The Management Aggregation Converter (MAC) is a cost-effective 10/100 Mbps
solution with in-band remote end management. The system consists of two types of
units: main management units and reporting units. Each of the units has one fiber
interface and four 10/100 TX ports. The system is deployed in an Ethernet cloud and a
main management unit monitors and manages several reporting units. Note that a Point
System Chassis with a management module can be used in place of a main management
unit. Before a network administrator deploys the units, each unit is programmed with a
software key. In order for a reporting unit to communicate with a main management
unit the keys must match. Once deployed, the main management unit sends out a
discovery packet to locate the reporting units it is managing. To gather information
about a reporting unit the main management unit sends out a request packet to the
reporting unit. If the embedded key in the reporting unit matches that of the packet
received from the main management unit, the reporting unit then generates an Ethernet
packet with all of its MIB variables and sends it to the main management unit. If the
keys do not match, the packet is discarded. The main management unit also sends
configuration instructions to the reporting unit in order to change one of the
manageable features of the reporting unit, such as forcing 10Mbps or 100Mbps on a
link.

The in-band management enables network administrators to manage each port of the
remote reporting units of the system separately and in-band. It is done in-band
because management data is securely embedded in the Ethernet packet and it travels on
the same fiber as network data.

MAC answers the demand for a product in relatively
low port density applications where in-band management and cost efficiency are
crucial. The product is a very attractive solution for the following applications:

- Managed connection of remote devices
- Fiber to the work group
- Service provider offering data services
Figure 1: Managed connection of remote devices in the
LAN 
There may be devices such as work stations or even servers located remotely from
the data center or wiring closet (e.g. Shipping & Receiving stations.) If those
distances exceed 100 meters, you may need to use fiber optical cabling. Yet, you do
not need to replace your copper equipment (fiber network devices are usually 30 - 50%
more expensive.) Use MAC Converters as a 10/100BASE-TX to 100BASE-FX back-to-back
configuration to extend distance between those full or half duplex switches, hubs,
and PCs from 100 meters to up to 80km (single mode fiber with long wavelength
optics.) Install a main management unit in your data center and a reporting unit at
the remote end. In a large enterprise network or a network with satellite locations,
data connections to each device on the far end are managed and monitored by the
administrator from the local data center. With remote end management, troubleshooting
is made simpler and the need to send a network manager to the remote location can be
minimized. The MAC has an option for auto-negotiation which will automatically sense
which mode should be in operation for each port. Should the administrator require a
certain configuration for any of the ports (completely disable the port, 10 or 100,
full or half duplex, port VLAN assignment) he/she can do it remotely.
Figure 2: Fiber to the Workgroup 
Network managers can now deploy fiber to the work group while keeping their
existing copper based networking equipment. Use the Point System™ line of
converters to convert existing copper ports from the switch and run fiber links to
the workgroups. The MAC reporting units are then installed in the work group area.
The fiber cable is connected to the fiber port and the 10/100 ports are connected
either to the copper NICs or hubs installed in each work group. MAC Converters
include port based VLAN. Since two or more departments may be connected to one
reporting unit, you may want to further segment the network by assigning each port of
the reporting unit to a specific VLAN. In this way you will separate the traffic and
make devices connected to each port invisible to each other. Administrators can set
up separate VLANs for each of the ports (MAC Converters use port based VLAN). Every
port has the ability to accept or reject packets from every other port on the
converter. The converters will pass (are transparent to) VLAN tagging (802.1Q), so
when you are using a 802.1Q switch with VLANs already set up, the port based VLAN
feature on the MAC should not be activated.

In addition to the port based VLANs, the networks can further be isolated by using
unique embedded keys for multiple units. Reporting Units establish a unique
relationship with the Management Unit (or management card in the Point System
Chassis, see Figure 2) based on the matching of the embedded
keys. The key is programmed by the network administrator during the initial setup on
the main management and reporting units. The units with identical Embedded Keys will
create virtual private networks, so, consequently, you can have different groups of
converters (sharing different embedded keys) operating on the same network segment
that are isolated from each other. The unique relationship can be established only
between management units and reporting units "sharing" the same embedded key. Each
main management unit has one embedded key.
Figure 3: Service provider offering data services 
Traditional methods of providing high-speed data connections are expensive and
require additional routing, multiplexing and terminating equipment (CSU/DSU's,
DACS's, Routers.) MAC Converters take advantage of the Fast Ethernet speed and
fiber's capability. It gives more than enough bandwidth without the need for any
protocol conversion at the customer's premises. Service providers can use MAC to
provide dedicated data access capabilities at 10 or 100Mbps to each of the customers
over a single pair of fiber at minimum cost. As it uses the 10/100 Ethernet protocol
it is easy to install, inexpensive and easily integrated with the CPE. You can use
the Main Management Unit at CO or PoP; install a Reporting Unit(s) in the basement of
the office building you are servicing and assign one port of the MAC Reporting Unit
to each company. Assign each port to a separate VLAN so that Company A cannot see anything from
other users in the building. This also allows a service provider to prevent the
customer from having visibility to the management traffic. The MAC can be set so the
only port that management traffic is transmitted on is the port on which the
management data is received. In this way the fiber port will serve as a backbone/data
uplink port for all users, but the users will not see each other's or the management
traffic. Again, MAC Converters use port based VLAN. Every port has the ability to
accept or reject packets from every other port on the switch. The converters will
pass (are transparent to) VLAN tagging (802.1Q), so when you are using a 802.1Q
switch with VLANs already set up, port based VLANs on the MAC should not be
activated.

To assure continuous connection you can enable a spanning tree feature. This
feature will establish a path redundancy and prevent undesirable loops in the
network. The user can set up another connection between a reporting unit and a
management unit. Spanning tree will put this connection in a standby mode so no loop
is created. If one connection is broken the spanning tree algorithm enables the
standby link and reconfigures traffic through this path.

The converter supports the IEEE 802.1P signaling, also defined as best effort QoS
at Layer 2. 802.1P traffic is simply classified, prioritized and sent to the
destination; no bandwidth reservations are established.

Reporting units can be daisy chained and the administrator will still be able to
manage each one of their ports remotely and in-band. The discovery mechanism will
locate the unit and the main management unit will add a new unit to the pool provided
a new daisy chained unit contains an identical Embedded Key.

MAC also incorporates other Transition Networks media conversion features such as
AutoCross™, Auto-Negotiation, Pause, Source Address Change (SAC), Mirror port,
and Last Gasp.

AutoCross technology eliminates an entire category of network
troubleshooting by sensing the polarity of the signals on the pins and automatically
configuring the port to MDI or MDI-X.

Auto-Negotiation in all 802.3U compliant environments. Devices
advertise their own capabilities to other devices and automatically configure to the
highest or best performance mode of operation. If the RJ-45 port on the converter is
connected to a 10/100 N-way device, auto-negotiation should be enabled to ensure the
optimum mode (full duplex) and speed (100Mbps) are engaged. It is important that
auto-negotiation can be disabled in instances where you are connected to a 100Mbps
only device to assure a full duplex link. When a converter is connected to a standard
100Mbps device, auto-negotiation can be disabled and the mode can be set by the
administrator via the management software.

Pause is a flow control feature and the MAC units are designed to
allow this flow control feature to function unhindered between devices such as
switches that are pause capable.

Port mirroring allows any port to be set up to mirror another
port's packets. The port mirror option can also be disabled on any of the ports and
is controlled only through the command line interface.

The Source Address Change (SAC) alerts the network manager to a
new station that is plugged into a port or to a station that has a new media access
control address. In such instances a trap is sent to the administrator.

The Last Gasp feature alerts the network manager when a power
failure has occurred in the unit. If power is lost, the unit has enough power to send
a final trap indicating a power failure.

Management Platforms
MAC features in-band management of the reporting units. The in-band management
enables network administrators to manage each port of the remote reporting units of
the system separately, and in-band. It is done in-band because management data is
securely embedded in the Ethernet packet and it travels on the same fiber as the
network data.

MAC converters can be managed via the "Focal Point" management software, with our
web based management using any standard web browser or through the command line
interface (CLI). Focal Point is the same software package that is used in management
of the Point System products. It offers full SNMP read/write management capabilities
via a user friendly graphical user interface (GUI). Transition's GUI interface is
supported on most major network management platforms such as HP Openview™, Sun
Solaris, and NT. The web-based management can be accessed via any HTTP type browser.
The level of control that a user has over the MAC is identical for Focal Point and
web-based interface. It gives full port management. The Focal Point management
software is fully SNMP compliant so simple text-based management is always
supported.

Per Port Management
The following features are manageable via the GUI or web-based platforms. 
The command line interface (CLI) is used for the setup and installation process,
but can also be used to manage the system. In the main management unit the user can
set up the embedded key that will be shared with the reporting units, IP, Gateway and
Netmask addresses of the management agent, four IP Addresses for the traps and others
(please see manual for detailed list of options.)

Since privacy and security are highly valued in such applications, network
administrators can take full advantage of the security features.
The management agent has a set of standard and proprietary security features that
will prevent access by most unauthorized users. It has at least two Community Names,
each providing a distinct set of read and write privileges.
To log in to the Telnet server (and thus gain access to the same CLI that is
available via the serial port), one must enter the Private Community Name when asked
for a password.

The CLI can also be locked so that unsolicited messages are still displayed, but
commands are not accepted from Telnet or the serial port. The default password to
unlock the console is the Private Community Name.

Firewall
MAC main management unit contains an internal IP filter that can be used to restrict
access to the Agent to particular IP subnetworks or stations on a service-by-service
basis. It can be configured through the CLI command FWALL. Each rule entered into the
IP filter matches packets based on source IP address, destination protocol,
destination port, or some combination of the three. Each rule also contains a "drop"
or "pass" action, making it possible to configure the filter with either a "default
accept" or a "default deny" philosophy.

MAC Address Filtering
The FILTERMAC facility allows the user to specify up to four trusted Ethernet
hardware addresses (i.e. MAC addresses) that are permitted to send IP packets to the
Agent. When one or more FILTERMAC addresses are specified, the IP stack in the Agent
will drop all IP packets that come from any station that is not listed. The FILTERMAC
facility is disabled if no addresses are specified, and all IP packets are passed to
the FWALL filter for processing.

SNMP Lock
The SNMPLOCK feature is designed to make it much more difficult for intruders to
make changes to management settings via a method known as "IP Spoofing." In an IP
Spoofing attack, the intruder configures an attacking computer to assume the identity
of a trusted computer (such as one allowed to pass by the FWALL filter) in order to
bypass security measures.

LOCK / UNLOCK CLI
The LOCK command allows the CLI to be locked so that no commands can be entered.
(Unsolicited log messages are still displayed, and SNMPLOCK functionality is still
active when the console is locked.)

Traps
The administrator can specify up to four IP addresses that will receive traps.
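
The two filtering stages described under Firewall and MAC Address Filtering, modelled as an added Python example (not vendor code and not the device's CLI syntax), including the case the SNMP Lock section raises of a station presenting a trusted source IP. First-match rule ordering, the field names and all sample addresses are assumptions; the page states only the match fields, the pass/drop actions, the four-address limit and that an empty FILTERMAC list hands every packet to FWALL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One IP-filter rule; a field left as None matches anything."""
    action: str                      # "pass" or "drop"
    src: Optional[str] = None        # source subnet or station, CIDR notation
    proto: Optional[str] = None      # destination protocol, e.g. "udp"
    dport: Optional[int] = None      # destination port

    def matches(self, src_ip, proto, dport):
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

def agent_accepts(pkt, trusted_macs, rules, default="drop"):
    """Return (verdict, deciding stage) for a packet sent to the management agent."""
    if len(trusted_macs) > 4:
        raise ValueError("the page states a limit of four trusted addresses")
    # Stage 1: MAC filter. An empty list disables it, so everything reaches stage 2.
    if trusted_macs and pkt["mac"].lower() not in {m.lower() for m in trusted_macs}:
        return "drop", "FILTERMAC"
    # Stage 2: IP filter. The first matching rule decides (assumed ordering).
    for rule in rules:
        if rule.matches(pkt["src"], pkt["proto"], pkt["dport"]):
            return rule.action, "FWALL"
    return default, "FWALL-default"   # "drop" = default deny, "pass" = default accept

# Constructed policy: default deny, SNMP and Telnet only from one management subnet.
RULES = [
    Rule("pass", src="192.0.2.0/24", proto="udp", dport=161),
    Rule("pass", src="192.0.2.0/24", proto="tcp", dport=23),
]
NOC_MAC = "00:00:5e:00:53:01"         # constructed address (documentation range)

# Constructed packets: a management station, a station outside the subnet, and a
# station that presents a trusted source IP from an unlisted hardware address.
NOC = {"mac": NOC_MAC, "src": "192.0.2.10", "proto": "udp", "dport": 161}
OUTSIDE = {"mac": "00:00:5e:00:53:99", "src": "198.51.100.7", "proto": "udp", "dport": 161}
CLAIMED = {"mac": "00:00:5e:00:53:99", "src": "192.0.2.10", "proto": "udp", "dport": 161}

if __name__ == "__main__":
    for name, pkt in [("NOC", NOC), ("OUTSIDE", OUTSIDE), ("CLAIMED", CLAIMED)]:
        print(name, agent_accepts(pkt, [], RULES), agent_accepts(pkt, [NOC_MAC], RULES))
```

With no FILTERMAC entries the IP filter treats `CLAIMED` exactly like `NOC`, because a source-address rule sees only the address the packet carries; with the trusted list populated, the same packet is dropped before the IP filter is consulted.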