Cisco ONS 15600 SDH Reference Manual, Release 9.0
78-18400-01
Chapter 9 Management Network Connectivity
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with ONS 15600 SDH using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 remark *** allows CTC communication with ONS 15600 SDH GNE (port 57790) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 100 remark *** allows ACKs back from CTC to ONS 15600 SDH GNE ***
access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 remark *** allows alarms etc., from the 15600 SDH (random port) to the CTC workstation (port 683) ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15600 SDH GNE to CTC ***
The following ACL (access control list) example shows a firewall configuration when the SOCKS proxy
server gateway setting is enabled. As with the first example, the CTC workstation address is
192.168.10.10 and the ONS 15600 SDH address is 10.10.10.100. The firewall is attached to the GNE,
so inbound is CTC to the GNE and outbound is from the GNE to CTC. The CTC CORBA port setting is the
Standard constant (683) and the TCC CORBA port setting is the default, TCC Fixed (57790). Note that
with the SOCKS proxy enabled the outbound ACL contains only an established entry: the GNE no longer
opens connections toward the CTC workstation, so no inbound-to-CTC port needs to be permitted.
access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with the 15600 SDH using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 100 remark *** allows CTC communication with the 15600 SDH GNE (port 1080) ***
access-list 100 remark
access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15600 SDH GNE to CTC ***
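The two ACL examples above (SOCKS proxy off, SOCKS proxy on) can be checked offline before they are pushed to a firewall. The following script is an added example, not part of the Cisco manual: it parses the subset of Cisco IOS extended-ACL syntax the page uses (host/host, eq PORT, established, remark), applies first-match evaluation with the implicit deny at the end of every IOS ACL, and evaluates the CTC/GNE flows the page describes plus a few that must be blocked. The two ACL texts are the page's permit lines (remarks omitted); the flow tuples and the port-name table are constructed test input, not captures from a device.

```python
"""Offline check of the CTC <-> GNE firewall ACL examples (added example, not Cisco's code)."""
from dataclasses import dataclass
from typing import Optional

CTC = "192.168.10.10"   # CTC workstation address used on the page
GNE = "10.10.10.100"    # ONS 15600 SDH GNE address used on the page
PORT_NAMES = {"www": 80}  # IOS port keywords this example needs (assumption: only 'www')


@dataclass
class Ace:
    """One access-control entry, limited to the forms the page uses."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # source host
    dst: str               # destination host
    dport: Optional[int]   # destination port from 'eq', None = any
    established: bool      # IOS 'established': match only if ACK or RST is set


def parse_acl(text: str) -> dict:
    """Parse 'access-list N ...' lines into {N: [Ace, ...]}; remarks are skipped."""
    acls: dict = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action, proto = parts[1], parts[2], parts[3]
        if parts[4] != "host" or parts[6] != "host":
            raise ValueError(f"only 'host A host B' entries are supported: {raw}")
        src, dst = parts[5], parts[7]
        dport, established, rest = None, False, parts[8:]
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                name = rest.pop(0)
                dport = PORT_NAMES.get(name) or int(name)
            elif tok == "established":
                established = True
            else:
                raise ValueError(f"unsupported token {tok!r}: {raw}")
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport, established))
    return acls


def evaluate(aces: list, proto: str, src: str, dst: str, dport: int, ack: bool = False) -> str:
    """First matching entry wins; no match means the implicit 'deny'.

    ack=True models a segment with ACK (or RST) set, i.e. traffic inside an
    already-open TCP connection; ack=False models a bare SYN opening a new one.
    """
    for ace in aces:
        if ace.proto not in ("ip", proto) or ace.src != src or ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not ack:
            continue
        return ace.action
    return "deny"


# The page's first example (SOCKS proxy off), permit lines only.
ACL_DIRECT = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""

# The page's second example (SOCKS proxy on), permit lines only.
ACL_SOCKS = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""


def check_flows(acl_text: str) -> dict:
    """Verdicts for the flows the page describes and for flows that must be blocked."""
    acls = parse_acl(acl_text)
    inbound, outbound = acls["100"], acls["101"]   # 100: CTC -> NE, 101: NE -> CTC
    return {
        "ctc->gne:80 (initial http)":     evaluate(inbound, "tcp", CTC, GNE, 80),
        "ctc->gne:57790 (CTC to TCC)":    evaluate(inbound, "tcp", CTC, GNE, 57790),
        "ctc->gne:1080 (SOCKS)":          evaluate(inbound, "tcp", CTC, GNE, 1080),
        "ctc->gne:22 (not provisioned)":  evaluate(inbound, "tcp", CTC, GNE, 22),
        "gne->ctc:683 new conn (alarms)": evaluate(outbound, "tcp", GNE, CTC, 683),
        "gne->ctc:49152 ack (reply)":     evaluate(outbound, "tcp", GNE, CTC, 49152, ack=True),
        "other host->gne:80":             evaluate(inbound, "tcp", "192.168.10.11", GNE, 80),
        "gne->other host:683":            evaluate(outbound, "tcp", GNE, "192.168.10.11", 683),
    }


if __name__ == "__main__":
    for name, text in (("SOCKS off", ACL_DIRECT), ("SOCKS on", ACL_SOCKS)):
        print(f"== {name} ==")
        for flow, verdict in check_flows(text).items():
            print(f"{verdict:6} {flow}")
```

Running it shows the difference that matters for the firewall: with the proxy off, the GNE may open a new connection to the CTC workstation on port 683, while with the proxy on only replies (established) leave the GNE and 57790 is no longer reachable from CTC, 1080 is. Keep in mind that IOS established is not stateful; it matches any TCP segment with ACK or RST set, so a stateful firewall in front of the GNE is the stronger choice where one is available.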
9.5 Open GNE
The ONS 15600 SDH can communicate with non-ONS nodes that do not support point-to-point protocol
(PPP) vendor extensions or OSPF type 10 opaque link-state advertisements (LSA), both of which are
necessary for automatic node and link discovery. An open GNE configuration allows the DCC-based
network to function as an IP network for non-ONS nodes.
To configure an open GNE network, you can provision RS-DCC and MS-DCC terminations to include
a far-end, non-ONS node using either the default IP address of 0.0.0.0 or a specified IP address. You
provision a far-end, non-ONS node by checking the “Far End is Foreign” check box during RS-DCC and
MS-DCC creation. The default 0.0.0.0 IP address accepts whatever IP address the far-end, non-ONS node
presents; if you set an IP address other than 0.0.0.0, a link is established only if the far-end node
identifies itself with that IP address, which restricts the link to the intended peer. Because the
far-end node asserts that address itself, this is a provisioning check rather than authentication
of the peer.
By default, the proxy server only allows connections to discovered ONS peers and the firewall blocks
all IP traffic between the DCC network and LAN. You can, however, provision proxy tunnels to allow
up to 12 additional destinations for SOCKS version 5 connections to non-ONS nodes. You can also