance Classifies Packets, page 3-3
• Cascading Security Contexts, page 3-8
• Management Access to Security Contexts, page 3-9
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the security appliance, you can implement a cost-effective,
space-saving solution that keeps all customer traffic separate and secure, and also eases
configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one security appliance.
Unsupported Features
Multiple context mode does not support the following features:
• Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context
mode.
• VPN
• Multicast
Context Configuration Files
This section describes how the security appliance implements multiple context mode configurations and
includes the following sections:
• Context Configurations, page 3-2
• System Configuration, page 3-2
• Admin Context Configuration, page 3-2
Context Configurations
The security appliance includes a configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a standalone device. You can store context
configurations on the internal Flash memory or the external Flash memory card, or you can download
them from a TFTP, FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the security appliance. The system configuration does not include any network interfaces or
network settings for itself; rather, when the system needs to access network resources (such as
downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context. The system configuration does include a specialized failover interface for failover traffic only.
Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users. The admin context must reside on Flash
memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal Flash memory called admin.cfg. This context is named
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
How the Security Appliance Classifies Packets
Each packet that enters the security appliance must be classified, so that the security appliance can
determine to which context to send a packet. This section includes the following topics:
• Valid Classifier Criteria, page 3-3
• Invalid Classifier Criteria, page 3-4
• Classification Examples, page 3-5
Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.
Valid Classifier Criteria
This section describes the criteria used by the classifier, and includes the following topics:
• Unique Interfaces, page 3-3
• Unique MAC Addresses, page 3-3
• NAT Configuration, page 3-3
Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet
into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method
is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The security
appliance lets you assign a different MAC address in each context to the same shared interface, whether
it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique
MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An
upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC
addresses manually when you configure each interface (see the “Configuring the Interface” section on
page 7-2), or you can automatically generate MAC addresses (see the “Automatically Assigning MAC
Addresses to Context Interfaces” section on page 6-11).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used. To
use the destination address for classification, the classifier must have knowledge about the subnets
located behind each security context. The classifier relies on the NAT configuration to determine the
subnets in each context. The classifier matches the destination IP address to either a static command or
a global command. In the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet. Whether the packet can communicate with the
destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when
the context administrators configure static commands in each context:
• Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
• Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
• Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
Note For management traffic destined for an interface, the interface IP address is used for classification.
Invalid Classifier Criteria
The following configurations are not used for packet classification:
• NAT exemption—The classifier does not use a NAT exemption configuration for classification
purposes because NAT exemption does not identify a mapped interface.
• Routing table—If a context includes a static route that points to an external router as the next-hop
to a subnet, and a different context includes a static command for the same subnet, then the classifier
uses the static command to classify packets destined for that subnet and ignores the static route.
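As an added illustration (not Cisco code and not the appliance's implementation), the following Python models the classifier's precedence as this section describes it: unique ingress interface first, then a per-context MAC on a shared interface, then a destination-IP lookup against static or global subnets, with static routes and NAT exemption ignored and multicast or broadcast frames duplicated to every context. The subnets come from the static commands above and the MAC values from Figure 3-1; assigning 4CDA/4CDB/4CDC to contexts A/B/C and the interface names are assumptions.

```python
"""Model of the multiple-context packet classifier described in this section.

Added illustration only; it is not Cisco code. Context names, interface names and
the MAC-to-context assignment are constructed; subnets and MAC values are the
ones this section shows.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    interfaces: set                                   # interfaces allocated to the context
    macs: dict = field(default_factory=dict)          # shared interface -> per-context MAC
    static_nets: list = field(default_factory=list)   # subnets from static/global commands
    static_routes: list = field(default_factory=list) # present only to show they are ignored
    nat_exempt: list = field(default_factory=list)    # likewise ignored by the classifier


@dataclass
class Packet:
    ingress: str   # ingress interface, e.g. "GE0/0.1"
    dst_mac: str   # Cisco dotted form, e.g. "000C.F142.4CDC"
    dst_ip: str


def is_multicast_or_broadcast(mac: str) -> bool:
    # The group bit is the least significant bit of the first octet (FFFF.FFFF.FFFF included).
    return int(mac.split(".")[0][:2], 16) & 1 == 1


def classify(packet: Packet, contexts: list) -> list:
    """Return the names of the contexts that receive the packet (empty list = not classifiable)."""
    candidates = [c for c in contexts if packet.ingress in c.interfaces]
    if not candidates:
        return []
    # Multicast/broadcast destination: duplicated to every context on the interface.
    if is_multicast_or_broadcast(packet.dst_mac):
        return [c.name for c in candidates]
    # 1. Unique interface: only one context owns the ingress interface.
    if len(candidates) == 1:
        return [candidates[0].name]
    # 2. Unique MAC addresses on the shared interface. Without assigned MACs every
    #    context uses the burned-in address, so nothing matches here and we fall through.
    by_mac = [c for c in candidates
              if c.macs.get(packet.ingress, "").upper() == packet.dst_mac.upper()]
    if len(by_mac) == 1:
        return [by_mac[0].name]
    # 3. NAT configuration: destination IP only; static routes and NAT exemption are ignored.
    dst = ip_address(packet.dst_ip)
    by_nat = [c for c in candidates if any(dst in ip_network(n) for n in c.static_nets)]
    return [by_nat[0].name] if by_nat else []


def sample_contexts(unique_macs: bool) -> list:
    """Contexts A, B and C sharing GE0/0.1 (constructed layout, subnets from the static commands)."""
    shared = "GE0/0.1"
    a = Context("A", {shared, "GE0/1.1"}, static_nets=["10.10.10.0/24"],
                static_routes=["10.30.10.0/24"])  # route toward C's subnet: must be ignored
    b = Context("B", {shared, "GE0/1.2"}, static_nets=["10.20.10.0/24"])
    c = Context("C", {shared, "GE0/1.3"}, static_nets=["10.30.10.0/24"])
    if unique_macs:  # values from Figure 3-1; the assignment to A/B/C is an assumption
        a.macs[shared] = "000C.F142.4CDA"
        b.macs[shared] = "000C.F142.4CDB"
        c.macs[shared] = "000C.F142.4CDC"
    return [a, b, c]
```

With MACs assigned, the frame for 000C.F142.4CDC lands in context C regardless of destination IP; without them, an outside destination that no static or global command covers is not classifiable, which is the restriction the note on shared inside interfaces describes.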
Classification Examples
Figure 3-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to
Context B because Context B includes the MAC address to which the router sends the packet.
Figure 3-1 Packet Classification with a Shared Interface using MAC Addresses
[Figure 3-1 content: Admin Context (GE 0/1.1, Admin Network), Context A (GE 0/1.2, Inside Customer A) and Context B (GE 0/1.3, Inside Customer B) share GE 0/0.1 toward the Internet with per-context MACs 000C.F142.4CDA, 000C.F142.4CDB and 000C.F142.4CDC; inside hosts 209.165.201.1, 209.165.200.225 and 209.165.202.129; packet destination 209.165.201.1 via MAC 000C.F142.4CDC.]
Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The
classifier assigns the packet to Context B because Context B includes the address translation that
matches the destination address.
Figure 3-2 Packet Classification with a Shared Interface using NAT
Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host
on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B
because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Note If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major
restrictions. The classifier relies on the address translation configuration to classify the packet within a
context, and you must translate the destination addresses of the traffic. Because you do not usually
perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not
always possible; the outside network is large (the Web, for example), and addresses are not predictable
for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC
addresses.
[Figure 3-2 content: Admin Context (GE 0/1.1, Admin Network), Context A (GE 0/1.2, Inside Customer A) and Context B (GE 0/1.3, Inside Customer B) share GE 0/0.1 toward the Internet without unique MAC addresses; each inside network has a host 10.1.1.13; Context B translates destination address 209.165.201.3 to 10.1.1.13, so the packet for 209.165.201.3 is classified into Context B.]
Figure 3-3 Incoming Traffic from Inside Networks
[Figure 3-3 content: hosts 10.1.1.13 on the Admin Network, Inside Customer A and Inside Customer B; Admin Context GE 0/1.1, Context A GE 0/1.2, Context B GE 0/1.3; GE 0/0.1 toward the Internet; the packet from the Context B inside host enters on GE 0/1.3.]
For transparent firewalls, you must use unique interfaces. Figure 3-4 shows a host on the Context B
inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress
interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 3-4 Transparent Firewall Contexts
Cascading Security Contexts
Placing a context directly in front of another context is called cascading contexts; the outside interface
of one context is the same interface as the inside interface of another context. You might want to cascade
contexts if you want to simplify the configuration of some contexts by configuring shared parameters in
the top context.
Note Cascading contexts requires that you configure unique MAC addresses for each context interface.
Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not
recommend using cascading contexts without unique MAC addresses.
[Figure 3-4 content: transparent contexts with unique interfaces; Admin Context GE 1/0.1 and GE 0/0.1, Context A GE 1/0.2 and GE 0/0.2, Context B GE 1/0.3 and GE 0/0.3, all toward the Internet; inside hosts 10.1.1.13, 10.1.2.13 and 10.1.3.13 on the Admin Network, Inside Customer A and Inside Customer B.]
Figure 3-5 shows a gateway context with two contexts behind the gateway.
Figure 3-5 Cascading Contexts
[Figure 3-5 content: a Gateway Context with its outside interface GE 0/0.2 toward the Internet and its inside interface GE 0/0.1 as the shared interface; the Admin Context and Context A are cascaded behind it, each with its own outside and inside sides; interfaces GE 1/1.8 and GE 1/1.43 also appear.]
Management Access to Security Contexts
The security appliance provides system administrator access in multiple context mode as well as access
for individual context administrators. The following sections describe logging in as a system
administrator or as a context administrator:
• System Administrator Access, page 3-9
• Context Administrator Access, page 3-10
System Administrator Access
You can access the security appliance as a system administrator in two ways:
• Access the security appliance console.
From the console, you access the system execution space.
• Access the admin context using Telnet, SSH, or ASDM.
See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access.
As the system administrator, you can access all contexts.
When you change to a context from admin or the system, your username changes to the default
“enable_15” username. If you configured command authorization in that context, you need to either
configure authorization privileges for the “enable_15” user, or you can log in as a different name for
which you provide sufficient privileges in the command authorization configuration for the context. To
log in with a username, enter the login command. For example, you log in to the admin context with the
username “admin.” The admin context does not have any command authorization configuration, but all
other contexts include command authorization. For convenience, each context configuration includes a
user “admin” with maximum privileges. When you change from the admin context to context A, your
username is altered, so you must log in again as “admin” by entering the login command. When you
change to context B, you must again enter the login command to log in as “admin.”
The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.
Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can
only access the configuration for that context. You can provide individual logins to the context. See
Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access and to configure
management authentication.
Enabling or Disabling Multiple Context Mode
Your security appliance might already be configured for multiple security contexts depending on how
you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode
to multiple mode by following the procedures in this section. ASDM does not support changing modes,
so you need to change modes using the CLI.
This section includes the following topics:
• Backing Up the Single Mode Configuration, page 3-10
• Enabling Multiple Context Mode, page 3-10
• Restoring Single Context Mode, page 3-11
Backing Up the Single Mode Configuration
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files. The original startup configuration is not saved, so if it differs from the
running configuration, you should back it up before proceeding.
Enabling Multiple Context Mode
The context mode (single or multiple) is not stored in the configuration file, even though it persists
across reboots. If you need to copy your configuration to another device, set the mode on the new device to
match using the mode command.
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files: a new startup configuration that comprises the system configuration, and
admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The
original running configuration is saved as old_running.cfg (in the root directory of the internal Flash
memory). The original startup configuration is not saved. The security appliance automatically adds an
entry for the admin context to the system configuration with the name “admin.”
To enable multiple mode, enter the following command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
Restoring Single Context Mode
If you convert from multiple mode to single mode, you might want to first copy a full startup
configuration (if available) to the security appliance; the system configuration inherited from multiple
mode is not a complete functioning configuration for a single mode device. Because the system
configuration does not have any network interfaces as part of its configuration, you must access the
security appliance from the console to perform the copy.
To copy the old running configuration to the startup configuration and to change the mode to single
mode, perform the following steps in the system execution space:
Step 1 To copy the backup version of your original running configuration to the current startup configuration,
enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config
Step 2 To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single
The security appliance reboots.
Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive
security appliance.
Note To configure interfaces of other models, see Chapter 5, “Configuring Ethernet Settings and
Subinterfaces,” and Chapter 7, “Configuring Interface Parameters.”
This chapter includes the following sections:
• Interface Overview, page 4-1
• Configuring VLAN Interfaces, page 4-5
• Configuring Switch Ports as Access Ports, page 4-9
• Configuring a Switch Port as a Trunk Port, page 4-11
• Allowing Communication Between VLAN Interfaces on the Same Security Level, page 4-13
Interface Overview
This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes
the following topics:
• Understanding ASA 5505 Ports and Interfaces, page 4-2
• Maximum Active VLAN Interfaces for Your License, page 4-2
• Default Interface Configuration, page 4-4
• VLAN MAC Addresses, page 4-4
• Power Over Ethernet, page 4-4
• Security Level Overview, page 4-5
Understanding ASA 5505 Ports and Interfaces
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and
interfaces that you need to configure:
• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that
forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE
ports. See the “Power Over Ethernet” section on page 4-4 for more information. You can connect
these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can
connect to another switch.
• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN
networks at Layer 3, using the configured security policy to apply firewall and VPN services. In
transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer
2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN
Interfaces for Your License” section for more information about the maximum VLAN interfaces.
VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business,
and Internet VLANs.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface.
Switch ports on the same VLAN can communicate with each other using hardware switching. But when
a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive
security appliance applies the security policy to the traffic and routes or bridges between the two
VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Maximum Active VLAN Interfaces for Your License
In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active
VLANs with the Security Plus license.
An active VLAN is a VLAN with a nameif command configured.
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See
Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but
cannot initiate contact with Business.
Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License
With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to
accommodate multiple VLANs per port.
Note The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover.
See Figure 4-2 for an example network.
Figure 4-2 ASA 5505 Adaptive Security Appliance with Security Plus License
[Figure 4-1 content: ASA 5505 with Base License connecting the Business, Internet and Home VLANs.]
[Figure 4-2 content: ASA 5505 with Security Plus License connecting Inside, DMZ, Primary ISP and Backup ISP VLANs, with a Failover Link to a second ASA 5505.]
Default Interface Configuration
If your adaptive security appliance includes the default factory configuration, your interfaces are
configured as follows:
• The outside interface (security level 0) is VLAN 2.
Ethernet0/0 is assigned to VLAN 2 and is enabled.
The VLAN 2 IP address is obtained from the DHCP server.
• The inside interface (security level 100) is VLAN 1.
Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and are enabled.
VLAN 1 has IP address 192.168.1.1.
Restore the default factory configuration using the configure factory-default command.
Use the procedures in this chapter to modify the default configuration, for example, to add VLAN
interfaces.
If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other
parameters are configured.
VLAN MAC Addresses
In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches
can support this scenario. If the connected switches require unique MAC addresses, you can manually
assign MAC addresses.
In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated
MAC addresses if desired by manually assigning MAC addresses.
Power Over Ethernet
Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you
install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not
supply power to the switch ports.
If you shut down the switch port using the shutdown command, you disable power to the device. Power
is restored when you enter no shutdown. See the “Configuring Switch Ports as Access Ports” section on
page 4-9 for more information about shutting down a switch port.
To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af),
use the show power inline command.
Monitoring Traffic Using SPAN
If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also
known as switch port monitoring. The port for which you enable SPAN (called the destination port)
receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets
you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have
to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port.
See the switchport monitor command in the Cisco Security Appliance Command Reference for more
information.
Security Level Overview
Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For
example, you should assign your most secure network, such as the inside business network, to level 100.
The outside network connected to the Internet can be level 0. Other networks, such as a home network,
can be in between. You can assign interfaces to the same security level.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
• If you enable communication for same security interfaces, there is an implicit permit for interfaces
to access other interfaces on the same security level or lower. See the “Allowing Communication
Between VLAN Interfaces on the Same Security Level” section on page 4-13 for more information.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring VLAN Interfaces
For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for
routed mode, an IP address. You should also change the security level from the default, which is 0. If
you name an interface “inside” and you do not set the security level explicitly, then the adaptive security
appliance sets the security level to 100.
For information about how many VLANs you can configure, see the “Maximum Active VLAN
Interfaces for Your License” section on page 4-2.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
communications. See Chapter 14, “Configuring Failover,” to configure the failover link.
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
To configure a VLAN interface, perform the following steps:
Step 1 To specify the VLAN ID, enter the following command:
hostname(config)# interface vlan number
Where the number is between 1 and 4090.
For example, enter the following command:
hostname(config)# interface vlan 100
To remove this VLAN interface and all associated configuration, enter the no interface vlan command.
Because this interface also includes the interface name configuration, and the name is used in other
commands, those commands are also removed.
Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating
contact to one other VLAN using the following command:
hostname(config-if)# no forward interface vlan number
Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.
With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an
inside business network, and a third VLAN assigned to your home network. The home network does not
need to access the business network, so you can use the no forward interface command on the home
VLAN; the business network can access the home network, but the home network cannot access the
business network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no
forward interface command before the nameif command on the third interface; the adaptive security
appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505
adaptive security appliance.
Note If you upgrade to the Security Plus license, you can remove this command and achieve full
functionality for this interface. If you leave this command in place, this interface continues to be
limited even after upgrading.
Step 3 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 4 To set the security level, enter the following command:
hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).
Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
Note To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
To set the management IP address for transparent firewall mode, see the “Setting the
Management IP Address for a Transparent Firewall” section on page 8-5. In transparent mode,
you do not set the IP address for each interface, but rather for the whole adaptive security
appliance or context.
For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use
unique MAC addresses. You might want to set unique MAC addresses or change the generated MAC
addresses if your switch requires it, or for access control purposes.
Step 7 (Optional) To set an interface to management-only mode, so that it does not allow through traffic, enter
the following command:
hostname(config-if)# management-only
Step 8 By default, VLAN interfaces are enabled. To enable the interface, if it is not already enabled, enter the
following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command.
The following example configures seven VLAN interfaces, including the failover interface which is
configured separately using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan interface faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2
The following example configures three VLAN interfaces for the Base license. The third home interface
cannot forward traffic to the business interface.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
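As an added check (not Cisco code and not the appliance's own behaviour), the following Python lints pasted VLAN configuration text against the license rules this section states: it counts VLANs that carry a nameif command, compares the count with the Base or Security Plus limit for the firewall mode, and flags a third Base-license VLAN whose no forward interface command is missing or was entered after nameif. The sample configuration is the Base license example above; the variants derived from it are constructed.

```python
"""Lint an ASA 5505 VLAN interface configuration against the license limits this
chapter states. Added example, not Cisco code; it checks pasted CLI text offline.
The sample configs are the chapter's Base license example and constructed variants.
"""
import re

# (license, firewall mode) -> maximum active VLANs (a VLAN with a nameif command)
LIMITS = {
    ("base", "routed"): 3,
    ("base", "transparent"): 2,
    ("securityplus", "routed"): 20,
    ("securityplus", "transparent"): 3,
}
PROMPT = re.compile(r"^\S+\(config(?:-if)?\)#\s*")   # strips "hostname(config-if)# "


def parse_vlans(config_text: str) -> dict:
    """Map VLAN id -> {'nameif', 'no_forward', 'order_ok'} from CLI lines, prompts included."""
    vlans, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, {"nameif": None, "no_forward": None, "order_ok": True})
            continue
        if current is None or not line:
            continue
        entry = vlans[current]
        m = re.fullmatch(r"nameif (\S+)", line)
        if m:
            entry["nameif"] = m.group(1)
            continue
        m = re.fullmatch(r"no forward interface vlan (\d+)", line)
        if m:
            entry["no_forward"] = int(m.group(1))
            # The chapter: on the third interface, enter no forward interface before nameif.
            entry["order_ok"] = entry["nameif"] is None
    return vlans


def check_license(config_text: str, lic: str = "base", mode: str = "routed") -> list:
    """Return a list of problems; an empty list means the config fits the license."""
    vlans = parse_vlans(config_text)
    active = [v for v in vlans if vlans[v]["nameif"]]
    limit = LIMITS[(lic, mode)]
    problems = []
    if len(active) > limit:
        problems.append(f"{len(active)} active VLANs exceed the {lic}/{mode} limit of {limit}")
    if (lic, mode) == ("base", "routed") and len(active) == 3:
        limited = [v for v in active if vlans[v]["no_forward"] is not None]
        if not limited:
            problems.append("Base license: the third VLAN needs 'no forward interface vlan'")
        for v in limited:
            if not vlans[v]["order_ok"]:
                problems.append(f"vlan {v}: enter 'no forward interface' before 'nameif'")
    return problems


# From the chapter: the Base license example (third VLAN limited before it is named).
BASE_EXAMPLE = """
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
"""

# Constructed variant: 'no forward interface' entered after 'nameif' on the third VLAN.
WRONG_ORDER = BASE_EXAMPLE.replace(
    "no forward interface vlan 200\nhostname(config-if)# nameif home",
    "nameif home\nhostname(config-if)# no forward interface vlan 200")

# Constructed variant: the third VLAN is not limited at all.
NOT_LIMITED = BASE_EXAMPLE.replace("hostname(config-if)# no forward interface vlan 200\n", "")

# Constructed variant: a fourth named VLAN (a DMZ) added to the Base example.
FOUR_VLANS = BASE_EXAMPLE + """hostname(config-if)# interface vlan 400
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
"""
```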
Configuring Switch Ports as Access Ports
By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access
port. To create a trunk port to carry multiple VLANs, see the “Configuring a Switch Port as a Trunk Port”
section on page 4-11.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
Caution The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection
in the network. Therefore you must ensure that any connection with the adaptive security appliance does
not end up in a network loop.
To configure a switch port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign this switch port to a VLAN, enter the following command:
hostname(config-if)# switchport access vlan number
Where number is the VLAN ID, between 1 and 4090.
Note You might assign multiple switch ports to the primary or backup VLANs if the Internet access device
includes Layer 2 redundancy.
Step 3 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 4 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 5 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 6 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
The following example configures five VLAN interfaces, including the failover interface which is
configured using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
Configuring a Switch Port as a Trunk Port
By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry
multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license.
To create an access port, where an interface is assigned to only one VLAN, see the “Configuring Switch
Ports as Access Ports” section on page 4-9.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
To configure a trunk port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign VLANs to this trunk, enter one or more of the following commands.
• To assign native VLANs, enter the following command:
hostname(config-if)# switchport trunk native vlan vlan_id
where the vlan_id is a single VLAN ID between 1 and 4090.
Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has
VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that
egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and
have no 802.1Q header are put into VLAN 2.
Each port can only have one native VLAN, but every port can have either the same or a different
native VLAN.
• To assign VLANs, enter the following command:
hostname(config-if)# switchport trunk allowed vlan vlan_range
where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following
ways:
A single number (n)
A range (n-x)
Separate numbers and ranges by commas, for example:
5,7-10,13,45-100
You can enter spaces instead of commas, but the command is saved to the configuration with
commas.
You can include the native VLAN in this command, but it is not required; the native VLAN is passed
whether it is included in this command or not.
This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native.
Step 3 To make this switch port a trunk port, enter the following command:
hostname(config-if)# switchport mode trunk
To restore this port to access mode, enter the switchport mode access command.
Step 4 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 5 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default.
Step 6 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 7 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
The following example configures seven VLAN interfaces, including the failover interface which is
configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
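The native-VLAN and allowed-list rules from Step 2, and the 802.1Q tagging behaviour they describe, as an added Python model that is not part of this guide or of Cisco's software: parse_vlan_range, canonical_vlan_range and TrunkPort are names chosen here, and the handling of an untagged frame that arrives when no native VLAN is configured is an assumption.

```python
"""Model of ASA 5505 trunk-port VLAN handling as described in this section
(added example, not Cisco code). All inputs are constructed."""
from typing import Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4090  # switch-port VLAN ID range given in the procedure


def parse_vlan_range(text: str) -> Set[int]:
    """Parse the 'switchport trunk allowed vlan' argument: single numbers (n)
    and ranges (n-x) separated by commas or spaces, e.g. '5,7-10,13,45-100'."""
    vlans: Set[int] = set()
    for item in text.replace(",", " ").split():
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"invalid range {item!r}")
        else:
            lo = hi = int(item)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def canonical_vlan_range(vlans: Set[int]) -> str:
    """Render a VLAN set the way the appliance saves it: comma-separated,
    with consecutive IDs collapsed to n-x."""
    out = []
    ordered = sorted(vlans)
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        out.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(out)


class TrunkPort:
    """A switch port in 'switchport mode trunk' with an allowed VLAN list and
    at most one native VLAN (hypothetical class name)."""

    def __init__(self, allowed: str = "", native: Optional[int] = None):
        self.allowed = parse_vlan_range(allowed) if allowed else set()
        if native is not None and not VLAN_MIN <= native <= VLAN_MAX:
            raise ValueError("native VLAN outside 1-4090")
        self.native = native

    def carried_vlans(self) -> Set[int]:
        # The native VLAN passes whether or not it is in the allowed list.
        return self.allowed | ({self.native} if self.native is not None else set())

    def can_pass_traffic(self) -> bool:
        # The port cannot pass traffic until at least one VLAN, native or
        # non-native, is assigned to it.
        return bool(self.carried_vlans())

    def egress_tag(self, vlan: int) -> Optional[int]:
        """802.1Q tag added on egress: None for the native VLAN (frame sent
        unmodified), the VLAN ID for every other carried VLAN."""
        if vlan not in self.carried_vlans():
            raise ValueError(f"VLAN {vlan} is not carried on this trunk")
        return None if vlan == self.native else vlan

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame lands in: untagged frames go to the native
        VLAN; tagged frames are accepted only for carried VLANs. Returning
        None for an untagged frame with no native VLAN is an assumption."""
        if tag is None:
            return self.native
        return tag if tag in self.carried_vlans() else None
```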
Allowing Communication Between VLAN Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces lets traffic flow freely between all same security
interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
Chapter 5 Configuring Ethernet Settings and Subinterfaces
This chapter describes how to configure and enable physical Ethernet interfaces and how to add
subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the
ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the
interface media type.
In single context mode, complete the procedures in this chapter and then continue your interface
configuration in Chapter 7, “Configuring Interface Parameters.” In multiple context mode, complete the
procedures in this chapter in the system execution space, then assign interfaces and subinterfaces to
contexts according to Chapter 6, “Adding and Managing Security Contexts,” and finally configure the
interface parameters within each context according to Chapter 7, “Configuring Interface Parameters.”
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Configuring and Enabling RJ-45 Interfaces, page 5-1
• Configuring and Enabling Fiber Interfaces, page 5-3
• Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking, page 5-3
Configuring and Enabling RJ-45 Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.
The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive
security appliance include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. If you
want to configure the security appliance to use the fiber SFP connectors, see the “Configuring and
Enabling Fiber Interfaces” section on page 5-3.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and
duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is
always enabled and you cannot disable it.
To enable the interface, or to set a specific speed and duplex, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface physical_interface
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Step 2 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100 | 1000 | nonegotiate}
The auto setting is the default. The speed nonegotiate command disables link negotiation.
Step 3 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Configuring and Enabling Fiber Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the connectors used on the 4GE SSM or for built-in interfaces in slot 1 on the ASA 5550
adaptive security appliance are the RJ-45 connectors. To use the fiber SFP connectors, you must set the
media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the
interface to negotiate link parameters (the default) or not to negotiate.
To enable the interface, set the media type, or to set negotiation settings, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface gigabitethernet 1/port
The 4GE SSM interfaces are assigned to slot 1, as shown in the interface ID in the syntax (the interfaces
built into the chassis are assigned to slot 0).
Step 2 To set the media type to SFP, enter the following command:
hostname(config-if)# media-type sfp
To restore the default RJ-45, enter the media-type rj45 command.
Step 3 (Optional) To disable link negotiation, enter the following command:
hostname(config-if)# speed nonegotiate
For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000
Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed
nonegotiate command disables link negotiation.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking
This section describes how to configure and enable a VLAN subinterface. An interface with one or more
VLAN subinterfaces is automatically configured as an 802.1Q trunk.
You must enable the physical interface before any traffic can pass through an enabled subinterface (see
the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1 or the “Configuring and Enabling
Fiber Interfaces” section on page 5-3). For multiple context mode, if you allocate a subinterface to a
context, the interfaces are enabled by default in the context. However, before traffic can pass through the
context interface, you must also enable the interface in the system configuration with this procedure.
Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with
different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface,
you can increase the number of interfaces available to your network without adding additional physical
interfaces or security appliances. This feature is particularly useful in multiple context mode so you can
assign unique interfaces to each context.
To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses
and Specifications.”
Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the
physical interface passes untagged packets. Because the physical interface must be enabled for the
subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the
nameif command. If you want to let the physical interface pass untagged packets, you can configure the
nameif command as usual. See the “Configuring Interface Parameters” section on page 7-1 for more
information about completing the interface configuration.
To add a subinterface and assign a VLAN to it, perform the following steps:
Step 1 To specify the new subinterface, enter the following command:
hostname(config)# interface physical_interface.subinterface
See the “Configuring and Enabling RJ-45 Interfaces” section for a description of the physical interface
ID.
The subinterface ID is an integer between 1 and 4294967293.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.100
Step 2 To specify the VLAN for the subinterface, enter the following command:
hostname(config-subif)# vlan vlan_id
The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected
switches, so check the switch documentation for more information.
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface
must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the
old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the
security appliance changes the old ID.
Step 3 To enable the subinterface, enter the following command:
hostname(config-subif)# no shutdown
To disable the interface, enter the shutdown command. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
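A configuration check for the subinterface rules above (the VLAN and subinterface ID ranges, the physical interface that must be enabled before any subinterface passes traffic, and the Note about leaving nameif off a physical interface that carries subinterfaces), as an added Python example that is not part of this guide: the sample configuration is constructed, and parse_interfaces and audit_subinterfaces are names chosen here.

```python
"""Audit of physical-interface / VLAN-subinterface configuration against the
rules in this section (added example, not Cisco code). The configuration text
is constructed for illustration; block layout mirrors ASA running-config style."""
import re
from typing import Dict, List

SUBIF_MAX = 4294967293  # subinterface ID range given in Step 1
VLAN_MAX = 4094         # vlan_id range given in Step 2

# Constructed sample: one correct trunk, one subinterface without a VLAN, one
# physical interface that carries subinterfaces but also has nameif, and one
# subinterface whose parent is shut down and whose VLAN ID is out of range.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
 no shutdown
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif dmz
 security-level 50
 no shutdown
!
interface GigabitEthernet0/1.200
 nameif partners
 no shutdown
!
interface GigabitEthernet0/2
 nameif inside
 no shutdown
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif voice
 no shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/3.4095
 vlan 4095
 nameif lab
 no shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [commands]} from the 'interface ...' blocks."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_subinterfaces(config: str) -> List[str]:
    """Flag configurations that this section says cannot pass traffic, or that
    pass untagged packets on the physical interface of a trunk."""
    blocks = parse_interfaces(config)
    findings: List[str] = []
    for name, cmds in blocks.items():
        if "." in name:
            parent, sub_id = name.rsplit(".", 1)
            if not sub_id.isdigit() or not 1 <= int(sub_id) <= SUBIF_MAX:
                findings.append(f"{name}: subinterface ID must be 1-{SUBIF_MAX}")
            vlan_cmds = [c for c in cmds if re.fullmatch(r"vlan \d+", c)]
            if not vlan_cmds:
                findings.append(f"{name}: no VLAN ID; cannot pass traffic")
            else:
                vid = int(vlan_cmds[-1].split()[1])  # a later vlan command replaces the old ID
                if not 1 <= vid <= VLAN_MAX:
                    findings.append(f"{name}: VLAN ID {vid} outside 1-{VLAN_MAX}")
            parent_cmds = blocks.get(parent)
            if parent_cmds is None or "shutdown" in parent_cmds:
                findings.append(f"{name}: parent {parent} is shut down or absent; "
                                f"subinterface cannot pass traffic")
        else:
            if any(re.fullmatch(r"vlan \d+", c) for c in cmds):
                findings.append(f"{name}: a VLAN can only be assigned to a "
                                f"subinterface, not to the physical interface")
            has_subifs = any(n.startswith(name + ".") for n in blocks)
            named = any(c.startswith("nameif ") for c in cmds)
            if has_subifs and named:
                findings.append(f"{name}: carries subinterfaces but has nameif; "
                                f"it will also pass untagged packets")
    return findings
```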
Chapter 6 Adding and Managing Security Contexts
This chapter describes how to configure multiple security contexts on the security appliance, and
includes the following sections:
• Configuring Resource Management, page 6-1
• Configuring a Security Context, page 6-7
• Automatically Assigning MAC Addresses to Context Interfaces, page 6-11
• Changing Between Contexts and the System Execution Space, page 6-11
• Managing Security Contexts, page 6-12
For information about how contexts work and how to enable multiple context mode, see Chapter 3,
“Enabling Multiple Context Mode.”
Configuring Resource Management
By default, all security contexts have unlimited access to the resources of the security appliance, except
where maximum limits per context are enforced. However, if you find that one or more contexts use too
many resources, and they cause other contexts to be denied connections, for example, then you can
configure resource management to limit the use of resources per context.
This section includes the following topics:
• Classes and Class Members Overview, page 6-1
• Configuring a Class, page 6-4
Classes and Class Members Overview
The security appliance manages resources by assigning contexts to resource classes. Each context uses
the resource limits set by the class. This section includes the following topics:
• Resource Limits, page 6-2
• Default Class, page 6-3
• Class Members, page 6-4
Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each
context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those
resources, potentially affecting service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the security appliance by assigning more than 100 percent of a resource across
all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context,
and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than
the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.)
Figure 6-1 Resource Oversubscription
If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
security appliance, then the performance of the security appliance might be impaired.
The security appliance lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available or that is practically available. For example, Context A, B, and C are in the
Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but
the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to
connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned”
connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C,
even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See
Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you
have less control over how much you oversubscribe the system.
Figure 6-1 (image not reproduced): bar chart of the contexts in the class (x-axis: Contexts in Class, 1 through 10) against the total number of system connections, 999,900; y-axis marks: Max. 20% (199,800), 16% (159,984), 12% (119,988), 8% (79,992), 4% (39,996); legend: maximum connections allowed, connections in use, connections denied because system limit was reached.
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to
actively assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default
class settings. However, if the other class has any settings that are not defined, then the member context
uses the default class for those limits. For example, if you create a class with a 2 percent limit for all
concurrent connections, but no other limits, then all other limits are inherited from the default class.
Conversely, if you create a class with a limit for all resources, the class uses no settings from the default
class.
By default, the default class provides unlimited access to resources for all contexts, except for the
following limits, which are by default set to the maximum allowed per context:
• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
• MAC addresses—65,535 entries.
Figure 6-2 Unlimited Resources (image not reproduced): bar chart of Contexts A, B, and C in the Silver Class and Contexts 1, 2, and 3 in the Gold Class; y-axis marks 1% through 5%, with 50% and 43% also marked; legend: maximum connections allowed, connections in use, connections denied because system limit was reached.
Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong
to classes with some limits set; other limits are inherited from the default class. Context B inherits no
limits from default because all limits are set in its class, the Gold class. Context D was not assigned to
a class, and is by default a member of the default class.
Figure 6-3 Resource Classes (image not reproduced): the Default Class encloses Class Gold (all limits set), Class Silver (some limits set), and Class Bronze (some limits set); Contexts A, B, and C sit in those classes and Context D sits directly in the Default Class.
Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts
belong to the default class if they are not assigned to another class; you do not have to actively assign a
context to default. You can only assign a context to one resource class. The exception to this rule is that
limits that are undefined in the member class are inherited from the default class; so in effect, a context
could be a member of default plus another class.
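The percentage, absolute, unlimited and default-class inheritance rules from the overview above, together with the rule from the next section that a percentage cannot be set for a resource without a system limit, as an added Python model that is not part of this guide or of Cisco's software. System limits follow Table 6-1 later in this chapter; the connection limit is platform-specific, so the 999,900 value from Figure 6-1 is used as a constructed system limit, and rate limits and the ipsec resource are not modelled.

```python
"""Model of ASA resource classes as described in this chapter (added example,
not Cisco code). Limits are (number, is_percent) pairs; 0 means unlimited."""
from typing import Dict, Optional, Tuple

# System limits per Table 6-1; None means no hard system limit (no % allowed).
# The conns value is the constructed 999,900 from Figure 6-1, not a platform fact.
SYSTEM_LIMITS: Dict[str, Optional[int]] = {
    "mac-addresses": 65535, "conns": 999900, "inspects": None, "hosts": None,
    "asdm": 32, "ssh": 100, "syslogs": None, "telnet": 100, "xlates": None,
}
# Minimum and maximum absolute value per context where Table 6-1 gives one.
PER_CONTEXT_RANGE: Dict[str, Tuple[int, int]] = {
    "asdm": (1, 5), "ssh": (1, 5), "telnet": (1, 5),
}
UNLIMITED = 0  # as in 'limit-resource all 0'
Limit = Tuple[int, bool]  # (number, is_percent)


def parse_limit(number_text: str) -> Limit:
    """Parse the number[%] argument of limit-resource."""
    if number_text.endswith("%"):
        return int(number_text[:-1]), True
    return int(number_text), False


def validate_limit(resource: str, limit: Limit) -> None:
    """Rules from 'Configuring a Class': no percentage on a resource without a
    system limit, percentage within 1-100, absolute value within the per-context range."""
    number, is_percent = limit
    if resource not in SYSTEM_LIMITS:
        raise ValueError(f"unknown resource {resource!r}")
    if is_percent:
        if SYSTEM_LIMITS[resource] is None:
            raise ValueError(f"{resource}: no system limit, percentage not allowed")
        if not 1 <= number <= 100:
            raise ValueError(f"{resource}: percentage must be 1-100")
    elif number != UNLIMITED and resource in PER_CONTEXT_RANGE:
        lo, hi = PER_CONTEXT_RANGE[resource]
        if not lo <= number <= hi:
            raise ValueError(f"{resource}: value must be {lo}-{hi} per context")


class ResourceClass:
    """A resource class (hypothetical class name); keyword names use '_' for '-'."""

    def __init__(self, name: str, **limits: str):
        self.name = name
        self.limits: Dict[str, Limit] = {}
        for resource, text in limits.items():
            resource = resource.replace("_", "-")
            lim = parse_limit(text)
            validate_limit(resource, lim)
            self.limits[resource] = lim

    def limit_all_unlimited(self) -> None:
        """'limit-resource all 0': every resource set, so nothing is inherited."""
        self.limits = {r: (UNLIMITED, False) for r in SYSTEM_LIMITS}


# Default class: unlimited except the per-context maxima listed under 'Default Class'.
DEFAULT_CLASS = ResourceClass("default", telnet="5", ssh="5", mac_addresses="65535")


def effective_limit(cls: ResourceClass, resource: str,
                    default: ResourceClass = DEFAULT_CLASS) -> Optional[int]:
    """Absolute per-context limit, or None for unlimited. A limit undefined in
    the member class is inherited from the default class."""
    fallback = default.limits.get(resource, (UNLIMITED, False))
    number, is_percent = cls.limits.get(resource, fallback)
    if number == UNLIMITED:
        return None
    if is_percent:
        return SYSTEM_LIMITS[resource] * number // 100
    return number


def subscription_percent(assignments: Dict[str, ResourceClass], resource: str,
                         default: ResourceClass = DEFAULT_CLASS) -> Optional[float]:
    """Total share of the system limit assigned across all contexts; a value
    above 100 means the appliance is oversubscribed. None when the resource
    has no system limit or any context has unlimited access."""
    system = SYSTEM_LIMITS[resource]
    if system is None:
        return None
    total = 0.0
    for cls in assignments.values():
        eff = effective_limit(cls, resource, default)
        if eff is None:
            return None
        total += 100.0 * eff / system
    return total
```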
Configuring a Class
To configure a class in the system configuration, perform the following steps. You can change the value
of a particular resource limit by reentering the command with a new value.
Step 1 To specify the class name and enter the class configuration mode, enter the following command in the
system execution space:
hostname(config)# class name
The name is a string up to 20 characters long. To set the limits for the default class, enter default for the
name.
Step 2 To set the resource limits, see the following options:
• To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:
hostname(config-resmgmt)# limit-resource all 0
For example, you might want to create a class that includes the admin context that has no limitations.
The default class has all resources set to unlimited by default.
• To set a particular resource limit, enter the following command:
hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]
For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set
the rate per second for certain resources. For resources that do not have a system limit, you cannot
set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for
resources for which you can set the rate per second and which do not have a system limit.
Table 6-1 lists the resource types and the limits. See also the show resource types command.
Table 6-1 Resource Names and Limits
Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit (1) | Description
mac-addresses | Concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
conns | Concurrent or Rate | N/A | Concurrent connections: see the “Supported Platforms and Feature Licenses” section on page A-1 for the connection limit for your platform. Rate: N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
inspects | Rate | N/A | N/A | Application inspections.
hosts | Concurrent | N/A | N/A | Hosts that can connect through the security appliance.
asdm | Concurrent | 1 minimum, 5 maximum | 32 | ASDM management sessions (see the Note below).
ssh | Concurrent | 1 minimum, 5 maximum | 100 | SSH sessions.
syslogs | Rate | N/A | N/A | System log messages.
telnet | Concurrent | 1 minimum, 5 maximum | 100 | Telnet sessions.
xlates | Concurrent | N/A | N/A | Address translations.
1. If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.
Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.
For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the
following commands:
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
All other resources remain at unlimited.
To add a class called gold, enter the following commands:
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
Configuring a Security Context
The security context definition in the system configuration identifies the context name, configuration file
URL, and interfaces that a context can use.
Note If you do not have an admin context (for example, if you clear the configuration) then you must first
specify the admin context name by entering the following command:
hostname(config)# admin-context name
Although this context name does not exist yet in your configuration, you can subsequently enter the
context name command to match the specified name to continue the admin context configuration.
To add or change a context in the system configuration, perform the following steps:
Step 1 To add or modify a context, enter the following command in the system execution space:
hostname(config)# context name
The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts
named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you
cannot start or end the name with a hyphen.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.
Step 2 (Optional) To add a description for this context, enter the following command:
hostname(config-ctx)# description text
Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical
interface or for one or more subinterfaces.
• To allocate a physical interface, enter the following command:
hostname(config-ctx)# allocate-interface physical_interface [map_name]
[visible | invisible]
• To allocate one or more subinterfaces, enter the following command:
hostname(config-ctx)# allocate-interface
physical_interface.subinterface[-physical_interface.subinterface]
[map_name[-map_name]] [visible | invisible]
You can enter these commands multiple times to specify different ranges. If you remove an allocation
with the no form of this command, then any context commands that include this interface are removed
from the running configuration.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA
adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either
the physical interface or a subinterface) as a third interface for management traffic.
Note The management interface for transparent mode does not flood a packet out the interface when that
packet is not in the MAC address table.
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode
does not allow shared interfaces.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of
the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For
security purposes, you might not want the context administrator to know which interfaces are being used
by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only
letters, digits, or an underscore. For example, you can use the following names:
int0
inta
int_0
For subinterfaces, you can specify a range of mapped names.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these
guidelines for ranges:
• The mapped name must consist of an alphabetic portion followed by a numeric portion. The
alphabetic portion of the mapped name must match for both ends of the range. For example, enter
the following range:
int0-int10
If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command
fails.
• The numeric portion of the mapped name must include the same quantity of numbers as the
subinterface range. For example, both ranges include 100 interfaces:
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command
fails.
Specify visible to see physical interface properties in the show interface command even if you set a
mapped name. The default invisible keyword specifies to only show the mapped name.
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and
gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are
int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305
int3-int8
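As an added example (not code from the Cisco guide), the following Python function applies the mapped-name and range rules described above to an allocate-interface line and expands a valid range into its interface-to-name pairs, which is useful for checking a context definition offline before it is pasted in. The visible/invisible keyword is not modelled, and the function and class names are this example's own.

```python
import re

# Added example, not code from the Cisco guide: applies the mapped-name and
# range rules for allocate-interface and expands a valid line into
# (interface, name-as-seen-in-context) pairs. The visible/invisible keyword
# is not modelled. Function and class names are this example's own.

# Single mapped name: starts with a letter, ends with a letter or digit,
# interior characters only letters, digits or underscore.
SINGLE_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# Mapped name usable in a range: alphabetic portion followed by numeric portion.
RANGE_NAME_RE = re.compile(r"^([A-Za-z]+)(\d+)$")
# physical_interface.subinterface, for example gigabitethernet0/1.100
SUBIF_RE = re.compile(r"^([A-Za-z]+\d+/\d+)\.(\d+)$")


class AllocationError(ValueError):
    """Raised for an allocate-interface line the command would reject."""


def _split_range(spec):
    """Split 'a-b' into (a, b); a single item becomes (a, None)."""
    parts = spec.split("-")
    if len(parts) == 1:
        return parts[0], None
    if len(parts) == 2:
        return parts[0], parts[1]
    raise AllocationError(f"malformed range: {spec!r}")


def expand_allocation(interface_spec, map_spec=None):
    """Return the (interface_id, name_in_context) pairs this line allocates."""
    if_lo, if_hi = _split_range(interface_spec)
    if if_hi is None:
        # One physical interface or subinterface, optionally with a mapped name.
        if map_spec is None:
            return [(if_lo, if_lo)]
        if "-" in map_spec or not SINGLE_NAME_RE.match(map_spec):
            raise AllocationError(f"invalid mapped name: {map_spec!r}")
        return [(if_lo, map_spec)]

    # A range: both ends must be subinterfaces of the same physical interface.
    lo, hi = SUBIF_RE.match(if_lo), SUBIF_RE.match(if_hi)
    if not lo or not hi or lo.group(1) != hi.group(1):
        raise AllocationError(f"invalid subinterface range: {interface_spec!r}")
    phys, sub_lo, sub_hi = lo.group(1), int(lo.group(2)), int(hi.group(2))
    if sub_hi < sub_lo:
        raise AllocationError(f"descending subinterface range: {interface_spec!r}")
    subifs = [f"{phys}.{n}" for n in range(sub_lo, sub_hi + 1)]
    if map_spec is None:
        return [(s, s) for s in subifs]

    # Mapped-name range: alphabetic portions must match, and the numeric
    # portions must cover exactly as many names as there are subinterfaces.
    name_lo, name_hi = _split_range(map_spec)
    if name_hi is None:
        raise AllocationError("a subinterface range needs a mapped-name range")
    m_lo, m_hi = RANGE_NAME_RE.match(name_lo), RANGE_NAME_RE.match(name_hi)
    if not m_lo or not m_hi:
        raise AllocationError(f"mapped names must be letters then digits: {map_spec!r}")
    if m_lo.group(1) != m_hi.group(1):
        raise AllocationError(f"alphabetic portions differ: {name_lo!r} vs {name_hi!r}")
    n_lo, n_hi = int(m_lo.group(2)), int(m_hi.group(2))
    if n_hi - n_lo + 1 != len(subifs):
        raise AllocationError(f"{map_spec!r} covers {n_hi - n_lo + 1} names "
                              f"but the range has {len(subifs)} subinterfaces")
    names = [f"{m_lo.group(1)}{n}" for n in range(n_lo, n_hi + 1)]
    return list(zip(subifs, names))


def is_rejected(interface_spec, map_spec=None):
    """True when the line would fail, for checking a context definition offline."""
    try:
        expand_allocation(interface_spec, map_spec)
    except AllocationError:
        return True
    return False


if __name__ == "__main__":
    # The guide's own example: .300 through .305 mapped to int3 through int8.
    for interface, name in expand_allocation(
            "gigabitethernet0/2.300-gigabitethernet0/2.305", "int3-int8"):
        print(f"{interface:<30} -> {name}")
```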
Step 4 To identify the URL from which the system downloads the context configuration, enter the following
command:
hostname(config-ctx)# config-url url
When you add a context URL, the system immediately loads the context so that it is running, if the
configuration is available.
Note Enter the allocate-interface command(s) before you enter the config-url command. The security
appliance must assign interfaces to the context before it loads the context configuration; the context
configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the
config-url command first, the security appliance loads the context configuration immediately. If the
context contains any commands that refer to interfaces, those commands fail.
See the following URL syntax:
• disk:/[path/]filename
This URL indicates the internal Flash memory. The filename does not require a file extension,
although we recommend using “.cfg”. If the configuration file is not available, you see the following
message:
WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to Flash memory.
Note The admin context file must be stored on the internal Flash memory.
• ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]
The type can be one of the following keywords:
– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL ftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the FTP server.
• http[s]://[user[:password]@]server[:port]/[path/]filename
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL http://url
INFO: Creating context with default config
If you change to the context and configure the context at the CLI, you cannot save changes back to
HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp
command to copy the running configuration to a TFTP server.
• tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]
The server must be accessible from the admin context. Specify the interface name if you want to
override the route to the server address. The filename does not require a file extension, although we
recommend using “.cfg”. If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL tftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the TFTP server.
To change the URL, reenter the config-url command with a new URL.
See the “Changing the Security Context URL” section on page 6-13 for more information about
changing the URL.
For example, enter the following command:
hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg
Step 5 (Optional) To assign the context to a resource class, enter the following command:
hostname(config-ctx)# member class_name
If you do not specify a class, the context belongs to the default class. You can only assign a context to
one resource class.
For example, to assign the context to the gold class, enter the following command:
hostname(config-ctx)# member gold
Step 6 To view context information, see the show context command in the Cisco Security Appliance Command
Reference.
The following example sets the admin context to be “administrator,” creates a context called
“administrator” on the internal Flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115
int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235
int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Automatically Assigning MAC Addresses to Context Interfaces
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context
interface. The MAC address is used to classify packets within a context. If you share an interface, but do
not have unique MAC addresses for the interface in each context, then the destination IP address is used
to classify packets. The destination address is matched with the context NAT configuration, and this
method has some limitations compared to the MAC address method. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
You can automatically assign private MAC addresses to each shared context interface by entering the
following command in the system configuration:
hostname(config)# mac-address auto
For use with failover, the security appliance generates both an active and standby MAC address for each
interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using
the active MAC addresses to minimize network disruption.
When you assign an interface to a context, the new MAC address is generated immediately. If you enable
this command after you create context interfaces, then MAC addresses are generated for all interfaces
immediately after you enter the command. If you use the no mac-address auto command, the MAC
address for each interface reverts to the default MAC address. For example, subinterfaces of
GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
• Active unit MAC address: 12_slot.port_subid.contextid.
• Standby unit MAC address: 02_slot.port_subid.contextid.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an
internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context,
viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in
the context with the ID 1 has the following generated MAC addresses, where the internal ID for
subinterface 200 is 31:
• Active: 1200.0131.0001
• Standby: 0200.0131.0001
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring the Interface” section on page 7-2 to manually set the MAC address.
Changing Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change
between contexts and perform configuration and monitoring tasks within each context. The running
configuration that you edit in a configuration mode, or that is used in the copy or write commands,
depends on your location. When you are in the system execution space, the running configuration
consists only of the system configuration; when you are in a context, the running configuration consists
only of that context. For example, you cannot view all running configurations (system plus all contexts)
by entering the show running-config command. Only the current configuration displays.
To change between the system execution space and a context, or between contexts, see the following
commands:
• To change to a context, enter the following command:
hostname# changeto context name
The prompt changes to the following:
hostname/name#
• To change to the system execution space, enter the following command:
hostname/admin# changeto system
The prompt changes to the following:
hostname#
Managing Security Contexts
This section describes how to manage security contexts, and includes the following topics:
• Removing a Security Context, page 6-12
• Changing the Admin Context, page 6-13
• Changing the Security Context URL, page 6-13
• Reloading a Security Context, page 6-14
• Monitoring Security Contexts, page 6-15
Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current
admin context, unless you remove all contexts using the clear context command.
Note If you use failover, there is a delay between when you remove the context on the active unit and when
the context is removed on the standby unit. You might see an error message indicating that the number
of interfaces on the active and standby units are not consistent; this error is temporary and can be
ignored.
Use the following commands for removing contexts:
• To remove a single context, enter the following command in the system execution space:
hostname(config)# no context name
All context commands are also removed.
• To remove all contexts (including the admin context), enter the following command in the system
execution space:
hostname(config)# clear context
Changing the Admin Context
The system configuration does not include any network interfaces or network settings for itself; rather,
when the system needs to access network resources (such as downloading the contexts from the server),
it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users.
You can set any context to be the admin context, as long as the configuration file is stored in the internal
Flash memory. To set the admin context, enter the following command in the system execution space:
hostname(config)# admin-context context_name
Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin
context are terminated. You must reconnect to the new admin context.
Note A few system commands, including ntp server, identify an interface name that belongs to the admin
context. If you change the admin context, and that interface name does not exist in the new admin
context, be sure to update any system commands that refer to the interface.
Changing the Security Context URL
You cannot change the security context URL without reloading the configuration from the new URL.
The security appliance merges the new configuration with the current running configuration. Reentering
the same URL also merges the saved configuration with the running configuration. A merge adds any
new commands from the new configuration to the running configuration. If the configurations are the
same, no changes occur. If commands conflict or if commands affect the running of the context, then the
effect of the merge depends on the command. You might get errors, or you might have unexpected
results. If the running configuration is blank (for example, if the server was unavailable and the
configuration was never downloaded), then the new configuration is used. If you do not want to merge
the configurations, you can clear the running configuration, which disrupts any communications through
the context, and then reload the configuration from the new URL.
To change the URL for a context, perform the following steps:
Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by
entering the following commands. If you want to perform a merge, skip to Step 2.
hostname# changeto context name
hostname/name# configure terminal
hostname/name(config)# clear configure all
Step 2 If required, change to the system execution space by entering the following command:
hostname/name(config)# changeto system
Step 3 To enter the context configuration mode for the context you want to change, enter the following
command:
hostname(config)# context name
Step 4 To enter the new URL, enter the following command:
hostname(config)# config-url new_url
The system immediately loads the context so that it is running.
Reloading a Security Context
You can reload the context in two ways:
• Clear the running configuration and then import the startup configuration.
This action clears most attributes associated with the context, such as connections and NAT tables.
• Remove the context from the system configuration.
This action clears additional attributes, such as memory allocation, which might be useful for
troubleshooting. However, to add the context back to the system requires you to respecify the URL
and interfaces.
This section includes the following topics:
• Reloading by Clearing the Configuration, page 6-14
• Reloading by Removing and Re-adding the Context, page 6-15
Reloading by Clearing the Configuration
To reload the context by clearing the context configuration, and reloading the configuration from the
URL, perform the following steps:
Step 1 To change to the context that you want to reload, enter the following command:
hostname# changeto context name
Step 2 To access configuration mode, enter the following command:
hostname/name# configure terminal
Step 3 To clear the running configuration, enter the following command:
hostname/name(config)# clear configure all
This command clears all connections.
Step 4 To reload the configuration, enter the following command:
hostname/name(config)# copy startup-config running-config
The security appliance copies the configuration from the URL specified in the system configuration. You
cannot change the URL from within a context.
Reloading by Removing and Re-adding the Context
To reload the context by removing the context and then re-adding it, perform the steps in the following
sections:
1. “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11
2. “Configuring a Security Context” section on page 6-7
Monitoring Security Contexts
This section describes how to view and monitor context information, and includes the following topics:
• Viewing Context Information, page 6-15
• Viewing Resource Allocation, page 6-16
• Viewing Resource Usage, page 6-19
• Monitoring SYN Attacks in Contexts, page 6-20
Viewing Context Information
From the system execution space, you can view a list of contexts including the name, allocated
interfaces, and configuration file URL.
From the system execution space, view all contexts by entering the following command:
hostname# show context [name | detail | count]
The detail option shows additional information. See the sample displays below for more
information.
If you want to show information for a particular context, specify the name.
The count option shows the total number of contexts.
The following is sample output from the show context command. The following sample display shows
three contexts:
hostname# show context
Context Name Interfaces URL
*admin GigabitEthernet0/1.100 disk0:/admin.cfg
GigabitEthernet0/1.101
contexta GigabitEthernet0/1.200 disk0:/contexta.cfg
GigabitEthernet0/1.201
contextb GigabitEthernet0/1.300 disk0:/contextb.cfg
GigabitEthernet0/1.301
Total active Security Contexts: 3
Table 6-2 shows each field description.
Table 6-2 show context Fields
Field Description
Context Name Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces The interfaces assigned to the context.
URL The URL from which the security appliance loads the context configuration.
The following is sample output from the show context detail command:
hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
See the Cisco Security Appliance Command Reference for more information about the detail output.
The following is sample output from the show context count command:
hostname# show context count
Total active contexts: 2
Viewing Resource Allocation
From the system execution space, you can view the allocation for each resource across all classes and
class members.
To view the resource allocation, enter the following command:
hostname# show resource allocation [detail]
This command shows the resource allocation, but does not show the actual resources being used. See the
“Viewing Resource Usage” section on page 6-19 for more information about actual resource usage.
The detail argument shows additional information. See the following sample displays for more
information.
The following sample display shows the total allocation of each resource as an absolute value and as a
percentage of the available system resources:
hostname# show resource allocation
Resource Total % of Avail
Conns [rate] 35000 N/A
Inspects [rate] 35000 N/A
Syslogs [rate] 10500 N/A
Conns 305000 30.50%
Hosts 78842 N/A
SSH 35 35.00%
Telnet 35 35.00%
Xlates 91749 N/A
All unlimited
Table 6-3 shows each field description.
Table 6-3 show resource allocation Fields
Field Description
Resource The name of the resource that you can limit.
Total The total amount of the resource that is allocated across all contexts. The amount
is an absolute number of concurrent instances or instances per second. If you
specified a percentage in the class definition, the security appliance converts the
percentage to an absolute number for this display.
% of Avail The percentage of the total system resources that is allocated across all contexts, if
the resource has a hard system limit. If a resource does not have a system limit, this
column shows N/A.
The following is sample output from the show resource allocation detail command:
hostname# show resource allocation detail
Resource Origin:
A Value was derived from the resource 'all'
C Value set in the definition of this class
D Value set in default class
Resource Class Mmbrs Origin Limit Total Total %
Conns [rate] default all CA unlimited
gold 1 C 34000 34000 N/A
silver 1 CA 17000 17000 N/A
bronze 0 CA 8500
All Contexts: 3 51000 N/A
Inspects [rate] default all CA unlimited
gold 1 DA unlimited
silver 1 CA 10000 10000 N/A
bronze 0 CA 5000
All Contexts: 3 10000 N/A
Syslogs [rate] default all CA unlimited
gold 1 C 6000 6000 N/A
silver 1 CA 3000 3000 N/A
bronze 0 CA 1500
All Contexts: 3 9000 N/A
Conns default all CA unlimited
gold 1 C 200000 200000 20.00%
silver 1 CA 100000 100000 10.00%
bronze 0 CA 50000
All Contexts: 3 300000 30.00%
Hosts default all CA unlimited
gold 1 DA unlimited
silver 1 CA 26214 26214 N/A
bronze 0 CA 13107
All Contexts: 3 26214 N/A
SSH default all C 5
gold 1 D 5 5 5.00%
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%
Telnet default all C 5
gold 1 D 5 5 5.00%
silver 1 CA 10 10 10.00%
bronze 0 CA 5
All Contexts: 3 20 20.00%
Xlates default all CA unlimited
gold 1 DA unlimited
silver 1 CA 23040 23040 N/A
bronze 0 CA 11520
All Contexts: 3 23040 N/A
mac-addresses default all C 65535
gold 1 D 65535 65535 100.00%
silver 1 CA 6553 6553 9.99%
bronze 0 CA 3276
All Contexts: 3 137623 209.99%
Table 6-4 shows each field description.
Table 6-4 show resource allocation detail Fields
Field Description
Resource The name of the resource that you can limit.
Class The name of each class, including the default class.
The All contexts field shows the total values across all classes.
Mmbrs The number of contexts assigned to each class.
Origin The origin of the resource limit, as follows:
• A—You set this limit with the all option, instead of as an individual resource.
• C—This limit is derived from the member class.
• D—This limit was not defined in the member class, but was derived from the
default class. For a context assigned to the default class, the value will be “C”
instead of “D.”
The security appliance can combine “A” with “C” or “D.”
Limit The limit of the resource per context, as an absolute number. If you specified a
percentage in the class definition, the security appliance converts the percentage to
an absolute number for this display.
Total The total amount of the resource that is allocated across all contexts in the class.
The amount is an absolute number of concurrent instances or instances per second.
If the resource is unlimited, this display is blank.
% of Avail The percentage of the total system resources that is allocated across all contexts in
the class. If the resource is unlimited, this display is blank. If the resource does not
have a system limit, then this column shows N/A.
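As an added example (not Cisco's code), the following Python function recomputes what show resource allocation detail reports from a set of class definitions and membership counts, including the Origin letters of Table 6-4, and flags any resource whose combined allocation exceeds the system limit. The SYSTEM_LIMITS table is an assumption: mac-addresses, ssh, telnet and asdm follow Table 6-1, while the conns value of 1,000,000 is constructed (the real value is platform dependent); treating a configured limit of 0 as unlimited for single resources is also an assumption, and the sample classes are constructed to reproduce the figures in the output above.

```python
from math import floor

# Added example, not Cisco's code. Per-context system limits follow Table 6-1
# (mac-addresses, ssh, telnet, asdm); conns is platform dependent and the
# 1,000,000 here is a constructed value. None means "no system limit".
SYSTEM_LIMITS = {
    "mac-addresses": 65535, "ssh": 100, "telnet": 100, "asdm": 32,
    "conns": 1_000_000, "hosts": None, "xlates": None, "inspects": None,
}


def _to_absolute(resource, value):
    """Convert a configured limit to an absolute number, or None for unlimited.

    A value of 0 is treated as unlimited (the guide says this for "all 0";
    applying it to a single resource is an assumption). Percentages are
    truncated, which matches the sample output (10% of 65,535 -> 6,553).
    """
    if value in (0, "0", None):
        return None
    if isinstance(value, str) and value.endswith("%"):
        system = SYSTEM_LIMITS.get(resource)
        if system is None:
            raise ValueError(f"{resource} has no system limit, so a percentage is not allowed")
        return floor(int(value[:-1]) * system / 100)
    return int(value)


def _resolve(resource, classes, name):
    """Pick the limit that applies to a class, with the Origin letters of Table 6-4."""
    own = classes.get(name, {})
    if resource in own:
        return "C", own[resource]
    if "all" in own:
        return "CA", own["all"]
    default = classes.get("default", {})
    derived = "C" if name == "default" else "D"
    if resource in default:
        return derived, default[resource]
    # The default class is unlimited for anything that is not set explicitly.
    return derived + "A", default.get("all", 0)


def _pct_of_avail(amount, system):
    """Percentage of the system limit, truncated to two decimals like the CLI."""
    if system is None or amount is None:
        return None
    return floor(amount * 10000 / system) / 100


def allocation_report(classes, members, resources):
    """Return, per resource, the per-class rows and the All Contexts total."""
    report = {}
    for resource in resources:
        system = SYSTEM_LIMITS.get(resource)
        rows, grand_total = [], 0
        for cls, count in members.items():
            origin, raw = _resolve(resource, classes, cls)
            limit = _to_absolute(resource, raw)
            # Like the CLI, a class with no members or no limit shows a blank Total.
            total = limit * count if limit is not None and count else None
            if total:
                grand_total += total
            rows.append({"class": cls, "members": count, "origin": origin,
                         "limit": limit, "total": total,
                         "pct": _pct_of_avail(total, system)})
        pct = _pct_of_avail(grand_total, system)
        report[resource] = {"rows": rows, "total": grand_total, "pct": pct,
                            "oversubscribed": pct is not None and pct > 100}
    return report


# Constructed class definitions and membership that reproduce the sample output.
SAMPLE_CLASSES = {
    "default": {"all": 0, "ssh": 5, "telnet": 5, "mac-addresses": 65535},
    "gold": {"conns": "20%"},
    "silver": {"all": "10%"},
    "bronze": {"all": "5%"},
}
SAMPLE_MEMBERS = {"default": 1, "gold": 1, "silver": 1, "bronze": 0}

if __name__ == "__main__":
    for resource, entry in allocation_report(
            SAMPLE_CLASSES, SAMPLE_MEMBERS, ["mac-addresses", "conns", "ssh"]).items():
        flag = "  <-- exceeds system limit" if entry["oversubscribed"] else ""
        print(f"{resource}: All Contexts total {entry['total']} ({entry['pct']}%){flag}")
```

A resource flagged here is one for which show resource usage summary will report the system limit with an (S) marker, as described in the section below.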
Viewing Resource Usage
From the system execution space, you can view the resource usage for each context and display the
system resource usage.
From the system execution space, view the resource usage for each context by entering the following
command:
hostname# show resource usage [context context_name | top n | all | summary | system]
[resource {resource_name | all} | detail] [counter counter_name [count_threshold]]
By default, all context usage is displayed; each context is listed separately.
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must
specify a single resource type, and not resource all, with this option.
The summary option shows all context usage combined.
The system option shows all context usage combined, but shows the system limits for resources instead
of the combined context limits.
For the resource resource_name, see Table 6-1 for available resource names. See also the show resource
type command. Specify all (the default) for all types.
The detail option shows the resource usage of all resources, including those you cannot manage. For
example, you can view the number of TCP intercepts.
The counter counter_name is one of the following keywords:
• current—Shows the active concurrent instances or the current rate of the resource.
• denied—Shows the number of instances that were denied because they exceeded the resource limit
shown in the Limit column.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were
last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.
The count_threshold sets the number above which resources are shown. The default is 1. If the usage of
the resource is below the number you set, then the resource is not shown. If you specify all for the
counter name, then the count_threshold applies to the current usage.
Note To show all resources, set the count_threshold to 0.
The following is sample output from the show resource usage context command, which shows the
resource usage for the admin context:
hostname# show resource usage context admin
Resource Current Peak Limit Denied Context
Telnet 1 1 5 0 admin
Conns 44 55 N/A 0 admin
Hosts 45 56 N/A 0 admin
The following is sample output from the show resource usage summary command, which shows the
resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Syslogs [rate] 1743 2132 N/A 0 Summary
Conns 584 763 280000(S) 0 Summary
Xlates 8526 8966 N/A 0 Summary
Hosts 254 254 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Inspects [rate] 270 535 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then
the combined limit is 125. The system limit is only 100, so the system limit is shown.
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Telnet 1 1 100[S] 0 Summary
SSH 2 2 100[S] 0 Summary
Conns 56 90 N/A 0 Summary
Hosts 89 102 N/A 0 Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource Current Peak Limit Denied Context
Telnet 0 0 100 0 System
SSH 0 0 100 0 System
ASDM 0 0 32 0 System
Syslogs [rate] 1 18 N/A 0 System
Conns 0 1 280000 0 System
Xlates 0 0 N/A 0 System
Hosts 0 2 N/A 0 System
Conns [rate] 1 1 N/A 0 System
Inspects [rate] 0 0 N/A 0 System
Monitoring SYN Attacks in Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies
algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN
packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the
server SYN queue full, which prevents it from servicing connection requests. When the embryonic
connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and
generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK
back from the client, it can then authenticate the client and allow the connection to the server.
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can
monitor the amount of resources being used by TCP intercept for individual contexts using the show
resource usage detail command; you can monitor the resources being used by TCP intercept for the
entire system using the show resource usage summary detail command.
The following is sample output from the show perfmon command that shows the rate of TCP intercepts
for a context called admin.
hostname/admin# show perfmon
Context:admin
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
WebSns Req 0/s 0/s
TCP Fixup 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
TCP Intercept 322779/s 322779/s
The following is sample output from the show resource usage detail command that shows the amount
of resources being used by TCP Intercept for individual contexts. (Sample text in italics shows the TCP
intercept information.)
hostname(config)# show resource usage detail
Resource Current Peak Limit Denied Context
memory 843732 847288 unlimited 0 admin
chunk:channels 14 15 unlimited 0 admin
chunk:fixup 15 15 unlimited 0 admin
chunk:hole 1 1 unlimited 0 admin
chunk:ip-users 10 10 unlimited 0 admin
chunk:list-elem 21 21 unlimited 0 admin
chunk:list-hdr 3 4 unlimited 0 admin
chunk:route 2 2 unlimited 0 admin
chunk:static 1 1 unlimited 0 admin
tcp-intercepts 328787 803610 unlimited 0 admin
np-statics 3 3 unlimited 0 admin
statics 1 1 unlimited 0 admin
ace-rules 1 1 unlimited 0 admin
console-access-rul 2 2 unlimited 0 admin
fixup-rules 14 15 unlimited 0 admin
memory 959872 960000 unlimited 0 c1
chunk:channels 15 16 unlimited 0 c1
chunk:dbgtrace 1 1 unlimited 0 c1
chunk:fixup 15 15 unlimited 0 c1
chunk:global 1 1 unlimited 0 c1
chunk:hole 2 2 unlimited 0 c1
chunk:ip-users 10 10 unlimited 0 c1
chunk:udp-ctrl-blk 1 1 unlimited 0 c1
chunk:list-elem 24 24 unlimited 0 c1
chunk:list-hdr 5 6 unlimited 0 c1
chunk:nat 1 1 unlimited 0 c1
chunk:route 2 2 unlimited 0 c1
chunk:static 1 1 unlimited 0 c1
tcp-intercept-rate 16056 16254 unlimited 0 c1
globals 1 1 unlimited 0 c1
np-statics 3 3 unlimited 0 c1
statics 1 1 unlimited 0 c1
nats 1 1 unlimited 0 c1
ace-rules 2 2 unlimited 0 c1
console-access-rul 2 2 unlimited 0 c1
fixup-rules 14 15 unlimited 0 c1
memory 232695716 232020648 unlimited 0 system
chunk:channels 17 20 unlimited 0 system
chunk:dbgtrace 3 3 unlimited 0 system
chunk:fixup 15 15 unlimited 0 system
chunk:ip-users 4 4 unlimited 0 system
chunk:list-elem 1014 1014 unlimited 0 system
chunk:list-hdr 1 1 unlimited 0 system
chunk:route 1 1 unlimited 0 system
block:16384 510 885 unlimited 0 system
block:2048 32 34 unlimited 0 system
The following sample output shows the resources being used by TCP intercept for the entire system.
(Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detail
Resource Current Peak Limit Denied Context
memory 238421312 238434336 unlimited 0 Summary
chunk:channels 46 48 unlimited 0 Summary
chunk:dbgtrace 4 4 unlimited 0 Summary
chunk:fixup 45 45 unlimited 0 Summary
chunk:global 1 1 unlimited 0 Summary
chunk:hole 3 3 unlimited 0 Summary
chunk:ip-users 24 24 unlimited 0 Summary
chunk:udp-ctrl-blk 1 1 unlimited 0 Summary
chunk:list-elem 1059 1059 unlimited 0 Summary
chunk:list-hdr 10 11 unlimited 0 Summary
chunk:nat 1 1 unlimited 0 Summary
chunk:route 5 5 unlimited 0 Summary
chunk:static 2 2 unlimited 0 Summary
block:16384 510 885 unlimited 0 Summary
block:2048 32 35 unlimited 0 Summary
tcp-intercept-rate 341306 811579 unlimited 0 Summary
globals 1 1 unlimited 0 Summary
np-statics 6 6 unlimited 0 Summary
statics 2 2 N/A 0 Summary
nats 1 1 N/A 0 Summary
ace-rules 3 3 N/A 0 Summary
console-access-rul 4 4 N/A 0 Summary
fixup-rules 43 44 N/A 0 Summary
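The show resource usage tables in this section and in the TCP Intercept monitoring output are easy to read by eye but awkward to watch continuously. The following Python parser is an added example, not part of this guide or of the appliance software: it reads the summary, system and detail table shapes shown above, flags rows with a nonzero Denied count and rows whose limit was capped at the system limit, and picks out the tcp-intercept rows. The sample text is constructed from rows copied out of the outputs above, and the (S)/[S] marker handling assumes only the two spellings seen in those samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rows copied from the show resource usage outputs in this section,
# combined so that the summary, system-capped and detail (tcp-intercept) shapes all appear.
SAMPLE_OUTPUT = """\
hostname# show resource usage summary
Resource Current Peak Limit Denied Context
Syslogs [rate] 1743 2132 N/A 0 Summary
Conns 584 763 280000(S) 0 Summary
Xlates 8526 8966 N/A 0 Summary
Hosts 254 254 N/A 0 Summary
Conns [rate] 270 535 N/A 1704 Summary
Inspects [rate] 270 535 N/A 0 Summary
Telnet 1 1 100[S] 0 Summary
tcp-intercept-rate 341306 811579 unlimited 0 Summary
tcp-intercepts 328787 803610 unlimited 0 admin
S = System: Combined context limits exceed the system limit; the system limit is shown.
"""

# name, optional " [rate]", then Current Peak Limit Denied Context; columns may be
# separated by any run of whitespace, as they are when the device aligns them.
ROW_RE = re.compile(
    r"^(?P<name>\S+(?: \[rate\])?)\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<limit>\S+)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)
LIMIT_RE = re.compile(r"(\d+)([\(\[]S[\)\]])?")   # 280000(S) or 100[S]


@dataclass
class ResourceRow:
    name: str
    is_rate: bool            # "[rate]" rows count instances per second, not concurrent ones
    current: int
    peak: int
    limit: Optional[int]     # None for N/A or unlimited
    system_capped: bool      # combined context limits exceeded the system limit
    denied: int
    context: str

    def utilization_pct(self) -> Optional[float]:
        return None if not self.limit else 100.0 * self.current / self.limit


def parse_limit(text: str):
    """Return (limit or None, system_capped)."""
    if text in ("N/A", "unlimited"):
        return None, False
    m = LIMIT_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Limit field: {text!r}")
    return int(m.group(1)), m.group(2) is not None


def parse_resource_usage(text: str) -> List[ResourceRow]:
    """Parse the table; the prompt, the header and the 'S = System' legend do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        limit, capped = parse_limit(m.group("limit"))
        name = m.group("name")
        rows.append(ResourceRow(
            name=name.replace(" [rate]", ""), is_rate=name.endswith("[rate]"),
            current=int(m.group("current")), peak=int(m.group("peak")),
            limit=limit, system_capped=capped,
            denied=int(m.group("denied")), context=m.group("context")))
    return rows


def denied_resources(rows: List[ResourceRow]) -> List[ResourceRow]:
    """Resources that refused requests because a limit was hit (Denied > 0)."""
    return [r for r in rows if r.denied > 0]


def system_capped(rows: List[ResourceRow]) -> List[ResourceRow]:
    """Resources whose summed per-context limits exceed the system limit."""
    return [r for r in rows if r.system_capped]


def tcp_intercept_rows(rows: List[ResourceRow]) -> List[ResourceRow]:
    """Rows from the detail views that report TCP Intercept activity."""
    return [r for r in rows if r.name.startswith("tcp-intercept")]


def report(rows: List[ResourceRow]) -> List[str]:
    """One line per finding, suitable for feeding a monitoring system."""
    lines = [f"DENIED {r.context} {r.name}{' [rate]' if r.is_rate else ''}: {r.denied}"
             for r in denied_resources(rows)]
    lines += [f"SYSTEM-LIMIT {r.context} {r.name}: limit {r.limit}, current {r.current}"
              for r in system_capped(rows)]
    return lines


if __name__ == "__main__":
    for line in report(parse_resource_usage(SAMPLE_OUTPUT)):
        print(line)
```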
Chapter 7 Configuring Interface Parameters
This chapter describes how to configure each interface and subinterface for a name, security level, and
IP address. For single context mode, the procedures in this chapter continue the interface configuration
started in Chapter 5, “Configuring Ethernet Settings and Subinterfaces.” For multiple context mode, the
procedures in Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” are performed in the system
execution space, while the procedures in this chapter are performed within each security context.
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Security Level Overview, page 7-1
• Configuring the Interface, page 7-2
• Allowing Communication Between Interfaces on the Same Security Level, page 7-6
Security Level Overview
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100, while the outside
network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You
can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces
on the Same Security Level” section on page 7-6 for more information.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Communication
Between Interfaces on the Same Security Level” section on page 7-6), there is an implicit permit for
interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring the Interface
By default, all physical interfaces are shut down. You must enable the physical interface before any
traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical
interface or subinterface to a context, the interfaces are enabled by default in the context. However,
before traffic can pass through the context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution space, then that interface is down
in all contexts that share it.
Before you can complete your configuration and allow traffic through the security appliance, you need
to configure an interface name, and for routed mode, an IP address. You should also change the security
level from the default, which is 0. If you name an interface “inside” and you do not set the security level
explicitly, then the security appliance sets the security level to 100.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover
and state links.
For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system
configuration.
• The system configuration only lets you configure Ethernet settings and VLANs. The exception is
for failover interfaces; do not configure failover interfaces with this procedure. See the Failover
chapter for more information.
Note If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
To configure an interface or subinterface, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface {physical_interface[.subinterface] | mapped_name}
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1. For the ASA 5550 adaptive security appliance, for maximum
throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside
interface to slot 1 and the outside interface to slot 0.
The ASA 5510 and higher adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Append the subinterface ID to the physical interface ID separated by a period (.).
In multiple context mode, enter the mapped name if one was assigned using the allocate-interface
command.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.1
Step 2 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 3 To set the security level, enter the following command:
hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).
Step 4 (Optional) To set an interface to management-only mode, enter the following command:
hostname(config-if)# management-only
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called
Management 0/0, which is meant to support traffic to the security appliance. However, you can configure
any interface to be a management-only interface using the management-only command. Also, for
Management 0/0, you can disable management-only mode so the interface can pass through traffic just
like any other interface.
Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the
ASA 5510 and higher adaptive security appliance, you can use the Management 0/0
interface (either the physical interface or a subinterface) as a third interface for management
traffic. The mode is not configurable in this case and must always be management-only.
Step 5 To set the IP address, enter one of the following commands.
In routed firewall mode, you set the IP address for all interfaces. In transparent firewall mode, you do
not set the IP address for each interface, but rather for the whole security appliance or context. The
exception is for the Management 0/0 management-only interface, which does not pass through traffic.
To set the management IP address for transparent firewall mode, see the “Setting the Management IP
Address for a Transparent Firewall” section on page 8-5. To set the IP address of the Management 0/0
interface or subinterface, use one of the following commands.
To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
The mac_address is in H.H.H format, where each H is a 16-bit hexadecimal value. For example, the
MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
For use with failover, set the standby MAC address. If the active unit fails over and the standby unit
becomes active, the new active unit starts using the active MAC addresses to minimize network
disruption, while the old active unit uses the standby address.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC
address to the interface in each context. This feature lets the security appliance easily classify packets
into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has
some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more
information. You can assign each MAC address manually, or you can automatically generate MAC
addresses for shared interfaces in contexts. See the “Automatically Assigning MAC Addresses to
Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically
generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want
to assign unique MAC addresses to subinterfaces. For example, your service provider might perform
access control based on the MAC address.
Step 7 To enable the interface, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it, even though the context
configurations show the interface as enabled.
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
The following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown
The following example configures interface parameters in multiple context mode for the system
configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown
Allowing Communication Between Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces.
If you use different levels for each interface and do not assign any interfaces to the same security
level, you can configure only one interface per level (0 to 100).
• You want traffic to flow freely between all same security interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
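The security-level rules in this chapter decide, before any access list is consulted, which interface pairs can talk. As an added example that is not part of this guide or of the appliance software, the following Python models those rules (implicit permit from a higher to a lower level, same-level traffic only with same-security-traffic permit inter-interface, the inside default of 100, management-only interfaces carrying no through traffic, and a subinterface going down with its shut-down parent) and runs them over a constructed interface configuration written in the command form of the examples above. The pair listing is my own check, not appliance output, and the parser assumes "no shutdown" appears explicitly as it does in those examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the command form of this chapter's examples (not running-config
# output). "inside" gets no explicit security-level, so it defaults to 100; dmz1 and dmz2
# share level 50; gigabitethernet0/2 stays shut down, taking subinterface dmz2 down with it.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface gigabitethernet0/0
 nameif outside
 no shutdown
interface gigabitethernet0/1
 nameif inside
 no shutdown
interface gigabitethernet0/1.1
 nameif dmz1
 security-level 50
 no shutdown
interface gigabitethernet0/2
 shutdown
interface gigabitethernet0/2.1
 nameif dmz2
 security-level 50
 no shutdown
interface management0/0
 nameif mgmt
 security-level 100
 management-only
 no shutdown
"""

@dataclass
class Interface:
    ifname: str                           # physical_interface[.subinterface]
    nameif: Optional[str] = None
    security_level: Optional[int] = None  # None: never set explicitly
    management_only: bool = False
    enabled: bool = False                 # shut down until "no shutdown"

    def effective_level(self) -> int:
        if self.security_level is not None:
            return self.security_level
        return 100 if self.nameif == "inside" else 0   # "inside" defaults to 100, others to 0

@dataclass
class Config:
    interfaces: Dict[str, Interface] = field(default_factory=dict)  # keyed by ifname
    same_security_inter_interface: bool = False

    def by_nameif(self, name: str) -> Interface:
        for i in self.interfaces.values():
            if i.nameif == name:
                return i
        raise KeyError(name)

    def is_up(self, i: Interface) -> bool:
        """A subinterface passes traffic only if its physical parent is enabled too."""
        parent = self.interfaces.get(i.ifname.split(".")[0]) if "." in i.ifname else None
        return i.enabled and (parent is None or parent.enabled)

def parse_config(text: str) -> Config:
    cfg, cur = Config(), None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = cfg.interfaces.setdefault(words[1].lower(), Interface(words[1].lower()))
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_security_inter_interface = True
        elif cur is None:
            continue                                  # other global commands are not modelled
        elif words[0] == "nameif":
            cur.nameif = words[1]
        elif words[0] == "security-level":
            cur.security_level = int(words[1])
        elif line == "management-only":
            cur.management_only = True
        elif line in ("shutdown", "no shutdown"):
            cur.enabled = line.startswith("no")
    return cfg

def implicit_permit(cfg: Config, src: str, dst: str) -> bool:
    """Does security level alone (no access list) permit traffic from src to dst?"""
    a, b = cfg.by_nameif(src), cfg.by_nameif(dst)
    if a is b or a.management_only or b.management_only:
        return False                                  # management-only: no through traffic
    if not (cfg.is_up(a) and cfg.is_up(b)):
        return False
    la, lb = a.effective_level(), b.effective_level()
    if la == lb:
        return cfg.same_security_inter_interface      # same level needs the permit command
    return la > lb                                    # implicit permit is higher -> lower only

def permit_matrix(cfg: Config) -> List[tuple]:
    """All (src, dst) pairs that pass on security level alone, for review."""
    names = sorted(i.nameif for i in cfg.interfaces.values() if i.nameif)
    return [(s, d) for s in names for d in names if implicit_permit(cfg, s, d)]

if __name__ == "__main__":
    for pair in permit_matrix(parse_config(SAMPLE_CONFIG)):
        print("%s -> %s" % pair)
```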
Chapter 8 Configuring Basic Settings
This chapter describes how to configure basic settings on your security appliance that are typically
required for a functioning configuration. This chapter includes the following sections:
• Changing the Login Password, page 8-1
• Changing the Enable Password, page 8-1
• Setting the Hostname, page 8-2
• Setting the Domain Name, page 8-2
• Setting the Date and Time, page 8-2
• Setting the Management IP Address for a Transparent Firewall, page 8-5
Changing the Login Password
The login password is used for Telnet and SSH connections. By default, the login password is “cisco.”
To change the password, enter the following command:
hostname(config)# {passwd | password} password
You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric
and special characters. You can use any character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Use the no password command to restore the password to the default setting.
Changing the Enable Password
The enable password lets you enter privileged EXEC mode. By default, the enable password is blank. To
change the enable password, enter the following command:
hostname(config)# enable password password
The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use
any character in the password except a question mark or a space.
This command changes the password for the highest privilege level. If you configure local command
authorization, you can set enable passwords for each privilege level from 0 to 15.
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Enter the enable password command without a password to set the password to the
default, which is blank.
Setting the Hostname
When you set a hostname for the security appliance, that name appears in the command line prompt. If
you establish sessions to multiple devices, the hostname helps you keep track of where you enter
commands. The default hostname depends on your platform.
For multiple context mode, the hostname that you set in the system execution space appears in the
command line prompt for all contexts. The hostname that you optionally set within a context does not
appear in the command line, but can be used by the banner command $(hostname) token.
To specify the hostname for the security appliance or for a context, enter the following command:
hostname(config)# hostname name
This name can be up to 63 characters. A hostname must start and end with a letter or digit, and have as
interior characters only letters, digits, or a hyphen.
This name appears in the command line prompt. For example:
hostname(config)# hostname farscape
farscape(config)#
Setting the Domain Name
The security appliance appends the domain name as a suffix to unqualified names. For example, if you
set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,”
then the security appliance qualifies the name to “jupiter.example.com.”
The default domain name is default.domain.invalid.
For multiple context mode, you can set the domain name for each context, as well as within the system
execution space.
To specify the domain name for the security appliance, enter the following command:
hostname(config)# domain-name name
For example, to set the domain as example.com, enter the following command:
hostname(config)# domain-name example.com
Setting the Date and Time
This section describes how to set the date and time, either manually or dynamically using an NTP server.
Time derived from an NTP server overrides any time set manually. This section also describes how to
set the time zone and daylight saving time date range.
Note In multiple context mode, set the time in the system configuration only.
This section includes the following topics:
• Setting the Time Zone and Daylight Saving Time Date Range, page 8-3
• Setting the Date and Time Using an NTP Server, page 8-4
• Setting the Date and Time Manually, page 8-5
Setting the Time Zone and Daylight Saving Time Date Range
By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first
Sunday in April to 2:00 a.m. on the last Sunday in October. To change the time zone and daylight saving
time date range, perform the following steps:
Step 1 To set the time zone, enter the following command in global configuration mode:
hostname(config)# clock timezone zone [-]hours [minutes]
Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time.
The [-]hours value sets the number of hours of offset from UTC. For example, PST is -8 hours.
The minutes value sets the number of minutes of offset from UTC.
Step 2 To change the date range for daylight saving time from the default, enter one of the following commands.
The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last
Sunday in October.
• To set the start and end dates for daylight saving time as a specific date in a specific year, enter the
following command:
hostname(config)# clock summer-time zone date {day month | month day} year hh:mm {day
month | month day} year hh:mm [offset]
If you use this command, you need to reset the dates every year.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The day value sets the day of the month, from 1 to 31. The month value sets the month as a string.
You can enter the day and month as April 1 or as 1 April, for example, depending on your standard
date format.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
• To specify the start and end dates for daylight saving time, in the form of a day and time of the
month, and not a specific date in a year, enter the following command.
hostname(config)# clock summer-time zone recurring [week weekday month hh:mm week
weekday month hh:mm] [offset]
This command lets you set a recurring date range that you do not need to alter yearly.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The week value specifies the week of the month as an integer between 1 and 4 or as the words first
or last. For example, if the day might fall in the partial fifth week, then specify last.
The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on.
The month value sets the month as a string.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
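Getting the recurring range wrong shifts every timestamp the appliance puts in syslog by an hour for weeks at a time. As an added example that is not part of this guide or of the appliance software, the following Python parses clock timezone and clock summer-time ... recurring commands as described above and computes the concrete transition dates for a given year, including the last-week rule for a partial fifth week; it goes beyond the text by also applying both offsets to a UTC timestamp, treating the start rule as standard time and the end rule as daylight time, and by handling a range that wraps around the new year.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

WEEKDAYS = {d.lower(): i for i, d in enumerate(calendar.day_name)}        # monday = 0
MONTHS = {m.lower(): i for i, m in enumerate(calendar.month_name) if m}   # january = 1
DEFAULT_RANGE = "first Sunday April 2:00 last Sunday October 2:00".split()  # guide default


@dataclass(frozen=True)
class Rule:
    week: str        # "first", "last" or "1".."4"
    weekday: int     # 0 = Monday
    month: int
    hour: int
    minute: int


@dataclass(frozen=True)
class SummerTime:
    zone: str
    start: Rule      # expressed in standard time
    end: Rule        # expressed in daylight time
    offset_minutes: int = 60


def nth_weekday(year: int, month: int, weekday: int, week: str) -> int:
    """Day of month for the given occurrence of weekday. 'last' picks the final one
    even when it falls in a partial fifth week, which is why the guide recommends it."""
    days = [d for d in range(1, calendar.monthrange(year, month)[1] + 1)
            if datetime(year, month, d).weekday() == weekday]
    if week == "last":
        return days[-1]
    n = 1 if week == "first" else int(week)
    if not 1 <= n <= 4:
        raise ValueError("week must be first, last or 1-4")
    return days[n - 1]


def _rule(tokens) -> Rule:
    week, weekday, month, hhmm = tokens
    hour, minute = (int(x) for x in hhmm.split(":"))
    return Rule(week.lower(), WEEKDAYS[weekday.lower()], MONTHS[month.lower()], hour, minute)


def parse_summer_time(command: str) -> SummerTime:
    """clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]"""
    words = command.split()
    if len(words) < 4 or words[:2] != ["clock", "summer-time"] or words[3] != "recurring":
        raise ValueError("expected: clock summer-time zone recurring ...")
    args, offset = words[4:], 60
    if len(args) in (1, 9):                    # a trailing offset is present
        offset = int(args.pop())
    if not args:
        args = DEFAULT_RANGE
    if len(args) != 8:
        raise ValueError("recurring takes week weekday month hh:mm, twice")
    return SummerTime(words[2], _rule(args[:4]), _rule(args[4:]), offset)


def transitions(st: SummerTime, year: int) -> Tuple[datetime, datetime]:
    """Concrete (start, end) local times for the year."""
    def at(r: Rule) -> datetime:
        return datetime(year, r.month, nth_weekday(year, r.month, r.weekday, r.week),
                        r.hour, r.minute)
    return at(st.start), at(st.end)


def parse_timezone(command: str) -> Tuple[str, int]:
    """clock timezone zone [-]hours [minutes]  ->  (zone, signed offset from UTC in minutes)"""
    words = command.split()
    if words[:2] != ["clock", "timezone"] or len(words) not in (4, 5):
        raise ValueError("expected: clock timezone zone [-]hours [minutes]")
    hours = int(words[3])
    minutes = int(words[4]) if len(words) == 5 else 0
    sign = -1 if words[3].startswith("-") else 1
    return words[2], sign * (abs(hours) * 60 + minutes)


def utc_to_local(utc: datetime, tz_minutes: int, st: SummerTime) -> Tuple[datetime, bool]:
    """Apply the zone offset, then the DST offset when utc falls inside the range.
    The end rule is in daylight time, so it is shifted back before comparing."""
    std = utc + timedelta(minutes=tz_minutes)
    start, end = transitions(st, std.year)
    end_std = end - timedelta(minutes=st.offset_minutes)
    if start < end_std:
        active = start <= std < end_std            # range lies within one calendar year
    else:
        active = not (end_std <= std < start)      # range wraps around the new year
    return (std + timedelta(minutes=st.offset_minutes) if active else std), active
```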
Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:
Step 1 To configure authentication with an NTP server, perform the following steps:
a. To enable authentication, enter the following command:
hostname(config)# ntp authenticate
b. To specify an authentication key ID to be a trusted key, which is required for authentication with an
NTP server, enter the following command:
hostname(config)# ntp trusted-key key_id
Where the key_id is between 1 and 4294967295. You can enter multiple trusted keys for use with
multiple servers.
c. To set a key to authenticate with an NTP server, enter the following command:
hostname(config)# ntp authentication-key key_id md5 key
Where key_id is the ID you set in Step 1b using the ntp trusted-key command, and key is a string
up to 32 characters in length.
Step 2 To identify an NTP server, enter the following command:
hostname(config)# ntp server ip_address [key key_id] [source interface_name] [prefer]
Where the key_id is the ID you set in Step 1b using the ntp trusted-key command.
The source interface_name identifies the outgoing interface for NTP packets if you do not want to use
the default interface in the routing table. Because the system does not include any interfaces in multiple
context mode, specify an interface name defined in the admin context.
The prefer keyword sets this NTP server as the preferred server if multiple servers have similar
accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that
one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use.
However, if a server is significantly more accurate than the preferred one, the security appliance uses the
more accurate one. For example, the security appliance uses a server of stratum 2 over a server of
stratum 3 that is preferred.
You can identify multiple servers; the security appliance uses the most accurate server.
Note SNTP is not supported; only NTP is supported.
Setting the Date and Time Manually
To set the date and time manually, enter the following command:
hostname# clock set hh:mm:ss {month day | day month} year
Where hh:mm:ss sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54
pm.
The day value sets the day of the month, from 1 to 31. You can enter the day and month as april 1 or as
1 april, for example, depending on your standard date format.
The month value sets the month. Depending on your standard date format, you can enter the day and
month as april 1 or as 1 april.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The default time zone is UTC. If you change the time zone after you enter the clock set command using
the clock timezone command, the time automatically adjusts to the new time zone.
This command sets the time in the hardware chip, and does not save the time in the configuration file.
This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC
command. To reset the clock, you need to set a new time for the clock set command.
Setting the Management IP Address for a Transparent Firewall
Transparent firewall mode only
A transparent firewall does not participate in IP routing. The only IP configuration required for the
security appliance is to set the management IP address. This address is required because the security
appliance uses this address as the source address for traffic originating on the security appliance, such
as system messages or communications with AAA servers. You can also use this address for remote
management access.
For multiple context mode, set the management IP address within each context.
To set the management IP address, enter the following command:
hostname(config)# ip address ip_address [mask] [standby ip_address]
This address must be on the same subnet as the upstream and downstream routers. You cannot set the
subnet to a host subnet (255.255.255.255). This address must be IPv4; the transparent firewall does not
support IPv6.
The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more
information.
Chapter 9 Configuring IP Routing
This chapter describes how to configure IP routing on the security appliance. This chapter includes the
following sections:
• How Routing Behaves Within the ASA Security Appliance, page 9-1
• Configuring Static and Default Routes, page 9-2
• Defining Route Maps, page 9-7
• Configuring OSPF, page 9-8
• Configuring RIP, page 9-20
• The Routing Table, page 9-24
• Dynamic Routing and Failover, page 9-26
How Routing Behaves Within the ASA Security Appliance
The ASA security appliance uses both the routing table and the XLATE table for routing decisions. To handle
destination IP translated traffic, that is, untranslated traffic, the ASA searches for an existing XLATE or static
translation to select the egress interface. The selection process is as follows:
Egress Interface Selection Process
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the
egress interface is determined from the static route and an XLATE is created; the routing table
is not used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists, the
packet is not destination IP translated. The security appliance processes this packet by looking up
the route to select the egress interface; source IP translation is then performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table, and the
XLATE is then created. Incoming return packets are forwarded using the existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using the existing XLATE or
static translation rules.
Next Hop Selection Process
After the egress interface is selected using any of the methods described above, an additional route lookup
is performed to find suitable next hops that belong to the previously selected egress interface. If there are
no routes in the routing table that explicitly belong to the selected interface, the packet is dropped with the
level 6 error message 110001 "no route to host", even if there is another route for the destination network
that belongs to a different egress interface. If a route that belongs to the selected egress interface is found,
the packet is forwarded to the corresponding next hop.
Load sharing on the security appliance is possible only across multiple next hops that are reachable through
a single egress interface. Load sharing cannot be spread across multiple egress interfaces.
If dynamic routing is in use on the security appliance and the route table changes after XLATE creation (for
example, because of a route flap), destination translated traffic is still forwarded using the old XLATE, not
the route table, until the XLATE times out. The traffic may be either forwarded to the wrong interface or
dropped with message 110001 "no route to host" if the old route was removed from the old interface and
attached to another one by the routing process.
The same problem may happen when there are no route flaps on the security appliance itself, but some
routing process around it is flapping, sending source translated packets that belong to the same flow
through the security appliance on different interfaces. Destination translated return packets may then be
forwarded back using the wrong egress interface.
This issue has a high probability in a same-security-traffic configuration, where virtually any traffic may
be either source-translated or destination-translated, depending on the direction of the initial packet in the flow.
When this issue occurs after a route flap, it can be resolved manually by using the clear xlate
command, or automatically by an XLATE timeout. The XLATE timeout may be decreased if
necessary. To ensure that this rarely happens, make sure that there are no route flaps on the security appliance
or around it. That is, ensure that destination translated packets that belong to the same flow are always
forwarded the same way through the security appliance.
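The egress-interface and next-hop selection steps above, and the stale-XLATE failure after a route flap, as an added Python model (not Cisco code and not the appliance's implementation); the interface names, addresses and the outbound-NAT bookkeeping are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Message id and text the page cites for a failed next-hop lookup (constructed string)
NO_ROUTE_TO_HOST = '110001 "no route to host"'


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str
    next_hop: str


@dataclass
class StaticNat:
    mapped_ip: str        # destination address as it appears in the arriving packet
    real_ip: str          # address it is translated to
    real_interface: str   # interface on which the real host lives


@dataclass
class Appliance:
    routes: List[Route] = field(default_factory=list)
    statics: List[StaticNat] = field(default_factory=list)
    # destination-translating XLATE entries: mapped address -> (egress interface, real address)
    xlates: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def add_route(self, prefix: str, interface: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, next_hop))

    def remove_route(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.network != net]

    def longest_match(self, ip: str, interface: Optional[str] = None) -> List[Route]:
        """Longest-prefix lookup; with `interface` given, only routes on that interface count."""
        addr = ipaddress.ip_address(ip)
        cands = [r for r in self.routes
                 if addr in r.network and (interface is None or r.interface == interface)]
        if not cands:
            return []
        best = max(r.network.prefixlen for r in cands)
        return [r for r in cands if r.network.prefixlen == best]

    def select_egress(self, dst_ip: str) -> Tuple[Optional[str], str, str]:
        """Egress interface selection, steps 1 to 3 of the text."""
        if dst_ip in self.xlates:                       # 1. existing XLATE decides, not the routing table
            iface, real = self.xlates[dst_ip]
            return iface, real, "xlate"
        for s in self.statics:                          # 2. static translation decides, XLATE is created
            if s.mapped_ip == dst_ip:
                self.xlates[dst_ip] = (s.real_interface, s.real_ip)
                return s.real_interface, s.real_ip, "static"
        best = self.longest_match(dst_ip)               # 3. no destination NAT: route lookup decides
        if not best:
            return None, dst_ip, "route"
        return best[0].interface, dst_ip, "route"

    def forward(self, dst_ip: str) -> dict:
        iface, real_dst, how = self.select_egress(dst_ip)
        if iface is None:
            return {"dropped": NO_ROUTE_TO_HOST, "selected_by": how}
        # Next-hop selection: a second lookup restricted to the chosen egress interface.
        # A route for the destination on some other interface does not rescue the packet.
        hops = self.longest_match(real_dst, interface=iface)
        if not hops:
            return {"dropped": NO_ROUTE_TO_HOST, "egress": iface, "selected_by": how}
        # Several next hops on the same interface means load sharing; never across interfaces.
        return {"egress": iface, "next_hops": sorted(r.next_hop for r in hops), "selected_by": how}

    def outbound(self, ingress: str, src_ip: str, mapped_src: str, dst_ip: str) -> dict:
        """Dynamic outbound NAT: route first, then create the XLATE that return packets will use."""
        result = self.forward(dst_ip)
        if "dropped" not in result:
            self.xlates[mapped_src] = (ingress, src_ip)
        return result

    def clear_xlate(self) -> None:
        self.xlates.clear()


def route_flap_scenario() -> Tuple[dict, dict, dict]:
    """Constructed scenario: a route flap after XLATE creation strands return traffic until clear xlate."""
    asa = Appliance()
    asa.add_route("0.0.0.0/0", "outside", "203.0.113.1")
    asa.add_route("10.1.1.0/24", "inside", "10.1.2.45")
    asa.outbound("inside", "10.1.1.50", "203.0.113.50", "198.51.100.9")
    before = asa.forward("203.0.113.50")        # return packet follows the XLATE back to inside
    asa.remove_route("10.1.1.0/24")             # route flap: the inside network moves to dmz
    asa.add_route("10.1.1.0/24", "dmz", "10.2.2.1")
    stale = asa.forward("203.0.113.50")         # old XLATE still says inside: 110001 drop
    asa.clear_xlate()                           # the manual fix the text describes
    asa.outbound("dmz", "10.1.1.50", "203.0.113.50", "198.51.100.9")
    after = asa.forward("203.0.113.50")
    return before, stale, after
```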
Configuring Static and Default Routes
This section describes how to configure static and default routes on the security appliance.
Multiple context mode does not support dynamic routing, so you must use static routes for any networks
to which the security appliance is not directly connected; for example, when there is a router between a
network and the security appliance.
You might want to use static routes in single context mode in the following cases:
• Your networks use a different router discovery protocol from RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
The simplest option is to configure a default route to send all traffic to an upstream router, relying on the
router to route the traffic for you. However, in some cases the default gateway might not be able to reach
the destination network, so you must also configure more specific static routes. For example, if the
default gateway is outside, then the default route cannot direct traffic to any inside networks that are not
directly connected to the security appliance.
In transparent firewall mode, for traffic that originates on the security appliance and is destined for a
non-directly connected network, you need to configure either a default route or static routes so the
security appliance knows out of which interface to send traffic. Traffic that originates on the security
appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server.
If you have servers that cannot all be reached through a single default route, then you must configure
static routes.
The security appliance supports up to three equal cost routes on the same interface for load balancing.
This section includes the following topics:
• Configuring a Static Route, page 9-3
• Configuring a Default Route, page 9-4
• Configuring Static Route Tracking, page 9-5
For information about configuring IPv6 static and default routes, see the “Configuring IPv6 Default and
Static Routes” section on page 12-5.
Configuring a Static Route
To add a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [distance]
The dest_ip and mask are the IP address and mask of the destination network, and the gateway_ip is the
address of the next-hop router. The addresses you specify for the static route are the addresses that are in
the packet before entering the security appliance and performing NAT.
The distance is the administrative distance for the route. The default is 1 if you do not specify a value.
Administrative distance is a parameter used to compare routes among different routing protocols. The
default administrative distance for static routes is 1, giving them precedence over routes discovered by
dynamic routing protocols but not over directly connected routes. The default administrative distance for routes
discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the
static route takes precedence. Connected routes always take precedence over static or dynamically
discovered routes.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the
specified gateway becomes unavailable, you need to remove the static route from the routing table
manually. However, static routes are removed from the routing table if the specified interface goes down.
They are reinstated when the interface comes back up.
Note If you create a static route with an administrative distance greater than the administrative distance of the
routing protocol running on the security appliance, then a route to the specified destination discovered
by the routing protocol takes precedence over the static route. The static route is used only if the
dynamically discovered route is removed from the routing table.
The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router
(10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
You can define up to three equal cost routes to the same destination per interface. ECMP is not supported
across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes;
traffic is distributed among the specified gateways based on an algorithm that hashes the source and
destination IP addresses.
The following example shows static routes that are equal cost routes that direct traffic to three different
gateways on the outside interface. The security appliance distributes the traffic among the specified
gateways.
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
Configuring a Default Route
A default route identifies the gateway IP address to which the security appliance sends all IP packets for
which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as
the destination IP address. Routes that identify a specific destination take precedence over the default
route.
Note In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces
that have different metrics, the connection to the ASA firewall that is made from the higher metric
interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.
PIX software Version 6.3 supports connections from both the higher and the lower metric interfaces.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default
route with a different interface than a previously defined default route, you receive the message
“ERROR: Cannot add route entry, possible conflict with existing routes.”
You can define a separate default route for tunneled traffic along with the standard default route. When
you create a default route with the tunneled option, all traffic from a tunnel terminating on the security
appliance that cannot be routed using learned or static routes is sent to this route. For traffic emerging
from a tunnel, this route overrides any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
• Do not enable unicast RPF (ip verify reverse-path) on the egress interface of tunneled route.
Enabling uRPF on the egress interface of a tunneled route causes the session to fail.
• Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the
session to fail.
• Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the
DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection
engines ignore the tunneled route.
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is
not supported.
To define the default route, enter the following command:
hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]
Tip You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example:
hostname(config)# route outside 0 0 192.168.1.1
The following example shows a security appliance configured with three equal cost default routes and a
default route for tunneled traffic. Unencrypted traffic received by the security appliance for which there
is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1,
192.168.2.2, and 192.168.2.3. Encrypted traffic received by the security appliance for which there is no static
or learned route is passed to the gateway with the IP address 192.168.2.4.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
hostname(config)# route outside 0 0 192.168.2.4 tunneled
Configuring Static Route Tracking
One of the problems with static routes is that there is no inherent mechanism for determining if the route
is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static
routes are only removed from the routing table if the associated interface on the security appliance goes
down.
The static route tracking feature provides a method for tracking the availability of a static route and
installing a backup route if the primary route should fail. This allows you to, for example, define a
default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP
becomes unavailable.
The security appliance does this by associating a static route with a monitoring target that you define. It
monitors the target using ICMP echo requests. If an echo reply is not received within a specified time
period, the object is considered down and the associated route is removed from the routing table. A
previously configured backup route is used in place of the removed route.
When selecting a monitoring target, you need to make sure it can respond to ICMP echo requests. The
target can be any network object that you choose, but you should consider using:
• the ISP gateway (for dual ISP support) address
• the next hop gateway address (if you are concerned about the availability of the gateway)
• a server on the target network, such as a AAA server, that the security appliance needs to
communicate with
• a persistent network object on the destination network (a desktop or notebook computer that may be
shut down at night is not a good choice)
You can configure static route tracking for statically defined routes or for default routes obtained through
DHCP or PPPoE. You can enable PPPoE clients on multiple interfaces only with route tracking.
To configure static route tracking, perform the following steps:
Step 1 Configure the tracked object monitoring parameters:
a. Define the monitoring process:
hostname(config)# sla monitor sla_id
If you are configuring a new monitoring process, you are taken to SLA monitor configuration mode.
If you are changing the monitoring parameters for an unscheduled monitoring process that already
has a type defined, you are taken directly to the SLA protocol configuration mode.
b. Specify the monitoring protocol. If you are changing the monitoring parameters for an unscheduled
monitoring process that already has a type defined, you are taken directly to SLA protocol
configuration mode and cannot change this setting.
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface if_name
The target_ip is the IP address of the network object whose availability the tracking process
monitors. While this object is available, the tracked route is installed in the routing table.
When this object becomes unavailable, the tracking process removes the route and the backup route
is used in its place.
c. Schedule the monitoring process:
hostname(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
Typically, you will use sla monitor schedule sla_id life forever start-time now for the monitoring
schedule, and allow the monitoring configuration to determine how often the testing occurs. However,
you can schedule this monitoring process to begin in the future and to occur only at specified times.
Step 2 Associate a tracked static route with the SLA monitoring process by entering the following command:
hostname(config)# track track_id rtr sla_id reachability
The track_id is a tracking number you assign with this command. The sla_id is the ID number of the
SLA process you defined in Step 1.
Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one
of the following options:
• To track a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_id
You cannot use the tunneled option with the route command with static route tracking.
• To track a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address dhcp command to obtain the
default route using DHCP.
• To track a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address pppoe command to obtain the
default route using PPPoE.
Step 4 Define the backup route to use when the tracked object is unavailable using one of the following options.
The administrative distance of the backup route must be greater than the administrative distance of the
tracked route. If it is not, the backup route will be installed in the routing table instead of the tracked
route.
• To use a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance]
The static route must have the same destination and mask as the tracked route. If you are tracking a
default route obtained through DHCP or PPPoE, then the address and mask would be 0.0.0.0 0.0.0.0.
• To use a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# dhcp client route distance admin_distance
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address dhcp command to obtain the default route
using DHCP. Make sure the administrative distance is greater than the administrative distance of the
tracked route.
• To use a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# pppoe client route distance admin_distance
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address pppoe command to obtain the default route
using PPPoE. Make sure the administrative distance is greater than the administrative distance of
the tracked route.
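The route-command acceptance rules from "Configuring Static and Default Routes" (three equal-cost routes per interface, equal-cost default routes on one interface, a single tunneled default route, the 0 0 shorthand), the longest-prefix then administrative-distance selection, and the tracked-route/backup-route behaviour from this section, as one added Python model. It is not Cisco code; the dual-ISP addresses and interface names are constructed, and the SHA-256 flow hash stands in for the appliance's unspecified ECMP hash.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error text the page quotes for an ECMP or interface conflict on the route command
CONFLICT = "ERROR: Cannot add route entry, possible conflict with existing routes."
MAX_ECMP = 3        # equal-cost routes per interface
OSPF_AD = 110       # default administrative distance of OSPF-learned routes


@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    distance: int = 1            # static default is 1; connected routes would use 0
    source: str = "static"       # static | connected | ospf
    tunneled: bool = False
    track_id: Optional[int] = None


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.track_state: Dict[int, bool] = {}   # track_id -> SLA target currently reachable

    @staticmethod
    def to_network(dest: str, mask: str) -> ipaddress.IPv4Network:
        dest = "0.0.0.0" if dest == "0" else dest     # "route outside 0 0 ..." shorthand
        mask = "0.0.0.0" if mask == "0" else mask
        return ipaddress.ip_network(f"{dest}/{mask}")

    def route(self, interface: str, dest: str, mask: str, gateway: str, distance: int = 1,
              tunneled: bool = False, track: Optional[int] = None, source: str = "static") -> Route:
        """Acceptance rules of the route command for static and default routes, as the text states them."""
        net = self.to_network(dest, mask)
        if tunneled:
            if net.prefixlen != 0 or track is not None or any(r.tunneled for r in self.routes):
                raise ValueError(CONFLICT)     # one tunneled default route; no tracking, no ECMP
        else:
            equal = [r for r in self.routes if r.network == net and r.distance == distance
                     and r.source == source and not r.tunneled]
            if net.prefixlen == 0 and any(r.interface != interface for r in equal):
                raise ValueError(CONFLICT)     # equal-cost default routes must share one interface
            if sum(r.interface == interface for r in equal) >= MAX_ECMP:
                raise ValueError(CONFLICT)     # at most three equal-cost routes per interface
        new = Route(interface, net, gateway, distance, source, tunneled, track)
        self.routes.append(new)
        return new

    def sla_reachable(self, track_id: int, reachable: bool) -> None:
        """Outcome of the sla monitor echo test bound by `track track_id rtr sla_id reachability`."""
        self.track_state[track_id] = reachable

    def installed(self) -> List[Route]:
        """A tracked route leaves the table while its target is down; untracked routes stay."""
        return [r for r in self.routes
                if r.track_id is None or self.track_state.get(r.track_id, True)]

    def lookup(self, src: str, dst: str, from_tunnel: bool = False) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.installed() if addr in r.network]
        if not from_tunnel:
            cands = [r for r in cands if not r.tunneled]
        elif any(r.tunneled for r in cands):
            # tunnel traffic: specific routes still win, but the tunneled default beats other defaults
            cands = [r for r in cands if r.network.prefixlen > 0 or r.tunneled]
        if not cands:
            return None
        best_len = max(r.network.prefixlen for r in cands)       # most specific prefix first ...
        cands = [r for r in cands if r.network.prefixlen == best_len]
        best_ad = min(r.distance for r in cands)                  # ... then lowest administrative distance
        ecmp = sorted((r for r in cands if r.distance == best_ad), key=lambda r: r.gateway)
        # Assumption: the page says the gateway is chosen by hashing source and destination
        # addresses but not which hash; SHA-256 stands in for the appliance's own algorithm.
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return ecmp[int.from_bytes(digest[:4], "big") % len(ecmp)]


def backup_distance_ok(tracked: Route, backup: Route) -> bool:
    """Step 4 rule: the backup needs a higher distance, or it displaces the tracked route."""
    return backup.distance > tracked.distance


def dual_isp_scenario() -> List[str]:
    """Constructed dual-ISP setup: tracked default route to ISP 1, backup default route to ISP 2."""
    rt = RouteTable()
    primary = rt.route("outside", "0", "0", "192.0.2.1", distance=1, track=1)
    backup = rt.route("backup", "0", "0", "198.51.100.1", distance=254)
    assert backup_distance_ok(primary, backup)
    gateways = [rt.lookup("10.1.1.5", "203.0.113.9").gateway]
    rt.sla_reachable(1, False)     # ISP 1 target stops answering echo requests
    gateways.append(rt.lookup("10.1.1.5", "203.0.113.9").gateway)
    rt.sla_reachable(1, True)      # target recovers: the tracked route is reinstalled
    gateways.append(rt.lookup("10.1.1.5", "203.0.113.9").gateway)
    return gateways                # ['192.0.2.1', '198.51.100.1', '192.0.2.1']
```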
Defining Route Maps
Route maps are used when redistributing routes into an OSPF or RIP routing process. They are also used
when generating a default route into an OSPF routing process. A route map defines which of the routes
from the specified routing protocol are allowed to be redistributed into the target routing process.
To define a route map, perform the following steps:
Step 1 To create a route map entry, enter the following command:
hostname(config)# route-map name {permit | deny} [sequence_number]
Route map entries are read in order. You can identify the order using the sequence_number option, or
the security appliance uses the order in which you add the entries.
Step 2 Enter one or more match commands:
• To match any routes that have a destination network that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes that have a specified metric, enter the following command:
hostname(config-route-map)# match metric metric_value
The metric_value can be from 0 to 4294967295.
• To match any routes that have a next hop router address that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes with the specified next hop interface, enter the following command:
hostname(config-route-map)# match interface if_name
If you specify more than one interface, then the route can match either interface.
• To match any routes that have been advertised by routers that match a standard ACL, enter the
following command:
hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match the route type, enter the following command:
hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}
Step 3 Enter one or more set commands.
If a route matches the match commands, then the following set commands determine the action to
perform on the route before redistributing it.
• To set the metric, enter the following command:
hostname(config-route-map)# set metric metric_value
The metric_value can be a value between 0 and 294967295.
• To set the metric type, enter the following command:
hostname(config-route-map)# set metric-type {type-1 | type-2}
The following example shows how to redistribute routes with a hop count equal to 1 into OSPF. The
security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
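Route-map evaluation as described in this section (entries read in sequence order, several ACLs in one match clause matching any, set commands applied only to a permitted match) as an added Python model, not Cisco code; the ACL model, the Route fields and the "private" ACL name are constructed for the example, and the page's own 1-to-2 route map is reproduced in page_example():

```python
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str                    # e.g. "10.1.1.0/24"
    metric: int
    next_hop: str = "0.0.0.0"
    metric_type: str = "type-2"    # OSPF external routes default to Type 2


@dataclass
class Entry:
    action: str                    # permit | deny
    sequence: int
    match: Dict[str, object] = field(default_factory=dict)   # {"metric": 1, "ip address": ["acl1"]}
    set_: Dict[str, object] = field(default_factory=dict)    # {"metric": 5, "metric-type": "type-1"}


class RouteMap:
    """Constructed model of route-map evaluation for redistribution: first matching entry decides."""

    def __init__(self, name: str, acls: Optional[Dict[str, List[str]]] = None) -> None:
        self.name = name
        self.entries: List[Entry] = []
        self.acls = acls or {}     # standard ACL name -> permitted networks (constructed ACL model)

    def add(self, action: str, sequence: Optional[int] = None, match=None, set_=None) -> Entry:
        # Without an explicit sequence_number, entries keep the order in which they were added.
        if sequence is None:
            sequence = max((e.sequence for e in self.entries), default=0) + 10
        entry = Entry(action, sequence, dict(match or {}), dict(set_ or {}))
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.sequence)
        return entry

    def _acl_permits(self, acl_names: List[str], ip_or_net: str) -> bool:
        # With several ACLs in one match clause, matching any of them is enough.
        target = ipaddress.ip_network(ip_or_net, strict=False)
        return any(target.subnet_of(ipaddress.ip_network(n))
                   for name in acl_names for n in self.acls.get(name, []))

    def _matches(self, entry: Entry, route: Route) -> bool:
        for clause, value in entry.match.items():
            if clause == "metric" and route.metric != value:
                return False
            if clause == "ip address" and not self._acl_permits(value, route.prefix):
                return False
            if clause == "ip next-hop" and not self._acl_permits(value, route.next_hop):
                return False
        return True

    def evaluate(self, route: Route) -> Optional[Route]:
        """Return the route as it would be redistributed, or None if it is filtered out."""
        for entry in self.entries:                 # entries are read in sequence order
            if not self._matches(entry, route):
                continue
            if entry.action == "deny":
                return None
            return replace(route, **{k.replace("-", "_"): v for k, v in entry.set_.items()})
        return None                                # no entry matched: not redistributed


def page_example() -> RouteMap:
    """The page's route-map 1-to-2: routes with metric 1 become metric 5, metric type Type 1."""
    rm = RouteMap("1-to-2")
    rm.add("permit", match={"metric": 1}, set_={"metric": 5, "metric-type": "type-1"})
    return rm
```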
Configuring OSPF
This section describes how to configure OSPF. This section includes the following topics:
• OSPF Overview, page 9-9
• Enabling OSPF, page 9-10
• Redistributing Routes Into OSPF, page 9-10
• Configuring OSPF Interface Parameters, page 9-11
• Configuring OSPF Area Parameters, page 9-13
• Configuring OSPF NSSA, page 9-14
• Defining Static OSPF Neighbors, page 9-16
• Configuring Route Summarization Between OSPF Areas, page 9-15
• Configuring Route Summarization When Redistributing Routes into OSPF, page 9-16
• Generating a Default Route, page 9-17
• Configuring Route Calculation Timers, page 9-17
• Logging Neighbors Going Up or Down, page 9-18
• Displaying OSPF Update Packet Pacing, page 9-19
• Monitoring OSPF, page 9-19
• Restarting the OSPF Process, page 9-20
OSPF Overview
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each
router in an OSPF area contains an identical link-state database, which is a list of each router's
usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state
database is updated instantly rather than gradually as stale information is timed out.
• Routing decisions are based on cost, which is an indication of the overhead required to send packets
across a certain interface. The security appliance calculates the cost of an interface based on link
bandwidth rather than the number of hops to the destination. The cost can be configured to specify
preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
The security appliance can run two processes of OSPF protocol simultaneously, on different sets of
interfaces. You might want to run two processes if you have interfaces that use the same IP addresses
(NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might
want to run one process on the inside, and another on the outside, and redistribute a subset of routes
between the two processes. Similarly, you might need to segregate private addresses from public
addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP
routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The security appliance supports the following OSPF features:
• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link.
• OSPF LSA flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support for configuring the security appliance as a designated router or a designated backup router.
The security appliance also can be set up as an ABR; however, the ability to configure the security
appliance as an ASBR is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby-areas.
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
Enabling OSPF
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses
associated with the routing process, then assign area IDs associated with that range of IP addresses.
To enable OSPF, perform the following steps:
Step 1 To create an OSPF routing process, enter the following command:
hostname(config)# router ospf process_id
This command enters the router configuration mode for this OSPF process.
The process_id is an internally used identifier for this routing process. It can be any positive integer. This
ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum
of two processes.
Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the
following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
Redistributing Routes Into OSPF
The security appliance can control the redistribution of routes between OSPF routing processes. The
security appliance matches and changes routes according to settings in the redistribute command or by
using a route map. See also the “Generating a Default Route” section on page 9-17 for another use for
route maps.
To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:
Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are
redistributed into the OSPF routing process. See the “Defining Route Maps” section on page 9-7.
Step 2 If you have not already done so, enter the router configuration mode for the OSPF process you want to
redistribute into by entering the following command:
hostname(config)# router ospf process_id
Step 3 To specify the routes you want to redistribute, enter the following command:
hostname(config-router)# redistribute {ospf process_id
[match {internal | external 1 | external 2}] | static | connected | rip}
[metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map
map_name]
The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute
routes.
You can either use the options in this command to match and set route properties, or you can use a route
map. The tag and subnets options do not have equivalents in the route-map command. If you use both
a route map and options in the redistribute command, then they must match.
The following example shows route redistribution from OSPF process 1 into OSPF process 2 by
matching routes with a metric equal to 1. The security appliance redistributes these routes as external
LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2
The following example shows the specified OSPF process routes being redistributed into OSPF
process 109. The OSPF metric is remapped to 100.
hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets
The following example shows route redistribution where the link-state cost is specified as 5 and the
metric type is set to external, indicating that it has lower priority than internal metrics.
hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type external
Configuring OSPF Interface Parameters
You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any
of these parameters, but the following interface parameters must be consistent across all routers in an
attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if
you configure any of these parameters, the configurations for all routers on your network have
compatible values.
To configure OSPF interface parameters, perform the following steps:
Step 1 To enter the interface configuration mode, enter the following command:
hostname(config)# interface interface_name
Step 2 Enter any of the following commands:
• To specify the authentication type for an interface, enter the following command:
hostname(config-interface)# ospf authentication [message-digest | null]
• To assign a password to be used by neighboring OSPF routers on a network segment that is using
the OSPF simple password authentication, enter the following command:
hostname(config-interface)# ospf authentication-key key
The key can be any continuous string of characters up to 8 bytes in length.
The password created by this command is used as a key that is inserted directly into the OSPF header
when the security appliance software originates routing protocol packets. A separate password can
be assigned to each network on a per-interface basis. All neighboring routers on the same network
must have the same password to be able to exchange OSPF information.
• To explicitly specify the cost of sending a packet on an OSPF interface, enter the following
command:
hostname(config-interface)# ospf cost cost
The cost is an integer from 1 to 65535.
• To set the number of seconds that a device must wait before it declares a neighbor OSPF router down
because it has not received a hello packet, enter the following command:
hostname(config-interface)# ospf dead-interval seconds
The value must be the same for all nodes on the network.
• To specify the length of time between the hello packets that the security appliance sends on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf hello-interval seconds
The value must be the same for all nodes on the network.
• To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
– key—Alphanumeric password of up to 16 bytes.
Usually, one key per interface is used to generate authentication information when sending packets
and to authenticate incoming packets. The same key identifier on the neighbor router must have the
same key value.
We recommend that you not keep more than one key per interface. Every time you add a new key,
you should remove the old key to prevent the local system from continuing to communicate with a
hostile system that knows the old key. Removing the old key also reduces overhead during rollover.
• To set the priority to help determine the OSPF designated router for a network, enter the following
command:
hostname(config-interface)# ospf priority number_value
The number_value is an integer from 0 to 255.
• To specify the number of seconds between LSA retransmissions for adjacencies belonging to an
OSPF interface, enter the following command:
hostname(config-interface)# ospf retransmit-interval seconds
The seconds must be greater than the expected round-trip delay between any two routers on the
attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.
• To set the estimated number of seconds required to send a link-state update packet on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf transmit-delay seconds
The seconds value is an integer from 1 to 65535. The default is 1 second.
The following example shows how to configure the OSPF interfaces:
hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Configuring OSPF Area Parameters
You can configure several area parameters. These area parameters (shown in the following task table)
include setting authentication, defining stub areas, and assigning specific costs to the default summary
route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default
external route generated by the ABR, into the stub area for destinations outside the autonomous system.
To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further
reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the
area stub command on the ABR to prevent it from sending summary link advertisement (LSA type 3)
into the stub area.
To specify area parameters for your network, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To enable authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication
• To enable MD5 authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication message-digest
• To define an area to be a stub area, enter the following command:
hostname(config-router)# area area-id stub [no-summary]
• To assign a specific cost to the default summary route used for the stub area, enter the following
command:
hostname(config-router)# area area-id default-cost cost
The cost is an integer from 1 to 65535. The default is 1.
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20
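The ospf message-digest-key interface command and the area authentication message-digest command above both select OSPF cryptographic authentication (AuType 2, RFC 2328 Appendix D). The following Python is an added example, not code from the configuration guide: it builds a Hello with the page's interface values (hello 10, dead 40, priority 20, router ID 20.1.89.2, key ID 1 with key "cisco"), runs the receiver-side checks, and shows why the key is capped at 16 bytes (the digest replaces a 16-byte padded key), why a removed key ID stops validating, and how the sequence number is used against replay. The key table and function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, length, router ID,
# area ID, checksum, AuType. The 8-byte Authentication field follows it.
OSPF_HDR = struct.Struct("!BBHIIHH")          # 16 bytes
# Authentication field for AuType 2 (RFC 2328 D.3): 2 reserved bytes,
# key ID, authentication data length, cryptographic sequence number.
CRYPT_AUTH = struct.Struct("!HBBI")           # 8 bytes
AUTYPE_CRYPTOGRAPHIC = 2
MD5_LEN = 16
OSPF_HELLO = 1


def pad_key(key: bytes) -> bytes:
    """Keys are at most 16 bytes (as the page states); shorter keys are zero-padded."""
    if not 1 <= len(key) <= MD5_LEN:
        raise ValueError("OSPF MD5 key must be 1 to 16 bytes")
    return key.ljust(MD5_LEN, b"\x00")


def hello_body(mask: str, hello: int, dead: int, priority: int) -> bytes:
    """Constructed Hello body (RFC 2328 A.3.2) with options, DR and BDR set to zero."""
    return struct.pack("!IHBBIII", int(ipaddress.IPv4Address(mask)),
                       hello, 0, priority, dead, 0, 0)


def build_packet(keys: dict, key_id: int, seq: int, router_id: str,
                 area_id: int, body: bytes) -> bytes:
    """Originate a packet (RFC 2328 D.4.3): fill the auth field with key ID and
    sequence number, append the padded key, MD5 the result, then send the
    packet with the digest in place of the key. Checksum stays 0 for AuType 2."""
    length = OSPF_HDR.size + CRYPT_AUTH.size + len(body)
    header = OSPF_HDR.pack(2, OSPF_HELLO, length, int(ipaddress.IPv4Address(router_id)),
                           area_id, 0, AUTYPE_CRYPTOGRAPHIC)
    packet = header + CRYPT_AUTH.pack(0, key_id, MD5_LEN, seq) + body
    digest = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return packet + digest


def verify_packet(keys: dict, raw: bytes, last_seq):
    """Receiver side. Returns (accepted, reason, seq). last_seq is the highest
    sequence number already accepted from this neighbor (None if none yet)."""
    if len(raw) < OSPF_HDR.size + CRYPT_AUTH.size + MD5_LEN:
        return False, "truncated packet", None
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(raw, 0)
    if autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "AuType is not cryptographic", None
    _, key_id, auth_len, seq = CRYPT_AUTH.unpack_from(raw, OSPF_HDR.size)
    if auth_len != MD5_LEN or len(raw) != length + MD5_LEN:
        return False, "bad authentication data length", None
    key = keys.get(key_id)
    if key is None:
        # A key ID that was removed during rollover: packets still signed
        # with it are dropped, which is the point of removing the old key.
        return False, f"no key configured for key id {key_id}", None
    expected = hashlib.md5(raw[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, raw[length:]):
        return False, "digest mismatch", None
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (replay)", None
    return True, "ok", seq


if __name__ == "__main__":
    body = hello_body("255.0.0.0", 10, 40, 20)      # values from the page's interface example
    sender_keys = {1: b"cisco"}                       # ospf message-digest-key 1 md5 cisco
    pkt = build_packet(sender_keys, 1, 100, "20.1.89.2", 0, body)
    print(verify_packet({1: b"cisco"}, pkt, None))    # accepted
    print(verify_packet({1: b"other"}, pkt, None))    # digest mismatch
    print(verify_packet({2: b"newkey"}, pkt, None))   # old key id removed after rollover
    print(verify_packet({1: b"cisco"}, pkt, 101))     # replayed sequence number
```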
Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5
external LSAs from the core into the area, but it can import autonomous system external routes in a
limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These
type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole
routing domain. Summarization and filtering are supported during the translation.
Using NSSA simplifies administration if you are an ISP or a network administrator who must connect a central
site that uses OSPF to a remote site that uses a different routing protocol.
Before the implementation of NSSA, the connection between the corporate site border router and the
remote router could not be run as an OSPF stub area because routes for the remote site could not be
redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol
such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover
the remote connection by defining the area between the corporate router and the remote router as an
NSSA.
To specify area parameters for your network as needed to configure OSPF NSSA, perform the following
steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To define an NSSA area, enter the following command:
hostname(config-router)# area area-id nssa [no-redistribution]
[default-information-originate]
• To summarize groups of addresses, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
This command helps reduce the size of the routing table. Using this command for OSPF causes an
OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are
covered by the address.
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
In the following example, the summary address 10.1.0.0 includes the addresses 10.1.1.0, 10.1.2.0,
10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
Before you use this feature, consider these guidelines:
– You can set a type 7 default route that can be used to reach external destinations. When
configured, the router generates a type 7 default into the NSSA or the NSSA area boundary
router.
– Every router within the same area must agree that the area is NSSA; otherwise, the routers will
not be able to communicate.
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary
route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router
advertises networks in one area into another area. If the network numbers in an area are assigned in a
way such that they are contiguous, you can configure the area boundary router to advertise a summary
route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To set the address range, enter the following command:
hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]
The following example shows how to configure route summarization between OSPF areas:
hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0
Configuring Route Summarization When Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in
an external LSA. However, you can configure the security appliance to advertise a single route for all
the redistributed routes that are covered by a specified network address and mask. This configuration
decreases the size of the OSPF link-state database.
To configure the security appliance to advertise one summary route for all redistributed routes covered by a
network address and mask, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
The following example shows how to configure route summarization. The summary address 10.1.0.0
includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an
external link-state advertisement:
hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
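The aggregation that summary-address performs, both here and in the NSSA bullet earlier, as an added Python example that is not part of the guide: it parses the command form shown on this page (including not-advertise and tag), rejects 0.0.0.0 0.0.0.0 as the page states, and computes which external routes an ASBR would originate for a set of redistributed prefixes. The class and function names, and the 172.16.0.0 and 192.168.0.0 summaries, are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SummaryAddress:
    network: ipaddress.IPv4Network
    advertise: bool = True        # False when [not-advertise] is given
    tag: Optional[int] = None     # value of [tag tag], if any


def parse_summary_address(line: str) -> SummaryAddress:
    """Parse one 'summary-address ip_address mask [not-advertise] [tag tag]' line."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "summary-address":
        raise ValueError(f"not a summary-address command: {line!r}")
    # strict=False masks host bits, so '10.1.1.0 255.255.0.0' also yields 10.1.0.0/16
    network = ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}", strict=False)
    if network.prefixlen == 0:
        raise ValueError("OSPF does not support summary-address 0.0.0.0 0.0.0.0")
    advertise, tag = True, None
    rest = tokens[3:]
    while rest:
        if rest[0] == "not-advertise":
            advertise, rest = False, rest[1:]
        elif rest[0] == "tag" and len(rest) >= 2:
            tag, rest = int(rest[1]), rest[2:]
        else:
            raise ValueError(f"unexpected keyword {rest[0]!r}")
    return SummaryAddress(network, advertise, tag)


def external_advertisements(redistributed: List[str],
                            summaries: List[SummaryAddress]) -> List[Tuple[str, Optional[int]]]:
    """Return the (prefix, tag) external routes an ASBR originates.

    A redistributed route covered by a summary is folded into that one aggregate
    (the longest-matching summary wins), which is advertised once; a summary with
    not-advertise suppresses the routes it covers; uncovered routes go out individually."""
    advertised: List[Tuple[str, Optional[int]]] = []
    seen = set()
    for prefix in redistributed:
        route = ipaddress.IPv4Network(prefix, strict=False)
        covering = [s for s in summaries if route.subnet_of(s.network)]
        if not covering:
            advertised.append((str(route), None))
            continue
        best = max(covering, key=lambda s: s.network.prefixlen)
        if not best.advertise:
            continue
        aggregate = str(best.network)
        if aggregate not in seen:
            seen.add(aggregate)
            advertised.append((aggregate, best.tag))
    return advertised


if __name__ == "__main__":
    config = [
        "summary-address 10.1.0.0 255.255.0.0",                  # from the page
        "summary-address 172.16.0.0 255.255.0.0 tag 7",          # constructed
        "summary-address 192.168.0.0 255.255.0.0 not-advertise", # constructed
    ]
    summaries = [parse_summary_address(c) for c in config]
    routes = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
              "172.16.9.0/24", "192.168.5.0/24", "10.2.0.0/24"]
    for net, tag in external_advertisements(routes, summaries):
        print(net, "tag", tag)
```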
Defining Static OSPF Neighbors
You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast
network. This lets you broadcast OSPF advertisements across an existing VPN connection without
having to encapsulate the advertisements in a GRE tunnel.
To define a static OSPF neighbor, perform the following tasks:
Step 1 Create a static route to the OSPF neighbor. See the “Configuring Static and Default Routes” section on
page 9-2 for more information about creating static routes.
Step 2 Define the OSPF neighbor by performing the following tasks:
a. Enter router configuration mode for the OSPF process. Enter the following command:
hostname(config)# router ospf pid
b. Define the OSPF neighbor by entering the following command:
hostname(config-router)# neighbor addr [interface if_name]
The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to
communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the
directly-connected interfaces, you must specify the interface.
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing
domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the
router automatically becomes an autonomous system boundary router. However, an autonomous system
boundary router does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To force the autonomous system boundary router to generate a default route, enter the following
command:
hostname(config-router)# default-information originate [always] [metric metric-value]
[metric-type {1 | 2}] [route-map map-name]
The following example shows how to generate a default route:
hostname(config)# router ospf 2
hostname(config-router)# default-information originate always
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an
SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To configure the route calculation time, enter the following command:
hostname(config-router)# timers spf spf-delay spf-holdtime
The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when
it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value
of 0 means that there is no delay; that is, the SPF calculation is started immediately.
The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be
an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay;
that is, two SPF calculations can be done, one immediately after the other.
The following example shows how to configure route calculation timers:
hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120
Logging Neighbors Going Up or Down
By default, the system sends a system message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning
on the debug ospf adjacency command. The log-adj-changes router configuration command provides
a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you
want to see messages for each state change.
To log neighbors going up or down, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To configure logging for neighbors going up or down, enter the following command:
hostname(config-router)# log-adj-changes [detail]
Note Logging must be enabled for the neighbor up/down messages to be sent.
The following example shows how to log neighbors up/down messages:
hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail
Displaying OSPF Update Packet Pacing
OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart.
Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could
not receive the updates quickly enough, or the router could run out of buffer space. For example, without
pacing, packets might be dropped if either of the following topologies exists:
• A fast router is connected to a slower router over a point-to-point link.
• During flooding, several neighbors send updates to a single router at the same time.
Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also
can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update
and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically.
To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified
interface, enter the following command:
hostname# show ospf flood-list if_name
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You
can use the information provided to determine resource utilization and solve network problems. You can
also display information about node reachability and discover the routing path that your device packets
are taking through the network.
To display various OSPF routing statistics, perform one of the following tasks, as needed:
• To display general information about OSPF routing processes, enter the following command:
hostname# show ospf [process-id [area-id]]
• To display the internal OSPF routing table entries to the ABR and ASBR, enter the following
command:
hostname# show ospf border-routers
• To display lists of information related to the OSPF database for a specific router, enter the following
command:
hostname# show ospf [process-id [area-id]] database
• To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing),
enter the following command:
hostname# show ospf flood-list if-name
• To display OSPF-related interface information, enter the following command:
hostname# show ospf interface [if_name]
• To display OSPF neighbor information on a per-interface basis, enter the following command:
hostname# show ospf neighbor [interface-name] [neighbor-id] [detail]
• To display a list of all LSAs requested by a router, enter the following command:
hostname# show ospf request-list neighbor if_name
• To display a list of all LSAs waiting to be resent, enter the following command:
hostname# show ospf retransmission-list neighbor if_name
• To display a list of all summary address redistribution information configured under an OSPF
process, enter the following command:
hostname# show ospf [process-id] summary-address
• To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
Restarting the OSPF Process
To restart an OSPF process, or to clear its redistribution or counters, enter the following command:
hostname(config)# clear ospf pid {process | redistribution | counters
[neighbor [neighbor-interface] [neighbor-id]]}
Configuring RIP
Devices that support RIP send routing-update messages at regular intervals and when the network
topology changes. These RIP packets contain information about the networks that the devices can reach,
as well as the number of routers or gateways that a packet must travel through to reach the destination
address. RIP generates more traffic than OSPF, but is easier to configure.
RIP has advantages over static routes because the initial configuration is simple, and you do not need to
update the configuration when the topology changes. The disadvantage to RIP is that there is more
network and processing overhead than static routing.
The security appliance supports RIP Version 1 and RIP Version 2.
This section describes how to configure RIP. This section includes the following topics:
• Enabling and Configuring RIP, page 9-20
• Redistributing Routes into the RIP Routing Process, page 9-22
• Configuring RIP Send/Receive Version on an Interface, page 9-22
• Enabling RIP Authentication, page 9-23
• Monitoring RIP, page 9-23
Enabling and Configuring RIP
You can only enable one RIP routing process on the security appliance. After you enable the RIP routing
process, you must define the interfaces that will participate in that routing process using the network
command. By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and
Version 2 updates.
To enable and configure the RIP routing process, perform the following steps:
Step 1 Start the RIP routing process by entering the following command in global configuration mode:
hostname(config)# router rip
You enter router configuration mode for the RIP routing process.
Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for
each interface that will participate in the RIP routing process:
hostname(config-router)# network network_address
If an interface belongs to a network defined by this command, the interface will participate in the RIP
routing process. If an interface does not belong to a network defined by this command, it will not send
or receive RIP updates.
Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:
hostname(config-router)# version [1 | 2]
You can override this setting on a per-interface basis.
Step 4 (Optional) To generate a default route into RIP, enter the following command:
hostname(config-router)# default-information originate
Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:
hostname(config-router)# passive-interface [default | if_name]
Using the default keyword causes all interfaces to operate in passive mode. Specifying an interface name
sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by but
not sent out of the specified interface. You can enter this command for each interface you want to set to
passive mode.
Step 6 (Optional) Disable automatic route summarization by entering the following command:
hostname(config-router)# no auto-summarize
RIP Version 1 always uses automatic route summarization; you cannot disable it for RIP Version 1. RIP
Version 2 uses route summarization by default; you can disable it using this command.
Step 7 (Optional) To filter the networks received in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to allow in the
routing table and denying the networks you want the RIP process to discard.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates received by that interface.
hostname(config-router)# distribute-list acl in [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Step 8 (Optional) To filter the networks sent in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to advertise and
denying the networks you do not want the RIP process to advertise.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates sent by that interface.
hostname(config-router)# distribute-list acl out [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Redistributing Routes into the RIP Routing Process
You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing
process.
To redistribute routes into the RIP routing process, perform the following steps:
Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are
redistributed into the RIP routing process. See the “Defining Route Maps” section on page 9-7 for more
information about creating a route map.
Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.
• To redistribute connected routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute connected [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute static routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute static [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute routes from an OSPF routing process into the RIP routing process, enter the
following command:
hostname(config-router)# redistribute ospf pid [match {internal | external [1 | 2] |
nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]
Configuring RIP Send/Receive Version on an Interface
You can override the globally-set version of RIP the security appliance uses to send and receive RIP
updates on a per-interface basis.
To configure the RIP send and receive
Step 1 (Optional) To specify the version of RIP advertisements sent from an interface, perform the following
steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to use when sending RIP updates out of the interface by entering the
following command:
hostname(config-if)# rip send version {[1] [2]}
Step 2 (Optional) To specify the version of RIP advertisements permitted to be received by an interface,
perform the following steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to allow when receiving RIP updates on the interface by entering the
following command:
hostname(config-if)# rip receive version {[1] [2]}
RIP updates received on the interface that do not match the allowed version are dropped.
Enabling RIP Authentication
The security appliance supports RIP message authentication for RIP Version 2 messages.
To enable RIP message authentication, perform the following steps:
Step 1 Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
Step 2 (Optional) Set the authentication mode by entering the following command. By default, text
authentication is used. MD5 authentication is recommended.
hostname(config-if)# rip authentication mode {text | md5}
Step 3 Enable authentication and configure the authentication key by entering the following command:
hostname(config-if)# rip authentication key key key_id key-id
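To show what the md5 mode above actually puts on the wire, here is an added Python example (not from the guide and not the appliance's implementation) that builds and verifies the RFC 2082 keyed-MD5 trailer of a RIPv2 update, which is what a defender needs to validate captured updates against the configured key; the routes, key and key id are constructed, and vendor implementations are assumed to follow RFC 2082 in details such as the packet length field.

```python
import hashlib
import hmac
import socket
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_FAMILY = 0xFFFF        # address family reserved for authentication entries
AUTH_TYPE_MD5 = 3           # RFC 2082 keyed-MD5 authentication entry
AUTH_TYPE_TRAILER = 1       # marks the trailer entry that carries the digest
KEY_LEN = 16                # keys are padded/truncated to 16 octets
AUTH_ENTRY = "!HHHBBI8s"    # family, type, packet length, key id, auth len, seq, pad


def _pad_key(key):
    return key[:KEY_LEN].ljust(KEY_LEN, b"\0")


def _rte(addr, mask, next_hop, metric):
    # One RIPv2 route entry: family AF_INET (2), route tag 0, then the route.
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(addr),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_md5_update(routes, key, key_id, seq):
    """Build a RIPv2 response: header, auth entry, RTEs, then a trailer whose
    16 octets are MD5(packet || trailer header || padded key) per RFC 2082."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    rtes = b"".join(_rte(*r) for r in routes)
    pkt_len = len(header) + struct.calcsize(AUTH_ENTRY) + len(rtes)
    auth = struct.pack(AUTH_ENTRY, AUTH_FAMILY, AUTH_TYPE_MD5, pkt_len,
                       key_id, KEY_LEN, seq, b"\0" * 8)
    body = header + auth + rtes
    trailer = struct.pack("!HH", AUTH_FAMILY, AUTH_TYPE_TRAILER)
    digest = hashlib.md5(body + trailer + _pad_key(key)).digest()
    return body + trailer + digest


def verify_md5_update(pkt, keys, last_seq=-1):
    """Check a received update against the configured keys (key_id -> bytes).
    Returns (accepted, reason). last_seq is the last accepted sequence number
    from this neighbor; a lower one is treated as stale or replayed."""
    entry_len = struct.calcsize(AUTH_ENTRY)
    if len(pkt) < 4 + entry_len + 4 + KEY_LEN or pkt[1] != RIP_V2:
        return False, "not a RIPv2 packet"
    family, atype, pkt_len, key_id, dlen, seq, _ = struct.unpack(
        AUTH_ENTRY, pkt[4:4 + entry_len])
    if family != AUTH_FAMILY or atype != AUTH_TYPE_MD5 or dlen != KEY_LEN:
        return False, "no MD5 authentication entry"
    if key_id not in keys:
        return False, "unknown key id"
    if pkt_len + 4 + KEY_LEN != len(pkt):
        return False, "length mismatch"
    body, trailer = pkt[:pkt_len], pkt[pkt_len:]
    if trailer[:4] != struct.pack("!HH", AUTH_FAMILY, AUTH_TYPE_TRAILER):
        return False, "missing authentication trailer"
    expected = hashlib.md5(body + trailer[:4] + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, bytes(trailer[4:])):
        return False, "bad digest"
    if seq < last_seq:
        return False, "stale sequence number"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one route, key id 1, sequence number 7.
    sample = build_md5_update([("192.168.32.0", "255.255.255.0", "0.0.0.0", 4)],
                              b"s3cret", 1, 7)
    print(verify_md5_update(sample, {1: b"s3cret"}, last_seq=6))
    print(verify_md5_update(sample, {1: b"wrong"}))
```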
Monitoring RIP
To display various RIP routing statistics, perform one of the following tasks, as needed:
• To display the contents of the RIP routing database, enter the following command:
hostname# show rip database
• To display the RIP commands in the running configuration, enter the following command:
hostname# show running-config router rip
Use the following debug commands only to troubleshoot specific problems or during troubleshooting
sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render
the system unusable. It is best to use debug commands during periods of lower network traffic and fewer
users. Debugging during these periods decreases the likelihood that increased debug command
processing overhead will affect system performance.
• To display RIP processing events, enter the following command:
hostname# debug rip events
The Routing Table
• To display RIP database events, enter the following command:
hostname# debug rip database
The Routing Table
This section contains the following topics:
• Displaying the Routing Table, page 9-24
• How the Routing Table is Populated, page 9-24
• How Forwarding Decisions are Made, page 9-26
Displaying the Routing Table
To view the entries in the routing table, enter the following command:
hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.86.194.1 to network 0.0.0.0
S 10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
C 10.86.194.0 255.255.254.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.86.194.1, outside
On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal
loopback interface, which is used by the VPN Hardware Client feature for individual user authentication.
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
How the Routing Table is Populated
The security appliance routing table can be populated by statically defined routes, directly connected
routes, and routes discovered by the RIP and OSPF routing protocols. Because the security appliance
can run multiple routing protocols in addition to having static and connected routes in the routing table,
it is possible that the same route is discovered or entered in more than one manner. When two routes to
the same destination are put into the routing table, the one that remains in the routing table is determined
as follows:
• If the two routes have different network prefix lengths (network masks), then both routes are
considered unique and are entered into the routing table. The packet forwarding logic then
determines which of the two to use.
For example, if the RIP and OSPF processes discovered the following routes:
– RIP: 192.168.32.0/24
– OSPF: 192.168.32.0/19
Even though OSPF routes have the better administrative distance, both routes are installed in the
routing table because each of these routes has a different prefix length (subnet mask). They are
considered different destinations and the packet forwarding logic determines which route to use.
• If the security appliance learns about multiple paths to the same destination from a single routing
protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is
entered into the routing table.
Metrics are values associated with specific routes, ranking them from most preferred to least
preferred. The parameters used to determine the metrics differ for different routing protocols. The
path with the lowest metric is selected as the optimal path and installed in the routing table. If there
are multiple paths to the same destination with equal metrics, load balancing is done on these equal
cost paths.
• If the security appliance learns about a destination from more than one routing protocol, the
administrative distances of the routes are compared and the route with the lower administrative
distance is entered into the routing table.
Administrative distance is a route parameter that the security appliance uses to select the best path when
there are two or more different routes to the same destination from two different routing protocols.
Because each routing protocol computes its metrics with an algorithm that differs from the other
protocols, it is not always possible to determine the “best path” for two routes to the same destination
that were generated by different routing protocols.
Each routing protocol is prioritized using an administrative distance value. Table 9-1 shows the default
administrative distance values for the routing protocols supported by the security appliance.
The smaller the administrative distance value, the more preference is given to the protocol. For example,
if the security appliance receives a route to a certain network from both an OSPF routing process (default
administrative distance - 110) and a RIP routing process (default administrative distance - 100), the
security appliance chooses the OSPF route because OSPF has a higher preference. This means the router
adds the OSPF version of the route to the routing table.
In the above example, if the source of the OSPF-derived route was lost (for example, due to a power
shutdown), the security appliance would then use the RIP-derived route until the OSPF-derived route
reappears.
The administrative distance is a local setting. For example, if you use the distance-ospf command to
change the administrative distance of routes obtained through OSPF, that change would only affect the
routing table for the security appliance the command was entered on. The administrative distance is not
advertised in routing updates.
Administrative distance does not affect the routing process. The OSPF and RIP routing processes only
advertise the routes that have been discovered by the routing process or redistributed into the routing
process. For example, the RIP routing process advertises RIP routes, even if routes discovered by the
OSPF routing process are used in the security appliance routing table.
Table 9-1 Default Administrative Distance for Supported Routing Protocols
Route Source          Default Administrative Distance
Connected interface   0
Static route          1
OSPF                  110
RIP                   120
Backup Routes
A backup route is registered when the initial attempt to install the route in the routing table fails because
another route was installed instead. If the route that was installed in the routing table fails, the routing
table maintenance process calls each routing protocol process that has registered a backup route and
requests them to reinstall the route in the routing table. If there are multiple protocols with registered
backup routes for the failed route, the preferred route is chosen based on administrative distance.
Because of this process, you can create “floating” static routes that are installed in the routing table when
the route discovered by a dynamic routing protocol fails. A floating static route is simply a static route
configured with a greater administrative distance than the dynamic routing protocols running on the
security appliance. When the corresponding route discovered by a dynamic routing process fails, the static
route is installed in the routing table.
How Forwarding Decisions are Made
Forwarding decisions are made as follows:
• If the destination does not match an entry in the routing table, the packet is forwarded through the
interface specified for the default route. If a default route has not been configured, the packet is
discarded.
• If the destination matches a single entry in the routing table, the packet is forwarded through the
interface associated with that route.
• If the destination matches more than one entry in the routing table, and the entries all have the same
network prefix length, the packets for that destination are distributed among the interfaces
associated with that route.
• If the destination matches more than one entry in the routing table, and the entries have different
network prefix lengths, then the packet is forwarded out of the interface associated with the route
that has the longer network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface of a security appliance with the
following routes in the routing table:
hostname# show route
....
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/19 [110/229840] via 10.1.1.3
....
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls
within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but
192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes
are always preferred over shorter ones when forwarding a packet.
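To make the installation and forwarding rules of this section concrete, here is an added Python model (not from the guide and not the appliance's code) that installs routes by prefix, administrative distance and metric, keeps the losers as backup routes so a floating static route takes over when a dynamic route is withdrawn, and forwards by longest prefix match; it replays the guide's 192.168.32.0/24 versus /19 case, and the 10.0.0.0/8 routes and their next hops in the main block are constructed.

```python
import ipaddress

# Default administrative distances from Table 9-1 of the guide.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


class Route:
    def __init__(self, source, prefix, next_hop, metric=0, ad=None):
        self.source = source
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.metric = metric
        # A floating static route is just a static route given a larger AD.
        self.ad = DEFAULT_AD[source] if ad is None else ad

    def cost(self):
        # Lower administrative distance wins first, then the lower metric.
        return (self.ad, self.metric)


class RoutingTable:
    """Each distinct prefix (network plus mask length) is its own destination.
    For one prefix the lowest (AD, metric) route is installed, equal-cost paths
    from the same source are kept together for load balancing, and every
    other candidate is registered as a backup route."""

    def __init__(self):
        self.installed = {}  # prefix -> [Route, ...] sharing one cost
        self.backups = {}    # prefix -> [Route, ...] waiting to be installed

    def install(self, route):
        key = route.prefix
        current = self.installed.get(key)
        if not current:
            self.installed[key] = [route]
            return True
        best = current[0]
        if route.cost() < best.cost():
            # The newcomer wins; the old paths become backups.
            self.backups.setdefault(key, []).extend(current)
            self.installed[key] = [route]
            return True
        if route.cost() == best.cost() and route.source == best.source:
            current.append(route)  # equal-cost path, traffic is shared
            return True
        self.backups.setdefault(key, []).append(route)
        return False

    def withdraw(self, route):
        """The source of an installed route failed: drop it and let the best
        registered backup (by AD, then metric) take its place."""
        key = route.prefix
        paths = self.installed.get(key, [])
        if route in paths:
            paths.remove(route)
        if paths:
            return
        self.installed.pop(key, None)
        for backup in sorted(self.backups.pop(key, []), key=Route.cost):
            self.install(backup)

    def next_hops(self, dst):
        """Forwarding decision: no matching entry means the packet is dropped
        (a 0.0.0.0/0 default route, if present, matches everything); among
        matches the longest prefix wins; equal-length matches share traffic."""
        dst = ipaddress.ip_address(dst)
        matches = [p for p in self.installed if dst in p]
        if not matches:
            return []
        longest = max(matches, key=lambda p: p.prefixlen)
        return [r.next_hop for r in self.installed[longest]]


if __name__ == "__main__":
    rt = RoutingTable()
    rt.install(Route("rip", "192.168.32.0/24", "10.1.1.2", metric=4))
    rt.install(Route("ospf", "192.168.32.0/19", "10.1.1.3", metric=229840))
    print(rt.next_hops("192.168.32.1"))  # the /24 via 10.1.1.2 wins
    # Constructed floating static route: OSPF holds the prefix until it fails.
    ospf = Route("ospf", "10.0.0.0/8", "10.86.194.1", metric=20)
    rt.install(ospf)
    rt.install(Route("static", "10.0.0.0/8", "10.86.194.2", ad=130))
    rt.withdraw(ospf)
    print(rt.next_hops("10.5.5.5"))  # backup static route now installed
```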
Dynamic Routing and Failover
Dynamic routes are not replicated to the standby unit or failover group in a failover configuration.
Therefore, immediately after a failover occurs, some packets received by the security appliance may be
dropped because of a lack of routing information or routed to a default static route while the routing table
is repopulated by the configured dynamic routing protocols.
Chapter 10 Configuring DHCP, DDNS, and WCCP Services
This chapter describes how to configure the DHCP server, dynamic DNS (DDNS) update methods, and
WCCP on the security appliance. DHCP provides network configuration parameters, such as IP
addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services
to DHCP clients attached to security appliance interfaces. The DHCP server provides network
configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one
interface to an external DHCP server located behind a different interface.
DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and
automates IP address allocation; DDNS update automatically records the association between assigned
addresses and hostnames at pre-defined intervals. DDNS allows frequently changing address-hostname
associations to be updated frequently. Mobile hosts, for example, can then move freely on a network
without user or administrator intervention. DDNS provides the necessary dynamic updating and
synchronizing of the name to address and address to name mappings on the DNS server.
WCCP specifies interactions between one or more routers, Layer 3 switches, or security appliances and
one or more web caches. The feature transparently redirects selected types of traffic to a group of web
cache engines to optimize resource usage and lower response times.
This chapter includes the following sections:
• Configuring a DHCP Server, page 10-1
• Configuring DHCP Relay Services, page 10-5
• Configuring Dynamic DNS, page 10-6
• Configuring Web Cache Services Using WCCP, page 10-9
Configuring a DHCP Server
This section describes how to configure the DHCP server provided by the security appliance. This section
includes the following topics:
• Enabling the DHCP Server, page 10-2
• Configuring DHCP Options, page 10-3
• Using Cisco IP Phones with a DHCP Server, page 10-4
Enabling the DHCP Server
The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to
hosts including the host IP address, the default gateway, and a DNS server.
Note The security appliance DHCP server does not support BOOTP requests.
In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used
by more than one context.
You can configure a DHCP server on each interface of the security appliance. Each interface can have
its own pool of addresses to draw from. However, the other DHCP settings, such as DNS servers, domain
name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server
on all interfaces.
You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is
enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is
enabled.
To enable the DHCP server on a given security appliance interface, perform the following steps:
Step 1 Create a DHCP address pool. Enter the following command to define the address pool:
hostname(config)# dhcpd address ip_address-ip_address interface_name
The security appliance assigns a client one of the addresses from this pool to use for a given length of time.
These addresses are the local, untranslated addresses for the directly connected network.
The address pool must be on the same subnet as the security appliance interface.
Step 2 (Optional) To specify the IP address(es) of the DNS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd dns dns1 [dns2]
You can specify up to two DNS servers.
Step 3 (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd wins wins1 [wins2]
You can specify up to two WINS servers.
Step 4 (Optional) To change the lease length to be granted to the client, enter the following command:
hostname(config)# dhcpd lease lease_length
This lease equals the amount of time (in seconds) the client can use its allocated IP address before the
lease expires. Enter a value from 300 to 1,048,575. The default value is 3600 seconds.
Step 5 (Optional) To configure the domain name the client uses, enter the following command:
hostname(config)# dhcpd domain domain_name
Step 6 (Optional) To configure the DHCP ping timeout value, enter the following command:
hostname(config)# dhcpd ping_timeout milliseconds
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before
assigning that address to a DHCP client. This command specifies the timeout value for those packets.
Step 7 (Transparent Firewall Mode) Define a default gateway. To define the default gateway that is sent to
DHCP clients, enter the following command.
hostname(config)# dhcpd option 3 ip gateway_ip
If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of
the management interface. The management interface does not route traffic.
Step 8 To enable the DHCP daemon within the security appliance to listen for DHCP client requests on the
enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name
For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter
the following commands:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside
Configuring DHCP Options
You can configure the security appliance to send information for the DHCP options listed in RFC 2132.
The DHCP options fall into one of three categories:
• Options that return an IP address.
• Options that return a text string.
• Options that return a hexadecimal value.
The security appliance supports all three categories of DHCP options. To configure a DHCP option, do
one of the following:
• To configure a DHCP option that returns one or two IP addresses, enter the following command:
hostname(config)# dhcpd option code ip addr_1 [addr_2]
• To configure a DHCP option that returns a text string, enter the following command:
hostname(config)# dhcpd option code ascii text
• To configure a DHCP option that returns a hexadecimal value, enter the following command:
hostname(config)# dhcpd option code hex value
Note The security appliance does not verify that the option type and value that you provide match the expected
type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option
46 ascii hello command and the security appliance accepts the configuration although option 46 is
defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the
option codes and their associated types and expected values, refer to RFC 2132.
Table 10-1 shows the DHCP options that are not supported by the dhcpd option command.
Table 10-1 Unsupported DHCP Options
Option Code   Description
0             DHCPOPT_PAD
1             DHCPOPT_SUBNET_MASK
12            DHCPOPT_HOST_NAME
50            DHCPOPT_REQUESTED_ADDRESS
51            DHCPOPT_LEASE_TIME
52            DHCPOPT_OPTION_OVERLOAD
53            DHCPOPT_MESSAGE_TYPE
54            DHCPOPT_SERVER_IDENTIFIER
58            DHCPOPT_RENEWAL_TIME
59            DHCPOPT_REBINDING_TIME
61            DHCPOPT_CLIENT_IDENTIFIER
67            DHCPOPT_BOOT_FILE_NAME
82            DHCPOPT_RELAY_INFORMATION
255           DHCPOPT_END
Specific options, DHCP options 3, 66, and 150, are used to configure Cisco IP Phones. See the “Using
Cisco IP Phones with a DHCP Server” section on page 10-4 for more information about
configuring those options.
Using Cisco IP Phones with a DHCP Server
Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution
typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch
offices. This implementation allows centralized call processing, reduces the equipment required, and
eliminates the administration of additional Cisco CallManager and other servers at branch offices.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it
does not have both the IP address and TFTP server IP address preconfigured, it sends a request with
option 150 or 66 to the DHCP server to obtain this information.
• DHCP option 150 provides the IP addresses of a list of TFTP servers.
• DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security
appliance DHCP server provides values for both options in the response if they are configured on the
security appliance.
You can configure the security appliance to send information for most options listed in RFC 2132. The
following example shows the syntax for any option number, as well as the syntax for commonly-used
options 66, 150, and 3:
• To provide information for DHCP requests that include an option number as specified in RFC 2132,
enter the following command:
hostname(config)# dhcpd option number value
• To provide the IP address or name of a TFTP server for option 66, enter the following command:
hostname(config)# dhcpd option 66 ascii server_name
• To provide the IP address or names of one or two TFTP servers for option 150, enter the following
command:
hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]
The server_ip1 is the IP address or name of the primary TFTP server while server_ip2 is the
IP address or name of the secondary TFTP server. A maximum of two TFTP servers can be
identified using option 150.
• To set the default route, enter the following command:
hostname(config)# dhcpd option 3 ip router_ip1
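Because the appliance accepts a dhcpd option line whose value type does not match the option code (the dhcpd option 46 ascii hello case in the note above), here is an added Python check (not from the guide and not the appliance's code) that validates such a line against the expected type for the option codes this section and the Cisco IP Phone section discuss, and returns the option's wire encoding; the expected-type table is limited to those codes and is my own assumption, as are the sample lines.

```python
import ipaddress
import struct

# Expected value type per option code, for the codes the guide discusses.
# Option 150 (TFTP server address) is a Cisco option, not one from RFC 2132.
OPTION_TYPES = {
    3: ("ip", "Router"),
    46: ("hex", "NetBIOS Node Type"),
    66: ("ascii", "TFTP Server Name"),
    150: ("ip", "TFTP Server Address"),
}
FIXED_LEN = {46: 1}  # node type is exactly one octet
# Option codes the dhcpd option command does not accept (Table 10-1).
UNSUPPORTED = {0, 1, 12, 50, 51, 52, 53, 54, 58, 59, 61, 67, 82, 255}


def encode_dhcpd_option(code, kind, values):
    """Validate a (code, {ip|ascii|hex}, values) triple and return the
    option encoded as code, length, data. Raises ValueError on mismatch."""
    if not 0 <= code <= 255:
        raise ValueError(f"option code {code} out of range")
    if code in UNSUPPORTED:
        raise ValueError(f"option {code} cannot be set with dhcpd option")
    expected = OPTION_TYPES.get(code)
    if expected and expected[0] != kind:
        raise ValueError(
            f"option {code} ({expected[1]}) expects {expected[0]}, got {kind}")
    if kind == "ip":
        if not 1 <= len(values) <= 2:
            raise ValueError("ip options take one or two addresses")
        data = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    elif kind == "ascii":
        data = " ".join(values).encode("ascii")
    elif kind == "hex":
        data = bytes.fromhex("".join(values))  # rejects odd length / non-hex
    else:
        raise ValueError(f"unknown value type {kind}")
    if code in FIXED_LEN and len(data) != FIXED_LEN[code]:
        raise ValueError(f"option {code} needs exactly {FIXED_LEN[code]} octet(s)")
    if not 1 <= len(data) <= 255:
        raise ValueError("option data must be 1 to 255 octets")
    return struct.pack("!BB", code, len(data)) + data


def check_dhcpd_option_line(line):
    """Parse 'dhcpd option <code> <type> <value...>' from a configuration.
    Returns (True, wire_bytes) or (False, reason)."""
    parts = line.split()
    if parts[:2] != ["dhcpd", "option"] or len(parts) < 5:
        return False, "not a complete dhcpd option command"
    try:
        return True, encode_dhcpd_option(int(parts[2]), parts[3], parts[4:])
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed configuration lines, including the guide's mismatched one.
    for cfg in ("dhcpd option 46 ascii hello",
                "dhcpd option 46 hex 08",
                "dhcpd option 150 ip 10.0.1.50 10.0.1.51",
                "dhcpd option 53 hex 05"):
        print(cfg, "->", check_dhcpd_option_line(cfg))
```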
Configuring DHCP Relay Services
A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router
connected to a different interface.
The following restrictions apply to the use of the DHCP relay agent:
• The relay agent cannot be enabled if the DHCP server feature is also enabled.
• Clients must be directly connected to the security appliance and cannot send requests through
another relay agent or a router.
• For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than
one context.
Note DHCP Relay services are not available in transparent firewall mode. A security appliance in transparent
firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP
requests and replies through the security appliance in transparent mode, you need to configure two
access lists, one that allows DHCP requests from the inside interface to the outside, and one that allows
the replies from the server in the other direction.
Note When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance
forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded
to the client until the client DHCP relay binding is removed. The binding is removed when the security
appliance receives any of the following DHCP messages: ACK, NACK, or decline.
To enable DHCP relay, perform the following steps:
Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following
command:
hostname(config)# dhcprelay server ip_address if_name
You can use this command up to 4 times to identify up to 4 servers.
Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command:
hostname(config)# dhcprelay enable interface
Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following
command:
hostname(config)# dhcprelay timeout seconds
Step 4 (Optional) To change the first default router address in the packet sent from the DHCP server to the
address of the security appliance interface, enter the following command:
hostname(config)# dhcprelay setroute interface_name
This action allows the client to set its default route to point to the security appliance even if the DHCP
server specifies a different router.
If there is no default router option in the packet, the security appliance adds one containing the interface
address.
The following example enables the security appliance to forward DHCP requests from clients connected
to the inside interface to a DHCP server on the outside interface:
hostname(config)# dhcprelay server 201.168.200.4 outside
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay setroute inside
Configuring Dynamic DNS
This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS
update integrates DNS with DHCP. The two protocols are complementary—DHCP centralizes and
automates IP address allocation, while dynamic DNS update automatically records the association
between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this
configures a host automatically for network access whenever it attaches to the IP network. You can locate
and reach the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move
freely without user or administrator intervention.
DDNS provides address and domain name mappings so hosts can find each other even though their
DHCP-assigned IP addresses change frequently. The DDNS name and address mappings are held on the
DHCP server in two resource records: the A RR contains the name to IP address mapping while the PTR
RR maps addresses to names. Of the two methods for performing DDNS updates—the IETF standard
defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in
this release.
The two most common DDNS update configurations are:
• The DHCP client updates the A RR while the DHCP server updates PTR RR.
• The DHCP server updates both the A and PTR RRs.
In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured
to perform all desired DNS updates. The server may be configured to honor these updates or not. To
update the PTR RR, the DHCP server must know the Fully Qualified Domain Name of the client. The
client provides an FQDN to the server using a DHCP option called Client FQDN.
The following examples present these common scenarios:
• Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7
• Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request;
FQDN Provided Through Configuration, page 10-7
• Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server
Overrides Client and Updates Both RRs., page 10-8
• Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR
Only; Honors Client Request and Updates Both A and PTR RR, page 10-8
• Example 5: Client Updates A RR; Server Updates PTR RR, page 10-9
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
The following example configures the client to request that it update both A and PTR resource records
for static IP addresses. To configure this example, perform the following steps:
Step 1 To define a DDNS update method called ddns-2 that requests that the client update both the A and PTR
RRs, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To associate the method ddns-2 with the eth1 interface, enter the following commands:
hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com
Step 3 To configure a static IP address for eth1, enter the following command:
hostname(config-if)# ip address 10.0.0.40 255.255.255.0
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client
Update Request; FQDN Provided Through Configuration
The following example configures 1) the DHCP client to request that it update both the A and PTR RRs,
and 2) the DHCP server to honor the requests. To configure this example, perform the following steps:
Step 1 To configure the DHCP client to request that the DHCP server perform no updates, enter the following
command:
hostname(config)# dhcp-client update dns server none
Step 2 To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform
both A and PTR updates, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 3 To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable
DHCP on the interface, enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
hostname(if-config)# ip address dhcp
Step 4 To configure the DHCP server, enter the following command:
hostname(if-config)# dhcpd update dns
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either
RR; Server Overrides Client and Updates Both RRs.
The following example configures the DHCP client to include the FQDN option instructing the DHCP
server not to perform either the A or PTR updates. The example also configures the server to override the
client request. As a result, the client backs off without performing any updates.
To configure this scenario, perform the following steps:
Step 1 To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter
the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To assign the DDNS update method named ddns-2 on interface Ethernet0 and provide the client
hostname (asa), enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
Step 3 To enable the DHCP client feature on the interface, enter the following commands:
hostname(if-config)# dhcp client update dns server none
hostname(if-config)# ip address dhcp
Step 4 To configure the DHCP server to override the client update requests, enter the following command:
hostname(if-config)# dhcpd update dns both override
Example 4: Client Asks Server To Perform Both Updates; Server Configured to
Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
The following example configures the server to perform only PTR RR updates by default. However, the
server honors the client request that it perform both A and PTR updates. The server also forms the FQDN
by appending the domain name (example.com) to the hostname provided by the client (asa).
To configure this scenario, perform the following steps:
Step 1 To configure the DHCP client on interface Ethernet0, enter the following commands:
hostname(config)# interface Ethernet0
hostname(config-if)# dhcp client update dns both
hostname(config-if)# ddns update hostname asa
Step 2 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Example 5: Client Updates A RR; Server Updates PTR RR
The following example configures the client to update the A resource record and the server to update the
PTR records. Also, the client uses the domain name from the DHCP server to form the FQDN.
To configure this scenario, perform the following steps:
Step 1 To define the DDNS update method named ddns-2, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns
Step 2 To configure the DHCP client for interface Ethernet0 and assign the update method to the interface, enter
the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa
Step 3 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Configuring Web Cache Services Using WCCP
The purpose of web caching is to reduce latency and network traffic. Previously-accessed web pages are
stored in a cache buffer, so if a user needs the page again, they can retrieve it from the cache instead of
the web server.
WCCP specifies interactions between the security appliance and external web caches. The feature
transparently redirects selected types of traffic to a group of web cache engines to optimize resource
usage and lower response times. The security appliance only supports WCCP version 2.
Using a security appliance as an intermediary eliminates the need for a separate router to do the WCCP
redirect because the security appliance takes care of redirecting requests to cache engines. When the
security appliance knows when a packet needs redirection, it skips TCP state tracking, TCP sequence
number randomization, and NAT on these traffic flows.
This section includes the following topics:
• WCCP Feature Support, page 10-9
• WCCP Interaction With Other Features, page 10-10
• Enabling WCCP Redirection, page 10-10
WCCP Feature Support
The following WCCPv2 features are supported with the security appliance:
• Redirection of multiple TCP/UDP port-destined traffic.
• Authentication for cache engines in a service group.
The following WCCPv2 features are not supported with the security appliance:
• Multiple routers in a service group are not supported. Multiple cache engines in a service group are
still supported.
• Multicast WCCP is not supported.
• The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
• WCCP source address spoofing.
WCCP Interaction With Other Features
In the security appliance implementation of WCCP, the following applies to how the protocol interacts
with other configurable features:
• An ingress access list entry always takes priority over WCCP. For example, if an access list does
not permit a client to communicate with a server, then traffic is not redirected to a cache engine.
Both ingress interface access lists and egress interface access lists are applied.
• TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a
redirected flow of traffic.
• When a cache engine cannot service a request and the packet is returned, or when a cache miss
happens on a cache engine and it requests data from a web server, the contents of the traffic flow are
subject to all the other configured features of the security appliance.
• In failover, WCCP redirect tables are not replicated to standby units. After a failover, packets will
not be redirected until the tables are rebuilt. Sessions redirected prior to failover will likely be reset
by the web server.
Enabling WCCP Redirection
There are two steps to configuring WCCP redirection on the security appliance. The first involves
identifying the service to be redirected with the wccp command, and the second is defining on which
interface the redirection occurs with the wccp redirect command. The wccp command can optionally
also define which cache engines can participate in the service group, and what traffic should be
redirected to the cache engine.
WCCP redirect is supported only on the ingress of an interface. The only topology that the security
appliance supports is when client and cache engine are behind the same interface of the security
appliance and the cache engine can directly communicate with the client without going through the
security appliance.
The following configuration tasks assume you have already installed and configured the cache engines
you wish to include in your network.
To configure WCCP redirection, perform the following steps:
Step 1 To enable a WCCP service group, enter the following command:
hostname(config)# wccp {web-cache | service_number} [redirect-list access_list]
[group-list access_list] [password password]
The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic
to the cache engines; alternatively, you can specify a service number between 0 and 254. For example,
to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. Enter this
command once for each service group you want to enable.
The redirect-list access_list argument controls traffic redirected to this service group.
The group-list access_list argument determines which web cache IP addresses are allowed to participate
in the service group.
The password password argument specifies MD5 authentication for messages received from the service
group. Messages that are not accepted by the authentication are discarded.
Step 2 To enable WCCP redirection on an interface, enter the following command:
hostname(config)# wccp interface interface_name {web-cache | service_number} redirect in
For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside
interface to a web cache, enter the following commands:
hostname(config)# wccp web-cache
hostname(config)# wccp interface inside web-cache redirect in
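The following Python script is an added example and is not part of this guide or of the security appliance software. It parses the wccp and wccp interface lines of a running configuration (a constructed sample is embedded) and reports service groups that are missing the group-list and password options described in Step 1, or that are defined but never applied with wccp interface.

```python
"""Audit WCCP service groups in a security appliance configuration.

Added example (not from the guide). The configuration text, its service
names and access-list names are constructed for illustration. A finding
is raised for each documented safeguard a service group does not use.
"""
import re

# wccp {web-cache | service_number} [redirect-list acl] [group-list acl] [password pw]
WCCP_RE = re.compile(
    r"^wccp\s+(?P<service>web-cache|\d{1,3})"
    r"(?:\s+redirect-list\s+(?P<redirect>\S+))?"
    r"(?:\s+group-list\s+(?P<group>\S+))?"
    r"(?:\s+password\s+(?P<password>\S+))?\s*$"
)
# wccp interface if_name {web-cache | service_number} redirect in
REDIRECT_RE = re.compile(
    r"^wccp\s+interface\s+(?P<ifname>\S+)\s+"
    r"(?P<service>web-cache|\d{1,3})\s+redirect\s+in\s*$"
)

# Constructed sample configuration, not from a real device.
SAMPLE_CONFIG = """
! constructed sample
wccp web-cache
wccp 60 redirect-list ftp_clients group-list cache_engines password example-key
wccp interface inside web-cache redirect in
wccp interface inside 60 redirect in
"""


def parse_wccp(config: str):
    """Return ({service: options}, [(interface, service), ...])."""
    services = {}
    redirects = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("wccp interface"):
            m = REDIRECT_RE.match(line)
            if m:
                redirects.append((m["ifname"], m["service"]))
            continue
        m = WCCP_RE.match(line)
        if m:
            services[m["service"]] = {
                "redirect_list": m["redirect"],
                "group_list": m["group"],
                "password": m["password"],
            }
    return services, redirects


def audit_wccp(config: str):
    """List the weaknesses a reviewer would flag in the WCCP configuration."""
    services, redirects = parse_wccp(config)
    findings = []
    for svc, opts in services.items():
        if opts["group_list"] is None:
            # Without group-list any host may register as a cache engine.
            findings.append(f"service {svc}: no group-list restricting cache engines")
        if opts["password"] is None:
            # Without password, service-group messages are not MD5 authenticated.
            findings.append(f"service {svc}: no password, service-group messages unauthenticated")
        if opts["redirect_list"] is None:
            findings.append(f"service {svc}: no redirect-list, all matching traffic is redirected")
        if not any(s == svc for _, s in redirects):
            findings.append(f"service {svc}: defined but not applied to any interface")
    for ifname, svc in redirects:
        if svc not in services:
            findings.append(f"interface {ifname}: redirect refers to undefined service {svc}")
    return findings


if __name__ == "__main__":
    for finding in audit_wccp(SAMPLE_CONFIG):
        print(finding)
```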
Chapter 11 Configuring Multicast Routing
This chapter describes how to configure multicast routing. This section includes the following topics:
• Multicast Routing Overview, page 11-13
• Enabling Multicast Routing, page 11-14
• Configuring IGMP Features, page 11-14
• Configuring Stub Multicast Routing, page 11-17
• Configuring a Static Multicast Route, page 11-17
• Configuring PIM Features, page 11-18
• For More Information about Multicast Routing, page 11-22
Multicast Routing Overview
The security appliance supports both stub multicast routing and PIM multicast routing. However, you
cannot configure both concurrently on a single security appliance.
Stub multicast routing provides dynamic host registration and facilitates multicast routing. When
configured for stub multicast routing, the security appliance acts as an IGMP proxy agent. Instead of
fully participating in multicast routing, the security appliance forwards IGMP messages to an upstream
multicast router, which sets up delivery of the multicast data. When configured for stub multicast
routing, the security appliance cannot be configured for PIM.
The security appliance supports both PIM-SM and bi-directional PIM. PIM-SM is a multicast routing
protocol that uses the underlying unicast routing information base or a separate multicast-capable
routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point per
multicast group and optionally creates shortest-path trees per multicast source.
Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast
sources and receivers. Bi-directional trees are built using a DF election process operating on each link
of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific
state. The DF election takes place during Rendezvous Point discovery and provides a default route to the
Rendezvous Point.
Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as
the RP address.
Enabling Multicast Routing
Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast
routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the
following command:
hostname(config)# multicast-routing
The number of entries in the multicast routing tables is limited by the amount of RAM on the system.
Table 11-1 lists the maximum number of entries for specific multicast tables based on the amount of
RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Configuring IGMP Features
IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses
group addresses (Class D IP addresses) as group identifiers. Host group addresses can be in the range
224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address
224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a
subnet.
When you enable multicast routing on the security appliance, IGMP Version 2 is automatically enabled
on all interfaces.
Note Only the no igmp command appears in the interface configuration when you use the show run
command. If the multicast-routing command appears in the device configuration, then IGMP is
automatically enabled on all interfaces.
This section describes how to configure optional IGMP settings on a per-interface basis. This section
includes the following topics:
• Disabling IGMP on an Interface, page 11-15
• Configuring Group Membership, page 11-15
• Configuring a Statically Joined Group, page 11-15
• Controlling Access to Multicast Groups, page 11-15
• Limiting the Number of IGMP States on an Interface, page 11-16
• Modifying the Query Interval and Query Timeout, page 11-16
• Changing the Query Response Time, page 11-17
• Changing the IGMP Version, page 11-17
Table 11-1 Entry Limits for Multicast Tables
Table          16 MB    128 MB   128+ MB
MFIB           1000     3000     5000
IGMP Groups    1000     3000     5000
PIM Routes     3000     7000     12000
Disabling IGMP on an Interface
You can disable IGMP on specific interfaces. This is useful if you know that you do not have any
multicast hosts on a specific interface and you want to prevent the security appliance from sending host
query messages on that interface.
To disable IGMP on an interface, enter the following command:
hostname(config-if)# no igmp
To reenable IGMP on an interface, enter the following command:
hostname(config-if)# igmp
Note Only the no igmp command appears in the interface configuration.
Configuring Group Membership
You can configure the security appliance to be a member of a multicast group. Configuring the security
appliance to join a multicast group causes upstream routers to maintain multicast routing table
information for that group and keep the paths for that group active.
To have the security appliance join a multicast group, enter the following command:
hostname(config-if)# igmp join-group group-address
Configuring a Statically Joined Group
Sometimes a group member cannot report its membership in the group, or there may be no members of
a group on the network segment, but you still want multicast traffic for that group to be sent to that
network segment. You can have multicast traffic for that group sent to the segment in one of two ways:
• Using the igmp join-group command (see Configuring Group Membership, page 11-15). This
causes the security appliance to accept and to forward the multicast packets.
• Using the igmp static-group command. The security appliance does not accept the multicast
packets but rather forwards them to the specified interface.
To configure a statically joined multicast group on an interface, enter the following command:
hostname(config-if)# igmp static-group group-address
Controlling Access to Multicast Groups
To control the multicast groups that hosts on the security appliance interface can join, perform the
following steps:
Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list.
You can use extended or standard access lists.
• To create a standard access list, enter the following command:
hostname(config)# access-list name standard [permit | deny] ip_addr mask
The ip_addr argument is the IP address of the multicast group being permitted or denied.
• To create an extended access list, enter the following command:
hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr
src_mask dst_ip_addr dst_mask
The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Step 2 Apply the access list to an interface by entering the following command:
hostname(config-if)# igmp access-group acl
The acl argument is the name of a standard or extended IP access list.
Limiting the Number of IGMP States on an Interface
You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface
basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic
for the excess membership reports is not forwarded.
To limit the number of IGMP states on an interface, enter the following command:
hostname(config-if)# igmp limit number
Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents
learned groups from being added, but manually defined memberships (using the igmp join-group and
igmp static-group commands) are still permitted. The no form of this command restores the default
value.
Modifying the Query Interval and Query Timeout
The security appliance sends query messages to discover which multicast groups have members on the
networks attached to the interfaces. Members respond with IGMP report messages indicating that they
want to receive multicast packets for specific groups. Query messages are addressed to the all-systems
multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.
These messages are sent periodically to refresh the membership information stored on the security
appliance. If the security appliance discovers that there are no local members of a multicast group still
attached to an interface, it stops forwarding multicast packets for that group to the attached network and
it sends a prune message back to the source of the packets.
By default, the PIM designated router on the subnet is responsible for sending the query messages. By
default, they are sent once every 125 seconds. To change this interval, enter the following command:
hostname(config-if)# igmp query-interval seconds
If the security appliance does not hear a query message on an interface for the specified timeout value
(by default, 255 seconds), then the security appliance becomes the designated router and starts sending
the query messages. To change this timeout value, enter the following command:
hostname(config-if)# igmp query-timeout seconds
Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.
Changing the Query Response Time
By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security
appliance does not receive a response to a host query within this amount of time, it deletes the group.
To change the maximum query response time, enter the following command:
hostname(config-if)# igmp query-max-response-time seconds
Changing the IGMP Version
By default, the security appliance runs IGMP Version 2, which enables several additional features such
as the igmp query-timeout and igmp query-interval commands.
All multicast routers on a subnet must support the same version of IGMP. The security appliance does
not automatically detect version 1 routers and switch to version 1. However, a mix of IGMP Version 1
and 2 hosts on the subnet works; the security appliance running IGMP Version 2 works correctly when
IGMP Version 1 hosts are present.
To control which version of IGMP is running on an interface, enter the following command:
hostname(config-if)# igmp version {1 | 2}
Configuring Stub Multicast Routing
A security appliance acting as the gateway to the stub area does not need to participate in PIM. Instead,
you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected
on one interface to an upstream multicast router on another. To configure the security appliance as an
IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream
interface.
To forward the host join and leave messages, enter the following command from the interface attached
to the stub area:
hostname(config-if)# igmp forward interface if_name
Note Stub Multicast Routing and PIM are not supported concurrently.
Configuring a Static Multicast Route
When using PIM, the security appliance expects to receive packets on the same interface where it sends
unicast packets back to the source. In some cases, such as bypassing a route that does not support
multicast routing, you may want unicast packets to take one path and multicast packets to take another.
Static multicast routes are not advertised or redistributed.
To configure a static multicast route for PIM, enter the following command:
hostname(config)# mroute src_ip src_mask {input_if_name | rpf_addr} [distance]
To configure a static multicast route for a stub area, enter the following command:
hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]
Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing.
Configuring PIM Features
Routers use PIM to maintain forwarding tables for forwarding multicast datagrams. When you enable
multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces.
Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols
that use ports.
This section describes how to configure optional PIM settings. This section includes the following
topics:
• Disabling PIM on an Interface, page 11-18
• Configuring a Static Rendezvous Point Address, page 11-19
• Configuring the Designated Router Priority, page 11-19
• Filtering PIM Register Messages, page 11-19
• Configuring PIM Message Intervals, page 11-20
• Configuring a Multicast Boundary, page 11-20
• Filtering PIM Neighbors, page 11-20
• Supporting Mixed Bidirectional/Sparse-Mode PIM Networks, page 11-21
Disabling PIM on an Interface
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following
command:
hostname(config-if)# no pim
To reenable PIM on an interface, enter the following command:
hostname(config-if)# pim
Note Only the no pim command appears in the interface configuration.
Configuring a Static Rendezvous Point Address
All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP
address. The address is statically configured using the pim rp-address command.
Note The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address
command to specify the RP address.
You can configure the security appliance to serve as RP to more than one group. The group range
specified in the access list determines the PIM RP group mapping. If an access list is not specified, then
the RP for the group is applied to the entire multicast group range (224.0.0.0/4).
To configure the address of the PIM RP, enter the following command:
hostname(config)# pim rp-address ip_address [acl] [bidir]
The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the
name or number of a standard access list that defines which multicast groups the RP should be used with.
Do not use a host ACL with this command. Excluding the bidir keyword causes the groups to operate
in PIM sparse mode.
Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the
actual bidir configuration.
Configuring the Designated Router Priority
The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more
than one multicast router on a network segment, there is an election process to select the DR based on
DR priority. If multiple devices have the same DR priority, then the device with the highest IP address
becomes the DR.
By default, the security appliance has a DR priority of 1. You can change this value by entering the
following command:
hostname(config-if)# pim dr-priority num
The num argument can be any number from 1 to 4294967294.
Filtering PIM Register Messages
You can configure the security appliance to filter PIM register messages. To filter PIM register messages,
enter the following command:
hostname(config)# pim accept-register {list acl | route-map map-name}
Configuring PIM Message Intervals
Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router
query messages. By default, router query messages are sent every 30 seconds. You can change this value
by entering the following command:
hostname(config-if)# pim hello-interval seconds
Valid values for the seconds argument range from 1 to 3600 seconds.
Every 60 seconds, the security appliance sends PIM join/prune messages. To change this value, enter the
following command:
hostname(config-if)# pim join-prune-interval seconds
Valid values for the seconds argument range from 10 to 600 seconds.
Configuring a Multicast Boundary
Address scoping defines domain boundaries so that domains with RPs that have the same IP address do
not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the
boundaries between the domain and the Internet.
You can set up an administratively scoped boundary on an interface for multicast group addresses using
the multicast boundary command. IANA has designated the multicast address range 239.0.0.0 to
239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in
domains administered by different organizations. They would be considered local, not globally unique.
To configure a multicast boundary, enter the following command:
hostname(config-if)# multicast boundary acl [filter-autorp]
A standard ACL defines the range of addresses affected. When a boundary is set up, no multicast data
packets are allowed to flow across the boundary from either direction. The boundary allows the same
multicast group address to be reused in different administrative domains.
You can configure the filter-autorp keyword to examine and filter Auto-RP discovery and
announcement messages at the administratively scoped boundary. Any Auto-RP group range
announcements from the Auto-RP packets that are denied by the boundary access control list (ACL) are
removed. An Auto-RP group range announcement is permitted and passed by the boundary only if all
addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not
permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP
message is forwarded.
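The following Python script is an added example, not part of this guide or of the security appliance software. It models the standard access list used by both the igmp access-group command (Controlling Access to Multicast Groups) and the multicast boundary command above: first-match evaluation with an implicit deny, a subnet mask rather than a wildcard mask, and, for the boundary, the assumption (consistent with the Auto-RP filtering described above) that groups denied by the ACL are the ones blocked. The access list names and entries are constructed.

```python
"""Evaluate standard access lists against multicast group addresses.

Added example (not from the guide). Models 'igmp access-group acl' and
'multicast boundary acl' decisions for a given group address using the
guide's access-list syntax. ACL names and entries below are constructed.
"""
import ipaddress
import re

# access-list name [standard] {permit | deny} {any | host addr | addr mask}
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:standard\s+)?(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<mask>\S+))\s*$"
)

MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")
# Never assigned to a joinable group (see Configuring IGMP Features).
RESERVED = {"224.0.0.0", "224.0.0.1", "224.0.0.2"}

# Constructed sample configuration, not from a real device.
SAMPLE_CONFIG = """
access-list mcast_join standard permit 239.10.0.0 255.255.0.0
access-list mcast_join standard deny 239.0.0.0 255.0.0.0
access-list mcast_join standard permit 224.0.0.0 240.0.0.0
access-list scope_edge standard deny 239.0.0.0 255.0.0.0
access-list scope_edge standard permit any
"""


def parse_standard_acl(config: str, name: str):
    """Return the entries of access list `name` as (action, network) in order."""
    entries = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m["name"] != name:
            continue
        if m["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif m["host"]:
            net = ipaddress.IPv4Network(f"{m['host']}/32")
        else:
            net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        entries.append((m["action"], net))
    return entries


def acl_permits(entries, address: str) -> bool:
    """First matching entry decides; an empty or exhausted list denies."""
    ip = ipaddress.IPv4Address(address)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def igmp_join_allowed(config: str, acl_name: str, group: str) -> bool:
    """Would a membership report for `group` be accepted under igmp access-group?"""
    ip = ipaddress.IPv4Address(group)
    if ip not in MULTICAST or group in RESERVED:
        return False  # not a joinable multicast group address at all
    return acl_permits(parse_standard_acl(config, acl_name), group)


def boundary_blocks(config: str, acl_name: str, group: str) -> bool:
    """Does 'multicast boundary acl_name' drop data for `group` (either direction)?"""
    return not acl_permits(parse_standard_acl(config, acl_name), group)


def is_admin_scoped(group: str) -> bool:
    """True for the 239/8 range that must not cross an organisation boundary."""
    return ipaddress.IPv4Address(group) in ADMIN_SCOPED


if __name__ == "__main__":
    for g in ("239.10.5.5", "239.20.1.1", "232.1.1.1", "224.0.0.1"):
        print(g, "join:", igmp_join_allowed(SAMPLE_CONFIG, "mcast_join", g),
              "blocked at edge:", boundary_blocks(SAMPLE_CONFIG, "scope_edge", g))
```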
Filtering PIM Neighbors
You can define the routers that can become PIM neighbors with the pim neighbor-filter command. By
filtering the routers that can become PIM neighbors, you can:
• Prevent unauthorized routers from becoming PIM neighbors.
• Prevent attached stub routers from participating in PIM.
To define the neighbors that can become a PIM neighbor, perform the following steps:
Step 1 Use the access-list command to define a standard access list that defines the routers you want to
participate in PIM.
For example, the following access list, when used with the pim neighbor-filter command, prevents the
10.1.1.1 router from becoming a PIM neighbor:
hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255
Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers.
For example, the following commands prevent the 10.1.1.1 router from becoming a PIM neighbor on
interface GigabitEthernet0/3:
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim neighbor-filter pim_nbr
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks
Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers
in a segment must be bidirectionally enabled in order for bidir to elect a DF.
The pim bidir-neighbor-filter command enables the transition from a sparse-mode-only network to a
bidir network by letting you specify the routers that should participate in DF election while still allowing
all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from
among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the
non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir
subset cloud.
When the pim bidir-neighbor-filter command is enabled, the routers that are permitted by the ACL are
considered to be bidir-capable. Therefore:
• If a permitted neighbor does not support bidir, the DF election does not occur.
• If a denied neighbor supports bidir, then DF election does not occur.
• If a denied neighbor does not support bidir, the DF election occurs.
To control which neighbors can participate in the DF election, perform the following steps:
Step 1 Use the access-list command to define a standard access list that permits the routers you want to
participate in the DF election and denies all others.
For example, the following access list permits the routers at 10.1.1.1 and 10.2.2.2 to participate in the
DF election and denies all others:
hostname(config)# access-list pim_bidir permit 10.1.1.1 255.255.255.255
hostname(config)# access-list pim_bidir permit 10.2.2.2 255.255.255.255
hostname(config)# access-list pim_bidir deny any
Step 2 Enable the pim bidir-neighbor-filter command on an interface.
The following example applies the access list created in the previous step to the interface GigabitEthernet0/3.
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter pim_bidir
For More Information about Multicast Routing
The following RFCs from the IETF provide technical details about the IGMP and multicast routing
standards used for implementing the SMR feature:
• RFC 2236 IGMPv2
• RFC 2362 PIM-SM
• RFC 2588 IP Multicast and Firewalls
• RFC 2113 IP Router Alert Option
• IETF draft-ietf-idmr-igmp-proxy-01.txt
Chapter 12 Configuring IPv6
This chapter describes how to enable and configure IPv6 on the security appliance. IPv6 is available in
Routed firewall mode only.
This chapter includes the following sections:
• IPv6-enabled Commands, page 12-1
• Configuring IPv6, page 12-2
• Verifying the IPv6 Configuration, page 12-11
For a sample IPv6 configuration, see Appendix B, “Sample Configurations.”
IPv6-enabled Commands
The following security appliance commands can accept and display IPv6 addresses:
• capture
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
• ssh
• telnet
• tftp-server
• who
• write
Note Failover does not support IPv6. The ipv6 address command does not support setting standby addresses
for failover configurations. The failover interface ip command does not support using IPv6 addresses
on the failover and Stateful Failover interfaces.
When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using
standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The security appliance correctly
recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square
brackets ([ ]) in the following situations:
• You need to specify a port number with the address, for example
[fe80::2e0:b6ff:fe01:3b7a]:8080.
• The command uses a colon as a separator, such as the write net and config net commands, for
example configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/pixconfig.
The following commands were modified to work for IPv6:
• debug
• fragment
• ip verify
• mtu
• icmp (entered as ipv6 icmp)
The following inspection engines support IPv6:
• FTP
• HTTP
• ICMP
• SMTP
• TCP
• UDP
Configuring IPv6
This section contains the following topics:
• Configuring IPv6 on an Interface, page 12-3
• Configuring a Dual IP Stack on an Interface, page 12-4
• Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses, page 12-4
• Configuring IPv6 Duplicate Address Detection, page 12-4
• Configuring IPv6 Default and Static Routes, page 12-5
• Configuring IPv6 Access Lists, page 12-6
• Configuring IPv6 Neighbor Discovery, page 12-7
• Configuring a Static IPv6 Neighbor, page 12-11
Configuring IPv6 on an Interface
At a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you
can add a site-local and global address to the interface.
Note The security appliance does not support IPv6 anycast addresses.
You can configure both IPv6 and IPv4 addresses on an interface.
To configure IPv6 on an interface, perform the following steps:
Step 1 Enter interface configuration mode for the interface on which you are configuring the IPv6 addresses:
hostname(config)# interface if
Step 2 Configure an IPv6 address on the interface. You can assign several IPv6 addresses to an interface, such
as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a
link-local address.
There are several methods for configuring IPv6 addresses. Pick the method that suits your needs from
the following:
• The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless
autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router
Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is
automatically generated for the interface when stateless autoconfiguration is enabled. To enable
stateless autoconfiguration, enter the following command:
hostname(config-if)# ipv6 address autoconfig
• If you only need to configure a link-local address on the interface and are not going to assign any
other IPv6 addresses to the interface, you have the option of manually defining the link-local address
or generating one based on the interface MAC address (Modified EUI-64 format):
– Enter the following command to manually specify the link-local address:
hostname(config-if)# ipv6 address ipv6-address link-local
– Enter the following command to enable IPv6 on the interface and automatically generate the
link-local address using the Modified EUI-64 interface ID based on the interface MAC address:
hostname(config-if)# ipv6 enable
Note You do not need to use the ipv6 enable command if you enter any other ipv6 address
commands on an interface; IPv6 support is automatically enabled as soon as you assign an
IPv6 address to the interface.
• Assign a site-local or global address to the interface. When you assign a site-local or global address,
a link-local address is automatically created. Enter the following command to add a global or
site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64
interface ID in the low order 64 bits of the address.
hostname(config-if)# ipv6 address ipv6-address [eui-64]
Step 3 (Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement
messages are automatically sent in response to router solicitation messages. You may want to disable
these messages on any interface for which you do not want the security appliance to supply the IPv6
prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
hostname(config-if)# ipv6 nd suppress-ra
Configuring a Dual IP Stack on an Interface
The security appliance supports the configuration of both IPv6 and IPv4 on an interface. You do not need
to enter any special commands to do so; simply enter the IPv4 configuration commands and IPv6
configuration commands as you normally would. Make sure you configure a default route for both IPv4
and IPv6.
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement
for hosts attached to the local link.
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link,
enter the following command:
hostname(config)# ipv6 enforce-eui64 if_name
The if_name argument is the name of the interface, as specified by the nameif command, on which you
are enabling the address format enforcement.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
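The two pieces of EUI-64 behaviour described above, address derivation (the eui-64 keyword and ipv6 enable in Step 2) and the ipv6 enforce-eui64 source check, as an added example that is not code from the Cisco guide. The MAC address is the one behind the link-local address in the show ipv6 interface sample later in this chapter; the global prefix 2001:db8:0:a::/64 and the router MAC are constructed. The last flow in demo() shows the documented caveat: a correctly EUI-64-numbered host behind a router still fails, because the frame arrives with the router's MAC.

```python
"""Modified EUI-64 interface IDs and the enforce-eui64 source check.

Added example, not code from the Cisco guide. Reproduces what `ipv6 address
... eui-64` (and `ipv6 enable`) derive from an interface MAC, and the check
`ipv6 enforce-eui64` applies to a new flow: the low 64 bits of the source
address must equal the Modified EUI-64 of the frame's source MAC.
"""
import ipaddress

IPv6Addr = ipaddress.IPv6Address
IID_MASK = (1 << 64) - 1


def modified_eui64(mac):
    """64-bit Modified EUI-64 from a 48-bit MAC (RFC 4291, Appendix A):
    OUI | ff:fe | NIC, with the universal/local bit (0x02 of octet 0) inverted."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big") ^ (1 << 57)   # bit 0x02 of the first octet


def eui64_address(prefix, mac):
    """The address `ipv6 address <prefix> eui-64` assigns for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the Modified EUI-64 interface ID needs a 64-bit prefix")
    return IPv6Addr(int(net.network_address) | modified_eui64(mac))


def link_local_address(mac):
    """The link-local address `ipv6 enable` generates: fe80::/64 + Modified EUI-64."""
    return eui64_address("fe80::/64", mac)


def eui64_check(src_ipv6, src_mac):
    """The enforce-eui64 test for one new flow: True if the interface ID of the
    source address is the Modified EUI-64 of the frame's source MAC."""
    return (int(IPv6Addr(src_ipv6)) & IID_MASK) == modified_eui64(src_mac)


def filter_new_flows(flows):
    """Apply the check to (src_ipv6, src_mac) pairs of new flows arriving on an
    interface with `ipv6 enforce-eui64` set; returns (src_ipv6, verdict) pairs."""
    drop = "dropped: %PIX|ASA-3-325003: EUI-64 source address check failed."
    return [(ip, "passed" if eui64_check(ip, mac) else drop) for ip, mac in flows]


def demo():
    host_mac = "00:0d:88:ee:6a:82"      # MAC behind the sample link-local address
    router_mac = "00:1b:2c:3d:4e:5f"    # constructed: a router on the same link
    flows = [
        (str(link_local_address(host_mac)), host_mac),                  # on-link host, EUI-64 IID
        (str(eui64_address("2001:db8:0:a::/64", host_mac)), host_mac),  # same host, global address
        ("2001:db8:0:a::1", host_mac),                                  # manually numbered host
        ("2001:db8:0:b:20d:88ff:feee:6a82", router_mac),                # host behind the router
    ]
    return filter_new_flows(flows)
```

Run demo() to see the four verdicts; only the first two flows pass. The check is applied once per flow, as the guide states, so filter_new_flows() is the right granularity for a model of it.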
Configuring IPv6 Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of
new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in
a tentative state while duplicate address detection is performed). Duplicate address detection is
performed first on the new link-local address. When the link local address is verified as unique, then
duplicate address detection is performed on all the other IPv6 unicast addresses on the interface.
Duplicate address detection is suspended on interfaces that are administratively down. While an
interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a
pending state. An interface returning to an administratively up state restarts duplicate address detection
for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface. If the duplicate address is a global address, the address is not used. However,
all configuration commands associated with the duplicate address remain as configured while the state
of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 addresses associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The security appliance uses neighbor solicitation messages to perform duplicate address detection. By
default, the number of times an interface performs duplicate address detection is 1.
To change the number of duplicate address detection attempts, enter the following command:
hostname(config-if)# ipv6 nd dad attempts value
The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate
address detection on the interface.
When you configure an interface to send out more than one duplicate address detection attempt, you can
also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation
messages are sent out. By default, they are sent out once every 1000 milliseconds.
To change the neighbor solicitation message interval, enter the following command:
hostname(config-if)# ipv6 nd ns-interval value
The value argument can be from 1000 to 3600000 milliseconds.
Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just
those used for duplicate address detection.
Configuring IPv6 Default and Static Routes
The security appliance automatically routes IPv6 traffic between directly connected hosts if the
interfaces to which the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic.
The security appliance does not support dynamic routing protocols for IPv6. Therefore, to route IPv6 traffic
to a non-connected host or network, you need to define a static route to the host or network or, at a
minimum, a default route. Without a static or default route defined, traffic to non-connected hosts or
networks generates the following error message:
%PIX|ASA-6-110001: No route to dest_address from source_address
You can add a default route and static routes using the ipv6 route command.
To configure an IPv6 default route and static routes, perform the following steps:
Step 1 To add the default route, use the following command:
hostname(config)# ipv6 route if_name ::/0 next_hop_ipv6_addr
The address ::/0 is the IPv6 equivalent of “any.”
Step 2 (Optional) Define IPv6 static routes. Use the following command to add an IPv6 static route to the IPv6
routing table:
hostname(config)# ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]
Note The ipv6 route command works like the route command used to define IPv4 static routes.
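The forwarding decisions this section describes, as an added example that is not code from the Cisco guide: connected prefixes are reachable with no route configured, a more specific static route beats the ::/0 default, and two routes to the same prefix are settled by administrative distance. Interface names, prefixes and next hops are constructed, and the default administrative distance of 1 for a static route is assumed.

```python
"""Longest-prefix-match forwarding over connected, static and default IPv6 routes.

Added example, not code from the Cisco guide. Models the table that the
`ipv6 route if_name destination next_hop [admin_distance]` commands build.
"""
import ipaddress
from dataclasses import dataclass

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class Route:
    code: str               # C connected, S static (the codes show ipv6 route prints)
    if_name: str
    prefix: IPv6Net
    next_hop: IPv6Addr      # :: for a connected prefix (deliver directly)
    admin_distance: int


def parse_ipv6_route(command):
    """Parse `ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]`."""
    t = command.split()
    if t[:2] != ["ipv6", "route"] or len(t) not in (5, 6):
        raise ValueError(f"malformed ipv6 route command: {command!r}")
    admin_distance = int(t[5]) if len(t) == 6 else 1      # assumed default of 1
    return Route("S", t[2], IPv6Net(t[3], strict=False), IPv6Addr(t[4]), admin_distance)


class RoutingTable:
    def __init__(self, connected):
        """connected: {if_name: prefix} for every IPv6-enabled interface."""
        self.routes = [Route("C", name, IPv6Net(p, strict=False), IPv6Addr("::"), 0)
                       for name, p in connected.items()]

    def add(self, command):
        self.routes.append(parse_ipv6_route(command))

    def lookup(self, dst):
        """Longest prefix wins; ties go to the lowest administrative distance."""
        dst = IPv6Addr(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))

    def forward(self, src, dst):
        """Return (interface, next hop) or the syslog text for an unroutable destination."""
        route = self.lookup(dst)
        if route is None:
            return f"%PIX|ASA-6-110001: No route to {dst} from {src}"
        return route.if_name, str(route.next_hop)


def build_table(with_default=True):
    """Constructed example: inside and outside links, one static route with a floating backup."""
    table = RoutingTable({"inside": "2001:db8:0:a::/64", "outside": "2001:db8:0:1::/64"})
    table.add("ipv6 route inside 2001:db8:0:b::/64 2001:db8:0:a::2")        # AD 1
    table.add("ipv6 route outside 2001:db8:0:b::/64 2001:db8:0:1::1 200")   # used only if the first is gone
    if with_default:
        table.add("ipv6 route outside ::/0 2001:db8:0:1::1")
    return table
```

build_table(with_default=False).forward(...) for an off-link destination returns the "No route" message the guide shows; with the ::/0 route present the same destination goes to the outside next hop.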
Configuring IPv6 Access Lists
Configuring an IPv6 access list is similar to configuring an IPv4 access list, but with IPv6 addresses.
To configure an IPv6 access list, perform the following steps:
Step 1 Create the access list entries. Use the ipv6 access-list command once for each entry in the access
list. There are two main forms of this command to choose from, one for creating access list entries
specifically for ICMP traffic, and one for creating access list entries for all other types of IP traffic.
• To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
destination [icmp_type]
• To create an IPv6 access list entry, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
[src_port] destination [dst_port]
The following describes the arguments for the ipv6 access-list command:
• id—The name of the access list. Use the same id in each command when you are entering multiple
entries for an access list.
• line num—When adding an entry to an access list, you can specify the line number in the list where
the entry should appear.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
• protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip,
tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object
group using object-group grp_id.
• source and destination—Specifies the source or destination of the traffic. The source or destination
can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any,
to specify any address, or a specific host designated by host host_ipv6_addr.
• src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt
for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive
range) followed by a space and a port number (or two port numbers separated by a space for the
range keyword).
• icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a
valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in Appendix D,
“Addresses, Protocols, and Ports”. Alternatively, you can specify an ICMP object group using
object-group id.
Step 2 To apply the access list to an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface if_name
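The entry syntax and matching rules described in Steps 1 and 2, as an added example that is not code from the Cisco guide: it parses ipv6 access-list commands in the documented form (id, optional line num, permit or deny, protocol or icmp, source and destination as any, host or prefix/length, port operators lt/gt/eq/neq/range, ICMP type), keeps them in line order, and evaluates a packet first-match-wins with the implicit deny at the end. ICMP types are accepted as numbers only (the literal names are in Appendix D), the access-group binding is not modelled, and the access list and packets are constructed.

```python
"""IPv6 access-list parsing and first-match evaluation.

Added example, not code from the Cisco guide. `icmp` in an ipv6 access-list
entry means ICMPv6 (protocol 58); `ip` matches any protocol.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv6Net = ipaddress.IPv6Network
PROTOCOLS = {"ip": None, "icmp": 58, "tcp": 6, "udp": 17}
PORT_OPS = ("lt", "gt", "eq", "neq", "range")


@dataclass
class Ace:
    action: str
    protocol: Optional[int]          # None = any IP protocol
    src: IPv6Net
    src_port: Optional[Tuple]
    dst: IPv6Net
    dst_port: Optional[Tuple]
    icmp_type: Optional[int]


def _addr(t, i):
    """Consume `any`, `host X` or `prefix/len`; return (network, next index)."""
    if t[i] == "any":
        return IPv6Net("::/0"), i + 1
    if t[i] == "host":
        return IPv6Net(t[i + 1] + "/128"), i + 2
    return IPv6Net(t[i], strict=False), i + 1


def _port(t, i):
    """Consume an optional `lt|gt|eq|neq N` or `range A B`; return (matcher, next index)."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return None, i
    if t[i] == "range":
        return ("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return (t[i], int(t[i + 1])), i + 2


def _port_matches(matcher, port):
    if matcher is None:
        return True
    op = matcher[0]
    if op == "range":
        return matcher[1] <= port <= matcher[2]
    return {"lt": port < matcher[1], "gt": port > matcher[1],
            "eq": port == matcher[1], "neq": port != matcher[1]}[op]


def parse_ace(command):
    """Parse one `ipv6 access-list id [line n] {permit|deny} ...` command.
    Returns (acl id, line number or None, Ace)."""
    t = command.split()
    if t[:2] != ["ipv6", "access-list"]:
        raise ValueError(f"not an ipv6 access-list command: {command!r}")
    acl_id, i, line = t[2], 3, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    action, proto, i = t[i], t[i + 1], i + 2
    protocol = int(proto) if proto.isdigit() else PROTOCOLS[proto]
    src, i = _addr(t, i)
    src_port, i = (None, i) if protocol == 58 else _port(t, i)     # the icmp form has no ports
    dst, i = _addr(t, i)
    if protocol == 58:
        icmp_type, dst_port = (int(t[i]) if i < len(t) else None), None
    else:
        icmp_type = None
        dst_port, i = _port(t, i)
    return acl_id, line, Ace(action, protocol, src, src_port, dst, dst_port, icmp_type)


class AccessList:
    def __init__(self, acl_id):
        self.acl_id, self.aces = acl_id, []

    def add(self, command):
        acl_id, line, ace = parse_ace(command)
        if acl_id != self.acl_id:
            raise ValueError("entry belongs to a different access list")
        if line is None:
            self.aces.append(ace)
        else:
            self.aces.insert(line - 1, ace)       # `line n` places the entry at position n

    def evaluate(self, pkt):
        """First matching entry decides; anything unmatched hits the implicit deny."""
        src, dst = ipaddress.IPv6Address(pkt["src"]), ipaddress.IPv6Address(pkt["dst"])
        for ace in self.aces:
            if ace.protocol is not None and ace.protocol != pkt["proto"]:
                continue
            if src not in ace.src or dst not in ace.dst:
                continue
            if ace.protocol == 58:
                if ace.icmp_type is not None and ace.icmp_type != pkt.get("icmp_type"):
                    continue
            elif not (_port_matches(ace.src_port, pkt.get("sport", 0))
                      and _port_matches(ace.dst_port, pkt.get("dport", 0))):
                continue
            return ace.action
        return "deny"


def build_outside_in():
    """Constructed list: HTTPS to one server, ICMPv6 echo (type 128) into the subnet, deny the rest;
    the `line 1` entry is then inserted ahead of them to allow DNS from the DMZ range."""
    acl = AccessList("OUTSIDE_IN")
    for cmd in (
        "ipv6 access-list OUTSIDE_IN permit tcp any host 2001:db8:0:a::10 eq 443",
        "ipv6 access-list OUTSIDE_IN permit icmp any 2001:db8:0:a::/64 128",
        "ipv6 access-list OUTSIDE_IN deny ip any any",
        "ipv6 access-list OUTSIDE_IN line 1 permit udp 2001:db8:0:b::/64 range 1024 65535 host 2001:db8:0:a::53 eq 53",
    ):
        acl.add(cmd)
    return acl
```

Packets are plain dicts with src, dst, proto and either sport/dport or icmp_type, so the same evaluate() call covers the ICMP form and the general form of the command.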
Configuring IPv6 Neighbor Discovery
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to
determine the link-layer address of a neighbor on the same network (local link), verify the reachability
of a neighbor, and keep track of neighboring routers.
This section contains the following topics:
• Configuring Neighbor Solicitation Messages, page 12-7
• Configuring Router Advertisement Messages, page 12-9
• Multicast Listener Discovery Support, page 12-11
Configuring Neighbor Solicitation Messages
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to
discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is
sent to the solicited-node multicast address.The source address in the neighbor solicitation message is
the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation
message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the
destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data
portion of the neighbor advertisement message includes the link-layer address of the node sending the
neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node can
communicate. Figure 12-1 shows the neighbor solicitation and response process.
Figure 12-1 IPv6 Neighbor Discovery—Neighbor Solicitation Message
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the
destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node
on a local link. When there is such a change, the destination address for the neighbor advertisement is
the all-nodes multicast address.
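The neighbor solicitation exchange described in this section and the duplicate address detection procedure described under Configuring IPv6 Duplicate Address Detection, as one added example that is not code from the Cisco guide. A tentative address is probed with a neighbor solicitation (ICMPv6 Type 135) sent from the unspecified address to the target's solicited-node multicast group; a neighbor advertisement (ICMPv6 Type 136) in reply marks the address DUPLICATE, a duplicate link-local address disables IPv6 on the interface, and attempts=0 models ipv6 nd dad attempts 0. Node names, MACs and the colliding addresses are constructed; the first address and its solicited-node group match the show ipv6 interface sample later in this chapter.

```python
"""Duplicate address detection over a simulated link.

Added example, not code from the Cisco guide. Models the NS/NA exchange the
appliance uses for DAD and the address states the guide describes.
"""
import ipaddress
from dataclasses import dataclass, field

IPv6 = ipaddress.IPv6Address
NS, NA = 135, 136                         # ICMPv6 neighbor solicitation / advertisement
ALL_NODES = IPv6("ff02::1")
UNSPECIFIED = IPv6("::")                  # DAD probes are sent before the address is usable
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    return IPv6(int(IPv6("ff02::1:ff00:0")) | (int(IPv6(str(addr))) & 0xFFFFFF))


@dataclass
class Node:
    name: str
    mac: str
    addresses: dict = field(default_factory=dict)   # IPv6 -> TENTATIVE / PREFERRED / DUPLICATE
    ipv6_enabled: bool = True

    def groups(self):
        """Groups joined: all-nodes plus the solicited-node group of every address in use."""
        return {ALL_NODES} | {solicited_node(a) for a, st in self.addresses.items()
                              if st != "DUPLICATE"}

    def receive(self, msg):
        """A node that already holds the targeted address answers the NS with an NA."""
        if not self.ipv6_enabled or msg["type"] != NS or msg["dst"] not in self.groups():
            return None
        if self.addresses.get(msg["target"]) in ("TENTATIVE", "PREFERRED"):
            return {"type": NA, "src": msg["target"], "dst": ALL_NODES,
                    "target": msg["target"], "lladdr": self.mac}
        return None


def dad(link, node, addr, attempts=1):
    """Run DAD for addr on node; attempts=0 models `ipv6 nd dad attempts 0` (DAD off).
    Returns the syslog text the guide documents for a duplicate, or None."""
    target = IPv6(str(addr))
    node.addresses[target] = "TENTATIVE"
    ns = {"type": NS, "src": UNSPECIFIED, "dst": solicited_node(target), "target": target}
    for _ in range(attempts):
        for other in link:
            if other is node:
                continue
            na = other.receive(ns)
            if na is not None and na["target"] == target:
                node.addresses[target] = "DUPLICATE"
                if target in LINK_LOCAL:          # duplicate link-local: IPv6 stops on the interface
                    node.ipv6_enabled = False
                return f"%PIX|ASA-4-325002: Duplicate address {target}/{na['lladdr']} on interface"
    node.addresses[target] = "PREFERRED"
    return None


def scenario():
    """Constructed link: A already owns the address B tries; C picks a free one;
    D repeats B's collision with DAD disabled and never learns about it."""
    taken = IPv6("fe80::20d:88ff:feee:6a82")
    free = IPv6("fe80::20d:88ff:fe44:5566")
    a = Node("A", "00:0d:88:ee:6a:82", {taken: "PREFERRED"})
    b = Node("B", "00:0d:88:11:22:33")
    c = Node("C", "00:0d:88:44:55:66")
    d = Node("D", "00:0d:88:77:88:99")
    link = [a, b, c, d]
    return {
        "b_msg": dad(link, b, taken), "b_state": (b.addresses[taken], b.ipv6_enabled),
        "c_msg": dad(link, c, free), "c_state": c.addresses[free],
        "d_msg": dad(link, d, taken, attempts=0), "d_state": d.addresses[taken],
    }
```

scenario() returns B's duplicate message and disabled state, C's clean PREFERRED result, and D's silently accepted duplicate, which is what setting the attempts value to 0 buys you.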
You can configure the neighbor solicitation message interval and neighbor reachable time on a
per-interface basis. See the following topics for more information:
• Configuring the Neighbor Solicitation Message Interval, page 12-8
• Configuring the Neighbor Reachable Time, page 12-8
Configuring the Neighbor Solicitation Message Interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the
following command:
hostname(config-if)# ipv6 nd ns-interval value
Valid values for the value argument range from 1000 to 3600000 milliseconds. The default value is 1000
milliseconds.
This setting is also sent in router advertisement messages.
Configuring the Neighbor Reachable Time
The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable
detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network
bandwidth and processing resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability
confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
[Figure 12-1 contents: A sends ICMPv6 Type = 135, Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A, Query = what is your link address?; B replies with ICMPv6 Type = 136, Src = B, Dst = A, Data = link-layer address of B; A and B can now exchange packets on this link.]
Valid values for the value argument range from 0 to 3600000 milliseconds. The default is 0.
This information is also sent in router advertisement messages.
When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices
to set and track the reachable time value. To see the time used by the security appliance when this value
is set to 0, use the show ipv6 interface command to display information about the IPv6 interface,
including the ND reachable time being used.
Configuring Router Advertisement Messages
Router advertisement messages (ICMPv6 Type 134) are periodically sent out of each IPv6-enabled
interface of the security appliance. The router advertisement messages are sent to the all-nodes multicast
address.
Figure 12-2 IPv6 Neighbor Discovery—Router Advertisement Message
Router advertisement messages typically include the following information:
• One or more IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6
addresses.
• Lifetime information for each prefix included in the advertisement.
• Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.
• Default router information (whether the router sending the advertisement should be used as a default
router and, if so, the amount of time (in seconds) the router should be used as a default router).
• Additional information for hosts, such as the hop limit and MTU a host should use in packets that it
originates.
• The amount of time between neighbor solicitation message retransmissions on a given link.
• The amount of time a node considers a neighbor reachable.
Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133).
Router solicitation messages are sent by hosts at system startup so that the host can immediately
autoconfigure without needing to wait for the next scheduled router advertisement message. Because
router solicitation messages are usually sent by hosts at system startup, and the host does not have a
configured unicast address, the source address in router solicitation messages is usually the unspecified
IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the
interface sending the router solicitation message is used as the source address in the message. The
destination address in router solicitation messages is the all-routers multicast address with a scope of the
link. When a router advertisement is sent in response to a router solicitation, the destination address in
the router advertisement message is the unicast address of the source of the router solicitation message.
[Figure 12-2 contents: the security appliance sends a router advertisement out each interface. Router advertisement packet definitions: ICMPv6 Type = 134, Src = router link-local address, Dst = all-nodes multicast address, Data = options, prefix, lifetime, autoconfig flag.]
You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
• The router lifetime value, which indicates the amount of time IPv6 nodes should consider the security
appliance to be the default router.
• The IPv6 network prefixes in use on the link.
• Whether or not an interface transmits router advertisement messages.
Unless otherwise noted, the router advertisement message settings are specific to an interface and are
entered in interface configuration mode. See the following topics for information about changing these
settings:
• Configuring the Router Advertisement Transmission Interval, page 12-10
• Configuring the Router Lifetime Value, page 12-10
• Configuring the IPv6 Prefix, page 12-10
• Suppressing Router Advertisement Messages, page 12-11
Configuring the Router Advertisement Transmission Interval
By default, router advertisements are sent out every 200 seconds. To change the interval between router
advertisement transmissions on an interface, enter the following command:
hostname(config-if)# ipv6 nd ra-interval [msec] value
Valid values range from 3 to 1800 seconds (or 500 to 1800000 milliseconds if the msec keyword is used).
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime
if the security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To
prevent synchronization with other IPv6 nodes, the actual interval used is randomly adjusted to within 20
percent of the configured value.
Configuring the Router Lifetime Value
The router lifetime value specifies how long nodes on the local link should consider the security appliance
as the default router on the link.
To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following
command:
hostname(config-if)# ipv6 nd ra-lifetime seconds
Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that the
security appliance should not be considered a default router on the selected interface.
Configuring the IPv6 Prefix
Stateless autoconfiguration uses IPv6 prefixes provided in router advertisement messages to create the
global unicast address from the link-local address.
To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following
command:
hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement
messages must always be 64 bits.
Suppressing Router Advertisement Messages
By default, Router Advertisement messages are automatically sent in response to router solicitation
messages. You may want to disable these messages on any interface for which you do not want the security
appliance to supply the IPv6 prefix (for example, the outside interface).
To suppress IPv6 router advertisement transmissions on an interface, enter the following command:
hostname(config-if)# ipv6 nd suppress-ra
Entering this command causes the security appliance to appear as a regular IPv6 neighbor on the link
and not as an IPv6 router.
Multicast Listener Discovery Support
Multicast Listener Discovery Protocol (MLD) Version 2 is supported. MLD lets routers discover the presence
of multicast address listeners on their directly attached links, and discover specifically which multicast
addresses are of interest to those neighboring nodes. The security appliance acts as a multicast address
listener (a host), not as a multicast router: it responds to Multicast Listener Queries and sends Multicast
Listener Reports only.
The following commands were added or enhanced to support MLD:
• clear ipv6 mld traffic Command
• show ipv6 mld Command
Configuring a Static IPv6 Neighbor
You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address
already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery
process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor
discovery cache are not modified by the neighbor discovery process.
To configure a static entry in the IPv6 neighbor discovery cache, enter the following command:
hostname(config)# ipv6 neighbor ipv6_address if_name mac_address
The ipv6_address argument is the link-local IPv6 address of the neighbor, the if_name argument is the
interface through which the neighbor is available, and the mac_address argument is the MAC address of
the neighbor interface.
Note The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery
cache; it only clears the dynamic entries.
Verifying the IPv6 Configuration
This section describes how to verify your IPv6 configuration. You can use various show and clear
commands to verify your IPv6 settings.
This section includes the following topics:
• The show ipv6 interface Command, page 12-12
• The show ipv6 route Command, page 12-12
• The show ipv6 mld traffic Command, page 12-13
The show ipv6 interface Command
To display the IPv6 interface settings, enter the following command:
hostname# show ipv6 interface [if_name]
Including the interface name, such as “outside”, displays the settings for the specified interface.
Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on
them. The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
• The multicast groups the interface belongs to.
• ICMP redirect and error message settings.
• Neighbor discovery settings.
The following is sample output from the show ipv6 interface command:
hostname# show ipv6 interface
ipv6interface is down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:88ff:feee:6a82 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::1:ffee:6a82
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Note The show interface command only displays the IPv4 settings for an interface. To see the IPv6
configuration on an interface, you need to use the show ipv6 interface command. The show ipv6
interface command does not display any IPv4 settings for the interface (if both types of addresses are
configured on the interface).
The show ipv6 route Command
To display the routes in the IPv6 routing table, enter the following command:
hostname# show ipv6 route
The output from the show ipv6 route command is similar to the IPv4 show route command. It displays
the following information:
• The protocol that derived the route.
• The IPv6 prefix of the remote network.
• The administrative distance and metric for the route.
• The address of the next-hop router.
• The interface through which the next hop router to the specified network is reached.
The following is sample output from the show ipv6 route command:
hostname# show ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L fe80::/10 [0/0]
via ::, inside
L fec0::a:0:0:a0a:a70/128 [0/0]
via ::, inside
C fec0:0:0:a::/64 [0/0]
via ::, inside
L ff00::/8 [0/0]
via ::, inside
The show ipv6 mld traffic Command
To display the MLD traffic counters, enter the following command:
hostname# show ipv6 mld traffic
The output from the show ipv6 mld traffic command shows how many MLD messages of each type have been
received and sent since the counters were last cleared, plus error counters, so you can check whether the
expected MLD exchange is taking place.
The following is sample output from the show ipv6 mld traffic command:
hostname# show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
                              Received   Sent
Valid MLD Packets                    1      3
Queries                              1      0
Reports                              0      3
Leaves                               0      0
Mtrace packets                       0      0
Errors:
Malformed Packets                    0
Martian source                       0
Non link-local source                0
Hop limit is not equal to 1          0

Chapter 13 Configuring AAA Servers and the Local Database
This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and
the local database.
This chapter contains the following sections:
• AAA Overview, page 13-1
• AAA Server and Local Database Support, page 13-2
• Configuring the Local Database, page 13-10
• Identifying AAA Server Groups and Servers, page 13-12
• Using Certificates and User Login Credentials, page 13-15
• Supporting a Zone Labs Integrity Server, page 13-16
AAA Overview
AAA enables the security appliance to determine who the user is (authentication), what the user can do
(authorization), and what the user did (accounting).
AAA provides a level of protection and control for user access beyond what access lists alone provide. For
example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ
network. If you want only some users to access the server, and you might not always know the IP addresses
of these users, you can enable AAA to allow only authenticated and/or authorized users through the
security appliance. (The Telnet server enforces authentication, too; the security appliance prevents
unauthorized users from attempting to access the server.)
You can use authentication alone or with authorization and accounting. Authorization always requires a
user to be authenticated first. You can use accounting alone, or with authentication and authorization.
This section includes the following topics:
• About Authentication, page 13-1
• About Authorization, page 13-2
• About Accounting, page 13-2
About Authentication
Authentication controls access by requiring valid user credentials, which are typically a username and
password. You can configure the security appliance to authenticate the following items:
• All administrative connections to the security appliance including the following sessions:
– Telnet
– SSH
– Serial console
– ASDM (using HTTPS)
– VPN management access
• The enable command
• Network access
• VPN access
About Authorization
Authorization controls access per user after users authenticate. You can configure the security appliance
to authorize the following items:
• Management commands
• Network access
• VPN access
Authorization controls the services and commands available to each authenticated user. If you do not
enable authorization, authentication alone provides the same access to services for all authenticated
users.
If you need the control that authorization provides, you can configure a broad authentication rule, and
then have a detailed authorization configuration. For example, you authenticate inside users who attempt
to access any server on the outside network and then limit the outside servers that a particular user can
access using authorization.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the same
services during the current authentication session, the security appliance does not resend the request to
the authorization server.
About Accounting
Accounting tracks traffic that passes through the security appliance, enabling you to have a record of
user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do
not authenticate the traffic, you can account for traffic per IP address. Accounting information includes
when sessions start and stop, username, the number of bytes that pass through the security appliance for
the session, the service used, and the duration of each session.
AAA Server and Local Database Support
The security appliance supports a variety of AAA server types and a local database that is stored on the
security appliance. This section describes support for each AAA server type and the local database.
This section contains the following topics:
• Summary of Support, page 13-3
• RADIUS Server Support, page 13-3
• TACACS+ Server Support, page 13-4
• SDI Server Support, page 13-4
• NT Server Support, page 13-5
• Kerberos Server Support, page 13-5
• LDAP Server Support, page 13-6
• SSO Support for WebVPN with HTTP Forms, page 13-9
• Local Database Support, page 13-9
Summary of Support
Table 13-1 summarizes the support for each AAA service by each AAA server type, including the local
database. For more information about support for a specific AAA server type, refer to the topics
following the table.
Table 13-1 Summary of AAA Support
                                              Database Type
AAA Service            Local   RADIUS   TACACS+   SDI      NT    Kerberos   LDAP   HTTP Form
Authentication of...
  VPN users            Yes     Yes      Yes       Yes      Yes   Yes        Yes    Yes (1)
  Firewall sessions    Yes     Yes      Yes       Yes      Yes   Yes        Yes    No
  Administrators       Yes     Yes      Yes       Yes (2)  Yes   Yes        Yes    No
Authorization of...
  VPN users            Yes     Yes      No        No       No    No         Yes    No
  Firewall sessions    No      Yes (3)  Yes       No       No    No         No     No
  Administrators       Yes (4) No       Yes       No       No    No         No     No
Accounting of...
  VPN connections      No      Yes      Yes       No       No    No         No     No
  Firewall sessions    No      Yes      Yes       No       No    No         No     No
  Administrators       No      Yes (5)  Yes       No       No    No         No     No
1. HTTP Form protocol supports single sign-on authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or
specified in a RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.
RADIUS Server Support
The security appliance supports RADIUS servers.
This section contains the following topics:
• Authentication Methods, page 13-4
• Attribute Support, page 13-4
• RADIUS Authorization Functions, page 13-4
Authentication Methods
The security appliance supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• CHAP—For L2TP-over-IPSec.
• MS-CHAPv1—For L2TP-over-IPSec.
• MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the
password management feature is enabled.
Attribute Support
The security appliance supports the following sets of RADIUS attributes:
• Authentication attributes defined in RFC 2138.
• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.
RADIUS Authorization Functions
The security appliance can use RADIUS servers for user authorization for network access using dynamic
access lists or access list names per user. To implement dynamic access lists, you must configure the
RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable
access list or access list name to the security appliance. Access to a given service is either permitted or
denied by the access list. The security appliance deletes the access list when the authentication session
expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
SDI Server Support
RSA SecurID servers are also known as SDI servers.
This section contains the following topics:
• SDI Version Support, page 13-5
• Two-step Authentication Process, page 13-5
• SDI Primary and Replica Servers, page 13-5
SDI Version Support
The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and
SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file has
its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended.
A version 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or
any one of the replicas. See the “SDI Primary and Replica Servers” section on page 13-5 for information
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI versions 5.0 and 6.0 use a two-step process to prevent an intruder from capturing information from
an RSA SecurID authentication request and using it to authenticate to another server. The Agent first
sends a lock request to the SecurID server before sending the user authentication request. The server
locks the username, preventing another (replica) server from accepting it. This means that the same user
cannot authenticate to two security appliances using the same authentication servers simultaneously.
After a successful username lock, the security appliance sends the passcode.
SDI Primary and Replica Servers
The security appliance obtains the server list when the first user authenticates to the configured server,
which can be either a primary or a replica. The security appliance then assigns priorities to each of the
servers on the list, and subsequent server selection derives at random from those assigned priorities. The
highest priority servers have a higher likelihood of being selected.
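The two subsections above describe a protocol exchange (lock request, then passcode) and a server-selection rule (weighted by priority). The following Python is an added model of both, not Cisco or RSA code: the SdiServerSet class stands in for a primary and its replicas, the shared lock table is this model's way of representing "the server locks the username, preventing another (replica) server from accepting it", and the expected passcodes are constructed test data.

```python
import random
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class SdiServerSet:
    """A primary ACE/Server and its replicas (added model). They share one node secret, and in
    this model also one username-lock table, so any member refuses a username another member
    has locked for a different agent."""
    passcodes: Dict[str, str]                             # constructed: expected passcode per user
    locks: Dict[str, str] = field(default_factory=dict)   # username -> appliance holding the lock

    def lock_request(self, username: str, appliance: str) -> bool:
        """Step 1 of the exchange: the agent asks the server to lock the username."""
        holder = self.locks.get(username)
        if holder is not None and holder != appliance:
            return False                                  # already locked by another appliance
        self.locks[username] = appliance
        return True

    def passcode_request(self, username: str, passcode: str, appliance: str) -> str:
        """Step 2: the passcode is only accepted from the agent that holds the lock."""
        if self.locks.get(username) != appliance:
            return "NO_LOCK"                              # a captured passcode alone is useless
        del self.locks[username]                          # lock released once the attempt completes
        return "ACCEPT" if self.passcodes.get(username) == passcode else "REJECT"


def sdi_authenticate(servers: SdiServerSet, appliance: str, username: str, passcode: str) -> str:
    """The agent-side flow from the page: lock first, then send the passcode."""
    if not servers.lock_request(username, appliance):
        return "LOCKED_ELSEWHERE"
    return servers.passcode_request(username, passcode, appliance)


def choose_server(priorities: Dict[str, int], rng: random.Random) -> str:
    """Server selection for later requests: random, weighted by the priority the appliance
    assigned, so a high-priority server is more likely but not certain to be picked."""
    hosts = list(priorities)
    return rng.choices(hosts, weights=[priorities[h] for h in hosts], k=1)[0]


if __name__ == "__main__":
    realm = SdiServerSet(passcodes={"alice": "1234567890"})
    realm.lock_request("alice", "asa-1")                  # appliance 1 holds the lock
    print(sdi_authenticate(realm, "asa-2", "alice", "1234567890"))   # LOCKED_ELSEWHERE
    print(realm.passcode_request("alice", "1234567890", "asa-1"))    # ACCEPT
```

The second appliance is refused while the first holds the lock, which is the "same user cannot authenticate to two security appliances simultaneously" behaviour the page describes; once the first attempt completes, the username is free again.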
NT Server Support
The security appliance supports Microsoft Windows server operating systems that support NTLM
version 1, collectively referred to as NT servers.
Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
This is a limitation of NTLM version 1.
Kerberos Server Support
The security appliance supports 3DES, DES, and RC4 encryption types.
Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid
this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory
server for users connecting to the security appliance.
For a simple Kerberos server configuration example, see Example 13-2.
LDAP Server Support
This section describes using an LDAP directory with the security appliance for user authentication and
VPN authorization. This section includes the following topics:
• Authentication with LDAP, page 13-6
• Authorization with LDAP for VPN, page 13-7
• LDAP Attribute Mapping, page 13-8
For example configuration procedures used to set up LDAP authentication or authorization, see
Appendix E, “Configuring an External Server for Authorization and Authentication”.
Authentication with LDAP
During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and
authenticates to the LDAP server in either plain text or using the Simple Authentication and Security
Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a
username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can
secure the communications between the security appliance and the LDAP server with SSL using the
ldap-over-ssl command.
Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with
SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data which
is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a
single step.
Securing LDAP Authentication with SASL
The security appliance supports the following SASL mechanisms, listed in order of increasing strength:
• Digest-MD5 — The security appliance responds to the LDAP server with an MD5 value computed
from the username and password.
• Kerberos — The security appliance responds to the LDAP server by sending the username and realm
using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos
mechanism.
You can configure the security appliance and LDAP server to support any combination of these SASL
mechanisms. If you configure multiple mechanisms, the security appliance retrieves the list of SASL
mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism
configured on both the security appliance and the server. For example, if both the LDAP server and the
security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the
mechanisms.
The following example configures the security appliance for authentication to an LDAP directory server
named ldap_dir_1 using the digest-MD5 SASL mechanism, and communicating over an SSL-secured
connection:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#
Setting the LDAP Server Type
The security appliance supports LDAP Version 3. In the current release, it is compatible only with the
Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and
the Microsoft Active Directory. In later releases, the security appliance will support other OpenLDAP
servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP
directory server. However, if auto-detection fails to determine the LDAP server type, and you know the
server is either a Microsoft or Sun server, you can manually configure the server type. The following
example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#
Note • Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP
server which returns LDAP attributes. These attributes generally include authorization data that applies
to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.
To set up VPN user authorization using LDAP, you must first create a AAA server group and a tunnel
group. You then associate the server and tunnel groups using the tunnel-group general-attributes
command. While there are other authorization-related commands and options available for specific
requirements, the following example shows fundamental commands for enabling user authorization with
LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that
new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#
After you complete this fundamental configuration work, you can configure additional LDAP
authorization parameters such as a directory password, a starting point for searching a directory, and the
scope of a directory search:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-login-password obscurepassword
hostname(config-aaa-server-host)# ldap-base-dn starthere
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)#
See LDAP commands in the Cisco Security Appliance Command Reference for more information.
LDAP Attribute Mapping
If you are introducing a security appliance to an existing LDAP directory, your existing LDAP attribute
names and values probably differ from the Cisco attribute names and values the security appliance
expects. You must create LDAP attribute maps that map your existing user-defined attribute names and
values to Cisco attribute names and values that are compatible with the security appliance. You can then
bind these attribute maps to LDAP servers or remove them as needed. You can also show or clear attribute maps.
Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names
and values as well as the user-defined attribute names and values.
The following command, entered in global configuration mode, creates an unpopulated LDAP attribute
map table named att_map_1:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)#
The following commands map the user-defined attribute name department to the Cisco attribute name
cVPN3000-IETF-Radius-Class. The second command maps the user-defined attribute value Engineering
to the user-defined attribute department and the Cisco-defined attribute value group1.
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name department cVPN3000-IETF-Radius-Class
hostname(config-ldap-attribute-map)# map-value department Engineering group1
hostname(config-ldap-attribute-map)#
The following commands bind the attribute map att_map_1 to the LDAP server ldap_dir_1:
hostname(config)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-attribute-map att_map_1
hostname(config-aaa-server-host)#
Note The command to create an attribute map (ldap attribute-map) and the command to bind it to an LDAP
server (ldap-attribute-map) differ only by a hyphen and the mode.
The following commands display or clear all LDAP attribute maps in the running configuration:
hostname# show running-config all ldap attribute-map
hostname(config)# clear configuration ldap attribute-map
hostname(config)#
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes they
would commonly be mapped to include:
cVPN3000-IETF-Radius-Class — Department or user group
cVPN3000-IETF-Radius-Filter-Id — Access control list
cVPN3000-IETF-Radius-Framed-IP-Address — A static IP address
cVPN3000-IPSec-Banner1 — An organization title
cVPN3000-Tunneling-Protocols — Allow or deny dial-in
For a list of Cisco LDAP attribute names and values, see Appendix E, “Configuring an External Server
for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode
to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1 ?
ldap mode commands/options:
cisco-attribute-names:
cVPN3000-Access-Hours
cVPN3000-Allow-Network-Extension-Mode
cVPN3000-Auth-Service-Type
cVPN3000-Authenticated-User-Idle-Timeout
cVPN3000-Authorization-Required
cVPN3000-Authorization-Type
:
:
cVPN3000-X509-Cert-Data
hostname(config-ldap-attribute-map)#
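To make the map-name / map-value semantics concrete, here is an added Python model (not Cisco code) that parses an attribute-map block written in the syntax shown above and applies it to the attributes an LDAP server returns for a user. The config fragment and LDAP entries are constructed; the class and function names are this example's own; and two behaviours are assumptions of the model rather than documented appliance behaviour: attributes with no map-name are dropped, and a value with no map-value entry passes through unchanged.

```python
from typing import Dict, List, Optional


class LdapAttributeMap:
    """Model of one 'ldap attribute-map <name>' table (added example, not appliance code)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.names: Dict[str, str] = {}              # user-defined attr -> Cisco attr (map-name)
        self.values: Dict[str, Dict[str, str]] = {}  # user-defined attr -> {user value -> Cisco value}

    def map_name(self, user_attr: str, cisco_attr: str) -> None:
        self.names[user_attr] = cisco_attr

    def map_value(self, user_attr: str, user_value: str, cisco_value: str) -> None:
        self.values.setdefault(user_attr, {})[user_value] = cisco_value

    def apply(self, entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
        """Translate a user's LDAP attributes into Cisco attributes.
        Assumptions of this model: no map-name -> attribute dropped; no map-value -> value unchanged."""
        translated: Dict[str, List[str]] = {}
        for attr, vals in entry.items():
            cisco_attr = self.names.get(attr)
            if cisco_attr is None:
                continue
            table = self.values.get(attr, {})
            translated[cisco_attr] = [table.get(v, v) for v in vals]
        return translated


def parse_attribute_maps(config_text: str) -> Dict[str, LdapAttributeMap]:
    """Parse the 'ldap attribute-map' blocks of a running-config fragment.
    Note that the host-mode bind command 'ldap-attribute-map' (hyphenated) is a different
    command, as the page points out, and is rejected here rather than silently accepted."""
    maps: Dict[str, LdapAttributeMap] = {}
    current: Optional[LdapAttributeMap] = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or raw.lstrip().startswith("!"):
            continue
        if words[:2] == ["ldap", "attribute-map"] and len(words) == 3:
            current = maps.setdefault(words[2], LdapAttributeMap(words[2]))
        elif words[0] == "map-name" and len(words) == 3 and current is not None:
            current.map_name(words[1], words[2])
        elif words[0] == "map-value" and len(words) == 4 and current is not None:
            current.map_value(words[1], words[2], words[3])
        elif words[0] == "exit":
            current = None
        else:
            raise ValueError(f"unrecognised attribute-map line: {raw.strip()!r}")
    return maps


# Constructed config fragment in the syntax shown on the page.
SAMPLE_CONFIG = """\
ldap attribute-map att_map_1
 map-name department cVPN3000-IETF-Radius-Class
 map-value department Engineering group1
 map-value department Finance group2
 map-name title cVPN3000-IPSec-Banner1
"""

# Constructed LDAP entry, as a directory might return it after a successful bind.
SAMPLE_ENTRY = {
    "department": ["Engineering"],
    "title": ["Example Corp"],
    "mail": ["anyuser@example.com"],   # no map-name for 'mail', so this model drops it
}


def demo() -> Dict[str, List[str]]:
    return parse_attribute_maps(SAMPLE_CONFIG)["att_map_1"].apply(SAMPLE_ENTRY)


if __name__ == "__main__":
    print(demo())   # {'cVPN3000-IETF-Radius-Class': ['group1'], 'cVPN3000-IPSec-Banner1': ['Example Corp']}
```

Because the Cisco attribute that results (here cVPN3000-IETF-Radius-Class, the group-policy selector) decides what the VPN session is allowed to do, an unmapped or mistyped directory value ends up either ignored or applied verbatim; checking the translated output against the intended group policy is a cheap way to catch a wrong map before it reaches production.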
SSO Support for WebVPN with HTTP Forms
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of
WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only
once to access multiple protected services and Web servers. The WebVPN server running on the security
appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN
server sends an SSO authentication request, including username and password, to the authenticating
server using HTTPS. If the server approves the authentication request, it returns an SSO authentication
cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it
to authenticate the user to secure websites within the domain protected by the SSO server.
In addition to the HTTP Form protocol, WebVPN administrators can choose to configure SSO with the
HTTP Basic and NTLM authentication protocols (the auto-signon command), or with Computer
Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder) as well. For an in-depth
discussion of configuring SSO with either HTTP Forms, auto-signon or SiteMinder, see the Configuring
WebVPN chapter.
Local Database Support
The security appliance maintains a local database that you can populate with user profiles.
This section contains the following topics:
• User Profiles, page 13-10
• Fallback Support, page 13-10
User Profiles
User profiles contain, at a minimum, a username. Typically, a password is assigned to each username,
although passwords are optional.
The username attributes command lets you enter the username mode. In this mode, you can add other
information to a specific user profile. The information you can add includes VPN-related attributes, such
as a VPN session timeout value.
Fallback Support
The local database can act as a fallback method for several functions. This behavior is designed to help
you prevent accidental lockout from the security appliance.
For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords in the AAA servers. This provides transparent fallback
support. Because the user cannot tell whether a AAA server or the local database is providing the
service, if the usernames and passwords on the AAA servers differ from those in the local database,
the user cannot know which username and password to give.
The local database supports the following fallback functions:
• Console and enable password authentication—When you use the aaa authentication console
command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the
group all are unavailable, the security appliance uses the local database to authenticate
administrative access. This can include enable password authentication, too.
• Command authorization—When you use the aaa authorization command command, you can
add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group all
are unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to
enable remote access to the security appliance if AAA servers that normally support these VPN
services are unavailable. The authentication-server-group command, available in tunnel-group
general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes
of a tunnel group. When an administrator's VPN client specifies a tunnel group configured to fall back
to the local database, the VPN tunnel can be established even if the AAA server group is unavailable,
provided that the local database is configured with the necessary attributes.
Configuring the Local Database
This section describes how to manage users in the local database. You can use the local database for
CLI access authentication, privileged mode authentication, command authorization, network access
authentication, and VPN authentication and authorization. You cannot use the local database for network
access authorization. The local database does not support accounting.
For multiple context mode, you can configure usernames in the system execution space to provide
individual logins using the login command; however, you cannot configure any aaa commands in the
system execution space.
Caution If you add to the local database users who can gain access to the CLI but who should not be allowed to
enter privileged mode, enable command authorization. (See the “Configuring Local Command
Authorization” section on page 40-8.) Without command authorization, users can access privileged
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use
the login command, or you can set all local users to level 1 so you can control who can use the system
enable password to access privileged mode.
To define a user account in the local database, perform the following steps:
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]
where the options are as follows:
• name—A string from 4 to 64 characters long.
• password password—A string from 3 to 16 characters long.
• mschap—Specifies that the password will be converted to unicode and hashed using MD4 after you
enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
• privilege priv_level—The privilege level that you want to assign to the new user account (from 0 to 15).
The default is 2. This privilege level is used with command authorization.
• nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password
in the username command, the security appliance encrypts it when it saves it to the configuration for
security purposes. When you enter the show running-config command, the username command does
not show the actual password; it shows the encrypted password followed by the encrypted or
nt-encrypted keyword (when you specify mschap). For example, if you enter the password “test,” the
show running-config display would appear to be something like the following:
username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are
cutting and pasting a configuration to another security appliance and you are using the same password.
Step 2 To configure a local user account with VPN attributes, follow these steps:
a. Enter the following command:
hostname(config)# username username attributes
When you enter a username attributes command, you enter username mode. The commands
available in this mode are as follows:
• group-lock
• password-storage
• vpn-access-hours
• vpn-filter
• vpn-framed-ip-address
• vpn-group-policy
• vpn-idle-timeout
• vpn-session-timeout
• vpn-simultaneous-logins
• vpn-tunnel-protocol
• webvpn
Use these commands as needed to configure the user profile. For more information about these
commands, see the Cisco Security Appliance Command Reference.
b. When you have finished configuring the user profiles, enter exit to return to config mode.
For example, the following command assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password passw0rd privilege 15
The following command creates a user account with no password:
hostname(config)# username bcham34 nopassword
The following commands create a user account with a password, enter username mode, and specify
a few VPN attributes:
hostname(config)# username rwilliams password gOgeOus
hostname(config)# username rwilliams attributes
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)# vpn-simultaneous-logins 6
hostname(config-username)# exit
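Step 1 above says that with the mschap keyword the password is "converted to unicode and hashed using MD4" and then displayed as a base64 string followed by nt-encrypted. That is the NT (NTLM) password hash: MD4 over the UTF-16LE encoding of the password, with no salt. The following Python is an added example, not Cisco code: it carries its own MD4 (RFC 1320) so it runs even where hashlib has no md4, and it reproduces the string the page shows for the password "test". The function names are this example's own.

```python
import base64
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def _md4_compress(state, block: bytes):
    """One 64-byte MD4 block (RFC 1320). Each step updates register a, then the registers are
    rotated so the next step updates what was d; this reproduces the A/D/C/B order of the RFC."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                   # round 1: F = (b AND c) OR (NOT b AND d)
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2: G = majority(b, c, d)
        k = (i % 4) * 4 + i // 4                          # word order 0,4,8,12,1,5,9,13,...
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):                                   # round 3: H = b XOR c XOR d
        a = _rotl((a + (b ^ c ^ d) + X[order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)            # message length in bits, little-endian
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """'Converted to unicode and hashed using MD4': MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def nt_encrypted_field(password: str) -> str:
    """The base64 text that appears after 'password' in a 'username ... nt-encrypted' line."""
    return base64.b64encode(nt_hash(password)).decode("ascii")


if __name__ == "__main__":
    # Reproduces the page's example: password "test" -> DLaUiAX3l78qgoB5c7iVNw==
    print(f"username pat password {nt_encrypted_field('test')} nt-encrypted")
```

Because the stored value is an unsalted hash, the same password produces the same nt-encrypted string on every appliance (which is why the cut-and-paste the page describes works), and a saved configuration that contains username lines therefore carries the equivalent of the users' NTLM hashes. Treat configuration backups and show running-config output as credential material, and prefer external AAA for accounts that must authenticate with MS-CHAP.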
Identifying AAA Server Groups and Servers
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
The security appliance contacts the first server in the group. If that server is unavailable, the security
appliance contacts the next server in the group, if configured. If all servers in the group are unavailable,
the security appliance tries the local database if you configured it as a fallback method (management
authentication and authorization only). If you do not have a fallback method, the security appliance
continues to try the AAA servers.
To create a server group and add AAA servers to it, follow these steps:
Step 1 For each AAA server group you need to create, follow these steps:
a. Identify the server group name and the protocol. To do so, enter the following command:
hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI
access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+
servers.
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group
can have up to 16 servers in single mode or up to 4 servers in multi-mode.
When you enter a aaa-server protocol command, you enter group mode.
b. If you want to specify the maximum number of requests sent to a AAA server in the group before
trying the next server, enter the following command:
hostname(config-aaa-server-group)# max-failed-attempts number
The number can be between 1 and 5. The default is 3.
If you configured a fallback method using the local database (for management access only; see the
“Configuring AAA for System Administrators” section on page 40-5 and the “Configuring
TACACS+ Command Authorization” section on page 40-11 to configure the fallback mechanism),
and all the servers in the group fail to respond, then the group is considered to be unresponsive, and
the fallback method is tried. The server group remains marked as unresponsive for a period of 10
minutes (by default) so that additional AAA requests within that period do not attempt to contact
the server group, and the fallback method is used immediately. To change the unresponsive period
from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the
group.
c. If you want to specify the method (reactivation policy) by which failed servers in a group are
reactivated, enter the following command:
hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
Where the depletion keyword reactivates failed servers only after all of the servers in the group are
inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the group and the subsequent re-enabling of all
servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
d. If you want to send accounting messages to all servers in the group (RADIUS or TACACS+ only),
enter the following command:
hostname(config-aaa-server-group)# accounting-mode simultaneous
To restore the default of sending messages only to the active server, enter the accounting-mode
single command.
Step 2 For each AAA server on your network, follow these steps:
a. Identify the server, including the AAA server group it belongs to. To do so, enter the following
command:
hostname(config)# aaa-server server_group (interface_name) host server_ip
When you enter a aaa-server host command, you enter host mode.
b. As needed, use host mode commands to further configure the AAA server.
The commands in host mode do not apply to all AAA server types. Table 13-2 lists the available
commands, the server types they apply to, and whether a new AAA server definition has a default
value for that command. Where a command is applicable to the server type you specified and no
default value is provided (indicated by “—”), use the command to specify the value. For more
information about these commands, see the Cisco Security Appliance Command Reference.
Table 13-2 Host Mode Commands, Server Types, and Defaults
Command                     Applicable AAA Server Types   Default Value
accounting-port             RADIUS                        1646
acl-netmask-convert         RADIUS                        standard
authentication-port         RADIUS                        1645
kerberos-realm              Kerberos                      —
key                         RADIUS                        —
                            TACACS+                       —
ldap-attribute-map          LDAP                          —
ldap-base-dn                LDAP                          —
ldap-login-dn               LDAP                          —
ldap-login-password         LDAP                          —
ldap-naming-attribute       LDAP                          —
ldap-over-ssl               LDAP                          —
ldap-scope                  LDAP                          —
nt-auth-domain-controller   NT                            —
radius-common-pw            RADIUS                        —
retry-interval              Kerberos                      10 seconds
                            RADIUS                        10 seconds
                            SDI                           10 seconds
sasl-mechanism              LDAP                          —
server-port                 Kerberos                      88
                            LDAP                          389
                            NT                            139
                            SDI                           5500
                            TACACS+                       49
server-type                 LDAP                          auto-discovery
timeout                     All                           10 seconds
Example 13-1 shows commands that add one TACACS+ group with one primary and one backup server,
one RADIUS group with a single server, and an NT domain server.
Example 13-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit
Example 13-2 shows commands that configure a Kerberos AAA server group named watchdogs, add a
AAA server to the group, and define the Kerberos realm for the server. Because Example 13-2 does not
define a retry interval or the port that the Kerberos server listens to, the security appliance uses the
default values for these two server-specific parameters. Table 13-2 lists the default values for all AAA
server host mode commands.
Note Kerberos realm names use numbers and upper-case letters only. Although the security appliance accepts
lower-case letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure
to use upper-case letters only.
Example 13-2 Kerberos Server Group and Server
hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#
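The server-selection rules spread across this section (try servers in order; max-failed-attempts requests per server before moving on; the group marked unresponsive once every server has failed, with LOCAL fallback used immediately during that period; reactivation-mode depletion with its deadtime versus timed reactivation after 30 seconds) and the "Fallback Support" description in the local-database section are easier to reason about as one state machine. The following Python is an added model of those rules, not appliance code. The clock is injected so the behaviour is deterministic; server reachability is a constructed flag; the group mirrors the AuthInbound group of Example 13-1 and the admin account from the local-database example; class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AaaServer:
    host: str
    up: bool = True                    # constructed stand-in for network reachability
    failed_at: Optional[float] = None  # time the appliance marked it failed; None = active
    requests_sent: int = 0             # lets a test check max-failed-attempts


@dataclass
class AaaServerGroup:
    name: str
    servers: List[AaaServer]
    max_failed_attempts: int = 3               # 1..5, appliance default 3
    reactivation_mode: str = "depletion"       # "depletion" (default) or "timed"
    deadtime_minutes: int = 10                 # depletion only, 0..1440, default 10
    local_users: Optional[Dict[str, str]] = None  # set when the LOCAL keyword is configured
    depleted_at: Optional[float] = None        # time the last server in the group failed

    def _reactivate(self, now: float) -> None:
        if self.reactivation_mode == "timed":
            for s in self.servers:              # each failed server returns after 30 s of down time
                if s.failed_at is not None and now - s.failed_at >= 30:
                    s.failed_at = None
            if any(s.failed_at is None for s in self.servers):
                self.depleted_at = None
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime_minutes * 60:
            for s in self.servers:              # depletion: all servers return together after deadtime
                s.failed_at = None
            self.depleted_at = None

    def authenticate(self, user: str, password: str, now: float) -> Tuple[str, object]:
        """Returns ("server", host) when a AAA server took the request, ("LOCAL", verdict) when
        the local database answered, or ("retry", None) when there is no fallback and every
        server is down (the page: the appliance keeps retrying the servers)."""
        self._reactivate(now)
        for s in self.servers:
            if s.failed_at is not None:
                continue                        # already failed: not contacted during the dead period
            for _ in range(self.max_failed_attempts):
                s.requests_sent += 1
                if s.up:
                    return ("server", s.host)   # the server's own accept/reject would follow here
            s.failed_at = now                   # max-failed-attempts exhausted: try the next server
        if self.depleted_at is None:
            self.depleted_at = now              # group is now unresponsive
        if self.local_users is not None:
            return ("LOCAL", self.local_users.get(user) == password)
        return ("retry", None)


def demo() -> Tuple[List[Tuple[str, object]], List[int]]:
    grp = AaaServerGroup(
        name="AuthInbound",
        servers=[AaaServer("10.1.1.1"), AaaServer("10.1.1.2")],
        max_failed_attempts=2,
        deadtime_minutes=20,
        local_users={"admin": "passw0rd"},      # the page's local-database example account
    )
    results = [grp.authenticate("admin", "passw0rd", now=0)]        # primary answers
    grp.servers[0].up = False
    results.append(grp.authenticate("admin", "passw0rd", now=10))   # 2 tries on .1, then .2 answers
    grp.servers[1].up = False
    results.append(grp.authenticate("admin", "passw0rd", now=20))   # .2 fails too: LOCAL fallback
    grp.servers[0].up = grp.servers[1].up = True
    results.append(grp.authenticate("admin", "passw0rd", now=30))   # inside deadtime: LOCAL, no requests
    results.append(grp.authenticate("admin", "passw0rd", now=20 + 20 * 60))  # deadtime over
    return results, [s.requests_sent for s in grp.servers]


if __name__ == "__main__":
    print(demo())
```

The fourth request is the one worth noticing from a monitoring standpoint: servers that have come back are not contacted until the deadtime expires, so for up to deadtime minutes administrators are authenticated and authorized by the local database with no AAA accounting trail, which is why the page wants local credentials kept in step with the servers and command authorization enabled for local users.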
Using Certificates and User Login Credentials
The following section describes the different methods of using certificates and user login credentials
(username and password) for authentication and authorization. This applies to both IPSec and WebVPN.
In all cases, LDAP authorization does not use the password as a credential. RADIUS authorization uses
either a common password for all users or the username as a password.
Using User Login Credentials
The default method for authentication and authorization uses the user login credentials.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Using Certificates
If user digital certificates are configured, the security appliance first validates the certificate. It does not,
however, use any of the DNs from the certificates as a username for the authentication.
If both authentication and authorization are enabled, the security appliance uses the user login
credentials for both user authentication and authorization.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential
If authentication is disabled and authorization is enabled, the security appliance uses the primary DN
field for authorization.
• Authentication
– DISABLED (set to None) by authentication server group setting
– No credentials used
• Authorization
– Enabled by authorization server group setting
– Uses the username value of the certificate primary DN field as a credential
Note If the primary DN field is not present in the certificate, the security appliance uses the secondary DN
field value as the username for the authorization request.
For example, consider a user certificate that contains the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com.
If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the
username used in the authorization request would be anyuser@example.com.
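The DN rule above (primary DN field first, secondary DN field as the fallback) is easy to get wrong when the Subject DN mixes separators and attribute spellings, as the sample DN does. The following is an added example written for this page, not Cisco code: it parses a Subject DN string and returns the value the authorization request would carry as the username. The attribute names (EA, CN, OU, O, L, S, C) and the sample DN come from the text; the function names, the alias table and the behaviour when neither field is present are my own assumptions.

```python
"""Username selection for certificate-based authorization, following the
primary/secondary DN rule in the text above.

Added example, not Cisco code. The attribute names and the sample DN are
the ones shown in the text; the function names, the alias table and the
simple DN parser are my own."""

from typing import Dict, Optional

# Normalise alternative spellings to one key per attribute (assumption:
# E / emailAddress mean the e-mail address, ST means state).
_ALIASES = {"E": "EA", "EMAILADDRESS": "EA", "ST": "S"}


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Parse a Subject DN string into an {ATTRIBUTE: value} mapping.

    The sample DN in the text mixes ',' and ';' as separators and writes
    attribute names in mixed case, so both separators are accepted and
    names are upper-cased; values keep their case. Escaped separators
    inside values (RFC 4514 style) are not handled, an assumption that
    keeps the parser short.
    """
    fields: Dict[str, str] = {}
    for part in dn.replace(";", ",").split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().upper()
        fields[_ALIASES.get(key, key)] = value.strip()
    return fields


def authorization_username(dn: str, primary: str, secondary: str) -> Optional[str]:
    """Return the value the authorization request would carry as the username.

    Primary DN field when present, otherwise the secondary DN field (the
    fallback described in the Note). When neither field is present the text
    gives no rule, so None is returned; treating that as 'no username' is an
    assumption of this example.
    """
    fields = parse_subject_dn(dn)
    for attribute in (primary, secondary):
        attribute = attribute.strip().upper()
        attribute = _ALIASES.get(attribute, attribute)
        if attribute in fields:
            return fields[attribute]
    return None


# Constructed from the Subject DN shown in the text.
SAMPLE_DN = ("Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;"
             "ea=anyuser@example.com")

if __name__ == "__main__":
    # Primary DN = EA, Secondary DN = CN, as in the text's example.
    print(authorization_username(SAMPLE_DN, "EA", "CN"))
    # A certificate without an e-mail address falls back to the CN.
    print(authorization_username("CN=anyuser,OU=sales,O=XYZCorporation", "EA", "CN"))
```

The point worth checking in a real deployment is the fallback: a certificate that lacks the primary DN field silently authorizes under a different attribute, so the authorization server's records must be consistent for both fields.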
Supporting a Zone Labs Integrity Server
This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and
presents an example procedure for configuring the security appliance to support the Zone Labs Integrity
Server. The Integrity server is a central management station for configuring and enforcing security
policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity
Server, it will not be granted access to the private network protected by the Integrity Server and security
appliance.
This section includes the following topics:
• Overview of Integrity Server and Security Appliance Interaction, page 13-17
• Configuring Integrity Server Support, page 13-17
Overview of Integrity Server and Security Appliance Interaction
The VPN client software and the Integrity client software are co-resident on a remote PC. The following
steps summarize the actions of the remote PC, security appliance, and Integrity server in the
establishment of a session between the PC and the enterprise private network:
1. The VPN client software (residing on the same remote PC as the Integrity client software) connects
to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address
information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection
with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security
policies. If the client is in compliance with security policies, the Integrity server instructs the
security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that
policy enforcement should begin immediately and the client can now enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client
heartbeat messages.
Note The current release of the security appliance supports one Integrity Server at a time even though the user
interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure
another Integrity Server on the security appliance and then reestablish the client VPN session.
Configuring Integrity Server Support
This section describes an example procedure for configuring the security appliance to support the Zone
Labs Integrity Servers. The procedure involves configuring address, port, connection fail timeout and
fail states, and SSL certificate parameters.
First, you must configure the hostname or IP address of the Integrity server. The following example
commands, entered in global configuration mode, configure an Integrity server using the IP address
10.0.0.5. They also specify port 300 (the default port is 5054) and the inside interface for
communications with the Integrity server.
hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
hostname(config)#
If the connection between the security appliance and the Integrity server fails, the VPN client
connections remain open by default so that the enterprise VPN is not disrupted by the failure of an
Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity Server
fails. The following commands ensure that the security appliance waits 12 seconds for a response from
either the active or standby Integrity servers before declaring the Integrity server failed and closing
the VPN client connections:
hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
hostname(config)#
The following command returns the configured VPN client connection fail state to the default and
ensures the client connections remain open:
hostname(config)# zonelabs-integrity fail-open
hostname(config)#
The following example commands specify that the Integrity server connects to port 300 (default is port
80) on the security appliance to request the server SSL certificate. While the server SSL certificate is
always authenticated, these commands also specify that the client SSL certificate of the Integrity server
be authenticated.
hostname(config)# zonelabs-integrity ssl-certificate-port 300
hostname(config)# zonelabs-integrity ssl-client-authentication
hostname(config)#
To set the firewall client type to the Zone Labs Integrity type, use the client-firewall command as
described in the “Configuring Firewall Policies” section on page 30-55. The command arguments that
specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity
server determines the policies.
Chapter 14 Configuring Failover
This chapter describes the security appliance failover feature, which lets you configure two security
appliances so that one takes over operation if the other one fails.
Note The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active
failover.
This chapter includes the following sections:
• Understanding Failover, page 14-1
• Configuring Failover, page 14-19
• Controlling and Monitoring Failover, page 14-49
For failover configuration examples, see Appendix B, “Sample Configurations.”
Understanding Failover
The failover configuration requires two identical security appliances connected to each other through a
dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and
units is monitored to determine if specific failover conditions are met. If those conditions are met,
failover occurs.
The security appliance supports two failover configurations, Active/Active failover and Active/Standby
failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This lets you configure load balancing
on your network. Active/Active failover is only available on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state.
Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
Note VPN failover is not supported on units running in multiple context mode. VPN failover is available for
Active/Standby failover configurations only.
This section includes the following topics:
• Failover System Requirements, page 14-2
• The Failover and Stateful Failover Links, page 14-3
• Active/Active and Active/Standby Failover, page 14-6
• Regular and Stateful Failover, page 14-15
• Failover Health Monitoring, page 14-16
• Failover Feature/Platform Matrix, page 14-18
• Failover Times by Platform, page 14-18
Failover System Requirements
This section describes the hardware, software, and license requirements for security appliances in a
failover configuration. This section contains the following topics:
• Hardware Requirements, page 14-2
• Software Requirements, page 14-2
• License Requirements, page 14-2
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration. They must be the
same model, have the same number and types of interfaces, and the same amount of RAM.
Note The two units do not have to have the same size Flash memory. If using units with different Flash
memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has
enough space to accommodate the software image files and the configuration files. If it does not,
configuration synchronization from the unit with the larger Flash memory to the unit with the smaller
Flash memory will fail.
Software Requirements
The two units in a failover configuration must be in the same operating modes (routed or transparent,
single or multiple context). They must have the same major (first number) and minor (second number)
software version. However, you can use different versions of the software during an upgrade process; for
example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.
We recommend upgrading both units to the same version to ensure long-term compatibility.
See the “Performing Zero Downtime Upgrades for Failover Pairs” section on page 41-6 for more
information about upgrading the software on a failover pair.
License Requirements
On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license.
The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license,
or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO
or FO_AA licenses cannot be used together as a failover pair.
Note The FO license does not support Active/Active failover.
The FO and FO_AA licenses are intended to be used solely for units in a failover configuration and not
for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the
unit reboots at least once every 24 hours until the unit is returned to failover duty. A unit with an FO or
FO_AA license operates in standalone mode if it is booted without being connected to a failover peer
with a UR license. If the unit with a UR license in a failover pair fails and is removed from the
configuration, the unit with the FO or FO_AA license does not automatically reboot every 24 hours; it
operates uninterrupted unless it is manually rebooted.
When the unit automatically reboots, the following message displays on the console:
=========================NOTICE=========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
========================================================
The ASA 5500 series adaptive security appliance platform does not have this restriction.
The Failover and Stateful Failover Links
This section describes the failover and the Stateful Failover links, which are dedicated connections
between the two units in a failover configuration. This section includes the following topics:
• Failover Link, page 14-3
• Stateful Failover Link, page 14-5
Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating
status of each unit. The following information is communicated over the failover link:
• The unit state (active or standby).
• Power status (cable-based failover only—available only on the PIX 500 series security appliance).
• Hello messages (keep-alives).
• Network link status.
• MAC address exchange.
• Configuration replication and synchronization.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a
dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can
only be a LAN-based connection.
This section includes the following topics:
• LAN-Based Failover Link, page 14-4
• Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
LAN-Based Failover Link
You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify
an interface that is currently configured with a name. The LAN failover link interface is not configured
as a normal networking interface. It exists for failover communication only. This interface should only
be used for the LAN failover link (and optionally for the stateful failover link).
Connect the LAN failover link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as
the LAN failover interfaces of the ASA.
• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external
switch.
Note When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought
down on both peers. This condition may hamper troubleshooting efforts because you cannot easily
determine which interface failed and caused the link to come down.
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable
or a straight-through cable. If you use a straight-through cable, the interface automatically detects the
cable and swaps one of the transmit/receive pairs to MDIX.
Serial Cable Failover Link (PIX Security Appliance Only)
The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security
appliance. If the two units are within six feet of each other, then we recommend that you use the serial
Failover cable.
The cable that connects the two units is a modified RS-232 serial link cable that transfers data at
117,760 bps (115 Kbps). One end of the cable is labeled “Primary”. The unit attached to this end of the
cable automatically becomes the primary unit. The other end of the cable is labeled “Secondary”. The
unit attached to this end of the cable automatically becomes the secondary unit. You cannot override
these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series
security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
The benefits of using cable-based failover include:
• The PIX 500 series security appliance can immediately detect a power loss on the peer unit and
differentiate between a power loss and an unplugged cable.
• The standby unit can communicate with the active unit and can receive the entire configuration
without having to be bootstrapped for failover. In LAN-based failover you need to configure the
failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure;
cable-based failover eliminates this potential point of failure.
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to
manually enter that information in the unit configurations.
The disadvantages include:
• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.
Stateful Failover Link
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not
recommended.
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch
or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be
on this link.
Note Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
Note Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.
Note The IP address and MAC address for the Stateful Failover link does not change at failover unless the
Stateful Failover link is configured on a regular data interface.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface
available. If you experience performance problems on that interface, consider dedicating a separate
interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for Cisco PIX security appliances and Cisco ASA
adaptive security appliances:
• Cisco ASA 5520/5540/5550 and PIX 515E/535
– The stateful link speed should match the fastest data link
• Cisco ASA 5510 and PIX 525
– Because of the CPU speed limitation, the stateful link speed can be 100 Mbps, even though the data
interface can operate at 1 Gigabit.
For optimum performance when using long distance LAN failover, the latency for the failover link
should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10
milliseconds, some performance degradation occurs due to retransmission of failover messages.
All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate
heartbeat link on systems with high Stateful Failover traffic.
Active/Active and Active/Standby Failover
This section describes each failover configuration in detail. This section includes the following topics:
• Active/Standby Failover, page 14-6
• Active/Active Failover, page 14-10
• Determining Which Type of Failover to Use, page 14-15
Active/Standby Failover
This section describes Active/Standby failover and includes the following topics:
• Active/Standby Failover Overview, page 14-6
• Primary/Secondary Status and Active/Standby Status, page 14-7
• Device Initialization and Configuration Synchronization, page 14-7
• Command Replication, page 14-8
• Failover Triggers, page 14-9
• Failover Actions, page 14-9
Active/Standby Failover Overview
Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed
unit. When the active unit fails, it changes to the standby state while the standby unit changes to the
active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the
management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that
is now in standby state takes over the standby IP addresses and MAC addresses. Because network
devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere
on the network.
Note For multiple context mode, the security appliance can fail over the entire unit (including all contexts)
but cannot fail over individual contexts separately.
Primary/Secondary Status and Active/Standby Status
The main differences between the two units in a failover pair are related to which unit is active and which
unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the
configuration) and which unit is secondary:
• The primary unit always becomes the active unit if both units start up at the same time (and are of
equal operational health).
• The primary unit MAC addresses are always coupled with the active IP addresses. The exception to
this rule occurs when the secondary unit is active, and cannot obtain the primary unit MAC addresses
over the failover link. In this case, the secondary unit MAC addresses are used.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations
are always synchronized from the active unit to the standby unit. When the standby unit completes its
initial startup, it clears its running configuration (except for the failover commands needed to
communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
The active unit is determined by the following:
• If a unit boots and detects a peer already running as active, it becomes the standby unit.
• If a unit boots and does not detect a peer, it becomes the active unit.
• If both units boot simultaneously, then the primary unit becomes the active unit and the secondary
unit becomes the standby unit.
Note If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own
MAC addresses for the active IP addresses. However, when the primary unit becomes available, the
secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption
in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the
“Configuring Virtual MAC Addresses” section on page 14-26 for more information.
When the replication starts, the security appliance console on the active unit displays the message
“Beginning configuration replication: Sending to mate,” and when it is complete, the security appliance
displays the message “End Configuration Replication to mate.” During replication, commands entered
on the active unit may not replicate properly to the standby unit, and commands entered on the standby
unit may be overwritten by the configuration being replicated from the active unit. Avoid entering
commands on either unit in the failover pair during the configuration replication process. Depending
upon the size of the configuration, replication can take from a few seconds to several minutes.
On the standby unit, the configuration exists only in running memory. To save the configuration to Flash
memory after synchronization:
• For single context mode, enter the write memory command on the active unit. The command is
replicated to the standby unit, which proceeds to write its configuration to Flash memory.
• For multiple context mode, enter the write memory all command on the active unit from the system
execution space. The command is replicated to the standby unit, which proceeds to write its
configuration to Flash memory. Using the all keyword with this command causes the system and all
context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the
active unit to an external server, and then copy them to disk on the standby unit, where they become
available when the unit reloads.
Command Replication
Command replication always flows from the active unit to the standby unit. As commands are entered
on the active unit, they are sent across the failover link to the standby unit. You do not have to save the
active configuration to Flash memory to replicate the commands.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
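The two lists above are the rule set an operator needs when deciding whether a change made on the active unit has reached the standby unit. The following is an added example written for this page, not Cisco code: it encodes those lists as a small classifier that takes a command line and the mode it was entered in. The function and table names are mine, and commands are matched on their leading keywords exactly as written in the lists, without expanding the abbreviations the CLI would accept (an assumption that keeps the check simple).

```python
"""Decide whether a command entered on the active unit is replicated to the
standby unit, using the two lists above.

Added example, not Cisco code. The function and table names are mine;
commands are matched on their leading keywords as written in the lists,
without expanding CLI abbreviations (an assumption)."""

import shlex
from typing import Sequence, Tuple

# Exec-mode commands that ARE replicated although they are not
# configuration commands (the first list above).
_REPLICATED_EXEC: Tuple[Tuple[str, ...], ...] = (
    ("copy", "running-config", "startup-config"),
    ("delete",),
    ("mkdir",),
    ("rename",),
    ("rmdir",),
    ("write", "memory"),
)

# Configuration commands explicitly excluded from replication.
_NOT_REPLICATED_CONFIG: Tuple[Tuple[str, ...], ...] = (
    ("mode",),
    ("firewall",),
    ("failover", "lan", "unit"),
)


def _starts_with(words: Sequence[str], prefix: Tuple[str, ...]) -> bool:
    """True when the command's leading keywords equal `prefix`."""
    return tuple(words[: len(prefix)]) == prefix


def is_replicated(command: str, config_mode: bool) -> bool:
    """Return True if `command` would be sent across the failover link.

    config_mode says whether the line was entered in configuration mode;
    the text treats configuration commands and exec commands (copy, write,
    debug, show, ...) differently, and the caller knows which mode it is in.
    """
    words = shlex.split(command.strip())
    if not words:
        return False
    if config_mode:
        # Every configuration command replicates except mode, firewall and
        # failover lan unit.
        return not any(_starts_with(words, p) for p in _NOT_REPLICATED_CONFIG)
    # In exec mode only the listed forms replicate; every other copy and
    # write form, debug and show stay local to the unit that ran them.
    return any(_starts_with(words, p) for p in _REPLICATED_EXEC)


if __name__ == "__main__":
    for line, mode in (("aaa-server watchdogs protocol kerberos", True),
                       ("failover lan unit primary", True),
                       ("write memory", False),
                       ("write standby", False),
                       ("copy tftp flash", False)):
        print(f"{line!r}: replicated={is_replicated(line, mode)}")
```

Note that write standby is deliberately not replicated: it is the active unit's instruction to resend the whole configuration, as the next paragraph describes.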
Note Changes made on the standby unit are not replicated to the active unit. If you enter a command on the
standby unit, the security appliance displays the message **** WARNING **** Configuration
Replication is NOT performed from Standby unit to Active unit. Configurations are no
longer synchronized. This message displays even when you enter many commands that do not affect
the configuration.
If you enter the write standby command on the active unit, the standby unit clears its running
configuration (except for the failover commands used to communicate with the active unit), and the
active unit sends its entire configuration to the standby unit.
For multiple context mode, when you enter the write standby command in the system execution space,
all contexts are replicated. If you enter the write standby command within a context, the command
replicates only the context configuration.
Replicated commands are stored in the running configuration. To save the replicated commands to the
Flash memory on the standby unit:
• For single context mode, enter the copy running-config startup-config command on the active unit.
The command is replicated to the standby unit, which proceeds to write its configuration to Flash
memory.
• For multiple context mode, enter the copy running-config startup-config command on the active
unit from the system execution space and within each context on disk. The command is replicated
to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup
configurations on external servers are accessible from either unit over the network and do not need
to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active
unit to an external server, and then copy them to disk on the standby unit.
Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is
entered on the standby unit.
Failover Actions
In Active/Standby failover, failover occurs on a unit basis. Even on systems running in multiple context
mode, you cannot fail over individual or groups of contexts.
Table 14-1 shows the failover action for each failure event. For each failure event, the table shows the
failover policy (failover or no failover), the action taken by the active unit, the action taken by the
standby unit, and any special notes about the failover condition and actions.
Table 14-1 Failover Behavior

Failure Event: Active unit failed (power or hardware)
  Policy: Failover
  Active Action: n/a
  Standby Action: Become active; mark active as failed
  Notes: No hello messages are received on any monitored interface or the failover link.

Failure Event: Formerly active unit recovers
  Policy: No failover
  Active Action: Become standby
  Standby Action: No action
  Notes: None.

Failure Event: Standby unit failed (power or hardware)
  Policy: No failover
  Active Action: Mark standby as failed
  Standby Action: n/a
  Notes: When the standby unit is marked as failed, then the active unit does not attempt to fail over,
  even if the interface failure threshold is surpassed.

Failure Event: Failover link failed during operation
  Policy: No failover
  Active Action: Mark failover interface as failed
  Standby Action: Mark failover interface as failed
  Notes: You should restore the failover link as soon as possible because the unit cannot fail over to
  the standby unit while the failover link is down.
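The boot-time rules in "Device Initialization and Configuration Synchronization", the events in "Failover Triggers" and the policies in Table 14-1 together form a small state machine, and it is worth seeing the interactions (a failed standby or a downed failover link suppressing failover) in one place. The following is an added example written for this page, not Cisco code: a model of an Active/Standby pair that applies those rules. The class, method and event names are my own; the behaviour for each event is taken from the text and the table, and anything the text does not specify (for example, what happens when no standby unit exists at all) is simply treated as "no failover".

```python
"""Model of Active/Standby role election at boot and of the failure events
in Table 14-1.

Added example, not Cisco code. The class, method and event names are my
own; the rules are the ones stated in 'Device Initialization and
Configuration Synchronization', 'Failover Triggers' and Table 14-1."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Unit:
    name: str                      # "primary" or "secondary", as configured
    state: str = "booting"         # booting | active | standby | failed
    failover_iface_failed: bool = False


@dataclass
class FailoverPair:
    primary: Unit = field(default_factory=lambda: Unit("primary"))
    secondary: Unit = field(default_factory=lambda: Unit("secondary"))
    link_up: bool = True           # the dedicated failover link

    def by_state(self, state: str) -> Optional[Unit]:
        return next((u for u in (self.primary, self.secondary)
                     if u.state == state), None)

    def boot(self, unit: Unit, peer_seen: Optional[str]) -> str:
        """Initial role of a unit that has just booted.

        peer_seen is what the booting unit detects over the failover link:
        None (no peer), "active" (peer already active) or "booting" (both
        units start at the same time).
        """
        if peer_seen == "active":
            unit.state = "standby"
        elif peer_seen == "booting":
            # Simultaneous boot: primary becomes active, secondary standby.
            unit.state = "active" if unit is self.primary else "standby"
        else:
            unit.state = "active"
        return unit.state

    def apply_event(self, event: str) -> Dict[str, str]:
        """Apply one failure event and return the policy plus both states."""
        active, standby = self.by_state("active"), self.by_state("standby")
        policy = "no failover"
        if event == "active_failed":
            # Standby receives no hello messages: it becomes active and
            # marks the former active unit as failed.
            if active is not None:
                active.state = "failed"
            if standby is not None:
                standby.state = "active"
                policy = "failover"
        elif event == "failed_unit_recovered":
            # A recovered unit returns as standby; no failover occurs.
            failed = self.by_state("failed")
            if failed is not None:
                failed.state = "standby"
        elif event == "standby_failed":
            if standby is not None:
                standby.state = "failed"
        elif event == "failover_link_failed":
            self.link_up = False
            for u in (self.primary, self.secondary):
                u.failover_iface_failed = True
        elif event == "interface_threshold_exceeded":
            # Too many monitored interfaces failed on the active unit: fail
            # over only when a healthy standby is reachable over the link
            # (Table 14-1 notes for the standby-failed and link-failed rows).
            if active is not None and standby is not None and self.link_up:
                active.state, standby.state = "standby", "active"
                policy = "failover"
        else:
            raise ValueError(f"unknown event: {event}")
        return {"policy": policy,
                "primary": self.primary.state,
                "secondary": self.secondary.state}


if __name__ == "__main__":
    pair = FailoverPair()
    pair.boot(pair.primary, "booting")
    pair.boot(pair.secondary, "booting")
    print(pair.apply_event("standby_failed"))
    # No failover: the standby is already marked as failed.
    print(pair.apply_event("interface_threshold_exceeded"))
```

The model makes the operational point of the table explicit: once the standby is marked failed or the failover link is down, an interface failure on the active unit leaves traffic on a degraded unit with nowhere to go, which is why the text says to restore the failover link as soon as possible.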
Active/Active Failover
This section describes Active/Active failover. This section includes the following topics:
• Active/Active Failover Overview, page 14-10
• Primary/Secondary Status and Active/Standby Status, page 14-11
• Device Initialization and Configuration Synchronization, page 14-11
• Command Replication, page 14-12
• Failover Triggers, page 14-13
• Failover Actions, page 14-14
Active/Active Failover Overview
Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups.
A failover group is simply a logical group of one or more security contexts. You can create a maximum
of two failover groups on the security appliance. The admin context is always a member of failover
group 1. Any unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring,
failover, and active/standby status are all attributes of a failover group rather than the unit. When an
active failover group fails, it changes to the standby state while the standby failover group becomes
active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the
interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby
state take over the standby MAC and IP addresses.
Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another
failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in
the active state.
Failover link failed at startup No failover Mark failover
interface as failed
Become active If the failover link is down at
startup, both units become active.
Stateful Failover link failed No failover No action No action State information becomes out of
date, and sessions are terminated if
a failover occurs.
Interface failure on active unit
above threshold
Failover Mark active as
failed
Become active None.
Interface failure on standby
unit above threshold
No failover No action Mark standby as
failed
When the standby unit is marked as
failed, then the active unit does not
attempt to fail over even if the
interface failure threshold is
surpassed.
Table 14-1 Failover Behavior (continued)
Failure Event Policy Active Action Standby Action Notes14-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
Note Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you
have more than one Active/Active failover pair on the same network, it is possible to have the same
default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of
the other pairs because of the way the default virtual MAC addresses are determined. To avoid having
duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active
and standby MAC address.
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation does two things:
• Determines which unit provides the running configuration to the pair when they boot
simultaneously.
• Determines on which unit each failover group appears in the active state when the units boot
simultaneously. Each failover group in the configuration is configured with a primary or secondary
unit preference. You can configure both failover groups to be in the active state on a single unit in the
pair, with the other unit containing the failover groups in the standby state. However, a more typical
configuration is to assign each failover group a different role preference to make each one active on
a different unit, distributing the traffic across the devices.
Note The security appliance does not provide load balancing services. Load balancing must be
handled by a router passing traffic to the security appliance.
Which unit each failover group becomes active on is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the
unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the
failover groups remain in the active state on the active unit regardless of the primary or secondary
preference of the failover group until one of the following:
– A failover occurs.
– You manually force the failover group to the other unit with the no failover active command.
– You configured the failover group with the preempt command, which causes the failover group
to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after
the configurations have been synchronized.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both units in a failover pair boot. The configurations
are synchronized as follows:
• When a unit boots while the peer unit is active (with both failover groups active on it), the booting
unit contacts the active unit to obtain the running configuration regardless of the primary or
secondary designation of the booting unit.
• When both units boot simultaneously, the secondary unit obtains the running configuration from the
primary unit.
When the replication starts, the security appliance console on the unit sending the configuration displays
the message “Beginning configuration replication: Sending to mate,” and when it is complete, the
security appliance displays the message “End Configuration Replication to mate.” During replication,
commands entered on the unit sending the configuration may not replicate properly to the peer unit, and
commands entered on the unit receiving the configuration may be overwritten by the configuration being
received. Avoid entering commands on either unit in the failover pair during the configuration
replication process. Depending upon the size of the configuration, replication can take from a few
seconds to several minutes.
On the unit receiving the configuration, the configuration exists only in running memory. To save the
configuration to Flash memory after synchronization enter the write memory all command in the system
execution space on the unit that has failover group 1 in the active state. The command is replicated to
the peer unit, which proceeds to write its configuration to Flash memory. Using the all keyword with this
command causes the system and all context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts configuration files
from the disk on the primary unit to an external server, and then copy them to disk on the secondary unit,
where they become available when the unit reloads.
Command Replication
After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security
context appears in the active state to the peer unit.
Note A context is considered in the active state on a unit if the failover group to which it belongs is
in the active state on that unit.
• Commands entered in the system execution space are replicated from the unit on which failover
group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in
the active state to the unit on which failover group 1 is in the standby state.
All configuration and file commands (copy, rename, delete, mkdir, rmdir, and so on) are replicated,
with the following exceptions: the show, debug, mode, firewall, and failover lan unit commands are
not replicated.
Failure to enter the commands on the appropriate unit for command replication to occur causes the
configurations to be out of synchronization. Those changes may be lost the next time the initial
configuration synchronization occurs.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
You can use the write standby command to resynchronize configurations that have become out of sync.
For Active/Active failover, the write standby command behaves as follows:
• If you enter the write standby command in the system execution space, the system configuration
and the configurations for all of the security contexts on the security appliance are written to the peer
unit. This includes configuration information for security contexts that are in the standby state. You
must enter the command in the system execution space on the unit that has failover group 1 in the
active state.
Note If there are security contexts in the active state on the peer unit, the write standby command
causes active connections through those contexts to be terminated. Use the failover active
command on the unit providing the configuration to make sure all contexts are active on that
unit before entering the write standby command.
• If you enter the write standby command in a security context, only the configuration for the security
context is written to the peer unit. You must enter the command in the security context on the unit
where the security context appears in the active state.
Replicated commands are not saved to the Flash memory when replicated to the peer unit. They are
added to the running configuration. To save replicated commands to Flash memory on both units, use
the write memory or copy running-config startup-config command on the unit that you made the
changes on. The command is replicated to the peer unit and causes the configuration to be saved to Flash
memory on the peer unit.
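The replication rules above, modelled as an added example (constructed code, not Cisco's): given the unit and scope a command is typed in, it predicts whether the change reaches the peer and lists the changes that leave the pair out of sync. The unit names, context names and the sample change log are assumptions.

```python
"""Model of the Active/Active command-replication rules described above
(constructed example, not Cisco code). It predicts whether a command entered
on one unit of a pair is replicated to the peer, and flags the cases that
leave the two configurations out of synchronization.
"""
from dataclasses import dataclass

# Commands the guide lists as never replicated, in any form.
NEVER_REPLICATED = ("show", "debug", "mode", "firewall", "failover lan unit")
# The only replicated forms of the copy and write commands.
REPLICATED_COPY = "copy running-config startup-config"
REPLICATED_WRITE = "write memory"


@dataclass
class Pair:
    """Where each failover group is active, and which group each context is in.

    Sample values are constructed: admin and ctxA in group 1, ctxB in group 2.
    """
    active_unit_for_group: dict   # e.g. {1: "primary", 2: "secondary"}
    group_of_context: dict        # e.g. {"admin": 1, "ctxA": 1, "ctxB": 2}

    def peer(self, unit):
        return "secondary" if unit == "primary" else "primary"


def command_replicates(cmd):
    """Apply the command-level exceptions from the guide's two lists."""
    cmd = " ".join(cmd.split())          # normalise spacing
    if any(cmd == w or cmd.startswith(w + " ") for w in NEVER_REPLICATED):
        return False
    if cmd.startswith("copy "):
        return cmd == REPLICATED_COPY    # all other copy forms stay local
    if cmd.startswith("write "):
        return cmd == REPLICATED_WRITE   # write standby, write net, ... stay local
    return True                          # every other config or file command


def replication_result(pair, unit, scope, cmd):
    """Return (replicated, explanation) for a command typed on `unit`.

    scope is "system" for the system execution space or a context name.
    System-space and admin-context commands follow failover group 1; commands
    in any other context follow the group that context belongs to (unassigned
    contexts default to group 1). A command typed on the unit where that group
    is in the standby state is not replicated.
    """
    if not command_replicates(cmd):
        return False, "not replicated to the peer (exception list)"
    group = 1 if scope == "system" else pair.group_of_context.get(scope, 1)
    source = pair.active_unit_for_group[group]
    if unit != source:
        return False, (f"failover group {group} is standby on {unit}; "
                       f"configurations are now out of sync (resync with write standby)")
    return True, f"replicated from {unit} to {pair.peer(unit)}"


def audit_change_log(pair, entries):
    """Return the (unit, scope, cmd, reason) entries that did not replicate.

    entries is a constructed change log of (unit, scope, cmd) tuples; the
    result is the list of changes an operator must reconcile by hand.
    """
    drift = []
    for unit, scope, cmd in entries:
        ok, reason = replication_result(pair, unit, scope, cmd)
        if not ok:
            drift.append((unit, scope, cmd, reason))
    return drift


if __name__ == "__main__":
    pair = Pair({1: "primary", 2: "secondary"}, {"admin": 1, "ctxA": 1, "ctxB": 2})
    log = [  # constructed change log
        ("primary", "system", "hostname asa-a"),                            # replicated
        ("secondary", "system", "hostname asa-b"),                          # wrong unit
        ("secondary", "ctxB", "nat (inside) 1 10.1.1.0 255.255.255.0"),    # replicated
        ("primary", "ctxB", "static (inside,outside) 10.1.1.5 10.1.1.5"),  # wrong unit
        ("primary", "system", "copy running-config startup-config"),        # replicated
        ("primary", "system", "copy disk0:/x.cfg disk1:/x.cfg"),            # never
        ("primary", "system", "failover lan unit primary"),                 # never
    ]
    for entry in audit_change_log(pair, log):
        print(entry)
```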
Failover Triggers
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
• The unit has a hardware failure.
• The unit has a power failure.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• The no failover active group group_id or failover active group group_id command is entered.
You configure the failover threshold for each failover group by specifying the number or percentage of
interfaces within the failover group that must fail before the group fails. Because a failover group can
contain multiple contexts, and each context can contain multiple interfaces, it is possible for all
interfaces in a single context to fail without causing the associated failover group to fail.
See the “Failover Health Monitoring” section on page 14-16 for more information about interface and
unit monitoring.
Failover Actions
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis.
For example, if you designate both failover groups as active on the primary unit, and failover group 1
fails, then failover group 2 remains active on the primary unit while failover group 1 becomes active on
the secondary unit.
Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the
capacity of each unit.
Table 14-2 shows the failover action for each failure event. For each failure event, the policy (whether
or not failover occurs), actions for the active failover group, and actions for the standby failover group
are given.
Table 14-2 Failover Behavior for Active/Active Failover
Failure Event | Policy | Active Group Action | Standby Group Action | Notes
A unit experiences a power or software failure | Failover | Become standby; mark as failed | Become active; mark active as failed | When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.
Interface failure on active failover group above threshold | Failover | Mark active group as failed | Become active | None.
Interface failure on standby failover group above threshold | No failover | No action | Mark standby group as failed | When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.
Formerly active failover group recovers | No failover | No action | No action | Unless configured with the preempt command, the failover groups remain active on their current unit.
Failover link failed at startup | No failover | Become active | Become active | If the failover link is down at startup, both failover groups on both units become active.
Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Failover link failed during operation | No failover | n/a | n/a | Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Determining Which Type of Failover to Use
The type of failover you choose depends upon your security appliance configuration and how you plan
to use the security appliances.
If you are running the security appliance in single mode, then you can only use Active/Standby failover.
Active/Active failover is only available to security appliances running in multiple context mode.
If you are running the security appliance in multiple context mode, then you can configure either
Active/Active failover or Active/Standby failover.
• To provide load balancing, use Active/Active failover.
• If you do not want to provide load balancing, use Active/Standby or Active/Active failover.
Table 14-3 provides a comparison of some of the features supported by each type of failover
configuration:
Table 14-3 Failover Configuration Feature Support
Feature | Active/Active | Active/Standby
Single Context Mode | No | Yes
Multiple Context Mode | Yes | Yes
Load Balancing Network Configurations | Yes | No
Unit Failover | Yes | Yes
Failover of Groups of Contexts | Yes | No
Failover of Individual Contexts | No | No
Regular and Stateful Failover
The security appliance supports two types of failover, regular and stateful. This section includes the
following topics:
• Regular Failover, page 14-16
• Stateful Failover, page 14-16
Regular Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when
the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to
the standby unit. After a failover occurs, the same connection information is available at the new active
unit. Supported end-user applications are not required to reconnect to keep the same communication
session.
The state information passed to the standby unit includes the following:
• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the
following:
• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong
interface (the default route) while the dynamic routing protocols rediscover routes.
• State information for Security Service Modules.
• DHCP server address leases.
• L2TP over IPSec sessions.
Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call
session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone
client loses connection with the Call Manager. This occurs because there is no session information for
the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a
response back from the Call Manager within a certain time period, it considers the Call Manager
unreachable and unregisters itself.
Failover Health Monitoring
The security appliance monitors each unit for overall health and for interface health. See the following
sections for more information about how the security appliance performs tests to determine the state of
each unit:
• Unit Health Monitoring, page 14-17
• Interface Monitoring, page 14-17
Unit Health Monitoring
The security appliance determines the health of the other unit by monitoring the failover link. When a
unit does not receive three consecutive hello messages on the failover link, the unit sends an ARP request
on all interfaces, including the failover interface. The action the security appliance takes depends on the
response from the other unit. See the following possible actions:
• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on
another interface, then the unit does not fail over. The failover link is marked as failed. You should
restore the failover link as soon as possible because the unit cannot fail over to the standby while
the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches
to active mode and classifies the other unit as failed.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
You can configure the frequency of the hello messages and the hold time before failover occurs. A faster
poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly,
but they can also cause “false” failures when network congestion delays the keepalive packets. See
Configuring Unit Health Monitoring, page 14-39 for more information about configuring unit health
monitoring.
Interface Monitoring
You can monitor up to 250 interfaces divided between all contexts. You should monitor important
interfaces. For example, you might configure one context to monitor a shared interface (because the
interface is shared, all contexts benefit from the monitoring).
When a unit does not receive hello messages on a monitored interface for half of the configured hold
time, it runs the following tests:
1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the
interface is operational, then the security appliance performs network tests. The purpose of these
tests is to generate network traffic to determine which (if either) unit has failed. At the start of each
test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each
unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one
unit receives traffic for a test and the other unit does not, the unit that received no traffic is
considered failed. If neither unit has received traffic, then the next test is used.
2. Network Activity test—A received network activity test. The unit counts all received packets for up
to 5 seconds. If any packets are received at any time during this interval, the interface is considered
operational and testing stops. If no traffic is received, the ARP test begins.
3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time,
the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each
request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is
considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the
end of the list no traffic has been received, the ping test begins.
4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then
counts all received packets for up to 5 seconds. If any packets are received at any time during this
interval, the interface is considered operational and testing stops.
If all network tests fail for an interface, but this interface on the other unit continues to successfully pass
traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a
failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the
“Unknown” state and do not count towards the failover limit.
An interface becomes operational again if it receives any traffic. A failed security appliance returns to
standby mode if the interface failure threshold is no longer met.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
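An added example (constructed code, not Cisco's) that walks the network test sequence for a monitored interface on both units, derives the Operational, Failed or Unknown state, and applies the failure threshold either as a number of interfaces or as a percentage, the two forms the Active/Active Failover Triggers section describes for a failover group. Interface names and per-test packet counts are constructed sample inputs.

```python
"""Simulation of the interface-monitoring tests and the failure threshold
described above (constructed example, not Cisco code).

Both units of a pair run the same sequence of tests on a monitored
interface. A unit "receives traffic" in a test when its received-packet
count for that test window is non-zero. All counts below are sample inputs.
"""
from dataclasses import dataclass, field

# Network tests in the order the guide lists them (after the Link Up/Down test).
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")

OPERATIONAL, FAILED, UNKNOWN = "operational", "failed", "unknown"


@dataclass
class UnitProbe:
    """What one unit observed on one interface during the test sequence."""
    link_up: bool
    rx: dict = field(default_factory=dict)  # test name -> packets received in window

    def received(self, test):
        # A link that is down can receive nothing, so every network test fails.
        return self.link_up and self.rx.get(test, 0) > 0


def evaluate_interface(active, standby):
    """Return (state_on_active, state_on_standby) for one monitored interface.

    Tests run in order and stop at the first test in which either unit sees
    traffic. If only one unit sees traffic, the silent unit's interface is
    failed. If neither sees traffic in any test, both interfaces go to
    Unknown, which does not count toward the failover threshold.
    """
    for test in NETWORK_TESTS:
        a, s = active.received(test), standby.received(test)
        if a and s:
            return OPERATIONAL, OPERATIONAL
        if a and not s:
            return OPERATIONAL, FAILED
        if s and not a:
            return FAILED, OPERATIONAL
    return UNKNOWN, UNKNOWN


def threshold_met(states, threshold):
    """True when enough interfaces on one unit (or in one failover group) are failed.

    threshold is either a number of interfaces (int) or a percentage of the
    monitored interfaces (str such as "50%"). Interfaces in the Unknown state
    are never counted as failed.
    """
    failed = sum(1 for s in states if s == FAILED)
    if isinstance(threshold, str) and threshold.endswith("%"):
        if not states:
            return False
        return failed * 100 >= float(threshold[:-1]) * len(states)
    return failed >= int(threshold)


def decide(probes, threshold):
    """Evaluate every monitored interface and return the unit-level outcome.

    probes maps interface name -> (UnitProbe on active, UnitProbe on standby).
    The policy follows Table 14-1: a standby unit over the threshold is marked
    failed and never triggers failover; an active unit over it does.
    """
    active_states, standby_states, per_if = [], [], {}
    for name, (a, s) in probes.items():
        sa, ss = evaluate_interface(a, s)
        active_states.append(sa)
        standby_states.append(ss)
        per_if[name] = (sa, ss)
    if threshold_met(standby_states, threshold):
        policy = "no failover: standby marked failed"
    elif threshold_met(active_states, threshold):
        policy = "failover: active marked failed, standby becomes active"
    else:
        policy = "no failover"
    return {"interfaces": per_if, "policy": policy}


# Constructed sample: three monitored interfaces, one probe window each.
SAMPLE = {
    # Active unit saw nothing even after its ARP requests; the standby got 3
    # packets during its ARP test, so the active unit's outside interface fails.
    "outside": (UnitProbe(True, {"network_activity": 0, "arp": 0, "broadcast_ping": 0}),
                UnitProbe(True, {"network_activity": 0, "arp": 3, "broadcast_ping": 0})),
    # Both units saw normal traffic during the Network Activity test.
    "inside": (UnitProbe(True, {"network_activity": 42}),
               UnitProbe(True, {"network_activity": 37})),
    # Quiet segment: neither unit saw anything, so both sides go to Unknown.
    "dmz": (UnitProbe(True, {}), UnitProbe(True, {})),
}

if __name__ == "__main__":
    for thr in (1, "50%"):
        print(thr, decide(SAMPLE, thr)["policy"])
```

With the default-style threshold of 1 interface the sample fails over; with "50%" the single failed interface out of three does not reach the threshold, and the Unknown dmz interface counts toward neither side.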
Failover Feature/Platform Matrix
Table 14-4 shows the failover features supported by each hardware platform.
Table 14-4 Failover Feature Support by Platform
Platform | Cable-Based Failover | LAN-Based Failover | Stateful Failover
ASA 5505 series adaptive security appliance | No | Yes | No
ASA 5500 series adaptive security appliance (other than the ASA 5505) | No | Yes | Yes
PIX 500 series security appliance | Yes | Yes | Yes
Failover Times by Platform
Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security
appliance.
Table 14-6 shows the minimum, default, and maximum failover times for the ASA 5500 series adaptive
security appliance.
Table 14-5 PIX 500 series security appliance failover times
Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 45 seconds | 45 seconds
Active unit interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds
Table 14-6 ASA 5500 series adaptive security appliance failover times
Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 15 seconds | 45 seconds
Active unit main board interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit 4GE card interface link down. | 2 seconds | 5 seconds | 15 seconds
Active unit IPS or CSC card fails. | 2 seconds | 2 seconds | 2 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds
Configuring Failover
This section describes how to configure failover and includes the following topics:
• Failover Configuration Limitations, page 14-19
• Configuring Active/Standby Failover, page 14-19
• Configuring Active/Active Failover, page 14-27
• Configuring Unit Health Monitoring, page 14-39
• Configuring Failover Communication Authentication/Encryption, page 14-39
• Verifying the Failover Configuration, page 14-40
Failover Configuration Limitations
You cannot configure failover with the following types of IP addresses:
• IP addresses obtained through DHCP
• IP addresses obtained through PPPoE
• IPv6 addresses
Additionally, the following restrictions apply:
• Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
• Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
• You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive
security appliance.
• VPN failover is not supported in multiple context mode.
Configuring Active/Standby Failover
This section provides step-by-step procedures for configuring Active/Standby failover. This section
includes the following topics:
• Prerequisites, page 14-20
• Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only), page 14-20
• Configuring LAN-Based Active/Standby Failover, page 14-21
• Configuring Optional Active/Standby Failover Settings, page 14-25
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in the same mode (single or multiple, transparent or routed).
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)
Follow these steps to configure Active/Standby failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based Active/Standby failover, perform the following steps:
Step 1 Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the other unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as the Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose.
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note If the Stateful Failover link uses a data interface, skip this step. You have already defined the
active and standby IP addresses for the interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Enable failover:
hostname(config)# failover
Step 6 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: sending to mate.” and “End
Configuration Replication to mate” appear on the primary console.
Step 7 Save the configuration to Flash memory on the primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Configuring LAN-Based Active/Standby Failover
This section describes how to configure Active/Standby failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.
Note If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as
assigning the active and standby IP addresses for each interface, that you completed for the cable-based
failover configuration.
This section includes the following topics:
• Configuring the Primary Unit, page 14-22
• Configuring the Secondary Unit, page 14-24
Configuring the Primary Unit
Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration.
These steps provide the minimum configuration needed to enable failover on the primary unit. For
multiple context mode, all steps are performed in the system execution space unless otherwise noted.
To configure the primary unit in an Active/Standby failover pair, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 2 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 3 Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
Step 4 Define the failover interface:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if
argument can be the physical port name, such as Ethernet1, or a previously created subinterface,
such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.
b. Assign the active and standby IP address to the failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The failover link IP address and MAC address do not change at failover. The active IP address for
the failover link always stays with the primary unit, while the standby IP address stays with the
secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
Note If the Stateful Failover link uses the failover link or a data interface, then you only need to
supply the if_name argument.
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 6 Enable failover:
hostname(config)# failover
Step 7 Save the system configuration to Flash memory:
hostname(config)# copy running-config startup-config
Configuring the Secondary Unit
The only configuration required on the secondary unit is for the failover interface. The secondary unit
requires these commands to initially communicate with the primary unit. After the primary unit sends
its configuration to the secondary unit, the only permanent difference between the two configurations is
the failover lan unit command, which identifies each unit as primary or secondary.
For multiple context mode, all steps are performed in the system execution space unless noted otherwise.
To configure the secondary unit, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit.
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface on the primary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured otherwise.
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate”
and “End Configuration Replication to mate” appear on the active unit console.
Step 5 After the running configuration has completed replication, save the configuration to Flash memory:
hostname(config)# copy running-config startup-config
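The following Python script is an added example and is not part of the Cisco guide. It encodes the rules stated in "Configuring the Primary Unit" and "Configuring the Secondary Unit" above (the standby address must lie in the active address's subnet, the failover-link commands must be entered identically on both units, "failover lan enable" applies to PIX only, a Stateful Failover link that reuses the failover link or a data interface needs only its if_name) and emits the bootstrap command sequence for each unit in the order of the steps. The interface names, logical names and addresses are constructed sample values; the class and function names are the script's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class AddrPair:
    """Active/standby addresses of one interface (values are constructed samples)."""
    phy_if: str      # physical port or subinterface, e.g. Ethernet0/2.3
    active: str
    mask: str
    standby: str

    def problem(self) -> Optional[str]:
        """None if the pair is acceptable, else why it is not: the standby address
        must differ from the active one and be in the same subnet."""
        try:
            net = ipaddress.ip_network(f"{self.active}/{self.mask}", strict=False)
            act, sby = ipaddress.ip_address(self.active), ipaddress.ip_address(self.standby)
        except ValueError as exc:
            return f"{self.phy_if}: {exc}"
        if act == sby:
            return f"{self.phy_if}: active and standby addresses are identical"
        if sby not in net:
            return f"{self.phy_if}: standby {sby} is outside {net}"
        return None

    def check(self) -> None:
        msg = self.problem()
        if msg:
            raise ValueError(msg)


@dataclass
class Link(AddrPair):
    """Failover or Stateful Failover link: an address pair plus its logical if_name."""
    if_name: str = "folink"


def failover_link_commands(link: Link) -> List[str]:
    """Step 4 (primary) / Step 2 (secondary): these lines must match on both units."""
    link.check()
    return [
        f"failover lan interface {link.if_name} {link.phy_if}",
        f"failover interface ip {link.if_name} {link.active} {link.mask} standby {link.standby}",
        f"interface {link.phy_if}",
        " no shutdown",
    ]


def stateful_link_commands(state: Union[None, str, Link], folink: Link) -> List[str]:
    """Step 5 (primary, optional). A str names an existing interface (the failover link
    or a data interface) to reuse; then only 'failover link if_name' is needed."""
    if state is None:
        return []
    if isinstance(state, str):
        return [f"failover link {state}"]
    if state.phy_if == folink.phy_if:
        raise ValueError("to share the failover link pass its if_name, not a second Link")
    state.check()
    return [
        f"failover link {state.if_name} {state.phy_if}",
        f"failover interface ip {state.if_name} {state.active} {state.mask} standby {state.standby}",
        f"interface {state.phy_if}",
        " no shutdown",
    ]


def primary_unit_commands(data_ifs: List[AddrPair], folink: Link,
                          state: Union[None, str, Link] = None, pix: bool = False) -> List[str]:
    """Steps 1 to 7 of "Configuring the Primary Unit", in order (routed mode shown)."""
    cmds: List[str] = []
    for d in data_ifs:                                        # Step 1
        d.check()
        cmds += [f"interface {d.phy_if}", f" ip address {d.active} {d.mask} standby {d.standby}"]
    if isinstance(state, Link) and state.phy_if in {d.phy_if for d in data_ifs}:
        raise ValueError("a dedicated Stateful Failover interface cannot also be a data interface")
    if pix:                                                   # Step 2: PIX only
        cmds.append("failover lan enable")
    cmds.append("failover lan unit primary")                  # Step 3
    cmds += failover_link_commands(folink)                    # Step 4
    cmds += stateful_link_commands(state, folink)             # Step 5 (optional)
    cmds += ["failover", "copy running-config startup-config"]  # Steps 6 and 7
    return cmds


def secondary_unit_commands(folink: Link, pix: bool = False) -> List[str]:
    """Steps 1 to 5 of "Configuring the Secondary Unit": only the failover link is bootstrapped."""
    cmds = ["failover lan enable"] if pix else []             # Step 1: PIX only
    cmds += failover_link_commands(folink)                    # Step 2
    cmds += ["failover lan unit secondary",                   # Step 3 (optional, the default)
             "failover",                                      # Step 4
             "copy running-config startup-config"]            # Step 5
    return cmds


def link_mismatches(primary: List[str], secondary: List[str]) -> List[str]:
    """Failover-link lines present on one unit but not the other; must be empty."""
    def pick(cmds):
        return {c for c in cmds if c.startswith(("failover lan interface", "failover interface ip"))}
    return sorted(pick(primary) ^ pick(secondary))


# Constructed sample topology: one data interface and a dedicated failover link that
# also carries the Stateful Failover traffic.
OUTSIDE = AddrPair("Ethernet0", "192.0.2.1", "255.255.255.0", "192.0.2.2")
FOLINK = Link("Ethernet1", "10.0.0.1", "255.255.255.0", "10.0.0.2", if_name="folink")

if __name__ == "__main__":
    pri = primary_unit_commands([OUTSIDE], FOLINK, state="folink")
    sec = secondary_unit_commands(FOLINK)
    print("\n".join(pri) + "\n---\n" + "\n".join(sec))
    print("mismatches:", link_mismatches(pri, sec))
```

The script refuses a standby address outside the active subnet before any command is produced, and link_mismatches gives a quick diff of the two units' failover-link definitions, which is the part the guide says must be entered exactly the same way on both.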
Configuring Optional Active/Standby Failover Settings
You can configure the following optional Active/Standby failover settings when you are initially
configuring failover or after failover has already been configured. Unless otherwise noted, the
commands should be entered on the active unit.
This section includes the following topics:
• Enabling HTTP Replication with Stateful Failover, page 14-25
• Disabling and Enabling Interface Monitoring, page 14-25
• Configuring Interface Health Monitoring, page 14-26
• Configuring Failover Criteria, page 14-26
• Configuring Virtual MAC Addresses, page 14-26
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information replication, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information.
Enter the following command in global configuration mode to enable HTTP state replication when
Stateful Failover is enabled:
hostname(config)# failover replication http
Disabling and Enabling Interface Monitoring
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can
monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by
disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you
exclude interfaces attached to less critical networks from affecting your failover policy.
For units in multiple context mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
• To enable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
For units in single context mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# no monitor-interface if_name
• To enable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then the additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the interface poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime interface [msec] time [holdtime time]
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Note If the interface link is down, interface testing is not conducted and the standby unit could become active
in just one interface polling period if the number of failed interfaces meets or exceeds the configured
failover criteria.
Configuring Failover Criteria
By default, a single interface failure causes failover. You can specify a specific number of interfaces or
a percentage of monitored interfaces that must fail before a failover occurs.
To change the default failover criteria, enter the following command in global configuration mode:
hostname(config)# failover interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
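The following Python script is an added example, not code from the Cisco guide. It models the three sections above together: which interfaces are monitored (physical on by default, subinterfaces off, overridden by monitor-interface / no monitor-interface, at most 250), the range and hold-time rules of failover polltime interface, the detection timeline including the link-down shortcut from the Note, and whether a set of failed interfaces meets a failover interface-policy. The interface names and states are constructed; the comparison used for a percentage policy (failed divided by monitored, compared with >=) is an assumption, since the guide states only the valid ranges.

```python
from typing import Dict, Iterable, Set, Tuple

MAX_MONITORED = 250


def monitored_interfaces(interfaces: Dict[str, bool], overrides: Dict[str, bool]) -> Set[str]:
    """interfaces maps if_name -> is_subinterface. overrides maps if_name -> True for
    'monitor-interface if_name' and False for 'no monitor-interface if_name'.
    Default: physical interfaces are monitored, subinterfaces are not."""
    monitored = {name for name, is_sub in interfaces.items() if not is_sub}
    for name, enabled in overrides.items():
        if name not in interfaces:
            raise KeyError(f"monitor-interface: unknown interface {name}")
        if enabled:
            monitored.add(name)
        else:
            monitored.discard(name)
    if len(monitored) > MAX_MONITORED:
        raise ValueError(f"{len(monitored)} monitored interfaces exceeds the limit of {MAX_MONITORED}")
    return monitored


def polltime(poll: int, hold: int, msec: bool = False) -> Tuple[float, float]:
    """Range-check 'failover polltime interface [msec] poll [holdtime hold]' and
    return (poll_seconds, hold_seconds)."""
    if msec and not 500 <= poll <= 999:
        raise ValueError("with msec the poll time must be 500 to 999 milliseconds")
    if not msec and not 1 <= poll <= 15:
        raise ValueError("poll time must be 1 to 15 seconds")
    if not 5 <= hold <= 75:
        raise ValueError("hold time must be 5 to 75 seconds")
    poll_s = poll / 1000 if msec else float(poll)
    if hold < 5 * poll_s:
        raise ValueError("hold time must be at least 5 times the poll time")
    return poll_s, float(hold)


def polltime_ok(poll: int, hold: int, msec: bool = False) -> bool:
    """True if the combination would be accepted."""
    try:
        polltime(poll, hold, msec)
        return True
    except ValueError:
        return False


def detection_timeline(poll_s: float, hold_s: float, link_down: bool = False) -> Dict[str, float]:
    """Seconds after the last hello at which extra testing starts and the interface is
    marked failed. With the link down no testing runs and one poll period is enough."""
    if link_down:
        return {"testing_starts": 0.0, "marked_failed": poll_s}
    return {"testing_starts": hold_s / 2, "marked_failed": hold_s}


def interface_policy(arg: str) -> Tuple[int, bool]:
    """Parse 'failover interface-policy num[%]' into (num, is_percent), range-checked."""
    is_pct = arg.endswith("%")
    num = int(arg[:-1] if is_pct else arg)
    if not 1 <= num <= (100 if is_pct else MAX_MONITORED):
        raise ValueError(f"interface-policy {arg}: out of range")
    return num, is_pct


def failover_triggered(failed: Iterable[str], monitored: Set[str], policy: str = "1") -> bool:
    """Only failures on monitored interfaces count toward the policy (default: one)."""
    num, is_pct = interface_policy(policy)
    failed_monitored = len(set(failed) & monitored)
    if is_pct:   # assumed rule: percentage of monitored interfaces that has failed, >= num
        return bool(monitored) and failed_monitored * 100 >= num * len(monitored)
    return failed_monitored >= num


# Constructed sample: three physical interfaces and one subinterface; dmz is excluded
# from monitoring and the subinterface inside.10 is added to it.
IFACES = {"outside": False, "inside": False, "dmz": False, "inside.10": True}
OVERRIDES = {"dmz": False, "inside.10": True}

if __name__ == "__main__":
    mon = monitored_interfaces(IFACES, OVERRIDES)
    print("monitored:", sorted(mon))
    print("poll/hold:", polltime(5, 25), detection_timeline(*polltime(5, 25)))
    print("dmz down, policy 1:", failover_triggered({"dmz"}, mon))
    print("outside down, policy 50%:", failover_triggered({"outside"}, mon, "50%"))
```

A failure on dmz never triggers failover here because dmz is no longer monitored, which is exactly the effect the guide describes for interfaces on less critical networks.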
Configuring Virtual MAC Addresses
In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active
IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for
its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from
the primary unit. The change can disrupt network traffic.
You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the
correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you
do not specify virtual MAC addresses, the failover pair uses the burned-in NIC addresses as the MAC
addresses.
Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP
addresses for those links do not change during failover.
Enter the following command on the active unit to configure the virtual MAC addresses for an interface:
hostname(config)# failover mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit hexadecimal value
(four hex digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used to configure virtual MAC addresses, the security appliance uses the following
order of preference to determine which virtual MAC address is assigned to an interface:
1. The mac-address command (in interface configuration mode) address.
2. The failover mac address command address.
3. The mac-address auto command generated address.
4. The burned-in MAC address.
Use the show interface command to display the MAC address used by an interface.
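The following Python script is an added example, not code from the Cisco guide. It converts a MAC address written with dashes, colons or dots into the H.H.H form that failover mac address expects, builds the command for an interface, and resolves which address an interface ends up with under the order of preference listed above. The unicast (I/G bit) check is an added sanity check that the guide does not mention; the sample addresses are constructed.

```python
import re


def to_hhh(mac: str) -> str:
    """Normalise 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000c.f142.4cde to H.H.H
    (three 16-bit hexadecimal groups), the format 'failover mac address' takes."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"unexpected characters in MAC address {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_unicast(hhh: str) -> bool:
    """Added check: an interface address must have the I/G bit (LSB of the first
    octet) clear; a set bit marks a multicast address."""
    return (int(hhh[0:2], 16) & 0x01) == 0


def failover_mac_command(phy_if: str, active_mac: str, standby_mac: str) -> str:
    """'failover mac address phy_if active_mac standby_mac' with both addresses normalised."""
    active, standby = to_hhh(active_mac), to_hhh(standby_mac)
    if active == standby:
        raise ValueError("active and standby virtual MAC addresses must differ")
    for addr in (active, standby):
        if not is_unicast(addr):
            raise ValueError(f"{addr} is a multicast address and cannot be an interface MAC")
    return f"failover mac address {phy_if} {active} {standby}"


# Order of preference from the guide, most preferred first.
PREFERENCE = ("mac-address", "failover mac address", "mac-address auto", "burned-in")


def effective_mac(sources: dict) -> tuple:
    """sources maps a PREFERENCE name to the address that method supplies (omit the
    ones not configured). Returns (winning method, H.H.H address)."""
    for method in PREFERENCE:
        if sources.get(method):
            return method, to_hhh(sources[method])
    raise ValueError("no address given; hardware always has at least a burned-in MAC")


if __name__ == "__main__":
    print(failover_mac_command("Ethernet1", "00-0C-F1-42-4C-DE", "00-0C-F1-42-4C-DF"))
    # Constructed sample: only the failover command and the burned-in address exist.
    print(effective_mac({"burned-in": "00:11:22:33:44:55",
                         "failover mac address": "00-0C-F1-42-4C-DE"}))
```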
Configuring Active/Active Failover
This section describes how to configure Active/Active failover.
Note Active/Active failover is not available on the ASA 5505 series adaptive security appliance.
This section includes the following topics:
• Prerequisites, page 14-27
• Configuring Cable-Based Active/Active Failover (PIX security appliance), page 14-27
• Configuring LAN-Based Active/Active Failover, page 14-29
• Configuring Optional Active/Active Failover Settings, page 14-33
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in multiple context mode.
Configuring Cable-Based Active/Active Failover (PIX security appliance)
Follow these steps to configure Active/Active failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based, Active/Active failover, perform the following steps:
Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the unit you use as the secondary unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover except for when
Stateful Failover uses a regular data interface. The active IP address always stays with the primary
unit, while the standby IP address stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.
For each failover group, you need to specify whether the failover group has primary or secondary
preference using the primary or secondary command. You can assign the same preference to both
failover groups. For load balancing configurations, you should assign each failover group a different unit
preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 6 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 7 Enable failover:
hostname(config)# failover
Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End
Configuration Replication to mate” appear on the primary console.
Step 9 Save the configuration to Flash memory on the primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Step 10 If necessary, force any failover group that is active on the primary to the active state on the secondary.
To force a failover group to become active on the secondary unit, issue the following command in the
system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring LAN-Based Active/Active Failover
This section describes how to configure Active/Active failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.
This section includes the following topics:
• Configure the Primary Unit, page 14-30
• Configure the Secondary Unit, page 14-32
Configure the Primary Unit
To configure the primary unit in an Active/Active failover configuration, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be configured
on all interfaces. The standby IP address is used on the security appliance that is currently the standby
unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. In transparent
firewall mode, you must enter a management IP address for each context.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 2 Configure the basic failover parameters in the system execution space.
a. (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
b. Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
c. Specify the failover link:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the
Stateful Failover link).
d. Specify the failover link active and standby IP addresses:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask. The failover link IP address and MAC address do not
change at failover. The active IP address always stays with the primary unit, while the standby IP
address stays with the secondary unit.
Step 3 (Optional) To enable Stateful Failover, configure the Stateful Failover link:
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
Note If the Stateful Failover link uses the failover link or a regular data interface, then you only
need to supply the if_name argument.
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or a regular data interface, skip this step.
You have already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The state link IP address and MAC address do not change at failover. The active IP address always
stays with the primary unit, while the standby IP address stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or regular data interface, skip this step. You
have already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.
For each failover group, specify whether the failover group has primary or secondary preference using
the primary or secondary command. You can assign the same preference to both failover groups. For
load balancing configurations, you should assign each failover group a different unit preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 5 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 6 Enable failover:
hostname(config)# failover
Configure the Secondary Unit
When configuring LAN-based Active/Active failover, you need to bootstrap the secondary unit to
recognize the failover link. This allows the secondary unit to communicate with and receive the running
configuration from the primary unit.
To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured otherwise.
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages “Beginning configuration replication: Sending to
mate” and “End Configuration Replication to mate” appear on the active unit console.
Step 5 After the running configuration has completed replication, enter the following command to save the
configuration to Flash memory:
hostname(config)# copy running-config startup-config
Step 6 If necessary, force any failover group that is active on the primary to the active state on the secondary
unit. To force a failover group to become active on the secondary unit, enter the following command in
the system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring Optional Active/Active Failover Settings
The following optional Active/Active failover settings can be configured when you are initially
configuring failover or after you have already established failover. Unless otherwise noted, the
commands should be entered on the unit that has failover group 1 in the active state.
This section includes the following topics:
• Configuring Failover Group Preemption, page 14-33
• Enabling HTTP Replication with Stateful Failover, page 14-34
• Disabling and Enabling Interface Monitoring, page 14-34
• Configuring Interface Health Monitoring, page 14-34
• Configuring Failover Criteria, page 14-34
• Configuring Virtual MAC Addresses, page 14-35
• Configuring Asymmetric Routing Support, page 14-35
Configuring Failover Group Preemption
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously. However, if one unit boots before the other, then
both failover groups become active on that unit. When the other unit comes online, any failover groups
that have the unit as a priority do not become active on that unit unless manually forced over, a failover
occurs, or the failover group is configured with the preempt command. The preempt command causes
a failover group to become active on the designated unit automatically when that unit becomes available.
Enter the following commands to configure preemption for the specified failover group:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# preempt [delay]
You can enter an optional delay value, which specifies the number of seconds the failover group remains
active on the current unit before automatically becoming active on the designated unit.
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information. You can use the replication http command to cause a failover group to replicate HTTP state
information when Stateful Failover is enabled.
To enable HTTP state replication for a failover group, enter the following command. This command only
affects the failover group in which it was configured. To enable HTTP state replication for both failover
groups, you must enter this command in each group. This command should be entered in the system
execution space.
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# replication http
Disabling and Enabling Interface Monitoring
You can monitor up to 250 interfaces on a unit. By default, monitoring of physical interfaces is enabled
and the monitoring of subinterfaces is disabled. You can control which interfaces affect your failover
policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets
you exclude interfaces attached to less critical networks from affecting your failover policy.
To disable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
To enable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the default interface poll time and hold time, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# polltime interface [msec] time [holdtime time]
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Configuring Failover Criteria
By default, failover occurs if a single monitored interface fails. You can specify a specific number of
interfaces or a percentage of monitored interfaces that must fail before a failover occurs. The failover
criteria are specified on a failover group basis.
To change the default failover criteria for the specified failover group, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
Configuring Virtual MAC Addresses
Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual
MAC addresses, then they are computed as follows:
• Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
• Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.
Note If you have more than one Active/Active failover pair on the same network, it is possible to have the
same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the
interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To
avoid having duplicate MAC addresses on your network, make sure you assign each physical interface
a virtual active and standby MAC address for all failover groups.
You can configure specific active and standby MAC addresses for an interface by entering the following
commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit group written as
four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as
000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used, the security appliance assigns an interface the virtual MAC address from the
first of the following sources that has one configured:
1. The mac-address command in interface configuration mode.
2. The failover mac address command.
3. The address generated by the mac-address auto command.
4. The automatically generated failover MAC address.
Use the show interface command to display the MAC address used by an interface.
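The default virtual MAC scheme above is what makes the duplicate-address note bite when several Active/Active pairs share a segment. The following Python is an added example, not code from the Cisco guide: it builds the default active and standby virtual MAC for a port and failover group, converts a dashed or colon-separated address to the H.H.H form the mac address command takes, reports the defaults that two or more pairs on one network would share, and renders replacement mac address commands. It assumes that the physical port number and the failover group ID each occupy one octet of the default address (so port 1 in group 1 gives 00a0.c901.0101 and 00a0.c901.0102); the replacement scheme in mac_address_commands (locally administered addresses keyed by a per-pair index) is this example's own choice, not a Cisco recommendation.

```python
"""Default Active/Active failover virtual MAC addresses and duplicate detection.

Added example, not code from the Cisco guide. The default layout follows the
guide's description (00a0.c9 + physical port number + failover group id + 01
for the active address or 02 for the standby address); this example assumes
the port number and the group id each occupy one octet, so port 1 in group 1
yields 00a0.c901.0101 / 00a0.c901.0102. The replacement scheme in
mac_address_commands (locally administered addresses keyed by a per-pair
index) is this example's own choice, not a Cisco recommendation.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

def to_hhh(mac: str) -> str:
    """Normalize 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000c.f142.4cde to the
    H.H.H form the mac address command expects (lowercased here)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"

def default_virtual_mac(port: int, group: int, role: str) -> str:
    """Default virtual MAC for a physical port in failover group 1 or 2."""
    if not 0 <= port <= 255 or group not in (1, 2):
        raise ValueError("port must fit one octet and group must be 1 or 2")
    suffix = {"active": 0x01, "standby": 0x02}[role]
    return to_hhh(f"00a0c9{port:02x}{group:02x}{suffix:02x}")

def find_duplicates(pairs: Dict[str, Iterable[Tuple[int, int]]]) -> Dict[str, List[Tuple]]:
    """pairs maps a failover-pair name to its (port, group) assignments.
    Returns every default MAC that more than one interface would use, which is
    exactly the collision the guide's note warns about when several
    Active/Active pairs share a network."""
    owners = defaultdict(list)
    for pair, assignments in pairs.items():
        for port, group in assignments:
            for role in ("active", "standby"):
                owners[default_virtual_mac(port, group, role)].append((pair, port, group, role))
    return {mac: who for mac, who in owners.items() if len(who) > 1}

def mac_address_commands(pair_index: int, assignments: Iterable[Tuple[str, int, int]]) -> List[str]:
    """Render failover group / mac address lines giving each interface a unique
    locally administered address (first octet 02) that embeds the pair index,
    the port and the group. assignments: (interface name, port, group)."""
    if not 1 <= pair_index <= 255:
        raise ValueError("pair_index must fit one octet")
    lines = []
    for if_name, port, group in assignments:
        base = f"02{pair_index:02x}{port:02x}{group:02x}00"
        lines.append(f"failover group {group}")
        lines.append(f" mac address {if_name} {to_hhh(base + '01')} {to_hhh(base + '02')}")
    return lines
```

Run find_duplicates over an inventory of every Active/Active pair on the segment before trusting the defaults; any address it returns is one you should override with mac address on every pair that would otherwise compute it.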
Configuring Asymmetric Routing Support
When running in Active/Active failover, a unit may receive a return packet for a connection that
originated through its peer unit. Because the security appliance that receives the packet does not have
any connection information for the packet, the packet is dropped. This most commonly occurs when the
two security appliances in an Active/Active failover pair are connected to different service providers and
the outbound connection does not use a NAT address.
You can prevent the return packets from being dropped using the asr-group command on interfaces
where this is likely to occur. When an interface configured with the asr-group command receives a
packet for which it has no session information, it checks the session information for the other interfaces
that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one
of the following actions occurs:
• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and
the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer
2 header is rewritten and the packet is reinjected into the stream.
Note Using the asr-group command to configure asymmetric routing support is more secure than using the
static command with the nailed option.
The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets
to the correct interface.
Prerequisites
You must have the following configured for asymmetric routing support to function properly:
• Active/Active Failover
• Stateful Failover—passes state information for sessions on interfaces in the active failover group to
the standby failover group.
• replication http—HTTP session state information is not passed to the standby failover group by
default, and therefore is not present on the standby interface. For the security appliance to be able to
re-route asymmetrically routed HTTP packets, you need to replicate the HTTP state information.
You can configure the asr-group command on an interface without having failover configured, but it
does not have any effect until Stateful Failover is enabled.
Configuring Support for Asymmetrically Routed Packets
To configure support for asymmetrically routed packets, perform the following steps:
Step 1 Configure Active/Active Stateful Failover for the failover pair. See Configuring Active/Active Failover,
page 14-27.
Step 2 For each interface that you want to participate in asymmetric routing support, enter the following
command. You must enter the command on the unit where the context is in the active state so that the
command is replicated to the standby failover group. For more information about command replication,
see Command Replication, page 14-12.
hostname/ctx(config)# interface phy_if
hostname/ctx(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command for each interface that
participates in the asymmetric routing group. You can view the number of ASR packets transmitted,
received, or dropped by an interface using the show interface detail command. You can have more than
one ASR group configured on the security appliance, but only one per interface. Only members of the
same ASR group are checked for session information.
Example
Figure 14-1 shows an example of using the asr-group command for asymmetric routing support.
Figure 14-1 ASR Example (diagram not reproduced; it shows SecAppA with outside interface 192.168.1.1
toward ISP A and SecAppB with outside interface 192.168.2.2 toward ISP B, both attached to the inside
network and joined by the failover/state link, with outbound traffic leaving through SecAppA and return
traffic arriving at SecAppB)
The two units have the following configuration (configurations show only the relevant commands). The
device labeled SecAppA in the diagram is the primary unit in the failover pair.
Example 14-1 Primary Unit System Configuration
hostname primary
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface GigabitEthernet0/4
no shutdown
interface GigabitEthernet0/5
no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
primary
failover group 2
secondary
admin-context admin
context admin
description admin
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url flash:/admin.cfg
join-failover-group 1
context ctx1
description context 1
allocate-interface GigabitEthernet0/4
allocate-interface GigabitEthernet0/5
config-url flash:/ctx1.cfg
join-failover-group 2
Example 14-2 admin Context Configuration
hostname SecAppA
interface GigabitEthernet0/2
nameif outsideISP-A
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
asr-group 1
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outsideISP-A
Example 14-3 ctx1 Context Configuration
hostname SecAppB
interface GigabitEthernet0/4
nameif outsideISP-B
security-level 0
ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
asr-group 1
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11
Figure 14-1 on page 14-37 shows the ASR support working as follows:
1. An outbound session passes through security appliance SecAppA. It exits interface outsideISP-A
(192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back
through the interface outsideISP-B (192.168.2.2) on security appliance SecAppB.
3. Normally the return traffic would be dropped because there is no session information for the traffic
on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The
unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby
state on the unit SecAppB. Stateful Failover replicated the session information from SecAppA to
SecAppB.
5. Instead of being dropped, the layer 2 header is re-written with information for interface 192.168.1.1
and the traffic is redirected out of the interface 192.168.1.2, where it can then return through the
interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues
as needed until the session ends.
Configuring Unit Health Monitoring
The security appliance sends hello packets over the failover interface to monitor unit health. If the
standby unit does not receive a hello packet from the active unit for two consecutive polling periods, it
sends additional testing packets through the remaining device interfaces. If a hello packet or a response
to the interface test packets is not received within the specified hold time, the standby unit becomes
active.
You can configure the frequency of hello messages when monitoring unit health. Decreasing the poll
time allows a unit failure to be detected more quickly, but consumes more system resources.
To change the unit poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime [msec] time [holdtime [msec] time]
You can configure the polling frequency from 1 to 15 seconds or, if the optional msec keyword is used,
from 200 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet
is missed to when failover occurs. The hold time must be at least 3 times the poll time. You can configure
the hold time from 1 to 45 seconds or, if the optional msec keyword is used, from 800 to 990
milliseconds.
Setting the security appliance to use the minimum poll and hold times allows it to detect and respond to
unit failures in under a second, but it also increases system resource usage and can cause false failure
detection in cases where the networks are congested or where the security appliance is running near full
capacity.
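The interface timers in Configuring Interface Health Monitoring and the unit timers above have different ranges and different minimum hold-to-poll ratios, and a value the appliance rejects is easy to type. The following Python is an added example, not code from the Cisco guide: it encodes the ranges and ratios this chapter states for both timer sets, reports which rule a candidate pair breaks, renders the corresponding CLI lines, and gives a rough upper bound on detection latency. The latency figure (one poll interval to miss the first hello, plus the hold time) is this example's own simplification and not a number from the guide.

```python
"""Check Cisco ASA/PIX failover timers against the rules in this chapter.

Added example, not code from the Cisco guide. It encodes the ranges and
ratios the guide states for the two timer sets (interface monitoring:
polltime 1-15 s or 500-999 ms, holdtime 5-75 s, holdtime >= 5 x polltime;
unit monitoring: polltime 1-15 s or 200-999 ms, holdtime 1-45 s or
800-990 ms, holdtime >= 3 x polltime) and renders the CLI lines. The
detection-latency estimate (one poll interval to miss the first hello plus
the hold time) is this example's own simplification, not a figure from the
guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]

@dataclass(frozen=True)
class TimerRule:
    poll_sec: Range              # allowed whole-second poll values
    poll_msec: Range             # allowed values with the msec keyword
    hold_sec: Range
    hold_msec: Optional[Range]   # None: the guide allows no msec hold time here
    hold_ratio: int              # hold must be at least this many polls

INTERFACE = TimerRule((1, 15), (500, 999), (5, 75), None, 5)
UNIT = TimerRule((1, 15), (200, 999), (1, 45), (800, 990), 3)

def _in_range(value: int, bounds: Optional[Range]) -> bool:
    return bounds is not None and bounds[0] <= value <= bounds[1]

def _accepted(ms: int, sec_bounds: Range, msec_bounds: Optional[Range]) -> bool:
    # A whole number of seconds is checked as seconds; anything else needs msec.
    if ms % 1000 == 0 and _in_range(ms // 1000, sec_bounds):
        return True
    return _in_range(ms, msec_bounds)

def validate(rule: TimerRule, poll_ms: int, hold_ms: int) -> List[str]:
    """Return the rule violations for a poll/hold pair given in milliseconds;
    an empty list means the appliance would accept the values."""
    problems = []
    if not _accepted(poll_ms, rule.poll_sec, rule.poll_msec):
        problems.append(f"polltime {poll_ms} ms is outside the allowed ranges")
    if not _accepted(hold_ms, rule.hold_sec, rule.hold_msec):
        problems.append(f"holdtime {hold_ms} ms is outside the allowed ranges")
    if hold_ms < rule.hold_ratio * poll_ms:
        problems.append(f"holdtime must be at least {rule.hold_ratio} x polltime")
    return problems

def worst_case_detection_ms(poll_ms: int, hold_ms: int) -> int:
    """Upper bound on time from failure to detection (simplified model)."""
    return poll_ms + hold_ms

def _cli_value(ms: int) -> str:
    return str(ms // 1000) if ms % 1000 == 0 else f"msec {ms}"

def unit_polltime_command(poll_ms: int, hold_ms: int) -> str:
    """Render 'failover polltime [msec] time [holdtime [msec] time]'."""
    return f"failover polltime {_cli_value(poll_ms)} holdtime {_cli_value(hold_ms)}"

def interface_polltime_command(group: int, poll_ms: int, hold_ms: int) -> List[str]:
    """Render the failover-group form used for interface monitoring
    (the interface hold time takes whole seconds only)."""
    return [f"failover group {group}",
            f" polltime interface {_cli_value(poll_ms)} holdtime {hold_ms // 1000}"]
```

The sub-second unit timers the guide describes (200 ms poll, 800 ms hold) pass validate but sit at the floor of both ranges; pair them with the guide's warning about false failure detection under congestion before deploying them.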
Configuring Failover Communication Authentication/Encryption
You can encrypt and authenticate the communication between failover peers by specifying a shared
secret or hexadecimal key.
Note On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect
the units, then communication over the failover link is not encrypted even if a failover key is configured.
The failover key only encrypts LAN-based failover communication.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Enter the following command on the active unit of an Active/Standby failover pair or on the unit that has
failover group 1 in the active state of an Active/Active failover pair:
hostname(config)# failover key {secret | hex key}
The secret argument specifies a shared secret that is used to generate the encryption key. It can be from
1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex
key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9,
a-f).
Note To prevent the failover key from being replicated to the peer unit in clear text for an existing failover
configuration, disable failover on the active unit (or in the system execution space on the unit that has
failover group 1 in the active state), enter the failover key on both units, and then re-enable failover.
When failover is re-enabled, the failover communication is encrypted with the key.
For new LAN-based failover configurations, the failover key command should be part of the failover
pair bootstrap configuration.
Verifying the Failover Configuration
This section describes how to verify your failover configuration. This section includes the following
topics:
• Using the show failover Command, page 14-40
• Viewing Monitored Interfaces, page 14-48
• Displaying the Failover Commands in the Running Configuration, page 14-48
• Testing the Failover Functionality, page 14-49
Using the show failover Command
This section describes the show failover command output. On each unit you can verify the failover status
by entering the show failover command. The information displayed depends upon whether you are using
Active/Standby or Active/Active failover.
This section includes the following topics:
• show failover—Active/Standby, page 14-40
• Show Failover—Active/Active, page 14-44
show failover—Active/Standby
The following is sample output from the show failover command for Active/Standby Failover.
Table 14-7 provides descriptions for the information shown.
hostname# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: fover Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
This host: Primary - Active
Active time: 13434 (sec)
Interface inside (10.130.9.3): Normal
Interface outside (10.132.9.3): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface inside (10.130.9.4): Normal
Interface outside (10.132.9.4): Normal
Stateful Failover Logical Update Statistics
Link : fover Ethernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1950 0 1733 0
sys cmd 1733 0 1733 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 6 0 0 0
UDP conn 0 0 0 0
ARP tbl 106 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 1733
Xmit Q: 0 2 15225
In multiple context mode, using the show failover command in a security context displays the failover
information for that context. The information is similar to the information shown when using the
command in single context mode. Instead of showing the active/standby status of the unit, it displays the
active/standby status of the context. Table 14-7 provides descriptions for the information shown.
Failover On
Last Failover at: 04:03:11 UTC Jan 4 2003
This context: Negotiation
Active time: 1222 (sec)
Interface outside (192.168.5.121): Normal
Interface inside (192.168.0.1): Normal
Peer context: Not Detected
Active time: 0 (sec)
Interface outside (192.168.5.131): Normal
Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 99 0 0 0
UDP conn 0 0 0 0
ARP tbl 22 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0
Table 14-7 Show Failover Display Description
Field Options
Failover • On
• Off
Cable status: • Normal—The cable is connected to both units, and they both have
power.
• My side not connected—The serial cable is not connected to this
unit. It is unknown if the cable is connected to the other unit.
• Other side is not connected—The serial cable is connected to this
unit, but not to the other unit.
• Other side powered off—The other unit is turned off.
• N/A—LAN-based failover is enabled.
Failover Unit Primary or Secondary.
Failover LAN Interface Displays the logical and physical name of the failover link.
Unit Poll frequency Displays the number of seconds between hello messages sent to the
peer unit and the number of seconds during which the unit must receive
a hello message on the failover link before declaring the peer failed.
Interface Poll frequency n seconds
The number of seconds you set with the failover polltime interface
command. The default is 15 seconds.
Interface Policy Displays the number or percentage of interfaces that must fail to trigger
failover.
Monitored Interfaces Displays the number of interfaces monitored out of the maximum
possible.
failover replication http Displays if HTTP state replication is enabled for Stateful Failover.
Last Failover at: The date and time of the last failover in the following form:
hh:mm:ss UTC DayName Month Day yyyy
UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich
Mean Time).
This host:
Other host:
For each host, the display shows the following information.
Primary or Secondary • Active
• Standby
Active time: n (sec)
The amount of time the unit has been active. This time is cumulative,
so the standby unit, if it was active in the past, also shows a value.
slot x Information about the module in the slot or empty.
Interface name (n.n.n.n): For each interface, the display shows the IP address currently being
used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• No Link—The interface line protocol is down.
• Normal—The interface is working correctly.
• Link Down—The interface has been administratively shut down.
• Unknown—The security appliance cannot determine the status of
the interface.
• Waiting—Monitoring of the network interface on the other unit has
not yet started.
Stateful Failover Logical
Update Statistics
The following fields relate to the Stateful Failover feature. If the Link
field shows an interface name, the Stateful Failover statistics are shown.
Link • interface_name—The interface used for the Stateful Failover link.
• Unconfigured—You are not using Stateful Failover.
• up—The interface is up and functioning.
• down—The interface is either administratively shutdown or is
physically down.
• failed—The interface has failed and is not passing stateful data.
Stateful Obj For each field type, the following statistics are shown. They are
counters for the number of state information packets sent between the
two units; the fields do not necessarily show active connections through
the unit.
• xmit—Number of transmitted packets to the other unit.
• xerr—Number of errors that occurred while transmitting packets to
the other unit.
• rcv—Number of received packets.
• rerr—Number of errors that occurred while receiving packets from
the other unit.
General Sum of all stateful objects.
sys cmd Logical update system commands; for example, LOGIN and Stay
Alive.
up time Up time, which the active unit passes to the standby unit.
RPC services Remote Procedure Call connection information.
TCP conn TCP connection information.
UDP conn Dynamic UDP connection information.
ARP tbl Dynamic ARP table information.
L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout Indicates connection translation timeout information.
VPN IKE upd IKE connection information.
VPN IPSEC upd IPSec connection information.
VPN CTCP upd cTCP tunnel connection information.
VPN SDI upd SDI AAA connection information.
VPN DHCP upd Tunneled DHCP connection information.
GTP PDP GTP PDP update information. This information appears only if inspect
GTP is enabled.
GTP PDPMCB GTP PDPMCB update information. This information appears only if
inspect GTP is enabled.
Logical Update Queue Information For each field type, the following statistics are used:
• Cur—Current number of packets
• Max—Maximum number of packets
• Total—Total number of packets
Recv Q The status of the receive queue.
Xmit Q The status of the transmit queue.
Show Failover—Active/Active
The following is sample output from the show failover command for Active/Active Failover. Table 14-8
provides descriptions for the information shown.
hostname# show failover
Failover On
Failover unit Primary
Failover LAN Interface: third GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 4 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
failover replication http
Group 1 last failover at: 13:40:18 UTC Dec 9 2004
Group 2 last failover at: 13:40:06 UTC Dec 9 2004
This host: Primary
Group 1 State: Active
Active time: 2896 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
admin Interface outside (10.132.8.5): Normal
admin Interface third (10.132.9.5): Normal
admin Interface inside (10.130.8.5): Normal
admin Interface fourth (10.130.9.5): Normal
ctx1 Interface outside (10.1.1.1): Normal
ctx1 Interface inside (10.2.2.1): Normal
ctx2 Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 190 (sec)
Group 2 State: Active
Active time: 3322 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
admin Interface outside (10.132.8.6): Normal
admin Interface third (10.132.9.6): Normal
admin Interface inside (10.130.8.6): Normal
admin Interface fourth (10.130.9.6): Normal
ctx1 Interface outside (10.1.1.2): Normal
ctx1 Interface inside (10.2.2.2): Normal
ctx2 Interface outside (10.3.3.1): Normal
ctx2 Interface inside (10.4.4.1): Normal
Stateful Failover Logical Update Statistics
Link : third GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 1973 0 1895 0
sys cmd 380 0 380 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1435 0 1450 0
UDP conn 0 0 0 0
ARP tbl 124 0 65 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 1895
Xmit Q: 0 0 1940
The following is sample output from the show failover group command for Active/Active Failover. The
information displayed is similar to that of the show failover command, but limited to the specified
group. Table 14-8 provides descriptions for the information shown.
hostname# show failover group 1
Last Failover at: 04:09:59 UTC Jan 4 2005
This host: Secondary
State: Active
Active time: 186 (sec)
admin Interface outside (192.168.5.121): Normal
admin Interface inside (192.168.0.1): Normal
Other host: Primary
State: Standby
Active time: 0 (sec)
admin Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 33 0 0 0
UDP conn 0 0 0 0
ARP tbl 12 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0
Table 14-8 Show Failover Display Description
Field Options
Failover • On
• Off
Failover Unit Primary or Secondary.
Failover LAN Interface Displays the logical and physical name of the failover link.
Unit Poll frequency Displays the number of seconds between hello messages sent to the
peer unit and the number of seconds during which the unit must receive
a hello message on the failover link before declaring the peer failed.
Interface Poll frequency n seconds
The number of seconds you set with the failover polltime interface
command. The default is 15 seconds.
Interface Policy Displays the number or percentage of interfaces that must fail before
triggering failover.
Monitored Interfaces Displays the number of interfaces monitored out of the maximum
possible.
Group 1 Last Failover at:
Group 2 Last Failover at:
The date and time of the last failover for each group in the following
form:
hh:mm:ss UTC DayName Month Day yyyy
UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich
Mean Time).
This host:
Other host:
For each host, the display shows the following information.
Role Primary or Secondary
System State • Active or Standby Ready
• Active Time in seconds
Group 1 State
Group 2 State
• Active or Standby Ready
• Active Time in seconds
slot x Information about the module in the slot or empty.
context Interface name (n.n.n.n): For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• No link—The interface line protocol is down.
• Normal—The interface is working correctly.
• Link Down—The interface has been administratively shut down.
• Unknown—The security appliance cannot determine the status of the interface.
• Waiting—Monitoring of the network interface on the other unit has not yet started.
Stateful Failover Logical Update Statistics: The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, the Stateful Failover statistics are shown.
Link:
• interface_name—The interface used for the Stateful Failover link.
• Unconfigured—You are not using Stateful Failover.
• up—The interface is up and functioning.
• down—The interface is either administratively shutdown or is physically down.
• failed—The interface has failed and is not passing stateful data.
Stateful Obj: For each field type, the following statistics are used. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
• xmit—Number of transmitted packets to the other unit
• xerr—Number of errors that occurred while transmitting packets to the other unit
• rcv—Number of received packets
• rerr—Number of errors that occurred while receiving packets from the other unit
General: Sum of all stateful objects.
sys cmd: Logical update system commands; for example, LOGIN and Stay Alive.
up time: Up time, which the active unit passes to the standby unit.
RPC services: Remote Procedure Call connection information.
TCP conn: TCP connection information.
UDP conn: Dynamic UDP connection information.
ARP tbl: Dynamic ARP table information.
L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout: Indicates connection translation timeout information.
VPN IKE upd: IKE connection information.
Table 14-8 Show Failover Display Description (continued)
Viewing Monitored Interfaces
To view the status of monitored interfaces, enter the following command. In single context mode, enter
this command in global configuration mode. In multiple context mode, enter this command within a
context.
primary/context(config)# show monitor-interface
For example:
hostname/context(config)# show monitor-interface
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.91): Normal
Other host: Secondary - Standby
Interface outside (192.168.1.3): Normal
Interface inside (10.1.1.100): Normal
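The show monitor-interface output above can be checked automatically against the interface conditions listed in Table 14-8, which is useful when polling a failover pair from a monitoring host. This is an added example, not code from the Cisco guide; the sample output is the one shown above, while the function names and the constructed degraded sample are assumptions of the example.

```python
"""Parse `show monitor-interface` output and flag interfaces that are not Normal.

Added example, not from the Cisco guide. SAMPLE_OUTPUT is the output shown in
the guide; MONITOR_STATES comes from Table 14-8; the helper functions are
assumptions of this example.
"""
import re
from dataclasses import dataclass

# The interface conditions listed in Table 14-8 of the guide.
MONITOR_STATES = {"Failed", "No link", "Normal", "Link Down", "Unknown", "Waiting"}

SAMPLE_OUTPUT = """\
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.91): Normal
Other host: Secondary - Standby
Interface outside (192.168.1.3): Normal
Interface inside (10.1.1.100): Normal
"""

_HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$")
_IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([^)]+)\):\s+(.+?)\s*$")


@dataclass(frozen=True)
class MonitoredInterface:
    host: str    # "This" or "Other"
    unit: str    # "Primary" or "Secondary"
    role: str    # "Active" or "Standby"
    name: str    # interface name, for example "outside"
    ip: str      # IP address currently used on this unit
    state: str   # one of MONITOR_STATES


def parse_monitor_interface(text: str) -> list[MonitoredInterface]:
    """Return one record per interface line, attributed to the preceding host header."""
    records = []
    host = unit = role = None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            host, unit, role = m.groups()
            continue
        m = _IFACE_RE.match(line)
        if m and host is not None:
            name, ip, state = m.groups()
            if state not in MONITOR_STATES:
                raise ValueError(f"unexpected interface state {state!r} on {name}")
            records.append(MonitoredInterface(host, unit, role, name, ip, state))
    return records


def check_monitored_interfaces(text: str) -> dict:
    """Summarise failover health: which unit is active, and any interface not Normal.

    Failed, No link, Link Down and Unknown are reported as degraded because
    they either trigger failover or mean the unit cannot judge the interface.
    Waiting is listed separately: it is expected briefly while monitoring of
    the other unit starts, and only matters if it persists.
    """
    records = parse_monitor_interface(text)
    active = [r for r in records if r.role == "Active"]
    return {
        "active_unit": active[0].unit if active else None,
        "degraded": [(r.unit, r.name, r.state)
                     for r in records if r.state not in ("Normal", "Waiting")],
        "waiting": [(r.unit, r.name) for r in records if r.state == "Waiting"],
        "interface_count": len(records),
    }


if __name__ == "__main__":
    print(check_monitored_interfaces(SAMPLE_OUTPUT))
    # Constructed degraded output: the standby unit has lost link on "inside".
    degraded = SAMPLE_OUTPUT.replace("Interface inside (10.1.1.100): Normal",
                                     "Interface inside (10.1.1.100): No link")
    print(check_monitored_interfaces(degraded))
```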
Displaying the Failover Commands in the Running Configuration
To view the failover commands in the running configuration, enter the following command:
hostname(config)# show running-config failover
All of the failover commands are displayed. On units running multiple context mode, enter this command
in the system execution space. Entering show running-config all failover displays the failover
commands in the running configuration and includes commands for which you have not changed the
default value.
Table 14-8 Show Failover Display Description (continued)
VPN IPSEC upd: IPSec connection information.
VPN CTCP upd: cTCP tunnel connection information.
VPN SDI upd: SDI AAA connection information.
VPN DHCP upd: Tunneled DHCP connection information.
GTP PDP: GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB: GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
Logical Update Queue Information: For each field type, the following statistics are used:
• Cur—Current number of packets
• Max—Maximum number of packets
• Total—Total number of packets
Recv Q: The status of the receive queue.
Xmit Q: The status of the transmit queue.
Testing the Failover Functionality
To test failover functionality, perform the following steps:
Step 1 Test that your active unit or failover group is passing traffic as expected by using FTP (for example) to
send a file between hosts on different interfaces.
Step 2 Force a failover to the standby unit by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# no failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# no failover active group group_id
Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.
Step 5 When you are finished, you can restore the unit or failover group to active status by entering the following
command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# failover active group group_id
Controlling and Monitoring Failover
This section describes how to control and monitor failover. This section includes the following topics:
• Forcing Failover, page 14-49
• Disabling Failover, page 14-50
• Restoring a Failed Unit or Failover Group, page 14-50
• Monitoring Failover, page 14-50
Forcing Failover
To force the standby unit or failover group to become active, enter one of the following commands:
• For Active/Standby failover:
Enter the following command on the standby unit:
hostname# failover active
Or, enter the following command on the active unit:
hostname# no failover active
• For Active/Active failover:
Enter the following command in the system execution space of the unit where the failover group is
in the standby state:
hostname# failover active group group_id
Or, enter the following command in the system execution space of the unit where the failover group
is in the active state:
hostname# no failover active group group_id
Entering the following command in the system execution space causes all failover groups to become
active:
hostname# failover active
Disabling Failover
To disable failover, enter the following command:
hostname(config)# no failover
Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be
maintained until you restart. For example, the standby unit remains in standby mode so that both units
do not start passing traffic. To make the standby unit active (even with failover disabled), see the
“Forcing Failover” section on page 14-49.
Disabling failover on an Active/Active pair causes the failover groups to remain in the active state on
whichever unit they are currently active on, no matter which unit they are configured to prefer. The no
failover command should be entered in the system execution space.
Restoring a Failed Unit or Failover Group
To restore a failed unit to an unfailed state, enter the following command:
hostname(config)# failover reset
To restore a failed Active/Active failover group to an unfailed state, enter the following command:
hostname(config)# failover reset group group_id
Restoring a failed unit or group to an unfailed state does not automatically make it active; restored units
or groups remain in the standby state until made active by failover (forced or natural). An exception is a
failover group configured with the preempt command. If previously active, a failover group becomes
active if it is configured with the preempt command and if the unit on which it failed is the preferred
unit.
Monitoring Failover
When a failover occurs, both security appliances send out system messages. This section includes the
following topics:
• Failover System Messages, page 14-51
• Debug Messages, page 14-51
• SNMP, page 14-51
Failover System Messages
The security appliance issues a number of system messages related to failover at priority level 2, which
indicates a critical condition. To view these messages, see the Cisco Security Appliance Logging
Configuration and System Log Messages to enable logging and to see descriptions of the system
messages.
Note During switchover, failover logically shuts down and then brings up interfaces, generating syslog 411001
and 411002 messages. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command
Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system
performance. For this reason, use the debug fover commands only to troubleshoot specific problems or
during troubleshooting sessions with Cisco TAC.
SNMP
To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP
management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP
management station. See the snmp-server and logging commands in the Cisco Security Appliance
Command Reference for more information.
Part 2 Configuring the Firewall
Chapter 15 Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the firewall mode, see the
“Setting Transparent or Routed Firewall Mode” section on page 2-5.
Note In multiple context mode, you cannot set the firewall mode separately for each context; you can only set
the firewall mode for the entire security appliance.
This chapter includes the following sections:
• Routed Mode Overview, page 15-1
• Transparent Mode Overview, page 15-8
Routed Mode Overview
In routed mode, the security appliance is considered to be a router hop in the network. It can perform
NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode
supports many interfaces. Each interface is on a different subnet. You can share interfaces between
contexts.
This section includes the following topics:
• IP Routing Support, page 15-1
• Network Address Translation, page 15-2
• How Data Moves Through the Security Appliance in Routed Firewall Mode, page 15-3
IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires an
IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP.
Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers instead of relying on the security appliance for
extensive routing needs.
Network Address Translation
NAT substitutes the local address on a packet with a global address that is routable on the destination
network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a
higher security interface (inside) to use NAT when communicating with a lower security interface
(outside), you can enable NAT control (see the nat-control command).
Note NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a
security appliance from an earlier version, then the nat-control command is automatically added to your
configuration to maintain the expected behavior.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Figure 15-1 shows a typical NAT scenario, with a private network on the inside. When the inside user
sends a packet to a web server on the Internet, the local source address of the packet is changed to a
routable global address. When the web server responds, it sends the response to the global address, and
the security appliance receives the packet. The security appliance then translates the global address to
the local address before sending it on to the user.
Figure 15-1 NAT Example
[Figure 15-1 NAT Example: Web Server www.example.com (Outside); 209.165.201.2; 10.1.2.1; 10.1.2.27 (Inside); Originating Packet, Source Addr Translation 10.1.2.27 to 209.165.201.10; Responding Packet, Dest Addr Translation 209.165.201.10 to 10.1.2.27]
How Data Moves Through the Security Appliance in Routed Firewall Mode
This section describes how data moves through the security appliance in routed firewall mode, and
includes the following topics:
• An Inside User Visits a Web Server, page 15-3
• An Outside User Visits a Web Server on the DMZ, page 15-4
• An Inside User Visits a Web Server on the DMZ, page 15-6
• An Outside User Attempts to Access an Inside Host, page 15-7
• A DMZ User Attempts to Access an Inside Host, page 15-8
An Inside User Visits a Web Server
Figure 15-2 shows an inside user accessing an outside web server.
Figure 15-2 Inside to Outside
The following steps describe how data moves through the security appliance (see Figure 15-2):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface would be
unique; the www.example.com IP address does not have a current address translation in a context.
3. The security appliance translates the local source address (10.1.2.27) to the global address
209.165.201.10, which is on the outside interface subnet.
The global address could be on any subnet, but routing is simplified when it is on the outside
interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the
outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance,
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the global destination
address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.
An Outside User Visits a Web Server on the DMZ
Figure 15-3 shows an outside user accessing the DMZ web server.
Figure 15-3 Outside to DMZ
[Figure 15-3 Outside to DMZ: Web Server 10.1.1.3 (DMZ); User (Outside); 209.165.201.2; 10.1.2.1; 10.1.1.1; Dest Addr Translation 209.165.201.3 to 10.1.1.3]
The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the classifier “knows” that
the DMZ web server address belongs to a certain context because of the server address translation.
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the
DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the local source address
to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.
An Inside User Visits a Web Server on the DMZ
Figure 15-4 shows an inside user accessing the DMZ web server.
Figure 15-4 Inside to DMZ
The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface is unique;
the web server IP address does not have a current address translation.
3. The security appliance then records that a session is established and forwards the packet out of the
DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 15-5 shows an outside user attempting to access the inside network.
Figure 15-5 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-5):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable
IP address).
If the inside network uses private addresses, no outside user can reach the inside network without
NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
A DMZ User Attempts to Access an Inside Host
Figure 15-6 shows a user in the DMZ attempting to access the inside network.
Figure 15-6 DMZ to Inside
The following steps describe how data moves through the security appliance (see Figure 15-6):
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to
route the traffic on the internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-9
• Allowing Layer 3 Traffic, page 15-9
• Passing Traffic Not Allowed in Routed Mode, page 15-9
• MAC Address Lookups, page 15-10
• Using the Transparent Firewall in Your Network, page 15-10
• Transparent Firewall Guidelines, page 15-10
• Unsupported Features in Transparent Mode, page 15-11
• How Data Moves Through the Transparent Firewall, page 15-13
Transparent Firewall Network
The security appliance connects the same network on its inside and outside interfaces. Because the
firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP
readdressing is unnecessary.
Allowing Layer 3 Traffic
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3
traffic travelling from a low to a high security interface, an extended access list is required.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in
an access list. The transparent firewall, however, can allow almost any traffic through using either an
extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols
like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or
multicast traffic such as that created by IP/TV.
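The destination MAC allow list under "Allowed MAC Addresses" and the EtherType rule in the Note above (field at or above 0x600, BPDUs excepted, CDP and IPv6 not passed) can be expressed as a single frame-admission check, which is handy when reasoning about why a particular non-IP protocol does or does not cross a transparent firewall. This is an added example, not code from the Cisco guide; the function names, the constants and the sample frames are constructed for illustration.

```python
"""Classify Ethernet frames against the transparent-firewall admission rules
described in this section. Added example; helper names and sample frames are
constructed, not taken from the guide.
"""

BROADCAST = 0xFFFFFFFFFFFF              # FFFF.FFFF.FFFF
BPDU_MULTICAST = 0x01000CCCCCCD         # 0100.0CCC.CCCD (allowed as an exception)
CDP_MULTICAST = 0x01000CCCCCCC          # 0100.0CCC.CCCC, not on the allow list

# Destination MAC ranges the guide lists as allowed (inclusive).
ALLOWED_DEST_RANGES = (
    ("IPv4 multicast", 0x01005E000000, 0x01005EFEFFFF),
    ("IPv6 multicast", 0x333300000000, 0x3333FFFFFFFF),
    ("AppleTalk multicast", 0x090007000000, 0x090007FFFFFF),
)

ETHERTYPE_IPV6 = 0x86DD
MIN_VALID_ETHERTYPE = 0x0600


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0100.5E00.0001), colon or dash notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def is_group_address(mac: int) -> bool:
    """I/G bit of the first octet: set for multicast and broadcast destinations."""
    return bool((mac >> 40) & 0x01)


def dest_mac_verdict(dest_mac: str) -> str:
    """Name the allow-list entry a group destination matches, or "dropped".

    Unicast destinations are not covered by the list; the firewall forwards
    them by MAC address table lookup (see "MAC Address Lookups").
    """
    mac = mac_to_int(dest_mac)
    if not is_group_address(mac):
        return "unicast"
    if mac == BROADCAST:
        return "broadcast"
    if mac == BPDU_MULTICAST:
        return "BPDU multicast"
    for label, low, high in ALLOWED_DEST_RANGES:
        if low <= mac <= high:
            return label
    return "dropped"


def frame_passes(dest_mac: str, ethertype: int) -> bool:
    """Apply both checks: destination MAC allow list and the EtherType rule.

    The field after the MAC addresses is an EtherType only if it is >= 0x600;
    smaller values are 802.3 length fields (LLC/SNAP frames such as CDP and
    IS-IS) and are dropped, except for BPDUs. IPv6 is not passed either.
    Passing this check only means the frame is eligible; an extended or
    EtherType access list still decides whether it is permitted.
    """
    verdict = dest_mac_verdict(dest_mac)
    if verdict == "dropped":
        return False
    if ethertype == ETHERTYPE_IPV6:
        return False
    if ethertype < MIN_VALID_ETHERTYPE:
        return verdict == "BPDU multicast"
    return True


if __name__ == "__main__":
    # Constructed frames: (destination MAC, EtherType or 802.3 length field)
    samples = [
        ("FFFF.FFFF.FFFF", 0x0806),   # ARP broadcast
        ("0100.5E00.0005", 0x0800),   # OSPF all-routers multicast over IPv4
        ("0100.0CCC.CCCD", 0x0026),   # PVST+ BPDU with an 802.3 length field
        ("0100.0CCC.CCCC", 0x0135),   # CDP with an 802.3 length field
        ("3333.0000.0001", 0x86DD),   # IPv6 all-nodes
        ("0100.5EFF.0000", 0x0800),   # just past the listed IPv4 multicast range
        ("0000.0C12.3456", 0x8847),   # unicast MPLS; needs an EtherType access list
    ]
    for mac, etype in samples:
        print(f"{mac} 0x{etype:04X} -> {dest_mac_verdict(mac):>20}  "
              f"eligible={frame_passes(mac, etype)}")
```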
MAC Address Lookups
When the security appliance runs in transparent mode, the outgoing interface of a packet is determined
by performing a MAC address lookup instead of a route lookup. Route statements can still be configured,
but they only apply to security appliance-originated traffic. For example, if your syslog server is located
on a remote network, you must use a static route so the security appliance can reach that subnet.
Using the Transparent Firewall in Your Network
Figure 15-7 shows a typical transparent firewall network where the outside devices are on the same
subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside
router.
Figure 15-7 Transparent Firewall Network
Transparent Firewall Guidelines
Follow these guidelines when planning your transparent firewall network:
• A management IP address is required; for multiple context mode, an IP address is required for each
context.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire device. The security appliance uses this IP address as the source
address for packets originating on the security appliance, such as system messages or AAA
communications.
The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255).
You can configure an IP address for the Management 0/0 management-only interface. This IP
address can be on a separate subnet from the main management IP address.
Note If the management IP address is not configured, transient traffic does not pass through the
transparent firewall. For multiple context mode, transient traffic does not pass through virtual
contexts.
• The transparent security appliance uses an inside interface and an outside interface only. If your
platform includes a dedicated management interface, you can also configure the management
interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if
available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected
devices; devices need to specify the router on the other side of the security appliance as the default
gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface
across contexts.
• For multiple context mode, each context typically uses a different subnet. You can use overlapping
subnets, but your network topology requires router and NAT configuration to make it possible from
a routing standpoint.
Unsupported Features in Transparent Mode
Table 15-1 lists the features that are not supported in transparent mode.
Table 15-1 Unsupported Features in Transparent Mode
Feature: Description
Dynamic DNS: —
DHCP relay: The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
Dynamic routing protocols: You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list.
IPv6: You also cannot allow IPv6 using an EtherType access list.
Multicast: You can allow multicast traffic through the security appliance by allowing it in an extended access list.
NAT: NAT is performed on the upstream router.
QoS: —
VPN termination for through traffic: The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported.
How Data Moves Through the Transparent Firewall
Figure 15-8 shows a typical transparent firewall implementation with an inside network that contains a
public web server. The security appliance has an access list so that the inside users can access Internet
resources. Another access list lets the outside users access only the web server on the inside network.
Figure 15-8 Typical Transparent Firewall Data Path
This section describes how data moves through the security appliance, and includes the following topics:
• An Inside User Visits a Web Server, page 15-14
• An Outside User Visits a Web Server on the Inside Network, page 15-15
• An Outside User Attempts to Access an Inside Host, page 15-16
An Inside User Visits a Web Server
Figure 15-9 shows an inside user accessing an outside web server.
Figure 15-9 Inside to Outside
The following steps describe how data moves through the security appliance (see Figure 15-9):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
outside interface. The destination MAC address is that of the upstream router, 209.186.201.2.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the inside user.
An Outside User Visits a Web Server on the Inside Network
Figure 15-10 shows an outside user accessing the inside web server.
Figure 15-10 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-10):
1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
inside interface. The destination MAC address is that of the downstream router, 209.186.201.1.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the outside user.
An Outside User Attempts to Access an Inside Host
Figure 15-11 shows an outside user attempting to access a host on the inside network.
Figure 15-11 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-11):
1. A user on the outside network attempts to reach an inside host.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies if the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The packet is denied, and the security appliance drops the packet.
4. If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
[Figure 15-11 labels: Management IP 209.165.201.6; Host 209.165.201.2; Host 209.165.201.3; Internet]
Chapter 16
Identifying Traffic with Access Lists
This chapter describes how to identify traffic with access lists. This chapter includes the following
topics:
• Access List Overview, page 16-1
• Adding an Extended Access List, page 16-5
• Adding an EtherType Access List, page 16-8
• Adding a Standard Access List, page 16-11
• Adding a Webtype Access List, page 16-11
• Simplifying Access Lists with Object Grouping, page 16-11
• Adding Remarks to Access Lists, page 16-18
• Scheduling Extended Access List Activation, page 16-18
• Logging Access List Activity, page 16-20
For information about IPv6 access lists, see the “Configuring IPv6 Access Lists” section on page 12-6.
Access List Overview
Access lists are made up of one or more Access Control Entries. An ACE is a single entry in an access
list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address
or network, and optionally the source and destination ports.
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 21, “Using Modular Policy Framework.”
This section includes the following topics:
• Access List Types, page 16-2
• Access Control Entry Order, page 16-2
• Access Control Implicit Deny, page 16-3
• IP Addresses Used for Access Lists When You Use NAT, page 16-3
Access List Types
Table 16-1 lists the types of access lists and some common uses for them.
Access Control Entry Order
An access list is made up of one or more Access Control Entries. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Each ACE that you enter for a given access list name is appended to the end of the access list.
The order of ACEs is important. When the security appliance decides whether to forward or drop a
packet, the security appliance tests the packet against each ACE in the order in which the entries are
listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the
beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
Table 16-1 Access List Types and Common Uses

| Access List Use | Access List Type | Description |
|---|---|---|
| Control network access for IP traffic (routed and transparent mode) | Extended | The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note: To access the security appliance interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 40, “Managing System Access.” |
| Identify traffic for AAA rules | Extended | AAA rules use access lists to identify traffic. |
| Control network access for IP traffic for a given user | Extended, downloaded from a AAA server per user | You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the security appliance. |
| Identify addresses for NAT (policy NAT and NAT exemption) | Extended | Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list. |
| Establish VPN access | Extended | You can use an extended access list in VPN commands. |
| Identify traffic in a traffic class map for Modular Policy Framework | Extended, EtherType | Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection. |
| For transparent firewall mode, control network access for non-IP traffic | EtherType | You can configure an access list that controls traffic based on its EtherType. |
| Identify OSPF route redistribution | Standard | Standard access lists include only the destination address. You can use a standard access list to control the redistribution of OSPF routes. |
| Filtering for WebVPN | Webtype | You can configure a Webtype access list to filter URLs. |
You can disable an ACE by specifying the keyword inactive in the access-list command.
Access Control Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the security appliance
except for particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IP Addresses Used for Access Lists When You Use NAT
When you use NAT, the IP addresses you specify for an access list depend on the interface to which the
access list is attached; you need to use addresses that are valid on the network connected to the interface.
This guideline applies for both inbound and outbound access lists: the direction does not determine the
address used, only the interface does.
For example, you want to apply an access list to the inbound direction of the inside interface. You
configure the security appliance to perform NAT on the inside source addresses when they access outside
addresses. Because the access list is applied to the inside interface, the source addresses are the original
untranslated addresses. Because the outside addresses are not translated, the destination address used in
the access list is the real address (see Figure 16-1).
Figure 16-1 IP Addresses in Access Lists: NAT Used for Source Addresses
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
[Figure 16-1 labels: 209.165.200.225; Inside; Outside; Inbound ACL: Permit from 10.1.1.0/24 to 209.165.200.225; 10.1.1.0/24; PAT: 10.1.1.0/24 to 209.165.201.4:port]
hostname(config)# access-group INSIDE in interface inside
If you want to allow an outside host to access an inside host, you can apply an inbound access list on the
outside interface. You need to specify the translated address of the inside host in the access list because
that address is the address that can be used on the outside network (see Figure 16-2).
Figure 16-2 IP Addresses in Access Lists: NAT used for Destination Addresses
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside
[Figure 16-2 labels: 209.165.200.225; Inside; Outside; Static NAT: 10.1.1.34 to 209.165.201.5; ACL: Permit from 209.165.200.225 to 209.165.201.5]
If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface.
In Figure 16-3, an outside server uses static NAT so that a translated address appears on the inside
network.
Figure 16-3 IP Addresses in Access Lists: NAT used for Source and Destination Addresses
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside
Adding an Extended Access List
This section describes how to add an extended access list, and includes the following sections:
• Extended Access List Overview, page 16-5
• Allowing Broadcast and Multicast Traffic through the Transparent Firewall, page 16-6
• Adding an Extended ACE, page 16-6
Extended Access List Overview
An extended access list is made up of one or more ACEs, in which you can specify the line number to
insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the
ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within
the access-list command, or you can use object groups for each parameter. This section describes how
to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists
with Object Grouping” section on page 16-11.
[Figure 16-3 labels: 209.165.200.225; 10.1.1.0/24; Inside; Outside; Static NAT: 10.1.1.56; ACL: Permit from 10.1.1.0/24 to 10.1.1.56; PAT: 10.1.1.0/24 to 209.165.201.4:port]
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20. For information about time range options, see the “Scheduling
Extended Access List Activation” section on page 16-18.
For TCP and UDP connections, you do not need an access list to allow returning traffic, because the
FWSM allows all returning traffic for established, bidirectional connections. For connectionless
protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you
either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine
treats ICMP sessions as bidirectional connections.
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can apply the same access lists on multiple interfaces. See Chapter 18, “Permitting or
Denying Network Access,” for more information about applying an access list to an interface.
Note If you change the access list configuration, and you do not want to wait for existing connections to time
out before the new access list information is used, you can clear the connections using the clear
local-host command.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 16-2 lists common traffic types that you can allow through the transparent firewall.
Adding an Extended ACE
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list unless you specify the line number.
Table 16-2 Transparent Firewall Special Traffic

| Traffic Type | Protocol or Port | Notes |
|---|---|---|
| DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the security appliance does not pass DHCP packets. |
| EIGRP | Protocol 88 | — |
| OSPF | Protocol 89 | — |
| Multicast streams | The UDP ports vary depending on the application. | Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x). |
| RIP (v1 or v2) | UDP port 520 | — |
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
Tip Enter the access list name in upper case letters so the name is easy to see in the configuration. You might
want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is
created (for example, NO_NAT or VPN).
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of
protocol names, see the “Protocols and Applications” section on page D-11.
Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.
Enter the any keyword instead of the address and mask to specify any address.
You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted
keywords and well-known port assignments, see the “TCP and UDP Ports” section on page D-11. DNS,
Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for
UDP. TACACS+ requires one definition for port 49 on TCP.
Use an operator to match port numbers used by the source or destination. The permitted operators are
as follows:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for
example:
range 100 200
You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol,
you either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine (see the “Adding an ICMP
Type Object Group” section on page 16-15). The ICMP inspection engine treats ICMP sessions as
stateful connections. To control ping, specify echo-reply (0) (security appliance to host) or echo (8)
(host to security appliance). See the “Adding an ICMP Type Object Group” section on page 16-15 for a
list of ICMP types.
When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask).
The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the
inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make
reenabling easier.
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
If the entry that you are removing is the only entry in the access list, the entire access list is removed.
See the following examples:
The following access list allows all hosts (on the interface to which you apply the access list) to go
through the security appliance:
hostname(config)# access-list ACL_IN extended permit ip any any
The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27
network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
The following access list restricts all hosts (on the interface to which you apply the access list) from
accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
Adding an EtherType Access List
Transparent firewall mode only
This section describes how to add an EtherType access list, and includes the following sections:
• EtherType Access List Overview, page 16-8
• Adding an EtherType ACE, page 16-10
EtherType Access List Overview
An EtherType access list is made up of one or more ACEs that specify an EtherType. This section
includes the following topics:
• Supported EtherTypes, page 16-8
• Implicit Permit of IP and ARPs Only, page 16-9
• Implicit and Explicit Deny ACE at the End of an Access List, page 16-9
• IPv6 Unsupported, page 16-9
• Using Extended and EtherType Access Lists on the Same Interface, page 16-9
• Allowing MPLS, page 16-9
Supported EtherTypes
An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number.
EtherType access lists support Ethernet V2 frames.
802.3-formatted frames are not handled by the access list because they use a length field as opposed to
a type field.
BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and
the security appliance is designed to specifically handle BPDUs.
The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN
information inside the payload, so the security appliance modifies the payload with the outgoing VLAN
if you allow BPDUs.
Note If you use failover, you must allow BPDUs on both interfaces with an EtherType access list to avoid
bridging loops.
Implicit Permit of IP and ARPs Only
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection.
However, to allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType
access list, even from a high security to a low security interface.
Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want
traffic to pass in both directions.
Implicit and Explicit Deny ACE at the End of an Access List
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IPv6 Unsupported
EtherType ACEs do not allow IPv6 traffic, even if you specify the IPv6 EtherType.
Using Extended and EtherType Access Lists on the Same Interface
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can also apply the same access lists on multiple interfaces.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the security appliance by configuring both MPLS routers connected
to the security appliance to use the IP address on the security appliance interface as the router-id for LDP
or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward
packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the security appliance.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Adding an EtherType ACE
To add an EtherType ACE, enter the following command:
hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or
equal to 0x600. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of
EtherTypes.
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
To remove an EtherType ACE, enter the no access-list command with the entire command syntax string
as it appears in the configuration:
hostname(config)# no access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
Note If an EtherType access list is configured to deny all, all ethernet frames are discarded. Only physical
protocol traffic, such as auto-negotiation, is still allowed.
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list.
Tip Enter the access_list_name in upper case letters so the name is easy to see in the configuration. You
might want to name the access list for the interface (for example, INSIDE), or for the purpose (for
example, MPLS or IPX).
For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies IPX:
hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following access list denies traffic with EtherType 0x1256, but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside
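The following Python model is added here as an illustration and is not part of the security appliance software or of this guide. It applies the EtherType access list rules stated in this section to sample frames: a 16-bit field of 0x600 or more is an Ethernet V2 EtherType and is matched first-match with an implicit deny; a smaller field is an 802.3 length, which the access list does not handle except for BPDUs; IPv4 and ARP pass the EtherType list implicitly (IPv4 still has to pass the extended access list) and are blocked only by an explicit deny of all traffic; and IPv6 is never permitted by an EtherType ACE. The EtherType numbers for the ipx and mpls keywords are the standard IEEE assignments, the BPDU detection (IEEE 802.1D LLC SAP 0x42, Cisco PVST+ SNAP header) is this model's own assumption about how the appliance recognizes them, and the frames are constructed; the ETHER list is the second example above.

```python
# Well-known EtherType values (IEEE assignments) used by this model.
IPV4, ARP, IPV6 = 0x0800, 0x0806, 0x86DD
KEYWORD_TYPES = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}
MIN_ETHERTYPE = 0x600   # below this the 16-bit field is an 802.3 length, not a type


def parse_ethertype_ace(line: str):
    """Parse 'access-list NAME ethertype {permit|deny} {ipx|bpdu|mpls-unicast|mpls-multicast|any|hex}'
    (prompt already stripped) into (name, action, key); key is 'bpdu', 'any' or an int EtherType."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "ethertype":
        raise ValueError("not an ethertype access-list command")
    name, action, selector = toks[1], toks[3], toks[4]
    if selector in ("bpdu", "any"):
        key = selector
    elif selector in KEYWORD_TYPES:
        key = KEYWORD_TYPES[selector]
    else:
        key = int(selector, 16)                 # accepts 0x1234 and 1234 alike
        if key < MIN_ETHERTYPE or key > 0xFFFF:
            raise ValueError(f"{selector}: an EtherType must lie in 0x600..0xFFFF")
    return name, action, key


def build_ethertype_acls(lines):
    """ACEs are appended to their named list in the order entered."""
    acls = {}
    for line in lines:
        name, action, key = parse_ethertype_ace(line)
        acls.setdefault(name, []).append((action, key))
    return acls


def classify(frame):
    """Return what the EtherType access list sees for a frame given as (type_or_length, payload):
    an int EtherType for an Ethernet V2 frame, 'bpdu' for a bridge PDU, or None for any other
    802.3 length-field frame, which the access list does not handle."""
    type_field, payload = frame
    if type_field >= MIN_ETHERTYPE:
        return type_field
    if payload[:2] == b"\x42\x42":                          # IEEE 802.1D STP: LLC DSAP/SSAP 0x42
        return "bpdu"
    if payload[:8] == b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b":  # Cisco PVST+: SNAP, OUI 00-00-0C, PID 0x010B
        return "bpdu"
    return None


def evaluate_ethertype(acl, frame):
    """IPv4 and ARP are implicitly permitted and blocked only by an explicit 'deny any'; IPv6 is never
    permitted by an EtherType ACE; all other EtherTypes are first-match with an implicit deny."""
    key = classify(frame)
    if key is None:
        return "not evaluated"
    explicit_deny_all = any(action == "deny" and k == "any" for action, k in acl)
    if key in (IPV4, ARP):
        return "deny" if explicit_deny_all else "permit"
    if key == IPV6:
        return "deny"
    for action, k in acl:
        if k == "any" or k == key:
            return action
    return "deny"


# The page's second ETHER example: deny IPX, permit 0x1234, BPDUs and MPLS unicast.
ETHER = build_ethertype_acls([
    "access-list ETHER ethertype deny ipx",
    "access-list ETHER ethertype permit 0x1234",
    "access-list ETHER ethertype permit bpdu",
    "access-list ETHER ethertype permit mpls-unicast",
])["ETHER"]

# Constructed sample frames: (type/length field, first payload bytes).
FRAMES = {
    "ipx": (0x8137, b""),
    "mpls-multicast": (0x8848, b""),
    "ipv4": (IPV4, b"\x45"),
    "ipv6": (IPV6, b"\x60"),
    "stp-bpdu": (0x0026, b"\x42\x42\x03\x00\x00"),
    "snap-other": (0x0040, b"\xaa\xaa\x03\x00\x00\x00\x08\x00"),
}

if __name__ == "__main__":
    for label, frame in FRAMES.items():
        print(f"{label:15s} {evaluate_ethertype(ETHER, frame)}")
```

Running the model on the page's last example (deny 0x1256, permit any) shows why that list still passes IPv4 and ARP, while the single ACE deny any from the Note above drops them.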
Adding a Standard Access List
Single context mode only
Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route
map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.
The following command adds a standard ACE. To add another ACE at the end of the access list, enter
another access-list command specifying the same access list name. Apply the access list using the
“Defining Route Maps” section on page 9-7.
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name standard {deny | permit} {any | ip_address mask}
The following sample access list identifies routes to 192.168.1.0/24:
hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
Adding a Webtype Access List
To add an access list to the configuration that supports filtering for WebVPN, enter the following
command:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]
To remove a Webtype access list, enter the no access-list command with the entire syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name webtype {deny | permit} url [url_string | any]
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20.
Simplifying Access Lists with Object Grouping
This section describes how to use object grouping to simplify access list creation and maintenance.
This section includes the following topics:
• How Object Grouping Works, page 16-12
• Adding Object Groups, page 16-12
• Nesting Object Groups, page 16-15
• Displaying Object Groups, page 16-17
• Removing Object Groups, page 16-17
• Using Object Groups with an Access List, page 16-16
How Object Grouping Works
By grouping like-objects together, you can use the object group in an ACE instead of having to enter an
ACE for each object separately. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of
services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.
Note The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of
actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object
groups. In many cases, object groups create more ACEs than if you added them manually, because
creating ACEs manually leads you to summarize addresses more than an object group does. To view the
number of expanded ACEs in an access list, enter the show access-list access_list_name command.
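The following Python model is added here as an illustration of the Note above and is not part of the security appliance software or of this guide. It expands one ACE that references object groups into the flat ACEs the appliance actually evaluates (the cross product of every protocol, source, destination and service member, with nested group-object members flattened), so that the expanded count can be compared with a hand-written, summarized ACE. The object groups, their member syntax and the group names are constructed for the example and follow the object-group commands described in the next sections.

```python
from itertools import product

# Constructed object groups in the member syntax of the object-group commands on this page
# ('host A.B.C.D', 'A.B.C.D MASK', 'group-object NAME', 'eq PORT', 'range A B').
NETWORK_GROUPS = {
    "admins": ["host 10.1.1.4", "host 10.1.1.78", "host 10.1.1.34"],
    "ops": ["host 10.1.2.9"],
    "all_admins": ["group-object admins", "group-object ops"],   # nested groups
    "dns_servers": ["host 192.168.5.10", "host 192.168.5.11"],
}
SERVICE_GROUPS = {"dns_ports": ["eq 53"], "radius_ports": ["range 1812 1813"]}
PROTOCOL_GROUPS = {"tcp_udp": ["tcp", "udp"]}


def expand_network(name, seen=frozenset()):
    """Flatten a network group, following group-object members; a nesting cycle is rejected."""
    if name in seen:
        raise ValueError(f"object-group {name} is nested inside itself")
    members = []
    for member in NETWORK_GROUPS[name]:
        if member.startswith("group-object "):
            members.extend(expand_network(member.split()[1], seen | {name}))
        else:
            members.append(member)
    return members


def _members(field, lookup):
    """Members of 'object-group NAME' via lookup, or the literal field itself as a one-item list."""
    if field is not None and field.startswith("object-group "):
        return lookup(field.split()[1])
    return [field]


def expand_ace(action, protocol, source, destination, service=None):
    """Expand one ACE whose fields may be literals or 'object-group NAME' into the flat ACEs the
    appliance evaluates: one per combination of protocol, source, destination and service."""
    protocols = _members(protocol, PROTOCOL_GROUPS.__getitem__)
    sources = _members(source, expand_network)
    destinations = _members(destination, expand_network)
    services = _members(service, SERVICE_GROUPS.__getitem__)
    flat = []
    for p, s, d, v in product(protocols, sources, destinations, services):
        flat.append(f"{action} {p} {s} {d}" + (f" {v}" if v else ""))
    return flat


if __name__ == "__main__":
    grouped = expand_ace("permit", "object-group tcp_udp", "object-group all_admins",
                         "object-group dns_servers", "object-group dns_ports")
    print(len(grouped), "expanded ACEs from one object-group ACE")   # 16
    for line in grouped:
        print("  ", line)
    # The same intent written by hand and summarized to subnets stays a single ACE.
    by_hand = expand_ace("permit", "udp", "10.1.0.0 255.255.0.0", "192.168.5.0 255.255.255.0", "eq 53")
    print(len(by_hand), "ACE written by hand")                          # 1
```

The expanded count is what counts against the ACE system limit; the grouped ACE is one line in the configuration but sixteen entries when evaluated, whereas summarizing the addresses by hand yields one.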
Adding Object Groups
This section describes how to add object groups.
This section includes the following topics:
• Adding a Protocol Object Group, page 16-13
• Adding a Network Object Group, page 16-13
• Adding a Service Object Group, page 16-14
• Adding an ICMP Type Object Group, page 16-15
Adding a Protocol Object Group
To add or change a protocol object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1 To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for
example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you
can specify, see the “Protocols and Applications” section on page D-11.
For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp
Adding a Network Object Group
To add or change a network object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
Note A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. For more
information about IPv6 access lists, see “Configuring IPv6 Access Lists” section on page 12-6.
To add a network group, follow these steps:
Step 1 To add a network group, enter the following command:
hostname(config)# object-group network grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to network configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-network)# description text
The description can be up to 200 characters.
Step 3 To define the networks in the group, enter the following command for each network or address:
hostname(config-network)# network-object {host ip_address | ip_address mask}
For example, to create a network group that includes the IP addresses of three administrators, enter the
following commands:
hostname(config)# object-group network admins
hostname(config-network)# description Administrator Addresses
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.34
Adding a Service Object Group
To add or change a service object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length.
Specify the protocol for the services (ports) you want to add, using the tcp, udp, or tcp-udp keyword.
Enter the tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example,
DNS (port 53).
The prompt changes to service configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-service)# description text
The description can be up to 200 characters.
Step 3 To define the ports in the group, enter the following command for each port or range of ports:
hostname(config-service)# port-object {eq port | range begin_port end_port}
For a list of permitted keywords and well-known port assignments, see the “Protocols and Applications”
section on page D-11.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP),
enter the following commands:
hostname(config)# object-group service services1 tcp-udp
hostname(config-service)# description DNS Group
hostname(config-service)# port-object eq domain
hostname(config-service)# object-group service services2 udp
hostname(config-service)# description RADIUS Group
hostname(config-service)# port-object eq radius
hostname(config-service)# port-object eq radius-acct
hostname(config-service)# object-group service services3 tcp
hostname(config-service)# description LDAP Group
hostname(config-service)# port-object eq ldap
Adding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add
more objects as required by following this procedure again for the same group name and specifying
additional objects. You do not need to reenter existing objects; the commands you already set remain in
place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1 To add an ICMP type group, enter the following command:
hostname(config)# object-group icmp-type grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to ICMP type configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-icmp-type)# description text
The description can be up to 200 characters.
Step 3 To define the ICMP types in the group, enter the following command for each type:
hostname(config-icmp-type)# icmp-object icmp_type
See the “ICMP Types” section on page D-15 for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping),
enter the following commands:
hostname(config)# object-group icmp-type ping
hostname(config-icmp-type)# description Ping Group
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply
Nesting Object Groups
To nest an object group within another object group of the same type, first create the group that you want
to nest according to the “Adding Object Groups” section on page 16-12. Then follow these steps:
Step 1 To add or edit an object group under which you want to nest another object group, enter the following
command:
hostname(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}
Step 2 To add the specified group under the object group you specified in Step 1, enter the following command:
hostname(config-group_type)# group-object grp_id
The nested group must be of the same type.
You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12
hostname(config-network)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host
209.165.201.29
Using Object Groups with an Access List
To use object groups in an access list, replace the normal protocol (protocol), network
(source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with
the object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command,
enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny |
permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group
nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for
the source address, but identify the destination address with an address and mask.
The following normal access list that does not use object groups restricts several hosts on the inside
network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78
eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
If you make two network object groups, one for the inside hosts, and one for the web servers, then the
configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network web
hostname(config-network)# network-object host 209.165.201.29
hostname(config-network)# network-object host 209.165.201.16
hostname(config-network)# network-object host 209.165.201.78
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
Displaying Object Groups
To display a list of the currently configured object groups, enter the following command:
hostname(config)# show object-group [protocol | network | service | icmp-type | id grp_id]
If you enter the command without any parameters, the system displays all configured object groups.
The following is sample output from the show object-group command:
hostname# show object-group
object-group network ftp_servers
description: This is a group of FTP servers
network-object host 209.165.201.3
network-object host 209.165.201.4
object-group network TrustedHosts
network-object host 209.165.201.1
network-object 192.168.1.0 255.255.255.0
group-object ftp_servers
Removing Object Groups
To remove an object group, enter one of the following commands.
Note You cannot remove an object group or make an object group empty if it is used in an access list.
• To remove a specific object group, enter the following command:
hostname(config)# no object-group grp_id
• To remove all object groups of the specified type, enter the following command:
hostname(config)# clear object-group [protocol | network | services | icmp-type]
If you do not enter a type, all object groups are removed.
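The following Python model is an added illustration, not Cisco code, covering the three behaviors described above: nesting one network object group under another (with a loop check), expanding an access list that references object groups into the explicit ACEs it stands for (the nine deny entries plus the permit from the ACL_IN example), and the rule that a group used in an access list cannot be removed. Class and method names are invented for this example; the addresses are the ones used in the examples above.

```python
"""Added illustration, not Cisco code: a small model of ASA-style network
object groups showing nesting, expansion of an object-group ACE into the
explicit ACEs it stands for, and the rule that a group used in an access
list cannot be removed.  Class and method names are invented; addresses
are the ones used in the examples above."""


class ObjectGroupModel:
    def __init__(self):
        self.groups = {}   # group name -> {"objects": [...], "nested": [...]}
        self.acls = {}     # ACL name -> list of (action, proto, src, dst, port)

    # hostname(config)# object-group network NAME
    def object_group_network(self, name):
        self.groups.setdefault(name, {"objects": [], "nested": []})

    # hostname(config-network)# network-object host ADDR | NET MASK
    def network_object(self, group, obj):
        self.groups[group]["objects"].append(obj)

    # hostname(config-network)# group-object INNER  (same type only)
    def group_object(self, outer, inner):
        if inner not in self.groups:
            raise ValueError(f"object-group {inner} does not exist")
        self.groups[outer]["nested"].append(inner)

    def expand(self, name, _path=()):
        """Flatten a group and everything nested under it; refuse loops."""
        if name in _path:
            raise ValueError("nesting loop: " + " -> ".join(_path + (name,)))
        grp = self.groups[name]
        flat = list(grp["objects"])
        for inner in grp["nested"]:
            flat.extend(self.expand(inner, _path + (name,)))
        return flat

    # hostname(config)# access-list ACL extended ACTION PROTO SRC DST [eq PORT]
    # SRC and DST are a "host A" / "NET MASK" / "any" string or ("object-group", NAME)
    def access_list(self, acl, action, proto, src, dst, port=None):
        for ref in (src, dst):
            if isinstance(ref, tuple) and ref[1] not in self.groups:
                raise ValueError(f"object-group {ref[1]} does not exist")
        self.acls.setdefault(acl, []).append((action, proto, src, dst, port))

    def _members(self, ref):
        return self.expand(ref[1]) if isinstance(ref, tuple) else [ref]

    def expanded_aces(self, acl):
        """The explicit ACEs the access list is equivalent to."""
        out = []
        for action, proto, src, dst, port in self.acls[acl]:
            for s in self._members(src):
                for d in self._members(dst):
                    out.append((action, proto, s, d, port))
        return out

    def groups_in_use(self):
        """Groups named in any ACE, plus every group nested under them."""
        used = set()
        for aces in self.acls.values():
            for _, _, src, dst, _ in aces:
                for ref in (src, dst):
                    if isinstance(ref, tuple):
                        used.add(ref[1])
        stack = list(used)
        while stack:
            for inner in self.groups[stack.pop()]["nested"]:
                if inner not in used:
                    used.add(inner)
                    stack.append(inner)
        return used

    # hostname(config)# no object-group NAME
    def no_object_group(self, name):
        if name in self.groups_in_use():
            raise ValueError(f"object-group {name} is used in an access list")
        del self.groups[name]


def build_example():
    """The 'denied' / 'web' access list from the text, using object groups."""
    m = ObjectGroupModel()
    m.object_group_network("denied")
    for host in ("10.1.1.4", "10.1.1.78", "10.1.1.89"):
        m.network_object("denied", f"host {host}")
    m.object_group_network("web")
    for host in ("209.165.201.29", "209.165.201.16", "209.165.201.78"):
        m.network_object("web", f"host {host}")
    m.access_list("ACL_IN", "deny", "tcp", ("object-group", "denied"),
                  ("object-group", "web"), "www")
    m.access_list("ACL_IN", "permit", "ip", "any", "any")
    return m


if __name__ == "__main__":
    model = build_example()
    for ace in model.expanded_aces("ACL_IN"):   # the nine deny ACEs plus the permit
        print(ace)
    try:
        model.no_object_group("web")
    except ValueError as err:
        print("refused:", err)
```

The expansion makes the size of an object-group ACE visible: one line that references two three-host groups is matched as nine entries, which is worth remembering when reviewing what a compact access list actually permits or denies.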
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, and standard
access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
hostname(config)# access-list access_list_name remark text
If you enter the remark before any access-list command, then the remark is the first line in the access list.
If you delete an access list using the no access-list access_list_name command, then all the remarks are
also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text.
Trailing spaces are ignored.
For example, you can add remarks before each ACE, and the remark appears in the access list in this
location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
Scheduling Extended Access List Activation
You can schedule each ACE to be activated at specific times of the day and week by applying a time
range to the ACE. This section includes the following topics:
• Adding a Time Range, page 16-18
• Applying the Time Range to an ACE, page 16-19
Adding a Time Range
To add a time range to implement a time-based access list, perform the following steps:
Step 1 Identify the time-range name by entering the following command:
hostname(config)# time-range name
Step 2 Specify the time range as either a recurring time range or an absolute time range.
Note Users could experience a delay of approximately 80 to 100 seconds after the specified end time
for the ACL to become inactive. For example, if the specified end time is 3:50, because the end
time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the
command is picked up, the security appliance finishes any currently running task and then
services the command to deactivate the ACL.
Multiple periodic entries are allowed per time-range command. If a time-range command has both
absolute and periodic values specified, then the periodic commands are evaluated only after the
absolute start time is reached, and are not further evaluated after the absolute end time is reached.
• Recurring time range:
hostname(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
You can specify the following values for days-of-the-week:
– monday, tuesday, wednesday, thursday, friday, saturday, and sunday.
– daily
– weekdays
– weekend
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
• Absolute time range:
hostname(config-time-range)# absolute start time date [end time date]
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
The date is in the format day month year; for example, 1 january 2006.
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
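The following Python evaluator is an added illustration, not Cisco code, of the time-range rules stated in this procedure: an absolute window with an optional end, periodic entries that are evaluated only inside that window, and inclusive end times. Only the same-day form of the periodic command (start and end on the listed days) is modelled. Function and class names are invented; the two ranges built in build_ranges() are the for2006 and workinghours examples above.

```python
"""Added illustration, not Cisco code: an evaluator for the time-range
semantics described above (absolute window, periodic entries evaluated
only inside that window, inclusive end times).  Only the same-day form of
the periodic command is modelled; function and class names are invented,
and the two ranges in build_ranges() are the ones from the text."""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday",
             "saturday", "sunday"]
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def days_of(token):
    """Map a days-of-the-week keyword to weekday numbers (monday = 0)."""
    token = token.lower()
    if token in DAY_SETS:
        return DAY_SETS[token]
    return {DAY_NAMES.index(token)}


def hhmm(text):
    """Parse hh:mm; '8:00' is 8:00 a.m. and '20:00' is 8:00 p.m."""
    hour, minute = (int(part) for part in text.split(":"))
    return time(hour, minute)


def absolute_point(text):
    """Parse 'hh:mm day month year', for example '8:00 1 january 2006'."""
    return datetime.strptime(text, "%H:%M %d %B %Y")


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.absolute = None   # (start, end or None)
        self.periodic = []     # (weekday set, start time, end time)

    # hostname(config-time-range)# periodic DAYS hh:mm to hh:mm
    def periodic_entry(self, days, start, end):
        self.periodic.append((days_of(days), hhmm(start), hhmm(end)))

    # hostname(config-time-range)# absolute start hh:mm d month yyyy [end ...]
    def absolute_range(self, start, end=None):
        self.absolute = (absolute_point(start),
                         absolute_point(end) if end else None)

    def active(self, now):
        """True when the range is in effect at `now` (a datetime)."""
        if self.absolute:
            start, end = self.absolute
            if now < start or (end is not None and now > end):
                return False        # outside the absolute window
            if not self.periodic:
                return True         # absolute only: in effect for the whole window
        for days, t_start, t_end in self.periodic:
            if now.weekday() in days and t_start <= now.time() <= t_end:
                return True
        return False


def build_ranges():
    """The two time ranges configured in the examples above."""
    for2006 = TimeRange("for2006")
    for2006.absolute_range("8:00 1 january 2006")
    workinghours = TimeRange("workinghours")
    workinghours.periodic_entry("weekdays", "8:00", "18:00")
    return {"for2006": for2006, "workinghours": workinghours}


if __name__ == "__main__":
    ranges = build_ranges()
    probe = datetime(2006, 1, 2, 9, 0)     # Monday 2 January 2006, 09:00
    for name, tr in ranges.items():
        print(name, "active" if tr.active(probe) else "inactive", "at", probe)
```

The evaluator checks the wall-clock rule only; the 80 to 100 second deactivation delay noted above is appliance behavior after the end time has passed and is not modelled.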
Applying the Time Range to an ACE
To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[time-range
name]
See the “Adding an Extended Access List” section on page 16-5 for complete access-list command syntax.
Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you
disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute
Logging Access List Activity
This section describes how to configure access list logging for extended access lists and Webtype access
lists.
This section includes the following topics:
• Access List Logging Overview, page 16-20
• Configuring Logging for an Access Control Entry, page 16-21
• Managing Deny Flows, page 16-22
Access List Logging Overview
By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance
generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of system messages for denied packets can be very large.
We recommend that you instead enable logging using system message 106100, which provides statistics
for each ACE and lets you limit the number of system messages produced. Alternatively, you can disable
all logging.
Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command let you set the following behavior:
• Enable message 106100 instead of message 106023
• Disable all logging
• Return to the default logging using message 106023
System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance generates a system message at the first hit and at the end of each interval, identifying the total
number of hits during the interval. At the end of each interval, the security appliance resets the hit count
to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, the new connection can create a new
flow instead of incrementing the existing one. See the “Managing Deny Flows” section
on page 16-22 to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed
information about this system message.
Configuring Logging for an Access Control Entry
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level]
[interval secs] | disable | default]]
See the “Adding an Extended Access List” section on page 16-5 and “Adding a Webtype Access List”
section on page 16-11 for complete access-list command syntax.
If you enter the log option without any arguments, you enable system log message 106100 at the default
level (6) and for the default interval (300 seconds). See the following options:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system messages, from 1 to 600. The default
is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.
For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
When a packet is permitted by the first ACE of outside-acl, the security appliance generates the
following system message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.
If one more connection by the same host is initiated within the specified 10 minute interval (and the
source and destination ports remain the same), then the hit count is incremented by 1 and the following
message is displayed at the end of the 10 minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)->
inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
When a packet is denied by the third ACE, the security appliance generates the following system
message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
20 additional attempts within a 5 minute interval (the default) result in the following message at the end
of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
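The following Python parser is an added illustration, not Cisco code, for the two message formats described in this section. It recognizes 106023 (one message per denied packet) and 106100 (first-hit and per-interval counts), and builds a per-ACL, per-source tally of denied traffic of the kind a security operations team would derive from these logs. The regular expressions and helper names are invented; the sample lines are constructed for this example in the formats shown above, so they are not output captured from a device.

```python
"""Added illustration, not Cisco code: a parser for the 106023 and 106100
messages described above, run over constructed sample lines written in the
format the text gives, and a per-ACL, per-source count of denied traffic
of the kind a SOC would build from them.  Regex and helper names are
invented; the sample lines are constructed for this example."""
import re
from collections import Counter

# %ASA|PIX-4-106023: Deny proto src ifc:addr[/port] dst ifc:addr[/port] [type T, code C] by access_group acl
RE_106023 = re.compile(
    r"%(?:ASA|PIX)-(?P<sev>\d)-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \[type (?P<type>\d+), code (?P<code>\d+)\])?"
    r" by access[-_]group \"?(?P<acl>[^\"\s]+)\"?")

# %ASA|PIX-n-106100: access-list acl {permitted|denied} proto ifc/addr(port) -> ifc/addr(port)
#                    hit-cnt N (first hit | N-second interval)
RE_106100 = re.compile(
    r"%(?:ASA|PIX)-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) ?-> ?"
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<window>first hit|\d+-second interval)\)")


def parse_line(line):
    """Return a dict for a 106023 or 106100 message, None for anything else."""
    m = RE_106023.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg="106023", action="denied", hits=1, window=None)
        return rec
    m = RE_106100.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg="106100", hits=int(rec["hits"]))
        return rec
    return None


def denied_by_source(lines):
    """Denied packets per (acl, source).  106023 is one message per packet.
    106100 reports a 'first hit' and then the interval total, which already
    includes that first hit, so the first-hit message only counts when no
    interval message for the same flow has followed it."""
    total = Counter()
    pending = {}   # flow -> (acl, src) for flows seen only as 'first hit'
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["src"])
        if rec["msg"] == "106023":
            total[key] += 1
            continue
        flow = (rec["acl"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["window"] == "first hit":
            pending[flow] = key
        else:
            total[key] += rec["hits"]
            pending.pop(flow, None)
    for key in pending.values():
        total[key] += 1
    return total


# Constructed sample log, modelled on the outside-acl and ACL_IN examples above.
SAMPLE_LOG = [
    "%ASA-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/3.3.3.3(23456) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%ASA-4-106023: Deny tcp src outside:209.165.200.225/4321 dst inside:192.168.1.1/80 by access_group ACL_IN",
    "%ASA-4-106023: Deny icmp src outside:209.165.200.225 dst inside:192.168.1.1 [type 8, code 0] by access_group ACL_IN",
    "%ASA-6-302013: Built inbound TCP connection (unrelated message, ignored)",
]

if __name__ == "__main__":
    for (acl, src), hits in denied_by_source(SAMPLE_LOG).most_common():
        print(f"{acl:12} {src:16} denied packets: {hits}")
```

The first-hit bookkeeping matters when correlating: adding the first-hit message and the interval message for the same flow would count the first packet twice, which inflates deny counts used for alert thresholds.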
Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist
concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the
security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny
flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security
appliance does not create a new deny flow for logging until the existing flows expire.
For example, if someone initiates a DoS attack, the security appliance can create a large number of deny
flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of
memory and CPU resources.
When you reach the maximum number of deny flows, the security appliance issues system message
106101:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
To configure the maximum number of deny flows and to set the interval between deny flow alert
messages (106101), enter the following commands:
• To set the maximum number of deny flows permitted per context before the security appliance stops
logging, enter the following command:
hostname(config)# access-list deny-flow-max number
The number is between 1 and 4096. 4096 is the default.
• To set the amount of time between system messages (number 106101) that identify that the
maximum number of deny flows was reached, enter the following command:
hostname(config)# access-list alert-interval secs
The seconds are between 1 and 3600. 300 is the default.
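The following Python simulation is an added illustration, not Cisco code, of the logging-flow behavior described in this section and in “Configuring Logging for an Access Control Entry”: a first-hit message when a flow is created, an end-of-interval message carrying the interval's hit count, the count reset to 0, deletion of a flow that matched nothing for a whole interval, and the deny-flow-max cap with its 106101 alert rate-limited by alert-interval. Class and method names are invented; interface names in the generated messages are fixed to outside/inside for brevity, and the defaults (300 seconds, 4096 flows, 300 seconds) are the ones stated in the text.

```python
"""Added illustration, not Cisco code: a simulation of the 106100 logging
flows described above: a 'first hit' message when a flow is created, an
end-of-interval message with the interval's hit count, the count reset to 0,
deletion of a flow that saw no packets for a whole interval, and the
deny-flow-max cap with its 106101 alert rate-limited by alert-interval.
Class and method names are invented; interface names in the messages are
fixed to outside/inside for brevity.  Defaults are the ones in the text."""


class AclLogFlows:
    def __init__(self, interval=300, deny_flow_max=4096, alert_interval=300):
        self.interval = interval              # log ... interval secs
        self.deny_flow_max = deny_flow_max    # access-list deny-flow-max number
        self.alert_interval = alert_interval  # access-list alert-interval secs
        self.flows = {}        # flow key -> {"start": t, "hits": n}
        self.last_alert = None
        self.messages = []     # syslog-style strings emitted so far

    def _close_intervals(self, now):
        """Emit interval messages for intervals that have ended; drop idle flows."""
        for key, flow in list(self.flows.items()):
            while now >= flow["start"] + self.interval:
                if flow["hits"] == 0:
                    del self.flows[key]    # no match in a whole interval: flow deleted
                    break
                self.messages.append(
                    self._msg(key, flow["hits"], f"{self.interval}-second interval"))
                flow["hits"] = 0
                flow["start"] += self.interval

    def packet(self, now, acl, action, proto, src, sport, dst, dport):
        """Record a packet matching a logged ACE at time `now` (seconds).
        Returns False when a new deny flow could not be created."""
        self._close_intervals(now)
        key = (acl, action, proto, src, sport, dst, dport)
        flow = self.flows.get(key)
        if flow is not None:
            flow["hits"] += 1
            return True
        if action == "denied" and self.deny_flows() >= self.deny_flow_max:
            self._alert(now)
            return False           # not logged until an existing deny flow expires
        self.flows[key] = {"start": now, "hits": 1}
        self.messages.append(self._msg(key, 1, "first hit"))
        return True

    def deny_flows(self):
        return sum(1 for key in self.flows if key[1] == "denied")

    def _alert(self, now):
        """106101, at most once per alert-interval."""
        if self.last_alert is None or now - self.last_alert >= self.alert_interval:
            self.last_alert = now
            self.messages.append("%ASA-1-106101: The number of ACL log deny-flows "
                                 f"has reached limit ({self.deny_flow_max}).")

    @staticmethod
    def _msg(key, hits, window):
        acl, action, proto, src, sport, dst, dport = key
        return (f"%ASA-6-106100: access-list {acl} {action} {proto} "
                f"outside/{src}({sport}) -> inside/{dst}({dport}) "
                f"hit-cnt {hits} ({window})")


def demo():
    """The text's example: one denied flow, 20 more attempts in the default
    5-minute interval, then a packet that closes the interval."""
    log = AclLogFlows()
    for t in range(0, 210, 10):   # t = 0 is the first hit, then 20 more
        log.packet(t, "outside-acl", "denied", "ip", "3.3.3.3", 12345, "192.168.1.1", 1357)
    log.packet(300, "outside-acl", "permitted", "tcp", "1.1.1.1", 12345, "192.168.1.1", 1357)
    return log.messages


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The cap applies only to deny flows, as the text states, so permit flows are still created once the limit is reached; in the simulation that is visible as packet() returning True for a permitted flow while new deny flows are refused.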
Chapter 17 Applying NAT
This chapter describes Network Address Translation (NAT). In routed firewall mode, the security
appliance can perform NAT between each network.
Note In transparent firewall mode, the security appliance does not support NAT.
This chapter contains the following sections:
• NAT Overview, page 17-1
• Configuring NAT Control, page 17-16
• Using Dynamic NAT and PAT, page 17-17
• Using Static NAT, page 17-26
• Using Static PAT, page 17-27
• Bypassing NAT, page 17-29
• NAT Examples, page 17-33
NAT Overview
This section describes how NAT works on the security appliance, and includes the following topics:
• Introduction to NAT, page 17-2
• NAT Control, page 17-3
• NAT Types, page 17-5
• Policy NAT, page 17-9
• NAT and Same Security Level Interfaces, page 17-13
• Order of NAT Commands Used to Match Real Addresses, page 17-14
• Mapped Address Guidelines, page 17-14
• DNS and NAT, page 17-14
Introduction to NAT
Address translation substitutes the real address in a packet with a mapped address that is routable on the
destination network. NAT consists of two steps: translating a real address into a mapped address, and
then undoing that translation for returning traffic.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule
matches, processing for the packet continues. The exception is when you enable NAT control.
NAT control requires that packets traversing from a higher security interface (inside) to a lower security
interface (outside) match a NAT rule, or else processing for the packet stops. (See the “Security Level
Overview” section on page 7-1 for more information about security levels, and see “NAT Control”
section on page 17-3 for more information about NAT control).
Note In this document, all types of translation are generally referred to as NAT. When discussing NAT, the
terms inside and outside are relative, and represent the security relationship between any two interfaces.
The higher security level is inside and the lower security level is outside; for example, interface 1 is at
60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a
host.
• You can resolve IP routing problems such as overlapping addresses.
See Table 25-1 on page 25-3 for information about protocols that do not support NAT.
Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at
10.1.2.27 sends a packet to a web server, the real source address, 10.1.2.27, of the packet is changed to
a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped
address, 209.165.201.10, and the security appliance receives the packet. The security appliance then
undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.2.27 before
sending it on to the host.
Figure 17-1 NAT Example
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule; for any host on the inside network to access a host on the outside network, you must configure NAT
to translate the inside host address (see Figure 17-2).
Figure 17-2 NAT Control and Outbound Traffic
[Figure 17-1 and Figure 17-2 are diagrams not reproduced here. Figure 17-1 labels: web server www.cisco.com on the outside, addresses 209.165.201.2 (outside) and 10.1.2.1 (inside) at the security appliance, inside host 10.1.2.27; Translation 10.1.2.27 to 209.165.201.10 on the originating packet; Undo Translation 209.165.201.10 to 10.1.2.27 on the responding packet. Figure 17-2 labels: inside host 10.1.1.1 with a NAT path and a No NAT path through the security appliance toward outside address 209.165.201.1.]
Interfaces at the same security level are not required to use NAT to communicate. However, if you
configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same
security interface or an outside interface must match a NAT rule (see Figure 17-3).
Figure 17-3 NAT Control and Same Security Traffic
Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule
when it accesses an inside interface (see Figure 17-4).
Figure 17-4 NAT Control and Inbound Traffic
Static NAT does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you
choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control
might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any
addresses for which you configure dynamic NAT. See the “Dynamic NAT and PAT Implementation”
section on page 17-17 for more information on how dynamic NAT is applied.
If you want the added security of NAT control but do not want to translate inside addresses in some cases,
you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Bypassing NAT”
section on page 17-29 for more information).
To configure NAT control, see the “Configuring NAT Control” section on page 17-16.
Note In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to
contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for more information about the relationship between
the classifier and NAT.
[Figure 17-3 and Figure 17-4 are diagrams not reproduced here. Figure 17-3 labels: two interfaces at Level 50, host 10.1.1.1, a Dyn. NAT path and a No NAT path through the security appliance. Figure 17-4 labels: Outside and Inside interfaces, outside host 209.165.202.129, mapped address 209.165.200.240 via Dyn. NAT toward inside host 10.1.1.50, and a No NAT path.]
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT,
Port Address Translation (PAT), static NAT, or static PAT, or as a mix of these types. You can also configure
rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This
section includes the following topics:
• Dynamic NAT, page 17-5
• PAT, page 17-7
• Static NAT, page 17-7
• Static PAT, page 17-8
• Bypassing NAT When NAT Control is Enabled, page 17-9
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool can include fewer addresses than the real group. When a host you
want to translate accesses the destination network, the security appliance assigns it an IP address from
the mapped pool. The translation is added only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out (see the timeout xlate command in the Cisco Security
Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a
connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the
security appliance rejects any attempt to connect to a real host address directly. See the following “Static
NAT” or “Static PAT” sections for reliable access to hosts.
Note In some cases, a translation is added for a connection (see the show xlate command) even though the
session is denied by the security appliance. This condition occurs with an outbound access list, a
management-only interface, or a backup interface. The translation times out normally.
Figure 17-5 shows a remote host attempting to connect to the real address. The connection is denied
because the security appliance only allows returning connections to the mapped address.
Figure 17-5 Remote Host Attempts to Connect to the Real Address
Figure 17-6 shows a remote host attempting to initiate a connection to a mapped address. This address
is not currently in the translation table, so the security appliance drops the packet.
Figure 17-6 Remote Host Attempts to Initiate a Connection to a Mapped Address
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However
in this case, you can rely on the security of the access list.
[Figure 17-5 and Figure 17-6 are diagrams not reproduced here. Both show web server www.example.com on the outside, addresses 209.165.201.2 (outside) and 10.1.2.1 (inside) at the security appliance, and inside host 10.1.2.27. Figure 17-5 labels the existing translation 10.1.2.27 to 209.165.201.10 and the remote host's attempt to reach 10.1.2.27 directly; Figure 17-6 labels the remote host's attempt to reach 209.165.201.10.]
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a
single address.
• You have to use a large number of routable addresses in the mapped pool; if the destination network
requires registered addresses, such as the Internet, you might encounter a shortage of usable
addresses.
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work
with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work
with some applications that have a data stream on one port and the control path on another and are not
open standard, such as some multimedia applications. See the “When to Use Application Protocol
Inspection” section on page 25-2 for more information about NAT and PAT support.
PAT
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance
translates the real address and source port (real socket) to the mapped address and a unique port above
1024 (mapped socket). Each connection requires a separate translation, because the source port differs
for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or
mapped port number of the host, but the security appliance does not create a translation at all unless the
translated host is the initiator. See the following “Static NAT” or “Static PAT” sections for reliable access
to hosts.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the
security appliance interface IP address as the PAT address. PAT does not work with some multimedia
applications that have a data stream that is different from the control path. See the “When to Use
Application Protocol Inspection” section on page 25-2 for more information about NAT and PAT
support.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case, you can rely on the security of the access list. However,
policy PAT does not support time-based ACLs.
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and
PAT, each host uses a different address or port for each subsequent translation. Because the mapped
address is the same for each consecutive connection with static NAT, and a persistent translation rule
exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there
is an access list that allows it).
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT
allows a remote host to initiate a connection to a translated host (if there is an access list that allows it),
while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with
static NAT.
Static PAT
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for
the real and mapped addresses.
This feature lets you identify the same mapped address across many different static statements, so long
as the port is different for each statement (you cannot use the same mapped address for multiple static
NAT statements).
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP,
but these are all actually different servers on the real network, you can specify static PAT statements for
each server that uses the same mapped IP address, but different ports (see Figure 17-7).
Figure 17-7 Static PAT
See the following commands for this example:
hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask
255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask
255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask
255.255.255.255
You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For
example, if your inside web servers use port 8080, you can allow outside users to connect to port 80, and
then undo translation to the original port 8080. Similarly, if you want to provide extra security, you can
tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
[Figure 17-7 diagram labels: Host on Outside; Security Appliance; Inside: FTP server 10.1.2.27, HTTP server 10.1.2.28, SMTP server 10.1.2.29; Undo Translation 209.165.201.3:21 to 10.1.2.27, 209.165.201.3:80 to 10.1.2.28, 209.165.201.3:25 to 10.1.2.29]
Bypassing NAT When NAT Control is Enabled
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If
you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively,
you can disable NAT control). You might want to bypass NAT, for example, if you are using an
application that does not support NAT (see the “When to Use Application Protocol Inspection” section
on page 25-2 for information about inspection engines that do not support NAT).
You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility
with inspection engines. However, each method offers slightly different capabilities, as follows:
• Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic
NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for
connections through all interfaces. Therefore, you cannot choose to perform normal translation on
real addresses when you access interface A, but use identity NAT when accessing interface B.
Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate
the addresses. Make sure that the real addresses for which you use identity NAT are routable on all
networks that are available according to your access lists.
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate
a connection from the outside to the inside (even if the interface access list allows it). Use static
identity NAT or NAT exemption for this functionality.
• Static identity NAT (static command)—Static identity NAT lets you specify the interface on which
you want to allow the real addresses to appear, so you can use identity NAT when you access
interface A, and use regular translation when you access interface B. Static identity NAT also lets
you use policy NAT, which identifies the real and destination addresses when determining the real
addresses to translate (see the “Policy NAT” section on page 17-9 for more information about policy
NAT). For example, you can use static identity NAT for an inside address when it accesses the
outside interface and the destination is server A, but use a normal translation when accessing the
outside server B.
• NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote
hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific
interfaces; you must use NAT exemption for connections through all interfaces. However,
NAT exemption does let you specify the real and destination addresses when determining the real
addresses to translate (similar to policy NAT), so you have greater control using NAT exemption.
However unlike policy NAT, NAT exemption does not consider the ports in the access list.
Policy NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and
destination addresses in an extended access list. You can also optionally specify the source and
destination ports. Regular NAT can only consider the real addresses. For example, you can translate
the real address to mapped address A when it accesses server A, but translate the real address to mapped
address B when it accesses server B.
Note Policy NAT does not support time-based ACLs.
When you specify the ports in policy NAT for applications that require application inspection for
secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to
identify the real addresses, but differs from policy NAT in that the ports are not considered. See the
“Bypassing NAT” section on page 17-29 for other differences. You can accomplish the same result as
NAT exemption using static identity NAT, which does support policy NAT.
Figure 17-8 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host
accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host
appears to be on the same network as the servers, which can help with routing.
Figure 17-8 Policy NAT with Different Destination Addresses
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
[Figure 17-8 diagram labels: Server 1 209.165.201.11 and Server 2 209.165.200.225 on the DMZ (209.165.201.0/27 and 209.165.200.224/27); Inside host 10.1.2.27 on 10.1.2.0/24; packet with Dest. Address 209.165.201.11: Translation 10.1.2.27 to 209.165.202.129; packet with Dest. Address 209.165.200.225: Translation 10.1.2.27 to 209.165.202.130]
Figure 17-9 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for web
services, the real address is translated to 209.165.202.129. When the host accesses the same server for
Telnet services, the real address is translated to 209.165.202.130.
Figure 17-9 Policy NAT with Different Destination Ports
See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both
translated and remote hosts can originate traffic. For traffic originated on the translated network, the
NAT access list specifies the real addresses and the destination addresses, but for traffic originated on
the remote network, the access list identifies the real addresses and the source addresses of remote hosts
who are allowed to connect to the host using this translation.
[Figure 17-9 diagram labels: Web and Telnet server 209.165.201.11 on the Internet; Inside host 10.1.2.27 on 10.1.2.0/24; Web Packet with Dest. Address 209.165.201.11:80: Translation 10.1.2.27:80 to 209.165.202.129; Telnet Packet with Dest. Address 209.165.201.11:23: Translation 10.1.2.27:23 to 209.165.202.130]
Figure 17-10 shows a remote host connecting to a translated host. The translated host has a policy static
NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27
network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot
connect to that network, nor can a host on that network connect to the translated host.
Figure 17-10 Policy Static NAT with Destination Address Translation
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0
255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1
Note For policy static NAT, in undoing the translation, the ACL in the static command is not used. If the
destination address in the packet matches the mapped address in the static rule, the static rule is used to
untranslate the address.
Note Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the “When to Use
Application Protocol Inspection” section on page 25-2 for information about NAT support for other
protocols.
You cannot use policy static NAT to translate different real addresses to the same mapped address. For
example, Figure 17-11 shows two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to
209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection
goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address,
209.165.200.225, you want the connection to go to 10.1.1.2. However, only one source address in the
access list can be used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from
209.165.201.1 and 209.165.201.2 and destined to 209.165.200.225 will have their destination address
translated to 10.1.1.1.
[Figure 17-10 diagram labels: DMZ servers 209.165.201.11 (209.165.201.0/27) and 209.165.200.225 (209.165.200.224/27); Inside host 10.1.2.27 on 10.1.2.0/27; Undo Translation 209.165.202.128 to 10.1.2.27 for the 209.165.201.0/27 network; No Translation for the 209.165.200.224/27 network]
Figure 17-11 Real Addresses Cannot Share the Same Mapped Address
See the following commands for this example. (Although the second ACE in the example does allow
209.165.201.2 to connect to 209.165.200.225, it only allows 209.165.200.225 to be translated to
10.1.1.1.)
hostname(config)# static (in,out) 209.165.200.225 access-list policy-nat
hostname(config)# access-list policy-nat permit ip host 10.1.1.1 host 209.165.201.1
hostname(config)# access-list policy-nat permit ip host 10.1.1.2 host 209.165.201.2
NAT and Same Security Level Interfaces
NAT is not required between same security level interfaces even if you enable NAT control. You can
optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is
enabled, then NAT is required. See the “NAT Control” section on page 17-3 for more information. Also,
when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then
you must perform NAT on that group of addresses when they access any lower or same security level
interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.
See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6
to enable same security communication.
Note The security appliance does not support VoIP inspection engines when you configure NAT on same
security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “When to Use
Application Protocol Inspection” section on page 25-2 for supported inspection engines.
[Figure 17-11 diagram labels: Outside hosts 209.165.201.1 and 209.165.201.2; Inside hosts 10.1.1.1 and 10.1.1.2; Undo Translation 209.165.200.225 to 10.1.1.1; No Undo Translation 209.165.200.225 to 10.1.1.2]
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category. We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static
identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the real address
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the security
appliance.
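The matching order above, together with the policy NAT access lists described earlier in this overview, as an added Python model; it is not Cisco code and not the appliance's implementation. The rule set is constructed from the guide's own examples (access lists WEB, TELNET and NET1, and the 0.0.0.0 versus 10.1.1.1 best-match statements); the NAT IDs 3 and 4 on the two regular dynamic statements and the NONAT exemption to 192.168.100.0/24 are assumptions. The names packet, Ace, NatRule, match_nat and classify are mine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


def packet(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> dict:
    """Constructed sample packet holding only the fields NAT matching looks at."""
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "dport": dport}


@dataclass
class Ace:
    """One permit ACE of the extended access list a policy NAT or exemption rule uses."""
    src: IPv4Net
    dst: IPv4Net
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # the 'eq <port>' operator on the destination, if present

    def matches(self, pkt: dict, consider_ports: bool = True) -> bool:
        if pkt["src"] not in self.src or pkt["dst"] not in self.dst:
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if consider_ports and self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


@dataclass
class NatRule:
    kind: str                   # "exempt", "static", "policy_dynamic" or "dynamic"
    name: str                   # the CLI line the rule stands for (display only)
    real: Optional[IPv4Net] = None                # regular rules: the real address range
    acl: List[Ace] = field(default_factory=list)  # policy rules and exemption: the ACL

    def matches(self, pkt: dict) -> bool:
        if self.acl:
            # NAT exemption uses the access list but does not consider its ports.
            ports = self.kind != "exempt"
            return any(ace.matches(pkt, consider_ports=ports) for ace in self.acl)
        return pkt["src"] in self.real


# Categories in the order the appliance consults them.
MATCH_ORDER = ("exempt", "static", "policy_dynamic", "dynamic")


def match_nat(rules: List[NatRule], pkt: dict) -> Optional[NatRule]:
    """Return the NAT rule that translates pkt, or None if no rule covers it."""
    for kind in MATCH_ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(pkt)]
        if not hits:
            continue
        if kind == "dynamic":
            # Regular dynamic NAT is a best match: the most specific real range
            # wins no matter where it sits in the configuration.
            return max(hits, key=lambda r: r.real.prefixlen)
        # Every other category is a first match in configuration order.
        return hits[0]
    return None


def classify(rules: List[NatRule], pkt: dict) -> Optional[str]:
    rule = match_nat(rules, pkt)
    return rule.name if rule else None


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


# Constructed configuration mixing the guide's examples; NAT IDs 3 and 4 and
# the NONAT exemption (192.168.100.0/24) are assumptions, not from the guide.
RULES = [
    NatRule("dynamic", "nat (inside) 3 0.0.0.0 0.0.0.0", real=net("0.0.0.0/0")),
    NatRule("dynamic", "nat (inside) 4 10.1.1.1 255.255.255.255", real=net("10.1.1.1/32")),
    NatRule("policy_dynamic", "nat (inside) 1 access-list WEB",
            acl=[Ace(net("10.1.2.0/24"), net("209.165.201.11/32"), "tcp", 80)]),
    NatRule("policy_dynamic", "nat (inside) 2 access-list TELNET",
            acl=[Ace(net("10.1.2.0/24"), net("209.165.201.11/32"), "tcp", 23)]),
    NatRule("static", "static (inside,outside) 209.165.202.128 access-list NET1",
            acl=[Ace(net("10.1.2.0/27"), net("209.165.201.0/27"))]),
    NatRule("exempt", "nat (inside) 0 access-list NONAT",
            acl=[Ace(net("10.1.2.0/24"), net("192.168.100.0/24"), "tcp", 443)]),
]

if __name__ == "__main__":
    for p in (packet("10.1.2.27", "192.168.100.5", "tcp", 22),
              packet("10.1.2.27", "209.165.201.11", "tcp", 80),
              packet("10.1.2.40", "209.165.201.11", "tcp", 23),
              packet("10.1.1.1", "198.51.100.7", "tcp", 443)):
        print(p["src"], "->", p["dst"], p["proto"], p["dport"], ":", classify(RULES, p))
```

Two points the model makes visible: a packet from 10.1.2.27 to 209.165.201.11:80 is handled by the policy static rule even though the WEB policy dynamic rule also matches, because the static category is consulted first; and the exemption catches a connection to port 22 although its ACE names port 443, since NAT exemption ignores ports.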
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
security appliance), the security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing,
because the security appliance does not have to be the gateway for any additional networks.
However, this approach does put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for
mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you
advertise routes on the mapped interface, then the security appliance advertises the mapped
addresses. If the mapped interface is passive (not advertising routes) or you are using static routing,
then you need to add a static route on the upstream router that sends traffic destined for the mapped
addresses to the security appliance.
DNS and NAT
You might need to configure the security appliance to modify DNS replies by replacing the address in
the reply with an address that matches the NAT configuration. You can configure DNS modification
when you configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see
Figure 17-12). In this case, you want to enable DNS reply modification on this static statement so that
inside users who have access to ftp.cisco.com using the real address receive the real address from the
DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with
the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside
server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply
modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing
ftp.cisco.com directly.
Figure 17-12 DNS Reply Modification
See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255
dns
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from
the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though
the user is not on the Inside interface referenced by the static command.
[Figure 17-12 diagram labels: DNS Server on Outside; User on Inside; ftp.cisco.com 10.1.3.14 on Inside with Static Translation on Outside to 209.165.201.10; Security Appliance; steps 1 to 5: DNS Query ftp.cisco.com?, DNS Reply 209.165.201.10, DNS Reply Modification 209.165.201.10 to 10.1.3.14, DNS Reply 10.1.3.14, FTP Request 10.1.3.14]
Figure 17-13 shows a web server and DNS server on the outside. The security appliance has a static
translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com
from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want
inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply
modification for the static translation.
Figure 17-13 DNS Reply Modification Using Outside NAT
See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255
dns
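DNS reply modification for the inside-server case (Figure 17-12) and the outside NAT case (Figure 17-13), as an added Python example; it is not part of the guide and not the appliance's code. It builds a constructed DNS reply for ftp.cisco.com, derives which address to rewrite from the interface the DNS server sits on, and rewrites only the RDATA of IN A records. The names StaticRule, dns_rewrite_map, build_dns_reply, rewrite_dns_reply and a_records are mine.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class StaticRule:
    """A 'static (real_if,mapped_if) mapped real netmask 255.255.255.255 [dns]' line."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    dns: bool = False


def dns_rewrite_map(rules: List[StaticRule], dns_server_if: str) -> Dict[str, str]:
    """Addresses to rewrite in replies coming from a DNS server on dns_server_if.

    Only the DNS server's interface matters: the reply carries the address as seen
    on that side, and the guide's note says the rewrite happens for requesters on
    any interface, not only the interface named as the real one.
    """
    rewrites: Dict[str, str] = {}
    for rule in rules:
        if not rule.dns:
            continue
        if dns_server_if == rule.mapped_if:
            rewrites[rule.mapped] = rule.real   # Figure 17-12: mapped -> real
        elif dns_server_if == rule.real_if:
            rewrites[rule.real] = rule.mapped   # Figure 17-13: real -> mapped
    return rewrites


def build_dns_reply(qname: str, answers: List[str], txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal DNS response with one A question and one A RR per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b""
    for addr in answers:
        # The RR name is a compression pointer to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rtype, rclass, rdata_offset, rdlength) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def rewrite_dns_reply(msg: bytes, rewrites: Dict[str, str]) -> bytes:
    """Replace the RDATA of IN A records whose address has a rewrite entry; everything else is untouched."""
    out = bytearray(msg)
    for rtype, rclass, off, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            seen = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if seen in rewrites:
                out[off:off + 4] = ipaddress.IPv4Address(rewrites[seen]).packed
    return bytes(out)


def a_records(msg: bytes) -> List[str]:
    """The IN A addresses a reply carries, used to check the result."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for rtype, rclass, off, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


# The two scenarios from the guide, as the static commands above express them.
INSIDE_SERVER = [StaticRule("inside", "outside", "209.165.201.10", "10.1.3.14", dns=True)]  # Figure 17-12
OUTSIDE_NAT = [StaticRule("outside", "inside", "10.1.2.56", "209.165.201.10", dns=True)]    # Figure 17-13

if __name__ == "__main__":
    reply = build_dns_reply("ftp.cisco.com", ["209.165.201.10"])
    print(a_records(rewrite_dns_reply(reply, dns_rewrite_map(INSIDE_SERVER, "outside"))))
    print(a_records(rewrite_dns_reply(reply, dns_rewrite_map(OUTSIDE_NAT, "outside"))))
```

The same reply from the outside DNS server comes back as 10.1.3.14 under the Figure 17-12 rule and as 10.1.2.56 under the Figure 17-13 rule; without the dns keyword the reply passes through unchanged, which is exactly the case where the inside host would then try to reach 209.165.201.10 instead of the server.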
Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule. See the “NAT Control” section on page 17-3 for more information.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.
[Figure 17-13 diagram labels: ftp.cisco.com 209.165.201.10 and DNS Server on Outside; User 10.1.2.27 on Inside; Static Translation on Inside to 10.1.2.56; Security Appliance; steps 1 to 7: DNS Query ftp.cisco.com?, DNS Reply 209.165.201.10, DNS Reply Modification 209.165.201.10 to 10.1.2.56, DNS Reply 10.1.2.56, FTP Request 10.1.2.56, Dest Addr. Translation 10.1.2.56 to 209.165.201.10, FTP Request 209.165.201.10]
Using Dynamic NAT and PAT
This section describes how to configure dynamic NAT and PAT, and includes the following topics:
• Dynamic NAT and PAT Implementation, page 17-17
• Configuring Dynamic NAT or PAT, page 17-23
Dynamic NAT and PAT Implementation
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given
interface that you want to translate. Then you configure a separate global command to specify the
mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat
command matches a global command by comparing the NAT ID, a number that you assign to each
command (see Figure 17-14).
Figure 17-14 nat and global ID Matching
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
[Figure 17-14 diagram labels: Web Server www.cisco.com on Outside; Global 1: 209.165.201.3-209.165.201.10; NAT 1: 10.1.2.0/24 on Inside; host 10.1.2.27; Translation 10.1.2.27 to 209.165.201.3]
You can enter a nat command for each interface using the same NAT ID; they all use the same global
command when traffic exits a given interface. For example, you can configure nat commands for Inside
and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside interface
that is also on ID 1. Traffic from the Inside interface and the DMZ interface share a mapped pool or a
PAT address when exiting the Outside interface (see Figure 17-15).
Figure 17-15 nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
[Figure 17-15 diagram labels: Web Server www.cisco.com on Outside; Global 1: 209.165.201.3-209.165.201.10; NAT 1: 10.1.2.0/24 on Inside (host 10.1.2.27); NAT 1: 10.1.1.0/24 on DMZ (host 10.1.1.15); Translation 10.1.2.27 to 209.165.201.3; Translation 10.1.1.15 to 209.165.201.4]
You can also enter a global command for each interface using the same NAT ID. If you enter a global
command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to
be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat
command for the DMZ interface on ID 1, then the global command on the Outside interface is also used
for DMZ traffic. (See Figure 17-16).
Figure 17-16 global and nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If you use different NAT IDs, you can identify different sets of real addresses to have different mapped
addresses. For example, on the Inside interface, you can have two nat commands on two different
NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when
traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A
addresses, while traffic from Inside network B is translated to pool B addresses (see Figure 17-17). If
you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as
the destination addresses and ports are unique in each access list.
[Figure 17-16 diagram labels: Web Server www.cisco.com on Outside; Global 1: 209.165.201.3-209.165.201.10 on Outside; Global 1: 10.1.1.23 on DMZ; NAT 1: 10.1.2.0/24 on Inside (host 10.1.2.27); NAT 1: 10.1.1.0/24 on DMZ (host 10.1.1.15); Security Appliance; Translation 10.1.2.27 to 209.165.201.3; Translation 10.1.1.15 to 209.165.201.4; Translation 10.1.2.27 to 10.1.1.23:2024]
Figure 17-17 Different NAT IDs
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11
You can enter multiple global commands for one interface using the same NAT ID; the security
appliance uses the dynamic NAT global commands first, in the order they are in the configuration, and
then uses the PAT global commands in order. You might want to enter both a dynamic NAT global
command and a PAT global command if you need to use dynamic NAT for a particular application, but
want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you
might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a
single PAT mapped statement supports (see Figure 17-18).
[Figure 17-17 diagram labels: Web Server www.cisco.com on Outside; Global 1: 209.165.201.3-209.165.201.10; Global 2: 209.165.201.11; NAT 1: 10.1.2.0/24 (host 10.1.2.27) and NAT 2: 192.168.1.0/24 (host 192.168.1.14) on Inside; Security Appliance; Translation 10.1.2.27 to 209.165.201.3; Translation 192.168.1.14 to 209.165.201.11:4567]
Figure 17-18 NAT and PAT Together
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
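The allocation behaviour described in the Dynamic NAT and PAT sections of the overview and in the paragraph above (dynamic NAT global commands tried before PAT global commands on the same NAT ID, one xlate per host for dynamic NAT and one per connection for PAT, inbound packets dropped when no xlate exists), as an added Python model of the Figure 17-18 configuration. It is not Cisco code; the NatCmd, GlobalCmd and Translator names are mine, and the PAT port counter starting at 1025 is an assumption (the guide only says a unique port above 1024; its figure shows 6096).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Socket = Tuple[str, int]


@dataclass
class NatCmd:
    """A 'nat (iface) id real mask' line identifying real addresses to translate."""
    iface: str
    nat_id: int
    real: str  # CIDR, e.g. "10.1.2.0/24"

    def covers(self, ip: str) -> bool:
        return ipaddress.IPv4Address(ip) in ipaddress.ip_network(self.real)

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.real).prefixlen


@dataclass
class GlobalCmd:
    """A 'global (iface) id first[-last]' line: a range is a dynamic NAT pool, a single address is PAT."""
    iface: str
    nat_id: int
    first: str
    last: Optional[str] = None

    @property
    def is_pat(self) -> bool:
        return self.last is None

    def addresses(self) -> List[str]:
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last or self.first))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class Translator:
    PAT_FIRST_PORT = 1025  # assumed; the guide says only "a unique port above 1024"

    def __init__(self, nats: List[NatCmd], globals_: List[GlobalCmd]):
        self.nats = nats
        self.globals = globals_                    # configuration order matters for pools
        self.nat_xlate: Dict[str, str] = {}        # real address -> mapped address (dynamic NAT)
        self.pat_xlate: Dict[Socket, Socket] = {}  # real socket -> mapped socket (PAT)
        self.in_use: Set[str] = set()              # pool addresses currently assigned
        self.next_port: Dict[str, int] = {}        # PAT address -> next free mapped port

    def outbound(self, real_if: str, exit_if: str, src_ip: str, src_port: int) -> Optional[Socket]:
        """Mapped socket for a connection the translated host initiates; None if it cannot be translated."""
        hits = [n for n in self.nats if n.iface == real_if and n.covers(src_ip)]
        if not hits:
            return None                                  # no nat command: dropped under NAT control
        nat = max(hits, key=lambda n: n.prefixlen)       # regular NAT is a best match
        if src_ip in self.nat_xlate:                     # a dynamic NAT xlate covers every port of the host
            return (self.nat_xlate[src_ip], src_port)
        if (src_ip, src_port) in self.pat_xlate:         # PAT: one xlate per real socket
            return self.pat_xlate[(src_ip, src_port)]
        pool = [g for g in self.globals if g.iface == exit_if and g.nat_id == nat.nat_id]
        # Dynamic NAT globals are used first, in configuration order, then the PAT globals.
        for g in [g for g in pool if not g.is_pat] + [g for g in pool if g.is_pat]:
            if g.is_pat:
                port = self.next_port.get(g.first, self.PAT_FIRST_PORT)
                self.next_port[g.first] = port + 1
                self.pat_xlate[(src_ip, src_port)] = (g.first, port)
                return (g.first, port)
            for addr in g.addresses():
                if addr not in self.in_use:
                    self.in_use.add(addr)
                    self.nat_xlate[src_ip] = addr
                    return (addr, src_port)
        return None                                      # pool exhausted and no PAT backup

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Socket]:
        """Real socket a packet for a mapped address is delivered to; None means no xlate, so dropped.

        A hit only means a translation exists; the interface access list still decides
        whether the connection is permitted.
        """
        for real_ip, mapped_ip in self.nat_xlate.items():
            if mapped_ip == dst_ip:
                return (real_ip, dst_port)
        for real, mapped in self.pat_xlate.items():
            if mapped == (dst_ip, dst_port):
                return real
        return None

    def clear_xlate(self) -> None:
        """Model of 'clear xlate': every translation, and every connection using one, is gone."""
        self.nat_xlate.clear()
        self.pat_xlate.clear()
        self.in_use.clear()
        self.next_port.clear()


def figure_17_18() -> Translator:
    """The Figure 17-18 commands above: a two-address pool with a PAT backup on the same NAT ID."""
    return Translator(
        [NatCmd("inside", 1, "10.1.2.0/24")],
        [GlobalCmd("outside", 1, "209.165.201.3", "209.165.201.4"),
         GlobalCmd("outside", 1, "209.165.201.5")],
    )
```

Running the three inside hosts of the figure through figure_17_18() gives 10.1.2.27 and 10.1.2.28 the two pool addresses and 10.1.2.29 a port on 209.165.201.5; removing the PAT global reproduces the pool-exhaustion disadvantage from the Dynamic NAT section, where the third host gets no translation at all.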
For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you
also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ
is translated when accessing the Inside and the Outside interfaces), then you must configure a separate
nat command without the outside option. In this case, you can identify the same addresses in both
statements and use the same NAT ID (see Figure 17-19). Note that for outside NAT (DMZ interface to
Inside interface), the inside host uses a static command to allow outside access, so both the source and
destination addresses are translated.
[Figure 17-18 diagram labels: Web Server www.cisco.com on Outside; Global 1: 209.165.201.3-209.165.201.4; Global 1: 209.165.201.5; NAT 1: 10.1.2.0/24 on Inside (hosts 10.1.2.27, 10.1.2.28, 10.1.2.29); Translation 10.1.2.27 to 209.165.201.3; Translation 10.1.2.28 to 209.165.201.4; Translation 10.1.2.29 to 209.165.201.5:6096]
Figure 17-19 Outside NAT and Inside NAT Combined
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40
When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group
of addresses when they access any lower or same security level interface; you must apply a global
command with the same NAT ID on each interface, or use a static command. NAT is not required for
that group when it accesses a higher security interface, because to perform NAT from outside to inside,
you must create a separate nat command using the outside keyword. If you do apply outside NAT, then
the NAT requirements preceding come into effect for that group of addresses when they access all higher
security interfaces. Traffic identified by a static command is not affected.
[Figure 17-19 diagram labels: Global 1: 209.165.201.3-209.165.201.10 on Outside; Global 1: 10.1.2.30-10.1.2.40 on Inside; Static to DMZ: 10.1.2.27 to 10.1.1.5; Outside NAT 1: 10.1.1.0/24 and NAT 1: 10.1.1.0/24 on DMZ (host 10.1.1.15); Inside host 10.1.2.27; Translation 10.1.1.15 to 209.165.201.4; Translation 10.1.1.15 to 10.1.2.30; Undo Translation 10.1.1.5 to 10.1.2.27]
Configuring Dynamic NAT or PAT
This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic
NAT and PAT is almost identical; for NAT you specify a range of mapped addresses, and for PAT you
specify a single address.
Figure 17-20 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session,
and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined
by the global command.
Figure 17-20 Dynamic NAT
Figure 17-21 shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and
responding traffic is allowed back. The mapped address defined by the global command is the same for
each translation, but the port is dynamically assigned.
Figure 17-21 Dynamic PAT
For more information about dynamic NAT, see the “Dynamic NAT” section on page 17-5. For more
information about PAT, see the “PAT” section on page 17-7.
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
[Figure 17-20 Dynamic NAT: Inside 10.1.1.1 -> Outside 209.165.201.1 and 10.1.1.2 -> 209.165.201.2 through the security appliance]
[Figure 17-21 Dynamic PAT: Inside 10.1.1.1:1025 -> Outside 209.165.201.1:2020, 10.1.1.1:1026 -> 209.165.201.1:2021, 10.1.1.2:1025 -> 209.165.201.1:2022 through the security appliance]
To configure dynamic NAT or PAT, perform the following steps:
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside]
[norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
You can identify overlapping addresses in other nat commands. For example, you can identify
10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command
in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
– access-list acl_name—Identify the real addresses and destination addresses using an extended
access list. Create the access list using the access-list command (see the “Adding an Extended
Access List” section on page 16-5). This access list should include only permit ACEs. You can
optionally specify the real and destination ports in the access list using the eq operator. Policy
NAT considers the inactive and time-range keywords, but it does not support ACL with all
inactive and time-range ACEs.
– nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT
ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the
“Configuring NAT Exemption” section on page 17-32 for more information about NAT
exemption.)
– dns—If your nat command includes the address of a host that has an entry in a DNS server, and
the DNS server is on a different interface from a client, then the client and the DNS server need
different addresses for the host; one needs the mapped address and one needs the real address.
This option rewrites the address in the DNS reply to the client. The translated host needs to be
on the same interface as either the client or the DNS server. Typically, hosts that need to allow
access from other interfaces use a static translation, so this option is more likely to be used with
the static command. (See the “DNS and NAT” section on page 17-14 for more information.)
– outside—If this interface is on a lower security level than the interface you identify by the
matching global statement, then you must enter outside to identify the NAT instance as
outside NAT.
– norandomseq, tcp tcp_max_conns, udp udp_max_conns, and emb_limit—These keywords set
connection limits. However, we recommend using a more versatile method for setting
connection limits; see the “Configuring Connection Limits and Timeouts” section on page 23-6.
• Regular NAT:
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside]
[norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command
NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for identity NAT. See the “Configuring
Identity NAT” section on page 17-30 for more information about identity NAT.
See the preceding policy NAT command for information about other options.
Step 2 To identify the mapped address(es) to which you want to translate the real addresses when they exit a
particular interface, enter the following command:
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses
that you want to translate when they exit this interface.
You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across
subnet boundaries if desired. For example, you can specify the following “supernet”:
192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is
exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
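The following Python model is an added example, not part of this guide and not Cisco software. It implements the nat/global rules stated in this section: a regular nat statement is chosen by best match (longest mask), the global address range with the same NAT ID on the exit interface is drawn from first, a single-address global with that ID becomes the PAT fallback once the range is exhausted, and traffic arriving on the mapped interface is admitted only if an xlate already exists. The sequential PAT port allocator starting at 1024 is an assumption of the model, not the appliance's algorithm; the two configurations at the bottom are taken from the examples in this section.

```python
# Added example, not Cisco code: pre-8.3 nat/global dynamic translation semantics.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:  # nat (real_if) nat_id real_ip mask   (regular nat only; 0 = identity NAT)
    real_if: str
    nat_id: int
    real_net: ipaddress.IPv4Network


@dataclass(frozen=True)
class GlobalRule:  # global (mapped_if) nat_id first[-last]; a single address means PAT
    mapped_if: str
    nat_id: int
    first: IPv4
    last: IPv4

    @property
    def is_pat(self) -> bool:
        return self.first == self.last


def parse_nat(line: str) -> NatRule:
    tok = line.split()  # e.g. nat (inside) 1 10.1.1.0 255.255.255.0 [options]
    return NatRule(tok[1].strip("()"), int(tok[2]), ipaddress.IPv4Network((tok[3], tok[4]), strict=False))


def parse_global(line: str) -> GlobalRule:
    tok = line.split()  # e.g. global (outside) 1 209.165.201.10-209.165.201.20
    first, _, last = tok[3].partition("-")
    return GlobalRule(tok[1].strip("()"), int(tok[2]), IPv4(first), IPv4(last or first))


class DynamicNatTable:
    PAT_FIRST_PORT = 1024  # assumption: sequential port allocator, not the appliance's own scheme

    def __init__(self, config: List[str]):
        self.nats = [parse_nat(line) for line in config if line.startswith("nat ")]
        self.globals = [parse_global(line) for line in config if line.startswith("global ")]
        self.nat_xlates: Dict[Tuple[str, str, IPv4], IPv4] = {}                  # (real_if, mapped_if, real_ip) -> mapped_ip
        self.pat_xlates: Dict[Tuple[str, str, IPv4, int], Tuple[IPv4, int]] = {}  # ... + real_port -> (mapped_ip, port)
        self.pool_in_use: Set[Tuple[str, IPv4]] = set()
        self.next_pat_port: Dict[Tuple[str, IPv4], int] = {}

    def best_nat(self, real_if: str, real_ip: IPv4) -> Optional[NatRule]:
        """Regular nat statements are selected by best (longest-mask) match, not by order."""
        matches = [n for n in self.nats if n.real_if == real_if and real_ip in n.real_net]
        return max(matches, key=lambda n: n.real_net.prefixlen, default=None)

    def translate(self, real_if: str, mapped_if: str, real_ip: str, real_port: int) -> Optional[Tuple[IPv4, int]]:
        """Connection from real_if leaving mapped_if: mapped (ip, port), or None if it cannot be translated."""
        rip = IPv4(real_ip)
        nat = self.best_nat(real_if, rip)
        if nat is None:
            return None
        if nat.nat_id == 0:
            return rip, real_port  # identity NAT keeps the address
        key = (real_if, mapped_if, rip)
        if key in self.nat_xlates:
            return self.nat_xlates[key], real_port  # an existing xlate is reused
        if key + (real_port,) in self.pat_xlates:
            return self.pat_xlates[key + (real_port,)]
        pools = [g for g in self.globals if g.mapped_if == mapped_if and g.nat_id == nat.nat_id]
        for g in pools:  # address ranges are drawn from first
            cur = g.first
            while not g.is_pat and cur <= g.last:
                if (mapped_if, cur) not in self.pool_in_use:
                    self.pool_in_use.add((mapped_if, cur))
                    self.nat_xlates[key] = cur
                    return cur, real_port
                cur += 1
        for g in pools:  # ranges exhausted: PAT on the single-address global
            if g.is_pat:
                port = self.next_pat_port.get((mapped_if, g.first), self.PAT_FIRST_PORT)
                self.next_pat_port[(mapped_if, g.first)] = port + 1
                self.pat_xlates[key + (real_port,)] = (g.first, port)
                return g.first, port
        return None  # NAT ID without a global on this interface

    def untranslate(self, mapped_if: str, real_if: str, mapped_ip: str, mapped_port: int) -> Optional[Tuple[IPv4, int]]:
        """Traffic arriving on mapped_if gets in only if an xlate already exists for it."""
        mip = IPv4(mapped_ip)
        for (rif, mif, rip), m in self.nat_xlates.items():
            if (rif, mif, m) == (real_if, mapped_if, mip):
                return rip, mapped_port
        for (rif, mif, rip, rport), m in self.pat_xlates.items():
            if (rif, mif, m) == (real_if, mapped_if, (mip, mapped_port)):
                return rip, rport
        return None

    def clear_xlate(self) -> None:
        """clear xlate: all dynamic translations, and every connection using one, are dropped."""
        for table in (self.nat_xlates, self.pat_xlates, self.pool_in_use, self.next_pat_port):
            table.clear()


# Configurations taken from the examples above.
POOL_THEN_PAT = ["nat (inside) 1 10.1.1.0 255.255.255.0", "global (outside) 1 209.165.201.5",
                 "global (outside) 1 209.165.201.10-209.165.201.20"]
BEST_MATCH = ["nat (inside) 1 10.1.1.15 255.255.255.255", "global (outside) 1 10.1.2.14",
              "nat (inside) 2 10.1.1.0 255.255.255.0", "global (outside) 2 10.1.2.78"]
```

With POOL_THEN_PAT, the first eleven inside hosts take 209.165.201.10 through 209.165.201.20 one-to-one, the twelfth falls back to 209.165.201.5 with a per-connection port, and an inbound connection to a mapped address that has no xlate is refused. With BEST_MATCH, 10.1.1.15 is translated by the host-specific nat 1 (to 10.1.2.14) even though the /24 nat 2 also covers it, while any other inside host goes to 10.1.2.78. clear_xlate() shows why clearing the table disconnects every current connection that depends on a dynamic translation.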
To translate the lower security dmz network addresses so they appear to be on the same network as the
inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
To identify a single real address with two different destination addresses using policy NAT, enter the
following commands (see Figure 17-8 on page 17-10 for a related figure):
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130
To identify a single real address/destination address pair that use different ports using policy NAT, enter
the following commands (see Figure 17-9 on page 17-11 for a related figure):
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
Using Static NAT
This section describes how to configure a static translation.
Figure 17-22 shows a typical static NAT scenario. The translation is always active so both translated and
remote hosts can originate connections, and the mapped address is statically assigned by the static
command.
Figure 17-22 Static NAT
You cannot use the same real or mapped address in multiple static commands between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static NAT, see the “Static NAT” section on page 17-7.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static NAT, enter one of the following commands.
• For policy static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface}
access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. The source subnet mask
used in the access list is also used for the mapped addresses. You can also specify the real and
destination ports in the access list using the eq operator. Policy NAT does not consider the inactive
or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the
“Policy NAT” section on page 17-9 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
[Figure 17-22 Static NAT: Inside 10.1.1.1 <-> Outside 209.165.201.1 and 10.1.1.2 <-> 209.165.201.2 through the security appliance]
• To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface}
real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
For example, the following policy static NAT example shows a single real address that is translated to
two mapped addresses depending on the destination address (see Figure 17-8 on page 17-10 for a related
figure):
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224
255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
Using Static PAT
This section describes how to configure a static port translation. Static PAT lets you translate the real IP
address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate
the real port to the same port, which lets you translate only specific types of traffic, or you can take it
further by translating to a different port.
Figure 17-23 shows a typical static PAT scenario. The translation is always active so both translated and
remote hosts can originate connections, and the mapped address and port are statically assigned by the
static command.
Figure 17-23 Static PAT
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
[Figure 17-23 Static PAT: Inside 10.1.1.1:23 <-> Outside 209.165.201.1:23 and 10.1.1.2:8080 <-> 209.165.201.2:80 through the security appliance]
You cannot use the same real or mapped address in multiple static statements between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static PAT, see the “Static PAT” section on page 17-8.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static PAT, enter one of the following commands.
• For policy static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp}
{mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). The protocol in the access list must match the protocol you set in this
command. For example, if you specify tcp in the static command, then you must specify tcp in the
access list. Specify the port using the eq operator. This access list should include only permit ACEs.
The source subnet mask used in the access list is also used for the mapped addresses. Policy NAT
does not consider the inactive or time-range keywords; all ACEs are considered to be active for
policy NAT configuration.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip |
interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp]
tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
Note When configuring static PAT with FTP, you need to add entries for both TCP ports 20 and 21. You must
specify port 20 so that the source port for the active transfer is not modified to another port, which may
interfere with other devices that perform NAT on FTP traffic.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance
outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the
following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0
255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0
255.255.255.0 eq http
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at
10.1.1.15, enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
If you want to allow the preceding real Telnet server to initiate connections, though, then you need to
provide additional translation. For example, to translate all other types of traffic, enter the following
commands. The original static command provides translation for Telnet to the server, while the nat and
global commands provide PAT for outbound connections from the server.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped
address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the
same mapped address as the static statement that allows Telnet traffic to the server. You need to create
a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best
match, more exclusive nat statements are matched before general statements. The following example
shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet
server, and the statement for other inside hosts, which uses a different mapped address.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78
To translate a well-known port (80) to another port (8080), enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask
255.255.255.255
Bypassing NAT
This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control.
You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the “Bypassing
NAT When NAT Control is Enabled” section on page 17-9 for more information about these methods.
This section includes the following topics:
• Configuring Identity NAT, page 17-30
• Configuring Static Identity NAT, page 17-30
• Configuring NAT Exemption, page 17-32
Configuring Identity NAT
Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create
NAT translations, and responding traffic is allowed back.
Figure 17-24 shows a typical identity NAT scenario.
Figure 17-24 Identity NAT
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
To configure identity NAT, enter the following command:
hostname(config)# nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.
For example, to use identity NAT for the inside 10.1.1.0/24 network, enter the following command:
hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0
Configuring Static Identity NAT
Static identity NAT translates the real IP address to the same IP address. The translation is always active,
and both “translated” and remote hosts can originate connections. Static identity NAT lets you use
regular NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when
determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more
information about policy NAT). For example, you can use policy static identity NAT for an inside address
when it accesses the outside interface and the destination is server A, but use a normal translation when
accessing the outside server B.
[Figure 17-24 Identity NAT: Inside 209.165.201.1 -> Outside 209.165.201.1 and 209.165.201.2 -> 209.165.201.2 through the security appliance]
Figure 17-25 shows a typical static identity NAT scenario.
Figure 17-25 Static Identity NAT
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static identity NAT, enter one of the following commands:
• To configure policy static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id
[dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. Make sure the source
address in the access list matches the real_ip in this command. Policy NAT does not consider the
inactive or time-range keywords; all ACEs are considered to be active for policy NAT
configuration. See the “Policy NAT” section on page 17-9 for more information.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask
mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Specify the same IP address for both real_ip arguments.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when
accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
[Figure 17-25 Static Identity NAT: Inside 209.165.201.1 <-> Outside 209.165.201.1 and 209.165.201.2 <-> 209.165.201.2 through the security appliance]
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed
by the inside:
hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask
255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The following static identity policy NAT example shows a single real address that uses identity NAT
when accessing one destination address, and a translation when accessing another:
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224
255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
Configuring NAT Exemption
NAT exemption exempts addresses from translation and allows both real and remote hosts to originate
connections. NAT exemption lets you specify the real and destination addresses when determining the
real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than
identity NAT. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
Use static identity NAT to consider ports in the access list.
Figure 17-26 shows a typical NAT exemption scenario.
Figure 17-26 NAT Exemption
Note If you remove a NAT exemption configuration, existing connections that use NAT exemption are not
affected. To remove these connections, enter the clear local-host command.
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List” section
on page 16-5). This access list can include both permit ACEs and deny ACEs. Do not specify the real
and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption
considers the inactive and time-range keywords, but it does not support ACL with all inactive and
time-range ACEs.
[Figure 17-26 NAT Exemption: Inside 209.165.201.1 <-> Outside 209.165.201.1 and 209.165.201.2 <-> 209.165.201.2 through the security appliance]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
By default, this command exempts traffic from inside to outside. If you want traffic from outside to
inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT
instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT
for the outside interface and want to exempt other traffic.
For example, to exempt an inside network when accessing any destination address, enter the following
command:
hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT
To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following
command:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT
To exempt an inside address when accessing two different destination addresses, enter the following
commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
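The following Python example is added here and is not Cisco code. It parses the extended access lists and nat statements from the policy NAT examples in the “Configuring Dynamic NAT or PAT” section and the NAT exemption examples above, and classifies a flow the way this chapter describes: policy nat statements are matched in configuration order until the first match and consider any ports given with eq; nat 0 access-list (NAT exemption) ignores ports and may contain deny ACEs, and a matching deny ACE takes the flow out of that exemption statement. The deny ACE for host 10.1.4.9 in the last configuration is constructed for illustration and does not appear on this page.

```python
# Added example, not Cisco code: ACL-driven selection of policy NAT versus NAT exemption.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "http": 80, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str          # permit | deny
    proto: str           # ip | tcp | udp
    src: IPv4Net
    sport: Optional[int]
    dst: IPv4Net
    dport: Optional[int]


def _net(tok: List[str], i: int) -> Tuple[IPv4Net, int]:
    if tok[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Net(tok[i + 1] + "/32"), i + 2
    return IPv4Net((tok[i], tok[i + 1]), strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Tuple[str, Ace]:
    tok = line.split()  # access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
    src, i = _net(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _net(tok, i)
    dport, i = _port(tok, i)
    return tok[1], Ace(tok[2], tok[3], src, sport, dst, dport)


def ace_matches(ace: Ace, proto: str, src: IPv4, dst: IPv4,
                sport: Optional[int], dport: Optional[int], use_ports: bool) -> bool:
    if ace.proto not in ("ip", proto) or src not in ace.src or dst not in ace.dst:
        return False
    if use_ports and ((ace.sport is not None and ace.sport != sport) or
                      (ace.dport is not None and ace.dport != dport)):
        return False
    return True


class PolicyNat:
    def __init__(self, config: List[str]):
        self.acls: Dict[str, List[Ace]] = defaultdict(list)
        self.policies: List[Tuple[str, int, str]] = []  # (real_if, nat_id, acl) in configuration order
        for line in config:
            tok = line.split()
            if tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls[name].append(ace)
            elif tok[0] == "nat" and tok[3] == "access-list":
                self.policies.append((tok[1].strip("()"), int(tok[2]), tok[4]))

    def classify(self, real_if: str, proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[Tuple[str, int]]:
        """First matching statement wins: ("exempt", 0) for nat 0, ("policy", nat_id) otherwise.
        None means no policy statement matched, so regular nat statements would be consulted."""
        s, d = IPv4(src), IPv4(dst)
        for rif, nat_id, acl in self.policies:
            if rif != real_if:
                continue
            exempt = nat_id == 0  # NAT exemption does not consider ports in the ACEs
            for ace in self.acls[acl]:
                if ace_matches(ace, proto, s, d, sport, dport, use_ports=not exempt):
                    if ace.action == "deny":
                        break  # a deny ACE removes the flow from this statement only
                    return ("exempt", 0) if exempt else ("policy", nat_id)
        return None


# Configurations from the examples above; the deny ACE for 10.1.4.9 is constructed.
POLICY_BY_DEST = [
    "access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224",
    "access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224",
    "nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000",
    "nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000",
]
POLICY_BY_PORT = [
    "access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80",
    "access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23",
    "nat (inside) 1 access-list WEB",
    "nat (inside) 2 access-list TELNET",
]
EXEMPT_WITH_DENY = [
    "access-list EXEMPT deny ip 10.1.2.0 255.255.255.0 host 10.1.4.9",
    "access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any",
    "nat (inside) 0 access-list EXEMPT",
]
```

A flow from 10.1.2.0/24 to 209.165.201.0/27 selects NAT ID 1 and one to 209.165.200.224/27 selects NAT ID 2; with POLICY_BY_PORT the same destination host selects ID 1 for port 80, ID 2 for port 23 and nothing for any other port. With EXEMPT_WITH_DENY, traffic to 10.1.4.9 is not exempted and falls through to whatever regular nat statements exist, while traffic to any other destination bypasses NAT regardless of port.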
NAT Examples
This section describes typical scenarios that use NAT solutions, and includes the following topics:
• Overlapping Networks, page 17-34
• Redirecting Ports, page 17-35
Overlapping Networks
In Figure 17-27, the security appliance connects two private networks with overlapping address ranges.
Figure 17-27 Using Outside NAT with Overlapping Networks
Two networks use an overlapping address space (192.168.100.0/24), but hosts on each network must
communicate (as allowed by access lists). Without NAT, when a host on the inside network tries to access
a host on the overlapping DMZ network, the packet never makes it past the security appliance, which
sees the packet as having a destination address on the inside network. Moreover, if the destination
address is being used by another host on the inside network, that host receives the packet.
To solve this problem, use NAT to provide non-overlapping addresses. If you want to allow access in
both directions, use static NAT for both networks. If you only want to allow the inside interface to access
hosts on the DMZ, then you can use dynamic NAT for the inside addresses, and static NAT for the DMZ
addresses you want to access. This example shows static NAT.
To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network
on the DMZ is not translated.
Step 1 Translate 192.168.100.0/24 on the inside to 10.1.2.0 /24 when it accesses the DMZ by entering the
following command:
hostname(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
Step 2 Translate the 192.168.100.0/24 network on the DMZ to 10.1.3.0/24 when it accesses the inside by
entering the following command:
hostname(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0
Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the
security appliance:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
[Figure 17-27 Using Outside NAT with Overlapping Networks: inside network 192.168.100.0/24 (hosts 192.168.100.2, 192.168.100.3); dmz network 192.168.100.0/24 (hosts 192.168.100.2, 192.168.100.3) behind a gateway router at 10.1.1.2 / 192.168.100.1; security appliance dmz interface 10.1.1.1, with inside and outside interfaces]
The security appliance already has a connected route for the inside network. These static routes allow
the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the
gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static
route with the exact same network as a connected route.) Alternatively, you could use a broader route
for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the
inside network, the following events occur:
1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address
from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and
the packet is forwarded.
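The following Python model is an added example, not Cisco code. It covers the static subnet and host examples in the “Using Static NAT” section and the overlapping-network walkthrough above: a static translation is stateless and bidirectional, the host part of the address is preserved when a whole subnet is mapped (192.168.100.2 becomes 10.1.3.2, not an arbitrary pool address), and the rule that a real or mapped address may appear in only one static command between the same two interfaces is enforced when the table is built. The remote address 203.0.113.9 and the conflicting static lines used in the test are constructed from addresses on this page.

```python
# Added example, not Cisco code: bidirectional static NAT with subnet rebasing and conflict checking.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRule:  # static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
    real_if: str
    mapped_if: str
    mapped_net: IPv4Net
    real_net: IPv4Net


def parse_static(line: str) -> StaticRule:
    tok = line.split()  # e.g. static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
    real_if, mapped_if = tok[1].strip("()").split(",")
    mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
    return StaticRule(real_if, mapped_if, IPv4Net((tok[2], mask), strict=False),
                      IPv4Net((tok[3], mask), strict=False))


def rebase(addr: IPv4, src: IPv4Net, dst: IPv4Net) -> IPv4:
    """Keep the host part of addr; replace the network part of src with that of dst."""
    return IPv4(int(dst.network_address) + (int(addr) - int(src.network_address)))


class StaticNatTable:
    def __init__(self, config: List[str]):
        self.rules: List[StaticRule] = []
        for line in config:
            if line.startswith("static "):
                self.add(parse_static(line))

    def add(self, rule: StaticRule) -> None:
        """A real or mapped address may be used by only one static between the same two interfaces."""
        for r in self.rules:
            if (r.real_if, r.mapped_if) == (rule.real_if, rule.mapped_if) and (
                    r.real_net.overlaps(rule.real_net) or r.mapped_net.overlaps(rule.mapped_net)):
                raise ValueError(f"static conflicts with an existing translation: {rule}")
        self.rules.append(rule)

    def _pick(self, real_if: str, mapped_if: str, addr: IPv4, use_mapped: bool) -> Optional[StaticRule]:
        cands = [r for r in self.rules if (r.real_if, r.mapped_if) == (real_if, mapped_if)
                 and addr in (r.mapped_net if use_mapped else r.real_net)]
        return max(cands, key=lambda r: r.real_net.prefixlen, default=None)

    def forward(self, ingress_if: str, egress_if: str, src: str, dst: str) -> Tuple[IPv4, IPv4]:
        """Source is translated by a static whose real side is ingress_if; destination is untranslated
        by a static whose mapped side is ingress_if. No state is needed, so either side may originate."""
        s, d = IPv4(src), IPv4(dst)
        r = self._pick(ingress_if, egress_if, s, use_mapped=False)
        if r:
            s = rebase(s, r.real_net, r.mapped_net)
        r = self._pick(egress_if, ingress_if, d, use_mapped=True)
        if r:
            d = rebase(d, r.mapped_net, r.real_net)
        return s, d


def conflicts(config: List[str]) -> bool:
    """True if the static lines cannot coexist on one interface pair."""
    try:
        StaticNatTable(config)
    except ValueError:
        return True
    return False


# Configuration from the Overlapping Networks example above.
OVERLAP = [
    "static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0",
    "static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0",
]
```

forward("dmz", "inside", "192.168.100.2", "10.1.2.2") reproduces the three numbered steps above: the source becomes 10.1.3.2 and the destination is undone to 192.168.100.2; the reverse direction works with no prior connection. The two OVERLAP statics do not conflict because they are between different interface pairs, whereas two (inside,outside) statics for the same real host do.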
Redirecting Ports
Figure 17-28 illustrates a typical network scenario in which the port redirection feature might be useful.
Figure 17-28 Port Redirection Using Static PAT
In the configuration described in this section, port redirection occurs for hosts on external networks as
follows:
• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP requests to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
[Figure 17-28 Port Redirection Using Static PAT: Outside addresses 209.165.201.25 (security appliance outside interface), 209.165.201.5 and 209.165.201.15; Inside (10.1.1.1): Telnet Server 10.1.1.6, FTP Server 10.1.1.3, Web Server 10.1.1.5, Web Server 10.1.1.7]
To implement this scenario, perform the following steps:
Step 1 Configure PAT for the inside network by entering the following commands:
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask
255.255.255.255
Step 3 Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask
255.255.255.255
Step 4 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the
following command:
hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask
255.255.255.255
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering
the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
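The following Python example is added here and is not Cisco code. It models the regular static PAT entries of this scenario (the same command form as the “Using Static PAT” section): resolution of the interface keyword, a lookup of where a connection to a mapped address and port is sent, the fact that the server can originate only on its mapped port unless a nat/global pair is added for it, and a check for the FTP note in the “Using Static PAT” section (a tcp/21 static that has no tcp/20 companion). The outside interface address 209.165.201.25 is taken from Figure 17-28; policy static PAT lines (with access-list) are skipped by this model.

```python
# Added example, not Cisco code: a static PAT (port redirection) table.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "https": 443}


def port_number(p: str) -> int:
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)


@dataclass(frozen=True)
class StaticPat:  # static (real_if,mapped_if) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port
    proto: str
    real_if: str
    mapped_if: str
    mapped_ip: IPv4
    mapped_port: int
    real_ip: IPv4
    real_port: int


class StaticPatTable:
    def __init__(self, config: List[str], interface_addrs: Dict[str, str]):
        """interface_addrs resolves the 'interface' keyword to the address of the mapped interface."""
        self.rules: List[StaticPat] = []
        for line in config:
            tok = line.split()
            if tok[0] != "static" or tok[2] not in ("tcp", "udp") or tok[5] == "access-list":
                continue  # not a regular static PAT line
            real_if, mapped_if = tok[1].strip("()").split(",")
            mapped = interface_addrs[mapped_if] if tok[3] == "interface" else tok[3]
            self.rules.append(StaticPat(tok[2], real_if, mapped_if, IPv4(mapped),
                                        port_number(tok[4]), IPv4(tok[5]), port_number(tok[6])))

    def redirect(self, mapped_if: str, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[IPv4, int]]:
        """Connection arriving on mapped_if: the (real_ip, real_port) it is sent to, or None if no static matches."""
        d = IPv4(dst_ip)
        for r in self.rules:
            if (r.mapped_if, r.proto, r.mapped_ip, r.mapped_port) == (mapped_if, proto, d, dst_port):
                return r.real_ip, r.real_port
        return None

    def outbound(self, real_if: str, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[IPv4, int]]:
        """The server may originate only from its mapped port; other ports need a nat/global pair."""
        s = IPv4(src_ip)
        for r in self.rules:
            if (r.real_if, r.proto, r.real_ip, r.real_port) == (real_if, proto, s, src_port):
                return r.mapped_ip, r.mapped_port
        return None

    def ftp_without_data_port(self) -> List[StaticPat]:
        """tcp/21 statics that lack the tcp/20 entry the FTP note calls for on the same server and mapped address."""
        missing = []
        for r in self.rules:
            if r.proto == "tcp" and r.real_port == 21 and not any(
                    o.proto == "tcp" and o.real_port == 20 and o.real_ip == r.real_ip
                    and (o.real_if, o.mapped_if, o.mapped_ip) == (r.real_if, r.mapped_if, r.mapped_ip)
                    for o in self.rules):
                missing.append(r)
        return missing


# The Redirecting Ports configuration above; the outside interface address comes from Figure 17-28.
OUTSIDE_ADDRS = {"outside": "209.165.201.25"}
REDIRECT_PORTS = [
    "static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255",
]
```

With REDIRECT_PORTS, Telnet and FTP to 209.165.201.5 land on 10.1.1.6 and 10.1.1.3, HTTP to the interface address lands on 10.1.1.5, and port 8080 on the PAT address is rewritten to port 80 on 10.1.1.7; HTTP to 209.165.201.5 or UDP to any of these ports matches nothing. The FTP check flags the 209.165.201.5 entry because the scenario configures tcp/21 without tcp/20.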
Chapter 18 Permitting or Denying Network Access
This chapter describes how to control network access through the security appliance using access lists.
To create an extended access list or an EtherType access list, see Chapter 16, “Identifying Traffic with
Access Lists.”
Note You use ACLs to control network access in both routed and transparent firewall modes. In transparent
mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
To access the security appliance interface for management access, you do not also need an access list
allowing the host IP address. You only need to configure management access according to Chapter 40,
“Managing System Access.”
This chapter includes the following sections:
• Inbound and Outbound Access List Overview, page 18-1
• Applying an Access List to an Interface, page 18-2
Inbound and Outbound Access List Overview
By default, all traffic from a higher-security interface to a lower-security interface is allowed. Access
lists let you either allow traffic from lower-security interfaces, or restrict traffic from higher-security
interfaces.
The security appliance supports two types of access lists:
• Inbound—Inbound access lists apply to traffic as it enters an interface.
• Outbound—Outbound access lists apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the security appliance on an interface or traffic exiting the security appliance on an interface.
These terms do not refer to the movement of traffic from a lower security interface to a higher security
interface, commonly known as inbound, or from a higher to lower interface, commonly known as
outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts
(see Figure 18-1). See the “IP Addresses Used for Access Lists When You Use NAT” section on
page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts
from reaching the outside network.
Figure 18-1 Outbound Access List
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside
Applying an Access List to an Interface
To apply an extended access list to the inbound or outbound direction of an interface, enter the following
command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface.
See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about
access list directions.
[Figure 18-1 content: three inside interfaces (Inside, HR, and Eng) with static NAT 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, and 10.1.3.34 to 209.165.201.8; an inbound ACL on each inside interface permits any to any; the outbound ACL on the outside interface permits HTTP from 209.165.201.4, 209.165.201.6, and 209.165.201.8 to the web server 209.165.200.225 and denies all others.]
The per-user-override keyword allows dynamic access lists that are downloaded for user authorization
to override the access list assigned to the interface. For example, if the interface access list denies all
traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic
access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization”
section for more information about per-user access lists. The per-user-override keyword is only
available for inbound access lists.
For connectionless protocols, you need to apply the access list to the source and destination interfaces
if you want traffic to pass in both directions.
The following example illustrates the commands required to enable access to an inside web server with
the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside
You also need to configure NAT for the web server.
The following access lists allow any hosts to communicate between the inside and hr networks, but only
specific hosts (209.168.200.3 and 209.168.200.4) to access the outside network, as shown in the last line
below:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside
The following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies all others:
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside
Chapter 19 Applying AAA for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access.
For information about AAA for management access, see the “Configuring AAA for System
Administrators” section on page 40-5.
This chapter contains the following sections:
• AAA Performance, page 19-1
• Configuring Authentication for Network Access, page 19-1
• Configuring Authorization for Network Access, page 19-6
• Configuring Accounting for Network Access, page 19-13
• Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 19-14
AAA Performance
The security appliance uses “cut-through proxy” to significantly improve performance compared to a
traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every
packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a
user initially at the application layer and then authenticates against standard AAA servers or the local
database. After the security appliance authenticates the user, it shifts the session flow, and all traffic
flows directly and quickly between the source and destination while maintaining session state
information.
Configuring Authentication for Network Access
This section includes the following topics:
• Authentication Overview, page 19-2
• Enabling Network Access Authentication, page 19-3
• Enabling Secure Authentication of Web Clients, page 19-5
• Authenticating Directly with the Security Appliance, page 19-6
Authentication Overview
The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:
• One-Time Authentication, page 19-2
• Applications Required to Receive an Authentication Challenge, page 19-2
• Security Appliance Authentication Prompts, page 19-2
• Static PAT and HTTP, page 19-3
• Enabling Network Access Authentication, page 19-3
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Cisco Security Appliance
Command Reference for timeout values.) For example, if you configure the security appliance to
authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the
authentication session exists, the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must
first authenticate with one of these services before the security appliance allows other traffic requiring
authentication.
The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
Security Appliance Authentication Prompts
For Telnet and FTP, the security appliance generates an authentication prompt.
For HTTP, the security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. You can optionally configure the security appliance to redirect users to an
internal web page where they can enter their username and password (configured with the aaa
authentication listener command).
For HTTPS, the security appliance generates a custom login screen. You can optionally configure the
security appliance to redirect users to an internal web page where they can enter their username and
password (configured with the aaa authentication listener command).
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the security appliance.
You might want to continue to use basic HTTP authentication if you do not want the security appliance
to open listening ports, if you use NAT on a router and do not want to create a translation rule for
the web page served by the security appliance, or if basic HTTP authentication works better with your
network. For example, non-browser applications, such as a URL embedded in an email, might be more
compatible with basic authentication.
After the user authenticates correctly, the security appliance redirects the user to the original
destination. If the destination server also has its own authentication, the user enters another username
and password. If you use basic HTTP authentication and need to enter another username and password for
the destination server, then you need to configure the virtual http command.
Note If you use HTTP authentication without using the aaa authentication secure-http-client command, the
username and password are sent from the client to the security appliance in clear text. We recommend
that you use the aaa authentication secure-http-client command whenever you enable HTTP
authentication. For more information about the aaa authentication secure-http-client command, see
the “Enabling Secure Authentication of Web Clients” section on page 19-5.
For FTP, a user has the option of entering the security appliance username followed by an at sign (@)
and then the FTP username (name1@name2). For the password, the user enters the security appliance
password followed by an at sign (@) and then the FTP password (password1@password2). For example,
enter the following text:
name> jamiec@jchrichton
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).
Static PAT and HTTP
For HTTP authentication, the security appliance checks real ports when static PAT is configured. If it
detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts
the HTTP connection and enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and
enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the
security appliance allows HTTP connection to complete.
If the local port is different than port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
Then users do not see the authentication page. Instead, the security appliance sends the web browser an
error message indicating that the user must be authenticated prior to using the requested service.
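The following Python is an added example, not code from the Cisco guide: it models the static PAT lookup behind the Chapter 17 port-redirection steps and the real-port check described in this section, so the 889-to-80 and 889-to-111 cases above can be tested. The outside interface address used to resolve the interface keyword (209.165.201.1) is an assumption.

```python
# Added example (not from the Cisco guide): a model of the static PAT lookup
# the appliance performs on an inbound TCP connection, and of the real-port
# check that decides whether the connection is intercepted for HTTP
# authentication. Only "static (inside,outside) tcp ..." lines are modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords the sample configurations use; numeric ports are also accepted.
PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25}

# Assumed (not in the guide): the outside interface address that the
# "interface" keyword in "static (inside,outside) tcp interface www ..." means.
OUTSIDE_INTERFACE_IP = "209.165.201.1"


def port_number(token: str) -> int:
    """Resolve a port keyword such as www, or a numeric port."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port {token!r}")


@dataclass(frozen=True)
class StaticPat:
    mapped_ip: str      # address the outside world connects to
    mapped_port: int    # port the outside world connects to
    real_ip: str        # inside host the connection is translated to
    real_port: int      # "real" (local) port on the inside host


def parse_static(line: str, interface_ip: str = OUTSIDE_INTERFACE_IP) -> StaticPat:
    """Parse: static (inside,outside) tcp MAPPED MPORT REAL RPORT [netmask MASK]."""
    tok = line.replace("hostname(config)#", "").split()
    if tok[:1] != ["static"] or tok[2:3] != ["tcp"]:
        raise ValueError("only 'static (inside,outside) tcp ...' is modelled")
    mapped_ip = interface_ip if tok[3] == "interface" else tok[3]
    return StaticPat(mapped_ip, port_number(tok[4]), tok[5], port_number(tok[6]))


def translate(statics: List[StaticPat], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (real_ip, real_port) for an inbound connection, or None if no static matches."""
    for s in statics:
        if s.mapped_ip == dst_ip and s.mapped_port == dst_port:
            return s.real_ip, s.real_port
    return None


def intercepted_for_http_auth(statics: List[StaticPat], dst_ip: str, dst_port: int) -> bool:
    """True when the appliance would present the HTTP authentication page.

    The check is made on the REAL port after translation, not on the mapped
    port: mapped port 889 translated to real port 80 is still intercepted,
    while a real port of 111 is not (the user gets an error message instead).
    """
    real = translate(statics, dst_ip, dst_port)
    return real is not None and real[1] == 80


# The port-redirection statics from the Chapter 17 example.
CHAPTER17_STATICS = [parse_static(line) for line in (
    "static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255",
)]

# The two "Static PAT and HTTP" statics from this section.
HTTP_INTERCEPTED = [parse_static(
    "static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255")]
HTTP_NOT_INTERCEPTED = [parse_static(
    "static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255")]

if __name__ == "__main__":
    print(translate(CHAPTER17_STATICS, "209.165.201.15", 8080))                 # ('10.1.1.7', 80)
    print(intercepted_for_http_auth(HTTP_INTERCEPTED, "10.48.66.155", 889))      # True
    print(intercepted_for_http_auth(HTTP_NOT_INTERCEPTED, "10.48.66.155", 889))  # False
```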
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA
servers, continue to the next step.
For more information about identifying AAA servers, see the “Identifying AAA Server Groups and
Servers” section on page 13-12.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authenticate. For steps, see the “Adding an Extended Access List”
section on page 16-5.
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic
from authentication. Be sure to include the destination ports for either HTTP, HTTPS, Telnet, or FTP in
the access list because the user must authenticate with one of these services before other services are
allowed through the security appliance.
Step 3 To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command, and server_group is the AAA server group you created
in Step 1.
Note You can alternatively use the aaa authentication include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Cisco Security
Appliance Command Reference for more information.
Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter
the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum] redirect
where the interface_name argument is the interface on which you want to enable listening ports.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
Step 5 (Optional) If you are using the local database for network access authentication and you want to limit
the number of consecutive failed login attempts that the security appliance allows any given user
account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
where number is between 1 and 16.
For example:
hostname(config)# aaa local authentication attempts max-fail 7
Tip To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
hostname(config)# aaa authentication listener http inside redirect
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound
Enabling Secure Authentication of Web Clients
The security appliance provides a method of securing HTTP authentication. Without securing HTTP
authentication, usernames and passwords from the client to the security appliance would be passed as
clear text. By using the aaa authentication secure-http-client command, you enable the exchange of
usernames and passwords between a web client and the security appliance with HTTPS.
After enabling this feature, when a user requires authentication when using HTTP, the security appliance
redirects the HTTP user to an HTTPS prompt. After you authenticate correctly, the security appliance
redirects you to the original HTTP URL.
To enable secure authentication of web clients, enter the following command:
hostname(config)# aaa authentication secure-http-client
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not succeed.
• When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might
not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even if the
correct username and password are entered each time. To work around this, set the uauth timeout
to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second
window of opportunity that might allow non-authenticated users to go through the firewall if they
are coming from the same source IP address.
• Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list
command statement to block traffic from the HTTP client to HTTP server on port 443. Furthermore,
if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In
the following example, the first line configures static PAT for web traffic and the second line must
be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443
Authenticating Directly with the Security Appliance
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to
authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP,
HTTPS, or Telnet.
This section includes the following topics:
• Enabling Direct Authentication Using HTTP and HTTPS, page 19-6
• Enabling Direct Authentication Using Telnet, page 19-6
Enabling Direct Authentication Using HTTP and HTTPS
If you enabled the redirect method of HTTP and HTTPS authentication in the “Enabling Network Access
Authentication” section on page 19-3, then you also automatically enabled direct authentication. If you
want to continue to use basic HTTP authentication, but want to enable direct authentication for HTTP
and HTTPS, then enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum]
where the interface_name argument is the interface on which you want to enable direct authentication.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
You can authenticate directly with the security appliance at the following URLs when you enable AAA
for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html
Enabling Direct Authentication Using Telnet
To enable direct authentication with Telnet, configure a virtual Telnet server. With virtual Telnet, the user
Telnets to a given IP address configured on the security appliance, and the security appliance provides a
Telnet prompt. To configure a virtual Telnet server, enter the following command:
hostname(config)# virtual telnet ip_address
where the ip_address argument sets the IP address for the virtual Telnet server. Make sure this address
is an unused address that is routed to the security appliance. For example, if you perform NAT for inside
addresses when they access the outside, and you want to provide outside access to the virtual Telnet
server, you can use one of the global NAT addresses for the virtual Telnet server address.
Configuring Authorization for Network Access
After a user authenticates for a given connection, the security appliance can use authorization to further
control traffic from the user.
This section includes the following topics:
• Configuring TACACS+ Authorization, page 19-7
• Configuring RADIUS Authorization, page 19-8
Configuring TACACS+ Authorization
You can configure the security appliance to perform network access authorization with TACACS+. You
identify the traffic to be authorized by specifying access lists that authorization rules must match.
Alternatively, you can identify the traffic directly in authorization rules themselves.
Tip Using access lists to identify traffic to be authorized can greatly reduce the number of authorization
commands you must enter. This is because each authorization rule you enter can specify only one source
and destination subnet and service, whereas an access list can include many entries.
Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization statement will be denied. For authorization to succeed, a user must first
authenticate with the security appliance. Because a user at a given IP address only needs to authenticate
one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even
if the traffic is matched by an authentication statement.
After a user authenticates, the security appliance checks the authorization rules for matching traffic. If
the traffic matches the authorization statement, the security appliance sends the username to the
TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for
that traffic, based on the user profile. The security appliance enforces the authorization rule in the
response.
See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps:
Step 1 Enable authentication. For more information, see the “Enabling Network Access Authentication” section
on page 19-3. If you have already enabled authentication, continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authorize. For steps, see the “Adding an Extended Access List” section
on page 16-5.
The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic
from authorization. The access list you use for authorization matching should contain rules that are equal
to or a subset of the rules in the access list used for authentication matching.
Note If you have configured authentication and want to authorize all the traffic being authenticated,
you can use the same access list you created for use with the aaa authentication match
command.
Step 3 To enable authorization, enter the following command:
hostname(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command or by default, and server_group is the AAA server group
you created when you enabled authentication.
Note Alternatively, you can use the aaa authorization include command (which identifies traffic
within the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
“Configuring Authentication for Network Access” section on page 19-1.
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
• With the per-user-override keyword, the user-specific access list determines what is permitted.
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
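The following Python is an added example, not the guide's own code: a small evaluator for the extended access-list and access-group semantics of Chapter 18 (first match wins, implicit deny, the Figure 18-1 outbound list) and for how a user-specific access list combines with the interface access list with and without per-user-override, as described in the Note above and in the "Applying an Access List to an Interface" section. The INSIDE and PERUSER lists and the 10.x and 198.51.100.x addresses used to exercise per-user-override are constructed.

```python
# Added example (not the Cisco guide's own code): evaluator for extended
# access lists applied with access-group, including the per-user-override rule.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25}

@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None when the ACE has no "eq PORT"

    def matches(self, f: Flow) -> bool:
        proto_ok = self.proto in ("ip", f.proto)
        addr_ok = (ipaddress.ip_address(f.src) in self.src
                   and ipaddress.ip_address(f.dst) in self.dst)
        return proto_ok and addr_ok and (self.dport is None or self.dport == f.dport)

def _take_address(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' from the token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]

def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT]."""
    tok = line.replace("hostname(config)#", "").split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError("only extended access lists are modelled")
    name, action, proto = tok[1], tok[3], tok[4]
    src, rest = _take_address(tok[5:])
    dst, rest = _take_address(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return name, Ace(action, proto, src, dst, dport)

def evaluate(aces: List[Ace], f: Flow) -> str:
    """First matching ACE wins; every access list ends with an implicit deny."""
    for ace in aces:
        if ace.matches(f):
            return ace.action
    return "deny"

class Appliance:
    def __init__(self, config: List[str]):
        self.acls: Dict[str, List[Ace]] = {}
        self.groups: Dict[Tuple[str, str], Tuple[str, bool]] = {}
        for line in config:
            tok = line.replace("hostname(config)#", "").split()
            if tok[:1] == ["access-list"]:
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok[:1] == ["access-group"]:
                # access-group NAME {in|out} interface IFACE [per-user-override]
                self.groups[(tok[4], tok[2])] = (tok[1], "per-user-override" in tok)

    def permitted(self, iface: str, direction: str, f: Flow,
                  user_acl: Optional[List[Ace]] = None) -> bool:
        """Decide a flow on an interface/direction that has an access-group applied."""
        name, override = self.groups[(iface, direction)]
        iface_ok = evaluate(self.acls.get(name, []), f) == "permit"
        if user_acl is None:
            return iface_ok
        user_ok = evaluate(user_acl, f) == "permit"
        # per-user-override is honoured only on inbound lists: with it the
        # user-specific list alone decides, without it both lists must permit.
        if override and direction == "in":
            return user_ok
        return iface_ok and user_ok

# The Figure 18-1 outbound access list from the guide.
FIGURE_18_1 = Appliance([
    "access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www",
    "access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www",
    "access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www",
    "access-group OUTSIDE out interface outside",
])

# Constructed scenario: the interface list denies 10.0.0.0/8, the user-specific
# list downloaded for the authenticated user permits it.
_INSIDE = ["access-list INSIDE extended deny ip 10.0.0.0 255.0.0.0 any",
           "access-list INSIDE extended permit ip any any"]
WITH_OVERRIDE = Appliance(_INSIDE + ["access-group INSIDE in interface inside per-user-override"])
WITHOUT_OVERRIDE = Appliance(_INSIDE + ["access-group INSIDE in interface inside"])
USER_ACL = [parse_ace("access-list PERUSER extended permit ip 10.0.0.0 255.0.0.0 any")[1]]
```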
This section includes the following topics:
• Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-9
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-12
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
• About the Downloadable Access List Feature and Cisco Secure ACS, page 19-9
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-10
• Configuring Any RADIUS Server for Downloadable Access Lists, page 19-11
• Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-12
About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists are the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. They provide the following capabilities:
• Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the security appliance.
• Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
security appliances.
This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The security appliance receives downloadable access lists from Cisco Secure ACS using the following
process:
1. The security appliance sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that contains the internal name of the applicable downloadable access list.
The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following
attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable access list, which is a combination of
the name assigned to the access list by the Cisco Secure ACS administrator and the date and time
that the access list was last modified.
3. The security appliance examines the name of the downloadable access list and determines if it has
previously received the named downloadable access list.
– If the security appliance has previously received the named downloadable access list,
communication with Cisco Secure ACS is complete and the security appliance applies the
access list to the user session. Because the name of the downloadable access list includes the
date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of
an access list previously downloaded means that the security appliance has the most recent
version of the downloadable access list.
– If the security appliance has not previously received the named downloadable access list, it may
have an out-of-date version of the access list or it may not have downloaded any version of the
access list. In either case, the security appliance issues a RADIUS authentication request using
the downloadable access list name as the username in the RADIUS request and a null password
attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following
attribute-value pairs:
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
AAA:service=ip-admission
AAA:event=acl-download
In addition, the security appliance signs the request with the Message-Authenticator attribute
(IETF RADIUS attribute 80).
4. Upon receipt of a RADIUS authentication request that has a username attribute containing the name
of a downloadable access list, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable access list name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.
5. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds
with an access-accept message containing the access list. The largest access list that can fit in a
single access-accept message is slightly less than 4 KB because some of the message must be other
required attributes.
Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access
list is formatted as a series of attribute-value pairs that each contain an ACE and are numbered
serially:
ip:inacl#1=ACE-1
ip:inacl#2=ACE-2
.
.
.
ip:inacl#n=ACE-n
An example of an attribute-value pair follows:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that contains a portion of the access list, formatted as described
above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The security appliance stores the portion of the access list received and responds with another
access-request message containing the same attributes as the first request for the downloadable
access list plus a copy of the State attribute received in the access-challenge message.
This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.
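The request in step 3 and the check in step 4, as an added example that is not Cisco's code: it builds the Access-Request that carries the downloadable access list name as the username together with the two AAA: av-pairs, signs it with the Message-Authenticator attribute (RFC 2869, attribute 80: HMAC-MD5 keyed with the RADIUS shared secret over the whole packet, with the attribute's own 16 bytes set to zero), and verifies it the way Cisco Secure ACS is described as doing. The shared secret, packet identifier and Request Authenticator are constructed values.

```python
"""Added example (not Cisco's code): build the Access-Request that fetches a
downloadable ACL (steps 3 and 4 above) and sign/verify its
Message-Authenticator (RFC 2869, attribute 80): HMAC-MD5 keyed with the RADIUS
shared secret over the whole packet, with the attribute's own 16 bytes zeroed.
The secret, identifier and Request Authenticator are constructed values."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9   # enterprise number carried in the VSA
CISCO_AV_PAIR = 1     # vendor type for cisco-av-pair


def attr(attr_type, value):
    """Encode one attribute as type, length, value (length counts all three)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_av_pair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute for vendor 9."""
    inner = attr(CISCO_AV_PAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def iter_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def _zeroed_and_offset(packet):
    """Return the packet with the Message-Authenticator value zeroed plus the
    value's offset, or (None, None) if the attribute is absent or malformed."""
    for attr_type, offset, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            return packet[:offset] + bytes(16) + packet[offset + 16:], offset
    return None, None


def sign(packet, secret):
    """Fill in the Message-Authenticator of a packet that carries a placeholder."""
    zeroed, offset = _zeroed_and_offset(packet)
    if zeroed is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:offset] + mac + packet[offset + 16:]


def verify(packet, secret):
    """Step 4's check: a missing or wrong Message-Authenticator means the
    request is ignored, so both cases return False."""
    zeroed, offset = _zeroed_and_offset(packet)
    if zeroed is None:
        return False
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[offset:offset + 16])


def build_acl_download_request(acl_name, secret, identifier=1, request_authenticator=None):
    """The second Access-Request of step 3: the dACL name as User-Name, the two
    AAA: av-pairs, no password attribute, and a signed Message-Authenticator."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # random for an Access-Request
    attrs = (attr(ATTR_USER_NAME, acl_name.encode())
             + cisco_av_pair("AAA:service=ip-admission")
             + cisco_av_pair("AAA:event=acl-download")
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder for sign()
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return sign(header + request_authenticator + attrs, secret)


def av_pairs(packet):
    """Return the cisco-av-pair strings carried in the packet's vendor-9 VSAs."""
    found = []
    for attr_type, _, value in iter_attrs(packet):
        if attr_type == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            sub = value[4:]
            if len(sub) >= 2 and sub[0] == CISCO_AV_PAIR and sub[1] == len(sub):
                found.append(sub[2:].decode())
    return found
```

The verifier treats an absent attribute exactly like a wrong one, which is the property the text relies on: without the shared secret, knowing a downloadable access list name is not enough to produce a request the server will answer.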
Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more security appliance commands that are similar to the
extended access-list command (see the “Adding an Extended Access List” section on page 16-5), except
without the following prefix:
access-list acl_name extended
The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
+--------------------------------------------+
| Shared profile Components |
| |
| Downloadable IP ACLs Content |
| |
| Name: acs_ten_acl |
| |
| ACL Definitions |
| |
| permit tcp any host 10.0.0.254 |
| permit udp any host 10.0.0.254 |
| permit icmp any host 10.0.0.254 |
| permit tcp any host 10.0.0.253 |
| permit udp any host 10.0.0.253 |
| permit icmp any host 10.0.0.253 |
| permit tcp any host 10.0.0.252 |
| permit udp any host 10.0.0.252 |
| permit icmp any host 10.0.0.252 |
| permit ip any any |
+--------------------------------------------+
For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.
On the security appliance, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding
example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the security appliance consists of the following lines:
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any
Configuring Any RADIUS Server for Downloadable Access Lists
You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific
access lists to the security appliance in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).
In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended
command (see the “Adding an Extended Access List” section on page 16-5), except that you replace the
following command prefix:
access-list acl_name extended
with the following text:
ip:inacl#nnn=
The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the security appliance. If this parameter is omitted, the sequence value is
0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used.
The following example is an access list definition as it should be configured for a cisco-av-pair VSA on
a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
For information about making unique per user the access lists that are sent in the cisco-av-pair attribute,
see the documentation for your RADIUS server.
On the security appliance, the downloaded access list name has the following format:
AAA-user-username
The username argument is the name of the user that is being authenticated.
The downloaded access list on the security appliance consists of the following lines. Notice the order
based on the numbers identified on the RADIUS server.
access-list AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list AAA-user-bcham34-79AD4A08 deny tcp any any
access-list AAA-user-bcham34-79AD4A08 deny udp any any
Downloaded access lists have two spaces between the word “access-list” and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is
a hash value generated by the security appliance to help determine when access list definitions have
changed on the RADIUS server.
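The ordering rule for ip:inacl#nnn= av-pairs and the two downloaded-list name formats described above (the #ACSACL# form from Cisco Secure ACS and the AAA-user form from any RADIUS server), as an added example that is not Cisco's code. The sample av-pairs are the ones from the RADIUS server example; the version suffix is a constructed stand-in (CRC-32 of the ACE text), since the page says the appliance generates a hash but not how.

```python
"""Added example (not Cisco's code): reassemble the per-user access list the
security appliance builds from ip:inacl#nnn= av-pairs, and tell downloaded
access lists apart from local ones by their names. The version suffix is a
constructed stand-in (CRC-32 of the ACE text)."""
import re
import zlib

INACL_RE = re.compile(r"^ip:inacl#(\d{0,9})=(.+)$")           # nnn is 0 to 999999999
ACS_NAME_RE = re.compile(r"^#ACSACL#-ip-(.+)-([0-9a-fA-F]+)$")  # Cisco Secure ACS dACL
USER_NAME_RE = re.compile(r"^AAA-user-(.+)-([0-9a-fA-F]{8})$")  # per-user list, any RADIUS server

# Constructed sample: the av-pairs from the RADIUS server example above, in
# the order they appear in the cisco-av-pair VSA (deliberately not sorted).
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#99=deny tcp any any",
    "ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]


def parse_inacl_pairs(pairs):
    """Return the ACEs in the order the appliance installs them: ascending nnn;
    an omitted nnn counts as 0, and equal numbers keep the order in which the
    pairs appeared in the VSA. A number outside 0..999999999 is rejected."""
    entries = []
    for position, pair in enumerate(pairs):
        match = INACL_RE.match(pair.strip())
        if not match:
            raise ValueError(f"not an ip:inacl av-pair: {pair!r}")
        seq = int(match.group(1)) if match.group(1) else 0
        entries.append((seq, position, match.group(2).strip()))
    entries.sort()
    return [ace for _, _, ace in entries]


def version_tag(aces):
    """Constructed stand-in for the hash the appliance appends to the name so
    that a changed definition on the RADIUS server gets a new name."""
    return "%08X" % (zlib.crc32("\n".join(aces).encode()) & 0xFFFFFFFF)


def render_downloaded_acl(username, pairs):
    """Produce the access-list lines as they appear on the appliance, with the
    two spaces after 'access-list' that mark a downloaded list."""
    aces = parse_inacl_pairs(pairs)
    name = f"AAA-user-{username}-{version_tag(aces)}"
    return [f"access-list  {name} {ace}" for ace in aces]


def classify_acl_line(line):
    """Classify a configuration line by its name: ('local', name) for a
    locally defined list, ('acs', acl_name) for a Cisco Secure ACS dACL,
    ('radius-user', username) for a per-user list from a RADIUS server."""
    if line.startswith("access-list  "):
        name = line.split()[1]
        acs = ACS_NAME_RE.match(name)
        if acs:
            return ("acs", acs.group(1))
        user = USER_NAME_RE.match(name)
        if user:
            return ("radius-user", user.group(1))
        return ("downloaded", name)
    if line.startswith("access-list "):
        return ("local", line.split()[1])
    return ("other", "")
```

The classifier keys on the double space the text describes, which is the one reliable way to tell a downloaded list from a local one when reviewing a running configuration.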
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well
as to the security appliance, you may need the security appliance to convert wildcard netmask
expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators
support wildcard netmask expressions but the security appliance only supports standard netmask
expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize
the effects of these differences upon how you configure downloadable access lists on your RADIUS
servers. Translation of wildcard netmask expressions means that downloadable access lists written for
Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the
configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per server basis, using the acl-netmask-convert
command, available in the AAA-server configuration mode. For more information about configuring a
RADIUS server, see “Identifying AAA Server Groups and Servers” section on page 13-12. For more
information about the acl-netmask-convert command, see the Cisco Security Appliance Command
Reference.
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the security appliance from the
RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute
number 11) as follows:
filter-id=acl_name
Note In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface;
omit filter-id= and enter only acl_name.
For information about making unique per user the filter-id attribute value, see the documentation for your
RADIUS server.
See the “Adding an Extended Access List” section on page 16-5 to create an access list on the security
appliance.
Configuring Accounting for Network Access
The security appliance can send accounting information to a RADIUS or TACACS+ server about any
TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then
the AAA server can maintain accounting information by username. If the traffic is not authenticated, the
AAA server can maintain accounting information by IP address. Accounting information includes when
sessions start and stop, username, the number of bytes that pass through the security appliance for the
session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Step 1 If you want the security appliance to provide accounting data per user, you must enable authentication.
For more information, see the “Enabling Network Access Authentication” section on page 19-3. If you
want the security appliance to provide accounting data per IP address, enabling authentication is not
necessary and you can continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want accounted. For steps, see the “Adding an Extended Access List” section on
page 16-5.
The permit ACEs mark matching traffic for accounting, while deny entries exclude matching traffic
from accounting.
Note If you have configured authentication and want accounting data for all the traffic being
authenticated, you can use the same access list you created for use with the aaa authentication
match command.
Step 3 To enable accounting, enter the following command:
hostname(config)# aaa accounting match acl_name interface_name server_group
Note Alternatively, you can use the aaa accounting include command (which identifies traffic within
the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to
servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires
authorization and accounting.
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
Using MAC Addresses to Exempt Traffic from Authentication
and Authorization
The security appliance can exempt from authentication and authorization any traffic from specific MAC
addresses. For example, if the security appliance authenticates TCP traffic originating on a particular
network but you want to allow unauthenticated TCP connections from a specific server, you would use
a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified
by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
Step 1 To configure a MAC list, enter the following command:
hostname(config)# mac-list id {deny | permit} mac macmask
Where the id argument is the hexadecimal number that you assign to the MAC list. To group a set of
MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because
you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC
addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is,
nnnn.nnnn.nnnn.
The macmask argument specifies the portion of the MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following
command:
hostname(config)# aaa mac-exempt match id
Where id is the string identifying the MAC list containing the MAC addresses whose traffic is to be
exempt from authentication and authorization. You can only enter one instance of the aaa mac-exempt
command.
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# aaa mac-exempt match abc
The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID
0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
hostname(config)# aaa mac-exempt match acd
The following example bypasses authentication for a group of MAC addresses except for
00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches
the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1
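The first-match evaluation of a MAC list, as an added example that is not Cisco's code: it models the mac-list entries from the three examples above and shows why the deny for a single address must precede the broader permit that also covers it. The MAC addresses and masks are the page's own; the list objects and lookups are constructed.

```python
"""Added example (not Cisco's code): a first-match evaluator for mac-list
entries, showing why a deny must precede a broader permit that also matches
it. MAC addresses are the page's own examples; lookups are constructed."""
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(text):
    """Parse the 12-digit nnnn.nnnn.nnnn form into a 48-bit integer."""
    if not MAC_RE.match(text):
        raise ValueError(f"expected nnnn.nnnn.nnnn, got {text!r}")
    return int(text.replace(".", ""), 16)


class MacList:
    """One mac-list id, built one entry at a time like repeated
    'mac-list id {deny | permit} mac macmask' commands."""

    def __init__(self, list_id):
        self.list_id = list_id
        self.entries = []

    def add(self, action, mac, macmask):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.entries.append((action, mac_to_int(mac), mac_to_int(macmask)))
        return self

    def lookup(self, source_mac):
        """The first entry whose masked bits match decides; later entries are
        not consulted (first match, not best match). No match returns None."""
        value = mac_to_int(source_mac)
        for action, mac, mask in self.entries:
            if (value & mask) == (mac & mask):
                return action
        return None


def is_aaa_exempt(mac_list, source_mac):
    """Traffic is exempt from authentication and authorization only when the
    list permits the source MAC; a deny or no match leaves AAA in force."""
    return mac_list.lookup(source_mac) == "permit"


# The page's third example, entered in the correct order (deny first).
CORRECT_ORDER = (MacList("1")
                 .add("deny", "00a0.c95d.0282", "ffff.ffff.ffff")
                 .add("permit", "00a0.c95d.0000", "ffff.ffff.0000"))

# The same two entries reversed: the deny can never be matched.
WRONG_ORDER = (MacList("1")
               .add("permit", "00a0.c95d.0000", "ffff.ffff.0000")
               .add("deny", "00a0.c95d.0282", "ffff.ffff.ffff"))

# The page's second example: all Cisco IP Phones by hardware ID 0003.E3.
IP_PHONES = MacList("acd").add("permit", "0003.E300.0000", "FFFF.FF00.0000")
```

Because a match is decided on masked bits only, the mask ffff.ffff.0000 in the permit entry covers every address in the 00a0.c95d block, including the one the deny entry names; only the order of the two entries keeps that address under AAA.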
Chapter 20 Applying Filtering Services
This chapter describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
This chapter contains the following sections:
• Filtering Overview, page 20-1
• Filtering ActiveX Objects, page 20-2
• Filtering Java Applets, page 20-3
• Filtering URLs and FTP Requests with an External Server, page 20-4
• Viewing Filtering Statistics and Configuration, page 20-9
Filtering Overview
This section describes how filtering can provide greater control over traffic passing through the security
appliance. Filtering can be used in two distinct ways:
• Filtering ActiveX objects or Java applets
• Filtering with an external filtering server
Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic,
such as ActiveX objects or Java applets, that may pose a security threat in certain situations.
You can also use URL filtering to direct specific traffic to an external filtering server, such as a Secure
Computing SmartFilter (formerly N2H2) or Websense filtering server. Long URL, HTTPS, and FTP
filtering can now be enabled using both Websense and Secure Computing SmartFilter for URL filtering.
Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.
Note URL caching will only work if the version of the URL server software from the URL server vendor
supports it.
Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of
other traffic is not affected. However, depending on the speed of your network and the capacity of your
URL filtering server, the time required for the initial connection may be noticeably slower when filtering
traffic with an external filtering server.
Filtering ActiveX Objects
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing
through the firewall. This section includes the following topics:
• ActiveX Filtering Overview, page 20-2
• Enabling ActiveX Filtering, page 20-2
ActiveX Filtering Overview
ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web
page or other application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML commands by commenting them out within the
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the
<object> and </object> and <applet> and </applet> tags with comments. Filtering of nested
tags is supported by converting top-level tags to comments.
Caution This command also blocks any Java applets, image files, or multimedia objects that are embedded in
<object> tags.
If the <object> or <applet> HTML tags split across network packets or if the code in the tags is longer
than the number of bytes in the MTU, the security appliance cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command or
for WebVPN traffic.
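The tag-commenting approach described above, as an added example that is not Cisco's code: a filter that comments out top-level object and applet tags in an HTML page, a count of the tags a browser would still act on, and a per-packet wrapper that shows why a tag split across two packets survives, which is the limitation the Caution describes. The HTML snippets are constructed.

```python
"""Added example (not Cisco's code): comment out top-level <object> and
<applet> tags in HTML, as described for filter activex, and show why a tag
split across two packets cannot be matched. The HTML is constructed."""
import re

TAG_RE = re.compile(r"<\s*(/?)\s*(object|applet)\b[^>]*>", re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def comment_out_tags(html):
    """Replace each top-level <object>/<applet> opening and closing tag with an
    HTML comment. Tags nested inside a top-level element are left alone; the
    text between tags is kept so the page still renders."""
    out, depth, pos = [], 0, 0
    for match in TAG_RE.finditer(html):
        out.append(html[pos:match.start()])
        tag, is_closing = match.group(0), match.group(1) == "/"
        if is_closing:
            depth = max(depth - 1, 0)
        top_level = depth == 0
        if not is_closing:
            depth += 1
        # A "--" inside the tag text would end the comment early, so neuter it.
        out.append("<!-- " + tag.replace("--", "- -") + " -->" if top_level else tag)
        pos = match.end()
    out.append(html[pos:])
    return "".join(out)


def live_tags(html):
    """Count <object>/<applet> tags that are not inside an HTML comment, that
    is, tags a browser would still act on."""
    return len(TAG_RE.findall(COMMENT_RE.sub("", html)))


def filter_packets(packets):
    """Filter each packet on its own, as a device working packet by packet
    must. A tag that straddles a packet boundary is not matched in either
    half, so it reaches the client unchanged."""
    return [comment_out_tags(packet) for packet in packets]


# Constructed page: one top-level object with a nested applet, then a
# top-level applet written in upper case.
PAGE = ('<html><body><p>hello</p>'
        '<object classid="clsid:CONSTRUCTED"><param name="x" value="1">'
        '<applet code="Inner.class"></applet></object>'
        '<APPLET CODE="Outer.class"></APPLET></body></html>')

# Constructed pair of packets with the opening tag split across the boundary.
SPLIT = ['<html><body><obj',
         'ect classid="clsid:CONSTRUCTED"></object></body></html>']
```

Running live_tags on the reassembled output of filter_packets(SPLIT) still reports the opening tag, while comment_out_tags on the joined stream reports none; that difference is the reason the text warns about tags split across packets and code longer than the MTU.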
Enabling ActiveX Filtering
This section describes how to remove ActiveX objects in HTTP traffic passing through the security
appliance. To remove ActiveX objects, enter the following command in global configuration mode:
hostname(config)# filter activex port[-port] local_ip local_mask foreign_ip foreign_mask
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range
of ports by using a hyphen between the starting port number and the ending port number.
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of the traffic to be filtered.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that ActiveX objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0
This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local
host and for connections to any foreign host.
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter activex 80 0 0 0 0
Filtering Java Applets
This section describes how to apply filtering to remove Java applets from HTTP traffic passing through
the firewall. Java applets may pose security risks because they can contain code intended to attack hosts
and servers on a protected network. You can remove Java applets with the filter java command.
The filter java command filters out Java applets that return to the security appliance from an outbound
connection. The user still receives the HTML page, but the web page source for the applet is commented
out so that the applet cannot execute. The filter java command does not filter WebVPN traffic.
Note Use the filter activex command to remove Java applets that are embedded in <object> tags.
To remove Java applets in HTTP traffic passing through the firewall, enter the following command in
global configuration mode:
hostname(config)# filter java port[-port] local_ip local_mask foreign_ip foreign_mask
To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port
80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range
of ports by using a hyphen between the starting port number and the ending port number.
The local IP address and mask identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of the traffic to be filtered.
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all hosts.
The following example specifies that Java applets are blocked on all outbound connections:
hostname(config)# filter java 80 0 0 0 0
This command specifies that the Java applet blocking applies to web traffic on port 80 from any local
host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0
This command prevents host 192.168.3.3 from downloading Java applets.
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server. This section includes
the following topics:
• URL Filtering Overview, page 20-4
• Identifying the Filtering Server, page 20-4
• Buffering the Content Server Response, page 20-6
• Caching Server Addresses, page 20-6
• Filtering HTTP URLs, page 20-7
• Filtering HTTPS URLs, page 20-8
• Filtering FTP Requests, page 20-9
URL Filtering Overview
You can apply filtering to connection requests originating from a more secure network to a less secure
network. Although you can use ACLs to prevent outbound access to specific content servers, managing
usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify
configuration and improve security appliance performance by using a separate server running one of the
following Internet filtering products:
• Websense Enterprise for filtering HTTP, HTTPS, and FTP.
• Secure Computing SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL
filtering.
Note URL caching will only work if the version of the URL server software from the URL server vendor
supports it.
Although security appliance performance is less affected when using an external server, users may notice
longer access times to websites or FTP servers when the filtering server is remote from the security
appliance.
When filtering is enabled and a request for content is directed through the security appliance, the request
is sent to the content server and to the filtering server at the same time. If the filtering server allows the
connection, the security appliance forwards the response from the content server to the originating client.
If the filtering server denies the connection, the security appliance drops the response and sends a
message or return code indicating that the connection was not successful.
If user authentication is enabled on the security appliance, then the security appliance also sends the user
name to the filtering server. The filtering server can use user-specific filtering settings or provide
enhanced reporting regarding usage.
Identifying the Filtering Server
You can identify up to four filtering servers per context. The security appliance uses the servers in order
until a server responds. You can only configure a single type of server (Websense or Secure Computing
SmartFilter) in your configuration.
Note You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter
command. If you remove the filtering servers from the configuration, then all filter commands are also
removed.
Identify the address of the filtering server using the url-server command:
For Websense:
hostname(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns]]
For Secure Computing SmartFilter (formerly N2H2):
hostname(config)# url-server (if_name) vendor {secure-computing | n2h2} host local_ip [port port_number] [timeout seconds] [protocol {TCP [connections num_conns]} | UDP]
where if_name is the name of the security appliance interface connected to the filtering server (the
default is inside).
For the vendor {secure-computing | n2h2} keyword, use ‘secure-computing’ as the vendor string; ‘n2h2’ is
also accepted for backward compatibility. When the configuration entries are generated,
‘secure-computing’ is saved as the vendor string.
The host local_ip argument is the IP address of the URL filtering server.
The port port_number argument is the Secure Computing SmartFilter server port number of the filtering
server; the security appliance also listens for UDP replies on this port.
Note The default port is 4005. This is the default port used by the Secure Computing SmartFilter server to
communicate to the security appliance via TCP or UDP. For information on changing the default port,
please refer to the Filtering by N2H2 Administrator's Guide.
The timeout seconds argument is the number of seconds the security appliance should keep trying to
connect to the filtering server.
The connections num_conns argument is the number of tries to attempt to make a connection between the
host and server.
For example, to identify a single Websense filtering server, enter the following command:
hostname(config)# url-server (perimeter) host 10.0.1.1 protocol TCP version 4
This identifies a Websense filtering server with the IP address 10.0.1.1 on a perimeter interface of the
security appliance. Version 4, which is enabled in this example, is recommended by Websense because it
supports caching.
To identify redundant Secure Computing SmartFilter servers, enter the following commands:
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2
This identifies two Sentian filtering servers, both on a perimeter interface of the security appliance.
Buffering the Content Server Response
When a user issues a request to connect to a content server, the security appliance sends the request to
the content server and to the filtering server at the same time. If the filtering server does not respond
before the content server, the server response is dropped. This delays the web server response from the
point of view of the web client because the client must reissue the request.
By enabling the HTTP response buffer, replies from web content servers are buffered and the responses
are forwarded to the requesting client if the filtering server allows the connection. This prevents the
delay that might otherwise occur.
To configure buffering for responses to HTTP or FTP requests, perform the following steps:
Step 1 To enable buffering of responses for HTTP or FTP requests that are pending a response from the filtering
server, enter the following command:
hostname(config)# url-block block block-buffer-limit
Replace block-buffer-limit with the maximum number of HTTP responses that can be buffered while
awaiting responses from the url-server.
Note Buffering of URLs longer than 3072 bytes is not supported.
Step 2 To configure the maximum memory available for buffering pending URLs (and for buffering long
URLs), enter the following command:
hostname(config)# url-block mempool-size memory-pool-size
Replace memory-pool-size with a value from 2 to 10240 for a maximum memory allocation of 2 KB to
10 MB.
Caching Server Addresses
After a user accesses a site, the filtering server can allow the security appliance to cache the server
address for a certain amount of time, as long as every site hosted at the address is in a category that is
permitted at all times. Then, when the user accesses the server again, or if another user accesses the
server, the security appliance does not need to consult the filtering server again.
Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result,
this activity does not appear in any reports. You can accumulate Websense run logs before using the
url-cache command.
Use the url-cache command if needed to improve throughput, as follows:
hostname(config)# url-cache dst | src_dst size
Replace size with a value for the cache size within the range 1 to 128 (KB).
Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users
share the same URL filtering policy on the Websense server.
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 20 Applying Filtering Services
Filtering URLs and FTP Requests with an External Server
Use the src_dst keyword to cache entries based on both the source address initiating the URL request as
well as the URL destination address. Select this mode if users do not share the same URL filtering policy
on the Websense server.
Filtering HTTP URLs
This section describes how to configure HTTP filtering with an external filtering server. This section
includes the following topics:
• Configuring HTTP Filtering, page 20-7
• Enabling Filtering of Long HTTP URLs, page 20-7
• Truncating Long HTTP URLs, page 20-7
• Exempting Traffic from Filtering, page 20-8
Configuring HTTP Filtering
You must identify and enable the URL filtering server before enabling HTTP filtering.
When the filtering server approves an HTTP connection request, the security appliance allows the reply
from the web server to reach the originating client. If the filtering server denies the request, the security
appliance redirects the user to a block page, indicating that access was denied.
To enable HTTP filtering, enter the following command:
hostname(config)# filter url [http | port[-port] local_ip local_mask foreign_ip
foreign_mask] [allow] [proxy-block]
Replace port with one or more port numbers if a different port than the default port for HTTP (80) is
used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork
making requests. Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server
or subnetwork responding to requests.
The allow option causes the security appliance to forward HTTP traffic without filtering when the
primary filtering server is unavailable. If you omit allow and the filtering server goes offline, outbound
HTTP traffic is held until the server is reachable again. Use the proxy-block option to drop all requests
to proxy servers.
Enabling Filtering of Long HTTP URLs
By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159
characters. You can increase the maximum length allowed.
Configure the maximum size of a single URL with the following command:
hostname(config)# url-block url-size long-url-size
Replace long-url-size with the maximum size in KB for each long URL being buffered. For Websense,
this is a value from 2 to 4 for a maximum URL size of 2 KB to 4 KB; for Secure Computing, this is a
value between 2 to 3 for a maximum URL size of 2 KB to 3 KB. The default value is 2.
Truncating Long HTTP URLs
By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this, you can set
the security appliance to truncate a long URL by entering the following command:
hostname(config)# filter url [longurl-truncate | longurl-deny | cgi-truncate]
The longurl-truncate option causes the security appliance to send only the hostname or IP address
portion of the URL for evaluation to the filtering server when the URL is longer than the maximum
length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than
the maximum permitted.
Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script
name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very
long, waiting and sending the complete CGI request including the parameter list can use up memory
resources and affect firewall performance.
Exempting Traffic from Filtering
To exempt specific traffic from filtering, enter the following command:
hostname(config)# filter url except source_ip source_mask dest_ip dest_mask
For example, the following commands cause all HTTP requests to be forwarded to the filtering server
except for those from 10.0.2.54.
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0
Filtering HTTPS URLs
You must identify and enable the URL filtering server before enabling HTTPS filtering.
Note Websense and Smartfilter currently support HTTPS; older versions of Secure Computing SmartFilter
(formerly N2H2) did not support HTTPS filtering.
Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory
and filename information. When the filtering server approves an HTTPS connection request, the security
appliance allows the completion of SSL connection negotiation and allows the reply from the web server
to reach the originating client. If the filtering server denies the request, the security appliance prevents
the completion of SSL connection negotiation. The browser displays an error message such as “The Page
or the content cannot be displayed.”
Note The security appliance does not provide an authentication prompt for HTTPS, so a user must
authenticate with the security appliance using HTTP or FTP before accessing HTTPS servers.
To enable HTTPS filtering, enter the following command:
hostname(config)# filter https port[-port] local_ip local_mask foreign_ip foreign_mask
[allow]
Replace port[-port] with a range of port numbers if a different port than the default port for HTTPS (443)
is used.
Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making
requests.
Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork
responding to requests.
The allow option causes the security appliance to forward HTTPS traffic without filtering when the
primary filtering server is unavailable.
Filtering FTP Requests
You must identify and enable the URL filtering server before enabling FTP filtering.
Note Websense and Smartfilter currently support FTP; older versions of Secure Computing SmartFilter
(formerly known as N2H2) did not support FTP filtering.
When the filtering server approves an FTP connection request, the security appliance allows the
successful FTP return code to reach the originating client. For example, a successful return code is “250:
CWD command successful.” If the filtering server denies the request, the security appliance alters the
FTP return code to show that the connection was denied. For example, the security appliance changes
code 250 to “550 Requested file is prohibited by URL filtering policy.”
To enable FTP filtering, enter the following command:
hostname(config)# filter ftp port[-port] local_ip local_mask foreign_ip foreign_mask
[allow] [interact-block]
Replace port[-port] with a range of port numbers if a different port than the default port for FTP (21) is
used.
Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making
requests.
Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork
responding to requests.
The allow option causes the security appliance to forward FTP traffic without filtering when the
primary filtering server is unavailable.
Use the interact-block option to prevent interactive FTP sessions that do not provide the entire directory
path. An interactive FTP client allows the user to change directories without typing the entire path. For
example, the user might enter cd ./files instead of cd /public/files.
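The following end-to-end configuration is an added example that ties the preceding steps together; it is not taken from the guide. The interface name (inside), the client network 10.1.1.0/24, the exempt host 10.1.1.54, the server timeout and the Websense server address (borrowed from the statistics sample later in this chapter) are assumptions. The comments pair each convenience setting with its stricter alternative so the trade-off is visible in one place.

```text
! Identify and enable the filtering server first; the filter commands depend on it.
! Interface, address, timeout and protocol are assumptions for this example.
url-server (inside) vendor websense host 10.125.76.20 timeout 30 protocol TCP

! Response buffering: hold up to 128 pending web-server replies in a 2 MB pool so
! that clients do not have to reissue requests when the filtering server answers late.
url-block block 128
url-block mempool-size 2048
! Accept URLs up to the Websense maximum of 4 KB instead of the 2 KB default.
url-block url-size 4

! Destination-only cache (128 KB): every user shares one Websense policy here.
! Cached hits are neither sent to the filtering server nor logged, so leave this
! line out while you still need complete Websense run logs.
url-cache dst 128

! HTTP from the inside network to any server. No "allow" keyword: if the filtering
! server is unreachable, port 80 traffic is held rather than passed unfiltered.
! cgi-truncate removes CGI parameters from the lookup; longurl-deny refuses URLs
! that still exceed url-size instead of sending only the hostname for evaluation
! (longurl-truncate), so the filtering server never rates a path it did not see;
! proxy-block drops requests addressed to proxy servers.
filter url http 10.1.1.0 255.255.255.0 0 0 cgi-truncate longurl-deny proxy-block

! Exempt one host (for example an update server) from HTTP filtering.
filter url except 10.1.1.54 255.255.255.255 0 0

! HTTPS: only the hostname is sent for lookup because the content is encrypted.
filter https 443 10.1.1.0 255.255.255.0 0 0

! FTP: refuse interactive sessions that change directory without the full path
! (cd ./files rather than cd /public/files).
filter ftp 21 10.1.1.0 255.255.255.0 0 0 interact-block
```

After applying this, confirm the server is reachable with show url-server statistics before relying on the fail-closed behavior: with no allow keyword a DOWN server means no outbound HTTP until it recovers.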
Viewing Filtering Statistics and Configuration
This section describes how to monitor filtering statistics. This section includes the following topics:
• Viewing Filtering Server Statistics, page 20-10
• Viewing Buffer Configuration and Statistics, page 20-11
• Viewing Caching Statistics, page 20-11
• Viewing Filtering Performance Statistics, page 20-11
• Viewing Filtering Configuration, page 20-12
Viewing Filtering Server Statistics
To show information about the filtering server, enter the following command:
hostname# show running-config url-server
The following is sample output from the show running-config url-server command:
hostname# show running-config url-server
url-server (outside) vendor n2h2 host 128.107.254.202 port 4005 timeout 5 protocol TCP
To show filtering statistics for the server, enter the following command:
hostname# show url-server statistics
The following is sample output from the show url-server statistics command, which shows filtering
statistics:
hostname# show url-server statistics
Global Statistics:
--------------------
URLs total/allowed/denied 13/3/10
URLs allowed by cache/server 0/3
URLs denied by cache/server 0/10
HTTPSs total/allowed/denied 138/137/1
HTTPSs allowed by cache/server 0/137
HTTPSs denied by cache/server 0/1
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 0
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second
Server Statistics:
--------------------
10.125.76.20 UP
Vendor websense
Port 15868
Requests total/allowed/denied 151/140/11
Server timeouts/retries 0/0
Responses received 151
Response time average 60s/300s 0/0
URL Packets Sent and Received Stats:
------------------------------------
Message Sent Received
STATUS_REQUEST 1609 1601
LOOKUP_REQUEST 1526 1526
LOG_REQUEST 0 NA
Errors:
-------
RFC noncompliant GET method 0
URL buffer update failure 0
Viewing Buffer Configuration and Statistics
The show running-config url-block command displays the URL block buffer configuration. The show
url-block block statistics command displays the number of packets held in the url-block buffer and the
number (if any) dropped due to exceeding the buffer limit or retransmission.
The following is sample output from the show running-config url-block command:
hostname# show running-config url-block
url-block url-mempool 128
url-block url-size 4
url-block block 128
This shows the configuration of the URL block buffer.
The following is sample output from the show url-block block statistics command:
hostname# show url-block block statistics
URL Pending Packet Buffer Stats with max block 128
-----------------------------------------------------
Cumulative number of packets held: 896
Maximum number of packets held (per URL): 3
Current number of packets held (global): 38
Packets dropped due to
exceeding url-block buffer limit: 7546
HTTP server retransmission: 10
Number of packets released back to client: 0
This shows the URL block statistics.
Viewing Caching Statistics
The following is sample output from the show url-cache stats command:
hostname# show url-cache stats
URL Filter Cache Stats
----------------------
Size : 128KB
Entries : 1724
In Use : 456
Lookups : 45
Hits : 8
This shows how the cache is used.
Viewing Filtering Performance Statistics
The following is sample output from the show perfmon command:
hostname# show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 2/s
TCP Conns 0/s 2/s
UDP Conns 0/s 0/s
URL Access 0/s 2/s
URL Server Req 0/s 3/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 3/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
This shows URL filtering performance statistics, along with other performance statistics. The filtering
statistics are shown in the URL Access and URL Server Req rows.
Viewing Filtering Configuration
The following is sample output from the show running-config filter command:
hostname# show running-config filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Chapter 21
Using Modular Policy Framework
This chapter describes how to use Modular Policy Framework to create security policies for TCP and
general connection settings, inspections, IPS, CSC, and QoS.
This chapter includes the following sections:
• Modular Policy Framework Overview, page 21-1
• Identifying Traffic (Layer 3/4 Class Map), page 21-4
• Configuring Special Actions for Application Inspections (Inspection Policy Map), page 21-7
• Defining Actions (Layer 3/4 Policy Map), page 21-15
• Applying Actions to an Interface (Service Policy), page 21-21
• Modular Policy Framework Examples, page 21-21
Modular Policy Framework Overview
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features. For example, you can use Modular Policy Framework to create a timeout configuration that is
specific to a particular TCP application, as opposed to one that applies to all TCP applications. This
section includes the following topics:
• Modular Policy Framework Features, page 21-1
• Modular Policy Framework Configuration Overview, page 21-2
• Default Global Policy, page 21-3
Modular Policy Framework Features
Modular Policy Framework supports the following features:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number
randomization
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue
Modular Policy Framework Configuration Overview
Configuring Modular Policy Framework consists of the following tasks:
1. Identify the traffic on which you want to perform Modular Policy Framework actions by creating
Layer 3/4 class maps. For example, you might want to perform actions on all traffic that passes
through the security appliance; or you might only want to perform certain actions on traffic from
10.1.1.0/24 to any destination address.
See the “Identifying Traffic (Layer 3/4 Class Map)” section on page 21-4.
2. If one of the actions you want to perform is application inspection, and you want to perform
additional actions on some inspection traffic, then create an inspection policy map. The inspection
policy map identifies the traffic and specifies what to do with it. For example, you might want to
drop all HTTP requests with a body length greater than 1000 bytes.
You can create a self-contained inspection policy map that identifies the traffic directly with match
commands, or you can create an inspection class map for reuse or for more complicated matching.
See the “Defining Actions in an Inspection Policy Map” section on page 21-8 and the “Identifying
Traffic in an Inspection Class Map” section on page 21-11.
3. If you want to match text with a regular expression within inspected packets, you can create a
regular expression or a group of regular expressions (a regular expression class map). Then, when
you define the traffic to match for the inspection policy map, you can call on an existing regular
expression. For example, you might want to drop all HTTP requests with a URL including the text
“example.com.”
Figure: Layer 3/4 Class Map
Figure: Inspection Class Map/Match Commands feeding Inspection Policy Map Actions
See the “Creating a Regular Expression” section on page 21-12 and the “Creating a Regular
Expression Class Map” section on page 21-14.
4. Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy
map. Then, determine on which interfaces you want to apply the policy map using a service policy.
See the “Defining Actions (Layer 3/4 Policy Map)” section on page 21-15 and the “Applying
Actions to an Interface (Service Policy)” section on page 21-21.
Default Global Policy
By default, the configuration includes a policy that matches all default application inspection traffic and
applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled
by default. You can only apply one global policy, so if you want to alter the global policy, you need to
either edit the default policy or disable it and apply a new one. (An interface policy overrides the global
policy for a particular feature.)
Figure: Regular Expression Statement/Regular Expression Class Map and Inspection Class Map/Match Commands feeding Inspection Policy Map Actions
Figure: Layer 3/4 Policy Map (Inspection, Connection Limits, IPS) applied through a Service Policy
The default policy configuration includes the following commands:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
Identifying Traffic (Layer 3/4 Class Map)
A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. The maximum
number of Layer 3/4 class maps is 255 in single mode or per context in multiple mode. You can create
multiple Layer 3/4 class maps for each Layer 3/4 policy map. You can create the following types of class
maps:
• Default Class Maps, page 21-4
• Creating a Layer 3/4 Class Map for Through Traffic, page 21-5
• Creating a Layer 3/4 Class Map for Management Traffic, page 21-7
Default Class Maps
The configuration includes a default Layer 3/4 class map that the security appliance uses in the default
global policy. It is called inspection_default and matches the default inspection traffic:
class-map inspection_default
match default-inspection-traffic
Another class map that exists in the default configuration is called class-default, and it matches all
traffic:
class-map class-default
match any
This class map appears at the end of all Layer 3/4 policy maps and essentially tells the security appliance
to not perform any actions on all other traffic. You can use the class-default class map if desired, rather
than making your own match any class map. In fact, some features are only available for class-default,
such as QoS traffic shaping.
Creating a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4
attributes.
To define a Layer 3/4 class map, perform the following steps:
Step 1 Create a Layer 3/4 class map by entering the following command:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map. The CLI enters class-map configuration mode.
Step 2 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by matching one of the following characteristics. Unless
otherwise specified, you can include only one match command in the class map.
• Any traffic—The class map matches all traffic.
hostname(config-cmap)# match any
• Access list—The class map matches traffic specified by an extended access list. If the security
appliance is operating in transparent firewall mode, you can use an EtherType access list.
hostname(config-cmap)# match access-list access_list_name
For more information about creating access lists, see the “Adding an Extended Access List” section
on page 16-5 or the “Adding an EtherType Access List” section on page 16-8.
For information about creating access lists with NAT, see the “IP Addresses Used for Access Lists
When You Use NAT” section on page 16-3.
• TCP or UDP destination ports—The class map matches a single port or a contiguous range of ports.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
Tip For applications that use multiple, non-contiguous ports, use the match access-list command
and define an ACE to match each port.
For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11.
For example, enter the following command to match TCP packets on port 80 (HTTP):
hostname(config-cmap)# match port tcp eq 80
• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all
applications that the security appliance can inspect.
hostname(config-cmap)# match default-inspection-traffic
See the “Default Inspection Policy” section on page 25-3 for a list of default ports. The security
appliance includes a default global policy that matches the default inspection traffic, and applies
common inspections to the traffic on all interfaces. Not all applications whose ports are included in
the match default-inspection-traffic command are enabled by default in the policy map.
You can specify a match access-list command along with the match default-inspection-traffic
command to narrow the matched traffic. Because the match default-inspection-traffic command
specifies the ports to match, any ports in the access list are ignored.
• DSCP value in an IP header—The class map matches up to eight DSCP values.
hostname(config-cmap)# match dscp value1 [value2] [...] [value8]
For example, enter the following:
hostname(config-cmap)# match dscp af43 cs1 ef
• Precedence—The class map matches up to four precedence values, represented by the Type of
Service (TOS) byte in the IP header.
hostname(config-cmap)# match precedence value1 [value2] [value3] [value4]
where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
• RTP traffic—The class map matches RTP traffic.
hostname(config-cmap)# match rtp starting_port range
The starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The
range specifies the number of additional UDP ports to match above the starting_port, between 0 and
16383.
• Tunnel group traffic—The class map matches traffic for a tunnel group to which you want to apply
QoS.
hostname(config-cmap)# match tunnel-group name
You can also specify one other match command to refine the traffic match. You can specify any of
the preceding commands, except for the match any, match access-list, or match
default-inspection-traffic commands. Or you can enter the following command to police each
flow:
hostname(config-cmap)# match flow ip destination-address
All traffic going to a unique IP destination address is considered a flow.
The following is an example for the class-map command:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo
Creating a Layer 3/4 Class Map for Management Traffic
For management traffic to the security appliance, you might want to perform actions specific to this kind
of traffic. You can specify a management class map that can match TCP or UDP ports. The types of
actions available for a management class map in the policy map are specialized for management traffic.
Namely, this type of class map lets you inspect RADIUS accounting traffic.
To create a class map for management traffic to the security appliance, perform the following steps:
Step 1 Create a class map by entering the following command:
hostname(config)# class-map type management class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map. The CLI enters class-map configuration mode.
Step 2 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by matching the TCP or UDP port. You can include only one
match command in the class map.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11.
For example, enter the following command to match TCP packets on port 10000:
hostname(config-cmap)# match port tcp eq 10000
Configuring Special Actions for Application Inspections
(Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map. When the inspection policy map matches traffic within the Layer
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted
upon as specified (for example, dropped or rate-limited).
This section includes the following topics:
• Inspection Policy Map Overview, page 21-8
• Defining Actions in an Inspection Policy Map, page 21-8
• Identifying Traffic in an Inspection Class Map, page 21-11
• Creating a Regular Expression, page 21-12
• Creating a Regular Expression Class Map, page 21-14
Inspection Policy Map Overview
See the “Configuring Application Inspection” section on page 25-5 for a list of applications that support
inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depends on the application.
• Traffic matching command—You can define a traffic matching command directly in the inspection
policy map to match application traffic to criteria specific to the application, such as a URL string,
for which you then enable actions.
– Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
• Inspection class map—(Not available for all applications. See the CLI help for a list of supported
applications.) An inspection class map includes traffic matching commands that match application
traffic with criteria specific to the application, such as a URL string. You then identify the class map
in the policy map and enable actions. The difference between creating a class map and defining the
traffic match directly in the inspection policy map is that you can create more complex match criteria
and you can reuse class maps.
– Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
• Parameters—Parameters affect the behavior of the inspection engine.
The default inspection policy map configuration includes the following commands, which set the
maximum message length for DNS packets to 512 bytes:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
Note There are other default inspection policy maps such as policy-map type inspect esmtp
_default_esmtp_map. These default policy maps are created implicitly by the command inspect
protocol. For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the
default policy maps can be shown by using the show running-config all policy-map command.
Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.
To create an inspection policy map, perform the following steps:
Step 1 To create the inspection policy map, enter the following command:
hostname(config)# policy-map type inspect application policy_map_name
hostname(config-pmap)#
See the “Configuring Application Inspection” section on page 25-5 for a list of applications that support
inspection policy maps.
The policy_map_name argument is the name of the policy map up to 40 characters in length. All types
of policy maps use the same name space, so you cannot reuse a name already used by another type of
policy map. The CLI enters policy-map configuration mode.
Step 2 To apply actions to matching traffic, perform the following steps:
a. Specify the traffic on which you want to perform actions using one of the following methods:
• Specify the inspection class map that you created in the “Identifying Traffic in an Inspection
Class Map” section on page 21-11 by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
• Specify traffic directly in the policy map using one of the match commands described for each
application in Chapter 25, “Configuring Application Layer Protocol Inspection.” If you use a
match not command, then any traffic that matches the criterion in the match not command does
not have the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
Not all options are available for each application. Other actions specific to the application might also
be available. See Chapter 25, “Configuring Application Layer Protocol Inspection,” for the exact
options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server
and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log
message.
The rate-limit message_rate argument limits the rate of messages.
Note You can specify multiple class or match commands in the policy map.
If a packet matches multiple different match or class commands, then the order in which the security
appliance applies the actions is determined by internal security appliance rules, and not by the order in
which they are added to the policy map. The internal rules are determined by the application type and the
logical progression of parsing a packet, and are not user-configurable. For example, for HTTP traffic,
parsing the Request Method field precedes parsing the Header Host Length field, so an action for the
Request Method field occurs before the action for the Header Host Length field. The following match
commands can therefore be entered in either order, but the match request method get command is matched first.
match request header host length gt 100
reset
match request method get
log
If an action drops a packet, then no further actions are performed in the inspection policy map. For
example, if the first action is to reset the connection, then the packet will never match any further match
or class commands. If the first action is to log the packet, then a second action, such as resetting the
connection, can occur. (You can configure both a terminating action, such as reset or drop-connection, and
the log action for the same match or class command; in that case the packet is logged before it is reset
for a given match.)
If a packet matches multiple match or class commands that are the same, then they are matched in the
order they appear in the policy map. For example, for a packet with the header length of 1001, it will
match the first command below, and be logged, and then will match the second command and be reset.
If you reverse the order of the two match commands, then the packet will be dropped and the connection
reset before it can match the second match command; it will never be logged.
match request header length gt 100
log
match request header length gt 1000
reset
A class map is determined to be the same type as another class map or match command based on the
lowest priority match command in the class map (the priority is based on the internal rules). If a class
map has the same type of lowest priority match command as another class map, then the class maps are
matched according to the order they are added to the policy map. If the lowest priority command for each
class map is different, then the class map with the higher priority match command is matched first. For
example, the following three class maps contain two types of match commands: match request-cmd
(higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but
it is ranked according to the lowest priority command, match filename. The ftp1 class map includes the
highest priority command, so it is matched first, regardless of the order in the policy map. The ftp3 class
map is ranked as being of the same priority as the ftp2 class map, which also contains the match
filename command. They are matched according to the order in the policy map: ftp3 and then ftp2.
class-map inspect type ftp ftp1
match request-cmd get
class-map inspect type ftp ftp2
match filename regex abc
class-map inspect type ftp ftp3
match request-cmd get
match filename regex abc
policy-map type inspect ftp ftp
class ftp3
log
class ftp2
log
class ftp1
log
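An added model (not Cisco code) of the two ordering rules just described: the header-length example, where same-type match commands run in policy-map order and a terminating action ends evaluation, and the ftp1/ftp2/ftp3 ranking by lowest-priority match command. The MATCH_PRIORITY numbers are constructed stand-ins for the appliance's internal, non-configurable rules; only the match kinds used in the two examples are modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the appliance's internal ranking: a lower number
# means the field is parsed earlier, so its action runs earlier.
MATCH_PRIORITY: Dict[str, int] = {
    "request-cmd": 1,             # FTP: ranked above filename
    "filename": 2,
    "request method": 1,          # HTTP: ranked above header length
    "request header length": 2,
}

# Actions after which nothing further in the inspection policy map is evaluated.
TERMINAL_ACTIONS = {"drop", "drop-connection", "reset"}


@dataclass
class MatchCmd:
    kind: str                       # key into MATCH_PRIORITY
    test: Callable[[dict], bool]    # does this packet satisfy the match?


@dataclass
class Entry:
    """One 'class' or direct 'match' entry of an inspection policy map."""
    name: str
    matches: List[MatchCmd]         # a class map's match commands (match-all)
    actions: List[str]

    def rank(self) -> int:
        # A class map is ranked by its LOWEST-priority match command.
        return max(MATCH_PRIORITY[m.kind] for m in self.matches)

    def hits(self, packet: dict) -> bool:
        return all(m.test(packet) for m in self.matches)


def order_entries(entries: List[Entry]) -> List[Entry]:
    # sorted() is stable, so entries of equal rank keep their policy-map order.
    return sorted(entries, key=Entry.rank)


def apply_inspection_policy(entries: List[Entry], packet: dict) -> List[Tuple[str, str]]:
    """Return the (entry name, action) pairs applied to the packet, in order."""
    trace: List[Tuple[str, str]] = []
    for entry in order_entries(entries):
        if not entry.hits(packet):
            continue
        # Within one entry, log runs before a terminating action.
        for action in sorted(entry.actions, key=lambda a: a in TERMINAL_ACTIONS):
            trace.append((entry.name, action))
            if action in TERMINAL_ACTIONS:
                return trace            # the packet is gone; stop evaluating
    return trace


def ftp_policy() -> List[Entry]:
    """The ftp3 / ftp2 / ftp1 class maps above, in their policy-map order."""
    get = MatchCmd("request-cmd", lambda p: p.get("cmd") == "get")
    abc = MatchCmd("filename", lambda p: "abc" in p.get("filename", ""))
    return [
        Entry("ftp3", [get, abc], ["log"]),
        Entry("ftp2", [abc], ["log"]),
        Entry("ftp1", [get], ["log"]),
    ]


def http_header_policy(reverse: bool = False) -> List[Entry]:
    """The two 'match request header length' commands above, optionally swapped."""
    gt100 = Entry("hdr>100",
                  [MatchCmd("request header length", lambda p: p["hdr_len"] > 100)], ["log"])
    gt1000 = Entry("hdr>1000",
                   [MatchCmd("request header length", lambda p: p["hdr_len"] > 1000)], ["reset"])
    return [gt1000, gt100] if reverse else [gt100, gt1000]


if __name__ == "__main__":
    print([e.name for e in order_entries(ftp_policy())])            # ['ftp1', 'ftp3', 'ftp2']
    pkt = {"hdr_len": 1001}                                          # constructed header length
    print(apply_inspection_policy(http_header_policy(), pkt))       # logged, then reset
    print(apply_inspection_policy(http_header_policy(True), pkt))   # reset only, never logged
```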
Step 3 To configure parameters that affect the inspection engine, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
The CLI enters parameters configuration mode. For the parameters available for each application, see
Chapter 25, “Configuring Application Layer Protocol Inspection.”
The following is an example of an HTTP inspection policy map and the related class maps. This policy
map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example.com
hostname(config)# regex url_example2 example2.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2
hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs
hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log
hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test (a Layer 3/4 class map not shown)
hostname(config-pmap-c)# inspect http http-map1
hostname(config-pmap-c)# service-policy test interface outside
Identifying Traffic in an Inspection Class Map
This type of class map allows you to match criteria that are specific to an application. For example, for
DNS traffic, you can match the domain name in a DNS query.
Note Not all applications support inspection class maps. See the CLI help for a list of supported applications.
A class map groups multiple traffic matches. Traffic must match all of the match criteria to match the
class map. You can alternatively identify the traffic you want to match directly in the policy map. The
difference between creating a class map and defining the traffic match directly in the inspection policy
map is that the class map lets you group multiple matches, and you can reuse class maps. For the traffic
that you identify in this class map, you can specify actions such as dropping, resetting, and/or logging
the connection in the inspection policy map. If you want to perform different actions on different types
of traffic, you should identify the traffic directly in the policy map.
To define an inspection class map, perform the following steps:
Step 1 Create a class map by entering the following command:
hostname(config)# class-map type inspect application [match-all] class_map_name
hostname(config-cmap)#
Where the application is the application you want to inspect. For supported applications, see Chapter 25,
“Configuring Application Layer Protocol Inspection.”
The class_map_name argument is the name of the class map up to 40 characters in length.
The match-all keyword is the default, and specifies that traffic must match all criteria to match the class
map.
The CLI enters class-map configuration mode, where you can enter one or more match commands.
Step 2 (Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by entering one or more match commands available for your
application.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string “example.com,” then any traffic that includes “example.com”
does not match the class map.
To see the match commands available for each application, see Chapter 25, “Configuring Application
Layer Protocol Inspection.”
The following example creates an HTTP class map that must match all criteria:
hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs
Creating a Regular Expression
A regular expression matches text strings either literally as an exact string, or by using metacharacters
so you can match multiple variants of a text string. You can use a regular expression to match the content
of certain application traffic; for example, you can match a URL string inside an HTTP packet.
Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For
example, type d[Ctrl+V]?g to enter d?g in the configuration.
See the regex command in the Cisco Security Appliance Command Reference for performance impact
information when matching a regular expression to packets.
Note As an optimization, the security appliance searches on the deobfuscated URL. Deobfuscation
compresses multiple forward slashes (/) into a single slash. For strings that commonly use double
slashes, like “http://”, be sure to search for “http:/” instead.
Table 21-1 lists the metacharacters that have special meanings.
Table 21-1 regex Metacharacters (character, description, notes)
.        Dot. Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
(exp)    Subexpression. A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.
|        Alternation. Matches either expression it separates. For example, dog|cat matches dog or cat.
?        Question mark. A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose. Note: You must enter Ctrl+V and then the question mark, or else the help function is invoked.
*        Asterisk. A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on.
+        Plus. A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
{x}      Repeat quantifier. Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.
{x,}     Minimum repeat quantifier. Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, and so on.
[abc]    Character class. Matches any character in the brackets. For example, [abc] matches a, b, or c.
[^abc]   Negated character class. Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.
[a-c]    Character range class. Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].
""       Quotation marks. Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match.
^        Caret. Specifies the beginning of a line.
\        Escape character. When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
char     Character. When character is not a metacharacter, matches the literal character.
\r       Carriage return. Matches a carriage return 0x0d.
\n       Newline. Matches a new line 0x0a.
\t       Tab. Matches a tab 0x09.
\f       Formfeed. Matches a form feed 0x0c.
\xNN     Escaped hexadecimal number. Matches an ASCII character using hexadecimal (exactly two digits).
\NNN     Escaped octal number. Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.
To test and create a regular expression, perform the following steps:
Step 1 To test a regular expression to make sure it matches what you think it will match, enter the following
command:
hostname(config)# test regex input_text regular_expression
Where the input_text argument is a string you want to match using the regular expression, up to 201
characters in length.
The regular_expression argument can be up to 100 characters in length.
Use Ctrl+V to escape all of the special characters in the CLI. For example, to enter a tab in the input
text in the test regex command, you must enter test regex "test[Ctrl+V Tab]" "test\t".
If the regular expression matches the input text, you see the following message:
INFO: Regular expression match succeeded.
If the regular expression does not match the input text, you see the following message:
INFO: Regular expression match failed.
Step 2 To add a regular expression after you tested it, enter the following command:
hostname(config)# regex name regular_expression
Where the name argument can be up to 40 characters in length.
The regular_expression argument can be up to 100 characters in length.
The following example creates two regular expressions for use in an inspection policy map:
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
Creating a Regular Expression Class Map
A regular expression class map identifies one or more regular expressions. You can use a regular
expression class map to match the content of certain traffic; for example, you can match URL strings
inside HTTP packets.
To create a regular expression class map, perform the following steps:
Step 1 Create one or more regular expressions according to the “Creating a Regular Expression” section.
Step 2 Create a class map by entering the following command:
hostname(config)# class-map type regex match-any class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map.
The match-any keyword specifies that the traffic matches the class map if it matches only one of the
regular expressions.
The CLI enters class-map configuration mode.
Step 3 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 4 Identify the regular expressions you want to include by entering the following command for each regular
expression:
hostname(config-cmap)# match regex regex_name
The following example creates two regular expressions, and adds them to a regular expression class map.
Traffic matches the class map if it includes the string “example.com” or “example2.com.”
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2
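The regex examples above, the test regex step, and the slash-compression note in "Creating a Regular Expression", modelled in Python as an added example (not appliance code). Python's re module stands in for the appliance's regex engine for the metacharacters involved, the deobfuscation here does only what the note describes (collapsing repeated slashes), and the sample URLs are constructed.

```python
import re

# Length limits stated for the test regex and regex commands.
MAX_INPUT_TEXT = 201
MAX_REGEX = 100


def deobfuscate_url(url: str) -> str:
    """Collapse runs of forward slashes, as the note describes the appliance
    doing before it searches a URL (so 'http://' becomes 'http:/')."""
    return re.sub(r"/+", "/", url)


def run_test_regex(input_text: str, regular_expression: str) -> str:
    """Model of 'test regex input_text regular_expression' and its INFO output."""
    if len(input_text) > MAX_INPUT_TEXT:
        raise ValueError(f"input text is limited to {MAX_INPUT_TEXT} characters")
    if len(regular_expression) > MAX_REGEX:
        raise ValueError(f"regular expression is limited to {MAX_REGEX} characters")
    if re.search(regular_expression, input_text):
        return "INFO: Regular expression match succeeded."
    return "INFO: Regular expression match failed."


def url_matches(url: str, regular_expression: str) -> bool:
    """Whether a URI match on this regex would fire for the given URL:
    the search runs on the deobfuscated URL, not the raw one."""
    return re.search(regular_expression, deobfuscate_url(url)) is not None


if __name__ == "__main__":
    url = "http://www.example.com//images///logo.png"      # constructed sample
    print(deobfuscate_url(url))                             # http:/www.example.com/images/logo.png
    print(url_matches(url, r"http://"))                     # False: the double slash is gone
    print(url_matches(url, r"http:/"))                      # True
    # The first regex example in this chapter uses example.com with an unescaped
    # dot, which matches any character; the escaped form does not.
    print(url_matches("http://www.exampleXcom/", r"example.com"))   # True
    print(url_matches("http://www.exampleXcom/", r"example\.com"))  # False
    print(run_test_regex("test\t", r"test\t"))              # match succeeded
```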
Defining Actions (Layer 3/4 Policy Map)
This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy
map. This section includes the following topics:
• Layer 3/4 Policy Map Overview, page 21-15
• Default Layer 3/4 Policy Map, page 21-18
• Adding a Layer 3/4 Policy Map, page 21-19
Layer 3/4 Policy Map Overview
This section describes how Layer 3/4 policy maps work, and includes the following topics:
• Policy Map Guidelines, page 21-16
• Supported Feature Types, page 21-16
• Hierarchical Policy Maps, page 21-16
• Feature Directionality, page 21-17
• Feature Matching Guidelines within a Policy Map, page 21-17
• Feature Matching Guidelines for multiple Policy Maps, page 21-18
• Order in Which Multiple Feature Actions are Applied, page 21-18
Policy Map Guidelines
See the following guidelines for using policy maps:
• You can only assign one policy map per interface.
• You can apply the same policy map to multiple interfaces.
• You can identify multiple Layer 3/4 class maps in a Layer 3/4 policy map.
• For each class map, you can assign multiple actions from one or more feature types.
• You can create a hierarchical policy map. See the “Hierarchical Policy Maps” section on page 21-16.
Supported Feature Types
Feature types supported by the Modular Policy Framework that you can enable in the policy map include
the following:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number
randomization
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue
Hierarchical Policy Maps
If you enable QoS traffic shaping for a class map, then you can optionally enable priority queueing for
a subset of shaped traffic. To do so, you need to create a policy map for the priority queueing, and then
within the traffic shaping policy map, you can call the priority class map. Only the traffic shaping class
map is applied to an interface.
See Chapter 24, “Configuring QoS,” for more information about this feature.
Hierarchical policy maps are only supported for traffic shaping and priority queueing.
To implement a hierarchical policy map, perform the following tasks:
1. Identify the prioritized traffic according to the “Identifying Traffic (Layer 3/4 Class Map)” section
on page 21-4.
You can create multiple class maps to be used in the hierarchical policy map.
2. Create a policy map according to the “Defining Actions (Layer 3/4 Policy Map)” section on
page 21-15, and identify the sole action for each class map as priority.
3. Create a separate policy map according to the “Defining Actions (Layer 3/4 Policy Map)” section
on page 21-15, and identify the shape action for the class-default class map.
Traffic shaping can only be applied to the class-default class map.
4. For the same class map, identify the priority policy map that you created in Step 2 using the
service-policy priority_policy_map command.
5. Apply the shaping policy map to the interface according to the “Applying Actions to an Interface (Service
Policy)” section on page 21-21.
Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features
that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy
map is affected if the traffic matches the class map for both directions.
Note When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions so
bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that exits the
interface to which you apply the policy map is affected. See Table 21-2 for the directionality of each
feature.
Feature Matching Guidelines within a Policy Map
See the following guidelines for how a packet matches class maps in a policy map:
• A packet can match only one class map in the policy map for each feature type.
• When the packet matches a class map for a feature type, the security appliance does not attempt to
match it to any subsequent class maps for that feature type.
• If the packet matches a subsequent class map for a different feature type, however, then the security
appliance also applies the actions for the subsequent class map.
For example, if a packet matches a class map for connection limits, and also matches a class map for
application inspection, then both class map actions are applied. If a packet matches a class map for
application inspection, but also matches another class map that includes application inspection, then the
second class map actions are not applied.
Table 21-2 Feature Directionality (feature: single interface direction; global direction)
TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization: Bidirectional; Ingress
CSC: Bidirectional; Ingress
Application inspection: Bidirectional; Ingress
IPS: Bidirectional; Ingress
QoS input policing: Ingress; Ingress
QoS output policing: Egress; Egress
QoS standard priority queue: Egress; Egress
QoS traffic shaping, hierarchical priority queue: Egress; Egress
Feature Matching Guidelines for multiple Policy Maps
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), Modular Policy
Framework operates on traffic flows, and not just individual packets. If traffic is part of an existing
connection that matches a feature in a policy on one interface, that traffic flow cannot also match the
same feature in a policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS inspection on the inside and outside interfaces, but the inside policy uses virtual
sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor
1 outbound, but will match virtual sensor 2 inbound.
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map. Actions are performed in the following order:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number
randomization
Note When the security appliance performs a proxy service (such as AAA or CSC) or it modifies
the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is
applied before and after the proxy or payload modifying service.
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue
Default Layer 3/4 Policy Map
The configuration includes a default Layer 3/4 policy map that the security appliance uses in the default
global policy. It is called global_policy and performs inspection on the default inspection traffic. You
can only apply one global policy, so if you want to alter the global policy, you need to either reconfigure
the default policy or disable it and apply a new one.
The default policy map configuration includes the following commands:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
Adding a Layer 3/4 Policy Map
The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following
steps:
Step 1 Add the policy map by entering the following command:
hostname(config)# policy-map policy_map_name
The policy_map_name argument is the name of the policy map up to 40 characters in length. All types
of policy maps use the same name space, so you cannot reuse a name already used by another type of
policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) Specify a description for the policy map:
hostname(config-pmap)# description text
Step 3 Specify a previously configured Layer 3/4 class map using the following command:
hostname(config-pmap)# class class_map_name
See the “Identifying Traffic (Layer 3/4 Class Map)” section on page 21-4 to add a class map.
Step 4 Specify one or more actions for this class map.
• IPS. See the “Diverting Traffic to the AIP SSM” section on page 22-2.
• CSC. See the “Diverting Traffic to the CSC SSM” section on page 22-11.
• TCP normalization. See the “Configuring TCP Normalization” section on page 23-1.
• TCP and UDP connection limits and timeouts, and TCP sequence number randomization. See the
“Configuring Connection Limits and Timeouts” section on page 23-6.
• QoS. See Chapter 24, “Configuring QoS.”
Note You can configure a hierarchical policy map for the traffic shaping and priority queue
features. See the “Hierarchical Policy Maps” section on page 21-16 for more information.
• Application inspection. See Chapter 25, “Configuring Application Layer Protocol Inspection.”
Note If there is no match default-inspection-traffic command in a class map, then at most one
inspect command can be configured under the class.
Step 5 Repeat Step 3 and Step 4 for each class map you want to include in this policy map.
The following is an example of a policy-map command for connection policy. It limits the number of
connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout tcp 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is
initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match
class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the security
appliance does not make this match because they previously matched other classes.
Applying Actions to an Interface (Service Policy)
To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or
that applies it globally to all interfaces. Interface service policies take precedence over the global service
policy for a given feature. For example, if you have a global policy with inspections, and an interface
policy with TCP normalization, then both inspections and TCP normalization are applied to the
interface. However, if you have a global policy with inspections, and an interface policy with
inspections, then only the interface policy inspections are applied to that interface.
• To create a service policy by associating a policy map with an interface, enter the following
command:
hostname(config)# service-policy policy_map_name interface interface_name
• To create a service policy that applies to all interfaces that do not have a specific policy, enter the
following command:
hostname(config)# service-policy policy_map_name global
By default, the configuration includes a global policy that matches all default application inspection
traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you
want to alter the global policy, you need to either edit the default policy or disable it and apply a new
one.
The default service policy includes the following command:
service-policy global_policy global
For example, the following command enables the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called
new_global_policy on all other security appliance interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global
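An added model (not Cisco code) of the Layer 3/4 rules above: first match per feature type within a policy map (the telnet_traffic/ftp_traffic/tcp_traffic example), interface-policy precedence over the global policy feature by feature, and the fixed order in which feature actions are applied. The ACTION_FEATURE mapping and the DEFAULT_INSPECTION_PORTS subset are constructed assumptions, and the packets are constructed dictionaries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Fixed order in which feature actions are applied (from 'Order in Which
# Multiple Feature Actions are Applied').
FEATURE_ORDER = [
    "QoS input policing", "TCP normalization and connection limits", "CSC",
    "Application inspection", "IPS", "QoS output policing",
    "QoS standard priority queue", "QoS traffic shaping",
]
# Constructed mapping from the start of an action command to its feature type
# (only the feature types the example actions below need).
ACTION_FEATURE = {
    "police input": "QoS input policing",
    "set connection": "TCP normalization and connection limits",
    "inspect": "Application inspection",
    "police output": "QoS output policing",
    "priority": "QoS standard priority queue",
}
# Constructed subset of the ports that 'match default-inspection-traffic' covers.
DEFAULT_INSPECTION_PORTS = {80}


@dataclass
class ClassMap:
    name: str
    matches: Callable[[dict], bool]


@dataclass
class PolicyMap:
    name: str
    # (class map, its action commands) in the order they appear in the config
    entries: List[Tuple[ClassMap, List[str]]]


def feature_of(action: str) -> str:
    for prefix, feature in ACTION_FEATURE.items():
        if action.startswith(prefix):
            return feature
    raise ValueError(f"unrecognised action: {action}")


def match_policy(policy: PolicyMap, packet: dict) -> Dict[str, Tuple[str, List[str]]]:
    """Per feature type, the FIRST matching class map and its actions for that
    feature; later class maps only count for feature types not yet claimed."""
    chosen: Dict[str, Tuple[str, List[str]]] = {}
    for cmap, actions in policy.entries:
        if not cmap.matches(packet):
            continue
        for action in actions:
            owner, owned = chosen.setdefault(feature_of(action), (cmap.name, []))
            if owner == cmap.name:
                owned.append(action)
    return chosen


def effective_actions(global_pm: Optional[PolicyMap], interface_pm: Optional[PolicyMap],
                      packet: dict) -> List[Tuple[str, str, str]]:
    """(feature, class map, action) triples in the order they are applied.
    The interface policy wins over the global policy, feature type by feature type."""
    chosen = match_policy(global_pm, packet) if global_pm else {}
    if interface_pm:
        chosen.update(match_policy(interface_pm, packet))
    return [(feature, chosen[feature][0], action)
            for feature in FEATURE_ORDER if feature in chosen
            for action in chosen[feature][1]]


def tcp_port(port: int) -> Callable[[dict], bool]:
    return lambda p: p["proto"] == "tcp" and p["dport"] == port


def global_policy() -> PolicyMap:
    """The telnet_traffic / ftp_traffic / tcp_traffic example above."""
    return PolicyMap("global_policy", [
        (ClassMap("telnet_traffic", tcp_port(23)),
         ["set connection timeout tcp 0:0:0", "set connection conn-max 100"]),
        (ClassMap("ftp_traffic", tcp_port(21)),
         ["set connection timeout tcp 0:5:0", "set connection conn-max 50"]),
        (ClassMap("tcp_traffic", lambda p: p["proto"] == "tcp"),
         ["set connection timeout tcp 2:0:0", "set connection conn-max 2000"]),
    ])


def outside_policy() -> PolicyMap:
    """A reduced form of the outside_policy multi-match example above."""
    in_default = lambda p: p["proto"] == "tcp" and p["dport"] in DEFAULT_INSPECTION_PORTS
    return PolicyMap("outside_policy", [
        (ClassMap("inspection_default", in_default), ["inspect http http_map"]),
        (ClassMap("http_traffic", tcp_port(80)), ["set connection timeout tcp 0:10:0"]),
    ])


if __name__ == "__main__":
    # Telnet: telnet_traffic claims the connection feature; tcp_traffic also matches but is skipped.
    print(effective_actions(global_policy(), outside_policy(), {"proto": "tcp", "dport": 23}))
    # HTTP on outside: the interface policy supplies both the connection limits and the inspection.
    print(effective_actions(global_policy(), outside_policy(), {"proto": "tcp", "dport": 80}))
```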
Modular Policy Framework Examples
This section includes several Modular Policy Framework examples, and includes the following topics:
• Applying Inspection and QoS Policing to HTTP Traffic, page 21-22
• Applying Inspection to HTTP Traffic Globally, page 21-22
• Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 21-23
• Applying Inspection to HTTP Traffic with NAT, page 21-24
Applying Inspection and QoS Policing to HTTP Traffic
In this example (see Figure 21-1), any HTTP connection (TCP traffic on port 80) that enters or exits the
security appliance through the outside interface is classified for HTTP inspection. Any HTTP traffic that
exits the outside interface is classified for policing.
Figure 21-1 HTTP Inspection and QoS Policing
See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside
Applying Inspection to HTTP Traffic Globally
In this example (see Figure 21-2), any HTTP connection (TCP traffic on port 80) that enters the security
appliance through any interface is classified for HTTP inspection. Because the policy is a global policy,
inspection occurs only as the traffic enters each interface.
Figure 21-2 Global HTTP Inspection
See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example (see Figure 21-3), any HTTP connection destined for Server A (TCP traffic on port 80)
that enters the security appliance through the outside interface is classified for HTTP inspection and
maximum connection limits. Connections initiated from Server A to Host A do not match the access
list in the class map, so they are not affected.
Any HTTP connection destined for Server B that enters the security appliance through the inside
interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match
the access list in the class map, so they are not affected.
Figure 21-3 HTTP Inspection and Connection Limits to Specific Servers
See the following commands for this example:
hostname(config)# static (inside,outside) 209.165.201.1 192.168.1.2
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.2
hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 209.165.200.227 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside
In Figure 21-3, Server A (inside) has real address 192.168.1.2 and mapped address 209.165.201.1; Host B (inside) has real address 192.168.1.1 and is translated by PAT to 209.165.201.2 with a dynamic port; Host A (209.165.200.226) and Server B (209.165.200.227) are on the outside.
Applying Inspection to HTTP Traffic with NAT
In this example, the host on the inside network has two addresses: one is the real IP address 192.168.1.1,
and the other is a mapped IP address used on the outside network, 209.165.200.225. Because the policy
is applied to the inside interface, where the real address is used, you must use the real IP address in
the access list in the class map. If you applied it to the outside interface, you would use the mapped
address.
Figure 21-4 HTTP Inspection with NAT
See the following commands for this example:
hostname(config)# static (inside,outside) 209.165.200.225 192.168.1.1
hostname(config)# access-list http_client extended permit tcp host 192.168.1.1 any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list http_client
hostname(config)# policy-map http_client
hostname(config-pmap)# class http_client
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_client interface inside
In Figure 21-4, the inside host has real IP 192.168.1.1 and mapped IP 209.165.200.225; the outside server is 209.165.201.1, port 80.
Chapter 22
Managing AIP SSM and CSC SSM
The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter
describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM,
including how to send traffic to these SSMs.
For information about the 4GE SSM for the ASA 5500 series adaptive security appliance, see Chapter 5,
“Configuring Ethernet Settings and Subinterfaces”.
Note The Cisco PIX 500 series security appliances cannot support SSMs.
This chapter includes the following sections:
• Managing the AIP SSM, page 22-1
• Managing the CSC SSM, page 22-5
• Checking SSM Status, page 22-13
• Transferring an Image onto an SSM, page 22-14
Managing the AIP SSM
This section contains the following topics:
• About the AIP SSM, page 22-1
• Getting Started with the AIP SSM, page 22-2
• Diverting Traffic to the AIP SSM, page 22-2
• Sessioning to the AIP SSM and Running Setup, page 22-4
About the AIP SSM
The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced
IPS software that provides further security inspection. The adaptive security appliance diverts packets
to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if
configured) and after other firewall policies are applied. For example, packets that are blocked by an
access list are not forwarded to the AIP SSM.
The AIP SSM can operate in one of two modes, as follows:
• Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the
adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This
mode is the most secure because every packet is analyzed before being allowed through. Also, the
AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can
affect throughput. You specify this mode with the inline keyword of the ips command.
• Promiscuous mode—Sends a duplicate stream of traffic to the AIP SSM. This mode is less secure,
but has little impact on traffic throughput. Unlike operation in inline mode, an SSM operating in
promiscuous mode can block traffic only by instructing the adaptive security appliance to shun the
traffic or to reset a connection. Also, while the AIP SSM is analyzing the traffic, a small amount of
traffic might pass through the adaptive security appliance before the AIP SSM can block it. You
specify this mode with the promiscuous keyword of the ips command.
You can specify how the adaptive security appliance treats traffic when the AIP SSM is unavailable due
to hardware failure or other causes. Two keywords of the ips command control this behavior. The
fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable.
The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if
the AIP SSM is unavailable.
For more information about configuring the operating mode of the AIP SSM and how the adaptive
security appliance treats traffic during an AIP SSM failure, see the “Diverting Traffic to the AIP SSM”
section on page 22-2.
Getting Started with the AIP SSM
Configuring the AIP SSM is a two-part process that involves configuration of the ASA 5500 series
adaptive security appliance first, and then configuration of the AIP SSM:
1. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM (as
described in the “Diverting Traffic to the AIP SSM” section on page 22-2).
2. On the AIP SSM, configure the inspection and protection policy, which determines how to inspect
traffic and what to do when an intrusion is detected. Because the IPS software that runs on the AIP
SSM is very robust and beyond the scope of this document, detailed configuration information is
available in the following separate documentation:
• Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
• Cisco Intrusion Prevention System Command Reference
Diverting Traffic to the AIP SSM
You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM.
Before configuring the adaptive security appliance to do so, read Chapter 21, “Using Modular Policy
Framework,” which introduces MPF concepts and common commands.
To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following
steps:
Step 1 Create an access list that matches all traffic:
hostname(config)# access-list acl-name permit ip any any
Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-map
command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the
CLI enters class map configuration mode.
Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be
scanned:
hostname(config-cmap)# match access-list acl-name
Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the AIP
SSM. To do so, use the policy-map command, as follows.
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters the policy map configuration
mode and the prompt changes accordingly.
Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command
to do so, as follows.
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy
map class configuration mode and the prompt changes accordingly.
Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM. Use the ips command
to do so, as follows.
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and
fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is
unavailable. For more information about the operating modes and failure behavior, see the “About the
AIP SSM” section on page 22-1.
Step 7 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map
to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on
a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to
the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.
The adaptive security appliance begins diverting traffic to the AIP SSM as specified.
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP
traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global
For a complete example of network traffic diversion from the adaptive security appliance to the AIP
SSM, see Example 16: Network Traffic Diversion.
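The following script is an added example and not part of the Cisco guide. It reads configuration text in the running-config syntax used in this chapter and in Chapter 21 and checks two points the guide states in prose: from “Applying Inspection to HTTP Traffic with NAT”, that a class map access list must use the real address when its policy is applied on the real-address side of a static translation and the mapped address on the other side; and from “About the AIP SSM”, that an ips action configured fail-open passes traffic uninspected whenever the SSM is down. The SAMPLE_CONFIG, the policy map names wrong_side and dmz-ips, and the dmz interface are constructed for this example.

```python
"""Audit ASA MPF configuration text (added example, not code from the Cisco guide).
Parses the running-config syntax the guide uses (static, access-list, class-map/match,
policy-map/class/ips, service-policy) and checks (1) that a class-map access list uses
the real address on the real-address side of a static NAT rule and the mapped address on
the other side, and (2) the failure behaviour of every `ips` action. SAMPLE_CONFIG is constructed."""
from dataclasses import dataclass, field


@dataclass
class MpfConfig:
    statics: list = field(default_factory=list)        # (real_if, mapped_if, mapped_ip, real_ip)
    acls: dict = field(default_factory=dict)           # acl name -> list of ACE token lists
    class_acl: dict = field(default_factory=dict)      # class-map name -> acl name
    pmap_classes: dict = field(default_factory=dict)   # policy-map name -> class names
    ips: dict = field(default_factory=dict)            # (policy-map, class) -> (mode, failure)
    applied: dict = field(default_factory=dict)        # policy-map -> ["global"] or interface names


def parse(config: str) -> MpfConfig:
    """One pass over the text; `section` tracks the class-map or policy-map block being read."""
    cfg, section = MpfConfig(), None
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "!":
            continue
        kw = t[0]
        if kw == "static":                               # static (real_if,mapped_if) mapped_ip real_ip
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg.statics.append((real_if, mapped_if, t[2], t[3]))
        elif kw == "access-list":
            cfg.acls.setdefault(t[1], []).append(t[2:])
        elif kw == "class-map":
            section = ("class-map", t[1], None)
        elif kw == "policy-map":                         # `policy-map type ...` blocks hold no ips action
            section = None if t[1] == "type" else ("policy-map", t[1], None)
            if section:
                cfg.pmap_classes.setdefault(t[1], [])
        elif kw == "service-policy":
            cfg.applied.setdefault(t[1], []).append("global" if t[2] == "global" else t[3])
            section = None
        elif section and section[0] == "class-map" and t[:2] == ["match", "access-list"]:
            cfg.class_acl[section[1]] = t[2]
        elif section and section[0] == "policy-map" and kw == "class":
            section = ("policy-map", section[1], t[1])
            cfg.pmap_classes[section[1]].append(t[1])
        elif section and section[0] == "policy-map" and kw == "ips" and section[2]:
            cfg.ips[(section[1], section[2])] = (t[1], t[2])
    return cfg


def check_nat_addresses(cfg: MpfConfig) -> list:
    """An interface policy sees the address form used on that interface; flag the wrong one."""
    findings = []
    for pmap, targets in cfg.applied.items():
        for iface in (i for i in targets if i != "global"):
            for cls in cfg.pmap_classes.get(pmap, []):
                addrs = {tok for ace in cfg.acls.get(cfg.class_acl.get(cls), []) for tok in ace}
                for real_if, mapped_if, mapped_ip, real_ip in cfg.statics:
                    if iface == mapped_if and real_ip in addrs:
                        findings.append(f"{pmap} on {iface}: class {cls} matches real address {real_ip}; use mapped address {mapped_ip} here")
                    if iface == real_if and mapped_ip in addrs:
                        findings.append(f"{pmap} on {iface}: class {cls} matches mapped address {mapped_ip}; use real address {real_ip} here")
    return findings


def check_ips_failure_mode(cfg: MpfConfig) -> list:
    """fail-open passes diverted traffic uninspected while the SSM is down; promiscuous can only shun/reset."""
    findings = []
    for (pmap, cls), (mode, failure) in cfg.ips.items():
        where = ", ".join(cfg.applied.get(pmap, [])) or "not applied by any service-policy"
        if failure == "fail-open":
            findings.append(f"WARN {pmap}/{cls}: ips {mode} fail-open ({where}): traffic passes uninspected if the SSM is unavailable")
        if mode == "promiscuous":
            findings.append(f"INFO {pmap}/{cls}: ips promiscuous ({where}): copy of traffic only; blocking relies on shun or connection reset")
    return findings


# Constructed sample: the guide's NAT example, a wrong-side copy of it applied on the outside
# interface, the guide's promiscuous fail-close example, and a fail-open policy on a hypothetical dmz.
SAMPLE_CONFIG = """
static (inside,outside) 209.165.200.225 192.168.1.1
access-list http_client extended permit tcp host 192.168.1.1 any eq 80
access-list IPS extended permit ip any any
class-map http_client
 match access-list http_client
class-map my-ips-class
 match access-list IPS
policy-map http_client
 class http_client
  inspect http
policy-map wrong_side
 class http_client
  inspect http
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-close
policy-map dmz-ips
 class my-ips-class
  ips inline fail-open
service-policy http_client interface inside
service-policy wrong_side interface outside
service-policy my-ips-policy global
service-policy dmz-ips interface dmz
"""
```

Run parse(SAMPLE_CONFIG) and print the two check functions' results: wrong_side is reported because it matches the real address 192.168.1.1 on the outside interface, and dmz-ips is reported because it is fail-open, while the guide's own http_client and my-ips-policy produce no warning. Feed the output of show running-config to parse() to audit a live appliance; the parser only understands the statements listed in the docstring and ignores everything else.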
Sessioning to the AIP SSM and Running Setup
After you have completed configuration of the ASA 5500 series adaptive security appliance to divert
traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration.
Note You can either session to the SSM from the adaptive security appliance (by using the session 1
command) or you can connect directly to the SSM using SSH or Telnet on its management interface.
Alternatively, you can use ASDM.
To session to the AIP SSM from the adaptive security appliance, perform the following steps:
Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive security appliance to the AIP
SSM:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 2 Enter the username and password. The default username and password are both cisco.
Note The first time you log in to the AIP SSM you are prompted to change the default password.
Passwords must be at least eight characters long and not a dictionary word.
login: cisco
Password:
Last login: Fri Sep 2 06:21:20 from xxx.xxx.xxx.xxx
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
AIP SSM#
Note If you see the preceding license notice (which displays only in some versions of software), you can
ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM
continues to operate at the current signature level until a valid license key is installed. You can install
the license key at a later time. The license key does not affect the current functionality of the AIP SSM.
Step 3 Enter the setup command to run the setup utility for initial configuration of the AIP SSM:
AIP SSM# setup
You are now ready to configure the AIP SSM for intrusion prevention. See the following two guides for
AIP SSM configuration information:
• Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
• Cisco Intrusion Prevention System Command Reference
Managing the CSC SSM
This section contains the following topics:
• About the CSC SSM, page 22-5
• Getting Started with the CSC SSM, page 22-7
• Determining What Traffic to Scan, page 22-9
• Limiting Connections Through the CSC SSM, page 22-11
• Diverting Traffic to the CSC SSM, page 22-11
About the CSC SSM
The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security
and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Figure 22-1 illustrates the flow of traffic through an adaptive security appliance that has the following:
• A CSC SSM installed and setup.
• A service policy that determines what traffic is diverted to the SSM for scans.
In this example, the client could be a network user who is accessing a website, downloading files from
an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure
the adaptive security appliance to scan traffic sent from outside to SMTP servers protected by the
adaptive security appliance.
Note The CSC SSM can scan FTP file transfers only when FTP inspection is enabled on the adaptive security
appliance. By default, FTP inspection is enabled.
Figure 22-1 Flow of Scanned Traffic with CSC SSM
You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content
security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking
links within ASDM. Use of the CSC SSM GUI is explained in the Trend Micro InterScan for Cisco CSC
SSM Administrator Guide.
Note ASDM and the CSC SSM maintain separate passwords. You can configure their passwords to be
identical; however, changing one of these two passwords does not affect the other password.
The connection between the host running ASDM and the adaptive security appliance is made through a
management port on the adaptive security appliance. The connection to the CSC SSM GUI is made
through the SSM management port. Because these two connections are required to manage the CSC
SSM, any host running ASDM must be able to reach the IP address of both the adaptive security
appliance management port and the SSM management port.
Figure 22-2 shows an adaptive security appliance with a CSC SSM that is connected to a dedicated
management network. While use of a dedicated management network is not required, we recommend it.
Of particular interest in Figure 22-2 are the following:
• An HTTP proxy server is connected to the inside network and to the management network. This
enables the CSC SSM to contact the Trend Micro update server.
• The management port of the adaptive security appliance is connected to the management network.
To permit management of the adaptive security appliance and the CSC SSM, hosts running ASDM
must be connected to the management network.
• The management network includes an SMTP server for email notifications for the CSC SSM and a
syslog server that the CSC SSM can send syslog messages to.
In Figure 22-1, the client's request enters the inside interface of the adaptive security appliance main system; the modular service policy diverts the connection's traffic to the CSC SSM for a content security scan, the request is forwarded out the outside interface to the server, and the server's reply is forwarded back along the same path to the client.
Figure 22-2 CSC SSM Deployment with a Management Network
The CSC SSM cannot support stateful failover, because the CSC SSM does not maintain connection
information and therefore cannot provide the failover unit with the information necessary for stateful
failover. The connections that a CSC SSM is scanning are dropped when the security appliance that the
CSC SSM is installed in fails. When the standby adaptive security appliance becomes active, it forwards
the scanned traffic to its own CSC SSM and the connections are reset.
Getting Started with the CSC SSM
Before you receive the security benefits provided by a CSC SSM, you must perform several steps beyond
simple hardware installation of the SSM. This procedure provides an overview of those steps.
To configure the adaptive security appliance and the CSC SSM, follow these steps:
Step 1 If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance,
install it and connect a network cable to the management port of the SSM. For assistance with installation
and connecting the SSM, see the Cisco ASA 5500 Series Hardware Installation Guide.
The management port of the CSC SSM must be connected to your network to allow management of
and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management
port for email notifications and syslogging.
Step 2 With the CSC SSM, you should have received a Product Authorization Key (PAK). Use the PAK to
register the CSC SSM at the following URL.
http://www.cisco.com/go/license
After you register, you will receive activation keys by email. The activation keys are required before you
can complete Step 6.
Step 3 Gather the following information, for use in Step 6.
• Activation keys, received after completing Step 2.
• SSM management port IP address, netmask, and gateway IP address.
Figure 22-2 shows the adaptive security appliance main system with its inside, outside and management ports, the CSC SSM management port, and a management network carrying the ASDM host, a syslog server and the notification SMTP server (192.168.50.38); an HTTP proxy is connected to both the inside network and the management network and reaches the Trend Micro update server on the Internet. Other addresses that appear in the figure are 192.168.100.1, 192.168.50.1 and 10.6.13.67.
Note The SSM management port IP address must be accessible by the hosts used to run ASDM.
The IP addresses for the SSM management port and the adaptive security appliance
management interface can be in different subnets.
• DNS server IP address.
• HTTP proxy server IP address (required only if your security policies require use of a proxy server
for HTTP access to the Internet).
• Domain name and hostname for the SSM.
• An email address and an SMTP server IP address and port number, for email notifications.
• IP addresses of hosts or networks allowed to manage the CSC SSM.
• Password for the CSC SSM.
Step 4 In a web browser, access ASDM for the adaptive security appliance that the CSC SSM is in.
Note If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security
Appliance Getting Started Guide for assistance with the Startup Wizard.
For more information about enabling ASDM access, see the “Allowing HTTPS Access for ASDM”
section on page 40-3.
Step 5 Verify time settings on the adaptive security appliance. Time setting accuracy is important for logging
of security events and for automatic updates of CSC SSM software.
• If you manually control time settings, verify the clock settings, including time zone. Choose
Configuration > Properties > Device Administration > Clock.
• If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device
Administration > NTP.
Step 6 In ASDM, run the Content Security setup wizard. To do so, access the ASDM GUI in a supported web
browser and on the Home page, click the Content Security tab. The Content Security setup wizard runs.
For assistance with the Content Security setup wizard, click the Help button.
Note If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security
Appliance Getting Started Guide for assistance with the Startup Wizard.
Step 7 On the ASA 5500 series adaptive security appliance, identify traffic to divert to the CSC SSM (as
described in the “Diverting Traffic to the CSC SSM” section on page 22-11).
Step 8 (Optional) Review the default content security policies in the CSC SSM GUI. The default content
security policies are suitable for most implementations. Modifying them is advanced configuration that
you should perform only after reading the Trend Micro InterScan for Cisco CSC SSM Administrator
Guide.
You review the content security policies by viewing the enabled features in the CSC SSM GUI. The
availability of features depends on the license level you purchased. By default, all features included in
the license you purchased are enabled.
With a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and
content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking,
logging, and automatic updates.
With a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content
filtering, POP3 anti-spam, URL blocking, and URL filtering.
To access the CSC SSM GUI, in ASDM choose Configuration > Trend Micro Content Security, and
then select one of the following: Web, Mail, File Transfer, or Updates. The blue links on these panes,
beginning with the word “Configure”, open the CSC SSM GUI.
Determining What Traffic to Scan
The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the
destination port of the packet requesting the connection is the well known port for the protocol, that is,
CSC SSM can scan only the following connections:
• FTP connections opened to TCP port 21.
• HTTP connections opened to TCP port 80.
• POP3 connections opened to TCP port 110.
• SMTP connections opened to TCP port 25.
You can choose to scan traffic for all of these protocols or any combination of them. For example, if you
do not allow network users to receive POP3 email, you would not want to configure the adaptive security
appliance to divert POP3 traffic to the CSC SSM (you would want to block it instead).
To maximize performance of the adaptive security appliance and the CSC SSM, divert to the CSC SSM
only the traffic that you want the CSC SSM to scan. Needlessly diverting traffic that you do not want to
scan, such as traffic between a trusted source and destination, can adversely affect network performance.
The action of scanning traffic with the CSC SSM is enabled with the csc command, which must be part
of a service policy. Service policies can be applied globally or to specific interfaces; therefore, you can
choose to enable the csc command globally or for specific interfaces.
Adding the csc command to your global policy ensures that all unencrypted connections through the
adaptive security appliance are scanned by the CSC SSM; however, this may mean that traffic from
trusted sources is needlessly scanned.
If you enable the csc command in interface-specific service policies, it is bi-directional. This means that
when the adaptive security appliance opens a new connection, if the csc command is active on either the
inbound or the outbound interface of the connection and if the class map for the policy identifies traffic
for scanning, the adaptive security appliance diverts it to the CSC SSM.
However, bi-directionality means that if you divert to the CSC SSM any of the supported traffic types
that cross a given interface, the CSC SSM is likely performing needless scans on traffic from your trusted
inside networks. For example, URLs and files requested from web servers on a DMZ network are
unlikely to pose content security risks to hosts on an inside network and you probably do not want the
adaptive security appliance to divert such traffic to the CSC SSM.
Therefore, we highly recommend using access lists to further limit the traffic selected by the class maps
of CSC SSM service policies. Specifically, use access lists that match the following:
• HTTP connections to outside networks.
• FTP connections from clients inside the adaptive security appliance to servers outside the adaptive
security appliance.
• POP3 connections from clients inside the security appliance to servers outside the adaptive security
appliance.
• Incoming SMTP connections destined to inside mail servers.
In Figure 22-3, the adaptive security appliance should be configured to divert to the CSC SSM the HTTP,
FTP, and POP3 connections that clients on the inside network open to the outside network, and the
incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP
requests from the inside network to the web server on the DMZ network should not be scanned.
Figure 22-3 Common Network Configuration for CSC SSM Scanning
There are many ways you could configure the adaptive security appliance to identify the traffic that you
want to scan. One approach is to define two service policies, one on the inside interface and the other on
the outside interface, each with an access list that matches traffic to be scanned. The following access
list could be used on the policy applied to the inside interface:
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
As previously mentioned, policies applying the csc command to a specific interface are effective on both
ingress and egress traffic, but by specifying 192.168.10.0 as the source network in the csc_out access list
the policy applied to the inside interface matches only connections initiated by the hosts on the inside
network. Notice also that the second ACE of the access list uses the deny keyword. This ACE does not
mean the adaptive security appliance blocks traffic sent from the 192.168.10.0 network to TCP port 80
on the 192.168.20.0 network. It simply exempts the traffic from being matched by the policy map and
thus prevents the adaptive security appliance from sending it to the CSC SSM.
You can use deny statements in an access list to exempt connections with trusted external hosts from
being scanned. For example, to reduce the load on the CSC SSM, you might want to exempt HTTP traffic
to a well known, trusted site. If the web server at such a site had the IP address 209.165.201.7, you could
add the following ACE to the csc_out access list to exclude HTTP connections between the trusted
external web server and inside hosts from being scanned by the CSC SSM:
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80
ACEs are evaluated in order and the first match wins, so this deny is effective only if it precedes the
broader permit entry for TCP port 80 to any destination. Because the access-list command appends a
new ACE to the end of the list, place it ahead of that entry with the line keyword of the access-list
command, or re-enter the list in the intended order, and verify the result with show access-list.
The second policy in this example, applied to the outside interface, could use the following access list:
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
Figure 22-3 shows the inside network 192.168.10.0, the DMZ network 192.168.20.0 with the web server and the mail server, and a third network, 192.168.30.0, on the outside toward the Internet.
This access list matches inbound SMTP connections from any external host to any host on the DMZ
network. The policy applied to the outside interface would therefore ensure that incoming SMTP email
would be diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on
the inside network to the mail server on the DMZ network because those connections never use the
outside interface.
If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could
add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from
infected files:
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
For a complete example service policy configuration using the access lists in this section, see
Example 22-1.
Limiting Connections Through the CSC SSM
The adaptive security appliance can prevent the CSC SSM and the destinations of connections it scans
from accepting or even receiving requests for more connections than desired. It can do so for embryonic
connections or fully established connections. The set connection command lets you configure limits for
embryonic connections or fully established connections.
Also, you can specify limits for all clients included in a class-map and per-client limits. The
per-client-embryonic-max and per-client-max parameters limit the maximum number of connections
that individual clients can open. If a client uses more network resources simultaneously than is desired,
you can use these parameters to limit the number of connections that the adaptive security appliance
allows each client.
DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or
requests for connections. You can use the set connection command to thwart DoS attacks. After you
configure a per-client maximum that can be supported by hosts likely to be attacked, malicious clients
will be unable to overwhelm hosts on protected networks.
Use of the set connection command to protect the CSC SSM and the destinations of connections it scans
is included in the “Diverting Traffic to the CSC SSM” section on page 22-11.
Diverting Traffic to the CSC SSM
You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM.
Before configuring the adaptive security appliance to do so, read Chapter 21, “Using Modular Policy
Framework,” which introduces MPF concepts and common commands.
To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following
steps:
Step 1 Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the
access-list extended command. Create as many ACEs as needed to match all the traffic. For example, if
you want to specify FTP, HTTP, POP3, and SMTP traffic, you would need four ACEs. For guidance on
identifying the traffic you want to scan, see the “Determining What Traffic to Scan” section on
page 22-9.
Step 2 Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the class-map
command to do so, as follows.
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the
CLI enters class map configuration mode.
Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be
scanned:
hostname(config-cmap)# match access-list acl-name
Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the CSC
SSM. To do so, use the policy-map command, as follows.
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters the policy map configuration
mode and the prompt changes accordingly.
Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command
to do so, as follows.
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy
map class configuration mode and the prompt changes accordingly.
Step 6 If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance
diverts to the CSC SSM, use the set connection command, as follows:
hostname(config-pmap-c)# set connection per-client-max n
where n is the maximum simultaneous connections the adaptive security appliance will allow per client.
This prevents a single client from abusing the services of the CSC SSM or any server protected by the
SSM, including prevention of attempts at DoS attacks on HTTP, FTP, POP3, or SMTP servers that the
CSC SSM protects.
Step 7 Assign the traffic identified by the class map as traffic to be sent to the CSC SSM. Use the csc command
to do so, as follows.
hostname(config-pmap-c)# csc {fail-close | fail-open}
The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when
the CSC SSM is unavailable. For more information about the operating modes and failure behavior, see
the “About the CSC SSM” section on page 22-5.
Step 8 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map
to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on
a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to
the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.
The adaptive security appliance begins diverting traffic to the CSC SSM as specified.
Example 22-1 is based on the network shown in Figure 22-3. It creates two service policies. The first
policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that
all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP
connections from inside to networks on the outside interface are scanned but it includes a deny ACE to
exclude HTTP connections from inside to servers on the DMZ network.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to
ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ
network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file
uploads.
Example 22-1 Service Policies for a Common CSC SSM Scanning Scenario
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class
hostname(config-cmap)# match access-list csc_out
hostname(config)# policy-map csc_out_policy
hostname(config-pmap)# class csc_outbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_out_policy interface inside
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class
hostname(config-cmap)# match access-list csc_in
hostname(config)# policy-map csc_in_policy
hostname(config-pmap)# class csc_inbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_in_policy interface outside
Note FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled
by default.
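Added example, not from the guide: a Python model of first-match access list evaluation, using the ACEs of Example 22-1 plus the trusted-site exemption (209.165.201.7) suggested in the text, to show that a deny ACE exempts a connection from the CSC SSM rather than blocking it, and that a policy only sees connections initiated on its own interface.

```python
"""First-match evaluation of the csc_out and csc_in access lists.

Added example, not part of the Cisco guide: it models how the access list
matched by a class map selects connections for diversion to the CSC SSM.
A deny ACE only exempts a connection from scanning; the connection itself
is still forwarded by the appliance's normal access rules.
"""
import ipaddress
from typing import Dict, List, Optional

# ACEs from Example 22-1, plus the trusted-site exemption (209.165.201.7)
# that the text suggests adding to csc_out. Order matters: first match wins.
CSC_OUT = [
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21",
    "access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80",
    "access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80",
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80",
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110",
]
CSC_IN = [
    "access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25",
    "access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80",
]
# service-policy csc_out_policy interface inside / csc_in_policy interface outside
POLICIES: Dict[str, List[str]] = {"inside": CSC_OUT, "outside": CSC_IN}


def _network(tokens: List[str], i: int):
    """Read 'any' or 'address mask' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> dict:
    """Parse the 'access-list NAME {permit|deny} tcp SRC DST eq PORT' form used on the page."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError(f"unsupported ACE syntax: {line}")
    src, i = _network(t, 4)
    dst, i = _network(t, i)
    if t[i] != "eq":
        raise ValueError(f"expected 'eq PORT' in: {line}")
    return {"action": t[2], "src": src, "dst": dst, "dport": int(t[i + 1])}


def match_acl(acl: List[str], src_ip: str, dst_ip: str, dport: int) -> Optional[str]:
    """Return 'permit', 'deny', or None when no ACE matches (first match wins)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if s in ace["src"] and d in ace["dst"] and dport == ace["dport"]:
            return ace["action"]
    return None


def csc_decision(ingress: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide whether a TCP connection whose SYN arrives on 'ingress' is diverted.

    Simplification: the policy is evaluated on the interface where the connection
    is initiated, which is why inside-to-DMZ SMTP never reaches csc_in on outside.
    """
    acl = POLICIES.get(ingress)
    if acl is None:
        return "NO_POLICY"        # no csc service policy on this interface
    verdict = match_acl(acl, src_ip, dst_ip, dport)
    if verdict == "permit":
        return "SCAN"             # diverted to the CSC SSM
    if verdict == "deny":
        return "EXEMPT"           # matched a deny ACE: forwarded without scanning
    return "NO_MATCH"             # not selected by the class map at all
```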
Checking SSM Status
To check the status of an SSM, use the show module command.
The following example output is from an adaptive security appliance with a CSC SSM installed. The Status
field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the
output of the show module command. While the adaptive security appliance transfers an application
image to the SSM, the Status field in the output reads “Recover”. For more information about possible
statuses, see the entry for the show module command in the Cisco Security Appliance Command
Reference.
hostname# show module 1
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance ASA5520 P3000000034
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 0
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 000b.fcf8.c30d to 000b.fcf8.c311 1.0 1.0(10)0 7.1(0)1
1 000b.fcf8.012c to 000b.fcf8.012c 1.0 1.0(10)0 Trend Micro InterScan Security Module Version 5.0
Mod SSM Application Name SSM Application Version
--- ------------------------------ --------------------------
1 Trend Micro InterScan Security Version 5.0
Mod Status Data Plane Status Compatability
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
1 Up Up
The argument 1, at the end of the command, is the slot number occupied by the SSM. If you do not know
the slot number, you can omit it and see information about all modules, including the adaptive security
appliance, which is considered to occupy slot 0 (zero).
Use the details keyword to view additional information for the SSM.
The following example output is from an adaptive security appliance with a CSC SSM installed.
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: 0
Firmware version: 1.0(10)0
Software version: Trend Micro InterScan Security Module Version 5.0
App. name: Trend Micro InterScan Security Module
App. version: Version 5.0
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 10.23.62.92
Mgmt web port: 8443
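To monitor this output rather than read it by hand, the following added Python example (not from the guide) parses the key: value lines of show module details and flags any status that is not Up; the sample text is a constructed copy of the output above, plus a variant showing the Recover state described earlier.

```python
"""Parse 'show module <slot> details' output and flag an SSM that is not fully up.

Added example, not part of the Cisco guide. SAMPLE_UP is a constructed copy of the
page's example output; SAMPLE_RECOVER is a constructed variant of it with the module
in the Recover state (image transfer in progress).
"""
import re
from typing import Dict, List

SAMPLE_UP = """\
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 1.0
Serial Number: 0
Firmware version: 1.0(10)0
Software version: Trend Micro InterScan Security Module Version 5.0
App. name: Trend Micro InterScan Security Module
App. version: Version 5.0
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 10.23.62.92
Mgmt web port: 8443
"""
# Constructed variant: the appliance is transferring an image onto the SSM.
SAMPLE_RECOVER = re.sub(r"(?m)^Status: Up$", "Status: Recover",
                        re.sub(r"(?m)^Data plane Status: Up$", "Data plane Status: Down", SAMPLE_UP))

# Fields that must read "Up" for the CSC SSM to be scanning traffic. With the
# csc fail-open keyword, anything else means matched traffic is passing unscanned.
REQUIRED_UP = ("Status", "Data plane Status", "HTTP Service", "Mail Service", "FTP Service")


def parse_module_details(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines into a dict; banner lines without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z. ]+?):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def ssm_health_problems(fields: Dict[str, str]) -> List[str]:
    """Return a list of 'Field: value' strings for every field that is not healthy."""
    problems: List[str] = []
    for key in REQUIRED_UP:
        value = fields.get(key)
        if value is None:
            problems.append(f"{key}: missing from output")
        elif value != "Up":
            problems.append(f"{key}: {value}")
    if fields.get("Activated") != "Yes":
        problems.append(f"Activated: {fields.get('Activated')}")
    return problems
```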
Transferring an Image onto an SSM
For an intelligent SSM, such as AIP SSM or CSC SSM, you can transfer application images from a TFTP
server to the SSM. This process supports upgrade images and maintenance images.
Note If you are upgrading the application on the SSM, the SSM application may support backup of its
configuration. If you do not back up the configuration of the SSM application, it is lost when you transfer
an image onto the SSM. For more information about how your SSM supports backups, see the
documentation for your SSM.
To transfer an image onto an intelligent SSM, perform the following steps:
Step 1 Create or modify a recovery configuration for the SSM. To do so, perform the following steps:
a. Determine if there is a recovery configuration for the SSM. To do so, use the show module
command with the recover keyword, as follows.
hostname# show module slot recover
where slot is the slot number occupied by the SSM.
If the recover keyword is not valid, a recovery configuration does not exist. The recover keyword
of the show module command is available only when a recovery configuration exists for the SSM.
Note When the adaptive security appliance operates in multiple context mode, the configure
keyword is available only in the system context.
If there is a recovery configuration for the SSM, the adaptive security appliance displays it. Examine
the recovery configuration closely to ensure that it is correct, especially the Image URL field. The
following example shows a recovery configuration for an SSM in slot 1.
hostname# show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL: tftp://10.21.18.1/ids-oldimg
Port IP Address: 10.1.2.10
Port Mask : 255.255.255.0
Gateway IP Address: 10.1.2.254
b. If you need to create or modify the recovery configuration, use the hw-module module recover
command with the configure keyword, as follows:
hostname# hw-module module slot recover configure
where slot is the slot number occupied by the SSM.
Complete the prompts as applicable. If you are modifying a configuration, you can keep the
previously configured value by pressing Enter. The following example shows the prompts. For more
information about them, see the entry for the hw-module module recover command in the Cisco
Security Appliance Command Reference.
Image URL [tftp://0.0.0.0/]:
Port IP Address [0.0.0.0]:
VLAN ID [0]:
Gateway IP Address [0.0.0.0]:
Note Be sure the TFTP server you specify can transfer files up to 60 MB in size. Also, be sure the
TFTP server can connect to the management port IP address that you specify for the SSM.
After you complete the prompts, the adaptive security appliance is ready to transfer to the SSM the
image that it finds at the URL you specified.
Step 2 Transfer the image from the TFTP server to the SSM and restart the SSM. To do so, use the hw-module
module recover command with the boot keyword, as follows.
hostname# hw-module module slot recover boot
where slot is the slot number occupied by the SSM.
Step 3 Check the progress of the image transfer and SSM restart process. To do so, use the show module
command. For details, see the “Checking SSM Status” section on page 22-13.
When the adaptive security appliance completes the image transfer and restart of the SSM, the SSM is
running the newly transferred image.
Note If your SSM supports configuration backups and you want to restore the configuration of the application
running on the SSM, see the documentation for your SSM for details.
Chapter 23 Preventing Network Attacks
This chapter describes how to prevent network attacks by configuring TCP normalization, limiting TCP
and UDP connections, and many other protection features.
This chapter includes the following sections:
• Configuring TCP Normalization, page 23-1
• Configuring Connection Limits and Timeouts, page 23-6
• Preventing IP Spoofing, page 23-10
• Configuring the Fragment Size, page 23-11
• Blocking Unwanted Connections, page 23-11
• Configuring IP Audit for Basic IPS Support, page 23-12
Configuring TCP Normalization
The TCP normalization feature identifies abnormal packets that the security appliance can act on when
they are detected; for example, the security appliance can allow, drop, or clear the packets. TCP
normalization helps protect the security appliance from attacks. This section includes the following
topics:
• TCP Normalization Overview, page 23-1
• Enabling the TCP Normalizer, page 23-2
TCP Normalization Overview
The TCP normalizer includes non-configurable actions and configurable actions. Typically,
non-configurable actions that drop or clear connections apply to packets that are always bad.
Configurable actions (as detailed in “Enabling the TCP Normalizer” section on page 23-2) might need
to be customized depending on your network needs.
See the following guidelines for TCP normalization:
• The normalizer does not protect from SYN floods. The security appliance includes SYN flood
protection in other ways.
• The normalizer always sees the SYN packet as the first packet in a flow unless the security appliance
is in loose mode due to failover.
Enabling the TCP Normalizer
This feature uses Modular Policy Framework, so that implementing TCP normalization consists of
identifying traffic, specifying the TCP normalization actions, and activating TCP normalization on an
interface. See Chapter 21, “Using Modular Policy Framework,” for more information.
To configure TCP normalization, perform the following steps:
Step 1 To specify the TCP normalization criteria that you want to look for, create a TCP map by entering the
following command:
hostname(config)# tcp-map tcp-map-name
For each TCP map, you can customize one or more settings.
Step 2 (Optional) Configure the TCP map criteria by entering one or more of the following commands (see
Table 23-1). If you want to use the default settings for all criteria, you do not need to enter any commands
for the TCP map. If you want to customize some settings, then the defaults are used for any commands
you do not enter. The default configuration includes the following settings:
no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection
Table 23-1 tcp-map Commands
Command Notes
check-retransmission Prevents inconsistent TCP retransmissions.
checksum-verification Verifies the checksum.
exceed-mss {allow | drop} Sets the action for packets whose data length exceeds the TCP
maximum segment size.
(Default) The allow keyword allows packets whose data length
exceeds the TCP maximum segment size.
The drop keyword drops packets whose data length exceeds the
TCP maximum segment size.
invalid-ack {allow | drop} Sets the action for packets with an invalid ACK. You might see
invalid ACKs in the following instances:
• In the TCP connection SYN-ACK-received status, if the ACK
number of a received TCP packet is not exactly same as the
sequence number of the next TCP packet sending out, it is an
invalid ACK.
• Whenever the ACK number of a received TCP packet is
greater than the sequence number of the next TCP packet
sending out, it is an invalid ACK.
The allow keyword allows packets with an invalid ACK.
(Default) The drop keyword drops packets with an invalid ACK.
Note TCP packets with an invalid ACK are automatically
allowed for WAAS connections.
queue-limit pkt_num
[timeout seconds]
Sets the maximum number of out-of-order packets that can be
buffered and put in order for a TCP connection, between 1 and 250
packets. The default is 0, which means this setting is disabled and
the default system queue limit is used depending on the type of
traffic:
• Connections for application inspection (the inspect
command), IPS (the ips command), and TCP
check-retransmission (the TCP map check-retransmission
command) have a queue limit of 3 packets. If the security
appliance receives a TCP packet with a different window size,
then the queue limit is dynamically changed to match the
advertised setting.
• For other TCP connections, out-of-order packets are passed
through untouched.
If you set the queue-limit command to be 1 or above, then the
number of out-of-order packets allowed for all TCP traffic matches
this setting. For application inspection, IPS, and TCP
check-retransmission traffic, any advertised settings are ignored.
For other TCP traffic, out-of-order packets are now buffered and
put in order instead of passed through untouched.
The timeout seconds argument sets the maximum amount of time
that out-of-order packets can remain in the buffer, between 1 and
20 seconds; if they are not put in order and passed on within the
timeout period, then they are dropped. The default is 4 seconds.
You cannot change the timeout for any traffic if the pkt_num
argument is set to 0; you need to set the limit to be 1 or above for
the timeout keyword to take effect.
reserved-bits {allow | clear |
drop}
Sets the action for reserved bits in the TCP header.
(Default) The allow keyword allows packets with the reserved bits
in the TCP header.
The clear keyword clears the reserved bits in the TCP header and
allows the packet.
The drop keyword drops the packet with the reserved bits in the
TCP header.
seq-past-window {allow | drop} Sets the action for packets that have past-window sequence
numbers, namely the sequence number of a received TCP packet
is greater than the right edge of the TCP receiving window.
The allow keyword allows packets that have past-window
sequence numbers. This action is only allowed if the queue-limit
command is set to 0 (disabled).
(Default) The drop keyword drops packets that have past-window
sequence numbers.
synack-data {allow | drop} Sets the action for TCP SYNACK packets that contain data.
The allow keyword allows TCP SYNACK packets that contain
data.
(Default) The drop keyword drops TCP SYNACK packets that
contain data.
syn-data {allow | drop} Sets the action for SYN packets with data.
(Default) The allow keyword allows SYN packets with data.
The drop keyword drops SYN packets with data.
tcp-options {selective-ack |
timestamp | window-scale}
{allow | clear}
Or
tcp-options range lower upper
{allow | clear | drop}
Sets the action for packets with TCP options, including the
selective-ack, timestamp, or window-scale TCP options.
(Default) The allow keyword allows packets with the specified
option.
(Default for range) The clear keyword clears the option and
allows the packet.
The drop keyword drops the packet with the specified option.
The selective-ack keyword sets the action for the SACK option.
The timestamp keyword sets the action for the timestamp option.
Clearing the timestamp option disables PAWS and RTT.
The window-scale keyword sets the action for the window scale
mechanism option.
The range keyword specifies a range of options. The lower
argument sets the lower end of the range as 6, 7, or 9 through 255.
The upper argument sets the upper end of the range as 6, 7, or 9
through 255.
ttl-evasion-protection Disables the TTL evasion protection. Do not enter this command
if you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with
a very short TTL. When the TTL goes to zero, a router between the
security appliance and the endpoint drops the packet. It is at this
point that the attacker can send a malicious packet with a long TTL
that appears to the security appliance to be a retransmission and is
passed. To the endpoint host, however, it is the first packet that has
been received from the attacker. In this case, an attacker is able to
succeed without security preventing the attack.
urgent-flag {allow | clear} Sets the action for packets with the URG flag. The URG flag is
used to indicate that the packet contains information that is of
higher priority than other data within the stream. The TCP RFC is
vague about the exact interpretation of the URG flag, therefore end
systems handle urgent offsets in different ways, which may make
the end system vulnerable to attacks.
The allow keyword allows packets with the URG flag.
(Default) The clear keyword clears the URG flag and allows the
packet.
window-variation {allow | drop} Sets the action for a connection that has changed its window size
unexpectedly. The window size mechanism allows TCP to
advertise a large window and to subsequently advertise a much
smaller window without having accepted too much data. From the
TCP specification, “shrinking the window” is strongly
discouraged. When this condition is detected, the connection can
be dropped.
(Default) The allow keyword allows connections with a window
variation.
The drop keyword drops connections with a window variation.
Step 3 To identify the traffic, add a class map using the class-map command. See the “Creating a Layer 3/4
Class Map for Through Traffic” section on page 21-5 for more information.
For example, you can match all traffic using the following commands:
hostname(config)# class-map TCPNORM
hostname(config-cmap)# match any
To match specific traffic, you can match an access list:
hostname(config)# access-list TCPNORM extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map TCP_norm_class
hostname(config-cmap)# match access-list TCPNORM
Step 4 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following
commands:
hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where the class_map_name is the class map from Step 3.
For example:
hostname(config)# policy-map TCP_norm_policy
hostname(config-pmap)# class TCP_norm_class
hostname(config-pmap-c)#
Step 5 Apply the TCP map to the class map by entering the following command.
hostname(config-pmap-c)# set connection advanced-options tcp-map-name
Step 6 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface.
Only one global policy is allowed. Interface service policies take precedence over the global service
policy for a given feature. For example, if you have a global policy with inspections, and an interface
policy with TCP normalization, then both inspections and TCP normalization are applied to the
interface. However, if you have a global policy with inspections, and an interface policy with
inspections, then only the interface policy inspections are applied to that interface.
For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports
between the well known FTP data port and the Telnet port, enter the following commands:
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap
hostname(config-pmap-c)# service-policy pmap global
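As an added example (not the appliance's code), the following Python model applies the packet-level tcp-map settings from Table 23-1 to constructed packets: first with the default configuration from Step 2, then with the same override as the tmap example above (urgent-flag allow). The mapping of TCP option kinds to the tcp-options keywords is taken from the IANA registry and is an assumption of this example.

```python
"""Per-packet checks of a tcp-map, simulated.

Added example, not the appliance's code. It starts from the default tcp-map
settings listed in Step 2 and applies the same override as the 'tmap' example
(urgent-flag allow). Settings that need per-flow state (check-retransmission,
invalid-ack, seq-past-window, queue-limit, window-variation, ttl-evasion-
protection) are out of scope here; only the packet-level settings are modelled.
"""
import copy
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

# TCP option kinds (IANA registry); assumed mapping to the tcp-map keywords.
OPT_WSCALE, OPT_SACK_PERMITTED, OPT_SACK, OPT_TIMESTAMP = 3, 4, 5, 8
NAMED_OPTIONS = {OPT_SACK_PERMITTED: "selective-ack", OPT_SACK: "selective-ack",
                 OPT_WSCALE: "window-scale", OPT_TIMESTAMP: "timestamp"}

# The default configuration from Step 2, packet-level settings only.
DEFAULT_TCP_MAP = {
    "exceed-mss": "allow",
    "reserved-bits": "allow",
    "syn-data": "allow",
    "synack-data": "drop",
    "tcp-options": {"selective-ack": "allow", "timestamp": "allow", "window-scale": "allow"},
    "tcp-options-range": [(6, 7, "clear"), (9, 255, "clear")],
    "urgent-flag": "clear",
}


def tcp_map(overrides: dict = None) -> dict:
    """Build a tcp-map: the defaults apply to every setting you do not enter."""
    m = copy.deepcopy(DEFAULT_TCP_MAP)
    m.update(overrides or {})
    return m


@dataclass
class TcpPacket:
    syn: bool = False
    ack: bool = False
    urg: bool = False
    reserved_bits: int = 0            # nonzero when any reserved header bit is set
    payload_len: int = 0
    mss: int = 1460                   # MSS agreed for the connection
    options: Dict[int, bytes] = field(default_factory=dict)   # option kind -> data


def _option_action(kind: int, tmap: dict) -> str:
    if kind in NAMED_OPTIONS:
        return tmap["tcp-options"][NAMED_OPTIONS[kind]]
    for lower, upper, action in tmap["tcp-options-range"]:
        if lower <= kind <= upper:
            return action
    return "allow"                    # EOL, NOP and MSS (kinds 0-2) have no setting


def normalize(pkt: TcpPacket, tmap: dict) -> Tuple[str, TcpPacket, List[str]]:
    """Return (verdict, packet as it would be forwarded, list of actions taken)."""
    out = replace(pkt, options=dict(pkt.options))
    actions: List[str] = []
    if pkt.syn and not pkt.ack and pkt.payload_len and tmap["syn-data"] == "drop":
        return "drop", out, ["drop: syn-data"]
    if pkt.syn and pkt.ack and pkt.payload_len and tmap["synack-data"] == "drop":
        return "drop", out, ["drop: synack-data"]
    if pkt.reserved_bits:
        if tmap["reserved-bits"] == "drop":
            return "drop", out, ["drop: reserved-bits"]
        if tmap["reserved-bits"] == "clear":
            out.reserved_bits = 0
            actions.append("clear: reserved-bits")
    if pkt.payload_len > pkt.mss and tmap["exceed-mss"] == "drop":
        return "drop", out, ["drop: exceed-mss"]
    if pkt.urg and tmap["urgent-flag"] == "clear":
        out.urg = False               # URG flag removed, packet itself is allowed
        actions.append("clear: urgent-flag")
    for kind in sorted(out.options):  # iterate a copy so entries can be deleted
        action = _option_action(kind, tmap)
        if action == "drop":
            return "drop", out, actions + [f"drop: tcp-options kind {kind}"]
        if action == "clear":
            del out.options[kind]
            actions.append(f"clear: tcp-options kind {kind}")
    return "allow", out, actions + ["allow"]


DEFAULTS = tcp_map()                           # a tcp-map with no settings entered
TMAP = tcp_map({"urgent-flag": "allow"})       # the 'tcp-map tmap' from the example above
```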
Configuring Connection Limits and Timeouts
This section describes how to set maximum TCP and UDP connections, maximum embryonic
connections, maximum per-client connections, connection timeouts, dead connection detection, and how
to disable TCP sequence randomization. You can set limits for connections that go through the security
appliance, or for management connections to the security appliance. This section includes the following
topics:
• Connection Limit Overview, page 23-7
• Enabling Connection Limits and Timeouts, page 23-8
Note You can also configure maximum connections, maximum embryonic connections, and TCP sequence
randomization in the NAT configuration. If you configure these settings for the same traffic using both
methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is
disabled using either method, then the security appliance disables TCP sequence randomization.
Connection Limit Overview
This section describes why you might want to limit connections, and includes the following topics:
• TCP Intercept Overview, page 23-7
• Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility, page 23-7
• Dead Connection Detection (DCD) Overview, page 23-7
• TCP Sequence Randomization Overview, page 23-8
TCP Intercept Overview
Limiting the number of embryonic connections protects you from a DoS attack. The security appliance
uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects
inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An
embryonic connection is a connection request that has not finished the necessary handshake between
source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding
attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP
addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from
servicing connection requests. When the embryonic connection threshold of a connection is crossed, the
security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN
request. When the security appliance receives an ACK back from the client, it can then authenticate the
client and allow the connection to the server.
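The exchange described above, modelled in Python as an added example that is not the appliance's implementation: below the embryonic limit SYNs reach the server, and once the limit is crossed the appliance proxies the SYN-ACK and opens a connection only for a client that completes the handshake. The SYN cookie construction is an assumption made for this example.

```python
"""TCP Intercept as the overview describes it, simulated.

Added example, not the appliance's implementation. Below the embryonic limit a
SYN is passed to the server and tracked as a half-open connection; once the
limit is crossed the appliance answers the SYN itself with a SYN-ACK whose
sequence number is a SYN cookie, keeps no state, and only opens a connection
to the server for a client whose ACK proves it received that SYN-ACK. The
cookie construction (keyed hash over the 4-tuple and a coarse time epoch) is
an assumption made for this example.
"""
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]          # (client ip, client port, server ip, server port)


class TcpIntercept:
    def __init__(self, embryonic_limit: int, secret: Optional[bytes] = None):
        self.limit = embryonic_limit
        self.secret = secret or os.urandom(16)    # constructed per-run key
        self.embryonic: Set[Flow] = set()         # half-open connections the server is holding
        self.established: Set[Flow] = set()

    def _cookie(self, flow: Flow, epoch: int) -> int:
        """32-bit ISN derived from the flow and a time epoch; nothing to store per SYN."""
        mac = hmac.new(self.secret, repr((flow, epoch)).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, flow: Flow, epoch: int = 0) -> Tuple[str, Optional[int]]:
        """Client SYN arrives. Returns (action, ISN of the proxied SYN-ACK or None)."""
        if len(self.embryonic) < self.limit:
            self.embryonic.add(flow)
            return "forward-to-server", None
        # Threshold crossed: act as proxy for the server and answer with a cookie.
        return "proxy-syn-ack", self._cookie(flow, epoch)

    def on_ack(self, flow: Flow, ack_num: int, epoch: int = 0) -> str:
        """Client's third-handshake ACK arrives."""
        if flow in self.embryonic:                # normal handshake, completed at the server
            self.embryonic.discard(flow)
            self.established.add(flow)
            return "completed"
        for e in (epoch, epoch - 1):              # accept the current or previous epoch
            if ack_num == (self._cookie(flow, e) + 1) & 0xFFFFFFFF:
                self.established.add(flow)        # authenticated: open it to the server
                return "authenticated"
        return "rejected"                         # forged or stale ACK, no state consumed


def syn_flood_demo(limit: int = 3, spoofed_syns: int = 50) -> Tuple[int, str, str]:
    """Spoofed SYNs never complete; show they stop consuming server state at the limit
    while a real client still gets through. Returns (half-open count, action, result)."""
    guard = TcpIntercept(limit, secret=b"demo-key")
    server = ("192.168.20.10", 80)
    for i in range(spoofed_syns):                  # constructed spoofed sources
        guard.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i, *server))
    client = ("198.51.100.7", 51000, *server)
    action, isn = guard.on_syn(client)
    result = guard.on_ack(client, (isn + 1) & 0xFFFFFFFF)
    return len(guard.embryonic), action, result
```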
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is
enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus deprives the
security appliance from processing the packets for clientless SSL. Clientless SSL requires the ability to
process the 3-way handshake packets to provide selective ACK and other TCP options for clientless SSL
connections. To disable TCP Intercept for management traffic, you can set the embryonic connection
limit; only after the embryonic connection limit is reached is TCP Intercept enabled.
Dead Connection Detection (DCD) Overview
DCD detects a dead connection and allows it to expire, without expiring connections that can still handle
traffic. You configure DCD when you want idle, but valid connections to persist.
When you enable DCD, idle timeout behavior changes. With idle timeout, DCD probes are sent to each
of the two end-hosts to determine the validity of the connection. If an end-host fails to respond after
probes are sent at the configured intervals, the connection is freed, and reset values, if configured, are
sent to each of the end-hosts. If both end-hosts respond that the connection is valid, the activity timeout
is updated to the current time and the idle timeout is rescheduled accordingly.
Enabling DCD changes the behavior of idle-timeout handling in the TCP normalizer. DCD probing
resets the idle timeout on the connections seen in the show conn command. To determine when a
connection has exceeded the configured timeout value in the timeout command but is kept alive due
to DCD probing, the show service-policy command includes counters to show the amount of activity
from DCD.
TCP Sequence Randomization Overview
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The
security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound
directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5
authentication. Randomization breaks the MD5 signature (RFC 2385), because the signature is
computed over the TCP header, including the sequence number; a rewritten sequence number no longer
matches the digest the peer computed.
• If you use a WAAS device that requires the security appliance not to randomize the sequence numbers
of connections.
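The following Python script is an added example, not code from the Cisco guide, that models what sequence-number randomization does to a flow and why it breaks TCP MD5 signatures. The firewall model (a per-direction offset applied to the ISN of the SYN and to every later sequence and acknowledgment number in that flow) is an assumption about the mechanism; the guide states only the effect. The RFC 2385 digest layout is taken from that RFC; the addresses, ports, ISNs and key are constructed.

```python
import hashlib
import secrets
import socket
import struct

MASK32 = 0xFFFFFFFF


class SeqRandomizer:
    """Stateful sequence-number translation for one flow (assumed mechanism).

    For each direction the first SYN gets a new, unpredictable ISN; the offset
    between the host's ISN and the new one is then added to every later SEQ in
    that direction and subtracted from every ACK in the reverse direction, so
    both hosts keep seeing their own numbering.
    """

    def __init__(self, enabled=True, rand=secrets.randbits):
        self.enabled = enabled          # random-sequence-number {enable | disable}
        self.rand = rand                # injectable for deterministic tests
        self.delta = {}                 # (src, dst) -> offset for that direction

    def translate(self, src, dst, seq, ack, syn, ack_flag):
        fwd = (src, dst)
        if syn and fwd not in self.delta:
            self.delta[fwd] = (self.rand(32) - seq) & MASK32 if self.enabled else 0
        new_seq = (seq + self.delta.get(fwd, 0)) & MASK32
        new_ack = (ack - self.delta.get((dst, src), 0)) & MASK32 if ack_flag else ack
        return new_seq, new_ack


def handshake(fw, inside="10.1.1.5", outside="203.0.113.9"):
    """Run a 3-way handshake through fw and report what each side observed."""
    h_isn, p_isn = 1000, 50000  # constructed, deliberately predictable ISNs
    # SYN  inside -> outside
    seq1, _ = fw.translate(inside, outside, h_isn, 0, syn=True, ack_flag=False)
    # SYN-ACK  outside -> inside: the peer acknowledges the ISN it actually saw
    seq2, ack2 = fw.translate(outside, inside, p_isn, seq1 + 1, syn=True, ack_flag=True)
    # ACK  inside -> outside: the host acknowledges the ISN it actually saw
    _, ack3 = fw.translate(inside, outside, h_isn + 1, seq2 + 1, syn=False, ack_flag=True)
    return {
        "peer_saw_isn": seq1,        # not the host's 1000 when randomization is on
        "host_got_ack": ack2,        # always h_isn + 1: translation is transparent
        "peer_got_ack": ack3,        # always p_isn + 1
    }


def tcp_md5_signature(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """RFC 2385 TCP MD5 signature: MD5(pseudo-header || TCP header without options,
    checksum zeroed || data || key). The sequence number is inside the digest."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)   # data offset 5, checksum 0
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp_hdr) + len(payload))
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


def md5_signature_verifies(fw, key=b"constructed-bgp-key"):
    """Does a BGP peer's MD5 signature still verify after fw has rewritten the SYN?"""
    src, dst, isn = "10.1.1.5", "203.0.113.9", 1000
    sent = tcp_md5_signature(src, dst, 179, 179, isn, 0, 0x02, b"", key)
    new_seq, _ = fw.translate(src, dst, isn, 0, syn=True, ack_flag=False)
    # The receiver digests the header it received, i.e. with the rewritten SEQ.
    received = tcp_md5_signature(src, dst, 179, 179, new_seq, 0, 0x02, b"", key)
    return sent == received


if __name__ == "__main__":
    print(handshake(SeqRandomizer()))
    print("MD5 ok with randomization:", md5_signature_verifies(SeqRandomizer()))
    print("MD5 ok without:", md5_signature_verifies(SeqRandomizer(enabled=False)))
```

The handshake shows why the guide can say the feature "does not affect the traffic": each end still sees acknowledgments of its own numbers, only the peer's view of the ISN changes. The MD5 check is the eBGP case from the second bullet: the digest the sender computed over SEQ 1000 can never match a header carrying a rewritten SEQ, so the only fix is random-sequence-number disable for that class of traffic.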
Enabling Connection Limits and Timeouts
To set connection limits and timeouts, perform the following steps:
Step 1 To identify the traffic, add a class map using the class-map command. See the “Creating a Layer 3/4
Class Map for Through Traffic” section on page 21-5 for more information.
For example, you can match all traffic using the following commands:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
To match specific traffic, you can match an access list:
hostname(config)# access-list CONNS extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map CONNS
hostname(config-cmap)# match access-list CONNS
Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following
commands:
hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where the class_map_name is the class map from Step 1.
For example:
hostname(config)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)#
Step 3 To set maximum connection limits or whether TCP sequence randomization is enabled, enter the
following command:
hostname(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n]
[per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable |
disable}]}
where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP
connections that are allowed, between 0 and 65535. The default is 0, which allows unlimited
connections.
The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic
connections allowed, between 0 and 65535. The default is 0, which allows unlimited connections.
The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic
connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited
connections.
The per-client-max n argument sets the maximum number of simultaneous connections allowed per
client, between 0 and 65535. The default is 0, which allows unlimited connections.
The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number
randomization. See the “TCP Sequence Randomization Overview” section on page 23-8 section for
more information.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The security appliance combines the command into one line in the running configuration.
Step 4 To set connection timeouts, enter the following command:
hostname(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss
[reset]] [half-closed hh:mm:ss] [dcd [retry_interval [max_retries]]]}
where the embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open)
connection is closed, between 0:0:5 and 1193:00:00. The default is 0:0:30. You can also set this value to
0, which means the connection never times out.
The tcp hh:mm:ss keyword sets the idle timeout between 0:5:0 and 1193:00:00. The default is 1:0:0. You
can also set this value to 0, which means the connection never times out. The reset keyword sends a reset
to TCP endpoints when the connection times out. The security appliance sends the reset packet only in
response to a host sending another packet for the timed-out flow (on the same source and destination
port). The host then removes the connection from its connection table after receiving the reset packet.
The host application can then attempt to establish a new connection using a SYN packet.
The half-closed hh:mm:ss keyword sets the idle timeout between 0:5:0 and 1193:00:00. The default is
0:10:0. Half-closed connections are not affected by DCD. Also, the security appliance does not send a
reset when taking down half-closed connections.
The dcd keyword enables DCD. DCD detects a dead connection and allows it to expire, without expiring
connections that can still handle traffic. You configure DCD when you want idle, but valid connections
to persist. After a TCP connection times out, the security appliance sends DCD probes to the end hosts
to determine the validity of the connection. If one of the end hosts fails to respond after the maximum
retries are exhausted, the security appliance frees the connection. If both end hosts respond that the
connection is valid, the security appliance updates the activity timeout to the current time and
reschedules the idle timeout accordingly. The retry-interval sets the time duration in hh:mm:ss format
to wait after each unresponsive DCD probe before sending another probe, between 0:0:1 and 24:0:0. The
default is 0:0:15. The max-retries sets the number of consecutive failed retries for DCD before declaring
the connection as dead. The minimum value is 1 and the maximum value is 255. The default is 5.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The command is combined onto one line in the running configuration.
Step 5 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface.
Only one global policy is allowed. Interface service policies take precedence over the global service
policy for a given feature. For example, if you have a global policy with inspections, and an interface
policy with TCP normalization, then both inspections and TCP normalization are applied to the
interface. However, if you have a global policy with inspections, and an interface policy with
inspections, then only the interface policy inspections are applied to that interface.
The following example sets the connection limits and timeouts for all traffic:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
hostname(config-pmap-c)# set connection timeout tcp 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
hostname(config-pmap-c)# service-policy CONNS interface outside
You can enter set connection commands with multiple parameters or you can enter each parameter as a
separate command. The security appliance combines the commands into one line in the running
configuration. For example, if you entered the following two commands in class configuration mode:
hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50
the output of the show running-config policy-map command would display the result of the two
commands in a single, combined command:
set connection conn-max 600 embryonic-conn-max 50
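The following Python simulation is an added example, not code from the Cisco guide, that plays the idle-timeout rules of the "Dead Connection Detection (DCD) Overview" section and of Step 4 against a single connection whose two end hosts either answer or ignore probes. The probe schedule (one probe round when the idle timer expires, then a retry every retry interval until max_retries consecutive retries have failed) is this example's reading of the text; the responder behaviour and the time horizon are constructed. The reset keyword is modelled as arming a RST for the next packet of the timed-out flow, which is what Step 4 says the appliance does.

```python
from dataclasses import dataclass
from typing import Callable, Optional


def hms(text: str) -> int:
    """Parse the guide's hh:mm:ss notation into seconds, e.g. '0:5:0' -> 300."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class TimeoutPolicy:
    """The set connection timeout knobs, with the guide's defaults."""
    tcp: int = hms("1:0:0")              # tcp hh:mm:ss idle timeout
    half_closed: int = hms("0:10:0")     # half-closed hh:mm:ss
    dcd: bool = False                    # dcd keyword present?
    retry_interval: int = hms("0:0:15")  # dcd retry interval
    max_retries: int = 5                 # dcd max_retries
    reset: bool = False                  # tcp ... reset keyword


@dataclass
class Outcome:
    freed_at: Optional[int]     # seconds after last activity; None = still up at horizon
    probes_sent: int            # DCD probe rounds (one round probes both hosts)
    rst_on_next_packet: bool    # reset keyword: a RST answers the next packet of the flow


def simulate(policy: TimeoutPolicy,
             host_answers: Callable[[int], bool],
             peer_answers: Callable[[int], bool],
             horizon: int,
             half_closed: bool = False) -> Outcome:
    """Advance one idle TCP connection from t=0 (its last real activity)."""
    if half_closed:
        # Half-closed connections are not probed by DCD and never draw a reset.
        t = policy.half_closed
        return Outcome(t if t <= horizon else None, 0, False)

    last_activity, probes = 0, 0
    while True:
        expiry = last_activity + policy.tcp
        if expiry > horizon:
            return Outcome(None, probes, False)
        if not policy.dcd:
            return Outcome(expiry, probes, policy.reset)  # plain idle timeout
        # DCD: probe both ends when the idle timer fires; retry on silence.
        now, failed_retries = expiry, 0
        while True:
            probes += 1
            if host_answers(now) and peer_answers(now):
                last_activity = now   # both valid: idle timeout rescheduled from now
                break
            if failed_retries == policy.max_retries:
                return Outcome(now, probes, policy.reset)  # declared dead, freed
            failed_retries += 1
            now += policy.retry_interval
            if now > horizon:
                return Outcome(None, probes, False)


def freed_after(policy: TimeoutPolicy) -> int:
    """Worst-case lifetime of a truly dead connection: the idle timeout plus
    max_retries retry intervals when DCD is on."""
    return policy.tcp + (policy.retry_interval * policy.max_retries if policy.dcd else 0)


if __name__ == "__main__":
    always = lambda t: True          # constructed responders
    never = lambda t: False
    dcd = TimeoutPolicy(tcp=hms("2:0:0"), dcd=True, reset=True)
    print(simulate(dcd, always, always, horizon=hms("24:0:0")))   # stays up all day
    print(simulate(dcd, always, never, horizon=hms("24:0:0")))    # freed at 7275 s
    print(simulate(TimeoutPolicy(), always, always, horizon=hms("24:0:0")))  # freed at 3600 s
```

Two things the simulation makes concrete that the prose leaves implicit: with the defaults a dead peer keeps its connection slot for the full idle timeout plus 75 seconds of probing (so DCD does not shorten cleanup, it only avoids dropping live idle sessions), and a half-closed connection is governed solely by the half-closed timer, with no probes and no reset regardless of the reset keyword.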
Preventing IP Spoofing
This section describes how to enable Unicast Reverse Path Forwarding on an interface. Unicast RPF
guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by
ensuring that all packets have a source IP address that matches the correct source interface according
to the routing table.
Normally, the security appliance only looks at the destination address when determining where to
forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this
is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security
appliance, the security appliance routing table must include a route back to the source address. See
RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route to satisfy the
Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known
to the routing table, the security appliance uses the default route to correctly identify the outside
interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated
with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the
inside interface from an unknown source address, the security appliance drops the packet because the
matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
• ICMP packets have no session, so each packet is checked.
• UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent
packets arriving during the session are checked using an existing state maintained as part of the
session. Non-initial packets are checked to ensure they arrived on the same interface used by the
initial packet.
To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name
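The check described in this section, written out as an added Python example (not the appliance's implementation): a longest-prefix routing table with a default route, a per-interface Unicast RPF switch equivalent to ip verify reverse-path, and the session rule for TCP and UDP versus per-packet checking for ICMP. The routes, interface names and packets are constructed to reproduce the four cases the text walks through.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class RoutingTable:
    def __init__(self, routes: List[Tuple[str, str]]):
        # (prefix, egress interface); 0.0.0.0/0 is the default route
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match: the interface a packet *to* addr would leave on."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


class UnicastRpf:
    """Per-interface 'ip verify reverse-path' with the session rule from the guide."""

    def __init__(self, table: RoutingTable, enabled_on: List[str]):
        self.table = table
        self.enabled = set(enabled_on)
        self.sessions: Dict[tuple, str] = {}   # 5-tuple -> ingress of the initial packet

    def reverse_path_ok(self, ingress: str, src: str) -> bool:
        # The route back to the source must point at the interface it arrived on.
        return self.table.lookup(src) == ingress

    def accept(self, ingress: str, proto: str, src: str, dst: str,
               sport: int = 0, dport: int = 0) -> bool:
        if ingress not in self.enabled:
            return True                      # uRPF not configured on this interface
        if proto == "icmp":
            return self.reverse_path_ok(ingress, src)   # no session: check every packet
        key = (proto, src, dst, sport, dport)
        if key in self.sessions:
            # Non-initial packets must use the interface the initial packet used.
            return self.sessions[key] == ingress
        if not self.reverse_path_ok(ingress, src):
            return False                     # initial packet: reverse route lookup fails
        self.sessions[key] = ingress
        return True


def build_example() -> UnicastRpf:
    """Constructed topology: 10.0.0.0/8 behind 'inside', everything else via 'outside'."""
    table = RoutingTable([("10.0.0.0/8", "inside"), ("0.0.0.0/0", "outside")])
    return UnicastRpf(table, enabled_on=["inside", "outside"])


if __name__ == "__main__":
    fw = build_example()
    print(fw.accept("outside", "icmp", "198.51.100.7", "10.1.1.1"))   # True: default route
    print(fw.accept("outside", "icmp", "10.2.3.4", "10.1.1.1"))       # False: inside address
    print(fw.accept("inside", "icmp", "172.16.9.9", "198.51.100.7"))  # False: unknown source
```

The default route is what makes the outside check permissive: any source the table does not know resolves to outside, so an unknown source on outside passes while the same source arriving on inside is dropped. Conversely a spoofed inside address arriving on outside is caught only because a more specific route for 10.0.0.0/8 exists; the check is only as good as the routing table.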
Configuring the Fragment Size
By default, the security appliance allows up to 24 fragments per IP packet, and up to 200 fragments
awaiting reassembly. You might need to allow fragments on your network if you have an application that
routinely fragments packets, such as NFS over UDP. However, if you do not have an application that
fragments traffic, we recommend that you do not allow fragments through the security appliance.
Fragmented packets are often used in DoS attacks. To disallow fragments, set the maximum number of
fragments per packet to 1, so that only unfragmented packets are accepted, by entering the following
command:
hostname(config)# fragment chain 1 [interface_name]
Enter an interface name if you want to disallow fragments on a specific interface only. By default, this
command applies to all interfaces.
Blocking Unwanted Connections
If you know that a host is attempting to attack your network (for example, system log messages show an
attack), then you can block (or shun) connections based on the source IP address and other identifying
parameters. No new connections can be made until you remove the shun.
Note If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections
automatically.
To shun a connection manually, perform the following steps:
Step 1 If necessary, view information about the connection by entering the following command:
hostname# show conn
The security appliance shows information about each connection, such as the following:
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
Step 2 To shun connections from the source IP address, enter the following command:
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
If you enter only the source IP address, then all future connections are shunned; existing connections
remain active.
To drop an existing connection, as well as blocking future connections from the source IP address, enter
the destination IP address, source and destination ports, and the protocol. By default, the protocol is 0
for IP.
For multiple context mode, you can enter this command in the admin context, and by specifying a
VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other
contexts.
Step 3 To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]
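As an added Python example, not code from the Cisco guide: parse show conn lines in the format shown in Step 1, count connections per remote address, and generate the full-form shun commands of Step 2 (the form that drops the existing connection as well as blocking new ones) for any address at or above a threshold. It assumes that the first endpoint on each line (the out side in the guide's sample) is the remote source to shun, and that the protocol argument takes the IP protocol number (6 for TCP, 17 for UDP), consistent with the guide's statement that the protocol defaults to 0 for IP. The sample output is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Matches the line format the guide shows for show conn:
#   TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<aif>\S+)\s+(?P<a>[\d.]+):(?P<aport>\d+)\s+"
    r"(?P<bif>\S+)\s+(?P<b>[\d.]+):(?P<bport>\d+)\s+idle\s+(?P<idle>\S+)\s+"
    r"bytes\s+(?P<bytes>\d+)(?:\s+flags\s+(?P<flags>\S+))?"
)

PROTO_NUM = {"TCP": 6, "UDP": 17}   # assumption: shun takes the IP protocol number


def parse_conn(line: str) -> Optional[Dict]:
    """Return the connection's fields, or None for lines that are not connections."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "src": d["a"], "src_port": int(d["aport"]), "src_if": d["aif"],
        "dst": d["b"], "dst_port": int(d["bport"]), "dst_if": d["bif"],
        "idle": d["idle"], "bytes": int(d["bytes"]), "flags": d["flags"] or "",
    }


def shun_commands(show_conn_output: str, threshold: int) -> List[str]:
    """One full-form shun per existing connection from any source with at least
    threshold connections; 'shun src dst sport dport protocol' also drops the
    live connection, whereas 'shun src' alone would leave it active."""
    conns = [c for c in map(parse_conn, show_conn_output.splitlines()) if c]
    per_src = Counter(c["src"] for c in conns)
    cmds = []
    for c in conns:
        if per_src[c["src"]] >= threshold:
            cmds.append(f"shun {c['src']} {c['dst']} {c['src_port']} "
                        f"{c['dst_port']} {PROTO_NUM[c['proto']]}")
    return cmds


def unshun_commands(cmds: List[str]) -> List[str]:
    """The matching 'no shun src_ip' lines, one per shunned source, to lift the block."""
    srcs: List[str] = []
    for cmd in cmds:
        src = cmd.split()[1]
        if src not in srcs:
            srcs.append(src)
    return [f"no shun {src}" for src in srcs]


# Constructed sample output in the guide's line format; not real device data.
SAMPLE = """\
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
TCP out 64.101.68.161:4301 in 10.86.194.60:22 idle 0:00:02 bytes 0 flags saA
TCP out 64.101.68.161:4302 in 10.86.194.61:23 idle 0:00:05 bytes 0 flags saA
UDP out 198.51.100.7:53 in 10.86.194.60:33501 idle 0:00:10 bytes 120 flags -
TCP out 198.51.100.7:51000 in 10.86.194.60:443 idle 0:00:01 bytes 8731 flags UIO
"""

if __name__ == "__main__":
    for cmd in shun_commands(SAMPLE, threshold=3):
        print(cmd)
```

Review the generated lines before pasting them into configuration mode: a shun is indiscriminate for the source address, so a threshold that is too low will block a busy legitimate peer, and the no shun lines are what you keep at hand to back the change out.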
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for a security appliance that does not have an AIP SSM.
It supports a basic list of signatures, and you can configure the security appliance to perform one or more
actions on traffic that matches a signature.
To enable IP audit, perform the following steps:
Step 1 To define an IP audit policy for informational signatures, enter the following command:
hostname(config)# ip audit name name info [action [alarm] [drop] [reset]]
Where alarm generates a system message showing that a packet matched a signature, drop drops the
packet, and reset drops the packet and closes the connection. If you do not define an action, then the
default action is to generate an alarm.
Step 2 To define an IP audit policy for attack signatures, enter the following command:
hostname(config)# ip audit name name attack [action [alarm] [drop] [reset]]
Where alarm generates a system message showing that a packet matched a signature, drop drops the
packet, and reset drops the packet and closes the connection. If you do not define an action, then the
default action is to generate an alarm.
Step 3 To assign the policy to an interface, enter the following command:
hostname(config)# ip audit interface interface_name policy_name
Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in
the Cisco Security Appliance Command Reference.
Chapter 24 Configuring QoS
Have you ever participated in a long-distance phone call that involved a satellite connection? The
conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the
time, called the latency, between the arrival of packets being transmitted over the network. Some network
traffic, such as voice and video, cannot tolerate long latency times. Quality of Service (QoS) is a feature
that lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bottlenecks
to prevent packet drops.
This chapter describes how to apply QoS policies, and includes the following sections:
• QoS Overview, page 24-1
• Creating the Standard Priority Queue for an Interface, page 24-5
• Identifying Traffic for QoS Using Class Maps, page 24-8
• Creating a Policy for Standard Priority Queueing and/or Policing, page 24-9
• Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing, page 24-11
• Viewing QoS Statistics, page 24-13
QoS Overview
You should consider that in an ever-changing network environment, QoS is not a one-time deployment,
but an ongoing, essential part of network design.
Note QoS is only available in single context mode.
This section describes the QoS features supported by the security appliance, and includes the following
topics:
• Supported QoS Features, page 24-2
• What is a Token Bucket?, page 24-2
• Policing Overview, page 24-3
• Priority Queueing Overview, page 24-3
• Traffic Shaping Overview, page 24-4
• DSCP and DiffServ Preservation, page 24-5
Supported QoS Features
The security appliance supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the
maximum bandwidth used per flow. See the “Policing Overview” section on page 24-3 for more
information.
• Priority queuing—For critical traffic that cannot tolerate latency, such as Voice over IP (VoIP), you
can identify traffic for Low Latency Queuing (LLQ) so that it is always transmitted ahead of other
traffic. See the “Priority Queueing Overview” section on page 24-3 for more information.