Cisco ONS 15454 Reference Manual, R7.0
78-17191-01
Chapter 13 Management Network Connectivity
13.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server
Note: If you launch CTC against a node through a Network Address Translation (NAT) or Port Address
Translation (PAT) router and that node does not have proxy enabled, your CTC session starts and initially
appears to be fine. However, CTC never receives alarm updates, and it disconnects and reconnects every
two minutes. If the proxy is accidentally disabled, it is still possible to enable the proxy during a
reconnect cycle and recover your ability to manage the node, even through a NAT/PAT firewall.
 • External Network Element (ENE)—If set as an ENE, the ONS 15454 neither installs nor advertises 
default or static routes. CTC computers can communicate with the ONS 15454 using the 
TCC2/TCC2P craft port, but they cannot communicate directly with any other DCC-connected 
ONS 15454. 
In addition, firewall is enabled, which means that the node prevents IP traffic from being routed 
between the DCC and the LAN port. The ONS 15454 can communicate with machines connected to 
the LAN port or connected through the DCC. However, the DCC-connected machines cannot 
communicate with the LAN-connected machines, and the LAN-connected machines cannot 
communicate with the DCC-connected machines. A CTC client using the LAN to connect to the 
firewall-enabled node can use the proxy capability to manage the DCC-connected nodes that would 
otherwise be unreachable. A CTC client connected to a DCC-connected node can only manage other 
DCC-connected nodes and the firewall itself. 
 • Gateway Network Element (GNE)—If set as a GNE, the CTC computer is visible to other 
DCC-connected nodes and firewall is enabled.
 • Proxy-only—If Proxy-only is selected, firewall is not enabled. CTC can communicate with any 
other DCC-connected ONS 15454s. 
Figure 13-11 shows an ONS 15454 SOCKS proxy server implementation. A GNE ONS 15454 is 
connected to a central office LAN and to ENE ONS 15454s. The central office LAN is connected to a 
NOC LAN, which has CTC computers. Both the NOC CTC computer and the craft technicians must be 
able to access the ONS 15454 ENEs. However, the craft technicians must be prevented from accessing 
or seeing the NOC or central office LANs.
In the example, the ONS 15454 GNE is assigned an IP address within the central office LAN and is 
physically connected to the LAN through its LAN port. ONS 15454 ENEs are assigned IP addresses that 
are outside the central office LAN and are given private network IP addresses. If the ONS 15454 ENEs 
are collocated, the craft LAN ports could be connected to a hub. However, the hub should have no other 
network connections. 
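The addressing and proxy-setting rules of this scenario can be checked against a planned node list before provisioning. The following is an added example, not Cisco code: the node names, addresses, the "gateway"/"external" role labels and the reading of "private network IP addresses" as the RFC 1918 ranges are assumptions made for illustration.

```python
import ipaddress

# Firewall state for each proxy setting, as the section describes it.
FIREWALL_ON = {"ENE": True, "GNE": True, "Proxy-only": False}
# Assumption: "private network IP addresses" means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_plan(co_lan, nodes):
    """Check (name, role, ip, setting) tuples against the Figure 13-11 design.

    role is "gateway" for the LAN-attached node and "external" for a node
    reached over the DCC. Returns a list of finding strings (empty = pass).
    """
    lan = ipaddress.ip_network(co_lan)
    findings = []
    for name, role, ip, setting in nodes:
        addr = ipaddress.ip_address(ip)
        if setting not in FIREWALL_ON:
            findings.append(f"{name}: unknown proxy setting {setting!r}")
            continue
        if not FIREWALL_ON[setting]:
            findings.append(f"{name}: firewall not enabled, DCC/LAN routing is not blocked")
        if role == "gateway":
            if setting != "GNE":
                findings.append(f"{name}: gateway node should be set as GNE")
            if addr not in lan:
                findings.append(f"{name}: {addr} is not inside {lan}")
        else:
            if setting != "ENE":
                findings.append(f"{name}: external node should be set as ENE")
            if addr in lan:
                findings.append(f"{name}: {addr} must be outside {lan}")
            if not any(addr in net for net in RFC1918):
                findings.append(f"{name}: {addr} is not a private address")
    return findings


# Constructed sample plans (addresses and node names are illustrative).
GOOD_PLAN = [("gne-1", "gateway", "172.16.10.5", "GNE"),
             ("ene-1", "external", "192.168.20.11", "ENE"),
             ("ene-2", "external", "192.168.20.12", "ENE")]
BAD_PLAN = [("gne-1", "gateway", "172.16.10.5", "Proxy-only"),
            ("ene-1", "external", "172.16.10.77", "ENE"),
            ("ene-2", "external", "203.0.113.9", "ENE")]

if __name__ == "__main__":
    for finding in audit_plan("172.16.10.0/24", BAD_PLAN):
        print(finding)
```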










