Cisco ONS 15454 10Gbps Optical Encryption Line Card

Product Overview

The Cisco ONS 15454 10Gbps Optical Encryption Line Card brings security capabilities to Cisco ONS 15454 MSTP and Cisco Network Convergence System 2000 Series products by providing data confidentiality over a fiber-optic communication channel. It achieves this through the combined use of next-generation encryption with trusted systems technology architecture.

Figure 1. Cisco ONS 15454 10Gbps Optical Encryption Line Card

The encryption line card is a single-slot card that fits into the Cisco ONS 15454 MSTP M6 and M2 chassis, as well as the Cisco NCS 2006 and 2002 chassis. The card (part number: 15454-M-WSE-K9=) has 10 enhanced Small Form-Factor Pluggable (SFP+) ports that support five independent encryption streams, providing superb density for 10 gigabit encryption services.

Figure 2. Secure Point-to-Point Communication over DWDM Architecture

Features

Integrated transponder: The encryption card supports both grey and dense wavelength-division multiplexing (DWDM) SFP+ optics on all ports, with the option to use standard or enhanced Forward Error Correction (FEC) for longer reach.

Secure key exchange: General communication channel 2 (GCC2), secured using Transport Layer Security (TLS) to mitigate a man-in-the-middle attack, is used to exchange the symmetric key for encryption between two communicating cards.

Single GUI for management: The Cisco Transport Controller provides complete separation between security and transport operations by supporting role-based access control for different users.

Table 1 summarizes the features and benefits of the Cisco ONS 15454 10G Optical Encryption Line Card.

Table 1. Features and Benefits

| Feature | Benefit |
| --- | --- |
| Secure boot | Helps ensure that only authentic software is running on the system at boot-up |
| Image signing | Helps ensure that only authentic software is running on the system at load time |
| Immutable identity | Helps ensure that hardware received is not counterfeit |
| Secure unique device identification | Provides cryptographic assertion of device identity, in turn used to authenticate the peer card |
| True random bit generation | Provides nondeterministic numbers used in key generation |
| Advanced cryptographic algorithms | Improves efficiency without sacrificing security |
| Cold zeroization | Erases critical security parameters on card reset or removal or chassis power down |
| FIPS certification | Helps guarantee protection of critical security information |

General Modes of Operation

Encryption only: The card provides confidentiality for the information sent.

Transponder: With encryption disabled, the card is a normal transponder, providing grey to DWDM conversion with FEC or E-FEC available for additional reach (Figure 3).

Regenerator: The card performs standard optical-to-electrical-to-optical (O-E-O) regeneration of a DWDM signal.

Figure 3. Encryption Card Operational Modes

FIPS and Non-FIPS Mode of Operation

The encryption card is currently undergoing FIPS 140-2 level 2 validation. To satisfy the Federal Information Processing Standard (FIPS) requirement, the cryptographic module (in this case the encryption card and controller) must support a FIPS mode of operation in which only FIPS-approved algorithms are run.
When the FIPS mode is turned on, both the controller cards (active and standby transport node controllers or transport shelf controllers), as well as all encryption cards present in the chassis, will reboot. This is a traffic-affecting operation, and a warning is displayed on the craft terminal - Cisco Transport Controller or Cisco Prime Optical - when FIPS mode is turned on. During reboot, the encryption cards and controllers run the FIPS Power On Self Tests (POST). Upon successful completion, the card enters FIPS mode. When setting FIPS mode off, only the controller cards require reboot.

Licensing

A licensed version of the line card providing a single encrypted stream provides a cost-effective solution for low channel counts. A flexible software upgrade license is applied to unlock an additional encryption stream (Table 2).

Table 2. 10Gbps Optical Encryption Line Card Software Licenses

| Part Number | Description |
| --- | --- |
| 15454-M-WSE-L-K9= | Wire Speed Encryption Unit, software license upgradable |
| L-NCS2K-WSE-1= | NCS 2K/MSTP License WSE - 1x Encryption Stream e-Delivery |

Encryption Bundles

Services with speeds lower than 10 Gbps can be encrypted by first multiplexing them into an OTU2 signal using the ONS 15454 Any Rate Muxponder or Any Rate Xponder cards. Two card bundles are available (Table 3). An unlicensed bundle is ideal for an encrypted network with a large number of services with speeds lower than 10 Gbps, and a licensed bundle is available for networks that initially have a smaller number of services with speeds lower than 10 Gbps.

Table 3. Any Rate Muxponder and Any Rate Xponder Bundles

| Bundle Part Number | Constituents |
| --- | --- |
| 15454-ARE-K9-SK | 1 x 15454-M-WSE-K9, 1 x AR-XP-LIC, 1 x ONS-SC+-10G-SR and 1 x ONS-XC-10G-SR-MM |
| 15454-ARE-L-K9-SK | 1 x 15454-M-WSE-L-K9, 1 x AR-MXP-LIC, 1 x ONS-SC+-10G-SR and 1 x ONS-XC-10G-SR-MM |

The proper feature license needs to be purchased on the Any Rate Xponder or Muxponder cards, depending on the services that need to be aggregated. The same flexible software license needs to be purchased with the second bundle for additional encrypted services.

Protocol Transparency

When used in the Cisco ONS 15454 MSTP or NCS 2000 platforms, the encryption line card can transparently deliver the 10-Gbps services listed in Table 4 for cost-effective, secure, point-to-point transport.

Table 4. Client Protocol Mapping

| Client Format | Client Rate (Gbps) | Mapping |
| --- | --- | --- |
| 10 Gigabit Ethernet LAN-PHY | 10.3125 | CBR-BMP clause 17.2.4 (ex G sup43 7.1) + GMP ODU2e to OPU3e4 |
| OTU2 | 10.709 | ODU transparent + GMP ODU2 to OPU3e4 |
| OTU2e | 11.096 | ODU transparent + GMP ODU2 to OPU3e4 |

FEC Capability

The encryption card supports a FEC mechanism on any of the SFP+ interfaces. This can be independently enabled or disabled on all ports. Two software-configurable coding options are available:

GFEC: Standard G.975 Reed-Solomon algorithm.

EFEC: Standard G.975.1 (Sub-clause I.7) with 7 percent overhead. This FEC scheme uses two orthogonally concatenated BCH super-FEC codes, and the constructed code is decoded iteratively to rebuild the original frame.

Management

The Cisco NCS 2000 and ONS 15454 MSTP provide comprehensive management capabilities to support Operations, Administration, Maintenance, and Provisioning (OAM&P) capabilities through the integrated Cisco Transport Controller craft interface with support from the Cisco Prime Optical element management system. Role-based access control is enforced to help ensure that only authorized users are able to perform the desired operations, thus providing a complete separation between the transport and security domains.
Two new user profiles for performing security operations are available, in addition to the existing transport user profiles. They are a security super user and a security user. The former is available by default, while the latter is created by the security super user and assigned to specific encryption cards in the node.

Table 5. Security Capabilities of CTC User Profiles

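| Panes | | Security Super User | Security User | Transport User |
| --- | --- | --- | --- | --- |
| Performance - Encryption PM | Refresh | Yes | Yes | Yes |
| | Baseline | Yes | Yes | No |
| | Clear | Yes | Yes | No |
| Provisioning - Security Threshold | | Yes | Yes | No |
| Encryption - GCC2 Settings | | Yes | Yes | No |
| Encryption - Security | | Yes | Yes | No |
| Encryption - Key Management | | Yes | Yes | No |
| Encryption - Advanced Settings | | Yes | No | No |
| Encryption - OTN Overhead for Packet Traffic | | Yes | No | No |
| Provisioning - Security - FIPS | | Yes | No | No |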

The user-card association is erased on chassis power-down or controller-card reboot. The security super user and security user passwords are hashed and stored using a FIPS-approved algorithm.

Protection Mechanism

By utilizing the ONS 15454 Protection Switch Module (PSM), the encryption card supports Optical Channel-Trail (OCH-Trail) protection, providing protection for the DWDM signal.

Product Specifications

Table 6 lists regulatory compliance information, and Table 7 shows the system requirements for the Cisco ONS 15454 encryption line card. Table 8 provides performance monitoring parameters. Table 9 provides card specifications, and Table 10 lists ordering information for the card.

Regulatory Compliance

Important: Not all compliance documentation may be completed at the time of product release. Please check with your Cisco sales representative for countries other than Canada, the United States, and the European Union.

Table 6. Regulatory Compliance

ANSI System

ETSI System

Countries Supported

• Canada
• United States
• Korea
• Japan
• European Union
• European Union
• Africa
• CSI
• Australia
• New Zealand
• China
• Korea
• India
• Saudi Arabia
• South America

EMC (Class A)

• ICES-003, 2004
• GR-1089-CORE Issue 4, NEBS EMC and Safety, June 2006
• FCC 47CFR15, 2007
• ETSI EN 300 386 V1.4.1 (2008-04) Telecommunication network equipment EMC requirements (Note: EMC-1)
• CISPR22:2008 and EN55022:2006/A1:2007 Information Technology Equipment (Emissions) (EMC-2)
• CISPR24: 1997/A1:2001/A2:2002 and EN55024:1998/A1:2001/A2:2003: Information Technology Equipment - Immunity characteristics - Limits and Methods of Measurement (test levels)

Safety

• CSA C22.2 #60950-1 - Edition 7, March 2007
• UL 60950-1 - Edition 2, March 2007
• GR-1089-CORE Issue 4, NEBS EMC and Safety, June 2006
• UL 60950-1 - Edition 2, March 2007
• IEC 60950-1 Information technology equipment Safety Part 1: General requirements - Edition 2, 2005 and National Differences as per CB Bulletin 112A
• IEC/EN 60950-1 (2006/10) with Amendment 11:2004 to EN 60950-1:2001, 1st Edition and National Differences as per CB Bulletin 112A.
• EN 60950-1, Edition 2 (2006) Information technology equipment - Safety - Part 1: General requirements
• CE Safety Directive: 2006/95/EC

Laser

• UL 60950-1 - Edition 2, March 2007
• IEC 60825-1: 2001 Ed.1.2 (incl. am1+am2) Safety of laser products Part 1: Equipment classification, requirements and users guide
• IEC60825-2 Ed.3 (2004) Safety of laser products Part 2: Safety of optical fiber communication systems + A1:2006
• IEC 60825-1: 2001 Ed.1.2 (incl. am1+am2) Safety of laser products Part 1: Equipment classification, requirements and users guide
• IEC60825-2 Ed.3 (2004) Safety of laser products Part 2: Safety of optical fibre communication systems + A1:2006
• 21CFR1040 (2008/04) (Accession Letter and CDRH Report) Automatic Laser Shutdown and restart (ALS) according to ITU-T G.664 (03/06). Guidance for Industry and FDA Staff (Laser Notice No. 50), June 2007
• Laser Products - Conformance with IEC 60825-1 and IEC 60601-2-22; Guidance for Industry and FDA Staff (Laser Notice No. 50), June 2007

Environmental

• GR-63-CORE Issue 3, NEBS Physical Protection, March-2006
• ETS 300-019-2-1 V2.1.2 (Storage, Class 1.1)
• ETS 300-019-2-2 V2.1.2 (1999-09): Transportation, Class 2.3
• ETS 300-019-2-3 V2.2.2 (2003-04): Operational, Class 3.1E

Optical

• GR-253-CORE - Issue 04
• ITU-T G.691
• ITU-T G.709
• ITU-T G.975

Quality

• TR-NWT-000332, Issue 4, Method 1 calculation for 20-year mean time between failure (MTBF)

Miscellaneous

• GR-1089-CORE Issue 4, NEBS EMC and Safety (June 2006) (Note: NEBS-1)
• GR-63-CORE Issue 3, NEBS Physical Protection (March 2006) (Note: NEBS-2)
• ATT-TP-76200: 2008
• ANSI T1.315-2001
• GR-499: 2004 Transport Systems Generic Requirements (TSGR): Common Requirements

System Requirements and Other Specifications

Table 7. System Requirements

| Component | Cisco ONS 15454 M6 | Cisco ONS 15454 M2 |
| --- | --- | --- |
| Processor | TNC/TSC/TNC-E/TSC-E | TNC/TSC/TNC-E/TSC-E |
| Shelf assembly | Cisco ONS 15454-M6-SA shelf assembly with FTA2; Cisco NCS2006-SA shelf assembly | Cisco ONS 15454-M2-SA shelf assembly with FTA2; Cisco NCS2002-SA shelf assembly |
| System software | ONS 15454 MSTP Release 9.8 ANSI/ETSI; NCS 2000 Release 10.0 | ONS 15454 MSTP Release 9.8 ANSI/ETSI; NCS 2000 Release 10.0 |
| Slot compatibility | Slots 2 through 7 | Slots 2 through 3 |

Table 8. Performance Monitoring Parameters

| Area | Parameter Name | Description |
| --- | --- | --- |
| OTN | OTUk SM / ODUk PM | |
| | BBE-SM / BBE-PM | Number of background block errors |
| | BBER-SM / BBER-PM | Background block error ratio |
| | ES-SM / ES-PM | Number of errored seconds |
| | ESR-SM / ESR-PM | Errored seconds ratio |
| | SES-SM / SES-PM | Number of severely errored seconds |
| | SESR-SM / SESR-PM | Severely errored seconds ratio |
| | UAS-SM / UAS-PM | Number of unavailable seconds |
| | FC-SM / FC-PM | Number of failure counts |
| FEC | Bit errors | Number of corrected bit errors |
| | Uncorrectable words | Number of uncorrectable words |
| Trunk optical performance monitoring | OPT | Transmit optical power |
| | LBC | Transmitter laser bias current |
| | OPR | Receiver optical power |

Table 9. Card Specifications

| Category | Item | Specification |
| --- | --- | --- |
| Management | Card LEDs: Failure (FAIL) | Red |
| | Card LEDs: Active or standby (ACT/STBY) | Green/yellow |
| | Card LEDs: Signal fail (SF) | Yellow |
| | Client port LEDs (per port): Active input signal | Green |
| Power (including worst-case pluggable) | Typical | 110W (25C and -48VDC) |
| | Maximum | 160W (55C and -38VDC) |
| Physical | Dimensions | Occupies 1 slot |
| | Weight | 1.24 kg (2.73 lbs) |
| Reliability and availability | Mean time between failures (MTBF) | 111,544 hrs |
| Latency (end to end) with encryption off | G.709 - FEC disabled | 6.8 microseconds |
| | G.709 - Standard FEC | 10 microseconds |
| | G.709 - EFEC | 144.8 microseconds |
| Latency (end to end) with encryption on | G.709 - FEC disabled | 6 microseconds |
| | G.709 - Standard FEC | 10.5 microseconds |
| | G.709 - EFEC | 145.4 microseconds |
| Storage temperature | | -40 to 158°F (-40 to 70°C) |
| Operating temperature | Normal | 32 to 104°F (0 to 40°C) |
| | Short-term * | 23 to 131°F (-5 to 55°C) |
| Relative humidity | Normal | 5% to 85%, noncondensing |
| | Short-term * | 5% to 90% but not to exceed 0.024 kg water/kg of dry air |

* Short-term refers to a period of not more than 96 consecutive hours and a total of not more than 15 days in 1 year (a total of 360 hours in any given year, but no more than 15 occurrences during that 1-year period). The values shown are valid for M6 or M2 chassis.

Warranty Information

Warranty information is available on Cisco.com at the Product Warranties page.

Ordering Information

This section provides information on the components or parts needed to install and use the product. It also provides a direct link to the Cisco Ordering Tool and lists part numbers in Table 10.
To place an order, visit the Cisco Ordering Home Page. To download software, visit the Cisco Software Center.

Table 10. Ordering Information

| Part Number | Description |
| --- | --- |
| 15454-M-WSE-K9= | Full Feature Wire Speed Encryption Unit |
| 15454-M-WSE-L-K9= | Wire Speed Encryption Unit - SW license upgradable |
| L-NCS2K-WSE-1= | NCS 2K/MSTP License WSE - 1x Encryption Stream e-Delivery |
| 15454-ARE-K9-SK | Kit - Contains WSE, SFP+ SR, XFP SR & AR-XP-LIC |
| 15454-ARE-L-K9-SK | Kit - Contains WSE-L, SFP+ SR, XFP SR & AR-MXP-LIC |

For More Information