NetNumen U31 R20 Product Description
TABLE OF CONTENTS
1 Overview
1.1 Network Operation & Maintenance Trend
1.2 Brief Introduction
1.3 Product Positioning
1.4 Manageable Fixed Access NE Type
2 System Characteristics
2.1 Integrated Network Management to Implement Efficient, Centralized O&M
2.2 Advanced Architecture and High Scalability
2.3 Standard Northbound Interfaces for Convenient Integration
2.4 Comprehensive Security Mechanism to Ensure System Reliability
2.5 Intelligent Service Deployment to Improve Commissioning Efficiency
2.5.1 Fast End-To-End (E2E) Service Deployment
2.6 Value-added Function Advantages
2.6.1 Intelligent Fault Analysis and Diagnosis
2.6.2 Highly-efficient Alarm Compression
2.6.3 Automatic Discovery of Network Objects
2.6.4 Centralized and Remote Software Upgrade
2.6.5 A Variety of Statistics, Analysis and Report Management Functions
3 System Architecture
3.1 System Hardware Architecture
3.2 System Software Architecture
5 System Interfaces
5.1 Interface Protocols
5.2 Southbound Interfaces (Optional)
5.3 Northbound Interfaces
5.3.1 SNMP Northbound Interface
5.3.2 FTP Northbound Interface
5.3.3 TL1 Northbound Interface
5.3.4 WebService Northbound Interface
5.3.5 CORBA Northbound Interface
10 System Security
10.1 Physical Security
10.2 Network Security
10.3 System Security Reinforcement
10.3.1 Background
10.3.2 Principles
10.3.3 Applicable Scope
10.3.4 Implementation
10.4 Security Patch and Anti-virus Protection
10.4.1 Third-party Security Patch Management
10.4.2 Third-party Security Patch Effect Analysis
10.4.3 Release and Deployment of Third-party Security Patches
10.4.4 Anti-virus Software and Virus Library Update
10.5 Application Security
10.5.1 Security of Human-machine Interactions
10.5.2 Interaction Security
10.5.3 Northbound Interface Security
10.5.4 Centralized Security and Single Sign-On
10.6 Key Data Encryption
10.6.1 Data Encryption Between the U31 Server and Clients
10.6.2 Data Encryption for Northbound Interfaces
10.6.3 Data Encryption for Databases
10.6.4 One-way Encryption for Passwords
10.6.5 Data Encryption between NetNumen™ U31 and NEs
11 Reliability
11.1 Reliability Design
11.2 Reliability Indexes
11.3 HA Solution
11.4 Disaster Recovery Solution
11.5 Link Protection Solution
11.6 Data Backup Solution
12 Management Capacity
12.1 Environments
12.2 Network Scale Managed
12.3 Coefficients for Wireline-LEs
13 Performance Indexes
13.1 Performance Index List
13.2 Transmission Indexes
13.3 Physical Indexes
13.3.1 Dimensions
13.3.2 Weight
13.4 Power Indexes
13.5 Environment Requirements
13.5.1 Equipment Room Requirements
13.5.2 Transportation Environment Requirements
13.5.3 Storage Environment Requirements
13.5.4 Environmental Requirements
14 Standard Compliance
1 Overview
With the development of technology and the tremendous transformation of the telecom
industry, broadband, mobility and convergence have become the mainstream trends in
telecom networks. The network structure requires OAM (Operation, Administration and
Maintenance) to become flatter, so as to reduce OPEX and raise efficiency.
To follow this network development trend, ZTE launched the unified network management
system NetNumen™ U31. NetNumen™ U31 manages bearer network equipment, fixed
network equipment, VAS and microwave equipment, etc. U31 can manage multi-domain
equipment, integrates NE-layer and network-layer management, and breaks the
hierarchical management mode to meet the requirements of flat management.
NetNumen™ U31 R20, one of the NetNumen™ U31 versions, can manage all the NEs of
ZTE's fixed network, including the various devices in the access layer and terminal layer.
It provides multiple standard northbound interfaces for integration with upper-layer
systems.
NetNumen™ U31 offers openness, security, scalability and stability. It provides unified
standard interfaces and powerful value-added functions, supports cross-network
management, and upgrades smoothly as the network evolves.
2 System Characteristics
Unified management of multiple technologies: With all fixed-line, bearer, terminal,
service and microwave network management functions integrated, U31 R20 satisfies
the needs of network convergence.
remote redundancy). When the active server fails, the standby server takes over its
tasks immediately and continues the services. In-band and out-of-band management
channels are supported, and they can run in active/standby mode to provide a
non-stop management channel.
Multiple platforms and databases give multiple choices: Being Java-based, U31 R20
supports many types of platforms and databases, such as UNIX, Windows, Linux,
MS SQL Server and Oracle.
Modular structure eases system expansion and upgrade: The U31 R20 server and
client are composed in the manner of "platform + network element manager".
Network element managers and functional modules are built into the system platform
as components. During installation, users can customize their own systems by
choosing the desired components. Moreover, U31 R20 supports new technologies and
device versions, featuring sound flexibility, compatibility and powerful capacity
upgrade capability.
Integration with third-party systems such as IBM Tivoli Netcool/OMNIbus and HP
TeMIP has been completed, to facilitate carriers' OSS applications.
Single Sign-On allows centralized device management and maintenance: Single
Sign-On enables centralized permission assignment and management, and
centralized data storage and management.
SSH/SFTP
Two-factor authentication
NetNumen™ U31 supports comprehensive service management and fast service
dispatching and management.
NetNumen™ U31 has an industry-leading alarm correlation analysis system which
automatically analyzes and locates root alarms and derived alarms according to network
resources and service relations, shortening the troubleshooting time. The diverse
associations and navigation between network alarms and service data help the user
assess network conditions quickly. Meanwhile, VIP services can be configured with
independent fault prompting and processing to offer differentiated service to different
users.
Benefits: filter alarms layer by layer, customize alarm reports, and effectively reduce
the workload of OAM staff.
Automatic discovery helps OAM staff reduce their workload and guarantees the
consistency of the data.
Automatic discovery of NEs: The system automatically searches for new devices so
that they need not be created manually, reducing the workload of manual creation.
Benefits:
3 System Architecture
The NetNumen™ U31 system adopts the client/server mode: one server connects to
several clients. The U31 server can run on Windows, CGSL or Linux and provides NE data
processing and storage. The U31 client runs on Windows and provides a graphical user
interface for operators, who operate and maintain NEs through the client.
The U31 system hardware consists of servers, disk arrays, clients, switches, routers, etc.
Server
The U31 server interacts with NEs, retrieves the required results from them and
forwards the results to the clients. It interacts with BOSS/NMS through northbound
interfaces. The U31 server provides both application and database functions.
Generally, one server provides all application and database functions; they can also
be distributed over two or more servers for load balancing. U31 also supports a local
or remote cluster of two or more servers for high availability.
Client
The U31 system supports multiple concurrent clients managing NEs. Operators
manage NEs and monitor the server status through the client. Clients are classified
by location into local and remote clients.
Local client: The client is located in the same LAN as its server.
Remote client: The server and NEs are located in one LAN, but the client is located
in a remote LAN.
Network device
Network devices connect the U31 server with NEs or BOSS/NMS. They commonly
consist of switches and routers.
The NetNumen™ U31 system adopts a client/server working mode. The client and server
software are independent of each other: the server software is installed on a server and
the client software on a client PC. They can also be installed on the same machine if
required.
The U31 system is based on the J2EE platform, which offers good expansion, flexibility
and ease of maintenance. It runs on UNIX, Windows or Linux, with SQL Server or Oracle
as the database.
The U31 client software provides graphical user interfaces to operate and maintain NEs.
The U31 system adopts a load-balancing design, a disaster recovery design and a
distributed storage structure to ensure system reliability.
In-band EMS refers to configuring an exclusive EMS channel, such as an EMS VLAN, in
the equipment to communicate with the EMS server. EMS traffic and service traffic are
then transmitted simultaneously over the equipment uplink interface, so the EMS VLAN
is the only boundary separating management traffic from service traffic on that link.
The networking is divided into local, remote and mixed networking according to the
location of NetNumen™ U31 relative to the NEs.
LAN networking is the simplest and most commonly used networking mode for a network
management system. In this mode, the NetNumen™ U31 R20 server, client and NEs are
in one LAN and are interconnected via Ethernet; U31 and its NEs are in one physical
location. The LCT handles local operation and maintenance of an NE, while U31
manages the devices in the entire network.
Remote networking is adopted when the client and the NetNumen™ U31 server are not in
one LAN. The basic network topologies and their principles are the same as for local
networking: transmission equipment carries data across the WAN, routers provide access
from the WAN to the LAN, and TCP/IP is used for communication among NEs, server and
clients, so any remote communication supported by transmission equipment and routers
can use U31 remote networking. A client can be located in a remote equipment room and
be assigned a management domain to manage the local equipment. The remote terminal
does not face the managed equipment directly.
Actual deployments sometimes use mixed networking, which combines local networking
and remote networking.
Clients are divided into local and remote clients. Both operate and manage NEs through
the GUI and connect to the server via a LAN or metro network, and both types have the
same operating capability.
Requirements of the networking:
IP connectivity between U31, its clients and the NEs.
Firewall Network Address Translation (NAT) on this path is not supported by the
networking.
4.3 Server
Deployment of the slave servers should take the carrier's network scale and deployment
into consideration. U31 functions or managed domains are assigned to the servers
accordingly, which brings load balancing, an enlarged management scale and improved
system performance.
The solution enables carriers to manage an extra-large network, leverage their existing
server resources and lower network investment.
The NetNumen U31 server application can also be deployed in a cloud data center and
provides the same functions in either centralized or distributed mode. When the servers
are deployed in the cloud, the server application, the OS and the DB all run on virtual
machines. Currently, the NetNumen U31 server can be installed on VMware and Oracle VM
virtual machines with a Linux OS. NetNumen U31 clients connect to the server application
in the cloud data center exactly as they connect to a NetNumen U31 server running on a
PC server or UNIX server. The following figure shows the architecture of cloud
deployment.
4.4 Client
Command Line Interface (CLI): As its name implies, the CLI is a command-line,
ASCII-based man-machine interface.
Along with the development of GUIs, the U31 CLI has introduced GUI ease-of-use (EoU)
features, for example command input help and a navigation tree, while keeping its
existing features, namely a slim client and simple character input.
4.4.2 Single-client
This is the most basic and most common application mode. The client, server and
database may run either on the same computer or on different computers, depending on
the amount of managed equipment and the processing capability of the computer.
4.4.3 Multi-client
One server allows logon of multiple clients and keeps the clients' data synchronized.
This structure is usually applied where users require multiple operation terminals
(clients) or display terminals. The clients may be distributed across various areas, so
some of them need to log on to the server remotely. Management by an upper-layer NM
can also be provided, with a northbound interface module.
U31 employs ZTE's PPU component technology, which allows carriers to determine
the functions integrated into the EMS, so that ZTE can customize an EMS to meet the
individual business needs of a carrier. Furthermore, a variety of deployment schemes
are available, and carriers can choose the one that fits their current O&M mode. ZTE
aims to help carriers drive up their ROI.
Three access methods are available, namely GUI, Web and CLI, to support local and
remote access requirements. O&M personnel can access U31 anytime, anywhere.
Modular design for easy rollout of new services: The modular architecture gives U31
good scalability, so growth in services or changes in NE management require only
small adjustments. Investment is protected, and future customer requirements can
be met.
Note: The products with their names in red are not managed by U31 R20.
As telecom technologies grow rapidly, the telecom market continues to expand and
carriers' networks grow to a greater scale. This brings a series of challenges, such as the
increased complexity of devices in the network, a growing number of different devices,
and the rollout of a great number of new services. Carriers have to deal with a heavy
network management and maintenance burden, which consumes more resources than
before. To lower costs and boost network O&M efficiency, the IT management
architecture has evolved to support multi-technology and multi-level management, and
the various management systems in an enterprise are gradually being integrated into
one system.
Under such circumstances, carriers first need to consider the following managed objects:
Hardware: routers, switches, firewalls, storage, load balancing equipment and servers
(or miniservers);
Software: OS, database system, cluster system, storage management system and other
application systems (for example DNS).
With multiple management layers combined, the U31 integrated ICT management
solution can be deployed to satisfy the IT management demand that devices of different
types and at different network layers be managed in a uniform manner. It is a simple,
convenient, economical and highly efficient solution.
Support for multiple vendors' IT devices and quick scalability bring high customer
satisfaction.
Integration with the U31 system shares resources and cuts down on investment
costs.
The IT management component can share the same security services, such as
firewalls, anti-virus systems and security gateways, with U31.
After the integration of BOSS and EMS, end-to-end automatic service provisioning is
achieved.
The CPE is plug-and-play: no cooperation and no repeated mutual confirmation are
needed.
The process involves the CRM, the service provisioning system, the billing system, the
resource system and the installation dispatch system.
Step 2. The CRM sends a command to the resource system to confirm whether the
resource is available.
Step 3. If the resource is available, the service-opening order is sent to the automatic
service provisioning system.
Step 4. The service provisioning system sends a command to assign the resource.
Step 5. The service provisioning system sends a command to the automatic activation
system, which sends commands to the EMS and to the service control systems, such as
the SS, IPTV and AAA server.
Step 6. The service provisioning system sends a command to the dispatching system for
field engineering.
Step 7. The service provisioning system sends a command to the integrated service
testing system.
Step 8. When all commands have been executed, a completion report is fed back.
More and more enterprises and organizations are raising concerns about remote access
techniques and products as mainstream management software moves from a
client/server to a browser/server architecture. Customers also demand Web access to
satisfy their functional requirements for flexible access and Single Sign-On, which makes
network operation and maintenance more convenient.
U31 provides a secured, efficient Web access solution to meet users' requirements for
remote access.
NetNumen™ U31 provides a Citrix XenApp-based Web access solution that acts as the
U31 application virtualization solution, allowing both Web access and application
virtualization.
In this solution, U31 clients are installed on the Citrix XenApp server, and Citrix clients
reach the U31 server through these U31 clients. Multiple Citrix servers can form a farm
that provides services jointly, which achieves clustering and load balancing.
Users do not need to install the U31 client program on the Citrix XenApp client machines;
only a 2 MB Citrix XenApp client component is necessary. An ICA session is created
between the Citrix XenApp clients and the Citrix XenApp servers. Over the ICA session,
the Citrix XenApp clients drive the U31 clients on the Citrix XenApp servers and log in to
the U31 servers.
U31 clients consume many system resources, and a single Citrix XenApp server allows
only a limited number of concurrent sessions. To solve this problem, the U31 clients are
published on all Citrix XenApp servers in a farm; with automatic load balancing, the
number of concurrent users is greatly enlarged.
Secure access
ZTE NetNumen AOS (hereinafter referred to as AOS) provides a complete uniform portal
solution to solve the problems brought by the diversity of application systems. Through
the uniform entrance and application virtualization, AOS allows users to visit all
applications through one GUI. After users are authenticated, they can access all the
applications without repeated authentication when switching from one application to
another. O&M efficiency is improved, and the user experience is optimized.
Dashboard: Users can customize their own dashboard to observe data from different
applications intuitively.
Application virtualization:
Scalability: Through the load balancer, access servers can be added to the system
conveniently to enlarge its processing capability.
Web-based access with no need to install clients: The client applications are not
installed on users' machines; only a browser is needed to visit the system.
Efficient upgrade: The client applications are upgraded on the AOS server, which
improves upgrade efficiency.
Standard compliance
Security
Complete logging: After login, all user behaviour and operations are logged. AOS
periodically collects the operation logs from the managed application systems for
centralized storage in the portal system.
Data security: After applications are virtualized, only the image data of the GUI is
transferred, and a specific coding method is used to protect service data even if packets
containing it are captured. The coding method is not named here; screen-image
transport by itself is not a substitute for transport-layer encryption of the ICA session,
which should be verified in the deployment.
Application security: To guard the portal from illegal access, AOS provides a
role-based security model in which user authorization, authentication, auditing and
security management policies are employed to secure user operations.
Low bandwidth requirement: Users can visit AOS and perform operations over a
low-bandwidth link (256 kbit/s).
5 System Interfaces
U31 provides a variety of northbound interfaces that allow flexible integration with
upper-layer NMS/OSS/BOSS systems. Thus U31 can be integrated quickly into carriers'
existing systems, and O&M capability is improved as well. U31 manages different types
of NEs while providing uniform northbound interfaces, so that all NE types can be managed
centrally after only one mediation. Integration and maintenance costs are both lowered.
This section introduces the commonly used northbound interfaces of NetNumen™ U31:
TL1 Interface
WebService Interface
SNMP Interface
SNMP is a set of standards defined by the IETF for network management. It has gained
wide acceptance in the industry because it is simple and easy to understand. SNMP is
based on the manager/agent model, in which the manager interacts with agents through
the Management Information Base (MIB) and a set of commands. SNMP also provides an
active reporting mechanism that allows agents to send trap messages to the manager.
FTP/SFTP Interface
FTP/SFTP is used by U31 to transfer large data files, such as PM and RM data files and
resource topology data files. Plain FTP carries its login credentials and file contents in
cleartext; SFTP (file transfer over SSH) should be selected wherever the peer supports it.
CORBA Interface
CORBA is a standard for distributed objects developed by the Object Management Group
(OMG). It consists of the ORB, object services, common facilities, domain-independent
interfaces and application interfaces. The ORB provides transparent communication
between clients and objects.
NetNumen™ U31 manages NEs through southbound interfaces that provide fault,
performance, configuration, topology and security management. The supported
southbound interfaces are SNMP, Syslog, Telnet/SSH, NETCONF/YANG and FTP/SFTP.
Of these, Telnet and FTP are cleartext protocols; SSH, SFTP and NETCONF (whose
mandatory transport is SSH) are the protected alternatives for the same functions.
Interface   Supported functions (√ = supported, × = not supported)
TL1         √ √ √ × √
WebService  √ √ √ × √
SNMP        × √ × × ×
FTP/SFTP    × × × √ √
CORBA       × √ × × ×
NetNumen™ U31 provides a uniform SNMP northbound interface for fault management.
After one mediation, U31 is able to interact with NMS/BOSS/BSS for management of all
NEs. The time spent on integration, integration costs and maintenance costs are all
effectively reduced. U31 supports SNMP v2c and v3. Only v3, with USM authentication
and privacy, protects the trap stream; v2c identifies the sender by a community string
sent in cleartext, so v3 should be selected for the northbound link wherever the
upper-layer system supports it.
SNMP northbound interface for FM. NE types: OLT, MDU, DPU, MSAN, DSLAM, EODN and
EOMU NEs. The SNMP northbound interface for fault management currently provides the
following functions:
1. Heartbeat
2. Alarm submission
3. Current alarm query
4. Alarm acknowledgment/unacknowledgment
5. Alarm clearing
6. Alarm synchronization
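The SNMP description above (manager/agent model, MIB, traps) and the v2c/v3 note apply directly to the "alarm submission" function: a trap is the alarm leaving U31 northbound. As an added example that is not ZTE's code, the Python below BER-encodes an SNMPv2c trap of that shape and then decodes it the way a passive observer of the northbound link would, which shows that in v2c the community string (the only credential) and the alarm text travel in clear. The well-known OIDs sysUpTime.0 and snmpTrapOID.0 and the message layout follow RFC 1901 (community-based message wrapper) and RFC 3416 (SNMPv2-Trap PDU); the OIDs under 1.3.6.1.4.1.3902 and the alarm text are assumed placeholders, not documented U31 objects.

```python
"""Added illustration: what an SNMPv2c alarm trap looks like on the wire.
Not ZTE code. OIDs under 1.3.6.1.4.1.3902 are assumed placeholders."""
from __future__ import annotations

# BER tags used by SNMP (X.690 universal tags plus SNMP application/context tags)
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
TIMETICKS = 0x43           # [APPLICATION 3]
SNMPV2_TRAP_PDU = 0xA7     # [7] IMPLICIT SEQUENCE (RFC 3416)

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"


def _length(n: int) -> bytes:
    """BER length octets: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def encode_uint(value: int, tag: int = INTEGER) -> bytes:
    """Non-negative INTEGER/TimeTicks: minimal two's-complement, leading 0x00 if the top bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(tag, body)


def encode_oid(oid: str) -> bytes:
    """Dotted OID to BER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_v2c_trap(community: bytes, request_id: int, sysuptime: int,
                    trap_oid: str, varbinds: list[tuple[str, bytes]]) -> bytes:
    """SNMPv2c message (RFC 1901 wrapper, version=1) carrying an SNMPv2-Trap PDU."""
    vbs = [_tlv(SEQUENCE, encode_oid(SYS_UPTIME) + encode_uint(sysuptime, TIMETICKS)),
           _tlv(SEQUENCE, encode_oid(SNMP_TRAP_OID) + encode_oid(trap_oid))]
    vbs += [_tlv(SEQUENCE, encode_oid(name) + _tlv(OCTET_STRING, value)) for name, value in varbinds]
    pdu = encode_uint(request_id) + encode_uint(0) + encode_uint(0) + _tlv(SEQUENCE, b"".join(vbs))
    return _tlv(SEQUENCE, encode_uint(1) + _tlv(OCTET_STRING, community) + _tlv(SNMPV2_TRAP_PDU, pdu))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def peek_v2c(packet: bytes) -> dict:
    """Everything a passive observer of the northbound link learns from one v2c trap."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)       # the only 'credential', sent in clear
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != SNMPV2_TRAP_PDU:
        raise ValueError("not an SNMPv2-Trap PDU")
    pos = 0
    for _ in range(3):                             # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, name, p = _read_tlv(vb, 0)
        _, value, _ = _read_tlv(vb, p)
        varbinds.append((decode_oid(name), value))
    return {"version": int.from_bytes(version, "big"), "community": community,
            "trap_oid": decode_oid(varbinds[1][1]), "varbinds": varbinds}


# Constructed sample: an 'alarm submission' trap as an OLT alarm would be forwarded northbound.
SAMPLE_TRAP = encode_v2c_trap(
    community=b"public", request_id=0x1234, sysuptime=123456,
    trap_oid="1.3.6.1.4.1.3902.1.1",                          # assumed placeholder OID
    varbinds=[("1.3.6.1.4.1.3902.1.2.1", b"OLT-01 PON 1/1/1 LOS major")],
)


def community_on_wire(packet: bytes) -> bool:
    """True when the community string appears verbatim in the packet bytes (always, for v1/v2c)."""
    return peek_v2c(packet)["community"] in packet


if __name__ == "__main__":
    print(SAMPLE_TRAP.hex())
    print(peek_v2c(SAMPLE_TRAP))
```

The check when commissioning the northbound link is therefore that both U31 and the upper-layer system are configured for SNMP v3 with authentication and privacy (authPriv): in v3 the community is replaced by a USM user name, the message carries an HMAC, and the scoped PDU (trap OID and varbinds) is encrypted, so the view that peek_v2c reconstructs is no longer available to an observer.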
NetNumen™ U31 provides an FTP northbound interface that complies with the standard
FTP specifications, including the standard file format, saving path and naming rules.
U31 can be integrated with third-party systems in a short time through the FTP
northbound interface.
FTP northbound interface for RM. NE types: OLT and MDU NEs. The module allows users
to obtain the configuration information; that is, the NMS gets the attributes of all
network resources through
TL1 northbound interface for FM. NE types: OLT, MDU, DPU, MSAN, DSLAM, EODN and
EOMU NEs. Currently, the TL1 interface provides the following FM functions:
1. Heartbeat
2. Alarm submission
3. Query the current alarms
4. Acknowledge/unacknowledge alarms
5. Clear alarms
TL1 northbound interface for PM. NE types: OLT, MDU, DPU, MSAN and DSLAM NEs. The
module gets the real-time PM data of ports.
TL1 northbound interface for CM. NE types: OLT, MDU, DPU, MSAN, DSLAM, EODN and
EOMU NEs. The module provides service configuration functions, for example port
activation and bandwidth parameter settings.
TL1 northbound interface for RM. NE types: OLT, MDU, DPU, MSAN and DSLAM NEs. The
module provides information on resource items such as device, board and port by TL1
command.
WebService northbound interface for PM. NE types: OLT, MDU, DPU, MSAN and DSLAM
NEs. The module gets the real-time PM data of ports.
Further NE types listed under the WebService interface: MSAN, DSLAM, EODN and EOMU
NEs.
Topology Management provides a topology view of the whole network. It enables users to
scan key network data and information on a complete and clear interface. The topology
view shows NEs, their links and their alarms, displaying all this information directly and
in bright colors so that users get a general picture of the network at a glance.
Performance: The list below the view shows the performance KPIs.
Fault management mainly receives the real-time equipment alarms and network events
reported by all network elements in the whole network. It notifies the maintenance staff
in a real-time, audible, visual and direct way so that users know about the abnormal
operating state of the network and equipment. It helps the staff locate the cause and
position of a failure, so that the failure can be discovered, handled and solved as soon
as possible to guarantee normal operation of the system.
The alarm management unit receives and processes the alarms reported by the
equipment and displays them to users through the interface. It can also forward them to
designated recipients by email or short message. The maintenance staff process an alarm
when they confirm it. All collected alarm reports are saved in the database for alarm
statistics and queries.
The NetNumen™ U31 network management system can collect and maintain the generated alarms, and make the alarm and network state visible to users.
Function Description
Redefining of alarm severity: Modifies the levels of different types of alarms. Supports four levels: critical, major, minor and warning.
Function Description
Alarm synchronization: Actively synchronizes equipment alarms.
Function Description
Alarm Correlation Management: Supports configuring alarm correlation management rules to manage alarms. All rules support activating and deactivating operations.
  Alarm delay rule: This rule is mainly used to effectively cancel minor alarms, or alarms that do not interfere with network operation, which recover within a short period. System management personnel can use the alarm delay rule to configure the recovery period. Alarms that recover during this period are not reported; otherwise, they are reported. The alarm delay rule can effectively manage oscillating alarms.
  Alarm suppression rule: This rule is configured to suppress alarm reports. The alarms that suppress the reporting of other alarms are configured as primary alarms, and the suppressed alarms are configured as secondary alarms. When primary alarms exist or occur, secondary alarms are not reported. The rule can be defined to display or not display the secondary alarms after the primary alarms recover. Both primary and secondary alarms can be defined by subscribers.
  Alarm counting rule: This rule is mainly configured for alarm frequency sample collection, which verifies whether the number of alarms that occurred in the specified sample collecting period exceeds the configured threshold value. If it is over the threshold, a new alarm occurs to notify system management personnel. The detailed information and alarm level of this new alarm can be configured.
  Alarm timing rule: This rule is configured to calculate the total duration of certain alarms that conform to specified conditions. If the duration reaches the configured threshold value, the specified operations are implemented, such as upgrading the alarm level or initiating a new alarm.
  Alarm grouping rule: This rule is configured to use one alarm to take the place of certain alarms when reporting to the client, so that the number of alarms received by the client stays small. For example, when several identical alarms that indicate one kind of equipment fault occur at the same time, configure the grouping rule to select one of them as a representative to be displayed in the interface.
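As an added illustration (not NetNumen U31 code), the following Python applies three of the rules described above (delay, suppression and counting) to a constructed alarm stream; the NE names, alarm types and rule parameters are assumptions chosen for the example.

```python
"""Alarm correlation rules (delay, suppression, counting) applied to a constructed
alarm stream.  Added illustration; not NetNumen U31 code.  NE names, alarm types
and rule parameters are assumptions chosen for the example."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmEvent:
    t: int            # seconds on a constructed timeline
    ne: str           # reporting network element (constructed name)
    kind: str         # alarm type
    state: str        # "raise" or "clear"
    severity: str = "minor"


def apply_delay_rule(events, kind, delay):
    """Alarm delay rule: hold a 'kind' alarm for 'delay' seconds; if it clears
    within that period, neither the raise nor the clear is reported."""
    out, pending = [], {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind != kind:
            out.append(ev)
            continue
        key = (ev.ne, ev.kind)
        if ev.state == "raise":
            pending[key] = ev
        elif key in pending:
            held = pending.pop(key)
            if ev.t - held.t >= delay:      # outlived the delay: report both
                out.extend([held, ev])
            # otherwise an oscillation inside the delay period: dropped
        else:
            out.append(ev)                   # clear with no held raise
    out.extend(pending.values())             # still active after the delay
    return sorted(out, key=lambda e: e.t)


def apply_suppression_rule(events, primary, secondary):
    """Alarm suppression rule: while a 'primary' alarm is active on an NE,
    'secondary' alarms of the same NE are not reported."""
    out, active = [], set()
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == primary:
            if ev.state == "raise":
                active.add(ev.ne)
            else:
                active.discard(ev.ne)
            out.append(ev)
        elif ev.kind == secondary and ev.ne in active:
            continue                         # suppressed by the primary alarm
        else:
            out.append(ev)
    return out


def apply_counting_rule(events, kind, window, threshold, new_kind, severity):
    """Alarm counting rule: when more than 'threshold' raises of 'kind' from one
    NE fall inside a sliding 'window' of seconds, raise 'new_kind' (once per NE)."""
    out, recent, fired = [], {}, set()
    for ev in sorted(events, key=lambda e: e.t):
        out.append(ev)
        if ev.kind != kind or ev.state != "raise":
            continue
        q = recent.setdefault(ev.ne, deque())
        q.append(ev.t)
        while q and ev.t - q[0] > window:    # drop samples outside the window
            q.popleft()
        if len(q) > threshold and ev.ne not in fired:
            fired.add(ev.ne)
            out.append(AlarmEvent(ev.t, ev.ne, new_kind, "raise", severity))
    return out


# Constructed stream: a fibre cut with its consequence, a flapping link, a CPU burst.
SAMPLE_EVENTS = [
    AlarmEvent(0, "OLT-1", "LOS", "raise", "critical"),
    AlarmEvent(1, "OLT-1", "ONU_OFFLINE", "raise", "major"),   # caused by the LOS
    AlarmEvent(5, "OLT-2", "LINK_FLAP", "raise"),
    AlarmEvent(9, "OLT-2", "LINK_FLAP", "clear"),              # cleared after 4 s
    AlarmEvent(12, "OLT-2", "LINK_FLAP", "raise"),
    AlarmEvent(30, "OLT-2", "LINK_FLAP", "clear"),             # lasted 18 s
    AlarmEvent(40, "OLT-3", "CPU_HIGH", "raise"),
    AlarmEvent(41, "OLT-3", "CPU_HIGH", "raise"),
    AlarmEvent(42, "OLT-3", "CPU_HIGH", "raise"),
    AlarmEvent(43, "OLT-3", "CPU_HIGH", "raise"),
]


def correlate(events):
    """Run the three rules in sequence with assumed parameters."""
    events = apply_delay_rule(events, kind="LINK_FLAP", delay=10)
    events = apply_suppression_rule(events, primary="LOS", secondary="ONU_OFFLINE")
    return apply_counting_rule(events, kind="CPU_HIGH", window=5, threshold=3,
                               new_kind="CPU_HIGH_STORM", severity="major")


if __name__ == "__main__":
    for ev in correlate(SAMPLE_EVENTS):
        print(f"t={ev.t:>3}s {ev.ne:<6} {ev.kind:<14} {ev.state} ({ev.severity})")
```

Of the ten constructed events, the client receives eight: the 4-second flap and the ONU_OFFLINE secondary alarm are dropped, and one CPU_HIGH_STORM alarm is added.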
Users can order different performance management tasks according to the performance variables they pay attention to. NetNumen™ U31 provides flexible task customization modes:
Function Description
output: Performance history data query granularities include 15 mins, 30 mins, 1 hour, 1 day, and 1 week. Performance history data query periods include 1 day, 1 week, and 1 month, holiday query, and a customized starting time and ending time in the format yyyy-mm-dd hh:mm:ss. It supports selection based on week and month for valid query of performance history data, and a customized period in the format hh:mm:ss.
The user can set high and low thresholds for the performance variables they are concerned about via performance threshold management. When the collected performance data exceeds the set threshold, the network management system generates threshold alarms automatically.
In addition, four levels of thresholds can be set, corresponding to four types of alarms, and a threshold delta value can be set at the same time. For example, when the highest threshold for the critical alarm is set to 100 and the delta value is set to 2, the alarm is generated only when the performance data is larger than 102, and the alarm is recovered when the data is lower than 98.
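As an added illustration (not NetNumen U31 code), the following Python models the four-level high thresholds with a delta value described above, including the 100/2 case from the text; the threshold values and the sample series are assumptions, and low thresholds are not modelled.

```python
"""Performance threshold alarms with four severity levels and a delta value.
Added illustration; not NetNumen U31 code.  Threshold values and the sample
series are assumptions chosen for the example; only high thresholds are modelled."""
from dataclasses import dataclass
from typing import Optional

# Severity levels from highest to lowest, as listed on the page.
SEVERITIES = ("critical", "major", "minor", "warning")


@dataclass
class ThresholdMonitor:
    """Per-level high thresholds with a delta: a level's alarm is generated only
    when the sample exceeds threshold + delta and recovers only when the sample
    falls below threshold - delta, so values inside that band cause no flapping."""
    high: dict                     # severity -> high threshold
    delta: float = 0.0
    current: Optional[str] = None  # severity of the active threshold alarm

    def update(self, value):
        """Feed one collected sample; return the (event, severity) transitions."""
        events = []
        # Recovery: the active alarm clears once the value is below threshold - delta.
        if self.current is not None and value < self.high[self.current] - self.delta:
            events.append(("recover", self.current))
            self.current = None
        # Raise or escalate: the highest level whose threshold + delta is exceeded.
        for sev in SEVERITIES:
            if sev == self.current:           # still inside this level's band
                break
            thr = self.high.get(sev)
            if thr is not None and value > thr + self.delta:
                if self.current is not None:  # escalating from a lower level
                    events.append(("recover", self.current))
                self.current = sev
                events.append(("raise", sev))
                break
        return events


def run_series(monitor, samples):
    """Return the list of transitions produced by each sample in turn."""
    return [monitor.update(v) for v in samples]


# Constructed thresholds and sample series (assumed values).
SAMPLE_THRESHOLDS = {"critical": 100, "major": 80, "minor": 60, "warning": 40}
SAMPLE_VALUES = [50, 101, 103, 99, 97, 30]

if __name__ == "__main__":
    mon = ThresholdMonitor(high=SAMPLE_THRESHOLDS, delta=2)
    for v, ev in zip(SAMPLE_VALUES, run_series(mon, SAMPLE_VALUES)):
        print(f"value={v:>4}  events={ev}")
```

With the sample series, 101 is not enough to raise the critical alarm (it only escalates to major), 103 raises it, 99 sits inside the band and produces nothing, and 97 recovers it.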
The system administrator can create database maintenance tasks and regularly execute operations such as data export, data import, and data clearance on the data tables of the database.
Function Description
System data backup and restoration: Provides backup and restoration of such data as logs, alarms and performance data. Provides database and file backup.
Function Description
Basic data backup: Regularly executes the basic data backup task and backs up all the basic data of the network management system. Only data records are backed up, excluding the table structure and history data such as history alarms, notifications, logs and performance raw data (history data has its own backup function).
Automatic confirmation of history alarm: Automatically confirms history alarms older than the set number of days, avoiding manual confirmation and improving maintainability.
Function Description
Role set management: The user can create, modify, copy and delete a role set as well as assign roles to a role set according to his rights.
Role management: The user can create, modify, copy and delete a role as well as assign operation rights to a role according to his rights.
The user can set role rights according to resource and operation set. This is decentralized multi-domain management.
Log Management:
Log management is used to manage the various logs of the system. A log is the recorded information of the various events and operations of the system. By viewing logs, the user can know whether the system is running properly, locate the cause of a problem, and trace and audit important events. Log management is an effective tool for the system administrator to trace the system running status, locate system faults and trace user operations.
Syslog log management manages the operation logs reported from the equipment. Syslog messages are a necessary means to ensure normal operation of the system and are applied to debugging and security checks. The Syslog management module of the NM software fulfills the following functions: Syslog filtering, receiving, parsing, storage, query, statistics, customized deletion policy, file storage and printing, and receiving Syslog logs from several devices or operating systems.
Syslog messages are displayed in the GUI so that the user can easily check the logs of different devices or operating systems and deal with them.
Users can know system operational status and performance through reports. Report
management system can generate reports at specified time. Users can make correct
analysis and decision through the reports.
When the network size managed by the network management system (such as the number of user ports, FTTH ONUs, etc.) exceeds or will soon exceed the number authorized by the license, the network management system generates an alarm or notification to remind users to apply for a new license in time. If the user fails to apply for and update the license in time, once the exceedance reaches a certain extent, new network elements or FTTH ONUs will be restricted on the network management system.
does not apply for a license, he will not be able to use the function, or can only be tried
for a period of time.
License management provides the functions of license file loading, license information viewing, license over-threshold notifications and alarms, and license over-threshold control.
Function Description
License file loading: Loads the license file into NetNumen™ U31.
License information viewing: Views the license authorization items and the number of licenses currently used.
NetNumen U31 periodically synchronizes configuration data with network elements. The
NetNumen U31 database stores resource data including information on network
elements, cards, ports, ONUs and VLANs.
When device configurations are changed, corresponding data in the NetNumen U31
database will be updated in time.
The resource information in the NetNumen U31 database is also the foundation of other
network management functions. For example, using a network management client to
locate network elements, ports and ONUs across the network depends on the resource
information.
NetNumen U31 system monitoring provides a unified platform to maintain and manage
the network management system. Through this function, the user can add application
servers and database servers for management. The user can perform monitoring and
maintenance operations for the servers, which include monitoring the CPUs, memory
and hard disks of an application server, setting monitoring thresholds so that alarms are
sent when the thresholds are exceeded, monitoring the hard disk space and database
table space of a database server, and setting monitoring thresholds so that alarms are
sent when the thresholds are exceeded.
Function Description
Monitoring database resources: The user can set monitoring thresholds for the ratio and size of hard disks so that alarms are generated when the thresholds are reached. The user can also set monitoring thresholds for the ratio and size of data table space so that alarms are generated when the thresholds are reached.
A database can be backed up in two modes: automatically and manually. The two modes
are described below:
Automatic backup uses a policy task of the NMS to automatically, periodically back up
the database, including the database structure and basic data.
Manual backup uses an offline tool of the NMS to manually back up the database,
including the database structure and basic data.
Select "Backup Basic Data". Set "Target storage path of the backup file". Click "Execute"
to back up the basic data of the database. The database structure can also be backed up
in this way.
Select "Restore Basic Data". Set "Select the backup file", which is the path where the
restored file is stored. Click "Execute" to restore the basic data of the database. The
database structure can also be restored in this way.
NetNumen U31 server operations are performed in three scenarios: new installation,
version upgrade, and patch upgrade.
In the new installation mode, run the "setup" file in the version package and follow the
wizard to complete the installation. The client is also newly installed in the process. In the
upgrade mode, run the "update" file in the version package to upgrade the server. When
the client logs in to the new-version server for the first time, it will automatically download
the client upgrade package and complete the upgrade. In the patch upgrade mode, run
the patch program on the server to read the patch file, and then follow the wizard to
complete the upgrade. After the client logs in, it will automatically install the patch
program to complete the upgrade.
The EMS Client can monitor the operating status of each process of the EMS Server
including the main process of the EMS, TL1 northbound interface process, interface
process, alarm process and performance process, perform statistical analysis on TL1
northbound interface process, and find the reasons that affect process operation
efficiency through analyzing the results to help the maintainers improve EMS operation
efficiency and stability.
The EMS supports the task-based network patrolling function. In a patrolling task, you
can set the task name, task execution cycle, execution time and patrolling indices, and
generate a patrolling report including a list of unqualified items in the patrolling indicating
the name of the checkup item, problem level, processing suggestion, and relevant NE
information (name or IP address).
Patrolling indices:
  NE detection check
  NE alarm check
  NE service status check: 10GE and GE port operating status check, MAC address aging time check, PON port error packet detection
When the onsite EMS function is faulty, the log or configuration files need to be provided
onsite to locate the fault. The log collection function supports precise collection of logs or
configuration files.
designated path.
Configuration management is used to configure device and service attributes for network
commissioning and service provisioning. All managed NEs in the system support
configuration management.
The system supports batch configuration of terminals and central-office devices and the
import and export of configuration parameters.
For different devices, the EMS can set and discover different configuration data. The configurable data include shelf information, card information, port information and other relevant information.
System management mainly allows the user to manage the global properties of network
elements. It covers the basic information of network elements, boards, Trap server,
SNMPv3 configurations, and CLI configurations. It also provides common functions such
as saving configuration data, uploading/downloading configuration files, upgrading
versions, resetting network elements and resetting boards.
Function Description
Managing the basic information of network elements: Query and configure network element information such as name, location, contact and runtime.
Managing SNMPv3 configurations: Query and configure SNMPv3 access views, user groups and users.
Managing CLI configurations: Query and configure global information of CLI, user information, and session information of login users.
Overheat protection and emergency energy-saving configuration: Configure the overheat protection and emergency energy-saving parameters of network elements.
Function Description
Environment monitoring configuration management: Query and configure the environment monitoring information of network elements, including environment temperature alarm thresholds and the working mode of fans.
Resetting the system: Remotely reboot network elements. This function is used to fix system faults, upgrade versions, restore configurations, and so on.
Card management mainly allows the user to query card information including type, status,
hardware version, software version, CPU utilization and memory utilization. The user can
configure CPU utilization thresholds and memory utilization thresholds as well as perform
operations such as resetting and switching over cards.
Port management mainly allows the user to manage network interfaces such as uplink
ports, P2P ports, and user ports.
OTDR management mainly allows the user to perform OTDR tests, including the fast test, health database test and routine test.
Layer-2 protocol management mainly allows the user to manage Layer-2 network
protocols including VLAN, QoS, multicast and STP.
Function Description
VLAN management: Query and configure the VLAN attributes of network elements and ports, including VLAN, VLAN conversion and QinQ.
Function Description
Multicast management: Query and configure IGMP, MLD and IPTV. IGMP and MLD configurations include global parameters such as protocol enabling, service attributes such as multicast VLAN, source port and receiving port, and port attributes such as enabling fast-leave and limiting the maximum number of multicast groups. IPTV configurations include preview parameter profile, channel, package, port access control, and calling detail record.
Layer-3 protocol management mainly allows the user to manage Layer-3 network
protocols including DHCP, routing, OSPF, IS-IS and BGP.
Function Description
Port identification configuration: Uses port identification mechanisms such as DHCP Option 82 and PPPoE to prevent the theft of user accounts.
Current CLI sessions: Manages and detects CLI login users to prevent illegal users from logging in locally.
Function Description
Authentication and authorization configuration: Configure authentication and authorization modes including AAA, TACACS+, RADIUS and 802.1x.
Template management allows the user to manage the template list of network elements.
The templates include ONU type templates, ONU type offline templates, ONU
energy-saving templates, VoIP templates, bandwidth-related templates, VRG templates
and WAN templates.
Function Description
ONU type templates: Define the device type and port type of an ONU by configuring the ONU type template. The configuration for the ONU type offline template is similar.
The common functions provided by NetNumen™ U31 for the configuration, operation
and maintenance of GPON service include GPON service provisioning configuration
based on PON service templates, ONU configuration management, network element
protocol manager, centralized ONU management, ONU query, ONU version update
management, template configuration management, and fault diagnosis management.
Step 1: Create PON service templates. The user can create ONU remote templates and ONU line templates via GUI or CLI. While creating ONU remote templates and ONU line templates, the user can use the templates created as described in Section 7.1.7 "Global PON Template Management", such as ONU type templates, bandwidth templates and voice templates, to further simplify service configuration.
Step 2: Bind PON service templates. When creating an ONU, specify the corresponding templates or bind the templates through northbound interface commands. After the PON service templates are bound, the service can be activated.
ONU configuration management provides all the configurations of ONU. The ONUs
under various PON cards are flexibly displayed as needed, and the status of the
ONUs is shown as graphs for convenient viewing.
After selecting an ONU, the user can perform management functions including
physical configuration management, port configuration, line configuration, Vport
service configuration, and service configuration management.
Function Description
Service configuration management: Service configuration management allows the user to configure the VLANs of services, flows and UNI ports of ONUs.
The network element protocol manager allows the user to configure and manage
the narrowband and broadband services of network elements in a centralized
manner. In the network element protocol manager, an operation tree provides the
entries to configuration management functions, including those for VLAN, multicast
and QoS.
Centralized ONU management provides an ONU query view and an ONU topology
view. In the ONU query view, the user can query ONUs according to a pre-set or
self-defined template. After that, the user can view the status, configure the services
and analyze the performance of specified ONUs. In the ONU topology view,
network elements as well as their cards or ports can be displayed. At the
corresponding topology level, the user can perform service configuration and
management for the network elements, cards or ports.
Function Description
ONU query view: In the ONU query view, the user can query ONUs through the pre-set template, view the information of the pre-set template, create a new pre-set template through copying, create a self-defined query template, query ONUs through the self-defined query template, modify the self-defined query template, delete the self-defined query template, create a new self-defined query template through copying, open the ONU configuration management window, display ONU details, display the current alarms of ONUs, display and export the statistics of queried ONUs, configure the attributes displayed in the ONU query view, display the queried ONUs whose status is abnormal, manage and configure ONUs, and so on.
ONU query
ONU query allows the user to query and locate ONUs across the network before
performing operation and maintenance.
Function Description
ONU location: After the query produces an ONU, the user can right-click it and then locate it through shortcut menu items including ONU configuration management, network element topology, ONU topology, port management, and main topology OLT.
ONU version update management allows the user to create version update tasks,
batch-upgrade ONU versions and upload/download ONU versions.
Function Description
Viewing ONU version update task logs: View ONU version update logs, which include such information as ONU location, update status, and version.
PON optical module diagnosis allows the user to set the parameters of PON optical
modules. When the system detects that a parameter threshold is exceeded, it
generates an alarm.
An ONU sends data packets upstream according to a time stamp allocated by the OLT. If an ONU sends optical signals while no time stamp has been allocated, its signals conflict with the optical signals of the other ONUs and interfere with their communication. Such an ONU, which sends optical signals upstream not according to an allocated time stamp, is called a rogue ONU. NetNumen™ U31 provides rogue ONU detection and allows the user to detect and locate rogue ONUs.
The signaling tracing function of NetNumen™ U31 covers H.248 call signaling observation, call data observation, and protocol control. SIP signaling tracing allows the user to trace signaling during a call and to observe the whole signaling process from speech path establishment to removal. SIP signaling tracing also allows the user to locate call loss, thus facilitating troubleshooting.
Function Description
PON optical module diagnosis: Displays PON port and ONU optical module information. Sets PON port optical module alarm thresholds. Sets ONU optical module alarm thresholds.
H.248 signaling tracing: Observe H.248 data, observe event data, trace H.248 signaling calls, trace multiple SLNs, and perform protocol control.
SIP signaling tracing: Trace SIP signaling calls. Save and clear SIP signaling call tracing data. Automatically saves SIP signaling call tracing data. Displays the latest records of SIP signaling call tracing. Stop SIP signaling call tracing.
The common functions provided by NetNumen™ U31 for the configuration, operation
and maintenance of EPON service include ONU configuration management, network
element protocol manager, centralized ONU management, ONU query, ONU version
update management, and fault diagnosis management.
ONU configuration management provides all the configurations of ONU. The ONUs
under various PON cards are flexibly displayed as needed, and the status of the
ONUs is shown as graphs for convenient viewing.
After selecting an ONU, the user can perform management functions including
physical configuration management, port configuration, line configuration, Vport
service configuration, and service configuration management.
Function Description
Vport service configuration: Vport service configuration allows the user to configure the ServicePort service of an ONU.
The network element protocol manager allows the user to configure and manage
the narrowband and broadband services of network elements in a centralized
manner. In the network element protocol manager, an operation tree provides the
entries to configuration management functions, including those for VLAN, multicast
and QoS.
Centralized ONU management provides an ONU query view and an ONU topology
view. In the ONU query view, the user can query ONUs according to a pre-set or
self-defined template. After that, the user can view the status, configure the services
and analyze the performance of specified ONUs. In the ONU topology view,
network elements as well as their cards or ports can be displayed. At the
corresponding topology level, the user can perform service configuration and
management for the network elements, cards or ports.
Function Description
ONU query view: In the ONU query view, the user can query ONUs through the pre-set template, view the information of the pre-set template, create a new query template through copying, create a self-defined query template, query ONUs through the self-defined query template, modify the self-defined query template, delete the self-defined query template, create a new self-defined query template through copying, open the ONU configuration management window, display ONU details, display the current alarms of ONUs, display and export the statistics of queried ONUs, configure the attributes displayed in the ONU query view, display the queried ONUs whose status is abnormal, manage and configure ONUs, and so on.
ONU query
ONU query allows the user to query and locate ONUs across the network before
performing operation and maintenance.
Function Description
ONU location: After the query produces an ONU, the user can right-click it and then locate it through shortcut menu items including ONU configuration management, network element topology, ONU topology, port management, and main topology OLT.
ONU version update management allows the user to create version update tasks,
batch-upgrade ONU versions and upload/download ONU versions.
Function Description
Viewing ONU version update task logs: View ONU version update logs, which include such information as ONU location, update status, and version.
PON optical module diagnosis allows the user to set the parameters of PON optical
modules. When the system detects that a parameter threshold is exceeded, it
generates an alarm.
An ONU sends data packets upstream according to a time stamp allocated by the OLT. If an ONU sends optical signals while no time stamp has been allocated, its signals conflict with the optical signals of the other ONUs and interfere with their communication. Such an ONU, which sends optical signals upstream not according to an allocated time stamp, is called a rogue ONU. NetNumen™ U31 provides rogue ONU detection configuration management and allows the user to detect and locate rogue ONUs.
The signaling tracing function of NetNumen™ U31 covers H.248 call signaling observation, call data observation, and protocol control. SIP signaling tracing allows the user to trace signaling during a call and to observe the whole signaling process from speech path establishment to removal. SIP signaling tracing also allows the user to locate call loss, thus facilitating troubleshooting.
Function Description
PON optical module diagnosis: Displays PON port and PON optical module information. Sets PON port and PON optical module alarm thresholds. Sets ONU optical module alarm thresholds.
H.248 signaling tracing: Observe H.248 data, observe event data, trace H.248 signaling calls, trace multiple SLNs, and perform protocol control.
SIP signaling tracing: Trace SIP signaling calls. Save and clear SIP signaling call tracing data. Automatically saves SIP signaling call tracing data. Displays the latest records of SIP signaling call tracing. Stop SIP signaling call tracing.
Function Description
ONU-side CES service configuration: Includes CES link configuration and CES attribute template configuration.
ONU management includes the following functions: ONU list management, ONU
authentication and registration, and global settings. Moreover, ONU templates are
available, which simplifies ONU configuration duties.
Function Description
ONU template management: Users can maintain the global ONU templates that simplify the ONU configuration duties. The commonly used templates are the ONU type template, ONU bandwidth template, and VoIP protocol template.
VoIP management provides the management functions for voice services on ONU NEs.
ONU UNI port management allows the user to manage the UNI ports of ONUs. It
comprises the following functions:
Function Description
Ethernet port management: The user can view and configure Ethernet port attributes, including management status and duplex rate mode.
Voice port management: The user can view and configure voice port attributes, including management status, impedance and gain.
Video port management: The user can view and configure video port attributes, including management status and whether power has been turned on.
Function Description
Uploading/downloading ONU versions: Upload ONU version files to network elements or download ONU version files from network elements.
Managing ONU version update tasks: Create offline ONU version update tasks on the NMS, and send the tasks to the OLT network elements. ONU version update tasks can be executed either just once or periodically.
Viewing ONU version update task logs: View the information on ONU version updates.
Manually updating ONU versions: Select a single ONU or multiple ONUs under a specified PON port, and then manually update the ONU version(s).
Function Description
ONU service level management: The user can configure global ONU service level templates, rules for automatically mapping ONU service levels, and so on, to achieve differentiated management of ONUs.
To enter the PON service cutover function, click the main menu > Maintenance > PON service cutover (MAoCut).
C220 (C220v1.1, C220v1.2), C300 (C300, C300V2), C600: Supports data cutover, same-slot cutover and different-slot cutover of EPON, 10G-EPON and GPON ONUs.
SN Function Description
1 Supports same-slot card cutover
2 Supports querying detailed command execution information after the cutover
3 Supports the preference configuration function (retry time, wait time, etc.)
4 Supports viewing all failed cutover operations
5 Supports Telnet operations
6 Supports the configuration comparison function (to check the configuration changes before and after the cutover)
SN Function Description
1 Supports different-slot card cutover (including the cutover between IAP1.2 cards and between IAP1.2 and IAP2.0 cards)
2 Supports cross-NE cutover and the cutover within the same NE
3 Supports querying detailed command execution information after the cutover
4 Supports the preference configuration function (retry time, wait time, etc.)
5 Supports viewing all failed cutover operations
6 Supports Telnet operations
7 Cross-version cutover supports command conversion
8 Supports customized functions for some areas
Functions Description
Pure Hardware Installation: On-site workers only need to complete the equipment and link installation; no configuration operation is needed.
Auto-Activation of device and service: After power-on, the equipment automatically looks for the PMA (NetNumen U31) according to pre-configured data, gets its configuration data and activates the service.
Fast provision: When the equipment starts up, it connects with the PMA and loads the most recent configuration data mapping saved locally; if there is no change in planning, the set-up rate is accelerated.
Protocol with PMA: SNMP is adopted between the PMA and the ZXA10 9852G.
System management provides global attribute management for NEs, including NE basic
information, board information, and global protocol information. Moreover, users are
allowed to save configurations, download/upload configuration files, upgrade versions,
reset NEs, and reset boards.
Function Description
Board basic information management: Users are allowed to query the board state and version information. Moreover, they can reset the boards and perform the switchover operation.
Global protocol information management: Users are allowed to query and configure the parameters of global protocols, such as NTP.
Configuration storage: Users are allowed to save the current configurations of NEs to the configuration files to prevent a data loss upon reboot.
Function Description
Version management: Users can manage the version files on NEs and upgrade the NEs.
DPU Uplink Port management allows users to manage the network interface such as
uplink interfaces.
Function Description
Ethernet port management: Users are allowed to query and configure the port attributes such as the Ethernet ports' administrative state, operational state, duplex, and rate.
G.fast is a digital subscriber line standard for local loops shorter than 500 m, with performance targets between 150 Mbit/s and 1 Gbit/s, depending on loop length. As in VDSL2 and most ADSL variants, G.fast modulates data using discrete multi-tone modulation.
G.fast uses time-division duplexing, as opposed to ADSL2 and VDSL2, which use frequency-division duplexing. G.fast is often used in the FTTdp scenario. In FTTdp deployments, a limited number of subscribers at a distance of up to 200–300 m are attached to one fiber node, which acts as the DSL access multiplexer.
ZXA10 9852G supports the G.fast technology, which provides faster Internet access service and is deployed closer to the subscribers. This procedure introduces how to configure a G.fast line profile, which defines the parameters for G.fast services.
Function / Description
G.fast port management: Users can query and configure the port administrative state,
operational state, rate, and user information.
Layer-2 protocol management mainly allows the user to manage Layer-2 network
protocols including VLAN, QoS, multicast and STP.
Function / Description
VLAN management: Query and configure the VLAN attributes of network elements and ports,
including VLAN and QinQ.
Multicast management: Query and configure IGMP, MLD and IPTV. IGMP and MLD configurations
include global parameters such as protocol enabling, service attributes such as multicast
VLAN, source port and receiving port, and port attributes such as enabling fast-leave and
limiting the maximum number of multicast groups. IPTV configurations include preview
parameter profile, channel, package, port access control, and calling detail record.
Function / Description
VDSL alarm configuration template: Users can query and configure the VDSL alarm
configuration template, including the Lof seconds, Los seconds, errored seconds, and
severely errored seconds.
VDSL port tests: U31 provides a variety of tests for VDSL ports, including the Selt test
and Delt test.
NetNumen U31 as PMAA has a PMA module which provides the basic functions for
managing DPU network elements. The NMS maintains the software versions and
manages the benchmark operational data of DPU network elements to achieve zero
touch in the activation and replacement of DPUs.
Function / Description
DPU network element topology management: The user can create, modify and delete DPU
network elements on the NM topology.
DPU mode initialization trap: When a DPU is restarted, it uses the trap to register with
the PMAA and obtain a real management IP address.
DPU retrieving configuration file trap: A DPU uses the trap to periodically request
synchronization of version and operational data with the PMAA.
PMAA-DPU status monitoring: The operational status of DPUs is monitored in real time.
The global configuration file is used for configuring all the DPUs within the same domain.
It contains the global configurations of NEs, and can be generated in the EMS interface.
The extended configuration file is used for configuring a single DPU. It contains the
global configurations and port configurations, and can be generated in the EMS interface
and via the northbound interface.
Function / Description
Global Configuration File Management: Users can query and configure the global
configurations of a domain, including VLAN configurations, QoS configurations, system
management and G.fast management.
Extended Configuration File Management: Users can query and configure the global and port
configurations of NEs, including VLAN configurations, QoS configurations, profile
configurations, system management and G.fast management.
When a DPU gets offline, the TL1 configurations are stored in the configuration file and
will be synchronized to the DPU when it gets online.
The EMS supports the domain-based and multi-FTP server DPU management.
Function / Description
DPU domain management: Configures and queries DPU domain information.
Function / Description
Port identification configuration: Use port identification mechanisms such as DHCP
Option 82 and PPPoE to prevent the theft of user accounts.
IP and MAC address binding: Bind the IP and MAC addresses of a port to prevent use by
illegal users.
Restriction of the maximum number of MAC addresses learned: Restrict the maximum number
of MAC addresses learned to prevent MAC spoofing.
Reverse Power Feeding (RPF) supplies 10 W of power in the reverse direction to a DPU to
run a single port over a maximum range of 250 m. The core diameter of the Ethernet cable
is 0.4 to 0.6 mm. The Distribution Point (DP) works with the Power Sourcing Equipment
(PSE) to perform remote RPF, which provides the electricity the DPU needs to operate. The
DPU also uses its own main control board to manage the power level of the electricity
supplied to users.
Function / Description
RPF configuration: Query and configure global and port parameters, including RPF mode,
port power feeding status, and power supply status.
System management provides global attribute management for NEs, including NE basic
information, board information, and global protocol information. Moreover, users are
allowed to save configurations, download/upload configuration files, upgrade versions,
reset NEs, and reset boards.
Function / Description
Board basic information management: Users are allowed to query the board state and
version information. Moreover, they can reset the boards and perform the switchover
operation.
Global protocol information management: Users are allowed to query and configure the
parameters of global protocols, such as NTP.
Configuration storage: Users are allowed to save the current configurations of NEs to
the configuration files to prevent data loss upon reboot.
Software management: Users can manage the software files on NEs and upgrade the NEs.
Layer-2 protocol management mainly allows the user to manage Layer-2 network
protocols including VLAN, QoS, multicast and STP.
Function / Description
VLAN management: Query and configure the VLAN attributes of network elements and ports,
including VLAN, VLAN translation and QinQ.
Multicast management: Query and configure IGMP, MLD and IPTV. IGMP and MLD configurations
include global parameters such as protocol enabling, service attributes such as multicast
VLAN, source port and destination port, and port attributes such as enabling fast-leave
and limiting the maximum number of multicast groups. IPTV configurations include
parameter profile, program source, package, port rights, and user call statistics.
Layer-3 protocol management mainly allows the user to manage Layer-3 network
protocols including DHCP, routing, OSPF, IS-IS and BGP.
Asymmetric digital subscriber line (ADSL) is a type of technology that enables broadband
data transmission over copper telephone lines. The ADSL upstream and downstream
bandwidth requirements are asymmetrical.
Function / Description
ADSL line configuration template: Users can query and configure the ADSL line
configuration template, including the upstream/downstream rate, SNR margin, the maximum
interleaved delay, and minimum impulse protection.
ADSL alarm configuration template: Users can query and configure the ADSL alarm
configuration template, including the upstream/downstream Lof seconds, Los seconds, Lpr
seconds, and errored seconds.
ADSL bridge port management: Users can manage the ADSL ports' PVC parameters, including
the VPI, VCI, administrative state, VLAN, and default priority.
ADSL port tests: U31 provides a variety of tests for ADSL ports, including the Selt test,
Delt test, and F5 loopback test.
Function / Description
VDSL alarm configuration template: Users can query and configure the VDSL alarm
configuration template, including the Lof seconds, Los seconds, errored seconds, and
severely errored seconds.
VDSL port tests: U31 provides a variety of tests for VDSL ports, including the Selt test
and Delt test.
Function / Description
SHDSL port management: Users can query and configure the port administrative state,
operational state, rate, and user information.
Function / Description
Port identification configuration: Use port identification mechanisms such as DHCP
Option 82 and PPPoE to prevent the theft of user accounts.
Current CLI sessions: Manages and detects CLI login users to prevent illegal users from
logging in locally.
Authentication and authorization configuration: Configure authentication and
authorization modes including AAA, TACACS+, RADIUS and 802.1x.
10 System Security
Along with the rapid development of telecom technologies and convergence of telecom
and IT domains, telecom networks are moving towards a more open era with escalating
complexity and management difficulty. Operators have to face the security problems and
risks coming after fast development. In terms of security management, operators are not
limited to the traditional simple requirements such as account management and
anti-virus software but expect to implement end-to-end security over the entire system
and cover such aspects as physical entities, all-IP network security, and security
management flow & specifications.
The NetNumen™ U31 security solution covers every aspect of system security. The
following sections describe the solution from different aspects such as physical security,
network security, system reinforcement, application security, and data encryption.
To tackle the above-mentioned physical threats, NetNumen™ U31 takes the following
measures:
Physical area security: Security requirements for equipment rooms and racks are put
forward; door locks, entry control, and key management are supported. A unique lock is
installed for the equipment room and racks where U31 is located. An access control system
is provided and is able to report alarms to U31. Measures are taken to keep keys secure.
Hardware and part management: The physical parts of U31 should be managed and their
states should be traced. The U31 system is built according to the security
specifications. When fixing or replacing parts containing sensitive information, the
strict security and confidentiality requirements are obeyed. In the office, sensitive
information should be deleted and paper containing it should be destroyed; therefore,
paper shredders and enterprise-level data eraser software should be provided.
Limitations on access to core entities of U31: Mobile storage devices are not allowed to
access the core entities of U31, or only have certain access permissions; wireless access
is also limited in the U31 system.
Video detection and recording: The physical environment where U31 resides is monitored so
that the possibility of intrusion and theft is reduced. Moreover, security events can be
traced back.
The above physical security measures should be feasible for operators; namely they are
not contradictory to the operators’ enterprise management regulations and their actual
condition. Therefore, it is necessary to provide the feasible security measures during the
system deployment process (including configuration and installation) and furthermore
work with operators to build the overall physical security measures.
NetNumen™ U31 is operating in an all-IP network. The basic network facilities are
deployed for communications among U31 clients, U31 servers, NEs, and other related
systems. The information inputted by users and the data exchanged by systems need to
come through these network facilities. Therefore, it is necessary to ensure network
security for U31 both in design and deployment. The purpose is to protect the system
from illegal intrusions, illegal access, eavesdropping, and decryption.
In the above diagram, the following network components are related to security:
IP network devices, such as switches and routers: are responsible for communications
within the network. Moreover, these devices allow the network to be divided into several
areas through such technologies as VLAN.
VPN gateway: controls the remote access activities and encrypts the data transferred
over the Internet.
In terms of design and construction, U31 complies with a series of security principles for
the purpose of improved network security. The principles are listed as follows:
Overall security
U31 is a part of the whole telecom network and also belongs to the enterprise network of
operators. Therefore, the security solution for U31 should be considered as a part of the
whole network’s security solution. Moreover, U31 should comply with the security
planning for IP addresses of the whole network to ensure overall security.
The whole network is divided into different domains by function and positioning. Domains
are defined based on different service levels for easy management of network security,
which gives the network a clearer structure. When an attack occurs, it is isolated within
the domain. The U31 system is also divided into independent sub-domains (VLANs) by
function. Domains are isolated from each other by setting the parameters on network
devices, which helps users locate the sources of network attacks.
Security measures, such as firewall and security policies, are taken at the boundary
between U31 and other networks (for example, operators’ enterprise network or other
networks) to control the access to U31 and filter the suspicious access requests.
Moreover, attacks are not allowed from U31 to the connected external networks. These
measures are efficient in reducing the security threats and attacks, and are able to
prevent attacks from spreading to other areas.
The firewall is configured to record detailed logs that can be exported to the dedicated
log server for further detailed analysis. With this function, network administrators can
discover network intrusion events, illegal access attempts, and vulnerabilities of the
network.
Remote clients are not allowed to access U31 from the Internet, as it is difficult to
ensure the security of the client environment and to control the remote clients. If visits
from remote clients are allowed, they need to access U31 through VPN tunnels where data is
encrypted. Moreover, two-factor authentication is required for the clients. After
successful authentication, the remote clients are virtualized as internal clients to
interact with the U31 server(s).
The purpose of system security reinforcement is to ensure the secure and low-risk
operation of NetNumen™ U31 and related support software, including the U31
application, database, OS, and other support software. The primary approach of system
security reinforcement is modification of the default security settings and module
configuration. It enables users to remove the known security weakness and
vulnerabilities. Attackers cannot find any vulnerability to exploit and fail to intrude into the
system.
10.3.1 Background
The NetNumen™ U31 application and the software it relies on, such as the database,
OS, and third-party software, have multiple modules and configuration items. These
systems may not be in the secure operational state when they are installed or in use.
Moreover, the default security settings of some software cannot comply with the security
requirements of the telecom network and operators. All of the above need to be modified
or corrected before the systems are delivered to operators or during the operation of the
systems. Without system security reinforcement measures, weak security settings and
vulnerabilities are subject to viruses and malicious attacks, and the security measures
taken during development and design lose their effect.
10.3.2 Principles
Minimum installation: When the system is installed or deployed, only a minimum number
of mandatory modules and services are installed. Optional modules and services are not
installed, reducing the possibility of being the target of attacks. This principle is also
applicable to installation of functions in a module. For example, disabling unsecure ports,
terminating the unnecessary services, and removing the useless shared directories.
The minimum number of necessary accounts and strict authorization: Strict account
management and account policies are implemented. All useless accounts and user
groups are deleted from the system. After software is installed, it has the default security
permission settings. The settings that are not required or used by U31 need to be deleted
or disabled in time, for example the user Guest.
Latest version: If possible, it is recommended to upgrade the system to the latest version.
This measure can fix vulnerabilities and remove the problems that cannot be solved by
manual configuration. It should be noted that this principle is applicable only under the
condition that compatibility is ensured and functions are not changed.
Specific Role definition: Software systems may provide different functionalities according
to their original design. However, after they are deployed in U31, they play the roles only
defined in the project design.
System security reinforcement covers not only the NetNumen™ U31 application but also
the software related to U31 security. For example, the support software including OS and
database, and the software collaborating with U31 to provide functions and solutions,
such as remote desktop software, cluster software, and backup software. In terms of time,
system security reinforcement covers the entire lifecycle of U31 and third-party software,
from the start of the formal versions, to the following patches, and to the end of the after
sales service.
After U31 is installed, it has the fundamental configurations that provide the basic
security capability. System security reinforcement is to adjust and enforce the security
policies according to the actual situation and customer requirements. The security
policies include the password policies, account policies, and permissions of the file
systems.
With years of experience, ZTE provides the system security reinforcement solution for
the following OSs:
2. Solaris 10/11
ZTE provides the system security reinforcement solution for the following databases:
1. Oracle 12c/11gR2
Citrix, Veritas, and NetBackup are the third-party software that is a part of U31 solutions.
Security for these applications should also be guaranteed, and their security settings
should be reinforced. ZTE provides the strong password authentication and permission
modifications.
10.3.4 Implementation
The system security reinforcement solution is a typical security solution that requires
both technologies and management. System security reinforcement is a procedure
containing activities in different phases. The detailed procedure is as follows:
1. Before the system is delivered, it should be installed with the latest software. Run
the templates and scripts against the security reinforcement checklist for the OS
and database.
2. When the system is operating, perform the health check periodically and check if
system security reinforcement policies are executed successfully. Moreover,
system security reinforcement is implemented for devices that are newly deployed
in the network.
NetNumen™ U31 provides the auto-tools of system security reinforcement detection and
script execution.
The NetNumen™ U31 solution includes third-party hardware/software systems that are not
developed by ZTE and also have security vulnerabilities. Therefore, security patches for
these systems are also managed.
A NetNumen™ U31 security group is founded in ZTE to take charge of security patch
management for related third-party hardware/software systems. Its responsibilities are
listed as follows:
Working closely with the vendors on security guarantee issues, including Microsoft,
Oracle, IBM, HP, Symantec, and Citrix.
Keeping pace with the security reports (for example CERT) released by the security
organizations in the industry, and analyzing the third-party hardware/software
security problems mentioned in the reports.
It should be noted that not all security bulletins and patches released by third parties
are applicable to NetNumen™ U31. Therefore, the U31 security group needs to analyze the
security bulletins and the effects of the security patches to determine whether they will
improve the security of the U31 system. The U31 security group obtains the security
patches that are necessary to improve U31 security, analyzes the effects that the patches
have on U31, lists the patches in the trace list, and tests compatibility between the
patches and U31.
If they are not compatible with U31, the group needs to contact the vendors for a further
measure, for example a new security patch or another method. A security patch is released
and deployed on site only when it is proved to be compatible with the U31 system.
If the security patches pass the test successfully, the NetNumen™ U31 security group
issues a security bulletin to the internal customer service & maintenance departments and
to the operators. The customer service & maintenance department negotiates with operators
on the deployment of third-party security patches. After the deployment solution is
finalized, it can be implemented. If the effects on a system do not allow smooth and
timely deployment, the group negotiates a temporary solution.
The anti-virus, anti-worm, and anti-Trojan software is installed to protect hosts in the
NetNumen™ U31 system. It focuses on the Windows hosts as these hosts are more
subject to the viruses and attacks.
ZTE works with the well-known security software companies in the industry, including
Symantec, Intel McAfee, and Trend Micro.
Generally, the virus libraries for anti-virus, anti-worm, and anti-Trojan software are
updated frequently; several updates are available in a week. The following figure shows
the virus library update solution. A virus library server (AV Server), which is allowed to
access the Internet, is deployed in the network; it is recommended to deploy the server in
the DMZ of the network. The application servers and clients of the U31 system all act as
clients obtaining updates from the virus library server. The update policy should require
an update at least once each week.
Application security for NetNumen™ U31 focuses on access control that identifies and
trusts users before they are allowed to visit the system, preventing misoperations and
malicious attacks aiming to obtain more permissions. Access control is committed to the
following four aims, matching the four processes respectively, authentication,
authorization, accounting, and auditing:
Allowing users to execute the permissions granted to them and obtain the
information available for them;
Rejecting the operations and information that are not granted to users;
Identifying legal users from the illegal ones, checking user permissions, and
recording user operations.
The application security solution covers every aspect related to the storage of EMS
information and resources. The aspects include the login process during human-machine
interactions, authentication activities between servers and clients, EMS resource access
control over northbound interfaces, support for third-party authentication servers,
centralized security, and single sign-on.
The permission model of NetNumen™ U31 is designed based on the RBAC model, a role-based
access control model for users. The role-based security model for permissions is
region-based and function-based: different regions and functions constitute different
roles, and permissions are assigned to roles rather than to users. Roles with
The permission model of U31 contains the following basic elements: roles, resources,
operations, user groups, and users.
Resources: are the targets that users want to access or change in the system.
Resources can be NEs, a feature of EMS, or templates (for example task templates
and report templates). The smallest granularity of device allocated to roles as a
resource is NE.
Operations: are the actions where users operate resources, for example, the read,
add, delete, modify, start, and stop operations.
Role and role set: A role consists of the operations that the role can perform for the
specified resources. A role set consists of multiple well-defined roles.
Users: are granted the permissions by assigning roles or role sets to them. After
successful assignment, users can perform the allowed operations for resources
matching the ones defined in roles or role sets. If the actions of users are beyond
the allowed permissions or resources, they are regarded as illegal operations.
User group: consists of users with specific permissions. Roles or role sets can be
assigned to a user group, and the permissions of those roles or role sets are granted to
the user group accordingly. A user assigned to the user group automatically has all the
permissions of the roles or role sets granted to the group. User groups are used for
convenient authorization.
U31 provides some default roles for operators who can define other roles based on the
default ones.
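The permission model above (resources, operations, roles, role sets, users, user groups) as a
runnable authorization check. This is an added example, not ZTE's code; the NE names, roles
and users are constructed sample data, and the operation-log record it writes is a
simplification of the fields the logging section lists.

```python
"""RBAC check modelled on the permission elements described above: resources,
operations, roles, role sets, users and user groups.

Added example, not ZTE's code. The NE names, roles and users are constructed
sample data; the U31 product defines its own default roles and resource types.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# One permission is one operation on one resource. NE is the smallest device
# granularity that can be assigned to a role, so device resources are named by NE.
Permission = Tuple[str, str]   # (resource, operation), e.g. ("OLT-A", "modify")


@dataclass
class Role:
    name: str
    permissions: Set[Permission]


@dataclass
class RoleSet:
    name: str
    roles: List[Role]


@dataclass
class UserGroup:
    name: str
    roles: List[Role] = field(default_factory=list)
    role_sets: List[RoleSet] = field(default_factory=list)


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)
    role_sets: List[RoleSet] = field(default_factory=list)
    groups: List[UserGroup] = field(default_factory=list)


def _expand(roles: Iterable[Role], role_sets: Iterable[RoleSet]) -> Set[Permission]:
    perms: Set[Permission] = set()
    for role in roles:
        perms |= role.permissions
    for role_set in role_sets:
        for role in role_set.roles:
            perms |= role.permissions
    return perms


def effective_permissions(user: User) -> Set[Permission]:
    """Permissions never attach to a user directly: they come from the roles and
    role sets assigned to the user plus those assigned to each of the user's groups."""
    perms = _expand(user.roles, user.role_sets)
    for group in user.groups:
        perms |= _expand(group.roles, group.role_sets)
    return perms


def is_authorized(user: User, resource: str, operation: str) -> bool:
    """An action outside the granted (resource, operation) pairs is an illegal
    operation and is rejected."""
    return (resource, operation) in effective_permissions(user)


def authorize_and_log(user: User, resource: str, operation: str,
                      operation_log: List[Dict[str, str]]) -> bool:
    """Authorization decision plus an operation-log record (user, object, details,
    result). Rejected attempts are logged too; that is what later auditing relies on."""
    allowed = is_authorized(user, resource, operation)
    operation_log.append({"user": user.name, "object": resource,
                          "details": operation,
                          "result": "allowed" if allowed else "rejected"})
    return allowed


# Constructed sample data: two NEs, a read-only role per NE, a configuration
# role for OLT-A, a monitoring role set, a NOC group and two users.
read_a = Role("read-OLT-A", {("OLT-A", "read")})
read_b = Role("read-OLT-B", {("OLT-B", "read")})
config_a = Role("config-OLT-A", {("OLT-A", op) for op in
                                 ("read", "add", "delete", "modify", "start", "stop")})
monitor_all = RoleSet("monitor-all", [read_a, read_b])
noc_group = UserGroup("NOC", role_sets=[monitor_all])

alice = User("alice", roles=[config_a], groups=[noc_group])   # configures OLT-A, reads both
bob = User("bob", groups=[noc_group])                         # read-only, via the group only

if __name__ == "__main__":
    log: List[Dict[str, str]] = []
    for user, res, op in [(alice, "OLT-A", "modify"), (bob, "OLT-A", "modify"),
                          (bob, "OLT-B", "read")]:
        print(user.name, res, op, "->", authorize_and_log(user, res, op, log))
    print(log)
```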
To improve security and effectiveness during user login activities, NetNumen™ U31
provides a variety of management functions for user accounts/passwords and allows
users to set the related policies; moreover, it allows users to manage the sessions. The
following lists some important policies and mechanisms for account management:
Users are allowed to set the character types that a password may contain, for example
letters, digits, and non-letter characters; whether the password is case sensitive can
also be specified.
Limitations are imposed on the following items: the login time, IP address, MAC address,
and the number of concurrent users.
5. Login address policy: Only access requests from the specified IP addresses, MAC
addresses, and address segments are allowed to log into the system. Purpose: prevents
attacks from hosts that are not managed or limited by the system.
6. Login time policy: Time periods for login can be specified. Purpose: prevents attacks
initiated outside the specified time periods.
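The password character-type policy, the login address policy and the login time policy just
listed, as an added example of how such checks are evaluated (not ZTE's code). The allowed
address segments, MAC list and time windows are constructed sample values, and "non-letter
character" is interpreted here as a character that is neither a letter nor a digit.

```python
"""Account-policy checks for the mechanisms described above: password character
types (with optional case-insensitivity), login address policy and login time policy.

Added example, not ZTE's code. Address segments, MAC list and time windows are
constructed sample values; "non-letter" means neither a letter nor a digit here.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PasswordPolicy:
    min_length: int = 8
    # Character classes a password must contain: "letter", "digit", "non-letter".
    required_classes: Set[str] = field(
        default_factory=lambda: {"letter", "digit", "non-letter"})
    case_sensitive: bool = True

    @staticmethod
    def classes_in(password: str) -> Set[str]:
        classes = set()
        for ch in password:
            if ch.isalpha():
                classes.add("letter")
            elif ch.isdigit():
                classes.add("digit")
            else:
                classes.add("non-letter")
        return classes

    def check(self, password: str) -> Tuple[bool, str]:
        if len(password) < self.min_length:
            return False, "shorter than %d characters" % self.min_length
        missing = self.required_classes - self.classes_in(password)
        if missing:
            return False, "missing character class: " + ", ".join(sorted(missing))
        return True, "ok"

    def canonical(self, password: str) -> str:
        """Form of the password to hash and compare; case-folded when the policy
        is case-insensitive so that 'Secret' and 'secret' match."""
        return password if self.case_sensitive else password.casefold()


@dataclass
class LoginAddressPolicy:
    allowed_networks: List[Network]        # single hosts are /32 (or /128) networks
    allowed_macs: Set[str] = field(default_factory=set)   # lowercase; empty = no MAC rule

    def permits(self, ip: str, mac: Optional[str] = None) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False                   # an unparsable source address is never trusted
        if not any(addr in net for net in self.allowed_networks):
            return False
        if self.allowed_macs and (mac is None or mac.lower() not in self.allowed_macs):
            return False
        return True


@dataclass
class LoginTimePolicy:
    # (weekdays with Monday = 0, window start, window end). end < start means the
    # window crosses midnight: 22:00 on a listed day until 06:00 the next day.
    windows: List[Tuple[Set[int], time, time]]

    def permits(self, when: datetime) -> bool:
        day, t = when.weekday(), when.time()
        for days, start, end in self.windows:
            if start <= end:
                if day in days and start <= t <= end:
                    return True
            elif (day in days and t >= start) or ((day - 1) % 7 in days and t <= end):
                return True
        return False


PASSWORD_POLICY = PasswordPolicy()
ADDRESS_POLICY = LoginAddressPolicy(
    allowed_networks=[ipaddress.ip_network("10.20.0.0/16"),     # constructed NOC segment
                      ipaddress.ip_network("192.0.2.10/32")],   # constructed jump host
)
TIME_POLICY = LoginTimePolicy(windows=[
    ({0, 1, 2, 3, 4}, time(8, 0), time(20, 0)),   # weekdays, office hours
    ({5, 6}, time(22, 0), time(6, 0)),            # weekend night maintenance window
])


def evaluate_login(ip: str, when: Union[datetime, str], mac: Optional[str] = None,
                   address_policy: LoginAddressPolicy = ADDRESS_POLICY,
                   time_policy: LoginTimePolicy = TIME_POLICY) -> Tuple[bool, str]:
    """Policy gate applied before the credentials themselves are checked."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not address_policy.permits(ip, mac):
        return False, "login address policy: source not allowed"
    if not time_policy.permits(when):
        return False, "login time policy: outside allowed period"
    return True, "ok"
```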
10.5.1.3 Authentication
Authentication is the simplest and most efficient security process for security guarantee.
Several authentication solutions are available for scenarios with different security
requirements.
Username/password-based login
Two-factor authentication
During two-factor authentication, valid physical entities (USB keys or smart cards storing
authentication information such as the digital certificate) must be present in addition to
the username and password. USB keys are inserted into the USB port of the computer for
authentication; smart cards require the installation of smart card readers, and they are
inserted into or connected to the readers, which obtain the authentication information.
The digital certificate in the USB key or smart card complies with the X.509 v3 format
standard. The application interface program is based on the PKCS#11 standard and accesses
the CA server through LDAP. The smart cards supported by NetNumen™ U31 comply with the
ISO7819-1/2/3/4 standards.
As carriers’ networks become more complex than before, a large number of applications
are deployed in the networks. Maintenance complexity and costs are driven up by
independent security management for each application. Therefore, a uniform security
platform needs to be deployed for centralized management and control of these
applications. If carriers have already built a central server for security authentication, U31
can be integrated with the third-party authentication server to implement central security
management.
Authentication
Authentication determines whether U31 operations are legal. The security module of U31
checks each command and operation of a logged-in user against the authorization
information of that user. Only the authorized commands and operations are allowed. The
system logs each command/operation regardless of whether it is executed successfully.
The multiple clients of U31 such as GUI, command line interface, and web interface
share the security authentication server logic of U31. Correct authentication activities can
prevent misoperations and protect the system from malicious attacks such as privilege
escalation.
The log and auditing functions can record down and manage all the user activities,
including the security log collection and storage, log viewing, log query, and the functions
designed for other auditing purposes.
As logs can record the user behaviors, they are important functions that provide
non-repudiation. Log management enables NetNumen™ U31 to store the important
events that occur during operation of U31 for further reference and later analysis/auditing.
Three types of logs are available: security logs, system logs, and operation logs.
Security logs record the following events: user login/logout, user lockout/unlocking. A
record in the security logs includes the username, IP address, login time, and login result
(successful or not).
When users perform operations, the system records them in the operation logs. A record in
the operation logs includes the username, objects involved in the operation, operation
time, details, and operation result.
When system events occur, the system records them in the system logs that include the
sources and details.
Log auditing
As mentioned before, logs provide non-repudiation for user behaviors. By checking the
logs, users can find the exceptional attack behaviors and security problems in time.
Log auditing activities need to work with maintenance management flows to implement
timely, comprehensive auditing of logs and ensure reasonable settlement of problems.
U31 logs can be exported to the standard Syslog format for third-party log analysis tools
such as Splunk and Event log Analyzer to perform further analysis.
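The three log types above, exported in the standard Syslog (RFC 5424) format for a
third-party analysis tool, together with one audit check of the kind the auditing paragraph
describes (a burst of failed logins for one account from one address). This is an added
example, not ZTE's code; the records are constructed, and the structured-data ID uses 32473,
the enterprise number reserved for documentation.

```python
"""Security, operation and system log records as described above, exported in
Syslog (RFC 5424) format, plus one audit check run over them.

Added example, not ZTE's code. The records are constructed; the structured-data
ID uses 32473, the enterprise number reserved for documentation (RFC 5612).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple, Union


@dataclass
class SecurityLog:            # login/logout, lockout/unlocking
    username: str
    ip: str
    when: datetime
    event: str                # "login", "logout", "lockout", "unlock"
    success: bool


@dataclass
class OperationLog:           # what a user did to which object, and the result
    username: str
    obj: str
    when: datetime
    details: str
    result: str


@dataclass
class SystemLog:              # system event with its source
    source: str
    when: datetime
    details: str


Record = Union[SecurityLog, OperationLog, SystemLog]

FAC_AUTH, FAC_LOCAL0 = 4, 16                  # syslog facilities
SEV_WARNING, SEV_NOTICE, SEV_INFO = 4, 5, 6   # syslog severities
SD_ID = "u31@32473"                           # private SD-ID with documentation PEN


def _sd_value(value: str) -> str:
    """RFC 5424 PARAM-VALUE escaping of the three characters it reserves."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(rec: Record, hostname: str = "u31-server") -> str:
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG"""
    ts = rec.when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(rec, SecurityLog):
        result = "success" if rec.success else "failure"
        pri = FAC_AUTH * 8 + (SEV_NOTICE if rec.success else SEV_WARNING)
        msgid, params = "SECURITY", {"user": rec.username, "ip": rec.ip,
                                     "event": rec.event, "result": result}
        msg = f"{rec.event} by {rec.username} from {rec.ip}: {result}"
    elif isinstance(rec, OperationLog):
        pri = FAC_LOCAL0 * 8 + SEV_INFO
        msgid, params = "OPERATION", {"user": rec.username, "object": rec.obj,
                                      "result": rec.result}
        msg = f"{rec.username} on {rec.obj}: {rec.details} ({rec.result})"
    else:
        pri = FAC_LOCAL0 * 8 + SEV_NOTICE
        msgid, params = "SYSTEM", {"source": rec.source}
        msg = rec.details
    sd = "[" + SD_ID + "".join(f' {k}="{_sd_value(v)}"' for k, v in params.items()) + "]"
    return f"<{pri}>1 {ts} {hostname} netnumen-u31 - {msgid} {sd} {msg}"


def failed_login_bursts(records: List[Record], threshold: int = 5,
                        window_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """Audit check: (user, ip, count) for every user/source pair with at least
    `threshold` failed logins inside some `window_seconds` sliding window."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for rec in records:
        if isinstance(rec, SecurityLog) and rec.event == "login" and not rec.success:
            failures[(rec.username, rec.ip)].append(rec.when)
    flagged = []
    for (user, ip), times in failures.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged.append((user, ip, best))
    return flagged


def _t(hour: int, minute: int, second: int = 0) -> datetime:
    return datetime(2024, 3, 4, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample records: six failed logins for "admin" from one address
# within two minutes, a normal session, one operation and one system event.
SAMPLE_RECORDS: List[Record] = [
    SecurityLog("admin", "203.0.113.9", _t(9, i // 3, (i % 3) * 20), "login", False)
    for i in range(6)
] + [
    SecurityLog("ops1", "10.20.1.5", _t(9, 5), "login", True),
    OperationLog("ops1", "OLT-A", _t(9, 6), "modify VLAN 100 on port 1/1", "success"),
    SystemLog("db-backup", _t(9, 10), "scheduled backup completed"),
    SecurityLog("ops1", "10.20.1.5", _t(9, 30), "logout", True),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(to_syslog(record))
    print("bursts:", failed_login_bursts(SAMPLE_RECORDS))
```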
Authentication activities between the server and client can effectively prevent the
Man-in-the-Middle attacks. The NetNumen™ U31 authentication solution can be
implemented in different methods:
Username and password are entered during authentication and are transferred through SSH
between the client and the server.
Public key authentication: When the clients are deployed, the public and private key pair
needs to be generated on clients. Moreover, the public key is put on the server. When a
client gets access to the server through SSH, it needs to provide the public key. After the
server confirms that the public key is within the list, it sends a request to the client. The
client returns a response generated using the private key to complete the authentication.
Host-key authentication: Clients store the host keys of the servers that they have visited.
If the host key of a server does not exist in the list on a client, the client prompts users to
authenticate the server.
Public key authentication: During server deployment and commissioning, the public and
private key pair is generated, and the public key is available for clients. When a client
visits the server, it decrypts the data from the server by using the public key.
Secured connections and communications between U31 and NEs: U31 needs to authenticate
NEs, and vice versa. Data is encrypted to prevent data interception and alteration
incidents.
U31 security management of NEs: U31 manages the accounts and passwords for logging into
NEs, permission settings, and data certificates. Moreover, U31 provides such functions as
NE security log collection, integrity checks of configuration parameters, security
patching, identification of decrypted NEs (for example, a "pseudo device"), and an alarm
function for decrypted NEs.
The majority of the above problems is related to NE service protocols and is specific to
NEs. If the standards on NEs have already defined the security management methods,
the standards should take preference to act as the service security standards that U31
should comply with.
Regarding the connections between U31 and NEs, when NEs are not located in a
secured area, secure data tunnels can be established by using encryption methods. Two
methods are supported, namely IPSec tunnels and SSH/SFTP, to meet different NE
standards and user requirements.
U31 security management for NEs varies with NE types, but uses the security standards
and levels similar to those for U31 itself. Moreover, the NE service standards should also
be met.
Uniform telecom service standards should be used to guarantee security for NE services
where U31 is involved.
The northbound interface is the main channel for communications between NetNumen™
U31 and other NMSs/OSSs. The information exchanged through the northbound
interface is the important network operation information that should be secured properly.
Authentication
U31 northbound interfaces strictly limit the access from external systems to its managed
devices and services, according to the permission assignment defined already. The
following authentication control policies are provided for different northbound interfaces:
SNMP: SNMPv3 and higher versions, which provide authentication functions, are
supported.
TL1 interface: Encryption and authentication are supported to prevent illegal access
from this interface to the system.
After U31 is integrated with other systems, the northbound interface can limit the visits
from certain IP addresses and ports. It allows users to specify the IP addresses and ports
in the network (firewall) settings and U31 server configuration. If the IP address and port
of a visit request do not fall in the specified scope, the northbound interface of U31
rejects the visit request, preventing potential malicious attacks.
U31 records all the operations that external systems perform through the northbound
interfaces. The operations include user authentication information, sources, time, and
operation information. The log is saved together with the security logs for local users for
further security auditing.
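An added example (not ZTE's code) of the two northbound controls described above: an IP-address/port scope check and a security-log record for every request, accepted or rejected. The allowlist entries, port numbers and sample requests are constructed for illustration.

```python
"""Northbound access filter and audit log modelled on the controls described in the
text. Constructed example: the allowlist, the TL1 port number and all sample
requests are illustrative, not product configuration."""
import ipaddress
from datetime import datetime, timezone

# Constructed allowlist: which external systems (by source network) may reach which
# northbound ports. In the product this scope comes from the firewall and server
# configuration; 161/162 are the standard SNMP ports, 3083 is a constructed TL1 port.
NORTHBOUND_ALLOWLIST = {
    ipaddress.ip_network("10.20.30.0/24"): {161, 162},   # OSS allowed on SNMP ports
    ipaddress.ip_network("10.20.40.5/32"): {3083},       # a single TL1 gateway host
}


def is_allowed(src_ip: str, dst_port: int) -> bool:
    """Return True only if the source address and destination port both fall in the
    configured scope; any request outside it is rejected."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False   # a malformed address never matches the scope
    return any(addr in net and dst_port in ports
               for net, ports in NORTHBOUND_ALLOWLIST.items())


def audit_record(src_ip, dst_port, user, operation, allowed, when=None):
    """Build the security-log entry: authentication identity, source, time, operation
    and outcome are recorded for accepted and rejected requests alike."""
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(timespec="seconds"),
        "user": user,
        "source": f"{src_ip}:{dst_port}",
        "operation": operation,
        "result": "ACCEPTED" if allowed else "REJECTED",
    }


def process_requests(requests):
    """Apply the scope check to each (src_ip, dst_port, user, operation) tuple and
    return the audit records; rejected requests never reach the interface handler."""
    log = []
    for src_ip, dst_port, user, operation in requests:
        allowed = is_allowed(src_ip, dst_port)
        log.append(audit_record(src_ip, dst_port, user, operation, allowed))
    return log


# Constructed sample requests (source, port, authenticated user, operation).
SAMPLE_REQUESTS = [
    ("10.20.30.17", 161, "oss_snmp", "GET ifTable"),
    ("10.20.40.5", 3083, "tl1_gw", "RTRV-ALM-ALL"),
    ("10.20.40.6", 3083, "tl1_gw", "RTRV-ALM-ALL"),     # right port, wrong host
    ("10.20.30.17", 3083, "oss_snmp", "RTRV-ALM-ALL"),  # right host, wrong port
    ("not-an-ip", 161, "", "GET ifTable"),              # malformed source
]

if __name__ == "__main__":
    for rec in process_requests(SAMPLE_REQUESTS):
        print(rec)
```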
Encryption can be used during communications between the northbound interfaces and
external systems to protect sensitive data. For example, the FTP interface supports
secure SFTP encryption; the MTOSI/SOAP interface supports HTTPS (SSL)
encryption; other interfaces encrypt data using SSH, but the encryption details should
be negotiated with the external systems during the integration process.
The NetNumen™ U31 security center is the solution that provides such functions as
centralized security, single sign-on, centralized log, and auditing, which further improves
the EOU of security systems.
Generally, a telecom system may have multiple applications and devices that require
account-based authentication and implement security management. The following
problems may occur when carriers need to guarantee security for the applications and
devices:
Each time a user needs to access a system, he or she is required to log in again,
lowering the efficiency in using these applications. If a user sets the same account and
password for different applications, it poses threats to overall security of the system. In
this case, overall system security is lowered to the security level of the most vulnerable
application.
Logs of these applications/devices are stored separately; the auditing process is complex
and tedious. The auditing functions vary in applications/devices.
To solve the above problems, the ZTE U31 security center provides a centralized
security management and control platform that offers a variety of functions for users of
applications and devices, such as centralized management, centralized authorization,
centralized authentication, single sign-on, and centralized log management (logs are
collected from the applications/devices; the collected log data is managed, analyzed, and
audited in a centralized, uniform manner).
The U31 security center consists of three modules, namely the user management
service, the centralized identification and authentication service, and the centralized log
management service. In addition, it can be integrated with external third-party
authentication servers and user management servers.
Centralized log management: the system can collect the log data from
applications/devices through FTP/SFTP. Moreover, it exports log data to third-party log
management servers through FTP/SFTP and Syslog.
User login method: The system supports various authentication methods, such as
username/password-based login, two-factor authentication (with a digital certificate),
and single sign-on, which allows users to access all applications after they are
authenticated once.
Data security protection is the last defense of system security. Assume that the network,
applications, and servers are all threatened; in this case, if data security is ensured,
sensitive data will not be disclosed. Therefore, data security protection is essential to
overall system security. The core functions of key data encryption are system storage
and encryption of transferred data. The purpose is to prevent malicious attacks such as
data interception, detection, decryption and alteration incidents. Even if attackers get the
encrypted data, they find it more difficult than before to obtain useful information from the
encrypted data, which increases the attack costs.
Data that is transferred between clients, servers, NEs, and northbound interfaces.
The following diagram shows the data encryption processes within the U31 system.
The data exchanged between the NetNumen™ U31 server and clients primarily includes
the authentication data, commands initiated by clients, and responses from the server.
As sensitive data is transferred between the server and clients, it is of great necessity to
encrypt the confidential data to prevent data interception and alteration incidents.
U31 clients support encryption methods such as SSH for login and interactions with
the server.
SSH/SFTP is used for communications between the U31 GUI/MML clients and the
server, which encrypts the data exchanged. Currently, SSH v2.9 is supported.
SSH/SFTP supports the following encryption algorithms and protocols:
Public key exchange: RSA algorithm (private key length: 2048 bits)
Encryption algorithm for data transmission: 3DES (private key length: 168 bits),
AES (128 or 256 bits), and Blowfish
The CLI client supports putty (Windows) and the ssh command (Unix/Linux).
The data transferred over northbound interfaces is important network service data, for
example, alarms, network performance indexes, configuration parameters, and system
assets. The sensitive data needs to be encrypted so that it cannot be intercepted or
decrypted. NetNumen™ U31 may be integrated with a variety of systems through
northbound interfaces, and it is unable to complete encryption by itself. Therefore, U31
needs to collaborate with those systems to encrypt the data over the entire link.
The following lists the encryption methods supported by the U31 northbound interfaces:
Other interfaces: After U31 negotiates with the systems that it integrates with, they
encrypt the transferred data by using SSH.
NetNumen™ U31 uses the encryption methods that come along with the database
software. For example, Oracle uses the TDE technology and such algorithms as 3DES
(private key length: 168 bits) and AES (private key length: 128/256 bits). The transparent
encryption methods coming along with databases enable much easier data migration
and private key management compared with application-layer encryption.
As user passwords are confidential data, they should be converted into ciphertext
through one-way encryption when they are stored in the system, for example, in memory, files,
or databases. Throughout the data interaction process, from data input through
transformation to storage, user passwords are always in the form of ciphertext. MD5 is
used for the one-way encryption.
Passwords handled through one-way encryption cannot be reconverted into plain text.
After users enter passwords upon authentication prompts, the system performs one-way
encryption and compares the ciphertext with that in the database. Authentication is
successful if the password entered is correct; otherwise, authentication fails. During
authentication, no plaintext is involved in comparison, preventing memory sniffing
attacks.
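The verification flow described above, as an added example that is not ZTE's code: the entered password is passed through the one-way function and only ciphertext is compared. The page states that MD5 is the one-way function; the salted PBKDF2 variant is an assumption added here to show the same flow with a stronger primitive.

```python
"""One-way password storage and verification as described in the text.
Added example, not product code. The 'md5' path is the page's scheme; the
'pbkdf2' path is an added, stronger alternative shown for comparison."""
import hashlib
import hmac
import os


def one_way(password: str, salt: bytes = b"", algorithm: str = "md5") -> bytes:
    """Map a password to its ciphertext. With the page's scheme (md5, no salt) the
    result is the plain MD5 digest; with 'pbkdf2' it is a salted, iterated digest."""
    data = password.encode("utf-8")
    if algorithm == "md5":
        return hashlib.md5(salt + data).digest()
    if algorithm == "pbkdf2":
        # Assumed parameters: SHA-256, 200k iterations; not from the page.
        return hashlib.pbkdf2_hmac("sha256", data, salt, 200_000)
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def store_password(password: str, algorithm: str = "md5") -> dict:
    """What gets written to memory, file or database: only the ciphertext (plus the
    salt, which is not secret). The plaintext is discarded here."""
    salt = os.urandom(16) if algorithm == "pbkdf2" else b""
    return {"alg": algorithm, "salt": salt,
            "digest": one_way(password, salt, algorithm)}


def verify_password(entered: str, record: dict) -> bool:
    """Authentication: hash the entered password and compare ciphertext with
    ciphertext. compare_digest keeps the comparison time independent of where the
    two digests first differ, so no plaintext and no early-exit comparison is involved."""
    candidate = one_way(entered, record["salt"], record["alg"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    rec = store_password("Secret#123")          # constructed sample password
    print(rec["digest"].hex(), verify_password("Secret#123", rec),
          verify_password("secret#123", rec))
```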
In most network designs, connections between EMS and NEs are allocated within
dedicated networks. External devices are allowed to visit NEs through EMS rather than
visit NEs directly. Data exchanged between EMS and NEs cannot be detected or
intercepted, and needs no encryption as a result.
Along with the rollout of new telecom services and the emergence of different NE types, some
NEs are deployed in networks with relatively lower security, or even in the Internet. In
this case, data exchanged between EMS and NEs should be encrypted. Presently,
IPSec tunnels or SSH/SFTP are used to encrypt data between EMS and NEs.
11 Reliability
Disk mirroring: The data on the active disk is copied to the standby disk, and vice
versa. It lowers the risk that U31 server(s) cannot be restarted due to damaged
disks.
Disk data protection: RAID is used to protect data on disk arrays. RAID 0, RAID 5, and
RAID 10 are all supported to achieve hardware data protection. RAID lowers the risk
that U31 server(s) cannot be restarted due to damage of disk arrays.
Others: Redundant hardware parts are deployed, for example, network interfaces,
HBA cards, and switches. The purpose is to ensure reliable and secure operation of
U31.
U31 software: U31 operation involves multiple processes. When a process exits with
error(s), U31 will automatically restart the process or generate alarms to prompt
users to handle the process manually. The related operations are logged for O&M
personnel to locate faults and figure out causes.
Data backup: U31 data is backed up periodically. When faults occur to U31, the
backed-up service data is imported into U31 to keep the system operating securely.
It prevents the service data loss caused by U31 disk/disk array
damage or database breakdown. For details, refer to 11.6.
11.3 HA Solution
In the NetNumen™ U31 HA solution, dual redundancy is designed to deal with software
failures occurring on the U31 servers; by connecting both servers to the RAID
disk array or storage area network (SAN), data loss and network/service interruption
caused by equipment damage are well prevented. The two major problems that affect
the stability of O&M networks are thus solved to some extent.
The following figure shows a local dual-server system with a shared disk array, which is a
commonly used networking method. The U31 server software and VCS are installed
on each of the active and standby servers. The database is installed on the
RAID disk array. Both the active and standby U31 servers need to be powered on.
However, only the U31 server program on the active server is started; the applications on
the standby server remain inactive. When VCS detects that the active server fails, it
automatically starts the U31 server software on the standby server, which then takes over
immediately as the active server.
The following figure shows the local U31 dual-server system with SAN. If the carrier’s
existing network has a SAN, simply connect the local U31 dual-server system to the SAN.
Disk arrays are deployed in the SAN. The working principle is similar to the previous
networking method, namely the local dual-server system with a shared disk array.
Currently, U31 supports such operating systems as Solaris, Redhat Linux and CGSL Linux.
Under these operating systems, the cluster software Symantec VERITAS is used to
implement the dual-server system.
Features
The active and backup EMS server systems are located in one equipment room
and connect to the same disk array, which stores both the database data and the
EMS data.
In the normal situation, the active EMS provides EMS services for the integrated
network while the backup system is in hot standby status.
The active server and the backup server mutually monitor each other's status
through a heartbeat line. When the backup system detects an active system
fault such as a system breakdown, or a hardware or software fault, it takes
the place of the active system to provide EMS services. After the takeover, no
EMS data is changed; it remains exactly the same as before.
The active and backup systems share one EMS virtual floating IP address,
which hides which EMS is actually running and thus provides transparent
EMS services to EMS clients.
The active and backup systems share the same database system located on the disk array.
This ensures data consistency between the two systems. The disk array is configured in
RAID 1+0 mode and provides a hot-spare hard disk that automatically takes the place of a faulty hard disk.
The RAID 1+0 mode uses RAID 1 mirroring to achieve complete data
redundancy and RAID 0 striping to concatenate and expand disks, enlarging disk space
and increasing I/O efficiency.
Advantages
The disk array configured in RAID 1+0 mode with a hot-spare hard disk enables
EMS data and database data to be located on the same disk array, thus ensuring
data security and reliability.
Because the active and backup EMSs share the same data on the same disk
array, the data is fully consistent after an active/backup switchover.
The active and backup systems share one EMS virtual floating IP address,
which hides which EMS is actually running and thus provides transparent
EMS services to EMS clients.
Because the active and backup EMSs are located in one place and use a
cross-connection cable as the monitoring heartbeat line, the status inspection
between the two systems is precise and free of interference caused by an unstable
network, thus avoiding wrong switchovers.
Because the two systems are close to each other, the database and the EMS server can
run on the two sets of equipment in the dual system respectively, achieving
load balance and optimizing EMS performance.
When telecom networks fail because of unplanned breakdowns (such as device failures,
software errors, network disruptions, power failures) or natural disasters (such as fires,
floods, earthquakes, hurricanes), the local HA solution is unable to protect
normal operation of U31 and a disaster recovery solution is needed to ensure
NetNumen™ U31 service continuity.
Disaster recovery means that a remote redundant system has been constructed for a local
system. When the local system fails due to a disaster, the remote redundant system can
take over as the active system using the backed-up data so as to provide uninterrupted
service. Disaster recovery has become more important than before because nowadays the
telecom industry focuses on network reliability and service availability.
If the active EMS is located in the same network segment as the backup EMS, the two
systems can share one EMS virtual floating IP address and provide transparent
management for EMS clients. If they are not in one segment, the active and backup
systems provide EMS services through different IP addresses.
Because carriers have different requirements for disaster recovery functions and
different EMS investment budgets, there are three solutions for remote
dual-system disaster recovery EMS, as listed below.
Remote dual-system disaster recovery (1+1 mode) solution: Each of the active and
backup EMSs has its own server, providing remote disaster recovery backup of EMS
data and remote EMS HA.
Remote dual-system disaster recovery (2+1 mode) solution: The active EMS is
composed of a dual-machine EMS set while the backup system consists of only
one server, providing the EMS local dual-machine function at key nodes and the remote
disaster recovery function.
Remote dual-system disaster recovery (2+2 mode) solution: Each of the active and
backup systems is composed of a dual-machine EMS set, providing the EMS local
dual-machine function at both the active and backup nodes, the remote disaster recovery
function and the remote HA function.
The remote dual-system disaster recovery (2+2 mode) solution is designed especially for
high-end EMSs. It is therefore recommended to use remote dual-system disaster recovery
EMS in a Unix environment rather than in a Windows environment.
The most frequently used solution is the 1+1 mode disaster recovery solution, which is
introduced below. In this solution, each of the active and backup EMSs has its own server.
Normally, the EMS is composed of one main EMS server, dual-system disaster recovery
software and one backup EMS server. A VPN network connects the active
system with the backup system. Its networking is shown in the figure below.
Currently, U31 supports such operating systems as Solaris, Redhat Linux and CGSL
Linux. Disaster recovery is not supported on Windows. Solaris, Redhat Linux and CGSL
Linux support the disaster recovery solution implemented by Symantec VERITAS.
Features:
In the normal running situation, the active EMS provides EMS services for the
integrated network while the backup system is in hot standby status. The
active EMS synchronizes database data and EMS-related data with the
backup EMS.
The data is replicated between data centers at the application level using the
Veritas Cluster Server VVR component. The data is replicated between
servers by VVR in real time. There are primary and secondary heartbeats in the
solution, which help to monitor the running status of the servers. An automatic
failover from the hot-standby primary to the secondary EMS server can be enabled
or disabled by setting the ClusterFailOverPolicy attribute to Auto.
When the ClusterFailOverPolicy attribute is configured to Auto, if a
failure is detected in the active server, it will automatically switch to the remote
The active server and the backup server mutually monitor each other's status
through the heartbeat line.
When the backup system detects an active system fault such as a system
breakdown, or a hardware or software fault, it takes the place of the active
system to provide EMS services and synchronizes with the previous active system.
After the takeover, the previous active EMS becomes the current backup
system and the previous backup system becomes the active system.
Advantages
The EMS data remote disaster recovery function makes EMS data safe and
reliable.
Disadvantages
If they are not in one network segment, the active and backup EMSs use
different IP addresses to provide EMS services.
Due to the long distance between the active and backup systems, it is hard to
achieve load balance between the database and the EMS server.
The links between NetNumen™ U31 and NEs go through the gateways. If gateways are
faulty, the NEs will be disconnected from U31 and cannot be managed properly. Active
and standby gateways are deployed. If the active gateway is faulty, U31 is able to interact
with NEs through the standby. This measure improves the U31 management
effectiveness and lowers the risk that NEs are disconnected from U31 due to a faulty
gateway and its broken link.
NetNumen™ U31 provides data backup functions that improve system reliability. The
data backup functions allow users to back up the U31 NE configurations, topology
configurations, alarm rules, performance tasks, policy tasks, historical alarms, logs,
performance data …. These data are exported from the database at a customized
frequency and saved as compressed files on hardware storage devices such as disks
and tapes. Even if the server hardware is damaged, the above-mentioned data will not
be lost. When needed, the backup data can be imported into U31 for system and data
restoration and other uses. The supported functions are listed as follows:
Database backup: supports the complete backup of U31 databases, including the
database table structure and basic data (for example the topology links and
configuration data).
Log backup: backs up and stores the system logs, operation logs, and security logs.
History alarm backup: backs up and stores the history alarms in U31.
History performance data backup: backs up and stores the history performance
data in U31.
12 Management Capacity
12.1 Environments
ORACLE 11gR2/12c
The concept of “wireline-LE” is introduced for easy calculation, as the different types of
NEs vary greatly in the complexity of their management models.
Currently, the traffic volume of AM, PM, and CM within a certain period (namely, a tpmc of
7) is regarded as that of one wireline-LE. A physical NE is converted into wireline-LEs
accordingly. Different types of NEs and their numbers of ports are converted into a number
of wireline-LEs according to the system resources they occupy, which makes
further calculation easy. For details about the wireline-LE coefficients, refer to the next part
of this chapter.
U31 servers can be deployed on different hardware products. Their management capability
varies with the hardware product.
For the hardware platforms corresponding to different network scales, please refer to the
hardware configuration section of this chapter.
Category  NE                                                   TPMC              Number of Wireline-LEs
          ZXDSL 8210/8220/8203/9210/9210M/9203/9800/9803       30 (512 lines)    3
          ZXDSL 9836, ZXDSL 9816                               1.5 (24 lines)    0.15
          ZXA10 T600                                           60                6
          ZXA10 U300                                           30                3
          ZXA10 C200/C320                                      30                3
          ZXA10 C220                                           60                6
          ZXA10 C610                                           20                2
          ZXA10 C620                                           30                3
          ZXA10 C650                                           90                9
This section introduces the hardware configuration requirements for NetNumen™ U31
servers.
The following principles should be followed when server hardware planning is made:
If the network contains less than 25,000 wireline-LEs and the carrier expects to
save costs, it is recommended to deploy the U31 server on the X86 PC server.
The following table shows the available hardware configurations appropriate for different
network scales.
Network Scale        Configuration
300 wireline-LEs     CPU: Frequency: 2.0GHz or higher; Cores: 4 cores or higher
                     Memory: 16GB or higher
                     Hard disk: 300GB
4000 wireline-LEs    CPU: Frequency: 2.0GHz or higher; Cores: 8 cores or higher; Quantity: 2
                     Memory: 32GB or higher
                     Hard disk: 600GB or higher, Quantity: 2
13000 wireline-LEs   CPU
25000 wireline-LEs   CPU: Frequency: 2.3GHz or higher; Cores: 8 cores or higher; Quantity: 4
                     Memory: 64GB or higher
                     Hard disk: Capacity: 600GB or higher; Quantity: 4
40000 wireline-LEs   CPU: Frequency: 2.3GHz or higher; Cores: 10 cores or higher; Quantity: 4
                     Memory: 96GB or higher
                     Hard disk: Capacity: 600GB or higher; Quantity: 8
                     Disk Array: Hard disk: 10*900GB or higher
Network Scale        PC VM or server (used to estimate AOS or Citrix server resources)
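An added example (not ZTE's code) that applies the two tables above: it converts a constructed NE inventory into wireline-LEs with the tabulated coefficients, derives the TPMC from the stated 7-per-LE relation, and picks the smallest tabulated hardware tier together with the X86 PC server recommendation. The category column is omitted because the page does not carry its values.

```python
"""Capacity planning from the wireline-LE tables on this page. Added example; the
coefficients and tier bounds are copied from the tables, the inventory is constructed."""

# Wireline-LE coefficient per NE type, from the capacity table above.
WIRELINE_LE_PER_NE = {
    "ZXDSL 8210": 3, "ZXDSL 8220": 3, "ZXDSL 8203": 3, "ZXDSL 9210": 3,
    "ZXDSL 9210M": 3, "ZXDSL 9203": 3, "ZXDSL 9800": 3, "ZXDSL 9803": 3,
    "ZXDSL 9836": 0.15, "ZXDSL 9816": 0.15,
    "ZXA10 T600": 6, "ZXA10 U300": 3, "ZXA10 C200": 3, "ZXA10 C320": 3,
    "ZXA10 C220": 6, "ZXA10 C610": 2, "ZXA10 C620": 3, "ZXA10 C650": 9,
}
TPMC_PER_WIRELINE_LE = 7            # "a tpmc of 7 is regarded as one wireline-LE"
HARDWARE_TIERS = [300, 4000, 13000, 25000, 40000]   # upper bounds of the tiers
X86_PC_SERVER_LIMIT = 25000         # below this, an X86 PC server is recommended


def wireline_les(inventory):
    """Sum coefficient * count over the inventory {ne_type: count}.
    Unknown NE types are an error rather than silently counted as zero."""
    total = 0.0
    for ne_type, count in inventory.items():
        if ne_type not in WIRELINE_LE_PER_NE:
            raise KeyError(f"no wireline-LE coefficient for {ne_type!r}")
        if count < 0:
            raise ValueError(f"negative count for {ne_type!r}")
        total += WIRELINE_LE_PER_NE[ne_type] * count
    return round(total, 4)   # 0.15 coefficients accumulate float noise


def hardware_tier(total_les):
    """Smallest tabulated tier that covers the load; None if beyond the largest tier."""
    for tier in HARDWARE_TIERS:
        if total_les <= tier:
            return tier
    return None


def plan(inventory):
    """Full planning result for one inventory."""
    les = wireline_les(inventory)
    return {
        "wireline_les": les,
        "tpmc": round(les * TPMC_PER_WIRELINE_LE, 4),
        "tier": hardware_tier(les),
        "x86_pc_server_ok": les < X86_PC_SERVER_LIMIT,
    }


# Constructed inventory: 40*3 + 10*9 + 200*0.15 + 20*3 = 300 wireline-LEs exactly.
SAMPLE_INVENTORY = {"ZXA10 C320": 40, "ZXA10 C650": 10,
                    "ZXDSL 9816": 200, "ZXDSL 9210": 20}

if __name__ == "__main__":
    print(plan(SAMPLE_INVENTORY))
```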
This section introduces the software configuration including the server and clients.
It lists the software available for the server, including the system software and EMS
software.
HA software: VERITAS
Software Platform: OS, Database
OS: Windows 7 Professional
This section introduces the virtual machine configuration requirements for NetNumen
U31 servers. In the virtual machine case, the operator deploys a cloud data
center and all the related IT systems are deployed in that cloud data center, so
only the virtual machine configuration requirements need to be indicated.
The software configuration requirements are the same as for the standalone
environment, including the OS, database and HA systems.
The following tables show the available configurations appropriate for different network
scales.
Network Scale             U31 server                                  Database
≤ 4000 wireline-LEs       CPU: >=2.2GHz, >=12vCore; RAM: >=24G;       CPU: >=2.2GHz, >=12vCore; RAM: >=24G;
                          Storage: 200G                               Storage: 400G
≤ 13000 wireline-LEs      CPU: >=2.2GHz, >=16vCore; RAM: >=32G;       CPU: >=2.2GHz, >=16vCore; RAM: >=32G;
                          Storage: 300G                               Storage: 600G (Disk Array is Recommended)
≤ 25000 wireline-LEs      CPU: >=2.4GHz, >=24vCore; RAM: >=48G;       CPU: >=2.4GHz, >=24vCore; RAM: >=48G;
                          Storage: 300G                               Storage: 900G (Disk Array is Recommended)
13 Performance Indexes
Max size of the alarm data stored: 60GB (one alarm record data size is 6KB)
Max size of the log (operation log, security log and system log) data stored: 170GB (one log record data size is 10KB)
Bandwidth Requirement
Bandwidth between U31 servers: 2M at least
Bandwidth between a U31 client and the server: 2M at least
The NetNumen™ U31 server and disk array are rack mounted and will be installed in a
19-inch B6080-22 rack. A U31 client can be a desktop PC or workstation.
13.3.1 Dimensions
W×D×H: 600mm×800mm×2200mm
13.3.2 Weight
An empty rack weighs about 110kg. The weight of a full rack depends on its
configuration.
The equipment room must be equipped with a UPS or an inverter, together with a
generation set.
Note:
The temperature and humidity are measured at the place 1.5m above the floor and
0.4m in front of the rack without front or rear protective boards.
Short term refers to a time period within 48 hours and the accumulated time should not
exceed 15 days.
Note: diameter ≥5 μm
Frequency: 2 Hz - 9 Hz; 9 Hz - 200 Hz
Note:
Impact response: Max. response curve of acceleration under the specified impact. Impact
response II means that the half-sine impact response time is 6ms.
Static load: The pressure on the equipment packing box when it is stacked in the
specified pile mode.
No light beam strikes a smooth surface; especially, as the monitors and control
panels are at a place 0.8m above the floor, the brightness there should be equal to
or greater than 400Lx.
Grounding Modes
Grounding Resistance:
The climate during transportation should comply with the requirements below.
Index Requirement
Temperature 0 ℃ - 40 ℃
Note:
Suspend dust: diameter ≤75 μm
Drop dust: 75 μm≤diameter≤150 μm
Sand: 150 μm≤diameter≤1000 μm
HF mg/m³ ≤0.01
O3 mg/m³ ≤0.05
The mechanical stress during transportation should comply with the requirements below.
Note:
Impact response: Max. response curve of acceleration under the specified impact. Impact
response II means that the half-sine impact response time is 6ms.
Static load: The pressure on the equipment packing box when it is stacked in the
specified pile mode.
The vehicle should provide rain shelter measures to ensure that no rain water
enters the packing case.
The climate for storage should comply with the requirements below.
Index Requirement
Temperature 0 ℃ - 40 ℃
Note:
Suspend dust: diameter ≤75 μm
Drop dust: 75 μm≤diameter≤150 μm
HF mg/m³ ≤0.01
O3 mg/m³ ≤0.05
The mechanical stress during storage should comply with the requirements below.
Frequency: 2 Hz - 9 Hz; 9 Hz - 200 Hz
Note:
Impact response: Max. response curve of acceleration under the specified impact. Impact
response II means that the half-sine impact response time is 6ms.
Static load: The pressure on the equipment packing box when it is stacked in the
specified pile mode.
No accumulated water on the ground in the room, and no water leaking onto
packing cases.
Equipment should be placed away from the automatic fire protection facility,
heating apparatus, and any other place where water leakage may happen.
The vehicle should provide rain shelter measures to ensure that no rain water
enters the packing case.
14 Standard Compliance
ITU-T recommendations about TMN concepts and functions:
ITU-T X.702 Application Context for Systems Management with OSI Transaction
Processing
RFC 793 Transmission Control Protocol (Darpa Internet Program Protocol Specification)
RFC1215 A Convention for Defining Traps for use with the SNMP
RFC 3412 Message Processing and Dispatching for the Simple Network Management
Protocol (SNMP)
RFC3414 User-based Security Model (USM) for version 3 of the Simple Network
Management Protocol (SNMPv3)
RFC3415 View-based Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)
RFC3416 Version 2 of the Protocol Operations for the Simple Network Management
Protocol (SNMP)
RFC3417 Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC3418 Management Information Base (MIB) for the Simple Network Management
Protocol (SNMP)
OMG, The Common Object Request Broker: Architecture and Specification ,version
2.3.1, October 1999
15.1 Numerics
Glossary Description
cdmaOne 2G CDMA technology.
The partners include TIA (North America), CCSA (China),
ARIB/TTC (Japan), and TTA (Korea).
15.2 A-C
AC Accessing Controller
AP Accessing Point
AS Application Server
AS Authentication Server
technology, is a variation of the C/S structure or improvement
of the structure.
BS Billing System
centralized MSC sites.
CE Carrier-class Ethernet
environment.
15.3 D-F
DEM Demodulator
DEMUX Demultiplexer
network device, often located in the telephone exchanges of
the telecommunications operators. It connects multiple
customer digital subscriber line (DSL) interfaces to a
high-speed digital communications channel using
multiplexing techniques.
of Virtual Private LAN Service (VPLS) or Transparent LAN
Services.
15.4 G-I
based on the C/S architecture, and the CLI.
broadband access network.
between software components that do not share a language.
CORBA uses an interface definition language (IDL) to
specify the interfaces which objects present to the outer
world. CORBA then specifies a mapping from IDL to a
specific implementation language like C++ or Java.
integration with the Internet, IMS uses IETF protocols
wherever possible, e.g., SIP. According to the 3GPP, IMS is
not intended to standardize applications, but rather to aid the
access of multimedia and voice applications from wireless
and wireline terminals, i.e., to create a form of fixed-mobile
convergence (FMC). This is done by having a horizontal
control layer that isolates the access network from the
service layer. From a logical architecture perspective,
services need not have their own control functions, as the
control layer is a common horizontal layer. However in
implementation this does not necessarily map into greater
reduced cost and complexity.
15.5 J-L
which it is engaged.
standard for wireless communication of high-speed data for
mobile phones and data terminals. It is based on the
GSM/EDGE and UMTS/HSPA network technologies,
increasing the capacity and speed using a different radio
interface together with core network improvements. The
standard is developed by the 3rd Generation Partnership
Project (3GPP) and is specified in its Release 8 document
series, with minor enhancements described in Release 9.
15.6 M-O
MD Maintenance Domain
MG Media Gateway
MUX Multiplexing
variety of operations are supported, for example, analyzing,
forecasting, planning, and configuring network and service
data. Maintenance activities include the tests and the fault
management tasks for carriers’ networks and services.
marketing cost + manpower cost (+ depreciation)
OS Operating System
15.7 P-R
IPsec or TLS security association with the IMS terminal. This
prevents spoofing attacks and replay attacks and protects
the privacy of the subscriber. It can also compress and
decompress SIP messages using SigComp, which reduces
the round-trip over slow radio links.
It may include a Policy Decision Function (PDF), which
authorizes media plane resources e.g., quality of service
(QoS) over the media plane.
It is used for policy control, bandwidth management, etc.
The PDF can also be a separate function.
Transport Multi-Protocol Label Switching (T-MPLS) and
Provider Backbone Transport (PBT). T-MPLS is a simplified,
transport-oriented profile of Multi-Protocol Label Switching
(MPLS): it removes MPLS's connectionless features and the
forwarding behaviour that transport networks do not need, and
adds a transport-layer network model, protection switching
and Operation, Administration and Maintenance (OAM)
functionality. PBT likewise provides OAM and protection
functions, adds Time Division Multiplexing (TDM) circuit
emulation and clock synchronization functions, and
strengthens multi-service support, but it does not use
traditional Ethernet MAC address learning, broadcast
flooding or the Spanning Tree Protocol (STP). Both T-MPLS
and PBT satisfy the requirements of packet transport;
compared to PBT, T-MPLS has the richer OAM functions.
technology that combines multiple disk drive components
into a logical unit. Data is distributed across the drives in one
of several ways called "RAID levels", depending on the level
of redundancy and performance required.
tolerable period in which data might be lost from an IT
service due to a major incident.
15.8 S-U
Glossary Description
devices such as hard drives and tape drives. SAS replaces
the older Parallel SCSI (pronounced "scuzzy") bus
technology that first appeared in the mid-1980s. SAS, like
its predecessor, uses the standard SCSI command set.
video calls over Internet Protocol (IP) networks. It is an
application layer protocol designed to be independent of
the underlying transport layer; it can run on Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), or
Stream Control Transmission Protocol (SCTP).
clock synchronization between computer systems over
packet-switched, variable-latency data networks.
Compared with NTP, SNTP uses the same packet format and
protocol but does not require state to be kept over extended
periods of time. It is used in some embedded devices and
in applications where high-accuracy timing is not required.
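The stateless nature of SNTP is easiest to see on the wire. The block below is an added example, not code from the NetNumen U31 documentation or from ZTE: it builds the 48-byte client request of RFC 4330, parses a server reply, applies the client-side sanity checks the RFC asks for (mode, stratum, leap indicator, and that the reply's Originate Timestamp echoes what the client sent), and computes clock offset and round-trip delay from the four timestamps. The server reply is simulated by `build_reply` for the example; no real server is contacted, and all function names are the example's own.

```python
"""Minimal SNTP client logic (RFC 4330): request, reply parsing, offset/delay.

Added example for the SNTP glossary entry; not part of the product documentation.
The server reply is simulated locally (build_reply), not captured from a server.
"""
import struct

NTP_UNIX_DELTA = 2208988800        # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET = "!BBbbII4sQQQQ"           # 48-byte NTP/SNTP header: LI/VN/Mode, stratum, poll, precision,
                                   # root delay, root dispersion, reference ID, four 64-bit timestamps
assert struct.calcsize(PACKET) == 48
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time) + NTP_UNIX_DELTA
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3; only the Transmit Timestamp (T1) is set.

    Nothing else needs to be remembered between requests, which is the point of SNTP.
    """
    first = (0 << 6) | (4 << 3) | MODE_CLIENT   # 0x23
    return struct.pack(PACKET, first, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp(t1))


def build_reply(request, t2, t3, stratum=2):
    """Simulated server reply (example only): copies the client's T1 into Originate,
    records receive time T2 and transmit time T3, Mode=4."""
    req = struct.unpack(PACKET, request)
    first = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(PACKET, first, stratum, 0, -20, 0, 0, b"GPS\0",
                       to_ntp(t3), req[10], to_ntp(t2), to_ntp(t3))


def parse_reply(data, sent_t1):
    """Parse a reply and apply the RFC 4330 section 5 client sanity checks."""
    if len(data) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET, data[:48])
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    if f[1] == 0:                                   # stratum 0 = kiss-o'-death, code in reference ID
        raise ValueError("kiss-o'-death from server: %r" % f[6])
    if li == 3:
        raise ValueError("server clock not synchronized")
    if f[8] != to_ntp(sent_t1):                     # Originate must echo our Transmit Timestamp
        raise ValueError("originate timestamp mismatch: unsolicited or spoofed reply")
    return {"version": vn, "stratum": f[1],
            "t1": from_ntp(f[8]), "t2": from_ntp(f[9]), "t3": from_ntp(f[10])}


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay from the four timestamps (RFC 4330 section 5)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


if __name__ == "__main__":
    # Constructed timeline: client clock is 2 s behind the server, 0.5 s round trip.
    req = build_request(1700000000.0)
    reply = build_reply(req, 1700000002.25, 1700000002.25)
    r = parse_reply(reply, 1700000000.0)
    print(offset_and_delay(r["t1"], r["t2"], r["t3"], 1700000000.5))   # (2.0, 0.5)
```

The Originate Timestamp comparison rejects unsolicited replies, but SNTP itself carries no authentication, so an on-path attacker can still feed a client false time. A management system that relies on NE timestamps for alarm correlation or certificate validity should take time only from trusted, preferably authenticated, servers.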
command execution and other secure network services
between two networked computers. It connects a server and
a client (running SSH server and SSH client programs,
respectively) via a secure channel over an insecure network.
The protocol specification distinguishes between two major
versions, referred to as SSH-1 and SSH-2. SSH-1 has known
cryptographic weaknesses and is obsolete; only SSH-2 should
be enabled on managed equipment.
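Which of the two major versions a server offers is announced in its identification string (RFC 4253, section 4.2), the first line it sends after the TCP connection opens. The block below is an added example, not code from the product documentation or from ZTE: it parses that line, skipping any banner lines a server may send first, and maps the protocol version to the SSH versions on offer ("1.99" means the server speaks SSH-1 as well as SSH-2, per RFC 4253 section 5.1). The banner strings in the test and the `ExampleSSH` software names are constructed for the example.

```python
"""Parse an SSH server identification string and flag servers that offer SSH-1.

Added example for the SSH glossary entry; not part of the product documentation.
"""
import re

# RFC 4253, section 4.2:  SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(r"^SSH-(\d[\d.]*)-(\S+)(?: (.*))?$")
MAX_IDENT_LEN = 255   # maximum line length including CR LF


def parse_ssh_identification(first_bytes):
    """Return (protoversion, softwareversion, comments) from the first bytes a server sent.

    Servers may send banner lines before the identification line; those must not
    start with 'SSH-'. A bare LF terminator is tolerated. Raises ValueError if no
    well-formed identification line is present.
    """
    for raw in first_bytes.split(b"\n"):
        if not raw.startswith(b"SSH-"):
            continue                                   # banner line or trailing empty chunk
        if len(raw) + 1 > MAX_IDENT_LEN:
            raise ValueError("identification line exceeds 255 bytes")
        line = raw.rstrip(b"\r").decode("ascii")       # non-ASCII is a protocol violation
        m = IDENT_RE.match(line)
        if not m:
            raise ValueError("malformed identification line: %r" % line)
        return m.group(1), m.group(2), m.group(3)
    raise ValueError("no SSH identification line received")


def protocol_versions(protoversion):
    """Major SSH versions implied by protoversion.

    '2.0' is SSH-2 only; '1.99' means SSH-2 plus backward compatibility with
    SSH-1 (RFC 4253, section 5.1); any other '1.x' value is SSH-1 only.
    """
    if protoversion == "2.0":
        return {"SSH-2"}
    if protoversion == "1.99":
        return {"SSH-1", "SSH-2"}
    if protoversion.startswith("1."):
        return {"SSH-1"}
    raise ValueError("unknown protoversion %r" % protoversion)


def audit_ssh_banner(first_bytes):
    """Summarize a server's identification for an O&M check; ssh1_offered means remediate."""
    proto, software, comments = parse_ssh_identification(first_bytes)
    versions = protocol_versions(proto)
    return {
        "protoversion": proto,
        "software": software,
        "comments": comments,
        "versions": versions,
        "ssh1_offered": "SSH-1" in versions,
    }


if __name__ == "__main__":
    # Constructed banner: a legal-notice line followed by a server that still offers SSH-1.
    print(audit_ssh_banner(b"Authorized access only\r\nSSH-1.99-ExampleSSH_3.1\r\n"))
```

In practice the bytes come from a socket read immediately after connecting; the function deliberately works on the raw buffer so it can also be run over banners collected by a scanner. A server answering "SSH-1.99" is the case worth catching in an NE audit: it negotiates SSH-2 with modern clients, so day-to-day logins look fine, yet it still accepts SSH-1 from anyone who asks for it.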
Recommendation series X.700.
U31 enables convenient integration of management modules
into the mainframe. Flexible integration is also supported:
only the management modules for the target technology
networks are integrated into the system, to match the O&M
needs. NetNumen™ U31 is therefore delivered in many O&M
scenarios and versions, such as NetNumen™ U31 (GULCN),
NetNumen™ U31 R20 and NetNumen™ U31 (CLCN).
from data modeling (entity relationship diagrams),
business modeling (work flows), object modeling, and
component modeling. It can be used with all processes,
throughout the software development life cycle, and across
different implementation technologies.
15.9 V-X
Glossary Description
referred to as a Virtual Local Area Network (VLAN).
WTR Wait-to-Restore