
cBSS Network Planning Guideline

4 OM Network Planning for the cBSS System

About This Chapter


This describes how to determine OM networking solutions based on bearing modes and network
security solutions.
4.1 Structure of the OM System for Huawei Mobile Networks
The OM system for Huawei mobile networks has the Network Management System (NMS),
Element Management System (EMS), and NEs.
4.2 Structure of the cBSS OM System
The cBSS OM system consists of the BAM, LMT, BSC, and BTS. The cBSS OM system can
be connected to the M2000 or the NMS.
4.3 OM-Related Requirements for the cBSS System
This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BSC, BTS, and LMT.
4.4 OM-Related Requirements for the M2000
This describes the requirements for the hardware configuration, IP addresses, physical ports,
protocol ports, and bandwidths of the M2000 when the cBSS OM system accesses the M2000.
4.5 Network Solutions for the cBSS OM System
Huawei provides various OM solutions, such as network construction solutions, network
solutions for remote OM, and network security solutions.
4.6 cBSS OM Network Planning
The cBSS OM network planning depends on the understanding of networking requirements, the
selection of planning factors, and the operability of network planning.
4.7 Sample of cBSS OM Network Planning Based on Broadband IP
To construct the OM network based on broadband IP, you must collect a wide range of
networking requirements, well understand the networking features, and provide pertinent
network planning solutions.
4.8 Data Sheets of OM Network Planning
When a cBSS OM network is planned, the data sheets required for information collection are the data sheet of basic networking information, data sheet of network reliability requirements, data sheet of network expandability requirements, data sheet of network security requirements, data sheet of remote OM requirements, and the data sheet of network cost requirements.

Issue 2.0 (2008-03-12)
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd
4-1


4.1 Structure of the OM System for Huawei Mobile Networks
The OM system for Huawei mobile networks has the Network Management System (NMS),
Element Management System (EMS), and NEs.
Figure 4-1 shows the structure of the OM system for Huawei mobile networks.
Figure 4-1 Structure of the OM system for Huawei mobile networks

In the OM system for Huawei mobile networks, the core part is the M2000. In conjunction with
other tools, the M2000 provides EMS functions. Through the flexible northbound interface, the
M2000 is connected to the NMS.
Structurally, the Huawei mobile network is divided into three domains, that is, the cBSS domain,
PS domain, and CS domain. The M2000 can manage all the three domains through a centralized
OM system or manage each domain independently. This document describes the OM system in
the cBSS domain.

4.2 Structure of the cBSS OM System


The cBSS OM system consists of the BAM, LMT, BSC, and BTS. The cBSS OM system can
be connected to the M2000 or the NMS.
When the M2000 manages the cBSS domain independently, the structure of the cBSS OM
system is as shown in Figure 4-2.

Figure 4-2 Structure of the cBSS OM system

NOTE

Figure 4-2 only shows the logical structure of the OM system, without depicting the specific bearing
methods or the distribution of devices.

Besides the M2000, the cBSS OM system incorporates the LMT, which supplements the M2000.
The LMT can be installed on the cBSS side or on the M2000 client side. When the LMT is
installed on the M2000 client side, the M2000 works as the agent of the LMT, that is, the M2000
helps to transfer the data between the LMT and the BSC or the BTS.
As the BTSs are connected to the OM system through the BSC, the OM of the BTS is performed
through the LMT that is connected to the associated BAM server. If required, the OM of the
BTS can be performed locally through Telnet.


4.3 OM-Related Requirements for the cBSS System


This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BSC, BTS, and LMT.
4.3.1 OM-Related Requirements for the BSC
This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BSC.
4.3.2 OM-Related Requirements for the BTS
This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BTS.
4.3.3 OM-Related Requirements for the LMT
This describes the OM-related requirements for the physical ports, protocol ports, and IP
addresses of the LMT.
4.3.4 Requirements for the OM Channels in the cBSS System
In the cBSS system, the OM channels transfer the OM-related data between the LMT or the
M2000 and the BSC or the BTS.

4.3.1 OM-Related Requirements for the BSC


This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BSC.
4.3.1.1 Structure of the OM System of the BSC
The OM system of the BSC has multiple subnets, which consist of boards, LAN switches,
BAMs, LMTs, and emergency workstations.
4.3.1.2 Requirements for the OM-Related IP Addresses of the BSC
This describes the requirements for the OM-related IP addresses of the BSC boards, BAM server,
and emergency workstation.
4.3.1.3 Requirements for the OM-Related Physical Ports on the BSC
This describes the requirements for the physical ports on the LAN switch of the BSC.
4.3.1.4 Requirements for the OM-Related TCP/UDP Ports on the BSC
This describes the requirements for the OM-related TCP/UDP ports on the BSC.
4.3.1.5 Requirements for the Transmission Bandwidth
The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.

Structure of the OM System of the BSC


The OM system of the BSC has multiple subnets, which consist of boards, LAN switches,
BAMs, LMTs, and emergency workstations.

Structure of the OM System


Figure 4-3 shows the structure of the BSC OM system.

Figure 4-3 Structure of the BSC OM system

Components of the OM System


Table 4-1 describes the components of the BSC OM system.
Table 4-1 Components of the BSC OM system

Equipment | Description
BAM server and emergency workstation | The BAM server and the emergency workstation function as the server and the emergency workstation in the BSC OM system. Data synchronization is regularly performed between the BAM server and the emergency workstation. The BAM server is equipped with at least two network adapters: one is for internal connection and the other is for external connection.
LAN switch A and LAN switch B | LAN switch A and LAN switch B are of the S3928P type and are interconnected in port trunk mode. Each port is divided into two Virtual Local Area Networks (VLANs). VLAN 1 connects the M2000 server to the LMT, the M2000 client, or the hub. VLAN 2 connects the PCF interface boards in the CMPS and the CSPS for aggregating data services.
LAN switch C and LAN switch D | LAN switch C and LAN switch D are of the S3528G type and are interconnected in port trunk mode. VLAN 1 is set up over the port. VLAN 1 connects the FG1As in the CMPS and the CSPS for aggregating voice services.
SCUOa | The SCUOa, a main unit in the BSC OM system, provides a platform for the maintenance management and data switching of the associated subrack. In each subrack, two SCUOas work in 1+1 backup mode.
Hub | A hub is required when multiple LMTs are installed.
LMT | The LMT is an OM terminal. You can configure one or more LMTs as required.
M2000 | The M2000, a centralized NMS, consists of the M2000 server and the M2000 client. For details, refer to M2000 OM Requirements.
Alarm box | The alarm box gives out audible and visual alarms.

OM Subnet

Table 4-2 describes the subnets of the BSC OM system.

Table 4-2 Subnets of the BSC OM system

Network Name | Description
VLAN 1 (LAN switch A/B) | VLAN 1 is the external OM network for the BSC. In VLAN 1, the BAM server, M2000, and LMT are connected through LAN switches, hubs, and Ethernet cables. Through VLAN 1, the OM client is connected to the OM system.
VLAN 2 (LAN switch A/B) | VLAN 2 connects the PCF interface boards in the CMPS and the CSPS for aggregating data services.
VLAN 1 (LAN switch C/D) | VLAN 1 connects the FG1As in the CMPS and the CSPS for aggregating voice services.

Requirements for the OM-Related IP Addresses of the BSC


This describes the requirements for the OM-related IP addresses of the BSC boards, BAM server,
and emergency workstation.
Table 4-3 describes the IP addresses required by the BSC OM system.
Table 4-3 IP addresses required by the BSC OM system

Subnet | Equipment | Required IP Address
VLAN 1 (LAN switch A/B) | Emergency workstation | One IP address is required. The IP address is in the same network segment as the external IP address of the BAM server.
VLAN 1 (LAN switch A/B) | LMT | One IP address is required by each LMT. The IP address is in the same network segment as the external IP address of the BAM server.
VLAN 1 (LAN switch A/B) | M2000 | One IP address is required. The IP address is planned internally by the M2000.
VLAN 1 (LAN switch A/B) | BAM server | The IP address is 80.0.0.255.
VLAN 2 (LAN switch A/B) | PCF interface board | It is the internal IP address of the board.
VLAN 1 (LAN switch C/D) | FG1A | It is the internal IP address of the board.

Requirements for the OM-Related Physical Ports on the BSC


This describes the requirements for the physical ports on the LAN switch of the BSC.
Table 4-4 describes the ports on the LAN switch of the BSC.
Table 4-4 Ports on the LAN switch of the BSC

Subnet | Port Number | Description
VLAN 1 (LAN switch A/B) | 1 to 10 | VLAN 1 is connected to the BAM, LMT, emergency workstation, and M2000 server, forming an external network.
VLAN 2 (LAN switch A/B) | 11 to 24 | VLAN 2 connects the PCF interface boards in the CMPS and the CSPS for aggregating data services.
VLAN 1 (LAN switch C/D) | 1 to 24 | VLAN 1 connects the FG1As in the CMPS and the CSPS for aggregating voice services.

Requirements for the OM-Related TCP/UDP Ports on the BSC


This describes the requirements for the OM-related TCP/UDP ports on the BSC.
Table 4-5 and Table 4-6 describe the TCP and UDP ports required by the BAM server.
When the BAM server communicates with the LMT and the M2000 server by using TCP
protocols, the BAM server functions as the TCP server, and the LMT and the M2000 server
function as TCP clients.
As the BAM server synchronizes with the M2000 by using SNTP protocols, the BAM server
also requires a UDP port.
Table 4-5 TCP ports required by the BAM server

Port Number | Description
20 | FTP data service port
21 | FTP control port
23 | Telnet BTS maintenance port
67 | BOOTP server port
68 | BOOTP client port
69 | TFTP port
1500 | Communication port between the BAM server and cBSS boards
6000 | MML maintenance port
6001 | Port for reporting MML alarms
6002 | Port for the maintenance console
6005 | Port for connecting to the alarm box
6006 | Port for BTS commissioning
6007 | Port for BSC commissioning
6011 | Port for the device panel, message tracing, and resource monitoring
6021 | Port for reporting the loading status
6022 | Equipment platform port
6023 | Port for reporting the BTS status
6024 | Port for reporting the BSC status
6088 | Port for performing remote upgrade
6099 | Port for user management and configuration consistency
11501 | Port for reporting the BSC performance measurement results
11502 | Port for reporting the CDR data
11503 | Service port for the commissioning console
11504 | Port for monitoring the resource status
5000 to 5100 | Port for Telnet proxy

Table 4-6 UDP ports required by the BAM server

Port Number | Description
123 | Port for enabling time synchronization between the SNTP and the M2000 server
1234 | Port for enabling time synchronization between the SNTP and the M2000 client
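As an added example (not part of the original guideline), the following Python script turns Table 4-5 and Table 4-6 into a port allowlist for the BAM server's external address and flags any flow that reaches the BAM server on a port outside the tables, which is the check a firewall rule review or a flow-log review of VLAN 1 would apply. The flow records, their format, and the 192.0.2.0/24 addresses are constructed for the example.

```python
"""Audit flows to the cBSS BAM server against the OM port tables.

Added example, not part of the original guideline. Tables 4-5 (TCP) and
4-6 (UDP) become an allowlist; any flow to the BAM external address on a
port outside it is returned for review. Log lines and addresses below are
constructed for the example.
"""
from typing import Iterable, List, NamedTuple

# TCP ports from Table 4-5; the 5000~5100 Telnet proxy range is kept separately.
BAM_TCP_PORTS = {
    20, 21, 23, 67, 68, 69, 1500,
    6000, 6001, 6002, 6005, 6006, 6007, 6011,
    6021, 6022, 6023, 6024, 6088, 6099,
    11501, 11502, 11503, 11504,
}
BAM_TCP_RANGES = [(5000, 5100)]        # Telnet proxy, Table 4-5
BAM_UDP_PORTS = {123, 1234}             # SNTP, Table 4-6


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_om_port(proto: str, port: int) -> bool:
    """True if (proto, port) is a port the BAM server is expected to serve."""
    proto = proto.lower()
    if proto == "tcp":
        return port in BAM_TCP_PORTS or any(lo <= port <= hi for lo, hi in BAM_TCP_RANGES)
    if proto == "udp":
        return port in BAM_UDP_PORTS
    return False


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def audit_flows(lines: Iterable[str], bam_external_ip: str) -> List[Flow]:
    """Return flows addressed to the BAM server on a port outside Tables 4-5/4-6.

    The BAM server is the TCP server (the LMT and the M2000 are clients), so
    only flows whose destination is the BAM external address are examined.
    """
    unexpected = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.dst != bam_external_ip:
            continue
        if not is_om_port(flow.proto, flow.dport):
            unexpected.append(flow)
    return unexpected


# Constructed sample: an LMT (.21) and the M2000 server (.30) talking to the
# assumed BAM external address 192.0.2.10, plus two flows on ports that are
# not in the tables and one flow to a different host that is not examined.
SAMPLE_FLOWS = """
# src dst proto dport
192.0.2.21 192.0.2.10 tcp 6000
192.0.2.21 192.0.2.10 tcp 5042
192.0.2.30 192.0.2.10 udp 123
192.0.2.30 192.0.2.10 tcp 11501
192.0.2.21 192.0.2.10 tcp 3389
192.0.2.99 192.0.2.10 udp 161
192.0.2.21 192.0.2.40 tcp 445
""".strip().splitlines()


if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS, "192.0.2.10"):
        print(f"unexpected: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```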

Requirements for the Transmission Bandwidth


The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.
Table 4-7 describes the transmission bandwidth required by the cBSS system.
Table 4-7 Transmission bandwidth required by the cBSS system (each BTS with three sectors)

Number of BTSs | Bandwidth Required by the BTS (kbit/s) | Bandwidth Required by the BSC (kbit/s) | Bandwidth Required by the cBSS (kbit/s)
100 | 128 | 256 | 384
200 | 256 | 256 | 512
400 | 448 | 320 | 768
600 | 512 | 320 | 832
800 | 640 | 384 | 1024
1000 | 704 | 448 | 1152

The bandwidth between the M2000 server and the IP-based equipment can be ignored, but a 256
kbit/s bandwidth is required between the M2000 server and the M2000 client.

4.3.2 OM-Related Requirements for the BTS


This describes the OM-related requirements for the physical ports, protocol ports, IP addresses,
and bandwidths of the BTS.
4.3.2.1 Structure of the OM System of the BTS
The OM system of the BTS supports local access and remote access.
4.3.2.2 Requirements for the OM-Related IP Addresses of the BTS
This describes the requirements for the OM-related IP addresses of the BTS.
4.3.2.3 Requirements for the OM-Related Physical Ports on the BTS
No OM-related ports are required for the BTS.
4.3.2.4 Requirements for the OM-Related TCP/UDP Ports on the BTS
This describes the requirements for the OM-related TCP/UDP ports on the BTS.
4.3.2.5 Requirements for the Transmission Bandwidth
The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.

Structure of the OM System of the BTS


The OM system of the BTS supports local access and remote access.
Figure 4-4 shows the structure of the OM system of the BTS3606C.
Figure 4-4 OM system of the BTS3606C

By using the BCKM, local OM is performed for a BTS. The BTS, however, is connected to the
centralized OM system through the BSC, which receives and forwards OM-related data.
The OM channel between the BTS and the BSC is established by using the IPoA, IPoE, or FE/GE method.

Requirements for the OM-Related IP Addresses of the BTS


This describes the requirements for the OM-related IP addresses of the BTS.
Table 4-8 describes the requirements for the IP addresses of the BTS3606C.
Table 4-8 IP addresses required by the BTS

OM Mode | Required IP Address | Planning Method
Local OM | The active BCKM requires an IP address. | The IP address is 172.16.16.16 by default.
Centralized OM | IPoA: The active BCKM requires an IP address. IPoE: The active BCKM requires one IP address, and the BCIM requires two IP addresses. FE/GE: The active BCKM requires one IP address, and the BCIM requires two or three IP addresses. | All the IP addresses are planned in a unified manner by the BSC.

NOTE

In IPoE mode, the BCIM requires two IP addresses, one being the logical IP address of the BCIM, and
the other being the IP address of the MLPPP group.

In FE/GE mode, the BCIM requires two or three IP addresses, one being the logical IP address of the
BCIM, and the other being the IP address(es) of the FE port(s).

Requirements for the OM-Related Physical Ports on the BTS


No OM-related ports are required for the BTS.
The BTS is not directly connected to the centralized OM system. Thus, no Ethernet port is
required.

Requirements for the OM-Related TCP/UDP Ports on the BTS


This describes the requirements for the OM-related TCP/UDP ports on the BTS.
The BTS communicates with the LMT and the M2000 server based on TCP/IP protocols. Table
4-9 describes the TCP ports required by the BTS.
Table 4-9 TCP ports required by the BAM server

Port Number | Description
20 | FTP data service port
21 | FTP control port
23 | Telnet BTS maintenance port
1500 | Communication port between the BAM server and cBSS boards
6000 | MML maintenance port
6001 | Port for reporting MML alarms
6005 | Port for connecting to the alarm box
6006 | Port for BTS commissioning
6007 | Port for BSC commissioning
6011 | Port for the device panel, message tracing, and resource monitoring
6021 | Port for reporting the loading status
6022 | Equipment platform port
6023 | Port for reporting the BTS status
6088 | Port for performing remote upgrade
11501 | Port for reporting the BSC performance measurement results
11502 | Port for reporting the CDR data
11503 | Service port for the commissioning console
11504 | Port for monitoring the resource status

Requirements for the Transmission Bandwidth


The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.
Table 4-10 describes the transmission bandwidth required by the cBSS system.


Table 4-10 Transmission bandwidth required by the cBSS system (each BTS with three sectors)

Number of BTSs | Bandwidth Required by the BTS (kbit/s) | Bandwidth Required by the BSC (kbit/s) | Bandwidth Required by the cBSS (kbit/s)
100 | 128 | 256 | 384
200 | 256 | 256 | 512
400 | 448 | 320 | 768
600 | 512 | 320 | 832
800 | 640 | 384 | 1024
1000 | 704 | 448 | 1152

The bandwidth between the M2000 server and the IP-based equipment can be ignored, but a 256
kbit/s bandwidth is required between the M2000 server and the M2000 client.

4.3.3 OM-Related Requirements for the LMT


This describes the OM-related requirements for the physical ports, protocol ports, and IP
addresses of the LMT.
4.3.3.1 OM-Related Ports on the LMT
The LMT can be locally or remotely connected to the BSC or the BTS for facilitating OM.
4.3.3.2 Requirements for the OM-Related IP Addresses of the LMT
Only one OM-related IP address is required for an LMT.
4.3.3.3 Requirements for the OM-Related Physical Ports on the LMT
Only one OM-related physical port is required for an LMT.
4.3.3.4 Requirements for the OM-Related TCP/UDP Ports on the LMT
This describes the requirements for the OM-related TCP/UDP ports on the LMT.

OM-Related Ports on the LMT


The LMT can be locally or remotely connected to the BSC or the BTS for facilitating OM.
Table 4-11 describes the OM-related ports on the cBSS LMT.
Table 4-11 OM-related ports on the cBSS LMT

OM Mode | Port
Local OM | The port connects the Ethernet port of the LMT to the external network of the BAM server.
Remote OM | The port connects the Ethernet port of the LMT to the M2000 server or, by using routers, to the external network of the BAM server.


Table 4-12 describes the OM-related ports on the BTS.

Table 4-12 OM-related ports on the BTS

OM Mode | Port
Local OM | The port is connected to the local OM port of the BTS through Telnet.
Remote OM | The port is connected to the BAM server of the BSC through the LMT.

Requirements for the OM-Related IP Addresses of the LMT


Only one OM-related IP address is required for an LMT.
One LMT requires an IP address so that the LMT can access the local OM port of an NE.

Requirements for the OM-Related Physical Ports on the LMT


Only one OM-related physical port is required for an LMT.
An LMT uses one physical port.

Requirements for the OM-Related TCP/UDP Ports on the LMT


This describes the requirements for the OM-related TCP/UDP ports on the LMT.
The LMT communicates with the BSC and the BTS through the BAM server. For the
requirements for TCP/UDP ports, refer to the contents related to the LMT in Table 4-13 and
Table 4-14.
Table 4-13 TCP ports required by the BAM server

Port Number | Description
20 | FTP data service port
21 | FTP control port
23 | Telnet BTS maintenance port
67 | BOOTP server port
68 | BOOTP client port
69 | TFTP port
1500 | Communication port between the BAM server and cBSS boards
6000 | MML maintenance port
6001 | Port for reporting MML alarms
6005 | Port for connecting to the alarm box
6006 | Port for BTS commissioning
6007 | Port for BSC commissioning
6011 | Port for the device panel, message tracing, and resource monitoring
6021 | Port for reporting the loading status
6022 | Equipment platform port
6023 | Port for reporting the BTS status
11501 | Port for reporting the BSC performance measurement results
11502 | Port for reporting the CDR data
11503 | Service port for the commissioning console
11504 | Port for monitoring the resource status

Table 4-14 UDP ports required by the BAM server

Port Number | Description
123 | Port for enabling time synchronization between the SNTP and the M2000 server

4.3.4 Requirements for the OM Channels in the cBSS System


In the cBSS system, the OM channels transfer the OM-related data between the LMT or the
M2000 and the BSC or the BTS.
4.3.4.1 Structure of the OM Channels in the cBSS System
The OM channels between the BTS and the BSC are established by using the IPoA, IPoE, or
FE/GE methods.
4.3.4.2 Subnet Planning for the OM Channels in the cBSS System
The OM channels in the cBSS system are divided into three subnets.
4.3.4.3 Requirements for the IP Addresses on the OM Channels in the cBSS System
In the cBSS system, nine IP addresses are assigned on the OM channels, and six of them are
planned on site.
4.3.4.4 Routes of the OM Channels in the cBSS System
The transport paths for the OM information can be specified by setting the routes of OM
channels.

Structure of the OM Channels in the cBSS System


The OM channels between the BTS and the BSC are established by using the IPoA, IPoE, or
FE/GE methods.
The OM channels in the cBSS system are divided into three subnets. Figure 4-5, Figure 4-6,
and Figure 4-7 show the OM channels in the cBSS system (BTS3606C illustrated).
Figure 4-5 OM channels in the cBSS system (IPoA)

Figure 4-6 OM channels in the cBSS system (IPoE)

Figure 4-7 OM channels in the cBSS system (FE/GE)

Subnet Planning for the OM Channels in the cBSS System


The OM channels in the cBSS system are divided into three subnets.
Table 4-15 describes the subnets for the OM channels in cBSS OM system.

Table 4-15 Subnets for the OM channels in the cBSS system

Subnet | Description | Setting
Subnet A | Subnet A refers to the OM system of the BSC. For details, refer to Structure of the BSC OM System. | It is planned in a unified manner.
Subnet B | Subnet B refers to the OM system of the BTS. | It is planned on site.
Subnet C | If the IPoE or FE/GE method is used, subnet C enables communication between the BSC and the BTS. When the IPoA method is used, subnet C, which consists of IP 8 and IP 9, is not required. | It is planned on site.

Requirements for the IP Addresses on the OM Channels in the cBSS System


In the cBSS system, nine IP addresses are assigned on the OM channels, and six of them are
planned on site.
Table 4-16 describes the IP addresses assigned on the OM channels (BTS3606C illustrated).
Table 4-16 IP addresses on the OM channels in the cBSS system

No. | Description | Setting
IP address 1 | Through IP address 1, the LMT or the M2000 communicates with the BAM server. Both IP address 1 and IP address 2 belong to the external network. | It is planned on site.
IP address 2 | Through IP address 2, the BAM server communicates with the LMT or the M2000. Both IP address 1 and IP address 2 belong to the external network. | It is planned on site.
IP address 3 | Through IP address 3 (80.0.0.255 by default), the BAM server communicates with the SCUOa. Both IP address 3 and IP address 4 belong to the internal network. | It is planned beforehand.
IP address 4 | Through IP address 4 (80.130.X.224, where X is eight times the number of the associated subrack), the SCUOa communicates with the BAM server. Both IP address 3 and IP address 4 belong to the internal network. | It is planned beforehand.
IP address 5 | Through IP address 5, the SCUOa communicates with the BCKM. Both IP address 5 and IP address 6 belong to the same subnet. The IP address is 129.X.10.Y, where X starts from 8 and Y ranges from 1 to 3. | It is planned on site.
IP address 6 | Through IP address 6, the BCKM communicates with the SCUOa. Both IP address 5 and IP address 6 belong to the same subnet. The IP address is 129.X.10.Y, where X starts from 8 and Y starts from 4 and increases based on the ID of the BTS. | It is planned beforehand.
IP address 7 | Through IP address 7, the boards in the CSPS subrack communicate with the SCUOa. | It is planned beforehand.
IP address 8 | When the OM channels between the BSC and the BTS are configured in IPoE mode, one PEUBa IP address and one PEUBa PPP IP address or one MLPPP IP address are required on the BSC side. When the OM channels between the BSC and the BTS are configured in FE/GE mode, one FG1Ba IP address and one to four FG1Ba FE IP addresses are required on the BSC side. | It is planned on site.
IP address 9 | When the OM channels between the BSC and the BTS are configured in IPoE mode, one BCIM IP address and one BCIM PPP IP address or one MLPPP IP address are required on the BTS side. If the OM channels between the BSC and the BTS are configured in FE/GE mode, one BCIM IP address and one or two BCIM FE IP addresses are required on the BTS side. | It is planned on site.
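As an added example (not part of the original guideline), the following Python script derives the addresses that Table 4-16 gives by formula (IP address 4, 5 and 6) and checks a site plan against the rules stated above: LMTs and the emergency workstation must sit in the same network segment as the BAM server's external address (Table 4-3), and IP address 5 and IP address 6 must share a subnet (Table 4-16). The subrack number, the BTS index, the /24 prefix lengths and the 192.0.2.0/24 external segment are assumptions made for the example.

```python
"""Derive and check cBSS OM channel addresses against the planning rules.

Added example, not part of the original guideline. Formula addresses come
from Table 4-16; the external-segment rule from Table 4-3. The site plan,
the /24 prefixes and the 192.0.2.0/24 segment are constructed assumptions.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

BAM_INTERNAL_IP = IPv4Address("80.0.0.255")   # IP address 3 (default), Table 4-16


def scuoa_internal_ip(subrack: int) -> IPv4Address:
    """IP address 4: 80.130.X.224 with X = 8 * subrack number (Table 4-16)."""
    x = 8 * subrack
    if not 0 <= x <= 255:
        raise ValueError(f"subrack {subrack} puts X={x} outside an octet")
    return IPv4Address(f"80.130.{x}.224")


def scuoa_bckm_ip(x: int, y: int) -> IPv4Address:
    """IP address 5: 129.X.10.Y with X starting from 8 and Y in 1..3 (Table 4-16)."""
    if x < 8 or x > 255 or not 1 <= y <= 3:
        raise ValueError("IP address 5 needs 8 <= X <= 255 and Y in 1..3")
    return IPv4Address(f"129.{x}.10.{y}")


def bckm_om_ip(x: int, bts_index: int) -> IPv4Address:
    """IP address 6: 129.X.10.Y with Y starting from 4 and increasing per BTS.

    The mapping bts_index 0 -> Y = 4 is an assumption for the example; the
    guideline only states that Y starts from 4 and grows with the BTS ID.
    """
    y = 4 + bts_index
    if x < 8 or x > 255 or bts_index < 0 or y > 254:
        raise ValueError("IP address 6 outside the 129.X.10.Y range")
    return IPv4Address(f"129.{x}.10.{y}")


def same_subnet(a: IPv4Address, b: IPv4Address, prefix: int = 24) -> bool:
    """Table 4-16: IP address 5 and IP address 6 belong to the same subnet.

    The prefix length is not given by the guideline; /24 is assumed here.
    """
    net_a = IPv4Network(f"{a}/{prefix}", strict=False)
    net_b = IPv4Network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def hosts_off_segment(bam_external: str, prefix: int, hosts: Dict[str, str]) -> List[str]:
    """Table 4-3: each LMT and the emergency workstation must be in the same
    network segment as the BAM server's external address. Returns the names
    of hosts that violate this."""
    segment = IPv4Network(f"{bam_external}/{prefix}", strict=False)
    return [name for name, ip in hosts.items() if IPv4Address(ip) not in segment]


# Constructed site plan: BAM external address on an assumed /24, two LMTs and
# an emergency workstation, one of which was planned on the wrong segment.
SITE_PLAN = {
    "bam_external": "192.0.2.10",
    "prefix": 24,
    "hosts": {
        "LMT-1": "192.0.2.21",
        "LMT-2": "192.0.2.22",
        "emergency-workstation": "192.0.3.11",
    },
}


def audit_site_plan(plan: dict) -> List[str]:
    """Apply the Table 4-3 segment rule to a plan shaped like SITE_PLAN."""
    return hosts_off_segment(plan["bam_external"], plan["prefix"], plan["hosts"])


if __name__ == "__main__":
    print("IP address 4 for subrack 2:", scuoa_internal_ip(2))
    print("IP address 5:", scuoa_bckm_ip(8, 1), "IP address 6 for the 3rd BTS:", bckm_om_ip(8, 2))
    for name in audit_site_plan(SITE_PLAN):
        print(f"{name} is not in the BAM external network segment")
```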

Routes of the OM Channels in the cBSS System


The transport paths for the OM information can be specified by setting the routes of OM
channels.
Table 4-17 describes the IP routes of the OM channels in the cBSS system.
Table 4-17 IP routes of the OM channels in the cBSS system

Node | Description | Setting
BAM | Route to the BSC boards | It does not need to be configured.
BAM | Route to the BTS boards | It is added by the OMC process automatically.

4.4 OM-Related Requirements for the M2000


This describes the requirements for the hardware configuration, IP addresses, physical ports,
protocol ports, and bandwidths of the M2000 when the cBSS OM system accesses the M2000.
4.4.1 Configuration and Management Capability of the M2000 Server
The M2000 servers have three types of typical configurations, and each server manages a
maximum of 15 to 120 equivalent NEs.
4.4.2 Requirements for the OM-Related IP Addresses of the M2000
This describes the IP address requirements for a single-server system and an HA system of the
M2000 server.
4.4.3 Requirements for the OM-Related Physical Ports on the M2000
This describes the Ethernet ports required on the M2000 server for the access of NEs and LMTs.
4.4.4 Requirements for the OM-Related TCP/UDP Ports on the M2000
This describes the requirements for the OM-related TCP/UDP ports on the M2000 server.
4.4.5 Requirements for the Transmission Bandwidth
The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.

4.4.1 Configuration and Management Capability of the M2000 Server
The M2000 servers have three types of typical configurations, and each server manages a
maximum of 15 to 120 equivalent NEs.

Typical Configurations of the M2000 Server


Based on the number of NEs to be managed, you can choose an appropriate type of the M2000
server. Typically, the M2000 server can be any of the following types:
- SUN Netra 240
- SUN Fire V890
- SUN Fire E4900

If required, the M2000 server can be configured with a single server or dual servers in HA mode.
- An HA system has two nodes, an active server and a standby server. When the active server fails, the standby server takes over the services that are normally routed to the active server, thus ensuring high availability.
- To implement HA, an additional SUN Netra 240 workstation is required, which works as the administration console.

Management Capability
The capability of the M2000 is measured by the number of equivalent NEs that are managed by
the M2000. For the BSC and the BTS in the CDMA network, an equivalent NE consists of 50
sectors. Accordingly, if a BSC manages 100 BTSs, and each BTS has three sectors, then the
cBSS system has 300 sectors, that is, six equivalent NEs.
NOTE

This measurement method is applied only to Huawei cBSS networks because it functions based on the
existing OM data flow model.

Table 4-18 describes the hardware configuration of the M2000 server.

Table 4-18 Hardware configuration of the M2000 server

| Configuration Mode | Network Capability          | Hardware Configuration of the M2000 Server |
|--------------------|-----------------------------|--------------------------------------------|
|                    | 15 or fewer equivalent NEs  | 2-CPU SUN Netra 240                        |
|                    | 25 or fewer equivalent NEs  | 2-CPU SUN Fire V890                        |
|                    | 50 or fewer equivalent NEs  | 4-CPU SUN Fire V890                        |
|                    | 55 or fewer equivalent NEs  | 4-CPU SUN Fire E4900                       |
|                    | 90 or fewer equivalent NEs  | 8-CPU SUN Fire V890                        |
|                    | 120 or fewer equivalent NEs | 8-CPU SUN Fire E4900                       |

NOTE

From the aspect of reliability, the M2000 server can use the configuration of a single server or dual servers
in HA mode. Compared with a single-server system, an HA system with the same server configuration has
the same capability. The HA system stands out only in the fact that it provides much greater disaster
tolerance capability.

4.4.2 Requirements for the OM-Related IP Addresses of the M2000


This describes the IP address requirements for a single-server system and an HA system of the
M2000 server.

IP Addresses Required in Single-Server Systems

Table 4-19 describes the IP addresses required in single-server systems.

Table 4-19 IP addresses required in single-server systems

| System Description | Related Component | Number of IP Addresses | Assigned by the Operator | Description |
|---|---|---|---|---|
| SUN Netra240 single-server with single plane | Ethernet port of the Netra240 server | | Yes | |
| | SC port of the Netra240 | | Yes | One IP address for the SC port facilitates Telnet maintenance. |
| | Total IP addresses | | | |
| SUN Netra240 single-server with dual plane (based on IPMP) | Ethernet port of the Netra240 server | | Yes | One test IP address is assigned to each Ethernet port, and a floating IP address is configured as the group IP address of the IPMP. |
| | SC port of the Netra240 | | Yes | One IP address for the SC port facilitates Telnet maintenance. |
| | Number of IP addresses assigned by the operator | | | |
| SUN Fire V890 single-server with single plane | Ethernet port of the SUN Fire V890 | | Yes | |
| | SC of the SUN Fire V890 | | Yes | One IP address for the SC port facilitates Telnet maintenance. |
| | StorEdge 3320 disk arrays | | Yes | The StorEdge 3320 disk arrays are optional. One IP address for them facilitates Telnet maintenance. |
| | Total IP addresses | | | |
| SUN Fire V890 single-server with dual plane (based on IPMP) | Ethernet port of the SUN Fire V890 | | Yes | One test IP address is assigned to each Ethernet port, and a floating IP address is configured as the group IP address of the IPMP. |
| | SC of the SUN Fire V890 | | Yes | One IP address for the SC port facilitates Telnet maintenance. |
| | StorEdge 3320 disk arrays | | Yes | The StorEdge 3320 disk arrays are optional. One IP address for them facilitates Telnet maintenance. |
| | Number of IP addresses assigned by the operator | | | |
| SUN Fire E4900 single-server with single plane | Ethernet port of the SUN Fire E4900 | | Yes | |
| | SC of the SUN Fire E4900 | | No | By default, the E4900 server is configured with SC 0 and SC 1, which are assigned internal IP addresses. |
| | StorEdge 6140 | | No | The StorEdge 6140 disk arrays are optional. The disk arrays are assigned two internal IP addresses. |
| | Administration console | | Yes | By default, an E4900 server is configured with one Netra240. |
| | Number of IP addresses assigned by the operator | | | |
| SUN Fire E4900 single-server with dual plane (based on IPMP) | Ethernet port of the SUN Fire E4900 | | Yes | One test IP address is assigned to each Ethernet port, and a floating IP address is configured as the group IP address of the IPMP. |
| | SC of the SUN Fire E4900 | | No | By default, the E4900 server is configured with SC 0 and SC 1, which are assigned internal IP addresses. |
| | StorEdge 6140 | | No | The StorEdge 6140 disk arrays are optional. The disk arrays are assigned two internal IP addresses. |
| | Administration console | | Yes | By default, an E4900 server is configured with one Netra240, which works as the administration console. |
| | Number of IP addresses assigned by the operator | | | |

IP Addresses Required in HA Systems


Table 4-20 describes the number of IP addresses required in HA systems.

Table 4-20 IP addresses required in HA systems

| System Description | Related Component | Number of IP Addresses | Assigned by the Operator | Description |
|---|---|---|---|---|
| SUN Netra240 HA | Ethernet port of the Netra240 server | | Yes | One test IP address is assigned to each Ethernet port, and a floating IP address is configured as the group IP address of the IPMP. In addition to the six IP addresses of the two nodes, one floating IP address is configured as an external IP address for both nodes. |
| | SC port of the Netra240 | | No | For each node, the SC port is assigned one internal IP address. |
| | External Ethernet port of the administration console | | Yes | By default, one Netra240 is configured as the administration console to manage the cluster. The Netra240 provides at least two Ethernet ports, one for internal connection and the other for external connection. Only the IP address for external connection is assigned by the operator. |
| | Internal Ethernet port of the administration console | | No | |
| | Number of IP addresses assigned by the operator | | | |
| SUN Fire V890 HA | Ethernet port of the SUN Fire V890 | | Yes | The IP addresses are configured in the same manner as that for the Netra240 HA system. |
| | SC of the SUN Fire V890 | | No | One IP address for the SC port facilitates Telnet maintenance. Each node is assigned one SC IP address. |
| | StorEdge 3320 disk arrays | | No | The StorEdge 3320 disk arrays are optional. One IP address for them facilitates Telnet maintenance. Each node is assigned one IP address for the disk array. |
| | External Ethernet port of the administration console | | Yes | One Netra240 is configured as the administration console to manage the cluster. The Netra240 provides at least two Ethernet ports, one for internal connection and the other for external connection. Only the IP address for external connection is assigned by the operator. |
| | Internal Ethernet port of the administration console | | No | |
| | Number of IP addresses assigned by the operator | | | |
| SUN Fire E4900 HA system with single plane | Ethernet port of the SUN Fire E4900 | | Yes | The IP addresses are configured in the same manner as that for the Netra240 HA system. |
| | SC of the SUN Fire E4900 | | No | By default, the E4900 server is configured with SC 0 and SC 1, which are assigned internal IP addresses. Each node is assigned two internal IP addresses. |
| | StorEdge 6140 | | No | The StorEdge 6140 disk arrays are optional. The disk arrays are assigned two internal IP addresses. |
| | External Ethernet port of the administration console | | Yes | By default, one Netra240 is configured as the administration console to manage the cluster. The Netra240 provides at least two Ethernet ports, one for internal connection and the other for external connection. Only the IP address for external connection is assigned by the operator. |
| | Internal Ethernet port of the administration console | | No | |
| | Number of IP addresses assigned by the operator | | | |

IP Addresses Required for Other Devices


- An M2000 client is assigned one IP address.
- A dial-up server, if installed, is assigned one IP address.
- A PCM2000, if installed, is assigned one IP address.
- For routers and firewalls, the IP addresses are OM network-specific.

4.4.3 Requirements for the OM-Related Physical Ports on the M2000


This describes the Ethernet ports required on the M2000 server for the access of NEs and LMTs.
Table 4-21 describes the Ethernet ports required on the M2000 server.
NOTE

Besides the Ethernet ports listed below, the Ethernet ports for routers, firewalls, and cascaded LAN switches
should be taken into consideration during the actual network planning.

Table 4-21 Ethernet ports required on the M2000

| Equipment | Number of Ports | Description |
|---|---|---|
| Client | 1 x n | The figure n indicates the number of clients, including remote dial-up clients. |
| Dial-up server | | A dial-up server is installed if remote dial-up access is required. |
| PCM2000 | | A PCM2000 is installed if E1/T1 links are used. |
| SUN Netra 240 | | Two Ethernet ports for servers; one Ethernet port for the SC server |
| SUN Fire V890 | | Two Ethernet ports for servers; one Ethernet port for the SC server; one Ethernet port for the StorEdge 3320 disk array |
| SUN Fire E4900 | | Two Ethernet ports for servers; two Ethernet ports for the SC server; two Ethernet ports for StorEdge 6130 disk arrays; one Ethernet port for the administration console |
| SUN Netra 240 HA system | 10 | Four Ethernet ports for hosts; two Ethernet ports for the SC server; two Ethernet ports for StorEdge 3320 disk arrays; two Ethernet ports for the administration console |
| SUN Fire V890 HA system | 10 | Four Ethernet ports for hosts; two Ethernet ports for the RSC server; two Ethernet ports for StorEdge 3320 disk arrays; two Ethernet ports for the administration console |
| SUN Fire E4900 HA system | 14 | Four Ethernet ports for hosts; four Ethernet ports for the SC server; two Ethernet ports for StorEdge 6130 disk arrays; two Ethernet ports for the administration console; two Ethernet ports for fiber switches |

4.4.4 Requirements for the OM-Related TCP/UDP Ports on the M2000
This describes the requirements for the OM-related TCP/UDP ports on the M2000 server.

Ports Between the M2000 Server and the NEs


When firewalls are installed between the M2000 server and the NEs, the TCP/UDP ports must
be configured as follows:
- Some of the ports on the NE side should be accessible to all the ports on the server side, so
  that the M2000 server can penetrate the firewalls and communicate with the NEs through
  any port.
- Some of the ports on the server side should be accessible to all the ports on the NE side, so
  that the NEs can penetrate the firewalls and communicate with the M2000 server through
  any port on the server.
For details about the NE ports that should be accessible, refer to Requirements for BSC OM
TCP/UDP Ports and Requirements for BTS OM TCP/UDP Ports.

Ports Between the M2000 Server and the M2000 Client


When firewalls are installed between the M2000 server and the M2000 client, the TCP/UDP
ports must be configured as follows:
- Some of the ports on the server side should be accessible to all the ports on the client side,
  so that the client can penetrate the firewalls and communicate with the M2000 server
  through any port.
- Some of the ports on the client side should be accessible to all the ports on the server side,
  so that the M2000 server can penetrate the firewalls and communicate with the client
  through any port.

Table 4-22 describes the ports that should be accessible on the M2000 server.

Table 4-22 Ports accessible on the M2000 server

| Port Type | Port Number    | Description                                   |
|-----------|----------------|-----------------------------------------------|
| TCP       | 20, 21         | FTP ports                                     |
|           | 23             | Telnet OM port                                |
|           | 6050           | Xserver port                                  |
|           | 7100           | Port for SUN font services                    |
|           | 7777           | Port for M2000 log services                   |
|           | 8088 and 9088  | Ports for the report server                   |
|           | 9025           | Port for M2000 audit services                 |
|           | 9990           | Kernel monitoring port                        |
|           | 9999           | Port for the CORBA naming services of the TAO |
|           | 10119          | Port for the fault diagnosis                  |
|           | 19999          | Port for the notification services of the TAO |
|           | 31000 to 31699 | Ports for M2000 applications                  |
| UDP       | 123            | Port for NTP time synchronization             |

Table 4-23 describes the ports accessible on the M2000 client.

Table 4-23 Ports accessible to the M2000 server on the M2000 client

| Port Type | Port Number    | Description |
|-----------|----------------|-------------|
| TCP       | 6000           | Port for communication between the server and the client running Winaxe |
|           | 30500 to 30599 | If the Citrix solution is used, all the ports should be accessible. If the Citrix solution is not used, the number of ports that should be accessible depends on the number of authorized clients. |
| UDP       | 123            | Port for NTP time synchronization |

Ports Between the Citrix Client and the M2000 Client

When the Citrix solution is used, the M2000 client works as a Citrix server.
When firewalls are installed between the Citrix client and the M2000 client, some of the ports
on the M2000 client side must be accessible to all the ports on the Citrix client side, so that the
Citrix client can penetrate the firewalls and communicate with the M2000 client through any
port.
Table 4-24 describes the M2000 ports that should be accessible to the Citrix client.

Table 4-24 M2000 ports accessible to the Citrix client

| Port Number | Description       |
|-------------|-------------------|
| 1494        | ICA protocol port |
| 80          | Web port          |
| 443         | SSL protocol port |

Ports Between the M2000 Server and the NMS

When firewalls are installed between the M2000 server and the NMS, some of the ports on the
server side should be accessible to all the ports on the NMS side, so that the NMS can penetrate
the firewalls and communicate with the server through any port.
Table 4-25 describes the ports that should be accessible on the M2000 server.

Table 4-25 Ports accessible to the NMS on the M2000 server

| Port Type | Port Number  | Description |
|-----------|--------------|-------------|
| TCP       | 31100        | Northbound service port on the M2000 server, serving as the CORBA interface between the M2000 server and the upper-level NMS |
|           | 8765         | Port for reporting alarms to the upper-level NMS |
|           | 4100         | Service port for the Sybase database |
|           | 31114        | Listening port of the M2000 |
| UDP       | 162 and 4700 | SNMP service port of the M2000 server |
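As an added example (not part of the guideline), the following Python check compares a planned firewall permit list against the port requirements of Tables 4-22 to 4-25: it reports required ports that the plan still blocks and permitted ports that no table justifies, which is how a planner keeps the firewall at the minimum the M2000 needs. The rule format and the sample permit list are constructed for this example; the port numbers are the ones in the tables.

```python
"""Added example: audit a planned firewall permit list against the M2000 port
requirements in Tables 4-22 to 4-25 of the guideline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRange:
    zone: str      # side that listens: "server" (M2000 server) or "client" (M2000 client)
    proto: str     # "tcp" or "udp"
    lo: int
    hi: int
    purpose: str = ""

    def ports(self):
        return set(range(self.lo, self.hi + 1))


# Required destination ports, copied from the guideline's tables. The peer
# side may use any source port, so only destination ports are modelled.
REQUIRED = [
    # Table 4-22: reachable on the M2000 server from NEs and clients
    PortRange("server", "tcp", 20, 21, "FTP"),
    PortRange("server", "tcp", 23, 23, "Telnet OM"),
    PortRange("server", "tcp", 6050, 6050, "Xserver"),
    PortRange("server", "tcp", 7100, 7100, "SUN font services"),
    PortRange("server", "tcp", 7777, 7777, "M2000 log services"),
    PortRange("server", "tcp", 8088, 8088, "report server"),
    PortRange("server", "tcp", 9088, 9088, "report server"),
    PortRange("server", "tcp", 9025, 9025, "M2000 audit services"),
    PortRange("server", "tcp", 9990, 9990, "kernel monitoring"),
    PortRange("server", "tcp", 9999, 9999, "TAO CORBA naming services"),
    PortRange("server", "tcp", 10119, 10119, "fault diagnosis"),
    PortRange("server", "tcp", 19999, 19999, "TAO notification services"),
    PortRange("server", "tcp", 31000, 31699, "M2000 applications"),
    PortRange("server", "udp", 123, 123, "NTP"),
    # Table 4-25: reachable on the M2000 server from the NMS
    PortRange("server", "tcp", 31100, 31100, "northbound CORBA interface"),
    PortRange("server", "tcp", 8765, 8765, "alarm reporting to the NMS"),
    PortRange("server", "tcp", 4100, 4100, "Sybase database"),
    PortRange("server", "tcp", 31114, 31114, "M2000 listening port"),
    PortRange("server", "udp", 162, 162, "SNMP"),
    PortRange("server", "udp", 4700, 4700, "SNMP"),
    # Table 4-23: reachable on the M2000 client from the server
    PortRange("client", "tcp", 6000, 6000, "Winaxe"),
    PortRange("client", "tcp", 30500, 30599, "client ports (all when Citrix is used)"),
    PortRange("client", "udp", 123, 123, "NTP"),
    # Table 4-24: reachable on the M2000 client (Citrix server) from Citrix clients
    PortRange("client", "tcp", 1494, 1494, "ICA"),
    PortRange("client", "tcp", 80, 80, "Web"),
    PortRange("client", "tcp", 443, 443, "SSL"),
]


def audit(permits, required=REQUIRED):
    """Compare permit rules (PortRange objects, purpose ignored) with the
    requirements. Returns (blocked, unjustified): the required ranges that the
    permits do not fully cover, and the permitted ports that no table
    requires, keyed by (zone, proto)."""
    allowed, needed = {}, {}
    for rule in permits:
        allowed.setdefault((rule.zone, rule.proto), set()).update(rule.ports())
    for req in required:
        needed.setdefault((req.zone, req.proto), set()).update(req.ports())
    blocked = [req for req in required
               if not req.ports() <= allowed.get((req.zone, req.proto), set())]
    unjustified = {key: sorted(ports - needed.get(key, set()))
                   for key, ports in allowed.items()
                   if ports - needed.get(key, set())}
    return blocked, unjustified


# Constructed sample permit list: one range is wider than the table (TCP 22 is
# opened although no table lists it) and several required ports are missing.
SAMPLE_PERMITS = [
    PortRange("server", "tcp", 20, 23),
    PortRange("server", "tcp", 31000, 31699),
    PortRange("server", "udp", 123, 123),
    PortRange("client", "tcp", 30500, 30599),
]

if __name__ == "__main__":
    blocked, unjustified = audit(SAMPLE_PERMITS)
    for req in blocked:
        print(f"blocked: {req.zone} {req.proto} {req.lo}-{req.hi} ({req.purpose})")
    for (zone, proto), ports in unjustified.items():
        print(f"unjustified: {zone} {proto} {ports}")
```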

4.4.5 Requirements for the Transmission Bandwidth

The transmission bandwidth required between the cBSS system and the M2000 server depends
on the number of BTSs to be operated and maintained.
Table 4-26 describes the transmission bandwidth required by the cBSS system.

Table 4-26 Transmission bandwidth required by the cBSS system (each BTS with three sectors)

| Number of BTSs | Bandwidth Required by the BTS (kbit/s) | Bandwidth Required by the BSC (kbit/s) | Bandwidth Required by the cBSS (kbit/s) |
|------|-----|-----|------|
| 100  | 128 | 256 | 384  |
| 200  | 256 | 256 | 512  |
| 400  | 448 | 320 | 768  |
| 600  | 512 | 320 | 832  |
| 800  | 640 | 384 | 1024 |
| 1000 | 704 | 448 | 1152 |

The bandwidth between the M2000 server and the IP-based equipment can be ignored, but a 256
kbit/s bandwidth is required between the M2000 server and the M2000 client.

4.5 Network Solutions for the cBSS OM System


Huawei provides various OM solutions, such as network construction solutions, network
solutions for remote OM, and network security solutions.
4.5.1 Solutions to cBSS OM Network Construction
This describes the OM network solutions in the cBSS system, such as LAN-based network
solutions, WAN-based network solutions (broadband IP), WAN-based network solutions (full
E1/T1), and WAN-based network solutions (fractional E1/T1).
4.5.2 Network Solutions for Remote OM of the cBSS System
Remote OM refers to monitoring, operating, and maintaining the cBSS equipment on remote
nodes. The current solutions are PSTN-based remote OM, IP-based remote OM, and Citrix-based
remote OM.
4.5.3 Security Domains in the cBSS OM Network
The security domain solution places the equipment and nodes that have the same requirements
and service features together and provides unified security policies. For example, the nodes in
a security domain communicate with each other based on trust. Between different security
domains, the security of each sub-domain is ensured through the policies of boundary protection
and access control.
4.5.4 Firewall Security Policies of the cBSS OM Network
This describes how to use firewalls and firewall security policies to ensure information security
in the OM network.
4.5.5 Transmission Security Policies in the cBSS OM Network
This describes how to select the appropriate VLAN policy and the MPLS VPN policy.
4.5.6 Terminal Management and Access Control Policies in the cBSS System
The cBSS OM network transmission security policies involve deploying the MA5200 as the
access controller and the Numen system as the security policy server. Different types of terminals
require different types of access control policies. Terminal access control policies are applicable
to high-end operators who have high requirements for access security.
4.5.7 Antivirus Solutions in the cBSS System
This describes the antivirus solutions regarding the OM network, BAM server, and LMT client
of the cBSS system.

4.5.1 Solutions to cBSS OM Network Construction


This describes the OM network solutions in the cBSS system, such as LAN-based network
solutions, WAN-based network solutions (broadband IP), WAN-based network solutions (full
E1/T1), and WAN-based network solutions (fractional E1/T1).
4.5.1.1 OM Scenarios in the cBSS System
The OM network manages and maintains the cBSS equipment through the LMT or performs
centralized management and maintenance for the cBSS equipment through the M2000.
4.5.1.2 Bearing Modes for the cBSS OM Network
The OM network for the cBSS system can be carried by the LAN, WAN, broadband IP WAN,
WAN (full E1/T1), and WAN (fractional E1/T1).
4.5.1.3 LAN-Based Network Solution
The LAN-based network solution is a common network solution. This solution is used when the
BSC equipment and the M2000 server are located at the same site.
4.5.1.4 WAN-Based Network Solution (Broadband IP)
The WAN-based broadband IP network solution is the most popular network solution. The cBSS
OM can be carried by the DCN or the Intranet.
4.5.1.5 WAN-Based Network Solutions (Full E1/T1)
This solution can be used if the E1/T1 resources are abundant and independent E1/T1 lines can
be used or rented.
4.5.1.6 WAN-Based Network Solutions (Fractional E1/T1)
This solution is used if the E1/T1 resources are abundant and the existing E1/T1 lines have idle
timeslots.

OM Scenarios in the cBSS System


The OM network manages and maintains the cBSS equipment through the LMT or performs
centralized management and maintenance for the cBSS equipment through the M2000.
The cBSS system consists of the BSC and BTS equipment. Figure 4-8 shows a typical OM
scenario for network construction.

4-34

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd

Issue 2.0 (2008-03-12)

cBSS
Network Planning Guideline

4 OM Network Planning for the cBSS System

Figure 4-8 Typical OM scenario in the cBSS system

Communication between the M2000 server and the cBSS NEs


In the OM system for Huawei mobile networks, the core part is the M2000. By using the
M2000, centralized management and OM are implemented for the cBSS system.
For the BSC equipment, OM is implemented by connecting the associated BAM server to
the OM network.
For the BTS equipment, centralized OM is implemented by connecting the equipment to
the BAM server and then to the OM network. Thus, the primary issue for constructing a
cBSS OM network is how to properly connect the cBSS equipment to the OM network,
that is, how to enable the smooth communication between the cBSS equipment and the
M2000.

Communication between the LMT and the cBSS NEs


The LMT also helps to implement cBSS OM. The LMT is located at the same site as the
BSC equipment, or in the same LAN, if required.

Communication between the M2000 server and the M2000 client


In some cases, the M2000 server and the M2000 client are located in different network
segments, and firewalls are installed between them.

Communication between the M2000 server and the upper-level NMS


The upper-level NMS implements OM for the entire network. Therefore, if required, the
NMS communicates with the OMCs of different manufacturers. If the NMS provided by
the operator is located in the BSC OM network, communication between the NMS and the
M2000 server must be maintained.

Bearing Modes for the cBSS OM Network


The OM network for the cBSS system can be carried by the LAN, WAN, broadband IP WAN,
WAN (full E1/T1), and WAN (fractional E1/T1).
In a cBSS OM network, it is crucial to maintain communication between the cBSS equipment
and the M2000 or the LMT.
Therefore, the OM network can be a LAN- or WAN-based network.
If the cBSS equipment is located at the same site as the M2000 server, the OM network is
constructed on a LAN basis.

If the cBSS equipment and the M2000 server are located at different sites, the OM network
is constructed on a WAN basis.

In a WAN-based cBSS OM network, the networking mode and configurations depend on the
bearing mode.
- Broadband IP networks
  Broadband IP networks are constructed by operators. Take the DCN and Intranet for
  example: they carry multiple services and help to provide comprehensive services
  internally. With the help of ports and routers, the DCN or Intranet can also carry OM
  services for the cBSS system.
- Bearer networks based on private lines
  Due to the significance of the OM network, many network operators use leased or private
  lines, bandwidth, and routers to carry OSS-related OM services. Although there are
  different types of private lines, the OM network can be implemented based on fractional
  E1/T1 and full E1/T1.

LAN-Based Network Solution


The LAN-based network solution is a common network solution. This solution is used when the
BSC equipment and the M2000 server are located at the same site.

Network Topology
Figure 4-9 shows the topology of a LAN-based cBSS OM network.

4-36

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd

Issue 2.0 (2008-03-12)

cBSS
Network Planning Guideline

4 OM Network Planning for the cBSS System

Figure 4-9 Topology of a LAN-based cBSS OM network

Application Scenario
If the BSC equipment and the M2000 server are located at the same site, a LAN-based OM
network is required. In this case, the M2000 server and the BAM server located in the same
LAN are connected through LAN switches.

Networking Equipment
In a LAN-based cBSS OM network, a LAN switch is configured for connecting the cBSS
equipment and the M2000 server, as shown in Figure 4-9.
NOTE

Some operators may provide the IP networking equipment themselves, such as LAN switches. Thus,
communication and agreement must be conducted in advance. If the M2000 server, the BSC equipment
and the emergency workstation must be connected to the LAN switch provided by the operator,
requirements on the LAN switch must be specified in advance.

Features and Precautions


- If the BAM server and the M2000 server are deployed in the same LAN, the IP addresses
  assigned to them are in the same network segment. Thus, the M2000 server and clients
  communicate with the BAM server through layer 2 switching, and this feature facilitates
  the design of the network structure.
- Operators, however, may require strict IP regulation and routing management policies. That
  is, the BSC NEs, the M2000 server, and the M2000 clients are assigned IP addresses that
  belong to different network segments and the communication between them must be
  implemented based on Layer 3 (that is, IP layer) switching. In this case, the M2000 server
  and the BAM server must be configured with different VLANs even though they are
  connected through a LAN switch that provides Layer 3 switching.
- For security reasons, the ports of the LAN switch should be isolated from each other as
  much as possible, so that unwanted interference is minimized.
- Idle ports of the LAN switch must be blocked.
- If multiple LAN switches are cascaded, connect them correctly to avoid an Ethernet ring.

WAN-Based Network Solution (Broadband IP)


The WAN-based broadband IP network solution is the most popular network solution. The cBSS
OM can be carried by the DCN or the Intranet.

Network Topology
Figure 4-10 shows the topology of a broadband IP cBSS OM network.
Figure 4-10 Topology of a broadband IP cBSS OM network

Application Scenario
Many operators provide broad IP networks for carrying comprehensive services, such as network
management, network operation, billing, and routine office. Such types of networks are called
DCN or Intranet.
A DCN or an Intranet covers all the equipment rooms concerned and communicates with the
NMS or the OSS. Therefore, an OM network in the cBSS system can be constructed based on
the bearing system of the DCN or the Intranet, and such a network is called broadband IP OM
network.
With the development and maturity of the DCN and the Intranet, broadband IP OM networks
receive the widest applications.

Networking Equipment
If a broadband IP OM network is deployed, the entire bearer network is constructed by the
operator. Thus, related devices, such as switches and routers, are provided by the operator.
Each site needs to be configured with an Ethernet switch through which the cBSS equipment
accesses the OM network. Some operators, however, provide the Ethernet switches by
themselves. In this case, only the number of ports required by the M2000 server, BAM server,
and emergency workstation needs to be specified.
To sum up, it is very important to check and clarify the configuration of the related equipment
before a broadband IP OM network is constructed.

IP Address Planning
Before a broadband IP OM network is constructed, the policies regarding IP address planning
must be specified as soon as possible. Of the related issues, the requirements for network
segments and IP addresses must be paid special attention to.

Network Segment Planning


Different operators may have different requirements for network segment planning. Thus, the
communication and the agreement should be conducted in advance. The IP addresses of the
M2000 server, BAM server, emergency workstation, M2000 client, and the LMT must be
assigned to different network segments. In addition, the IP addresses of different BSC equipment
must be assigned to different network segments.

Requirements for IP address planning


For details about the planning for IP addresses of the M2000, refer to Requirements for M2000
OM IP Addresses.
For details about the planning for IP addresses of the BSC, refer to Requirements for BSC OM
IP Addresses.

Principles for Route Planning


In a broadband IP network, the policies regarding route management and distribution are
determined by the operator and invisible to Huawei. Thus, related requirements must be
negotiated upon in advance to ensure network planning. Clear and concise routing policies for
the equipment provided by Huawei must be specified, thus enabling correct and prompt fault
location in the case of network faults.
When disputes arise, the problems must be resolved based on the negotiated policies.

Route Planning for the M2000 Server


When the IP addresses of the M2000 server, M2000 client/LMT, and NEs belong to different
network segments, the following routes are configured for the M2000 server:
- Routes to the NEs. The next hop points to the gateway specified by the operator. The
  gateway and the M2000 server belong to the same network segment. The routes to the NEs
  should be as comprehensive and specific as possible because, for an IP packet, the most
  specific route is assigned with the highest priority.
- Routes to the specified LMTs. The next hop points to the gateway specified by the operator.
  The gateway and the M2000 server belong to the same network segment.
- IP route to the upper-level NMS. The next hop points to the gateway specified by the
  operator. By default, the gateway and the M2000 server belong to the same network
  segment.
- IP routes to other network segments with which the M2000 server communicates. The next
  hop points to the gateway specified by the operator. By default, the gateway and the M2000
  server belong to the same network segment.
- A default route. The next hop points to the gateway specified by the operator. The gateway
  and the M2000 server belong to the same network segment. The priority of the default route
  is lower than those of the routes that are assigned specified network segments. Therefore,
  the default route functions as a standby route. In addition, the default route is chosen for
  communication establishment before a new external network segment communicates with
  the M2000 server.
NOTE

The routing policies for the M2000 server must be saved to an auto-start file so that the policies function
upon the restart of the server.
When you configure the routes for the M2000 server, the related gateway IP addresses must be assigned
to the network segment to which the IP address of the M2000 server belongs. If they do not belong to the
same network segment, the M2000 server fails to communicate with other network segments. The gateways
must be capable of providing routing policies. In broadband IP networks, the gateways are provided by
operators.

Route Planning for the BAM Server and the Emergency Workstation
For the BAM server and the emergency workstation, routing policies for the internal network
are different from those for the external network.
For the internal network, IP routes between the BAM server and the BSC boards, as well as those
between the internal subnets, must be planned. For details, refer to cBSS OM Channel
Route. By default, the next hop points to the IP address of the SCUO that communicates with
the internal network of the BAM server.
For the external network, the following routes must be planned and configured for the BAM
server of the BSC:
- IP route from the BAM server or emergency workstation to the M2000 server. The next
  hop points to the gateway specified by the operator. By default, the gateway and the BAM
  server belong to the same network segment.
- IP routes from the BAM server or emergency workstation to the M2000 clients/LMTs. The
  next hop points to the gateway specified by the operator. By default, the gateway and the
  BAM server belong to the same network segment.
- IP routes from the BAM server or emergency workstation to the to-be-visited network
  segments. The next hop points to the gateway specified by the operator. By default, the
  gateway and the BAM server belong to the same network segment.
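The two routing policies above (for the M2000 server and for the BAM server) rest on the same two rules: the most specific matching route wins, so the default route is only a standby, and every next hop must lie in the server's own network segment or the server cannot reach it. The following script is an added illustration of those rules, not code from the guideline or from Huawei; all addresses, segments and next hops in it are constructed placeholders.

```python
"""Added example: longest-prefix route selection and the same-segment
gateway check for an M2000 or BAM server routing policy. Illustration
only; every address below is a constructed placeholder."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str]  # (destination prefix, next hop, purpose)

# Constructed: the server's own interface, 10.10.1.5 in segment 10.10.1.0/24.
SERVER_IF = ipaddress.ip_interface("10.10.1.5/24")

# Constructed routing policy, in the order the guideline lists the routes.
# Both gateways (10.10.1.1 and 10.10.1.2) sit in the server's segment.
ROUTES: List[Route] = [
    ("10.20.0.0/16",  "10.10.1.1", "NE segments (as specific as possible)"),
    ("10.20.7.0/24",  "10.10.1.2", "BAM segment of one BSC (more specific)"),
    ("10.30.5.0/24",  "10.10.1.1", "specified LMTs"),
    ("172.16.0.0/12", "10.10.1.1", "upper-level NMS"),
    ("0.0.0.0/0",     "10.10.1.1", "default route, used as standby"),
]


def gateway_in_segment(server_if: ipaddress.IPv4Interface, next_hop: str) -> bool:
    """The rule from the NOTE: a gateway must lie in the server's own segment,
    otherwise the server has no link-layer path to it and the route is useless."""
    return ipaddress.ip_address(next_hop) in server_if.network


def invalid_routes(server_if: ipaddress.IPv4Interface,
                   routes: List[Route]) -> List[Tuple[str, str]]:
    """Return (destination, next hop) for every route that breaks the rule."""
    return [(dst, nh) for dst, nh, _ in routes
            if not gateway_in_segment(server_if, nh)]


def select_route(routes: List[Route], destination: str) -> Optional[tuple]:
    """Longest-prefix match: the most specific matching prefix wins, so the
    0.0.0.0/0 default route is chosen only when nothing else matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, purpose in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, purpose)
    return best


if __name__ == "__main__":
    for ip in ("10.20.7.9", "10.20.1.1", "203.0.113.7"):
        net, nh, why = select_route(ROUTES, ip)
        print(f"{ip:>12} -> {net} via {nh} ({why})")
    # A route whose gateway is outside 10.10.1.0/24 is flagged (constructed).
    print("invalid:", invalid_routes(
        SERVER_IF, ROUTES + [("10.40.0.0/16", "192.168.9.1", "mis-set gateway")]))
```

Running the script shows that 10.20.7.9 is sent via 10.10.1.2 (the /24 beats the /16 covering the same host), 10.20.1.1 falls back to the /16, and an address no specific route covers uses the default route. The validation step is the check to run before saving the policy to the auto-start file, since a gateway outside the server's segment silently breaks communication after a restart.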

Transmission Bandwidth
If a broadband IP network solution is used, the transmission bandwidth required for the OM
network must be specified and provided by the operator. Huawei suggests that independent VPN
channels and QoS policies should be provided for the BSC OM network. Thus, the OM network
does not seize the bandwidth resources of the IP bearer network.

Availability of OM Data
- VLAN division
  If both the cBSS OM services and other services are carried by a broadband IP network,
  VLAN division is implemented in the LAN by the operator to avoid mutual interference.
  In actual conditions, VLAN division is implemented through Layer 2 VLAN isolation or
  Layer 3 VLAN isolation. By default, Layer 3 VLAN isolation is performed by assigning
  each VLAN an IP address. This address is the gateway of the associated network segment.
- VPN policies
  If both the cBSS OM services and other services are carried by a broadband IP network,
  VPN tunnel division is implemented in the WAN by the operator to avoid mutual
  interference.
  Many types of VPN policies are available. Huawei suggests that MPLS-based VPN policies
  should be implemented.
- Firewall traversal
  In a broadband IP network provided by the operator, firewalls are installed between sites
  for ensuring the network security. Thus, service data between sites should be capable of
  firewall traversal.
  During network planning, an agreement must be made to specify the ports and services
  that are made accessible. This facilitates smooth network communication.

In the cBSS OM network, open ports must be specified through the firewall configuration to
facilitate the communication between different network segments, such as the NMS and the NE,
the NMS and the upper-level NMS, the NMS server and the NMS client, and the LMT and the
NE. For details, refer to Requirements for M2000 OM TCP/UDP Ports. If the broadband IP
network provided by the operator has no firewall, Huawei suggests that firewalls should be
installed.
During network planning, key issues and details must be discussed and agreed upon between
the operator and Huawei to facilitate future construction.
Table 4-27 describes the key issues to be considered for constructing a broadband IP OM
network.

Table 4-27 Key issues to be considered for constructing a broadband IP network

Number  Issue                                              Conclusion
1       Is the equipment configuration confirmed?
2       Are the IP addresses and subnets well planned?
3       Are the routes well planned?
4       Is the desired bandwidth specified and provided?
5       Are the VLANs properly isolated?
6       Are VPN policies available?
7       Are the firewall configurations specified?

Features and Precautions
- The network configuration is simplified because a dedicated bearer network is not required.
  The bandwidth required, however, must be fully considered.
- The DCN and the Intranet are public networks and may carry various kinds of services.
  Therefore, they are at high risk in security. The M2000 equipment and the cBSS equipment
  require high security, secrecy, and transport performance. To avoid interference from other
  service data, the OM data transmitted on the DCN or on the Intranet must be subject to
  VPN-based isolation policies.
- If each site is internally LAN-based, the LAN must support VLANs, thus avoiding
  unwanted interference. If multiple LAN switches are cascaded, connect them correctly to
  avoid an Ethernet ring.
- Since the DCN and the Intranet are public networks, the cBSS equipment and the OM
  network are at high risk in security. Therefore, great attention must be paid to the
  security requirements and policies.

WAN-Based Network Solutions (Full E1/T1)


This solution can be used if the E1/T1 resources are abundant and independent E1/T1 lines can
be used or rented.

Network Topology
Figure 4-11 shows the topology of a full-E1/T1 cBSS OM network.

Figure 4-11 Topology of a full-E1/T1 cBSS OM network

Application Scenario
E1/T1 cables are frequently used for data transmission. Therefore, E1/T1 cables can be used or
rented to carry OM data if the E1/T1 resources are abundant. If a dedicated E1/T1 cable is used
for carrying OM data between the cBSS equipment and the M2000 server, such kind of network
is called a full-E1/T1 network.

Networking Equipment
In a full-E1/T1 network, each BSC site should be equipped with a LAN switch and a router. The
router has E1/T1 ports.
If the router on the M2000 site is connected to multiple BSCs, a star topology is required and
therefore the router must provide multiple E1/T1 ports.

IP Address Planning
Before a full-E1/T1 OM network is constructed, the policies regarding IP address planning must
be specified as soon as possible. Of the related issues, the requirements for network segments
and IP addresses must be paid special attention to.
Network Segment Planning


Different operators may have different requirements for network segment planning. Thus, the
communication and the agreement should be conducted in advance. Generally, the IP addresses
of the M2000 server, BAM server or emergency workstation, M2000 client or LMT must be
assigned to different network segments. In addition, the IP addresses of different BSC equipment
must be assigned to different network segments.

Principles for Route Planning


In a full-E1/T1 network, the policies regarding route management and distribution are
determined by the operator and invisible to Huawei. Thus, related requirements must be
discussed and agreed upon in advance to ensure smooth network planning. Clear and concise
routing policies for the equipment provided by Huawei must be specified, thus enabling correct
and prompt fault location in the case of network faults.
When disputes arise, the problems must be resolved based on the negotiated policies.

Transmission Bandwidth
If the full-E1/T1 network solution is used, the transmission bandwidth required for the OM
network must be specified and provided by the operator. Huawei suggests that independent VPN
channels and QoS policies should be provided for the BSC OM network. Thus, the OM network
does not seize the bandwidth resources of the IP bearer network.

Features and Precautions


In a full-E1/T1 network, the E1/T1 cable is provided by the network operator, and the bandwidth
resources are abundant. Thus, the network configuration is simple. The bandwidth utilization,
however, may be low because an entire E1/T1 cable is used to carry OM data alone.

WAN-Based Network Solutions (Fractional E1/T1)


This solution is used if the E1/T1 resources are abundant and the existing E1/T1 lines have idle
timeslots.

Network Topology
Figure 4-12 shows the topology of a WAN-based network (fractional E1/T1).

Figure 4-12 Topology of a fractional-E1/T1 network

Application Scenario
E1/T1 cables are widely used for data transmission. Therefore, E1/T1 cables can be used or
rented to carry OM data if the E1/T1 resources are abundant. When an E1/T1 cable is used to
carry the traffic data or signaling data between the M2000 and the BSC, the E1/T1 cable can be
used to carry OM data between the BAM server and the M2000 if the E1/T1 cable has idle
timeslots (for example, four idle timeslots). In this case, the OM network is called a
fractional-E1/T1 network.

Networking Equipment
In a fractional-E1/T1 network, the equipment required includes timeslot cross-connection
equipment (such as the PCM2000), a router, and a LAN switch, as shown in Figure 4-12.
On the remote BSC side, if an E1/T1 link has idle timeslots, the OM data carried by the E1/T1
link is transmitted in the following procedure:
- On the BSC side, the OM data is transmitted through a LAN switch and a router and then
  to the timeslot cross-connection equipment. The OM data occupies port A on the PCM2000.
- An E1/T1 link with idle timeslots is connected to the PCM2000 through port B.
- The PCM2000 inserts the timeslots received on port B and port A into the E1/T1 line on
  port C in sequence.
- Through the E1/T1 link on port C, the OM data is transmitted to the M2000.

On the M2000 side, the OM data is transmitted in the following method:
- The timeslot cross-connection equipment restores the OM data received on port A and
  sends the data to the target device.
- The timeslot cross-connection equipment sends the OM data to the M2000 through a router
  and a LAN switch.

If the M2000 communicates with the cBSS equipment on multiple sites, the PCM2000 on the
M2000 side must provide sufficient E1/T1 ports so that all the OM data can be sent to the M2000
server.
In an actual OM network (fractional E1/T1), the M2000 communicates with each remote BSC
through an independent timeslot channel. Therefore, associated routes must be configured.

IP Address Planning
Before a fractional-E1/T1 OM network is constructed, the policies regarding IP address planning
must be specified as soon as possible. Of the related issues, the requirements for network
segments and IP addresses must be paid special attention to.

Network Segment Planning


Different operators may have different requirements for network segment planning. Thus, the
communication and the agreement should be conducted in advance. Generally, the IP addresses
of the M2000 server, BAM server or emergency workstation, M2000 client or LMT must be
assigned to different network segments. In addition, the IP addresses of different BSC equipment
must be assigned to different network segments.

Principles for Route Planning


In a fractional-E1/T1 network, the policies regarding route management and distribution are
determined by the operator and invisible to Huawei. Thus, related requirements must be
discussed and agreed upon in advance to ensure smooth network planning. Clear and concise
routing policies for the equipment provided by Huawei must be specified, thus enabling correct
and prompt fault location in the case of network faults.
When disputes arise, the problems must be resolved based on the negotiated policies.

Transmission Bandwidth
If the fractional-E1/T1 network solution is used, the transmission bandwidth required for the
OM network must be specified and provided by the operator. Huawei suggests that independent
VPN channels and QoS policies should be provided for the BSC OM network. Thus, the OM
network does not seize the bandwidth resources of the IP bearer network.

Features and Precautions


In a fractional-E1/T1 OM network, the transmission channels are efficiently used and the
transmission investment is greatly reduced. Therefore, fractional-E1/T1 OM networks are the
most widely applied OM networks in WANs.
The fractional-E1/T1 OM network, however, uses multiple networking devices and requires a
complex network structure. Meanwhile, the bandwidth may become insufficient due to network
expansion.

4.5.2 Network Solutions for Remote OM of the cBSS System


Remote OM refers to monitoring, operating, and maintaining the cBSS equipment on remote
nodes. The current solutions are PSTN-based remote OM, IP-based remote OM, and Citrix-based
remote OM.
4.5.2.1 Precautions on Network Solutions for Remote OM
Remote OM has great security risks. Therefore, precautions should be taken for the access mode,
access control, user identification, and tracing function.
4.5.2.2 Solution to PSTN-Based Remote OM
Traditionally, remote OM is performed by using leased lines. PSTN-based remote OM requires
a dial-up server, which is connected to a telephone line. After a remote terminal is connected to
the server through PSTN and sets up a PPP-based channel, the terminal can access the OM
network.
4.5.2.3 Solution to IP-based Remote OM
IP-based remote OM is applicable when a PSTN is not available or the cost of the PSTN is high.
The IP-based remote OM has become one of the mainstreams.
4.5.2.4 Citrix-Based Remote OM
The Citrix-based remote OM solution effectively solves the bandwidth problem that exists in
the IP- or PSTN-based remote OM network.

Precautions on Network Solutions for Remote OM


Remote OM has great security risks. Therefore, precautions should be taken for the access mode,
access control, user identification, and tracing function.
The flexibility of network OM is enhanced through the remote maintenance mode. For example,
through the PSTN or the Internet, maintenance engineers can access the OM network and
perform remote OM operations, such as checking the status of the equipment.
Through remote OM, the technical support engineers of the manufacturer can perform remote
troubleshooting in the event of faults.
To ensure network security, perform the following tasks:
- Determining whether remote access is based on the PSTN or the Internet
- Identifying a remote terminal
- Checking the location and authority of a remote terminal
- Checking the destination to be accessed
- Providing auditing and tracing functions
- Checking the validity of communications
- Checking the secrecy of communications
- Protecting the system against attacks

Solution to PSTN-Based Remote OM


Traditionally, remote OM is performed by using leased lines. PSTN-based remote OM requires
a dial-up server, which is connected to a telephone line. After a remote terminal is connected to
the server through PSTN and sets up a PPP-based channel, the terminal can access the OM
network.

Network Topology
Figure 4-13 shows the topology of a PSTN-based OM network.
Figure 4-13 Topology of a PSTN-based remote OM network

In the network segment where the M2000 server is located, a dial-up server with a modem is
installed and connected to the PSTN through a telephone line. The remote M2000 client is
connected to the PSTN through a modem.
The dial-up server is connected to the M2000 server through TCP/IP connections, which enable
IP address assignment for remote OM clients. When a remote client is connected to the dial-up
server, the server checks the connection and assigns an IP address in the LAN to the client. Thus,
the client can log in to the M2000 system and conduct OM operations remotely.
For security reasons, the dial-up server provides PAP- or CHAP-based authentication policies.
Thus, the terminal user must enter the specified user name and the password before the access
is allowed.
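The PAP and CHAP authentication the dial-up server performs on the PPP channel differ in what crosses the telephone line: PAP sends the user name and password themselves, whereas CHAP (RFC 1994) sends only an MD5 digest of a server-chosen random challenge, the shared secret and a message identifier, so a fresh challenge is needed for every login and a captured response cannot be reused. The following script is an added example of that exchange, written for this page and not taken from the guideline or from any dial-up server product; the user name, shared secret and identifier values are constructed.

```python
"""Added example: PAP versus CHAP on the dial-up server's PPP link.
Illustration only; the user database, secret and identifiers are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user database. CHAP needs the shared secret itself on the
# server (it is hashed together with the challenge), so protect this store.
USER_DB: Dict[str, bytes] = {"om_engineer": b"constructed-shared-secret"}


# --- PAP: credentials travel in clear text over the PPP link ---------------
def pap_request(user: str, password: bytes) -> dict:
    """What the client sends: the password itself is visible on the line."""
    return {"user": user, "password": password}


def pap_verify(req: dict) -> bool:
    """Server side: constant-time comparison against the stored secret."""
    return hmac.compare_digest(USER_DB.get(req["user"], b""), req["password"])


# --- CHAP: only a digest of challenge + secret travels over the link -------
def chap_challenge(identifier: int, length: int = 16) -> Tuple[int, bytes]:
    """Server step 1: send an identifier and a fresh random challenge."""
    return identifier, os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client step 2, per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server step 3: recompute with the stored secret and compare."""
    secret = USER_DB.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(user: str, client_secret: bytes, identifier: int = 0x2A) -> bool:
    """Full CHAP round trip between a remote terminal and the dial-up server."""
    ident, challenge = chap_challenge(identifier)          # server -> client
    response = chap_response(ident, client_secret, challenge)  # client -> server
    return chap_verify(user, ident, challenge, response)   # server decision


if __name__ == "__main__":
    print("CHAP, correct secret:", run_exchange("om_engineer", USER_DB["om_engineer"]))
    print("CHAP, wrong secret:  ", run_exchange("om_engineer", b"guess"))
    # A response captured for one challenge does not verify against another.
    ident, chal1 = chap_challenge(7)
    resp = chap_response(ident, USER_DB["om_engineer"], chal1)
    _, chal2 = chap_challenge(7)
    print("CHAP, replayed response:", chap_verify("om_engineer", ident, chal2, resp))
```

The replay check at the end is the property that matters for a dial-up server reachable from the PSTN: because the server picks a new random challenge each time, a response recorded on the line is useless later, which is the reason CHAP is preferred over PAP when the guideline's user name and password check is configured.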

Networking Equipment
- Dial-up server: PC with a modem, Windows 2000 operating system, and at least one
  network adapter
- Dial-up client: M2000 client with a built-in or external modem

Features
Using a dedicated telephone line helps to ensure data security. The transmission of GUI
information, however, is restricted to some extent because the highest rate over a telephone line
is 56 kbit/s.
In consideration of the low bandwidth and the high cost, this remote OM method is not
recommended.

Solution to IP-based Remote OM


IP-based remote OM is applicable when a PSTN is not available or the cost of the PSTN is high.
The IP-based remote OM has become one of the mainstreams.

Network Topology
Figure 4-14 shows the topology of an IP-based remote OM network.
Figure 4-14 Topology of an IP-based remote OM network

After connecting to the VPN server through the Internet, the remote terminal accesses the OM
network, thus implementing remote OM operations.
The Internet is public and open, so appropriate VPN policies are required. Before accessing the
OM network through Internet, the remote terminal must pass the authentication performed by
the VPN gateway, that is, the VPN server. The VPN server then assigns an IP address in the
LAN to the terminal.
VPN-based remote OM is implemented in client-to-gateway mode. The related VPN tunneling
protocols are as follows:
- Point to Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IP Security Protocol (IPSec)

To ensure system security for the Windows operating system, you can use both the L2TP and
the IPSec protocols.
To facilitate the deployment, you can use the PPTP protocol for the VPN-based remote solution.
To meet the high requirements regarding security, especially for remote transmission, you can
use the L2TP or the IPSec protocol.

Networking Equipment
A VPN gateway needs to be configured. It can be a router, a firewall, or a PC. The actual gateway
equipment is based on the networking environment.
Features
IP-based remote OM features low cost and high security. Thus, it is strongly recommended by
Huawei.

Citrix-Based Remote OM
The Citrix-based remote OM solution effectively solves the bandwidth problem that exists in
the IP- or PSTN-based remote OM network.
Designed for providing remote OM operations, the Citrix solution is implemented by running
the M2000 client application or any other specified application on the Citrix server and running
the Citrix client application on a remote terminal. The Citrix server is located in the network
segment of the M2000. Through the Citrix client application, the remote terminal accesses the
Citrix server and starts the M2000 client application or any other specified application, thus
performing remote OM operations.
The Citrix-based remote OM solution is widely applied.

4.5.3 Security Domains in the cBSS OM Network


The security domain solution places the equipment and nodes that have the same requirements
and service features together and provides unified security policies. For example, the nodes in
a security domain communicate with each other based on trust. Between different security
domains, the security of each sub-domain is ensured through the policies of boundary protection
and access control.
A commonly used security solution divides a system into different security domains. All the
devices in each security domain have the same requirements for security, and therefore you can
apply the same security policies to the devices. Different security domains are isolated and
controlled through the policies of boundary protection and access control.
During security domain planning, data types, data distribution, and data importance in each
domain must be taken into consideration. Through domain division, the concern becomes the
security of the subdivided domains rather than of one large and complex system. In this sense,
domain division enables class-based security for a large and complex system. Figure 4-15 shows
the division of security domains.

Figure 4-15 Security domains in the OM network

Based on domain division, the Huawei cBSS OM network is divided into different security
domains with regard to service features and network resources. Different security domains adopt
associated security policies for communication, thus reducing the risk. Figure 4-16 shows the
typical case of divided security domains.

Figure 4-16 Typical case of divided security domains

After the OM network is divided into domains, the following security policies can be applied as
required:
- Firewall deployment policies
  The policies involve deployment of firewalls on the boundaries of security domains,
  planning of security domains, access control lists, and packet filtering policies. The purpose
  of the policies is to ensure the security of access to a lower-risk domain and the security
  of data exchanged between domains. For details, refer to Overview of Firewalls and
  Firewall Deployment Factors.
- Transmission security policies
  The policies involve transmission encryption, VPN planning, and data isolation. For details,
  refer to Transmission Security Policies of the cBSS OM Network.
- Terminal management and access control policies
  For different types of terminals, appropriate policies are applied. For details, refer to cBSS
  Terminal Management and Access Control Policies.

Core Security Domain


The core domain of the OM network includes the M2000 server and other key OM equipment.
As far as security is concerned, the core domain is a trust domain.

cBSS Security Domain


The cBSS security domain includes the cBSS OM modules, such as the active and the standby
BAM servers. This domain, a trust domain too, also belongs to the core security domain.

Network Security Domain


The network security domain helps to ensure the security of the bearer network. The policies
involve transmission encryption, VPN planning, and data isolation.
Terminal Security Domain


The terminal security domain includes the M2000 clients and LMTs at the central site and remote
sites. Through the terminals, OM operations are performed for the cBSS equipment. Being a
trust domain, however, the terminal security domain is not as vital as the core security domain.

Common Security Domain and DMZ Domain


This domain is optional. It includes the equipment that provides special services for the OM
network and the equipment that communicates with external networks. For example, in the
domain, the anti-virus server of the entire network, IDS, and NTP server need to interwork with
all the nodes in the OM network and may need to interwork with external networks. Therefore,
such a domain is also called a demilitarized zone (DMZ).

NMS Access Domain


The NMS is managed by the operator and may communicate with the OM networks of multiple
suppliers. Therefore, the NMS may be at risk if it is connected to multiple systems:
- The NMS can interconnect with multiple systems. Therefore, certain risks exist.
- The NMS can pass through a bearer network with high risks.
Usually, the NMS domain is planned as a separate security domain. If there are no special
requirements, the NMS domain faces moderate risks.

Multi-Purpose Terminal Access Domain


The multi-purpose terminal access domain includes the external terminals that access the OM
network from other networks, such as offices or businesses. The domain of these external
networks is planned as a separate domain to ensure the security of the OM network. This domain
faces moderate risks.

Temporary Access Domain


The temporary access domain includes the manufacturer's or a third party's terminals that access
the OM network for performing OM operations. The terminals are not strictly controlled by the
operator, and therefore a separate domain is planned. This domain is a high-risk
domain.

Remote OM and Mobile Access Domain


The remote OM and mobile access domain includes the terminals that access the OM network
from remote ends and, usually, through public networks. This domain is planned as a separate
domain, and it is a high-risk domain.

4.5.4 Firewall Security Policies of the cBSS OM Network


This describes how to use firewalls and firewall security policies to ensure information security
in the OM network.
4.5.4.1 Overview of Firewalls
For different service subnets and security domains, firewalls are important means for boundary
isolation and protection.
4.5.4.2 Elements Related to the Deployment of the Firewall


This describes the elements related to the deployment of the firewall, such as the basic
information, dual-server redundancy policy, working mode, and security domain.
4.5.4.3 Access Control and Packet Filtering Policies of Firewalls
Access control and packet filtering policies of firewalls are essential to the security functions
provided by firewalls. Usually, firewalls filter data streams according to the associated IP
addresses and TCP/UDP port numbers.
4.5.4.4 Anti-Attack Policies of Firewalls
The anti-attack policies of firewalls are implemented to fight against DoS attacks,
reconnaissance attacks, and malicious packet attacks.
4.5.4.5 NAT Service of Firewalls
If a firewall supports the Network Address Translation (NAT) service, a NAT address pool
can be configured so that only the specified IP addresses are visible to the external network.
Therefore, the NAT service helps to hide the internal IP addresses.

Overview of Firewalls
For different service subnets and security domains, firewalls are important means for boundary
isolation and protection.

Basic Features
Being an important device for ensuring network security, the firewall has the following features:
- If a firewall is deployed between two networks, all the data packets exchanged between
  them must pass through the firewall.
- Only the data packets that pass the checks of all the configured policies can pass through
  the firewall.
- The firewall has a powerful anti-attack and anti-penetration capability.
- The firewall ensures the security of the internal network by preventing the internal
  network from being attacked by external networks.
Through firewalls, trust networks are isolated from untrust networks, and core data domains are
isolated from risky domains. Before entering a low-risk trust zone, data from a high-risk
untrust zone must pass the check performed by the firewall. The firewall greatly reduces
the risk taken by the protected trust network.
NOTE

Firewalls are commonly used for ensuring network security, but firewalls cannot meet all the
requirements of network security. The firewall acts as a gateway.

Security domain
The planning of security domains is a key to the deployment of firewalls. Different security
domains have different security levels. A flow from a high level domain to a low level domain
is called an outflow, and a flow in a reverse direction is called an inflow.
The firewall monitors and isolates data streams through inflows and outflows between different
security domains. The Access Control List (ACL) policy and packet filtering policy are based
on communications between security domains. Therefore, the planning of security domains is
very important to the deployment of firewalls.
Table 4-28 describes the five default security domains supported by the Huawei Eudemon
firewall.

Table 4-28 Default security domains supported by the Huawei Eudemon firewall

Security domain    Description                                                    Security level
Untrust            An untrust zone has the lowest security level and is at the
                   highest risk. This domain includes the uncontrollable
                   devices in the OM network.
DMZ                A DMZ has a medium security level. The DMZ includes the        50
                   devices that need to access the internal and external
                   networks, for example, the anti-virus upgrade server.
Trust              A trust zone has a high security level. This domain includes   85
                   the core devices, such as the EMS server and NE equipment.
Local              A local domain has the highest security level.                 100
Self-defined       If necessary, you can set up new security domains and          Defined according
security domain    define their security levels. A maximum of 16 security         to the actual
                   domains can be defined.                                        networking
                                                                                  requirements

Working Modes
- Routing mode: is used to plan the IP addresses between the ports of different security
  domains. The IP addresses belong to different network segments, and data transmission is
  implemented through Layer 3 switching. In this mode, the firewall works as if it were a
  router. The routing mode is commonly used in the initial phase of network construction.
- Transparent mode: allows the ports of all security domains to use IP addresses that
  belong to one segment. Data communication between different domains is implemented
  on the basis of MAC addresses. In this mode, the firewall works as if it were a Layer 2
  bridge. The transparent mode is used if the existing infrastructure of a network does not
  need to be modified.
- Hybrid mode: is a special transparent mode. It is used in dual-server deployment where the
  two servers need to exchange synchronization information in routing mode.

Elements Related to the Deployment of the Firewall


This describes the elements related to the deployment of the firewall, such as the basic
information, dual-server redundancy policy, working mode, and security domain.
The key to boundary protection is the functions of firewall policies. Besides security, ensure that
the firewall deployment and boundary protection policies do not affect normally-routed OM
services.
During the deployment of firewalls and the specification of boundary protection policies, pay
attention to the following points:
- Basic information
  The basic information includes the firewall name, time zone attributes, daylight-saving
  attributes, and NTP attributes. The firewall monitors the attack situation and packet
  isolation situation in real time. Therefore, accurate time information is required. If
  accurate time information is not available, the firewall cannot implement the log function
  and the post-processing function.
- Redundancy policy
  If the OM network uses the end-to-end dual-plane policy, the firewall should provide a
  dual-server redundancy policy. If the Huawei Eudemon firewall is used, it must provide a
  redundancy policy based on the Huawei Redundancy Protocol (HRP).
  The redundancy pair must be configured in the same manner. The Huawei Eudemon200
  firewall is recommended.
  If the end-to-end dual-plane policy is not required, one firewall is sufficient.
- Working modes
  For the firewall deployment on a new site, the routing mode is preferred. For the firewall
  deployment at an existing site, the transparent mode is preferred because you do not need
  to modify the network structure, IP addresses, or routing policies.
  For the firewalls in the cBSS OM network, the routing mode is preferred.
- Security domain
  If the firewall is deployed as a security gateway of the OM network, add the internal network
  to the trust zone and the external networks to the untrust zone. Add the equipment that
  needs to communicate with both the internal and the external networks to the DMZ. Apply
  different security policies to different security domains.

Access Control and Packet Filtering Policies of Firewalls


Access control and packet filtering policies of firewalls are essential to the security functions
provided by firewalls. Usually, firewalls filter data streams according to the associated IP
addresses and TCP/UDP port numbers.

Access Control Policies


By using the Access Control List (ACL) policy, the firewall can detect and block data packets.
The ACL policy is of two types:
- Basic ACL policy: allows or inhibits the inflow or the outflow of data packets from specified
  source IP addresses.
- Extended ACL policy: allows or inhibits the inflow or the outflow of IP quintuples of
  specified source addresses, destination addresses, source ports, destination ports, and
  upper-layer applications.

The access control policy depends on the requirements of the cBSS OM network for data
communication. The policy should allow all legal data streams to pass through the firewall and
inhibit all illegal data streams.

Packet Filtering Policies


Upon receiving a data packet, the firewall obtains the header information such as the protocol
number of the application protocol carried by the IP layer, the source and destination addresses
of the data packet, the source and destination ports. The firewall then checks the information
according to the ACL policy. Finally, the firewall forwards or discards the data packet based on
the check result. The packet filtering policy is an implementation solution of the ACL policy.
The ACL policy performs the following functions:
- Specifying the default filtering policies for forwarding or rejecting a received data packet
- Performing data packet filtering between different security domains
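As an added illustration (not code from this guideline or from the Eudemon firewall), the following Python script models the ACL policy described above: basic rules that match on the source address only, extended rules that match on the IP quintuple, rules held per security-domain pair, and a default action for interzone traffic that matches no rule. The domain names come from the guideline; the address ranges, ports and sample packets are assumptions.

```python
"""ACL-based packet filtering between firewall security domains (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """A basic ACL rule matches on the source address only; an extended rule may
    also match destination, protocol and port ranges (the IP quintuple).
    A field left as None matches anything."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None

    @property
    def kind(self) -> str:
        extended = any(f is not None for f in (self.dst, self.proto, self.sport, self.dport))
        return "extended" if extended else "basic"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport not in self.sport:
            return False
        return self.dport is None or pkt.dport in self.dport


class Firewall:
    """Interzone packet filter: rules are kept per (from_domain, to_domain) pair and
    evaluated first-match-wins; unmatched interzone traffic gets the default action;
    traffic that stays inside one domain is not filtered."""

    def __init__(self, default_action: str = "deny"):
        self.default_action = default_action
        self.networks = []    # (ip_network, domain); the longest prefix wins
        self.policies = {}    # (from_domain, to_domain) -> [Rule]

    def add_network(self, cidr: str, domain: str) -> None:
        self.networks.append((ip_network(cidr), domain))

    def domain_of(self, ip: str) -> str:
        addr = ip_address(ip)
        hits = [(net.prefixlen, dom) for net, dom in self.networks if addr in net]
        if not hits:
            raise ValueError(f"{ip} belongs to no security domain")
        return max(hits)[1]

    def add_rule(self, from_domain: str, to_domain: str, rule: Rule) -> None:
        self.policies.setdefault((from_domain, to_domain), []).append(rule)

    def check(self, pkt: Packet):
        """Return (action, reason) for one packet."""
        src_dom, dst_dom = self.domain_of(pkt.src), self.domain_of(pkt.dst)
        if src_dom == dst_dom:
            return "permit", f"intra-domain traffic in {src_dom}"
        for n, rule in enumerate(self.policies.get((src_dom, dst_dom), [])):
            if rule.matches(pkt):
                return rule.action, f"{src_dom}->{dst_dom} {rule.kind} rule {n}"
        return self.default_action, f"{src_dom}->{dst_dom} default policy"


def build_om_firewall() -> Firewall:
    """Constructed policy: M2000 server LAN in trust, anti-virus upgrade server in the
    DMZ, everything else untrust. Addresses and ports are assumptions."""
    fw = Firewall(default_action="deny")
    fw.add_network("0.0.0.0/0", "untrust")
    fw.add_network("10.10.1.0/24", "trust")      # M2000 server LAN
    fw.add_network("172.16.0.0/24", "dmz")       # anti-virus upgrade server 172.16.0.5
    # Extended rule: trust may fetch updates from the DMZ server over TCP/80 only.
    fw.add_rule("trust", "dmz",
                Rule("permit", "10.10.1.0/24", "172.16.0.5/32", "tcp", dport=range(80, 81)))
    # Basic rule: only the remote OM terminal network may enter trust. A basic ACL
    # cannot restrict ports, so an extended deny for Telnet is placed in front of it.
    fw.add_rule("untrust", "trust", Rule("deny", "203.0.113.0/24", proto="tcp", dport=range(23, 24)))
    fw.add_rule("untrust", "trust", Rule("permit", "203.0.113.0/24"))
    return fw


if __name__ == "__main__":
    fw = build_om_firewall()
    for pkt in (Packet("10.10.1.10", "172.16.0.5", "tcp", 50000, 80),
                Packet("10.10.1.10", "172.16.0.5", "tcp", 50001, 23),
                Packet("203.0.113.7", "10.10.1.10", "tcp", 40000, 443),
                Packet("203.0.113.7", "10.10.1.10", "tcp", 40000, 23),
                Packet("198.51.100.9", "10.10.1.10", "tcp", 40000, 443)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, *fw.check(pkt))
```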

Port Setting on Firewalls


For ensuring data security, the firewall filters data streams according to the associated IP
addresses and TCP/UDP port numbers. TCP/UDP port numbers range from 0 to 65535 and are
divided into the following segments:
- 0 to 1023: This segment is used to identify standard services, such as FTP, Telnet, SMTP,
  and TFTP services.
- 1024 to 49151: This segment is assigned by the Internet Assigned Numbers Authority
  (IANA) to the registered application processes.
- 49152 to 65535: This segment is dynamically assigned for private use.

Based on the security requirements, the firewalls can be deployed in the following ways:
- Between the M2000 server and the equipment of each NE. For details about the port setting,
  refer to Requirements for M2000 OM TCP/UDP Ports.
- Between the M2000 server and the M2000 clients. For details about the port setting, refer
  to Requirements for M2000 OM TCP/UDP Ports.
- Between the M2000 server and the NMS. For details about the port setting, refer to
  Requirements for M2000 OM TCP/UDP Ports.

Anti-Attack Policies of Firewalls


The anti-attack policies of firewalls are implemented to fight against DoS attacks,
reconnaissance attacks, and malicious packet attacks.
Common network attacks are categorized into the following types:
- Denial of Service (DoS) attacks: By sending a large quantity of illegal data packets to the
  target system, this kind of attack brings the host under illegal control or leads to network
  congestion.
- Reconnaissance attacks: By scanning the IP addresses and ports of the target system, this
  kind of attack obtains information on the target system, such as the information on the
  used ports and the network structure.
- Malicious packet attacks: By sending defective IP packets to the target system, this kind
  of attack may lead to breakdown of the target system.

Sometimes, more than one type of network attack is launched concurrently.
By planning and configuring the anti-attack functions of the firewalls, the firewalls can
protect the cBSS OM network. Table 4-29, Table 4-30, and Table 4-31 describe the common
attacks and anti-attack policies.

Table 4-29 DoS attacks and anti-attack policies


Attack type: IP spoofing
Description: The attacker generates a packet that has a false source address. Even though the
target system does not respond to the packet, the attacked system breaks down.
Consequence: The attacker accesses the target system. The system breaks down due to large
numbers of accesses.
Anti-attack policy: Enable the anti-IP spoofing attack function.

Attack type: Land attack
Description: The attacker sets the source address and the destination address of a TCP SYN
packet to the IP address of the target system. The target system sends itself a SYN-ACK
message, responds with an ACK message, and establishes a null connection. All such
connections are maintained until they expire.
Consequence: The target system breaks down or slows down sharply.
Anti-attack policy: Enable the anti-Land attack function.

Attack type: Smurf attack
Description: The attacker sends a large quantity of ICMP messages to the broadcast address of
the target network. All systems in the target network reply to the ICMP messages, and
network congestion arises. The attacker can also directly attack a target system by changing
the source address of the ICMP request to the IP address of the target system, so that the
target system breaks down.
Consequence: Network congestion arises or the target system breaks down.
Anti-attack policy: Enable the corresponding anti-Smurf attack function.

Attack type: Fraggle attack
Description: Similar to the Smurf attacker, the Fraggle attacker sends UDP messages. Upon
receipt of the UDP messages, port 7 (ECHO) and port 19 (Chargen) respond.
Consequence: Network congestion arises or the target system breaks down.
Anti-attack policy: Enable the anti-Fraggle attack function.

Attack type: WinNuke attack
Description: The attacker sends out-of-band (OOB) data packets to the NetBIOS port (139) of
the target running Windows. After the NetBIOS fragments pile up, the target system breaks
down.
Consequence: The target system breaks down.
Anti-attack policy: Enable the corresponding anti-WinNuke attack function.

Attack type: SYN Flood attack
Description: The attacker sends the server a false SYN message. Upon receipt of the message,
the server responds with a SYN-ACK message but receives no ACK message, resulting in a
half-open connection. After a large quantity of SYN messages is received, the resources of
the target are exhausted, thus making the target system unavailable.
Consequence: The target system is unavailable.
Anti-attack policy: To enable the corresponding anti-attack function, perform the following
steps: take statistics of incoming data of protection domains or IP protection domains;
enable the anti-SYN Flood attack function; configure the anti-SYN Flood attack function.

Attack type: ICMP Flood attack
Description: The attacker sends the target system a large quantity of ICMP messages in a
short period, thus overloading the target system.
Consequence: The target system is unavailable.
Anti-attack policy: To enable the corresponding anti-attack function, perform the following
steps: take statistics of incoming data of protection domains or IP protection domains;
enable the anti-ICMP Flood attack function; configure the anti-ICMP Flood attack function.

Attack type: UDP Flood attack
Description: The attacker sends the target system a large quantity of UDP messages in a
short period, thus overloading the target system.
Consequence: The target system is unavailable.
Anti-attack policy: To enable the corresponding anti-attack function, perform the following
steps: take statistics of incoming data of protection domains or IP protection domains;
enable the anti-UDP Flood function; configure the anti-UDP Flood attack function.

Attack type: ICMP redirection attack
Description: The attacker sends ICMP redirect messages to a target system that belongs to
the same subnet as the attacker.
Consequence: In the target system, the routing table is changed and normal IP packet
forwarding is interfered with.
Anti-attack policy: Enable the anti-ICMP redirection attack function.

Attack type: ICMP unreachable packet attack
Description: By sending ICMP unreachable packets, the attacker disrupts the connections
normally routed to the target system.
Consequence: Normal communications are disrupted.
Anti-attack policy: Enable the anti-ICMP unreachable packet attack function.

Table 4-30 Reconnaissance attacks and anti-attack policies


Attack type: Address scanning
Description: By running the ping command, the attacker detects the active and connected
target systems. The attacker may also send a TCP/UDP message to a specified target and
check whether there is a response message.
Anti-attack policy: Take statistics of the outgoing IP data of the domain where the
connection is initiated. Configure the corresponding anti-attack function. Determine whether
to add the source IP address to the blacklist.

Attack type: Port scanning
Description: By using scanning software, the attacker sends connection requests to a large
range of TCP/UDP ports and thus checks whether the ports are functioning.
Anti-attack policy: Take statistics of the outgoing IP data of the domain where the
connection is initiated. Configure the corresponding anti-attack function.

Attack type: IP packet source scanning
Description: By using the source routing function provided by the IP routing technology, the
sender can determine the transmission path of a packet. Thus, the route specified by the
sender overrides the choices made by the associated router. The source routing function
ignores the forwarding procedure and the status of forwarding ports. Therefore, the attacker
can scan and probe into the network structure.
Consequence: Probing into the network structure
Anti-attack policy: Enable the control of IP packets that are transmitted through source
routing.

Attack type: IP routing record scanning
Description: Similar to the IP source routing function, the IP routing technology supports the
routing record. By using the IP routing record function, the transmission path, or the related
routers, of a packet is tracked and recorded. The IP routing record function facilitates path
diagnosis, but it may be manipulated by attackers for probing into the network structure.
Anti-attack policy: Enable the control of IP packets by using the time stamp record function.

Attack type: Tracert scanning
Description: Based on the ICMP timeout packets returned when TTL is 0 and the ICMP
destination unreachable packets returned by the target, the Tracert function helps to probe
into the network structure.
Anti-attack policy: Enable the control of Tracert packets.

Table 4-31 Malicious packet attacks and anti-attack policies


Attack type: Malicious TCP packet attack
Description: A TCP packet contains six flags: URG, ACK, PSH, RST, SYN, and FIN. Different
systems respond in different manners. For example, if all six flags are set to 1, a Xmas Tree
attack is launched. If all six flags are set to 0, a target system running Windows responds
with an RST|ACK message; therefore, this kind of attack helps to probe the operating system
of the target.
Consequence: A TCP packet is discarded and logged if any of the following cases arises: all
six flags are set to 1; all six flags are set to 0; both SYN and FIN are set to 1.
Anti-attack policy: Enable the check of the legality of TCP packets.

Attack type: Ping of Death attack
Description: An IP packet contains a maximum of 65535 bytes. For an ICMP ECHO Request
message, if the data contains more than 65508 bytes, the entire message (ICMP data + length
of the IP header + length of the ICMP header) contains more than 65535 bytes because the
IP header is 20 bytes in length and the ICMP header is 8 bytes in length. By using
excessively long messages, the Ping of Death attacks the target system.
Consequence: The target system breaks down or restarts if the router or the host fails to
handle the attacks properly.
Anti-attack policy: Enable the anti-Ping of Death attack function.

Attack type: Tear Drop attack
Description: By obtaining the information from the headers of trust IP fragments, the
Teardrop attacks the target system. In an IP packet, the fields MF, Offset, and Length
indicate the original locations of the segments. Upon receipt of false segments that are
overlapped and offset, the target system based on TCP/IP breaks down.
Consequence: The target system breaks down.
Anti-attack policy: Enable the anti-Tear Drop attack function.

Attack type: Malicious IP fragment packet attack
Description: In an IP packet, the fields DF, MF, Fragment Offset, and Length are related to
segmentation. The target system is attacked if any of the following cases arises: the DF
field is set, and the MF field is set concurrently or the Fragment Offset field is not 0; the
DF field is set to 0, but Fragment Offset plus Length is greater than 65535 bytes.
Consequence: If the segmentation-related fields conflict with each other, and the system
fails to handle them properly, the target system is affected or even breaks down.
Anti-attack policy: Enable the check of IP fragment packets.

Attack type: Super ICMP packet attack
Description: This kind of attack is performed by transmitting excessively long ICMP packets.
Consequence: The attack results in buffer overflow or stack breakdown if a vulnerable host
receives an excessively long ICMP packet.
Anti-attack policy: Enable the check of super IP packets. Configure the control of super IP
packets.
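The header checks of Table 4-31 (TCP flag legality, IP fragment field consistency, Ping of Death, super ICMP packet) and the Land attack check of Table 4-29 can be expressed as one inspection routine run over raw IPv4 packets. The following Python is an added example, not code from this guideline or from the Eudemon firewall; its sample packets are constructed in memory, and the "super ICMP" length threshold is an assumed value because the guideline gives none.

```python
"""Packet sanity checks for the malicious-packet and Land attacks (added example)."""
import struct
from ipaddress import IPv4Address

# TCP flag bits (low six bits of byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG
IP_ICMP, IP_TCP = 1, 6
MAX_ICMP_LEN = 1024   # assumed "super ICMP" threshold; the guideline gives no value


def build_ipv4(src, dst, proto, payload, df=False, mf=False, frag_off=0):
    """Build a 20-byte IPv4 header (no options) in front of payload.
    frag_off is in bytes and must be a multiple of 8; checksum is left zero."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header; checksum left zero (not checked here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def inspect(raw, max_icmp_len=MAX_ICMP_LEN):
    """Return the names of the attack patterns found in one IPv4 packet.
    An empty list means the packet passed every check."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[2:4])
    flags_frag, = struct.unpack("!H", raw[6:8])
    df, mf = bool(flags_frag & 0x4000), bool(flags_frag & 0x2000)
    frag_off = (flags_frag & 0x1FFF) * 8
    proto = raw[9]
    src, dst = raw[12:16], raw[16:20]
    found = []

    # Table 4-31, malicious IP fragment: DF together with MF or a non-zero offset.
    if df and (mf or frag_off):
        found.append("ip-fragment-conflict")
    # Table 4-31: DF clear but offset + length would exceed the 65535-byte maximum
    # datagram size; for an ICMP message this is the Ping of Death.
    if not df and frag_off + total_len > 65535:
        found.append("ping-of-death" if proto == IP_ICMP else "ip-fragment-overflow")
    # Super ICMP packet: an excessively long ICMP message.
    if proto == IP_ICMP and total_len - ihl > max_icmp_len:
        found.append("super-icmp-packet")
    # TCP checks need the header, i.e. the first fragment with at least 14 bytes.
    if proto == IP_TCP and frag_off == 0 and len(raw) >= ihl + 14:
        flags = raw[ihl + 13] & ALL_SIX
        if flags == ALL_SIX:
            found.append("tcp-xmas-tree")      # all six flags set
        elif flags == 0:
            found.append("tcp-null-flags")     # all six flags clear
        elif flags & SYN and flags & FIN:
            found.append("tcp-syn-fin")        # SYN and FIN together
        # Table 4-29, Land attack: a SYN whose source equals its destination.
        if flags & SYN and src == dst:
            found.append("land-attack")
    return found


def filter_packets(packets, max_icmp_len=MAX_ICMP_LEN):
    """Apply inspect() to each packet. Returns (forwarded, log); log holds
    (index, verdicts) for every packet that was discarded."""
    forwarded, log = [], []
    for i, raw in enumerate(packets):
        verdicts = inspect(raw, max_icmp_len)
        if verdicts:
            log.append((i, verdicts))
        else:
            forwarded.append(raw)
    return forwarded, log


# Constructed sample traffic: one legitimate SYN, then one packet per attack pattern.
SAMPLES = [
    build_ipv4("10.10.1.20", "10.10.1.10", IP_TCP, build_tcp(40000, 22, SYN), df=True),
    build_ipv4("10.10.1.10", "10.10.1.10", IP_TCP, build_tcp(139, 139, SYN)),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_TCP, build_tcp(1, 80, ALL_SIX)),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_TCP, build_tcp(1, 80, 0)),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_TCP, build_tcp(1, 80, SYN | FIN)),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_TCP, build_tcp(1, 80, ACK), df=True, mf=True),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_ICMP, b"\x08\x00" + b"\x00" * 30, frag_off=65512),
    build_ipv4("198.51.100.9", "10.10.1.10", IP_ICMP, b"\x08\x00" + b"\x00" * 2000),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLES)
    print(f"forwarded {len(ok)}, discarded {len(dropped)}")
    for index, verdicts in dropped:
        print(f"packet {index}: {', '.join(verdicts)}")
```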

NAT Service of Firewalls


If a firewall supports the Network Address Translation (NAT) service, a NAT address pool
can be configured so that only the specified IP addresses are visible to the external network.
Therefore, the NAT service helps to hide the internal IP addresses.

Application of the NAT Service


If the cBSS OM network needs to communicate with the Internet, the firewall should provide
the NAT service and thus hides the internal IP addresses.
When the internal network accesses a public network, the NAT service translates the internal IP
address into a public address. Similarly, before the public network accesses the internal network,
the public network visits a specified public address and then the NAT service translates the
public address into an internal IP address.
If it is unnecessary for the internal network to access a public network, the NAT service is not
required. Generally, the NAT service is required in the following cases:
- A remote OM terminal accesses the cBSS equipment through an untrust network.
- The OM network needs to communicate with another subnet of the existing network.

Planning of the NAT Service


The planning of the NAT service is simple. After you determine the nodes that need to access
external networks, plan internal IP addresses for these nodes, and then plan external IP addresses
on the firewall side. When a public network needs to access the internal network, the firewall
translates the external IP address into the internal IP address and then transmits it to the
equipment in the internal network. Similarly, when the internal network needs to access a public
network, the firewall translates the internal IP address into an external IP address to hide the
internal IP address.

4.5.5 Transmission Security Policies in the cBSS OM Network


This describes how to select the appropriate VLAN policy and the MPLS VPN policy.
4.5.5.1 Overview of Transmission Security
Transmission security is implemented to ensure the integrity, secrecy, and validity of OM data
in transmission.
4.5.5.2 VLAN Policy in the OM Network
To avoid interference between different data packets and to suppress a broadcast storm in the
LAN, you can plan different VLANs for the equipment in different subnets or domains.
4.5.5.3 MPLS VPN Policy Based on Broadband IP
The MPLS VPN policy provides a special VPN channel to each service to guarantee data
security.

Overview of Transmission Security


Transmission security is implemented to ensure the integrity, secrecy, and validity of OM data
in transmission.
During the construction of a cBSS OM network, the transmission security concerns the following
aspects:
- Data stream isolation
  Isolating the OM data streams from other service data streams can avoid data interference,
  suppress a broadcast storm, and avoid the spreading of worm viruses. The isolation policies
  include the LAN-based VLAN policy and the MPLS-based VPN policy. Here, MPLS
  stands for Multi-Protocol Label Switching.
- Data encryption and integrity guarantee
  The data encryption and integrity guarantee policies are required if there are high
  requirements for data transmission in the OM network. The policies are implemented by
  deploying IPSec VPN policies in the OM network.

VLAN Policy in the OM Network


To avoid interference between different data packets and to suppress a broadcast storm in the
LAN, you can plan different VLANs for the equipment in different subnets or domains.
The OM data of multiple devices in the OM network may be carried on one network platform
although the devices are unrelated to each other. Together with Layer 3 switching, the VLAN
policies can suppress the spreading of broadcast packets to the fullest extent, thus helping to
fight against DoS attacks and worm virus attacks.
You can plan the VLANs in the following methods:
- Planning VLAN a for the cBSS domain, that is, for the cBSS equipment
- Planning VLAN b for the PS domain, that is, for the equipment in the PS domain
- Planning VLAN c for the CS domain, that is, for the equipment in the CS domain
- Planning an independent VLAN for the M2000 server, which communicates with all other
  VLANs
- Planning an independent VLAN for the EMS clients, including the M2000 clients and
  LMTs

If communication is not required between two VLANs, you can isolate the VLANs.
Assign IP addresses in different network segments to different VLANs. These VLANs then
must use Layer 3 IP switching to communicate, which helps to control the broadcast scope
and implement the security policy.
The previous VLAN planning is commonly used. The specific planning, however, needs to be
confirmed by the customer. In principle, different types of data streams should be isolated by
VLANs to minimize the interference if the data streams do not communicate with each other.

MPLS VPN Policy Based on Broadband IP


The MPLS VPN policy provides a special VPN channel to each service to guarantee data
security.
The MPLS VPN technology labels the IP data from different data sources. The equipment on
the IP backbone network forwards the service data of a certain type through the ports and the
routes specified on the label. The other data cannot occupy the channel. Thus, the policy provides
a special VPN channel for each service.
- MPLS-based VPN policy
  If the bearer network of the OM network carries multiple data services, the VPN policies
  must be applied to avoid data interference.
  If the bearer network is a broadband IP network, the MPLS VPN data isolation policy is
  used. The MPLS VPN policy, however, cannot guarantee the secrecy of the OM data. To
  achieve data secrecy, you can use the Huawei Eudemon200 firewall, which can enable
  IPSec-based transmission encryption.
- IPSec-based transmission encryption
  The OM data needs to be encrypted when it travels from an untrust zone to a trust zone.
  For example, in the case of remote OM operations, you need to deploy an IPSec gateway
  between the OM network and the external network for transmission encryption.
  In addition, if the OM network is carried on an untrust network, transmission encryption
  is required to prevent the OM data from being intercepted. In this case, encryption is
  required between sites, and IPSec gateways must be deployed between nodes.

4.5.6 Terminal Management and Access Control Policies in the cBSS System

The cBSS OM network transmission security policies involve deploying the MA5200 as the
access controller and the Numen system as the security policy server. Different types of terminals
require different types of access control policies. Terminal access control policies are applicable
to high-end operators who have high requirements for access security.
4.5.6.1 OM Terminals
This describes the OM terminals, including super terminals, special terminals, multi-purpose
terminals, remote OM terminals, and mobile terminals.
4.5.6.2 Deploying MA5200 as an Access Controller
The MA5200 works as a broadband access controller and binds the MAC address, IP address,
and VLAN. After the MA5200 is used in the network, users can access the network only through
the specified ports.
4.5.6.3 Deploying Numen as a Security Policy Server
The Numen server in the OM network helps to deploy and check the security policies of terminals.
By using the Numen server, the network is accessible only to the security policy-compliant
terminals.

OM Terminals
This describes the OM terminals, including super terminals, special terminals, multi-purpose
terminals, remote OM terminals, and mobile terminals.

Super Terminals
Mobile network equipment and NM servers serve as the core part of a network. The terminals
that are deployed at the same site as the core part are called super terminals.
For example, the M2000 clients that are deployed at the same site as the M2000 server are super
terminals. Similarly, the LMT installed on the BAM server is a super terminal.
It is convenient for a super terminal to access the core part because they are deployed at the same
site. What is more, the security level of a super terminal is the highest. A super terminal can
access the core part through an Ethernet port or a serial port.

Special Terminals
An OM terminal is called a special terminal if it is in a specified OM equipment room or a routine
OM zone and specially used for operating and maintaining the equipment, especially the core
equipment, of the existing network.

Multi-Purpose Terminals
Multi-purpose terminals are PCs or other terminals on which the associated OM software or the
Citrix software for operating and maintaining the network equipment is installed. Multi-purpose
terminals are generally deployed in office environments or other environments that are not fully
controlled.
With the enhancement of network interoperability, this kind of OM is becoming a mainstream.
The multi-purpose terminal may not be provided by Huawei. The terminal, however, must be
compatible with Huawei OM software and must support remote OM operations. This access
mode is subject to high requirements for the sake of access security.

Remote OM Terminals and Mobile Terminals


Remote OM terminals and mobile terminals are terminals that facilitate OM of the network
equipment through a public network, where sufficient security policies are provided.
A mobile terminal may be a laptop or any other terminal computer that can be installed with the
OM software provided by Huawei or can access the OM network remotely. The maintenance
mode can be called mobile maintenance mode.

Deploying MA5200 as an Access Controller


The MA5200 works as a broadband access controller and binds the MAC address, IP address,
and VLAN. After the MA5200 is used in the network, users can access the network only through
the specified ports.
In conjunction with the Radius Server, the MA5200 can also reject an access request if the request
is not authenticated by the Radius Server.
In an OM network, access control can be implemented by a pair of MA5200 controllers deployed
at the gateway.

Deploying Numen as a Security Policy Server


The Numen server in the OM network helps to deploy and check the security policies of terminals.
By using the Numen server, the network is accessible only to the security policy-compliant
terminals.
For details about the terminal access control policies, refer to Transmission Security Policies
of the cBSS OM Network.

Access Control Policies for Super Terminals


The super terminal is in the same core domain, the same LAN, and even the same VLAN as the
host and the NM servers. Thus, the access of the super terminal to the core equipment does not
need additional security control. Instead, the super terminal can access the core equipment by
using an account and a password.

Access Control Policies for Special Terminals


Although the special terminals belong to the trust zone, Huawei suggests that the terminals
should be deployed in a VLAN different from that of the core equipment (such as the BAM
server or the M2000 server), and, if possible, on different LAN switches.
Huawei suggests that special terminals access the core equipment on the basis of IP switching.
The customer may require the special terminals to communicate with a security policy server.
Before accessing the core equipment, a special terminal must pass the check conducted by the
security policy server. If required, the IP address, MAC address, and VLAN of a special terminal
are checked by the MA5200. The MA5200 checks whether a terminal accesses the OM network
through a legal IP address and a legal MAC address. If the IP address or the MAC address is
illegal, the access is rejected.

Access Control Policies for Multi-Purpose Terminals


Multi-purpose terminals can be deployed in office environments or other environments that are
not fully controlled. Before accessing the OM network, these terminals must meet the following
requirements:
- Passing the check by the ACL policy and packet filtering policy of the firewall
- Passing the legality check of the IP address and the MAC address of the terminal
- Passing the check by the security policy server

Access Control Policies for Remote OM Terminals and Mobile Terminals


For remote OM terminals and mobile terminals, IPSec-based or other VPN policies must be
conducted in addition to the access control policies for multi-purpose terminals. Currently,
network maintenance based on multi-purpose or remote terminals is generally implemented by
using the Citrix software.

4.5.7 Antivirus Solutions in the cBSS System


This describes the antivirus solutions regarding the OM network, BAM server, and LMT client
of the cBSS system.
NOTE

BAM servers and emergency workstations are the core nodes of a cBSS OM network. Therefore,
precautions must be taken in the deployment of anti-virus tools and firewalls.

Due to the fact that anti-virus tools are risky to some extent, specific anti-virus solutions and policies
must be discussed and agreed upon between the operator and Huawei. To facilitate the deployment of
antivirus tools, accessible services and ports on the firewalls, if any, must be specified in advance.

4.5.7.1 Antivirus Solutions in the OM Network


The Officescan is used as a comprehensive antivirus tool in the OM network.
4.5.7.2 Antivirus Solutions on the BAM Server
This describes the antivirus solutions provided to the BAM server in the cBSC system. The
solutions and associated strategies help to enhance the performance of the BAM server and the
whole system.
4.5.7.3 Antivirus Solutions for the LMT
This describes the antivirus solutions conducted for the LMT clients.

Antivirus Solutions in the OM Network


The Officescan is used as a comprehensive antivirus tool in the OM network.

Requirements of the OM Network for Centralized Antivirus Management


One of the main security threats facing the OM network is virus attack and spreading. Therefore,
installing centralized antivirus software in the OM network helps to protect the OM network
against virus attacks.
In telecom networks, the antivirus software should have the following features:
- Easy to maintain and providing comprehensive antivirus protection
- Compatible with the running software or programs
- Having little impact on the network performance, without affecting the system performance
  even in busy hours

Officescan
The Officescan is used as a comprehensive antivirus tool in the OM network. The Officescan
provides comprehensive and centralized management of viruses and spy software for enterprise
users. Currently, the Officescan is widely used by telecom enterprises. Having passed the strict
compatibility tests conducted by Huawei, the Officescan is compatible with the running
equipment and software.
The Officescan consists of the Officescan server and the Officescan client. The Officescan
server, on which comprehensive antivirus policies are deployed, monitors and manages the
viruses on the entire network. Additionally, the Officescan server helps to scan the virus codes
on the entire network and to upgrade the antivirus engine. Through the web-based clients, users
can log in to the Officescan server and thus perform centralized management of the viruses on
the entire network.

Deployment of the Officescan


The Officescan client is installed on servers or terminal clients that run Windows. In this way,
the Officescan protects the servers or terminal clients against virus attacks.
When required, the latest virus codes and associated upgrade packages can be obtained from the
authorized website to update or upgrade the virus codes and antivirus engine. Owing to the
importance and security requirements of the OM network, Huawei suggests that an independent
antivirus server should be deployed in the DMZ zone of the OM network.
The antivirus server deployed in the DMZ zone obtains the latest virus codes and upgrade
packages from the Internet. Therefore, the Officescan server connected to the antivirus server
can be upgraded accordingly without connecting directly to the Internet. Then, the Officescan
server automatically upgrades the virus codes and upgrade packages on the entire network.

Antivirus Solutions on the BAM Server


This describes the antivirus solutions provided to the BAM server in the cBSC system. The
solutions and associated strategies help to enhance the performance of the BAM server and the
whole system.

Patch Packet Upgrade for the Operating System


The Windows patches help to protect the system against potential security risks. The patches,
however, are great in number and frequently released. In many cases, the patches take effect
only after the operating system restarts.
In this sense, frequent patch updates interrupt the smooth operation of the BAM server because
the BAM server requires a stable operating environment.
Based on the actual OM environments of the BAM server, Huawei and Microsoft make joint
efforts to provide patch packets for the operating system of the BAM server so that only the
necessary patches are installed. The patch packets incorporate all the patches required by the
BAM server, which are strictly tested and validated. Therefore, all the patches in the packet can
be installed and activated at one time. In this sense, the packet solution helps to lower the security
risk of the BAM server and facilitates patch installation.
NOTE

When required, Huawei provides patch packets for the operating system of the BAM server deployed in
the cBSC system and refreshes the patch packets on http://support.huawei.com/support/ as required.

Customized Operating System


The Windows system provides easy-to-use and powerful security management. The easy-to-use
feature, however, may compromise system security. By default, the Windows system favors
ease of use to the largest extent, which means that user authority and security are not
strictly managed.
If the BAM server running Windows is located in an isolated network and provided with strict
security management, strengthening the security management in the external network also helps
to guarantee a secure environment for the BAM server. If these measures are not available, the
BAM server should be provided with strict and customized security policies so that a secure
operating environment is guaranteed.
The SIS-SetWin2000 is a tool developed by Huawei for providing customized and stringent
security policies for the operating system of the BAM server.
Through the SIS-SetWin2000 tool, the customized security policies for the BAM are loaded into
the live equipment. Currently, 70% or more of the security policies can be customized as
required.

Integrated Antivirus Software


1. Deployment of antivirus software
   Huawei provides comprehensive antivirus solutions for the entire OM network, such as
   providing integrated antivirus software for the BAM server and integrated antivirus
   policies.
   The Officescan recommended by Huawei has passed stringent compatibility tests
   conducted by Huawei, which ensures that the Officescan is completely compatible with
   the live equipment and software.
2. Scan policies of the antivirus software
   The virus scanner consumes CPU and memory. Therefore, the lowest-level antivirus
   protection instead of scheduled scanning is recommended because the CPU resources in the
   BAM server should be properly allocated. Additionally, on-demand scanning can be
   performed only in non-busy hours. If the CPU usage reaches 100% within a specific period,
   the scanning must be stopped.
3. Upgrade of antivirus software
   If the network operator deploys secure firewall policies, the antivirus server can obtain the
   latest virus codes directly from the website of Trend Micro. After obtaining the latest virus
   codes, the antivirus server automatically upgrades the virus codes on the associated
   Officescan clients.
   To ensure high-level security in the OM network, Huawei recommends that an independent
   antivirus server be deployed in the DMZ zone. Therefore, the antivirus server obtains the
   latest virus codes and upgrade packages from the Internet. Accordingly, the Officescan
   server connected to the antivirus server can be upgraded without connecting directly to the
   Internet. Then, the Officescan server automatically upgrades the virus codes and upgrade
   packages on the entire network.

CAUTION
- The Enterprise Client Firewall function must be disabled.
- Real-time scan instead of scheduled scan should be selected on the Officescan clients.
- Before you run the BAM server, disable the OfficeScanNT Personal Firewall service and
  restart the BAM server.


Antivirus Solutions for the LMT


This describes the antivirus solutions conducted for the LMT clients.
If an LMT client is at risk, the BAM server is also at risk because all the LMT clients are
connected directly to the BAM server. Experiences and statistics show that, in many cases, the
BAM server is attacked after an LMT client is attacked.

4.6 cBSS OM Network Planning


The cBSS OM network planning depends on the understanding of networking requirements, the
selection of planning factors, and the operability of network planning.
4.6.1 Factors Involved in OM Network Planning
The factors to be considered in the planning of the cBSS OM network include the requirements
for bearing modes, IP addresses, network bandwidth, network expandability, network security,
purchasability, and cost control.
4.6.2 Planning an OM Network
The key factors in the planning of the OM network are to well understand, collect, analyze, and
meet the requirements of the customer for the network.

4.6.1 Factors Involved in OM Network Planning


The factors to be considered in the planning of the cBSS OM network include the requirements
for bearing modes, IP addresses, network bandwidth, network expandability, network security,
purchasability, and cost control.
4.6.1.1 Planning Network Bearing Modes
The first factor to be considered in the planning of the cBSS OM network is the network bearing
mode.
4.6.1.2 Requirements for IP Addresses
In the cBSS OM network, the transmission of OM data is based on the TCP/IP protocol.
Therefore, the planning of IP addresses is an important part of network planning.
4.6.1.3 Requirements for Network Bandwidth
The cBSS OM network can be based on LAN or WAN. The two networking modes require
different bandwidths.
4.6.1.4 Requirements for Network Expandability
During the planning of the cBSS OM network, network expandability should be considered to
minimize the possible impact on network expansion.
4.6.1.5 Requirements for Network Security
Due to the very important role that the OM network plays in an entire network, a security problem
may lead to a heavy loss. Therefore, building a secure network ensures smooth operation, and
helps to reduce the OPEX of the operator.
4.6.1.6 Requirements for Purchasability and Cost Control for Network Construction
During network construction, the construction cost must be taken into consideration. The
network construction cost includes the equipment cost, transmission cost, network maintenance
cost, and breakdown cost.

Planning Network Bearing Modes


The first factor to be considered in the planning of the cBSS OM network is the network bearing
mode.

Procedure
According to the existing resources and environments, determine the bearer network of the OM
network. The cBSS OM network supports the following bearer networks:
- LAN-based bearer networks
- Broadband IP-based bearer networks
- Fractional E1/T1-based bearer networks
- Full E1/T1-based bearer networks
For details about the bearer networks, refer to Solutions to cBSS OM Network
Construction.
----End

Requirements for IP Addresses


In the cBSS OM network, the transmission of OM data is based on the TCP/IP protocol.
Therefore, the planning of IP addresses is an important part of network planning.

Procedure
Step 1 IP addresses of NEs and tools in the cBSS OM network should be planned. For details about the
planning of IP addresses, refer to cBSS OM Requirements.
Step 2 In addition, the requirements of the specific networking mode (such as dual-plane networking)
and networking equipment (such as routers and firewalls) need to be considered for the planning
of IP addresses.
----End

Requirements for Network Bandwidth


The cBSS OM network can be based on LAN or WAN. The two networking modes require
different bandwidths.

Procedure
- For a LAN-based cBSS OM network, the planning of the bandwidth can be ignored.
  NOTE
  This is because the LAN is built on LAN switches and the bandwidth between NEs is
  higher than 100 Mbit/s.
- When planning bandwidths for a WAN-based OM network, manage a cBSS (a BSC and
  the BTSs it controls) as a unit. Calculate the total bandwidth and the bandwidth between
  sites according to the number of accessing NEs and nodes.
  For the bandwidth required between the cBSS and the M2000, refer to Requirements for
  Transmission Bandwidth. The bandwidth between an M2000 client and the M2000 server
  is 256 kbit/s.
- For a WAN-based cBSS OM network, the bandwidth for accessing an NE must be properly
  planned because the bandwidth available between WAN sites is limited. Thus, bandwidth
  planning is crucial to the building of a WAN-based cBSS OM network.
  To ensure good network expandability, a bandwidth surplus must be reserved for future
  expansion.
----End

Requirements for Network Expandability


During the planning of the cBSS OM network, network expandability should be considered to
minimize the possible impact on network expansion.

Procedure
Network expandability depends on the following factors:
- Whether sufficient IP addresses and masks are reserved in each subnet segment
- Whether sufficient ports are reserved in each service subnet (for example, whether
  sufficient ports are reserved on the LAN switches and sufficient WAN ports on the
  routers), and whether the addition of ports or equipment affects the services in the OM
  network
- Whether sufficient bandwidth is reserved between subnets to meet the increasing
  services, and whether the bandwidth expansion between subnets affects the services in
  the OM network
----End

Requirements for Network Security


Due to the very important role that the OM network plays in an entire network, a security problem
may lead to a heavy loss. Therefore, building a secure network ensures smooth operation, and
helps to reduce the OPEX of the operator.

Procedure
- Security Risks and Threats of the OSS Network
  With the enhancement of network interoperability and the development of open OSS
  modes, the OM network is faced with more and more risks and threats that are inherent
  in IP-based networks. The possible reasons are as follows:
  - Access from non-security domains to the OM network
    With the development of the centralized NMS and the enhancement of the
    interoperability between the OM network and other networks, users hope to perform
    OM operations at the nodes in external networks. Therefore, access from non-security
    domains to the OM network puts the OM network at risk or even interrupts the services.
  - Interference between services
    An IP-based OM network may communicate or share the bearer network with other
    service subnets. Thus, service interference and bandwidth competition arise.
  - Improper network architecture
    If the network architecture is not properly planned, hazards may arise. For example, in
    a fully open network, free communication among all subnets may lead to flooding
    messages or viruses. A faulty node may lead to service disruption in the entire network.
  - Malicious attacks
    Malicious attacks, such as probing, disguise, fraud, DoS, DDoS, or Trojan horses, may be
    disastrous to the entire network.
  - Leakage or interception of secret information
    In an OM network, if the secret information is leaked, intercepted, or modified, the
    security and reliability of existing services are challenged. In this sense, the security of
    the transmission network is also important to the OM network.
- Network Security Target
  The security target is to protect the core services, information, and nodes in the OM
  network, to implement secrecy, integrity, and availability through technical and management
  means, and to guarantee normal operations of services.
- Security Feature Requirements
  - Providing policies of security domain planning, isolating the core nodes from risky
    subnets, and applying different security policies to different domains
  - Providing boundary protection policies and access control policies to avoid attacks and
    security risks brought by the WAN access to OM networks
  - Providing VLAN and VPN divisions during network construction to ensure effective
    data isolation in the OM network
  - Providing transmission security policies for important information and guaranteeing the
    secrecy and integrity of service transmission
----End

Requirements for Purchasability and Cost Control for Network Construction


During network construction, the construction cost must be taken into consideration. The
network construction cost includes the equipment cost, transmission cost, network maintenance
cost, and breakdown cost.

Procedure
- Determine the Equipment Cost
  The equipment cost includes the cost of transmission equipment and the cost of networking
  equipment. The networking equipment includes routers, LAN switches, and the timeslot
  cross-connection equipment.
  To reduce the equipment cost, flexible and suitable configurations must be available.
  Equipment sharing, if allowed, also helps to reduce the equipment cost.
- Determine the Transmission Cost
  If the OM network is carried by a WAN, the transmission cost between sites is high. In this
  case, accurate evaluation of the bandwidth required helps to reduce the transmission cost.
  In addition, a cost-effective bearing mode is preferred.
- Determine the Network Maintenance Cost
  Besides the equipment cost and the transmission cost, the maintenance cost should be
  considered. To reduce the network maintenance cost, the following requirements are
  proposed:
  - The networking equipment supports high maintainability and configurability, and
    remote troubleshooting.
  - The network structure is clear and easy to understand, thus facilitating troubleshooting.
  - The routing protocols and security policies are simple, thus simplifying network
    configurations.
- Determine the Breakdown Cost
  In the OM network, normal services and real-time communication must be maintained.
  Once network disruption arises, for whatever reasons, possible failure in OM services may
  lead to an unpredictable loss. In this sense, the breakdown cost may be far higher than other
  network construction costs, such as the equipment cost. Therefore, the reliability, security,
  and communication quality of the network must be guaranteed during the cost evaluation.
----End

4.6.2 Planning an OM Network


The key factors in the planning of the OM network are to well understand, collect, analyze, and
meet the requirements of the customer for the network.
4.6.2.1 Process for Planning an OM Network
According to the process for planning an OM network, you need to draw the networking mode
diagram, describe the networking mode, provide the precautions, and complete the planning and
design of the OM network.
4.6.2.2 Collecting Networking Requirements
Before the cBSS network planning, you need to fully collect the customer requirements for the
cBSS OM network, and understand the OSS mode of the customer. The requirements are related
to the availability, security, and expandability of the network.
4.6.2.3 Specifying the Networking Mode
The networking mode and the network structure can be determined based on the networking
requirements of the customer.
4.6.2.4 Specifying the Networking Solutions for Remote OM
According to the collected requirements of remote OM, the network solutions for remote OM
of the cBSS system are determined.
4.6.2.5 Specifying the Security Solutions of the OM Network
According to the collected requirements for OM network security, networking mode, dual-plane
network solution, and remote OM solution, determine the security solutions to the cBSS OM
network.
4.6.2.6 Specifying the OM Networking Equipment
Based on the networking mode, dual-plane network solution, remote OM solution, security
solution, equipment performance, and cost, specify the networking equipment, equipment
quantity, number of sites, and connection modes to be deployed in the cBSS OM network.
4.6.2.7 Specifying the IP Addresses and Routes
Based on the OM network structure, networking solution and network equipment deployment,
determine the requirements for IP addresses of the entire cBSS OM network, the IP address
assignment and the setting of routes between network segments.
Process for Planning an OM Network


According to the process for planning an OM network, you need to draw the networking mode
diagram, describe the networking mode, provide the precautions, and complete the planning and
design of the OM network.
Figure 4-17 shows the process for planning an OM network.
Figure 4-17 Process for planning an OM network

4-76

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd

Issue 2.0 (2008-03-12)

cBSS
Network Planning Guideline

4 OM Network Planning for the cBSS System

Collecting Networking Requirements


Before the cBSS network planning, you need to fully collect the customer requirements for the
cBSS OM network, and understand the OSS mode of the customer. The requirements are related
to the availability, security, and expandability of the network.

Procedure
When collecting networking requirements, you can refer to the sheets provided in Data Sheets
of OM Network Planning.
----End

Specifying the Networking Mode


The networking mode and the network structure can be determined based on the networking
requirements of the customer.

Procedure
Step 1 LAN- or WAN-Based OM Network
According to the basic information collected, the networking mode can be determined based on
the planned locations of the BSC and the M2000 server.
- If the BSC equipment and the M2000 server are located at the same site, a LAN-based OM
  network is preferred.
- If the BSC equipment and the M2000 server are located at different sites, a WAN-based OM
  network is preferred.
- If both the previous situations arise, a combined OM network is required.

Step 2 Network Structure and Bandwidth Requirements


For a fully or partially WAN-based OM network, the network structure is specified based on
the site distribution. In addition, the bandwidth required by each site must be evaluated.
Step 3 Bearing Mode in a WAN-Based OM Network
For a fully or partially WAN-based OM network, the bearing mode is specified based on the
network structure, requirements for the bandwidth, existing network of the customer, security,
and cost.
For the features of bearing modes supported by the Huawei cBSS system, refer to Solutions to
cBSS OM Network Construction.
----End

Specifying the Networking Solutions for Remote OM


According to the collected requirements of remote OM, the network solutions for remote OM
of the cBSS system are determined.

Procedure
Step 1 According to the remote OM requirements and the OSS mode of the customer, determine
whether to provide the remote OM function for the cBSS OM network.
Step 2 If the remote OM function is required, determine whether it is based on PSTN or IP.
For details about the network solutions for remote OM provided by Huawei, refer to Network
Solutions for cBSS Remote OM.
----End

Specifying the Security Solutions of the OM Network


According to the collected requirements for OM network security, networking mode, dual-plane
network solution, and remote OM solution, determine the security solutions to the cBSS OM
network.

Procedure
Step 1 Planning the Security Domains
According to the networking mode, network structure, and dual-plane network solution, divide
the OM network into several security domains and determine their security levels.
For details about the security domains, refer to Solutions to cBSS OM Network Security
Domain.
Step 2 Specifying the Firewall Deployment Solutions
The firewall deployment solutions include the firewall locations, packet filtering policies,
anti-attack policies, and NAT policies. The firewall deployment solutions are specified based
on the networking mode and security requirements.
For details about the firewall deployment policies in the Huawei cBSS OM network, refer to
Firewall Security Policies of the cBSS OM Network.
Step 3 Specifying the Transmission Solutions
The solutions regarding transmission encryption and VLAN division must be specified. Thus,
the transmission solutions are specified based on the OM network structure, security level of the
bearing network, and remote OM mode.
For details about the transmission security policies in Huawei cBSS OM network, refer to
Transmission Security Policies of the cBSS OM Network.
Step 4 Specifying the Terminal Access Solutions
The terminal access solutions are specified based on the network security requirements, OM
network structure, remote OM mode, and cBSS Terminal Management and Access Control
Policies.
----End

Specifying the OM Networking Equipment


Based on the networking mode, dual-plane network solution, remote OM solution, security
solution, equipment performance, and cost, specify the networking equipment, equipment
quantity, number of sites, and connection modes to be deployed in the cBSS OM network.
Procedure
Step 1 Determine the networking equipment and deployment policies. For details, refer to Network
Solutions for the cBSS OM System.
NOTE

In addition, a proper balance should be achieved between the system performance and the cost. That is,
when the requirements for the system performance and the expandability are met, try to reduce the quantity
and the cost of the equipment to lower the construction cost and the maintenance complexity.

Step 2 Determine the physical port information required by the networking equipment. For details, refer
to cBSS OM Requirements.
----End

Specifying the IP Addresses and Routes


Based on the OM network structure, networking solution and network equipment deployment,
determine the requirements for IP addresses of the entire cBSS OM network, the IP address
assignment and the setting of routes between network segments.

Procedure
Step 1 Determine the IP address requirements.
For details about the IP addresses required in the cBSS OM network, refer to cBSS OM
Requirements. To allow for dual-plane networking and future expansion, extra IP addresses
must be reserved.
Step 2 Determine the IP address assignment and the setting of routes between network segments.
Then, based on the OM network structure and VLAN planning, determine the IP address
assignment and the setting of routes between network segments.
----End
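As an added example (not code from the guideline), the following Python script applies Step 1 and Step 2 above to the sample scenario in 4.7.1 of this chapter: it sizes one OM subnet per site and per plane with an expansion reserve, carves the subnets from a supernet for each plane, and checks whether a later NE expansion still fits. The site NE counts are taken from the scenario; the per-NE address counts, the 50% reserve, the two gateway addresses per subnet and the 10.10.0.0/16 and 10.20.0.0/16 supernets are assumptions, not figures from cBSS OM Requirements.

```python
"""Subnet sizing for a dual-plane cBSS OM network (added example, not from the
guideline).  NE counts follow the sample scenario (sites A, B, C); every value
marked 'assumed' is constructed for illustration."""
import ipaddress
import math

# Constructed from the sample scenario: NEs and OM tools per site.
SITES = {
    "A": {"m2000_server": 1, "om_terminal": 3, "bsc": 1, "bts": 50},
    "B": {"m2000_server": 0, "om_terminal": 2, "bsc": 2, "bts": 200},
    "C": {"m2000_server": 0, "om_terminal": 2, "bsc": 1, "bts": 200},
}
# Assumed: OM addresses each NE type needs per plane.  The real figures come
# from cBSS OM Requirements, which this example does not reproduce.
ADDRS_PER_NE = {"m2000_server": 1, "om_terminal": 1, "bsc": 2, "bts": 1}
GATEWAY_ADDRS = 2  # assumed: router/firewall interface addresses per subnet


def ne_addresses(site):
    """Host addresses the NEs and tools of a site need today, per plane."""
    return sum(n * ADDRS_PER_NE[kind] for kind, n in SITES[site].items())


def addresses_needed(site, reserve_ratio):
    """Host addresses to plan for: today's need plus the expansion reserve
    (dual-plane networking is handled by planning each plane separately)."""
    return math.ceil(ne_addresses(site) * (1 + reserve_ratio)) + GATEWAY_ADDRS


def prefix_for(hosts):
    """Smallest prefix length whose usable host count covers `hosts`."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))  # +2: network and broadcast
    return 32 - bits


def plan(plane_supernets, reserve_ratio=0.5):
    """Carve one subnet per site out of each plane's supernet.

    Sites are placed largest first so the naturally aligned subnets pack without
    gaps.  Raises ValueError if the planes overlap or a supernet runs out, which
    is the planner's signal to request more address space."""
    nets = {p: ipaddress.IPv4Network(s) for p, s in plane_supernets.items()}
    planes = list(nets.values())
    for i, a in enumerate(planes):
        for b in planes[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"plane supernets {a} and {b} overlap")
    needs = {site: addresses_needed(site, reserve_ratio) for site in SITES}
    order = sorted(SITES, key=lambda s: needs[s], reverse=True)
    result = {site: {} for site in SITES}
    for plane, net in nets.items():
        cursor = int(net.network_address)
        for site in order:
            prefix = prefix_for(needs[site])
            size = 2 ** (32 - prefix)
            start = -(-cursor // size) * size  # round up to the subnet boundary
            subnet = ipaddress.IPv4Network((start, prefix))
            if not subnet.subnet_of(net):
                raise ValueError(f"{plane} supernet {net} exhausted at site {site}")
            result[site][plane] = subnet
            cursor = start + size
    return result


def expansion_fits(planned, site, extra_bts):
    """True if adding `extra_bts` BTSs at a site still fits its planned subnets,
    i.e. the reserve absorbs the expansion without re-addressing the site."""
    needed = ne_addresses(site) + extra_bts * ADDRS_PER_NE["bts"] + GATEWAY_ADDRS
    return all(needed <= sn.num_addresses - 2 for sn in planned[site].values())


if __name__ == "__main__":
    # Assumed supernets, one per plane.
    planned = plan({"plane1": "10.10.0.0/16", "plane2": "10.20.0.0/16"})
    for site, subnets in sorted(planned.items()):
        print(site, addresses_needed(site, 0.5), {p: str(n) for p, n in subnets.items()})
    print("site B +100 BTSs fits:", expansion_fits(planned, "B", 100))
    print("site A +100 BTSs fits:", expansion_fits(planned, "A", 100))
```

With these assumptions site B and site C each get a /23 and site A a /25 per plane; adding 100 BTSs at site B fits the reserve, while the same addition at site A would force re-addressing.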

4.7 Sample of cBSS OM Network Planning Based on Broadband IP
To construct the OM network based on broadband IP, you must collect a wide range of
networking requirements, well understand the networking features, and provide pertinent
network planning solutions.
4.7.1 Scenarios for a Typical Network
In a new cBSS network, site A is a central site, and sites B and C are remote sites.
4.7.2 Collecting Typical Networking Requirements
Before planning the cBSS OM network, you need to be familiar with the OM mode of the
customer and collect networking requirements to well understand and meet the requirements of
the customer.
4.7.3 Planning a Typical Network
When planning an OM network, you need to specify the networking mode, required bandwidth,
remote networking solution, security domain, firewall deployment, boundary protection policy,
VLAN, terminal access and control, transmission encryption policy, networking equipment, IP
address, and route.
4.7.4 Typical Networking Examples
This describes a networking example of the broadband IP-based OM network for the cBSS
system.

4.7.1 Scenarios for a Typical Network


In a new cBSS network, site A is a central site, and sites B and C are remote sites.

Networking Requirements
In a new cBSS network, the cBSS equipment is located at sites A, B, and C. As the centralized
OM center of the cBSS OM network, the M2000 server is located at site A. Site A, the central
site, is equipped with three OM terminals for centralized OM. Sites B and C are remote sites,
and each of them is equipped with two OM terminals. According to the expectations of the
customer, office-based centralized OM should be available.
The distribution of the cBSS equipment is as follows:
- At site A, one M2000 server, three OM terminals, one BSC, and 50 BTSs are deployed.
- At site B, two OM terminals, two BSCs, and 200 BTSs (100 BTSs for each BSC) are
  deployed.
- At site C, two OM terminals, one BSC, and 200 BTSs are deployed.

Networking Environment
The customer provides a broadband IP network, which covers all the sites and can carry OM
services. In addition, the customer requires high security and reliability.

4.7.2 Collecting Typical Networking Requirements


Before planning the cBSS OM network, you need to be familiar with the OM mode of the
customer and collect networking requirements to well understand and meet the requirements of
the customer.
4.7.2.1 Collecting the Basic Networking Information
When collecting the basic networking information, you need to fill in the data sheet of basic
networking information.
4.7.2.2 Collecting Requirements Regarding Network Expandability
When collecting requirements regarding network expandability, you need to fill in the data sheet
of network expandability requirements.
4.7.2.3 Collecting Requirements Regarding Network Security
When collecting requirements regarding network security, you need to fill in the data sheet of
network security requirements.
4.7.2.4 Collecting Requirements Regarding Remote OM
When collecting requirements regarding remote OM, you need to fill in the data sheet of remote
OM requirements.
4.7.2.5 Collecting Requirements Regarding Network Cost
When collecting requirements regarding network cost, you need to fill in the data sheet of
network cost requirements.

Collecting the Basic Networking Information


When collecting the basic networking information, you need to fill in the data sheet of basic
networking information.

Procedure
Fill in the data sheet of basic networking information according to the actual situation.
Table 4-32 describes the basic networking information.
Table 4-32 Data sheet of basic networking information
Category | Information Type | Item | Information Confirmed
Central site | Basic information on the central site | Name |
Central site | Configuration of the M2000 server | Number of M2000 servers | Single server / Dual servers
Central site | Configuration of the M2000 server | Model of the server | 2-CPU SUN Netra 240 / 2-CPU SUN Fire V890 / 4-CPU SUN Fire V890 / 4-CPU SUN Fire E4900 / 8-CPU SUN Fire V890 / 8-CPU SUN Fire E4900
Central site | Configuration of the M2000 clients | Number of M2000 clients |
Central site | Information on the Citrix solution | Is the Citrix solution incorporated? | Yes / No (No is selected by default if this item is unknown.)
Central site | Information on the cBSS equipment | Number of BSCs |
Central site | Information on the cBSS equipment | Number of BTSs and number of carriers controlled by BSC A_1 | Number of BTSs: 50; number of carriers: unknown
Remote site | Basic information on remote sites | Number of remote sites |
Remote site | Basic information on remote sites | Names of remote sites | C
Remote site | Information on site B | Number of M2000 clients/LMTs |
Remote site | Information on site B | Number of BSCs |
Remote site | Information on site B | Number of BTSs and number of carriers controlled by BSC B_1 | Number of BTSs: 100; number of carriers: unknown
Remote site | Information on site B | Number of BTSs and number of carriers controlled by BSC B_2 | Number of BTSs: 100; number of carriers: unknown
Remote site | Information on site B | Bearing modes available between site A and site B | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
Remote site | Information on site B | Desired OM bearing mode between site A and site B | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
Remote site | Information on site C | Number of M2000 clients/LMTs |
Remote site | Information on site C | Number of BSCs |
Remote site | Information on site C | Number of BTSs and number of carriers controlled by BSC C_1 | Number of BTSs: 200; number of carriers: unknown
Remote site | Information on site C | Bearing modes available between site A and site B | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
Remote site | Information on site C | Desired OM bearing mode between site A and site B | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave

----End

Collecting Requirements Regarding Network Expandability


When collecting requirements regarding network expandability, fill in the data sheet of
network expandability requirements.

Procedure
Fill in the data sheet of network expandability requirements according to the actual
situation. Table 4-33 describes the requirements regarding network expandability.

Table 4-33 Data sheet of network expandability requirements

Category                                          | Information Type                        | Item                                                                                  | Information Confirmed
--------------------------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------|----------------------
Expansion plan for new sites                      | Basic information on the expansion plan | Is there an expansion plan within a year?                                             | Yes / No
                                                  |                                         | Number of sites to be added within a year                                             | 2 / 3 / 4 / 5 or more
                                                  |                                         | Names of sites to be added within a year                                              | D, E
                                                  | NE expansion plan for site D            | Number of BSCs to be added at site D within a year                                    |
                                                  |                                         | Number of BTSs and carriers to be added at site D within a year                       |
                                                  | NE expansion plan for site E            | Number of BSCs to be added at site E within a year                                    | 100
                                                  |                                         | Number of BTSs and carriers to be added at site E within a year                       |
NE expansion for existing sites                   | Basic information on the expansion plan | Is there an NE expansion plan within a year?                                          | Yes / No
                                                  |                                         | Which site is to be expanded?                                                         |
                                                  | NE expansion plan for site A            | Number of BSCs to be added at site A within a year                                    |
                                                  |                                         | Number of BTSs and carriers to be added at site A within a year                       |
                                                  | NE expansion plan for site B            | Number of BSCs to be added at site B within a year                                    |
                                                  |                                         | Number of BTSs and carriers to be added at site B within a year                       |
Customer's consideration of network expandability | -                                       | Does the customer expect to achieve bandwidth and equipment backup in the OM network? | Yes / No

----End

Collecting Requirements Regarding Network Security


When collecting requirements regarding network security, fill in the data sheet of
network security requirements.

Procedure
Fill in the data sheet of network security requirements according to the actual situation.
Table 4-34 describes the requirements regarding network security.

Table 4-34 Data sheet of network security requirements

Category                                                     | Information Type                                                                                                                     | Information Confirmed
-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------------
Requirements for boundary protection and firewall deployment | Does Huawei need to provide firewalls during the construction of the cBSS OM network?                                                | Yes / No / Unknown
                                                             | Does the information transmitted between the M2000 server and the BSC NEs need to pass through the firewalls?                        | Yes / No / Unknown
                                                             | Does the information transmitted between the NEs and the M2000 clients or the LMTs need to pass through the firewalls?               | Yes / No / Unknown
                                                             | Are the firewalls installed between the M2000 server and the M2000 clients or the LMTs?                                              | Yes / No / Unknown
                                                             | Are NAT policies used to hide the internal IP addresses when the OM network equipment communicates with the external network?        | Yes / No / Unknown
Requirements for data isolation                              | Does the broadband IP network provide the MPLS VPN or other VPN policies?                                                            | Yes / No / Unknown
Requirements for transmission encryption                     | Does the information transmission in the cBSS OM network need to be encrypted?                                                       | Yes / No / Unknown
                                                             | Does the information transmitted between the M2000 server and the M2000 clients need to be encrypted?                                | Yes / No / Unknown
                                                             | Does the information transmitted between the site of the M2000 server and the site of each NE need to be encrypted?                  | Yes / No / Unknown
Requirements for terminal authentication                     | Does the customer need to access the M2000 server and the hosts of the OM network over an office network?                            | Yes / No / Unknown
                                                             | Does a terminal need to use an assigned IP address and MAC address (IP/MAC binding) to access the OM network over an office network? | Yes / No / Unknown
                                                             | Does a terminal need to pass a security check when accessing the OM network over an office network?                                  | Yes / No / Unknown
Customer's awareness of network security                     | How high is the customer's awareness of network security?                                                                            | Very high / High / Medium / Low
                                                             | Does the customer have special requirements for network security?                                                                    | Yes / No / Unknown
                                                             | What are the customer's special requirements for network security?                                                                   |

----End

Collecting Requirements Regarding Remote OM


When collecting requirements regarding remote OM, fill in the data sheet of remote
OM requirements.

Procedure
Fill in the data sheet of remote OM requirements according to the actual situation.
Table 4-35 describes the requirements regarding remote OM.

Table 4-35 Data sheet of remote OM requirements

Category                            | Information Type                                        | Information Confirmed
------------------------------------|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Remote OM mode                      | What are the requirements for the remote OM operations? | Remote OM based on dial-up, accessing the cBSS OM network over the PSTN / Remote OM based on IP, accessing the OM network over the Internet or other public networks / Both
Security requirements for remote OM | Do remote terminals need to be authenticated?           | Yes / No / Unknown
                                    | Does the information need to be encrypted?              | Yes / No / Unknown

----End

Collecting Requirements Regarding Network Cost

When collecting requirements regarding network cost, fill in the data sheet of
network cost requirements.

Procedure
Fill in the data sheet of network cost requirements according to the actual situation.
Table 4-36 describes the requirements regarding network cost.

Table 4-36 Data sheet of network cost requirements

Item                                                                                                  | Information Confirmed
------------------------------------------------------------------------------------------------------|------------------------------
How sensitive is the customer to the network construction cost?                                       | High / Medium / Low
How sensitive is the customer to the cost of a network breakdown (outage)?                            | High / Medium / Low
Assuming the total weight of the network construction requirements is 100 points, how are the points | Availability requirements:
divided among the requirements for security, availability, expandability, and purchasability?        | Expandability requirements:
                                                                                                      | Security requirements:
                                                                                                      | Purchasability requirements:
Are the lines for WAN-based networking leased?                                                        | Yes / No
How important is the line cost?                                                                       | High / Medium / Low
Does bandwidth need to be reserved?                                                                   | Yes / No

----End

4.7.3 Planning a Typical Network


When planning an OM network, you need to specify the networking mode, required bandwidth,
remote networking solution, security domain, firewall deployment, boundary protection policy,
VLAN, terminal access and control, transmission encryption policy, networking equipment, IP
address, and route.
4.7.3.1 Specifying the Networking Mode and Bandwidth
Based on the collected network information, you can specify the networking mode of the NE
equipment, deployment policy and required bandwidth of the M2000. In addition, you can
specify whether to interconnect with the upper-level NMS or other systems.
4.7.3.2 Specifying the Security Domains
Based on the information collected, you can divide security domains into several domains and
provide domain-specific security policies.
4.7.3.3 Specifying the Firewall Deployment and Boundary Protection Policies
Based on the collected information in the data sheet of network security requirements, you can
specify the firewall deployment and boundary protection policies for the OM network.
4.7.3.4 Specifying the Data Isolation Policies
This describes how to specify a VLAN division policy.
4.7.3.5 Specifying the Terminal Access and Control Policies
This describes how to specify the security policies that ensure secure terminal access and control.
4.7.3.6 Specifying the Data Transmission Encryption Policies
This describes how to specify the data transmission encryption policies according to the
requirements of network security and other related information.
4.7.3.7 Specifying the Remote OM Networking Mode
Based on the collected information in the data sheet of remote OM requirements, IP-based remote
OM is required. That is, terminals can access the cBSS OM network through IP-based public
networks.
4.7.3.8 Specifying the Networking Equipment
This describes how to specify the type and the number of the networking equipment that each
site requires.
4.7.3.9 Planning IP Addresses and Network Segments
This describes how to plan the IP addresses and network segments for a site.

Specifying the Networking Mode and Bandwidth


Based on the collected network information, you can specify the networking mode of the NE
equipment, deployment policy and required bandwidth of the M2000. In addition, you can
specify whether to interconnect with the upper-level NMS or other systems.

Procedure
Step 1 Based on the information in the data sheet of basic networking information, use the LAN-based
networking mode at site A and the broadband IP-based networking mode at sites B and C.
NOTE

To implement the broadband IP networking mode, specific requirements must be met. For details, refer to
WAN-Based Network Solutions (Broadband IP).

Step 2 According to the requirements for network expandability, specify the bandwidth required in
the coming year. Since network expansion is not required, it is unnecessary to reserve bandwidth
for future expansion. For details about the bandwidth required between the cBSS equipment and
the M2000 server, refer to Requirements for Transmission Bandwidth. Table 4-37 describes the
bandwidth required by each site.

Table 4-37 Bandwidth requirements of each site

Site | Equipment           | Quantity | Required Bandwidth (kbit/s)
-----|---------------------|----------|----------------------------
A    | M2000 server        |          | Unspecified in a LAN
     | M2000 client or LMT |          |
     | BSC                 | 1        |
     | BTS                 | 50       |
B    | M2000 server        |          | 384 x 2 + 256 x 2 = 1280
     | M2000 client or LMT |          |
     | BSC                 | 2        |
     | BTS                 | 200      |
C    | M2000 server        |          | 384 + 256 x 2 = 896
     | M2000 client or LMT |          |
     | BSC                 | 1        |
     | BTS                 | 200      |

----End
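The figures in Table 4-37 come from a per-unit sum. The following Python is an added planning helper, not part of the guideline: the per-unit rates it uses (384 kbit/s per BSC, 256 kbit/s per M2000 client or LMT, two clients per site) are assumptions inferred only from the arithmetic shown in the table and must be confirmed against Requirements for Transmission Bandwidth; the E1 parameters (2048 kbit/s, 64 kbit/s timeslots, timeslot 0 reserved for framing) are standard. It also applies the expansion reserve that Step 2 says is skipped here, so the same helper serves a project whose expandability sheet answers Yes, and it reports how many timeslots a partial-E1 bearer would need.

```python
"""Per-site OM bandwidth planner (added example, not from the guideline).

Per-unit rates are ASSUMPTIONS inferred from Table 4-37's arithmetic
(384 x 2 + 256 x 2 = 1280 for two BSCs, 384 + 256 x 2 = 896 for one BSC);
confirm them against "Requirements for Transmission Bandwidth".
"""
from dataclasses import dataclass

KBPS_PER_BSC = 384        # assumed: BSC/BAM <-> M2000 server OM traffic
KBPS_PER_CLIENT = 256     # assumed: M2000 client or LMT <-> server traffic
E1_TIMESLOT_KBPS = 64     # standard E1 timeslot rate
E1_USABLE_TIMESLOTS = 31  # timeslot 0 carries framing and cannot carry data


@dataclass(frozen=True)
class Site:
    name: str
    bscs: int
    clients: int                 # M2000 clients or LMTs at the site
    planned_bscs: int = 0        # to be added within a year (expandability sheet)
    planned_clients: int = 0


def required_kbps(site: Site, reserve_for_expansion: bool = False) -> int:
    """Bandwidth between the site and the M2000 server, in kbit/s."""
    bscs = site.bscs + (site.planned_bscs if reserve_for_expansion else 0)
    clients = site.clients + (site.planned_clients if reserve_for_expansion else 0)
    return bscs * KBPS_PER_BSC + clients * KBPS_PER_CLIENT


def e1_timeslots(kbps: int) -> int:
    """Timeslots a partial-E1 bearer must carry for this rate (rounded up)."""
    return -(-kbps // E1_TIMESLOT_KBPS)


def fits_one_e1(kbps: int) -> bool:
    """True if a single E1 (31 data timeslots) can carry the rate."""
    return e1_timeslots(kbps) <= E1_USABLE_TIMESLOTS


def plan(sites, reserve_for_expansion: bool = False) -> dict:
    """Map site name -> (kbit/s, E1 timeslots, fits in one E1)."""
    out = {}
    for s in sites:
        k = required_kbps(s, reserve_for_expansion)
        out[s.name] = (k, e1_timeslots(k), fits_one_e1(k))
    return out


# Constructed input mirroring the worked example: site B has BSC B_1 and B_2,
# site C has BSC C_1. Two clients per site is the assumption that reproduces
# the table's figures; the planned BSC at site C is constructed for illustration.
EXAMPLE_SITES = (
    Site("B", bscs=2, clients=2),
    Site("C", bscs=1, clients=2, planned_bscs=1),
)

if __name__ == "__main__":
    for name, (k, ts, ok) in plan(EXAMPLE_SITES).items():
        print(f"site {name}: {k} kbit/s, {ts} E1 timeslots, single E1: {ok}")
```

With reserve_for_expansion=True, site C's figure rises from 896 to 1280 kbit/s, which is the reservation Step 2 would have to make if the expandability sheet had answered Yes.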

Specifying the Security Domains


Based on the information collected, you can divide security domains into several domains and
provide domain-specific security policies.

Procedure
Step 1 The planned security domains are as follows:
- Core security domain: includes the M2000 server and other key server equipment.
- cBSS security domain: includes the cBSS OM modules of the central and the remote cBSS
  NEs, such as the active and standby BAM servers.
- Network security domain: includes the broadband IP-based bearer network provided by the
  customer.
- Special terminal security domain: includes the M2000 clients/LMTs located at central and
  remote sites.
- Common security domain or DMZ domain: is reserved for the equipment that provides
  special services to the OM network and possibly communicates with external networks.
- NMS access domain: is a domain of moderate risk.
- Multi-purpose terminal access domain: includes the external terminals that access the OM
  network from other networks, such as offices or the intranet. These external networks are
  planned as a separate domain to ensure the security of the OM network. This domain is a
  domain of moderate risk.
- Remote OM/mobile access domain: is a domain of high risk.

Step 2 The planned security policies are as follows:
- The core security domain, cBSS security domain, and special terminal security domain belong
  to the internal OM network and therefore to the trust domain. For communication within the
  trust domain, only VLAN-based isolation is required. Note that a VLAN separates broadcast
  domains but is not an access control; any filtering needed between trust-domain VLANs must
  be applied on the layer-3 device that routes between them.
- The NMS access domain, multi-purpose terminal access domain, and remote OM/mobile
  access domain belong to the external OM network. Because they pose a risk to the internal
  OM network, they belong to the untrust domain.
- Although an NTP server is not required, the DMZ is reserved because the anti-virus
  server needs to communicate with both the internal and the external networks.
- Because the IP bearer network is provided by the customer, data isolation policies such as
  a VPN policy are necessary to protect the carried OM services from being affected by other
  subnets or services.

----End

Specifying the Firewall Deployment and Boundary Protection Policies


Based on the collected information in the data sheet of network security requirements, you can
specify the firewall deployment and boundary protection policies for the OM network.

Procedure
- Deploy a pair of firewalls in HA (active/standby) redundancy, because the network is an
  end-to-end dual-plane network.
- Deploy the firewalls in routing mode, so that traffic between different domains is routed
  (layer-3 forwarded) through the firewalls.
- No firewall is required between the M2000 server and the NEs or between the M2000 server
  and the M2000 clients, because the data sheet states no such requirement. A security gateway
  is therefore deployed only at the boundary between the internal and external OM networks.
- An IDS is not deployed.
- The firewalls provide the NAT policy, based on the interworking access requirements of
  the internal and external OM networks, so that internal addresses are hidden from the
  external network.

----End
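The security domains of 4.7.3.2 and the firewall and boundary protection policies of this section together define which flows the security gateway may carry. The following Python is an added example (not the guideline's text and not the configuration syntax of any Huawei product) that models those domains as firewall zones, evaluates a first-match rule list with a default deny so that nothing from the untrust domains reaches the trust domains unless a rule allows it, treats intra-trust traffic as VLAN-isolated but not firewalled, and applies the source NAT described for internal-to-external traffic. All addresses are assumptions (RFC 1918 ranges for internal domains, RFC 5737 documentation ranges for external ones), the IPSec "inside pool" that represents terminals which have completed the remote OM tunnel is an assumption, and the service names are labels, not the M2000's real port numbers.

```python
"""Zone-based policy model for the cBSS OM security gateway (added example).

Addresses and service names are ASSUMPTIONS for illustration; map them to
the real IP plan (Table 4-39) and the M2000 protocol ports before use.
"""
import ipaddress
from typing import Optional

# Security domains from 4.7.3.2, as firewall zones. Trust zones sit inside
# the OM network; the DMZ is reserved for the anti-virus server; NMS, office
# and remote-access zones are untrust. 'remote_vpn' is the assumed inside
# address pool handed to terminals after the IPsec tunnel is established.
ZONES = {
    "core":       ipaddress.ip_network("10.10.1.0/24"),     # M2000 server, key servers
    "cbss":       ipaddress.ip_network("10.10.2.0/24"),     # BAM servers (central and remote)
    "terminal":   ipaddress.ip_network("10.10.3.0/24"),     # special terminals (M2000 clients/LMTs)
    "dmz":        ipaddress.ip_network("10.10.9.0/24"),     # anti-virus server
    "remote_vpn": ipaddress.ip_network("10.10.20.0/24"),    # IPsec inside pool (assumed)
    "nms":        ipaddress.ip_network("192.0.2.0/24"),     # upper-level NMS access domain
    "office":     ipaddress.ip_network("198.51.100.0/24"),  # multi-purpose terminal access domain
}
TRUST = {"core", "cbss", "terminal"}
FIREWALL_OUTSIDE_ADDR = ipaddress.ip_address("203.0.113.10")  # assumed NAT address

# First-match rule list: (src_zone, dst_zone, service or '*', action).
# Anything not matched falls through to the final deny.
RULES = [
    ("terminal",   "core", "m2000-client",   "permit"),
    ("terminal",   "cbss", "lmt",            "permit"),
    ("remote_vpn", "core", "m2000-client",   "permit"),  # remote OM only through the tunnel
    ("remote_vpn", "cbss", "lmt",            "permit"),
    ("cbss",       "core", "om-report",      "permit"),  # NE -> M2000 server
    ("core",       "cbss", "om-control",     "permit"),
    ("core",       "nms",  "nms-northbound", "permit"),  # interconnection with the NMS
    ("dmz",        "*",    "av-update",      "permit"),  # anti-virus server talks both ways
    ("*",          "dmz",  "av-update",      "permit"),
    ("*",          "*",    "*",              "deny"),
]


def zone_of(ip: str) -> str:
    """Classify an address into a zone; unknown addresses are the high-risk remote domain."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "remote"          # Internet / remote OM and mobile access domain


def evaluate(src_ip: str, dst_ip: str, service: str) -> str:
    """Return 'permit' or 'deny' for a flow as the security gateway would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src in TRUST and dst in TRUST:
        return "permit"      # intra-trust traffic is VLAN-isolated only, not firewalled
    for rule_src, rule_dst, svc, action in RULES:
        if rule_src in (src, "*") and rule_dst in (dst, "*") and svc in (service, "*"):
            return action
    return "deny"


def translate_source(src_ip: str, dst_ip: str) -> Optional[str]:
    """Source NAT for internal-to-external flows; None means no translation."""
    not_translated = TRUST | {"dmz", "remote_vpn"}
    if zone_of(src_ip) in TRUST and zone_of(dst_ip) not in not_translated:
        return str(FIREWALL_OUTSIDE_ADDR)
    return None
```

The rule list encodes the decisions of this section: remote terminals reach the core only after the IPsec gateway has placed them in the inside pool, a packet arriving straight from the Internet or from an office terminal is dropped by the final rule, and the NMS is reachable from the core but may not initiate connections inward.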

Specifying the Data Isolation Policies


This describes how to specify a VLAN division policy.

Procedure
Step 1 Provide a VLAN policy so that the security domains are isolated from each other at layer 2.
Step 2 Use the MPLS-based VPN policy of the bearer network for the OM traffic, because the bearer
network is a broadband IP network.
----End

Specifying the Terminal Access and Control Policies


This describes how to specify the security policies that ensure secure terminal access and control.

Procedure
Because terminal access control is not required, do not deploy the MA5200 or the NUMEN security
policy server.
----End

Specifying the Data Transmission Encryption Policies


This describes how to specify the data transmission encryption policies according to the
requirements of network security and other related information.

Procedure
Because the customer has no specific requirement, no IPSec-based data transmission encryption
policy is provided between the central and remote sites. Note that the MPLS VPN on the bearer
network isolates the OM traffic from other VPNs but does not encrypt it; without IPSec, the OM
traffic between sites is readable by anyone with access to the customer's bearer network.
----End

Specifying the Remote OM Networking Mode

Based on the collected information in the data sheet of remote OM requirements, IP-based remote
OM is required. That is, terminals can access the cBSS OM network through IP-based public
networks.

Procedure
- Deploy an IPSec-based VPN gateway, because the remote access is subject to the data
  encryption policies required by the customer.
- Use the existing firewalls as the IPSec-based VPN gateway.
- Because the data sheet does not specify whether remote terminals must be authenticated, no
  additional (user-level) authentication of remote terminals is conducted for the time being.
  The IPSec gateway still authenticates each remote peer during IKE negotiation (by pre-shared
  key or certificate); what is deferred is authentication of the operator beyond the tunnel
  credential.

----End

Specifying the Networking Equipment


This describes how to specify the type and the number of the networking equipment that each
site requires.

Procedure
Table 4-38 describes the networking equipment to be specified based on the requirements.

Table 4-38 Networking equipment

Site | Equipment            | Quantity | Component and Description | Remarks
-----|----------------------|----------|---------------------------|--------
A    | LAN switch           |          |                           |
     | Router               |          |                           |
     | Firewall             |          |                           |
     | MA5200               |          |                           |
     | NUMEN server         |          |                           |
     | Dial-up server       |          |                           |
     | Dedicated VPN server |          |                           |
B    | LAN switch           |          |                           |
     | Router               |          |                           |
     | Firewall             |          |                           |
C    | LAN switch           |          |                           |
     | Router               |          |                           |
     | Firewall             |          |                           |

----End

Planning IP Addresses and Network Segments


This describes how to plan the IP addresses and network segments for a site.

Procedure
Table 4-39 describes the IP addresses and network segments of the equipment at each site,
to be specified based on the requirements.

Table 4-39 IP addresses and network segments

Site | Equipment           | Node                                   | IP Address | Mask | Remarks
-----|---------------------|----------------------------------------|------------|------|---------
A    | M2000 server        | Host A                                 |            |      |
     |                     | Host B                                 |            |      |
     |                     | Virtual host IP address                |            |      |
     |                     | Disk array 1                           |            |      |
     |                     | Disk array 2                           |            |      |
     |                     | TC                                     |            |      |
     |                     | Blade150                               |            |      |
     |                     | Reserve 1                              |            |      |
     |                     | Reserve 2                              |            |      |
     | BSC                 | Active network adapter for the BAM(M)  |            |      |
     |                     | Standby network adapter for the BAM(M) |            |      |
     |                     | Active network adapter for the BAM(S)  |            |      |
     |                     | Standby network adapter for the BAM(S) |            |      |
     | M2000 client or LMT |                                        |            |      |
     | BTS                 |                                        |            |      | 50 BTSs
B    | M2000 server        |                                        |            |      |
     | M2000 client or LMT |                                        |            |      |
     | BSC                 |                                        |            |      |
     | BTS                 |                                        |            |      | 200 BTSs
C    | M2000 server        |                                        |            |      |
     | M2000 client or LMT |                                        |            |      |
     | BSC                 |                                        |            |      |
     | BTS                 |                                        |            |      | 200 BTSs

----End
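Table 4-39 leaves the address and mask columns to be filled from the VLAN division policy of 4.7.3.4: at the central site the M2000 server, the cBSS equipment, and the special terminals sit in separate VLANs with separate IP segments, and the dual-plane design gives each BAM one network adapter per plane. The following Python is an added example, not from the guideline, of carving those segments and host addresses with the standard ipaddress module and checking that no two segments overlap before routes and ACLs are written. The address space (10.<site index>.0.0/16 per site, one /24 per VLAN and per plane), the plane-to-adapter mapping, and the host offsets are all assumptions; the node names are those listed in Table 4-39.

```python
"""VLAN/IP segment planner for Table 4-39 (added example, not from the guideline).

Address ranges and host offsets are ASSUMPTIONS; node names follow Table 4-39.
Each site gets a /16; each VLAN gets one /24 per OM plane so that the
dual-plane design keeps the two planes in different segments.
"""
import ipaddress

# VLANs per site type, following the VLAN division policy of 4.7.3.4.
CENTRAL_VLANS = ("m2000", "cbss", "terminal", "dmz")
REMOTE_VLANS = ("cbss", "terminal")
PLANES = ("plane1", "plane2")

M2000_NODES = ("Host A", "Host B", "Virtual host IP address", "Disk array 1",
               "Disk array 2", "TC", "Blade150", "Reserve 1", "Reserve 2")


def site_segments(site_index: int, central: bool) -> dict:
    """Return {(vlan, plane): IPv4Network} for one site, carved from 10.<site_index>.0.0/16."""
    supernet = ipaddress.ip_network(f"10.{site_index}.0.0/16")
    subnets = supernet.subnets(new_prefix=24)       # 256 /24s, taken in order
    vlans = CENTRAL_VLANS if central else REMOTE_VLANS
    return {(v, p): next(subnets) for v in vlans for p in PLANES}


def assign(segment: ipaddress.IPv4Network, offset: int) -> ipaddress.IPv4Address:
    """Host address at a fixed offset inside a segment; offset 1 is kept for the gateway."""
    if offset < 2 or offset >= segment.num_addresses - 1:
        raise ValueError("offset outside usable host range")
    return segment.network_address + offset


def central_site_plan(site_index: int = 1) -> list:
    """Rows (equipment, node, address, mask) for the central site, in Table 4-39 order."""
    seg = site_segments(site_index, central=True)
    rows = []
    m2000 = seg[("m2000", "plane1")]
    for offset, node in enumerate(M2000_NODES, 10):
        rows.append(("M2000 server", node, assign(m2000, offset), m2000.netmask))
    # One BAM adapter per plane: active on plane 1, standby on plane 2 (assumed mapping).
    for bam, offset in (("BAM(M)", 10), ("BAM(S)", 11)):
        p1, p2 = seg[("cbss", "plane1")], seg[("cbss", "plane2")]
        rows.append(("BSC", f"Active network adapter for the {bam}", assign(p1, offset), p1.netmask))
        rows.append(("BSC", f"Standby network adapter for the {bam}", assign(p2, offset), p2.netmask))
    return rows


def no_overlap(networks) -> bool:
    """Planning check: no two segments overlap."""
    nets = list(networks)
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def all_sites(n_remote: int) -> dict:
    """Segments for the central site A (index 1) and n_remote remote sites B, C, ... (indices 2, 3, ...)."""
    plan = {"A": site_segments(1, central=True)}
    for k in range(n_remote):
        plan[chr(ord("B") + k)] = site_segments(2 + k, central=False)
    return plan


if __name__ == "__main__":
    for row in central_site_plan():
        print(*row, sep=" | ")
    segs = all_sites(2)
    every_segment = [net for site in segs.values() for net in site.values()]
    print("segments overlap-free:", no_overlap(every_segment))
```

Running the block prints the central-site rows of Table 4-39 with addresses filled in and confirms that the segments of sites A, B, and C do not overlap; the remote sites get only the cBSS and terminal VLANs, matching the VLAN division policy for remote sites.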

4.7.4 Typical Networking Examples


This describes a networking example of the broadband IP-based OM network for the cBSS
system.

Site Distribution and Configuration

For example, there are sites A, B, and C. The M2000 server is located at site A. Therefore, site A is
the central site, while sites B and C are remote sites.
Since the OM services are carried by the broadband IP network, which is provided by the
customer, only LAN switches are required for the networking.
At the central site, configure a pair of LAN switches (Quidway 3526) on the two planes of the
OM network. Connect the M2000 server and the BAM server to both LAN switches, which
connect to each other through a trunk. Configure another LAN switch at the central site as the
access equipment for special OM terminals and connect it to the primary OM plane.
Configure a pair of LAN switches for backup at site B and at site C. Do not configure a separate
LAN switch for the special terminals there, because there are only a few special terminals.

Specifying the Requirements for the IP Bearer Network

- Provide a minimum bandwidth of 1280 kbit/s between site A and site B and a minimum
  bandwidth of 896 kbit/s between site A and site C, and apply QoS policies to ensure
  bandwidth availability.
- Provide dedicated VPN channels to ensure network security. Huawei suggests that
  MPLS-based VPN policies be used.

Specifying the Security Policies of the cBSS OM Network

- Security domains
  The core security domain, cBSS security domain, and terminal security domain belong to
  the internal OM network and therefore to the trust domain. For communication within the
  trust domain, only VLAN-based isolation is required.
  The NMS access domain, multi-purpose terminal access domain, and remote access domain
  belong to the external OM network. Because they pose a risk to the internal OM network, they
  belong to the untrust domain.
  Although an NTP server is not required, the DMZ is reserved because the anti-virus
  server needs to communicate with both the internal and the external networks.
  In the network security domain, strict isolation and VPN policies must be available.
- Firewall deployment and boundary protection policies
  At the central site, deploy a pair of firewalls as security gateways. Apply ACL and
  packet filtering policies to the communication between the internal and external networks.
  The firewalls also serve as the IPSec-based VPN gateway for remote access. A NAT
  policy is required to protect the internal network during communication between the
  internal and external networks.
  The firewalls work as an HA pair for disaster tolerance, in routing mode.
- VLAN division policy
  At the central site, assign the M2000 server, cBSS equipment, and special terminals to
  different VLANs, each with its own IP segment.
  At remote sites, assign the BAM server and the OM terminals to different VLANs.
- MPLS-based VPN
  Apply the MPLS-based VPN policy to the broadband IP network so that the
  transmission of OM services is not affected by other traffic.

Specifying the Remote OM Solution

Remote terminals access the internal network through the IP network and are authenticated by
the IPSec gateway. Before accessing the internal network, remote terminals are checked by the
firewall, which applies ACL, packet filtering, and anti-attack policies.
The NAT policy provided by the firewall translates addresses for IP packets passing
between the internal and external networks, thus hiding the addressing of the
internal network.

4.8 Data Sheets of OM Network Planning


When a cBSS OM network is planned, the data sheets required for information collection are
the data sheet of basic networking information, data sheet of network reliability requirements,
data sheet of network expandability requirements, data sheet of network security requirements,
data sheet of remote OM requirements, and the data sheet of network cost requirements.
4.8.1 Data Sheet of Basic Networking Information
The data sheet of basic networking information records the basic network information during
the cBSS OM network construction.
4.8.2 Data Sheet of Network Reliability Requirements
The data sheet of network reliability requirements records network reliability requirements
during the cBSS OM network construction.
4.8.3 Data Sheet of Network Expandability Requirements
The data sheet of network expandability requirements records network expandability
requirements during the cBSS OM network construction.
4.8.4 Data Sheet of Network Security Requirements
The data sheet of network security requirements records network security requirements during
the cBSS OM network construction.
4.8.5 Data Sheet of Remote OM Requirements
The data sheet of remote OM requirements records remote OM requirements during the cBSS
OM network construction.

4.8.6 Data Sheet of Network Cost Requirements


The data sheet of network cost requirements records network cost requirements during the cBSS
OM network construction.

4.8.1 Data Sheet of Basic Networking Information


The data sheet of basic networking information records the basic network information during
the cBSS OM network construction.
Table 4-40 describes the basic networking information.

Table 4-40 Data sheet of basic networking information

Category     | Information Type                      | Item                                                        | Information Confirmed
-------------|---------------------------------------|-------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------
Central site | Basic information on the central site | Name                                                        |
             | Configuration of the M2000 server     | Number of M2000 servers                                     | Single server / Dual servers
             |                                       | Model of the server                                         | 2-CPU Sun Netra 240 / 2-CPU Sun Fire V890 / 4-CPU Sun Fire V890 / 4-CPU Sun Fire E4900 / 8-CPU Sun Fire V890 / 8-CPU Sun Fire E4900
             | Configuration of the M2000 clients    | Number of M2000 clients                                     |
             | Information on the Citrix solution    | Is the Citrix solution incorporated?                        | Yes / No (No is selected by default if this item is unknown)
             | Information on the cBSS equipment     | Number of BSCs                                              |
             |                                       | Number of BTSs and number of carriers controlled by BSC A_1 | Number of BTSs: / Number of carriers: / Number of served subscribers:
Remote site  | Basic information on remote sites     | Number of remote sites                                      |
             |                                       | Names of remote sites                                       |
             | Information on remote site 1          | Number of M2000 clients/LMTs                                |
             |                                       | Number of BSCs                                              |
             |                                       | Number of BTSs and number of carriers controlled by BSC B_1 | Number of BTSs: / Number of carriers: / Number of served subscribers:
             |                                       | Number of BTSs and number of carriers controlled by BSC B_2 | Number of BTSs: / Number of carriers: / Number of served subscribers:
             |                                       | Bearing modes available between site A and site B           | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
             |                                       | Desired OM bearing mode between site A and site B           | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
             | Information on remote site 2          | Number of M2000 clients/LMTs                                |
             |                                       | Number of BSCs                                              |
             |                                       | Number of BTSs and number of carriers controlled by BSC C_1 | Number of BTSs: / Number of carriers: / Number of served subscribers:
             |                                       | Bearing modes available between site A and site C           | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave
             |                                       | Desired OM bearing mode between site A and site C           | Broadband IP network / Network based on partial E1 / Network based on entire E1 / X.25 / ATM / Microwave

4.8.2 Data Sheet of Network Reliability Requirements


The data sheet of network reliability requirements records network reliability requirements
during the cBSS OM network construction.
Table 4-41 describes network reliability requirements.

Table 4-41 Data sheet of network reliability requirements

Item                                                                      | Information Confirmed                                                                                                                                                                                        | Remarks
--------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------
Are the reliability requirements clear?                                   | Yes / No                                                                                                                                                                                                     | The information denotes the distribution of sites.
Which reliability performance indicators are required?                    | Mean Time Between Failures (MTBF) / Mean Time To Recovery (MTTR) / Availability (Ai), for example 99.999% / Downtime (DT)                                                                                    |
Is dual-plane networking required for the cBSS OM network?                | Yes / No                                                                                                                                                                                                     |
Which level of dual-plane networking can meet the customer's requirements? | End-to-end dual-plane networking, including dual-backup of all networking equipment, dual-route backup, and dual-line backup / Dual-route backup and dual-line backup / Dual-backup of the equipment in the LAN | Determine the specific dual-plane networking mode before the network construction, because different networking modes have different costs and effects.
4.8.3 Data Sheet of Network Expandability Requirements


The data sheet of network expandability requirements records network expandability
requirements during the cBSS OM network construction.
Table 4-42 describes network expandability requirements.

Table 4-42 Data sheet of network expandability requirements

Category                                          | Information Type                        | Item                                                                                  | Information Confirmed | Remarks
--------------------------------------------------|-----------------------------------------|---------------------------------------------------------------------------------------|-----------------------|--------
Expansion plan for new sites                      | Basic information on the expansion plan | Is there an expansion plan within a year?                                             | Yes / No              | -
                                                  |                                         | Number of sites to be added within a year                                             | 2 / 3 / 4 / 5 or more |
                                                  |                                         | Names of sites to be added within a year                                              | D, E                  |
                                                  | NE expansion plan for site D            | Number of BSCs to be added at site D within a year                                    |                       |
                                                  |                                         | Number of BTSs and carriers to be added at site D within a year                       |                       |
                                                  | NE expansion plan for site E            | Number of BSCs to be added at site E within a year                                    | 100                   |
                                                  |                                         | Number of BTSs and carriers to be added at site E within a year                       |                       |
NE expansion for existing sites                   | Basic information on the expansion plan | Is there an NE expansion plan within a year?                                          | Yes / No              |
                                                  |                                         | Which site is to be expanded?                                                         |                       |
                                                  | NE expansion plan for site A            | Number of BSCs to be added at site A within a year                                    |                       |
                                                  |                                         | Number of BTSs and carriers to be added at site A within a year                       |                       |
                                                  | NE expansion plan for site B            | Number of BSCs to be added at site B within a year                                    |                       |
                                                  |                                         | Number of BTSs and carriers to be added at site B within a year                       |                       |
Customer's consideration of network expandability | -                                       | Does the customer expect to achieve bandwidth and equipment backup in the OM network? | Yes / No              |

4.8.4 Data Sheet of Network Security Requirements


The data sheet of network security requirements records network security requirements during
the cBSS OM network construction.
Table 4-43 describes network security requirements.

Table 4-43 Data sheet of network security requirements

Category                                                     | Information Type                                                                                                                     | Information Confirmed           | Remarks
-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|---------------------------------|--------
Requirements for boundary protection and firewall deployment | Does Huawei need to provide firewalls in the construction of the cBSS OM network?                                                    | Yes / No / Unknown              | -
                                                             | Does an IDS need to be deployed?                                                                                                     | Yes / No / Unknown              | -
                                                             | Does the information transmitted between the M2000 server and the BSC need to pass through the firewalls?                            | Yes / No / Unknown              | -
                                                             | Does the information transmitted between NEs and M2000 clients or LMTs need to pass through the firewalls?                           | Yes / No / Unknown              | -
                                                             | Are the firewalls installed between the M2000 server and the M2000 clients or the LMTs?                                              | Yes / No / Unknown              | -
                                                             | Are NAT policies used to hide the internal IP addresses when the OM network equipment communicates with the external network?        | Yes / No / Unknown              | -
Requirements for data isolation                              | Does the broadband IP network provide the MPLS VPN or other VPN policies?                                                            | Yes / No / Unknown              | -
Requirements for transmission encryption                     | Does the information transmission in the cBSS OM network need to be encrypted?                                                       | Yes / No / Unknown              | -
                                                             | Does the information transmitted between the M2000 server and the M2000 clients need to be encrypted?                                | Yes / No / Unknown              | -
                                                             | Does the information transmitted between the site of the M2000 server and the site of each NE need to be encrypted?                  | Yes / No / Unknown              | -
Requirements for terminal authentication                     | Does the customer need to access the M2000 server and the hosts of the OM network over an office network?                            | Yes / No / Unknown              | -
                                                             | Does a terminal need to use an assigned IP address and MAC address (IP/MAC binding) to access the OM network over an office network? | Yes / No / Unknown              | -
                                                             | Does a terminal need to pass a security check when accessing the OM network over an office network?                                  | Yes / No / Unknown              | -
Customer's awareness of network security                     | How high is the customer's awareness of network security?                                                                            | Very high / High / Medium / Low |
                                                             | Does the customer have special requirements for network security?                                                                    | Yes / No / Unknown              |
                                                             | What are the customer's special requirements for network security?                                                                   |                                 |

4.8.5 Data Sheet of Remote OM Requirements


The data sheet of remote OM requirements records remote OM requirements during the cBSS
OM network construction.
Table 4-44 describes remote OM requirements.

Table 4-44 Data sheet of remote OM requirements

Category                                        | Information Type                                                                 | Information Confirmed                                                                                                                                                                  | Remarks
------------------------------------------------|----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------
Remote OM mode                                  | What are the requirements for the remote OM mode?                                | Remote OM based on dial-up, accessing the cBSS OM network over the PSTN / Remote OM based on IP, accessing the OM network over the Internet or other public networks / Both             | -
Requirements for remote access security         | Does two-factor authentication need to be provided?                              | Yes / No / Unknown                                                                                                                                                                     | -
                                                | Do remote terminals need to be authenticated?                                    | Yes / No / Unknown                                                                                                                                                                     |
                                                | Does the information need to be encrypted?                                       | Yes / No / Unknown                                                                                                                                                                     | -
Other requirements for remote access capability | How many remote terminals are allowed to access the OM network at the same time? | Multiple / Unknown                                                                                                                                                                     |

4.8.6 Data Sheet of Network Cost Requirements


The data sheet of network cost requirements records network cost requirements during the cBSS
OM network construction.
Table 4-45 describes network cost requirements.

Table 4-45 Data sheet of network cost requirements

Item                                                                                                  | Information Confirmed        | Remarks
------------------------------------------------------------------------------------------------------|------------------------------|--------
How sensitive is the customer to the network construction cost?                                       | High / Medium / Low          | -
How sensitive is the customer to the cost of a network breakdown (outage)?                            | High / Medium / Low          | -
Assuming the total weight of the network construction requirements is 100 points, how are the points | Availability requirements:   | -
divided among the requirements for security, availability, expandability, and purchasability?        | Expandability requirements:  |
                                                                                                      | Security requirements:       |
                                                                                                      | Purchasability requirements: |
Are the lines for WAN-based networking leased?                                                        | Yes / No                     | -
How important is the line cost?                                                                       | High / Medium / Low          | -
Does bandwidth need to be reserved?                                                                   | Yes / No                     |