
Table Of Contents

Security and Timing

Users and Security

Security Requirements

Initial Login

Concurrent Logins

User Audit Trail

Node Timing

Network Timing Example

Synchronization Status Messaging

Security and Timing


This chapter provides information about Cisco ONS 15600 SDH user security and timing. To provision security and timing, refer to the Cisco ONS 15600 SDH Procedure Guide.

Chapter topics include:

Users and Security

Node Timing

5.1  Users and Security

Each ONS 15600 SDH permits up to 500 Cisco Transport Controller (CTC) or TL1 user IDs. A user ID is assigned one of the following security levels:

Superuser—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.

Provisioning—Users can access provisioning and maintenance options.

Maintenance—Users can access only the ONS 15600 SDH maintenance options.

Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.

5.1.1  Security Requirements

Table 5-1 shows the actions that each security level allows in node view. An X marks an action that the security level can perform.

Table 5-1 ONS 15600 SDH Security Levels—Node View

CTC Tab       Subtab            Actions                                      Retrieve   Maintenance  Provisioning  Superuser
Alarms        -                 Synchronize, filter, and delete alarms       X          X            X             X
Conditions    -                 Retrieve and filter                          X          X            X             X
History       Session           Filter                                       X          X            X             X
History       Node              Retrieve and filter alarms/events            X          X            X             X
Circuits      Circuits          Create/delete/edit/filter/search/roll        -          -            X             X
Circuits      Roll              Complete circuits in the roll pending state  -          -            X             X
Provisioning  General           Edit                                         -          -            X             X
Provisioning  Network           All                                          -          -            -             X
Provisioning  Protection        Create/delete/edit                           -          -            X             X
Provisioning  Protection        Browse groups                                X          X            X             X
Provisioning  MS-SPRing (1)     All (MS-SPRing)                              -          -            X             X
Provisioning  Security          Create/delete                                -          -            -             X
Provisioning  Security          Change password                              Same user  Same user    Same user     All users
Provisioning  SNMP (2)          Create/delete/edit                           -          -            -             X
Provisioning  SNMP              Browse trap destinations                     X          X            X             X
Provisioning  DCC/GCC (3)       Create/edit/delete                           -          -            -             X
Provisioning  Timing            Edit                                         -          -            X             X
Provisioning  Alarm Behavior    Edit                                         -          -            X             X
Provisioning  Alarm Extenders   Edit                                         -          -            X             X
Inventory     -                 Delete                                       -          -            X             X
Inventory     -                 Hard-reset                                   -          X            X             X
Maintenance   Database          Backup/restore                               -          -            -             X
Maintenance   Protection        Switch/lock out operations                   -          X            X             X
Maintenance   Diagnostic        Retrieve                                     -          X            X             X
Maintenance   MS-SPRing         MS-SPRing maintenance                        -          -            X             X
Maintenance   Software          Download/upgrade/activate/revert             -          -            -             X
Maintenance   Timing            Edit                                         -          X            X             X
Maintenance   Audit             Retrieve                                     -          -            -             X
Maintenance   Routing Table     Retrieve                                     X          X            X             X
Maintenance   Test Access       Read only                                    X          X            X             X
Maintenance   Alarm Extenders   Read only                                    X          X            X             X
Maintenance   Preferred Copy    Edit                                         -          -            X             X

1 MS-SPRing = Multiplex Section-Shared Protection Ring
2 SNMP = Simple Network Management Protocol
3 DCC/GCC = Data Communication Channel / General Communication Channel


Table 5-2 shows the actions that each user privilege level can perform in network view. An X marks an action that the security level can perform.

Table 5-2 ONS 15600 SDH Security Levels—Network View

CTC Tab       Subtab             Actions                                      Retrieve  Maintenance  Provisioning  Superuser
Alarms        -                  Synchronize/filter/delete cleared alarms     X         X            X             X
Conditions    -                  Retrieve/filter                              X         X            X             X
History       -                  Filter                                       X         X            X             X
Circuits      Circuits           Create/delete/edit/filter/search/roll        -         -            X             X
Circuits      Roll               Complete circuits in the roll pending state  -         -            X             X
Provisioning  Security           Users tab: create/change/delete              -         -            -             X
Provisioning  Security           Active logins tab: logout                    -         -            -             X
Provisioning  Security           Policy tab: change                           -         -            -             X
Provisioning  Alarm Profiles     Load/store/delete                            -         -            X             X
Provisioning  Alarm Profiles     Compare/available/usage                      -         X            X             X
Provisioning  MS-SPRing          All (MS-SPRing)                              -         -            X             X
Provisioning  Overhead Circuits  Edit                                         -         -            X             X
Maintenance   Software           Download                                     -         -            X             X


5.1.2  Initial Login

When you log into an ONS 15600 SDH for the first time, you use the CISCO15 user ID, which is provided with every ONS 15600 SDH system. You can use the CISCO15 ID, which has Superuser privileges, to create other ONS 15600 SDH user IDs. For detailed instructions on creating users, refer to the Cisco ONS 15600 SDH Procedure Guide.


Note When creating a user, a Superuser must add the same user ID and password to each node that a user will access.


5.1.3  Concurrent Logins

Concurrent user ID sessions are allowed on a node, which means that multiple users can log into a node using the same user ID. For example, two or more users can log into a node with the CISCO15 user ID. The default setting is to allow concurrent user ID sessions. If the Superuser provisions a user ID to be active for a single occurrence only, concurrent logins with that user ID are not allowed. A Superuser sets a user ID as single occurrence on the Provisioning > Security > Policy tabs, Single Session per User check box.

5.1.3.1  Idle User Timeout

Each ONS 15600 SDH CTC or TL1 user has a specified amount of time to leave the system idle before the CTC window locks. The CTC lockouts prevent unauthorized users from making changes. Higher-level users have shorter idle times and lower-level users have longer or unlimited default idle periods, as shown in Table 5-3. Superusers can change user idle times on the Provisioning > Security > Policy tabs.

Table 5-3 ONS 15600 SDH User Idle Times

Security Level   Idle Time
Superuser        15 minutes
Provisioning     30 minutes
Maintenance      60 minutes
Retrieve         Unlimited


5.1.3.2  Superuser Password and Login Privileges

A Superuser can perform ONS 15600 SDH user creation and management tasks from the network or node (default login) view. In network view, a Superuser can add, edit, or delete users from multiple nodes at one time. In node view, a Superuser can only add, edit, or delete users from that node.

Superuser password and login privilege criteria include:

Privilege level—A Superuser can change the privilege level (such as Maintenance or Provisioning) of a user ID while the user is logged in. The change will become effective the next time the user logs in and will apply to all nodes within the network.

Login visibility—Superusers can view real-time lists of users who are logged into a node (both CTC and TL1 logins) by retrieving a list of logins by node. A Superuser can also log out an active user.

Password expiration and reuse settings—Superusers provision password reuse periods (the number of days before a user can reuse a password) and reuse intervals (the number of passwords a user must generate before reusing a password).

User lockout settings—A Superuser can manually lock out or unlock a user ID.

Invalid login attempts—A Superuser sets the number of invalid login attempts a user can make before the user ID is locked out. Additionally, the Superuser sets the time interval the user ID is locked out after the user reaches the login attempt limit.
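As an added illustration (not code from the Cisco manual), the following Python models the policies described in this section together with the idle times of Table 5-3: per-level idle timeouts, lockout after a provisioned number of invalid login attempts, and the password reuse period and reuse interval. The threshold values and passwords are constructed samples; the ONS 15600 SDH defaults for them are not given on this page.

```python
import hashlib

MINUTE, DAY = 60, 86400  # durations in seconds
# Default idle times from Table 5-3; None means unlimited (Retrieve level).
IDLE_TIMEOUT = {"Superuser": 15 * MINUTE, "Provisioning": 30 * MINUTE,
                "Maintenance": 60 * MINUTE, "Retrieve": None}

def session_locked(level: str, last_activity: float, now: float) -> bool:
    """True when the CTC window should lock: the level's idle time has elapsed."""
    limit = IDLE_TIMEOUT[level]
    return limit is not None and now - last_activity >= limit

class UserPolicy:
    """Per-user state for the lockout and password-reuse rules a Superuser provisions (sample thresholds)."""
    def __init__(self, max_attempts: int, lockout: float, reuse_days: int, reuse_interval: int):
        self.max_attempts = max_attempts      # invalid logins allowed before the ID is locked
        self.lockout = lockout                # seconds the user ID stays locked out
        self.reuse_days = reuse_days          # reuse period: days before a password may return
        self.reuse_interval = reuse_interval  # passwords to generate before reusing one
        self.failures = 0
        self.locked_until = None              # float timestamp once the ID is locked
        self.history = []                     # list of (password digest, time it was set)

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def login(self, credentials_ok: bool, now: float) -> bool:
        """Record one login attempt; returns True only when the login is accepted."""
        if self.is_locked(now):
            return False                      # a locked-out ID is refused even with valid credentials
        if credentials_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout  # lock for the provisioned interval
            self.failures = 0
        return False

    def set_password(self, password: str, now: float) -> bool:
        """Apply the reuse interval and reuse period; returns False when rejected."""
        # Unsalted SHA-256 keeps the example short; a real history store would salt and stretch.
        digest = hashlib.sha256(password.encode()).hexdigest()
        recent = self.history[-self.reuse_interval:] if self.reuse_interval else []
        if any(d == digest for d, _ in recent):
            return False                      # still among the last N passwords
        if any(d == digest and now - t < self.reuse_days * DAY for d, t in self.history):
            return False                      # reused before the reuse period elapsed
        self.history.append((digest, now))
        return True
```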

5.1.4  User Audit Trail

The ONS 15600 SDH maintains an audit trail of user actions such as login, logout, and circuit creation or deletion. You can move the log to a local or network drive for later review. The audit log can hold up to 640 entries. The ONS 15600 SDH generates an event to indicate when the log is 80 percent full and another event to indicate that the oldest log entries are being overwritten. To offload the audit log, refer to the Cisco ONS 15600 SDH Procedure Guide.

5.2  Node Timing

SDH timing parameters must be set for each ONS 15600 SDH node. Each ONS 15600 SDH independently accepts its timing reference from one of three sources:

The building integrated timing supply (BITS) pins on the customer access panel (CAP).

A port on an STM-N card installed in the ONS 15600 SDH. The timing is traceable to a node that receives timing through a BITS source.

The internal Stratum 3E clock (ST3E) on the TSC card.

You can set ONS 15600 SDH timing to one of two modes: external or line. If the timing comes from BITS, set ONS 15600 SDH timing to external. If the timing comes from an STM-N port, set the timing to line. In typical ONS 15600 SDH networks:

One node is set to external. The external node derives its timing from a BITS source wired to the BITS backplane pins. The BITS source, in turn, derives its timing from a primary reference source (PRS), such as a Stratum 1 clock or global positioning satellite (GPS) signal.

Other nodes are set to line. The line nodes derive timing from the externally timed node through the STM-N trunk cards.

You can set three timing references for each ONS 15600 SDH. The first two references are typically two BITS-level sources, or two line-level sources optically traceable to a node with a BITS source. The third reference is the internal ST3E clock provided on every ONS 15600 SDH TSC card. If an ONS 15600 SDH becomes isolated, the TSC maintains timing at the ST3E level.

5.2.1  Network Timing Example

Figure 5-1 shows an ONS 15600 SDH network timing example. Node 1 is set to external timing. Two timing references are Stratum 1 timing sources wired to the BITS input pins on the Node 1 backplane. The third reference is set to internal clock.

In the example, Slots 11 and 12 of Node 1 contain the trunk (span) cards. Timing at Nodes 2, 3, and 4 is set to line, and the timing references are set to the trunk cards according to the distance from the BITS source. Reference 1 is set to the trunk card closest to the BITS source. At Node 2, Reference 1 is Slot 11/Port 1 because it is connected to Node 1. At Node 4, Reference 1 is set to Slot 12/Port 1 because it is connected to Node 1. At Node 3, Reference 1 could be either trunk card because they are an equal distance from Node 1.

Figure 5-1 ONS 15600 SDH Timing Example

5.2.2  Synchronization Status Messaging

Synchronization status messaging (SSM) is an SDH protocol that communicates information about the quality of the timing source. SSM messages are carried on the S1 byte of the SDH MS layer. They enable SDH devices to automatically select the highest quality timing reference and to avoid timing loops.

If you enable SSM for the ONS 15600 SDH, consult your timing reference documentation to determine which message set to use. Table 5-4 lists the SSM message set.

Table 5-4 SDH SSM Message Set

Message   Quality   Description
G811      1         Primary reference clock
STU       2         Sync traceability unknown
G812T     3         Transit node clock traceable
G812L     4         Local node clock traceable
SETS      5         Synchronous equipment
DUS       6         Do not use for timing synchronization
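As an added example rather than text from the manual, this Python models the reference selection and loop avoidance that SSM enables: it decodes the S1 low-nibble codes (values from ITU-T G.707) onto the quality ranking of Table 5-4, picks the best usable reference in provisioned order, falls back to the internal ST3E, and returns DUS toward the port a node is timed from. Reference names such as Slot11/Port1 follow the Figure 5-1 discussion and are constructed; treating the internal ST3E as SETS quality is an assumption.

```python
# S1-byte synchronization status codes (low nibble, ITU-T G.707) mapped onto the
# quality ranking of Table 5-4 (1 = best). Reference names used below are constructed.
SSM_BY_CODE = {
    0b0000: ("STU", 2),    # sync traceability unknown
    0b0010: ("G811", 1),   # primary reference clock
    0b0100: ("G812T", 3),  # transit node clock traceable
    0b1000: ("G812L", 4),  # local node clock traceable
    0b1011: ("SETS", 5),   # synchronous equipment
    0b1111: ("DUS", 6),    # do not use for timing synchronization
}
CODE_BY_QUALITY = {q: code for code, (_, q) in SSM_BY_CODE.items()}
DUS_CODE = 0b1111
# Assumption: the TSC card's internal ST3E clock is reported at SETS level.
INTERNAL_ST3E_QUALITY = 5


def decode_s1(s1: int):
    """Decode the SSM from a received S1 byte; codes G.707 leaves unassigned count as DUS."""
    return SSM_BY_CODE.get(s1 & 0x0F, ("DUS", 6))


def select_reference(refs, failed=frozenset()):
    """Choose the timing reference a line-timed node should lock to.

    refs is the provisioned list [(reference_name, received_s1_byte), ...] for
    Reference 1 and Reference 2; failed names the references whose signal is lost.
    The best (lowest) quality wins, ties go to the earlier reference, DUS and failed
    references are skipped, and the internal ST3E is the fallback third reference."""
    chosen = None
    for name, s1 in refs:
        if name in failed:
            continue
        msg, quality = decode_s1(s1)
        if msg == "DUS":
            continue
        if chosen is None or quality < chosen[1]:
            chosen = (name, quality)
    return chosen or ("ST3E", INTERNAL_ST3E_QUALITY)


def outgoing_s1(port: str, chosen: str, quality: int) -> int:
    """S1 low nibble to transmit on a trunk port: DUS back toward the port we are
    timed from, so the neighbour never times from us (loop avoidance); otherwise the
    quality we are currently locked to, so downstream nodes can rank us correctly."""
    if port == chosen:
        return DUS_CODE
    return CODE_BY_QUALITY.get(quality, DUS_CODE)
```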




Posted: Thu Feb 26 17:38:27 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.