Chapter 8, IP Networking

This chapter provides seven scenarios showing CiscoONS15600SDH nodes in common IP network configurations. The chapter does not provide a comprehensive explanation of IP networking concepts and procedures.

Note

To set up ONS15600SDH nodes within an IP network, you must work with a LAN administrator or other individual at your site who has IP networking training and experience.

8.1 IP Networking Overview

ONS15600SDH nodes can be connected in many different ways within an IP environment:

•

You can connect ONS15600SDH nodes and LANs through direct connections or a router.

•

IP subnetting can create ONS15600SDH node groups, which allow you to provision nodes in a network that are connected using the data communications channel (DCC).

•

Different IP functions and protocols allow you to achieve specific network goals. For example, Proxy Address Resolution Protocol (ARP) enables one LAN-connected ONS15600SDH to serve as a gateway for ONS15600SDH nodes that are not connected to the LAN.

•

You can create static routes to enable connections among multiple Cisco Transport Controller (CTC) sessions with ONS15600SDH nodes that reside on the same subnet but have different destination IP addresses.

•

If ONS15600SDH nodes are connected to Open Shortest Path First (OSPF) networks, ONS15600SDH network information is automatically communicated across multiple LANs and WANs.

8.2 ONS 15600 SDH IP Addressing Scenarios

ONS15600SDH IP addressing generally has seven common scenarios or configurations. Use the scenarios as building blocks for more complex network configurations. Table8-1 provides a general list of items to check when setting up ONS15600SDH nodes in IP networks.

Table 8-1 General ONS 15600 SDH IP Troubleshooting Checklist
Item	What to Check
Link integrity	Verify that link integrity exists between: •CTC computer and network hub/switch •ONS15600SDH nodes (backplane ports or active Timing and Shelf Controller [TSC] port) and network hub/switch •Router ports and hub/switch ports
ONS15600SDH hub/switch ports	If connectivity problems occur, set the hub or switch port that is connected to the ONS15600SDH to 10 Mbps half-duplex.
Ping	Ping the node to test connections between computers and ONS15600SDH nodes.
IP addresses/subnet masks	Verify that ONS15600SDH IP addresses and subnet masks are set up correctly.
Optical connectivity	Verify that ONS15600SDH optical trunk ports are in service and that DCC is enabled on each trunk port.

8.2.1 Scenario 1: CTC and ONS 15600 SDH Nodes in the Same Subnet

Scenario 1 shows a basic ONS15600SDH LAN configuration ( Figure8-1). The ONS15600SDH nodes and CTC computer reside on the same subnet. All ONS15600SDH nodes connect to LAN A, and all ONS15600SDH nodes have DCC connections.

8.2.2 Scenario 2: CTC and ONS 15600 SDH Nodes Connected to Router

In Scenario 2, the CTC computer resides on a subnet (192.168.1.0) and attaches to LAN A ( Figure8-2). The ONS15600SDH nodes reside on a different subnet (192.168.2.0) and attach to LAN B. A router connects LAN A to LAN B. The IP address of router interface A is set to LAN A (192.168.1.1), and the IP address of router interface B is set to LAN B (192.168.2.1).

On the CTC computer, the default gateway is set to router interface A. If the LAN uses Dynamic Host Configuration Protocol (DHCP), the default gateway and IP address are assigned automatically. In the Figure8-2 example, a DHCP server is not available.

8.2.3 Scenario 3: Using Proxy ARP to Enable an ONS 15600 SDH Gateway

Scenario 3 is similar to Scenario 1, but only one ONS15600SDH (Node 1) connects to the LAN ( Figure8-3). Two ONS15600SDH nodes (Nodes 2 and 3) connect to Node 1 through the SDH DCC. Because all three ONS15600SDH nodes are on the same subnet, Proxy ARP enables Node 1 to serve as a gateway for Nodes 2 and 3.

Note

This scenario assumes that all CTC connections are to Node 1. If you connect a laptop to either Node 2 or Node 3, network partitioning will occur; neither the laptop or the CTC computer will be able to see all nodes. If you want laptops to connect directly to end network elements (ENEs), you will need to create static routes (see the "Scenario 5: Using Static Routes to Connect to LANs" section ) or enable the ONS15600SDH proxy server (see the "Scenario 7: Provisioning the ONS15600SDH Proxy Server" section ).

ARP matches higher-level IP addresses to the physical addresses of the destination host. It uses a lookup table (called the ARP cache) to perform the translation. When the address is not found in the ARP cache, a broadcast is sent out on the network with a special format called the ARP request. If one of the machines on the network recognizes its own IP address in the request, it sends an ARP reply back to the requesting host. The reply contains the physical hardware address of the receiving host. The requesting host stores this address in its ARP cache so that all subsequent datagrams (packets) to this destination IP address can be translated to a physical address.

Proxy ARP enables one LAN-connected ONS15600SDH to respond to the ARP request for ONS15600SDH nodes that are not connected to the LAN. (ONS15600SDH Proxy ARP requires no user configuration.) For this response to occur, the DCC-connected ONS15600SDH nodes must reside on the same subnet. When a LAN device sends an ARP request to an ONS15600SDH that is not connected to the LAN, the gateway ONS15600SDH returns its MAC address to the LAN device. The LAN device then sends the datagram for the remote ONS15600SDH to the MAC address of the proxy ONS15600SDH. The proxy ONS15600SDH uses its routing table to forward the datagram to the non-LAN ONS15600SDH.

8.2.4 Scenario 4: Default Gateway on CTC Computer

Scenario 4 is similar to Scenario 3, but Nodes 2 and 3 reside on different subnets, 192.168.2.0 and 192.168.3.0, respectively ( Figure8-4). Node 1 and the CTC computer are on subnet 192.168.1.0. For the CTC computer to communicate with Nodes 2 and 3, you would enter Node 1 as the default gateway on the CTC computer.

8.2.5 Scenario 5: Using Static Routes to Connect to LANs

•

To connect ONS15600SDH nodes to CTC sessions on one subnet connected by a router to ONS15600SDH nodes residing on another subnet. (These static routes are not needed if OSPF is enabled. Scenario 6 shows an OSPF example.)

•

To enable multiple CTC sessions among ONS15600SDH nodes residing on the same subnet.

In Figure8-5, one CTC residing on subnet 192.168.1.0 connects to a router through interface A. (The router is not set up with OSPF.) ONS15600SDH nodes residing on subnet 192.168.2.0 are connected through Node 1 to the router through interface B. To connect to CTC computers on LAN A, you would create a static route on Node 1.

The destination and subnet mask entries control access to the ONS15600SDH nodes:

•

If a single CTC computer will be connected to a router, enter the complete CTC host route IP address as the destination with a subnet mask of 255.255.255.255.

•

If CTC computers on a subnet are connected to a router, enter the destination subnet (in this example, 192.168.1.0) and a subnet mask of 255.255.255.0.

•

If all CTC computers are connected to router, enter a destination of 0.0.0.0 and a subnet mask of 0.0.0.0. Figure8-6 shows an example.

The IP address of router interface B is entered as the next hop (the next router that a packet traverses to reach its destination), and the cost (number of hops from source to destination) is 2.

8.2.6 Scenario 6: Using OSPF

OSPF is a link state Internet routing protocol. Link state protocols use a hello protocol to monitor their links with adjacent routers and to test their links with their neighbors. Link state protocols advertise their directly connected networks and their active links. Each link state router captures the link state advertisements (LSAs) and puts them together to create a topology of the entire network or area. From this database, the router calculates a routing table by constructing a shortest path tree. The router continuously recalculates to capture ongoing topology changes.

ONS15600SDH nodes use the OSPF protocol in internal ONS15600SDH networks for node discovery, circuit routing, and node management. You can enable OSPF on the ONS15600SDH nodes so that the ONS15600SDH topology is sent to OSPF routers on a LAN. Advertising the ONS15600SDH network topology to LAN routers means you do not need to manually enter static routes for ONS15600SDH subnetworks. Figure8-7 shows the same network enabled for OSPF. When you are logged into an ONS15600SDH node, CTC does not allow both a DCC interface and a LAN interface in the same nonzero OSPF area.

Figure8-8 shows the same network without OSPF. Static routes must be manually added to the router in order for CTC computers on LAN A to communicate with Nodes 2 and 3 because these nodes reside on different subnets.

OSPF divides networks into smaller regions, called areas. An area is a collection of networked end systems, routers, and transmission facilities organized by traffic patterns. Each OSPF area has a unique ID number, known as the area ID, that can range from 0 to 4,294,967,295. Every OSPF network has one backbone area called "area 0." All other OSPF areas must connect to area 0.

When you enable ONS15600SDH OSPF topology for advertising to an OSPF network, you must assign an OSPF area ID in decimal format to the ONS15600SDH network. Coordinate the area ID number assignment with your LAN administrator. All DCC-connected ONS15600SDH nodes should be assigned the same OSPF area ID.

The ONS15600SDH supports the multiple OSPF area feature, which allows the ability to configure and support multiple OSPF areas in each DCC-connected topology. A node is in a single OSPF area if all of its DCC or LAN interfaces are in the same OSPF area, while a node is in multiple OSPF areas if it has DCC or LAN interfaces in two or more OSPF areas. If the 15600SDH has interfaces (DCC or LAN) in multiple OSPF areas, at least one ONS15600SDH interface (DCC or LAN) must be in the backbone area 0.

If multiple ONS15600SDH nodes and routers are connected to the same LAN in OSPF backbone area0 and a link between two routers breaks, the backbone OSPF area 0 could divide into multiple gateway network elements (GNEs). If this occurs, the CTC session connected to Router 1 will not be able to communicate with the ONS15600SDH connected to Router 2. To resolve, you must repair the link between the routers or provide another form of redundancy in the network. This is standard behavior for an OSPF network.

Note

Cisco recommends limiting the number of link-state packets (LSPs) that will be forwarded over the DCC interfaces.

8.2.7 Scenario 7: Provisioning the ONS 15600 SDH Proxy Server

The ONS15600SDH proxy server is a set of functions that allows you to configure ONS15600SDH nodes in environments where visibility and accessibility between ONS15600SDH nodes and CTC computers must be restricted. For example, you can set up a network so that field technicians and network operating center (NOC) personnel can both access the same ONS15600SDH nodes while preventing the field technicians from accessing the NOC LAN. To do this, one ONS15600SDH is provisioned as a GNE and the other ONS15600SDH nodes are provisioned as ENEs. The GNE ONS15600SDH tunnels connections between CTC computers and ENE ONS15600SDH nodes, providing management capability while preventing access for non-ONS15600SDH management purposes.

•

Isolates DCC IP traffic from Ethernet (craft port) traffic and accepts packets based on filtering rules. The filtering rules (see Table8-3 and Table8-4) depend on whether the packet arrives at the ONS15600 SDH DCC or TSC Ethernet interface.

•

Monitors ARP request packets on its Ethernet port. If the ARP request is from an address that is not on the current subnet, the ONS15600SDH creates an entry in its ARP table. The ARP entry allows the ONS15600SDH to reply to an address over the local Ethernet so craft technicians can connect to ONS15600SDH nodes without changing the IP addresses of their computers.

•

Processes Simple Network Time Protocol/Network Time Protocol (SNTP/NTP) requests. Element ONS15600SDH NEs can derive time-of-day from an SNTP/NTP LAN server through the GNE ONS15600SDH.

•

Process SNMPv1 traps. The GNE ONS15600SDH receives SNMPv1 traps from the ENE ONS15600SDH nodes and forwards them to all provisioned SNMPv1 trap destinations.

The ONS15600SDH proxy server is provisioned using three check boxes on the Provisioning > Network > General tab (see Figure8-9):

•

Enable Proxy—When enabled, the ONS15600SDH serves as a proxy for connections between CTC clients and ONS15600SDH nodes that are DCC-connected to the proxy ONS15600SDH. The CTC client establishes connections to DCC-connected nodes through the proxy node. The CTC client can connect to nodes that it cannot directly reach from the host on which it runs. If Enable Proxy is off, the node does not proxy for any CTC clients, although any established proxy connections continue until the CTC client exits.

Note

If you launch CTC on a node through a network address translation (NAT) or port address translation (PAT) router and that node does not have proxy enabled, your CTC session will start as expected; however, CTC will never receive alarm updates and will disconnect and reconnect every two minutes. If the proxy is accidentally disabled, you can still enable the proxy during a reconnect cycle and recover your ability to manage the node, even through a NAT/PAT firewall.

•

Craft Access Only—When this option is enabled, the ONS15600SDH does not install or advertise default or static routes. CTC computers can communicate with the ONS15600SDH using the TSC craft port, but they cannot communicate directly with any other DCC-connected ONS15600SDH.

•

Enable Firewall—When this option is enabled, the node prevents IP traffic from being routed between the DCC and the LAN port. The ONS15600SDH can communicate with machines connected to the LAN port or connected through the DCC. However, the DCC-connected machines cannot communicate with the LAN-connected machines, and the LAN-connected machines cannot communicate with the DCC-connected machines. A CTC client using the LAN to connect to the firewall-enabled node can use the proxy capability to manage the DCC-connected nodes that would otherwise be unreachable. A CTC client connected to a DCC-connected node can only manage other DCC-connected nodes and the firewall itself.

Figure8-10 shows an ONS15600SDH proxy server implementation. A GNE ONS15600 is connected to a central office LAN and to ENE ONS15600SDH nodes. The central office LAN is connected to a NOC LAN, which has CTC computers. The NOC CTC computer and craft technicians must both be able to access the ONS15600SDH ENEs. However, the craft technicians must be prevented from accessing or seeing the NOC or central office LANs.

In the example, the ONS15600SDH GNE is assigned an IP address within the central office LAN and is physically connected to the LAN through its LAN port. ONS15600SDH ENEs are assigned IP addresses that are outside the central office LAN and given private network IP addresses. If the ONS15600SDH ENEs are colocated, the craft LAN ports could be connected to a hub. However, the hub should have no other network connections.

Figure 8-10 Scenario 7: ONS 15600 SDH Proxy Server with GNE and ENEs on the Same Subnet

Table8-2 shows recommended settings for ONS15600SDH GNEs and ENEs in the configuration shown in Figure8-10.

Table 8-2 ONS 15600 SDH Gateway and Element NE Settings
Setting	ONS 15600 SDH Gateway NE	ONS 15600 SDH Element NE
Craft Access Only	Off	On
Enable Proxy	On	On
Enable Firewall	On	On
OSPF	Off	Off
SNTP server (if used)	SNTP server IP address	Set to the ONS15600SDH GNE IP address.
SNMP (if used)	SNMPv1 trap destinations	Set SNMPv1 trap destinations to ONS15600 GNE, port 391.

Figure8-11 shows the same proxy server implementation with ONS15600SDH ENEs on different subnets. The ONS15600SDH GNEs and ENEs are provisioned with the settings shown in Table8-2.

Figure 8-11 Scenario 7: ONS 15600 SDH Proxy Server with GNE and ENEs on Different Subnets

Figure8-12 shows the Figure8-11 implementation with ONS15600SDH ENEs in multiple rings. The ONS15600 GNEs and ENEs are provisioned with the settings shown in Table8-2.

8.2.7.1 Firewall Enabled

Table8-3 shows the rules the ONS15600SDH users to filter packets when the firewall is enabled.

Table 8-3 Proxy Server Firewall Filtering Rules
Packets Arriving At:	Are Accepted if the IP Destination Address Is:
TSC Ethernet Interface	•The ONS15600SDH itself •The ONS15600SDH's subnet broadcast address •Within the 224.0.0.0/8 network (reserved network used for standard multicast messages) •Subnet mask = 255.255.255.255
DCC Interface	•The ONS15600SDH itself •Any destination connected through another DCC interface •Within the 224.0.0.0/8 network

The rules in Table8-4 are applied if a packet is addressed to the ONS15600SDH. Rejected packets are discarded.

Table 8-4 Proxy Server Firewall Filtering Rules When Packet Addressed to ONS 15600 SDH
Packets Arrive At:	Accepted	Rejected
TSC Ethernet Interface	•All user datagram protocol (UDP) packets except those in the Rejected column	•UDP packets addressed to the SNMP trap relay port (391)
DCC Interface	•All UDP packets •All TCP packets except those in the Rejected column •OSPF packets •Internet control message protocol (ICMP) packets	•TCP packets addressed to the Telnet port •TCP packets addressed to the proxy server port •All packets other than UDP, TCP, OSPF, and ICMP

If an ONS15600SDH or CTC computer resides behind a firewall that uses port filtering, you must enable an Internet Inter-ORB Protocol (IIOP) port on the ONS15600SDH and/or CTC computer, depending on whether one or both devices reside behind a firewall. You can enable an IIOP port on the Provisioning>Network>General tabs in CTC.

Figure8-13 shows ONS15600SDH nodes in a protected network and the CTC computer in an external network. For the computer to access the ONS15600SDH nodes, you must provision the IIOP listener port specified by your firewall administrator on the ONS15600SDH. The ONS15600SDH sends the port number to the CTC computer during the initial contact between the devices using HTTP. After the CTC computer obtains the ONS15600SDH IIOP port, the computer opens a direct session with the node using the specified IIOP port.

Figure8-14 shows a CTC computer and ONS15600SDH nodes behind firewalls. For the computer to access the ONS15600SDH, you must provision the IIOP port on the CTC computer and on the ONS15600SDH. Each firewall can use a different IIOP port. For example, if the CTC computer firewall uses IIOP port 4000 and the ONS15600SDH firewall uses IIOP port 5000, provision IIOP port 4000 for the CTC computer and provision IIOP port 5000 for the ONS15600SDH.

8.2.7.2 Proxy Server Implementation Guidelines

All DCC-connected ONS15600SDH nodes on the same Ethernet segment must have the same CraftAccessOnly setting in CTC. Mixed values will produce unpredictable results, and might leave some nodes unreachable through the shared Ethernet segment.

All DCC-connected ONS15600SDH nodes on the same Ethernet segment must have the same Enable Firewall setting in CTC. Mixed values will produce unpredictable results. Some nodes might become unreachable.

If you select Enable Firewall in CTC, always select Enable Proxy. If Enable Proxy is not selected, CTC will not be able to see nodes on the DCC side of the ONS15600SDH.

If Craft Access Only is enabled, select Enable Proxy. If Enable Proxy is not selected, CTC is not able to see nodes on the DCC side of the ONS15600SDH.

If nodes become unreachable in cases 1, 2, and 3, correct the setting by performing one of the following:

•

Disconnect the craft computer from the unreachable ONS15600SDH. Connect to the ONS15600SDH through another network ONS15600SDH that has a DCC connection to the unreachable ONS15600SDH.

•

Disconnect the Ethernet cable from the unreachable ONS15600SDH. Connect a CTC computer directly to the ONS15600SDH.

8.3 Routing Table

ONS15600SDH routing information appears on the Maintenance > Routing Table tabs ( Figure8-15). The routing table provides the following information:

•

Mask—Displays the subnet mask used to reach the destination host or network.

•

Gateway—Displays the IP address of the gateway used to reach the destination network or host.

–

pdcc—A section data communications channel (SDCC) interface, that is, an STM-N trunk (span) card identified as the SDCC termination (0 to 128).

–

motfcc0—Interface on the TSC that connect the TSC to all other cards except the other TSC.

–

hdlc0—Connects the two TSC cards together; traffic cards forward DCC packets over the motfcc0 Ethernet interface.

Table 8-5 Sample Routing Table Entries
Entry	Destination	Mask	Gateway	Interface
1	0.0.0.0	0.0.0.0	172.20.214.1	cpm0
2	172.20.214.0	255.255.255.0	172.20.214.92	cpm0
3	172.20.214.92	255.255.255.255	127.0.0.1	lo0
4	172.20.214.93	255.255.255.255	0.0.0.0	pdcc0
5	172.20.214.94	255.255.255.255	172.20.214.93	pdcc0

•

Destination (0.0.0.0) is the default route entry. All undefined destination network or host entries on this routing table will be mapped to the default route entry.

•

Gateway (172.20.214.1) is the default gateway address. All outbound traffic that cannot be found in this routing table or is not on the node's local subnet will be sent to this gateway.

•

Interface (cpm0) indicates that the ONS15600SDH Ethernet management interface is used to reach the gateway.

•

Mask (255.255.255.0) is a 24-bit mask, meaning all addresses within the 172.20.214.0 subnet can be destinations.

•

Gateway (172.20.214.92) is the gateway address. All outbound traffic belonging to this network is sent to this gateway.

•

Interface (cpm0) indicates that the ONS15600SDH Ethernet management interface is used to reach the gateway.

•

Mask (255.255.255.255) is a 32-bit mask, meaning only the 172.20.214.92 address is a destination.

•

Gateway (127.0.0.1) is a loopback address. The host directs network traffic to itself using this address.

•

Interface (lo0) indicates that the local loopback interface is used to reach the gateway.

•

Mask (255.255.255.255) is a 32-bit mask, meaning only the 172.20.214.93 address is a destination.

•

Gateway (0.0.0.0) means the destination host is directly attached to the node.

•

Interface (pdcc0) indicates that a SDH SDCC interface is used to reach the destination host.

Entry 5 shows a DCC-connected node that is accessible through a node that is not directly connected:

•

Mask (255.255.255.255) is a 32-bit mask, meaning only the 172.20.214.94 address is a destination.

•

Gateway (172.20.214.93) indicates that the destination host is accessed through a node with the IP address 172.20.214.93.

•

Interface (pdcc0) indicates that a SDH SDCC interface is used to reach the gateway.

Table Of Contents

IP Networking

8.1 IP Networking Overview

8.2 ONS 15600 SDH IP Addressing Scenarios

8.2.1 Scenario 1: CTC and ONS 15600 SDH Nodes in the Same Subnet

8.2.2 Scenario 2: CTC and ONS 15600 SDH Nodes Connected to Router

8.2.3 Scenario 3: Using Proxy ARP to Enable an ONS 15600 SDH Gateway

8.2.4 Scenario 4: Default Gateway on CTC Computer

8.2.5 Scenario 5: Using Static Routes to Connect to LANs

8.2.6 Scenario 6: Using OSPF

8.2.7 Scenario 7: Provisioning the ONS 15600 SDH Proxy Server

8.2.7.1 Firewall Enabled

8.2.7.2 Proxy Server Implementation Guidelines

8.3 Routing Table