Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Rule 2: Keep Layer 2 and Layer 3 Management Networks Together and Segregated From Other L2/L3 IP Subnets


This topic describes deployment rule 2 for the TCX1000-RDM20 and TCX1000-ILA, which requires you to keep management networks together and segregated from other L2/L3 subnets.


By design, TCX1000 devices (TCX1000-RDM20 and TCX1000-ILA) act like Layer 2 devices in the optical network; all the management communication ports on TCX1000 devices are Layer 2 interfaces. However, TCX1000 devices are managed by the proNX Optical Director using IP, which is Layer 3 protocol. As such, when you design your DCN HA, each TCX1000-RDM20 and TCX1000-ILA in your optical network must be dedicated to a single Layer 2 (L2) and Layer 3 (L3) IP subnet and you must keep the TCX1000-RDM20 and TCX1000-ILA L2/L3 subnet together and segregated from other L2/L3 subnets in your network.

The DCN ports and Line port on the TCX1000-RDM20, and MGMT and Line A and Line B ports on the TCX1000-ILA must be on the same L2 RSTP domain. For L3 remote IP management connectivity to work over the L2 domain, the remote TCX1000 device must be on the same IP subnet as the local TCX1000 device. As L2 devices, TCX1000 devices cannot forward management messages to a remotely connected TCX1000 device on a different L2/L3 subnet. This rule keeps domains segregated to ensure no possible interactions with several IP subnets.

TCX1000-RDM20 L2/L3 Segregation

Best Practice

If you need to deploy a TCX1000-RDM20 device on a different L2/L3 subnet, you must segregate the L2/L3 subnets. You can do this by connecting the TCX1000-RDM20 DCN ports through an external L2 switch and ensuring that OSC forwarding is disabled so that management messages are not forwarded over the TCX1000-RDM20 line port.

If you have a multi-subnet node, you must connect the TCX1000-RDM20s in the node to your DCN HA using a dedicated L2 RSTP-enabled switch for each IP subnet so that the TCX1000-RDM20s can communicate directly over their DCN ports to the proNX Optical Director and you must also ensure that you do not enable OSC forwarding on a TCX1000-RDM20 in a multi-subnet node. As a L2 device, the TCX1000-RDM20 cannot forward management messages to remotely connected TCX1000 device on a different L2/L3 subnet..


For Layer 3 connectivity to work over a Layer 2 network and to provide remote connectivity over its Line port, the local TCX1000-RDM20 must be on the same L2/L3 subnet as the remote TCX1000 device it provides remote management connectivity for regardless of whether the remote device is a TCX1000-RDM20 or TCX1000-ILA.

TCX1000-ILA L2/L3 Segregation


You cannot deploy a TCX1000-ILA on a different L2/L3 subnet from its connecting TCX1000-RDM20 or TCX1000-ILA. If the TCX1000-ILA receives a management message addressed to a remote TCX1000 device it forwards the message out the appropriately line port.

Layer 2/Layer 3 Subnet Segregation Example

On the left of Figure 1, we see two network examples showing the proper set up for Layer 2 and Layer 3 segregation and OSC forwarding.

On the right, we see the same two examples, with OSC forwarding improperly set up, causing management communications to fail.

Figure 1: TCX1000 Hardware Networking Architecture
TCX1000 Hardware Networking

The top-left network in Figure 1 is a three site multi-span network. All three sites are on different IP subnets. TCX1000-RDM20-a is on IP subnet A, it is connected to a 2-degree ROADM node made up of TCX1000-RDM20-b and TCX1000-RDM20-c, which are on IP subnet B and finally to TCX1000-RDM20-d, which is on IP subnet C. Because the three TCX1000-RDM20s are all on different IP subnets, OSC forwarding must be disabled. In this example, OSC forwarding is properly set to disabled.

However, if OSC forwarding was enabled as shown in the top-right example of Figure 1, management communications would not work because they cannot cross IP subnets and this would effectively join IP subnets A, B, and C onto same L2 network, which is not allowed.

The bottom half of Figure 1 shows a different optical network configuration. On the example network in the bottom-left of Figure 1, we have a network with four sites. Three sites are on IP subnet B and one site is on IP subnet A. In this example, OSC forwarding must be disabled on TCX1000-RDM20-e at site A and also on TCX1000-RDM20-f at site B, thereby blocking management communications between IP subnets A and B. However, notice that all the other TCX1000-RDM20s in the network are on IP subnet B; because they are on the same L2/L3 subnet, you can enable OSC forwarding on these TCX1000-RDM20s including: TCX1000-RDM20-g, TCX1000-RDM20-h, TCX1000-RDM20-i, TCX1000-RDM20-j, and TCX1000-RDM20-k.

On the bottom-right in Figure 1, we have the same network, however, in this example, all TCX1000-RDM20s are on different subnets and if OSC forwarding was enabled on any device, management communications would not work. TCX1000-RDM20-p on IP subnet A and TCX1000-RDM20-q on IP subnet B, are properly set with OSC forwarding disabled. However, all other TCX1000-RDM20s in this example have OSC forwarding enabled and as such, the L2/L3 subnets for sites B, C, and D are not segregated. As such, in the bottom-right example, proNX Optical Director communications would not work properly because they cannot cross IP subnets and this would effectively join IP subnets B, C, and D onto same L2 network, which is not allowed.