Command Line Interface Reference For The Passport 1600 Series Layer 3 Switch, Version 1.1
316862-B Rev 00
March 2004
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and PASSPORT are trademarks of
Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
IPX is a trademark of Novell, Inc.
SSH is a trademark of SSH Communication Security
TACACS+ is a trademark of Cisco Systems
SecureCRT is a trademark of VanDyke Software, Inc.
SecureNetterm is a trademark of InterSoft International, Inc.
AbsoluteTelnet is a trademark of Celestial Software
PenguiNet is a trademark of Silicon Circus Ltd.
F-Secure is a trademark of F-Secure Corporation
The asterisk after a name denotes a trademarked item.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).
Contents
Tables
Figures
Preface
Connecting a terminal
Setting the switch's IP address
Logging on to the system
Entering CLI commands
Editing commands
Displaying multiple pages
Understanding top-level commands
Managing switch operations
Syslog commands
SSH commands
TACACS+ commands
Password Protection
Password format
System Log Messages
Receiving system log messages
Creating a Syslog host
Configuring a Syslog host
Configuring the maximum number of Syslog hosts
Deleting a Syslog host
Enabling a Syslog host
Disabling a Syslog host
Displaying the current Syslog configuration on the Switch
Enabling and disabling logging on the Switch
Uploading the Switch’s log and configuration to a TFTP server
Configuring Password aging
Displaying the Password aging time
Configuring the Switch’s Secure Mode
Displaying the Switch’s current secure mode
Secure Shell (SSH)
SSH version 2 (SSH-2)
Supported SSH clients
Using the CLI to configure SSH
Configuring Secure Shell (SSH)
Creating a User account
Configuring the SSH authorization mode
Displaying the Switch’s current SSH authorization mode
Updating an SSH user account’s authorization mode
Configuring the SSH encryption algorithm
Displaying the Current SSH encryption algorithm
Displaying the Switch’s current SSH Users
Configuring the SSH Server on the Switch
Displaying the current SSH Server configuration
Enabling and disabling the SSH Server on the Switch
Preface
• Passport 1612G 12 small form factor (SFP) GBICs, which provides small to
medium aggregation
• Passport 1624G 24 SFP GBICs, which provides small to medium aggregation
• Passport 1648T 48 10/100, plus 4 SFP GBICs, which provides small edge
concentration
The Passport 1600 Series Layer 3 routing switch can reside in the wiring closet
(1648T) and in the data center or network core (1612G and 1624G). The Passport
1648T provides Layer 3 functionality in the wiring closet with 48 10/100 ports
and 4 GBIC ports. The Passport 1612G and 1624G provide 12 and 24 gigabit
Ethernet ports for wiring closet aggregation as well as high-speed connections for
servers and power users. These types of aggregation devices typically reside in the
network core or data center but can be placed anywhere.
This guide provides a reference for all of the commands contained in the
Command Line Interface (CLI). You use these commands to configure and
manage a Nortel Networks* Passport 1600 Series Layer 3 routing switch (also
referred to in this guide as the “Passport 1600 Series switch” or the “switch”) via
the serial port or Telnet interfaces.
Text conventions
This guide uses the following text conventions:

angle brackets (< >)
Indicates a single alphanumeric or numeric value that you must enter for the command to successfully execute.
Example: create ipif <ipif_name> <vlan_name> ipaddress <network_address> {state [enable/disable]}
In this example, you must supply an IP interface name in the <ipif_name> space, a VLAN name in the <vlan_name> space, and then a network address in the <network_address> space. Do not type the angle brackets.

slash (/)
Separates sub-commands, parameters, or values in a set. These sub-commands, etc., may be required and mutually exclusive (enclosed in square brackets), or optional (enclosed in braces).
Example: show snmp [community/trap receiver/detail]
In this example, you must enter either community, trap receiver, or detail to specify which type of SNMP users the switch displays.

italic text
Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is
create ipif <ipif>, <vlan_name>
vlan_name is a variable that you substitute a name for.

plain Courier text
Indicates command syntax and system output, for example, prompts and system messages.
Example: show snmp
Note: The list of related publications for this manual can be found in the
release notes that came with your software.
From the Technical Support page, you can open a Customer Service Request
online or find the telephone number for the nearest Technical Solutions Center.
If you are not connected to the Internet, you can call 1-800-4NORTEL
(1-800-466-7835) to learn the telephone number for the nearest Technical
Solutions Center.
An Express Routing Code (ERC) is available for many Nortel Networks products
and services. When you use an ERC, your call is routed to a technical support
person who specializes in supporting that product or service. To locate an ERC for
your product or service, go to the http://www.nortelnetworks.com/help/contact/erc/index.html URL.
Chapter 1
Setting up the switch
The Passport 1600 Series Layer 3 switch supports a Command Line Interface
(CLI) that allows you to configure and manage the switch. You access the CLI
through a direct serial-port connection to the switch or through a Telnet session.
You can open a Telnet session from Device Manager by clicking on the Telnet
button on the toolbar or choosing Device > Telnet from the menu bar. For more
information about Device Manager, see Installing and Using Device Manager.
You can use any terminal or personal computer (PC) with a terminal emulator as
the CLI console station.
This chapter describes how to connect a terminal to the switch, set the IP address
for the switch, reboot the switch, and log on to the switch software. It also
explains how to enter and edit CLI commands. Specifically, this chapter includes
the following topics:
• Connecting a terminal
• Setting the switch's IP address
• Logging on to the system
• Entering CLI commands
Connecting a terminal
The serial console interface is an RS-232 port that enables a connection to a PC or
terminal for monitoring and configuring the switch. The port is implemented as a
DB-9 connector that can operate as either data terminal equipment (DTE) or data
communication equipment (DCE). The default communication protocol settings
for the Console port are:
5 At the Login prompt, enter the login ID (rwa) and press Enter.
6 At the password prompt, enter the password (rwa) and press Enter.
7 Set the switch’s IP address (see “Setting the switch's IP address,” next).
The switch is also assigned a unique MAC address by the factory. This MAC
address cannot be changed. You can view the MAC address, using the show
switch command.
You can automatically set the switch IP address using BOOTP or DHCP
protocols, in which case you must know the actual address assigned to the switch.
The switch has Layer 3 functionality, so its ports can be sectioned into IP
interfaces - where each section has its own range of IP addresses (specified by a
network address and subnet mask). By default, an IP interface named System is
configured on the switch and contains all of the ports on the switch. Initially, you
can use the System interface to assign a range of IP addresses to the switch. Later,
when you configure VLANs and IP interfaces on the switch, the ports you assign
to these VLANs and IP interfaces will be removed from the System interface.
Configuration example
The following example shows how to assign IP address 10.42.73.74 with a subnet
mask of 255.0.0.0 to the switch and save the switch parameters. The Success
message indicates that you can now configure and manage the switch via
TELNET and the CLI using the IP address 10.42.73.74 to connect to the switch.
Success
PP1612:4# reboot
Access level    Description    Default login    Default password
Configuration example
The following example shows how to log on to the switch using read/write/all
access:
Login: rwa
Password: ***
:4#
dir
Entering a question mark (?) will display each command followed by the various
sub-commands, input values, and parameters that are associated with each
command. The dir command has the same function as the ? command.
However, it displays less detail. Figure 2 shows the results of entering the ?
command:
When you enter a command without its required parameters, the CLI will prompt
you with a Next possible completions: message (Figure 3).
PP1612G:4#config account
Command: config account
Next possible completions:
<username>
PP1612G:4#
In Figure 3, you entered the command config account without the required
parameter <username>, so the CLI returned the Next possible
completions: <username> message.
You can reenter the previous command (config account) at the command
prompt by pressing the up arrow. Then, you can enter the appropriate user name
and reenter the config account command. The up arrow and other helpful
console keys are described in the sections that follow.
Editing commands
The console interface assigns certain functions to the editing keys on the
management keyboard. These keys and their functions are described in Table 2.
Key          Description
Delete       The delete key deletes the character under the cursor. The remaining characters to the right of the cursor are then shifted one space to the left.
Backspace    The backspace key deletes the character immediately to the left of the cursor. The remaining characters to the right of the cursor are then shifted one space to the left.
Insert       You can toggle the insert key on or off. When on, characters are entered at the cursor, while the existing characters are shifted to the left. When off, characters are entered at the cursor, overwriting the existing characters.
Left Arrow   The left arrow moves the cursor one space to the left.
Right Arrow  The right arrow moves the cursor one space to the right.
Up Arrow     The up arrow re-enters the previous command line entry. This can be useful if you make a mistake in entering the parameters or values required by a given command.
Tab          The tab key displays the next possible command parameter entry, in a round-robin fashion, once the first level of a command has been entered. If the Tab key is pressed before any part of a command string has been entered, the first level of possible command entries will be displayed, starting with the “?” command, and proceeding through all of the possible commands until the last command in the list (the “upload” command) is displayed. Pressing the Tab key after the “upload” command is displayed will go through the list again, starting with the “?” command.
Key          Description
space        Displays the next page.
Ctrl + c     Stops the display of multiple pages.
Ctrl + u     Deletes a command in the CLI without executing it.
Esc          Stops the display of multiple pages.
n            Displays the next page.
p            Displays the previous page.
q            Stops the display of multiple pages (quit).
r            Refreshes the current page.
a            Displays the remaining pages without pausing between pages (all).
Enter        Displays the next line or table entry.
For example, if you enter the show command with no additional parameters, the
CLI displays all of the possible next parameters (Figure 4).
P1612G:4# show
Command: show
Next possible completions:
802.1p account arpentry bootp_relay command_history dnsr
dst_ipfilter dvmrp error fdb fdbfilter flow_classifier
igmp igmp_snooping ip_fragment_filter ipif ipmc iproute
link_aggregation log mac_priority md5 mgmt_port mirror
multicast_fdb ospf packet ports post_hist rip
route router_ports rtc scheduling serial_port session
snmp stp switch tdp template_rule traffic
trusted_host utilization vlan vlan_interface vlan_ports
PP1612G:4#
In Figure 4, all of the possible next parameters for the show command are
displayed. At the next command prompt, you use the up arrow to re-enter the
show command, followed by the account parameter. The CLI then displays the
user accounts configured on the switch.
Chapter 2
Managing switch operations
This chapter describes the basic switch configuration commands, such as the
commands for creating and configuring user accounts, displaying the switch
information (including the firmware version), configuring the RS-232 console
serial port, and enabling Telnet for out-of-band switch management. Specifically,
this chapter includes the following topics:
Command                   Parameter
create account            admin <username 15>
                          user <username 15>
config account            <username 15>
show account
delete account            <username 15>
config command_history    <value 1-40>
show command_history
?
dir
show session
show switch
show serial_port
config serial_port        baud_rate [9600|19200|38400|115200]
                          auto_logout [never|2-minutes|5_minutes|10_minutes|15_minutes]
enable clipaging
disable clipaging
enable telnet             <tcp_port_number 1-65535>
disable telnet
enable web                <tcp_port_number 1-65535>
disable web
save
download firmware         <ipaddr>
                          <path_filename 64>
download configuration    <ipaddr> increment
                          <path_filename 64>
upload configuration      <ipaddr> <path_filename 64> <append_account>
upload log                <ipaddr> <path_filename 64> <append_account>
reboot
reset                     config
                          system
login
logout
create account
create account
followed by:
Figure 5 shows you how to create a new administrator-level user account with the
username Test.
PP1612G:4#
where:
username 15 is the name assigned to the account. It is an alphanumeric string,
from 1 to 15 characters.
Figure 6 shows you how to change the password for the user account named Test.
Success.
PP1612G:4#
show account
Figure 7 shows an example of the console screen when you display the user
accounts configured on the switch.
PP1612G:4#show account
Command: show account
Current Accounts:
Username        Access Level
--------------- ------------
System          user
Test            Admin
PP1612G:4#
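The following Python example is added here and is not part of the Nortel guide. It parses show account output in the layout of the figure above and reports admin-level accounts that are not on an approved list, together with usernames that break the 1-to-15-character alphanumeric rule stated for <username 15>. The approved list, the function names, and exact-case username matching are assumptions, and the sample text is constructed from the figure.

```python
import re

# Constructed sample: console text in the layout of the "show account" figure.
SAMPLE_OUTPUT = """\
PP1612G:4#show account
Command: show account
Current Accounts:
Username        Access Level
--------------- ------------
System          user
Test            Admin
PP1612G:4#
"""

# "<username 15>": an alphanumeric string, from 1 to 15 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,15}")
# CLI prompts on the page look like "PP1612G:4#", "PP1612:4#" or ":4#".
PROMPT_RE = re.compile(r"^\S*:\d+#")

REASON_BAD_NAME = "username is not 1 to 15 alphanumeric characters"
REASON_BAD_LEVEL = "unrecognised access level"
REASON_UNAPPROVED = "admin-level account is not on the approved list"


def parse_show_account(text):
    """Return [(username, access_level), ...] from `show account` output.

    Rows start after the dashed ruler under the column header and stop at
    the next CLI prompt. Access levels are lower-cased because the figure
    prints "Admin" and "user" with different capitalisation.
    """
    accounts = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            # The ruler line consists only of dashes and spaces.
            if stripped and set(stripped) <= {"-", " "}:
                in_table = True
            continue
        if not stripped:
            continue
        if PROMPT_RE.match(stripped):
            break
        fields = stripped.split()
        if len(fields) != 2:
            raise ValueError(f"unexpected account row: {line!r}")
        accounts.append((fields[0], fields[1].lower()))
    if not in_table:
        raise ValueError("no account table found in the supplied text")
    return accounts


def audit_accounts(accounts, approved_admins):
    """Return [(username, reason), ...] for accounts that need review.

    approved_admins is a hypothetical allowlist kept by the operator.
    Assumption: usernames are compared exactly, including case.
    """
    findings = []
    for name, level in accounts:
        if not USERNAME_RE.fullmatch(name):
            findings.append((name, REASON_BAD_NAME))
        if level not in ("admin", "user"):
            findings.append((name, REASON_BAD_LEVEL))
        elif level == "admin" and name not in approved_admins:
            findings.append((name, REASON_UNAPPROVED))
    return findings


if __name__ == "__main__":
    parsed = parse_show_account(SAMPLE_OUTPUT)
    for user, reason in audit_accounts(parsed, approved_admins={"netops"}):
        print(f"{user}: {reason}")
```
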
where:
username 15 is the name assigned to the account. It is an alphanumeric string,
from 1 to 15 characters.
Figure 8 shows an example of the console screen when you delete the existing
user account Test configured on the switch.
Success.
PP1612G:4#
where:
value 1-40 represents the number of commands that the switch will retain in
its command history list. The valid range is 1 to 40 commands.
Figure 9 shows the command history being configured to retain the last 20
commands:
Success
PP1612G:4#
show command_history
The number of commands displayed depends on the value you entered using the
config command_history command.
?
?
delete account test
delete account
show account test
config account
show account
config account test
config account
create account admin
create account user test
create account user
user
create account
create user account
PP1612G:4#
PP1612G:4# ?
Command: ?
..
? {<specified_command>}
clear
clear arptable
clear counters {ports <portlist>}
clear fdb [vlan <vlan_name 32> | port <port> | all]
clear log
clear post_hist
config 802.1p default_priority [ <portlist> | all ] priority
[2 | 4 | 6 | 7]
config account <username>
config arp_aging time <value 0-65535>
config bootp_relay { hops <value 1-16> | time <sec 0-65535>}
config bootp_relay add ipif <ipif_name 12> <ipaddr>
config bootp_relay delete ipif <ipif_name 12> <ipaddr>
config command_history <value 1-40>
config dnsr [[primary|secondary] nameserver
<ipaddr>|[add|delete] static <domain
_name 32> <ipaddr>]
config dvmrp [ipif <ipif_name 12>| all ] {metric <value 1-31>|
probe <sec 1-6553
5>| neighbor_timeout <sec 1-65535>|state [enabled|disabled]}
config fdb aging_time <sec 10-630>
config flow_classifier template_1 mode [security | qos |
l4_switch] template_2 m
ode [security | qos | l4_switch]
ode [security | qos | l4_switch]
config flow_classifier template_id <value 1-2> mode_parameters
[qos_flavor [802.
1p | dscp | dst_ip | dst_tcp_port | dst_udp_port] | l4_session
{tcp_session fiel
ds {dip | sip | tos | dst_port | src_port | tcp_flags} |
udp_session fields {dip
| sip | tos | dst_port | src_port} | other_session fields
{dip | sip | tos | l4
_protocol | icmp_msg | igmp_type}}]
PP1612G:4#
dir
PP1612G:4# dir
Command: dir
..
?
clear
clear arptable
clear counters
clear fdb
clear log
clear post_hist
config 802.1p default_priority
config account
config arp_aging time
config bootp_relay
config bootp_relay add ipif
config bootp_relay delete ipif
config command_history
config dnsr
config dvmrp
config fdb aging_time
config flow_classifier template_1 mode
config flow_classifier template_id
config flow_classifier vlan
config igmp
config igmp_snooping
config igmp_snooping querier
config ip_forwarding
...
show session
Figure 13 shows the console screen when you display the current switch
management sessions.
PP1612G:4#show session
PP1612G:4#
show switch
The information that displays includes the IP address and subnet mask, the name
of the VLAN on which the switch’s IP address resides, and the boot PROM and
firmware version.
Figure 14 shows a sample console screen when you display the current switch
status.
show serial_port
Figure 15 shows a sample console screen when you display the current serial port
configuration.
To change the settings of the switch’s serial port, use the following command:
config serial_port
Figure 16 shows a sample console screen when you display the current serial port
configuration.
Success.
PP1612G:4#
enable clipaging
By using this command you can pause the console screen at the end of each page
instead of scrolling through more than one screen of information.
Figure 17 shows a sample console screen when you enable CLI paging.
PP1612G:4#enable clipaging
Command: enable clipaging
Success.
PP1612G:4#
disable clipaging
By using this command, you can stop the console screen from pausing at the end of
each page, so that output scrolls through more than one screen of information.
Figure 18 shows a sample console screen when you disable CLI paging.
PP1612G:4#disable clipaging
Command: disable clipaging
Success.
PP1612G:4#
Enabling Telnet
To enable Telnet connections between a remote management station and the
switch, using the default TCP port number 23, use the following command:
enable telnet
You can use all of the commands described in this manual to configure the 1600
switch over an Ethernet link using the Telnet protocol. The procedures, syntax of
the commands, and input of values are identical when using either the serial port
or the Telnet protocol to configure and manage the switch.
enable telnet
followed by:
Figure 19 shows a sample console screen when you enable Telnet, using TCP port
number 23.
PP1612G:4#enable telnet 23
Command: enable telnet 23
Success.
PP1612G:4#
Disabling Telnet
To disable Telnet as a communication protocol between a remote management
station and the switch, use the following command:
disable telnet
PP1612G:4#disable telnet
Command: disable telnet
Success.
PP1612G:4#
enable web
You can use all of the commands described in this manual to configure the 1600
switch over an Ethernet link using a web browser and the web-based management
agent built into the switch.
enable web
followed by:
Figure 19 shows a sample console screen when you enable Telnet, using TCP port
number 23.
PP1612G:4#enable web 80
Command: enable web 80
Success.
PP1612G:4#
disable web
Figure 20 shows a sample console screen when you disable the web-based
manager.
PP1612G:4#disable web
Command: disable web
Success.
PP1612G:4#
save
Figure 23 shows a sample console screen when you save the current switch
configuration to NV-RAM.
PP1612G:4#save
Command: save
Managing files
Trivial File Transfer Protocol (TFTP) services allow you to upgrade the switch’s
firmware by transferring a new firmware file from a TFTP server
to the switch. A configuration file can also be loaded into the switch from a TFTP
server, switch settings can be saved to the TFTP server, and a history log can be
uploaded from the switch to the TFTP server.
• Downloading switch firmware
• Downloading a configuration file
• Uploading a configuration file to a TFTP server
• Uploading a log file to a TFTP server
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.
Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.
The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.
For example, to download and install a new switch firmware file from a remote
TFTP server, IP address 10.20.20.128, on the server’s hard drive at
C:\firmware.had, enter the following command:
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.
Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.
The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.
PP1612G:4#
To upload the current switch configuration settings to a remote TFTP server, enter
the following command:
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the configuration file from the switch. The path filename
can be up to 64 characters.
Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.
The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.
PP1612G:4#
To upload a log file to a remote TFTP server, use the following command:
where:
ipaddr is the IP address of the remote TFTP server, and
path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the log file from the switch.
Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.
The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.
Figure 26 shows how to upload a log file named c:\cfg\log.txt to a remote TFTP
server at IP address 10.48.74.121.
PP1612G:4#
reboot
Figure 27 shows a sample console screen when you reboot the switch.
PP1612G:4#reboot
Command: reboot
reset
reset
followed by:
Figure 28 shows a sample console screen when you reset the switch configuration.
PP1612G:4#reset config
Command: reset config
login
Figure 29 shows a sample console screen when you initiate the login procedure on
the switch.
PP1612G:4#login
Command: login
UserName:
logout
Figure 30 shows a sample console screen when you log out of the switch.
PP1612G:4#logout
Chapter 3
Configuring ports
This chapter describes the CLI commands that you can use to set the speed, flow
control, MAC address learning, and the state (enabled or disabled) for a port or
range of ports on the switch. It includes the following topics:
Topic
Configuring ports
Command Parameter
config ports <portlist> all
speed [auto|10_half|10_full|100_half|100_full|1000_full]
flow_control [enabled|disabled]
learning [enabled|disabled]
state [enabled|disabled]
show ports <portlist>
config mgmt_port speed [auto|10_half|10_full|100_half|100_full|1000_full]
flow_control [enabled|disabled]
learning [enabled|disabled]
state [enabled|disabled]
Configuring ports
To configure the ports on the switch, use the following command:
where:
portlist allows you to specify the ports that you want to configure. You must
first enter the lowest port number in a group, and then the highest port number in a
group, separated by a dash. For example, to enter a port group that includes switch
ports 1, 2, and 3, you enter 1-3.
To enter ports that are not contained within a group, enter the port numbers,
separated by a comma. For example, port group 1-3 and port 26 are entered
as 1-3, 26.
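The portlist notation described above, as a parser you can use when checking saved port settings offline. This is an added example, not code from the switch or from Nortel; the function names and the `max_port` default of 48 are assumptions of the example.

```python
def parse_portlist(portlist, max_port=48):
    """Expand a portlist such as "1-3, 26" into a sorted list of port numbers.

    max_port is an assumption of this example; set it to the number of
    ports on the switch whose configuration is being checked.
    """
    ports = set()
    for item in portlist.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in portlist %r" % portlist)
        low_text, dash, high_text = item.partition("-")
        low_text, high_text = low_text.strip(), high_text.strip()
        if not low_text.isdigit() or (dash and not high_text.isdigit()):
            raise ValueError("not a port or port range: %r" % item)
        low = int(low_text)
        high = int(high_text) if dash else low
        # The lowest port of a group is entered first, then the highest.
        if low > high:
            raise ValueError("range must start with the lowest port: %r" % item)
        if low < 1 or high > max_port:
            raise ValueError("port outside 1-%d: %r" % (max_port, item))
        ports.update(range(low, high + 1))
    return sorted(ports)


def format_portlist(ports):
    """Collapse port numbers back into portlist notation, e.g. "1-3,26"."""
    groups = []
    start = prev = None
    for port in sorted(set(ports)):
        if start is None:
            start = prev = port
        elif port == prev + 1:
            prev = port
        else:
            groups.append((start, prev))
            start = prev = port
    if start is not None:
        groups.append((start, prev))
    return ",".join(
        str(a) if a == b else "%d-%d" % (a, b) for a, b in groups
    )


if __name__ == "__main__":
    print(parse_portlist("1-3, 26"))
    print(format_portlist([26, 3, 1, 2]))
```

Normalising both sides with `format_portlist(parse_portlist(...))` lets two configurations be compared even when their port groups were typed differently.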
316862-B Rev 01
Figure 31 shows how to set ports 1, 2, and 3 to 10 Mbps, with full duplex, and
MAC address learning, and frame forwarding enabled on the switch.
show ports
show ports
followed by:
<portlist> Specifies a list of ports to display.
PP1612G:4#show ports
To configure the copper management port on the 1612G and 1624G switches, use
the following command:
config mgmt_port
followed by:
Figure 31 shows how to configure the dedicated management port to 100 Mbps,
with full duplex, and MAC address learning, and frame forwarding enabled on the
switch.
show mgmt_port
PP1612G:4#show mgmt_port
Chapter 4
Configuring Spanning Tree
The IEEE 802.1D Spanning Tree Protocol (STP) allows links between switches
that form loops within the network to be blocked. When it detects multiple links
between switches, it establishes a primary link. Duplicate links are then blocked
and become standby links. STP also allows you to use these duplicate links in the
event of a failure of the primary link. The reactivation of the blocked links is done
automatically, without requiring operator intervention.
This chapter describes the commands you use to configure, enable and disable
STP, and show STP ports. Specifically, it includes the following topics:
Topic
Roadmap of Spanning Tree CLI commands
Configuring STP
Enabling STP on the switch
Disabling STP on the switch
Displaying STP status on the switch
Displaying STP port group status
Command Parameter
config stp ports <portlist>
maxage <value>
hellotime <value>
forwarddelay <value>
priority <value>
fbpdu [enable|disable]
enable stp
disable stp
show stp
Configuring STP
To configure STP on the switch, use the following command:
config stp
config stp
followed by:
Figure 35 shows you how to configure STP on the switch, using a max age time of
18 seconds, and a hello time of 4 seconds.
Success.
PP1648T:4#
enable stp
PP1648T:4#enable stp
Command: enable stp
Success.
PP1648T:4#
disable stp
Success.
PP1648T:4#
show stp
Figure 38 shows you an example of an STP switch status display when STP is
enabled.
PP1648T:4#
Figure 39 shows you an example of an STP switch status display when STP is
disabled.
PP1648T:4#
Figure 40 shows you how to display the status of an STP port group, consisting of
ports 1 through 9.
Chapter 5
Security features
This chapter describes the CLI commands that you can use to set the security
features of the Switch. It includes the following topics:
Topic
Password Protection
Syslog commands
Command Parameter
enable syslog
disable syslog
show syslog
config syslog max_hosts <int 1-10>
create syslog host <slog_id>
severity
informational
warning
error
fatal
all
facility
local0
local1
local2
local3
local4
local5
local6
local7
udp_port <int 514-530>
ipaddress <ipaddr>
state enabled|disabled
config syslog host <slog_id>
severity
informational
warning
error
fatal
all
facility
local0
local1
local2
local3
local4
local5
local6
local7
udp_port <int 514-530>
ipaddress <ipaddr>
state enabled|disabled
delete syslog host <slog_id>
all
SSH commands
Command Parameter
config ssh algorithm 3DES
AES128
AES192
AES256
arcfour
blowfish
cast128
twofish128
twofish192
twofish256
MD5
SHA1
RSA
DSA
enabled|disabled
show ssh algorithm
show ssh authmode password
publickey
hostbased
enabled|disabled
show ssh authmode
show ssh user <username>
authmode
publickey
password
hostbased
hostname <domain_name 31>
hostname_ip <domain_name 31>
<ipaddr>
show ssh user
config ssh server maxsession <int 1-3>
timeout <sec 1-120>
authfail <init 2-20>
rekey
10min
30min
60min
never
port <tcp_port_number 1-65535>
enable | disable ssh
show ssh server
config ssh regenerate hostkey
TACACS+ commands
Command Parameter
enable authentication
disable authentication
config authentication login console
telnet
ssh
web
all
tacacs+
local
none
config authentication admin console
ssh
telnet
all
tacacs+
local
none
config login_authen response_timeout <sec 1-255>
show authentication
create tacacs+_server <ip_address>
tcp_port <int 1-65535>
key <string 254>
timeout <sec 1-255>
config tacacs+_server <ip_address>
tcp_port <int 1-65535>
key <string 254>
timeout <sec 1-255>
delete tacacs+_server <ip_address>
show tacacs+_server
enable admin
config admin local_password <password 8-15>
Password Protection
The password security features allow you to restrict access to the switch. Network
managers have restricted access to the control path; users have restricted access to
the data path.
The network administrator has the ability to login to a Passport 1600 Series switch
and configure passwords through the CLI. The Passport 1600 Series switch
supports multi-level access with the use of different logins and passwords.
A local database stores the information about user name, password and privilege
level. All Web and CLI logins check the user name and password with the
information in the database.
Password format
The following is a list of rules or guidelines to use when creating or modifying
passwords.
• You may use only alphanumeric characters, special characters are not allowed
in passwords.
• The length of passwords must be eight characters or more.
• Administrator and User level access with different login and passwords are
supported.
• Logins are rejected after three invalid attempts.
• If the Switch is operating in secure mode, a password history for each user
account is maintained. The last 5 passwords for a given user account are kept
in this history, and the Switch will prevent the Administrator from
re-assigning any of these 5, previously assigned, passwords to the user’s
account.
• If a user tries to login and fails due to an error in entering a user name or
password three consecutive times, the switch will deny the telnet session. The
telnet session of the source IP address will be denied for three minutes.
You can use the system log messaging feature of the Passport 1600 Series switch
to manage switch event messages on any UNIX-based management platform. The
Passport 1600 Series switch syslog software supports this functionality by
communicating with a counterpart software component named syslog on your
management workstation. The UNIX daemon syslogd is a software component
that receives and locally logs, displays, prints, and/or forwards messages that
originate from sources internal and external to the workstation. For example,
syslogd on a workstation concurrently handles messages received from
applications running on the workstation, as well as messages received from a
Passport switch running in a network accessible to the workstation.
At a remote management workstation, the system log messaging feature does the
following:
Internally the Passport 1600 Series switch has four severity levels for log
messages:
• Info
• Warning
• Critical
• Error
Table 4 shows the default mapping of internal severity levels to syslog severity
levels.
5 Notice -
6 Info Info
7 Debug -
The following sections detail the CLI commands used to configure Syslog on the
Switch.
Numerical Code   Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security|authorization messages
5 messages generated internally by syslog
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security|authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
Success.
:4#
Numerical Code   Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security|authorization messages
5 messages generated internally by syslog
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security|authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)
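On the collector side, the facility chosen for a Syslog host arrives inside the numeric `<PRI>` prefix of each message. The decoder below is an added example, not code from the switch or from Nortel: it assumes the standard syslog encoding (PRI = facility code × 8 + severity code, RFC 3164) and the standard severity names, of which only codes 5 to 7 appear on this page; the sample messages are constructed.

```python
import re

# Facility codes 0-15 as listed in the facility table on this page.
FACILITIES = {
    0: "kernel messages", 1: "user-level messages", 2: "mail system",
    3: "system daemons", 4: "security|authorization messages",
    5: "messages generated internally by syslog",
    6: "line printer subsystem", 7: "network news subsystem",
    8: "UUCP subsystem", 9: "clock daemon",
    10: "security|authorization messages", 11: "FTP daemon",
    12: "NTP subsystem", 13: "log audit", 14: "log alert",
    15: "clock daemon",
}
# Codes 16-23 are the local0-local7 facilities a Syslog host can be set to.
FACILITIES.update({16 + n: "local%d" % n for n in range(8)})

# Standard syslog severity names, code 0 (most severe) to 7 (assumption:
# taken from RFC 3164, not from this page).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode(line):
    """Split one syslog message into facility, severity and text.

    Returns None when the <PRI> prefix is missing or above 191 (23*8 + 7).
    """
    match = PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": match.group(2),
    }


def triage(lines, expected_facility, alert_at=4):
    """Sort messages received on the port reserved for the switch.

    alerts:     expected facility, severity code <= alert_at (Warning or worse)
    unexpected: well-formed, but logged to a facility the switch was not
                configured to use
    malformed:  no valid <PRI>; syslog over UDP is unauthenticated, so both
                of the last two groups deserve a look
    """
    result = {"alerts": [], "unexpected": [], "malformed": []}
    for line in lines:
        record = decode(line)
        if record is None:
            result["malformed"].append(line)
        elif record["facility_name"] != expected_facility:
            result["unexpected"].append(record)
        elif record["severity"] <= alert_at:
            result["alerts"].append(record)
    return result


# Constructed sample input; the message texts are invented for the example.
SAMPLE = [
    "<155>PP1612G: constructed error message",    # 19*8 + 3: local3, Error
    "<158>PP1612G: constructed info message",     # 19*8 + 6: local3, Info
    "<156>PP1612G: constructed warning message",  # 19*8 + 4: local3, Warning
    "<34>constructed message from another host",  # 4*8 + 2: facility 4
    "<999>constructed bad priority",
    "constructed line without a priority",
]

if __name__ == "__main__":
    report = triage(SAMPLE, "local3")
    for key in ("alerts", "unexpected", "malformed"):
        print(key, len(report[key]))
```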
Success.
:4#
To configure the maximum number of Syslog hosts that can be created on the
Switch, use the following command:
Figure 43 shows the setting of 10 Syslog hosts as the maximum on the Switch.
Success.
:4#
To delete a previously created Syslog host on the Switch, use the following
command:
Success.
:4#
To enable a previously created Syslog host on the Switch, use the following
command:
enable syslog
enable syslog
:4#enable syslog
Command: enable syslog
Success.
:4#
To disable a previously created Syslog host on the Switch, use the following
command:
disable syslog
disable syslog
:4#disable syslog
Command: disable syslog
Success.
:4#
To display the current Syslog configuration on the Switch, use the following
command:
show syslog
show syslog
followed by:
Figure 47 shows the displaying of the current Syslog host configuration on the
Switch.
:4#
To disable the logging of all CLI commands issued by the user Johnson, use the
following command:
config log_state
followed by:
Figure 48 shows the disabling of CLI command logging for the user account
Johnson.
Success.
:4#
upload
followed by:
:4#
config password_aging
config password_aging
followed by:
Figure 50 shows the setting of the maximum amount of time a password assigned
to a user account can be in use to be 10 days.
Success.
:4#
The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to configure the maximum amount of time a password assigned to a user
account is allowed to be in use. The default is 90 days. The Switch will give a
warning message when the user logs in at the point where 75, 80, 85, 90, and 95%
of the maximum password age time has expired.
show password_aging
show password_aging
Figure 51 shows the display of the currently configured maximum amount of time
a password assigned to a user account can be in use.
:4#show password_aging
Command: show password_aging
:4#
Initially, when the Switch’s secure mode is set to high, only the RS-232 Console
port can be used to manage and configure the Switch. You can manually enable
any of the remote management applications, however, using the CLI and the
RS-232 Console port.
Note: The config secure mode [normal | high] command can only be
entered from the Console application and cannot be entered from a remote
management application, such as TELNET, SSH, or the Web-based
configuration manager.
Note: After resetting the Passport 1600 Series switch, if the high secure
mode was previously configured, the switch remains in high secure mode.
To return to normal secure mode, you must manually disable the high
secure mode. You can only perform this operation from the CLI.
To configure the Switch to close the SSH, TELNET, WEB, and SNMP remote
management and configuration applications, use the following command:
config secure_mode
followed by:
Figure 52 shows the Switch’s secure mode being set to high. In this mode, only
the RS-232 Console port can be used to manage and configure the Switch.
Success.
:4#
The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to configure a secure mode for the Switch as either normal or high. In the
normal mode, the security configuration is in effect, as entered. In the high mode,
the SSH, TELNET, WEB and SNMP remote management and configuration
applications are closed to all users. When the Switch’s secure mode is set to high,
only the RS-232 Console port can be used to manage and configure the Switch.
To display the Switch’s current secure mode configuration, use the following
command:
show secure_mode
show secure_mode
Figure 53 shows the display of the Switch’s currently configured secure mode.
:4#show secure_mode
Command: show secure_mode
:4#
Note: the Passport 1600 Series Switches support only SSH version 2.
The Switch does not support SSH version 1.
• Integrity. This guarantees that the data is transmitted from the sender to the
receiver without any alteration. If any third party captures and modifies the
traffic, the SSH server will detect this alteration. Hmac-MD5 and
Hmac-sha-1 are supported.
The implementation of the SSH server in the Passport 1600 Series switch enables
the SSH client to make a secure connection to a Passport 1600 Series switch and
will work with commercially available SSH clients.
You must use the CLI to initially configure SSH. You can use Device Manager
(DM) to change the SSH configuration parameters. However, Nortel Networks
recommends using the CLI. Nortel Networks also recommends using the console
port to configure the SSH parameters.
The SSH protocol, version 2 (SSH-2) is a complete rewrite of the SSH-1 protocol.
While SSH-1 contains multiple functions in a single protocol, in SSH-2 the
functions are divided among three layers:
The modular approach of the SSH-2 improves on the security, performance, and
portability over the SSH-1 protocol.
Note: The SSH-1 and SSH-2 protocols are not compatible. The SSH
implementation in the Passport 1600 Series switch supports only SSH
version 2.
The Passport 1600 Series switch software release 1.0.1.1 supports the following
third party SSH clients. The table below describes the third party SSH client
software that has been tested but not included with this release.
You can use Device Manager (DM) to change the SSH configuration parameters.
However, Nortel Networks recommends using the Command Line Interface (CLI)
to configure the SSH.
Note: Only the Server SSH has been implemented in the 1.1 release.
There is NO SSH client on the Passport 1600 Series switch. A remote
application must be used to establish the communication with the switch.
The steps required to use the SSH protocol for secure communication between a
remote PC (the SSH Client) and the Switch (the SSH Server), are as follows:
• Create a user account with admin-level access using the create account admin
<username> <password> command. In the example presented below, the
username SSHtest is used. This is identical to creating any other admin-level
User account on the Switch, including specifying a password. This password
is used to login to the Switch, once secure communication has been
established using the SSH version 2 protocol.
• Configure the user account to use a specified authorization method to identify
users that are allowed to establish SSH connections with the Switch using the
config ssh user authmode command. There are some choices as to the method
SSH will use to authorize the user. The two methods, password and publickey
are used in the example presented below.
• Configure the encryption algorithm that SSH will use to encrypt and decrypt
messages sent between the SSH Client and the SSH Server. Again, there are
some choices to make, but 3DES is used in the example presented below.
• Finally, enable SSH on the Switch using the enable ssh command.
• After following the above steps, you can configure an SSH Client on the
remote PC and manage the Switch using secure, in-band communication.
To create an admin or user account, including a username and password, use the
create account command. Note that this command also allows you to select
the privileges this account will have. In general, user-level accounts can display
the switch’s current configuration, but cannot make any changes. Admin-level
accounts have full access to all configuration commands.
To create a new User account for use with the SSH protocol, use the following
command:
The password must be at least 8 and not more than 15 characters. This password
will be used to logon to the switch.
create account
followed by:
Figure 54 shows you how to create a new administrator-level user account with
the username SSHtest.
Success.
:4#
Before the SSH Server on the Switch can establish a secure communications
channel with an SSH Client, you must specify the type of authorization that the
SSH Server can accept to verify the SSH Client as an authorized user. The
password parameter instructs the SSH Server to use the password assigned to the
User account. The public key parameter instructs the SSH Server to use the public
key encryption/decrypting method using a combination of a private key and public
key stored on the remote PC (the SSH Client). The hostbased parameter allows
you to specify a remote host on the network by either name or IP address that will
be allowed to establish an SSH connection with the Switch.
Figure 55 shows how to configure the user account SSHtest to use the password
assigned to this account to authorize an SSH session with the Switch.
Success.
:4#
To display the Switch’s current SSH authorization mode, use the following
command:
Once you have created a user account, and configured the SSH authorization
mode for that account, you can update the information using the config ssh user
command.
To update the configuration of an SSH user account, use the following command:
where:
SSHtest is the username of a previously created User account.
Figure 57 shows how to configure the user account SSHtest to use the password
assigned to this account to authorize an SSH session with the Switch.
Success.
:4#
where:
3DES is the encryption algorithm that the Secure Shell (SSH) will use to encrypt
and decrypt messages between the SSH Server and the SSH Client.
Figure 58 shows the SSH Server on the Switch configured to use the 3DES
encryption algorithm.
Success.
:4#
Encryption Algorithm
-------------------------
3DES : Enable
AES128 : Enable
AES192 : Enable
AES256 : Enable
Arcfour : Enable
Blowfish : Enable
Cast128 : Enable
Twofish128: Enable
Twofish192: Enable
Twofish256: Enable
:4#
where:
3DES is the encryption algorithm that the Secure Shell (SSH) will use to encrypt
and decrypt messages between the SSH Server and the SSH Client.
Figure 61 shows the SSH Server on the Switch configured to allow a maximum of
2 sessions, a timeout of 20 seconds, a maximum of 2 failed authorization attempts,
a rekey time of never, and the use of TCP port number 22.
Success.
:4#
Figure 62 shows the current configuration of the SSH Server on the Switch.
enable ssh
Success.
:4#
Figure 64 shows the current configuration of the SSH Server on the Switch.
Success.
:4#
TACACS+
TACACS+ is a security protocol that provides access control for devices via one
or more centralized servers. All WEB, TELNET and CLI user logins check the
user name and password with a database of Network Access Security (NAS)
servers through the TACACS+ protocol if the authentication method being used is
TACACS+. This is useful in checking authentication when thousands of users
using thousands of devices are distributed around the network.
The system provides two stages of authentication for the user, the first is the
“login” stage and the second is the “enable” stage. Each stage can choose up to
three authentication methods; they are TACACS+, local/enable and none. In
addition, two privilege levels are provided, the user level and the admin level.
When the user passes the first level, the “user” level is assigned. The “admin”
level will be assigned if the user passes the second stage.
TACACS+: Verifies both the username/password pair and enables the password
using the TACACS+ server. When username/password verification is passed, the
user level is assigned. After that, use the “enable admin” command to promote
privilege mode to the admin user. Four TACACS+ servers are supported.
Enable: only the password is checked. This option is used only to promote the
privilege level to the “admin” level.
To create an entry to the Switch’s TACACS+ Server table, use the following
command:
where:
<ip_address> is the IP address of a TACACS+ Server on the network.
create tacacs+_server
followed by:
Figure 65 shows the creation of a TACACS+ Server entry on the Switch, using
the key “top secret.”
Success.
:4#
where:
<ip_address> is the IP address of a TACACS+ Server on the network.
config tacacs+_server
followed by:
config tacacs+_server
followed by:
Success.
:4#
To display the entries in the Switch’s TACACS+ Server table, use the following
command:
show tacacs+_server
show tacacs+_server
Figure 67 shows the current contents of the Switch’s TACACS+ Server table.
:4#
To delete an entry from the Switch’s TACACS+ Server table, use the following
command:
delete tacacs+_server
Success.
:4#
enable admin
When this command is entered, the current user authentication method in use on
the Switch will be used to authenticate the user.
enable admin
There are no options
Figure 69 shows the currently logged on user raising the account’s privilege level
from user-level to admin-level.
Password: ********
Success.
:4#
When this command is entered, the current user authentication method in use on
the Switch will be used to authenticate the user.
Success.
:4#
To configure the maximum amount of time the Switch will wait for a user to input
their password, use the following command:
config login_authen
followed by:
Success.
:4#
This command is used to configure how the Switch will authenticate users when
they login to the various applications that are used to configure the Switch. When
authentication is enabled on the Switch, the authentication settings specified in
this command will take effect. The Switch’s default is to use local authentication,
such as asking for a user name and password when logging on the Console.
When the TACACS+ or the none authentication method is specified, users are
assigned only user-level privileges when they first log on to a Switch management
application (such as the Console). A user who wants to promote their privilege
level to admin-level must enter the enable admin command, described
below.
There are four applications that can be used to configure and manage the
Switch: the Console, TELNET, SSH, and the Web-based configuration manager.
You can assign one of three user-authentication methods to any of these
applications. The three user-authentication methods are TACACS+, local, and
none. TACACS+ instructs the Switch to forward the user name and password to a
TACACS+ Server for authentication. The local method relies upon the Switch
itself to verify the user name and password against the user accounts stored in its
memory. The none method performs no user authentication.
If the TACACS+ user authentication method is specified, and all of the TACACS+
Servers have timed out, or do not exist, the Switch then will use the second
method entered with this command. In the example below, the none user
authentication method will be used.
Figure 72 shows the Switch being configured to use the TACACS+ user
authentication method for the TELNET application.
Success.
:4#
This command is used to configure how the Switch will authenticate users when
they want to promote their privileges from user-level to admin-level, when they
are logged on to the various applications that are used to configure the Switch.
When authentication is enabled on the Switch, the authentication settings
specified in this command will take effect.
When the TACACS+ authentication method is specified, users need to input their
password to promote their privileges from user-level to admin-level. The Switch
will then pass this password to the TACACS+ Server for authentication. The
TACACS+ Server will return a PASS or FAIL.
When enable is specified, the Switch will compare this password to the Switch’s
(local) password. If the passwords are the same, the Switch will return a PASS. If
the two passwords are different, the Switch will return a FAIL.
There are four applications that can be used to configure and manage the
Switch: the Console, TELNET, SSH, and the Web-based configuration manager.
For any of these applications, you can assign one of three user-authentication
methods to authenticate users who want to promote their user-level privileges to
admin-level privileges. The three user-authentication methods are TACACS+, enable,
and none. TACACS+ instructs the Switch to forward the user name and password
to a TACACS+ Server for authentication. The enable method relies upon the
Switch itself to verify the user name and password against the user accounts
stored in its memory. The none method performs no user authentication.
If the TACACS+ user authentication method is specified, and all of the TACACS+
Servers have timed out, or do not exist, the Switch then will use the second
method entered with this command. In the example below, the enable user
authentication method will be used.
To configure the authentication settings that govern the promotion of users with
user-level privileges to admin-level privileges, on the Switch, use the following
command:
Figure 73 shows the Switch being configured to use the TACACS+ user
authentication method to authenticate users who want to promote their user-level
privileges to admin-level privileges, for the TELNET application.
Success.
:4#
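The fallback rule described above for both login and privilege promotion (a second method is used when every TACACS+ Server has timed out or none exists) decides what an outage exposes. The following is an added example, not part of the Nortel guide: a small Python audit that flags management applications whose method chain ends in none. The application labels, the policy dictionary layout and the severity names are assumptions made for illustration and are not switch CLI syntax.

```python
from dataclasses import dataclass
from typing import Optional

# Method names as listed in the text for each setting.
LOGIN_METHODS = {"tacacs+", "local", "none"}
ADMIN_METHODS = {"tacacs+", "enable", "none"}


def effective_method(chain: tuple, tacacs_up: bool) -> Optional[str]:
    """Method the switch ends up using under the fallback rule in the text:
    the second method is consulted only when the first is TACACS+ and all
    TACACS+ servers have timed out or do not exist."""
    if not chain:
        raise ValueError("empty method chain")
    first = chain[0]
    if first != "tacacs+" or tacacs_up:
        return first
    # Assumption: the text does not say what happens when no second method
    # was entered, so report "no usable method" instead of guessing.
    return chain[1] if len(chain) > 1 else None


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str
    detail: str


def audit(policy: dict) -> list:
    """policy maps an application label to {"login": chain, "admin": chain}."""
    findings = []
    for app, chains in sorted(policy.items()):
        login, admin = tuple(chains["login"]), tuple(chains["admin"])
        if not set(login) <= LOGIN_METHODS or not set(admin) <= ADMIN_METHODS:
            raise ValueError(f"{app}: unknown authentication method")
        for tacacs_up in (True, False):
            state = "TACACS+ reachable" if tacacs_up else "all TACACS+ servers down"
            open_login = effective_method(login, tacacs_up) == "none"
            open_admin = effective_method(admin, tacacs_up) == "none"
            if open_login and open_admin:
                findings.append(Finding(app, "critical",
                    f"{state}: admin-level access without any credential"))
            elif open_admin:
                findings.append(Finding(app, "high",
                    f"{state}: 'enable admin' promotes without a password"))
            elif open_login:
                findings.append(Finding(app, "medium",
                    f"{state}: user-level log on without a credential"))
    return findings


# Constructed sample policy (not taken from a real switch).
SAMPLE_POLICY = {
    "console": {"login": ("local",), "admin": ("enable",)},
    "ssh": {"login": ("tacacs+", "local"), "admin": ("tacacs+", "none")},
    "telnet": {"login": ("tacacs+", "none"), "admin": ("tacacs+", "enable")},
    "web": {"login": ("tacacs+", "none"), "admin": ("tacacs+", "none")},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"{f.severity:8} {f.app:8} {f.detail}")
```

Any finding means that making the TACACS+ Servers unreachable, or simply losing them, lowers the bar for that application; choosing local and enable as the second methods removes all three findings in the sample.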
Enabling authentication
enable authentication
enable authentication
There are no options
Figure 74 shows the current authentication settings on the Switch being enabled.
Success.
:4#
Disabling authentication
disable authentication
disable authentication
There are no options
Figure 75 shows the current authentication settings on the Switch being enabled.
Success.
:4#
show authentication
show authentication
There are no options
Chapter 6
Configuring VLANs
This chapter describes the commands you use to configure, enable and disable,
and show VLANs for Layer 2 operations. It also describes how to configure IP on
a VLAN for Layer 3 operations. Specifically, it includes the following topics:
The following roadmap lists all of the VLAN commands and their parameters.
Use this list as a quick reference or click on any entry for more information:
Command Parameter
create vlan <vlan_name 32> type port |ip-subnet
<network_address>
arp_classification_id <vlanid
1-4094> |protocol-ip
|protocol-ipx802dot3
|protocol-ipx802dot2
|protocol-ipxSnap
|protocol-appleTalk
|protocol-decLat |protocol-decOther
|protocol-sna802dot2
|protocol-snaEthernet2
|protocol-netBios |protocol-xns
|protocol-vines |protocol-ipV6
|protocol-userDefined <hex
0x0-0xffff> |encap
[ethernet2|IIc|snap|all]
|protocol-rarp |priority [0|4|6|7]
delete vlan <vlan_name 32>
config vlan <vlan_name 32> add tagged <portlist>
untagged <portlist>
config vlan <vlan_name 32> delete
<portlist>
show vlan <vlan_name 32> |type [port
|ip-subnet <network_address>
arp_classification_id <vlanid
1-4094> |protocol-ip
|protocol-ipx802dot3
|protocol-ipx802dot2
|protocol-ipxSnap
|protocol-appleTalk
|protocol-decLat |protocol-decOther
|protocol-sna802dot2
|protocol-snaEthernet2
|protocol-netBios |protocol-xns
|protocol-vines |protocol-ipV6
|protocol-userDefined <hex
0x0-0xffff> encap
[ethernet2|IIc|snap|all]
|protocol-rarp]
Creating a VLAN
To create a VLAN, use the following command:
where:
vlan_name 32 is the name of the VLAN that you want to create. The VLAN
name can be up to 32 alphanumeric characters.
PP1612G:4#create vlan v1
Command: create vlan v1
Success.
PP1612G:4#
Deleting a VLAN
where:
vlan_name 32 is the name of the VLAN that you want to delete.
PP1612G:4#delete vlan v1
Command: delete vlan v1
Success.
PP1612G:4#
where:
vlan_name 32 is the name of the VLAN to which you want to add ports.
Figure 79 shows you how to add ports 4 through 8 and 10 as VLAN tagged ports.
Success.
PP1612G:4#
where:
vlan_name 32 is the name of the VLAN that you want to delete.
portlist specifies the list of ports to remove from the VLAN. To specify a
range of ports, enter the beginning and end values, separated by a hyphen (e.g.,
1-3). To specify non-contiguous port numbers, enter the port numbers, separated
by commas (e.g., 1,4,8).
Success.
PP1612G:4#
show vlan
show vlan
followed by:
<vlan_name 32> This is the name of the VLAN for which you want to
display the current configuration. If you do not
enter a VLAN name, all of the VLANs currently
configured on the switch will have their
configurations displayed.
type This parameter allows you to select the type of
VLAN that will be created. The available types are
as follows:
port
ip-subnet <network_address>
protocol-ip
protocol-ipx802dot3
protocol-ipx802dot2
protocol-ipxSnap
protocol-appleTalk
protocol-decLat
protocol-decOther
protocol-sna802dot2
protocol-snaEthernet2
protocol-netBios
protocol-xns
protocol-vines
protocol-ipV6
protocol-userDefined <hex 0x0-0xffff> encap
[ethernet2|iic|snap|all]
protocol-rarp
Figure 81 shows you how to display the current configuration for the VLANs on
the switch.
Total Entries : 3
PP1612G:4#
The following roadmap lists all of the IP interface commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:
Command Parameter
create ipif <ipif_name 12>
<network_address> <vlan_name 32>
state [enabled|disabled]
config ipif <ipif_name 12>
ipaddress <network_address> vlan
<vlan_name 32> state
[enabled|disabled]
delete ipif <ipif_name 12>
all
config ipif System vlan <vlan_name 32>
ipaddress <network_address>
state [enabled|disabled]
enable ipif <ipif_name 12>
all
disable ipif <ipif_name 12>
all
show ipif System all
Creating an IP interface
To create an IP interface with a network address and a subnet mask that will be
assigned to a VLAN, enter the following command:
where:
ipif_name 12 is the name of the IP interface. The name can be up to 12
alphanumeric characters.
network_address is the IP address and the netmask of the IP interface you wish
to create. You can specify the address and mask information using the traditional
format (for example, 10.1.2.3/255.0.0.0) or the CIDR format (for example,
10.1.2.3/8).
vlan_name 32 is the name of the VLAN that you want to assign to the IP
interface.
Figure 82 shows how to create an IP interface named ip2 that will be assigned to
the VLAN named vlan2, and will be enabled.
Success.
PP1612G:4#
Configuring an IP interface
where:
ipif_name 12 is the name of the IP interface. The name can be up to 12
alphanumeric characters.
network_address is the IP address and the netmask of the IP interface. You can
specify the address and mask information using the traditional format (for
example, 10.1.2.3/255.0.0.0) or the CIDR format (for example, 10.1.2.3/8).
vlan_name 32 is the name of the VLAN that you want to assign to the IP
interface.
Figure 83 shows how to assign ip2 to vlan3 and enable the interface.
Success.
PP1612G:4#
Deleting an IP interface
To delete the IP interface, use the following command:
delete ipif
delete ipif
followed by:
Success.
PP1612G:4#
To assign the System IP interface an IP address and a subnet mask, enter the
following command:
vlan <vlan_name 32>
    The name of the VLAN that corresponds to the System IP interface.
ipaddress <network_address>
    The IP address and the netmask with which you want the System IP
    interface to be associated. You can specify the address and mask
    information using the traditional format (for example,
    10.1.2.3/255.0.0.0) or the CIDR format (for example, 10.1.2.3/8).
state [enabled|disabled]
    Specifies whether you want the System IP interface to be enabled or
    disabled.
Figure 85 shows you how to configure the System IP interface with the IP address
10.48.74.122 and a subnet mask of 255.0.0.0 (in CIDR format, 10.48.74.122/8).
Success.
PP1612G:4#
Enabling an IP interface
enable ipif
enable ipif
followed by:
Success.
PP1612G:4#
Disabling an IP interface
disable ipif
disable ipif
followed by:
Success.
PP1612G:4#
To display the current configuration of the System IP interface, enter the following
command:
Figure 88 shows you how to display the current configuration of the System IP
interface.
IP Interface Settings
Interface Name : System
IP Address : 10.48.74.122 (MANUAL)
Subnet Mask : 255.0.0.0
VLAN Name : default
Admin. State : Disabled
Link Status : Link UP
Member Ports : 1-26
Total Entries : 1
PP1648T:4#
In addition, you can specify the port (by port number) or the VLAN (by the
VLAN name) on which the MAC address resides. For multicast MAC addresses,
you can specify a range of ports and a VLAN.
The switch enters the relationship between destination MAC or IP addresses and
the Ethernet port or gateway router the destination resides on into its forwarding
table. This information is then used to forward packets. This reduces the traffic
congestion on the network, because packets, instead of being transmitted to all
ports, are transmitted to the destination port only. For example, if Port 1 receives a
packet destined for a station on Port 2, the Switch transmits that packet through
Port 2 only, and transmits nothing through the other ports. This process is referred
to as 'learning' the network topology.
The MAC address aging time affects the learning process of the switch. Dynamic
forwarding table entries, which are made up of the source MAC addresses and
their associated port numbers, are deleted from the table if they are not accessed
within the aging time.
The aging time can be from 10 to 630 seconds with a default value of 300 seconds.
A very long aging time can result in dynamic forwarding table entries that are
out-of-date or nonexistent. This may cause incorrect packet forwarding decisions
by the switch.
If the aging time is too short, many entries are aged out too soon. This results in a
high percentage of received packets whose source addresses cannot be found in
the forwarding table. In this case the switch broadcasts the packet to all ports,
negating many of the benefits of having a switch.
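The trade-off between a long and a short aging time can be replayed on a small trace. The following is an added example, not part of the Nortel guide: a Python model of a learning forwarding table that counts flooded, unicast and misdelivered frames for a given aging time. The 26-port count, the two MAC addresses and the trace are constructed, and the model assumes an entry is refreshed only when its address is seen as a source.

```python
AGING_MIN, AGING_MAX, AGING_DEFAULT = 10, 630, 300  # seconds, from the text


class ForwardingTable:
    """Minimal model of dynamic MAC learning with an aging time."""

    def __init__(self, aging_time=AGING_DEFAULT, ports=range(1, 27)):
        if not AGING_MIN <= aging_time <= AGING_MAX:
            raise ValueError(f"aging time must be {AGING_MIN}-{AGING_MAX} seconds")
        self.aging_time = aging_time
        self.ports = tuple(ports)      # assumption: a 26-port switch
        self._entries = {}             # mac -> (port, time last seen as source)

    def receive(self, now, in_port, src, dst):
        """Learn the source, then return (output ports, flooded?)."""
        self._entries[src] = (in_port, now)
        entry = self._entries.get(dst)
        if entry is not None and now - entry[1] > self.aging_time:
            del self._entries[dst]     # aged out: not seen within the aging time
            entry = None
        if entry is None:
            # Unknown destination: send out of every port except the ingress.
            return tuple(p for p in self.ports if p != in_port), True
        return (entry[0],), False


def replay(aging_time, trace):
    """Replay (time, in_port, src, dst, port_where_dst_really_is) frames."""
    table = ForwardingTable(aging_time)
    stats = {"flooded": 0, "unicast": 0, "misdelivered": 0}
    for now, in_port, src, dst, dst_port in trace:
        out_ports, flooded = table.receive(now, in_port, src, dst)
        stats["flooded" if flooded else "unicast"] += 1
        if dst_port not in out_ports:
            stats["misdelivered"] += 1  # stale entry sent the frame elsewhere
    return stats


# Constructed trace: host B talks once from port 2, is then moved to port 5
# and stays silent, while host A on port 1 keeps sending to it every 60 s.
HOST_A, HOST_B = "00-00-00-00-01-01", "00-00-00-00-01-02"
TRACE = [
    (0, 2, HOST_B, HOST_A, 1),
    (1, 1, HOST_A, HOST_B, 2),
    (60, 1, HOST_A, HOST_B, 5),
    (120, 1, HOST_A, HOST_B, 5),
    (180, 1, HOST_A, HOST_B, 5),
    (240, 1, HOST_A, HOST_B, 5),
]

if __name__ == "__main__":
    for aging in (30, AGING_DEFAULT):
        print(aging, replay(aging, TRACE))
```

With the 30-second setting every later frame is flooded to all other ports; with the 300-second default the stale entry keeps sending the frames to the port the host has left.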
The following sections describe the procedures you use to create, configure,
delete, and display forwarding database entries.
The following roadmap lists all of the forwarding database CLI commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:
Command Parameter
create fdb <vlan_name 32> <macaddr>
port <port>
config fdb aging_time <sec 10-630>
create multicast_fdb <vlan_name 32>
<macaddr>
config multicast_fdb <vlan_name 32>
<macaddr> [add|delete] <portlist>
delete fdb <vlan_name 32> <macaddr>
clear fdb Vlan <vlan_name 32>
Port <port>
all
show multicast_fdb vlan <vlan_name 32>
mac_address <macaddr>
show fdb port <port>
vlan <vlan_name 32>
mac_address <macaddr>
static
aging_time
where:
vlan_name 32 is the name of the VLAN where the MAC address is located.
macaddr is the MAC address that will be added to the switch’s unicast MAC
address forwarding database.
port is the port number on the switch where the specified MAC address resides.
The switch will always forward traffic to the MAC address through this port.
Figure 89 shows the creation of a static MAC address entry, for the MAC address
00-00-00-00-01-02 — which resides on the VLAN named default, on port 2 — to
the switch’s unicast forwarding database.
Success.
PP1612G:4#
To configure the age-out time for the switch’s unicast MAC address forwarding
database, use the following command:
where:
sec 10-630 is the amount of time, in seconds, that a learned MAC address will
remain in the switch’s MAC address forwarding database, without being used,
before being dropped from the database.
Success.
PP1612G:4#
where:
vlan_name 32 is the name of the VLAN where the multicast MAC address is
located.
macaddr is the MAC address that will be added to the switch’s multicast MAC
address forwarding database.
Figure 91 shows how to create a static MAC address entry for the MAC address
00-00-00-00-01-02—which resides on the VLAN named default, on port 2 — to
the switch’s multicast forwarding database:
Success.
PP1612G:4#
where:
vlan_name 32 is the name of the VLAN where the multicast MAC address is
located.
macaddr is the multicast MAC address. add allows you to add this multicast
MAC address to the switch’s multicast MAC address forwarding database;
delete allows you to remove this address from the database.
portlist specifies a range of ports. Ports are specified by entering the lowest
port number in a group, and then the highest port number in a group, separated by
a hyphen. So, a port group including the switch ports 1, 2, and 3 would be entered
as 1-3. Ports that are not contained within a group are specified by entering their
port number, separated by a comma. So, the port group 1-3 and port 26 would be
entered as 1-3, 26.
Success.
PP1612G:4#
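The portlist notation described above (hyphen for a range, commas between separate ports) is easy to check before a change is pushed to a switch. The following is an added example, not part of the Nortel guide: a Python parser and formatter for that notation. The function names are hypothetical, and max_port is a caller-supplied assumption about the switch model.

```python
import re

# One item is either a single port ("26") or a low-high range ("1-3").
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_portlist(text, max_port):
    """Expand a portlist such as "1-3, 26" into a sorted list of ports.

    Rejects empty items, reversed ranges and ports outside 1..max_port so
    that a typo does not silently widen or shrink a VLAN or FDB change.
    """
    ports = set()
    for raw in text.split(","):
        item = raw.strip()
        match = _ITEM.match(item)
        if not match:
            raise ValueError(f"bad portlist item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if low > high:
            raise ValueError(f"reversed range: {item!r}")
        if low < 1 or high > max_port:
            raise ValueError(f"port out of range 1-{max_port}: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def format_portlist(ports):
    """Collapse ports back into the canonical notation, e.g. "4-8,10"."""
    runs = []
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port          # extend the current run
        else:
            runs.append([port, port])   # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


if __name__ == "__main__":
    print(parse_portlist("1-3, 26", max_port=26))
    print(format_portlist([10, 4, 5, 6, 7, 8]))
```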
To delete an entry from the forwarding database, use the following
command:
where:
vlan_name 32 is the name of the VLAN on which the MAC address resides.
macaddr is the MAC address that you want to delete from the switch’s
forwarding database.
Figure 93 shows how to delete the MAC address 00-00-00-01-02, which resides
on the VLAN named default, from the switch’s forwarding database.
Success.
PP1612G:4#
To clear the switch’s forwarding database of learned MAC addresses, use the
following command:
clear fdb
clear fdb
followed by:
Vlan <vlan_name 32> Specifies the name of the VLAN for which you want to
clear all learned MAC addresses from the switch’s
forwarding database.
Port <port> Specifies the port for which you want to clear all learned
MAC addresses from the switch’s forwarding database.
all Specifies that you want all learned MAC addresses
cleared from the switch’s forwarding database, regardless
of VLAN or port association.
Figure 94 shows how to clear the switch’s forwarding database of all learned
entries.
Success.
PP1612G:4#
To display the contents of the switch’s multicast forwarding database, use the
following command:
show multicast_fdb
show multicast_fdb
followed by:
vlan <vlan_name 32>
    Displays the multicast forwarding database for a single VLAN.
mac_address <macaddr>
    Displays the multicast forwarding database entries for a single
    multicast MAC address.
Total entries : 1
PP1612G:4#
show fdb
show fdb
followed by:
Total Entries: 5
PP1648T:4#
Chapter 7
Configuring link aggregation groups
You use link aggregation to combine a number of ports together to make a single
high-bandwidth data pipeline. The participating ports are called members of a link
aggregation group, with one port designated as the master port.
Since you must configure all members of the link aggregation group to operate in
the same manner, the configuration of the master port is applied to all members of
the link aggregation group. Thus, when configuring the ports in a link aggregation
group, you need to configure only the master port.
The 1600 switch supports link aggregation groups. Each group may include from 2
to 4 switch ports, except for a Gigabit link aggregation group, which consists of 2
to 4 of the SFP Gigabit Ethernet ports on the front panel.
This chapter describes the commands you use to configure, delete, and show link
aggregation. Specifically, it includes the following topics:
Roadmap of CLI commands
Creating a link aggregation group
Deleting a link aggregation group
Configuring a link aggregation group
Command Parameter
create link_aggregation group_id <value>
delete link_aggregation group_id <value>
config link_aggregation group_id <value>
master_port <port>
ports <portlist>
state [enabled|disabled]
BDPU_8600_Interop
[enabled|disabled]
show link_aggregation group_id <value>
Note: Before you add a port to the MLT, you must first add the port to
the VLAN. For instructions on adding ports to a VLAN configuration, see
Chapter 6, “Configuring VLANs.”
create link_aggregation
create link_aggregation
followed by:
Figure 97 shows you how to create a link aggregation group with a group ID of 1.
Success.
PP1648T:4#
delete link_aggregation
delete link_aggregation
followed by:
Figure 98 shows you how to delete a link aggregation group with a group ID of 6.
Success.
PP1648T:4#
config link_aggregation
config link_aggregation
followed by:
Figure 99 shows you how to configure a link aggregation group with a group ID
of 1, a master port of 5, and ports 5 through 9 making up the link aggregation
group.
Success.
PP1648T:4#
show link_aggregation
show link_aggregation
followed by:
Figure 100 shows you how to display the link aggregation for group 1 on the
switch.
Group ID : 1
Master Port : 10
Member Port : 10-12
Status : Enabled
Flooding Port : 10
BDPU 8600 Interop : Disabled
PP1648T:4#
Chapter 8
Configuring QoS
The Passport 1600 Series switches have a number of commands that allow you to
specify how packets from various sources are forwarded to the switch’s four
hardware priority queues. This chapter provides information on configuring
Quality of Service (QoS) and utilizing those hardware queues. Specifically, it
includes the following topics:
Command Parameter
config flow_classifier [security|qos|l4_switch]
template_<value 1-2> mode
src_port <tcp_port_number 1-65535>
other_session fields (followed by)
dip <ipaddr>
sip <ipaddr>
tos <hex 0x00-0xff>
protocol [icmp|igmp]
icmp_message type <hex 0x00-0xff>
code <hex 0x00-0xff>
igmp_type [query|response]
action (followed by)
drop
forward <priority 0-7>
redirect <ipaddr>
unreachable_next_hop [drop|forward]
enable ip_fragment_filter
disable ip_fragment_filter
show ip_fragment_filter
2 Set the fields of an incoming packet’s header that the switch examines, as well
as the parameters that must be in those fields, to determine if the packet meets
the criteria of the rule.
3 Specify the action the switch will take when it finds packets that meet the
criteria.
QoS templates
You use the two switch templates (template_id 1 and template_id 2) to house the
packet screening rules in one of three modes:
• security
• qos
• l4_switch
The default operating mode for template 1 is L4 switch mode, while the default
operating mode for template 2 is QoS.
Note: You can operate the two templates in the same mode.
When you change the operating mode of a template, all previously
entered rules are deleted and the switch reboots.
You cannot enter rules that are incompatible with the template’s current
operating mode. For example, you cannot enter QoS rules when the
template is in L4 switch mode.
Security mode
QoS mode
L4 switch mode
Command overview
Table 10 provides an overview of the QoS commands and their functions.
Command Description
Once you restart the switch, you must then attach the flow classification template
to a VLAN using the config flow_classifier vlan <vlan_name>
attach template_id <value 1-2> command. For more information on
this command, see “Attaching a flow classifier template.”
When adding rules to a template, remember that the rules must be compatible with
the template’s operating mode. For example, you cannot add a QoS rule to a
security or l4_switch mode template.
Figure 101 shows how to configure template 1 in security mode and template 2 in
qos mode.
For a template operating in security mode, you must enter the source and
destination IP subnet masks using the config flow_classifier command, and then
enter the source and destination IP address part of the network addresses using the
create sec_rule command, as shown below. Entering a zero source netmask (src
0.0.0.0) will instruct the switch to ignore source IP subnets when filtering.
Entering a zero destination netmask (dst 0.0.0.0) will instruct the switch to ignore
destination IP subnets when filtering.
For a template operating in qos mode, you must select the qos_flavor from the
following list: 802.1p value, dscp value, destination TCP port number, destination
UDP port number, or destination IP.
Figure 102 shows you how to set the switch’s QoS criteria to examine the 802.1p
priority field of incoming packets.
Success.
PP1648G:4#
show flow_classifier
Figure 103 shows sample results of this command. In this example, the command
shows that Template 1 is in Security mode and Template 2 is in QoS mode.
PP1648G:4#
Packets that are received from this VLAN are examined by the switch to
determine if they meet the criteria in the template. If so, the switch takes the
actions specified in the template. Packets that are received from VLANs that are
not attached to a template are not examined in this way.
Figure 104 shows you how to attach a flow classifier named 77 to template_id 2.
Success.
PP1648G:4#
Filtering source and destination subnets is then accomplished in two steps. First,
enter the source and destination subnet masks using the config flow_classifier {src
<netmask>|dst <netmask>} command and attach the flow classifier to a VLAN
and to a template. Second, enter the IP address part of the subnet’s network
address using the create sec_rule template_id <value 1-2> src_ip_address
<ipaddr>|dst_ip_address <ipaddr> command.
You can define the IP subnet filter as a source-only IP subnet filter by entering a
source netmask of zero (config flow_classifier src 0.0.0.0) or a destination-only IP
subnet filter by entering a destination netmask of zero (config flow_classifier dst
0.0.0.0). If both the source and destination netmasks are entered as 0.0.0.0, then no
IP subnet filtering will take place.
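Because the netmasks are set once for the whole template and each sec_rule supplies only addresses, a rule entered with a host address can cover an entire subnet. The following is an added example, not part of the Nortel guide: a Python model of the two-step filter that lists what each rule covers and tests packets against it, using the rule stated earlier that a zero netmask makes the switch ignore that side. The class and function names are hypothetical, the netmasks are constructed, and the model assumes conventional contiguous netmasks with host bits masked off before comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _mask(mask: str) -> int:
    """Netmask as an integer; rejects masks such as 255.0.255.0."""
    value = _ip(mask)
    inverted = ~value & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return value


def _network(addr: str, mask: str) -> str:
    """Subnet a rule address really covers under the template-wide mask."""
    m = _mask(mask)
    if m == 0:
        return "any"                      # zero netmask: this side is ignored
    prefix = bin(m).count("1")
    return str(ipaddress.IPv4Network((_ip(addr) & m, prefix)))


@dataclass(frozen=True)
class SecRule:                            # addresses given to create sec_rule
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class SecurityTemplate:                   # masks given to config flow_classifier
    src_mask: str
    dst_mask: str
    rules: tuple = ()

    def coverage(self) -> list:
        """(source, destination) each rule covers once the masks are applied."""
        return [(_network(r.src_ip, self.src_mask),
                 _network(r.dst_ip, self.dst_mask)) for r in self.rules]

    def first_match(self, src: str, dst: str) -> Optional[SecRule]:
        sm, dm = _mask(self.src_mask), _mask(self.dst_mask)
        if not (sm or dm):
            return None                   # both masks zero: no subnet filtering
        s, d = _ip(src), _ip(dst)
        for rule in self.rules:
            if ((s & sm) == (_ip(rule.src_ip) & sm)
                    and (d & dm) == (_ip(rule.dst_ip) & dm)):
                return rule
        return None


# Rule address from the guide's sec_rule example; the masks are constructed.
RULE = SecRule("192.32.96.54", "192.32.96.54")
TEMPLATE = SecurityTemplate("255.255.255.0", "0.0.0.0", (RULE,))

if __name__ == "__main__":
    print(TEMPLATE.coverage())
    print(TEMPLATE.first_match("192.32.96.200", "10.1.2.3"))
```

Reviewing the coverage() output before entering rules shows when a template-wide mask makes a single-address rule match far more traffic than intended.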
Note:
1. When you specify a source and destination network address filter (src
and dst), the IP address part of the network address is template-dependent.
You must first enter the source and destination subnet masks using the
config flow_classifier {src <netmask>|dst <netmask>} command. Then
you can enter the IP address part of the source and destination network
addresses using create sec_rule command, which will be assigned to the
specified template (1 or 2). The template that the sec_rule is assigned to
also must be in the security operating mode.
2. You can define the IP subnet filter as a source-only IP subnet filter by
entering a source netmask of zero (config flow_classifier src 0.0.0.0) or a
destination-only IP subnet filter by entering a destination netmask of zero
(config flow_classifier dst 0.0.0.0). If both the source and destination
netmasks are entered as 0.0.0.0, then no IP subnet filtering will take place.
3. A memory limitation exists here. The two templates, template_id 1 and
template_id 2, share the same amount of memory. If you reach the
maximum amount of memory for one template, then you cannot enter any
more rules for the remaining template. Security mode has a maximum of
64 rule entries if the combination is L4_Switch/SEC, SEC/Qos and
SEC/SEC.
create sec_rule
followed by:
[template_id <value 1-2> |src_ip_address <ipaddr>|dst_ip_address <ipaddr>]
    Allows you to filter the source (src) and destination (dst) IP
    addresses. You must specify which of the two available templates this
    filter will apply to, and ensure that this template is in the security
    operating mode.
Figure 105 shows you how to filter packets with a source and destination IP
address of 192.32.96.54.
Success.
PP1612G:4#
Note:
1. When you want to delete an IP address filter, you must specify the
template_id <value 1-2> for this IP filter, along with the rule_index
<value>.
2. When you want to delete all IP address filters from a template in the
security mode, you do not need to specify the rule_index. You have the
option of specifying all.
delete sec_rule
followed by:
[template_id <value 1-2>]|rule_index <value>|all]
    Allows you to uniquely identify the filter you want to delete.
    If you want to delete an IP address filter, you must specify which of
    the two available templates this filter applies to.
    If you want to delete all filters from a template in the security
    mode, you do not need to specify the rule_index. You have the option
    of specifying all, which will delete all of the IP address filters for
    that template.
Figure 106 shows you how to delete all IP filters from the template 1.
Success.
PP1612G:4#
If you filter by destination, it means that packets with the specified IP address as
the destination are dropped.
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
create dst_ipfilter
followed by:
Figure 105 shows you how to filter packets with a destination IP address of
192.32.96.54.
Success.
PP1612G:4#
Because of the way IP filters are identified within the switch, you must enter the
same destination IP address to delete a specific IP filter, or specify all to instruct
the switch to delete all destination IP address filters that have been entered.
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
delete dst_ipfilter
followed by:
[ip_address <ipaddr> |all]]
Allows you to uniquely identify the filter you want to
delete.
If you want to delete a filter for an IP address as a
destination (dst), you do not need to specify the
template id. You have the option of deleting a
specific IP address or deleting all destination IP
filters.
Figure 106 shows you how to delete an IP filter with a destination IP address of
192.32.96.54.
Success.
PP1612G:4#
show dst_ipfilter
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
show dst_ipfilter
followed by:
Figure 106 shows you how to display the current contents of the switch’s
destination IP address filter table.
PP1612G:4#show dst_ipfilter
Command: show dst_ipfilter
PP1612G:4#
A QoS rule determines the priority queuing of an incoming packet. The following
steps are used to determine the appropriate priority queuing of a packet.
1 The switch checks to see if the packet’s source VLAN is bound to the
template in current use.
2 If the current template is bound to the source VLAN, the switch checks the
template to see if it is in qos mode.
3 If the current template is in qos mode, the switch then applies any qos_rule
that has been entered into the template.
4 If there is no qos_rule, or the packet does not match the criteria of the
qos_rule, the packet’s priority tag determines priority queuing.
5 If the packet has no priority tag, the switch uses the default priority setting or
the MAC address priority setting (if the source MAC address is in the MAC
address priority table).
QoS rules affect all packets that are received by the switch from VLANs to which
the template containing the QoS rules is bound.
2 It allows you to specify the priority queue (priority <value 0-7>) to which the
switch forwards packets that match the protocol and parameter criteria.
The switch has four hardware priority queues, and the 8 levels of priority
specified by priority <value 0-7> are mapped (by default) to these four
priority queues. For example, 0, 1, and 2 specify the switch’s lowest priority
queue, 3 and 4 specify the next lowest priority queue, 5 and 6 specify the next
highest priority queue, and 7 specifies the highest priority queue.
3 For example, 0 and 1 correspond to the switch’s highest priority queue, 2 and
3 correspond to the next lowest priority queue, and so on until 6 and 7 specify
the switch’s lowest priority queue.
You can configure the mapping using the config scheduling command.
Incoming packets must also be from a VLAN to which the template that
contains the QoS rule is attached.
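The decision steps and the default priority-to-queue mapping described above can be modelled as follows. This is an added example, not code from the switch or from Nortel; the Packet, QosRule and Template classes, the dst_port match field, the queue numbers 0 to 3 and all sample values are assumptions made for illustration, and the case with no priority tag uses the "higher of the two" rule this chapter gives for MAC priority entries.

```python
"""Model of the priority-queuing decision steps (added example, not switch firmware)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Default mapping of priority <value 0-7> to the four hardware priority queues
# as the text gives it: 0-2 lowest, 3-4 next lowest, 5-6 next highest, 7 highest.
# Queue numbers 0 (lowest) to 3 (highest) are labels chosen for this example.
DEFAULT_QUEUE_MAP = {0: 0, 1: 0, 2: 0, 3: 1, 4: 1, 5: 2, 6: 2, 7: 3}


@dataclass
class Packet:
    vlan: str
    src_mac: str
    priority_tag: Optional[int] = None  # None models a packet with no priority tag
    dst_port: Optional[int] = None      # hypothetical field used by the sample rule


@dataclass
class QosRule:
    matches: Callable[[Packet], bool]   # hypothetical stand-in for the rule criteria
    priority: int


@dataclass
class Template:
    mode: str                           # "qos", "security" or "l4_switch"
    bound_vlans: Set[str]
    qos_rules: List[QosRule] = field(default_factory=list)


def classify(pkt: Packet, template: Template,
             mac_priority: Dict[Tuple[str, str], int],
             default_priority: int) -> Tuple[int, int, str]:
    """Return (priority, hardware queue, deciding step) for one packet."""
    priority, reason = None, ""
    # Steps 1-3: the source VLAN must be bound to the template, the template
    # must be in qos mode, and a qos_rule in it must match the packet.
    if pkt.vlan in template.bound_vlans and template.mode == "qos":
        for index, rule in enumerate(template.qos_rules, start=1):
            if rule.matches(pkt):
                priority, reason = rule.priority, f"qos_rule {index}"
                break
    # Step 4: no rule applied, so the packet's own priority tag decides.
    if priority is None and pkt.priority_tag is not None:
        priority, reason = pkt.priority_tag, "priority tag"
    # Step 5: no tag either, so use the higher of the default priority and
    # the MAC address priority entry for this VLAN and source MAC, if any.
    if priority is None:
        mac_value = mac_priority.get((pkt.vlan, pkt.src_mac))
        if mac_value is not None and mac_value > default_priority:
            priority, reason = mac_value, "mac_priority"
        else:
            priority, reason = default_priority, "default priority"
    return priority, DEFAULT_QUEUE_MAP[priority], reason


# Constructed sample state: one qos-mode template bound to VLAN "default"
# with a single rule, and one MAC priority entry.
SAMPLE_TEMPLATE = Template(
    mode="qos",
    bound_vlans={"default"},
    qos_rules=[QosRule(matches=lambda p: p.dst_port == 80, priority=6)],
)
SAMPLE_MAC_PRIORITY = {("default", "00-11-22-33-44-55"): 3}
SAMPLE_PACKETS = [
    Packet("default", "00-AA-BB-CC-DD-01", priority_tag=1, dst_port=80),
    Packet("default", "00-AA-BB-CC-DD-01", priority_tag=1, dst_port=22),
    Packet("v1", "00-AA-BB-CC-DD-01", priority_tag=7, dst_port=80),
    Packet("default", "00-11-22-33-44-55"),
    Packet("default", "00-AA-BB-CC-DD-01"),
]

if __name__ == "__main__":
    for sample in SAMPLE_PACKETS:
        print(sample, "->", classify(sample, SAMPLE_TEMPLATE, SAMPLE_MAC_PRIORITY, 0))
```

In this model a tagged packet that no qos_rule matches keeps the priority carried in its own tag, so the rule set on the bound template is what decides whether the sender's tag is honoured.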
Success.
PP1648G:4#
QoS rules are identified by the template id of the template they are entered into,
and by the numerical order in which they are entered.
Figure 111 shows how to delete the QoS rule that was entered into template_id 2
in Figure 110. In that example, only 1 QoS rule was entered, so the rule has a
rule_index of 1.
Success.
PP1648G:4#
A layer 4 rule determines whether or not the switch forwards a packet, the priority
queuing of an incoming packet, or where the switch forwards a packet if the next
router hop is unreachable. The following steps determine whether an incoming
packet is subject to an l4_switch_rule.
1 The switch checks to see if the packet’s source VLAN is bound to the
template in current use.
2 If the current template is bound to the source VLAN, the switch then checks
the template to see if it is in l4_switch mode.
3 If the current template is in l4_switch mode, the switch then applies any
l4_switch_rule that has been entered into the template.
4 If there is no l4_switch_rule, or the packet does not match the criteria of the
l4_switch_rule, the packet is forwarded or dropped according to the switch’s
default settings.
l4_switch_rules affect all packets that are received by the switch from VLANs to
which the template containing the l4_switch_rules is bound.
2 It allows you to specify the action the switch takes on packets that match the
parameters entered in the first part of the command. These actions are drop,
forward <priority 0-7>, and redirect <ipaddr> unreachable next hop [drop/forward].
Incoming packets must also be from a VLAN to which the template
that contains the l4_switch_rules is bound.
Success.
PP1612G:4#
l4_switch_rules are identified by the template id of the template they are entered
into, and by the numerical order in which they are entered.
Figure 113 shows how to delete the l4_switch_rule that was entered to
template_id 1 in Figure 112. In that example, only 1 l4_switch_rule was entered,
so the rule has a rule_index of 1.
Success.
PP1648G:4#
create fdbfilter
When executing this command, consider that the command fails to execute if any
of the following are true:
1 If the combination of the VLAN and MAC addresses is entered into the
switch’s static forwarding database.
2 If the combination of the VLAN and MAC addresses is part of a MAC
address priority rule.
3 If the combination of the VLAN and MAC addresses has been dynamically
entered into the switch’s forwarding database. If so, the create fdbfilter
command then sets the database entry to static, and drops packets with this
MAC address.
create fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to filter resides.
mac_address <macaddr> Specifies the MAC address of the network device
you want to filter from the switch.
Figure 114 shows how to create a forwarding database filter for the VLAN named
default, for the MAC address 00-11-22-33-44-55.
Success.
PP1648G:4#
delete fdbfilter
Forwarding database filters are identified by the VLAN name and MAC address
that you enter when you first create the filter.
delete fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to delete resides.
mac_address <macaddr> Specifies the MAC address of the network device
you want to delete from the switch.
all Deletes all the filters in the forwarding database.
Figure 115 shows how to delete a forwarding database filter for the VLAN named
default, for the MAC address 00-11-22-33-44-55.
Success.
PP1648G:4#
show fdbfilter
Forwarding database filters are identified by the VLAN name and MAC address
that you enter when you first create the filter.
show fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to display resides.
vlan <vlan_name> mac_address <macaddr> Identifies the name of the VLAN and specifies the
MAC address of the network device you want to
display on the switch.
mac_address <macaddr> Specifies the MAC address of the network device
you want to delete from the switch.
Figure 116 shows how to display a forwarding database filter for the VLAN
named default, for the MAC address 00-11-22-33-44-55.
Total Entries: 1
PP1612G:4#
enable ip_fragment_filter
PP1648G:4#enable ip_fragment_filter
Command: enable ip_fragment_filter
Success.
PP1648G:4#
disable ip_fragment_filter
PP1648G:4#disable ip_fragment_filter
Command: disable ip_fragment_filter
Success.
PP1648G:4#
show ip_fragment_filter
Configuring scheduling
To specify the rotation of the first three hardware priority queues on the switch,
enter the following command:
config scheduling
There are four outgoing traffic classes on the switch. The mechanism of the first
three traffic classes is weighted round-robin (WRR), while the fourth follows a
strict-priority (SP) scheme. The weighted round-robin scheme guarantees a
minimum bandwidth to the first three hardware priority queues on the switch.
For example, if the weighted round-robin scheme is applied to port 1, with a 10,
30, 60 weighting, the queues stop transmitting packets when they reach 10%,
30%, or 60% of the port’s bandwidth, respectively. The fourth queue does not stop
transmitting packets until its packet buffer is empty.
config scheduling
followed by:
Figure 120 shows how to configure scheduling for ports 1 through 10 to weight
the hardware priority queue 2 as max_packet 7.
Success.
PP1648G:4#
create mac_priority
The priority value you specify is referenced to the user priority and traffic class
settings currently in use on the switch. An incoming packet is first checked to see
if the VLAN it was received from is bound to a template. If it is, the template is
examined to see if it is in qos mode. If so, the template is examined to see if it
contains an applicable rule regarding priority. If so, this rule is applied.
If there is no template bound to the VLAN, the packet’s priority tag is used to
determine the appropriate priority queue. If there is no priority tag on the packet,
the switch compares the default port priority with the MAC priority rules, and
then uses the higher of the two.
When executing this command, consider that the command fails to execute if any
of the following are true:
1 If the combination of VLAN and MAC addresses has a static entry in the
switch’s forwarding database.
2 If the combination of VLAN and MAC addresses is entered as an fdbfilter.
3 If the combination of VLAN and MAC addresses has been dynamically
entered into the switch’s forwarding database. If so, the command changes the
entry to static with the destination priority value you specify.
create mac_priority
followed by:
Figure 121 shows how to create a MAC priority entry for the VLAN default for
the MAC address 00-11-22-33-44-55 and instruct the switch to direct all packets it
receives from this MAC address to priority queue 3.
Success.
PP1648G:4#
delete mac_priority
MAC priority entries are identified on the switch by a combination of the VLAN
name and the destination MAC address.
delete mac_priority
followed by:
vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to delete resides.
dst_mac_address <macaddr> Specifies a destination MAC address for which you
want to delete the MAC priority entry.
Figure 122 shows how to delete a MAC priority entry for the VLAN default for
the MAC address 00-11-22-33-44-55.
Success.
PP1648G:4#
show mac_priority
show mac_priority
followed by:
vlan <vlan_name> Identifies the name of the VLAN for which you
want to display the MAC priority entries.
vlan <vlan_name> dst_mac_addr <macaddr> Specifies the VLAN and destination MAC address
for which you want to display the MAC priority
entries.
dst_mac_addr <macaddr> Specifies the MAC address for which you want to
display the MAC priority entries.
Figure 123 shows how to display the MAC priority entries for the VLAN default
for the MAC address 00-11-22-33-44-55.
Total Entries: 1
PP1612G:4#
Chapter 9
Configuring traffic filters
This chapter describes the commands you use to create and delete IP address
filters, MAC address filters, and broadcast traffic control. Specifically, it includes
the following topics:
Topic Page
Note that the switch also allows you to assign ranges of IP addresses to VLANs.
You then identify each VLAN by a VLAN name, a network address, and an IP
interface name. You must configure a VLAN prior to setting up the corresponding
IP interface. You must then establish and implement an IP addressing scheme
when the IP interfaces are set up on the switch.
The following roadmap lists all of the IP address, fragment filtering commands
and their parameters. Use this list as a quick reference or click on any entry for
more information:
Command Parameter
create dst_ipfilter ip_address <ipaddr>
delete dst_ipfilter [ip_address <ipaddr> |all]]
show dst_ipfilter none
To specify a destination IP address to be filtered from the switch, use the
following command:
If you filter by destination, it means that packets with the specified IP address as
the destination are dropped.
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
create dst_ipfilter
followed by:
Figure 124 shows you how to filter packets with a destination IP address of
192.32.96.54.
Success.
PP1612G:4#
To delete all previously-entered destination IP address filters from the switch, use
the following command:
Because of the way IP filters are identified within the switch, you must enter the
same destination IP address to delete a specific IP filter, or specify all to instruct
the switch to delete all destination IP address filters that have been entered.
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
delete dst_ipfilter
followed by:
[ip_address <ipaddr> |all]]
Allows you to uniquely identify the filter you want to
delete.
If you want to delete a filter for an IP address as a
destination (dst), you do not need to specify the
template id. You have the option of deleting a
specific IP address or deleting all destination IP
filters.
Figure 125 shows you how to delete an IP filter with a destination IP address of
192.32.96.54.
Success.
PP1612G:4#
show dst_ipfilter
Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.
show dst_ipfilter
followed by:
Figure 126 shows you how to display the current contents of the switch’s
destination IP address filter table.
PP1612G:4#show dst_ipfilter
Command: show dst_ipfilter
PP1612G:4#
Note: The Passport 1600 switch supports basic MAC filtering only. If
you want to filter on a MAC address, the switch will filter it if that address
is in the packet as a source or destination address. It does not support
filtering on a MAC address if you specify filtering on source or
destination addresses only.
This section describes the commands you use in creating, deleting, and showing
MAC address filters. Specifically, it includes the following topics:
Topic
Roadmap of MAC address filter CLI commands
Creating a MAC address filter
Deleting a MAC address filter
Displaying MAC address filters
The following roadmap lists all of the MAC address filter commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:
Command Parameter
create fdbfilter vlan <vlan_name>
mac_address <macaddr>
delete fdbfilter vlan <vlan_name>
mac_address <macaddr>
show fdbfilter vlan <vlan_name>
mac_address <macaddr>
To filter a MAC address from the switch and prevent this MAC address from
being dynamically entered into the switch’s forwarding database, use the
following command:
create fdbfilter
create fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you wish to filter from the switch resides.
mac_address <macaddr> Specifies the MAC address of the network device
you wish to filter from the switch.
Figure 127 shows you how to filter VLAN v1 and MAC address
00-FF-BA-F4-D5-0C from the switch’s forwarding database.
Success.
PP1648T:4#
To delete the filtering of a MAC address from the switch’s forwarding database,
use the following command:
delete fdbfilter
delete fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN for which you wish
to delete the forwarding database filter.
mac_address <macaddr> Specifies the MAC address of the network device
you wish to delete from the forwarding database
filter.
Figure 128 shows you how to delete the VLAN v1 and MAC address
00-FF-BA-F4-D5-0C filters from the switch’s forwarding database.
Success.
PP1648T:4#
To display the switch’s MAC address filters, use the following command:
show fdbfilter
show fdbfilter
followed by:
vlan <vlan_name> Identifies the name of the VLAN for which you wish
to display the forwarding database filter.
mac_address <macaddr> Specifies the MAC address of the network device
for which you wish to display the forwarding
database filter.
Figure 129 shows you how to display the VLAN v1 and MAC address
00-FF-BA-F4-D5-0C filters from the switch’s forwarding database.
Total Entries: 1
PP1648T:4#
The second command allows you to specify the number of ARP packets received
by the Switch in one second that will trigger the ARP rate limit control. If the
Switch receives more ARP packets in a second than you specify, the Switch will
block all ARP requests for one second. The ARP rate limit counter is then reset,
and ARP requests are again allowed — until the rate of ARP packets received by
the Switch exceeds the limit you have set. The default value of the ARP request
rate limit is 50 ARP packets per second, and you can specify any value between
10 and 100 packets per second.
This section describes the commands you use in creating, deleting, and showing
ARP request rate limits. Specifically, it includes the following topics:
Topic
Configuring the ARP request rate limit
Enabling the ARP request rate limit
Disabling the ARP request rate limit
Displaying the ARP request rate limit
Command Parameter
config arp_req_rate_limit 60 <value 10-100>
enable arp_req_rate_limit none
disable arp_req_rate_limit none
show arpentry Ipif <ipif_name 12>
IPaddress <ipaddr>
static
To set the ARP request rate limit for the switch to 60 ARP packets per second, use
the following command:
config arp_req_rate_limit 60
config arp_req_rate_limit
followed by:
Figure 130 shows you how to set the ARP request rate limit to 60 ARP packets
per second.
PP1648T:4#config arp_req_rate_limit 60
Command: config arp_req_rate_limit 60
Success.
PP1648T:4#
To enable the ARP request rate limit for the switch, use the following command:
enable arp_req_rate_limit
enable arp_req_rate_limit
followed by:
Figure 131 shows you how to enable the ARP request rate limit.
PP1648T:4#enable arp_req_rate_limit
Command: enable arp_req_rate_limit
Success.
PP1648T:4#
To disable the ARP request rate limit for the switch, use the following command:
disable arp_req_rate_limit
disable arp_req_rate_limit
followed by:
Figure 132 shows you how to disable the ARP request rate limit.
PP1648T:4#disable arp_req_rate_limit
Command: disable arp_req_rate_limit
Success.
PP1648T:4#
To display the current ARP request rate limit for the switch, use the following
command:
show arpentry
show arpentry
followed by:
Figure 133 shows you how to display the ARP request rate limit, along with the
switch’s ARP table.
PP1648T:4#show arpentry
To prevent these packet-types from creating a storm on the network, you can
assign a threshold, in Kp/s, for each packet type. When the number of packets
received by the switch exceeds this threshold, the switch stops forwarding these
packet-types - until the rate of packets received falls below the threshold.
This section describes the commands you use to configure broadcast traffic
control.
The following roadmap lists the broadcast control commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:
Command Parameter
config traffic control <portlist>
all
dlf [enabled|disabled]
broadcast [enabled|disabled]
multicast [enabled|disabled]
threshold <value>
Figure 134 shows you an example of configuring traffic control for switch ports 1
through 3, for broadcast packets.
Success.
PP1648T:4#
To display the current traffic control settings on the switch, use the following
command:
ports <portlist> You use this to display the traffic control settings
for a group of ports. You enter the lowest port
number in a group, and then the highest,
separated by a dash.
For example, you enter a port group including the
switch ports 1, 2, and 3 as 1-3. You specify ports
that are not contained within a group by entering
their port number, separated by a comma. Thus,
you enter the port group 1-3 and port 26 as 1-3,
26.
Figure 135 shows you how to display traffic control settings for switch ports 1
through 3.
Traffic Control
Total Entries: 3
PP1648T:4#
Chapter 10
Configuring ARP, RIP, and OSPF
This chapter provides overviews of the Address Resolution Protocol (ARP), the
Routing Information Protocol (RIP), the Open Shortest Path First Protocol
(OSPF), and OSPF packet authentication (MD5 keys), and describes how to
configure each of these protocols using the CLI. Specifically, this chapter contains
the following topics:
Topic Page
Configuring ARP
The Address Resolution Protocol (ARP) determines the correspondence between
a MAC address and an IP address for a network device.
The switch allows you to make static entries into its ARP table, as well as to
configure the length of time a dynamically learned ARP table entry is allowed to
remain without being accessed.
This section describes the ARP commands. Specifically, it includes the following
topics:
Topic
Roadmap of ARP CLI commands
Creating an ARP entry
Deleting an ARP entry
Configuring the ARP aging time
Displaying the current ARP entries
Clearing the ARP table
The following roadmap lists some of the ARP commands and their parameters.
Use this list as a quick reference or click on any command or parameter entry for
more information on ARP commands.
Command Parameter
create arpentry <ipaddr>
<macaddr>
delete arpentry <ipaddr>
all
config arp_aging time
<value>
show arpentry ipif <ipif_name 12>
ipaddress <ipaddr>
static
clear arptable
To create an ARP (Address Resolution Protocol) entry in the switch’s ARP
table, enter the following command:
where:
ipaddr is the IP address that you want to associate with the MAC address.
macaddr is the MAC address that you want to associate with the IP address.
Figure 136 shows how to create an ARP entry that is associated with IP address
10.48.74.121 and with MAC address 00-50-BA-00-07-36.
delete arpentry
delete arpentry
followed by:
<ipaddr> The IP address for which you want to delete the ARP entry on the
switch.
all Deletes all ARP entries on the switch.
Figure 137 shows how to delete an ARP entry with the IP address 10.48.74.121.
where:
value is the time, in seconds, that an entry can remain in the switch’s ARP table,
without being used, before it is dropped from the ARP table. The default is 20
minutes.
Figure 138 shows how to configure the ARP aging time to be 30 minutes.
Success.
PP1612G:4#
show arpentry
show arpentry
followed by:
ipif <ipif_name 12> The name of the IP interface of the end node for
which you want to display the ARP table entry.
This value can be up to 12 alphanumeric characters.
ipaddress <ipaddr> The IP address corresponding to the IP interface
name entered above.
static Displays all of the static entries in the switch’s ARP
table.
clear arptable
Success.
PP1612G:4#
The second command allows you to specify the number of ARP packets received
by the Switch in one second that will trigger the ARP rate limit control. If the
Switch receives more ARP packets in a second than you specify, the Switch will
block all ARP requests for one second. The ARP rate limit counter is then reset,
and ARP requests are again allowed — until the rate of ARP packets received by
the Switch exceeds the limit you have set. The default value of the ARP request
rate limit is 50 ARP packets per second, and you can specify any value between
10 and 100 packets per second.
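The ARP request rate limit described here, and in the same words in the traffic filters chapter, can be modelled as follows. This is an added example, not the switch's implementation; the class and function names, the millisecond clock, the choice to drop the packet that crosses the limit, and the sample traffic are assumptions made for illustration.

```python
"""Model of the ARP request rate limit (added example, not switch firmware)."""
from typing import Iterable, List, Optional, Tuple


class ArpRateLimiter:
    MIN_LIMIT = 10        # lowest value accepted, per the text
    MAX_LIMIT = 100       # highest value accepted, per the text
    DEFAULT_LIMIT = 50    # default ARP packets per second, per the text
    WINDOW_MS = 1000      # packets are counted over one second
    BLOCK_MS = 1000       # ARP requests are blocked for one second

    def __init__(self, limit: int = DEFAULT_LIMIT, enabled: bool = True):
        if not self.MIN_LIMIT <= limit <= self.MAX_LIMIT:
            raise ValueError("limit must be between 10 and 100 packets per second")
        self.limit = limit
        self.enabled = enabled
        self._window_start: Optional[int] = None
        self._count = 0
        self._blocked_until: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        """Return True if an ARP request arriving at now_ms is accepted."""
        if not self.enabled:
            return True
        if self._blocked_until is not None:
            if now_ms < self._blocked_until:
                return False              # still inside the one-second block
            self._blocked_until = None    # block over: the counter is reset
            self._window_start = None
        if self._window_start is None or now_ms - self._window_start >= self.WINDOW_MS:
            self._window_start = now_ms   # start counting a new second
            self._count = 0
        self._count += 1
        if self._count > self.limit:
            # More packets in this second than the limit: block all ARP
            # requests for one second (assumption: this packet is dropped too).
            self._blocked_until = now_ms + self.BLOCK_MS
            return False
        return True


def replay(limiter: ArpRateLimiter, timestamps_ms: Iterable[int]) -> Tuple[int, List[int]]:
    """Feed arrival times to the limiter; return (accepted count, dropped times)."""
    accepted, dropped = 0, []
    for ts in timestamps_ms:
        if limiter.allow(ts):
            accepted += 1
        else:
            dropped.append(ts)
    return accepted, dropped


# Constructed traffic: 200 requests in the first second (one every 5 ms),
# followed by a steady 10 requests per second for two seconds.
SAMPLE_BURST_MS = list(range(0, 1000, 5))
SAMPLE_STEADY_MS = list(range(1000, 3000, 100))

if __name__ == "__main__":
    ok, lost = replay(ArpRateLimiter(limit=60), SAMPLE_BURST_MS + SAMPLE_STEADY_MS)
    print("accepted:", ok, "dropped:", len(lost))
    print("dropped after the burst ended:", [t for t in lost if t >= 1000])
```

With the limit set to 60, the model accepts the first 60 requests of the burst and then drops everything until the block ends, including the first three requests of the steady traffic that follows.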
This section describes the commands you use in creating, deleting, and showing
ARP request rate limits. Specifically, it includes the following topics:
Topic
Configuring the ARP request rate limit
Enabling the ARP request rate limit
Disabling the ARP request rate limit
Displaying the ARP request rate limit
The following roadmap lists all of the MAC address filter commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:
Command Parameter
config arp_req_rate_limit 60 <value 10-100>
enable arp_req_rate_limit none
disable arp_req_rate_limit none
show arpentry none
config arp_req_rate_limit 60
config arp_req_rate_limit
followed by:
Figure 141 shows you how to set the ARP request rate limit to 60 ARP packets
per second.
PP1648T:4#config arp_req_rate_limit 60
Command: config arp_req_rate_limit 60
Success.
PP1648T:4#
To enable the ARP request rate limit for the switch, use the following command:
enable arp_req_rate_limit
enable arp_req_rate_limit
followed by:
Figure 142 shows you how to enable the ARP request rate limit.
PP1648T:4#enable arp_req_rate_limit
Command: enable arp_req_rate_limit
Success.
PP1648T:4#
To disable the ARP request rate limit for the switch, use the following command:
disable arp_req_rate_limit
disable arp_req_rate_limit
followed by:
Figure 143 shows you how to disable the ARP request rate limit.
PP1648T:4#disable arp_req_rate_limit
Command: disable arp_req_rate_limit
Success.
PP1648T:4#
To display the current ARP request rate limit for the switch, use the following
command:
show arpentry
show arpentry
followed by:
Figure 144 shows you how to display the ARP request rate limit, along with the
switch’s ARP table.
PP1648T:4#show arpentry
Configuring RIP
The Routing Information Protocol (RIP) is a distance-vector routing protocol.
There are two types of network devices running RIP - active and passive. Active
devices advertise their routes to others through RIP messages, while passive
devices listen to these messages. Both active and passive routers update their
routing tables based upon RIP messages that active routers exchange. Only routers
can run RIP in the active mode. The 1600 Series switches are active RIP devices.
RIP measures distance by an integer count of the number of hops from one
network to another. A router is one hop from a directly connected network, two
hops from a network that can be reached through a router, etc. The more routers
between a source and a destination, the greater the RIP distance (or hop count).
There are a few rules to the routing table update process that help to improve
performance and stability. A router will not replace a route with a newly learned
one if the new route has the same hop count (sometimes referred to as 'cost'). So
learned routes are retained until a new route with a lower hop count is learned.
When learned routes are entered into the routing table, a timer is started. This
timer is restarted every time this route is advertised. If the route is not advertised
for a period of time (usually 180 seconds), the route is removed from the routing
table.
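The routing table update rules described above (hop counting, no replacement on an equal hop count, and the 180-second timer) can be modelled as follows. This is an added example, not the switch's RIP implementation; the class and method names, the router names R1 to R3 and the sample network are constructed for illustration, and adopting the hop count from the route's current next hop follows standard RIP behaviour (RFC 2453) rather than anything stated in this guide.

```python
"""Model of the RIP routing table update rules (added example, not switch firmware)."""
from dataclasses import dataclass
from typing import Dict, List

ROUTE_TIMEOUT_S = 180  # "usually 180 seconds" in the text


@dataclass
class Route:
    next_hop: str
    hops: int
    last_advertised: int  # time of the last advertisement, in seconds


class RipTable:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def on_advertisement(self, network: str, neighbor: str,
                         neighbor_hops: int, now: int) -> str:
        """Apply one advertised route and report what happened to the table."""
        # The network is one hop further away than it is from the neighbor.
        hops = neighbor_hops + 1
        current = self.routes.get(network)
        if current is None:
            self.routes[network] = Route(neighbor, hops, now)
            return "installed"
        if current.next_hop == neighbor:
            # The route in the table was advertised again: restart its timer.
            # Taking the neighbor's current hop count is RFC 2453 behaviour,
            # not something this guide states.
            current.last_advertised = now
            current.hops = hops
            return "refreshed"
        if hops < current.hops:
            # Only a strictly lower hop count replaces a learned route.
            self.routes[network] = Route(neighbor, hops, now)
            return "replaced"
        return "ignored"  # equal or higher hop count: keep the existing route

    def expire(self, now: int) -> List[str]:
        """Remove routes not advertised for ROUTE_TIMEOUT_S; return their networks."""
        stale = sorted(net for net, route in self.routes.items()
                       if now - route.last_advertised >= ROUTE_TIMEOUT_S)
        for net in stale:
            del self.routes[net]
        return stale


def run_sample() -> List[str]:
    """Replay a constructed sequence of advertisements for one network."""
    table = RipTable()
    net = "10.48.0.0/16"  # constructed sample network
    return [
        table.on_advertisement(net, "R1", 2, now=0),   # first route learned
        table.on_advertisement(net, "R2", 2, now=10),  # same hop count
        table.on_advertisement(net, "R3", 1, now=20),  # lower hop count
        table.on_advertisement(net, "R1", 2, now=30),  # higher hop count
        table.on_advertisement(net, "R3", 1, now=50),  # timer restarted
    ]


if __name__ == "__main__":
    print(run_sample())
```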
Topic
Roadmap of RIP CLI commands
Configuring RIP
Enabling RIP
Disabling RIP
Displaying the current RIP configuration
The following roadmap lists some of the RIP CLI commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on RIP commands.
Command Parameter
config rip ipif <ipif_name 12>
rx_mode [disable|v1_only|v2_only|v1_and_v2]
tx_mode [disable|v1_only|v1_compatible|v2_only]
authentication [enabled <password>|disabled]
state [enabled|disabled]
enable rip
disable rip
show rip ipif <ipif_name 12>
Configuring RIP
where:
ipif_name 12 is the name of the IP interface on which RIP is configured.
Figure 145 shows RIP being configured for the IP interface named System to
use RIP version V1 to interpret received RIP packets.
Enabling RIP
enable rip
PP1612G:4#enable rip
Command: enable rip
Success.
PP1612G:4#
Disabling RIP
disable rip
PP1612G:4#disable rip
Command: disable rip
Success.
PP1612G:4#
show rip
show rip
followed by:
ipif <ipif_name 12> The name of the IP interface for which you want to
display the current RIP configuration. If you do not
enter an IP interface name, the switch displays the
current RIP configuration for all IP interfaces.
Configuring OSPF
Open Shortest Path First (OSPF) is a routing protocol that uses a link-state
algorithm to determine routes to network destinations. A link is an interface on a
router and the state is a description of that interface and its relationship to
neighboring routers. The state contains information such as the IP address, subnet
mask, type of network the interface is attached to, other routers attached to the
network, etc. The link-states are then collected in a link-state
database that is maintained by routers running OSPF.
To limit the extent of link-state update traffic between routers, OSPF defines the
concept of an area. All routers within an area share the exact same link-state
database, and a change to this database on one router triggers an update to the
link-state database of all other routers in that area. Routers that have interfaces
connected to more than one area are called Border Routers and take the
responsibility of distributing routing information between areas.
One area is defined as Area 0 or the Backbone. This area is central to the rest of
the network in that all other areas have a connection (through a router) to the
backbone. Only routers have connections to the backbone and OSPF is structured
such that routing information changes in other areas will be introduced into the
backbone, and then propagated to the rest of the network.
There are four general categories of tasks required to set up OSPF on the 1600
switch:
Topic
Roadmap of OSPF CLI commands
Enabling OSPF
Disabling OSPF
Configuring the OSPF router ID
Displaying the current OSPF configuration
Creating an OSPF area
Deleting an OSPF area
Configuring an OSPF area
Displaying the current OSPF area configuration
Creating an OSPF host route
Creating an OSPF area aggregation
Displaying the current OSPF LSDB
Displaying the current OSPF neighbor table
Displaying the current OSPF virtual neighbor table
Configuring an OSPF IP interface
Creating an OSPF virtual link
Configuring an OSPF virtual link
Deleting an OSPF virtual link
Displaying the currently configured OSPF virtual links
The following roadmap lists some of the OSPF switch commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on OSPF switch commands.
Command Parameter
enable ospf
disable ospf
config ospf router_id <ipaddr>
show ospf
create ospf area <area_id> type [normal|stub] stub_summary [enabled|disabled]
    metric <value>
delete ospf area <area_id>
config ospf area <area_id> type [normal|stub] stub_summary [enabled|disabled]
    metric <value>
show ospf area <area_id>
create ospf host_route <ipaddr> area <area_id>
    metric <value>
config ospf host_route <ipaddr> area <area_id>
    metric <value>
show ospf host_route <ipaddr>
delete ospf host_route <ipaddr>
create ospf aggregation <area_id> <network_address> lsdb_type [summary] advertise [enabled|disabled]
delete ospf aggregation <area_id> <network_address> lsdb_type [summary]
config ospf aggregation <area_id> <network_address> lsdb_type [summary] advertise [enabled|disabled]
    metric <value>
show ospf aggregation area <area_id>
show ospf lsdb area <area_id>
    advertise_router <ipaddr>
    type [rtrlink|netlink|summary|assummary|asextlink]
show ospf neighbor
show ospf virtual_neighbor area <area_id>
config ospf ipif <ipif_name 12> all
    area <area_id>
    priority <value>
    hello_interval <sec>
    dead_interval <sec>
    authentication [none|simple <password>|md5 <key_id>]
    metric <value>
    state [enabled|disabled]
show ospf ipif <ipif_name 12>
    all
create ospf virtual_link <area_id> <neighbor_id> hello_interval <sec>
    dead_interval <sec>
    authentication [none|simple <password>|md5 <key_id>]
config ospf virtual_link <area_id> <neighbor_id> hello_interval <sec>
    dead_interval <sec>
    authentication [none|simple <password>|md5 <key_id>]
delete ospf virtual_link <area_id> <neighbor_id>
show ospf virtual_link area <area_id>
    <neighbor_id>
Enabling OSPF
enable ospf
PP1612G:4#enable ospf
Command: enable ospf
Success.
PP1612G:4#
Disabling OSPF
disable ospf
PP1612G:4#disable ospf
Command: disable ospf
Success.
PP1612G:4#
where:
ipaddr is the OSPF router ID.
show ospf
OSPF areas can be designated as either normal or stub. Normal OSPF areas allow
link-state database (LSDB) advertisements of routes to networks that are external
to the area. Stub areas do not allow the LSDB advertisement of external routes.
Stub areas use a default summary route (0.0.0.0) to reach external destinations.
Stub — OSPF areas that do not allow AS-external_LSAs to be flooded into them.
where:
area_id is the OSPF area ID.
type specifies the mode of operation in the OSPF area. normal indicates OSPF
areas that allow AS-external_LSAs to be flooded into them. stub indicates OSPF
areas that do not allow AS-external_LSAs to be flooded into them.
Figure 153 shows the configuration of the OSPF area with the area ID of
10.48.74.122, and the type normal.
where:
area_id is the OSPF area ID.
Figure 154 shows the deletion of the OSPF area with the area ID of 10.48.74.122.
OSPF areas can be designated as either normal or stub. Normal OSPF areas allow
link-state database (LSDB) advertisements of routes to networks that are external
to the area. Stub areas do not allow the LSDB advertisement of external routes.
Stub areas use a default summary external route (0.0.0.0 or Area 0) to reach
external destinations.
where:
area_id is the OSPF area ID.
type specifies the mode of operation in the OSPF area. normal indicates that
LSAs for routes outside the area are allowed. stub indicates that LSAs for routes
outside the area are not allowed.
Figure 155 shows how to configure an OSPF area with the area ID of
10.48.74.122 to be of type stub, how to enable stub summary LSAs to be
imported, and how to configure an OSPF cost of 1.
To display the current OSPF area configuration, use the following command:
Figure 156 shows the current OSPF area configuration being displayed.
This command allows you to make a static entry into the switch’s OSPF host table
for host computers that are directly connected to the switch, so that their IP
addresses and route metrics can be advertised to other OSPF areas.
where:
ipaddr is the IP address of the host.
Figure 157 shows how to create an OSPF host route between the host’s IP address
10.48.74.122 and the OSPF area 10.1.1.1, with an OSPF area cost of 2.
This command allows you to configure a static entry into the switch’s OSPF host
table for host computers that are directly connected to the switch, so that their IP
addresses and route metrics can be advertised to other OSPF areas.
where:
ipaddr is the IP address of the host.
Figure 158 shows how to configure the OSPF host route between the host’s IP
address 10.48.74.122 and the OSPF area 10.1.1.1, to use the OSPF area cost of 1.
Figure 159 shows the display of the currently configured OSPF host routes.
where:
ipaddr is the IP address of the host.
Figure 160 shows how to delete an OSPF host route, where the host’s IP address
is 10.48.74.122.
where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF will use. Currently, only
summary is supported.
Figure 161 shows how to create an OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, how to specify the LSDB type
to summary, and how to enable the advertisement trigger.
where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF uses. Currently, only
summary is supported.
Figure 162 shows how to delete the OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, with the LSDB type being
summary.
This command allows you to configure how OSPF areas are aggregated so that
each area can be represented by its network address and subnet mask. In this way,
all of the range of IP addresses assigned to an OSPF area can be advertised by just
two numbers — the network address and subnet mask. In addition, the type of
link-state database advertisements can be specified for each area.
where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF will use. Currently, only
summary is supported.
Figure 163 shows how to configure an OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, with the LSDB type being
summary and the advertisement trigger disabled:
To display the currently configured OSPF area aggregations, use the following
command:
To display the current OSPF neighbor table, use the following command:
Figure 166 shows the display of the current OSPF neighbor table.
To display the current OSPF virtual neighbor table, use the following command:
where:
Figure 168 shows the configuration of the OSPF IP interface named System.
show ospf
followed by:
<ipif_name 12> Specifies the OSPF IP interface that you want to display.
all Specifies that you want all of the currently configured OSPF IP
interfaces on the switch to be displayed.
Figure 169 shows the currently configured OSPF IP interfaces being displayed.
where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.
Figure 170 shows how to create an OSPF virtual link between the OSPF area
10.1.1.1 and the OSPF area 20.1.1.1 with a hello interval of 10 seconds between
the transmission of hello packets.
This command allows OSPF areas to be represented by their network address and
subnet mask. In this way, all of the range of IP addresses assigned to an OSPF area
can be advertised by just two numbers — the network address and subnet mask. In
addition, the type of link-state database advertisements can be specified for each
area.
where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.
Figure 171 shows the configuration of an OSPF virtual link between the OSPF
area 10.1.1.1 and the OSPF area 20.1.1.1 with a hello interval of 20 seconds
between the transmission of hello packets.
where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.
Figure 172 shows the deletion of an OSPF virtual link between the OSPF area
10.1.1.1 and the OSPF area 20.1.1.1.
This section describes the commands you use to configure MD5 and also create,
delete, and show MD5 key table entries. Specifically, it includes the following
topics:
Topic
Roadmap of MD5 CLI commands
Creating an entry to the MD5 key table
Deleting an MD5 key table entry
Configuring an MD5 key
Displaying the current MD5 key table
The following roadmap lists all of the MD5 commands and their parameters. Use
this list as a quick reference or click on any entry for more information:
Command Parameter
create md5 key <key_id> <password 16>
delete md5 key <key_id>
config md5 key <key_id> <password 16>
show md5 <key_id>
where:
key_id is the MD5 key ID with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.
Figure 174 shows how to create a new key entry into the switch’s MD5 key table
with the key ID 2 and the password internet.
To delete the MD5 key table entry, use the following command:
where:
key_id is the MD5 key ID with values between 1 and 255.
Figure 175 shows how to delete an MD5 key table entry with the key ID 1.
where:
key_id is the MD5 key ID with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.
Figure 176 shows how to configure MD5 to use key ID 1 and the password
customer.
To display the switch’s current MD5 key table, use the following command:
show md5
show md5
followed by:
Figure 177 shows how to display the switch’s MD5 key table.
PP1612G:4#show md5
Command: show md5
Key-ID Key
------ ---
1 customer
2 develop
3 fireball
4 intelligent
Total Entries:4
PP1612G:4#
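`show md5` prints every key in clear text, so a captured session needs the same handling as the keys themselves. The following added example (not from the Nortel guide) parses the output shown above, produces a redacted copy for logging, and checks interface authentication settings against the key table; the configuration lines are constructed from the roadmap syntax and the function names are assumptions.

```python
import re

# Output of `show md5` as printed in the figure above.
SHOW_MD5 = """\
PP1612G:4#show md5
Command: show md5
Key-ID Key
------ ---
1 customer
2 develop
3 fireball
4 intelligent
Total Entries:4
PP1612G:4#
"""

# Constructed configuration lines that follow the roadmap syntax (assumption).
CONFIG = """\
config ospf ipif System authentication md5 2
config ospf ipif Backbone authentication md5 9
config ospf ipif Lab authentication simple lab123
config ospf ipif Mgmt authentication none
config rip ipif System authentication enabled rip-pass
config rip ipif Lab authentication disabled
"""

ROW = re.compile(r"^(\d+)\s+(\S+)$")
TOTAL = re.compile(r"^Total Entries\s*:\s*(\d+)", re.MULTILINE)
AUTH = re.compile(
    r"^config (ospf|rip) ipif (\S+) authentication (\S+)(?:\s+(\S+))?$")


def _table_rows(text):
    """Yield (line, match); match is set only for rows of the key table."""
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("------"):
            in_table = True
            yield line, None
        elif TOTAL.match(stripped):
            in_table = False
            yield line, None
        else:
            yield line, (ROW.match(stripped) if in_table else None)


def parse_md5_table(text):
    """Return {key_id: key}; reject output that breaks the documented limits."""
    keys = {int(m.group(1)): m.group(2) for _, m in _table_rows(text) if m}
    total = TOTAL.search(text)
    if total and int(total.group(1)) != len(keys):
        raise ValueError("row count does not match Total Entries")
    for key_id, key in keys.items():
        if not 1 <= key_id <= 255 or len(key) > 16:
            raise ValueError(f"key {key_id} violates the documented limits")
    return keys


def redact_md5_output(text):
    """Copy of the transcript that is safe to log: key IDs kept, keys removed."""
    return "\n".join(f"{m.group(1)} <redacted>" if m else line
                     for line, m in _table_rows(text))


def audit_auth(config_text, keys):
    """Return (protocol, ipif, finding) for weak or dangling authentication."""
    findings = []
    for line in config_text.splitlines():
        m = AUTH.match(line.strip())
        if not m:
            continue
        proto, ipif, mode, arg = m.groups()
        if mode in ("none", "disabled"):
            findings.append((proto, ipif, "no authentication"))
        elif mode == "simple":
            findings.append((proto, ipif, "password is sent in clear text"))
        elif mode == "md5":
            if arg is None or not arg.isdigit() or not 1 <= int(arg) <= 255:
                findings.append((proto, ipif, "key ID must be 1-255"))
            elif int(arg) not in keys:
                findings.append(
                    (proto, ipif, f"key {arg} is not in the MD5 key table"))
    return findings


if __name__ == "__main__":
    table = parse_md5_table(SHOW_MD5)
    print(redact_md5_output(SHOW_MD5))
    for finding in audit_auth(CONFIG, table):
        print(*finding, sep=": ")
```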
Chapter 11
Configuring IP routes and route redistribution
This chapter describes the route table and route redistribution commands.
Specifically, it includes the following topics:
Topic
Using the route table
Roadmap of route table CLI commands
Creating an IP route
Creating a default IP route
Displaying the IP routes
Configuring IP routes
Configuring default IP routes
Configuring IP routes with max static routes
Using route redistribution
Roadmap of route redistribution CLI commands
Creating a route redistribution from RIP to OSPF
Creating a route redistribution from OSPF to RIP
Deleting a route redistribution
Configuring a route redistribution between RIP and OSPF
Configuring a route redistribution between OSPF and RIP
Displaying the route redistribution settings
A default gateway is defined as the gateway that connects the local network to the
backbone or to the Internet. A default gateway is used whenever no specific route
is found for a given packet, or when there are several gateways on a network that
all have similar connections. For the Passport 1600 CLI, a default IP route is a
route to a default gateway.
Command Parameter
create iproute default
    <network_address>
create iproute default <ipaddr>
    <metric>
create iproute <network address> <ipaddr>
    <metric>
delete iproute default
show iproute <network_address>
    static
    rip
    ospf
config iproute default
    max_static_route
config iproute default <ipaddr>
    <metric 1-65535>
config iproute max_static_route <int 0-512>
Creating an IP route
To create an IP route, enter the following command:
create iproute
create iproute
followed by:
Figure 178 shows the creation of an IP route to 10.48.74.121, with a subnet
mask of 255.0.0.0, a gateway at IP address 10.1.1.254, and a route metric of 1.
followed by:
<ipaddr> Identifies the IP address of the next hop. This can be a
bridge, a router, or a gateway.
<metric> Specifies a numerical value representing the relative distance
between the source and the destination along the IP route.
The default is 1.
followed by:
<ipaddr> Identifies the IP address of the next hop. This can be a
bridge, a router, or a gateway.
<metric> Specifies a numerical value representing the relative distance
between the source and the destination along the IP route.
The default is 1.
Deleting an IP route
To delete an IP route, enter the following command:
show iproute
show iproute
followed by:
Configuring IP routes
To configure IP routes, enter the following command:
config iproute
config iproute
followed by:
Figure 182 shows the display of the config iproute default command.
Note: Due to memory limitations, reserving more space for static route
entries reduces the number of maximum dynamic routes. Before changing
the default setting, please refer to Table 11.
Table 11 Unicast/multicast ratios for dynamic and static iproute and arp values

Unicast/multicast ratio of 75/25
Dynamic iproute   Static iproute   Dynamic arp   Static arp
1404              0                1372          32
1372              32               1372          32
1340              64               1372          32
1276              128              1372          32
1148              256              1372          32
892               512              1372          32

Unicast/multicast ratio of 100/0
Dynamic iproute   Static iproute   Dynamic arp   Static arp
1918              0                1372          32
1886              32               1372          32
1854              64               1372          32
1790              128              1372          32
1662              256              1372          32
1406              512              1372          32
The switch can redistribute routing information between the OSPF and RIP
routing protocols to all routers on the network (that are running either OSPF or
RIP). Routing information entered into the switch’s static routing table and the IP
interface routing information (local to the switch) can also be redistributed.
The Route Redistribution commands in the Command Line Interface (CLI) are
listed (along with the appropriate parameters) in the following table:
Command Parameter
create route redistribute dst ospf src rip mettype [type_1|type_2]
    metric <value>
create route redistribute dst rip src ospf [all|internal|external|type_1|type_2|inter+e1|inter+e2]
    metric <value>
delete route redistribute dst [rip|ospf]
    src [rip|static|local|ospf]
config route redistribute dst ospf src rip mettype [1|2]
    metric <value>
config route redistribute dst rip src ospf [all|internal|external|type_1|type_2|inter+e1|inter+e2]
    metric <value>
show route redistribute dst rip src ospf dst [rip|ospf]
    src [rip|static|local|ospf]
To redistribute routes between RIP and OSPF (RIP as the source, and OSPF as the
destination), enter the following command:
Note that rip allows you to redistribute routes discovered through the Routing
Information Protocol (RIP). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.
Table 12 shows the allowed values for the OSPF routing metrics:
Figure 184 shows how to redistribute routing information between RIP and OSPF,
with RIP as the source and OSPF as the destination.
Figure 184 create route redistribute dst ospf src rip command
To redistribute routes between OSPF and RIP (OSPF as the source and RIP as the
destination), enter the following command:
Note that ospf allows you to redistribute routes discovered through Open
Shortest Path First (OSPF). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.
OSPF 0 to 16 all
type_1
type_2
internal type_1
internal type_2
external
internal
RIP 0 to 16 not applicable
Figure 185 shows how to redistribute all OSPF routes in the switch’s routing table
to RIP with an OSPF interface cost of 2.
Figure 185 create route redistribute dst rip src ospf command
PP1648T:4# create route redistribute dst rip src ospf all metric 2
Command: create route redistribute dst rip src ospf all metric 2
Success.
PP1648T:4#
Figure 186 shows how to delete a route redistribution between RIP and OSPF
with RIP as the destination and OSPF as the source.
Note that rip allows you to redistribute routes discovered through the Routing
Information Protocol (RIP). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.
Figure 187 shows how to configure route redistribution from RIP to OSPF using
the metric calculation method 1 and a metric value of 2:
Figure 187 config route redistribute dst ospf src rip command
PP1648T:4# config route redistribute dst ospf src rip mettype 1 metric 2
Command: config route redistribute dst ospf src rip mettype 1 metric 2
Success.
PP1648T:4#
Note that ospf allows you to redistribute routes discovered through Open
Shortest Path First (OSPF). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.
Figure 188 shows the configuration of a route redistribution from OSPF to RIP to
use OSPF type all and a metric value of 3.
Figure 188 config route redistribute dst rip src ospf command
PP1648T:4# config route redistribute dst rip src ospf all metric 3
Command: config route redistribute dst rip src ospf all metric 3
Success.
PP1648T:4#
Figure 189 shows the display of the routing information redistribution settings.
Chapter 12
Configuring VRRP
This chapter describes the CLI commands that you can use to configure the VRRP
(Virtual Router Redundancy Protocol) on the Switch.
The VRRP is designed to eliminate the single point of failure inherent in the static
default routed environment. VRRP specifies an election protocol that dynamically
assigns responsibility for a virtual router to one of the VRRP routers on your
LAN. The VRRP router controlling the IP address associated with a virtual router
is called the Master, and forwards packets sent to this IP address. The election
process provides dynamic fail-over in the forwarding responsibility should the
Master become unavailable. Any of the virtual router’s IP addresses on a LAN can
then be used as the default first hop router by end-hosts. The advantage gained
from using VRRP is a higher availability default path without requiring
configuration of dynamic routing or router discovery protocols on every end-host.
The VRRP commands in the Command Line Interface (CLI) are listed (along with
the appropriate parameters) in the following table.
Command Parameter
create vrrp ipif <ipif_name>
    vrid <int 1-255>
    authtype [none | simple authdata <string> | ip authdata <string>]
    admin [up | down]
    priority <int 1-255>
    advint <int 1-255>
    preempt [true | false]
    critical ipaddress <ipaddr>
    criticalip [enabled | disabled]
    holddowntimer <int 0-21600>
vrid <int 1-255> This is an integer that will be used to identify this
VRRP group from other VRRP groups that may be
defined on your network. All routers that will
participate in this VRRP group must be assigned
the same VRID (for example, 1), but this number
must be different from the VRID that is assigned to
other VRRP groups that may be created or
configured on your network.
ipaddress <ipaddr> This is the virtual IP address that will be assigned
to the VRRP entry. This is also the IP address of
the default gateway that will be statically assigned
to end-hosts.
This virtual IP address must be assigned to all
routers that will participate in this VRRP group.
admin [up | down] Specifies the state of the administration of the
VRRP entry. If up is specified, the router will
participate in VRRP. If down is specified, the router
will not participate in VRRP.
priority <int 1-255> This is a relative number that will be used in the
election of a Master router from the group of
routers that will participate in VRRP. A higher
number will increase the probability that this router
will be elected as the Master router. A lower
number will increase the probability that this router
will be elected as a backup router.
255 is used to indicate that this router will always
be the Master, and no backup router can become
the Master, unless the Master stops functioning.
The default value is 100. If all routers participating
in VRRP are assigned the same priority value, the
router with the higher physical IP address will be
elected as the Master.
advint <int 1-255> This is the time interval, in seconds, between
sending VRRP message packets. The default
value is 1 second.
The same advint value must be assigned to all
routers participating in this VRRP group.
316862-B Rev 00
Chapter 12 Configuring VRRP 321
preempt [true | false] This specifies the behavior of backup routers in the
VRRP group. The same preempt setting (true or
false) must be set for all routers participating in this
VRRP group.
If preempt is set to true, and a backup router’s
priority is larger than the Master’s priority, the
backup will become the Master, and the Master will
become the backup.
If preempt is set to false, a backup router can not
become a Master router.
critical ip address This is a physical IP address that provides the
<ipaddr> most direct route to the Internet or other critical
network connections, from this router. This must
be a real IP address assigned to a real device on
the network.
If the connection between the Master router and
this IP address is not functioning, a new Master will
be elected from the backup routers participating in
the VRRP.
If the connection to a backup router to this IP
address is also not functioning, this backup router
can not become the Master.
You can assign different critical IP addresses to
different routers participating in the VRRP. In this
way, you can define multiple routes to the Internet
or other critical network connections.
criticalip [enabled | This is used to enable or disable the critical ip
disabled] address command above. The default is disabled.
holddowntimer <int This is the time interval, in seconds, that the router
0-21600> will wait after being booted to start VRRP. All
routers participating in this VRRP group must have
the same holddowntimer value.
The default is 0 seconds. A longer time interval
may be specified if multiple routes must be learned
by the Switch from other devices on the network.
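The rules in the parameter table above (value ranges, settings that must match across the group, the higher-physical-IP tie-break, preempt, and the critical IP check) can be checked before a change is pushed. The following Python sketch is an added example, not code from the manual or from Nortel; the `VrrpRouter` fields `name`, `up` and `critical_ip_reachable` are hypothetical inputs, and it assumes that preempt false means a backup cannot displace a working Master while a failed Master is still replaced.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class VrrpRouter:
    name: str                           # hypothetical label, not a CLI field
    physical_ip: str                    # real interface address, used as tie-breaker
    priority: int = 100                 # default from the table
    advint: int = 1                     # default from the table, in seconds
    preempt: bool = True
    holddowntimer: int = 0              # default from the table, in seconds
    criticalip_enabled: bool = False    # default from the table: disabled
    critical_ip_reachable: bool = True  # constructed health input
    up: bool = True                     # constructed health input


# Ranges and "must be the same on all routers" fields, as stated in the table.
RANGES = {"priority": (1, 255), "advint": (1, 255), "holddowntimer": (0, 21600)}
MUST_MATCH = ("advint", "preempt", "holddowntimer")


def audit_group(routers: List[VrrpRouter]) -> List[str]:
    """Return human-readable findings for one VRRP group (empty list = clean)."""
    findings = []
    for r in routers:
        for field, (lo, hi) in RANGES.items():
            value = getattr(r, field)
            if not lo <= value <= hi:
                findings.append(f"{r.name}: {field}={value} outside {lo}-{hi}")
    for field in MUST_MATCH:
        values = sorted({str(getattr(r, field)) for r in routers})
        if len(values) > 1:
            findings.append(f"{field} differs across the group: {', '.join(values)}")
    pinned = [r.name for r in routers if r.priority == 255]
    if len(pinned) > 1:
        findings.append(f"priority 255 set on more than one router: {', '.join(pinned)}")
    return findings


def eligible(r: VrrpRouter) -> bool:
    """A router can be Master only if it is up and, when criticalip is
    enabled, its own critical IP address is reachable."""
    return r.up and (not r.criticalip_enabled or r.critical_ip_reachable)


def rank(r: VrrpRouter):
    # Higher priority wins; equal priority falls back to the higher physical IP.
    return (r.priority, int(IPv4Address(r.physical_ip)))


def elect(routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Master chosen when no Master is currently functioning."""
    candidates = [r for r in routers if eligible(r)]
    return max(candidates, key=rank) if candidates else None


def master_after_change(current: VrrpRouter, routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Master after a health or priority change, given the current Master."""
    best = elect(routers)
    if best is None or not eligible(current):
        return best                      # Master lost: elect from the backups
    if current.preempt and best.priority > current.priority:
        return best                      # preempt true: strictly larger priority takes over
    return current                       # preempt false, or no larger priority


if __name__ == "__main__":
    group = [VrrpRouter("A", "10.1.1.2"), VrrpRouter("B", "10.1.1.3"),
             VrrpRouter("C", "10.1.1.4", priority=4)]   # constructed sample group
    print(audit_group(group), elect(group).name)
```

A non-empty result from `audit_group` means the group violates one of the "must be the same on all routers" rules, which is worth catching before enabling VRRP.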
Figure 190 shows the creation of a VRRP entry for the IP interface System with
the vrid 1 and the virtual IP address 10.1.1.1.
Success.
:4#
priority <int 1-255> This is a relative number that will be used in the
election of a Master router from the group of
routers that will participate in VRRP. A higher
number will increase the probability that this router
will be elected as the Master router. A lower
number will increase the probability that this router
will be elected as a backup router.
255 is used to indicate that this router will always
be the Master, and no backup router can become
the Master, unless the Master stops functioning.
The default value is 100. If all routers participating
in VRRP are assigned the same priority value, the
router with the higher physical IP address will be
elected as the Master.
advint <int 1-255> This is the time interval, in seconds, between
sending VRRP message packets. The default
value is 1 second.
The same advint value must be assigned to all
routers participating in this VRRP group.
preempt [true | false] This specifies the behavior of backup routers in the
VRRP group. The same preempt setting (true or
false) must be set for all routers participating in this
VRRP group.
If preempt is set to true, and a backup router’s
priority is larger than the Master’s priority, the
backup will become the Master, and the Master will
become the backup.
If preempt is set to false, a backup router can not
become a Master router.
holddowntimer <int 0-21600> This is the time interval, in seconds, that the router
will wait after being booted to start VRRP. All
routers participating in this VRRP group must have
the same holddowntimer value.
The default is 0 seconds. A longer time interval
may be specified if multiple routes must be learned
by the Switch from other devices on the network.
Figure 191 shows the configuration of the VRRP entry for the IP interface System
to make the entry’s priority set to 4.
Success.
:4#
Figure 192 shows the VRRP entry for the IP interface System.
VRRP : Disabled
Ping Virtal IP Address : Disabled
VRID : 1
Current State : Init
Advertisement Interval: 1 second(s)
Preemption Mode : Preempt
Priority : 4
Administrator Status: Down
HoldDownTimer : 0
Master IP addresses : 10.42.73.88
IP addresses backed up : 10.1.1.1
Critical IP : Disabled
Critical IP addresses : 0.0.0.0
Total Entries: 1
:4#
To delete all VRRP IP interface configurations on the Switch, use the following
command:
delete vrrp
delete vrrp
followed by:
Figure 193 shows the deletion of the VRRP entry for the IP interface System.
Success.
:4#
enable vrrp
enable vrrp
followed by:
Success.
:4#
disable vrrp
disable vrrp
followed by:
Success.
:4#
Chapter 13
Configuring BootP and DNS relay
This chapter describes how to configure Bootstrap Protocol (BootP) relay and
Dynamic Name Server (DNS) relay. Specifically, it includes the following topics:
If the BootP server and end station are on the same IP interface, no relay is
necessary. If the BootP server and the end station are on different IP interfaces, a
relay agent is necessary for the switch to forward the BootP messages.
The relay agent forwards these packets between IP interfaces, and therefore must
know the IP addresses of the BootP servers and their respective IP interface
names.
When the switch receives packets destined for a BootP server, it forwards them to
specific servers as defined in the BootP relay configuration. The switch also
forwards packets from the BootP servers to the appropriate IP interfaces.
The following roadmap lists some of the BootP relay commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on BootP relay commands.
Command Parameter
config bootp_relay hops <value 1-16>
time <sec 0-65535>
config bootp_relay add ipif <ipif_name>
<ipaddr>
config bootp_relay delete ipif <ipif_name>
<ipaddr>
enable bootp_relay
disable bootp_relay
show bootp_relay ipif <ipif_name>
config bootp_relay
config bootp_relay
followed by:
hops <value 1-16> The maximum number of router hops that the BootP packets can cross before
being dropped.
time <sec 0-65535> The minimum amount of time, in seconds, within which the switch must relay
the BootP request. If this time is exceeded, the switch will drop the BootP
packet.
Figure 196 shows BootP relay being configured to allow the BootP packets to
cross 4 routers, and to set the BootP relay timer to 2 seconds.
Figure 197 shows the addition of a BootP relay server, located on the IP interface
named System, and having the IP address 10.43.21.12.
Figure 198 shows the deletion of a BootP relay server, located on the IP interface
named System, and having the IP address 10.43.21.12.
enable bootp_relay
PP1612G:4#enable bootp_relay
Command: enable bootp_relay
Success.
PP1612G:4#
disable bootp_relay
PP1612G:4#disable bootp_relay
Command: disable bootp_relay
Success.
PP1612G:4#
To display the current BootP relay configuration, use the following command:
show bootp_relay
show bootp_relay
ipif <ipif_name> The BootP relay configuration can be displayed on a per-IP interface basis. This
is the name of the IP interface you want to display the BootP relay configuration
for. If no IP interface name is specified, the switch will display all of the BootP
configurations on the switch.
Figure 201 shows the current BootP relay configuration being displayed.
Total Entries: 1
PP1612G:4#
If the DNS server and end station are on the same IP interface, no relay is
necessary. If the DNS server and the end station are on different IP interfaces, a
relay agent is necessary for the switch to forward the DNS messages.
The relay agent forwards these packets between IP interfaces, and therefore must
know the IP addresses of the DNS servers and their respective IP interface names.
When the switch receives packets destined for a DNS server, it forwards them to
specific servers as defined in the DNS relay configuration. The switch also
forwards packets from the DNS servers to the appropriate IP interfaces.
The following roadmap lists some of the DNS relay commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on DNS relay commands.
Command Parameter
config dnsr primary
secondary
nameserver <ipaddr>
config dnsr
config dnsr
followed by:
primary This specifies that the DNS server, located at the IP address
entered following nameserver, below, is the primary DNS server.
secondary This specifies that the DNS server, located at the IP address
entered following nameserver, below, is the secondary DNS
server.
nameserver <ipaddr> This is the IP address of the DNS server.
Figure 202 shows DNS relay being configured to relay packets from the primary
DNS server, located at the IP address 10.43.21.12.
enable dnsr
PP1612G:4#enable dnsr
Command: enable dnsr
Success.
PP1612G:4#
disable dnsr
PP1612G:4#disable dnsr
Command: disable dnsr
Success.
PP1612G:4#
To enable the DNS relay static table, use the following command:
Figure 207 shows the DNS relay static table being enabled.
To disable the DNS relay static table, use the following command:
Figure 208 shows the DNS relay static table being disabled.
To display the current DNS relay configuration, use the following command:
show dnsr
show dnsr
followed by:
static The DNS relay static table can be displayed by
specifying this parameter.
Figure 209 shows the current DNS relay configuration being displayed.
Chapter 14
Configuring SNMP
The 1600 switch has a software program called an “agent” that processes SNMP
requests, but the user program that makes the requests and collects the responses
runs on a management station (a designated computer on the network). The
SNMP agent and the user program both use the UDP/IP protocols to exchange
packets.
You use “community strings” to ensure that both the router SNMP agent and the
remote user SNMP application program discard packets from unauthorized users.
The remote user SNMP application and the router SNMP must use the same
community string. SNMP community strings of up to 20 characters may be
entered under the Remote Management Setup menu of the console program.
Caution: The Passport 1600 Series Layer 3 Switch software version 1.1
are encrypted. When the switch starts for the first time, it uses the default
community string. It is strongly recommended that you change the default
community string immediately after the installation.
This chapter describes the commands you use to configure SNMP. Specifically, it
includes the following topics:
Roadmap of SNMP CLI commands
Configuring SNMP
Managing SNMP traps
Command Parameter
create snmp community <community_string>
[readonly|readwrite]
delete snmp community <community_string>
create trusted_host <ipaddr>
<netmask>
delete trusted_host <ipaddr>
<netmask>
config snmp community <community_string>
[readonly|readwrite]
config snmp system_name <sw_name>
config snmp location <sw_location>
config snmp system_contact <sw_contact>
show snmp community
trap_receiver
show trusted_host <ipaddr>
<netmask>
create snmp trap_receiver <ipaddr>
<community_string>
delete snmp trap_receiver <ipaddr>
enable snmp
disable snmp
enable snmp authenticate traps
disable snmp authenticate traps
Configuring SNMP
This section describes how to create and delete SNMP community strings and
trusted hosts, to configure SNMP contact information, and to display SNMP
configuration information. It contains the following topics:
Creating an SNMP community string
Deleting an SNMP community string
Creating a trusted host
Deleting a trusted host
Configuring an SNMP community string
Configuring the SNMP system name
Configuring the SNMP location
Configuring the SNMP system contact
Displaying the current SNMP configuration
Displaying the currently configured trusted hosts
Figure 210 shows the creation of the SNMP community string “System” and
gives this string read/write access.
Success.
PP1612G:4#
where:
community_string is an alphanumeric string of up to 32 characters used to
authenticate users who want access to the switch’s SNMP agent.
Figure 211 shows an example of the output for this command. In this example, the
SNMP community string System is deleted.
Success.
PP1612G:4#
create trusted_host
create trusted_host
followed by:
Success.
PP1612G:4#
delete trusted_host
delete trusted_host
followed by:
where:
ipaddr is the IP address of the remote management station that will be deleted
as a trusted host.
netmask is the subnet mask corresponding to the IP address above.
Success.
PP1612G:4#
Figure 214 shows the configuration of the SNMP community string “Passport”
and gives this string read/write access.
Success.
Success.
PP1612G:4#
To configure an SNMP system name for the switch, use the following command:
Success.
PP1612G:4#
To configure an SNMP location for the switch, use the following command:
where:
Success.
PP1612G:4#
Success.
PP1612G:4#
To display the current SNMP configuration on the switch, use the following
command:
show snmp
show snmp
followed by:
community
trap_receiver
PP1648T:4#show snmp
Command: show snmp
Total Entries: 3
Total Entries: 1
PP1648T:4#
To display the currently configured trusted hosts on the switch, use the following
command:
show trusted_host
show trusted_host
followed by:
This command includes the option <ipaddr>, which allows you to specify the
trusted host that you want to display.
Figure 219 shows the currently configured trusted hosts on the switch.
PP1648T:4#show trusted_host
Command: show trusted_host
Management Stations:
IP Address Mask
--------------- ---------------
10.12.53.251 255.0.0.0
11.1.1.1 255.0.0.0
PP1648T:4#
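Both trusted hosts in Figure 219 carry the mask 255.0.0.0, and the community strings created in Figures 210 and 214 have read/write access, so it is worth measuring how much address space such a configuration admits. The following Python audit is an added example, not part of the manual or the switch software; it assumes a trusted_host entry matches every source address inside the network formed by the IP address and mask, and the command lines in `COMMANDS` are constructed from the roadmap syntax and the figure captions.

```python
import ipaddress
import re

# Output of "show trusted_host" as printed in Figure 219 on this page.
SHOW_TRUSTED_HOST = """\
PP1648T:4#show trusted_host
Command: show trusted_host
Management Stations:
IP Address Mask
--------------- ---------------
10.12.53.251 255.0.0.0
11.1.1.1 255.0.0.0
PP1648T:4#
"""

# Constructed command history in the roadmap syntax
# "create|config snmp community <community_string> [readonly|readwrite]".
COMMANDS = [
    "create snmp community System readwrite",    # as described for Figure 210
    "config snmp community Passport readwrite",  # as described for Figure 214
    "create snmp community Monitor readonly",    # constructed sample
]

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
COMMUNITY = re.compile(r"^(?:create|config) snmp community (\S+) (readonly|readwrite)$")


def parse_trusted_hosts(text):
    """Return (configured_ip, network) pairs from "show trusted_host" output."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # prompt, header or separator line
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:
            continue                      # octet above 255 or non-contiguous mask
        entries.append((m.group(1), net))
    return entries


def broad_entries(entries, max_addresses=256):
    """Entries that admit more source addresses than max_addresses (assumed policy limit)."""
    return [(ip, str(net), net.num_addresses)
            for ip, net in entries if net.num_addresses > max_addresses]


def is_trusted(source_ip, entries):
    """Would a packet from source_ip pass the trusted-host check (under the stated assumption)?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for _, net in entries)


def readwrite_communities(commands):
    """Community strings whose most recent create/config line grants readwrite."""
    access = {}
    for line in commands:
        m = COMMUNITY.match(line.strip())
        if m:
            access[m.group(1)] = m.group(2)
    return sorted(name for name, mode in access.items() if mode == "readwrite")


if __name__ == "__main__":
    hosts = parse_trusted_hosts(SHOW_TRUSTED_HOST)
    for ip, net, count in broad_entries(hosts):
        print(f"trusted_host {ip} admits {net} ({count} addresses)")
    print("readwrite communities:", ", ".join(readwrite_communities(COMMANDS)))
```

Tightening each entry to the mask 255.255.255.255 for a single management station makes `broad_entries` return an empty list.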
Trap recipients are special users of the network who are given certain rights and
access in overseeing the maintenance of the network. Trap recipients will receive
traps sent from the switch; they must immediately take certain actions to avoid
future failure or breakdown of the network.
You can also specify which network managers may receive traps from the switch
by entering a list of the IP addresses of authorized network managers. Up to four
trap recipient IP addresses, and four corresponding SNMP community strings can
be entered. SNMP community strings function like passwords in that the
community string entered for a given IP address must be used in the management
station software, or a trap will be sent.
Creating an SNMP trap receiver
Deleting an SNMP trap receiver
Enabling the transmission of SNMP traps
Disabling the transmission of SNMP traps
Enabling the authentication of SNMP traps
Disabling the authentication of SNMP traps
Figure 220 shows the creation of an SNMP trap receiver that has an IP address of
10.1.1.1 and will use the community string System.
Success.
PP1612G:4#
Figure 221 shows the deletion of an SNMP trap receiver that has an IP address of
10.1.1.1.
Success.
PP1612G:4#
To enable the switch’s SNMP agent to send traps, use the following command:
enable snmp
Figure 222 shows the enabling of the transmission of SNMP traps on the switch.
PP1612G:4#enable snmp
Command: enable snmp
Success.
PP1612G:4#
To stop the switch’s SNMP agent from sending traps, use the following command:
disable snmp
Figure 223 shows the disabling of the transmission of SNMP traps on the switch.
PP1612G:4#disable snmp
Command: disable snmp
Success.
PP1612G:4#
Figure 224 shows enabling the authentication of SNMP traps on the switch.
Success.
PP1612G:4#
Figure 225 shows disabling the authentication of SNMP traps on the switch.
Success.
PP1612G:4#
Chapter 15
Configuring Multicasting (IGMP, IGMP Snooping,
and DVMRP)
Configuring IGMP
To receive multicast packets, end users must inform nearby routers that they want
to become a member of a multicast group. The Internet Group Management
Protocol (IGMP) is used by multicast routers to maintain multicast group
membership. IGMP is used to determine whether the switch should forward
multicast packets it receives to the other IP interfaces or not. When the switch has
received a multicast packet, it will check to determine if there is at least one
member of a multicast group that has requested to receive multicast packets from
this source. If there is one member, the packet is forwarded. If there are no
members, the packet is dropped.
IGMP snooping allows the switch to “snoop,” or to capture the IGMP message
packets, and examine their contents, as these packets pass between hosts and
routers. When the switch receives an IGMP join message from a host for a given
multicast group, the switch then adds the host’s IGMP information into its list for
that group. When the switch receives an IGMP leave message for a host, it will
remove the host from its list for that multicast group.
Roadmap of IGMP commands
The IP multicast cache commands allow you to display the entries into
the switch’s IP multicasting cache for specific groups and IP addresses.
Configuring IGMP snooping
Command Parameter
config igmp ipif <ipif_name>
all
version <value>
query_interval <sec>
max_response_time <sec>
robustness_variable <value>
last_member_query_interval
<value>
state [enabled|disabled]
Command Parameter
config router_ports <vlan_name>
[add|delete] <portlist>
Configuring IGMP
To configure IGMP for all IP interfaces on the switch to use IGMP version 1, and
to enable IGMP, enter the following command:
config igmp
config igmp
followed by:
ipif <ipif_name> Specifies the name of the IP interface for which you
wish to configure IGMP.
all Indicates that this IGMP configuration is applied to all
IP interfaces on the switch.
followed by:
version <value> Identifies the IGMP version number.
config igmp
followed by:
query_interval <sec> Designates the time, in seconds, between general
query transmissions.
max_response_time <sec> Specifies the maximum amount of time, in seconds,
that the switch will wait for reports from group
members.
robustness_variable <value> Specifies a tuning variable for networks that are
expected to lose a large number of packets. A
number between 2 and 255 can be entered, with
larger values being specified for networks that are
expected to lose a larger number of packets. The
default is 2.
last_member_query_interval <value> Specifies the Max Response Time inserted into
Group-Specific Queries sent in response to Leave
Group messages. It also identifies the amount of
time between Group-Specific Query messages. The
default is 1 second.
state [enabled|disabled] Enables or disables IGMP for the IP interface
specified above.
Figure 226 shows IGMP being configured for all the IP interfaces on the switch to
use IGMP version 1, and that IGMP is enabled.
Success.
PP1648T:4#
show igmp
show igmp
followed by:
ipif <ipif_name> Specifies the name of the IP interface for which you want to
display the current IGMP configuration. If no IP interface name is
specified, the switch will display the IGMP configuration for all the IP
interfaces on the switch.
Figure 227 shows IGMP being configured for all the IP interfaces on the switch to
use IGMP version 1, and that IGMP is enabled.
Total Entries: 2
PP1612G:4#
To display the IGMP group settings for all IP interfaces on the switch.
ipif <ipif_name> Identifies the IP interface name for which you wish to
display the current IGMP configuration. If no IP
interface name is specified, the switch displays the
IGMP configuration for all the IP interfaces on the
switch.
Figure 228 shows IGMP being configured for all the IP interfaces on the switch to
use IGMP version 1, and that IGMP is enabled.
Total Entries: 0
PP1612G:4#
Figure 229 shows how to configure and enable IGMP snooping for all VLANs on
the switch with a host timeout value of 250 seconds.
Success.
PP1648T:4#
You can use the IGMP querier feature to configure the time in seconds between
general query transmissions, the maximum time in seconds to wait for reports
from members, and the permitted packet loss value that guarantees IGMP
snooping.
To configure the IGMP snooping querier feature, use the following command:
Figure 230 shows how to configure and enable IGMP snooping querier for a
VLAN named default, with a query interval of 125 seconds:
Success.
PP1648T:4#
config router_ports
config router_ports
followed by:
Figure 231 shows how to configure switch ports 1 through 3 to be router ports.
Success.
PP1648T:4#
You can globally enable IGMP snooping on the switch. When you enable IGMP
snooping on the switch, the switch forwards all multicast traffic to any IP router
and forwards traffic to the VLAN in which a client shows up.
To globally enable IGMP snooping on the switch, use the following command:
enable igmp_snooping
If you want the switch to forward all multicast traffic only to a multicast-enabled
router, include the forward_mcrouter_only parameter in the command line;
otherwise, the switch forwards all multicast traffic to any IP router.
As a switch, the Passport 1600 can also prune group memberships per port within
a VLAN. This feature, igmp_snooping filtering, allows you to optimize the
IP multicast data flow for a group within a VLAN to only those ports that are
members of the group. The switch listens to group reports from each port and
builds a database of multicast group members per port. The switch suppresses the
reports heard by not forwarding them out to other hosts, forcing the members to
continuously send their own reports. Furthermore, the switch forwards multicast
data only to the participating group members within the VLAN.
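The per-port membership database described above can be modelled in a few lines, which makes it easier to reason about which ports receive a group's traffic after joins, leaves and timeouts. This Python model is an added example, not the switch's implementation; the host timeout of 250 seconds and router ports 1 through 3 come from Figures 229 and 231, while the class name, the multicast-address check, and the rule that router ports always receive the traffic are assumptions.

```python
import ipaddress


class SnoopingTable:
    """Model of an IGMP snooping database: group members per port, per VLAN."""

    def __init__(self, host_timeout=250):
        self.host_timeout = host_timeout   # seconds a member stays without a new report
        self.members = {}                  # (vlan, group) -> {port: time of last report}
        self.router_ports = {}             # vlan -> set of ports configured as router ports

    def add_router_ports(self, vlan, ports):
        self.router_ports.setdefault(vlan, set()).update(ports)

    def report(self, vlan, port, group, now):
        """Record a join/report heard on a port. Returns False if it is ignored."""
        if not ipaddress.ip_address(group).is_multicast:
            return False                   # assumption: non-multicast groups are not learned
        self.members.setdefault((vlan, group), {})[port] = now
        return True

    def leave(self, vlan, port, group):
        """Remove the port from the group's list when a leave message is heard."""
        self.members.get((vlan, group), {}).pop(port, None)

    def live_members(self, vlan, group, now):
        """Ports with an unexpired report; expired ports are aged out."""
        seen = self.members.get((vlan, group), {})
        for port in [p for p, t in seen.items() if now - t > self.host_timeout]:
            del seen[port]
        return set(seen)

    def egress_ports(self, vlan, group, ingress_port, now):
        """Ports that receive data for the group: live members plus router ports."""
        ports = self.live_members(vlan, group, now) | self.router_ports.get(vlan, set())
        return sorted(ports - {ingress_port})


if __name__ == "__main__":
    table = SnoopingTable(host_timeout=250)
    table.add_router_ports("default", range(1, 4))       # ports 1-3, as in Figure 231
    table.report("default", 5, "239.1.1.1", now=0)       # constructed join on port 5
    table.report("default", 7, "239.1.1.1", now=100)     # constructed join on port 7
    print(table.egress_ports("default", "239.1.1.1", ingress_port=1, now=200))
    print(table.egress_ports("default", "239.1.1.1", ingress_port=1, now=300))
```

The second call shows port 5 aged out once its last report is older than the host timeout, which is why members must keep sending their own reports.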
enable igmp_snooping
followed by:
Figure 232 shows how to configure and enable IGMP snooping to forward all
multicast traffic only to a multicast-enabled router.
Success.
PP1648T:4#
To globally disable IGMP snooping on the switch, use the following command:
disable igmp_snooping
disable igmp_snooping
followed by:
Success.
PP1648T:4#
You can display the current IGMP snooping configuration on the switch.
To display the current IGMP snooping configuration, use the following show
command:
show igmp_snooping
show igmp_snooping
followed by:
vlan <vlan_name> Specifies the name of the VLAN for which you
want to view the IGMP snooping configuration
Note: The IGMP snooping feature can be
configured differently for each VLAN on the switch.
Figure 234 shows how to display the IGMP snooping configuration on the switch.
Total Entries: 2
PP1648T:4#
You can display current IGMP snooping group configurations on the switch.
To display the current IGMP snooping group configuration, use the following
show command:
show igmp_snooping
followed by:
vlan <vlan_name> Specifies the name of the VLAN for which you
want to view the IGMP snooping group
configuration
Note: The IGMP snooping feature can be
configured differently for each VLAN on the switch.
Figure 235 shows how to display the current IGMP snooping group configuration.
Total Entries : 6
PP1648T:4#
You can display information about the IGMP snooping forwarding table.
To display the current IGMP snooping forwarding table, use the following show
command:
vlan <vlan_name> Specifies the name of the VLAN for which you
want to view the IGMP snooping forwarding
configuration
Note: You can configure the IGMP snooping
feature differently for each VLAN on the switch.
Figure 236 shows how to display information about the IGMP snooping
forwarding table.
Total Entries : 1
PP1648T:4#
You can display the currently configured router ports on the switch.
To display the current list of router ports, use the following command:
show router_ports
show router_ports
followed by:
vlan <vlan_name> Specifies the name of the VLAN for which you
want to view the list of router ports.
[static|dynamic] Allows you to view the list of router ports based on
the method used to add a port to the router port
list:
• static — entered manually
• dynamic — discovered automatically by the
switch.
VLAN Name : v2
Static router port : 17-22
Dynamic router port:
Total Entries: 2
PP1648T:4#
Configuring DVMRP
This section describes the CLI commands that you can use to configure the
DVMRP (Distance Vector Multicast Routing Protocol) on the Switch.
DVMRP resembles the Routing Information Protocol (RIP), but is extended for
multicast delivery. It relies upon RIP hop counts to calculate 'shortest paths' back
to the source of a multicast message, but defines a 'route cost' to calculate which
branches of a multicast delivery tree should be 'pruned' - once the delivery tree is
established.
The higher the route cost, the lower the probability that the current route will be
chosen to be an active branch of the multicast delivery tree (not 'pruned') - if there
is an alternative route.
DVMRP commands in the Command Line Interface (CLI) are listed (along with
the appropriate parameters) in the following table:
Command Parameter
Configuring DVMRP
config dvmrp
followed by:
ipif <ipif_name> This is the name of the IP interface that this DVMRP
configuration will apply to.
all This specifies that this DVMRP configuration will
apply to all the IP interfaces on the switch.
metric <value> This allows you to assign a DVMRP route cost to the
IP interface (entered above). A DVMRP route cost is
a number that represents the relative cost of using
this route, as opposed to using an alternative route,
in the construction of a multicast delivery tree. The
default cost is 1.
probe <second> This is the amount of time, in seconds, between
queries to determine if a multicast group is present
on a given router’s subnet. The default is 10 seconds.
neighbor_timeout <second> The time period, in seconds, that the switch will
retain DVMRP neighbor router reports before issuing
poison route messages. The default is 35 seconds.
state [enabled/disabled] This allows you to enable or disable DVMRP.
Figure shows DVMRP being configured for the IP interface System, to use a
neighbor timeout of 30 seconds and a DVMRP route cost of 2:
Success.
:4#
Enabling DVMRP
enable dvmrp
enable dvmrp
This command has no additional parameters.
Success.
:4#
Disabling DVMRP
disable dvmrp
disable dvmrp
This command has no additional parameters.
Success.
:4#
To display the current DVMRP routing table, use the following command:
Total Entries: 0
:4#
To display the current DVMRP neighbor router table, use the following
command:
Figure shows the current DVMRP neighbor router table being displayed:
Total Entries: 0
:4#
To display the current DVMRP nexthop router table, use the following
command:
Figure shows the current DVMRP nexthop router table being displayed:
Total Entries: 0
:4#
show dvmrp
show dvmrp
followed by:
ipif <ipif_name> This is the name of the IP interface for which you
want to display the current DVMRP
configuration.
Total Entries: 1
:4#
The IP multicasting commands in the Command Line Interface (CLI) are listed
(along with the appropriate parameters) in the following table.
Total Entries: 0
:4#
show ipmc
show ipmc
followed by:
ipif <ipif_name> This is the name of the IP interface for which you
want to display the IP multicast table.
Total Entries: 1
:4#
Chapter 16
Monitoring the network
The Passport 1600 switch provides extensive network monitoring that can be
viewed using the network monitoring commands described in this chapter.
Command Parameter
show packet ports <portlist>
show error ports <portlist>
show utilization
clear counters ports <portlist>
clear log
show log index <value>
config mirror port <port> add
    source ports <portlist>
    [rx|tx|both]
config mirror port <port> delete
    source ports <portlist>
    [rx|tx|both]
enable mirror
disable mirror
show mirror
enable rmon
disable rmon
ping <ipaddr> times <values 1-255>
    timeout <sec 1-99>
traceroute <ipaddr> ttl <value 1-60>
    port <value 30000-64900>
    timeout <sec 1-65535>
    probe <value 1-9>
Figure 247 shows the traffic statistics collected by the switch for port 7.
Port number : 7
Frame Size Frame Counts Frames/sec Frame Type Total Total/sec
------------ ------------ ---------- ---------- --------- ---------
64 2 0 RX Bytes 64 0
65-127 0 0 RX Frames 1 0
128-255 0 0
256-511 0 0 TX Bytes 64 0
512-1023 0 0 TX Frames 1 0
1024-Max Size 0 0
Unicast RX 0 0
Multicast RX 1 0
Broadcast RX 0 0
Unicast TX 0 0
Multicast TX 1 0
Broadcast TX 0 0
Table 24 shows the definitions for terms related to displaying port traffic
statistics.
Term Definition
Frames The number of packets (or frames) received or transmitted by the switch
with the size, in octets, given by the column on the right.
Frames/sec The number of packets (or frames) transmitted or received, per second,
by the switch.
Unicast RX Displays the number of unicast packets received by the switch in total
number (Frames) and the rate (Frames/sec).
Multicast RX Displays the number of multicast packets received by the switch in total
number (Frames) and the rate (Frames/sec).
Broadcast RX Displays the number of broadcast packets received by the switch in total
number (Frames) and the rate (Frames/sec).
RX Bytes Displays the number of bytes (octets) received by the switch in total
number (Total), and rate (Total/sec).
RX Frames Displays the number of packets (frames) received by the switch in total
number (Total), and rate (Total/sec).
Unicast TX Displays the number of unicast packets transmitted by the switch in total
number (Frames) and the rate (Frames/sec).
Multicast TX Displays the number of multicast packets transmitted by the switch in
total number (Frames) and the rate (Frames/sec).
Broadcast TX Displays the number of broadcast packets transmitted by the switch in
total number (Frames) and the rate (Frames/sec).
TX Bytes Displays the number of bytes (octets) transmitted by the switch in total
number (Total), and rate (Total/sec).
TX Frames Displays the number of packets (frames) transmitted by the switch in
total number (Total), and rate (Total/sec).
Term Definition
Undersize The total number of frames received that were less than 64
octets long (excluding framing bits, but including FCS
octets) and were otherwise well formed.
Oversize The total number of frames received that were longer than
1518 octets (excluding framing bits, but including FCS
octets) and were otherwise well formed.
Fragment The total number of frames received that were less than 64
octets in length (excluding framing bits, but including FCS
octets) and had either an FCS or an alignment error.
Jabber The total number of frames received that were longer than
1518 octets (excluding framing bits, but including FCS
octets), and had either an FCS or an alignment error.
For transmitted packets
Excessive Collision Excessive Collisions. The number of frames for which
transmission failed due to excessive collisions.
Late Collision The number of times that a collision is detected later than
512 bit-times into the transmission of a packet.
Collision
To display error statistics for the switch’s ports, use the following command:
where:
portlist specifies the ports for which you want to display traffic statistics. Ports
are specified by entering the lowest port number in a group, and then the highest
port number in a group, separated by a dash. A port group, including the switch
ports 1, 2, and 3, would be entered as 1-3. Ports that are not contained within a
group are specified by entering their port number, separated by a comma. For
example, the port group 1-3 and port 26 would be entered as 1-3, 26.
Figure 248 shows the traffic statistics collected by the switch for port 3.
Port number : 7
RX Frames TX Frames
--------- ---------
CRC Error 0 Excessive Collision 0
Undersize 0 Late Collision 0
Oversize 0 Collision 0
Fragment 0
Jabber 0
show utilization
PP1624G:4#
clear counters
clear counters
followed by:
ports <portlist> Specifies that you only want to clear the counters for the ports
specified in the <portlist>. If this parameter is not
specified, the counters for all of the ports on the switch will be
cleared.
• portlist is the range of ports for which you want to
clear counters. Ports are specified by entering the lowest
port number in a group, and then the highest port number
in a group, separated by a dash. So, a port group including
the switch ports 1, 2, and 3 would be entered as 1-3. Ports
that are not contained within a group are specified by
entering their port number, separated by a comma. So, the
port group 1-3 and port 26 would be entered as 1-3, 26.
Figure 250 shows how to clear counters for ports 7 through 9, inclusive.
clear log
Success.
PP1612G:4#
show log
show log
followed by:
index <value> Specifies the index number for which you want to display the
switch log.
where:
port is the number of the port that will become a mirror for the ports listed in
portlist.
portlist is the range of ports whose traffic is mirrored in the mirror port. To
specify a range, enter the beginning and end values, separated by a hyphen. You
specify ports that are not contained within a group by entering their port number,
separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
rx mirrors the packets received by the source ports.
tx mirrors the packets transmitted by the source ports.
both mirrors all packets that pass through the source ports.
Figure 253 shows you how to configure port 5 as the mirror port, and ports 1
through 4 as the source ports. All traffic passing through the source ports is
mirrored to port 5.
Success.
where:
port is the number of the port that is a mirror for the ports listed in portlist.
portlist is the range of ports whose traffic is mirrored in the mirror port. To
specify a range, enter the beginning and end values, separated by a hyphen. You
specify ports that are not contained within a group by entering their port number,
separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
rx mirrors the packets received by the source ports.
tx mirrors the packets transmitted by the source ports.
both mirrors all packets that pass through the source ports.
Figure 254 shows you how to delete port 5 as the mirror port, and ports 1 through
4 as the source ports.
Success.
PP1612G:4#
enable mirror
Figure 255 shows you how to enable port mirroring on the switch.
PP1612G:4#enable mirror
Command: enable mirror
Success.
PP1612G:4#
disable mirror
Figure 256 shows you how to disable port mirroring on the switch.
PP1612G:4#disable mirror
Command: disable mirror.
Success.
PP1612G:4#
show mirror
Figure 257 shows you how to display the current mirror settings on the switch.
Current Settings
Mirror Status: Enabled
Target Port : 9
Mirrored Port
RX:
TX: 1-5
PP1648T:4#
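An added example, not part of the original manual: a Python check that parses the show mirror output above, expands the portlist notation (for example 1-3, 26), and flags a mirror session that differs from an approved baseline. The approved-session dictionary, the finding labels, and the 48-port limit are assumptions made for illustration.

```python
import re

# Output reproduced from the "show mirror" figure on this page.
SAMPLE_SHOW_MIRROR = """\
Current Settings
Mirror Status: Enabled
Target Port : 9
Mirrored Port
RX:
TX: 1-5
PP1648T:4#
"""

MAX_PORT = 48  # assumption: highest port number on the audited switch


def parse_portlist(text, max_port=MAX_PORT):
    """Expand a portlist such as '1-3, 26' into a sorted list of port numbers."""
    if not text.strip():
        return []  # an empty RX: or TX: line means no source ports
    ports = set()
    for item in text.split(","):
        match = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not match:
            raise ValueError(f"malformed portlist item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 1 <= low <= high <= max_port:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def parse_show_mirror(output):
    """Turn captured 'show mirror' output into a settings dictionary."""
    settings = {"enabled": False, "target": None, "rx": [], "tx": []}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # headings such as 'Current Settings'
        key, value = key.strip().lower(), value.strip()
        if key == "mirror status":
            settings["enabled"] = value.lower() == "enabled"
        elif key == "target port":
            settings["target"] = int(value)
        elif key in ("rx", "tx"):
            settings[key] = parse_portlist(value)
    return settings


def audit_mirror(settings, approved):
    """Compare a parsed mirror session with the approved one; return findings.

    approved is None when no mirroring is authorised on this switch, otherwise
    a dict with the 'target', 'rx' and 'tx' keys that parse_show_mirror returns.
    """
    if not settings["enabled"]:
        return []  # mirroring is switched off globally
    if approved is None:
        return [("unapproved-session", settings["target"])]
    findings = []
    if settings["target"] != approved["target"]:
        findings.append(("unexpected-target", settings["target"]))
    for direction in ("rx", "tx"):
        extra = sorted(set(settings[direction]) - set(approved[direction]))
        if extra:
            findings.append((f"unexpected-{direction}-source", extra))
    return findings


if __name__ == "__main__":
    current = parse_show_mirror(SAMPLE_SHOW_MIRROR)
    baseline = {"target": 9, "rx": [], "tx": parse_portlist("1-3")}
    for finding in audit_mirror(current, baseline):
        print(finding)
```

Run it against output captured on a schedule; a finding means traffic from a port is being copied somewhere the baseline does not allow.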
enable rmon
PP1612G:4#enable rmon
Command: enable rmon
Success.
PP1612G:4#
disable rmon
PP1612G:4#disable rmon
Command: disable rmon
Success.
PP1612G:4#
ping <ipaddr>
where:
ipaddr is the IP address of the network device at the remote end of the link. This
IP address must be on the same subnet as the switch.
ping
followed by:
times <values 1-255> The number of times the remote network device
will be “pinged.”
timeout <sec 1-99> The length of time, in seconds, the switch will wait
for a response from the remote network device
after sending a ping packet.
Note: You cannot ping an interface if its ports are in blocking mode and
the link is up.
Figure 260 shows the switch sending 4 ping packets to the IP address
10.48.74.128.
PP1612G:4#
traceroute <ipaddr>
where:
ipaddr is the IP address of the remote network device to be pinged.
traceroute
followed by:
ttl <value 1-60> The time to live (TTL) value of the trace route
request. This is the maximum number of routers
the traceroute command can cross while seeking
the network path between two devices.
port <value 30000-64900> The port number.
timeout <sec 1-65535> The maximum amount of time, in seconds, the
switch will wait for a response.
probe <value 1-9> The number of times the switch will try the
traceroute command.
Figure 261 shows the switch tracing the route between the switch and the network
device with the IP address 10.48.74.121, with 3 probes:
1 <10ms. 10.48.74.121
1 <10ms. 10.48.74.121
1 <10ms. 10.48.74.121
PP1612G:4#
Chapter 17
CLI configuration examples
This chapter provides configuration examples for common Passport 1600 Series
switch tasks and includes the CLI commands that you use to create the
configuration examples. It includes the following topics:
Note: The Passport 1600 Series switch requires names when you create
or edit VLANs or IP addresses. The VLAN name can be up to 32
characters in length and is case-sensitive. For this configuration, you will
not create a new VLAN or IP address; you will simply change the settings
for the default VLAN, named default, and the default IP address, named
System.
This example shows you how to create the default VLAN, as follows:
316862-A Rev 00
Figure 262 Configuration example — configuring the default VLAN for access
[Diagram labels: Passport 1648T; Default gateway 10.1.1.1; Port 1; Management IP 10.1.1.10/24]
To perform this configuration, you connect your PC or terminal to the console port
on the switch using the 9-pin serial connector, and you set your terminal to 9600
bps 8/N/1.
This section describes how to configure the default VLAN for this example. For
more information about the commands used in this section, see Chapter 1,
“Setting up the switch,” and Chapter 6, “Configuring VLANs.”
Current Accounts:
Username Access Level
--------------- ------------
rwa Admin
3 View the VLAN configuration by entering the following command:
PP1648T:4# show vlan
Command: show vlan
Total Entries : 1
2 View the IP addresses used using the following command:
IP Interface Settings
Total Entries : 1
PP1648T:4#
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the configuration file from the switch. The path filename
can be up to 64 characters.
For more information about the commands used in this section, see Chapter 2,
“Managing switch operations.”
[Diagram labels: Passport 1648T; Passport 8600; VLAN 10; VLAN 12; Tagged, VLAN 10 and 12]
Viewing VLANs
To view the VLANs that you have just configured, use the following command
Total Entries : 3
where:
port specifies port number.
vlan_name_32 specifies a VLAN.
macaddr is a multicast MAC address.
Example:
Total Entries: 15
For more information about the commands used in this section, see Chapter 4,
“Configuring Spanning Tree.”
Success.
To disable Spanning Tree for a specific port, use the following command. In this
example, you disable Spanning Tree for port 12.
For this example, you create MLT group 1 with ports 1/27 and 1/28.
Figure 264 Configuration example — creating MLT group with ports 27 and 28
[Diagram labels: Passport 1648T; Passport 8600; ports 27 and 28]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 7, “Configuring link aggregation groups.”
Enabling OSPF
For this example, you create two new VLANs, as follows:
[Diagram labels: Passport 1648T; VLAN 2, 10.50.1.0/24 (.1); VLAN 3, 10.1.1.68/30 (.69, .70); OSPF Area 0]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 10, “Configuring ARP, RIP, and OSPF.”
Total Entries : 3
Total Entries : 1
Total Entries : 0
Total Entries : 0
Total Entries : 0
Total Entries: 1
To view the OSPF link state database, use the following command:
Total Entries: 16
Routing Table
Total Entries : 22
The Passport 1600 Series switch supports both Simple and MD5 mechanisms. The
Simple Password is a text password mechanism: only routers that contain the
same authentication ID in their LSA headers can communicate with each other.
MD5 is the preferred method of OSPF security because it provides standards-based
(RFC 1321) authentication using 128-bit encryption.
For this example, you enable MD5 authentication for the Passport 8600 using an
MD5 key of passport1234.
[Diagram labels: Passport 1648T; Passport 8600; ipif = ip_3; Configure MD5 key with 'passport 1234']
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 10, “Configuring ARP, RIP, and OSPF.”
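An added example, not part of the original manual: the keyed-MD5 check behind OSPF cryptographic authentication (RFC 2328, Appendix D), written in Python with this example's key passport1234. The router ID, key ID, sequence number and Hello values are constructed for illustration; note that the digest authenticates the packet but does not hide its contents.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO = 2   # AuType value for cryptographic authentication (RFC 2328)
DIGEST_LEN = 16     # an MD5 digest is 128 bits
HEADER_LEN = 24     # fixed OSPF packet header
HEADER_FMT = "!BBH4s4sHHHBBI"


def pad_key(secret):
    """Return the shared secret as the 16-byte key the digest is computed with."""
    key = secret.encode("ascii")
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_hello(router_id, area_id, key_id, seq):
    """Build an OSPFv2 Hello with the authentication fields set for MD5."""
    # Hello body: mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.252"), 10, 0x02, 1, 40,
                       ip("0.0.0.0"), ip("0.0.0.0"))
    # Header: version 2, type 1 (Hello), length without the digest, router ID,
    # area ID, checksum 0 (unused with AuType 2), AuType, then the 64-bit
    # authentication field: 0, key ID, digest length, sequence number.
    header = struct.pack(HEADER_FMT, 2, 1, HEADER_LEN + len(body), ip(router_id),
                         ip(area_id), 0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet, secret):
    """Append MD5(packet || padded key); the key itself is never transmitted."""
    return packet + hashlib.md5(packet + pad_key(secret)).digest()


def verify(signed, secret, last_seq=0):
    """Receiver-side check; returns (accepted, reason)."""
    if len(signed) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    packet, digest = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    length, autype, auth_len, seq = fields[2], fields[6], fields[9], fields[10]
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or length != len(packet):
        return False, "header mismatch"
    expected = hashlib.md5(packet + pad_key(secret)).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


if __name__ == "__main__":
    # Constructed Hello from 10.1.1.69 in area 0.0.0.0, key ID 1, sequence 100.
    hello = sign(build_hello("10.1.1.69", "0.0.0.0", 1, 100), "passport1234")
    print(verify(hello, "passport1234"))    # same key on both routers
    print(verify(hello, "passport 1234"))   # one stray space: packets are rejected
```

The second call shows why the key must match character for character on both ends of the link: a key entered as 'passport 1234' fails every digest check against passport1234.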
For this example, you create a stub area and two new VLANs, as follows:
[Diagram labels: Passport 1648T; Passport 8600; VLAN 2, 10.50.1.1/24; VLAN 3, 10.1.1.68/30 (.69, .70); Stub Area 2; Area 0]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs” and Chapter 10, “Configuring ARP, RIP, and
OSPF.”
[Diagram labels: Router; Passport 1648T; VLAN 4, 10.1.1.76/30 (.78, .77); VLAN 3, 10.1.1.68/30 (.69, .70); RIP; OSPF; OSPF Area 0; ASBR]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs,” Chapter 10, “Configuring ARP, RIP, and
OSPF,” and Chapter 11, “Configuring IP routes and route redistribution.”
[Diagram labels: Passport 1648T; VLAN 2, 10.50.1.0/24 (.1); VLAN 3, 10.1.1.68/30 (.69, .70); RIP]
To configure the RIP transmit and receive mode to version 2, use the following
command:
For more information about this command, see Chapter 10, “Configuring ARP,
RIP, and OSPF.”
For more information about the commands used in this section, see Chapter 9,
“Configuring traffic filters.”
Displaying thresholds
The output from the show scheduling command shows that the weights
assigned to Traffic Classes 0 to 2, inclusive, are all configured to the same value of
6. You can change this value, using a range from 0 to 255. This value specifies the
maximum number of packets a given hardware priority queue can transmit before
allowing the next lowest hardware priority queue to begin transmitting its packets.
For example, if you specify 3, then the highest hardware priority queue (number
3) is allowed to transmit 3 packets; the next lowest hardware priority queue
(number 2) is allowed to transmit 3 packets, and so on, until all of the queues have
transmitted 3 packets. The process then repeats.
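An added example, not part of the original manual: a Python simulation of the per-queue packet limit described above, showing the transmit order and the resulting share of packets per queue. The weights 13, 5 and 2 are an assumption chosen to give a 65/25/10 packet split under load; a weight of 0 is not modelled.

```python
from collections import Counter


def wrr_schedule(backlog, weights, rounds):
    """Simulate the scheduler for a number of rounds.

    backlog: {queue number: packets waiting at the start}
    weights: {queue number: maximum packets the queue may send per turn}
    Returns the queue number of every transmitted packet, in order.
    """
    for queue, weight in weights.items():
        if not 1 <= weight <= 255:
            raise ValueError(f"weight for queue {queue} must be 1-255 here")
    waiting = {queue: backlog.get(queue, 0) for queue in weights}
    sent = []
    for _ in range(rounds):
        # Highest hardware priority queue goes first, then the next lowest.
        for queue in sorted(weights, reverse=True):
            burst = min(weights[queue], waiting[queue])
            sent.extend([queue] * burst)
            waiting[queue] -= burst
    return sent


def share_percent(sent):
    """Percentage of transmitted packets that came from each queue."""
    counts = Counter(sent)
    total = len(sent)
    return {queue: round(100 * n / total, 1) for queue, n in counts.items()}


if __name__ == "__main__":
    # The manual's own illustration: every queue limited to 3 packets per turn.
    print(wrr_schedule({3: 10, 2: 10, 1: 10, 0: 10}, {3: 3, 2: 3, 1: 3, 0: 3}, 1))

    # Assumed weights 13:5:2 with all three queues saturated.
    busy = wrr_schedule({2: 1000, 1: 1000, 0: 1000}, {2: 13, 1: 5, 0: 2}, 10)
    print(share_percent(busy))

    # Same weights, but the top queue is idle: the others split its share.
    idle_top = wrr_schedule({2: 0, 1: 1000, 0: 1000}, {2: 13, 1: 5, 0: 2}, 10)
    print(share_percent(idle_top))
```

The limit counts packets, not bytes, so the bandwidth each queue actually receives also depends on the packet sizes in that queue.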
For this example, you prioritize traffic on egress port 39, as shown below:
802.1p value   Default PP1600 priority queue   Configured queue weight desired
5,6            2                               65%
3,4            1                               25%
0,1,2          0                               10%
[Diagram labels: Passport 1648T; ingress traffic with 802.1p = 2, 802.1p = 3, and 802.1p = 5; Port 39 (egress)]
This section shows how to configure the Passport 1600 Series switch for this
example. For more information about the following commands, see Chapter 8,
“Configuring QoS.”
For more information about the commands used in the following sections, see
Chapter 8, “Configuring QoS.”
The Passport 1600 supports two base templates that can be programmed in one of
three modes:
To configure Template 1:
To configure Template 2:
The following sections describe how to configure the L4_switch and the QoS flow
classifiers.
By default, the L4_switch classifier is used for Template 1. When configuring the
L4_switch template mode, there are three types of sessions available, with various
fields available under each session.
• TCP Session
• UDP Session
• Other Session
The following displays the various fields available for each session:
For example, if you want the switch to search for the TCP destination port and
destination IP address only in an incoming packet’s TCP header, enter the
following command:
By default, the QoS classifier is used for Template 2. The following list defines
what characteristics an incoming packet must meet:
• 802.1p
• DSCP
• IP
• TCP
• UDP
Once the template and flow classifier have been configured, you need to configure a
template rule. When configuring the template rule, you need to define which
template ID to use: L4_switch or QoS. The list of available options depends on
how you configured the flow classifier.
Depending on the flow classifier fields you selected (see page 440), enter all the
appropriate fields. The following command is an example using TCP session:
Depending on the flow classifier fields you selected (see page 442), enter all the
appropriate fields. The following command is an example using IP as the selected
QoS flow classifier:
The final step is to bind the template rule or rules configured in Step 3 to the
appropriate VLAN or VLANs.
To add the template to the appropriate VLAN, enter the following command:
Once the filter has been defined, you can view the flow classifier configuration by
entering the following command:
[Diagram labels: Passport 1648T; ingress: VLAN 10, 192.85.10.1/24; VLAN 11, 192.85.11.1/24; VLAN 12, 192.85.11.1/24; egress: Port 39, VLAN 13, 192.85.13.1/24]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 8, “Configuring QoS.”
After you configure the appropriate VLAN and IP addresses, create the IP
template.
By default, the template mode for QoS is already enabled using ID = 2. If it is not,
enter the following command:
To attach the newly created template rule to all the appropriate VLANs, enter the
following commands:
[Diagram labels: Passport 1648T; ingress: VLAN 10, 192.85.10.1/24; VLAN 11, 192.85.11.1/24; VLAN 12, 192.85.11.1/24; egress: Port 39, VLAN 13, 192.85.13.1/24]
This section describes how to configure filtering for the Passport 1600 Series
switch for this example, which assumes that you’ve already configured VLAN 10,
VLAN 11, and VLAN 12. For more information about the commands used in this
section, see Chapter 8, “Configuring QoS.”
After you’ve configured the VLANs and IP addresses, you create the IP template.
By default, the template mode for L4_switch is already enabled using ID = 1. If it
has not already been enabled, enter the following command:
To attach the newly created template rule to the appropriate VLAN, enter the
following command:
For this example, you add a filter to drop the MAC address 00:00:00:00:00:0a from
VLAN 10.
[Diagram labels: Passport 1648T; ingress: VLAN 10, 192.85.10.1/24; egress: Port 39, VLAN 13, 192.85.13.1/24]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 9, “Configuring traffic filters.”
Configuring forward-to-next-hop
When you use the L4_switch template mode, one of the action items is redirect,
which provides a forward-to-next-hop action.
• For all FTP traffic to host 192.4.4.3, use a next-hop of 10.1.1.74 to the
Passport 8600B, instead of the shortest hop of 10.1.1.70 to the Passport
8600A.
• Use the shortest next-hop of 10.1.1.70 in case 10.1.1.74 should fail.
• Configure the Passport 1648T with an ACL to filter on destination IP =
192.4.4.3 and TCP port = 23, with a redirect (forward-to-next-hop) action to
10.1.1.74.
[Diagram labels: Passport 1648T; Passport 8600A; Passport 8600B; VLAN 10; 192.85.10.3/24; .1; 10.1.1.68/30 (69, 70); 10.1.1.72/30 (.73, .74); 192.4.4.3/24]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 8, “Configuring QoS.”
Filtering IP addresses
You can configure the Passport 1600 Series switch to filter on specific destination
IP addresses. Unlike MAC filtering, IP filtering is not associated with a VLAN or
port; it is applied globally on the Passport 1600.
For this example, you add an IP filter to block forwarding to IP address 10.1.1.10.
[Diagram labels: Passport 1648T; ingress: VLAN 10, 192.85.10.1/24; egress: Port 39, VLAN 13, 192.85.13.1/24]
This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 9, “Configuring traffic filters.”
To enable the Passport 1600 to drop fragmented packets, enter the following
command:
To display the status of the IP Fragment filter, enter the following command: