Cisco ONS 15600 Reference Manual, R7.2
Chapter 9 Management Network Connectivity
9.2.7 Scenario 7: Provisioning the ONS 15600 Proxy Server
The rules in Table 9-4 are applied if a packet is addressed to the ONS 15600. Rejected packets are
discarded.
If an ONS 15600 or CTC computer resides behind a firewall that uses port filtering, you must enable an
Internet Inter-ORB Protocol (IIOP) port on the ONS 15600 and/or CTC computer, depending on whether
one or both devices reside behind a firewall. You can enable an IIOP port on the
Provisioning > Network > General tabs in CTC.
Figure 9-13 shows ONS 15600s in a protected network and the CTC computer in an external network.
For the computer to access the ONS 15600s, you must provision the IIOP listener port specified by your
firewall administrator on the ONS 15600. The ONS 15600 sends the port number to the CTC computer
during the initial contact between the devices using Hypertext Transfer Protocol (HTTP). After the
CTC computer obtains the ONS 15600 IIOP port, the computer opens a direct session with the node
using the specified IIOP port.

Table 9-3 Proxy Server Firewall Filtering Rules

Packets Arriving At: TSC Ethernet interface
Are Accepted if the IP Destination Address Is:
  • The ONS 15600 itself
  • The ONS 15600 subnet broadcast address
  • Within the 224.0.0.0/8 network (reserved network used for standard multicast messages)

Packets Arriving At: DCC interface
Are Accepted if the IP Destination Address Is:
  • The ONS 15600 itself
  • Any destination connected through another DCC interface
  • Within the 224.0.0.0/8 network

Table 9-4 Proxy Server Firewall Filtering Rules When Packet Addressed to ONS 15600

Packets Arriving At: TSC Ethernet interface
Accepts:
  • All IP protocols except User Datagram Protocol (UDP)
  • All UDP packets except packets addressed to the SNMP trap relay port
Rejects:
  • UDP packets addressed to the SNMP trap relay port (391)

Packets Arriving At: DCC interface
Accepts:
  • All ICMP, OSPF, RSVP, and LMP packets
  • All TCP packets except packets addressed to the Telnet and proxy server ports
Rejects:
  • TCP packets addressed to the Telnet port
  • TCP packets addressed to the proxy server port
  • Protocols not listed in the Accepted column
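
The two-stage filtering in Tables 9-3 and 9-4, modelled in Python as an added example (not Cisco code) that can generate expected verdicts when validating a node's proxy firewall behavior. The node address, the DCC-reachable network, and the proxy server port value are constructed assumptions (the page does not give the proxy port); Telnet is taken as the standard port 23.

```python
import ipaddress

SNMP_TRAP_RELAY_PORT = 391   # from Table 9-4
TELNET_PORT = 23             # standard Telnet port
PROXY_PORT = 1080            # placeholder: the page does not state the proxy server port
MULTICAST = ipaddress.ip_network("224.0.0.0/8")  # as written in Table 9-3

# Constructed sample addressing, not taken from the manual.
NODE = ipaddress.ip_interface("192.0.2.10/24")
DCC_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # reachable via another DCC


def passes_table_9_3(iface, dst):
    """Destination check: is the packet accepted on this interface at all?"""
    dst = ipaddress.ip_address(dst)
    if dst == NODE.ip or dst in MULTICAST:
        return True
    if iface == "tsc":
        return dst == NODE.network.broadcast_address
    if iface == "dcc":
        return any(dst in net for net in DCC_NETS)
    return False


def passes_table_9_4(iface, proto, dport=None):
    """Protocol check, applied only to packets addressed to the node itself."""
    proto = proto.lower()
    if iface == "tsc":
        # Everything is accepted except UDP to the SNMP trap relay port.
        return not (proto == "udp" and dport == SNMP_TRAP_RELAY_PORT)
    if iface == "dcc":
        if proto in {"icmp", "ospf", "rsvp", "lmp"}:
            return True
        if proto == "tcp":
            return dport not in (TELNET_PORT, PROXY_PORT)
        return False  # protocols not listed in the Accepts column
    return False


def verdict(iface, dst, proto, dport=None):
    """Return the expected outcome for one packet arriving on 'tsc' or 'dcc'."""
    if not passes_table_9_3(iface, dst):
        return "not accepted (Table 9-3)"
    addressed_to_node = ipaddress.ip_address(dst) == NODE.ip
    if addressed_to_node and not passes_table_9_4(iface, proto, dport):
        return "rejected (Table 9-4)"
    return "accepted"
```

Table 9-4 is consulted only when the destination is the node itself, so a Telnet packet arriving on a DCC interface for a destination behind another DCC interface is accepted, while the same packet addressed to the node is rejected.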