Central Office Operations

                          Central Office Operations
                         Western Electric 1ESS,1AESS,
                      The end office network environment

Topics covered in this article will be:

        Call tracing
        RCMAC
        Input/output messages
        SCC and SCCS
        COSMOS and LMOS
        BLV, (REMOB) and "No test trunks"
        Recent change messages
        Equal Access

Did I get your attention? Good, everyone should read this. With the time, effort, and balls it has taken me compile this knowledge it is certainly worth your time. I hope you appreciate me taking the time to write this.

I should point out that the information in this article is correct to the best of my knowledge. I'm sure there are going to be people that disagree with me on some of it, particularly the references to tracing. However, I have been involved in telecommunications and computers for 12+ years.

I'm basing this article around the 1AESS since it is the most common switch in use today.

OUTSIDE PLANT **

This is the wiring between your telephone and the central office. That is another topic in itself. If you are interested read Phucked Agent 04's article on The Outside Loop Distribution Plant (OLDP) in the LOD/H Technical Journal, Issue #1. The article explains those green boxes you see on street corners, aerial cables, manholes etc. So where that article stops, this one starts.

CABLE VAULT **

All of the cables from other offices and from subscribers enter the central office underground. They enter into a room called the cable vault. This is a room generally in the basement located at one end or another of the building. The width of the room varies but runs the entire length of the building. Outside cables appear through holes in the wall. The cables then run up through holes in the ceiling to the frame room.

Understand that each of these cables consist of an average of 3600 pairs of wires. That's 3600 telephone lines. The amount of cables obviously depends on the size of the office. All cables (e.g. interoffice, local lines, fiber optic, coaxial) enter through the cable vault.

FRAME ROOM **

The frame is where the cable separates into individual pairs and attach to connectors. The frame runs the length of the building, from floor to ceiling. There are two sides to the frame, the horizontal side and the vertical side. The vertical side is where the outside wiring attaches and the protector fuses reside. The horizontal side is where the connectors to the switching system reside. Multi-conductor cables run from the connectors to actual switching equipment. So what we have is a large frame called the Main Distribution Frame (MDF) running the entire length of the building. From floor to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the HDF. Cables from outside connect on one side and cables from the switching equipment connect to the other side and jumper wires connect the two. This way any piece of equipment can be connected to any incoming "cable pair". These jumper wires are simply 2 conductor twisted pair, running between the VDF and the HDF.

What does all this mean? Well if you had access to COSMOS you would see information regarding cable and pair and "OE" (Office Equipment). With this information you could find your line on the frame and on the switch. The VDF side is clearly marked by cable and pair at the top of the frame, however the HDF side is a little more complicated and varies in format from frame to frame and from switch to switch. Since I am writing this article around the 1AESS, I will describe the OE format used for that switch.

OE ABB-CDD-EFF

Where..

      A = Control Group (when more than one switch exists in that C.O.)
      B = LN  Line Link Network
      C = LS  Line Switching Frame
      D = CONC or CONCentrator
      E = Switch (individual, not the big one)
      F = Level

There is one more frame designation called LOC or LOCation. This gives the location of the connector block on the HDF side. Very simply, looking at the frame:

H ---------------------------------------------------------------------

G ---------------------------------------------------------------------

F ---------------------------------------------------------------------

E ---------------------------------------------------------------------

D ---------------------------------------------------------------------

C ---------------------------------------------------------------------

B ---------------------------------------------------------------------

A ---------------------------------------------------------------------

123456789 etc.

Please note that what you are looking at here represents the HDF side of the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a connector block containing connections for 4 x 24 (which is 96) pairs.

So far I've covered how the wires get from you to the switching equipment. Now we get to the switching system itself.

SWITCHING SYSTEMS **

Writing an article that covers them all would be lengthy indeed. So I am only going to list the major ones and a brief description of each.

Step by Step Strowger 1889 First automatic, required no operators for local calls No custom calling or touch tone Manufactured by many different companies in different versions Hard wire routing instructions, could not choose an alternate route if programed route was busy Each dial pulse tripped a "stepper" type relay to find its path
No.1 Crossbar 1930
No.5 Crossbar 1947 (faster, more capacity) Western Electric First ability to find idle trunks for call routing No custom calling, or equal access Utilized 10x20 cross point relay switches Hard wired common control logic for program control Also copied by other manufactures
No.4 Crossbar Used as a toll switch for AT&T's long lines network 4 wire tandem switching Not usually used for local loop switching
No.1ESS 1966
No.1AESS 1973 Western Electric Described in detail later
No.1EAX GTE Automatic Electric GTE's version of the 1AESS Slower and louder
No.2ESS 1967
No.2BESS 1974 Western Electric Analog switching under digital control Very similar to the No.1ESS and No.1AESS Downsized for smaller applications

_ No.3ESS

      Western Electric
      Analog switching under digital control
      Even smaller version of No.1AESS
      Rural applications for up to 4500 lines

No.2EAX GTE Automatic Electric Smaller version of 1EAX Analog switch under digital control
No.4ESS Western Electric Toll switch, 4 wire tandem Digital switching Uses the 1AESS processor
No.3EAX Gee is there a pattern here? No GTE Digital Toll switch 4 wire tandem switching
No.5ESS AT&T Network Systems Full scale computerized digital switching ISDN compatibility Utilizes time sharing technology Toll or end office
DMS 100 Digital Matrix Switch Northern Telecom Similar to 5ESS Runs slower Considerably less expensive
DMS 200 Toll and Access Tandem Optional operator services
DMS 250 Toll switch designed for common carriers
DMS 300 Toll switch for international gateways
No.5EAX GTE Automatic Electric Same as above

How much does a switch cost? A fully equipped 5ESS for a 40,000 subscriber end office can cost well over 3 million dollars. Now you know why your phone bill is so much. Well...maybe you parents bill.

The 1ESS and 1AESS **

This was the first switch of it's type put into widespread use by Bell. Primarily an analog switch under digital control, the switch is no longer being manufactured. The 1ESS has been replaced by the 5ESS and other full scale digital switches, however, it is still by far the most common switch used in today's Class 5 end offices.

The #1 and 1A use a crosspoint matrix similar to the X-bar. The primary switch used in the matrix is the ferreed (remreed in the 1A). It is a two state magnetic alloy switch. It is basically a magnetic switch that does not require voltage to stay in it's present position. A voltage is only required to change the state of the switch.

The No. 1 utilized a computer style, common control and memory. Memory used by the #1 changed with technology, but most have been upgraded to RAM. Line scanners monitor the status of customer lines, crosspoint switches, and all internal, outgoing, and incoming trunks, reporting their status to the central control. The central control then either calls upon program or call store memories to chose which crosspoints to activate for processing the call. The crosspoint matrices are controlled via central pulse distributors which in turn are controlled by the central control via data buses. All of the scanner's AMA tape controllers, pulse distro, x-point matrix, etc., listen to data buses for their address and command or report their information on the buses. The buses are merely cables connecting the different units to the central control.

The 1E was quickly replaced by the 1A due to advances in technology. So 1A's are more common, also many of the 1E's have been upgraded to a 1A. This meant changing the ferreed to the remreed relay, adding additional peripheral component controllers (to free up central controller load) and implementation of the 1A processor. The 1A processor replaced older style electronics with integrated circuits. Both switches operate similarly. The primary differences were speed and capacity. The #1ESS could process 110,000 calls per hour and serve 128,000 lines.

Most of the major common control elements are either fully or partially duplicated to ensure reliability. Systems run simultaneously and are checked against each other for errors. When a problem occurs the system will double check, reroute, or switch over to auxiliary to continue system operation. Alarms are also reported to the maintenance console and are in turn printed out on a printer near the control console.

Operation of the switch is done through the Master Control Center (MCC) panel and/or a terminal. Remote operation is also done through input/output channels. These channels have different functions and therefore receive different types of output messages and have different abilities as for what type of commands they are allowed to issue. Here is a list of the commonly used TTY channels.

Maintenance - Primary channel for testing, enable, disable etc. Recent Change - Changes in class of service, calling features etc. Administrative - Traffic information and control Supplementary - Traffic information supplied to automatic network control SCC Maint. - Switching Control Center interface Plant Serv.Cent.- Reports testing information to test facilities

At the end of this article you will find a list of the most frequently seen Maintenance channel output messages and a brief description of their meaning. You will also find a list of frequently used input messages.

There are other channels as well as back ups but the only ones to be concerned with are Recent Change and SCC maint. These are the two channels you will most likely want to get access to. The Maintenance channel doesn't leave the C.O. and is used by switch engineers as the primary way of controlling the switch. During off hours and weekends the control of the switch is transferred to the SCC.

The SCC is a centrally located bureau that has up to 16 switches reporting to it via their SCC maint. channel. The SCC has a mini computer running SCCS that watches the output of all these switches for trouble conditions that require immediate attention. The SCC personnel then have the ability to input messages to that particular switch to try and correct the problem. If necessary, someone will be dispatched to the C.O. to correct the problem. I should also mention that the SCC mini, SCCS has dialups and access to SCCS means access to all the switches connected to it. The level of access however, may be dependent upon the privileges of the account you are using.

The Recent Change channels also connect to a centrally located bureau referred to as the RCMAC. These bureaus are responsible for activating lines, changing class of service etc. RCMAC has been automated to a large degree by computer systems that log into COSMOS and look for pending orders. COSMOS is basically an order placement and record keeping system for central office equipment, but you should know that already, right? So this system, called Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent change work, then in one batch several times a day, transmits the orders to the appropriate switch via it's Recent Change Channel.

Testing of the switch is done by many different methods. Bell Labs has developed a number of systems, many accomplishing the same functions. I will only attempt to cover the ones I know fairly well.

The primary testing system is the trunk test panels located at the switch itself. There are three and they all pretty much do the same thing, which is to test trunk and line paths through the switch.

         Trunk and Line Test Panel
         Supplementary Trunk Test Panel
         Manual Trunk Test Panel

     MLT (Mechanized Loop Testing) is another popular one. This system is

often available through the LMOS data base and can give very specific measurements of line levels and losses. The "TV Mask" is also popular giving the user the ability to monitor lines via a call back number.

DAMT (Direct Access Mechanized Testing) is used by line repairmen to put tone on numbers to help them find lines. This was previously done by Frame personnel, so DAMT automated that task. DAMT can also monitor lines, but unfortunately, the audio is scrambled in a manor that allows one only to tell what type of signal is present on the line, or whether it is busy or not.

All of these testing systems have one thing in common: they access the line through a "No Test Trunk". This is a switch which can drop in on a specific path or line and connect it to the testing device. It depends on the device connected to the trunk, but there is usually a noticeable "click" heard on the tested line when the No Test Trunk drops in. Also the testing devices I have mentioned here will seize the line, busying it out. This will present problems when trying to monitor calls, as you would need to drop in during the call. The No Test Trunk is also the method in which operator consoles perform verifications and interrupts.

INTEROFFICE SIGNALLING **

Calls coming into and leaving the switch are routed via trunks. The switches select which trunk will route the call most effectively and then retransmits the dialed number to the distant switch. There are several different ways this is done. The two most common are Loop Signaling and CCIS, Common Channel Interoffice Signaling. The predecessor to both of these is the famous and almost extinct "SF Signaling". This utilized the presence of 2600hz to indicate trunks in use. If one winks 2600Hz down one of these trunks, the distant switch would think you hung up. Remove the 2600, and you have control of the trunk and you could then MF a number. This worked great for years. Assuming you had dialed a toll free number to begin with, there was no billing generated at all. The 1AESS does have a program called SIGI that looks for any 2600 winks after the original connection of a toll call. It then proceeds to record on AMA and output any MF digits received. For more information on AMA see Phantom Phreaker's article entitled, Understanding Automatic Message Accounting in the LOD/H TJ Issue #3. However due to many long distant carriers using signaling that can generate these messages it is often overlooked and "SIG IRR" output messages are quite common.

Loop signaling still uses MF to transmit the called number to distant switches, however, the polarity of the voltage on the trunk is reversed to indicate trunk use.

CCIS sometimes referred to CCS#6 uses a separate data link sending packets of data containing information regarding outgoing calls. The distant switch monitors the information and connects the correct trunk to the correct path. This is a faster and more efficient way of call processing and is being implemented everywhere. The protocol that AT&T uses is CCS7 and is currently being accepted as the industry standard. CCS6 and CCS7 are somewhat similar.

Interoffice trunks are multiplexed together onto one pair. The standard is 24 channels per pair. This is called T-1 in it's analog format and D-1 in its digital format. This is often referred to as carrier or CXR. The terms frame error and phase jitter are part of this technology which is often a world in itself. This type of transmission is effective for only a few miles on twisted pair. It is often common to see interoffice repeaters in manholes or special huts. Repeaters can also be found within C.O.s, amplifying trunks between offices. This equipment is usually handled by the "carrier" room, often located on another floor. Carrier also handles special circuits, private lines, and foreign exchange circuits.

After a call reaches a Toll Switch, the transmit and receive paths of the calling and called party are separated and transmitted on separate channels. This allows better transmission results and allows more calls to be placed on any given trunk. This is referred to as 4 wire switching. This also explains why during a call, one person can hear crosstalk and the other cannot. Crosstalk will bleed over from other channels onto the multiplexed T-Carrier transmission lines used between switches.

CALL TRACING

So with the Loop Signaling standard format there is no information being transmitted regarding the calling number between switches. This therefore causes the call tracing routine to be at least a two step process. This is assuming that you are trying to trace an anticipated call, not one in progress. When call trace "CLID" is placed on a number, a message is output every time someone calls that number. The message shows up on most of the ESS output channels and gives information regarding the time and the number of the incoming trunk group. If the call came from within that office, then the calling number is printed in the message. Once the trunk group is known, it can usually be determined what C.O. the calls are coming from. This is also assuming that the calls are coming from within that Bell company and not through a long distance carrier (IEC). So if Bell knows what C.O. the calls are coming from, they simply put the called number on the C.I. list of that C.O. Anytime anyone in that C.O. calls the number in question another message is generated showing all the pertinent information.

Now if this were a real time trace it would only require the assistance of the SCC and a few commands sent to the appropriate switches (i.e. NET-LINE). This would give them the path and trunk group numbers of the call in progress. Naturally the more things the call is going through, the more people that will need to be involved in the trace. There seems to be a common misconception about the ability to trace a call through some of the larger packet networks i.e. Telenet and TYMNET. Well I can assure you, they can track a call through their network in seconds (assuming multiple systems and/or network gateways are not used) and then all that is needed is the cooperation of the Bell companies. Call tracing in itself it not that difficult these days. What is difficult is getting the different organizations together to cooperate. You have to be doing something relatively serious to warrant tracing in most cases, however, not always. So if tracing is a concern, I would recommend using as many different companies at one time as you think is necessary, especially US Sprint, since they can't even bill people on time much less trace a call. But...it is not recommended to call Sprint direct, more on that in the Equal Access section.

EQUAL ACCESS

The first thing you need to understand is that every IEC Inter Exchange Carrier (long distance company) needs to have an agreement with every LEC Local Exchange Carrier (your local phone company) that they want to have access to and from. They have to pay the LEC for the type of service they receive and the amount of trunks, and trunk use. The cost is high and the market is a zoo. The LECs have the following options:

Feature Group A -

This was the first access form offered to the IECs by the LECs. Basically whenever you access an IEC by dialing a regular 7 digit number (POTS line) this is FGA. The IECs' equipment would answer the line and interpret your digits and route your call over their own network. Then they would pick up an outgoing telephone line in the city you were calling and dial your number locally. Basically a dial in, dial out situation similar to Telenet's PC pursuit service.

Feature Group B -

FGB is 950-xxxx. This is a very different setup from FGA. When you dial 950, your local switch routes the call to the closest Access Tandem (AT) (Toll Switch) in your area. There the IECs have direct trunks connected between the AT and their equipment. These trunks usually use a form of multiplexing like T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in from the IEC are basically connected the same way. The IEC MFs into the AT and the AT then connects the calls. There are many different ways FGB is technically setup, but this is the most common.

Tracing on 950 calls has been an area of controversy and I would like to clear it up. The answer is yes, it is possible. But like I mentioned earlier, it would take considerable manpower which equals expensive to do this. It also really depends on how the IEC interface is set up. Many IECs have trunks going directly to Class 5 end offices. So, if you are using a small IEC, and they figure out what C.O. you are calling from, it wouldn't be out of the question to put CLID on the 950 number. This is highly unlikely and I have not heard from reliable sources of it ever being done. Remember, CLID generates a message every time a call is placed to that number. Excessive call trace messages can crash a switch. However, I should mention that brute force hacking of 950s is easily detected and relatively easy to trace. If the IEC is really having a problem in a particular area they will pursue it.

Feature Group C -

FGC is reserved for and used exclusively by AT&T.

Feature Group D - FGD is similar to FGB with the exception that ANI is MF'ed to the IEC. The end office switch must have Equal Access capability in order to transmit the ANI. Anything above a X-bar can have it. FGD can only be implemented on 800 numbers and if an IEC wants it, they have to buy the whole prefix. For a list of FGD prefixes see 2600 Magazine. You should also be aware that MCI, Sprint, and AT&T are offering a service where they will transmit the ANI to the customer as well. You will find this being used as a security or marketing tool by an increasing amount of companies. A good example would be 800-999-CHAT.

OUTPUT MESSAGES **

The following is a compiled list of common switch messages. The list was compiled from various reference materials that I have at my disposal.

                     1AESS COMMON OUTPUT MESSAGES
                --------------------------------------

MSG. DESCRIPTION

ALARM **

AR01 Office alarm
AR02 Alarm retired or transferred
AR03 Fuse blown
AR04 Unknown alarm scan point activated AR05 Commercial power failure
AR06 Switchroom alarm via alarm grid
AR07 Power plant alarm
AR08 Alarm circuit battery loss
AR09 AMA bus fuse blown
AR10 Alarm configuration has been changed (retired,inhibited) AR11 Power converter trouble
AR13 Carrier group alarm
AR15 Hourly report on building and power alarms

AUTOMATIC TRUNK TEST ** AT01 Results of trunk test
CARRIER GROUP ** CG01 Carrier group in alarm CG03 Reason for above
COIN PHONE ** CN02 List of pay phones with coin disposal problems CN03 Possible Trouble CN04 Phone taken out of restored service because of possible coin fraud
COPY ** COPY Data copied from one address to another
CALL TRACE ** CT01 Manually requested trace line to line, information follows CT02 Manually requested trace line to trunk, information follows CT03 Intraoffice call placed to a number with CLID CT04 Interoffice call placed to a number with CLID CT05 Call placed to number on the CI list CT06 Contents of the CI list CT07 ACD related trace CT08 ACD related trace CT09 ACD related trace
DIGITAL CARRIER TRUNK ** DCT COUNTS Count of T carrier errors
MEMORY DIAGNOSTICS ** DGN Memory failure in cs/ps diagnostic program
DIGITAL CARRIER "FRAME" ERRORS ** FM01 DCT alarm activated or retired FM02 Possible failure of entire bank not just frame FM03 Error rate of specified digroup FM04 Digroup out of frame more than indicated FM05 Operation or release of the loop terminal relay FM06 Result of digroup circuit diagnostics FM07 Carrier group alarm status of specific group FM08 Carrier group alarm count for digroup FM09 Hourly report of carrier group alarms FM10 Public switched digital capacity failure FM11 PUC counts of carrier group errors
MAINTENANCE ** MA02 Status requested, print out of MACII scratch pad MA03 Hourly report of system circuits and units in trouble MA04 Reports condition of system MA05 Maintenance interrupt count for last hour MA06 Scanners,network and signal distributors in trouble MA07 Successful switch of duplicated unit (program store etc.) MA08 Excessive error rate of named unit MA09 Power should not be removed from named unit MA10 OK to remove paper MA11 Power manually removed from unit MA12 Power restored to unit MA13 Indicates central control active MA15 Hourly report of # of times interrupt recovery program acted MA17 Centrex data link power removed MA21 Reports action taken on MAC-REX command MA23 4 minute report, emergency action phase triggers are inhibited
MEMORY ** MN02 List of circuits in trouble in memory
NETWORK TROUBLE ** NT01 Network frame unable to switch off line after fault detection NT02 Network path trouble Trunk to Line NT03 Network path trouble Line to Line NT04 Network path trouble Trunk to Trunk NT06 Hourly report of network frames made busy NT10 Network path failed to restore
OPERATING SYSTEM STATUS ** OP:APS-0OP:APSTATUSOP:CHAN OP:CISRC Source of critical alarm, automatic every 15 minutes OP:CSSTATUS Call store status OP:DUSTATUS Data unit status OP:ERAPDATA Error analysis database output OP:INHINT Hourly report of inhibited devices OP:LIBSTAT List of active library programs OP:OOSUNITS Units out of service OP:PSSTATUS Program store status
PLANT MEASUREMENTS ** PM01 Daily report PM02 Monthly report PM03 Response to a request for a specific section of report PM04 Daily summary of IC/IEC irregularities
REPORT ** REPT:ADS FUNCTION Reports that a ADS function is about to occur REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned REPT:ADS FUNCTION STATE CHANGE Change in state of ADS REPT:ADS PROCEDURAL ERROR You fucked up REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable REPT:PROG CONT OFF-NORMAL System programs that are off or on REPT:RC CENSUS Hourly report on recent changes REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)
RECENT CHANGE ** RC18 RC message response
REMOVE ** RMV Removed from service
RESTORE ** RST Restored to service status
RINGING AND TONE PLANT ** RT04 Status of monitors
SOFTWARE AUDIT ** SA01 Call store memory audit results SA03 Call store memory audit results
SIGNAL IRREGULARITY ** SIG IRR Blue box detection SIG IRR INHIBITED Detector off SIG IRR TRAF Half hour report of traffic data
TRAFFIC CONDITION ** TC15 Reports overall traffic condition TL02 Reason test position test was denied TL03 Same as above
TRUNK NETWORK ** TN01 Trunk diagnostic found trouble TN02 Dial tone delay alarm failure TN04 Trunk diag request from test panel TN05 Trunk test procedural report or denials TN06 Trunk state change TN07 Response to a trunk type and status request TN08 Failed incoming or outgoing call TN09 Network relay failures TN10 Response to TRK-LIST input, usually a request from test position TN11 Hourly, status of trunk undergoing tests TN16 Daily summary of precut trunk groups
TRAFFIC OVERLOAD CONDITION ** TOC01 Serious traffic condition TOC02 Reports status of less serious overload conditions
TRANSLATION ** (shows class of service, calling features etc.) TR01 Translation information, response to VFY-DN TR03 Translation information, response to VFY-LEN TR75 Translation information, response to VF:DNSVY
TW02 Dump of octal contents of memory

                    1AESS COMMON INPUT MESSAGES
               -------------------------------------

 Messages always terminate with ". ctrl d "      x=number or trunk network #

MSG. DESCRIPTION
NET-LINE-xxxxxxx0000 Trace of path through switch

NET-TNN-xxxxxx         Same as above for trunk trace
T-DN-MBxxxxxxx         Makes a # busy
TR-DEACTT-26xxxxxxx    Deactivates call forwarding
VFY-DNxxxxxxx          Displays class of service, calling features etc.
VFY-LENxxxxxxxx        Same as above for OE

VFY-LIST-09 xxxxxxx Displays speed calling 8 list