
Alcatel-Lucent 1830
PHOTONIC SERVICE SWITCH (PSS) | Release 3.6.0 and
3.6.1
DATA COMMUNICATIONS NETWORK (DCN) PLANNING GUIDE

8DG60888RAAA
Issue 1
July 2011
Legal notice

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective
owners.

The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright 2011 Alcatel-Lucent. All rights reserved.

Notice

Every effort has been made to ensure that the information in this document is complete and accurate at the time of printing. However, information is subject
to change.

This manual applies to Alcatel-Lucent 1830 PSS.

Documentation support

Please contact your Technical Support Services (TSS) team.


Table of Contents

1 ABOUT THIS DOCUMENT ... 4
1.1 Document conventions ... 5
2 INTRODUCTION ... 7
2.1 The 1830 PSS management network ... 7
2.2 Networks overview ... 9
2.3 The GMPLS network ... 11
3 1830 IP ARCHITECTURE ... 12
3.1 NE IP architecture ... 12
3.2 Network IP architecture ... 16
3.3 IP networks summary of a 1830PSS ... 21
4 PHYSICAL NETWORK DESCRIPTION ... 24
4.1 1830 PSS boards ... 24
5 BUILDING 1830PSS DCN NETWORKS ... 28
5.1 Single OSPF area ... 30
6 NETWORK REQUIREMENTS ... 34
6.1 External routers ... 34
6.2 Time management ... 36
6.3 Address plan ... 36
7 SECURITY ... 39
7.1 Use RADIUS for user identification ... 39
7.2 Secure/unsecure mode ... 39
7.3 Firewall configuration, list of protocols/ports ... 42
7.4 IPSec tunnel ... 44
7.5 Syslog server ... 46
Alcatel-Lucent 1830 PSS Data Communication Network (DCN) Planning Guide, 8DG60888RAAA, Release 3.6.0 and 3.6.1, Issue 1, July 2011 (Page 3 of 47)
1 About this document
This document applies to 1830PSS R3.6.x.
It presents the global architecture of the 1830 PSS management network and details the engineering rules to apply during network design and installation.
1830 PSS nodes belong to a WDM sub-network. A WDM sub-network is composed of several NEs inter-connected via OTS physical connections. It corresponds to a tuning entity; 3R regeneration takes place at the border of a WDM sub-network.
PSS1/PSS4 can be considered as extensions of the nodes to which they are connected, and they belong to the same WDM sub-network. External devices directly connected to a 1830PSS also belong to the WDM sub-network.
The DCN of a 1830PSS WDM sub-network relies on the OSPF routing protocol. Other equipment in the network (for example 1850TSS, 1678, 1660) can run another routing protocol, and we strongly recommend that it belong to a separate routing domain.

1.1 Document conventions

Within this document, the following conventions are used:

Product-associated rules are presented as follows. They describe what is supported or not:

Rule: <Domain> <Name> (<Nature>)

Rule 1: Rule format presentation

Engineering Guidelines are presented as follows. These are recommendations to get the best out of the product and/or network within the supported space:

Engineering Guidelines: <Domain> <Name> (<Nature>)

The rule is always written in bold.
Justification and/or examples are always written in italic.

Guideline 1.1-1: Guideline format presentation

Restrictions are presented as follows. They typically cover cases where the behaviour is not as predicted or not as described in the standards:

Restriction: <Domain> <Name> (<Nature>)

Customer Inputs point to the high-level information required to implement the associated network design:

Network Design: <Domain> <Name> (<Nature>)

where:
<Domain>: identifies the Node, Network Element or Interface to which it is applicable (e.g. LR, OADM)
<Name>: gives a title to the rule
<Nature>: indicates the root cause for it (see Table 1 : Meaning of <Nature>)

Table 1 : Meaning of <Nature>

<Nature> (Short Name) | <Nature> (Long Name) | Meaning
HC | Hard Coded | Either hardware or software is responsible for this.
M | Mandatory | No control, but must be followed for the system to operate properly in a supported environment.
S | Standard | Required by a standard.
D | Design | Mainly for restrictions, when related to design.
T | Test | Mainly for restrictions, when related to tests.
R | Recommended (Optional) | No control and not mandatory, but recommended for: Design (to follow good network design basis and principles); Availability (to ensure network robustness); Performance (to provide an optimized usage of resources); Security (to secure the network against potential attacks); Operations (to offer better operational effectiveness for site or network extension, upgrade and reconfiguration).

2 Introduction
2.1 The 1830 PSS management network
The following figure depicts a 1830 network and its associated management network, consisting of the managers and the DCN (Data Communication Network).
Management information and control from the Operations System (OS) is carried from one NE to the other over the internal 1830 PSS network via the Optical Supervisory Channel (OSC). Management communication can also be carried over the GCC; this is a necessary design feature for the 1830 PSS because of the expected support for the 1830 PSS-1 Edge Device, a.k.a. the Small Pizza-Box (SPB). The following figure shows the high-level management overview.

Fig. 1 - 1830PSS Network Management Overview (figure: FTP servers and the NMS sit on the Management DCN and reach a 1830 GNE over IP; inside the 1830-PSS network, a 1830 RNE connects over IP to a remotely managed device)

The remotely managed device shown in the above figure can be an IP device co-located with the 1830 NE (e.g. a Raman amplifier) connected via the extension LAN, or it can be the 1830 PSS-1 Edge Device, which connects to the 1830 PSS over the GCC. Connection over the GCC is illustrated in the following figure:

Fig. 2 - 1830PSS Communicating with PSS-1 Edge Device over the GCC (figure: the NMS reaches the GNE over IP; the GNE, NE2 (135.1.1.2/32) and NE3 (135.1.1.3/32) are interconnected over OSC; from the NEs, PPP-GCC channels 1, 2, 3 reach chains of PSS-1 Edge Devices addressed 135.10.10.1/32 to 135.10.10.8/32)

The basic communications network architecture for the 1830 PSS-32 includes all LAN interfaces, OSC interfaces and GCC interfaces. LAN interfaces include the OAMP, VoIP, E1, E2, CIT and Extension Shelf (ES) connections. The OSC interfaces can vary from one up to 20, one for each degree. The OSC carries node-to-node communication: sharing of OSPF LSAs, Wave Tracker keys, SCOT messages, etc.
The GCC interfaces can vary from 1 up to 32, depending on the number of supported OTs that are provisioned for GCC0 termination. GCC0 terminations on the 1830 PSS-32 system are supported by the 11STAR1 (client port), 11STMM10 (client port), 4DPA4 (line port), 11DPE12, PSS1GBE, PSS1MD4, 11QPA4, 11DPE12E and 11DPM12 OTs. The other end of this 11STAR1 OT is the 1830 PSS-1 Edge Device.

Engineering Guidelines: 1830 PSS1/PSS4 specific rule for GCC - R

A GCC channel can transport the management flow of up to 16 NEs (typically PSS1/PSS4) serially connected via GCC (see the previous figure).

The full gamut of communications network sizing architecture is shown in the following figure:

Fig. 3 Complete Management View with PSS and PSS-1 (figure: the NMS reaches the 1830-PSS network through the GNE; NEs N2 to N8 carry SYSTEM addresses 135.1.1.1/32 to 135.1.1.8/32 and are interconnected over OSC; OAMP links to the front routers use 192.168.1.0/30, 192.168.1.4/30 and 192.168.1.8/30; a co-located SNMP-managed external device is attached on E1-LAN in 135.50.10.0/30; a PSS1 network is reached over PPP-GCC channels 1, 2, 3 with addresses 135.10.10.1/32 to 135.10.10.8/32)

2.2 Networks overview

The 1830PSS is not standalone equipment; it is part of a WDM sub-network. Its communications, internal and external, are IP based, and it has to be managed through an IP network.
A 1830 network mainly includes three kinds of equipment, built from the same boards and shelves but with different functions:
- Line terminal
- OADM (ROADM, TOADM, FOADM)
- ILA (In Line Repeater)
Each 1830 NE can be configured as a GNE (Gateway Network Element) to provide access from the DCN to all the NEs of the optical network.
They can be installed following three topologies:

Linear architecture:
At least the two NEs terminating the line must be configured as GNEs, providing redundant management access to the intermediate NEs.

Fig. 3 1830 Linear architecture (figure: Line Terminal as GNE - ILA - OADM - ILA - Line Terminal as GNE)

Ring architecture:
At least 2 distinct NEs can be chosen to function as GNEs to provide redundant access to the WDM sub-network.

Fig. 4 1830 Ring architecture (figure: a ring made of an OADM as GNE, a Line Terminal as GNE, an ILA and an OADM)

Meshed architecture:
This kind of architecture may lead to isolated NEs, which must remain accessible for management. It needs more than two GNEs for redundancy.
In the example below, on failure of the optical link between them and their neighbour, the two WDM Terminals remain reachable for management.

Fig. 5 1830 Meshed architecture (figure: a meshed network of OADMs, a TOADM and an ILA, with an OADM as GNE and two Line Terminals as GNE)

2.3 The GMPLS network

GMPLS (Generalized Multi Protocol Label Switching) is not the purpose of this document but is, from the 1830PSS network point of view, one of the main functions of the 1830. This chapter recalls some basic information about GMPLS because the DCN design cannot be done without taking some GMPLS network constraints into account.
GMPLS applies in the 1830PSS on PSS36/32/16. It does not apply to PSS1/4. The visible part is the control plane. Through the DCN, orders can be sent to the control plane, which manages the photonic routing and switching and converts an input wavelength on an incoming interface to an output wavelength on an outgoing interface.

GMPLS in 1830PSSLM provides:
- Path provisioning
- Path restoration
In a WDM sub-network, activation of GMPLS is optional.
On the 1830PSS, the embedded GMRE application is in charge of GMPLS. GMRE addresses shall be defined on the nodes which have to run the GMRE application.
GMPLS control messages are transported by the WDM DCN like management messages: the same DCN is used both for the management plane and the control plane.
Activation of GMPLS has a low impact on the WDM DCN (GMRE addresses added, plus additional traffic on the same WDM DCN).

3 1830 IP architecture

3.1 NE IP architecture
The 1830 brings a full IP communication architecture.
On each 1830PSS, IP is used for:
- External communication:
  - Management (communication between manager and NE)
  - Inter-NE communication
  - VoIP for the IP phone facility
  - Connection of external devices
- Internal private networks:
  - Internal LAN for inter-shelf / inter-board communication
  - Local management connection of the Craft Terminal

The 1830PSS-36 functional interfaces:

On MTX (Matrix) board:
- VoIP: connection for IP phone
- E1-LAN, E2-LAN: for connections with externally managed devices
- ES1, ES2: internal ports used for connections with the extension shelves
On FLC (First Level Controller) board:
- CIT: Craft Interface Terminal, local communication; corresponds to port 1 of the active EC in the main shelf
- OAMP: external communication with the EMS (External Management System)

The 1830PSS-32/16 functional interfaces:

On USRPNL board:
- OAMP: external communication with the EMS (External Management System)
- VoIP: connection for IP phone
- E1-LAN, E2-LAN: for connections with externally managed devices
On EC board:
- CIT: Craft Interface Terminal, local communication
- ES1, ES2: internal ports used for connections with the extension shelves

The 1830PSS-4 functional interfaces:

On EC board:
- OAMP: external communication with the EMS (External Management System)
- CIT LAN port / CRAFT port (pins 1/2/3/6 for CIT, pins 7/8 for RS232 Rx/Tx, pin 4 GND for RS232): craft interface terminal, local communication (specific cable)
- ES1, ES2: internal ports used for connections with the extension shelves

The 1830PSS-1 Edge Device functional interfaces:

On FAN board:
- CIT: local communication (PhM, CLI, WebUI)
- LAN1 master shelf: external communication (PhM, CLI, WebUI)
- LAN1 (expansion) and LAN2: internal communication and daisy chaining

IP addresses set at initial commissioning:

- OAMP: one interface address towards the backbone. The front router will have an interface in the same subnet. It may be routed or not. At least a /30 subnet.
- SYSTEM (*): loopback address assigned to the SYSTEM interface. It is the management address of the NE and must be routed toward the backbone. The value is set during the initial commissioning phase or via ED-IP-IF (see chapter 3.3).
  (*) SYSTEM can also be named RID (Router ID), Loopback IP or NE address in other documents.
- GMRENODE (or CPN): loopback address assigned to the GMRE node interface. It is the main control plane address of the GMRE and must be routed toward the backbone for redundancy. It must be defined during the initial commissioning phase (see chapter 3.3).
- GMRENOTIFY (or CPNOTIFY): loopback address assigned to the GMRE notify interface. It is a secondary control plane address of the GMRE and must be routed toward the backbone for redundancy. It must be defined during the initial commissioning phase (see chapter 3.3).

Protocols:
- CLI, Telnet, SSH, SSL, SNMP, TL1, HTTP, HTTPS: used for the management of the 1830PSS
- CLI and MTNM/CORBA: used for the management of the GMPLS network
- OSPF-TE for SCOT: used for WDM power adjustment automation
- sFTP/tFTP/FTP: used for file transfers such as upgrade or database backup/restore
- NTP: used for time management

3.1.1 Protocol stacks

The TCP/IP protocol stack supported for an IP-based DCN is shown in the following table:

Protocol stack (network part)
Application | Upper layers
L4 | UDP and TCP (minimal IP stack), OSPF
L3 | IPv4 + IP forwarding
L2 | PPP (over OSC and GCC0) | ARP + IPv4 over DIX (Ethernet interfaces)
Interfaces | OSC, GCC0 | OAMP (LAN towards NMS), CIT (laptop), E1/E2 (external devices), ES1/ES2 (shelves daisy chain)

3.1.2 IP routing

The IP forwarding table of the 1830 PSS is built by the OSPF routing protocol.

Fig. 2 Routing architecture (figure: the NE's OSPF router interconnects the OAMP interface towards the EMS, the CIT, the ES1/ES2 internal ports, the E1/E2 LAN ports, the VoIP port and the PPP interfaces over OSC and GCC0)

OSPF is enabled per interface:
- OSPF is always enabled on the PPP serial interfaces (OSC/GCC0).
- OSPF is always enabled in passive mode on the SYSTEM management loopback address (in some documents the management node address is identified another way).
- OSPF is enabled in passive mode on the GMRE loopback addresses if the GMRE application is used; it is disabled otherwise.
- By default, OSPF is disabled on LAN interfaces. It can be enabled, or enabled in passive mode, on any of them:
  - OSPF is typically enabled on the OAMP interface if the NE is a GNE.
  - OSPF is typically disabled on CIT since it is not assigned a routable address. CIT can be provisioned with a routable address and set to passive mode.
  - OSPF is typically enabled in passive mode on the E1 and E2 interfaces when an external device is connected.
  - OSPF is typically enabled in passive mode on the VoIP interface when that interface is activated.
- OSPF is disabled within the internal network (ES1, ES2).

OSPF advertisement:
OSPF advertises the loopback addresses, the serial interfaces and the directly connected sub-networks of the interfaces on which it is enabled.
When OSPF is enabled in passive mode on an interface, no OSPF message is sent on that interface, but OSPF advertises the interface subnet on all other OSPF-enabled interfaces.
When OSPF is enabled on an interface, OSPF messages are exchanged via that interface.

Remark:
On the 1830, OSPF is:
- disabled on an interface by setting its STATUS to DISABLE,
- enabled on an interface by setting its STATUS to ENABLE,
- enabled in passive mode on an interface by setting its STATUS to REDISTRIBUTE.
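The per-interface rules above can be checked mechanically before a NE is commissioned. The following is an added example, not code from the Alcatel-Lucent guide: it models the three STATUS values (DISABLE / ENABLE / REDISTRIBUTE), derives which interfaces exchange OSPF messages and which subnets are advertised, and flags the deviations that matter most on a GNE (OSPF talking to an external device on E1/E2/VoIP, OSPF leaking into ES1/ES2). The Interface class, interface labels and the sample configurations are constructed.

```python
"""Per-interface OSPF STATUS model for a 1830 PSS NE (section 3.1.2).

Added example, not code from the Alcatel-Lucent guide. DISABLE / ENABLE /
REDISTRIBUTE are the STATUS values named in the guide; the Interface class,
interface labels and the sample configurations are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DISABLE, ENABLE, REDISTRIBUTE = "DISABLE", "ENABLE", "REDISTRIBUTE"


@dataclass
class Interface:
    name: str                      # SYSTEM, GMRENODE, GMRENOTIFY, OSC-n, OAMP, CIT, E1, E2, VOIP, ES1, ES2
    kind: str                      # "loopback", "ppp", "lan" or "internal"
    status: str                    # DISABLE, ENABLE or REDISTRIBUTE
    address: Optional[str] = None  # "a.b.c.d/len"; PPP links carry no LAN subnet here


def advertisement(interfaces):
    """Return (interfaces exchanging OSPF messages, set of advertised prefixes).

    ENABLE: OSPF messages are exchanged and the subnet is advertised.
    REDISTRIBUTE (passive): nothing is sent on the interface, but its subnet is
    advertised on every other OSPF-enabled interface. DISABLE: no part in OSPF.
    """
    talking, advertised = set(), set()
    for itf in interfaces:
        if itf.status == DISABLE:
            continue
        if itf.address:
            advertised.add(str(ipaddress.ip_interface(itf.address).network))
        if itf.status == ENABLE:
            talking.add(itf.name)
    return talking, advertised


def check_rules(interfaces, is_gne, gmre_used):
    """Return findings where the configuration contradicts section 3.1.2 (empty = compliant)."""
    findings = []
    cit_default = ipaddress.ip_network("172.16.0.0/24")  # default CIT subnet (172.16.0.1/24)
    for itf in interfaces:
        if itf.kind == "ppp" and itf.status != ENABLE:
            findings.append(f"{itf.name}: OSPF is always ENABLE on OSC/GCC0 PPP interfaces")
        if itf.kind == "internal" and itf.status != DISABLE:
            findings.append(f"{itf.name}: OSPF is DISABLE on the ES1/ES2 internal network")
        if itf.name == "SYSTEM" and itf.status != REDISTRIBUTE:
            findings.append("SYSTEM: the management loopback is always REDISTRIBUTE (passive)")
        if itf.name in ("GMRENODE", "GMRENOTIFY"):
            expected = REDISTRIBUTE if gmre_used else DISABLE
            if itf.status != expected:
                findings.append(f"{itf.name}: expected {expected} (GMRE {'used' if gmre_used else 'not used'})")
        if itf.name in ("E1", "E2", "VOIP") and itf.status == ENABLE:
            # Ports facing external devices only get their subnet advertised; they
            # never exchange OSPF messages with the attached device.
            findings.append(f"{itf.name}: use REDISTRIBUTE rather than ENABLE towards an external device")
        if itf.name == "CIT" and itf.status == ENABLE:
            findings.append("CIT: expected DISABLE (default) or REDISTRIBUTE with a routable address")
        if (itf.name == "CIT" and itf.status == REDISTRIBUTE and itf.address
                and ipaddress.ip_interface(itf.address).network.overlaps(cit_default)):
            findings.append("CIT: passive mode needs a routable address, not the default 172.16.0.1/24")
    oamp = next((i for i in interfaces if i.name == "OAMP"), None)
    if is_gne and (oamp is None or oamp.status != ENABLE):
        findings.append("OAMP: a GNE typically runs OSPF ENABLE towards its front router")
    return findings


# Constructed GNE configuration following the rules; loopback and E1 values are
# taken from the guide's own examples, the OAMP /30 from Fig. 3.
SAMPLE_GNE = [
    Interface("SYSTEM", "loopback", REDISTRIBUTE, "135.1.1.4/32"),
    Interface("GMRENODE", "loopback", REDISTRIBUTE, "135.1.5.4/32"),
    Interface("GMRENOTIFY", "loopback", REDISTRIBUTE, "135.1.5.5/32"),
    Interface("OSC-1", "ppp", ENABLE),
    Interface("OAMP", "lan", ENABLE, "192.168.1.1/30"),
    Interface("CIT", "lan", DISABLE, "172.16.0.1/24"),
    Interface("E1", "lan", REDISTRIBUTE, "135.50.10.1/30"),
    Interface("ES1", "internal", DISABLE, "100.0.1.1/16"),
]

# Same NE with two mistakes: OSPF talking to the external device on E1, and
# OSPF leaking into the internal shelf network on ES1.
SAMPLE_BAD = [
    Interface("E1", "lan", ENABLE, "135.50.10.1/30") if i.name == "E1" else
    Interface("ES1", "internal", REDISTRIBUTE, "100.0.1.1/16") if i.name == "ES1" else i
    for i in SAMPLE_GNE
]

if __name__ == "__main__":
    print(advertisement(SAMPLE_GNE))
    for finding in check_rules(SAMPLE_BAD, is_gne=True, gmre_used=True):
        print("FINDING:", finding)
```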

3.2 Network IP architecture
This is illustrated on a meshed network but applies to all topologies.

Fig. 3 1830 IP Architecture overview (figure: a meshed WDM sub-network of TOADM, LR and ILA NEs forming one DCN OSPF area; two 1830PSS GNEs connect their OAMP interfaces (@OAMP_1, @OAMP_6, @OAMP_8) to the customer management backbone subnet hosting the 1830 EMS (@OMS), a PhM workstation and a workstation @W1; each NE carries customer addresses @SYSTEM_1 to @SYSTEM_9, optionally @VoIP_2 for an IP phone and @E1 for an SNMP external device; in the control OSPF area each @GMRE_n stands for a @GMRENODE and a @GMRENOTIFY address; internal addresses include the ZIC 172.16.1.0/24 local DHCP connection (1 per 1830) and the local DHCP connections of the IP phone and external device (2 per 1830))

The inside routers are logical routers running in a Linux environment. The routing protocol is OSPF.
Customer addresses:
- They are used for network management.
- Only the GNEs are directly connected to the management network.
- Each 1830 NE must be reachable from the management network through a GNE, even on a single failure of an OSC/GCC link.
- In order to help summarization, routing and filtering at the border of a WDM sub-network, IP addresses shall be assigned depending on the nature and usage of the interface. For that purpose, several types of networks are identified, and a dedicated range of addresses shall be reserved for each of them:
  - MGMT network for management loopback addresses (SYSTEM): each 1830PSS is assigned a management address. Typically, this network is advertised outside the WDM sub-network in order to reach the EMS/NMS managers.
  - CP network for control plane loopback addresses (GMRENODE & GMRENOTIFY): when GMPLS is used in a WDM sub-network, each 1830PSS (except PSS1 & PSS4) is assigned 2 GMRE addresses.
  - VOIP network for VoIP addresses: used for IP phone access. Each 1830PSS can be assigned a VOIP /30 subnet (1 IP address for the PSS VOIP LAN interface + 1 IP address for the IP phone) in order to connect an IP phone to the 1830PSS. This network, which is the summarization of all VOIP subnets, may or may not be advertised outside the WDM sub-network, depending on whether the phone network extends beyond the WDM sub-network.
  - EXTD network for external device addresses (E1 & E2): when connecting an external device to the E1 or E2 LAN port, the NE can be assigned a /30 subnet (1 IP address for the 1830 LAN interface + 1 IP address for the external device). Typically, this network is advertised outside the WDM sub-network in order to reach the EMS/NMS managers.
  - INT network for addresses needed to reach interfaces involved in the routing process. This network is useful within an Area and is not advertised outside the WDM sub-network. For example, LAN1 & LAN2 for the inter-connection of PSS1 shall be taken in the INT network range since these addresses do not need to be known outside the Area. Another example is the assignment of a routable address to the CIT interface in order to manage another NE remotely from the CIT port.
  - OAMP addresses: several cases are possible (typically the OAMP address is different from the SYSTEM address):
    - in case of a direct link between OAMP and the external router, a /30 subnet within the INT network range can be used;
    - in case there are also other devices on the same LAN, it can be useful to take several contiguous /30s (in that case at least a /29) within the EXTD network;
    - otherwise, a free IP address within an already existing sub-network is assigned to the OAMP port.

Internal addresses (not advertised by OSPF):

- Internal sub-network: the 100.0.0.0/16 sub-network is reserved for the NE internal sub-network. Internal addresses are automatically assigned by the NE from the (Rack, Shelf, Slot, Port) information of the element to be addressed.
- CIT address: 172.16.0.1/24, dedicated to the local craft terminal.

Rule: 1830PSS Number of OSPF Areas

The rule is to have only one area for all 1830 NEs of a WDM sub-network.
See the specific design described in chapter 3.3.

Organization of the networks which belong to the Area corresponding to a WDM sub-network:

Organization of the Network (based on a /24 network)

Name | Function | Subnet address | Number of groups | First address | Last address
MGMT | Loopback addresses for Management | x.x.x.0 (given by customer) | 256 | MGMT0 = x.x.x.0/32 | MGMT255 = x.x.x.255/32
CP | GMPLS control plane (2 addresses per node which runs GMPLS) | x.x.x.0 (given by customer) | 128 | CP0 = x.x.x.0/31 | CP127 = x.x.x.254/31
VoIP | IP phone | x.x.x.0 (given by customer) | 64 | VOIP0 = x.x.x.0/30 | VOIP63 = x.x.x.252/30
EXTD | External Devices addresses | x.x.x.0 (given by customer) | 64 | EXTD0 = x.x.x.0/30 | EXTD63 = x.x.x.252/30
INT | LAN interfaces which are advertised by OSPF but are internal to the Area; the INT range does not need to be advertised outside the Area | x.x.x.0 (given by customer) | 64 | INT0 = x.x.x.0/30 | INT63 = x.x.x.252/30
OAMP | External DCN access (recommended: configure as a point-to-point network between the GNE and its front router) | Customer defined | At least 2 (1 per GNE) | - | -

Engineering Guidelines: 1830PSS Organization of Networks within a WDM sub-network - M

- The MGMT network address range shall be provided by the customer for the assignment of NE management addresses.
- The CP network address range shall be provided by the customer for the assignment of NE control plane addresses if GMPLS is enabled in the WDM sub-network.
- The VoIP network address range shall be provided by the customer for the assignment of NE VoIP addresses if the Voice over IP solution is used in the WDM sub-network.
- The EXTD network address range shall be provided by the customer for the assignment of external device addresses if needed.
- The INT network address range shall be provided by the customer for enabling LAN interfaces involved in the routing process within an Area but unknown to the manager.

The address range of each network cannot correspond to the 1830PSS internal addresses (100.0.0.0/16 and 172.16.0.1/24).
The size of each network depends on the size of the WDM sub-network. Typically each range of addresses corresponds to a /24 sub-network.

Engineering Guidelines: 1830PSS(16,32,36) NE addresses assignment - M

A 1830PSS (PSS16, PSS32 or PSS36) shall be assigned:
- a Management loopback address within the MGMT range
- GMRE loopback addresses in the CP range if it is a PSS16/32/36 and GMPLS is enabled in the WDM sub-network
- optionally a CIT address within the INT or EXTD range
- optionally a VOIP address within the VOIP range
- optionally E1/E2 addresses within the EXTD range
- optionally an OAMP address

Engineering Guidelines: 1830PSS(1,4) NE addresses assignment - M

A 1830PSS (PSS1 or PSS4) shall be assigned:
- a Management loopback address within the MGMT range
- optionally a CIT address within the INT or EXTD range
- optionally LAN1/LAN2 addresses within the INT (general) or EXTD (specific need) range

3.3 IP networks summary of a 1830PSS
Table 2 : DCN IP networks summary of a 1830PSS

Name | Function | Subnet address | Mask | Initial commissioning: initial setting | Initial commissioning: manually updated or acknowledged | OSPF | Interface
OAMP | External DCN access (recommended: configure as a point-to-point network between the GNE and its front router) | Customer defined | At least /30 | None | Yes | ENABLE if GNE | OAMP on USRPNL (PSS-16/32) or FLC (PSS-36)
SYSTEM (R_ID) | Loopback address for management | MGMT | /32 | Initial commissioning | Yes | PASSIVE | Loopback0
GMREnode (=CPN) | GMPLS control plane loopback address for PSS 16/32/36 | CP (even address) | /32 | None | Yes | PASSIVE | Loopback1
GMREnotify (=CPNOTIFY) | Additional GMPLS control plane loopback address for PSS 16/32/36 | GMREnode+1 | /32 | None | Yes | PASSIVE | Loopback2
CIT | ZIC/Local craft terminal (*) | Default or INT or EXTD | /30 | 172.16.0.1 | Yes | No | CIT port on EC (PSS-16/32) or FLC (PSS-36) or FAN (PSS-1)
VoIP | IP phone access | VOIP | /30 | 0.0.0.0/0 | Yes | PASSIVE if used | VoIP on USRPNL (PSS-16/32) or MT0 (PSS-36)
E1/2-LAN | Connection with externally managed device | 135.50.10.1 | /30 | 0.0.0.0/0 | Yes | PASSIVE if used | E1-LAN, E2-LAN on USRPNL (PSS-16/32) or MT0 (PSS-36)

(*) Several possibilities for the CIT port:
- if only the local NE is managed, keep the default address (default mask is /24)
- if the purpose is to reach other NEs within the WDM sub-network, assign a /30 within the INT range
- if the purpose is to reach any NE, assign a /30 within the EXTD range

SYSTEM@ is the only IP address which must always be set on a 1830PSS.

Engineering Guidelines: 1830PSS SYSTEM@ unique - M

The operator must make sure the SYSTEM address is unique in the scope of its DCN.
This can be achieved by:
- assigning a MGMT address range to the WDM sub-network, taking further extensions into account;
- assigning a MGMT address to each node.

Example where the NE is assigned the MGMT4 address within the MGMT 135.1.1.0/24 network:
SYSTEM = MGMT4 = 135.1.1.4

Engineering Guidelines: 1830PSS GMRE@ unique - M

The operator must make sure the GMRENODE and GMRENOTIFY addresses are not duplicated in the Area.
In order to be ready for further GMPLS evolutions, it is recommended that these addresses are unique in the customer DCN.

This can be achieved by:
- assigning a CP address range to the WDM sub-network, taking further extensions into account;
- assigning a CP address to each node which runs the GMRE application.

Example where the NE is assigned the CP2 addresses within the CP 135.1.5.0/24 network:
GMRENODE = CP2_node = 135.1.5.4
GMRENOTIFY = CP2_notify = 135.1.5.5
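The Organization of the Network table and the two uniqueness guidelines above (SYSTEM@ unique, GMRE@ unique) together define a small address plan that can be generated and verified rather than kept by hand. The following is an added example, not code from the Alcatel-Lucent guide: it carves customer /24 ranges into MGMTn, CPn, VOIPn, EXTDn and INTn groups, reproduces the guide's MGMT4 and CP2 examples, refuses ranges overlapping the NE internal addresses, and reports SYSTEM or GMRE addresses assigned twice across the DCN. Range values are those of the guide's examples; the NE names and group indices are constructed.

```python
"""Address plan helper for one 1830 PSS WDM sub-network (sections 3.2 and 3.3).

Added example, not code from the Alcatel-Lucent guide. Carves the customer /24
ranges into the MGMTn / CPn / VOIPn / EXTDn / INTn groups of the Organization
of the Network table and checks the SYSTEM@ unique and GMRE@ unique guidelines
plus the ban on overlapping the NE internal addresses (100.0.0.0/16 and the
172.16.0.1/24 CIT subnet). NE names and indices below are constructed.
"""
import ipaddress

INTERNAL = (ipaddress.ip_network("100.0.0.0/16"),
            ipaddress.ip_network("172.16.0.0/24"))

# Prefix length of one group per network, from the Organization table:
# a /24 yields 256 x /32 (MGMT), 128 x /31 (CP), 64 x /30 (VOIP, EXTD, INT).
GROUP_PREFIX = {"MGMT": 32, "CP": 31, "VOIP": 30, "EXTD": 30, "INT": 30}


def group(network, base, index):
    """Return group number `index` of `network` carved from the /24 `base`.

    group("MGMT", "135.1.1.0/24", 4) is MGMT4 = 135.1.1.4/32.
    """
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=GROUP_PREFIX[network]))
    if not 0 <= index < len(subnets):
        raise IndexError(f"{network}{index} does not fit in {base} ({len(subnets)} groups)")
    return subnets[index]


def system_address(mgmt_base, n):
    """SYSTEM = MGMTn: the single address of the /32 group."""
    return group("MGMT", mgmt_base, n).network_address


def gmre_addresses(cp_base, n):
    """(GMRENODE, GMRENOTIFY) = the even and the odd address of the CPn /31 group."""
    node, notify = list(group("CP", cp_base, n))
    return node, notify


def check_ranges(ranges):
    """ranges: {"MGMT": "a.b.c.0/24", "CP": ..., ...}.

    Flags a range overlapping the NE internal addresses, and customer ranges
    overlapping each other.
    """
    findings = []
    nets = {name: ipaddress.ip_network(r) for name, r in ranges.items()}
    for name, net in nets.items():
        for internal in INTERNAL:
            if net.overlaps(internal):
                findings.append(f"{name} range {net} overlaps NE internal addresses {internal}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} range {nets[a]} overlaps {b} range {nets[b]}")
    return findings


def build_plan(mgmt_base, cp_base, nes):
    """nes: list of (ne_name, mgmt_index, cp_index); cp_index is None for a
    PSS1/PSS4 or when GMPLS is not enabled. Returns {ne: {role: address}}."""
    plan = {}
    for ne, mgmt_n, cp_n in nes:
        entry = {"SYSTEM": system_address(mgmt_base, mgmt_n)}
        if cp_n is not None:
            entry["GMRENODE"], entry["GMRENOTIFY"] = gmre_addresses(cp_base, cp_n)
        plan[ne] = entry
    return plan


def duplicates(plan):
    """SYSTEM@ unique / GMRE@ unique: report any address assigned twice.

    `plan` may merge several WDM sub-networks, since the guidelines ask for
    uniqueness across the whole customer DCN.
    """
    owners, dups = {}, []
    for ne, entry in plan.items():
        for role, addr in entry.items():
            if addr in owners:
                dups.append(f"{addr} assigned to both {owners[addr]} and {ne}/{role}")
            else:
                owners[addr] = f"{ne}/{role}"
    return dups


if __name__ == "__main__":
    # Constructed sub-network: ranges from the guide's examples, three NEs.
    ranges = {"MGMT": "135.1.1.0/24", "CP": "135.1.5.0/24", "VOIP": "135.1.6.0/24",
              "EXTD": "135.50.10.0/24", "INT": "192.168.1.0/24"}
    print(check_ranges(ranges) or "ranges OK")
    plan = build_plan(ranges["MGMT"], ranges["CP"],
                      [("PSS32-A", 4, 2), ("PSS32-B", 5, 3), ("PSS1-C", 6, None)])
    print({ne: {k: str(v) for k, v in e.items()} for ne, e in plan.items()})
    print(duplicates(plan) or "no duplicate SYSTEM/GMRE addresses")
```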

4 Physical Network description

4.1 1830 PSS boards

4.1.1 FLC & MTX (MT0C) PSS36

The FLC (First Level Controller) provides two (2) general purpose switched auto-sensing LAN ports (10/100BaseTX):
- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 - OAMP - is dedicated to the DCN backbone connection but can be used to connect local third party equipment.

The MTX (matrix) provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX):
- Ethernet #1 - VoIP - and externally managed devices. The VoIP port can be used to connect to an IP phone.
- Ethernet #2 - AUX - for future use.
- Ethernet #3 and #4 - E1 and E2 - two external LAN ports (which can be used to connect to externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-sensing, so either a cross-over or a straight-through Ethernet cable can be used.

(Figure: PSS36 shelf front view, slots 1 to 45 with FAN, BTC and PF units, showing on the FLC the CIT interface and the OAMP port towards the front router to the customer network, and on the MT0C the VoIP port to the IP phone, the disabled AUX port, the E1 and E2 ports and the ES1/ES2 daisy chain ports.)

In the PSS36, LAN interface redundancy is strictly coupled to FLC/MT0C redundancy, i.e. only
the LAN interfaces hosted on the active FLC/MT0C are enabled. The LAN interfaces of
the standby FLC/MT0C are disabled.
However, R3.6 PSS36 does not really support redundancy for FLC/MT0C packs.

4.1.2 User panel PSS32/ PSS16

USRPNL (User panel) provides four (4) general purpose switched auto-sensing LAN ports
(10/100BaseTX):
- Ethernet #1 - OAMP - for connection to the EMS/NMS. The OAMP port shall be used to connect
to the External Management System (EMS).
- Ethernet #2 - VoIP - for an IP phone and externally managed devices. The VoIP port can be used
to connect to an IP phone.
- Ethernet #3 and #4 - E-LAN1 and E-LAN2 - two external LAN ports (which can be used to
connect externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-
sensing, so either a cross-over or straight-through Ethernet cable can be used.
The NE shall support 2 craft ports: a female DB9 and a USB-B port. Both support a local
RS-232C serial interface (supported setting: 34800 baud, 1 stop bit, no parity) for
connection to a craft terminal via serial link.

[Figure: USRPNL LAN ports connected to the front router to the customer network, an IP phone and external devices.]

The role of USRPNL in EC redundancy
In case of failure of the active EC, communication towards the NMS must be kept. The
applications are launched on the standby EC. Through the backplane, a LAN connection is
established between the USRPNL board and the two EC boards. The USRPNL board updates its ARP
table with the MAC address of the new active EC.

4.1.3 EC - Controller board PSS32/ PSS16

EC (Equipment Shelf Controller) provides four (4) general purpose switched auto-sensing LAN ports
(10/100BaseTX):
- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 - AUX - is dedicated to the DCN backbone connection but can be used to connect
local third-party equipment. This port is for future use.
- Ethernet #3 and #4 - ES1 and ES2 - are reserved for inter-shelf connectivity (between
master/slave or between slave shelves).

[Figure: EC board inter-shelf links - ES1 from the previous shelf, ES2 to the next shelf; the other ports are disabled.]

4.1.4 EC - Controller board PSS-4


EC provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX), for
connection to the EMS/NMS, cascading and externally managed devices (in a future release).
The OAMP port shall be used to connect to the Element Management System (EMS).
The CIT port and the CRAFT port share one LAN port (pins 1/2/3/6 for CIT, pins 7/8 for
RS232 Rx/Tx, pin 4 GND for RS232). The CIT port is used for local NE commissioning.
The local RS-232 serial interface (supported setting: 38400 baud, 1 stop bit, no parity) is for
connection to a craft terminal via serial link.
The bottom two ports (labeled ES1 and ES2; ES for extension shelf) shall be used to connect
to 1830 PSS-4 extension shelves, a.k.a. sub-shelves.

4.1.5 FAN - PSS-1 Edge Device

FAN provides three (3) general purpose switched auto-sensing LAN ports (10/100BaseTX). The ports
are physically connected to the Ethernet switch on the equipment controller through backplane
links:

- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 and #3 - LAN1 and LAN2 - are used to support the management network
connection (see table below) or daisy-chained LAN connections among Edge Devices.

Management Port    User Interface     IP Service
CIT                PhM, CLI, WebUI    DHCP
LAN1 (Master)      PhM, CLI, WebUI
LAN2               --                 --

LAN1 and LAN2 operational mode

        Master Shelf        Master Shelf     Sub-shelf
        Stand-alone Mode    Mini-NE mode     Mini-NE mode
LAN1    DCN                 DCN              Internal LAN
LAN2    Disabled            Internal LAN     Internal LAN

4.1.6 Managers

1830 PSS provides several management interfaces (SNMP, TL1, Web UI, CLI).
It can be managed by the following Alcatel-Lucent managers:
- The 1350 OMS is the network management product that provides unified end-to-end
network management and operational support for all network element products in
Alcatel-Lucent's Optics portfolio. It includes service provisioning over multi-
technology optical infrastructures.
It provides the ASON (Automatically Switched Optical Network) management of the
network.
It is the Alcatel-Lucent management solution when GMPLS is used.
- The PhM is another network management product, focused on the 1830PSS, that provides WDM
management.
- The 5620 SAM is designed to manage IP/Optics networks.

5 Building 1830PSS DCN networks
We define a WDM sub-network by:

- a group of 1830 PSS linked together via WDM links;

- PSS1 & PSS4 nodes which are connected to a WDM 1830 PSS are also part of the WDM sub-
network;

- 3R regeneration at the border of the WDM sub-network (the OTU trail is terminated).

Other characteristics:

- Nodes of a WDM sub-network belong to the same management Area and have a centralized
Management System (ALU 1350 OMS).

- If GMPLS is used in the WDM sub-network, there is one, undividable Control Plane area.

The 1830 DCN network architecture ensures the reliability of the connections for DCN and WDM
networks.

To ensure the reliability of the 1830 DCN network, several solutions are implemented:

- Meshed architecture.

- At least two GNEs per subnet.

- Dynamic routing protocol OSPF.

Reminder:
A node belongs to an OSPF Area if at least one interface is enabled in this Area.
It is possible for an area to be defined without any interface enabled in it
(for example, Area #0 is always defined on the 1830).

The main rule is that each NE must have at least two links to two different neighbors. Links can be
OSC, GCC or Ethernet; neighbors can be 1830PSS or IP router.

Engineering Guidelines: 1830PSS - Routes redundancy - R

Each 1830PSS must be connected at least to two NEs/routers within the same
OSPF Area, by OSC or GCC link or by Ethernet link.

This requirement is a nice-to-have for PSS1 & PSS4.

Engineering Guidelines: 1830 OAMP on GNE - R

A 1830PSS plays the GNE role when it provides access to the external DCN.

Typically:

- this access is performed via the OAMP interface towards an external router;

- OSPF is enabled on the OAMP interface, which is in the same Area as the other
interfaces;

- OAMP access is secured by the other GNEs, so there is no need to be locally
resilient to an OAMP failure.
Nevertheless, it is not forbidden to use another LAN interface (for example
E1 or E2) in order to locally secure the OAMP link.

Engineering Guidelines: 1830 - GNE number - R

At least two GNEs must be configured per OSPF area.
Additional rules (fair load sharing of outgoing traffic between GNEs):
- GNEs are defined in such a way that any RNE is at a reasonable
distance from the closest GNE.
- Typically, 2 GNEs are required for areas of up to 100 NEs, plus 1 GNE per
additional group of 100 NEs in the Area.

With the OSPF protocol, each area must be connected to area 0 for inter-area exchanges.
Area 0 is called the backbone; here, that means the WDM management backbone. Area 0 is
dedicated to the DCN 1830PSS network. If connections are needed toward a higher-level network, it
is up to the network design team to provide a solution for these network connections.

5.1 Single OSPF area

[Figure: the 1350 OMS sits in the customer IP network, whose OSPF area is AREA #0. GNE 1 and GNE 2 of a linear WDM chain (terminal - repeater - OADM - terminal, linked by OSC) are connected by Ethernet to IP-only routers in the customer network, which are joined by a direct link. Only one OSPF area is needed for the 1830PSS: AREA #i.]

Fig. 4 Single OSPF area, linear WDM

The diagram above describes the standard case of a single area. All the 1830PSS belong to the same
area (#i) and the customer backbone is the area 0.
Redundancy within the Area #i is provided thanks to a Direct Link between the Routers at the
border of the area. This link can be made over a tunnel through the backbone (tunnel is configured
on external router only, not available on 1830). The constraint is to maintain it within the area #i.

[Figure: same layout as Fig. 4 (1350 OMS in the customer network, AREA #0; GNE 1 and GNE 2 connected by Ethernet to IP-only routers), but the WDM nodes form a ring closed by OSC links, so no direct link between the routers is shown. Only one OSPF area is needed: AREA #i.]

Fig. 5 Single OSPF area, ring WDM

In this case, redundancy within the Area #i is provided thanks to WDM redundancy.

In both previous cases, when the backbone is very simple and dedicated to the management of the
WDM network, this can be simplified into a single area #0 (Area #i = Area #0). It is up to the network
designer and the customer to decide.

Engineering Guidelines: 1830PSS WDM sub-network and OSPF Area- M

All nodes of a WDM sub-network must belong to the same OSPF Area.
This is required by wavelength key distribution constraints.

Typically, one DCN OSPF area is assigned per WDM sub-network.

It is possible to place several WDM sub-networks in the same OSPF area if this is compatible with
the maximum number of NEs per area.

Engineering Guidelines: 1830PSS Default OSPF parameters - D

Dynamic routing configuration

- The routing protocol is OSPF; it runs on all 1830 PSS.

- The 1830PSS default OSPF parameters are:

  - Hello interval : 10
  - Dead interval : 40
  - Metric : 10 (OSC), 40 (GCC OTU1), 30 (GCC OTU2), 20 (GCC OTU3), 10 (OAMP)
  - Route priority : 1

- Subnets advertised by the NE :

  - SYSTEM (NE management address = IP_RID).
  - Optionally:
    - GMRE addresses (GMRENODE & GMRENOTIFY) if the GMRE application is
      activated. This does not apply to PSS1/PSS4.
    - OAMP subnet (typically the GNE case)
    - Subnets used to reach external devices (E1, E2)
    - Subnets used for NE DCN inter-connection via LAN (LAN1, LAN2)
    - VOIP
    - CIT, if a routable address is assigned to the CIT port

Engineering Guidelines: 1830PSS number of NEs per OSPF Area- D

In the DCN network, the maximum number of Nodes per Area is 500.

Engineering Guidelines: 1830PSS number GMPLS NEs in a WDM sub-network- D

If GMPLS is enabled in a WDM sub-network, the maximum number of 1830 PSS which run
GMPLS is 100 (PSS1 & PSS4 don't run GMPLS).
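The guidelines above lend themselves to a mechanical pre-commissioning check: unique SYSTEM and GMRENODE/GMRENOTIFY addresses, two intra-area neighbours per NE, the GNE count per area, a single OSPF area per WDM sub-network and the GMPLS node limit. The Python below is an added example and not part of this guide or of the 1830 PSS / 1350 OMS software; its NE record layout and the sample network are constructed for illustration.

```python
"""Check a planned 1830 PSS DCN against the guide's engineering rules.
Added illustration; the NE record layout is an assumption of this example,
not a data format of the 1830 PSS or the 1350 OMS."""
from collections import Counter, defaultdict

MAX_GMPLS_NODES_PER_SUBNET = 100  # "number GMPLS NEs in a WDM sub-network" - D


def required_gnes(ne_count):
    """2 GNEs for up to 100 NEs, plus 1 per further (possibly partial) group of 100."""
    return 2 + (max(0, ne_count - 100) + 99) // 100


def check_plan(nes):
    """Return the list of rule violations; an empty list means the plan passes.
    NE record keys: name, type, subnet (WDM sub-network id), area (OSPF area),
    gne, gmpls, system, gmrenode/gmrenotify (CP addresses or None), neighbors
    (NE names, or "router:<name>" for a front router in the same area)."""
    problems = []
    by_name = {ne["name"]: ne for ne in nes}

    # SYSTEM address must be unique in the whole DCN ("SYSTEM @ unique - M").
    for addr, count in Counter(ne["system"] for ne in nes).items():
        if count > 1:
            problems.append(f"SYSTEM address {addr} used by {count} NEs")

    # GMRENODE/GMRENOTIFY must not be duplicated ("GMRE @ unique - M"); the
    # guide recommends uniqueness across the whole DCN, which is checked here.
    cp_users = defaultdict(list)
    for ne in nes:
        for key in ("gmrenode", "gmrenotify"):
            if ne.get(key):
                cp_users[ne[key]].append((ne["name"], key))
    for addr, users in cp_users.items():
        if len(users) > 1:
            problems.append(f"CP address {addr} duplicated: {users}")

    # Routes redundancy: two neighbours (NE or router) within the NE's own area.
    # The guide makes this a nice-to-have for PSS1/PSS4, so they are skipped.
    for ne in nes:
        if ne["type"] in ("PSS1", "PSS4"):
            continue
        intra = {n for n in ne["neighbors"] if n.startswith("router:")
                 or (n in by_name and by_name[n]["area"] == ne["area"])}
        if len(intra) < 2:
            problems.append(f"{ne['name']} has {len(intra)} intra-area neighbour(s), needs 2")

    # Per OSPF area: enough GNEs ("GNE number - R").
    per_area = defaultdict(list)
    for ne in nes:
        per_area[ne["area"]].append(ne)
    for area, members in per_area.items():
        gnes = sum(1 for ne in members if ne["gne"])
        need = required_gnes(len(members))
        if gnes < need:
            problems.append(f"area {area}: {gnes} GNE(s), needs {need}")

    # Per WDM sub-network: a single OSPF area and at most 100 GMPLS nodes.
    per_subnet = defaultdict(list)
    for ne in nes:
        per_subnet[ne["subnet"]].append(ne)
    for subnet, members in per_subnet.items():
        areas = {ne["area"] for ne in members}
        if len(areas) > 1:
            problems.append(f"WDM sub-network {subnet} spans OSPF areas {sorted(areas)}")
        gmpls = sum(1 for ne in members if ne["gmpls"])
        if gmpls > MAX_GMPLS_NODES_PER_SUBNET:
            problems.append(f"WDM sub-network {subnet}: {gmpls} GMPLS nodes, max 100")
    return problems


def make_ne(name, typ, subnet, area, gne, gmpls, system, node, notify, neighbors):
    return dict(name=name, type=typ, subnet=subnet, area=area, gne=gne, gmpls=gmpls,
                system=system, gmrenode=node, gmrenotify=notify, neighbors=neighbors)


# Constructed sample: a linear three-node WDM sub-network in area 1 with two
# GNEs plus one PSS1 edge device, using the guide's example MGMT/CP ranges.
GOOD_PLAN = [
    make_ne("GNE_1", "PSS32", "wdm1", 1, True, True, "135.1.1.1", "135.1.5.1",
            "135.1.5.2", ["router:R1", "NE_2"]),
    make_ne("NE_2", "PSS32", "wdm1", 1, False, True, "135.1.1.2", "135.1.5.3",
            "135.1.5.4", ["GNE_1", "GNE_3"]),
    make_ne("GNE_3", "PSS32", "wdm1", 1, True, True, "135.1.1.3", "135.1.5.5",
            "135.1.5.6", ["NE_2", "router:R2"]),
    make_ne("EDGE_4", "PSS1", "wdm1", 1, False, False, "135.1.1.4", None, None, ["NE_2"]),
]

# Same network with two planning mistakes: NE_2 reuses GNE_1's GMRENODE
# address and GNE_3 is demoted, leaving the area with a single GNE.
BAD_PLAN = [dict(rec) for rec in GOOD_PLAN]
BAD_PLAN[1]["gmrenode"] = "135.1.5.1"
BAD_PLAN[2]["gne"] = False
```

`check_plan(GOOD_PLAN)` returns an empty list, while `check_plan(BAD_PLAN)` reports the duplicated CP address and the missing second GNE.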

5.2 Multiple OSPF areas

[Figure: the backbone (OSPF AREA #0) carries dynamic routes between two WDM sub-networks, with summarization on the ABRs. WDM sub-network in AREA #i (GNE 1i, GNE 2i) and WDM sub-network in AREA #j (GNE 1j, GNE 2j) each connect to the backbone by Ethernet and internally by OSC; an external device is attached to one GNE.]

Fig. 6 Multiple OSPF area

In a multi-area environment, each WDM sub-network is in a dedicated Area.

6 Network requirements

6.1 External routers

Front routers for the 1830PSS DCN must provide routes to reach the management equipment (1350 OMS)
and the other 1830PSS through the DCN.

The rules are:

Engineering Guidelines: 1830PSS Router - D

- One router per GNE.

- Dynamic routing is recommended (see also the next Engineering Guidelines, "Routes
management for front router").

- No redundancy is required on each GNE; it is based on routes toward the other GNE
(ref. rule "Engineering Guidelines GNE number").

- The router needs one physical interface connected to the 1830PSS (10/100 Mb/s).

- The connection port is called OAMP. Depending on the type of PSS shelf
used, the port can be located on the User Panel, FLC or MTX.

- The IP address of the interface toward the 1830PSS must be in the OAMP subnet.

Engineering Guidelines: 1830PSS - Routes management for front router - D

Dynamic routing configuration

- The routing protocol is OSPF; it must be activated on the interface with the GNE.

- The interface to the GNE must be set in the same area as the 1830 OAMP
interface.

- The configuration of the interface to the backbone depends on the customer DCN
(for example, the routing protocol is customer specific). It is the responsibility of the
network design team to adapt the external interface to particular needs (backbone
routing protocol, ...).

- Summarization: route summarization has to be activated at the border of the area.
Only a subset of the addresses shall be summarized (see 3.2).

- Routes to advertise to the GNE:

  We recommend using a totally stubby area, so that only a default route is advertised to
  the GNE.
  If a standard area must be used (not recommended), the following routes must be
  advertised:

  - Management subnet. This avoids route recalculation if the 1350 OMS has to
    move inside the management subnet, and is narrower than a default route.

Other optional router features

Depending on the other capabilities of the router, the following features are useful:

- Access lists. They can restrict access to the 1350 OMS (the active one and the
standby one) inside the management subnet.

- IP port filtering.

- QoS marking.

- IPsec tunneling. Mandatory if the IP flow has to cross an unsecure network.

Engineering Guidelines: 1830PSS Intra area path redundancy - D

A direct path has to be set between each front router inside a DCN area if path
redundancy is not ensured by a fully meshed architecture of the WDM network (through the
OSC/GCC).

Due to host (1830PSS) route summarization inside the front routers, this path must be an intra-
area path. Depending on project constraints, it can be any kind of direct link or a tunnel via
the backbone.

This path ensures the defense of routing in case of an OSC/GCC failure, for instance in a linear
network.

6.2 Time management


The NE shall support the NTP protocol version 3 (RFC 1305) and version 4 (see ntp.org). NTP
provides the mechanisms to synchronize time and coordinate time distribution in large networks. It
uses a returnable-time design in which a distributed subnet of time servers operating in a self-
organizing, hierarchical master-slave configuration synchronizes local clocks within the subnet to
national time standards via wire or radio. The servers can also redistribute reference time via local
routing algorithms and time daemons. NTP has been designed to work in a TCP/IP environment using
UDP datagrams.

Rule: 1830PSS - NTP version

The 1830 NTP release is version 3 (RFC 1305) and version 4 (4.2.6p2).
The NE shall interoperate transparently with NTP servers that support either version 3
or version 4.

Engineering Guideline: 1830PSS NTP server - M

It is mandatory to provide access to an NTP server for each 1830PSS, in such a way that all
1830 PSS of a WDM sub-network are synchronized on the same time.
The recommendation is to use the Network Manager as NTP server. Notice that the EMS is an NTP
tier 2 server which shall be connected to a tier 1 server.
Up to three NTP servers can be declared. It is mandatory to keep them synchronized: the backup
server must send the same time as the main one.

The NTP feature can be activated from ZIC or via management interface commands.

6.3 Address plan


A WDM sub-network requires one OSPF area.
To design a WDM sub-network, the customer must provide the following information:

Table 3 : Network addresses plan (blank fields are to be filled in by the customer)

For Management systems
NE type               Address    Subnet    Mask    Router gateway address
1350 OMS DCN Mngt     ____       ____      /__     BR1 ____
1350 OMS GMPLS Mngt   ____       ____      /__     BR2 ____
W_i WS Mngt           ____       ____      /__     BR3 ____
(as many lines as workstations for management)

WDM sub-network - OSPF Area : ____
Network type                  Address    Subnet    Mask    Router gateway address
MGMT                          ____       ____      /__
CP                            ____       ____      /__
VoIP                          ____       ____      /__
EXTD                          ____       ____      /__
INT                           ____       ____      /__
Ext. router 1 subnet (ER1)    ____       ____      /30
Ext. router 2 subnet (ER2)    ____       ____      /30
(as many external router subnets as GNEs, each /30)

For 1830PSS of GNE type
NE Name      Interface    Address             Subnet        Mask    Router gateway address
GNE_1 PSS.   OAMP         ____                ____          /30     R1 ____
             SYSTEM       MGMT.____                         /32
             GMRENODE     CP.____                           /32
             GMRENOTIFY   CP.____                           /32
             CIT          local 172.16.0.1    172.16.0.0    /24
             VOIP         VOIP.____           ____          /30
             E1           EXTD.____           ____          /30
             E2           EXTD.____           ____          /30
GNE_2 PSS.   OAMP         ____                ____          /30     R2 ____
             SYSTEM       MGMT.____                         /32
             GMRENODE     CP.____                           /32
             GMRENOTIFY   CP.____                           /32
             CIT          local 172.16.0.1    172.16.0.0    /24
             VOIP         VOIP.____           ____          /30
             E1           EXTD.____           ____          /30
             E2           EXTD.____           ____          /30

(8 lines per GNE; at least 2 GNEs)

For PSS16/PSS32/PSS36 of non GNE type
NE Name      Interface    Address             Subnet        Mask    Router gateway address
NE_i         SYSTEM       MGMT.____                         /32
             GMRENODE     CP.____                           /32
             GMRENOTIFY   CP.____                           /32
             CIT          local 172.16.0.1    172.16.0.0    /24
             VOIP         VOIP.____           ____          /30
             E1           EXTD.____           ____          /30
             E2           EXTD.____           ____          /30
             OAMP         ____                ____          /30
(8 lines per PSS)

For PSS1/PSS4 of non GNE type
NE Name      Interface    Address             Subnet        Mask    Router gateway address
NE_i         SYSTEM       MGMT.____                         /32
             CIT          local 172.16.0.1    172.16.0.0    /24
             LAN1         INT.____            ____          /30
             LAN2         INT.____            ____          /30
(4 lines per PSS)

R1 - R2 intra area link (tunnel)
          Route                            Backbone                    Tunnel
Router    @interface   Subnet     Area     @        Subnet     Area    Source    Dest
R1        ____         ____/__    ____     ____     ____/__    ____    ____      ____
R2        ____         ____/__    ____     ____     ____/__    ____    ____      ____

7 Security

7.1 Use RADIUS for user identification


At first installation, 1830PSS user authentication is done against local database user definitions.
Using RADIUS reinforces this security and lets several NEs share the same user
definitions.
The procedure for setting up RADIUS is:
1. Choose a RADIUS server.
2. Activate the server for user authentication.

7.1.1 Set the RADIUS server

The following command sets the RADIUS server on the 1830PSS:
[TL1] ENT-RADIUS-SERVER:::::RAD1,ENABLE:IPADDR=<ip>[,PORT=<port>],SECRET=<sharedSecret>;
[CLI] config admin authentication radius add RAD1 <ip>[:<port>] <sharedSecret>
<ip> is the IP address of the RADIUS server.
<port> is the IP port used by your RADIUS server, from 1 to 65000. Default value is 1812.
<sharedSecret> is a 5 to 32 character password.
7.1.2 Enable RADIUS usage

The following command will force user authentication using RADIUS server on the 1830PSS.
[TL1]SET-RADIUS-AUTH:::::RADIUS;
[CLI]config admin authentication order radius

7.2 Secure/unsecure mode


At commissioning, the 1830PSS is delivered in unsecure mode. In secure mode, for the TL1/CLI flows,
the telnet (23, 3082, 3083), ftp (20 & 21) and http (80) flows are disabled and only SSH (22), SFTP
and HTTPS (443) remain available.
These protocols implement ciphering and provide authentication of the 1830PSS. They have to be
implemented on each 1830PSS NE (GNE or not); the 1830PSS acts as the server, and the clients are
applications on the 1350 OMS or any other terminal or customer OMS.
As described below, the customer network administrator can choose to install the public key and
the certificate in his network, or let the user accept the certificate and key at the first connection.
The procedure for implementing the secure mode is:
1. Generate the SSH key.
2. Set the secure mode on.
In secure mode the user cannot connect without SSH, so the key must have
been generated before switching to secure mode.

7.2.1 Certificate generation

7.2.1.1 SSH/SFTP

The 1830PSS is delivered without any SSH key. A standard SSH key pair can be generated using TL1 or
CLI; public and private keys are generated on the 1830PSS.
[TL1] INIT-SSH-KEY:[TID]::[CTAG]:::[KEYTYPE=][,MODULUS=];
  KEYTYPE is DSA.
  MODULUS is 0.
[CLI] crypto key generate
Examples:
- To generate a DSA key:
  [TL1] INIT-SSH-KEY::::::KEYTYPE=DSA,MODULUS=0;

The network administrator can then get the public key (7.2.2.1.1) and install it on his servers.

7.2.1.2 HTTPs

The 1830PSS is delivered with a self-signed certificate. It is up to the customer to allow this
certificate in his network by adding it to his trusted certificates list.

The first time a user connects to the NE, he obtains the following screen.

Fig. 7: Internet Explorer and Mozilla Certificates alert

The right action is to select No or Do not accept this certificate and contact your
network administrator.

Customer Administrator

The network administrator should examine the certificate and if he recognizes it, add it to
the trusted certificates list.

7.2.2 Secure mode initialization

The TL1 or CLI commands allow setting the SECURE MODE.

The syntax is:
[TL1] SET-ATTR-SECUDFLT::::::SECACC=ENCRYPTED;
[CLI] crypto admin ui mode encrypted

Restriction: 1830PSS Secure mode compatibility

Warning:
- Before changing the secure mode to ENCRYPTED, check the ability of
the managers to use SSH, HTTPS and sFTP. All the remote systems
must be compliant.
- Changing the secure mode causes a reboot of the 1830PSS, and if
the remote systems cannot use SSH, HTTPS and sFTP, they will no
longer be able to connect to the 1830PSS.

7.2.2.1.1 Getting the public key

The TL1 or CLI command retrieves the public key of the NE.
[TL1] RTRV-SSH-KEY;
[CLI] crypto key details
This key should be distributed to the SSH clients. If it is not, the client must be allowed to accept
the key at first connection.
This command can be used whatever the secure mode (secure or insecure).
7.2.2.1.2 Certificate modification

To modify the certificate, a new generation must be launched.

7.3 Firewall configuration, list of protocols/ports


7.3.1 Ports in secure mode

Table 4 : Management flows and ports toward the GNE 1830PSS

Name                 Src port   Dest port   Dialogue initiator   Comment
SSH                  -          22/tcp      Manager              Secured telnet and ftp. Use SSH.
TL1 secure session   -          port 22     Manager              TL1 session opened through a CLI session
                                                                 over SSH, using the "tools tl1" CLI command
HTTPS                -          443/tcp     Manager              HTTPS

Table 5 : Management flows and ports from the GNE 1830PSS

Name   Src port   Dest port   Dialogue initiator   Comment
sFTP   -          22/tcp      1830PSS
NTP    -          123/udp     1830PSS              Network time of day sync port.

7.3.2 Ports in non secured mode

Table 6 : Management flows and ports toward the GNE 1830PSS

Name         Src port   Dest port   Dialogue initiator   Comment
Telnet       -          23/tcp      Manager
HTTP         -          80/tcp      Manager
TL1          -          3082/tcp    Manager              Destination port opened by OAM server TL1 agent, raw mode
TL1          -          3083/tcp    Manager              Destination port opened by OAM server TL1 agent
MTNM/Corba   -          34567/tcp   Manager              GMPLS MTNM management
GMRE CLI     -          30000/tcp   Manager              GMPLS CLI management

Table 7 : Management flows and ports from the GNE 1830PSS

Name         Src port   Dest port   Dialogue initiator   Comment
FTP          -          20&21/tcp   1830PSS
sFTP         -          22/tcp      1830PSS              Secured FTP
MTNM/Corba   -          5066/tcp    1830PSS              GMPLS MTNM management
NTP          -          123/udp     1830PSS              Network time of day sync port.
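Tables 4 to 7 double as a baseline for the front router's firewall and for reviewing its connection logs: any GNE flow on a port the tables do not list deserves a look. The Python below is an added example, not part of this guide; the flow records and GNE addresses are constructed, and the assumption that the secure services stay reachable in unsecure mode is this example's, not the guide's.

```python
"""Classify observed GNE management flows against Tables 4 to 7 above.
Added illustration, not part of the guide; the flow records and GNE
addresses are constructed, the ports are those listed in the tables."""

# (protocol, destination port) pairs per table.  "toward" flows are opened by
# the manager towards the GNE, "from" flows are opened by the GNE itself.
SECURE_TOWARD = {("tcp", 22), ("tcp", 443)}                         # Table 4
SECURE_FROM = {("tcp", 22), ("udp", 123)}                           # Table 5
CLEAR_TOWARD = {("tcp", 23), ("tcp", 80), ("tcp", 3082), ("tcp", 3083),
                ("tcp", 34567), ("tcp", 30000)}                     # Table 6
CLEAR_FROM = {("tcp", 20), ("tcp", 21), ("tcp", 22), ("tcp", 5066),
              ("udp", 123)}                                         # Table 7

# Constructed GNE addresses, taken from the guide's example MGMT range.
GNE_ADDRESSES = {"135.1.1.1", "135.1.1.3"}


def allowed_flows(secure_mode):
    """Return the (toward, from) allow-sets for the NE's secure/unsecure mode.
    Assumption of this example: in unsecure mode the secure services of
    Tables 4 and 5 stay reachable in addition to the clear-text ones."""
    if secure_mode:
        return SECURE_TOWARD, SECURE_FROM
    return CLEAR_TOWARD | SECURE_TOWARD, CLEAR_FROM | SECURE_FROM


def classify_flow(flow, secure_mode, gne_addresses=GNE_ADDRESSES):
    """Label one flow record (src, dst, proto, dport) relative to the GNE."""
    toward, from_gne = allowed_flows(secure_mode)
    key = (flow["proto"], flow["dport"])
    if flow["dst"] in gne_addresses:
        return "allowed" if key in toward else "unexpected-inbound"
    if flow["src"] in gne_addresses:
        return "allowed" if key in from_gne else "unexpected-outbound"
    return "not-gne"


def audit(flows, secure_mode):
    """Return (flow, verdict) pairs for GNE flows the tables do not account for."""
    findings = []
    for flow in flows:
        verdict = classify_flow(flow, secure_mode)
        if verdict not in ("allowed", "not-gne"):
            findings.append((flow, verdict))
    return findings


# Constructed flow records, as a front router's firewall might export them.
SAMPLE_FLOWS = [
    dict(src="10.0.0.5", dst="135.1.1.1", proto="tcp", dport=22),    # SSH to GNE
    dict(src="10.0.0.5", dst="135.1.1.1", proto="tcp", dport=23),    # telnet to GNE
    dict(src="135.1.1.1", dst="10.0.0.9", proto="udp", dport=123),   # NTP from GNE
    dict(src="135.1.1.3", dst="10.0.0.9", proto="tcp", dport=21),    # FTP from GNE
    dict(src="10.0.0.5", dst="10.0.0.7", proto="tcp", dport=80),     # unrelated
]
```

With the NE in secure mode, `audit(SAMPLE_FLOWS, True)` flags the telnet attempt and the clear-text FTP leaving the GNE; in unsecure mode the same flows all match Tables 6 and 7.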

7.4 IPSec tunnel
If an IPSec tunnel is needed, the feature must be implemented in the front router. This will be a
requirement for the routers features.

Rule: 1830PSS Network security level

It is up to the customer to determine the security level of his network, and so to
decide if IPSec is required.
The customer is in charge of his own networks. The 1830PSS product is
provided with engineering rules allowing the customer to maintain a high level
of security.

Engineering Guidelines 1: 1830PSS - IPSec tunneling - R

Alcatel-Lucent's recommendation is to implement an IPSec tunnel. The front router
must be able to manage IPSec tunneling (this feature is not available on the
1830PSS).
If the management flow has to go through an unsecure network between the
OMS and the 1830 GNE, IPSec tunneling is highly recommended, and tunneling
is to be implemented in the front router.
The same recommendation applies to the intra-area link between the front routers of the
GNEs.
An unsecure network could be the Internet domain or a third-party network, for
instance.

[Figure: a management centre (EMS/NMS) reaches the WDM network over the customer intranet, the customer management network and the Internet (IPSEC tunnel for management through the Internet; customer emergency access), then over the customer aggregation network to the Boston LAN and Miami LAN. Front routers R1 and R2 are joined by a direct link through an IPSEC or GRE tunnel inside OSPF area #i; GNE 1 and GNE 2, terminals, repeater and OADM are linked by OSC. Legend: optional firewall, mandatory firewall, end/start of tunnel.]

Fig. 8: IPSEC tunneling

The figure above describes three uses of tunnels.


- The first one is to secure the rescue intra-area link between R1 and R2. This allows the
extension of the OSPF area and builds a ring with the 1830PSS, R1 and R2 inside the area #i
(green surround).
Example in appendix.
- The second one is to secure communications coming through a non-trusted network (i.e. the
Internet) (orange). A tunnel must be established to cross the unsecured network. Firewalls
are mandatory. Typically, these tunnels are set towards the management centre.
- The third one is to secure the communication channel between R1 and the management
centre (blue). In the example, a tunnel is set between the customer LAN and R1; another
one is set between the customer LAN and R2. Here there is a tunnel between
router/firewall pairs. Firewalls are optional (grey), depending on the security level of each zone.
Notice that it is recommended to end a tunnel before crossing a firewall (and reopen it on
the other side of the firewall if needed).

WARNING: This is not a real security diagram. It is here only to introduce IPSec tunnels

7.5 Syslog server
Rule: 1830PSS - Syslog server

The 1830PSS does not support a syslog server.

7.6 Hardening advices


7.6.1 1830PSS

Some TL1 commands are available for hardening the 1830PSS:

- SET-ATTR-SECUDFLT
- SET-ATTR-SECULOG
- ED-USER-SECU

We strongly advise using these commands for hardening the 1830PSS DCN interface.

Engineering Guidelines: 1830PSS - SET-ATTR-SECUDFLT R

SET-ATTR-SECUDFLT:

MINPIDLEN=10     Minimum password length
PAGE=30          Default value for password aging in days
PCND=7           Default number of days to change the password after PAGE
PCNN=3           Default number of logins with an aged password after PAGE
POINT=180        Default value for password obsolescence in days
MINITVL=15       Default minimum interval in seconds between two invalid login attempts
MXINV=3          Max Invalid Attempts: the maximum number of consecutive invalid login
                 attempts (regardless of time interval or number of sessions) before
                 the NE logs out the user and locks out the user channel
TMOUT=15         Default number of minutes of inactivity before closing the session
KMINTVL=0        Keep Alive Message Interval; not activated (not implemented in 1830PSS)
SECACC=SECURE    Secure / unsecure mode

For more details about the SET-ATTR-SECUDFLT command, read the referenced document (the
cross-reference is not resolved in the source).
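Two things a practitioner will want from the table above: an audit that a SET-ATTR-SECUDFLT command does not fall below the recommended values, and a feel for how MXINV and MINITVL interact on invalid logins. The Python below is an added example, not part of this guide or of the NE software; the TL1 parsing covers only the NAME=VALUE payload shape shown in this document, and the lockout semantics are an assumption inferred from the parameter descriptions.

```python
"""Audit a SET-ATTR-SECUDFLT command against the guide's recommended values
and show how MXINV/MINITVL govern invalid-login lockout.
Added illustration, not part of the guide; parsing handles only the
'SET-ATTR-SECUDFLT::::::K=V,K=V;' shape shown in this document, and the
lockout behaviour is an assumption drawn from the parameter descriptions."""

# Recommended values from "Engineering Guidelines: 1830PSS - SET-ATTR-SECUDFLT R".
# The second field says which direction weakens security: "lower" means a
# smaller configured value is weaker, "higher" means a larger one is.
RECOMMENDED = {
    "MINPIDLEN": (10, "lower"),   # minimum password length
    "PAGE": (30, "higher"),       # password aging, days
    "PCND": (7, "higher"),        # days to change the password after PAGE
    "PCNN": (3, "higher"),        # logins allowed with an aged password
    "POINT": (180, "higher"),     # password obsolescence, days
    "MINITVL": (15, "lower"),     # min seconds between two invalid attempts
    "MXINV": (3, "higher"),       # consecutive invalid attempts before lockout
    "TMOUT": (15, "higher"),      # idle minutes before the session is closed
}
# 7.6.1 writes SECACC=SECURE and 7.2.2 writes SECACC=ENCRYPTED; accept both.
SECURE_VALUES = {"SECURE", "ENCRYPTED"}


def parse_secudflt(command):
    """Parse 'SET-ATTR-SECUDFLT::::::K=V,K=V;' into a {K: V} dict."""
    verb, _, payload = command.strip().rstrip(";").rpartition(":")
    if not verb.startswith("SET-ATTR-SECUDFLT"):
        raise ValueError("not a SET-ATTR-SECUDFLT command")
    params = {}
    for item in payload.split(","):
        key, _, value = item.partition("=")
        params[key.strip().upper()] = value.strip()
    return params


def audit_secudflt(command):
    """Return the parameters weaker than recommended (empty list = compliant).
    Parameters absent from the command are left to the NE default and not judged."""
    params = parse_secudflt(command)
    findings = []
    for name, (rec, weak_dir) in RECOMMENDED.items():
        if name not in params:
            continue
        value = int(params[name])
        if (weak_dir == "lower" and value < rec) or (weak_dir == "higher" and value > rec):
            findings.append(f"{name}={value} weaker than recommended {rec}")
    if "SECACC" in params and params["SECACC"].upper() not in SECURE_VALUES:
        findings.append(f"SECACC={params['SECACC']} is not the secure mode")
    return findings


def simulate_logins(attempts, mxinv=3, minitvl=15):
    """Apply MXINV/MINITVL to a sequence of (time_s, credentials_ok) attempts.
    Assumed semantics: an invalid attempt arriving less than MINITVL seconds
    after the previous invalid one is refused ("throttled") and still counts;
    MXINV consecutive invalid attempts lock the user channel; a successful
    login before that resets the counter."""
    outcomes, consecutive, last_invalid, locked = [], 0, None, False
    for t, ok in attempts:
        if locked:
            outcomes.append("locked")
        elif ok:
            consecutive = 0
            outcomes.append("ok")
        else:
            throttled = last_invalid is not None and t - last_invalid < minitvl
            consecutive += 1
            last_invalid = t
            if consecutive >= mxinv:
                locked = True
                outcomes.append("locked-out")
            else:
                outcomes.append("throttled" if throttled else "invalid")
    return outcomes


# Constructed commands: one below the guide's values, one matching them.
WEAK = "SET-ATTR-SECUDFLT::::::MINPIDLEN=6,PAGE=90,MXINV=10,TMOUT=15,SECACC=UNSECURE;"
STRONG = ("SET-ATTR-SECUDFLT::::::MINPIDLEN=10,PAGE=30,PCND=7,PCNN=3,POINT=180,"
          "MINITVL=15,MXINV=3,TMOUT=15,SECACC=SECURE;")

# Constructed attempt logs: (seconds since the first attempt, credentials valid?)
BRUTE_FORCE = [(0, False), (5, False), (30, False), (60, True)]
RECOVERED = [(0, False), (20, False), (40, True), (45, False)]
```

`audit_secudflt(WEAK)` lists MINPIDLEN, PAGE, MXINV and SECACC; `simulate_logins(BRUTE_FORCE)` shows the third invalid attempt locking the channel so that even the later valid credentials are refused.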

7.6.2 Router

Engineering Guidelines: 1830PSS - Router hardening - R

The security features of the router should be activated: policies, access lists,
authentication, encryption.

7.6.3 Architecture

Engineering Guidelines: 1830PSS - Firewall - R

Firewalls can be implemented at the border of a WDM sub-network in order to
filter flows going from/to the WDM sub-network.
Firewalls must be implemented if the IP flow has to go through unsecure zones.
