Security and Timing
This chapter provides information about Cisco ONS 15600 SDH user security and timing. To provision security and timing, refer to the Cisco ONS 15600 SDH Procedure Guide.
Chapter topics include:
5.1 Users and Security
Each ONS 15600 SDH permits up to 500 Cisco Transport Controller (CTC) or TL1 user IDs. A user ID is assigned one of the following security levels:
• Superuser—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.
• Provisioning—Users can access provisioning and maintenance options.
• Maintenance—Users can access only the ONS 15600 SDH maintenance options.
• Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.
5.1.1 Security Requirements
Table 5-1 shows the actions that each security level allows in node view.
Table 5-1 ONS 15600 SDH Security Levels—Node View

CTC Tab      | Subtab           | Actions                                      | Retrieve  | Maintenance | Provisioning | Superuser
-------------|------------------|----------------------------------------------|-----------|-------------|--------------|----------
Alarms       | —                | Synchronize, filter, and delete alarms       | X         | X           | X            | X
Conditions   | —                | Retrieve and filter                          | X         | X           | X            | X
History      | Session          | Filter                                       | X         | X           | X            | X
History      | Node             | Retrieve and filter alarms/events            | X         | X           | X            | X
Circuits     | Circuits         | Create/delete/edit/filter/search/roll        | —         | —           | X            | X
Circuits     | Roll             | Complete circuits in the roll pending state  | —         | —           | X            | X
Provisioning | General          | Edit                                         | —         | —           | X            | X
Provisioning | Network          | All                                          | —         | —           | —            | X
Provisioning | Protection       | Create/delete/edit                           | —         | —           | X            | X
Provisioning | Protection       | Browse groups                                | X         | X           | X            | X
Provisioning | MS-SPRing (1)    | All (MS-SPRing)                              | —         | —           | X            | X
Provisioning | Security         | Create/delete                                | —         | —           | —            | X
Provisioning | Security         | Change password                              | Same user | Same user   | Same user    | All users
Provisioning | SNMP (2)         | Create/delete/edit                           | —         | —           | —            | X
Provisioning | SNMP             | Browse trap destinations                     | X         | X           | X            | X
Provisioning | DCC/GCC (3)      | Create/edit/delete                           | —         | —           | —            | X
Provisioning | Timing           | Edit                                         | —         | —           | X            | X
Provisioning | Alarm Behavior   | Edit                                         | —         | —           | X            | X
Provisioning | Alarm Extenders  | Edit                                         | —         | —           | X            | X
Inventory    | —                | Delete                                       | —         | —           | X            | X
Inventory    | —                | Hard-reset                                   | —         | X           | X            | X
Maintenance  | Database         | Backup/restore                               | —         | —           | —            | X
Maintenance  | Protection       | Switch/lock out operations                   | —         | X           | X            | X
Maintenance  | Diagnostic       | Retrieve                                     | —         | X           | X            | X
Maintenance  | MS-SPRing        | MS-SPRing maintenance                        | —         | —           | X            | X
Maintenance  | Software         | Download/upgrade/activate/revert             | —         | —           | —            | X
Maintenance  | Timing           | Edit                                         | —         | X           | X            | X
Maintenance  | Audit            | Retrieve                                     | —         | —           | —            | X
Maintenance  | Routing Table    | Retrieve                                     | X         | X           | X            | X
Maintenance  | Test Access      | Read only                                    | X         | X           | X            | X
Maintenance  | Alarm Extenders  | Read only                                    | X         | X           | X            | X
Maintenance  | Preferred Copy   | Edit                                         | —         | —           | X            | X

(1) MS-SPRing = Multiplex Section-Shared Protection Ring
(2) SNMP = Simple Network Management Protocol
(3) DCC/GCC = Data Communication Channel / General Communication Channel
Table 5-2 shows the actions that each user privilege level can perform in network view.
5.1.2 Initial Login
When you log into an ONS 15600 SDH for the first time, you use the CISCO15 user ID, which is provided with every ONS 15600 SDH system. You can use the CISCO15 ID, which has Superuser privileges, to create other ONS 15600 SDH user IDs. For detailed instructions on creating users, refer to the Cisco ONS 15600 SDH Procedure Guide.
Note: When creating a user, a Superuser must add the same user ID and password to each node that a user will access.
5.1.3 Concurrent Logins
Concurrent user ID sessions are allowed on a node, which means that multiple users can log into a node using the same user ID. For example, two or more users can log into a node with the CISCO15 user ID. The default setting is to allow concurrent user ID sessions. If the Superuser provisions a user ID to be active for a single occurrence only, concurrent logins with that user ID are not allowed. A Superuser sets a user ID as single occurrence on the Provisioning > Security > Policy tabs, Single Session per User check box.
5.1.3.1 Idle User Timeout
Each ONS 15600 SDH CTC or TL1 user has a specified amount of time to leave the system idle before the CTC window locks. The CTC lockouts prevent unauthorized users from making changes. Higher-level users have shorter idle times and lower-level users have longer or unlimited default idle periods, as shown in Table 5-3. Superusers can change user idle times on the Provisioning > Security > Policy tabs.
Table 5-3 ONS 15600 SDH User Idle Times

Security Level | Idle Time
---------------|-----------
Superuser      | 15 minutes
Provisioning   | 30 minutes
Maintenance    | 60 minutes
Retrieve       | Unlimited
5.1.3.2 Superuser Password and Login Privileges
A Superuser can perform ONS 15600 SDH user creation and management tasks from the network or node (default login) view. In network view, a Superuser can add, edit, or delete users from multiple nodes at one time. In node view, a Superuser can only add, edit, or delete users from that node.
Superuser password and login privilege criteria include:
• Privilege level—A Superuser can change the privilege level (such as Maintenance or Provisioning) of a user ID while the user is logged in. The change will become effective the next time the user logs in and will apply to all nodes within the network.
• Login visibility—Superusers can view real-time lists of users who are logged into a node (both CTC and TL1 logins) by retrieving a list of logins by node. A Superuser can also log out an active user.
• Password expiration and reuse settings—Superusers provision password reuse periods (the number of days before a user can reuse a password) and reuse intervals (the number of passwords a user must generate before reusing a password).
• User lockout settings—A Superuser can manually lock out or unlock a user ID.
• Invalid login attempts—A Superuser sets the number of invalid login attempts a user can make before the user ID is locked out. Additionally, the Superuser sets the time interval the user ID is locked out after the user reaches the login attempt limit.
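As an added illustration (not Cisco code and not the node's actual implementation), the following Python model enforces the policy elements described in sections 5.1.3 through 5.1.3.2 together: the Single Session per User setting, the per-level idle timeouts of Table 5-3, manual lockout, and invalid-attempt lockout with a lockout interval. The attempt limit and lockout interval are constructed values; this page does not give the node's defaults.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default idle times from Table 5-3, in minutes; None means unlimited.
IDLE_TIMEOUT_MIN = {"Superuser": 15, "Provisioning": 30,
                    "Maintenance": 60, "Retrieve": None}

@dataclass
class User:
    level: str
    password: str                        # plaintext only in this toy model
    invalid_attempts: int = 0
    locked_until: Optional[int] = None   # minute at which a lockout expires
    manual_lockout: bool = False         # set or cleared by a Superuser
    sessions: dict = field(default_factory=dict)  # session id -> last activity

class NodePolicy:
    """Provisioning > Security > Policy settings of one node. The attempt
    limit and lockout interval are constructed values, not device defaults."""

    def __init__(self, single_session=False, max_attempts=3, lockout_min=10):
        self.single_session = single_session   # Single Session per User box
        self.max_attempts = max_attempts
        self.lockout_min = lockout_min
        self.users = {}                        # user id -> User

    def login(self, uid, password, sid, now):
        u = self.users[uid]
        if u.manual_lockout or (u.locked_until is not None and now < u.locked_until):
            return "LOCKED"
        if password != u.password:
            u.invalid_attempts += 1
            if u.invalid_attempts >= self.max_attempts:
                u.invalid_attempts = 0          # limit reached: lock the ID
                u.locked_until = now + self.lockout_min
                return "LOCKED"
            return "INVALID"
        if self.single_session and u.sessions:
            return "SESSION_EXISTS"             # concurrent login refused
        u.invalid_attempts, u.locked_until = 0, None
        u.sessions[sid] = now
        return "OK"

    def activity(self, uid, sid, now):
        self.users[uid].sessions[sid] = now     # any CTC/TL1 action resets idle

    def is_idle_locked(self, uid, sid, now):
        # True when this session's CTC window should be locked (Table 5-3).
        limit = IDLE_TIMEOUT_MIN[self.users[uid].level]
        return limit is not None and now - self.users[uid].sessions[sid] >= limit
```

A Retrieve user is never idle-locked because its Table 5-3 entry is Unlimited, which is why lower-level sessions are the ones most worth reviewing in the login list.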
5.1.4 User Audit Trail
The ONS 15600 SDH maintains an audit trail of user actions such as login, logout, and circuit creation or deletion. You can move the log to a local or network drive for later review. The audit log can hold up to 640 entries. The ONS 15600 SDH generates an event to indicate when the log is 80 percent full and another event to indicate that the oldest log entries are being overwritten. To offload the audit log, refer to the Cisco ONS 15600 SDH Procedure Guide.
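To show why the 80 percent event matters operationally, here is an added Python model (not Cisco code) of a 640-entry audit trail that raises an event at 80 percent full and another when the oldest entries start being overwritten; entries written after that point silently displace the oldest ones until the log is offloaded. The event names are constructed, not the node's own.

```python
from collections import deque

class AuditLog:
    """Fixed-size audit trail as described in 5.1.4: 640 entries, an event at
    80 percent full, and an event when the oldest entries start being
    overwritten. Event names here are constructed, not the node's own."""

    def __init__(self, capacity=640, warn_fraction=0.8):
        self.capacity = capacity
        self.warn_at = int(capacity * warn_fraction)
        self.entries = deque(maxlen=capacity)   # oldest entry drops when full
        self.overwritten = 0                    # entries lost since last offload
        self._warned = self._overwrite_reported = False

    def record(self, user, action, now):
        """Append one entry; return the list of events raised by this write."""
        events = []
        if len(self.entries) == self.capacity:
            self.overwritten += 1
            if not self._overwrite_reported:
                events.append("AUDIT-LOG-OVERWRITE")
                self._overwrite_reported = True
        self.entries.append((now, user, action))
        if len(self.entries) >= self.warn_at and not self._warned:
            events.append("AUDIT-LOG-80-PERCENT")
            self._warned = True
        return events

    def offload(self):
        """Hand the log to external storage (here: the caller) and reset."""
        dumped = list(self.entries)
        self.entries.clear()
        self.overwritten = 0
        self._warned = self._overwrite_reported = False
        return dumped
```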
5.2 Node Timing
SDH timing parameters must be set for each ONS 15600 SDH node. Each ONS 15600 SDH independently accepts its timing reference from one of three sources:
• The building integrated timing supply (BITS) pins on the customer access panel (CAP).
• A port on an STM-N card installed in the ONS 15600 SDH. The timing is traceable to a node that receives timing through a BITS source.
• The internal Stratum 3E clock (ST3E) on the TSC card.
You can set ONS 15600 SDH timing to one of two modes: external or line. If the timing comes from BITS, set ONS 15600 SDH timing to external. If the timing comes from an STM-N port, set the timing to line. In typical ONS 15600 SDH networks:
• One node is set to external. The external node derives its timing from a BITS source wired to the BITS backplane pins. The BITS source, in turn, derives its timing from a primary reference source (PRS), such as a Stratum 1 clock or global positioning satellite (GPS) signal.
• Other nodes are set to line. The line nodes derive timing from the externally timed node through the STM-N trunk cards.
You can set three timing references for each ONS 15600 SDH. The first two references are typically two BITS-level sources, or two line-level sources optically traceable to a node with a BITS source. The third reference is the internal ST3E clock provided on every ONS 15600 SDH TSC card. If an ONS 15600 SDH becomes isolated, the TSC maintains timing at the ST3E level.
5.2.1 Network Timing Example
Figure 5-1 shows an ONS 15600 SDH network timing example. Node 1 is set to external timing. Two timing references are Stratum 1 timing sources wired to the BITS input pins on the Node 1 backplane. The third reference is set to internal clock.
In the example, Slots 11 and 12 of Node 1 contain the trunk (span) cards. Timing at Nodes 2, 3, and 4 is set to line, and the timing references are set to the trunk cards according to the distance from the BITS source. Reference 1 is set to the trunk card closest to the BITS source. At Node 2, Reference 1 is Slot 11/Port 1 because it is connected to Node 1. At Node 4, Reference 1 is set to Slot 12/Port 1 because it is connected to Node 1. At Node 3, Reference 1 could be either trunk card because they are an equal distance from Node 1.
Figure 5-1 ONS 15600 SDH Timing Example
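As an added example (not part of the Cisco document), this Python code applies the Reference 1/2/3 rule of the Figure 5-1 example to the four-node ring: each line-timed node's two trunk ports are ranked by the hop distance of the far-end node from the externally timed Node 1, and the third reference is always the internal ST3E clock. The Node 1 ports are from the text; the trunk slot assignments at Nodes 2, 3 and 4 are assumptions.

```python
from collections import deque

# Constructed Figure 5-1 ring. Each trunk is ((node, port), (node, port)).
# Node 1's Slot 11 and Slot 12 ports are from the text; the slots used at
# Nodes 2, 3 and 4 are assumptions.
TRUNKS = [
    (("Node 1", "Slot 11/Port 1"), ("Node 2", "Slot 11/Port 1")),
    (("Node 1", "Slot 12/Port 1"), ("Node 4", "Slot 12/Port 1")),
    (("Node 2", "Slot 12/Port 1"), ("Node 3", "Slot 11/Port 1")),
    (("Node 4", "Slot 11/Port 1"), ("Node 3", "Slot 12/Port 1")),
]
EXTERNAL_NODE = "Node 1"      # the one node timed from BITS
INTERNAL_REF = "Internal (ST3E)"

def neighbours(trunks):
    """Map node -> list of (local port, far-end node)."""
    adj = {}
    for (a, pa), (b, pb) in trunks:
        adj.setdefault(a, []).append((pa, b))
        adj.setdefault(b, []).append((pb, a))
    return adj

def hop_distances(adj, source):
    """Breadth-first hop count from the externally timed node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        n = queue.popleft()
        for _, far in adj[n]:
            if far not in dist:
                dist[far] = dist[n] + 1
                queue.append(far)
    return dist

def timing_references(trunks, external=EXTERNAL_NODE):
    """Return {node: [Ref 1, Ref 2, Ref 3]} for each line-timed node.
    Ref 1 is the trunk port whose far end is closest to the BITS source;
    equidistant ports (Node 3) are an arbitrary choice, as the text says."""
    adj = neighbours(trunks)
    dist = hop_distances(adj, external)
    refs = {}
    for node, ports in adj.items():
        if node == external:
            continue                 # Node 1 is timed from its BITS pins
        ranked = sorted(ports, key=lambda p: (dist[p[1]], p[0]))
        refs[node] = [p[0] for p in ranked[:2]] + [INTERNAL_REF]
    return refs
```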
5.2.2 Synchronization Status Messaging
Synchronization status messaging (SSM) is an SDH protocol that communicates information about the quality of the timing source. SSM messages are carried in the S1 byte of the SDH MS layer. They enable SDH devices to automatically select the highest-quality timing reference and to avoid timing loops.
If you enable SSM for the ONS 15600 SDH, consult your timing reference documentation to determine which message set to use. Table 5-4 lists the SSM message set.
Posted: Thu Feb 26 17:38:27 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.