This document describes the security considerations for Cisco ONS 15454 Release 5.0 with secure operating mode. Together with the Timing, Communications, and Control Version Two Plus (TCC2P) card, you can provision the two management LAN ports either with independent IP/MAC addresses for additional network security and segregation, or with a single IP/MAC for simplicity.
Cisco recommends that you have knowledge of these topics:
Cisco ONS 15454
Cisco Transport Controller (CTC)
The information in this document is based on these software and hardware versions:
Cisco ONS 15454 Release 5.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Here are the security considerations for Cisco ONS 15454 Release 5.0 with TCC2P card installed:
ONS 15454 Release 5.0 with a TCC2P card can isolate the front and back Ethernet traffic through dual IP address assignment: a secure IP address and a private IP address. The secure IP address does not appear on the network.
When you run ONS 15454 Release 5.0 with a TCC2P card installed, a 15454 chassis can be locked. When the chassis is locked, the craft cannot access the “LAN pins” network interface on the back of the chassis.
You cannot unlock a locked chassis except through a special engineering procedure that is not available to customers. You cannot unlock the chassis even if you are granted the SUPERUSER security level. Only field engineering or manufacturing personnel can unlock the chassis with this procedure.
You can use CTC 5.0 to display one or both of the two IP addresses (the public and secure IP addresses) on the 15454 LCD display. The craft accesses the public IP address. The Network Operating Center (NOC) accesses the secure IP address.
The craft uses the public IP address to access the node. However, the craft cannot access the secure IP address if security is turned on.
If you have SUPERUSER privileges, you can always see and change both the public and secure IP addresses. However, you cannot change the ONS 15454 node back to a single IP address if the chassis is locked.
Ensure that the public and secure IP addresses are on different subnets. CTC does not permit these two IP addresses to be on the same subnet.
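The subnet rule above is the kind of check worth enforcing in provisioning tooling before an address pair reaches the node. The following is an added example, not Cisco code and not CTC's own validation: it accepts the public and secure addresses as "address/prefix" strings (an assumed input format, since the page does not say how masks are entered) and rejects any pair that lands on the same subnet. It also rejects identical addresses, mixed address families, and overlapping subnets, which goes slightly beyond the rule as stated on the page and is flagged as an assumption in the code.

```python
import ipaddress

# Added example (not Cisco or CTC code). Assumes each address is given as
# "address/prefix" so that its subnet can be derived with the ipaddress module.

def check_dual_ip(public_cidr: str, secure_cidr: str) -> tuple[bool, str]:
    """Validate a public/secure IP pair for dual-IP provisioning.

    Returns (ok, reason). The core rule mirrors the page: the two addresses
    must not be on the same subnet. The identical-address, family-mismatch and
    overlap checks are stricter than the page states and are assumptions here.
    """
    try:
        pub = ipaddress.ip_interface(public_cidr)
        sec = ipaddress.ip_interface(secure_cidr)
    except ValueError as exc:
        return False, f"invalid address: {exc}"

    # Assumption: a dual-IP pair is expected to share one address family.
    if pub.version != sec.version:
        return False, "public and secure addresses use different IP versions"

    # Assumption: the two management addresses must not be the same address.
    if pub.ip == sec.ip:
        return False, "public and secure IP addresses are identical"

    # Documented rule: CTC does not allow both addresses on one subnet.
    if pub.network == sec.network:
        return False, f"both addresses are on subnet {pub.network}"

    # Assumption: nested or overlapping subnets defeat the segregation as well,
    # so treat them like a shared subnet.
    if pub.network.overlaps(sec.network):
        return False, f"subnets {pub.network} and {sec.network} overlap"

    return True, f"ok: public on {pub.network}, secure on {sec.network}"


if __name__ == "__main__":
    # Constructed sample pairs (not from the page) to exercise each branch.
    samples = [
        ("10.1.1.10/24", "192.168.50.10/24"),   # different subnets: accepted
        ("10.1.1.10/24", "10.1.1.20/24"),       # same /24: rejected
        ("10.1.1.10/24", "10.1.2.20/16"),       # /16 contains the /24: rejected
        ("10.1.1.10/24", "10.1.1.10/24"),       # identical address: rejected
        ("10.1.1.10/24", "not-an-ip"),          # unparseable: rejected
    ]
    for public, secure in samples:
        ok, reason = check_dual_ip(public, secure)
        print(f"{public:>18}  {secure:>18}  {'PASS' if ok else 'FAIL'}  {reason}")
```

The page only states that the addresses must be on different subnets; whether CTC also rejects overlapping prefixes of different lengths is not documented, so the overlap branch is a conservative choice made by this example rather than a description of CTC behaviour.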
When you load a new TCC2P card with ONS 15454 Release 5.0, a P appears for the card in the shelf graphic. When you load a TCC2P card with an older ONS 15454 release, no P is shown, because older releases do not recognize the new TCC2P cards.
The display on the Inventory screen in ONS 15454 Release 5.0 shows both the TCC2P and TCC2 cards as TCC2, because CTC does not recognize the TCC2P designation. The new TCC2P card is recognized in inventory with a part number in the series 800-24766, whereas the TCC2 card is in the range of 800-20761.
You can use the TCC2P card in older shelves. The TCC2P card has backward compatibility with ONS 15454 releases up to release 4.0. However, Cisco recommends that you do not mix shelves with TCC2 and TCC2P cards.
Old TCC2 cards can run ONS 15454 Release 5.0. However, they do not have the new security feature and 64 Kbps timing. New ONS 15454 Release 5.0 cards (for example, the high density DS3) work well with the old TCC2 cards that run ONS 15454 Release 5.0.
If you put an old TCC2 card that runs ONS 15454 Release 5.0 into a locked chassis, the card resets continuously.
Revision | Publish Date | Comments
---|---|---
1.0 | 31-Aug-2005 | Initial Release