10-1 Management Communication (54) - 2021-12-03 (HE R14A)


Management Communication

FOX61x Multiservice Platform

2021-12-03 © 2021 Hitachi Energy. All rights reserved.


Agenda
1. Management Overview
2. Management Architecture
3. Management Access
4. FOXCST
5. SNMP
6. Syslog
7. Management Security
8. Management Configuration/Status with FOXCST



Management Communication

Management Overview

FOX61x Management Connections


• Element management with FOXCST:
NEs are managed via the standalone management tool FOXCST, which provides the necessary configuration facilities as well as alarm and status supervision.

• Network management with FOXMAN-UN NMS:
At the network level, NEs can be managed via FOXMAN-UN, which provides the network management functions using the services of an integrated FOXCST.


Management Communication

Management Overview

FOX61x Management Connections (Continued)


• Logical connection between FOXCST and NE:
• A standard unencrypted or encrypted protocol can be used for data transport between the FOXCST and the NE.
• Upper OSI layers are ABB proprietary.

• Management interconnections between NEs:
Management interconnections can be:
• routed via Ethernet VLAN bridge (Chassis Switch), or
• routed via MPLS MCC links, or
• routed via TDM PPP links.


Management Communication

Management Overview

FOX61x Management Connections (Continued)


• FOX61x NE management connection:
The FOX61x NE can be accessed
• directly on local Ethernet management port (not routed);
• through Chassis Switch on a local port (routed);
• indirectly via a routed network that can consist of other FOX61x
NEs or third-party equipment.





Management Communication

Management Architecture

FOX61x Management Architecture *)

[Figure: Management Architecture for local access; labels: FOXCST, CESMx local port (192.168.1.1/24), OSPF Router]

• The NE management handles the management functions of the NE as they are displayed in FOXCST.
• It is associated with the management router, i.e. any IP address on the management router can be used as management address: generally, the first loopback address or a VLAN interface address is used.
• Local Management Port (core unit):
• operates as a console port; it has no connection to the router and is always accessible.
• Management Router:
• provides both static routing and dynamic routing.
• access availability can be improved using VRRP.

*) Note: CESM1/2 offer only two VLAN IF
Management Communication

Management Architecture

FOX61x Management Architecture


*)
• Loopback Interfaces:
• eight loopback interfaces are provided to address the
router and to lend IP addresses to unnumbered PPP and
MCC links.
• VLAN Interfaces:
• connect the Chassis Switch to the router.
• are identified by an IP address on the router and by a
VLAN ID on the switch.
• two VRRP instances are supported per VLAN interface.
• TDM Interfaces PPP:
• Up to 16 TDM interfaces are supported.
• PPP links with various modes can be configured.

*) Note: CESM1/2 offer only two VLAN IF
Management Communication

Management Architecture

FOX61x Management Architecture


*)
• MPLS Interfaces MCC:
• MPLS-TP can be used for in-band management via an
MPLS-TP network.
• Up to 10 MPLS MCC interfaces are supported in order to
build meshed management networks.
• MPLS MCC links can be configured over MPLS-TP
sections or over LSPs.
• The logical MPLS router interfaces use the core unit front
ports.

*) Note: CESM1/2 offer only two VLAN IF


Management Communication

Management Access

User Classes
FOX61x offers 4 user classes, each with its distinctive access level:
• Information:
  • Read access only.
• Maintenance:
  • Read access plus write access for performance monitoring and diagnostics operations, e.g. setting of test modes or counter reset.
• Manager:
  • Read access plus write access for all operations with the exception of those commands and properties which are reserved to the session manager.
• Session Manager:
  • Read access plus write access for
    • session management (administrative states of different access and authentication types, session times),
    • session control (authority to kill any active session except his own),
    • RADIUS client attributes,
    • SNMP agent attributes (v1/v2 communities, v3 users),
    • modification of passwords.


Management Communication

Management Access

Session Management
• A FOX61x NE allows up to 16 simultaneous management sessions:
• Up to two sessions can be active using the local management port.
• One session is always reserved for the session manager; the other 15 sessions can be used by other user classes in any distribution, but only one session of class “Session Manager” is allowed at a time.
• More than one simultaneous session of class “Manager” is thus accepted. It is the responsibility of the connected users to avoid configuration conflicts.
• The acceptance of multiple manager sessions is essential in order not to block service provisioning by FOXMAN-UN, i.e. FOXMAN-UN must be allowed to start a manager session to any NE at any time.
• The session manager has the authority to terminate all active sessions except his own.


Management Communication

Management Access

Firewall Setup - Management Communication through a firewall



Management Communication

Management Access

Firewall Setup - Protocols and processes used for management traffic with FOX61x NEs



Management Communication

Management Access

Firewall Setup - Protocols and processes used for management traffic with FOX61x NEs (Continued)



Management Communication

FOXCST

Local management traffic access


Local Access via the Local Management Port
• Up to two sessions can be active.
• For systems with redundant control unit only the local management port of the active control unit communicates.
• Default IP address of the local management port:
• 192.168.1.1/24 (core unit plugged in slot-11) or
• 192.168.1.2/24 (redundant core unit plugged in slot-13)
• The IP address and network mask of the local management port can be configured.
Local Access via a FOX61x VLAN Bridge Port *)
• via any Chassis Switch (VLAN bridge) port.
• Ethernet port, IP address and management VLAN ID of the used VLAN interfaces need to be pre-configured via local management connection using the local management port.

*) Note: CESM1/2 offer only two VLAN IF
Management Communication

FOXCST

Remote management traffic access *)

via Chassis Switch (VLAN Bridge) Port


• When connecting a FOX61x network element to a
switched or routed network, in-band management traffic
can be forwarded to any Ethernet port of the Chassis
Switch. A VLAN interface*) needs to be enabled because
it is the only IP address that can be reached by a remote
network element not using a layer 3 protocol.
via TDM Port with a DCC Connection
• The DCC connection allows a remote connection to the
FOX61x network element using an embedded
communication channel (ECC) of the SDH or PDH
transport units.
• The management router offers 16 TDM interfaces using
the PPP protocol.

*) Note: CESM1/2 offer only two VLAN IF
Management Communication

FOXCST

Remote management traffic access *)

via an MPLS-TP Port with a DCN Connection


• The DCN connection allows a remote connection to the
FOX61x network element using a management
communication channel (MCC) of the core unit used as
MPLS-TP transport unit. The MCC (mcc-x) is transported
over the generic associated channel (G-ACh) which is
associated with an MPLS-TP physical or logical (VLAN
based) section (mplsif-x) or an LSP carrying the IPv4
PDUs. The management communication is terminated in
the management router instance of the core unit.
• The FOX61x management router offers 10 MCC
interfaces.

*) Note: CESM1/2 offer only two VLAN IF
Management Communication

FOXCST
Cyber Security Feature
Encryption/Authentication

Session Management Control


The following parameters in the AP: /ne, Configuration - Session Management control the access to the FOX61x with FOXCST:
- Encrypted Management Communication: to support unencrypted and/or encrypted (SSH) connection with FOXCST.
- Local Management Port: to support connection with the local management port or only with management router interfaces.
- Access Authentication: Local and remote authentication can be enabled or disabled for both the Local Management Port and the management router ports separately. The remote authentication requires the configuration of the RADIUS client in the FOX61x and an operational RADIUS server.
- Local Authentication Fallback: when using remote RADIUS authentication and none of the configured RADIUS servers is operational, access to the FOX61x is not possible unless the authentication fallback parameter is set to true.
- Retry Time (Time-Out): The retry time controls the time a user class is blocked after three unsuccessful connection attempts. It is configurable by the session manager between 0 minutes (no lock-out) and 1440 minutes (24 hours lock-out). A locked-out user can be unlocked by the session manager by a password change for the corresponding user class.
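As an added illustration (not Hitachi Energy code), the following Python model puts the Session Management parameters above together into one access decision, including the RADIUS fallback and the three-attempt lock-out. The per-port authentication mode ("none", "local", "remote"), the RADIUS stand-in answer and all credentials are constructed assumptions.

```python
# Added example (not Hitachi Energy code): a model of the Session Management
# parameters described above. Authentication per port is modelled as a mode,
# an assumption: "none", "local" (NE password) or "remote" (RADIUS) with the
# Local Authentication Fallback option.
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3     # lock-out after three unsuccessful attempts
MAX_RETRY_MINUTES = 1440    # 0 = no lock-out, 1440 = 24 h lock-out


@dataclass
class SessionControl:
    encrypted_only: bool = True             # accept only SSH-encrypted FOXCST sessions
    local_port_enabled: bool = True         # False: management router interfaces only
    auth_mode: dict = field(default_factory=lambda: {"local": "local", "router": "remote"})
    local_auth_fallback: bool = False
    retry_time_min: int = 15
    passwords: dict = field(default_factory=dict)     # user class -> NE password (constructed)
    failed: dict = field(default_factory=dict)        # user class -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user class -> minute the lock expires

    def __post_init__(self):
        if not 0 <= self.retry_time_min <= MAX_RETRY_MINUTES:
            raise ValueError("Retry Time must be 0..1440 minutes")


def login(ctrl, port, encrypted, user_class, password, now_min, radius_answer=None):
    """Decide one connection attempt. radius_answer is a constructed stand-in for the
    RADIUS server: True/False when a server answered, None when none is operational."""
    if not encrypted and ctrl.encrypted_only:
        return "rejected: unencrypted connection"
    if port == "local" and not ctrl.local_port_enabled:
        return "rejected: local management port disabled"
    mode = ctrl.auth_mode[port]
    if mode == "none":
        return "ok"
    if now_min < ctrl.locked_until.get(user_class, 0):
        return "rejected: user class locked out"
    if mode == "remote" and radius_answer is not None:
        accepted = radius_answer
    elif mode == "remote" and not ctrl.local_auth_fallback:
        return "rejected: no RADIUS server operational and fallback disabled"
    else:                                   # local authentication, or RADIUS fallback
        accepted = ctrl.passwords.get(user_class) == password
    if accepted:
        ctrl.failed[user_class] = 0
        return "ok"
    ctrl.failed[user_class] = ctrl.failed.get(user_class, 0) + 1
    if ctrl.failed[user_class] >= MAX_FAILED_ATTEMPTS and ctrl.retry_time_min > 0:
        ctrl.locked_until[user_class] = now_min + ctrl.retry_time_min
        ctrl.failed[user_class] = 0
        return "rejected: user class locked out"
    return "rejected: bad credentials"


def change_password(ctrl, user_class, new_password):
    """Password change by the session manager: also clears a lock-out for that class."""
    ctrl.passwords[user_class] = new_password
    ctrl.locked_until.pop(user_class, None)
    ctrl.failed[user_class] = 0


if __name__ == "__main__":
    ne = SessionControl(passwords={"Manager": "constructed-pw"})
    # no RADIUS server operational and fallback disabled: the NE is unreachable
    print(login(ne, "router", True, "Manager", "constructed-pw", 0))
    ne.local_auth_fallback = True
    print(login(ne, "router", True, "Manager", "constructed-pw", 0))
```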




Management Communication

SNMP

SNMP system architecture


• FOX61x NEs offer a standard SNMP interface towards NMS other than FOXMAN-UN/FOXCST supporting:
• configuration of SNMP related parameters, i.e. tailoring the SNMP stack to the user's specific needs,
• reading and writing of SNMP objects,
• reading of packet statistics counters,
• sending of SNMP notifications (traps and informs).
• The SNMP Proxy (Agent)
• implements the SNMP v1, v2c and v3 protocol stacks.
• implements the SNMP related MIBs (SNMP-TARGET-MIB, SNMP-COMMUNITY-MIB, …).
• translates, with the support of the Management Gateway, the SNMP requests to ABB proprietary protocol requests, and translates the ABB proprietary protocol responses to SNMP responses.
• generates spontaneous SNMP messages from system internal notifications.




Management Communication

Syslog

Syslog Sources
• FOX61x NE supports sending of event informational messages to external syslog hosts, a de-facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known security problems which were documented in the informational RFC5424.
• The FOX61x supports six facilities in the syslog source list:
  • System,
  • Alarm logbook,
  • Event logbook,
  • Configuration logbook,
  • Equipment logbook,
  • Session logbook.


Management Communication

Syslog

Syslog Severity
• The severity for each source is configurable except for the system and the alarm logbook sources.
• The syslog severity of system and alarm events is directly mapped from the alarm severity:
[System severity mapping table and Alarm severity mapping table not reproduced]


Management Communication

Syslog

Syslog Destinations
• Up to ten remote syslog hosts can be configured individually: Destination 1 … Destination 10.
• For each destination the facilities can be added which shall generate syslog messages.
• System and alarm events in addition provide a filter function which allows to send only syslog messages with a severity having a minimum weight.*)

*) The clearing message of an alarm has the same syslog severity as the activation: the clearing messages are subject to the same filter rules as the activation messages.
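The destination and filter rules above as an added Python model (not Hitachi Energy code): each destination subscribes to facilities, only system and alarm events pass through the minimum-weight filter, and an alarm clearing message keeps its activation severity. The mapping of the six sources to RFC 5424 facility codes (local0..local5), the host names and the sample events are constructed assumptions; the NE's real mapping tables are not reproduced.

```python
# Added example (not Hitachi Energy code): per-destination facility and
# minimum-severity filtering of FOX61x syslog sources, emitting RFC 5424 lines.
from dataclasses import dataclass

# RFC 5424 severities: lower number = more severe (higher weight)
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}
# FOX61x syslog source list -> assumed RFC 5424 facility code (local0..local5)
FACILITY_CODE = {"system": 16, "alarm": 17, "event": 18,
                 "configuration": 19, "equipment": 20, "session": 21}
FILTERED_SOURCES = {"system", "alarm"}   # only these carry the minimum-weight filter
MAX_DESTINATIONS = 10


@dataclass
class Destination:
    host: str
    facilities: frozenset
    min_severity: str = "debug"     # "debug" lets every system/alarm message through


@dataclass
class Event:
    facility: str
    severity: str            # syslog severity (for alarms: mapped from the alarm severity)
    msgid: str
    msg: str
    clearing: bool = False   # alarm clearing message: same severity as the activation


def passes(dest, ev):
    """True when the destination subscribed to the facility and the weight filter agrees."""
    if ev.facility not in dest.facilities:
        return False
    if ev.facility in FILTERED_SOURCES:
        return SEVERITY[ev.severity] <= SEVERITY[dest.min_severity]
    return True


def format_rfc5424(ev, hostname, timestamp):
    """RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = FACILITY_CODE[ev.facility] * 8 + SEVERITY[ev.severity]
    state = "CLEARED: " if ev.clearing else ""
    return f"<{pri}>1 {timestamp} {hostname} fox61x - {ev.msgid} - {state}{ev.msg}"


def dispatch(destinations, events, hostname="ne-01", timestamp="2021-12-03T10:00:00Z"):
    """Return {host: [lines]} for every configured destination."""
    if len(destinations) > MAX_DESTINATIONS:
        raise ValueError("at most 10 syslog destinations")
    out = {d.host: [] for d in destinations}
    for ev in events:
        for d in destinations:
            if passes(d, ev):
                out[d.host].append(format_rfc5424(ev, hostname, timestamp))
    return out


# constructed configuration: a SIEM wanting serious alarms plus all session events,
# and an operations collector receiving everything
SIEM = Destination("siem.example.invalid", frozenset({"alarm", "session"}), "warning")
OPS = Destination("ops.example.invalid", frozenset(FACILITY_CODE), "debug")
# constructed events: an alarm, its clearing message, a login, a low-weight alarm, a system event
SAMPLE_EVENTS = [
    Event("alarm", "critical", "ALM", "LOS on /unit-x/port-y"),
    Event("alarm", "critical", "ALM", "LOS on /unit-x/port-y", clearing=True),
    Event("session", "informational", "SESS", "Manager session opened on vlanInterface-1"),
    Event("alarm", "notice", "ALM", "Minor alarm on /unit-x"),
    Event("system", "error", "SYS", "NTP server unreachable"),
]

if __name__ == "__main__":
    for host, lines in dispatch([SIEM, OPS], SAMPLE_EVENTS).items():
        print(host, *lines, sep="\n  ")
```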


Management Communication

Management Security
Cyber Security Feature
Encryption/Authentication

Security Measures Overview

• To meet the strong demand for secure management communication, which can be achieved on various network layers, FOX61x provides a range of security measures:
• Using a separated network on the physical layer (OSI layer 1).
• Network separation on the data link layer (OSI layer 2) by means of a dedicated management VLAN.
• Securing management communication on the network layer (OSI layer 3): the FOX61x supports IPSec for management communication.
• Using encrypted data transport on the session layer (OSI layer 5) for CLI and FOXCST management.
• User authentication with a password via FOXCST or SNMP v3 on the application layer (OSI layer 7).
• Hardware and software firewall to protect the NE management on the core unit.




Management Communication

Management Configuration/Status with FOXCST

Management Tab Overview


• The “Management” view provides the management router related management
functions at the AP: /managementNetwork:
• Loopback Interfaces
• MPLS Interfaces
• Router
- OSPF
- OSPF Areas
• TDM Interfaces
• VLAN Interfaces



Management Communication

Management Configuration/Status with FOXCST

Management Network Configuration


Source IP Address
• IP-based applications like e.g. RADIUS might use the client's source IP address for the unique client identification. The source IP address is determined by the client system and is usually the IP address of the outgoing interface in the routing table.
• The management router of the FOX61x has multiple routing interfaces (vlanInterface, mcc, ppp) and outgoing packets can potentially be sent via different paths at different times. This results in different source IP addresses, which creates a client identification problem.
• The source IP address configuration feature allows the selection of a logical interface of the management router (VLAN interface or loopback interface), whose IP address is then used as the source IP address for all outgoing traffic generated by a specified application.
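An added Python illustration (not Hitachi Energy code) of the identification problem described above: when the path to the RADIUS server fails over from the VLAN interface to an MCC link, the default source address changes and the server no longer recognises the NE, whereas pinning the source to a loopback interface keeps it stable. Interface names follow the slide (lo-x, vlanInterface-x, mcc-x); the addresses, routes and the server's client table are constructed.

```python
# Added example (not Hitachi Energy code): effect of the Source IP Address
# setting on RADIUS client identification across management router paths.
import ipaddress

# constructed management router interfaces
INTERFACES = {"lo-1": "10.255.0.1", "vlanInterface-1": "172.16.1.2", "mcc-1": "172.16.9.2"}
# constructed routing table: (prefix, outgoing interface, metric)
ROUTES = [
    ("192.168.100.0/24", "vlanInterface-1", 10),   # preferred path to the RADIUS server
    ("192.168.100.0/24", "mcc-1", 20),             # backup path via an MPLS MCC link
]
RADIUS_SERVER = "192.168.100.5"   # constructed server address


def outgoing_interface(dst, routes, links_up):
    """Longest-prefix, then lowest-metric lookup restricted to interfaces that are up."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and ifname in links_up:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def source_address(dst, links_up, source_interface=None):
    """Default behaviour: the outgoing interface's address. With the Source IP Address
    feature the selected loopback/VLAN interface's address is used on every path."""
    if source_interface is not None:
        return INTERFACES[source_interface]
    return INTERFACES[outgoing_interface(dst, ROUTES, links_up)]


class RadiusServer:
    """Server side: the client is identified by the source IP of the Access-Request."""
    def __init__(self, clients):
        self.clients = clients            # source IP -> client name (constructed)

    def identify(self, src_ip):
        return self.clients.get(src_ip)   # None: unknown client, request is dropped


def radius_client_seen_as(server, links_up, source_interface=None):
    return server.identify(source_address(RADIUS_SERVER, links_up, source_interface))


if __name__ == "__main__":
    # operator registered the NE under the address it first used (the VLAN interface)
    naive = RadiusServer({"172.16.1.2": "ne-01"})
    # operator registered the NE under its loopback address and pinned the source to lo-1
    pinned = RadiusServer({"10.255.0.1": "ne-01"})
    for links in ({"vlanInterface-1", "mcc-1"}, {"mcc-1"}):
        print(sorted(links),
              "unpinned:", radius_client_seen_as(naive, links),
              "pinned lo-1:", radius_client_seen_as(pinned, links, "lo-1"))
```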


Management Communication

Management Configuration/Status with FOXCST

Loopback Interfaces Configuration


• IP
• OSPF


Management Communication

Management Configuration/Status with FOXCST

Loopback Interfaces Status


• IP
• OSPF


Management Communication

Management Configuration/Status with FOXCST

MPLS-TP MCC Interfaces


• MPLS MCC

• Up to 10 MPLS MCC interfaces can be created.



Management Communication

Management Configuration/Status with FOXCST

Router Configuration (Static Routing)


• Static Routes



Management Communication

Management Configuration/Status with FOXCST

Router Configuration (Dynamic Routing)


• OSPF



Management Communication

Management Configuration/Status with FOXCST

Router Configuration (Dynamic Routing) (Continued)


• OSPF (Continued) *)

*) More parameters are available for the Virtual Links configuration
Management Communication

Management Configuration/Status with FOXCST

Router Configuration (Dynamic Routing) (Continued)


• OSPF/area-x



Management Communication

Management Configuration/Status with FOXCST

Router Configuration (Dynamic Routing) (Continued)


• OSPF/area-x (Continued)



Management Communication

Management Configuration/Status with FOXCST

Router Status (Static & Dynamic Routing)


• Routing Table



Management Communication

Management Configuration/Status with FOXCST

Router Status (Dynamic Routing)


• OSPF
• OSPF areas
• The area ranges of all areas are shown in the status dialogue.
• The external summary addresses of all areas are shown in the status dialogue.


Management Communication

Management Configuration/Status with FOXCST

TDM Interfaces Configuration


• TDM



Management Communication

Management Configuration/Status with FOXCST

TDM Interfaces Configuration (continued)


• ppp-z / IP



Management Communication

Management Configuration/Status with FOXCST

TDM Interfaces Configuration (continued)


• ppp-z / OSPF

• The TDM interface should be configured as “Point To Point” interface type.


Management Communication

Management Configuration/Status with FOXCST

TDM Interfaces Status


• ppp-z / IP
• ppp-z / OSPF


Management Communication

Management Configuration/Status with FOXCST

VLAN Interface Configuration


• Create VLAN Interfaces*)

*) in CESM1 & CESM2 up to two VLAN Interfaces are available, in CESM3 up to eight VLAN Interfaces are available.
Management Communication

Management Configuration/Status with FOXCST

VLAN Interface Configuration (Continued)


• IP
• VLAN


Management Communication

Management Configuration/Status with FOXCST

VLAN Interface Configuration (Continued)


• OSPF



Management Communication

Management Configuration/Status with FOXCST

VLAN Interface Configuration (Continued)


• VRRP



Management Communication

Management Configuration/Status with FOXCST

Management Configuration Step by Step


FOXCST Management Tab:
1. Select/Configure Loopback Interface
managementNetwork/loopbackInterfaces/lo-x
-> Configuration -> IP Address: set IP address
-> AdminState = Up
- To avoid over-determination, when an unnumbered interface
(with OSPF enabled) uses a loopback interface it is not
recommended to enable OSPF also for the loopback interface.
2. Configure/Enable OSPF Protocol
managementNetwork/router/OSPF -> AdminState = Up
- The area 0.0.0.0 (backbone area) is automatically enabled and
configured (default) as soon as OSPF protocol is enabled
- If no Router ID is configured, the IP Address of the first loopback
interface will be automatically used as Router ID.



Management Communication

Management Configuration/Status with FOXCST

Management Configuration Step by Step


FOXCST Management Tab (Continued):
• For PDH/SDH networks:
3. Create TDM Interface(s)
managementNetwork/tdmInterfaces
-> Configuration -> Create PPP Interface: Select interface & bandwidth
4. Configure TDM Interface(s)
managementNetwork/tdmInterfaces/ppp-x
-> Configuration -> IP: Addressing Mode = Unnumbered & Unnumbered From = lo-1
-> Configuration -> OSPF: OSPF = Enabled
-> AdminState = Up
5. Cross Connect TDM Interface(s)
managementNetwork/tdmInterfaces/ppp-x
-> Command -> Create Cross Connection…:
select A-End for transport:
- /unit-x (SAMOx)/sdh/sdh-y/dccm (n=9),
- /unit-x (SAMOx)/sdh/sdh-y/dccr (n=3),
- any payload of the selected bandwidth
• For MPLS-TP networks:
3. Create Section MCC Interface(s)
managementNetwork/mplsMccInterfaces
-> Configuration -> Create Section MCC Interface: Select mcc & mpls interface
4. Configure Section MCC Interface(s)
managementNetwork/tdmInterfaces/mcc-x
-> Configuration -> IP: Addressing Mode = Unnumbered & Unnumbered From = lo-1
-> Configuration -> OSPF: OSPF = Enabled
-> AdminState = Up
Management Communication

Management Configuration/Status with FOXCST

Management Configuration Step by Step (Continued)


FOXCST Management Tab (Continued):
• In the Gateway node:
6. Create VLAN Interface
managementNetwork/vlanInterfaces
-> Configuration -> Create Management VLAN Interface: Select interface & VLAN ID (e.g.) 4089
7. Configure VLAN Interface
managementNetwork(/vlanInterfaces)/vlanInterface(-x)
-> Configuration -> IP: set IP address
-> Configuration -> VLAN: set VLAN ID = (e.g.) 4089
-> Configuration -> OSPF: OSPF = Enabled
- If the NE is not connected through an external OSPF router for management, OSPF Mode = Passive can be set (no hello packets & LSAs will be sent over the VLAN interface).
-> AdminState = Up

FOXCST Switching Tab:
• In the Gateway node:
8. Select Ethernet Port for Remote Access
Switching/Bridges/bridge-1 -> Ports
-> +: select Ethernet port for remote access and
-> /unit-x/port-y: Mode = Access with PVID = (e.g.) 4089
-> AdminState = Up


Management Communication

Management Configuration/Status with FOXCST

Management Configuration Step by Step (Continued)

Management Computer (Windows):
9. Add a static route to reach the remote Network Elements (loopback interfaces) with the VLAN Interface of the local Network Element as Gateway:
- Run “Command Prompt” (cmd.exe) as administrator
- Type “route add” command:

route add <target subnet> mask <target mask> <gateway>

<target subnet> / <target mask>: subnet / mask that include the loopback IP addresses of the remote NEs
<gateway>: IP address of the local node's VLAN interface
- Add –p to make the route persist (after reboot).
- “Command Prompt” returns with OK!
- Repeat if other routes are required …
- To check the Route Table type “route print”: the Route Table shows the entry for the created route.
- To delete a route type “route delete <subnet>”.
Management Communication

Management Configuration/Status with FOXCST

Using Loopback IP Address for Connectivity


• A loopback interface is a logical virtual interface created on a router that emulates a real interface.
• In general, this interface should be used for connectivity if redundant paths are available to a NE.
• The only exception is the entry point for the element manager, where the VLAN Interface can be used.
• The advantage of a loopback interface is that it is always up and ping-able independent of a physical connection, and thus reachable as long as the route to that IP address is available in the IP routing table.
• It would not be needed if all physical links were up and running, but if a link fails the NE should still be reachable from the other end.