
Part No. 316862-B Rev 00
March 2004

4655 Great America Parkway
Santa Clara, CA 95054

Command Line Interface Reference for the Passport 1600 Series Layer 3 Switch, Version 1.1

Copyright © 2004 Nortel Networks

All rights reserved. March 2004.
The information in this document is subject to change without notice. The statements, configurations, technical data, and
recommendations in this document are believed to be accurate and reliable, but are presented without express or implied
warranty. Users must take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.

Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and PASSPORT are trademarks of
Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
IPX is a trademark of Novell, Inc.
SSH is a trademark of SSH Communication Security.
TACACS+ is a trademark of Cisco Systems.
SecureCRT is a trademark of VanDyke Software, Inc.
SecureNetterm is a trademark of InterSoft International, Inc.
AbsoluteTelnet is a trademark of Celestial Software.
PenguiNet is a trademark of Silicon Circus Ltd.
F-Secure is a trademark of F-Secure Corporation.
The asterisk after a name denotes a trademarked item.

Restricted rights legend


Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software,
the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the
Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote
products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third
parties).

Nortel Networks Inc. software license agreement


This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel
Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping
container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted
and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel
Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no
rights other than those granted to you under this License Agreement. You are responsible for the selection of the
Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software
on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable.
To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”),
Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software
contains trade secrets and Customer agrees to treat Software as confidential information using the same care and
discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate.
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement.
Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse
assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or
modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property
to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the
event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks
or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine
Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel
Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks
with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in
such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF,
OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier
of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not
allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks
Software available under this License Agreement is commercial computer software and commercial computer
software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails
to comply with the terms and conditions of this license. In either event, upon termination, Customer must
either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from
Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If
the Software is acquired in the United States, then this License Agreement is governed by the laws of the state
of New York.


Contents

Tables

Figures

Preface
Before you begin
Text conventions
Hard-copy technical manuals
How to get help

Setting up the switch
Connecting a terminal
Setting the switch's IP address
Logging on to the system
Entering CLI commands
Editing commands
Displaying multiple pages
Understanding top-level commands

Managing switch operations
Roadmap of basic switch CLI commands
Creating an admin or user account
Configuring an existing user account
Showing an existing user account configuration
Deleting an existing user account
Configuring the command history list
Displaying the command history
Displaying all commands
Showing current switch management sessions
Showing the current status of the switch
Showing the current status of the switch serial port
Configuring the switch’s serial port
Enabling CLI paging
Disabling CLI paging
Enabling Telnet
Disabling Telnet
Enabling the Web-based manager
Disabling the Web-based manager
Saving the current switch configuration to NV-RAM
Managing files
Downloading switch firmware
Downloading a configuration file
Uploading a configuration file to a TFTP server
Uploading a log file to a TFTP server
Rebooting the switch
Resetting the switch
Logging in to the switch
Logging out of the switch

Configuring ports
Roadmap of port configuration CLI commands
Configuring ports
Displaying the current port configuration
Configuring the management port — 1612G and 1624G
Displaying the current management port configuration

Configuring Spanning Tree
Roadmap of Spanning Tree CLI commands
Configuring STP
Enabling STP on the switch
Disabling STP on the switch
Displaying STP status on the switch
Displaying STP port group status

Security features
Roadmap of security features
Syslog commands
SSH commands
TACACS+ commands
Password Protection
Password format
System Log Messages
Receiving system log messages
Creating a Syslog host
Configuring a Syslog host
Configuring the maximum number of Syslog hosts
Deleting a Syslog host
Enabling a Syslog host
Disabling a Syslog host
Displaying the current Syslog configuration on the Switch
Enabling and disabling logging on the Switch
Uploading the Switch’s log and configuration to a TFTP server
Configuring Password aging
Displaying the Password aging time
Configuring the Switch’s Secure Mode
Displaying the Switch’s current secure mode
Secure Shell (SSH)
SSH version 2 (SSH-2)
Supported SSH clients
Using the CLI to configure SSH
Configuring Secure Shell (SSH)
Creating a User account
Configuring the SSH authorization mode
Displaying the Switch’s current SSH authorization mode
Updating an SSH user account’s authorization mode
Configuring the SSH encryption algorithm
Displaying the Current SSH encryption algorithm
Displaying the Switch’s current SSH Users
Configuring the SSH Server on the Switch
Displaying the current SSH Server configuration
Enabling and disabling the SSH Server on the Switch
Configuring the SSH Server to regenerate its hostkey
TACACS+
Creating an entry to the Switch’s TACACS+ Server table
Configuring a TACACS+ Server entry on the Switch
Displaying the Switch’s TACACS+ Server table
Deleting an entry from the Switch’s TACACS+ Server table
Enabling admin-level privileges for a user-level account
Assigning a password to the “local enable” method
Configuring the login authentication settings
Configuring the authentication settings on the Switch
Configuring the authentication settings on the Switch used to promote users from user-level privileges to admin-level privileges
Enabling authentication
Disabling authentication
Displaying the Switch’s current authentication settings

Configuring VLANs
Configuring Layer 2 operations
Roadmap of VLAN CLI commands
Creating a VLAN
Deleting a VLAN
Adding ports to a VLAN configuration
Deleting ports from a VLAN configuration
Displaying a VLAN configuration
Configuring Layer 3 operations
Roadmap of IP interface CLI commands
Creating an IP interface
Configuring an IP interface
Deleting an IP interface
Configuring the System IP interface
Enabling an IP interface
Disabling an IP interface
Displaying the current IP interface configuration
Using the forwarding database
Roadmap of forwarding database CLI commands
Creating a unicast forwarding database entry
Configuring a unicast forwarding database entry
Creating a multicast forwarding database entry
Configuring the multicast forwarding database
Deleting an entry from the forwarding database
Clearing the forwarding database
Displaying the multicast forwarding database
Displaying the unicast forwarding database

Configuring link aggregation groups
Roadmap of CLI commands
Creating a link aggregation group
Deleting a link aggregation group
Configuring a link aggregation group
Displaying the link aggregation configuration

Configuring QoS
Roadmap of CLI commands
Establishing a QoS scheme
QoS templates
Security mode
QoS mode
L4 switch mode
Command overview
Configuring the flow classifier template operating mode
Configuring flow classifier template mode parameters
Displaying the flow classifier template mode
Attaching a flow classifier template
Creating an IP filter for a flow classification template
Deleting an IP filter from a flow classification template
Creating a destination IP address filter
Deleting a destination IP address filter
Displaying the destination IP address filter table
Creating a QoS rule
Deleting a QoS rule
Creating a Layer 4 switch rule
Deleting a Layer 4 switch rule
Creating a forwarding database filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218


Deleting a forwarding database filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Displaying a forwarding database filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Enabling the IP fragment filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Disabling the IP fragment filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Displaying the status of the IP fragment filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configuring scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Creating a MAC priority entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Deleting a MAC priority entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Displaying MAC priority entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Configuring traffic filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Configuring destination IP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229


Roadmap of destination IP address filter CLI commands . . . . . . . . . . . . . . . . . . 230
Creating a destination IP address filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Deleting a destination IP address filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Displaying the destination IP address filter table . . . . . . . . . . . . . . . . . . . . . . . . . 233
Configuring MAC address filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Roadmap of MAC address filter CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . 234
Creating a MAC address filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Deleting a MAC address filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Displaying MAC address filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Configuring an ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Roadmap of ARP request rate limit CLI commands . . . . . . . . . . . . . . . . . . . . . . 238
Configuring the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Enabling the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Disabling the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Displaying the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuring broadcast control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Roadmap of broadcast control CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Configuring traffic control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Displaying traffic control settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring ARP, RIP, and OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247


Roadmap of ARP CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248


Creating an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248


Deleting an ARP entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring the ARP aging time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Displaying the current ARP entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Clearing the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Configuring an ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Roadmap of ARP request rate limit CLI commands . . . . . . . . . . . . . . . . . . . . . . 253
Configuring the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Enabling the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Disabling the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Displaying the ARP request rate limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Configuring RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Roadmap of RIP CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Configuring RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Enabling RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Disabling RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Displaying the current RIP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Configuring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Roadmap of OSPF CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Enabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Disabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configuring the OSPF router ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Displaying the current OSPF configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating an OSPF area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Deleting an OSPF area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Configuring an OSPF area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Displaying the current OSPF area configuration . . . . . . . . . . . . . . . . . . . . . . . . . 272
Creating an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Displaying the currently configured OSPF host routes . . . . . . . . . . . . . . . . . . . . 275
Deleting an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Creating an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Deleting an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Displaying the currently configured OSPF area aggregations . . . . . . . . . . . . . . . 280


Displaying the current OSPF LSDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281


Displaying the current OSPF neighbor table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Displaying the current OSPF virtual neighbor table . . . . . . . . . . . . . . . . . . . . . . . 283
Configuring an OSPF IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Displaying currently configured OSPF IP interfaces . . . . . . . . . . . . . . . . . . . . . . 285
Creating an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configuring an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Deleting an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Displaying the currently configured OSPF virtual links . . . . . . . . . . . . . . . . . . . . 290
Configuring OSPF packet authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Roadmap of MD5 CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Creating an entry to the MD5 key table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Deleting an MD5 key table entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Configuring an MD5 key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Displaying the current MD5 key table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Configuring IP routes and route redistribution. . . . . . . . . . . . . . . . . . . . . 297

Using the route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298


Roadmap of route table CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Creating an IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Creating a default IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Creating an IP route using a network address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Deleting an IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Displaying the IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Configuring default IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Configuring IP routes with max static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Using route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Roadmap of route redistribution CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Creating a route redistribution from RIP to OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Creating a route redistribution from OSPF to RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Deleting a route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Configuring a route redistribution between RIP and OSPF . . . . . . . . . . . . . . . . . . . . 312
Configuring a route redistribution between OSPF and RIP . . . . . . . . . . . . . . . . . . . . 314
Displaying the route redistribution settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315


Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Roadmap of VRRP features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318


Creating a VRRP IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring a VRRP IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Displaying a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Deleting a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Enabling a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Disabling a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Configuring BootP and DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Configuring BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331


Roadmap of BootP relay commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Adding a BootP relay address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Deleting a BootP relay address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Enabling BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Disabling BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Displaying the current BootP relay configuration . . . . . . . . . . . . . . . . . . . . . . . . . 337
Configuring DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Roadmap of DNS relay CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Configuring DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Enabling DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Disabling DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Enabling the DNS relay cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Disabling the DNS relay cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Enabling the DNS static table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Disabling the DNS static table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Displaying the current DNS relay configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Roadmap of SNMP CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347


Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Creating an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Deleting an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349


Creating a trusted host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350


Deleting a trusted host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Configuring an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Configuring the SNMP system name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Configuring the SNMP location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Configuring the SNMP system contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Displaying the current SNMP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Displaying the currently configured trusted hosts . . . . . . . . . . . . . . . . . . . . . . . . 357
Managing SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Creating an SNMP trap receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Deleting an SNMP trap receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Enabling the transmission of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Disabling the transmission of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Enabling the authentication of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Disabling the authentication of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Configuring Multicasting (IGMP, IGMP Snooping, and DVMRP) . . . . . . . 363

Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363


Roadmap of IGMP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Displaying IGMP settings for all IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Displaying the IGMP group settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Configuring IGMP snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Configuring router ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Enabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Disabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Displaying the current IGMP snooping configuration . . . . . . . . . . . . . . . . . . . . . 374
Displaying IGMP snooping groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Displaying IGMP snooping forwarding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Displaying the list of router ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Configuring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Configuring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Enabling DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Disabling DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385


Displaying the current DVMRP routing table . . . . . . . . . . . . . . . . . . . . . . . . . 386


Displaying the current DVMRP neighbor router table . . . . . . . . . . . . . . . . . . 387
Displaying the current DVMRP nexthop router table . . . . . . . . . . . . . . . . . . 388
Displaying the current DVMRP configuration . . . . . . . . . . . . . . . . . . . . . . . . 389
Displaying the Switch’s IP multicast cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Roadmap of IP multicast cache commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Displaying the Switch’s IP multicast cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Displaying the switch’s IP multicast table . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Monitoring the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Roadmap of network monitoring commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394


Displaying port traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Displaying port error statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Displaying port utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Clearing the switch counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Clearing the switch log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Displaying the switch log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Configuring port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Configuring a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Deleting a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Enabling a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Disabling a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Displaying the current mirror settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Enabling and disabling RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Checking network links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Determining the network route using traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
CLI configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Resetting the switch to its factory defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412


Configuring the default VLAN for management access . . . . . . . . . . . . . . . . . . . . . . . 412
Configuration example — configuring the default VLAN . . . . . . . . . . . . . . . . . . . 413
Viewing the VLAN and IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Downloading firmware and uploading configuration files . . . . . . . . . . . . . . . . . . . . . . 415
Creating new port-based VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Configuration example — creating port-based VLANs . . . . . . . . . . . . . . . . . . . . 416
Viewing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417


Viewing the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417


Disabling Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuration example — disabling Spanning Tree . . . . . . . . . . . . . . . . . . . . . . 419
Viewing Spanning Tree status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring link aggregation groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Configuration example — configuring link aggregation groups . . . . . . . . . . . . . . 421
Enabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Configuration example — enabling OSPF globally . . . . . . . . . . . . . . . . . . . . . . . 422
Viewing OSPF status and routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Viewing OSPF neighbor status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Viewing OSPF LSDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Viewing the Passport 1600 Series switch route table . . . . . . . . . . . . . . . . . . . . . 426
Configuring OSPF MD5 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Configuration example — creating an MD5 key . . . . . . . . . . . . . . . . . . . . . . . . . 428
Configuring an OSPF stub area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Configuration example — configuring a stub area . . . . . . . . . . . . . . . . . . . . . . . 429
Configuring OSPF route distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Configuration example — configuring OSPF route distribution . . . . . . . . . . . . . . 431
Configuring RIP base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuration example — configuring RIP base . . . . . . . . . . . . . . . . . . . . . . . . . 433
Selecting Tx and Rx RIP v2 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Configuration example — configuring RIP TX and RX mode to v2 . . . . . . . . . . . 436
Configuring broadcast and multicast storm control . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Configuration example — enabling thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Displaying thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Configuring egress queue weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Configuration example — configuring port scheduling . . . . . . . . . . . . . . . . . . . . 438
Configuring QoS and IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Step 1: Configuring the template mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Step 2: Configuring the flow classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Configuring the L4_switch flow classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Configuring the QoS flow classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Step 3: Configuring the template rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Configuration example — using the L4_switch template . . . . . . . . . . . . . . . 442
Configuration example — using the QoS template . . . . . . . . . . . . . . . . . . . . 442


Step 4: Binding the template rule to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443


Configuration example — adding the template to a VLAN . . . . . . . . . . . . . . 443
Setting QoS priority for destination TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Configuration example — setting QoS Priority for destination TCP flows . . . . . . 444
Dropping TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Configuration example — dropping TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Viewing the template rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Filtering MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuration example — filtering MAC addresses . . . . . . . . . . . . . . . . . . . . . . . 447
Viewing the fdb filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Configuring forward-to-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Configuration example — forward-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Filtering IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Configuration example — filtering IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . 450
Viewing the IP filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Dropping fragmented IP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453


Tables

Table 1 Access level and default login value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


Table 2 Line editing keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 3 Multiple page display keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 4 Default severity levels and system log severity levels . . . . . . . . . . . . . . . 97
Table 5 Info log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Table 6 Warning log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Table 7 Critical log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Table 8 Error log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 9 Third party SSH client software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Table 10 QoS command overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Table 11 Unicast/multicast ratios for dynamic and static iproute and arp values . 305
Table 12 Allowed values for the OSPF routing metrics . . . . . . . . . . . . . . . . . . . . . 308
Table 13 Allowed values for the routing metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Table 14 config dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Table 15 enable dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Table 16 disable dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Table 17 show dvmrp routing_table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Table 18 show dvmrp neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Table 19 show dvmrp next hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Table 20 show dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Table 21 IP multicasting cache commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Table 22 show ipmc cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Table 23 show ipmc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Table 24 show packet port definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397


Figures

Figure 1 Login screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


Figure 2 Using the question mark (?) command . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 3 Next possible completions message . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 4 Top-level show command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Figure 5 create account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Figure 6 config account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 7 show account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Figure 8 delete account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Figure 9 config command_history command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 10 show command_history command output . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 11 ? command output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 12 dir command output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 13 show session command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 14 show switch command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Figure 15 show session command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Figure 16 config serial port command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Figure 17 enable clipaging command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 18 disable clipaging command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 19 enable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Figure 20 disable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Figure 21 enable web command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Figure 22 disable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 23 save command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Figure 24 download configuration command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Figure 25 upload configuration command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Figure 26 upload log command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 27 reboot command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Figure 28 reset config command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Figure 29 login command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73


Figure 30 logout command
Figure 31 config ports command
Figure 32 show ports command
Figure 33 config mgmt_port command
Figure 34 show mgmt_port command
Figure 35 config stp command
Figure 36 enable stp command
Figure 37 disable stp command
Figure 38 show stp (enabled)
Figure 39 show stp (disabled)
Figure 40 show stp_ports command
Figure 41 create syslog host
Figure 42 config syslog host
Figure 43 config syslog max_hosts
Figure 44 delete syslog host
Figure 45 enable syslog
Figure 46 disable syslog
Figure 47 show syslog
Figure 48 config log_state Johnson disabled
Figure 49 upload configuration
Figure 50 config password_aging
Figure 51 show password_aging
Figure 52 config secure_mode
Figure 53 show secure_mode
Figure 54 create account command
Figure 55 config ssh authmode command
Figure 56 show ssh authmode
Figure 57 config ssh user command
Figure 58 config ssh algorithm
Figure 59 show ssh algorithm
Figure 60 show ssh user
Figure 61 config ssh server
Figure 62 show ssh server
Figure 63 enable ssh
Figure 64 config ssh regenerate hostkey


Figure 65 create tacacs+_server
Figure 66 config tacacs+_server
Figure 67 show tacacs+_server
Figure 68 delete tacacs+_server
Figure 69 enable admin
Figure 70 config admin local_password
Figure 71 config admin login_authen
Figure 72 config authentication login
Figure 73 config authentication admin
Figure 74 enable authentication
Figure 75 disable authentication
Figure 76 show authentication
Figure 77 create vlan command
Figure 78 delete vlan command
Figure 79 config vlan add command
Figure 80 config vlan delete command
Figure 81 show vlan command
Figure 82 create ipif command
Figure 83 config ipif command
Figure 84 delete ipif command
Figure 85 config ipif System ipaddress command
Figure 86 enable ipif command
Figure 87 disable ipif command
Figure 88 show ipif System command
Figure 89 create fdb command
Figure 90 config fdb command
Figure 91 create multicast_fdb command
Figure 92 config multicast_fdb
Figure 93 delete fdb command
Figure 94 clear fdb all command
Figure 95 show multicast_fdb command
Figure 96 show fdb command
Figure 97 create link_aggregation command
Figure 98 delete link_aggregation command
Figure 99 config link_aggregation command


Figure 100 show link_aggregation command
Figure 101 config flow classifier template_<value 1-2> mode command
Figure 102 config flow classifier template_id <value 1-2> mode_parameters
Figure 103 show flow_classifier command
Figure 104 config flow_classifier vlan <vlan_name> command
Figure 105 create sec_rule command
Figure 106 delete sec_rule command
Figure 107 create dst_ipfilter command
Figure 108 delete dst_ipfilter command
Figure 109 show dst_ipfilter command
Figure 110 create qos_rule command
Figure 111 delete qos_rule command
Figure 112 create l4_switch_rule command
Figure 113 delete l4_switch_rule command
Figure 114 create fdbfilter command
Figure 115 delete fdbfilter command
Figure 116 show fdbfilter command
Figure 117 enable ip_fragment_filter command
Figure 118 disable ip_fragment_filter command
Figure 119 show ip_fragment_filter command
Figure 120 config scheduling command
Figure 121 create mac_priority command
Figure 122 delete mac_priority command
Figure 123 show mac_priority command
Figure 124 create dst_ipfilter command
Figure 125 delete ipfilter command
Figure 126 show dst_ipfilter command
Figure 127 create fdbfilter command
Figure 128 delete fdbfilter command
Figure 129 show fdbfilter command
Figure 130 config arp_req_rate_limit command
Figure 131 enable arp_req_rate_limit command
Figure 132 disable arp_req_rate_limit command
Figure 133 show arpentry command
Figure 134 config traffic control command


Figure 135 show traffic control command
Figure 136 create arpentry command
Figure 137 delete arpentry command
Figure 138 config arp_aging time command
Figure 139 show arpentry command
Figure 140 clear arptable command
Figure 141 config arp_req_rate_limit command
Figure 142 enable arp_req_rate_limit command
Figure 143 disable arp_req_rate_limit command
Figure 144 show arpentry command
Figure 145 config rip command
Figure 146 enable rip command
Figure 147 disable rip command
Figure 148 show rip command
Figure 149 enable ospf command
Figure 150 disable ospf command
Figure 151 config ospf router_id command
Figure 152 show ospf command - partial display
Figure 153 create ospf area command
Figure 154 delete ospf area command
Figure 155 config ospf area command
Figure 156 show ospf area command
Figure 157 create ospf host_route command
Figure 158 config ospf host_route command
Figure 159 show ospf host_route command
Figure 160 delete ospf host_route command
Figure 161 create ospf aggregation command
Figure 162 delete ospf aggregation command
Figure 163 configure ospf aggregation command
Figure 164 show ospf aggregation command
Figure 165 show ospf lsdb command
Figure 166 show ospf neighbor command
Figure 167 show ospf virtual_neighbor command
Figure 168 config ospf ipif command
Figure 169 show ospf all command


Figure 170 create ospf virtual_link command
Figure 171 config ospf virtual_link command
Figure 172 delete ospf virtual_link command
Figure 173 show ospf virtual_link command
Figure 174 create md5 key command
Figure 175 delete md5 key command
Figure 176 config md5 command
Figure 177 show md5 command
Figure 178 create iproute command
Figure 179 delete iproute command
Figure 180 show iproute command
Figure 181 config iproute command
Figure 182 config iproute default command
Figure 183 config iproute max_static_route command
Figure 184 create route redistribute dst ospf src rip command
Figure 185 create route redistribute dst rip src ospf command
Figure 186 delete route redistribute command
Figure 187 config route redistribute dst ospf src rip command
Figure 188 config route redistribute dst rip src ospf command
Figure 189 show route redistribute command
Figure 190 create vrrp ipif
Figure 191 config vrrp ipif
Figure 192 show vrrp ipif
Figure 193 delete vrrp
Figure 194 enable vrrp
Figure 195 disable vrrp
Figure 196 config bootp_relay command
Figure 197 config bootp_relay add command
Figure 198 config bootp_relay delete command
Figure 199 enable bootp_relay command
Figure 200 disable bootp_relay command
Figure 201 show bootp_relay command
Figure 202 config dnsr command
Figure 203 enable dnsr command
Figure 204 disable dnsr command


Figure 205 disable dnsr command
Figure 206 disable dnsr cache command
Figure 207 enable dnsr static command
Figure 208 disable dnsr static command
Figure 209 show dnsr static command
Figure 210 create snmp community command
Figure 211 delete snmp community command
Figure 212 create trusted_host command
Figure 213 delete trusted_host command
Figure 214 config snmp community command
Figure 215 config snmp system_name command
Figure 216 config snmp system_location command
Figure 217 config snmp system_contact command
Figure 218 show snmp command
Figure 219 show trusted_host command
Figure 220 create snmp trap_receiver command
Figure 221 delete snmp trap_receiver command
Figure 222 enable snmp command
Figure 223 disable snmp command
Figure 224 enable snmp authenticate traps command
Figure 225 disable snmp authenticate traps command
Figure 226 config igmp command
Figure 227 show igmp command
Figure 228 show igmp group command
Figure 229 config igmp_snooping all command
Figure 230 config igmp_snooping querier command
Figure 231 config router_ports command
Figure 232 enable igmp_snooping command
Figure 233 disable igmp_snooping command
Figure 234 show igmp_snooping command
Figure 235 show igmp_snooping group
Figure 236 show igmp_snooping forwarding command
Figure 237 show router_ports command
Figure 238 config dvmrp
Figure 239 enable dvmrp


Figure 240 disable dvmrp
Figure 241 show dvmrp routing_table
Figure 242 show dvmrp neighbor
Figure 243 show dvmrp nexthop
Figure 244 show dvmrp
Figure 245 show ipmc cache
Figure 246 show ipmc
Figure 247 show packet ports command
Figure 248 show error ports command
Figure 249 show utilization command
Figure 250 clear counters ports command
Figure 251 clear log command
Figure 252 show log command
Figure 253 config mirror port add command
Figure 254 config mirror port delete command
Figure 255 enable mirror command
Figure 256 disable mirror command
Figure 257 show mirror command
Figure 258 enable rmon command
Figure 259 disable rmon command
Figure 260 ping command
Figure 261 traceroute command
Figure 262 Configuration example — configuring the default VLAN for access
Figure 263 Configuration example — creating a new port-based VLAN
Figure 264 Configuration example — creating MLT group with ports 27 and 28
Figure 265 Configuration example — enabling OSPF in the default area 0
Figure 266 Configuration example — MD5 authentication
Figure 267 Configuration example — OSPF stub area
Figure 268 Configuration example — OSPF route distribution
Figure 269 Configuration example — RIP base
Figure 270 Configuration example — egress queue weight
Figure 271 Configuration example — setting QoS priority
Figure 272 Configuration example — dropping TCP flows
Figure 273 Configuration example — filtering MAC addresses
Figure 274 Configuration example — forward-to-next-hop


Figure 275 Configuration example — filtering IP addresses


Preface

The Passport 1600 is a fixed-port hardware-based Layer 3 routing switch that
supports three models:

• Passport 1612G: 12 small form factor (SFP) GBICs, which provides small to
medium aggregation
• Passport 1624G: 24 SFP GBICs, which provides small to medium aggregation
• Passport 1648T: 48 10/100, plus 4 SFP GBICs, which provides small edge
concentration

The Passport 1600 Series Layer 3 routing switch can reside in the wiring closet
(1648T) and in the data center or network core (1612G and 1624G). The Passport
1648T provides Layer 3 functionality in the wiring closet with 48 10/100 ports
and 4 GBIC ports. The Passport 1612G and 1624G provide 12 and 24 gigabit
Ethernet ports for wiring closet aggregation as well as high-speed connections for
servers and power users. These types of aggregation devices typically reside in the
network core or data center but can be placed anywhere.


This guide provides a reference for all of the commands contained in the
Command Line Interface (CLI). You use these commands to configure and
manage a Nortel Networks* Passport 1600 Series Layer 3 routing switch (also
referred to in this guide as the “Passport 1600 Series switch” or the “switch”) via
the serial port or Telnet interfaces.

For commands that use the <network_address> variable, enter an IP address
and subnet mask. For commands that use the <ip_address> variable, enter an
IP address.

Before you begin


This guide is intended for network administrators with the following background:

• Basic knowledge of networks, Ethernet bridging, and IP routing
• Familiarity with networking concepts and terminology
• Experience with windowing systems or GUIs
• Basic knowledge of network topologies


Text conventions
This guide uses the following text conventions:

angle brackets (< >)
    Indicates a single alphanumeric or numeric value that you must enter
    for the command to successfully execute.
    Example: create ipif <ipif_name> <vlan_name> ipaddress
    <network_address> {state [enable/disable]}
    In this example, you must supply an IP interface name in the
    <ipif_name> space, a VLAN name in the <vlan_name> space, and then a
    network address in the <network_address> space. Do not type the angle
    brackets.

slash (/)
    Separates sub-commands, parameters, or values in a set. These
    sub-commands, etc., may be required and mutually exclusive (enclosed
    in square brackets), or optional (enclosed in braces).
    Example: show snmp [community/trap receiver/detail]
    In this example, you must enter either community, trap receiver, or
    detail to specify which type of SNMP users the switch displays.

italic text
    Indicates new terms, book titles, and variables in command syntax
    descriptions. Where a variable is two or more words, the words are
    connected by an underscore.
    Example: If the command syntax is create ipif <ipif>, <vlan_name>
    vlan_name is a variable that you substitute a name for.

plain Courier text
    Indicates command syntax and system output, for example, prompts and
    system messages.
    Example: show snmp


square brackets ([ ])
    Indicates sub-commands, parameters, and values which are not optional,
    and are mutually exclusive. You must enter one of the sub-commands
    enclosed by square brackets for the command to successfully execute on
    the switch.
    Example: create account [admin/user]
    In this example, you must enter either admin or user to specify the
    privilege level of the account you are creating. Do not type the
    square brackets.

braces ({ })
    Indicates sub-commands, parameters, and values that are optional, and
    not mutually exclusive. You can enter one or more of the sub-commands
    enclosed by braces. If entered, some sub-commands may require a
    parameter or value. In such cases, the required parameter or value set
    corresponding to the sub-command is enclosed by square brackets.
    Example: config igmp [<ipif_name>/all] {version <value>/
    query_interval <sec>/max_response_time <sec>/
    robustness_variable <value>/last_member_query_interval <value>/
    state [enabled/disabled]}
    In this example, you must choose one of the items enclosed in the
    first set of square brackets, either <ipif_name> or all. The next set
    of values, enclosed by braces, are optional.
    Some of the optional sub-commands have a corresponding value that you
    must enter along with the parameter. For example, version requires
    that you enter the value <value> to specify the IGMP version number
    that the switch uses. Thus, if you choose the optional sub-command
    version, you must enter the version number in the <value> field for
    the command to successfully execute.
    Some optional sub-commands require that you enter a choice of
    parameters. For example, state requires the entry of either enabled or
    disabled. If you choose the optional sub-command state, you must enter
    either enabled or disabled for the command to successfully execute.
    Do not type the braces.
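
The bracket, brace and slash conventions above form a small grammar, so a change script can be checked against a syntax line before it is pasted into a switch session. The Python below is an added example, not part of the Nortel guide: it parses a syntax line written in this notation and tests whether a typed command conforms to it. It assumes that sub-commands in braces may appear in any order and at most once each, and that a variable accepts any single word; the function names and the sample commands are constructed for illustration.

```python
import re

# Template tokens: a <variable>, a grouping symbol, or a keyword.
TOKEN = re.compile(r"<[^>]+>|[\[\]{}/]|[^\s\[\]{}/<>]+")

# Syntax lines quoted in the guide's text conventions.
ACCOUNT_SYNTAX = "create account [admin/user]"
IPIF_SYNTAX = ("create ipif <ipif_name> <vlan_name> ipaddress "
               "<network_address> {state [enable/disable]}")
IGMP_SYNTAX = ("config igmp [<ipif_name>/all] {version <value>/"
               "query_interval <sec>/max_response_time <sec>/"
               "robustness_variable <value>/"
               "last_member_query_interval <value>/state [enabled/disabled]}")


def parse(template):
    """Turn a syntax line into a list of (kind, value) items."""
    tokens = TOKEN.findall(template)
    pos = 0

    def sequence(closers):
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] not in closers:
            tok = tokens[pos]
            pos += 1
            if tok == "[":      # required, mutually exclusive set
                items.append(("choice", alternatives("]")))
            elif tok == "{":    # optional, not mutually exclusive set
                items.append(("optional", alternatives("}")))
            elif tok in ("]", "}", "/"):
                raise ValueError(f"unexpected {tok!r} in template")
            elif tok.startswith("<"):
                items.append(("var", tok[1:-1]))
            else:
                items.append(("lit", tok))
        return items

    def alternatives(closer):
        nonlocal pos
        alts = [sequence({"/", closer})]
        while pos < len(tokens) and tokens[pos] == "/":
            pos += 1
            alts.append(sequence({"/", closer}))
        if pos >= len(tokens):
            raise ValueError(f"missing {closer!r} in template")
        pos += 1  # consume the closing bracket or brace
        return alts

    return sequence(set())


def match_seq(items, words, i):
    """Yield every index at which `items` can finish when started at words[i]."""
    if not items:
        yield i
        return
    (kind, val), rest = items[0], items[1:]
    if kind == "lit":
        if i < len(words) and words[i] == val:
            yield from match_seq(rest, words, i + 1)
    elif kind == "var":         # assumption: a variable is any single word
        if i < len(words):
            yield from match_seq(rest, words, i + 1)
    elif kind == "choice":      # exactly one alternative must match
        for alt in val:
            for j in match_seq(alt, words, i):
                yield from match_seq(rest, words, j)
    else:                       # optional set
        for j in match_optional(val, frozenset(), words, i):
            yield from match_seq(rest, words, j)


def match_optional(alts, used, words, i):
    """Zero or more alternatives, any order, each at most once (assumption)."""
    yield i
    for n, alt in enumerate(alts):
        if n not in used:
            for j in match_seq(alt, words, i):
                if j > i:
                    yield from match_optional(alts, used | {n}, words, j)


def is_valid(template, command):
    """True when every word of `command` is accounted for by `template`."""
    words = command.split()
    return any(end == len(words) for end in match_seq(parse(template), words, 0))


if __name__ == "__main__":
    # Constructed sample commands, not taken from the guide.
    for cmd in ("config igmp all version 2 state enabled",
                "config igmp all version",
                "config igmp all state on"):
        print(f"{cmd!r}: {'ok' if is_valid(IGMP_SYNTAX, cmd) else 'rejected'}")
```
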


Hard-copy technical manuals


You can print selected technical manuals and release notes free, directly from the
Internet. Go to the www.nortelnetworks.com/documentation URL. Find the
product for which you need documentation. Then locate the specific category and
model or version for your hardware or software product. Use Adobe* Acrobat
Reader* to open the manuals and release notes, search for the sections you need,
and print them on most standard printers. Go to Adobe Systems at the
www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

Note: The list of related publications for this manual can be found in the
release notes that came with your software.

How to get help


If you purchased a service contract for your Nortel Networks product from a
distributor or authorized reseller, contact the technical support staff for that
distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact Nortel Networks
Technical Support. To obtain contact information online, go to the
www.nortelnetworks.com/cgi-bin/comments/comments.cgi URL, then click on
Technical Support.

From the Technical Support page, you can open a Customer Service Request
online or find the telephone number for the nearest Technical Solutions Center.
If you are not connected to the Internet, you can call 1-800-4NORTEL
(1-800-466-7835) to learn the telephone number for the nearest Technical
Solutions Center.

An Express Routing Code (ERC) is available for many Nortel Networks products
and services. When you use an ERC, your call is routed to a technical support
person who specializes in supporting that product or service. To locate an ERC for
your product or service, go to the http://www.nortelnetworks.com/help/contact/
erc/index.html URL.


Chapter 1
Setting up the switch

The Passport 1600 Series Layer 3 switch supports a Command Line Interface
(CLI) that allows you to configure and manage the switch. You access the CLI
through a direct serial-port connection to the switch or through a Telnet session.
You can open a Telnet session from Device Manager by clicking on the Telnet
button on the toolbar or choosing Device > Telnet from the menu bar. For more
information about Device Manager, see Installing and Using Device Manager.
You can use any terminal or personal computer (PC) with a terminal emulator as
the CLI console station.

This chapter describes how to connect a terminal to the switch, set the IP address
for the switch, reboot the switch, and log on to the switch software. It also
explains how to enter and edit CLI commands. Specifically, this chapter includes
the following topics:

• Connecting a terminal
• Setting the switch's IP address
• Logging on to the system
• Entering CLI commands

Connecting a terminal
The serial console interface is an RS-232 port that enables a connection to a PC or
terminal for monitoring and configuring the switch. The port is implemented as a
DB-9 connector that can operate as either data terminal equipment (DTE) or data
communication equipment (DCE). The default communication protocol settings
for the Console port are:

• 9600 baud rate
• 8 data bits
• 1 stop bit
• No parity

To use the Console port, you need the following equipment:

• A VT100-compatible terminal, or a portable computer with a serial port and
  terminal-emulation software.
• A UL-listed straight-through RS-232 cable with a female DB-9 connector for
  the Console port on the switch.
  The other end of the cable must have a connector appropriate to the serial port
  on your computer or terminal. (Most computers or terminals use a male
  DB-25 connector.)
  Any cable connected to the Console port must be shielded to comply with
  emissions regulations and requirements.

To connect a computer or terminal to the Console port:

1 Set the terminal protocol as follows:
  • 9600 baud
  • 8 data bits
  • 1 stop bit
  • No parity
2 Connect the RS-232 cable to the Console port.
3 Connect the other end of the cable to the terminal or computer serial port.
4 Turn on the terminal.
  The Login screen appears.


Figure 1 Login screen

5 At the Login prompt, enter the login ID (rwa) and press Enter.
6 At the password prompt, enter the password (rwa) and press Enter.
7 Set the switch’s IP address (see “Setting the switch's IP address,” next).

Setting the switch's IP address


Each switch must be assigned its own IP Address, which is used for
communication with an SNMP network manager or other TCP/IP application (for
example, BOOTP or TFTP). The switch's default IP address is 10.90.90.90. You
can change the default switch IP address to meet the specification of your
networking address scheme.

The switch is also assigned a unique MAC address by the factory. This MAC
address cannot be changed. You can view the MAC address, using the show
switch command.

You can automatically set the switch IP address using BOOTP or DHCP
protocols, in which case you must know the actual address assigned to the switch.


The switch has Layer 3 functionality, so its ports can be sectioned into IP
interfaces - where each section has its own range of IP addresses (specified by a
network address and subnet mask). By default, an IP interface named System is
configured on the switch and contains all of the ports on the switch. Initially, you
can use the System interface to assign a range of IP addresses to the switch. Later,
when you configure VLANs and IP interfaces on the switch, the ports you assign
to these VLANs and IP interfaces will be removed from the System interface.

To set the switch’s IP address using the CLI:

1 Enter one of the following commands at the system prompt:

  config ipif System ipaddress xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy
  where:
  xxx.xxx.xxx.xxx represents the IP address to be assigned to the IP
  interface named System and yyy.yyy.yyy.yyy represents the
  corresponding subnet mask.

  or

  config ipif System ipaddress xxx.xxx.xxx.xxx/z
  where:
  xxx.xxx.xxx.xxx represents the IP address to be assigned to the IP
  interface named System and z represents the corresponding number of
  subnets in CIDR notation.
2 Save the switch configuration by entering the following command:

  save


Configuration example

The following example shows how to assign IP address 10.42.73.74 with a subnet
mask of 255.0.0.0 to the switch and save the switch parameters. The Success
message indicates that you can now configure and manage the switch via
Telnet and the CLI, using the IP address 10.42.73.74 to connect to the switch.

PP1612:4# config ipif System ipaddress 10.42.73.74/255.0.0.0
Command: config ipif System ipaddress 10.42.73.74/8

Success
PP1612:4# reboot
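
The switch echoes the dotted mask 255.0.0.0 back as /8 in the example above. The following Python helper is an added example, not part of the Nortel manual: it validates an address and mask before they are typed at the console and returns the command in the form the switch echoes. The function names, the /1 to /30 prefix range and the host-address checks are assumptions of this example, not documented switch behaviour.

```python
import ipaddress

MAX_IPIF_NAME = 12  # the CLI syntax on this page shows <ipif_name 12>


def mask_to_prefix(mask: str) -> int:
    """Convert '255.0.0.0' or '8' to a prefix length, rejecting bad masks."""
    if mask.isascii() and mask.isdigit():
        prefix = int(mask)
    else:
        mask_int = int(ipaddress.IPv4Address(mask))  # raises on malformed input
        inverted = mask_int ^ 0xFFFFFFFF
        # A valid mask is a run of 1-bits followed by 0-bits, so the inverted
        # mask has the form 2**n - 1 and shares no bits with the next integer.
        if inverted & (inverted + 1):
            raise ValueError(f"non-contiguous subnet mask: {mask}")
        prefix = 32 - inverted.bit_length()
    # Assumption of this example: a management interface needs at least
    # two usable host addresses, so only /1 through /30 are accepted.
    if not 1 <= prefix <= 30:
        raise ValueError(f"prefix /{prefix} leaves no usable host address")
    return prefix


def build_ipif_command(address: str, mask: str, ipif: str = "System") -> str:
    """Return 'config ipif <ipif> ipaddress a.b.c.d/<prefix>' after validation.

    Raises ValueError for input that would leave the interface unreachable.
    """
    if not 1 <= len(ipif) <= MAX_IPIF_NAME:
        raise ValueError(f"ipif name must be 1-{MAX_IPIF_NAME} characters")

    ip = ipaddress.IPv4Address(address)
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified or ip.is_reserved:
        raise ValueError(f"{ip} is not a unicast host address")

    prefix = mask_to_prefix(mask)
    network = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    if ip in (network.network_address, network.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {network}")

    return f"config ipif {ipif} ipaddress {ip}/{prefix}"


if __name__ == "__main__":
    # The values from the configuration example on this page.
    print(build_ipif_command("10.42.73.74", "255.0.0.0"))
```
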

Logging on to the system


When the switch completes its reboot sequence, the login prompt appears (see
Figure 1). The default value for login and password for the console and Telnet
sessions is shown in Table 1.

Table 1 Access level and default login value

Access level     Description                                    Default login   Default password

Read/write/all   Allows all the rights of Read-Write access     rwa             rwa
                 and the ability to change security settings,
                 including the CLI and Web-based
                 management user names and passwords
                 and the SNMP community strings.

Configuration example

The following example shows how to log on to the switch using read/write/all
access:

Login: rwa
Password: ***
:4#


Entering CLI commands


You enter CLI commands at the PP16xxx:4# prompt, where xxx represents the
12G-, the 16G-, or the 48T-port switch. There are a number of helpful commands
in the CLI. For example, to display a list of all of the top-level commands, use the
following command:

dir

Entering a question mark (?) will display each command followed by the various
sub-commands, input values, and parameters that are associated with each
command. The dir command has the same function as the ? command.
However, it displays less detail. Figure 2 shows the results of entering the ?
command:


Figure 2 Using the question mark (?) command


..
? {<specified_command>}
clear
clear arptable
clear counters {ports <portlist>}
clear fdb [vlan <vlan_name 32> | port <port> | all]
clear log
clear post_hist
config 802.1p default_priority [ <portlist> | all ] priority [2
| 4 | 6 | 7]
config account <username>
config arp_aging time <value 0-65535>
config bootp_relay { hops <value 1-16> | time <sec 0-65535>}
config bootp_relay add ipif <ipif_name 12> <ipaddr>
config bootp_relay delete ipif <ipif_name 12> <ipaddr>
config command_history <value 1-40>
config dnsr [[primary|secondary] nameserver
<ipaddr>|[add|delete] static <domain_name 32> <ipaddr>]
config dvmrp [ipif <ipif_name 12>| all ] {metric <value 1-31>|
probe <sec 1-65535>| neighbor_timeout <sec 1-65535>|state
[enabled|disabled]}
config fdb aging_time <sec 10-630>
config flow_classifier template_1 mode [security | qos |
l4_switch] template_2 mode [security | qos | l4_switch]
CTRL+C ESC q Quit SPACE n Next Page ENTER Next Entry a All

When you enter a command without its required parameters, the CLI will prompt
you with a Next possible completions: message (Figure 3).

Figure 3 Next possible completions message

PP1612G:4#config account
Command: config account
Next possible completions:
<username>
PP1612G:4#

In Figure 3, you entered the command config account without the required
parameter <username>, so the CLI returned the Next possible
completions: <username> message.


You can reenter the previous command (config account) at the command
prompt by pressing the up arrow. Then, you can enter the appropriate user name
and reenter the config account command. The up arrow and other helpful
console keys are described in the sections that follow.

Editing commands

The console interface assigns certain functions to the editing keys on the
management keyboard. These keys and their functions are described in Table 2.

Table 2 Line editing keys

Key           Description

Delete        The delete key deletes the character under the cursor. The
              remaining characters to the right of the cursor are then
              shifted one space to the left.
Backspace     The backspace key deletes the character immediately to the
              left of the cursor. The remaining characters to the right of the
              cursor are then shifted one space to the left.
Insert        You can toggle the insert key on or off. When on, characters
              are entered at the cursor, while the existing characters are
              shifted to the left. When off, characters are entered at the
              cursor, overwriting the existing characters.
Left Arrow    The left arrow moves the cursor one space to the left.
Right Arrow   The right arrow moves the cursor one space to the right.
Up Arrow      The up arrow re-enters the previous command line entry.
              This can be useful if you make a mistake in entering the
              parameters or values required by a given command.
Tab           The tab key displays the next possible command parameter
              entry, in a round-robin fashion, once the first level of a
              command has been entered. If the Tab key is pressed before
              any part of a command string has been entered, the first level
              of possible command entries will be displayed, starting
              with the “?” command, and proceeding through all of the
              possible commands until the last command in the list (the
              “upload” command) is displayed. Pressing the Tab key after
              the “upload” command is displayed will go through the list
              again, starting with the “?” command.


Displaying multiple pages

The console interface assigns functions to various keys on the management
station's keyboard to control the display of tables that require more than one page.
These keys are described in Table 3.

Table 3 Multiple page display keys

Key        Description

space      Displays the next page.
Ctrl + c   Stops the display of multiple pages.
Ctrl + u   Deletes a command in the CLI without executing it.
Esc        Stops the display of multiple pages.
n          Displays the next page.
p          Displays the previous page.
q          Stops the display of multiple pages (quit).
r          Refreshes the current page.
a          Displays the remaining pages without pausing between pages (all).
Enter      Displays the next line or table entry.

Understanding top-level commands


If you reenter a command that is unrecognized by the CLI, the top-level
commands are displayed under the Available commands: prompt.

Top-level CLI commands consist of commands like show or config. These
commands require one or more parameters to narrow the scope of the top-level
command. This is equivalent to show what? or config what?, where the what?
is the next sub-command or parameter.

For example, if you enter the show command with no additional parameters, the
CLI displays all of the possible next parameters (Figure 4).


Figure 4 Top-level show command

P1612G:4# show
Command: show
Next possible completions:
802.1p account arpentry bootp_relay command_history dnsr
dst_ipfilter dvmrp error fdb fdbfilter flow_classifier
igmp igmp_snooping ip_fragment_filter ipif ipmc iproute
link_aggregation log mac_priority md5 mgmt_port mirror
multicast_fdb ospf packet ports post_hist rip
route router_ports rtc scheduling serial_port session
snmp stp switch tdp template_rule traffic
trusted_host utilization vlan vlan_interface vlan_ports
PP1612G:4#

In Figure 4, all of the possible next parameters for the show command are
displayed. At the next command prompt, you use the up arrow to re-enter the
show command, followed by the account parameter. The CLI then displays the
user accounts configured on the switch.


Chapter 2
Managing switch operations

This chapter describes the basic switch configuration commands, such as the
commands for creating and configuring user accounts, displaying the switch
information (including the firmware version), configuring the RS-232 console
serial port, and enabling Telnet for out-of-band switch management. Specifically,
this chapter includes the following topics:

• Roadmap of basic switch CLI commands
• Creating an admin or user account
• Configuring an existing user account
• Showing an existing user account configuration
• Deleting an existing user account
• Configuring the command history list
• Displaying the command history
• Displaying all commands
• Showing the current status of the switch serial port
• Configuring the switch’s serial port
• Enabling CLI paging
• Disabling CLI paging
• Enabling Telnet
• Disabling Telnet
• Enabling the Web-based manager
• Managing files
• Rebooting the switch
• Resetting the switch
• Logging in to the switch
• Logging out of the switch

Roadmap of basic switch CLI commands


The following roadmap lists all of the basic switch commands and their
parameters. Use this list as a quick reference:

Command                  Parameter

create account           admin <username 15>
                         user <username 15>
config account           <username 15>
show account
delete account           <username 15>
config command_history   <value 1-40>
show command_history
?
dir
show session
show switch
show serial_port
config serial_port       baud_rate [9600|19200|38400|115200]
                         auto_logout
                         [never|2-minutes|5_minutes|10_minutes|15_minutes]
enable clipaging
disable clipaging
enable telnet            <tcp_port_number 1-65535>
disable telnet
enable web               <tcp_port_number 1-65535>
disable web
save
download firmware        <ipaddr> <path_filename 64>
download configuration   <ipaddr> <path_filename 64>
                         increment
upload configuration     <ipaddr> <path_filename 64> <append_account>
upload log               <ipaddr> <path_filename 64> <append_account>
reboot
reset                    config
                         system
login
logout

Creating an admin or user account


To create an admin or user account, including a username and password, use the
create account command. Note that this command also allows you to select
the privileges this account will have. In general, user-level accounts can display
the switch’s current configuration, but cannot make any changes. Admin-level
accounts have full access to all configuration commands.

To create a new account, use the following command:

create account


This command includes the following options:

create account
followed by:

admin <username 15>
    Creates an administrator-level user account. This
    user can execute all of the commands in the CLI
    without restriction.
    • username identifies the user. It is an
      alphanumeric string, from 1 to 15 characters.

user <username 15>
    Creates a user-level user account. This user is
    limited to displaying switch configuration and
    accumulated switch statistics.
    • username identifies the user. It is an
      alphanumeric string, from 1 to 15 characters.

Figure 5 shows you how to create a new administrator-level user account with the
username Test.

Figure 5 create account command

PP1612G:4#create account admin Test
Command: create account admin Test

Enter a case-sensitive new password:****
Enter the new password again for confirmation:****
Success.

PP1612G:4#


Configuring an existing user account


To configure an existing user account (change the account’s password) after you
have created it, use the following command:

config account <username 15>

where:
username 15 is the name assigned to the account. It is an alphanumeric string,
from 1 to 15 characters.

Figure 6 shows you how to change the password for the user account named Test.

Figure 6 config account command

PP1612G:4#config account Test
Command: config account Test

Enter an old password:****
Enter a case-sensitive new password:****
Enter the new password again for confirmation:****

Success.
PP1612G:4#

Showing an existing user account configuration


To display the configuration of an existing user account, use the following
command:

show account

Figure 7 shows an example of the console screen when you display the user
accounts configured on the switch.


Figure 7 show account command

PP1612G:4#show account
Command: show account

Current Accounts:
Username        Access Level
--------------- ------------
System          user
Test            Admin

PP1612G:4#

Deleting an existing user account


To delete an existing user account, use the following command:

delete account <username 15>

where:
username 15 is the name assigned to the account. It is an alphanumeric string,
from 1 to 15 characters.

Figure 8 shows an example of the console screen when you delete the existing
user account Test configured on the switch.

Figure 8 delete account command

PP1612G:4#delete account Test
Command: delete account Test

Success.

PP1612G:4#


Configuring the command history list


The 1600 Series switches retain the list of commands that you enter during the
current session. You can configure the command history list to retain up to 40
commands by using the following command:

config command_history <value 1-40>

where:
value 1-40 represents the number of commands that the switch will retain in
its command history list. The valid range is 1 to 40 commands.

Figure 9 shows the command history being configured to retain the last 20
commands:

Figure 9 config command_history command

PP1612G:4# config command_history 20
Command: config command_history 20

Success

PP1612G:4#

Displaying the command history


To display the commands that you entered previously, use the following
command:

show command_history

The number of commands displayed depends on the value you entered using the
config command_history command.

Figure 10 shows sample output for the show command_history command.


Figure 10 show command_history command output

PP1612G:4# show command_history
Command: show command_history

?
?
delete account test
delete account
show account test
config account
show account
config account test
config account
create account admin
create account user test
create account user
user
create account
create user account
PP1612G:4#

Displaying all commands


To display the entire list of commands available in the 1600 Series CLI, including
all parameters and arguments, use the following command:

?

Figure 11 shows sample output for the ? command.


Figure 11 ? command output

PP1612G:4# ?
Command: ?

..
? {<specified_command>}
clear
clear arptable
clear counters {ports <portlist>}
clear fdb [vlan <vlan_name 32> | port <port> | all]
clear log
clear post_hist
config 802.1p default_priority [ <portlist> | all ] priority
[2 | 4 | 6 | 7]
config account <username>
config arp_aging time <value 0-65535>
config bootp_relay { hops <value 1-16> | time <sec 0-65535>}
config bootp_relay add ipif <ipif_name 12> <ipaddr>
config bootp_relay delete ipif <ipif_name 12> <ipaddr>
config command_history <value 1-40>
config dnsr [[primary|secondary] nameserver
<ipaddr>|[add|delete] static <domain
_name 32> <ipaddr>]
config dvmrp [ipif <ipif_name 12>| all ] {metric <value 1-31>|
probe <sec 1-6553
5>| neighbor_timeout <sec 1-65535>|state [enabled|disabled]}
config fdb aging_time <sec 10-630>
config flow_classifier template_1 mode [security | qos |
l4_switch] template_2 m
ode [security | qos | l4_switch]
ode [security | qos | l4_switch]
config flow_classifier template_id <value 1-2> mode_parameters
[qos_flavor [802.
1p | dscp | dst_ip | dst_tcp_port | dst_udp_port] | l4_session
{tcp_session fiel
ds {dip | sip | tos | dst_port | src_port | tcp_flags} |
udp_session fields {dip
| sip | tos | dst_port | src_port} | other_session fields
{dip | sip | tos | l4
_protocol | icmp_msg | igmp_type}}]
PP1612G:4#


To display the complete command list, use the following command:

dir

Figure 12 shows sample output from the dir command.

Figure 12 dir command output

PP1612G:4# dir
Command: dir

..
?
clear
clear arptable
clear counters
clear fdb
clear log
clear post_hist
config 802.1p default_priority
config account
config arp_aging time
config bootp_relay
config bootp_relay add ipif
config bootp_relay delete ipif
config command_history
config dnsr
config dvmrp
config fdb aging_time
config flow_classifier template_1 mode
config flow_classifier template_id
config flow_classifier vlan
config igmp
config igmp_snooping
config igmp_snooping querier
config ip_forwarding
...


Showing current switch management sessions


To display all of the current connections to the switch’s management agent, use
the following command:

show session

Figure 13 shows the console screen when you display the current switch
management sessions.

Figure 13 show session command

PP1612G:4#show session

ID Live Time From Level Name
--- ------------ ------ ----- -----
0 0:17:16.2 Serial Port 4 Anonymous

PP1612G:4#

Showing the current status of the switch


To display the current status of the switch, use the following command:

show switch

The information that displays includes the IP address and subnet mask, the name
of the VLAN on which the switch’s IP address resides, and the boot PROM and
firmware version.

Figure 14 shows a sample console screen when you display the current switch
status.


Figure 14 show switch command

Showing the current status of the switch serial port


To display the current status of the switch’s serial port, use the following command:

show serial_port


Figure 15 shows a sample console screen when you display the current serial port
configuration.

Figure 15 show serial_port command

PP1648T:4# show serial_port
Command: show serial_port

Baud Rate : 9600
Data Bits : 8
Parity Bits : None
Stop Bits : 1
Auto-Logout : 10 mins
PP1648T:4#

Configuring the switch’s serial port


The switch’s serial port has the following default configuration:

• Baud Rate: 9600
• Data Bits: 8
• Parity Bits: None
• Stop Bits: 1
• Auto-Logout: 10 minutes

To change the settings of the switch’s serial port, use the following command:

config serial_port


This command includes the following options:

config serial_port
followed by:

baud_rate [9600|19200|38400|115200]
    The serial bit rate that is used to communicate
    with the switch’s serial port.

auto_logout [never|2-minutes|5_minutes|10_minutes|15_minutes]
    The length of time a console session is inactive
    before the console session is closed by the
    switch.
    Note: This command also applies to Telnet
    sessions. For security reasons, do not set this
    command to never.

Figure 16 shows a sample console screen when you set the serial port baud rate
to 9600.

Figure 16 config serial port command

PP1612G:4#config serial_port baud_rate 9600
Command: config serial_port baud_rate 9600

Success.

PP1612G:4#
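
The auto_logout note above, turned into a check over captured console output. This is an added Python example, not part of the Nortel manual; it also lists admin-level accounts that are not on an approved list. The capture is constructed from Figures 7 and 15; the "Never" display value, the function names and the approved-admin list are assumptions.

```python
import re

# Constructed capture, modelled on Figures 7 and 15 of this manual. The
# "Never" value is an assumption: the manual only shows "10 mins".
CAPTURE = """\
PP1648T:4# show serial_port
Command: show serial_port

Baud Rate : 9600
Data Bits : 8
Parity Bits : None
Stop Bits : 1
Auto-Logout : Never
PP1648T:4# show account
Command: show account

Current Accounts:
Username        Access Level
--------------- ------------
System          user
Test            Admin

PP1648T:4#
"""

# A prompt looks like "PP1648T:4#" (or just ":4#"), optionally followed by
# the command that was typed.
PROMPT = re.compile(r"^\S*:\d+#\s*(.*)$")


def split_commands(capture):
    """Map each command typed at a prompt to the output lines that follow it."""
    sections, current = {}, None
    for line in capture.splitlines():
        match = PROMPT.match(line)
        if match:
            current = match.group(1).strip() or None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(line)
    return sections


def parse_settings(lines):
    """Parse 'Key : Value' lines (show serial_port) into a dict."""
    settings = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_accounts(lines):
    """Return [(username, access_level)] from the rows under the dashed rule."""
    accounts, in_table = [], False
    for line in lines:
        if line.startswith("---"):
            in_table = True
        elif in_table and len(line.split()) == 2:
            username, level = line.split()
            accounts.append((username, level))
    return accounts


def audit(capture, approved_admins):
    """Return a list of findings for one captured console session."""
    findings = []
    sections = split_commands(capture)

    if "show serial_port" not in sections:
        findings.append("show serial_port output not captured")
    else:
        timeout = parse_settings(sections["show serial_port"]).get("Auto-Logout", "")
        if timeout.lower() == "never":
            findings.append("auto_logout is never: idle console and Telnet "
                            "sessions stay logged in")

    if "show account" not in sections:
        findings.append("show account output not captured")
    else:
        for username, level in parse_accounts(sections["show account"]):
            # Exact-match comparison; whether the switch treats usernames
            # as case-sensitive is not stated in the manual.
            if level.lower() == "admin" and username not in approved_admins:
                findings.append(f"unapproved admin-level account: {username}")
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE, approved_admins={"netops"}):
        print("FINDING:", finding)
```
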

Enabling CLI paging


To enable paging for the CLI, use the following command:

enable clipaging

By using this command you can pause the console screen at the end of each page
instead of scrolling through more than one screen of information.

Figure 17 shows a sample console screen when you enable CLI paging.


Figure 17 enable clipaging command

PP1612G:4#enable clipaging
Command: enable clipaging

Success.

PP1612G:4#

Disabling CLI paging


To disable paging for the CLI, use the following command:

disable clipaging

This command stops the console from pausing at the end of each page, so output
that is longer than one screen scrolls without interruption.

Figure 18 shows a sample console screen when you disable CLI paging.

Figure 18 disable clipaging command

PP1612G:4#disable clipaging
Command: disable clipaging

Success.

PP1612G:4#


Enabling Telnet
To enable Telnet connections between a remote management station and the
switch, using the default TCP port number 23, use the following command:

enable telnet

You can use all of the commands described in this manual to configure the 1600
switch over an Ethernet link using the Telnet protocol. The procedures, syntax of
the commands, and input of values are identical when using either the serial port
or the Telnet protocol to configure and manage the switch.

This command contains the following parameters:

enable telnet
followed by:

<tcp_port_number 1-65535>
    The TCP port number that a remote management
    station uses to establish a Telnet connection. The
    default TCP port number for Telnet is 23.

Figure 19 shows a sample console screen when you enable Telnet, using TCP port
number 23.

Figure 19 enable telnet command

PP1612G:4#enable telnet 23
Command: enable telnet 23

Success.

PP1612G:4#


Disabling Telnet
To disable Telnet as a communication protocol between a remote management
station and the switch, use the following command:

disable telnet

Figure 20 shows a sample console screen when you disable Telnet.

Figure 20 disable telnet command

PP1612G:4#disable telnet
Command: disable telnet

Success.

PP1612G:4#

Enabling the Web-based manager


To enable Web-based connections between a remote management station and the
switch, using the default TCP port number 80, use the following command:

enable web

You can use all of the commands described in this manual to configure the 1600
switch over an Ethernet link using a web browser and the web-based management
agent built into the switch.


This command contains the following parameters:

enable web
followed by:

<tcp_port_number 1-65535>
    The TCP port number that a remote management
    station uses to establish a connection between a
    web browser and the web-based management
    agent built into the switch. The default TCP port
    number for the web-based manager is 80.

Figure 21 shows a sample console screen when you enable the web-based manager,
using TCP port number 80.

Figure 21 enable web command

PP1612G:4#enable web 80
Command: enable web 80

Success.

PP1612G:4#

Disabling the Web-based manager


To disable connections between a remote management station’s web browser and
the web-based management agent built into the switch, use the following
command:

disable web

Figure 22 shows a sample console screen when you disable the web-based
manager.

Figure 22 disable web command

PP1612G:4#disable web
Command: disable web

Success.

PP1612G:4#

Saving the current switch configuration to NV-RAM


To save the current switch configuration to the switch’s non-volatile RAM, use
the following command:

save

Figure 23 shows a sample console screen when you save the current switch
configuration to NV-RAM.

Figure 23 save command

PP1612G:4#save
Command: save

Saving all settings to NV-RAM........ Done.
done.
PP1612G:4#


Managing files
Trivial File Transfer Protocol (TFTP) services allow you to upgrade the switch’s
firmware by transferring a new firmware file from a TFTP server
to the switch. A configuration file can also be loaded into the switch from a TFTP
server, switch settings can be saved to the TFTP server, and a history log can be
uploaded from the switch to the TFTP server.

This section describes the download/upload commands in the Command Line
Interface (CLI) along with the appropriate parameters.

• Downloading switch firmware
• Downloading a configuration file
• Uploading a configuration file to a TFTP server
• Uploading a log file to a TFTP server

Downloading switch firmware

To download switch firmware, use the following command:

download firmware <ipaddr> <path_filename 64>

where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.

Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.

For example, to download and install a new switch firmware file from a remote
TFTP server, IP address 10.20.20.128, on the server’s hard drive at
C:\firmware.had, enter the following command:

download firmware 10.20.20.128 C:\firmware.had

Downloading a configuration file


To download a configuration file, use the following command:

download configuration <ipaddr> <path_filename 64>

where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.


This command includes the following option:

download configuration <ipaddr> <path_filename 64>
followed by:

increment
    Allows a configuration file to be downloaded that will only make changes
    explicitly stated in the file. All other configuration settings on the
    switch will remain unchanged.

Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.

Figure 24 shows how to download a configuration file named c:\cfg\setting.txt
from the TFTP server at IP address 10.48.74.121:

Figure 24 download configuration command

PP1612G:4# download configuration 10.48.74.121


c:\cfg\setting.txt
Command: download configuration 10.48.74.121
c:\cfg\setting.txt

Connecting to server................... Done.


Download configuration............. Done.

PP1612G:4#


Uploading a configuration file to a TFTP server

To upload the current switch configuration settings to a remote TFTP server, enter
the following command:

upload configuration <ipaddr> <path_filename 64> <append_account>

where:
ipaddr is the IP address of the remote TFTP server.

path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the configuration file from the switch. The path filename
can be up to 64 characters.

append_account instructs the switch to upload user account information,
including passwords, to the TFTP server. The passwords in the uploaded
configuration file will be encrypted using a key that is unique to the Passport 1600
series switches. Only a Passport 1600 series switch has the key necessary to
decrypt passwords that are uploaded using the append_account command, and the
encrypted passwords will only be decrypted when a configuration file is
downloaded to the switch.

Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.

Figure 25 shows how to upload a switch configuration file named c:\cfg\cfg.txt to
a remote TFTP server at IP address 10.48.74.121.


Figure 25 upload configuration command

PP1612G:4# upload configuration 10.48.74.121


c:\cfg\cfg.txt
Command: upload configuration 10.48.74.121
c:\cfg\cfg.txt

Connecting to server................... Done.


Upload configuration...................Done.

PP1612G:4#

Uploading a log file to a TFTP server

To upload a log file to a remote TFTP server, use the following command:

upload log <ipaddr> <path_filename 64> <append_account>

where:
ipaddr is the IP address of the remote TFTP server, and
path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the log file from the switch.

Note: If you download the switch firmware via the PP1612G/24G out-of-band
management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file
transfer. TFTP server software is a part of many network management software
packages, or you can obtain it as a separate program.

Figure 26 shows how to upload a log file named c:\cfg\log.txt to a remote TFTP
server at IP address 10.48.74.121.


Figure 26 upload log command

PP1612G:4# upload log 10.48.74.121 c:\cfg\log.txt


Command: upload log 10.48.74.121 c:\cfg\log.txt

Connecting to server................... Done.


Upload log .............................Done.

PP1612G:4#

Rebooting the switch


To reboot the switch, use the following command:

reboot

Figure 27 shows a sample console screen when you reboot the switch.


Figure 27 reboot command

PP1612G:4#reboot
Command: reboot

If you do not save the settings, all changes made will be


lost. Are you sure you want to proceed with the system
reboot (y/n)?
Please wait, the switch is rebooting...

Boot Procedure 0.00.001

Power On Self Test ………………………100%

MAC Address : 00-05-5D-11-F9-20


H/W Version : 2B1

Please wait, loading Runtime image ….100%

Resetting the switch


To reset the switch’s configuration to the factory defaults (except the system IP
address, log history and TDP), use the following command:

reset

This command contains the following parameters:

reset
followed by:

config
    Resets the agent to default settings, except history log and TDP.
system
    Resets the agent to default settings, except the history log. Then, the
    switch will do a factory reset, save, and reboot.

Figure 28 shows a sample console screen when you reset the switch configuration.


Figure 28 reset config command

PP1612G:4#reset config
Command: reset config

Warning! Switch will be reset to factory defaults


Are you sure you want to proceed with a reset (y/n)?
Success.

Logging in to the switch


To log in to the switch, use the following command:

login

Figure 29 shows a sample console screen when you initiate the login procedure on
the switch.

Figure 29 login command

PP1612G:4#login
Command: login

UserName:

Logging out of the switch


To log out of the switch, use the following command:

logout

Figure 30 shows a sample console screen when you log out of the switch.


Figure 30 logout command

PP1612G:4#logout


Chapter 3
Configuring ports

This chapter describes the CLI commands that you can use to set the speed, flow
control, MAC address learning, and the state (enabled or disabled) for a port or
range of ports on the switch. It includes the following topics:

Topic
Roadmap of port configuration CLI commands
Configuring ports

Roadmap of port configuration CLI commands


The following roadmap lists some of the port configuration commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on configuring ports.

Command                   Parameter
config ports <portlist>   all
                          speed [auto|10_half|10_full|100_half|100_full|1000_full]
                          flow_control [enabled|disabled]
                          learning [enabled|disabled]
                          state [enabled|disabled]
show ports                <portlist>
config mgmt_port          speed [auto|10_half|10_full|100_half|100_full|1000_full]
                          flow_control [enabled|disabled]
                          learning [enabled|disabled]
                          state [enabled|disabled]

Configuring ports
To configure the ports on the switch, use the following command:

config ports <portlist>

where:
portlist allows you to specify the ports that you want to configure. You must
first enter the lowest port number in a group, and then the highest port number in
the group, separated by a dash. For example, to enter a port group that includes
switch ports 1, 2, and 3, enter 1-3.

To enter ports that are not contained within a group, enter the port numbers,
separated by a comma. For example, port group 1-3 and port 26 are entered
as 1-3, 26.

This command includes the following options:

config ports <portlist>
followed by:

all
    Applies the command to all ports on the switch.
speed [auto|10_half|10_full|100_half|100_full|1000_full]
    Sets the speed, in Mbps, and the duplex state, full or half, the port will
    use to make a link.
    Note: Setting a port speed duplex operation that is not supported on a port
    will result in a failed operation. For example, setting a Passport 1648
    10/100BaseT to 1000 full or half will result in a failed operation.
flow_control [enabled|disabled]
    Enables or disables flow control for the range of ports specified above.
learning [enabled|disabled]
    Enables or disables MAC address learning for the range of ports specified
    above.
state [enabled|disabled]
    Enables or disables forwarding of frames for the range of ports specified
    above.

Figure 31 shows how to set ports 1, 2, and 3 to 10 Mbps, full duplex, with
MAC address learning and frame forwarding enabled on the switch.

Figure 31 config ports command

PP1648T:4# config ports 1-3 speed 10_full learning


enabled state enabled
Command: config ports 1-3 speed 10_full learning enabled
state enabled
Success.
PP1648T:4#

Displaying the current port configuration

To display the current management port configuration, use the following
command:

show ports

This command contains no additional options:

show ports
followed by:
<portlist> Specifies a list of ports to display.

Figure 32 shows the current configuration of the management port.


Figure 32 show ports command

PP1612G:4#show ports

Port  Port    Settings              Connection            Address
      State   Speed/Duplex/FlowCtrl Speed/Duplex/FlowCtrl Learning
----- -----   --------------------- --------------------- --------
1     Enabled Auto/Disabled         Link Down             Enabled
2     Enabled Auto/Disabled         Link Down             Enabled
3     Enabled Auto/Disabled         Link Down             Enabled
4     Enabled Auto/Disabled         Link Down             Enabled
5     Enabled Auto/Disabled         Link Down             Enabled
6     Enabled Auto/Disabled         Link Down             Enabled
7     Enabled Auto/Disabled         Link Down             Enabled
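
Ports that are administratively enabled but show no link are a common hardening review item, since `state disabled` stops frame forwarding on them. The following added example (not from the Nortel guide) parses `show ports` output in the Figure 32 layout and builds a `config ports <portlist> state disabled` command for review. The sample rows, the link-up value `100M/Full/None` in the Connection column, the comma separator without a space, and all function names are assumptions.

```python
import re

# One data row of "show ports" as laid out in Figure 32:
# port, administrative state, configured settings, live connection, learning.
ROW = re.compile(
    r"^\s*(\d+)\s+(Enabled|Disabled)\s+(\S+)\s+(Link Down|\S+)\s+(Enabled|Disabled)\s*$"
)


def parse_show_ports(text):
    """Return one dict per port row; prompts, headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, state, settings, conn, learning = m.groups()
        rows.append({
            "port": int(port),
            "enabled": state == "Enabled",
            "settings": settings,
            "link_up": conn != "Link Down",
            "learning": learning == "Enabled",
        })
    return rows


def to_portlist(ports, sep=","):
    """Compress port numbers into <portlist> form, e.g. [1, 2, 3, 26] -> 1-3,26.

    The guide prints the example as "1-3, 26"; whether the CLI accepts a space
    after the comma is not stated, so the separator is a parameter (assumption).
    """
    ports = sorted(set(ports))
    groups, start = [], None
    for i, p in enumerate(ports):
        if start is None:
            start = p
        last_in_run = i + 1 == len(ports) or ports[i + 1] != p + 1
        if last_in_run:
            groups.append(str(start) if start == p else f"{start}-{p}")
            start = None
    return sep.join(groups)


def parse_portlist(spec, max_port):
    """Expand a <portlist> such as "1-3, 26"; reject malformed or reversed ranges."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"not a port or range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"lowest port number must come first: {item!r}")
        if lo < 1 or hi > max_port:
            raise ValueError(f"port out of range 1-{max_port}: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def disable_candidates_command(show_ports_text):
    """Build a command that disables every enabled port with no link.

    Link state is a point-in-time observation, so the result is a list of
    candidates for review, not a change to apply blindly.
    """
    idle = [r["port"] for r in parse_show_ports(show_ports_text)
            if r["enabled"] and not r["link_up"]]
    if not idle:
        return None
    return f"config ports {to_portlist(idle)} state disabled"


# Constructed sample in the Figure 32 layout (port 3 up, port 5 already disabled).
SAMPLE = """\
PP1612G:4#show ports
Port  Port    Settings              Connection            Address
      State   Speed/Duplex/FlowCtrl Speed/Duplex/FlowCtrl Learning
----- -----   --------------------- --------------------- --------
1 Enabled Auto/Disabled Link Down Enabled
2 Enabled Auto/Disabled Link Down Enabled
3 Enabled Auto/Disabled 100M/Full/None Enabled
4 Enabled Auto/Disabled Link Down Enabled
5 Disabled Auto/Disabled Link Down Enabled
6 Enabled Auto/Disabled Link Down Enabled
7 Enabled Auto/Disabled Link Down Enabled
"""

if __name__ == "__main__":
    print(disable_candidates_command(SAMPLE))
```
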

Configuring the management port — 1612G and 1624G


This section applies only to the Passport 1612G and 1624G switches — which
have a dedicated copper Ethernet management port, in addition to the fiber optic
ports, for the convenience of the network administrator. Other switches in the
Passport 1600 series do not have a dedicated copper management port.

To configure the copper management port on the 1612G and 1624G switches, use
the following command:

config mgmt_port speed auto


This command includes the following options:

config mgmt_port
followed by:

speed [auto|10_half|10_full|100_half|100_full|1000_full]
    Sets the speed, in Mbps, and the duplex state, full or half, the port will
    use to make a link.
    Note: Setting a port speed duplex operation that is not supported on a port
    will result in a failed operation. For example, setting a Passport 1648
    10/100BaseT to 1000 full or half will result in a failed operation.
flow_control [enabled|disabled]
    Enables or disables flow control for the range of ports specified above.
state [enabled|disabled]
    Enables or disables forwarding of frames for the range of ports specified
    above.

Figure 31 shows how to configure the dedicated management port to 100 Mbps,
full duplex, with MAC address learning and frame forwarding enabled on the
switch.

Figure 33 config mgmt_port command

PP1612G:4# config mgmt_port speed 100_full state enabled


Command: config mgmt_port speed 100_full state enabled
Success.
PP1612G:4#

Displaying the current management port configuration

To display the current management port configuration, use the following
command:

show mgmt_port

This command contains no additional options:


Figure 33 shows the current configuration of the management port.

Figure 34 show mgmt_port command

PP1612G:4#show mgmt_port

Port     Settings              Connection
State    Speed/Duplex/FlowCtrl Speed/Duplex/FlowCtrl
-----    --------------------- ---------------------
Enabled  Auto/Disabled         Link Down


Chapter 4
Configuring Spanning Tree

The IEEE 802.1D Spanning Tree Protocol (STP) allows links between switches
that form loops within the network to be blocked. When it detects multiple links
between switches, it establishes a primary link. Duplicate links are then blocked
and become standby links. STP also allows you to use these duplicate links in the
event of a failure of the primary link. The reactivation of the blocked links is done
automatically, without requiring operator intervention.

STP operates on two levels:

• Switch level, where the settings are globally implemented
• Port level, where the settings are implemented on a per user-defined STP
group basis

This chapter describes the commands you use to configure, enable and disable
STP, and show STP ports. Specifically, it includes the following topics:

Topic
Roadmap of Spanning Tree CLI commands
Configuring STP
Enabling STP on the switch
Disabling STP on the switch
Displaying STP status on the switch
Displaying STP port group status


Roadmap of Spanning Tree CLI commands


The following roadmap lists all of the STP commands and their parameters. Use
this list as a quick reference or click on any entry for more information:

Command          Parameter
config stp       ports <portlist>
                 maxage <value>
                 hellotime <value>
                 forwarddelay <value>
                 priority <value>
                 fbpdu [enable|disable]
enable stp
disable stp
show stp
show stp ports   <portlist>

Configuring STP
To configure STP on the switch, use the following command:

config stp


This command uses the following options:

config stp
followed by:

ports <portlist>
    Specifies a range of ports for which you wish to configure STP. You specify
    ports by entering the lowest port number in a group, and then the highest
    port number, separated by a dash.
    For example, you enter a port group including the switch ports 1, 2, and 3
    as 1-3. You specify ports that are not contained within a group by entering
    their port number, separated by a comma. Thus, you enter the port group 1-3
    and port 26 as 1-3, 26.
maxage <value>
    This is the maximum amount of time, in seconds, that the switch will wait
    to receive a BPDU packet before re-configuring STP. The default is 20
    seconds.
hellotime <value>
    This is the time interval, in seconds, between transmissions of STP
    configuration messages by the root device. The default is 2 seconds.
forwarddelay <value>
    This is the maximum amount of time, in seconds, that the root device will
    wait before transitioning STP states. The default is 15 seconds.
priority <value>
    This is a numerical value between 0 and 65535 that is used by STP to
    determine the root device, root port, and designated port. The device with
    the highest priority becomes the root device, and so on. The lower the
    numerical value of the STP priority for a given device or port, the higher
    the priority for that device or port. The default is 32768.
fbpdu [enable|disable]
    This enables or disables the forwarding of STP BPDU (Bridge Protocol Data
    Unit) packets from other network devices when STP is disabled on the
    switch. The default is enabled.

Figure 35 shows you how to configure STP on the switch, using a max age time of
18 seconds, and a hello time of 4 seconds.


Figure 35 config stp command

PP1648T:4# config stp maxage 18 hellotime 4


Command: config stp maxage 18 hellotime 4

Success.

PP1648T:4#

Enabling STP on the switch


To globally enable STP on the switch, use the following command:

enable stp

This command contains no parameters.

Figure 36 shows you how to globally enable STP on the switch.

Figure 36 enable stp command

PP1648T:4#enable stp
Command: enable stp

Success.

PP1648T:4#

Disabling STP on the switch


To globally disable STP on the switch, use the following command:

disable stp


This command contains no parameters:

Figure 37 shows you how to globally disable STP on the switch.

Figure 37 disable stp command

PP1648T:4# disable stp


Command: disable stp

Success.

PP1648T:4#

Displaying STP status on the switch


To globally display STP status on the switch, use the following command:

show stp

Figure 38 shows you an example of an STP switch status display when STP is
enabled.


Figure 38 show stp (enabled)

PP1648T:4# show stp


Command: show stp

STP Status : Enabled


Max Age : 18
Hello Time : 4
Forward Delay : 15
Priority : 32768
Forwarding BPDU : Enabled

Designated Root Bridge : 00-00-00-12-00-00


Root Priority : 32768
Cost to Root : 19
Root Port : 33
Last Topology Change : 13sec
Topology Changes Count : 0

PP1648T:4#

Figure 39 shows you an example of an STP switch status display when STP is
disabled.

Figure 39 show stp (disabled)

PP1648T:4# show stp


Command: show stp

STP Status : Disabled


Max Age : 18
Hello Time : 4
Forward Delay : 15
Priority : 32768
Forwarding BPDU : Enabled

PP1648T:4#


Displaying STP port group status


To display the status of an STP port group, use the following command:

show stp ports

This command uses the following options:

show stp ports
followed by:

<portlist>
    Specifies a range of ports you want to use to display STP status. You
    specify ports by entering the lowest port number in a group, and then the
    highest, separated by a dash.
    For example, you enter a port group including the switch ports 1, 2, and 3
    as 1-3. You enter ports that are not contained within a group by entering
    their port number, separated by a comma. Thus, you enter the port group 1-3
    and port 26 as 1-3, 26.

Figure 40 shows you how to display the status of an STP port group, consisting of
ports 1 through 9.

Figure 40 show stp_ports command

PP1648T:4# show stp ports 1-9


Command: show stp ports 1-9

Port Connection          State    Cost Priority Status     STP Name
---- ------------------- -------- ---- -------- ---------- --------
1    100M/Full/None      Enabled  *19  128      Forwarding s0
2    Link Down           Enabled  *19  128      Disabled   s0
3    Link Down           Enabled  *19  128      Disabled   s0
4    Link Down           Enabled  *19  128      Disabled   s0
5    Link Down           Enabled  *19  128      Disabled   s0
6    Link Down           Enabled  *19  128      Disabled   s0
7    Link Down           Enabled  *19  128      Disabled   s0
8    Link Down           Enabled  *19  128      Disabled   s0
9    Link Down           Enabled  *19  128      Disabled   s0


Chapter 5
Security features

This chapter describes the CLI commands that you can use to set the security
features of the Switch. It includes the following topics:

Topic
Roadmap of security features
Password Protection
System Log Messages
Configuring Password aging
Configuring the Switch’s Secure Mode
Secure Shell (SSH)
Configuring Secure Shell (SSH)
TACACS+

Roadmap of security features


The following roadmap lists the security configuration commands and their
parameters.


Syslog commands

Command Parameter
enable syslog
disable syslog
show syslog
config syslog max_hosts <int 1-10>
create syslog host <slog_id>
severity
informational
warning
error
fatal
all
facility
local0
local1
local2
local3
local4
local5
local6
local7
udp_port <int 514-530>
ipaddress <ipaddr>
state enabled|disabled

config syslog host <slog_id>
severity
informational
warning
error
fatal
all
facility
local0
local1
local2
local3
local4
local5
local6
local7
udp_port <int 514-530>
ipaddress <ipaddr>
state enabled|disabled
delete syslog host <slog_id>
all


SSH commands

Command Parameter
config ssh algorithm 3DES
AES128
AES192
AES256
arcfour
blowfish
cast128
twofish128
twofish192
twofish256
MD5
SHA1
RSA
DSA
enabled|disabled
show ssh algorithm
show ssh authmode password
publickey
hostbased
enabled|disabled
show ssh authmode
show ssh user <username>
authmode
publickey
password
hostbased
hostname <domain_name 31>
hostname_ip <domain_name 31>
<ipaddr>
show ssh user

config ssh server maxsession <int 1-3>
timeout <sec 1-120>
authfail <init 2-20>
rekey
10min
30min
60min
never
port <tcp_port_number 1-65535>
enable | disable ssh
show ssh server
config ssh regenerate hostkey


TACACS+ commands

Command Parameter
enable authentication
disable authentication
config authentication login console
telnet
ssh
web
all
tacacs+
local
none
config authentication admin console
ssh
telnet
all
tacacs+
local
none
config login_authen response_timeout <sec 1-255>
show authentication
create tacacs+_server <ip_address>
tcp_port <int 1-65535>
key <string 254>
timeout <sec 1-255>
config tacacs+_server <ip_address>
tcp_port <int 1-65535>
key <string 254>
timeout <sec 1-255>
delete tacacs+_server <ip_address>
show tacacs+_server
enable admin
config admin local_password <password 8-15>


Password Protection
The password security features allow you to restrict access to the switch. Network
managers have restricted access to the control path; users have restricted access to
the data path.

The network administrator has the ability to login to a Passport 1600 Series switch
and configure passwords through the CLI. The Passport 1600 Series switch
supports multi-level access with the use of different logins and passwords.

A local database stores the information about user name, password and privilege
level. All Web and CLI logins check the user name and password with the
information in the database.

Password format
The following is a list of rules or guidelines to use when creating or modifying
passwords.

• You may use only alphanumeric characters; special characters are not allowed
in passwords.
• The length of passwords must be eight characters or more.
• Administrator and User level access with different logins and passwords is
supported.
• Logins are rejected after three invalid attempts.
• If the Switch is operating in secure mode, a password history for each user
account is maintained. The last 5 passwords for a given user account are kept
in this history, and the Switch will prevent the Administrator from
re-assigning any of these 5 previously assigned passwords to the user’s
account.
• If a user tries to log in and fails due to an error in entering a user name or
password three consecutive times, the switch will deny the telnet session. The
telnet session of the source IP address will be denied for three minutes.


System Log Messages


On any UNIX*-based management platform, you can use the syslog messaging
feature of the Passport 1600 Series switch to manage event messages. The
Passport syslog software communicates with a server software component named
syslogd on your management workstation. The UNIX daemon syslogd is a
software component that receives and locally logs, displays, prints and/or
forwards messages that originate from sources internal and external to the
workstation. For example, syslogd on a UNIX workstation concurrently handles
messages received from applications running on the workstation, as well as
messages received from a Passport 1600 Series switch running in a network
accessible to the workstation.

Receiving system log messages

You can use the system log messaging feature of the Passport 1600 Series switch
to manage switch event messages on any UNIX-based management platform. The
Passport 1600 Series switch syslog software supports this functionality by
communicating with a counterpart software component named syslog on your
management workstation. The UNIX daemon syslogd is a software component
that receives and locally logs, displays, prints, and/or forwards messages that
originate from sources internal and external to the workstation. For example,
syslogd on a workstation concurrently handles messages received from
applications running on the workstation, as well as messages received from a
Passport switch running in a network accessible to the workstation.

At a remote management workstation, the system log messaging feature does the
following:

• Receives system log messages from the Passport switch.
• Examines the severity code in each message.
• Uses the severity code to determine appropriate system handling for each
message.
• Based on the severity code in each message, dispatches each message to any
or all of the following destinations:
   • Workstation display
   • Local log file
   • One or more remote hosts


Internally the Passport 1600 Series switch has four severity levels for log
messages:

• Info
• Warning
• Critical
• Error

Table 4 shows the default mapping of internal severity levels to syslog severity
levels.

Table 4 Default severity levels and system log severity levels

UNIX system error codes  System log severity level  Internal Passport severity level
0                        Emergency                  -
1                        Alert                      -
2                        Critical                   Critical
3                        Error                      Error
4                        Warning                    Warning
5                        Notice                     -
6                        Info                       Info
7                        Debug                      -

Table 5 shows the mapping of Info log messages.

Table 5 Info log messages

Log Message Log ID


System up 200
Port <port> autonegotiation 306
successful
Port <port> link up <speed> 300
<duplex_mode>
Port <port> link down 301
Port <port> enabled (Username: 302
<user> from <UI>)

Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1
98 Chapter 5 Security features

Table 5 Info log messages

Port <port> disabled (Username: 303


<user> from <UI>)
Port<port> configuration modified 307
(Username: <user> from <UI>)
Successful login through Console 401
(Username: <user> from <UI>)
Successful login through Web 407
<remote IP> (Username: <user>)
Successful login through Telnet 413
<remote IP> (Username: <user>)
Successful login through SSH 419
<remote IP> (Username: <user>)
Successful authentication through 1703
SSH <remote IP> (Username:
<user>)
Logout through Console 404
(Username: <user>)
Logout through Telnet <remote 416
IP> (Username: <user>)
Logout through SSH <remote IP> 422
(Username: <user>)
Console session time out 405
(Username: <user>)
TELNET session time out <remote 417
IP> (Username: <user>)
SSH session time out <remote IP> 423
(Username: <user>)
Configuration saved to flash 201
(Username: <user> from <UI>)
Firmware upgraded successfully 202
(Username: <user> from <UI>)
Configuration successfully 204
downloaded (Username: <user>
from <UI>)
Configuration successfully 206
uploaded (Username: <user> from
<UI>)
Log message successfully 208
uploaded (Username: <user> from
<UI>)

316862-B Rev 00
Chapter 5 Security features 99

Table 5 Info log messages

Topology changed 600


New root selected <MAC> 601
Spanning Tree Protocol is enabled 602
(Username: <user> from <UI>)
Spanning Tree Protocol is 603
disabled (Username: <user> from
<UI>)
Spanning Tree configuration 604
modified (Username: <user> from
<UI>)
Spanning Tree port configuration 605
modified (Username: <user> from
<UI>)
VLAN <ID> created successfully 700
(Username: <user> from <UI>)
VLAN <ID> modified successfully 701
(Username: <user> from <UI>)
VLAN <ID> deleted successfully 702
(Username: <user> from <UI>)
Management Port link up <speed> 304
<duplex_mode>
Management Port link down 305
Primary Power ON 212
Primary Power OFF 213
Redundant Power ON 214
Redundant Power OFF 215
RIP is enabled (Username: <user> 800
from <UI>)
RIP is disabled (Username: 801
<user> from <UI>)
RIP configuration modified 802
(Username: <user> from <UI>)
OSPF is enabled (Username: 900
<user> from <UI>)
OSPF is disabled (Username: 901
<user> from <UI>)

Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1
100 Chapter 5 Security features

Table 5 Info log messages

OSPF Interface state change: rtid: 902


<router_id>, ipa: <If_IP>, lesIf:
<less_if>, <old_state> ->
<new_state>
OSPF Virtual Interface state 903
change: rtid: <router_id>, vir-area:
<area_id>, vir-neibor: <neibor>,
<old_state> -> <new_state>
OSPF Nbr state change: rtid: 904
<router_id>, nbr-ipa: <If_IP>,
nbr-lessIndex: <less_index>,
nbr-rtid: <rtrid>, <old_stat> ->
<new_state>
OSPF Virtual Nbr state change: 905
rtid: <router_id>, vir-nbr-area:
<area_id>, vir-nbr-rtid>,
<old_state> -> <new_state>
OSPF MD5 authentication 906
modified (Username: <user> from
<UI>)
OSPF configuration modified 907
(Username: <user> from <UI>)
Template <ID> modified 1300
(Username: <user> from <UI>)
VLAN <ID> attached to Template 1301
(Username: <user> from <UI>)
VLAN <ID> detached from 1302
Template (Username: <user> from
<UI>)
User <user> account created 1500
(Username: <user> from <UI>)
User <user> password modified 1501
(Username: <user> from <UI>)
User <user> account deleted 1502
(Username: <user> from <UI>)
SYSLOG enabled (Username: 1400
<user> from <UI>)
SYSLOG configuration modified 1401
(Username: <user> from <UI>)
SYSLOG disabled (Username: 1402
<user> from <UI>)

316862-B Rev 00
Chapter 5 Security features 101

Table 5 Info log messages

TELNET server enabled (Username: <user> from <UI>)    424
TELNET configuration modified (Username: <user> from <UI>)    425
TELNET server disabled (Username: <user> from <UI>)    426
SSH server enabled (Username: <user> from <UI>)    1700
SSH configuration modified (Username: <user> from <UI>)    1701
SSH server disabled (Username: <user> from <UI>)    1702
SNMP configuration modified (Username: <user> from <UI>)    501
Login successfully through Console authenticated by TACACS+ server <IP> (Username: <user>)    400
Login successfully through WEB from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    406
Login successfully through TELNET from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    412
Login successfully through SSH from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    418
Authentication enabled by user (Username: <user> from <UI>)    1200
Authentication disabled by user (Username: <user> from <UI>)    1201
Log table cleared (Username: <user> from <UI>)    216
IGMP SNOOPING enabled (Username: <user> from <UI>)    1000
IGMP SNOOPING disabled (Username: <user> from <UI>)    1001


IGMP SNOOPING configuration modified (Username: <user> from <UI>)    1002
IGMP configuration modified (Username: <user> from <UI>)    1100
create <action - related command> (Username: <user> from <UI>)    1900
config <action - related command> (Username: <user> from <UI>)    1900
delete <action - related command> (Username: <user> from <UI>)    1900
show <action - related command> (Username: <user> from <UI>)    1900
clear <action - related command> (Username: <user> from <UI>)    1900

Table 6 shows the mapping of Warning log messages.

Table 6 Warning log messages

Log Message    Log ID

Console login fail (Username: <user>)    403
Web login fail <remote IP> (Username: <user> from <UI>)    409
TELNET login fail <remote IP> (Username: <user> from <UI>)    415
SSH login fail <remote IP> (Username: <user> from <UI>)    421
Failure to authenticate user through SSH <remote IP> (Username: <user> from <UI>)    1704
SNMP request received from <remote IP> with invalid community string (Username: <user> from <UI>)    500
Firmware upgrade failed (Username: <user> from <UI>)    203


Configuration download failed (Username: <user> from <UI>)    205
Configuration upload failed (Username: <user> from <UI>)    207
Log message upload failed (Username: <user> from <UI>)    209
Login fail through Console authenticated by TACACS+ server <IP> (Username: <user>)    402
Login fail through WEB from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    408
Login fail through TELNET from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    414
Login fail through SSH from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)    420
TACACS+server <remote IP> connection fail    1202
TACACS+ server <IP> response is wrong    1206
TACACS+ doesn’t support this functionality    1207

Table 7 shows the mapping of Critical log messages.

Table 7 Critical log messages

Log Message    Log ID

Error in PSS, phy link is up, but PSS link is down    102
CPU hang    100


Table 8 shows the mapping of Error log messages.

Table 8 Error log messages

Log Message    Log ID

TACACS+ module allocated memory fail    1203
TACACS+ socket API occurs some errors    1205
TACACS+ internal fatal error    1208
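
The message templates in Tables 5 and 6 can be compiled into matchers on the syslog collector. The following is an added example, not code from the Nortel guide: it flags audit or authentication controls being switched off (Log IDs 216, 1201, 1402) and repeated login failures from one source. The sample lines, their timestamp and host prefix, the <UI> values, and the names classify and analyze are constructed for illustration.

```python
import re
from collections import Counter

# (Log ID, table, message template) copied from Tables 5 and 6 above.
TEMPLATES = [
    (216, "info", "Log table cleared (Username: <user> from <UI>)"),
    (1201, "info", "Authentication disabled by user (Username: <user> from <UI>)"),
    (1402, "info", "SYSLOG disabled (Username: <user> from <UI>)"),
    (1500, "info", "User <user> account created (Username: <user> from <UI>)"),
    (403, "warning", "Console login fail (Username: <user>)"),
    (409, "warning", "Web login fail <remote IP> (Username: <user> from <UI>)"),
    (415, "warning", "TELNET login fail <remote IP> (Username: <user> from <UI>)"),
    (421, "warning", "SSH login fail <remote IP> (Username: <user> from <UI>)"),
    (1704, "warning", "Failure to authenticate user through SSH <remote IP> "
                      "(Username: <user> from <UI>)"),
]

CONTROL_OFF_IDS = {216, 1201, 1402}           # logging or authentication turned off
LOGIN_FAIL_IDS = {403, 409, 415, 421, 1704}   # failed interactive logins
PLACEHOLDER = re.compile(r"<([^<>]+)>")


def template_to_regex(template):
    """Turn 'SSH login fail <remote IP> (...)' into a regex with named groups."""
    parts, seen, pos = [], Counter(), 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = re.sub(r"\W+", "_", m.group(1)).lower()
        seen[name] += 1
        if seen[name] > 1:  # e.g. the second <user> in the 1500 template
            name = f"{name}_{seen[name]}"
        # Assumption: field values contain no whitespace or parentheses.
        parts.append(rf"(?P<{name}>[^\s()]+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


COMPILED = [(log_id, level, template_to_regex(t)) for log_id, level, t in TEMPLATES]


def classify(line):
    """Return the Log ID, table and extracted fields for a line, or None."""
    for log_id, level, rx in COMPILED:
        # search() tolerates whatever prefix the collector adds before the message.
        m = rx.search(line)
        if m:
            return {"id": log_id, "level": level, "fields": m.groupdict()}
    return None


def analyze(lines, threshold=3):
    """Alert on controls being disabled and on repeated login failures per source."""
    failures, alerts = Counter(), []
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        if event["id"] in CONTROL_OFF_IDS:
            alerts.append(("control-disabled", event["id"], event["fields"]["user"]))
        elif event["id"] in LOGIN_FAIL_IDS:
            # Console failures carry no <remote IP>; group them under "console".
            source = event["fields"].get("remote_ip", "console")
            failures[source] += 1
            if failures[source] == threshold:  # alert once, when the threshold is hit
                alerts.append(("login-failures", source, threshold))
    return alerts


# Constructed sample input (documentation-range addresses, hypothetical host "sw1").
SAMPLE = """\
Mar 10 09:14:01 sw1 SSH login fail 198.51.100.7 (Username: admin from SSH)
Mar 10 09:14:03 sw1 SSH login fail 198.51.100.7 (Username: root from SSH)
Mar 10 09:14:06 sw1 SSH login fail 198.51.100.7 (Username: test from SSH)
Mar 10 09:20:11 sw1 TELNET login fail 192.0.2.44 (Username: ops from TELNET)
Mar 10 09:31:40 sw1 SYSLOG disabled (Username: ops from Console)
Mar 10 09:31:52 sw1 Log table cleared (Username: ops from Console)
Mar 10 09:40:00 sw1 Port 3 link up
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Because "SYSLOG disabled" and "Log table cleared" are Info-level messages, a Syslog host configured only for warning or higher severities would not receive the events this example alerts on.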

The following sections detail the CLI commands used to configure Syslog on the
Switch.

Creating a Syslog host


To create a new Syslog host on the Switch, use the following command:

create syslog host


This command includes the following options:

create syslog host
followed by:

<slog_id>    This is an index number that will be used to identify the Syslog host, if more than one Syslog host is created on the Switch.
severity     Severity level indicator. Enter one of the parameters listed below after the severity parameter in the command line to instruct the switch to send that type of message to the remote host.
    informational - Specifies that informational messages will be sent to the remote host, as described in the table above.
    warning - Specifies that warning messages will be sent to the remote host, as described in the table above.
    error - Specifies that error messages will be sent to the remote host, as described in the table above.
    fatal - Specifies that fatal messages will be sent to the remote host. The Switch maps the Critical and Emergency messages, as described in the table above, to this severity level.
    all - Specifies that all of the above categories of messages will be sent to the remote host.


facility     Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. Those Facilities that have been designated are shown in the following list. Bold font indicates the facility values the Switch supports now.

Numerical Code    Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security|authorization messages
5 messages generated internally by syslog
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security|authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)


    local0 - Specifies that local use 0 messages will be sent to the remote host. This corresponds to number 16 from the list above.
    local1 - Specifies that local use 1 messages will be sent to the remote host. This corresponds to number 17 from the list above.
    local2 - Specifies that local use 2 messages will be sent to the remote host. This corresponds to number 18 from the list above.
    local3 - Specifies that local use 3 messages will be sent to the remote host. This corresponds to number 19 from the list above.
    local4 - Specifies that local use 4 messages will be sent to the remote host. This corresponds to number 20 from the list above.
    local5 - Specifies that local use 5 messages will be sent to the remote host. This corresponds to number 21 from the list above.
    local6 - Specifies that local use 6 messages will be sent to the remote host. This corresponds to number 22 from the list above.
    local7 - Specifies that local use 7 messages will be sent to the remote host. This corresponds to number 23 from the list above.
udp_port <value 514-530>    Specifies the UDP port number that the syslog protocol will use to send messages to the remote host.
ipaddress <ipaddr>          Specifies the IP address of the remote host where syslog messages will be sent.
state [enabled|disabled]    Allows the sending of syslog messages to the remote host, specified above, to be enabled and disabled.

Figure 41 shows the creation of a Syslog host on the Switch.


Figure 41 create syslog host

:4#create syslog host 1 severity all facility local0


Command: create syslog host 1 severity all facility local0

Success.

:4#

Configuring a Syslog host


To configure a previously created Syslog host on the Switch, use the following
command:

config syslog host


This command includes the following options:

config syslog host
followed by:

<slog_id>    This is an index number that will be used to identify the Syslog host, if more than one Syslog host is created on the Switch.
severity     Severity level indicator. Enter one of the parameters listed below after the severity parameter in the command line to instruct the switch to send that type of message to the remote host.
    informational - Specifies that informational messages will be sent to the remote host, as described in the table above.
    warning - Specifies that warning messages will be sent to the remote host, as described in the table above.
    error - Specifies that error messages will be sent to the remote host, as described in the table above.
    fatal - Specifies that fatal messages will be sent to the remote host. The Switch maps the Critical and Emergency messages, as described in the table above, to this severity level.
    all - Specifies that all of the above categories of messages will be sent to the remote host.


facility     Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. Those Facilities that have been designated are shown in the following list. Bold font indicates the facility values the Switch supports now.

Numerical Code    Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security|authorization messages
5 messages generated internally by syslog
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security|authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)


    local0 - Specifies that local use 0 messages will be sent to the remote host. This corresponds to number 16 from the list above.
    local1 - Specifies that local use 1 messages will be sent to the remote host. This corresponds to number 17 from the list above.
    local2 - Specifies that local use 2 messages will be sent to the remote host. This corresponds to number 18 from the list above.
    local3 - Specifies that local use 3 messages will be sent to the remote host. This corresponds to number 19 from the list above.
    local4 - Specifies that local use 4 messages will be sent to the remote host. This corresponds to number 20 from the list above.
    local5 - Specifies that local use 5 messages will be sent to the remote host. This corresponds to number 21 from the list above.
    local6 - Specifies that local use 6 messages will be sent to the remote host. This corresponds to number 22 from the list above.
    local7 - Specifies that local use 7 messages will be sent to the remote host. This corresponds to number 23 from the list above.
udp_port <value 514-530>    Specifies the UDP port number that the syslog protocol will use to send messages to the remote host.
ipaddress <ipaddr>          Specifies the IP address of the remote host where syslog messages will be sent.
state [enabled|disabled]    Allows the sending of syslog messages to the remote host, specified above, to be enabled and disabled.

Figure 42 shows the configuration of a Syslog host on the Switch.


Figure 42 config syslog host

:4#config syslog host 1 severity all facility local0


Command: config syslog host 1 severity all facility local0

Success.

:4#

Configuring the maximum number of Syslog hosts

To configure the maximum number of Syslog hosts that can be created on the
Switch, use the following command:

config syslog max_hosts

This command includes the following options:

config syslog max_hosts
followed by:

<int 1-10>    This is the maximum number of Syslog hosts that can be created on the Switch.
              Entering ‘0’ instructs the Switch to prevent any Syslog hosts from being created. If there are any previously created Syslog hosts on the Switch, and you enter the command config syslog max_hosts 0, then all existing syslog hosts will be deleted from the Switch when the command executes successfully.

Figure 43 shows the setting of 10 Syslog hosts as the maximum on the Switch.


Figure 43 config syslog max_hosts

:4#config syslog max_hosts 10


Command: config syslog max_hosts 10

Success.

:4#

Deleting a Syslog host

To delete a previously created Syslog host on the Switch, use the following
command:

delete syslog host

This command includes the following options:

delete syslog host
followed by:

<slog_id>    This is an index number that will be used to identify the Syslog host, if more than one Syslog host is created on the Switch. There can be up to four Syslog hosts.
all          Specifies that all Syslog hosts created on the Switch will be deleted.

Figure 44 shows the deletion of all Syslog hosts on the Switch.


Figure 44 delete syslog host

:4#delete syslog host all


Command: delete syslog host all

Success.

:4#

Enabling a Syslog host

To enable a previously created Syslog host on the Switch, use the following
command:

enable syslog

This command includes no additional options:

enable syslog

There are no options

Figure 45 shows the enabling of a Syslog host on the Switch.

Figure 45 enable syslog

:4#enable syslog
Command: enable syslog

Success.

:4#


Disabling a Syslog host

To disable a previously created Syslog host on the Switch, use the following
command:

disable syslog

This command includes no additional options:

disable syslog

There are no options

Figure 46 shows the disabling of a Syslog host on the Switch.

Figure 46 disable syslog

:4#disable syslog
Command: disable syslog

Success.

:4#


Displaying the current Syslog configuration on the Switch

To display the current Syslog configuration on the Switch, use the following
command:

show syslog

This command includes the following options:

show syslog
followed by:

<slog_id>    This is an index number that will be used to identify the Syslog host, if more than one Syslog host is created on the Switch. There can be up to four Syslog hosts.

Figure 47 shows the displaying of the current Syslog host configuration on the
Switch.

Figure 47 show syslog

:4#show syslog host


Command: show syslog

Syslog Global State: Enabled


Index  Host IP Address Severity Facility UDP port Status
------ --------------- -------- -------- -------- ------
1      10.1.2.1        Info     local2   520      Enabled

:4#


Enabling and disabling logging on the Switch


The Switch can log all CLI commands that a given user enters in both a local log
and through Syslog. The config log_state command allows you to turn the logging
of CLI command entry on or off for a particular user account. If you disable the
logging of CLI commands for a particular user account, both the local log and the
Syslog will be disabled for that user. When CLI logging is enabled, it takes effect
immediately.

The default log state is enabled.

To disable the logging of all CLI commands issued by the user Johnson, use the
following command:

config log_state Johnson disabled

This command includes the following options:

config log_state
followed by:

<username>            This is the username assigned to the user account for which you want to enable or disable the logging of all CLI commands issued in both the local log and Syslog.
enabled | disabled    Instructs the Switch to enable or disable the logging of all CLI commands for the user account specified by the <username> entered above.

Figure 48 shows the disabling of CLI command logging for the user account
Johnson.


Figure 48 config log_state Johnson disabled

:4#config log_state Johnson disabled


Command: config log_state Johnson disabled

Success.

:4#

Uploading the Switch’s log and configuration to a TFTP server

The Switch can log all CLI commands that a given user enters. The upload
[configuration | log] command allows you to send a copy of the log (or the current
Switch configuration) to a TFTP server on your network. In firmware release
1.0.1.1 or higher, you have the option of including user account information (user
names, password, and admin/user-level status) in the configuration file that is
uploaded to the TFTP server. The append_account parameter is used to add user
account information to the configuration file. The Switch will automatically
encrypt the passwords (using SSH-A1 with a non-user changeable key stored in the
switch) if the append_account parameter is specified. The only way to decrypt
these passwords is to subsequently download this configuration file from the
TFTP server to the Switch. So, the passwords assigned to the user accounts
cannot be read from the text file the Switch uploads to the TFTP server.

To upload the Switch’s current configuration, including user account information,
use the following command:

upload configuration 10.42.73.5 c:\cfg\config.txt append_account


This command includes the following options:

upload
followed by:

configuration | log    Instructs the Switch to upload either its current configuration or its current log file.
<ipaddr>               This is the IP address of a TFTP server that will receive the configuration or log file.
<path_filename>        Specifies the location on the TFTP server where the configuration or log file will be uploaded to. This is in the form: c:\.
append_account         Instructs the Switch to include user account information in the configuration file.

Figure 49 shows the uploading of a configuration.

Figure 49 upload configuration

:4#upload configuration 10.42.73.5 c:\cfg\config.txt append_account
Command: upload configuration 10.42.73.5 c:\cfg\config.txt append_account

Connecting to server ........................... Done.
Upload Configuration ........................... Done.

:4#

Configuring Password aging


The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to configure the maximum amount of time a password assigned to a user
account is allowed to be in use. The default is 90 days. The Switch will give a
warning message when the user logs in at the point where 75, 80, 85, 90, and 95%
of the maximum password age time has expired.


To configure the maximum length of time a password assigned to a user account
may be in use, use the following command:

config password_aging

This command includes the following options:

config password_aging
followed by:

<day 1-999>    This is the maximum amount of time, in days, that a password assigned to a user account can be in use (valid). The default is 90 days. The user will be notified at login when 75 to 95% of this time has expired, in 5% increments.
               Entering ‘999’ instructs the Switch to disable password aging. If you enter the command config password_aging 999, password aging will be disabled on the Switch and no warning messages will be displayed.

Figure 50 shows the setting of the maximum amount of time a password assigned
to a user account can be in use to be 10 days.

Figure 50 config password_aging

:4#config password_aging day 10


Command: config password_aging day 10

Success.

:4#


Displaying the Password aging time

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to configure the maximum amount of time a password assigned to a user
account is allowed to be in use. The default is 90 days. The Switch will give a
warning message when the user logs in at the point where 75, 80, 85, 90, and 95%
of the maximum password age time has expired.

To display the currently configured maximum length of time a password assigned
to a user account may be in use, use the following command:

show password_aging

This command includes no additional options:

show password_aging

There are no options

Figure 51 shows the display of the currently configured maximum amount of time
a password assigned to a user account can be in use.

Figure 51 show password_aging

:4#show password_aging
Command: show password_aging

Password Aging Time :10 day (s)

:4#


Configuring the Switch’s Secure Mode


The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to specify a secure mode for the Switch as either normal or high. In the
normal mode, the TELNET and SNMP remote management applications are
enabled, while the SSH and WEB remote management applications are disabled.
In the high mode, the SSH, TELNET, WEB and SNMP remote management and
configuration applications are all disabled.

Initially, when the Switch’s secure mode is set to high, only the RS-232 Console
port can be used to manage and configure the Switch. You can, however, manually
enable any of the remote management applications using the CLI and the
RS-232 Console port.

Note: The config secure_mode [normal | high] command can only be
entered from the Console application and cannot be entered from a remote
management application, such as TELNET, SSH, or the Web-based
configuration manager.

Note: After resetting the Passport 1600 Series switch, if the high secure
mode was previously configured, the switch remains in high secure mode.
To return to normal secure mode, you must manually disable the high
secure mode. You can only perform this operation from the CLI.

To configure the Switch to close the SSH, TELNET, WEB, and SNMP remote
management and configuration applications, use the following command:

config secure_mode high


This command includes the following options:

config secure_mode
followed by:

normal    This specifies that security configuration for the TELNET and SNMP remote management and configuration applications will be enabled, and that these applications can be used to manage and configure the Switch. The SSH and WEB remote management applications will be disabled.
          You can manually enable the SSH and WEB remote management applications at any time after issuing this command.
high      This specifies that the SSH, TELNET, WEB, and SNMP remote management and configuration applications will be disabled. When the Switch’s secure mode is set to high, only the RS-232 Console port can be used to manage and configure the Switch.
          You can manually enable the SSH, TELNET, WEB and SNMP at any time after issuing this command.

Figure 52 shows the Switch’s secure mode being set to high. In this mode, only
the RS-232 Console port can be used to manage and configure the Switch.

Figure 52 config secure_mode

:4#config secure_mode high


Command: config secure_mode high

Success.

:4#


Displaying the Switch’s current secure mode

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow
you to configure a secure mode for the Switch as either normal or high. In the
normal mode, the security configuration is in effect, as entered. In the high mode,
the SSH, TELNET, WEB and SNMP remote management and configuration
applications are closed to all users. When the Switch’s secure mode is set to high,
only the RS-232 Console port can be used to manage and configure the Switch.

To display the Switch’s current secure mode configuration, use the following
command:

show secure_mode

This command includes no additional options:

show secure_mode

There are no options

Figure 53 shows the display of the Switch’s currently configured secure mode.

Figure 53 show secure_mode

:4#show secure_mode
Command: show secure_mode

Secure Mode : High

:4#
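
The outputs of show syslog, show password_aging and show secure_mode (Figures 47, 51 and 53) can be checked together against a baseline. The following is an added example, not code from the Nortel guide: it parses pasted CLI output in the formats shown in those figures and reports weak settings. The finding codes and function names are hypothetical, and the display strings "Normal", "Disabled", "Warning" and "All" are assumptions because the page only shows "High", "Enabled" and "Info".

```python
import re

# One row of the "show syslog" host table (Figure 47).
HOST_ROW = re.compile(
    r"^[ \t]*(?P<index>\d+)[ \t]+(?P<ip>\d+(?:\.\d+){3})[ \t]+(?P<severity>\S+)"
    r"[ \t]+(?P<facility>\S+)[ \t]+(?P<port>\d+)[ \t]+(?P<status>Enabled|Disabled)[ \t]*$",
    re.MULTILINE,
)


def parse_capture(text):
    """Pull the audited settings out of pasted CLI output; None means not captured."""
    def first(pattern):
        m = re.search(pattern, text, re.IGNORECASE)
        return m.group(1) if m else None

    aging = first(r"Password Aging Time\s*:\s*(\d+)")
    return {
        "secure_mode": first(r"Secure Mode\s*:\s*(\w+)"),
        "aging_days": int(aging) if aging is not None else None,
        "syslog_state": first(r"Syslog Global State\s*:\s*(\w+)"),
        "hosts": [m.groupdict() for m in HOST_ROW.finditer(text)],
    }


def audit(text):
    """Return finding codes; an empty list means every captured check passed."""
    cfg, findings = parse_capture(text), []
    # A missing section is reported, never treated as a pass.
    for key in ("secure_mode", "aging_days", "syslog_state"):
        if cfg[key] is None:
            findings.append(f"NOT_CAPTURED:{key}")
    # Normal mode leaves TELNET and SNMP management enabled. High only sets the
    # starting point: services can be re-enabled manually afterwards, so "High"
    # alone is not proof that they are off.
    if cfg["secure_mode"] is not None and cfg["secure_mode"].lower() != "high":
        findings.append("SECURE_MODE_NORMAL")
    # 999 is the documented value that disables password aging.
    if cfg["aging_days"] == 999:
        findings.append("PASSWORD_AGING_DISABLED")
    if cfg["syslog_state"] is not None:
        live = [h for h in cfg["hosts"] if h["status"] == "Enabled"]
        if cfg["syslog_state"].lower() != "enabled":
            findings.append("SYSLOG_GLOBAL_DISABLED")
        if not live:
            findings.append("NO_ENABLED_SYSLOG_HOST")
        # Account and logging changes are Info-level messages (Table 5), so at
        # least one enabled host should be configured to receive them.
        elif not any(h["severity"].lower() in ("info", "all") for h in live):
            findings.append("INFO_EVENTS_NOT_FORWARDED")
    return findings


# Output copied from Figures 47, 51 and 53 on this page.
CAPTURE_FROM_PAGE = """\
:4#show syslog host
Command: show syslog

Syslog Global State: Enabled

Index  Host IP Address Severity Facility UDP port Status
------ --------------- -------- -------- -------- ------
1      10.1.2.1        Info     local2   520      Enabled

:4#show password_aging
Command: show password_aging

Password Aging Time :10 day (s)

:4#show secure_mode
Command: show secure_mode

Secure Mode : High
"""

# Constructed capture of a weak configuration (display strings are assumptions).
CAPTURE_WEAK = """\
Syslog Global State: Disabled
Index  Host IP Address Severity Facility UDP port Status
------ --------------- -------- -------- -------- ------
1      10.1.2.1        Warning  local2   520      Disabled
Password Aging Time :999 day (s)
Secure Mode : Normal
"""

if __name__ == "__main__":
    print("page capture:", audit(CAPTURE_FROM_PAGE))
    print("weak capture:", audit(CAPTURE_WEAK))
```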


Secure Shell (SSH)


Secure Shell (SSH) is a client/server protocol that specifies the way to conduct
secure communications over a network. Secure CoPy is a secure file transfer
protocol. When using other methods of remote access, such as Telnet or FTP, the
traffic generated by these utilities is not encrypted. Anyone that can see the
network traffic can see all data, including passwords and user names. SSH can
replace Telnet and other remote logon utilities.

SSH supports a variety of the many different public/private key encryption
schemes available. Using the public key of the host server, the client and server
negotiate to generate a session key known only to the client and the server. This
one-time key is then used to encrypt all traffic between the client and the server.

Even if network security is compromised, traffic cannot be played back or
decrypted, and the connection cannot be hijacked.

The secure channel of communication provided by SSH does not provide
protection against break-in attempts or denial-of-service (DoS) attacks.

Note: The Passport 1600 Series Switches support only SSH version 2.
The Switch does not support SSH version 1.

The SSH version 2 protocol supported by the Switch supports the following
security features:

• Authentication. This determines, in a reliable way, the identity of the SSH
client. During the login process the SSH client is queried for a digital proof of
identity.
Supported authentications are RSA (SSH-1), DSA (SSH-2), and passwords
(both SSH-1 and SSH-2).
• Encryption. The SSH server uses encryption algorithms to scramble data and
render it unintelligible except to the receiver.
Supported encryption algorithms are: 3DES, AES-128-cbc,
AES-192-cbc, AES-256-cbc, ArcFour, Blowfish-cbc, Cast128-cbc,
Twofish128-cbc, Twofish192-cbc, and Twofish256-cbc.


• Integrity. This guarantees that the data is transmitted from the sender to the
receiver without any alteration. If any third party captures and modifies the
traffic, the SSH server will detect this alteration. Hmac-MD5 and
Hmac-sha-1 are supported.

The implementation of the SSH server in the Passport 1600 Series switch enables
the SSH client to make a secure connection to a Passport 1600 Series switch and
will work with commercially available SSH clients.

You must use the CLI to initially configure SSH. You can use Device Manager
(DM) to change the SSH configuration parameters. However, Nortel Networks
recommends using the CLI. Nortel Networks also recommends using the console
port to configure the SSH parameters.

SSH version 2 (SSH-2)

The SSH protocol, version 2 (SSH-2) is a complete rewrite of the SSH-1 protocol.
While SSH-1 contains multiple functions in a single protocol, in SSH-2 the
functions are divided among three layers:

• SSH Transport Layer (SSH-TRANS)
The SSH transport layer manages the server authentication and provides
the initial connection between the client and the server. Once established,
the transport layer provides a secure, full-duplex connection between the
client and server.
• SSH Authentication Protocol (SSH-AUTH)
The SSH authentication protocol runs on top of the SSH transport layer
and authenticates the client-side user to the server. SSH-AUTH defines
three authentication methods: public key, host-based, and password.
SSH-AUTH provides a single authenticated tunnel for the SSH
connection protocol.
• SSH Connection Protocol (SSH-CONN)
The SSH connection protocol runs on top of the SSH transport layer and
user authentication protocols. SSH-CONN provides interactive login
sessions, remote execution of commands, forwarded TCP/IP connections,
and forwarded X11 connections. These higher services are multiplexed
into the single encrypted tunnel provided by the SSH transport layer.


The modular approach of SSH-2 improves on the security, performance, and
portability of the SSH-1 protocol.

Note: The SSH-1 and SSH-2 protocols are not compatible. The SSH
implementation in the Passport 1600 Series switch supports only SSH
version 2.

Supported SSH clients

The Passport 1600 Series switch software release 1.0.1.1 supports the following
third party SSH clients. The table below describes the third party SSH client
software that has been tested but not included with this release.

Table 9 Third party SSH client software

SSH Client        Secure Shell (SSH)

SecureCRT         • Supports SSH-2 client only.
Openssh           • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

OpenSSH           • Supports SSH-2 clients.
Unix              • Authentication: RSA, DSA, Password.
Solaris2.5/2.6    • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

Secure Netterm    • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

PuTTY             • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

Absolute          • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

Secure Shell      • Supports SSH-1 and SSH-2 clients.
Client Windows    • Authentication: RSA, DSA, Password
2000              • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v1 format.

ZOC pro           • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

PenguiNet         • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

F-secure          • Supports SSH-2 clients.
Windows 2000      • Authentication: RSA, DSA, Password.
                  • Provides a keygen tool.
                  • It creates both RSA and DSA keys in SSH v2 format.

Using the CLI to configure SSH

You can use Device Manager (DM) to change the SSH configuration parameters.
However, Nortel Networks recommends using the Command Line Interface (CLI)
to configure the SSH.

Note: Only the Server SSH has been implemented in the 1.1 release.
There is NO SSH client on the Passport 1600 Series switch. A remote
application must be used to establish the communication with the switch.


Configuring Secure Shell (SSH)


The Passport 1600 Series switches (firmware release 1.0.1.1, or later) support the
SSH version 2 SERVER implementation.

Note: SSH version 1, because of its inherent security holes, is not
supported. Because the Passport 1600 Series switches implement only the
server part of the protocol, you must use a third-party application to
connect to the switch. Please see Table 9 for a list of approved SSH v2
clients.

The steps required to use the SSH protocol for secure communication between a
remote PC (the SSH Client) and the Switch (the SSH Server), are as follows:

• Create a user account with admin-level access using the create account admin
<username> <password> command. In the example presented below, the
username SSHtest is used. This is identical to creating any other admin-level
User account on the Switch, including specifying a password. This password
is used to log in to the Switch, once secure communication has been
established using the SSH version 2 protocol.
• Configure the user account to use a specified authorization method to identify
users that are allowed to establish SSH connections with the Switch using the
config ssh user authmode command. There are some choices as to the method
SSH will use to authorize the user. The two methods, password and publickey,
are used in the example presented below.
• Configure the encryption algorithm that SSH will use to encrypt and decrypt
messages sent between the SSH Client and the SSH Server. Again, there are
some choices to make, but 3DES is used in the example presented below.
• Finally, enable SSH on the Switch using the enable ssh command.
• After following the above steps, you can configure an SSH Client on the
remote PC and manage the Switch using secure, in-band communication.


Creating a User account

To create an admin or user account, including a username and password, use the
create account command. Note that this command also allows you to select
the privileges this account will have. In general, user-level accounts can display
the switch’s current configuration, but cannot make any changes. Admin-level
accounts have full access to all configuration commands.

To create a new User account for use with the SSH protocol, use the following
command:

create account admin SSHtest

The Switch will respond with:

Enter a case-sensitive new password: *******
Enter the new password again for confirmation: ********

The password must be at least 8 and not more than 15 characters long. This
password will be used to log on to the switch.

This command includes the following options:

create account
followed by:

admin <username 15>   Creates an administrator-level user account. This
                      user can execute all of the commands in the CLI
                      without restriction.
                      • username identifies the user. It is an
                        alphanumeric string, from 1 to 15 characters.
user <username 15>    Creates a user-level user account. This user is
                      limited to displaying switch configuration and
                      accumulated switch statistics.
                      • username identifies the user. It is an
                        alphanumeric string, from 1 to 15 characters.

Figure 54 shows you how to create a new administrator-level user account with
the username SSHtest.


Figure 54 create account command

:4#create account admin SSHtest
Command: create account admin SSHtest

Enter a case-sensitive new password:********
Enter the new password again for confirmation:********

Success.

:4#

Configuring the SSH authorization mode

Before the SSH Server on the Switch can establish a secure communications
channel with an SSH Client, you must specify the type of authorization that the
SSH Server can accept to verify the SSH Client as an authorized user. The
password parameter instructs the SSH Server to use the password assigned to the
User account. The public key parameter instructs the SSH Server to use public
key encryption and decryption, using a combination of a private key and public
key stored on the remote PC (the SSH Client). The hostbased parameter allows
you to specify a remote host on the network, by either name or IP address, that
will be allowed to establish an SSH connection with the Switch.

To configure the SSH authorization mode, use the following command:

config ssh authmode password enabled


This command includes the following options:

config ssh authmode
followed by:

password     Specifies the use of a password to establish user
             authorization for an SSH session. This password is the
             same as the password assigned to the User account.
public key   Specifies the use of public key encryption and decryption
             of a message exchange between the SSH Client and the
             Switch’s SSH Server to authorize the User.
hostbased    This specifies the name or IP address of a specific host
             (a remote PC) that will be authorized to establish an SSH
             connection to the Switch.
             The host’s name is specified by entering hostname followed
             by the host’s name in the <string> field of the create ssh
             user command, shown above.
enabled      Enables the User authorization mode specified above.
disabled     Disables the User authorization mode specified above.

Figure 55 shows how to configure the user account SSHtest to use the password
assigned to this account to authorize an SSH session with the Switch.

Figure 55 config ssh authmode command

:4# config ssh authmode password enabled
Command: config ssh authmode password enabled

Success.

:4#


Displaying the Switch’s current SSH authorization mode

To display the Switch’s current SSH authorization mode, use the following
command:

show ssh authmode

This command includes no additional options:

show ssh authmode

There are no options

Figure 56 shows the Switch’s current SSH authorization mode.

Figure 56 show ssh authmode

:4# show ssh authmode
Command: show ssh authmode

The SSH User Authentication Support
------------------------------------
Password   : Enabled
Public Key : Enabled
Hostbased  : Enabled

Updating an SSH user account’s authorization mode

Once you have created a user account, and configured the SSH authorization
mode for that account, you can update the information using the config ssh user
command.

To update the configuration of an SSH user account, use the following command:

config ssh user SSHtest authmode password


where:
SSHtest is the username of a previously created User account.

This command includes the following options:

config ssh user <username> authmode
followed by:

hostbased                  This specifies the name or IP address of a
 hostname <string 31>      specific host (a remote PC) that will be
 hostname_IP <string 31>   authorized to establish an SSH connection to
   <ipaddr>                the Switch.
                           The host’s name is specified by entering
                           hostname followed by the host’s name in the
                           <string> field.
                           The host’s IP address is specified by entering
                           hostname_IP followed by the host’s name in the
                           <string> field, followed by the host’s IP
                           address in the <ipaddr> field.
password                   Specifies the use of a password to establish
                           user authorization for an SSH session. This
                           password is the same as the password assigned
                           to the User account.
public key                 Specifies the use of public key encryption and
                           decryption of a message exchange between the
                           SSH Client and the Switch’s SSH Server to
                           authorize the User.
none                       Specifies that there will be no user
                           authorization.

Figure 57 shows how to configure the user account SSHtest to use the password
assigned to this account to authorize an SSH session with the Switch.


Figure 57 config ssh user command

:4# config ssh user SSHtest authmode password
Command: config ssh user SSHtest authmode password

Success.

:4#

Configuring the SSH encryption algorithm

To configure the SSH algorithm to use 3DES:

config ssh algorithm 3DES enabled

where:
3DES is the encryption algorithm that the Secure Shell (SSH) will use to encrypt
and decrypt messages between the SSH Server and the SSH Client.

This command includes the following options:

config ssh algorithm
followed by:

3DES               Enter this parameter, followed by enabled or disabled,
                   to use the 3DES encryption algorithm with the Secure
                   Shell (SSH).
AES128             Enter this parameter, followed by enabled or disabled,
                   to use the AES128 encryption algorithm with the Secure
                   Shell (SSH).
AES192             Enter this parameter, followed by enabled or disabled,
                   to use the AES192 encryption algorithm with the Secure
                   Shell (SSH).
AES256             Enter this parameter, followed by enabled or disabled,
                   to use the AES256 encryption algorithm with the Secure
                   Shell (SSH).
arcfour            Enter this parameter, followed by enabled or disabled,
                   to use the Arcfour encryption algorithm with the Secure
                   Shell (SSH).
blowfish           Enter this parameter, followed by enabled or disabled,
                   to use the Blowfish encryption algorithm with the
                   Secure Shell (SSH).
cast128            Enter this parameter, followed by enabled or disabled,
                   to use the Cast128 encryption algorithm with the Secure
                   Shell (SSH).
twofish128         Enter this parameter, followed by enabled or disabled,
                   to use the Twofish128 encryption algorithm with the
                   Secure Shell (SSH).
twofish192         Enter this parameter, followed by enabled or disabled,
                   to use the Twofish192 encryption algorithm with the
                   Secure Shell (SSH).
twofish256         Enter this parameter, followed by enabled or disabled,
                   to use the Twofish256 encryption algorithm with the
                   Secure Shell (SSH).
MD5                Enter this parameter, followed by enabled or disabled,
                   to use the HMAC-MD5 data integrity algorithm with the
                   Secure Shell (SSH).
SHA1               Enter this parameter, followed by enabled or disabled,
                   to use the HMAC-SHA1 data integrity algorithm with the
                   Secure Shell (SSH).
RSA                Enter this parameter, followed by enabled or disabled,
                   to use the RSA public key algorithm with the Secure
                   Shell (SSH).
DSA                Enter this parameter, followed by enabled or disabled,
                   to use the DSA public key algorithm with the Secure
                   Shell (SSH).
enabled|disabled   Enter enabled or disabled after any one of the
                   algorithms above to activate that algorithm for use
                   with SSH.


Figure 58 shows the SSH Server on the Switch configured to use the 3DES
encryption algorithm.

Figure 58 config ssh algorithm

:4# config ssh algorithm 3DES enabled
Command: config ssh algorithm 3DES enabled

Success.

:4#

Displaying the Current SSH encryption algorithm


To display the current SSH algorithm in use on the Switch, use the following
command:

show ssh algorithm

This command includes the following options:

show ssh algorithm

There are no options

Figure 59 shows the current SSH algorithm configuration of the Switch.


Figure 59 show ssh algorithm

:4# show ssh algorithm
Command: show ssh algorithm

Encryption Algorithm
-------------------------
3DES      : Enable
AES128    : Enable
AES192    : Enable
AES256    : Enable
Arcfour   : Enable
Blowfish  : Enable
Cast128   : Enable
Twofish128: Enable
Twofish192: Enable
Twofish256: Enable

Data Integrity Algorithm
------------------------
MD5  : Enable
SHA1 : Enable

Public Key Algorithm
--------------------
RSA : Enable
DSA : Enable

:4#

Displaying the Switch’s current SSH Users


To display the Switch’s current SSH users, use the following command:

show ssh user

This command includes no additional options:

show ssh user

There are no options


Figure 60 shows the Switch’s current SSH users.

Figure 60 show ssh user

:4# show ssh user
Command: show ssh user
Current Accounts:
--------------------------
Username Authentication
SSHtest Password
SSHtest2 Publickey
SSHtest3 Hostbased Debbie 10.42.73.5
SSHtest4 None
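
The following added example (not part of the Nortel guide) parses captured show ssh algorithm and show ssh user output, as in Figures 59 and 60, and lists the config ssh algorithm commands that disable algorithms a reviewer would normally turn off. The WEAK policy table and all function names are assumptions of this example, not Nortel recommendations; the sample text is copied from the two figures.

```python
import re

# Reviewer's policy (an assumption of this example, not Nortel guidance):
# algorithms usually switched off on a management interface, with the reason.
WEAK = {
    "3des": "64-bit block cipher",
    "blowfish": "64-bit block cipher",
    "cast128": "64-bit block cipher",
    "arcfour": "RC4 stream cipher",
    "md5": "HMAC-MD5 integrity check",
    "dsa": "DSA public keys",
}

# Sample text copied from Figures 59 and 60 of this guide.
SHOW_SSH_ALGORITHM = """\
Encryption Algorithm
-------------------------
3DES : Enable
AES128 : Enable
AES192 : Enable
AES256 : Enable
Arcfour : Enable
Blowfish : Enable
Cast128 : Enable
Twofish128: Enable
Twofish192: Enable
Twofish256: Enable
Data Integrity Algorithm
------------------------
MD5 : Enable
SHA1 : Enable
Public Key Algorithm
--------------------
RSA : Enable
DSA : Enable
"""
SHOW_SSH_USER = """\
Username Authentication
SSHtest Password
SSHtest2 Publickey
SSHtest3 Hostbased Debbie 10.42.73.5
SSHtest4 None
"""

STATE = re.compile(r"^\s*(\w+)\s*:\s*(Enabled?|Disabled?)\s*$")


def parse_algorithms(text):
    """Return {section title: {algorithm name: True if enabled}}."""
    sections, current = {}, None
    for line in text.splitlines():
        title = line.strip()
        if title.endswith("Algorithm"):
            current = sections.setdefault(title, {})
            continue
        match = STATE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2).startswith("Enable")
    return sections


def cli_keyword(name):
    """Spell the algorithm the way the config ssh algorithm table does."""
    return name if name == name.upper() else name.lower()


def remediation(sections):
    """Return CLI lines that disable every enabled weak algorithm.

    Refuses to empty a section, which would leave SSH without a usable
    cipher, integrity check or public key type.
    """
    commands = []
    for title, algorithms in sections.items():
        enabled = [name for name, on in algorithms.items() if on]
        weak = [name for name in enabled if name.lower() in WEAK]
        if enabled and len(weak) == len(enabled):
            raise ValueError(f"{title}: only weak algorithms are enabled")
        commands += [f"config ssh algorithm {cli_keyword(n)} disabled" for n in weak]
    return commands


def users_without_authentication(text):
    """Return SSH usernames whose authmode is None in show ssh user output."""
    names, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Username", "Authentication"]:
            in_table = True
        elif in_table and len(fields) >= 2 and fields[1].lower() == "none":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for command in remediation(parse_algorithms(SHOW_SSH_ALGORITHM)):
        print(command)
    print("no authentication:", users_without_authentication(SHOW_SSH_USER))
```

Review the generated commands against the SSH clients in use before entering them, since a client that supports only a disabled algorithm can no longer connect.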

Configuring the SSH Server on the Switch


To configure the SSH Server on the Switch, use the following command:

config ssh server


This command includes the following options:

config ssh server
followed by:

maxsession <int 1-3>              This parameter allows you to specify the
                                  maximum number of SSH sessions that the
                                  SSH Server on the Switch will allow at any
                                  one time. You can specify between a
                                  minimum of one and a maximum of three
                                  simultaneous SSH sessions. The default
                                  is 3.
timeout <sec 1-120>               You can specify the maximum amount of time
                                  that will be allowed for an SSH session to
                                  be established. If this time is exceeded
                                  before the SSH session has begun, the SSH
                                  Server will discontinue the connection.
                                  You can specify a minimum of one and a
                                  maximum of 120 seconds. The default is
                                  120 seconds.
authfail <int 2-20>               You can specify the maximum number of
                                  times the SSH Server will allow a remote
                                  host to attempt to become authorized. If
                                  this number of attempts is exceeded, the
                                  SSH Server will discontinue the
                                  connection. You can specify a minimum of
                                  two and a maximum of twenty authorization
                                  attempts. The default is 2.
rekey <10min 30min 60min never>   You can specify the length of time that an
                                  SSH session can last before generating a
                                  new set of encryption/decryption keys.
                                  You can specify 10min, 30min, 60min, and
                                  never. The default is 2.
port <tcp_port_number 1-65535>    This parameter allows you to specify which
                                  TCP port the SSH Server will listen on for
                                  requests from remote hosts to establish an
                                  SSH connection with the Switch. The
                                  default is TCP port number 22.

Figure 61 shows the SSH Server on the Switch configured to allow a maximum of
2 sessions, a timeout of 20 seconds, a maximum of 2 failed authorization attempts,
a rekey time of never, and the use of TCP port number 22.


Figure 61 config ssh server

:4# config ssh server maxsession 2 timeout 20 authfail 2 rekey never port 22
Command: config ssh server maxsession 2 timeout 20 authfail 2 rekey never port 22

Success.

:4#

Displaying the current SSH Server configuration

To display the current SSH Server configuration:

show ssh server

This command includes no additional options:

show ssh server


There are no options.

Figure 62 shows the current configuration of the SSH Server on the Switch.

Figure 62 show ssh server

:4# show ssh server
Command: show ssh server

SSH Server Status    : Enabled
SSH Max Session      : 2
Connection timeout   : 20 (sec)
Rekey timeout        : never
Listened Port Number : 22


Enabling and disabling the SSH Server on the Switch

To enable the SSH Server on the Switch:

enable ssh

This command has no options:

enable | disable ssh

There are no options.

Figure 63 shows the SSH Server on the Switch being enabled.

Figure 63 enable ssh

:4# enable ssh
Command: enable ssh

Success.

:4#

Configuring the SSH Server to regenerate its hostkey


To force the SSH Server to regenerate its hostkey, use the following command:

config ssh regenerate hostkey

This command includes no additional options:

config ssh regenerate hostkey

Figure 64 shows the SSH Server on the Switch being forced to regenerate its
hostkey.


Figure 64 config ssh regenerate hostkey

:4# config ssh regenerate hostkey
Command: config ssh regenerate hostkey

Success.

:4#

TACACS+
TACACS+ is a security protocol that provides access control for devices via one
or more centralized servers. All WEB, TELNET and CLI user logins check the
user name and password with a database of Network Access Security (NAS)
servers through the TACACS+ protocol if the authentication method being used is
TACACS+. This is useful in checking authentication when thousands of users
using thousands of devices are distributed around the network.

The system provides two stages of authentication for the user: the first is the
“login” stage and the second is the “enable” stage. Each stage can choose up to
three authentication methods; they are TACACS+, local/enable and none. In
addition, two privilege levels are provided, the user level and the admin level.
When the user passes the first stage, the “user” level is assigned. The “admin”
level will be assigned if the user passes the second stage.

The following four authentication methods are supported:

TACACS+: Verifies both the username/password pair and enables the password
using the TACACS+ server. When username/password verification is passed, the
user level is assigned. After that, use the “enable admin” command to promote
privilege mode to the admin user. Four TACACS+ servers are supported.

Local: Authenticate the username/password pair with a local database. If
authentication passes and the privilege level associated with the
username/password pair is “admin level,” the user will receive admin level
privilege. If authentication passes and the username/password pair is
“user level,” the user will receive user-level privileges.


Enable: only the password is checked. This option is used only to promote the
privilege level to the “admin” level.

None: no authentication is specified.

The following privilege modes are supported:

user level: read only is permitted.

admin level: read/write is permitted.

Creating an entry to the Switch’s TACACS+ Server table

To create an entry to the Switch’s TACACS+ Server table, use the following
command:

create tacacs+_server <ip_address>

where:
<ip_address> is the IP address of a TACACS+ Server on the network.

This command includes the following options:

create tacacs+_server
followed by:

<ipaddr>                          This is the IP address of a TACACS+ Server
                                  on the network.
tcp_port <int 1-65535>            This is the TCP port number in use by the
                                  TACACS+ Server specified above. The
                                  default is TCP port number 49.
key [<key_string 1-254> | none]   This is the key used for TACACS+
                                  authentication. If no string is specified
                                  (the value is null) then no encryption
                                  will be applied. If none is specified,
                                  then no encryption key will be used. The
                                  default is none.
timeout <sec 1-255>               This parameter specifies the time, in
                                  seconds, that the Switch will wait for a
                                  reply from the TACACS+ Server. The default
                                  is 5 seconds.


Figure 65 shows the creation of a TACACS+ Server entry on the Switch, using
the key “top secret.”

Figure 65 create tacacs+_server

:4# create tacacs+_server 10.42.73.5 key top secret
Command: create tacacs_server 10.42.73.5 key top secret

Success.

:4#
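
What the key option controls, shown as an added example that is not part of the Nortel guide: the TACACS+ protocol obfuscates each packet body by XORing it with a pad of chained MD5 hashes over the session id, the shared key, the version byte and the sequence number (RFC 8907, section 4.5), and with no key the body is sent as cleartext. The session id and body bytes are constructed sample values, the function names are this example's own, and the Switch is assumed to follow the standard protocol.

```python
import hashlib
import struct


def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the TACACS+ pad, truncated to the body length.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, previous = b"", b""
    while len(pad) < length:
        previous = hashlib.md5(seed + previous).digest()
        pad += previous
    return pad[:length]


def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pad; calling it again reverses the operation.

    An empty key models 'key none': the body is returned unchanged, which
    is how it would cross the network.
    """
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample values, not a capture from a real switch.
SESSION_ID = 0x1A2B3C4D
BODY = b"user=SSHtest password=constructed-sample-password"
KEY = b"top secret"  # the key string used in Figure 65


def demo():
    """Return the same body as sent with no key, with the key, and decoded."""
    protected = obfuscate(BODY, SESSION_ID, KEY)
    return {
        "sent_with_key_none": obfuscate(BODY, SESSION_ID, b""),
        "sent_with_key": protected,
        "decoded_with_same_key": obfuscate(protected, SESSION_ID, KEY),
        "decoded_with_wrong_key": obfuscate(protected, SESSION_ID, b"not so secret"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:24} {value!r}")
```

The pad depends only on the shared key and header fields, so the key protects the credentials only as long as it is kept secret on both the Switch and the TACACS+ Server.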

Configuring a TACACS+ Server entry on the Switch


To configure an entry to the Switch’s TACACS+ Server table (change a
previously created entry), use the following command:

config tacacs+_server <ip_address>

where:
<ip_address> is the IP address of a TACACS+ Server on the network.

Note: Nortel Networks strongly recommends that you configure in the
TACACS+ server all interfaces participating in any remote session
(telnet, SSH, etc.).

This command includes the following options:

config tacacs+_server
followed by:

<ipaddr>                          This is the IP address of a TACACS+ Server
                                  on the network.
tcp_port <int 1-65535>            This is the TCP port number in use by the
                                  TACACS+ Server specified above. The
                                  default is TCP port number 49.
key [<key_string 1-254> | none]   This is the key used for TACACS+
                                  authentication. If no string is specified
                                  (the value is null) then no encryption
                                  will be applied. If none is specified,
                                  then no encryption key will be used. The
                                  default is none.
timeout <sec 1-255>               This parameter specifies the time, in
                                  seconds, that the Switch will wait for a
                                  reply from the TACACS+ Server. The default
                                  is 5 seconds.

Figure 66 shows the configuring of a TACACS+ Server entry on the Switch,
using the key “not so secret.”

Figure 66 config tacacs+_server

:4# config tacacs+_server 10.42.73.5 key not so secret
Command: config tacacs+_server 10.42.73.5 key not so secret

Success.

:4#

Displaying the Switch’s TACACS+ Server table

To display the entries in the Switch’s TACACS+ Server table, use the following
command:

show tacacs+_server

This command includes no additional options:

show tacacs+_server


Figure 67 shows the current contents of the Switch’s TACACS+ Server table.

Figure 67 show tacacs+_server

:4# show tacacs+_server
Command: show tacacs+_server

IP Address       Port    timeout   key
-------------------------------------------------------
10.1.1.222       17777   10        not so secret

:4#

Deleting an entry from the Switch’s TACACS+ Server table

To delete an entry from the Switch’s TACACS+ Server table, use the following
command:

delete tacacs+_server 10.1.1.222

This command includes the following options:

delete tacacs+_server

<ip_address>   This is the IP address of the TACACS+ Server you want to
               delete from the Switch’s TACACS+ Server table.

Figure 68 shows the deletion of the TACACS+ Server, with an IP address of
10.1.1.222, from the Switch’s TACACS+ Server table.


Figure 68 delete tacacs+_server

:4# delete tacacs+_server 10.1.1.222
Command: delete tacacs+_server 10.1.1.222

Success.

:4#

Enabling admin-level privileges for a user-level account

To promote a user with user-level privileges to admin-level privileges, use the
following command:

enable admin

When this command is entered, the current user authentication method in use on
the Switch will be used to authenticate the user.

This command includes the following options:

enable admin
There are no options

Figure 69 shows the currently logged on user raising the account’s privilege level
from user-level to admin-level.

Figure 69 enable admin

:4# enable admin
Command: enable admin

Password: ********
Success.

:4#


Assigning a password to the “local enable” method

To assign a password to authenticate users that want to change their user-level
privileges to admin-level privileges, using the “local enable” method, use the
following command:

config admin local_password

When this command is entered, the current user authentication method in use on
the Switch will be used to authenticate the user.

This command includes the following options:

config admin local_password
followed by:

<password 8-15>   This is the password that will be used to authenticate
                  users that want to change their user-level privileges to
                  admin-level privileges, using the “local enable” method.

Figure 70 shows the assigning of a password that will be used to authenticate
users that want to change their user-level privileges to admin-level privileges,
using the “local enable” method.

Figure 70 config admin local_password

:4# config admin local_password
Command: config admin local_password

Enter the case-sensitive password: ********
Enter the password again for confirmation ********

Success.

:4#


Configuring the login authentication settings

To configure the maximum amount of time the Switch will wait for a user to input
their password, use the following command:

config login_authen response_timeout <sec 1-255>

This command includes the following options:

config login_authen
followed by:

response_timeout <sec 1-255>   This is the maximum amount of time the Switch
                               will wait for a user to input their password.
                               If this time is exceeded, the Switch will
                               discontinue the connection. The default is
                               30 seconds.

Figure 71 shows the response timeout being set to 30 seconds.

Figure 71 config admin login_authen

:4# config login_authen response_timeout 30
Command: config login_authen response_timeout 30

Success.

:4#

Configuring the authentication settings on the Switch

This command is used to configure how the Switch will authenticate users when
they login to the various applications that are used to configure the Switch. When
authentication is enabled on the Switch, the authentication settings specified in
this command will take effect. The Switch’s default is to use local authentication,
such as asking for a user name and password when logging on the Console.


When the TACACS+ or the none authentication method is specified, users are
assigned only user-level privileges when they first log on to a Switch
management application (such as the Console). If a user wants to promote their
privilege level to admin-level, they must enter the enable admin command,
described below.

When the local authentication method is specified, a user’s privilege level
depends upon the privilege level assigned when the user account was created.

There are four applications that can be used to configure and manage the
Switch: the Console, TELNET, SSH, and the Web-based configuration manager.
You can assign one of three user-authentication methods to any of these
applications. The three user-authentication methods are TACACS+, local, and
none. TACACS+ instructs the Switch to forward the user name and password to a
TACACS+ Server for authentication. The local method relies upon the Switch
itself to verify the user name and password against the user accounts stored in its
memory. The none method performs no user authentication.

If the TACACS+ user authentication method is specified, and all of the TACACS+
Servers have timed out, or do not exist, the Switch then will use the second
method entered with this command. In the example below, the none user
authentication method will be used.

To configure the authentication settings on the Switch, use the following
command:

config authentication login

This command includes the following options:

config authentication login
followed by:

console   Specifies the Console application will be authenticated.
telnet    Specifies the TELNET application will be authenticated.
ssh       Specifies the Secure Shell (SSH) application will be
          authenticated.
web       Specifies the Web-based configuration manager application will
          be authenticated.
all       Specifies the Console, TELNET, SSH, and Web applications will be
          authenticated.
tacacs+   Specifies that a TACACS+ Server will provide authentication.
local     Specifies that the Switch will provide authentication.
none      Specifies that no authentication will be used.

Figure 72 shows the Switch being configured to use the TACACS+ user
authentication method for the TELNET application.

Figure 72 config authentication login

:4# config authentication login telnet tacacs+ none
Command: config authentication login telnet tacacs+ none

Success.

:4#
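
The fallback rule described above can be checked mechanically. The following added example (not part of the Nortel guide) parses config authentication command lines, works out which method decides a request when no TACACS+ Server answers, and reports method lists that can end in none. The function names are this example's own, and the limit of two methods per command is an assumption taken from the Primary and Secondary columns of the show authentication display.

```python
STAGES = {"login", "admin"}
APPLICATIONS = {"console", "telnet", "ssh", "web", "all"}
METHODS = {"tacacs+", "local", "enable", "none"}

# The first two lines are the commands from Figures 72 and 73; the third is
# a constructed line for comparison.
SAMPLE_CONFIG = [
    "config authentication login telnet tacacs+ none",
    "config authentication admin telnet tacacs+",
    "config authentication login ssh tacacs+ local",
]


def parse_method_list(line):
    """Split 'config authentication <stage> <application> <method> [<method>]'."""
    words = line.split()
    if len(words) not in (5, 6) or words[:2] != ["config", "authentication"]:
        raise ValueError(f"not a config authentication command: {line!r}")
    stage, application, methods = words[2], words[3], words[4:]
    if stage not in STAGES or application not in APPLICATIONS:
        raise ValueError(f"unknown stage or application: {line!r}")
    if any(method not in METHODS for method in methods):
        raise ValueError(f"unknown authentication method: {line!r}")
    return stage, application, methods


def deciding_method(methods, tacacs_reachable):
    """Return the method that decides a request under the fallback rule.

    The second method is consulted only when the first is tacacs+ and every
    TACACS+ Server has timed out or none exists. None is returned when no
    second method was entered; the guide does not describe that case.
    """
    if methods[0] != "tacacs+" or tacacs_reachable:
        return methods[0]
    return methods[1] if len(methods) > 1 else None


def fail_open_findings(lines):
    """List (stage, application, reason) for method lists that can reach none."""
    findings = []
    for line in lines:
        stage, application, methods = parse_method_list(line)
        if methods[0] == "none":
            findings.append((stage, application, "first method is none"))
        elif deciding_method(methods, tacacs_reachable=False) == "none":
            findings.append((stage, application,
                             "falls back to none when no TACACS+ Server answers"))
    return findings


if __name__ == "__main__":
    for finding in fail_open_findings(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Entering local as the second method keeps a credential check in place when the TACACS+ Servers cannot be reached.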

Configuring the authentication settings on the Switch used to promote users from user-level privileges to admin-level privileges

This command is used to configure how the Switch will authenticate users when
they want to promote their privileges from user-level to admin-level, when they
are logged on to the various applications that are used to configure the Switch.
When authentication is enabled on the Switch, the authentication settings
specified in this command will take effect.


When the TACACS+ authentication method is specified, users need to input their
password to promote their privileges from user-level to admin-level. The Switch
will then pass this password to the TACACS+ Server for authentication. The
TACACS+ Server will return a PASS or FAIL.

When enable is specified, the Switch will compare this password to the Switch’s
(local) password. If the passwords are the same, the Switch will return a PASS. If
the two passwords are different, the Switch will return a FAIL.

There are four applications that can be used to configure and manage the
Switch: the Console, TELNET, SSH, and the Web-based configuration manager.
You can assign one of three user-authentication methods to authenticate users
who want to promote their user-level privileges to admin-level privileges to any of
these applications. The three user-authentication methods are TACACS+, enable,
and none. TACACS+ instructs the Switch to forward the user name and password
to a TACACS+ Server for authentication. The enable method relies upon the
Switch itself to verify the user name and password against the user accounts
stored in its memory. The none method performs no user authentication.

If the TACACS+ user authentication method is specified, and all of the TACACS+
Servers have timed out, or do not exist, the Switch then will use the second
method entered with this command. In the example below, the enable user
authentication method will be used.

To configure the authentication settings that govern the promotion of users with
user-level privileges to admin-level privileges, on the Switch, use the following
command:

config authentication admin

This command includes the following options:

config authentication admin
followed by:

console   Specifies the Console application will be authenticated.
telnet    Specifies the TELNET application will be authenticated.
ssh       Specifies the Secure Shell (SSH) application will be
          authenticated.
all       Specifies the Console, TELNET, SSH, and Web applications will be
          authenticated.
tacacs+   Specifies that a TACACS+ Server will provide authentication.
local     Specifies that the Switch will provide authentication.
none      Specifies that no authentication will be used.

Figure 73 shows the Switch being configured to use the TACACS+ user
authentication method to authenticate users who want to promote their user-level
privileges to admin-level privileges, for the TELNET application.

Figure 73 config authentication admin

:4# config authentication admin telnet tacacs+
Command: config authentication admin telnet tacacs+

Success.

:4#

Enabling authentication

To enable the current authentication settings, use the following command:

enable authentication

This command includes no additional options:

enable authentication
There are no options


Figure 74 shows the current authentication settings on the Switch being enabled.

Figure 74 enable authentication

:4# enable authentication
Command: enable authentication

Success.

:4#

Disabling authentication

To disable the current authentication settings, use the following command:

disable authentication

This command includes no additional options:

disable authentication
There are no options

Figure 75 shows the current authentication settings on the Switch being disabled.

Figure 75 disable authentication

:4# disable authentication
Command: disable authentication

Success.

:4#


Displaying the Switch’s current authentication settings

To display the Switch’s current authentication settings, use the following
command:

show authentication

This command includes no additional options:

show authentication
There are no options

Figure 76 shows the display of the Switch’s current authentication settings.

Figure 76 show authentication

:4# show authentication
Command: show authentication

Authentication Status : Disabled
The amount of time for user input : 30 seconds
The maximum user attempts : 3

Login Login Admin Admin
Application Primary Secondary Primary Secondary
----------- ------- --------- ------- ---------
Console Local Local
Telnet Local Local
SSH Local Local
Web Local


Chapter 6
Configuring VLANs

A virtual local area network (VLAN) is a collection of end nodes grouped by
logical rather than physical location. End nodes that frequently communicate with
each other are assigned to the same VLAN, regardless of where they are
physically located on the network. Logically, you can equate a VLAN to a
broadcast domain because broadcast packets are forwarded only to members of
the VLAN on which the broadcast was initiated.

This chapter describes the commands you use to configure, enable and disable,
and show VLANs for Layer 2 operations. It also describes how to configure IP on
a VLAN for Layer 3 operations. Specifically, it includes the following topics:

Topic

Roadmap of VLAN CLI commands
Creating a VLAN
Deleting a VLAN
Adding ports to a VLAN configuration
Deleting ports from a VLAN configuration
Displaying a VLAN configuration
Roadmap of IP interface CLI commands
Creating an IP interface
Configuring an IP interface
Deleting an IP interface
Configuring the System IP interface
Enabling an IP interface
Disabling an IP interface
Displaying the current IP interface configuration
Roadmap of forwarding database CLI commands
Creating a unicast forwarding database entry
Configuring a unicast forwarding database entry
Creating a multicast forwarding database entry
Configuring the multicast forwarding database
Deleting an entry from the forwarding database
Clearing the forwarding database
Displaying the multicast forwarding database
Displaying the unicast forwarding database

Configuring Layer 2 operations


The following sections describe how to configure VLANs for Layer 2 operations.


Roadmap of VLAN CLI commands

The following roadmap lists all of the VLAN commands and their parameters.
Use this list as a quick reference or click on any entry for more information:

Command Parameter
create vlan <vlan_name 32> type port |ip-subnet <network_address>
    arp_classification_id <vlanid 1-4094> |protocol-ip
    |protocol-ipx802dot3 |protocol-ipx802dot2 |protocol-ipxSnap
    |protocol-appleTalk |protocol-decLat |protocol-decOther
    |protocol-sna802dot2 |protocol-snaEthernet2
    |protocol-netBios |protocol-xns |protocol-vines |protocol-ipV6
    |protocol-userDefined <hex 0x0-0xffff> |encap [ethernet2|IIc|snap|all]
    |protocol-rarp |priority [0|4|6|7]
delete vlan <vlan_name 32>
config vlan <vlan_name 32> add tagged <portlist>
    untagged <portlist>
config vlan <vlan_name 32> delete <portlist>
show vlan <vlan_name 32> |type [port |ip-subnet <network_address>
    arp_classification_id <vlanid 1-4094> |protocol-ip
    |protocol-ipx802dot3 |protocol-ipx802dot2 |protocol-ipxSnap
    |protocol-appleTalk |protocol-decLat |protocol-decOther
    |protocol-sna802dot2 |protocol-snaEthernet2
    |protocol-netBios |protocol-xns |protocol-vines |protocol-ipV6
    |protocol-userDefined <hex 0x0-0xffff> encap [ethernet2|IIc|snap|all]
    |protocol-rarp]

Creating a VLAN
To create a VLAN, use the following command:

create vlan <vlan_name 32 >

where:
vlan_name 32 is the name of the VLAN that you want to create. The VLAN
name can be up to 32 alphanumeric characters.


This command uses the following options:

create vlan <vlan_name 32>
followed by:

vid <vid> Specifies the VLAN ID with which transmitted
packets are tagged. The range is from 1 to 4094.
type This parameter allows you to select the type of
VLAN that will be created. The available types are
as follows:
port
ip-subnet <network_address>
protocol-ip
protocol-ipx802dot3
protocol-ipx802dot2
protocol-ipxSnap
protocol-appleTalk
protocol-decLat
protocol-decOther
protocol-sna802dot2
protocol-snaEthernet2
protocol-netBios
protocol-xns
protocol-vines
protocol-ipV6
protocol-userDefined <hex 0x0-0xffff> encap
[ethernet2|IIc|snap|all]
protocol-rarp
priority [0|4|6|7]
<network_address> The IP address and mask for a subnet-based
VLAN.
<hex 0x0-0xffff> The user-defined protocol type format in hex.
encap [ethernet2|iic|snap|all] The encapsulated packet format for
user-defined protocol. The possible formats are ethernet2, IIc,
snap, and all.
arp_classification_id <vlanid 1-4094> Creates an IP Subnet VLAN with
ARP Classification and available options.

Figure 77 shows you how to create a VLAN named v1.


Figure 77 create vlan command

PP1612G:4#create vlan v1
Command: create vlan v1

Success.

PP1612G:4#

Deleting a VLAN

To delete a VLAN, use the following command:

delete vlan <vlan_name 32 >

where:
vlan_name 32 is the name of the VLAN that you want to delete.

Figure 78 shows you how to delete a VLAN named v1.

Figure 78 delete vlan command

PP1612G:4#delete vlan v1
Command: delete vlan v1

Success.

PP1612G:4#

Adding ports to a VLAN configuration

To add ports to a VLAN, use the following command:

config vlan <vlan_name 32 > add

where:
vlan_name 32 is the name of the VLAN to which you want to add ports.


This command uses the following options:

config vlan add
followed by:

tagged <portlist> Indicates that the specified ports will be VLAN
tagged.
• portlist specifies the list of ports to add to
the VLAN. To specify a range of ports, enter
the beginning and end values, separated by a
hyphen (e.g., 1-3). To specify non-contiguous
port numbers, enter the port numbers,
separated by commas (e.g., 1,4,8).
untagged <portlist> Indicates that the specified ports will not be VLAN
tagged. untagged is the default.
• portlist specifies the list of ports to add to
the VLAN. To specify a range of ports, enter
the beginning and end values, separated by a
hyphen (e.g., 1-3). To specify non-contiguous
port numbers, enter the port numbers,
separated by commas (e.g., 1,4,8).

Figure 79 shows you how to add ports 4 through 8 and 10 as VLAN tagged ports.

Figure 79 config vlan add command

PP1612G:4#config vlan v1 add tagged 4-8,10


Command: config vlan v1 add tagged 4-8,10

Success.

PP1612G:4#

Deleting ports from a VLAN configuration

To delete ports on a VLAN, enter the following command:

config vlan <vlan_name 32 > delete <portlist>


where:
vlan_name 32 is the name of the VLAN from which you want to delete ports.
portlist specifies the list of ports to remove from the VLAN. To specify a
range of ports, enter the beginning and end values, separated by a hyphen (e.g.,
1-3). To specify non-contiguous port numbers, enter the port numbers, separated
by commas (e.g., 1,4,8).

Figure 80 shows you how to delete ports 4 through 8.

Figure 80 config vlan delete command

PP1612G:4#config vlan v1 delete 4-8


Command: config vlan v1 delete 4-8

Success.

PP1612G:4#

Displaying a VLAN configuration


To display the current configuration for the VLAN, enter the following command:

show vlan


This command uses the following options:

show vlan
followed by:

<vlan_name 32> This is the name of the VLAN for which you want to
display the current configuration. If you do not
enter a VLAN name, all of the VLANs currently
configured on the switch will have their
configurations displayed.
type This parameter allows you to select the type of
VLAN that will be displayed. The available types are
as follows:
port
ip-subnet <network_address>
protocol-ip
protocol-ipx802dot3
protocol-ipx802dot2
protocol-ipxSnap
protocol-appleTalk
protocol-decLat
protocol-decOther
protocol-sna802dot2
protocol-snaEthernet2
protocol-netBios
protocol-xns
protocol-vines
protocol-ipV6
protocol-userDefined <hex 0x0-0xffff> encap
[ethernet2|iic|snap|all]
protocol-rarp

Figure 81 shows you how to display the current configuration for the VLANs on
the switch.


Figure 81 show vlan command

PP1612G:4# show vlan


Command: show vlan

VID : 1 VLAN Name : default
VLAN TYPE : static
Member ports : 1-12
Static ports : 1-12
Untagged ports : 1-12

VID : 2 VLAN Name : v1
VLAN TYPE : static
Member ports :
Static ports :
Untagged ports :

VID : 3 VLAN Name : v2
VLAN TYPE : static
Member ports :
Static ports :
Untagged ports :

Total Entries : 3

PP1612G:4#
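The following Python sketch is an added example, not part of the Nortel guide. It expands the portlist syntax described in this chapter (ranges with a hyphen, lists with commas) and parses show vlan output in the layout of Figure 81 into per-VLAN tagged and untagged port sets for a configuration review. The sample output is constructed (Figure 81 with v1 populated as in Figure 79); the 12-port limit and all function names are assumptions.

```python
import re

MAX_PORT = 12  # assumption: 12-port unit, as "Member ports : 1-12" in Figure 81 suggests

_ITEM = re.compile(r"(\d+)(?:-(\d+))?")
_HEADER = re.compile(r"VID\s*:\s*(\d+)\s+VLAN Name\s*:\s*(\S+)")
_PORTS = re.compile(r"(Member|Static|Untagged) ports\s*:\s*(.*)")

# Constructed sample in the layout of Figure 81 (not captured from a switch).
SAMPLE_SHOW_VLAN = """\
VID : 1 VLAN Name : default
VLAN TYPE : static
Member ports : 1-12
Static ports : 1-12
Untagged ports : 1-12

VID : 2 VLAN Name : v1
VLAN TYPE : static
Member ports : 4-8,10
Static ports : 4-8,10
Untagged ports :

VID : 3 VLAN Name : v2
VLAN TYPE : static
Member ports :
Static ports :
Untagged ports :

Total Entries : 3
"""


def expand_portlist(portlist, max_port=MAX_PORT):
    """Expand '4-8,10' into [4, 5, 6, 7, 8, 10]; an empty list gives []."""
    text = portlist.replace(" ", "")  # the guide also writes "1-3, 26"
    if not text:
        return []
    ports = set()
    for item in text.split(","):
        m = _ITEM.fullmatch(item)
        if m is None:
            raise ValueError(f"bad portlist item: {item!r}")
        first = int(m.group(1))
        last = int(m.group(2) or first)
        if not 1 <= first <= last <= max_port:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def is_valid_portlist(portlist, max_port=MAX_PORT):
    """True if the portlist parses and stays within 1..max_port."""
    try:
        expand_portlist(portlist, max_port)
        return True
    except ValueError:
        return False


def parse_show_vlan(text, max_port=MAX_PORT):
    """Return one dict per VLAN with member, static, untagged and tagged ports."""
    vlans = []
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            vlans.append({"vid": int(header.group(1)), "name": header.group(2),
                          "member": [], "static": [], "untagged": []})
            continue
        ports = _PORTS.match(line)
        if ports and vlans:
            vlans[-1][ports.group(1).lower()] = expand_portlist(ports.group(2), max_port)
    for vlan in vlans:
        # A member port that is not listed as untagged is a tagged member.
        vlan["tagged"] = sorted(set(vlan["member"]) - set(vlan["untagged"]))
    return vlans


def review(vlans, default_name="default"):
    """List VLANs without ports and ports that belong only to the default VLAN."""
    elsewhere = set()
    for vlan in vlans:
        if vlan["name"] != default_name:
            elsewhere.update(vlan["member"])
    default_ports = next((v["member"] for v in vlans if v["name"] == default_name), [])
    return {
        "empty_vlans": [v["name"] for v in vlans if not v["member"]],
        "default_only_ports": [p for p in default_ports if p not in elsewhere],
    }


if __name__ == "__main__":
    parsed = parse_show_vlan(SAMPLE_SHOW_VLAN)
    for vlan in parsed:
        print(vlan["vid"], vlan["name"], "tagged:", vlan["tagged"],
              "untagged:", vlan["untagged"])
    print(review(parsed))
```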

Configuring Layer 3 operations


The following sections describe how to configure IP on a VLAN for Layer 3
operations.


Roadmap of IP interface CLI commands

The following roadmap lists all of the IP interface commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command Parameter
create ipif <ipif_name 12> <network_address> <vlan_name 32>
    state [enabled|disabled]
config ipif <ipif_name 12> ipaddress <network_address> vlan <vlan_name 32>
    state [enabled|disabled]
delete ipif <ipif_name 12>
    all
config ipif System vlan <vlan_name 32>
    ipaddress <network_address>
    state [enabled|disabled]
enable ipif <ipif_name 12>
    all
disable ipif <ipif_name 12>
    all
show ipif System all

Creating an IP interface

To create an IP interface with a network address and a subnet mask that will be
assigned to a VLAN, enter the following command:

create ipif <ipif_name 12 > <network_address> <vlan_name 32>
state [enabled|disabled]


where:
ipif_name 12 is the name of the IP interface. The name can be up to 12
alphanumeric characters.
network_address is the IP address and the netmask of the IP interface you wish
to create. You can specify the address and mask information using the traditional
format (for example, 10.1.2.3/255.0.0.0) or the CIDR format (for example,
10.1.2.3/8).
vlan_name 32 is the name of the VLAN that you want to assign to the IP
interface.

Figure 82 shows how to create an IP interface named ip2 that will be assigned to
the VLAN named vlan2, and will be enabled.

Figure 82 create ipif command

PP1612G:4#create ipif ip2 20.1.1.1/8 vlan2 state enabled


Command: create ipif ip2 20.1.1.1/8 vlan2 state enabled

Success.

PP1612G:4#

Configuring an IP interface

To re-configure an IP interface so that it is assigned to a new VLAN, use the
following command:

config ipif <ipif_name 12 > ipaddress <network_address> vlan
<vlan_name 32> state [enabled|disabled]

where:
ipif_name 12 is the name of the IP interface. The name can be up to 12
alphanumeric characters.
network_address is the IP address and the netmask of the IP interface. You can
specify the address and mask information using the traditional format (for
example, 10.1.2.3/255.0.0.0) or the CIDR format (for example, 10.1.2.3/8).
vlan_name 32 is the name of the VLAN that you want to assign to the IP
interface.


Figure 83 shows how to assign ip2 to vlan3 and enable the interface.

Figure 83 config ipif command

PP1612G:4#config ipif ip2 ipaddress 20.1.1.1/8 vlan vlan3


state enabled
Command: config ipif ip2 ipaddress 20.1.1.1/8 vlan vlan3
state enabled

Success.

PP1612G:4#

Deleting an IP interface
To delete the IP interface, use the following command:

delete ipif

This command uses the following options:

delete ipif
followed by:

<ipif_name 12> Specifies the name of the IP interface that you
want to delete.
all Specifies that all IP interfaces configured on the
switch will be deleted.

Figure 84 shows you how to delete an IP interface named ip2.


Figure 84 delete ipif command

PP1612G:4#delete ipif ip2


Command: delete ipif ip2

Success.

PP1612G:4#

Configuring the System IP interface

To assign the System IP interface an IP address and a subnet mask, enter the
following command:

config ipif System

This command uses the following options:

config ipif System
followed by:

vlan <vlan_name 32> The name of the VLAN that corresponds to the
System IP interface.
ipaddress <network_address> The IP address and the netmask with which
you want the System IP interface to be associated. You can specify the
address and mask information using the traditional format (for example,
10.1.2.3/255.0.0.0) or the CIDR format (for example, 10.1.2.3/8).
state [enabled|disabled] Specifies whether you want the System IP
interface to be enabled or disabled.

Figure 85 shows you how to configure the System IP interface with the IP address
10.48.74.122 and a subnet mask of 255.0.0.0 (in CIDR format, 10.48.74.122/8).


Figure 85 config ipif System ipaddress command

PP1612G:4#config ipif System ipaddress 10.48.74.122/8


Command: config ipif System ipaddress 10.48.74.122/8

Success.

PP1612G:4#

Enabling an IP interface

To enable an IP interface, enter the following command:

enable ipif

This command uses the following options:

enable ipif
followed by:

<ipif_name 12> Specifies the name of the IP interface that you
want to enable.
all Specifies that you want all of the IP interfaces
configured on the switch to be enabled.

Figure 86 shows you how to enable an IP interface named ip2.

Figure 86 enable ipif command

PP1612G:4#enable ipif ip2


Command: enable ipif ip2

Success.

PP1612G:4#


Disabling an IP interface

To disable an IP interface, enter the following command:

disable ipif

This command uses the following options:

disable ipif
followed by:

<ipif_name 12> The name of the IP interface you want to disable.
all Specifies that you want all of the IP interfaces
configured on the switch to be disabled.

Figure 87 shows you how to disable an IP interface named ip2.

Figure 87 disable ipif command

PP1612G:4#disable ipif ip2


Command: disable ipif ip2

Success.

PP1612G:4#

Displaying the current IP interface configuration

To display the current configuration of the System IP interface, enter the following
command:

show ipif System


This command uses the following options:

show ipif System
followed by:

all Specifies that you want all of the IP interfaces
configured on the switch to have their current
configurations displayed.

Figure 88 shows you how to display the current configuration of the System IP
interface.

Figure 88 show ipif System command

PP1648T:4#show ipif System


Command: show ipif System

IP Interface Settings
Interface Name : System
IP Address : 10.48.74.122 (MANUAL)
Subnet Mask : 255.0.0.0
VLAN Name : default
Admin. State : Disabled
Link Status : Link UP
Member Ports : 1-26
Total Entries : 1
PP1648T:4#


Using the forwarding database


The 1600 switch maintains a database that relates MAC addresses to the switch
ports that packets must be forwarded to, in order to reach the appropriate MAC
address. These commands allow you to make static entries into the switch’s
forwarding database. These entries will not be aged-out by the forwarding
database’s age-out timer.

In addition, you can specify the port (by port number) or the VLAN (by the
VLAN name) on which the MAC address resides. For multicast MAC addresses,
you can specify a range of ports and a VLAN.

The switch enters the relationship between destination MAC or IP addresses and
the Ethernet port or gateway router the destination resides on into its forwarding
table. This information is then used to forward packets. This reduces the traffic
congestion on the network, because packets, instead of being transmitted to all
ports, are transmitted to the destination port only. For example, if Port 1 receives a
packet destined for a station on Port 2, the Switch transmits that packet through
Port 2 only, and transmits nothing through the other ports. This process is referred
to as 'learning' the network topology.

The MAC address aging time affects the learning process of the switch. Dynamic
forwarding table entries, which are made up of the source MAC addresses and
their associated port numbers, are deleted from the table if they are not accessed
within the aging time.

The aging time can be from 10 to 630 seconds with a default value of 300 seconds.
A very long aging time can result in dynamic forwarding table entries that are
out-of-date or nonexistent. This may cause incorrect packet forwarding decisions
by the switch.

If the aging time is too short, many entries are aged out too soon. This results in a
high percentage of received packets whose source addresses cannot be found in
the forwarding table. In this case the switch broadcasts the packet to all ports,
negating many of the benefits of having a switch.

Static forwarding entries are not affected by the aging time.

The following sections describe the procedures you use to create, configure,
delete, and display forwarding database entries.
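The learning and aging behaviour described above can be modelled in a few lines. The Python sketch below is an added illustration, not Nortel code: it keeps dynamic entries only while they are younger than the aging time (10 to 630 seconds, default 300), never ages static entries, and counts how many frames of a trace must be flooded for a given aging time. Assumptions: an entry's timer is refreshed whenever the address is seen as a frame source, learning never replaces a static entry, and the trace, ports and names are constructed.

```python
import re

AGING_MIN, AGING_MAX, AGING_DEFAULT = 10, 630, 300  # seconds, from the text above
FLOOD = "FLOOD"  # marker: destination unknown, frame is sent to all ports

_MAC = re.compile(r"[0-9A-F]{2}(-[0-9A-F]{2}){5}")


def _norm(mac):
    """Validate and upper-case a MAC written as in the guide (00-00-00-00-01-02)."""
    mac = mac.upper()
    if not _MAC.fullmatch(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


class ForwardingTable:
    """Toy model of the unicast forwarding database with an age-out timer."""

    def __init__(self, aging_time=AGING_DEFAULT):
        if not AGING_MIN <= aging_time <= AGING_MAX:
            raise ValueError("aging_time must be between 10 and 630 seconds")
        self.aging_time = aging_time
        self.entries = {}  # (vlan, mac) -> {"port", "type", "last_seen"}

    def create_static(self, vlan, mac, port):
        """Counterpart of 'create fdb <vlan> <mac> port <port>'."""
        self.entries[(vlan, _norm(mac))] = {
            "port": port, "type": "Static", "last_seen": None}

    def learn(self, vlan, src_mac, port, now):
        """Record the source address of a received frame as a dynamic entry."""
        key = (vlan, _norm(src_mac))
        current = self.entries.get(key)
        if current and current["type"] == "Static":
            return  # assumption: learning does not replace a static entry
        self.entries[key] = {"port": port, "type": "Dynamic", "last_seen": now}

    def age_out(self, now):
        """Delete dynamic entries not refreshed within the aging time."""
        expired = [key for key, e in self.entries.items()
                   if e["type"] == "Dynamic"
                   and now - e["last_seen"] > self.aging_time]
        for key in expired:
            del self.entries[key]
        return expired

    def forward(self, vlan, dst_mac, now):
        """Return the egress port for dst_mac, or FLOOD if it is unknown."""
        self.age_out(now)
        entry = self.entries.get((vlan, _norm(dst_mac)))
        return entry["port"] if entry else FLOOD


# Constructed trace: two hosts answer each other every 30 seconds.
A, B = "00-80-2D-4E-A9-00", "08-00-20-B0-E9-59"
TRACE = [  # (time_s, src_mac, ingress_port, dst_mac)
    (0, A, 1, B), (30, B, 2, A), (60, A, 1, B),
    (90, B, 2, A), (120, A, 1, B), (150, B, 2, A),
]


def flooded_frames(trace, aging_time, vlan="default"):
    """Count frames whose destination is not in the table when they arrive."""
    table = ForwardingTable(aging_time)
    flooded = 0
    for now, src, port, dst in trace:
        table.learn(vlan, src, port, now)
        if table.forward(vlan, dst, now) == FLOOD:
            flooded += 1
    return flooded


if __name__ == "__main__":
    for aging in (10, 300):
        print(f"aging_time {aging:>3}s: {flooded_frames(TRACE, aging)}"
              f" of {len(TRACE)} frames flooded")
```

With the default of 300 seconds only the first frame is flooded; with the minimum of 10 seconds every entry has expired by the time the reply arrives, so all six frames are flooded.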


Roadmap of forwarding database CLI commands

The following roadmap lists all of the forwarding database CLI commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command Parameter
create fdb <vlan_name 32> <macaddr>
    port <port>
config fdb aging_time <sec 10-630>
create multicast_fdb <vlan_name 32>
    <macaddr>
config multicast_fdb <vlan_name 32>
    <macaddr> [add|delete] <portlist>
delete fdb <vlan_name 32> <macaddr>
clear fdb Vlan <vlan_name 32>
    Port <port>
    all
show multicast_fdb vlan <vlan_name 32>
    mac_address <macaddr>
show fdb port <port>
    vlan <vlan_name 32>
    mac_address <macaddr>
    static
    aging_time


Creating a unicast forwarding database entry

To create a static entry, use the following command:

create fdb <vlan_name 32 > <macaddr> port <port>

where:
vlan_name 32 is the name of the VLAN where the MAC address is located.
macaddr is the MAC address that will be added to the switch’s unicast MAC
address forwarding database.
port is the port number on the switch where the specified MAC address resides.
The switch will always forward traffic to the MAC address through this port.

Figure 89 shows the creation of a static MAC address entry, for the MAC address
00-00-00-00-01-02 — which resides on the VLAN named default, on port 2 — to
the switch’s unicast forwarding database.

Figure 89 create fdb command

PP1612G:4# create fdb default 00-00-00-00-01-02 port 2


Command: create fdb default 00-00-00-00-01-02 port 2

Success.

PP1612G:4#

Configuring a unicast forwarding database entry

To configure the age-out time for the switch’s unicast MAC address forwarding
database, use the following command:

config fdb aging_time < sec 10-630>

where:
sec 10-630 is the amount of time, in seconds, that a learned MAC address will
remain in the switch’s MAC address forwarding database, without being used,
before being dropped from the database.


Figure 90 shows how to set the age-out time to 300 seconds.

Figure 90 config fdb command

PP1612G:4# config fdb aging_time 300


Command: config fdb aging_time 300

Success.

PP1612G:4#

Creating a multicast forwarding database entry

To create a static entry, use the following command:

create multicast_fdb <vlan_name 32> <macaddr>

where:
vlan_name 32 is the name of the VLAN where the multicast MAC address is
located.
macaddr is the MAC address that will be added to the switch’s multicast MAC
address forwarding database.

Figure 91 shows how to create a static MAC address entry for the MAC address
00-00-00-00-01-02—which resides on the VLAN named default, on port 2 — to
the switch’s multicast forwarding database:

Figure 91 create multicast_fdb command

PP1612G:4# create multicast default 01-00-5E-00-00-00


Command: create multicast default 01-00-5E-00-00-00

Success.

PP1612G:4#


Configuring the multicast forwarding database

To configure the switch’s multicast forwarding database, use the following
command:

config multicast_fdb <vlan_name 32> <macaddr> [add|delete]
<portlist>

where:
vlan_name 32 is the name of the VLAN where the multicast MAC address is
located.
macaddr is the multicast MAC address. add allows you to add this multicast
MAC address to the switch’s multicast MAC address forwarding database;
delete allows you to remove this address from the database.
portlist specifies a range of ports. Ports are specified by entering the lowest
port number in a group, and then the highest port number in a group, separated by
a hyphen. So, a port group including the switch ports 1, 2, and 3 would be entered
as 1-3. Ports that are not contained within a group are specified by entering their
port number, separated by a comma. So, the port group 1-3 and port 26 would be
entered as 1-3, 26.

Figure 92 shows how to add the multicast MAC address 01-00-5E-00-00-00,
residing on the VLAN named default, and ports 1 through 5, to the switch’s
multicast MAC address forwarding database:

Figure 92 config multicast_fdb

PP1612G:4# config multicast_fdb default 01-00-5E-00-00-00 add 1-5


Command: config multicast_fdb default 01-00-5E-00-00-00 add 1-5

Success.

PP1612G:4#


Deleting an entry from the forwarding database

To delete an entry from the forwarding database, use the following
command:

delete fdb <vlan_name 32 > <macaddr>

where:
vlan_name 32 is the name of the VLAN on which the MAC address resides.
macaddr is the MAC address that you want to delete from the switch’s
forwarding database.

Figure 93 shows how to delete the MAC address 00-00-00-00-01-02, which resides
on the VLAN named default, from the switch’s forwarding database.

Figure 93 delete fdb command

PP1612G:4# delete fdb default 00-00-00-00-01-02


Command: delete fdb default 00-00-00-00-01-02

Success.

PP1612G:4#

Clearing the forwarding database

To clear the switch’s forwarding database of learned MAC addresses, use the
following command:

clear fdb


This command includes the following options:

clear fdb
followed by:
Vlan <vlan_name 32> Specifies the name of the VLAN for which you want to
clear all learned MAC addresses from the switch’s
forwarding database.
Port <port> Specifies the port for which you want to clear all learned
MAC addresses from the switch’s forwarding database.
all Specifies that you want all learned MAC addresses
cleared from the switch’s forwarding database, regardless
of VLAN or port association.

Figure 94 shows how to clear the switch’s forwarding database of all learned
entries.

Figure 94 clear fdb all command

PP1612G:4# clear fdb all


Command: clear fdb all

Success.

PP1612G:4#

Displaying the multicast forwarding database

To display the contents of the switch’s multicast forwarding database, use the
following command:

show multicast_fdb


This command uses the following options:

show multicast_fdb
followed by:

vlan <vlan_name 32> Displays the multicast forwarding database for a single
VLAN.
mac_address <macaddr> Displays the multicast forwarding database entries for a
single multicast MAC address.

Figure 95 displays the multicast forwarding database.

Figure 95 show multicast_fdb command

PP1612G:4# show multicast_fdb


Command: show multicast_fdb

VLAN name : default


MAC address : 01-00-5E-00-00-00
Egress ports : 1-5
Mode : Static

Total entries : 1

PP1612G:4#

Displaying the unicast forwarding database


To display the contents of the switch’s unicast forwarding database, use the
following command:

show fdb


This command uses the following options:

show fdb
followed by:

port <port> Displays the forwarding database for a single port.
vlan <vlan_name 32> Displays the forwarding database for a single VLAN.
mac_address <macaddr> Displays the forwarding database entries for a single
multicast MAC address.
static Displays only the static MAC address entries in the
forwarding database.
aging_time Displays the current age-out time setting.

Figure 96 displays the unicast forwarding database:

Figure 96 show fdb command

PP1648T:4# show fdb


Command: show fdb

Unicast MAC Address Aging Time = 200

VID  VLAN Name        MAC Address       Type      Port
---- ---------------- ----------------- --------- ---------------
1    default          00-09-97-DA-E0-01 Self      CPU
1    default          00-80-2D-4E-A9-00 Dynamic   1
1    default          00-80-2D-C2-CE-08 Dynamic   1
1    default          08-00-20-B0-E9-59 Dynamic   1
1    default          FF-FF-FF-FF-FF-FF Self      CPU

Total Entries: 5

PP1648T:4#


Chapter 7
Configuring link aggregation groups

You use link aggregation to combine a number of ports together to make a single
high-bandwidth data pipeline. The participating ports are called members of a link
aggregation group, with one port designated as the master port.

Since you must configure all members of the link aggregation group to operate in
the same manner, the configuration of the master port is applied to all members of
the link aggregation group. Thus, when configuring the ports in a link aggregation
group, you need to configure only the master port.

The 1600 switch supports link aggregation groups. This may include from 2 to 4
switch ports each, except for a Gigabit link aggregation group which consists of 2
to 4 of the SFP Gigabit Ethernet ports of the front panel.

This chapter describes the commands you use to configure, delete, and show link
aggregation. Specifically, it includes the following topics:

Topic
Roadmap of CLI commands
Creating a link aggregation group
Deleting a link aggregation group
Configuring a link aggregation group

Roadmap of CLI commands


The following roadmap lists all of the link aggregation commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command Parameter
create link_aggregation group_id <value>
delete link_aggregation group_id <value>
config link_aggregation group_id <value>
    master_port <port>
    ports <portlist>
    state [enabled|disabled]
    BDPU_8600_Interop [enabled|disabled]
show link_aggregation group_id <value>

Creating a link aggregation group

Note: Before you add a port to the MLT, you must first add the port to
the VLAN. For instructions on adding ports to a VLAN configuration, see
Chapter 6, “Configuring VLANs.”

To create a link aggregation group, use the following command:

create link_aggregation


This command uses the following options:

create link_aggregation
followed by:

group_id <value> A number from 1 to 7 that identifies the link
aggregation group. The switch allows you to define
up to 7 link aggregation groups. The group ID
identifies the link aggregation group.

Figure 97 shows you how to create a link aggregation group with a group ID of 1.

Figure 97 create link_aggregation command

PP1648T:4# create link_aggregation group_id 1


Command: create link_aggregation group_id 1

Success.

PP1648T:4#

Deleting a link aggregation group


To delete a link aggregation group, use the following command:

delete link_aggregation

This command uses the following options:

delete link_aggregation
followed by:

group_id <value> A number from 1 to 7 that identifies the link
aggregation group you want to delete. The switch
allows you to define up to 7 link aggregation
groups. The group ID identifies the link
aggregation group.

Figure 98 shows you how to delete a link aggregation group with a group ID of 6.


Figure 98 delete link_aggregation command

PP1648T:4# delete link_aggregation group_id 6


Command: delete link_aggregation group_id 6

Success.

PP1648T:4#

Configuring a link aggregation group


To configure a link aggregation group, use the following command:

config link_aggregation

This command uses the following options:

config link_aggregation
followed by:

group_id <value> A number from 1 to 7 that identifies the link
aggregation group you want to configure. The
switch allows you to define up to 7 link aggregation
groups. The group ID identifies the link
aggregation group.
master_port <port> Specifies the port (by port number) that you wish
to designate as the master port of the link
aggregation group. All of the ports in a link
aggregation group share the port configuration
with the master port.
ports <portlist> Specifies a range of ports for which you wish to
display traffic statistics. You specify ports by
entering the lowest port number in a group, and
then the highest, separated by a dash.
For example, you enter a port group including the
switch ports 1, 2, and 3 as 1-3. You specify ports
that are not contained within a group by entering
their port number, separated by a comma. Thus,
you enter the port group 1-3 and port 26 as 1-3,
26.

state [enabled|disabled] Allows you to enable or disable the specified link
aggregation group.
BDPU_8600_Interop [enabled|disabled] Enable this function if you would like
to have an MLT connection between a Passport 8600 and the Passport 1600
under STP.

Figure 99 shows you how to configure a link aggregation group with a group ID
of 1, a master port of 5, and ports 5 through 9 making up the link aggregation
group.

Figure 99 config link_aggregation command

PP1648T:4# config link_aggregation group_id 1 master_port


5 ports 5-10
Command: config link_aggregation group_id 1 master_port 5
ports 5-10

Success.
PP1648T:4#

Displaying the link aggregation configuration

To display a link aggregation configuration, use the following command:

show link_aggregation

This command uses the following options:

show link_aggregation
followed by:

group_id <value> A number from 1 to 7 that identifies the link
aggregation group you want to display. The switch
allows you to define up to 7 link aggregation
groups. The group ID identifies the link
aggregation group.


Figure 100 shows you how to display the link aggregation for group 1 on the
switch.

Figure 100 show link_aggregation command

PP1648T:4# show link_aggregation group_id 1


Command: show link_aggregation group_id 1

Group ID : 1
Master Port : 10
Member Port : 10-12
Status : Enabled
Flooding Port : 10
BDPU 8600 Interop : Disabled

PP1648T:4#


Chapter 8
Configuring QoS

The Passport 1600 Series switches have a number of commands that allow you to
specify how packets from various sources are forwarded to the switch’s four
hardware priority queues. This chapter provides information on configuring
Quality of Service (QoS) and utilizing those hardware queues. Specifically, it
includes the following topics:

Topic

Roadmap of CLI commands
Establishing a QoS scheme
Command overview
Configuring the flow classifier template operating mode
Configuring flow classifier template mode parameters
Displaying the flow classifier template mode
Attaching a flow classifier template
Creating an IP filter for a flow classification template
Deleting an IP filter from a flow classification template
Creating a QoS rule
Deleting a QoS rule
Creating a Layer 4 switch rule
Deleting a Layer 4 switch rule
Creating a forwarding database filter
Deleting a forwarding database filter
Displaying a forwarding database filter
Enabling the IP fragment filter
Disabling the IP fragment filter
Displaying the status of the IP fragment filter
Configuring scheduling
Creating a MAC priority entry
Deleting a MAC priority entry
Displaying MAC priority entries

Roadmap of CLI commands


The following roadmap lists all of the QoS commands and their parameters. Use
this list as a quick reference:

Command
    Parameter

config flow_classifier template_<value 1-2> mode
    [security|qos|l4_switch]

config flow_classifier template_id <value 1-2> mode_parameters
    [subnet_mask {src <netmask>|dst <netmask>}
    |qos_flavor [802.1p|dscp|dst_ip|dst_tcp_port|dst_udp_port]
    |l4_session {tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}
    | udp_session fields {dip|sip|tos|dst_port|src_port}
    | other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}}]

show flow_classifier
    none

config flow_classifier vlan <vlan_name>
    attach template_id <value 1-2>
    detach template_id <value 1-2>

create sec_rule
    [template_id <value 1-2> |src_ip_address <ipaddr>|dst_ip_address <ipaddr>]

delete sec_rule
    [template_id <value 1-2>]|rule_index <value>|all]

create qos_rule template_id <value 1-2>
    802.1p <value 0-7>
    dscp <value 0-63>
    dst_ip <ipaddr>
    dst_tcp_port <tcp_port_number 1-65535>
    dst_udp_port <udp_port_number 1-65535>
    priority <value 0-7>

delete qos_rule template_id <value 1-2>
    rule_index <value>
    all

create l4_switch_rule template_id <value 1-2>
    tcp_session fields (followed by)
        dip <ipaddr>
        sip <ipaddr>
        tos <hex 0x00-0xff>
        dst_port <tcp_port_number 1-65535>
        src_port <tcp_port_number 1-65535>
        tcp_flags ack|fin|psh|rst|syn|urg
    udp_session fields (followed by)
        dip <ipaddr>
        sip <ipaddr>
        tos <hex 0x00-0xff>
        dst_port <tcp_port_number 1-65535>
        src_port <tcp_port_number 1-65535>
    other_session fields (followed by)
        dip <ipaddr>
        sip <ipaddr>
        tos <hex 0x00-0xff>
        protocol [icmp|igmp]
        icmp_message type <hex 0x00-0xff>
        code <hex 0x00-0xff>
        igmp_type [query|response]
    action (followed by)
        drop
        forward <priority 0-7>
        redirect <ipaddr>
        unreachable_next_hop [drop|forward]

delete l4_switch_rule template_id <value 1-2>
    rule_index <value>
    all

create fdbfilter
    vlan <vlan_name> mac_address <macaddr>

delete fdbfilter
    vlan <vlan_name> mac_address <macaddr>
    vlan <vlan_name>
    mac_address <macaddr>
    all

show fdbfilter
    vlan <vlan_name> mac_address <macaddr>
    vlan <vlan_name>
    mac_address <macaddr>

enable ip_fragment_filter

disable ip_fragment_filter

show ip_fragment_filter

config scheduling
    ports [<portlist>/all]
    class_id <value 0-2>
    max_packet <value 6-255>

create mac_priority
    vlan <vlan_name>
    dst_mac_addr <macaddr>
    priority <value 0-7>

delete mac_priority
    vlan <vlan_name> dst_mac_address <macaddr>
    vlan <vlan_name>
    dst_mac_address <macaddr>
    all

show mac_priority
    vlan <vlan_name>
    vlan <vlan_name> dst_mac_addr <macaddr>
    dst_mac_addr <macaddr>

Establishing a QoS scheme


You establish a QoS scheme on the switch by following these three steps:

1 Select one of the two available templates (template_id 1 or template_id 2) to
write the rules to. These are called flow classifiers when you configure them.

2 Set the fields of an incoming packet’s header that the switch examines, as well
as the parameters that must be in those fields, to determine if the packet meets
the criteria of the rule.
3 Specify the action the switch will take when it finds packets that meet the
criteria.

QoS templates

You use the two switch templates (template_id 1 and template_id 2) to house the
packet screening rules in one of three modes:

• security
• qos
• l4_switch

The default operating mode for template 1 is L4 switch mode, while the default
operating mode for template 2 is QoS.

Note: You can operate the two templates in the same mode.
When you change the operating mode of a template, all previously
entered rules are deleted and the switch reboots.
You cannot enter rules that are incompatible with the template’s current
operating mode. For example, you cannot enter QoS rules when the
template is in L4 switch mode.

Security mode

In security mode, incoming packets have their IP headers examined to determine
source and destination subnet addresses. These packets are then filtered if the
addresses are entered into the template’s IP filtering database.

QoS mode

In QoS mode, an incoming packet’s priority information is examined to determine
if the QoS rules should be applied, and the packet forwarded to a specified priority
queue.

L4 switch mode

In L4 switch mode, an incoming packet’s TCP, UDP, or other header information
is examined to determine if the L4 switch rule should be applied. The packet is
then either forwarded or dropped, as specified.

Command overview
Table 10 provides an overview of the QoS commands and their functions.

Table 10 QoS command overview

Command
    Description

config flow_classifier template_<value 1-2> mode
    Configures the operating mode of a template.

config flow_classifier template_id <value 1-2> mode_parameters
    Configures the fields in the header of an incoming packet that the
    switch examines.

config flow_classifier vlan <vlan_name> attach template_id <value 1-2>
    Attaches an already-created template to a VLAN.

create sec_rule
delete sec_rule
    Adds or deletes IP subnet filters to a template in Security mode.

create dst_ipfilter
delete dst_ipfilter
    Adds or deletes destination IP addresses to be filtered from the Switch.

create qos_rule
delete qos_rule
    Adds or deletes QoS rules and actions to a template in Qos mode.

create l4_switch_rule
delete l4_switch_rule
    Adds or deletes rules and actions from a template in L4_switch mode.

create fdbfilter
delete fdbfilter
show fdbfilter
enable ip_fragment_filter
disable ip_fragment_filter
show ip_fragment_filter
    Applies to both templates, and the VLANs to which the templates are
    bound, regardless of the template’s operating mode.
    Note: You do not need fdbfilter to bind with a VLAN; however,
    ip_fragment_filter should be in the template with the bound VLAN.

config scheduling
    Assigns weights to the switch’s round-robin priority queue
    transmission scheme. This command is independent of the current
    template.

create mac_priority
delete mac_priority
show mac_priority
    Directs packets with a specified MAC address as their destination to a
    specified priority queue. These commands are independent of the
    current template.

Configuring the flow classifier template operating mode


The Passport 1600 Series switches allow you to define two templates for flow
classification, and then add some rules that determine what the switch will do with
packets that meet the criteria established in these templates. To modify the
operation mode of both flow templates, enter the following command:

config flow_classifier template_<value 1-2> mode

There are two steps involved in modifying a flow classification template.

1 Delete all active rules.
2 Save the modified flow classification template to the switch’s NV-RAM, and
restart the switch.

Once you restart the switch, you must then attach the flow classification template
to a VLAN using the config flow_classifier vlan <vlan_name>
attach template_id <value 1-2> command. For more information on
this command, see “Attaching a flow classifier template” on page 201.

When adding rules to a template, remember that the rules must be compatible with
the template’s operating mode. For example, you cannot add a QoS rule to a
security or l4_switch mode template.


This command uses the following option:

config flow_classifier template_<value 1-2> mode
followed by:

[security|qos|l4_switch]
    This sets the operating mode of the template.
    In security mode, incoming packets have their IP headers examined to
    determine source and destination subnet IP addresses. These packets
    are then filtered if the addresses are entered into the template’s IP
    filtering database.
    In qos mode, you can create qos-related rules to forward incoming
    packets to the switch’s various priority queues.
    In l4_switch mode, incoming packets are examined to determine the
    values in their L3 and L4 packet headers.

Figure 101 shows how to configure template 1 in security mode and template 2 in
qos mode.

Figure 101 config flow classifier template_<value 1-2> mode command

PP1612G:4# config flow_classifier template_1 mode security template_2 mode qos
Command: config flow_classifier template_1 mode security template_2 mode qos

WARNING: Change templates' modes results in system reboot! Will you continue anyway[Y/N]?
Saving all configurations to NV-RAM.......... 100 %
Success.
PP1648G:4#


Configuring flow classifier template mode parameters


To configure the flow classifier template mode parameters for the template whose
operating mode you configured using the config flow_classifier
template_id <value 1-2> mode command, enter the following:

config flow_classifier template_id <value 1-2> mode_parameters

For a template operating in security mode, you must enter the source and
destination IP subnet masks using the config flow_classifier command, and then
enter the source and destination IP address part of the network addresses using the
create sec_rule command, as shown below. Entering a zero source netmask (src
0.0.0.0) will instruct the switch to ignore source IP subnets when filtering.
Entering a zero destination netmask (dst 0.0.0.0) will instruct the switch to ignore
destination IP subnets when filtering.

For a template operating in qos mode, you must select the qos_flavor from the
following list: 802.1p value, dscp value, destination TCP port number, destination
UDP port number, or destination IP.

For a template operating in l4_switch mode, you must define a combination of
TCP session, UDP session, or other session fields for rules (created later) to fill.

This command uses the following options:

config flow_classifier template_id <value 1-2> mode_parameters
followed by:

[subnet_mask {src <netmask>|dst <netmask>}
|qos_flavor [802.1p|dscp|dst_ip|dst_tcp_port|dst_udp_port]
|l4_session {tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}
| udp_session fields {dip|sip|tos|dst_port|src_port}
| other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}}]

    subnet_mask {src <netmask>|dst <netmask>} allows you to enter subnet
    masks for source and destination subnets that you can use in
    combination with IP addresses entered with the create sec_rule command,
    shown below, to filter source and destination IP subnets. These
    parameters are used with templates that are in the security operating
    mode. You can define the IP subnet filter as a source-only IP subnet
    filter by entering a source netmask of zero (config flow classifier src
    0.0.0.0) or a destination-only IP subnet filter by entering a source
    netmask of zero (config flow classifier dst 0.0.0.0). If both the source
    and destination netmasks are entered as 0.0.0.0 then no IP subnet
    filtering will take place.

    qos_flavor allows you to select the criteria used to determine what
    the switch does with packets that meet this criteria. You must choose
    between the value in an incoming packet’s 802.1p, dscp, dst_ip,
    dst_tcp_port, or dst_udp_port fields. If you select 802.1p, then
    incoming packets will have their 802.1p priority fields examined.

    l4_session allows you to modify the following types of fields:
    • tcp_session fields allows you to select a combination of TCP fields
      in an incoming packet’s header that the switch examines. You can
      choose a combination of the dip, sip, tos, dst_port, src_port, or
      tcp_flags fields in an incoming packet’s TCP header for the switch to
      examine.
    • udp_session fields allows you to select a combination of UDP fields
      in an incoming packet’s header that the switch examines. You can
      choose a combination of the dip, sip, tos, dst_port, or src_port
      fields in an incoming packet’s UDP header for the switch to examine.
    • other_session fields allows you to select from the following fields
      of an incoming packet’s header that the switch examines. You can
      choose a combination of dip, sip, tos, l4_protocol, icmp_msg or
      igmp_type fields in an incoming packet’s header for the switch to
      examine.


Figure 102 shows you how to set the switch’s QoS criteria to examine the 802.1p
priority field of incoming packets.

Figure 102 config flow classifier template_id <value 1-2> mode_parameters

PP1612G:4# config flow_classifier template_id 2 mode_parameters qos_flavor 802.1p
Command: config flow_classifier template_id 2 mode_parameters qos_flavor 802.1p

Success.
PP1648G:4#

Displaying the flow classifier template mode


To display the flow classifier template mode, enter the following:

show flow_classifier

This command contains no parameters.

Figure 103 shows sample results of this command. In this example, the command
shows that Template 1 is in Security mode and Template 2 is in QoS mode.


Figure 103 show flow_classifier command

PP1612G:4# show flow_classifier
Command: show flow_classifier

Flow Template Table:

Template ID: 1 Template ID: 2
Template Mode: SECURITY Template Mode: QOS
SrcSubnet Mask: 255.255.255.255 QoS Flavor: 802.1P
DstSubnet Mask: 0.0.0.0

Rule Number: 0 Rule Number: 0
Attached Vlan: Attached Vlan:

PP1648G:4#

Attaching a flow classifier template


To attach a flow classifier template to the VLAN, enter the following command:

config flow_classifier vlan <vlan_name>

Packets that are received from this VLAN are examined by the switch to
determine if they meet the criteria in the template. If so, the switch takes the
actions specified in the template. Packets that are received from VLANs that are
not attached to a template are not examined in this way.

This command uses the following options:

config flow_classifier vlan <vlan_name>
followed by:

attach template_id <value 1-2>
    Attaches an already-created template to a VLAN.
detach template_id <value 1-2>
    Detaches a template from a VLAN.


Figure 104 shows you how to attach template_id 2 to a VLAN named 77.

Figure 104 config flow_classifier vlan <vlan_name> command

PP1648G:4#config flow_classifier vlan 77 attach template_id 2
Command: config flow_classifier vlan 77 attach template_id 2

Success.

PP1648G:4#
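
The constraints described so far (a mode change reboots the switch and deletes the template's rules, rules must match the template's mode, and only packets from attached VLANs are examined) can be checked against a planned change script before it is pasted into the CLI. The following Python linter is an added example, not Nortel code; it uses the command names from this chapter's roadmap, and the sample script, the finding codes and the assumption that attachments must be re-entered after a mode change are constructed for illustration.

```python
import re

# Defaults and rule/mode pairing as stated in this chapter.
DEFAULT_MODES = {1: "l4_switch", 2: "qos"}
RULE_MODE = {"sec_rule": "security", "qos_rule": "qos",
             "l4_switch_rule": "l4_switch"}

MODE_RE = re.compile(r"template_([12]) mode (security|qos|l4_switch)\b")
RULE_RE = re.compile(
    r"^create (sec_rule|qos_rule|l4_switch_rule) template_id ([12])\b")
VLAN_RE = re.compile(
    r"^config flow_classifier vlan (\S+) (attach|detach) template_id ([12])\b")
DSTF_RE = re.compile(r"^create dst_ipfilter ip_address (\S+)")

# Constructed sample change script (not taken from a real switch).
SAMPLE = """
config flow_classifier template_1 mode security template_2 mode qos
config flow_classifier template_id 1 mode_parameters subnet_mask src 255.0.0.0 dst 255.0.0.0
create sec_rule template_id 1 src_ip_address 10.20.30.40 dst_ip_address 10.20.30.40
create qos_rule template_id 1 802.1p 3 priority 7
create qos_rule template_id 2 802.1p 3 priority 7
config flow_classifier vlan 77 attach template_id 2
create dst_ipfilter ip_address 10.42.73.5
"""


def lint(script, modes=None):
    """Return (line_no, code, message) findings for a planned change script.

    modes: template modes currently on the switch (defaults to the factory
    modes). line_no 0 marks a finding about the end state of the script.
    """
    modes = dict(modes or DEFAULT_MODES)
    rules = {1: 0, 2: 0}            # rules entered by this script
    vlans = {1: set(), 2: set()}    # VLANs attached by this script
    out = []
    for n, raw in enumerate(script.strip().splitlines(), 1):
        line = raw.strip()
        if line.startswith("config flow_classifier template_"):
            # mode_parameters lines use "template_id" and do not match here.
            for tid, mode in MODE_RE.findall(line):
                tid = int(tid)
                if mode != modes[tid]:
                    out.append((n, "MODE_CHANGE",
                                f"template {tid}: {modes[tid]} -> {mode} "
                                "reboots the switch and deletes its rules"))
                    modes[tid], rules[tid] = mode, 0
                    vlans[tid].clear()  # assumption: attach again after restart
            continue
        m = RULE_RE.match(line)
        if m:
            kind, tid = m.group(1), int(m.group(2))
            if RULE_MODE[kind] != modes[tid]:
                out.append((n, "INCOMPATIBLE",
                            f"{kind} needs {RULE_MODE[kind]} mode, "
                            f"template {tid} is in {modes[tid]} mode"))
            else:
                rules[tid] += 1
            continue
        m = VLAN_RE.match(line)
        if m:
            vlan, verb, tid = m.group(1), m.group(2), int(m.group(3))
            if verb == "attach":
                vlans[tid].add(vlan)
            else:
                vlans[tid].discard(vlan)
            continue
        m = DSTF_RE.match(line)
        if m:
            out.append((n, "GLOBAL_DROP",
                        f"packets to {m.group(1)} are dropped regardless "
                        "of template mode"))
    for tid in (1, 2):
        if rules[tid] and not vlans[tid]:
            out.append((0, "UNATTACHED",
                        f"template {tid} holds {rules[tid]} rule(s) but no "
                        "VLAN is attached, so no packets are examined"))
    return out


if __name__ == "__main__":
    for line_no, code, message in lint(SAMPLE):
        print(f"line {line_no}: {code}: {message}")
```
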

Creating an IP filter for a flow classification template


To specify both source and destination IP network addresses (in combination with
the subnet_mask {src <netmask>|dst <netmask>} parameters entered with the
config flow_classifier command, as shown above) to be filtered from the switch,
use the following command (it is assumed in this case that the source and
destination netmasks are entered using the config flow_classifier command as
255.0.0.0):

create sec_rule template_id 1 src_ip_address 10.20.30.40 dst_ip_address 10.20.30.40

Filtering source and destination subnets is then accomplished in two steps. First,
enter the source and destination subnet masks using the config flow_classifier {src
<netmask>|dst <netmask>} command and attach the flow classifier to a VLAN
and to a template. Second, enter the IP address part of the subnet’s network
address using the create sec_rule template_id <value 1-2> src_ip_address
<ipaddr>|dst_ip_address <ipaddr> command.

You can define the IP subnet filter as a source-only IP subnet filter by entering a
source netmask of zero (config flow classifier src 0.0.0.0) or a destination-only IP
subnet filter by entering a destination netmask of zero (config flow classifier dst
0.0.0.0). If both the source and destination netmasks are entered as 0.0.0.0 then no
IP subnet filtering will take place.


Note:
1. When you specify a source and destination network address filter (src
and dst), the IP address part of the network address is template-dependent.
You must first enter the source and destination subnet masks using the
config flow_classifier {src <netmask>|dst <netmask>} command. Then
you can enter the IP address part of the source and destination network
addresses using the create sec_rule command, which will be assigned to the
specified template (1 or 2). The template that the sec_rule is assigned to
also must be in the security operating mode.
2. You can define the IP subnet filter as a source-only IP subnet filter by
entering a source netmask of zero (config flow classifier src 0.0.0.0) or a
destination-only IP subnet filter by entering a destination netmask of zero
(config flow classifier dst 0.0.0.0). If both the source and destination
netmasks are entered as 0.0.0.0 then no IP subnet filtering will take place.
3. A memory limitation exists here. The two templates, template_id 1 and
template_id 2, share the same amount of memory. If you reach the
maximum amount of memory for one template, then you cannot enter any
more rules for the remaining template. Security mode has a maximum of
64 rule entries if the combination is L4_Switch/SEC, SEC/Qos and SEC/
SEC.
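
Because the netmasks are set once per template and each sec_rule supplies only the address part, a rule entered as a host address covers the whole masked subnet. The following Python model is an added example, not Nortel code, that computes what each rule covers and whether a given packet would be filtered. It assumes that a packet is filtered when both its masked source and masked destination equal a rule's masked addresses, that a 0.0.0.0 mask means that side is ignored, and that two 0.0.0.0 masks disable subnet filtering; the class and method names are hypothetical.

```python
import ipaddress

MAX_SEC_RULES = 64  # security-mode rule limit stated in the note above


def _masked(ip, mask):
    """Integer value of ip with the template-wide netmask applied."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


class SecurityTemplate:
    """Model of one flow classifier template in security mode.

    Assumed semantics (not vendor code): see the lead-in above.
    """

    def __init__(self, src_mask, dst_mask):
        self.src_mask = src_mask   # config flow_classifier ... src <netmask>
        self.dst_mask = dst_mask   # config flow_classifier ... dst <netmask>
        self.rules = []            # (src_ip_address, dst_ip_address) pairs

    def create_sec_rule(self, src_ip, dst_ip):
        if len(self.rules) >= MAX_SEC_RULES:
            raise ValueError("security template already holds 64 rules")
        self.rules.append((src_ip, dst_ip))

    @staticmethod
    def _covered(ip, mask):
        """Subnet a rule address really covers, or None if that side is ignored."""
        if mask == "0.0.0.0":
            return None
        return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

    def coverage(self):
        """(source subnet, destination subnet) actually matched by each rule."""
        return [(self._covered(s, self.src_mask), self._covered(d, self.dst_mask))
                for s, d in self.rules]

    def is_filtered(self, pkt_src, pkt_dst):
        """True if a packet with these addresses matches any rule."""
        if self.src_mask == "0.0.0.0" and self.dst_mask == "0.0.0.0":
            return False  # both masks zero: no IP subnet filtering takes place
        for rule_src, rule_dst in self.rules:
            src_ok = _masked(pkt_src, self.src_mask) == _masked(rule_src, self.src_mask)
            dst_ok = _masked(pkt_dst, self.dst_mask) == _masked(rule_dst, self.dst_mask)
            if src_ok and dst_ok:
                return True
        return False


if __name__ == "__main__":
    # Masks and rule from this section's example: 255.0.0.0 on both sides.
    wide = SecurityTemplate("255.0.0.0", "255.0.0.0")
    wide.create_sec_rule("10.20.30.40", "10.20.30.40")
    print("rule covers:", wide.coverage())
    print("10.99.1.1 -> 10.200.0.5 filtered:",
          wide.is_filtered("10.99.1.1", "10.200.0.5"))

    # Masks shown in Figure 103: exact source host, destination ignored.
    host = SecurityTemplate("255.255.255.255", "0.0.0.0")
    host.create_sec_rule("192.32.96.54", "192.32.96.54")
    print("rule covers:", host.coverage())
```
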

This command uses the following options:

create sec_rule
followed by:

[template_id <value 1-2> |src_ip_address <ipaddr>|dst_ip_address <ipaddr>]
    Allows you to filter the source (src) and destination (dst) IP
    addresses. You must specify which of the two available templates this
    filter will apply to, and ensure that this template is in the security
    operating mode.

Figure 105 shows you how to filter packets with a source and destination IP
address of 192.32.96.54.


Figure 105 create sec_rule command

PP1612G:4#create sec_rule template_id 1 src_ip_address 192.32.96.54 dst_ip_address 192.32.96.54
Command: create sec_rule template_id 1 src_ip_address 192.32.96.54 dst_ip_address 192.32.96.54

Success.

PP1612G:4#

Deleting an IP filter from a flow classification template


To delete all previously-entered IP address filters from the switch’s template 1, use
the following command:

delete sec_rule template_id 1 all

Note:
1. When you want to delete an IP address filter, you must specify the
template_id <value 1-2> for this IP filter, along with the rule_index
<value>.
2. When you want to delete all IP address filters from a template in the
security mode, you do not need to specify the rule_index. You have the
option of specifying all.


This command uses the following options:

delete sec_rule
followed by:

[template_id <value 1-2>]|rule_index <value>|all]
    Allows you to uniquely identify the filter you want to delete.
    If you want to delete an IP address filter, you must specify which of
    the two available templates this filter applies to.
    If you want to delete all filters from a template in the security
    mode, you do not need to specify the rule_index. You have the option
    of specifying all, which will delete all of the IP address filters for
    that template.

Figure 106 shows you how to delete all IP filters from template 1.

Figure 106 delete sec_rule command

PP1612G:4#delete sec_rule template_id 1 all
Command: delete sec_rule template_id 1 all

Success.

PP1612G:4#

Creating a destination IP address filter


To specify a destination IP address to be filtered from the switch, use the
following command:

create dst_ipfilter ip_address 10.42.73.5

If you filter by destination, it means that packets with the specified IP address as
the destination are dropped.


Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.

This command uses the following options:

create dst_ipfilter
followed by:

ip_address <ipaddr>
    If you want to filter the IP address as a destination (dst), you do
    not need to specify the template id. The switch drops packets that
    have the IP address entered previously as their destination regardless
    of what operating mode the templates are in.

Figure 107 shows you how to filter packets with a destination IP address of
192.32.96.54.

Figure 107 create dst_ipfilter command

PP1612G:4#create dst_ipfilter ip_address 192.32.96.54
Command: create dst_ipfilter ip_address 192.32.96.54

Success.

PP1612G:4#


Deleting a destination IP address filter


To delete all previously-entered destination IP address filters from the switch, use
the following command:

delete dst_ipfilter all

Because of the way IP filters are identified within the switch, you must enter the
same destination IP address to delete a specific IP filter, or specify all to instruct
the switch to delete all destination IP address filters that have been entered.

Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.

This command uses the following options:

delete dst_ipfilter
followed by:

[ip_address <ipaddr>|all]
    Allows you to uniquely identify the filter you want to delete.
    If you want to delete a filter for an IP address as a destination
    (dst), you do not need to specify the template id. You have the option
    of deleting a specific IP address or deleting all destination IP
    filters.

Figure 108 shows you how to delete an IP filter with a destination IP address of
192.32.96.54.


Figure 108 delete dst_ipfilter command

PP1612G:4#delete dst_ipfilter ip_address 192.32.96.54
Command: delete dst_ipfilter ip_address 192.32.96.54

Success.

PP1612G:4#

Displaying the destination IP address filter table


To display all previously-entered destination IP address filters on the switch, use
the following command:

show dst_ipfilter

Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.

This command has no additional options:

show dst_ipfilter
followed by:

There are no options.

Figure 109 shows you how to display the current contents of the switch’s
destination IP address filter table.


Figure 109 show dst_ipfilter command

PP1612G:4#show dst_ipfilter
Command: show dst_ipfilter

Destination IP Filter Table:

Destination IP Address
----------------------
10.42.73.5
Total Entries: 1

PP1612G:4#

Creating a QoS rule


To add a QoS rule to a template, use the following command:

create qos_rule template_id <value 1-2>

A QoS rule determines the priority queuing of an incoming packet. The following
steps are used to determine the appropriate priority queuing of a packet.

1 The switch checks to see if the packet’s source VLAN is bound to the
template in current use.
2 If the current template is bound to the source VLAN, the switch checks the
template to see if it is in qos mode.
3 If the current template is in qos mode, the switch then applies any qos_rule
that has been entered into the template.
4 If there is no qos_rule, or the packet does not match the criteria of the
qos_rule, the packet’s priority tag determines priority queuing.
5 If the packet has no priority tag, the switch uses the default priority setting or
the MAC address priority setting (if the source MAC address is in the MAC
address priority table).

QoS rules affect all packets that are received by the switch from VLANs to which
the template containing the QoS rules is bound.


The create qos_rule command is structured in two parts.

1 It specifies the protocol (802.1p, dscp, dst_ip, dst_tcp_port, and dst_udp_port)
and a parameter that will be compared to the protocol’s parameter written in
an incoming packet’s header.
If an incoming packet’s protocol parameter matches the protocol parameter
entered with the create qos_rule command, the switch takes the action you
specify in the second part of this command.

2 It allows you to specify the priority queue (priority <value 0-7>) the
switch will forward packets that match the protocol and parameter criteria to.
The switch has four hardware priority queues, and the 8 levels of priority
specified by priority <value 0-7> are mapped (by default) to these four
priority queues. For example, 0, 1, and 2 specify the switch’s lowest priority
queue, 3 and 4 specify the next lowest priority queue, 5 and 6 specify the next
highest priority queue, and 7 specifies the highest priority queue.
3 For example, 0 and 1 correspond to the switch’s highest priority queue, 2 and
3 correspond to the next lowest priority queue, and so on until 6 and 7 specify
the switch’s lowest priority queue.
You can configure the mapping using the config scheduling command.
Incoming packets must also be from a VLAN to which the template that
contains the QoS rule is attached.

Note: Qos mode has a maximum of 64 rule entries if the combination is
L4_Switch/Qos, SEC/QoS and Qos/QoS.

This command uses the following options:

create qos_rule template_id <value 1-2>
followed by:

802.1p <value 0-7>
    Specifies the value of an incoming packet’s 802.1p priority tag that
    you want the switch to send to the priority queue you designate with
    priority <value 0-7>.
dscp <value 0-63>
    Specifies the value of an incoming packet’s DSCP field that you want
    the switch to send to the priority queue you designate with priority
    <value 0-7>.
dst_ip <ipaddr>
    Specifies the IP address of an incoming packet’s destination IP
    address field that you want the switch to send to the priority queue
    you designate with priority <value 0-7>.
dst_tcp_port <tcp_port_number 1-65535>
    Specifies the TCP port number of an incoming packet’s destination TCP
    port field that you want the switch to send to the priority queue you
    designate with priority <value 0-7>.
dst_udp_port <udp_port_number 1-65535>
    Specifies the UDP port number of an incoming packet’s destination UDP
    port field that you want the switch to send to the priority queue you
    designate with priority <value 0-7>.
priority <value 0-7>
    The priority queue to which you want the switch to send packets that
    meet the criteria entered previously. The switch’s default mapping
    between the 8 priority levels specified here, and the switch’s four
    hardware priority queues is to map so that:
    • 0 and 1 and 2 correspond to the switch’s highest priority queue
    • 3 and 4 correspond to the next lowest priority queue
    • 5 and 6 correspond to an even lower priority queue
    • 7 specifies the switch’s lowest priority queue
    This default mapping can be configured differently by a user.

Figure 110 shows how to configure a QoS rule to be added to template_id 2 to
send incoming packets with an 802.1p value of 3 to the switch’s lowest priority
queue (priority 7).


Figure 110 create qos_rule command

PP1648G:4#create qos_rule template_id 2 802.1p 3 priority 7
Command: create qos_rule template_id 2 802.1p 3 priority 7

Success.

PP1648G:4#

Deleting a QoS rule


To delete a QoS rule that was entered into a template, use the following command:

delete qos_rule template_id <value 1-2>

QoS rules are identified by the template id of the template they are entered into,
and by the numerical order in which they are entered.

This command uses the following options:

delete qos_rule template_id <value 1-2>
followed by:

rule_index <value>
    Deletes the QoS rule specified by the number of value. QoS rules are
    entered into a template in numerical order.
all
    Deletes all of the QoS rules assigned to the specified template.

Figure 111 shows how to delete the QoS rule that was entered into template_id 2
in Figure 110. In that example, only 1 QoS rule was entered, so the rule has a
rule_index of 1.


Figure 111 delete qos_rule command

PP1648G:4#delete qos_rule template_id 2 rule_index 1
Command: delete qos_rule template_id 2 rule_index 1

Success.

PP1648G:4#

Creating a Layer 4 switch rule


To add a Layer 4 switch rule to a template, use the following command:

create l4_switch_rule template_id <value 1-2>

A layer 4 rule determines whether or not the switch forwards a packet, the priority
queuing of an incoming packet, or where the switch forwards a packet if the next
router hop is unreachable. The following steps determine whether an incoming
packet is subject to an l4_switch_rule.

1 The switch checks to see if the packet’s source VLAN is bound to the
template in current use.
2 If the current template is bound to the source VLAN, the switch then checks
the template to see if it is in l4_switch mode.
3 If the current template is in l4_switch mode, the switch then applies any
l4_switch_rule that has been entered into the template.
4 If there is no l4_switch_rule, or the packet does not match the criteria of the
l4_switch_rule, the packet is forwarded or dropped according to the switch’s
default settings.

l4_switch_rules affect all packets that are received by the switch from VLANs to
which the template containing the l4_switch_rules is bound.

The create l4_switch_rule command is structured in two parts.

1 It specifies the session type (tcp_session, udp_session, and other_session) and
a combination of parameters that will be compared to the parameters written
in an incoming packet’s header.
If an incoming packet’s parameters match the parameters entered with the
create l4_switch_rule command, the switch takes the action you specify in the
second part of this command.

2 It allows you to specify the action the switch takes on packets that match the
parameters entered in the first part of the command. These actions are drop,
forward <priority 0-7>, and redirect <ipaddr> unreachable next hop [drop/
forward]. Incoming packets must also be from a VLAN to which the template
that contains the l4_switch_rules is bound.

Both templates (template_id 1 and template_id 2) share the same physical
memory. There is only enough memory to hold a maximum of 192
l4_switch_rules. The memory used to store these l4_switch_rules is
shared between the two templates. If you enter 192 l4_switch_rules into
template_id 1, then there will be no memory remaining to enter
l4_switch_rules into template_id 2.

This command uses the following options:

create l4_switch_rule template_id <value 1-2>
followed by:

tcp_session fields                  The switch examines the packet’s TCP header to
followed by a combination of:       determine if the packet meets the criteria entered
                                    below.
dip <ipaddr>                        A destination IP address.
sip <ipaddr>                        A source IP address.
tos <hex 0x00-0xff>                 The Type of Service (ToS) entry into a packet’s IP
                                    header.
dst_port                            A destination TCP port number.
<tcp_port_number 1-65535>
src_port                            A source TCP port number.
<tcp_port_number 1-65535>
tcp_flags                           The TCP flag bit in a packet’s IP header. A packet
                                    can be examined for the following TCP flags:
                                    ack - the acknowledge number is valid.
                                    fin - finished flag, the sender is finished
                                    sending data.
                                    psh - the receiver should pass this packet to the
                                    application as soon as possible.
                                    rst - reset flag, reset the connection.
                                    syn - synchronize flag, synchronize the
                                    sequence numbers.
                                    urg - urgent, an emergency packet.
udp_session fields                  The switch will examine the packet’s UDP header
followed by a combination of:       to determine if the packet meets the criteria
                                    entered below.
dip <ipaddr>                        A destination IP address.
sip <ipaddr>                        A source IP address.
tos <hex 0x00-0xff>                 The Type of Service entry into a packet’s IP
                                    header.
dst_port                            A destination TCP port number.
<tcp_port_number 1-65535>
src_port                            A source TCP port number.
<tcp_port_number 1-65535>
other_session fields                The switch will examine the packet’s header (other
followed by a combination of:       than TCP or UDP) to determine if the packet meets
                                    the criteria entered below.
dip <ipaddr>                        A destination IP address.
sip <ipaddr>                        A source IP address.
tos <hex 0x00-0xff>                 The Type of Service entry into a packet’s IP
                                    header.
protocol [icmp|igmp]                The protocol field in a packet’s IP header. This
                                    parameter also has the following available options:
                                    [dip | sip | tos | icmp_message |
                                    igmp_type | action]
icmp_message type                   Identifies the ICMP message type. Enter a
<hex 0x00-0xff> code                hexadecimal value, in the range 0x00 to 0xff.
<hex 0x00-0xff>
igmp_type                           Identifies the IGMP type. For igmp_type
[query|response]                    query, the available options are:
                                    [dip | sip | tos | protocol |
                                    icmp_message | action].
                                    For igmp_type response, the available
                                    options are:
                                    [version_1|version_2|all]
action                              This starts the part of the create l4_switch_rule
followed by:                        command where you specify what you want the
                                    switch to do when it finds a packet that meets the
                                    criteria above.
drop                                The packet will be dropped.
forward <priority 0-7>              The packet will be forwarded to the priority queue
                                    specified by <priority 0-7>. If no priority value is
                                    specified, the packet will be forwarded according to
                                    the switch’s default user priority settings.
redirect <ipaddr>                   The packet will be redirected to the IP address
unreachable_next_hop                specified with <ipaddr>. If the IP address <ipaddr>
[drop|forward]                      does not exist in the ARP table, the packet will
                                    become an “unreachable next hop” packet. If drop
                                    is specified, the packet will be dropped. If forward
                                    is specified, the switch will search its routing table
                                    for the destination IP address of the packet.

Figure 112 shows how to configure an l4_switch_rule to be added to template_id 1.

Figure 112 create l4_switch_rule command

PP1612G:4# create l4_switch_rule template_id 1
tcp_session fields dip 10.1.1.1 sip 10.2.2.2 tos 0xAB
dst_port 1000 src_port 2000 tcp_flags ack fin syn psh rst
urg action redirect 10.3.3.3 unreachable_next_hop forward
Command: create l4_switch_rule template_id 1 tcp_session
fields dip 10.1.1.1 sip 10.2.2.2 tos 0xAB dst_port 1000
src_port 2000 tcp_flags ack fin syn psh rst urg action
redirect 10.3.3.3 unreachable_next_hop forward

Success.

PP1612G:4#
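
The four evaluation steps and the redirect fallback described in this section, modelled in Python as an added example (not Nortel code), using the rule from Figure 112. The class and function names, the first-match rule order, the "all listed tcp_flags must be set" comparison, and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_L4_RULES = 192  # rule memory shared by template_id 1 and 2 (from the guide)


@dataclass
class L4Rule:
    session: str                        # tcp_session, udp_session or other_session
    criteria: dict                      # only fields named in the rule are compared
    action: str                         # drop, forward or redirect
    priority: Optional[int] = None      # forward <priority 0-7>
    redirect_ip: Optional[str] = None   # redirect <ipaddr>
    unreachable_next_hop: str = "drop"  # drop or forward


@dataclass
class Template:
    mode: str = "qos"                   # "qos" or "l4_switch"
    bound_vlans: set = field(default_factory=set)
    rules: list = field(default_factory=list)


def field_matches(name, wanted, packet):
    # Assumption: every tcp_flags value listed in the rule must be set in the packet.
    if name == "tcp_flags":
        return set(wanted) <= set(packet.get("tcp_flags", ()))
    return packet.get(name) == wanted


class Switch:
    def __init__(self, arp_table=()):
        self.templates = {1: Template(), 2: Template()}
        self.arp_table = set(arp_table)  # next hops that have an ARP entry

    def create_l4_switch_rule(self, template_id, rule):
        if sum(len(t.rules) for t in self.templates.values()) >= MAX_L4_RULES:
            raise MemoryError("192 l4_switch_rules already stored across both templates")
        rules = self.templates[template_id].rules
        rules.append(rule)
        return len(rules)  # rule_index: numerical order of entry

    def evaluate(self, packet):
        # Step 1: is the packet's source VLAN bound to a template?
        tmpl = next((t for t in self.templates.values()
                     if packet["vlan"] in t.bound_vlans), None)
        # Step 2: is that template in l4_switch mode?
        if tmpl is None or tmpl.mode != "l4_switch":
            return "default"
        # Step 3: apply the template's rules (assumption: first match wins).
        for rule in tmpl.rules:
            if rule.session == packet["session"] and all(
                    field_matches(n, w, packet) for n, w in rule.criteria.items()):
                return self.apply(rule)
        # Step 4: no rule, or no match: the switch's default settings decide.
        return "default"

    def apply(self, rule):
        if rule.action == "drop":
            return "drop"
        if rule.action == "forward":
            return ("forward:default-priority" if rule.priority is None
                    else f"forward:priority-{rule.priority}")
        if rule.redirect_ip in self.arp_table:
            return f"redirect:{rule.redirect_ip}"
        # Redirect target missing from the ARP table: "unreachable next hop" packet.
        return "drop" if rule.unreachable_next_hop == "drop" else "forward:routing-table"


def figure_112_demo():
    """Rebuild the Figure 112 rule and evaluate constructed sample packets."""
    sw = Switch(arp_table={"10.3.3.3"})
    sw.templates[1].mode = "l4_switch"
    sw.templates[1].bound_vlans.add("default")
    flags = ("ack", "fin", "syn", "psh", "rst", "urg")
    sw.create_l4_switch_rule(1, L4Rule(
        session="tcp_session",
        criteria={"dip": "10.1.1.1", "sip": "10.2.2.2", "tos": 0xAB,
                  "dst_port": 1000, "src_port": 2000, "tcp_flags": flags},
        action="redirect", redirect_ip="10.3.3.3", unreachable_next_hop="forward"))
    pkt = {"vlan": "default", "session": "tcp_session", "dip": "10.1.1.1",
           "sip": "10.2.2.2", "tos": 0xAB, "dst_port": 1000, "src_port": 2000,
           "tcp_flags": flags}
    results = {
        "match": sw.evaluate(pkt),
        "unbound_vlan": sw.evaluate({**pkt, "vlan": "v2"}),
        "other_port": sw.evaluate({**pkt, "dst_port": 80}),
    }
    sw.arp_table.clear()  # 10.3.3.3 no longer has an ARP entry
    results["unreachable"] = sw.evaluate(pkt)
    return results


if __name__ == "__main__":
    for case, verdict in figure_112_demo().items():
        print(f"{case:13} -> {verdict}")
```

The unbound_vlan case is the one to check when auditing a configuration: a rule with action drop gives no protection for traffic arriving on a VLAN that is not bound to the template, because that traffic falls through to the switch's default settings.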

Deleting a Layer 4 switch rule


To delete a Layer 4 switch rule entered into a template, use the following
command:

delete l4_switch_rule template_id <value 1-2>

l4_switch_rules are identified by the template id of the template they are entered
into, and by the numerical order in which they are entered.

This command uses the following options:

delete l4_switch_rule template_id <value 1-2>
followed by:

rule_index <value>          Deletes the L4 switch rule specified by the number
                            of value. L4 switch rules are entered into a
                            template in numerical order.
all                         Deletes all of the L4 switch rules assigned to the
                            specified template.


Figure 113 shows how to delete the l4_switch_rule that was entered to
template_id 1 in Figure 112. In that example, only 1 l4_switch_rule was entered,
so the rule has a rule_index of 1.

Figure 113 delete l4_switch_rule command

PP1648G:4#delete l4_switch_rule template_id 1 rule_index 1


Command: delete l4_switch_rule template_id 1 rule_index 1

Success.

PP1648G:4#

Creating a forwarding database filter


To specify a MAC address that you wish to see filtered from the switch, enter the
following command:

create fdbfilter

When executing this command, consider that the command fails to execute if any
of the following are true:

1 If the combination of the VLAN and MAC address is entered into the
switch’s static forwarding database.
2 If the combination of the VLAN and MAC address is part of a MAC
address priority rule.
3 If the combination of the VLAN and MAC address has been dynamically
entered into the switch’s forwarding database. If so, the create fdbfilter
command then sets the database entry to static, and drops packets with this
MAC address.

You can create up to 64 MAC address forwarding database filters.


This command uses the following options:

create fdbfilter
followed by:

vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to filter resides.
mac_address <macaddr> Specifies the MAC address of the network device
you want to filter from the switch.

Figure 114 shows how to create a forwarding database filter for the VLAN named
default, for the MAC address 00-11-22-33-44-55.

Figure 114 create fdbfilter command

PP1648G:4#create fdbfilter vlan default mac_address
00-11-22-33-44-55
Command: create fdbfilter vlan default mac_address
00-11-22-33-44-55

Success.

PP1648G:4#

Deleting a forwarding database filter


To delete a forwarding database filter, enter the following command:

delete fdbfilter

Forwarding database filters are identified by the VLAN name and MAC address
that you enter when you first create the filter.


This command uses the following options:

delete fdbfilter
followed by:

vlan <vlan_name>            Identifies the name and MAC address of the
mac_address <macaddr>       network device you want to delete from the switch.
vlan <vlan_name>            Identifies the name of the VLAN on which the MAC
                            address you want to delete resides.
mac_address <macaddr>       Specifies the MAC address of the network device
                            you want to delete from the switch.
all                         Deletes all the filters in the forwarding database.

Figure 115 shows how to delete a forwarding database filter for the VLAN named
default, for the MAC address 00-11-22-33-44-55.

Figure 115 delete fdbfilter command

PP1648G:4#delete fdbfilter vlan default mac_address
00-11-22-33-44-55
Command: delete fdbfilter vlan default mac_address
00-11-22-33-44-55

Success.

PP1648G:4#

Displaying a forwarding database filter


To display the forwarding database filters currently in use on the switch, enter the
following command:

show fdbfilter

Forwarding database filters are identified by the VLAN name and MAC address
that you enter when you first create the filter.


This command uses the following options:

show fdbfilter
followed by:

vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you want to display resides.
vlan <vlan_name> Identifies the name of the VLAN and specifies the
mac_address <macaddr> MAC address of the network device you want to
display on the switch.
mac_address <macaddr> Specifies the MAC address of the network device
you want to delete from the switch.

Figure 116 shows how to display a forwarding database filter for the VLAN
named default, for the MAC address 00-11-22-33-44-55.

Figure 116 show fdbfilter command

PP1612G:4# show fdbf


Command: show fdbfilter

FDB Filter Table:


VLAN Name MAC address
-------------------------------- -----------------
default 00-11-22-33-44-55

Total Entries: 1
PP1612G:4#

Enabling the IP fragment filter


The 1600 Series switches allow you to filter any fragmented packets that are
received on a VLAN to which either of the two templates is bound. To enable the
IP fragment filter, enter the following command:

enable ip_fragment_filter

This command contains no parameters.


Figure 117 shows how to enable an IP fragment filter.

Figure 117 enable ip_fragment_filter command

PP1648G:4#enable ip_fragment_filter
Command: enable ip_fragment_filter

Success.

PP1648G:4#

Disabling the IP fragment filter


The 1600 Series switches allow you to stop filtering fragmented packets that are
received on a VLAN to which either of the two templates is bound. To disable
the IP fragment filter, use the following command:

disable ip_fragment_filter

This command contains no parameters.

Figure 118 shows how to disable an IP fragment filter.

Figure 118 disable ip_fragment_filter command

PP1648G:4#disable ip_fragment_filter
Command: disable ip_fragment_filter

Success.

PP1648G:4#


Displaying the status of the IP fragment filter


The 1600 Series switches allow you to display whether the switch is filtering
fragmented packets that are received on a VLAN to which either of the two
templates is bound. To display the status of the IP fragment filter, use the
following command:

show ip_fragment_filter

This command contains no parameters.

Figure 119 shows how to display the status of an IP fragment filter.

Figure 119 show ip_fragment_filter command

PP1612G:4# show ip_fragment_filter


Command: show ip_fragment_filter

IP Fragment Filter Status: Enabled


PP1612G:4#

Configuring scheduling
To specify the rotation of the first three hardware priority queues on the switch,
enter the following command:

config scheduling

There are four outgoing traffic classes on the switch. The mechanism of the first
three traffic classes is weighted round-robin (WRR), while the fourth follows a
strict-priority (SP) scheme. The weighted round-robin scheme guarantees a
minimum bandwidth to the first three hardware priority queues on the switch.

For example, if the weighted round-robin scheme is applied to port 1, with a 10,
30, 60 weighting, the queues stop transmitting packets when they reach 10%,
30%, or 60% of the port’s bandwidth, respectively. The fourth queue does not stop
transmitting packets until its packet buffer is empty.


This command uses the following options:

config scheduling
followed by:

ports [<portlist>/all]      Identifies a list of ports for which you want to
                            configure the hardware priority queue round-robin
                            transmitting scheme. You specify the ports by
                            entering the lowest port number in a group,
                            followed by the highest, separated by a dash.
                            Thus, you enter a port group including the switch
                            ports 1, 2, and 3 as 1-3.
                            You specify ports that are not contained within a
                            group by entering their port number, separated by
                            a comma. For example, you enter the port group
                            1-3 and port 26 as 1-3, 26.
                            all specifies that the hardware priority queue
                            round-robin transmitting scheme applies to all
                            ports on the switch.
class_id <value 0-2>        Identifies the hardware priority queue.
max_packet <value 6-255>    Includes the round-robin weight of the priority
                            queue specified previously. The value of
                            max_packet is in 256 byte multiples and the
                            number of bytes must be less than the MTU.

Figure 120 shows how to configure scheduling for ports 1 through 10 to weight
the hardware priority queue 2 as max_packet 7.

Figure 120 config scheduling command

PP1648G:4#config scheduling ports 1-10 class_id 2
max_packet 7
Command: scheduling ports 1-10 class_id 2 max packet 7

Success.

PP1648G:4#


Creating a MAC priority entry


To direct packets with a specific VLAN and MAC address combination to a given
priority queue on the switch, enter the following command:

create mac_priority

The priority value you specify is referenced to the user priority and traffic class
settings currently in use on the switch. An incoming packet is first checked to see
if the VLAN it was received from is bound to a template. If it is, the template is
examined to see if it is in qos mode. If so, the template is examined to see if it
contains an applicable rule regarding priority. If so, this rule is applied.

If there is no template bound to the VLAN, the packet’s priority tag is used to
determine the appropriate priority queue. If there is no priority tag on the packet,
the switch compares the default port priority with the MAC priority rules, and
then uses the higher of the two.

When executing this command, consider that the command fails to execute if any
of the following are true:

1 If the combination of VLAN and MAC address has a static entry in the
switch’s forwarding database.
2 If the combination of VLAN and MAC address is entered as an fdbfilter.
3 If the combination of VLAN and MAC address has been dynamically
entered into the switch’s forwarding database. If so, the command changes the
entry to static with the destination priority value you specify.

You can make up to 64 MAC priority entries.

This command uses the following options:

create mac_priority
followed by:

vlan <vlan_name>            Identifies the name of the VLAN the destination
                            MAC address resides on.
dst_mac_addr <macaddr>      Specifies a destination MAC address for which you
                            want to direct packets to the priority queue that
                            follows.
priority <value 0-7>        Identifies the priority queue you want packets for
                            the MAC address to be directed to.

Figure 121 shows how to create a MAC priority entry for the VLAN default for
the MAC address 00-11-22-33-44-55 and instruct the switch to direct all packets it
receives from this MAC address to priority queue 3.

Figure 121 create mac_priority command

PP1648G:4#create mac_priority vlan default
dst_mac_addr 00-11-22-33-44-55 priority 3
Command: create mac_priority vlan default dst_mac_addr
00-11-22-33-44-55 priority 3

Success.

PP1648G:4#

Deleting a MAC priority entry


To delete a MAC priority entry, enter the following command:

delete mac_priority

MAC priority entries are identified on the switch by a combination of the VLAN
name and the destination MAC address.


This command uses the following options:

delete mac_priority
followed by:

vlan <vlan_name>            Identifies the name of the VLAN and the
dst_mac_address <macaddr>   destination MAC address for which you want to
                            delete the MAC priority entry.
vlan <vlan_name>            Identifies the name of the VLAN on which the MAC
                            address you want to delete resides.
dst_mac_address <macaddr>   Specifies a destination MAC address for which you
                            want to delete the MAC priority entry.
all                         Deletes all the MAC priority entries on the switch.

Figure 122 shows how to delete a MAC priority entry for the VLAN default for
the MAC address 00-11-22-33-44-55.

Figure 122 delete mac_priority command

PP1648G:4#delete mac_priority vlan default dst_mac_addr
00-11-22-33-44-55
Command: delete mac_priority vlan default dst_mac_addr
00-11-22-33-44-55

Success.

PP1648G:4#

Displaying MAC priority entries


To display one or all of the MAC priority entries on the switch, enter the following
command:

show mac_priority


This command uses the following options:

show mac_priority
followed by:

vlan <vlan_name> Identifies the name of the VLAN for which you
want to display the MAC priority entries.
vlan <vlan_name> Specifies the VLAN and destination MAC address
dst_mac_addr <macaddr> for which you want to display the MAC priority
entries.
dst_mac_addr <macaddr> Specifies the MAC address for which you want to
display the MAC priority entries.

Figure 123 shows how to display the MAC priority entries for the VLAN default
for the MAC address 00-11-22-33-44-55.

Figure 123 show mac_priority command

PP1612G:4# show mac_priority vlan default dst_mac_addr
00-11-22-33-44-55
Command: show mac_priority vlan default dst_mac_addr
00-11-22-33-44-55

MAC Priority Table:

VLAN Name                 Destination        Priority
                          MAC Address
------------------------  ---------------    --------
default                   00-11-22-33-44-55  3

Total Entries: 1
PP1612G:4#


Chapter 9
Configuring traffic filters

This chapter describes the commands you use to create and delete IP address
filters, MAC address filters, and broadcast traffic control. Specifically, it includes
the following topics:

Topic

Configuring destination IP filters
Creating a destination IP address filter
Configuring an ARP request rate limit

Configuring destination IP filters


The 1600 Series switch allows you to filter traffic from specific IP addresses. You
can specify these IP addresses as a source, a destination, or either, of network
traffic. You can also instruct the switch to filter fragmented IP packets using the
enable ip_fragment_filter command.

Note that the switch also allows you to assign ranges of IP addresses to VLANs.
You then identify each VLAN by a VLAN name, a network address, and an IP
interface name. You must configure a VLAN prior to setting up the corresponding
IP interface. You must then establish and implement an IP addressing scheme
when the IP interfaces are set up on the switch.


Roadmap of destination IP address filter CLI commands

The following roadmap lists all of the IP address, fragment filtering commands
and their parameters. Use this list as a quick reference or click on any entry for
more information:

Command                     Parameter
create dst_ipfilter         ip_address <ipaddr>
delete dst_ipfilter         [ip_address <ipaddr> | all]
show dst_ipfilter           none

Creating a destination IP address filter

To specify a destination IP address to be filtered from the switch, use the
following command:

create dst_ipfilter ip_address 10.42.73.5

If you filter by destination, it means that packets with the specified IP address as
the destination are dropped.

Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.


This command uses the following options:

create dst_ipfilter
followed by:

ip_address <ipaddr>         If you want to filter the IP address as a destination
                            (dst), you do not need to specify the template id.
                            The switch drops packets that have the IP address
                            entered previously as their destination regardless
                            of what operating mode the templates are in.

Figure 124 shows you how to filter packets with a destination IP address of
192.32.96.54.

Figure 124 create dst_ipfilter command

PP1612G:4#create dst_ipfilter ip_address 192.32.96.54


Command: create dst_ipfilter ip_address 192.32.96.54

Success.

PP1612G:4#

Deleting a destination IP address filter

To delete all previously-entered destination IP address filters from the switch, use
the following command:

delete dst_ipfilter all


Because of the way IP filters are identified within the switch, you must enter the
same destination IP address to delete a specific IP filter, or specify all to instruct
the switch to delete all destination IP address filters that have been entered.

Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.

This command uses the following options:

delete dst_ipfilter
followed by:

[ip_address <ipaddr> | all] Allows you to uniquely identify the filter you want to
                            delete.
                            If you want to delete a filter for an IP address as a
                            destination (dst), you do not need to specify the
                            template id. You have the option of deleting a
                            specific IP address or deleting all destination IP
                            filters.

Figure 125 shows you how to delete an IP filter with a destination IP address of
192.32.96.54.

Figure 125 delete dst_ipfilter command

PP1612G:4#delete dst_ipfilter ip_address 192.32.96.54


Command: delete dst_ipfilter ip_address 192.32.96.54

Success.

PP1612G:4#


Displaying the destination IP address filter table

To display all previously-entered destination IP address filters on the switch, use
the following command:

show dst_ipfilter

Note:
When you specify a destination IP address filter, it is
template-independent. Any packet with the specified IP address as its
destination will be dropped by the switch, regardless of the operating
mode of the applicable template.

This command has no additional options:

show dst_ipfilter
followed by:

There are no options.

Figure 126 shows you how to display the current contents of the switch’s
destination IP address filter table.

Figure 126 show dst_ipfilter command

PP1612G:4#show dst_ipfilter
Command: show dst_ipfilter

Destination IP Filter Table:


Destination IP Address
----------------------
10.42.73.5
Total Entries: 1

PP1612G:4#


Configuring MAC address filters


The Passport 1600 Series switch allows the filtering of traffic from specific MAC
addresses. The switch uses a filtering database to segment the network and control
communication between segments. It can also filter packets off the network for
intrusion control. You can create static filtering entries by MAC address or IP
address filtering.

Note: The Passport 1600 switch supports basic MAC filtering only. If
you want to filter on a MAC address, the switch will filter it if that address
is in the packet as a source or destination address. It does not support
filtering on a MAC address if you specify filtering on source or
destination addresses only.

This section describes the commands you use in creating, deleting, and showing
MAC address filters. Specifically, it includes the following topics:

Topic
Roadmap of MAC address filter CLI commands
Creating a MAC address filter
Deleting a MAC address filter
Displaying MAC address filters

Roadmap of MAC address filter CLI commands

The following roadmap lists all of the MAC address filter commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command Parameter
create fdbfilter vlan <vlan_name>
mac_address <macaddr>
delete fdbfilter vlan <vlan_name>
mac_address <macaddr>
show fdbfilter vlan <vlan_name>
mac_address <macaddr>


Creating a MAC address filter

To filter a MAC address from the switch and prevent this MAC address from
being dynamically entered into the switch’s forwarding database, use the
following command:

create fdbfilter

This command uses the following options:

create fdbfilter
followed by:

vlan <vlan_name> Identifies the name of the VLAN on which the MAC
address you wish to filter from the switch resides.
mac_address <macaddr> Specifies the MAC address of the network device
you wish to filter from the switch.

Figure 127 shows you how to filter VLAN v1 and MAC address
00-FF-BA-F4-D5-0C from the switch’s forwarding database.

Figure 127 create fdbfilter command

PP1648T:4#create fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C
Command: create fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C

Success.

PP1648T:4#

Deleting a MAC address filter

To delete the filtering of a MAC address from the switch’s forwarding database,
use the following command:

delete fdbfilter


This command uses the following options:

delete fdbfilter
followed by:

vlan <vlan_name> Identifies the name of the VLAN for which you wish
to delete the forwarding database filter.
mac_address <macaddr> Specifies the MAC address of the network device
you wish to delete from the forwarding database
filter.

Figure 128 shows you how to delete the VLAN v1 and MAC address
00-FF-BA-F4-D5-0C filters from the switch’s forwarding database.

Figure 128 delete fdbfilter command

PP1648T:4#delete fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C
Command: delete fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C

Success.

PP1648T:4#

Displaying MAC address filters

To display the switch’s MAC address filters, use the following command:

show fdbfilter


This command uses the following options:

show fdbfilter
followed by:

vlan <vlan_name> Identifies the name of the VLAN for which you wish
to display the forwarding database filter.
mac_address <macaddr> Specifies the MAC address of the network device
for which you wish to display the forwarding
database filter.

Figure 129 shows you how to display the VLAN v1 and MAC address
00-FF-BA-F4-D5-0C filters from the switch’s forwarding database.

Figure 129 show fdbfilter command

PP1648T:4#show fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C
Command: show fdbfilter vlan v1 mac_address
00-50-BA-F4-D5-0C

FDB Filter Name


VLAN Name MAC Address
-------------- -------
v1 00-50-BA-F4-D5-0C

Total Entries: 1
PP1648T:4#

Configuring an ARP request rate limit


The Passport 1600 series switches allow you to set limits on the rate at which the
Switch will receive and process Address Resolution Protocol (ARP) request
packets. There are two commands available to configure and enable the ARP rate
limit control on the Switch. The first allows you to enable and disable the ARP
rate limit — without changing the limit values you may have entered.


The second command allows you to specify the number of ARP packets received
by the Switch in one second that will trigger the ARP rate limit control. If the
Switch receives more ARP packets in a second than you specify, the Switch will
block all ARP requests for one second. The ARP rate limit counter is then reset,
and ARP requests are again allowed — until the rate of ARP packets received by
the Switch exceeds the limit you have set. The default value of the ARP request
rate limit is 50 ARP packets per second, and you can specify any value between
10 and 100 packets per second.

This section describes the commands you use in creating, deleting, and showing
ARP request rate limits. Specifically, it includes the following topics:

Topic
Configuring the ARP request rate limit
Enabling the ARP request rate limit
Disabling the ARP request rate limit
Displaying the ARP request rate limit

Roadmap of ARP request rate limit CLI commands


The following roadmap lists all of the ARP request rate limit commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command Parameter
config arp_req_rate_limit 60 <value 10-100>
enable arp_req_rate_limit none
disable arp_req_rate_limit none
show arpentry Ipif <ipif_name 12>
IPaddress <ipaddr>
static


Configuring the ARP request rate limit

To set the ARP request rate limit for the switch to 60 ARP packets per second, use
the following command:

config arp_req_rate_limit 60

This command uses the following options:

config arp_req_rate_limit
followed by:

<value 10-100>              Specifies the rate of ARP packets received by the
                            switch, in packets per second, that will trigger the
                            switch’s response. The default is 50 ARP packets
                            per second. If the number of ARP packets received
                            by the switch exceeds the number entered here,
                            the switch will drop all ARP request packets for
                            one second, reset the incoming ARP packet rate
                            counter, and then resume receiving and
                            processing ARP packets.

Figure 130 shows you how to set the ARP request rate limit to 60 ARP packets
per second.

Figure 130 config arp_req_rate_limit command

PP1648T:4#config arp_req_rate_limit 60
Command: config arp_req_rate_limit 60

Success.

PP1648T:4#
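
How the trigger, one-second block, and counter reset described above play out under load, as an added Python model (not Nortel code). Assumptions: the packet that exceeds the limit is itself dropped and starts the block, time is tracked in integer milliseconds, and the traffic (one host asking four times a second plus a source sending 200 requests a second) is constructed sample data.

```python
DEFAULT_LIMIT = 50  # default from the guide, in ARP packets per second


class ArpReqRateLimit:
    """Model of the ARP request rate limit; times are integer milliseconds."""

    def __init__(self, limit=DEFAULT_LIMIT, enabled=True):
        if not 10 <= limit <= 100:
            raise ValueError("config arp_req_rate_limit accepts <value 10-100>")
        self.limit = limit
        self.enabled = enabled
        self.window_start = None   # start of the current one-second count
        self.count = 0
        self.blocked_until = 0

    def accept(self, t_ms):
        """Return True if an ARP request arriving at t_ms is processed."""
        if not self.enabled:
            return True
        if t_ms < self.blocked_until:
            return False                       # inside the one-second block
        if self.window_start is None or t_ms - self.window_start >= 1000:
            self.window_start, self.count = t_ms, 0
        self.count += 1
        if self.count > self.limit:
            # Assumption: the packet that exceeds the limit starts the block
            # and is itself dropped; the counter restarts when the block ends.
            self.blocked_until = t_ms + 1000
            self.window_start = None
            return False
        return True


def simulate(limit=DEFAULT_LIMIT, enabled=True, burst_interval_ms=5, duration_ms=3000):
    """Replay constructed traffic and return {source: [processed, dropped]}."""
    events = [(t, "host") for t in range(2, duration_ms, 250)]
    if burst_interval_ms:
        events += [(t, "burst") for t in range(0, duration_ms, burst_interval_ms)]
    limiter = ArpReqRateLimit(limit, enabled)
    stats = {"host": [0, 0], "burst": [0, 0]}
    for t_ms, source in sorted(events):
        stats[source][0 if limiter.accept(t_ms) else 1] += 1
    return stats


if __name__ == "__main__":
    print("limit 50, with burst :", simulate())
    print("limit 50, host only  :", simulate(burst_interval_ms=0))
    print("limit disabled       :", simulate(enabled=False))
```

Because the limit counts every ARP request the switch receives, the well-behaved host loses most of its requests while the burst lasts; that side effect is worth weighing when choosing a value between 10 and 100.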

Enabling the ARP request rate limit

To enable the ARP request rate limit for the switch, use the following command:

enable arp_req_rate_limit


This command uses no additional options:

enable arp_req_rate_limit
followed by:

There are no options.

Figure 131 shows you how to enable the ARP request rate limit.

Figure 131 enable arp_req_rate_limit command

PP1648T:4#enable arp_req_rate_limit
Command: enable arp_req_rate_limit

Success.

PP1648T:4#

Disabling the ARP request rate limit

To disable the ARP request rate limit for the switch, use the following command:

disable arp_req_rate_limit

This command uses no additional options:

disable arp_req_rate_limit
followed by:

There are no options.

Figure 132 shows you how to disable the ARP request rate limit.


Figure 132 disable arp_req_rate_limit command

PP1648T:4#disable arp_req_rate_limit
Command: disable arp_req_rate_limit

Success.

PP1648T:4#

Displaying the ARP request rate limit

To display the current ARP request rate limit for the switch, use the following
command:

show arpentry

show arpentry
followed by:

Ipif <ipif_name 12>
IPaddress <ipaddr>
static

Figure 133 shows you how to display the ARP request rate limit, along with the
switch’s ARP table.


Figure 133 show arpentry command

PP1648T:4#show arpentry

ARP Aging Time     : 20
ARP Req Rate Limit : Enabled (50 frames/sec)

Interface  IP Address  MAC Address        Type
---------  ----------  -----------------  ---------------
System     10.0.0.0    FF-FF-FF-FF-FF-FF  Local/Broadcast

Configuring broadcast control


You use broadcast control to limit the number of broadcast, multicast, and
destination not found (dlf) packets that are forwarded through the switch at any
given time. Since these packet types are commonly forwarded to all ports of a
given VLAN or IP interface, it is possible that other network devices could also
forward these packets through alternative network routes, and that they will find
their way back to the switch. The switch will then forward the packets again, and
so on, until a significant portion of the network’s bandwidth is consumed.

To prevent these packet-types from creating a storm on the network, you can
assign a threshold, in Kp/s, for each packet type. When the number of packets
received by the switch exceeds this threshold, the switch stops forwarding these
packet-types - until the rate of packets received falls below the threshold.

This section describes the commands you use to configure broadcast traffic
control.

Roadmap of broadcast control CLI commands

The following roadmap lists the broadcast control commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command                   Parameter
config traffic control    <portlist>
                          all
                          dlf [enabled|disabled]
                          broadcast [enabled|disabled]
                          multicast [enabled|disabled]
                          threshold <value>
show traffic control      ports <portlist>

Configuring traffic control

To configure broadcast control, use the following command:

config traffic control

This command uses the following options:

config traffic control
followed by:

<portlist>  You use this option to enter a group of ports that the
    config traffic control command is applied to. You specify ports by
    entering the lowest port number in a group, and then the highest,
    separated by a dash. For example, you enter a port group including
    the switch ports 1, 2, and 3 as 1-3. You specify ports that are not
    contained within a group by entering their port number, separated by
    a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
all  Specifies that the config traffic control command applies to all
    of the ports on the switch.
dlf [enabled|disabled]  Specifies that the config traffic control
    command is applied to packets generated by a dlf (destination lookup
    fail). You must follow this parameter with enabled or disabled.
broadcast [enabled|disabled]  Specifies that the config traffic control
    command is applied to broadcast packets. You must follow this
    parameter with enabled or disabled.
multicast [enabled|disabled]  Specifies that the config traffic control
    command is applied to multicast packets. You must follow this
    parameter with enabled or disabled.
threshold <value>  Specifies the threshold, in Kb/s, at which the
    config traffic control command is applied. The default is 128 Kb/s.

Figure 134 shows you an example of configuring traffic control for switch ports 1
through 3, for broadcast packets.

Figure 134 config traffic control command

PP1648T:4#config traffic control 1-3 broadcast enabled


Command: config traffic control 1-3 broadcast enabled

Success.

PP1648T:4#

Displaying traffic control settings

To display the current traffic control settings on the switch, use the following
command:

show traffic control

This command uses the following options:

show traffic control


followed by:

ports <portlist> You use this to display the traffic control settings
for a group of ports. You enter the lowest port
number in a group, and then the highest,
separated by a dash.
For example, you enter a port group including the
switch ports 1, 2, and 3 as 1-3. You specify ports
that are not contained within a group by entering
their port number, separated by a comma. Thus,
you enter the port group 1-3 and port 26 as 1-3,
26.

Figure 135 shows you how to display traffic control settings for switch ports 1
through 3.

Figure 135 show traffic control command

PP1648T:4#show traffic control ports 1-3
Command: show traffic control ports 1-3

Traffic Control

DLF State: Disabled

       Broadcast  Multicast  Threshold
Ports  Storm      Storm      <Percentage>
----   --------   --------   ----------
1      Enabled    Disabled   0
2      Enabled    Disabled   0
3      Enabled    Disabled   0

Total Entries: 3

PP1648T:4#
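
The portlist syntax used by config traffic control and show traffic control, and the table that show traffic control prints, can be checked together with a short script. This is an added example, not Nortel code: the function names, the 48-port bound, and the port 26 row of the sample output are assumptions constructed for illustration (rows 1 to 3 follow Figure 135).

```python
import re

ROW_RE = re.compile(r"^\s*(\d+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s+(\d+)\s*$")
DLF_RE = re.compile(r"^\s*DLF State\s*:\s*(Enabled|Disabled)\s*$")


def parse_portlist(portlist, max_port=None):
    """Expand a portlist such as '1-3,26' into a sorted list of port numbers."""
    ports = set()
    for item in portlist.split(","):
        match = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if match is None:
            raise ValueError(f"invalid portlist item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low < 1 or low > high:
            raise ValueError(f"invalid port range: {item.strip()!r}")
        if max_port is not None and high > max_port:
            raise ValueError(f"port {high} exceeds max_port {max_port}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def parse_show_traffic_control(text):
    """Return (dlf_enabled, {port: settings}) from 'show traffic control' output."""
    dlf_enabled = None
    ports = {}
    for line in text.splitlines():
        dlf = DLF_RE.match(line)
        if dlf:
            dlf_enabled = dlf.group(1) == "Enabled"
            continue
        row = ROW_RE.match(line)
        if row:
            ports[int(row.group(1))] = {
                "broadcast": row.group(2) == "Enabled",
                "multicast": row.group(3) == "Enabled",
                "threshold": int(row.group(4)),  # unit as displayed by the switch
            }
    return dlf_enabled, ports


def audit_storm_control(text, portlist,
                        required=("broadcast", "multicast", "dlf"), max_port=None):
    """List (port, problem) pairs for ports that lack a required control."""
    dlf_enabled, ports = parse_show_traffic_control(text)
    findings = []
    for port in parse_portlist(portlist, max_port):
        settings = ports.get(port)
        if settings is None:
            findings.append((port, "no row in output"))
            continue
        for kind in required:
            # The DLF state is printed once for the whole display, not per port.
            enabled = dlf_enabled if kind == "dlf" else settings[kind]
            if not enabled:
                findings.append((port, f"{kind} control disabled"))
    return findings


# Constructed sample: rows 1-3 follow Figure 135, the port 26 row is invented.
SAMPLE_OUTPUT = """\
PP1648T:4#show traffic control ports 1-3,26
Command: show traffic control ports 1-3,26

Traffic Control

DLF State: Disabled

       Broadcast  Multicast  Threshold
Ports  Storm      Storm      <Percentage>
----   --------   --------   ----------
1      Enabled    Disabled   0
2      Enabled    Disabled   0
3      Enabled    Disabled   0
26     Disabled   Disabled   0

Total Entries: 4
"""

if __name__ == "__main__":
    # max_port=48 is an assumed port count, not a value taken from the manual.
    for port, problem in audit_storm_control(SAMPLE_OUTPUT, "1-3,26-27", max_port=48):
        print(f"port {port}: {problem}")
```

Port 27 is reported as missing because the audited portlist is wider than the displayed one, which is the usual sign that the show command was run against the wrong port group.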

Chapter 10
Configuring ARP, RIP, and OSPF

This chapter provides overviews of the Address Resolution Protocol (ARP), the
Routing Information Protocol (RIP), the Open Shortest Path First Protocol
(OSPF), and OSPF packet authentication (MD5 keys), and describes how to
configure each of these protocols using the CLI. Specifically, this chapter contains
the following topics:

Topic
Configuring ARP
Configuring an ARP request rate limit
Configuring OSPF
Configuring OSPF packet authentication

Configuring ARP
The Address Resolution Protocol (ARP) determines the correspondence between
a MAC address and an IP address for a network device.

The switch allows you to make static entries into its ARP table, as well as to
configure the length of time a dynamically learned ARP table entry is allowed to
remain without being accessed.

This section describes the ARP commands. Specifically, it includes the following
topics:

Topic
Roadmap of ARP CLI commands
Creating an ARP entry
Deleting an ARP entry
Configuring the ARP aging time
Displaying the current ARP entries
Clearing the ARP table

Roadmap of ARP CLI commands

The following roadmap lists some of the ARP commands and their parameters.
Use this list as a quick reference or click on any command or parameter entry for
more information on ARP commands.

Command                 Parameter
create arpentry         <ipaddr>
                        <macaddr>
delete arpentry         <ipaddr>
                        all
config arp_aging time   <value>
show arpentry           ipif <ipif_name 12>
                        ipaddress <ipaddr>
                        static
clear arptable

Creating an ARP entry

To create an ARP (Address Resolution Protocol) entry in the switch’s ARP
table, enter the following command:

create arpentry <ipaddr> <macaddr>

where:
ipaddr is the IP address that you want to associate with the MAC address.
macaddr is the MAC address that you want to associate with the IP address.

Figure 136 shows how to create an ARP entry that is associated with IP address
10.48.74.121 and with MAC address 00-50-BA-00-07-36.

Figure 136 create arpentry command

PP1612G:4# create arpentry 10.48.74.121 00-50-BA-00-07-36


Command: create arpentry 10.48.74.121 00-50-BA-00-07-36
Success.
PP1612G:4#

Deleting an ARP entry

To delete an ARP entry, enter the following command:

delete arpentry

This command uses the following options:

delete arpentry
followed by:
<ipaddr> The IP address for which you want to delete the ARP entry on the
switch.
all Deletes all ARP entries on the switch.

Figure 137 shows how to delete an ARP entry with the IP address 10.48.74.121.

Figure 137 delete arpentry command

PP1612G:4# delete arpentry 10.48.74.121


Command: delete arpentry 10.48.74.121
Success.
PP1612G:4#

Configuring the ARP aging time

To configure the ARP aging time, enter the following command:

config arp_aging time <value>

where:
value is the time, in seconds, that an entry can remain in the switch’s ARP table,
without being used, before it is dropped from the ARP table. The default is 20
minutes.

Figure 138 shows how to configure the ARP aging time to be 30 minutes.

Figure 138 config arp_aging time command

PP1612G:4# config arp_aging time 30


Command: config arp_aging time 30

Success.

PP1612G:4#

Displaying the current ARP entries

To display the current contents of the switch’s ARP table:

show arpentry

This command uses the following options:

show arpentry
followed by:
ipif <ipif_name 12>  The name of the IP interface of the end node for
    which you want to display the ARP table entry.
    This value can be up to 12 alphanumeric characters.
ipaddress <ipaddr>  The IP address corresponding to the IP interface
    name entered above.
static  Displays all of the static entries in the switch’s ARP
    table.

Figure 139 shows the ARP table being displayed.

Figure 139 show arpentry command

Clearing the ARP table

To clear the ARP table:

clear arptable

This command has no additional options.

Figure 140 shows the switch’s ARP table being cleared.

Figure 140 clear arptable command

PP1612G:4# clear arptable


Command: clear arptable

Success.

PP1612G:4#

Configuring an ARP request rate limit


The Passport 1600 series switches allow you to set limits on the rate at which the
Switch will receive and process Address Resolution Protocol (ARP) request
packets. There are two commands available to configure and enable the ARP rate
limit control on the Switch. The first allows you to enable and disable the ARP
rate limit — without changing the limit values you may have entered.

The second command allows you to specify the number of ARP packets received
by the Switch in one second that will trigger the ARP rate limit control. If the
Switch receives more ARP packets in a second than you specify, the Switch will
block all ARP requests for one second. The ARP rate limit counter is then reset,
and ARP requests are again allowed — until the rate of ARP packets received by
the Switch exceeds the limit you have set. The default value of the ARP request
rate limit is 50 ARP packets per second, and you can specify any value between
10 and 100 packets per second.
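
The block-and-reset behaviour described above can be modelled to see its effect on hosts that share the switch with a noisy ARP source. This is an added example, not Nortel code: the class and function names, the integer millisecond timestamps, and the choice to start each one-second count at the first packet seen are assumptions, and the traffic is constructed.

```python
class ArpReqRateLimiter:
    """Model of the documented arp_req_rate_limit behaviour (timing details assumed)."""

    def __init__(self, limit=50, enabled=True):
        # The manual gives 50 as the default and 10-100 as the allowed range.
        if not 10 <= limit <= 100:
            raise ValueError("limit must be between 10 and 100 packets per second")
        self.limit = limit
        self.enabled = enabled
        self.window_start = None   # start of the current one-second counting window (ms)
        self.count = 0             # ARP packets counted in that window
        self.blocked_until = None  # end of the current one-second drop period (ms)

    def accept(self, t_ms):
        """Return True if an ARP request arriving at t_ms is processed."""
        if not self.enabled:
            return True
        if self.blocked_until is not None:
            if t_ms < self.blocked_until:
                return False           # all ARP requests are dropped during the block
            self.blocked_until = None  # block over: the counter is reset
            self.window_start = None
        if self.window_start is None or t_ms - self.window_start >= 1000:
            self.window_start = t_ms
            self.count = 0
        self.count += 1
        if self.count > self.limit:
            # Assumption: the packet that exceeds the limit is itself dropped.
            self.blocked_until = t_ms + 1000
            return False
        return True


def simulate(limiter, arrivals):
    """arrivals: iterable of (t_ms, source). Returns per-source accepted/dropped counts."""
    stats = {}
    for t_ms, source in sorted(arrivals):
        entry = stats.setdefault(source, {"accepted": 0, "dropped": 0})
        entry["accepted" if limiter.accept(t_ms) else "dropped"] += 1
    return stats


def constructed_traffic():
    """Constructed sample: one host at 200 requests/s, one at 2 requests/s, for 3 s."""
    noisy = [(t, "noisy-host") for t in range(0, 3000, 5)]
    normal = [(t, "normal-host") for t in range(250, 3000, 500)]
    return noisy + normal


if __name__ == "__main__":
    result = simulate(ArpReqRateLimiter(limit=60), constructed_traffic())
    for source, counts in sorted(result.items()):
        print(source, counts)
```

With the limit at 60, four of the six requests from the quiet host are dropped, because the one-second block applies to every ARP request the switch receives and not only to the source that exceeded the limit.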

This section describes the commands you use in creating, deleting, and showing
ARP request rate limits. Specifically, it includes the following topics:

Topic
Configuring the ARP request rate limit
Enabling the ARP request rate limit
Disabling the ARP request rate limit
Displaying the ARP request rate limit

Roadmap of ARP request rate limit CLI commands

The following roadmap lists all of the ARP request rate limit commands and their
parameters. Use this list as a quick reference or click on any entry for more
information:

Command                      Parameter
config arp_req_rate_limit    <value 10-100>
enable arp_req_rate_limit    none
disable arp_req_rate_limit   none
show arpentry                none

Configuring the ARP request rate limit


To set the ARP request rate limit for the switch to 60 ARP packets per second, use
the following command:

config arp_req_rate_limit 60

This command uses the following options:

config arp_req_rate_limit
followed by:

<value 10-100>  Specifies the rate of ARP packets received by the
    switch, in packets per second, that will trigger the
    switch’s response. The default is 50 ARP packets
    per second. If the number of ARP packets received
    by the switch exceeds the number entered here,
    the switch will drop all ARP request packets for
    one second, reset the incoming ARP packet rate
    counter, and then resume receiving and
    processing ARP packets.

Figure 141 shows you how to set the ARP request rate limit to 60 ARP packets
per second.

Figure 141 config arp_req_rate_limit command

PP1648T:4#config arp_req_rate_limit 60
Command: config arp_req_rate_limit 60

Success.

PP1648T:4#

Enabling the ARP request rate limit

To enable the ARP request rate limit for the switch, use the following command:

enable arp_req_rate_limit

This command uses no additional options:

enable arp_req_rate_limit
followed by:

There are no options.

Figure 142 shows you how to enable the ARP request rate limit.

Figure 142 enable arp_req_rate_limit command

PP1648T:4#enable arp_req_rate_limit
Command: enable arp_req_rate_limit

Success.

PP1648T:4#

Disabling the ARP request rate limit

To disable the ARP request rate limit for the switch, use the following command:

disable arp_req_rate_limit

This command uses no additional options:

disable arp_req_rate_limit
followed by:

There are no options.

Figure 143 shows you how to disable the ARP request rate limit.

Figure 143 disable arp_req_rate_limit command

PP1648T:4#disable arp_req_rate_limit
Command: disable arp_req_rate_limit

Success.

PP1648T:4#

Displaying the ARP request rate limit

To display the current ARP request rate limit for the switch, use the following
command:

show arpentry

This command uses no additional options:

show arpentry
followed by:

There are no options.

Figure 144 shows you how to display the ARP request rate limit, along with the
switch’s ARP table.

Figure 144 show arpentry command

PP1648T:4#show arpentry

ARP Aging Time     : 20
ARP Req Rate Limit : Enabled (50 frames/sec)

Interface  IP Address  MAC Address        Type
---------  ----------  -----------------  ---------------
System     10.0.0.0    FF-FF-FF-FF-FF-FF  Local/Broadcast

Configuring RIP
The Routing Information Protocol (RIP) is a distance-vector routing protocol.
There are two types of network devices running RIP - active and passive. Active
devices advertise their routes to others through RIP messages, while passive
devices listen to these messages. Both active and passive routers update their
routing tables based upon RIP messages that active routers exchange. Only routers
can run RIP in the active mode. The 1600 Series switches are active RIP devices.

Every 30 seconds, a router running RIP broadcasts a routing update containing a
set of pairs of network addresses and a distance (represented by the number of
hops or routers between the advertising router and the remote network). So, the
vector is the network address and the distance is measured by the number of
routers between the local router and the remote network.

RIP measures distance by an integer count of the number of hops from one
network to another. A router is one hop from a directly connected network, two
hops from a network that can be reached through a router, etc. The more routers
between a source and a destination, the greater the RIP distance (or hop count).

There are a few rules to the routing table update process that help to improve
performance and stability. A router will not replace a route with a newly learned
one if the new route has the same hop count (sometimes referred to as 'cost'). So
learned routes are retained until a new route with a lower hop count is learned.

When learned routes are entered into the routing table, a timer is started. This
timer is restarted every time this route is advertised. If the route is not advertised
for a period of time (usually 180 seconds), the route is removed from the routing
table.
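
The update rules above (keep the current route on an equal hop count, replace it on a lower one, restart the timer on each advertisement, remove the route after 180 seconds of silence) can be written as a small routing-table model. This is an added example, not the switch's implementation: the class, function and router names are assumptions, the addresses are constructed, and the two details marked RFC 2453 (adding one hop to the advertised count and treating 16 as unreachable) come from the RIP specification rather than from this page.

```python
from dataclasses import dataclass

RIP_INFINITY = 16    # RFC 2453: a hop count of 16 means unreachable
ROUTE_TIMEOUT = 180  # seconds without an advertisement before removal ("usually 180")


@dataclass
class Route:
    hops: int
    next_hop: str
    last_heard: int   # time of the last advertisement for this route, in seconds


class RipTable:
    def __init__(self, timeout=ROUTE_TIMEOUT):
        self.timeout = timeout
        self.routes = {}   # network -> Route

    def receive_update(self, now, neighbor, advertised):
        """Apply one update from neighbor; advertised maps network -> hop count."""
        decisions = {}
        for network, advertised_hops in advertised.items():
            # RFC 2453: the neighbor itself is one more hop on the path.
            hops = min(advertised_hops + 1, RIP_INFINITY)
            current = self.routes.get(network)
            if current is not None and current.next_hop == neighbor:
                if hops >= RIP_INFINITY:
                    del self.routes[network]
                    decisions[network] = "withdrawn"
                else:
                    current.hops = hops
                    current.last_heard = now      # the timer is restarted
                    decisions[network] = "refreshed"
            elif hops >= RIP_INFINITY:
                decisions[network] = "ignored"
            elif current is None:
                self.routes[network] = Route(hops, neighbor, now)
                decisions[network] = "installed"
            elif hops < current.hops:
                self.routes[network] = Route(hops, neighbor, now)
                decisions[network] = "replaced"
            else:
                decisions[network] = "retained"   # same or higher hop count
        return decisions

    def expire(self, now):
        """Remove and return the networks not advertised within the timeout."""
        stale = [n for n, r in self.routes.items() if now - r.last_heard >= self.timeout]
        for network in stale:
            del self.routes[network]
        return stale


def constructed_scenario():
    """Constructed sequence of updates for one network from three neighbors."""
    table = RipTable()
    net = "10.1.0.0/16"
    log = [
        table.receive_update(0, "router-A", {net: 2})[net],
        table.receive_update(10, "router-B", {net: 2})[net],
        table.receive_update(20, "router-C", {net: 1})[net],
        table.receive_update(30, "router-A", {net: 2})[net],
        table.receive_update(50, "router-C", {net: 1})[net],
    ]
    return table, log


if __name__ == "__main__":
    table, log = constructed_scenario()
    print(log, table.routes)
```

Because a lower hop count from any accepted neighbor replaces the installed route, the rx_mode and authentication options of config rip decide which devices are able to change the switch's routing table.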

This section includes the following topics:

Topic
Roadmap of RIP CLI commands
Configuring RIP
Enabling RIP
Disabling RIP
Displaying the current RIP configuration

Roadmap of RIP CLI commands

The following roadmap lists some of the RIP CLI commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on RIP commands.

Command                          Parameter
config rip ipif <ipif_name 12>   rx_mode [disable|v1_only|v2_only|v1_and_v2]
                                 tx_mode [disable|v1_only|v1_compatible|v2_only]
                                 authentication [enabled <password>|disabled]
                                 state [enabled|disabled]
enable rip
disable rip
show rip                         ipif <ipif_name 12>

Configuring RIP

To configure RIP on a specific interface, use the following command:

config rip ipif <ipif_name 12>

where:
ipif_name 12 is the name of the IP interface on which RIP is configured.

This command uses the following options:

config rip ipif <ipif_name 12>
followed by:

rx_mode [disable|v1_only|v2_only|v1_and_v2]  Determines the version of
    RIP that the switch will use to interpret received RIP packets — as
    RIP version V1 only, V2 only, or V1 and V2. disable prevents the
    switch from receiving RIP packets.
tx_mode [disable|v1_only|v1_compatible|v2_only]  Determines the version
    of RIP that will be used by the switch to format transmitted RIP
    packets — as RIP version V1 only, V1 compatible, or V2 only.
    disable prevents the switch from transmitting RIP packets.
authentication [enabled <password>|disabled]  Enables or disables the
    authentication of RIP packets. If authentication is enabled, a
    case-sensitive password must be entered.
state [enabled|disabled]  Enables or disables RIP on the interface.

To configure RIP on all interfaces, use the following command:

config rip all

This command uses the following options:

config rip all
followed by:

rx_mode [disable|v1_only|v2_only|v1_and_v2]  Determines the version of
    RIP that the switch will use to interpret received RIP packets — as
    RIP version V1 only, V2 only, or V1 and V2. disable prevents the
    switch from receiving RIP packets.
tx_mode [disable|v1_only|v1_compatible|v2_only]  Determines the version
    of RIP that will be used by the switch to format transmitted RIP
    packets — as RIP version V1 only, V1 compatible, or V2 only.
    disable prevents the switch from transmitting RIP packets.
authentication [enabled <password>|disabled]  Enables or disables the
    authentication of RIP packets. If authentication is enabled, a
    case-sensitive password must be entered.
state [enabled|disabled]  Enables or disables RIP on all interfaces.

Figure 145 shows RIP being configured on the IP interface named System to
use RIP version V1 to interpret received RIP packets.

Figure 145 config rip command

PP1612G:4#config rip ipif System rx_mode v1_only


Command: config rip ipif System rx_mode v1_only
Success.
PP1612G:4#

Enabling RIP

To enable RIP, use the following command:

enable rip

Figure 146 shows RIP being enabled.

Figure 146 enable rip command

PP1612G:4#enable rip
Command: enable rip
Success.
PP1612G:4#

Disabling RIP

To disable RIP, use the following command:

disable rip

Figure 147 shows RIP being disabled.

Figure 147 disable rip command

PP1612G:4#disable rip
Command: disable rip
Success.
PP1612G:4#

Displaying the current RIP configuration

To display the current RIP configuration, use the following command:

show rip

This command uses the following options:

show rip
followed by:
ipif <ipif_name 12> The name of the IP interface for which you want to
display the current RIP configuration. If you do not
enter an IP interface name, the switch displays the
current RIP configuration for all IP interfaces.

Figure 148 shows the current RIP configuration being displayed.

Figure 148 show rip command

PP1648T:4# show rip
Command: show rip

RIP Global State : Enabled

RIP Interface Settings

Interface     IP Address         TX Mode    RX Mode       Authen-    State
                                                          tication
------------- ------------------ ---------- ------------- ---------- -----
System        192.32.96.151/26   V1 Comp.   V1 and V2     Disabled   Disabled

Total Entries : 1

PP1648T:4# PP1612G:4#

Configuring OSPF
Open Shortest Path First (OSPF) is a routing protocol that uses a link-state
algorithm to determine routes to network destinations. A link is an interface on a
router and the state is a description of that interface and its relationship to
neighboring routers. The state contains information such as the IP address, subnet
mask, type of network the interface is attached to, other routers attached to the
network, etc. The link-states are then collected in a link-state
database that is maintained by routers running OSPF.

OSPF specifies how routers will communicate to maintain their link-state
database and defines several concepts about the topology of networks that use
OSPF.

To limit the extent of link-state update traffic between routers, OSPF defines the
concept of Area. All routers within an area share the exact same link-state
database, and a change to this database on one router triggers an update to the
link-state database of all other routers in that area. Routers that have interfaces
connected to more than one area are called Border Routers and take the
responsibility of distributing routing information between areas.

One area is defined as Area 0 or the Backbone. This area is central to the rest of
the network in that all other areas have a connection (through a router) to the
backbone. Only routers have connections to the backbone and OSPF is structured
such that routing information changes in other areas will be introduced into the
backbone, and then propagated to the rest of the network.

When constructing a network to use OSPF, it is generally advisable to begin with
the backbone (area 0) and work outward.

There are four general categories of tasks required to set up OSPF on the 1600
switch:

• OSPF Area Setting — the configuration of sub-domains called OSPF areas
and the designation of them as either normal or stub areas. Normal areas allow
the advertisement of external routes and stub areas do not.
• OSPF IP Interface Configuration — the entry of OSPF IP Interfaces that
correspond to IP interfaces configured previously on the switch.
• OSPF Virtual Link Configuration — the definition of OSPF areas that
allow links with outside routers to access the OSPF backbone.
• OSPF Area Aggregation Configuration — allows OSPF areas to be
represented by their network address and subnet mask. In addition, the type of
link-state database advertisements can be specified for each area.

This section includes the following topics:

Topic
Roadmap of OSPF CLI commands
Enabling OSPF
Disabling OSPF
Configuring the OSPF router ID
Displaying the current OSPF configuration
Creating an OSPF area
Deleting an OSPF area
Configuring an OSPF area
Displaying the current OSPF area configuration
Creating an OSPF host route
Creating an OSPF area aggregation
Displaying the current OSPF LSDB
Displaying the current OSPF neighbor table
Displaying the current OSPF virtual neighbor table
Configuring an OSPF IP interface
Creating an OSPF virtual link
Configuring an OSPF virtual link
Deleting an OSPF virtual link
Displaying the currently configured OSPF virtual links

Roadmap of OSPF CLI commands

The following roadmap lists some of the OSPF switch commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on OSPF switch commands.

Command                               Parameter
enable ospf
disable ospf
config ospf router_id                 <ipaddr>
show ospf
create ospf area <area_id> type       stub_summary [enabled|disabled]
  [normal|stub]
                                      metric <value>
delete ospf area                      <area_id>
config ospf area <area_id> type       stub_summary [enabled|disabled]
  [normal|stub]
                                      metric <value>
show ospf area                        <area_id>
create ospf host_route <ipaddr>       area <area_id>
                                      metric <value>
config ospf host_route <ipaddr>       area <area_id>
                                      metric <value>
show ospf host_route                  <ipaddr>
delete ospf host_route                <ipaddr>
create ospf aggregation <area_id>     advertise [enabled|disabled]
  <network_address> lsdb_type
  [summary]
delete ospf aggregation <area_id>
  <network_address> lsdb_type
  [summary]
config ospf aggregation <area_id>     advertise [enabled|disabled]
  <network_address> lsdb_type
  [summary]
                                      metric <value>
show ospf aggregation                 area <area_id>
show ospf lsdb                        area <area_id>
                                      advertise_router <ipaddr>
                                      type [rtrlink|netlink|summary|assummary|asextlink]
show ospf neighbor
show ospf virtual_neighbor            area <area_id>
config ospf ipif <ipif_name 12>       all
                                      area <area_id>
                                      priority <value>
                                      hello_interval <sec>
                                      dead_interval <sec>
                                      authentication [none|simple <password>|md5 <key_id>]
                                      metric <value>
                                      state [enabled|disabled]
show ospf                             ipif <ipif_name 12>
                                      all
create ospf virtual_link <area_id>    hello_interval <sec>
  <neighbor_id>
                                      dead_interval <sec>
                                      authentication [none|simple <password>|md5 <key_id>]
config ospf virtual_link <area_id>    hello_interval <sec>
  <neighbor_id>
                                      dead_interval <sec>
                                      authentication [none|simple <password>|md5 <key_id>]
delete ospf virtual_link <area_id>
  <neighbor_id>
show ospf virtual_link                area <area_id>
                                      <neighbor_id>

Enabling OSPF

To enable OSPF on the switch, use the following command:

enable ospf

This command uses no additional options.

Figure 149 shows OSPF being enabled.

Figure 149 enable ospf command

PP1612G:4#enable ospf
Command: enable ospf
Success.
PP1612G:4#

Disabling OSPF

To disable OSPF on the switch, use the following command:

disable ospf

Figure 150 shows OSPF being disabled.

Figure 150 disable ospf command

PP1612G:4#disable ospf
Command: disable ospf
Success.
PP1612G:4#

Configuring the OSPF router ID

An OSPF router ID is a 32-bit number (in the same form as an IP address —
xxx.xxx.xxx.xxx) that uniquely identifies the switch in the OSPF domain. It is
common to assign the highest IP address assigned to the switch as the OSPF
router ID. In the case of a 10.x.x.x network, this would be 10.255.255.255, but any
unique 32-bit number will do. If 0.0.0.0 is entered, the highest IP address assigned
to the switch will become the OSPF router ID for the switch.

To configure the OSPF router ID, use the following command:

config ospf router_id <ipaddr>

where:
ipaddr is the OSPF router ID.

Figure 151 shows the configuration of the OSPF router ID to be 10.48.74.122.

Figure 151 config ospf router_id command

PP1612G:4#config ospf router_id 10.48.74.122


Command: config ospf router_id 10.48.74.122
Success.
PP1612G:4#

Displaying the current OSPF configuration

To display the current OSPF configuration, use the following command:

show ospf

Figure 152 shows the current OSPF configuration being displayed.

Figure 152 show ospf command - partial display

PP1612G:4# show ospf
Command: show ospf

OSPF Router ID : 192.32.96.54 (Auto selected)
State          : Disabled

OSPF Interface Settings

Interface    IP Address         Area ID         State    Link      Metric
                                                         Status
------------ ------------------ --------------- -------- --------- ---------
ip2          10.1.2.3/8         0.0.0.0         Disabled Link DOWN 1
System       192.32.96.54/26    0.0.0.0         Disabled Link Up   1

Total Entries : 2

OSPF Area Settings

Area ID         Type   Stub Import Summary LSA Stub Default Cost
--------------- ------ ----------------------- -----------------
0.0.0.0         Normal None                    None

Total Entries : 1

Virtual Interface Configuration

Transit         Virtual         Hello    Dead     Authentication Link
Area ID         Neighbor Router Interval Interval                Status
--------------- --------------- -------- -------- -------------- ------

Total Entries : 0

OSPF Area Aggregation Settings

Area ID         Aggregated         LSDB     Advertise
                Network Address    Type
--------------- ------------------ -------- ---------

Total Entries : 0

OSPF Host Route Settings

Host Address    Metric Area ID         TOS
--------------- ------ --------------- ---

Total Entries : 0

PP1612G:4#

Creating an OSPF area

OSPF areas can be designated as either normal or stub. Normal OSPF areas allow
link-state database (LSDB) advertisements of routes to networks that are external
to the area. Stub areas do not allow the LSDB advertisement of external routes.
Stub areas use a default summary route (0.0.0.0) to reach external destinations.

OSPF area definitions are as follows:

Area ID — A 32-bit number in the form of an IP address (xxx.xxx.xxx.xxx) that
uniquely identifies the OSPF area in the OSPF domain.

Normal — OSPF areas that allow AS-external-LSAs to be flooded into them.

Stub — OSPF areas that do not allow AS-external-LSAs to be flooded into them.

To create an OSPF area, use the following command:

create ospf area <area_id> type [normal|stub]

where:
area_id is the OSPF area ID.
type specifies the mode of operation in the OSPF area. normal indicates OSPF
areas that allow AS-external-LSAs to be flooded into them. stub indicates OSPF
areas that do not allow AS-external-LSAs to be flooded into them.

This command uses the following options:

create ospf area <area_id> type [normal|stub]


followed by:
stub_summary [enabled|disabled] Enables or disables the OSPF area to import
summary LSA advertisements.
metric <value> This is a number between 0 and 65535 that
represents the OSPF area cost. The default is 1.

Figure 153 shows the configuration of the OSPF area with the area ID of
10.48.74.122, and the type normal.

Figure 153 create ospf area command

PP1612G:4#create ospf area 10.48.74.122 type normal


Command: create ospf area 10.48.74.122 type normal
Success.
PP1612G:4#

Deleting an OSPF area

To delete an OSPF area, use the following command:

delete ospf area <area_id>

where:
area_id is the OSPF area ID.

Figure 154 shows the deletion of the OSPF area with the area ID of 10.48.74.122.

Figure 154 delete ospf area command

PP1612G:4#delete ospf area 10.48.74.122


Command: delete ospf area 10.48.74.122
Success.
PP1612G:4#

Configuring an OSPF area

OSPF areas can be designated as either normal or stub. Normal OSPF areas allow
link-state database (LSDB) advertisements of routes to networks that are external
to the area. Stub areas do not allow the LSDB advertisement of external routes.
Stub areas use a default summary external route (0.0.0.0 or Area 0) to reach
external destinations.

To configure an OSPF area, use the following command:

config ospf area <area_id> type [normal|stub]

where:
area_id is the OSPF area ID.
type specifies the mode of operation in the OSPF area. normal indicates that
LSAs for routes outside the area are allowed. stub indicates that LSAs for routes
outside the area are not allowed.

This command uses the following options:

config ospf area <area_id> type [normal|stub]


followed by:
stub_summary [enabled|disabled] Enables or disables the OSPF area to import
summary LSA advertisements.
metric <value> This is a number between 0 and 65535 that
represents the OSPF area cost. The default is 0.

Figure 155 shows how to configure an OSPF area with the area ID of
10.48.74.122 to be of type stub, how to enable stub summary LSAs to be
imported, and how to configure an OSPF cost of 1.


Figure 155 config ospf area command

PP1612G:4#config ospf area 10.48.74.122 type stub stub_summary enabled metric 1
Command: config ospf area 10.48.74.122 type stub stub_summary enabled metric 1
Success.
PP1612G:4#

Displaying the current OSPF area configuration

To display the current OSPF area configuration, use the following command:

show ospf area

This command uses the following option:

show ospf area


followed by:
<area_id> This is the OSPF area ID.

Figure 156 shows the current OSPF area configuration being displayed.


Figure 156 show ospf area command

PP1612G:4#show ospf area


Command: show ospf area
Area ID Type Stub Import Summary LSA Stub DefaultCost
0.0.0.0 Normal None None None
10.48.74.122 Stub Enabled 1
Total Entries: 2
PP1612G:4#

Creating an OSPF host route

This command allows you to make a static entry into the switch’s OSPF host table
for host computers that are directly connected to the switch, so that their IP
addresses and route metrics can be advertised to other OSPF areas.

To create an OSPF host route, use the following command:

create ospf host_route <ipaddr>

where:
ipaddr is the IP address of the host.

This command uses the following options:

create ospf host_route <ipaddr>


followed by:
area <area_id> This is the OSPF area ID where the host computer is located.
metric <value> This is a number between 0 and 65535 that represents the OSPF area
cost. The default is 1.


Figure 157 shows how to create an OSPF host route between the host’s IP address
10.48.74.122 and the OSPF area 10.1.1.1, with an OSPF area cost of 2.

Figure 157 create ospf host_route command

PP1612G:4#create ospf host_route 10.48.74.122 area 10.1.1.1 metric 2
Command: create ospf host_route 10.48.74.122 area 10.1.1.1 metric 2
Success.
PP1612G:4#

Configuring an OSPF host route

This command allows you to configure a static entry into the switch’s OSPF host
table for host computers that are directly connected to the switch, so that their IP
addresses and route metrics can be advertised to other OSPF areas.

To configure the OSPF host route, use the following command:

config ospf host_route <ipaddr>

where:
ipaddr is the IP address of the host.

This command uses the following options:

config ospf host_route <ipaddr>


followed by:
area <area_id> This is the OSPF area ID where the host computer is located.
metric <value> This is a number between 0 and 65535 that represents the OSPF area cost.
The default is 1.


Figure 158 shows how to configure the OSPF host route between the host’s IP
address 10.48.74.122 and the OSPF area 10.1.1.1, to use the OSPF area cost of 1.

Figure 158 config ospf host_route command

PP1612G:4#config ospf host_route 10.48.74.122 area 10.1.1.1 metric 1
Command: config ospf host_route 10.48.74.122 area 10.1.1.1 metric 1
Success.
PP1612G:4#

Displaying the currently configured OSPF host routes

To display the OSPF host route, use the following command:

show ospf host_route

This command uses the following options:

show ospf host_route


followed by:
<ipaddr> This is the IP address of the host.

Figure 159 shows the display of the currently configured OSPF host routes.


Figure 159 show ospf host_route command

PP1612G:4# show ospf host_route


Command: show ospf host_route

OSPF Host Route Settings

Host Address    Metric Area ID         TOS
--------------- ------ --------------- ---
2.2.2.2         1      0.0.0.0         0   (Ready)

Total Entries : 1

PP1612G:4#

Deleting an OSPF host route

To delete an OSPF host route, use the following command:

delete ospf host_route <ipaddr>

where:
ipaddr is the IP address of the host.

Figure 160 shows how to delete an OSPF host route, where the host’s IP address
is 10.48.74.122.

Figure 160 delete ospf host_route command

PP1612G:4#delete ospf host_route 10.48.74.122


Command: delete ospf host_route 10.48.74.122
Success.
PP1612G:4#


Creating an OSPF area aggregation

This command allows OSPF areas to be represented by their network addresses
and subnet masks. In this way, all of the range of IP addresses assigned to an
OSPF area can be advertised by just two numbers: the network address and
subnet mask. In addition, the type of link-state database advertisements can be
specified for each area.

To create an OSPF area aggregation, use the following command:

create ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF will use. Currently, only
summary is supported.

This command uses the following option:

create ospf aggregation <area_id> <network_address> lsdb_type [summary]


followed by:
advertise [enabled|disabled] Enables or disables the advertisement trigger.

Figure 161 shows how to create an OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, how to specify the LSDB type
to summary, and how to enable the advertisement trigger.


Figure 161 create ospf aggregation command

PP1612G:4#create ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise enabled
Command: create ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise enabled
Success.
PP1612G:4#

Deleting an OSPF area aggregation

To delete an OSPF area aggregation, use the following command:

delete ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF uses. Currently, only
summary is supported.

Figure 162 shows how to delete the OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, with the LSDB type being
summary.

Figure 162 delete ospf aggregation command

PP1612G:4#delete ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary
Command: delete ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary
Success.
PP1612G:4#


Configuring an OSPF area aggregation

This command allows you to configure how OSPF areas are aggregated so that
each area can be represented by its network address and subnet mask. In this way,
all of the range of IP addresses assigned to an OSPF area can be advertised by just
two numbers — the network address and subnet mask. In addition, the type of
link-state database advertisements can be specified for each area.

To configure an OSPF area aggregation, use the following command:

config ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
area_id is the OSPF area ID.
network_address is the IP address that corresponds to the OSPF area ID.
lsdb_type is the type of address aggregation that OSPF will use. Currently, only
summary is supported.

This command uses the following options:

config ospf aggregation <area_id> <network_address> lsdb_type [summary]


followed by:
advertise [enabled|disabled] Enables or disables the advertisement trigger.
metric <value> Specifies a number between 0 and 65535 that
represents the OSPF area cost. The default is 0.

Figure 163 shows how to configure an OSPF area aggregation for the OSPF area
10.1.1.1, and the network address 10.48.76.122/16, with the LSDB type being
summary and the advertisement trigger disabled:


Figure 163 configure ospf aggregation command

PP1612G:4# config ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise disabled
Command: config ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise disabled
Success.
PP1612G:4#

Displaying the currently configured OSPF area aggregations

To display the currently configured OSPF area aggregations, use the following
command:

show ospf aggregation

This command uses the following options.

show ospf aggregation


followed by:
area <area_id> Indicates the OSPF area ID that you want to display.

Figure 164 shows the currently configured OSPF area aggregations.


Figure 164 show ospf aggregation command

PP1612G:4#show ospf aggregation


Command: show ospf aggregation
OSPF Area Aggregation Settings
Area ID      Aggregated            LSDB           Advertise
             Network Address       Type
------------ --------------------- -------------- -------------
10.1.1.1     10.0.0.0/8            Summary        Enabled
10.1.1.1     20.2.0.0/16           Summary        Enabled
Total Entries: 2
PP1612G:4#

Displaying the current OSPF LSDB

To display the current OSPF LSDB, use the following command:

show ospf lsdb

This command uses the following options:

show ospf lsdb


followed by:
area <area_id> Indicates the OSPF area ID in the LSDB that you want to display.
advertise_router <ipaddr> Indicates the OSPF router ID of the advertising router in the LSDB that you want to display.
type [rtrlink|netlink|summary|assummary|asextlink] Specifies the type of link in the LSDB that you want to display.

Figure 165 shows the current OSPF LSDB.


Figure 165 show ospf lsdb command

PP1648T:4# show ospf lsdb


Command: show ospf lsdb

Area            LSDB      Advertising     Link State         Cost     Sequence
ID              Type      Router ID       ID                          Number
--------------- --------- --------------- ------------------ -------- ----------
0.0.0.0         RTRLink   50.48.75.73     50.48.75.73        *        0x80000002

Total Entries: 1

PP1648T:4#

Displaying the current OSPF neighbor table

To display the current OSPF neighbor table, use the following command:

show ospf neighbor

Figure 166 shows the display of the current OSPF neighbor table.

Figure 166 show ospf neighbor command

PP1612G:4#show ospf neighbor


Command: show ospf neighbor
IP Address of Router ID of Neighbor Neighbor
Neighbor Neighbor Priority State
------------ --------------- -------- ------------
151.201.0.1 10.200.5.12 1 Full
201.3.0.2 10.200.5.7 1 Full
201.3.10.39 10.200.5.39 1 Full
Total Entries: 3


Displaying the current OSPF virtual neighbor table

To display the current OSPF virtual neighbor table, use the following command:

show ospf virtual_neighbor

This command uses the following options:

show ospf virtual_neighbor


followed by:
area <area_id> Indicates the OSPF area ID of the virtual neighbor
that you want to display.

Figure 167 shows the display of the current OSPF LSDB.

Figure 167 show ospf virtual_neighbor command

PP1612G:4#show ospf virtual_link


Command: show ospf virtual_link
Transit         Virtual         Hello    Dead     Authentication Link
Area ID         Neighbor Router Interval Interval                Status
--------------- --------------- -------- -------- -------------- ------
3.3.3.3         10.200.5.7      10       60       None           UP
3.3.3.3         10.200.5.36     10       60       None           UP
Total Entries : 2
PP1612G:4#

Configuring an OSPF IP interface

This command allows you to assign a previously configured IP interface on the
switch for a previously configured OSPF area. The IP interface is identified by
name, and represents a VLAN (also previously configured on the switch).

To configure the OSPF IP interface, use the following command:

config ospf ipif <ipif_name 12>


where:

ipif_name 12 is the name of the IP interface. The name can be up to 12
alphanumeric characters.

This command uses the following options:

config ospf ipif <ipif_name 12>


followed by:
all Specifies that this OSPF IP interface configuration
will apply to all the IP interfaces on the switch.
area <area_id> Specifies the OSPF area ID.
priority <value> Determines the Designated Router (DR).
• value is a number between 0 and 255. The
higher the number, the higher the priority. For
example, 255 represents a higher priority than
200.
hello_interval <sec> Specifies the amount of time, in seconds, between
the transmission of OSPF Hello packets.
• sec is a value between 1 and 65535 seconds,
inclusive.
Note: The Hello Interval, Dead Interval,
Authorization Type, and Authorization Key should be
the same for all routers on the network.
dead_interval <sec> Specifies the maximum length of time, in seconds,
between the receipt of successive Hello packets from
a neighbor router before the area router declares the
neighbor router down.
• sec is a value between 1 and 65535 seconds,
inclusive. The Dead Interval must be evenly
divisible by the Hello Interval.
authentication [none|simple <password>|md5 <key_id>] Specifies the type of authentication required between routers.
• password is an 8-character, case-sensitive
password. You specify a password when you
select simple authentication.
• key_id is a previously defined MD5 key ID. For
instructions on configuring an entry in the MD5
key table, see “Configuring OSPF packet
authentication” on page 291.

metric <value> Indicates the OSPF area cost.
• value is a number between 0 and 65535,
inclusive. The default is 1.
state [enabled|disabled] Enables or disables the OSPF IP interface.

Figure 168 shows the configuration of the OSPF IP interface named System.

Figure 168 config ospf ipif command

PP1612G:4#config ospf ipif System priority 2 hello_interval 15 metric 2 state enabled
Command: config ospf ipif System priority 2 metric 2 state enabled hello_interval 15
Success.
PP1612G:4#

Displaying currently configured OSPF IP interfaces

To display the currently configured OSPF IP interfaces, use the following command:

show ospf ipif

This command uses the following options:

show ospf
followed by:
<ipif_name 12> Specifies the OSPF IP interface that you want to display.
all Specifies that you want all of the currently configured OSPF IP
interfaces on the switch to be displayed.

Figure 169 shows the currently configured OSPF IP interfaces being displayed.


Figure 169 show ospf all command

PP1648T:4# show ospf all


Command: show ospf all

OSPF Interface Settings

Interface Name: System          IP Address: 192.32.96.151/26 (Link Up)
Network Medium Type: BROADCAST  Metric: 1
Area ID: 0.0.0.0                Administrative State: Disabled
Priority: 1                     DR State: DOWN
DR Address: None                Backup DR Address: None
Hello Interval: 10              Dead Interval: 40
Transmit Delay: 1               Retransmit Time: 5

Total Entries : 1

PP1648T:4#

Creating an OSPF virtual link


You use virtual links to restore or increase connectivity of the backbone. Virtual
links may be configured between any pair of area border routers that have
interfaces to a common (non-backbone) area. The virtual link appears as an
unnumbered point-to-point link in the graph for the backbone. You must configure
the virtual link in both of the area border routers.

To create an OSPF virtual link, use the following command:

create ospf virtual_link <area_id> <neighbor_id>

where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.


This command uses the following options:

create ospf virtual_link <area_id> <neighbor_id>


followed by:
hello_interval <sec> Specifies the amount of time, in seconds, between
the transmission of OSPF Hello packets.
• sec is a value between 1 and 65535 seconds,
inclusive.
Note: The Hello Interval, Dead Interval,
Authorization Type, and Authorization Key should be
the same for all routers on the network.
dead_interval <sec> Specifies the maximum length of time, in seconds,
between the receipt of successive Hello packets from
a neighbor router before the area router declares the
neighbor router down.
• sec is a value between 1 and 65535 seconds,
inclusive. The Dead Interval must be evenly
divisible by the Hello Interval.
authentication [none|simple <password>|md5 <key_id>] Specifies the type of authentication required between routers.
• password is an 8-character, case-sensitive
password. You specify a password when you
select simple authentication.
• key_id is a previously defined MD5 key ID.


Figure 170 shows how to create an OSPF virtual link between the OSPF area
10.1.1.1 and the OSPF area 20.1.1.1 with a hello interval of 10 seconds between
the transmission of hello packets.

Figure 170 create ospf virtual_link command

PP1612G:4#create ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 10
Command: create ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 10
Success.
PP1612G:4#

Configuring an OSPF virtual link

This command allows OSPF areas to be represented by their network address and
subnet mask. In this way, all of the range of IP addresses assigned to an OSPF area
can be advertised by just two numbers — the network address and subnet mask. In
addition, the type of link-state database advertisements can be specified for each
area.

To configure an OSPF virtual link, use the following command:

config ospf virtual_link <area_id> <neighbor_id>

where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.


This command uses the following options:

config ospf virtual_link <area_id> <neighbor_id>


followed by:
hello_interval <sec> Specifies the amount of time, in seconds, between
the transmission of OSPF Hello packets.
• sec is a value between 1 and 65535 seconds,
inclusive.
Note: The Hello Interval, Dead Interval,
Authorization Type, and Authorization Key should be
the same for all routers on the network.
dead_interval <sec> Specifies the maximum length of time, in seconds,
between the receipt of successive Hello packets from
a neighbor router before the area router declares the
neighbor router down.
• sec is a value between 1 and 65535 seconds,
inclusive. The Dead Interval must be evenly
divisible by the Hello Interval.
authentication [none|simple <password>|md5 <key_id>] Specifies the type of authentication required between routers.
• password is an 8-character, case-sensitive
password. You specify a password when you
select simple authentication.
• key_id is a previously defined MD5 key ID.

Figure 171 shows the configuration of an OSPF virtual link between the OSPF
area 10.1.1.1 and the OSPF area 20.1.1.1 with a hello interval of 20 seconds
between the transmission of hello packets.

Figure 171 config ospf virtual_link command

PP1612G:4#config ospf virtual_link 10.1.1.2 20.1.1.1 hello_interval 20
Command: config ospf virtual_link 10.1.1.2 20.1.1.1 hello_interval 20
Success.
PP1612G:4#


Deleting an OSPF virtual link

To delete an OSPF virtual link, use the following command:

delete ospf virtual_link <area_id> <neighbor_id>

where:
area_id is the OSPF Transit area ID.
neighbor_id is the OSPF router ID of the neighbor.

Figure 172 shows the deletion of an OSPF virtual link between the OSPF area
10.1.1.1 and the OSPF area 20.1.1.1.

Figure 172 delete ospf virtual_link command

PP1612G:4#delete ospf virtual_link 10.1.12 20.1.1.1


Command: delete ospf virtual_link 10.1.12 20.1.1.1
Success.
PP1612G:4#

Displaying the currently configured OSPF virtual links

To display the currently configured OSPF virtual links, use the following command:

show ospf virtual_link

This command uses the following options:

show ospf virtual_link


followed by:
area <area_id> Specifies the OSPF area ID of the virtual link that you
want to display.
<neighbor_id> Specifies the OSPF router ID of the neighbor that
you want to display.


Figure 173 displays the currently configured OSPF virtual links:

Figure 173 show ospf virtual_link command

PP1612G:4# show ospf virtual_link


Command: show ospf virtual_link

Virtual Interface Configuration

Transit         Virtual         Hello    Dead     Authentication Link
Area ID         Neighbor Router Interval Interval                Status
--------------- --------------- -------- -------- -------------- ------
10.0.0.0        20.0.0.0        10       60       None           DOWN
Total Entries: 1
PP1612G:4#

Configuring OSPF packet authentication


A Message Digest - version 5 (MD5) key is an alphanumeric string of up to 16
case-sensitive characters that you use to authenticate every packet exchanged
between OSPF routers. You can also use it as a security mechanism to limit the
exchange of network topology information to authorized routers in the OSPF
domain.

This section describes the commands you use to configure MD5 and also create,
delete, and show MD5 key table entries. Specifically, it includes the following
topics:

Roadmap of MD5 CLI commands
Creating an entry to the MD5 key table
Deleting an MD5 key table entry
Configuring an MD5 key
Displaying the current MD5 key table


Roadmap of MD5 CLI commands

The following roadmap lists all of the MD5 commands and their parameters. Use
this list as a quick reference or click on any entry for more information:

Command Parameter
create md5 key <key_id> <password 16>
delete md5 key <key_id>
config md5 key <key_id> <password 16>
show md5 <key_id>

Creating an entry to the MD5 key table


To create an entry into the switch’s MD5 key table which can be used to
authenticate exchanges between OSPF routers, use the following command:

create md5 key <key_id> <password 16>

where:
key_id is the MD5 key ID with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.

Figure 174 shows how to create a new key entry into the switch’s MD5 key table
with the key ID 2 and the password internet.

Figure 174 create md5 key command

PP1612G:4#create md5 key 2 internet


Command: create md5 key 2 internet

Success.

PP1612G:4#
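
How a key such as the one created in Figure 174 authenticates each OSPF packet, shown as an added Python example (not code from this guide or from the switch). It follows the cryptographic authentication procedure of RFC 2328 Appendix D; the null-padding of short keys to 16 bytes, the function names, and the constructed Hello packet are assumptions.

```python
import hashlib
import hmac
import socket
import struct

# OSPF common header when AuType is 2 (cryptographic authentication):
# version, type, length, router ID, area ID, checksum, AuType,
# then 0, Key ID, Auth Data Length, cryptographic sequence number.
HEADER = struct.Struct("!BBH4s4sHHHBBI")
AUTYPE_MD5 = 2
DIGEST_LEN = 16


def pad_key(password):
    """Pad the key string to 16 bytes (assumed null-padding convention)."""
    raw = password.encode("ascii")
    if not 1 <= len(raw) <= 16:
        raise ValueError("MD5 key must be 1 to 16 characters")
    return raw.ljust(16, b"\x00")


def sign_packet(ptype, router_id, area_id, body, key_id, seq, password):
    """Return the bytes sent on the wire: OSPF packet plus trailing digest."""
    if not 1 <= key_id <= 255:
        raise ValueError("key_id must be between 1 and 255")
    length = HEADER.size + len(body)  # the digest is not counted in the length
    header = HEADER.pack(2, ptype, length,
                         socket.inet_aton(router_id),
                         socket.inet_aton(area_id),
                         0,  # checksum is not calculated for AuType 2
                         AUTYPE_MD5, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    # Digest input is the packet followed by the 16-byte key; the key itself
    # never appears on the wire, only the digest does.
    return packet + hashlib.md5(packet + pad_key(password)).digest()


def verify_packet(wire, key_table, last_seq):
    """Receiver-side check. Returns (accepted, reason)."""
    if len(wire) < HEADER.size + DIGEST_LEN:
        return False, "too-short"
    (_ver, _ptype, length, _rid, _aid, _csum,
     autype, _zero, key_id, auth_len, seq) = HEADER.unpack(wire[:HEADER.size])
    if autype != AUTYPE_MD5 or auth_len != DIGEST_LEN:
        return False, "not-md5-authenticated"
    if len(wire) != length + DIGEST_LEN:
        return False, "bad-length"
    password = key_table.get(key_id)
    if password is None:
        return False, "unknown-key-id"
    if seq < last_seq:  # replay protection: sequence numbers never go back
        return False, "stale-sequence"
    expected = hashlib.md5(wire[:length] + pad_key(password)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "bad-digest"
    return True, "ok"


def sample_hello():
    """Constructed Hello body: mask, HelloInterval 10, options, priority 1,
    RouterDeadInterval 40, no DR, no BDR."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))


# Key ID 2 and password "internet" are the values used in Figure 174.
KEY_TABLE = {2: "internet"}
# Router ID, area, and sequence number are constructed sample values.
WIRE = sign_packet(1, "10.200.5.12", "0.0.0.0", sample_hello(), 2, 1000, "internet")

if __name__ == "__main__":
    print(verify_packet(WIRE, KEY_TABLE, last_seq=999))
    print(verify_packet(WIRE, {2: "customer"}, last_seq=999))
```

A neighbor whose key table holds a different string under the same key ID rejects the packet with `bad-digest`, which is why the key ID and key must match on every router that shares the link.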


Deleting an MD5 key table entry

To delete the MD5 key table entry, use the following command:

delete md5 key <key_id>

where:
key_id is the MD5 key ID with values between 1 and 255.

Figure 175 shows how to delete an MD5 key table entry with the key ID 1.

Figure 175 delete md5 key command

PP1612G:4#delete md5 key 1


Command: delete md5 key 1

Success.

PP1612G:4#

Configuring an MD5 key

To configure an MD5 key which can be used to authenticate exchanges between
OSPF routers, enter the following command:

config md5 key <key_id> <password 16>

where:
key_id is the MD5 key ID with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.

Figure 176 shows how to configure MD5 to use key ID 1 and the password
customer.


Figure 176 config md5 command

PP1612G:4#config md5 key 1 customer


Command: config md5 key 1 customer

Success.

PP1612G:4#

Displaying the current MD5 key table

To display the switch’s current MD5 key table, use the following command:

show md5

This command uses the following options:

show md5
followed by:

<key_id> Specifies the MD5 key ID that you want to display.

Figure 177 shows how to display the switch’s MD5 key table.


Figure 177 show md5 command

PP1612G:4#show md5
Command: show md5

MD5 Key Table Configurations

Key-ID Key
------ ---
1 customer
2 develop
3 fireball
4 intelligent

Total Entries:4

PP1612G:4#
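
The option tables for config ospf ipif and the virtual_link commands, together with the MD5 key table commands above, imply checks that can be run over a saved command script before it is applied. The following added Python example (not part of this guide or the switch software) flags authentication none, simple passwords, md5 key IDs with no key table entry in the script, out-of-range values, and a dead interval that is not a multiple of the hello interval; the sample script and the finding names are constructed for illustration.

```python
# Value ranges stated in the option tables on this page.
RANGES = {"priority": (0, 255), "hello_interval": (1, 65535),
          "dead_interval": (1, 65535), "metric": (0, 65535)}

# Constructed sample script; only "create md5 key 2 internet" is from the page.
SAMPLE_CONFIG = """\
create md5 key 2 internet
config ospf ipif System area 0.0.0.0 priority 2 hello_interval 15 dead_interval 40 authentication none state enabled
config ospf ipif v2 area 10.1.1.1 hello_interval 10 dead_interval 40 authentication md5 3 state enabled
config ospf ipif v3 area 10.1.1.1 priority 300 authentication simple secret12 state enabled
create ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 10 dead_interval 60 authentication md5 2
"""


def in_range(text, lo, hi):
    """True when text is a plain decimal number within [lo, hi]."""
    return text.isascii() and text.isdigit() and lo <= int(text) <= hi


def parse_options(tokens):
    """Turn the keyword/value tail of a command into a dict."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key == "authentication":
            mode = tokens[i + 1] if i + 1 < len(tokens) else ""
            if mode == "none":
                opts["auth"], i = ("none", ""), i + 2
            else:  # "simple <password>" or "md5 <key_id>"
                value = tokens[i + 2] if i + 2 < len(tokens) else ""
                opts["auth"], i = (mode, value), i + 3
        else:
            opts[key] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
    return opts


def audit(config_text):
    """Return a sorted list of (line_number, target, finding) tuples."""
    md5_keys, targets, findings = set(), [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tok = line.split()
        verb_ok = bool(tok) and tok[0] in ("create", "config")
        if verb_ok and len(tok) == 5 and tok[1:3] == ["md5", "key"]:
            if in_range(tok[3], 1, 255) and len(tok[4]) <= 16:
                md5_keys.add(int(tok[3]))
            else:
                findings.append((lineno, "md5 key " + tok[3], "md5-key-invalid"))
        elif len(tok) >= 4 and tok[:3] == ["config", "ospf", "ipif"]:
            targets.append((lineno, "ipif " + tok[3], parse_options(tok[4:])))
        elif verb_ok and len(tok) >= 5 and tok[1:3] == ["ospf", "virtual_link"]:
            targets.append((lineno, "virtual_link %s %s" % (tok[3], tok[4]),
                            parse_options(tok[5:])))
    # Second pass, so a key defined later in the script still counts.
    for lineno, target, opts in targets:
        for key, (lo, hi) in RANGES.items():
            if key in opts and not in_range(opts[key], lo, hi):
                findings.append((lineno, target, key + "-out-of-range"))
        hello = opts.get("hello_interval", "")
        dead = opts.get("dead_interval", "")
        if (in_range(hello, 1, 65535) and in_range(dead, 1, 65535)
                and int(dead) % int(hello)):
            findings.append((lineno, target, "dead-not-multiple-of-hello"))
        if "auth" not in opts:
            continue  # the line does not change authentication
        mode, value = opts["auth"]
        if mode == "none":
            findings.append((lineno, target, "auth-none"))
        elif mode == "simple":
            # Simple authentication carries the password unprotected in
            # every OSPF packet (RFC 2328, Appendix D.2).
            findings.append((lineno, target, "auth-simple-cleartext"))
        elif mode == "md5":
            if not in_range(value, 1, 255) or int(value) not in md5_keys:
                findings.append((lineno, target, "md5-key-undefined"))
        else:
            findings.append((lineno, target, "auth-unknown-mode"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Figure 177 shows that show md5 prints the key strings themselves, so saved scripts and captured CLI output that feed a check like this hold the same secrets as the key table.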


Chapter 11
Configuring IP routes and route redistribution

This chapter describes the route table and route redistribution commands.
Specifically, it includes the following topics:

Using the route table
Roadmap of route table CLI commands
Creating an IP route
Creating a default IP route
Displaying the IP routes
Configuring IP routes
Configuring default IP routes
Configuring IP routes with max static routes
Using route redistribution
Roadmap of route redistribution CLI commands
Creating a route redistribution from RIP to OSPF
Creating a route redistribution from OSPF to RIP
Deleting a route redistribution
Configuring a route redistribution between RIP and OSPF
Configuring a route redistribution between OSPF and RIP
Displaying the route redistribution settings


Using the route table


The Passport 1600 switch allows you to make static entries into the switch’s IP
routing table.

IP routing is based on the network address of the destination IP address. Each
routing table entry on the switch has a corresponding network address. For each
network address, a corresponding gateway is listed. A gateway is used to
communicate with remote networks. The gateway does not have to be directly
connected to the remote network; it simply needs to be the first place to go on the
way to the remote network.

A default gateway is defined as the gateway that connects the local network to the
backbone or to the Internet. A default gateway is used whenever no specific route
is found for a given packet, or when there are several gateways on a network that
all have similar connections. For the Passport 1600 CLI, a default IP route is a
route to a default gateway.

Roadmap of route table CLI commands


The following roadmap lists some of the route table commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on route table commands.

Command                           Parameter
create iproute                    default
                                  <network_address>
create iproute default            <ipaddr>
                                  <metric>
create iproute <network address>  <ipaddr>
                                  <metric>
delete iproute default
show iproute                      <network_address>
                                  static
                                  rip
                                  ospf
config iproute                    default
                                  max_static_route
config iproute default            <ipaddr>
                                  <metric 1-65535>
config iproute max_static_route   <int 0-512>

Creating an IP route
To create an IP route, enter the following command:

create iproute

This command uses the following options:

create iproute
followed by:

default Creates a default IP route entry.
<network_address> Specifies the IP address and subnet mask of the IP interface
you want to create an IP route for. You can specify the address
and mask information using the traditional format (for
example, 10.1.2.3/255.0.0.0) or the CIDR format (for
example, 10.1.2.3/8).

Figure 178 shows the creation of an IP route for 10.48.74.121, with a subnet
mask of 255.0.0.0, a gateway at IP address 10.1.1.254, and a route metric of 1.


Figure 178 create iproute command

PP1648T:4# create iproute 10.48.74.121/255.0.0.0 10.1.1.254 1


Command: create iproute 10.48.74.121/8 10.1.1.254 1
Success.
PP1648T:4#

Creating a default IP route


To create a default IP route, enter the following command:

create iproute default

This command uses the following options:

create iproute default


followed by:
<ipaddr> Identifies the IP address of the next hop. This can be a
bridge, a router, or a gateway.
<metric> Specifies a numerical value representing the relative distance
between the source and the destination along the IP route.
The default is 1.

Creating an IP route using a network address


To create an IP route using a network address, enter the following command:

create iproute <network address>


This command uses the following options:

create iproute <network address>


followed by:
<ipaddr> Identifies the IP address of the next hop. This can be a
bridge, a router, or a gateway.
<metric> Specifies a numerical value representing the relative distance
between the source and the destination along the IP route.
The default is 1.

Deleting an IP route
To delete an IP route, enter the following command:

delete iproute default

Figure 179 shows the deletion of an IP route.

Figure 179 delete iproute command

PP1648T:4# delete iproute default


Command: delete iproute default
Success.
PP1648T:4#

Displaying the IP routes


To display the current IP routes in the switch’s routing table, enter the following
command:

show iproute


This command uses the following options:

show iproute
followed by:

<network_address> Specifies the IP address and subnet mask of the IP interface
for which you want to display the IP route, if it exists. You can
specify the address and mask information using the traditional
format (for example, 10.1.2.3/255.0.0.0) or the CIDR
format (for example, 10.1.2.3/8).
static You can choose to display the switch’s IP routing table by the
way the route was entered: static, for IP routes entered
statically.
rip You can choose to display the switch’s IP routing table by the
way the route was entered: rip, for routes discovered by
RIP (Routing Information Protocol).
ospf You can choose to display the switch’s IP routing table by the
way the route was entered: ospf, for routes discovered by
OSPF (Open Shortest Path First).

Figure 180 shows the display of the switch’s routing table.

Figure 180 show iproute command

PP1648T:4# show iproute


Command: show iproute

Routing Table

IP Address/Netmask Gateway         Interface    Cost     Protocol
------------------ --------------- ------------ -------- --------------
0.0.0.0            10.254.254.254  System       1        Default
11.0.0.0/29        11.0.0.2        v2           1        Local
11.0.0.32/29       11.0.0.25       v3           15       OSPF
12.1.40.0/24       11.0.0.25       v3           8        OSPF
31.1.40.0/24       201.8.0.1       v5           2        RIP (Age: 26)
Total Entries: 5
PP1648T:4#


Configuring IP routes
To configure IP routes, enter the following command:

config iproute

This command uses the following options:

config iproute
followed by:

default
    This option modifies the default route which has been created.
max_static_route
    This option sets the maximum number of entries for static routes.

Figure 181 shows the display of the config iproute command.

Figure 181 config iproute command

PP1648T:4# config iproute


Command: config iproute
Next possible completions:
default max_static_route
PP1648T:4#

Configuring default IP routes


To modify the default IP route, enter the following command:

config iproute default


This command uses the following options:

config iproute default
followed by:

<ipaddr>
    Identifies the IP address of the next hop. This can be a bridge, router
    or gateway.
<metric 1-65535>
    Specifies a numerical value representing the relative distance between
    the source and the destination along the IP route. The default value
    is 1.

Figure 182 shows the display of the config iproute default command.

Figure 182 config iproute default command

PP1648T:4# config iproute default


Command: config iproute default
Next possible completions:
<ipaddr> <metric 1-65535>
PP1648T:4#

Configuring IP routes with max static routes


To set up the maximum static route number, enter the following command:

config iproute max_static_route

This command uses the following options:

config iproute max_static_route
followed by:

<int 0-512>
    Identifies the maximum number of static route entries for users’
    configurations. The default value is 32.


Note: Due to memory limitations, reserving more space for static route
entries reduces the number of maximum dynamic routes. Before changing
the default setting, please refer to Table 11.

Table 11 Unicast/multicast ratios for dynamic and static iproute and arp values

Unicast/multicast ratio of 75/25

Dynamic iproute   Static iproute   Dynamic arp   Static arp
---------------   --------------   -----------   ----------
1404              0                1372          32
1372              32               1372          32
1340              64               1372          32
1276              128              1372          32
1148              256              1372          32
892               512              1372          32

Unicast/multicast ratio of 100/0

Dynamic iproute   Static iproute   Dynamic arp   Static arp
---------------   --------------   -----------   ----------
1918              0                1372          32
1886              32               1372          32
1854              64               1372          32
1790              128              1372          32
1662              256              1372          32
1406              512              1372          32

Figure 183 shows the display of the config iproute max_static_route command.


Figure 183 config iproute max_static_route command

PP1648T:4# config iproute max_static_route


Command: config iproute max_static_route
Next possible completions:
<int 0-512>
PP1648T:4#

Using route redistribution


Route redistribution allows routers on the network that are running different
routing protocols to exchange routing information. This is accomplished by
comparing the routes stored in the various routers’ routing tables and assigning
appropriate metrics. This information is then exchanged among the various
routers according to each router’s current routing protocol.

The switch can redistribute routing information between the OSPF and RIP
routing protocols to all routers on the network (that are running either OSPF or
RIP). Routing information entered into the switch’s static routing table and the IP
interface routing information (local to the switch) can also be redistributed.

The Route Redistribution commands in the Command Line Interface (CLI) are
listed (along with the appropriate parameters) in the following table:


Roadmap of route redistribution CLI commands


The following roadmap lists some of the route redistribution commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on route redistribution commands.

Command                                      Parameter
-------------------------------------------  ------------------------------
create route redistribute dst ospf src rip   mettype [type_1|type_2]
                                             metric <value>
create route redistribute dst rip src ospf   [all|internal|external|type_1|type_2|inter+e1|inter+e2]
                                             metric <value>
delete route redistribute                    dst [rip|ospf]
                                             src [rip|static|local|ospf]
config route redistribute dst ospf src rip   mettype [1|2]
                                             metric <value>
config route redistribute dst rip src ospf   [all|internal|external|type_1|type_2|inter+e1|inter+e2]
                                             metric <value>
show route redistribute dst rip src ospf     dst [rip|ospf]
                                             src [rip|static|local|ospf]

Creating a route redistribution from RIP to OSPF


The source for the routing information to redistribute is OSPF, the switch’s static
routing table, and the switch’s local IP interface routing information. You can also
choose how the RIP routing metric is calculated for redistribution to OSPF.

To redistribute routes between RIP and OSPF (RIP as the source, and OSPF as the
destination), enter the following command:

create route redistribute dst ospf src rip


Note that rip allows you to redistribute routes discovered through the Routing
Information Protocol (RIP). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.

This command uses the following options:

create route redistribute dst ospf src rip
followed by:

mettype [type_1|type_2]
    Allows you to choose between the two methods of calculating the routing
    metric when redistributing routing information.
    type_1: (for redistributing from RIP to OSPF) calculates the metric by
    adding the destination’s interface cost to the metric entered in the
    metric field, below.
    type_2: uses the metric entered in the metric field without change.
    type_2 only applies when the destination field is OSPF.
metric <value>
    Allows you to enter a value for an OSPF interface cost that will be
    used when redistributing routes from RIP to OSPF. Entering a metric
    value of 0 specifies transparency.

Table 12 shows the allowed values for the OSPF routing metrics:

Table 12 Allowed values for the OSPF routing metrics

Route Source   Metric           Metric Type
------------   --------------   -----------
RIP            0 to 16777214    mettype 1
                                mettype 2
Static         0 to 16777214    mettype 1
                                mettype 2
Local          0 to 16777214    mettype 1
                                mettype 2

The RIP metric value 0 will be redistributed in OSPF as 20.


Figure 184 shows how to redistribute routing information between RIP and OSPF,
with RIP as the source and OSPF as the destination.

Figure 184 create route redistribute dst ospf src rip command

PP1648T:4# create route redistribute dst ospf src rip


Command: create route redistribute dst ospf src rip

Success.

PP1648T:4#

Creating a route redistribution from OSPF to RIP


The source for the routing information to redistribute is OSPF, the switch’s static
routing table, and the switch’s local IP interface routing information. You can
choose the type of OSPF route to redistribute, as well as how the routing metric
information will be redistributed to RIP.

To redistribute routes between OSPF and RIP (OSPF as the source and RIP as the
destination), enter the following command:

create route redistribute dst rip src ospf

Note that ospf allows you to redistribute routes discovered through Open
Shortest Path First (OSPF). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.


This command uses the following options:

create route redistribute dst rip src ospf
followed by:

[all|internal|external|type_1|type_2|inter+e1|inter+e2]
    Follow ospf with one or more of the following OSPF type descriptors:
    all: redistributes all OSPF routes in the switch’s routing table to RIP.
    internal: redistributes only OSPF internal routes to RIP.
    external: redistributes only OSPF external routes to RIP.
    type_1: redistributes OSPF type 1 LSAs (Link State Advertisements).
    type_2: redistributes OSPF type 2 LSAs.
    inter+e1: redistributes OSPF internal, external and Type 1 routes to RIP.
    inter+e2: redistributes OSPF internal, external and Type 2 routes to RIP.
metric <value>
    Allows you to enter a value for an OSPF interface cost that is used
    when redistributing routes from RIP to OSPF. Entering a metric value
    of 0 specifies transparency.

Table 13 shows the allowed values for the routing metrics.

Table 13 Allowed values for the routing metrics

Route Source   Metric     Type
------------   --------   ---------------
OSPF           0 to 16    all
                          type_1
                          type_2
                          internal type_1
                          internal type_2
                          external
                          internal
RIP            0 to 16    not applicable

Figure 185 shows how to redistribute all OSPF routes in the switch’s routing table
to RIP with an OSPF interface cost of 2.


Figure 185 create route redistribute dst rip src ospf command

PP1648T:4# create route redistribute dst rip src ospf all metric 2
Command: create route redistribute dst rip src ospf all metric 2

Success.

PP1648T:4#

Deleting a route redistribution


To delete a route redistribution configuration, enter the following command:

delete route redistribute

This command uses the following options:

delete route redistribute
followed by:

dst [rip|ospf]
    Allows you to select the destination for the route redistribution you
    want to delete. If the route redistribution is from RIP to OSPF, then
    OSPF is the destination protocol.
src [rip|static|local|ospf]
    Allows you to select the source for the route redistribution you want
    to delete. If the route redistribution is from RIP to OSPF, then RIP is
    the source protocol.

Figure 186 shows how to delete a route redistribution between RIP and OSPF
with RIP as the destination and OSPF as the source.


Figure 186 delete route redistribute command

PP1648T:4# delete route redistribute dst rip src ospf


Command: delete route redistribute dst rip src ospf

Success.

PP1648T:4#

Configuring a route redistribution between RIP and OSPF

To configure a route redistribution between RIP and OSPF with RIP
as the source, and OSPF as the destination, enter the following command:

config route redistribute dst ospf src rip

Note that rip allows you to redistribute routes discovered through the Routing
Information Protocol (RIP). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.


This command uses the following options:

config route redistribute dst ospf src rip
followed by:

mettype [1|2]
    Allows you to choose between two methods of calculating the routing
    metric when redistributing routing information.
    1: (for redistributing from RIP to OSPF) calculates the metric by
    adding the destination’s interface cost to the metric entered in the
    metric field, below.
    2: uses the metric entered in the metric field without change. type_2
    only applies when the destination field is OSPF.
metric <value>
    Allows you to enter a value for an OSPF interface cost that will be
    used when redistributing routes from RIP to OSPF.

Figure 187 shows how to configure route redistribution from RIP to OSPF using
the metric calculation method 1 and a metric value of 2:

Figure 187 config route redistribute dst ospf src rip command

PP1648T:4# config route redistribute dst ospf src rip mettype 1 metric 2
Command: config route redistribute dst ospf src rip mettype 1 metric 2

Success.

PP1648T:4#


Configuring a route redistribution between OSPF and RIP

To configure a route redistribution between RIP and OSPF with RIP
as the destination, and OSPF as the source, enter the following command:

config route redistribute dst rip src ospf

Note that ospf allows you to redistribute routes discovered through Open
Shortest Path First (OSPF). You can also specify static and local as the source of
the routing information to redistribute. Static refers to manual entries in the
switch’s routing table, while local redistributes routing information from within
the switch’s routing table.

This command uses the following options:

config route redistribute dst rip src ospf
followed by:

[all|internal|external|type_1|type_2|inter+e1|inter+e2]
    Follow ospf with one or more of the following OSPF type descriptors:
    all: redistributes all OSPF routes in the switch’s routing table to RIP
    internal: redistributes only OSPF internal routes to RIP
    external: redistributes only OSPF external routes to RIP
    type_1: redistributes OSPF type 1 LSAs (Link State Advertisements)
    type_2: redistributes OSPF type 2 LSAs
    inter+e1: redistributes OSPF internal, external, and Type 1 routes to RIP
    inter+e2: redistributes OSPF internal, external, and Type 2 routes to RIP
metric <value>
    Allows you to enter a value for an OSPF interface cost that will be
    used when redistributing routes from RIP to OSPF.

Figure 188 shows the configuration of a route redistribution from OSPF to RIP to
use OSPF type all and a metric value of 3.


Figure 188 config route redistribute dst rip src ospf command

PP1648T:4# config route redistribute dst rip src ospf all metric 3
Command: config route redistribute dst rip src ospf all metric 3

Success.

PP1648T:4#

Displaying the route redistribution settings


To display the switch’s route redistribution settings for redistributing routing
information from OSPF to RIP, enter the following command:

show route redistribute dst rip src ospf

This command uses the following options:

show route redistribute
followed by:

dst [rip|ospf]
    Allows you to select the destination protocol for the routing
    information redistribution settings you want to display. If no
    destination protocol is specified, the switch will display all of its
    routing information redistribution settings.
src [rip|static|local|ospf]
    Allows you to select the source protocol for the routing information
    redistribution settings you want to display.

Figure 189 shows the display of the routing information redistribution settings.


Figure 189 show route redistribute command

PP1648T:4# show route redistribute


Command: show route redistribute

Route Redistribution Settings

Source   Destination  Type     Metric
Protocol Protocol
-------- ------------ -------- ------------
OSPF     RIP          All      Transparency
RIP      OSPF         Type-1   2
LOCAL    OSPF         Type-2   20

Total Entries : 3
PP1648T:4#
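
A pre-deployment check for the create and config route redistribute commands described in this chapter, as an added example that is not part of the original guide: it validates a command line against the documented keywords and the metric ranges in Tables 12 and 13. The function name, the finding texts and the constructed sample lines are illustrative; the note on metric 16 relies on RIP defining 16 as unreachable (RFC 2453), which the guide does not state.

```python
"""Validate Passport 1600 route redistribution commands against the guide's tables."""

OSPF_DESCRIPTORS = {"all", "internal", "external", "type_1", "type_2",
                    "inter+e1", "inter+e2"}
SOURCES = {"rip", "static", "local", "ospf"}
METRIC_MAX = {"ospf": 16777214, "rip": 16}      # upper bounds from Tables 12 and 13
METTYPES = {"create": {"type_1", "type_2"},     # option table for create
            "config": {"1", "2"}}               # option table for config
RIP_INFINITY = 16                               # RFC 2453, not stated in the guide


def check_redistribute(line):
    """Return a list of findings for one create/config route redistribute line."""
    tokens = line.split()
    if (len(tokens) < 7 or tokens[0] not in METTYPES
            or tokens[1:4] != ["route", "redistribute", "dst"]
            or tokens[5] != "src"):
        return [f"not a create/config route redistribute command: {line!r}"]
    verb, dst, src = tokens[0], tokens[4], tokens[6]
    findings = []
    if dst not in METRIC_MAX:
        findings.append(f"dst must be rip or ospf, got {dst!r}")
    if src not in SOURCES:
        findings.append(f"src must be one of {sorted(SOURCES)}, got {src!r}")

    descriptors, mettype, metric = [], None, None
    rest = iter(tokens[7:])
    for token in rest:
        if token in ("mettype", "metric"):
            value = next(rest, None)          # keyword must be followed by a value
            if value is None:
                findings.append(f"{token} has no value")
            elif token == "mettype":
                mettype = value
            else:
                metric = value
        elif token in OSPF_DESCRIPTORS:
            descriptors.append(token)
        else:
            findings.append(f"unrecognized token {token!r}")

    # OSPF type descriptors are documented only for dst rip src ospf.
    if descriptors and (dst, src) != ("rip", "ospf"):
        findings.append("OSPF type descriptors apply only to dst rip src ospf")
    # mettype is documented only for redistribution into OSPF.
    if mettype is not None:
        if dst != "ospf":
            findings.append("mettype applies only when dst is ospf")
        elif mettype not in METTYPES[verb]:
            findings.append(
                f"{verb} expects mettype {sorted(METTYPES[verb])}, got {mettype!r}")
    if metric is not None and dst in METRIC_MAX:
        if not metric.isdigit() or int(metric) > METRIC_MAX[dst]:
            findings.append(f"metric {metric} outside 0-{METRIC_MAX[dst]} for dst {dst}")
        elif dst == "rip" and int(metric) == RIP_INFINITY:
            findings.append(
                "metric 16 is RIP infinity: receivers treat the route as unreachable")
    return findings


# The first two lines come from Figures 185 and 187; the rest are constructed.
SAMPLE_LINES = [
    "create route redistribute dst rip src ospf all metric 2",
    "config route redistribute dst ospf src rip mettype 1 metric 2",
    "create route redistribute dst rip src ospf all metric 20",
    "config route redistribute dst ospf src rip mettype type_1 metric 2",
    "create route redistribute dst ospf src static external metric 5",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", check_redistribute(sample) or "ok")
```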


Chapter 12
Configuring VRRP

This chapter describes the CLI commands that you can use to configure the VRRP
(Virtual Router Redundancy Protocol) on the Switch.

The Virtual Router Redundancy Protocol (VRRP) dynamically assigns
responsibility for a virtual router to one of the VRRP routers on your LAN. The
VRRP router controlling the IP address associated with a virtual router is called
the Master, and forwards packets sent to this IP address. This allows any of the
Virtual Router IP addresses on the LAN to be used as the default first hop router
by end-hosts. The advantage gained from using VRRP is a higher availability
default path without requiring configuration of dynamic routing or router
discovery protocols on every end-host.

The use of a statically configured default route is popular as it minimizes
configuration and processing overhead on the end-host and is widely supported.
This creates a single point of failure in your LAN, however. Loss of the default
router results in a catastrophic event, isolating all end-hosts that are unable to
detect any alternate path that may be available.

The VRRP is designed to eliminate the single point of failure inherent in the static
default routed environment. VRRP specifies an election protocol that dynamically
assigns responsibility for a virtual router to one of the VRRP routers on your
LAN. The VRRP router controlling the IP address associated with a virtual router
is called the Master, and forwards packets sent to this IP address. The election
process provides dynamic fail-over in the forwarding responsibility should the
Master become unavailable. Any of the virtual router’s IP addresses on a LAN can
then be used as the default first hop router by end-hosts. The advantage gained
from using VRRP is a higher availability default path without requiring
configuration of dynamic routing or router discovery protocols on every end-host.

You can assign a VRRP IP interface to every VLAN (and corresponding IP
interface) configured on the Switch.


The VRRP commands in the Command Line Interface (CLI) are listed (along with
the appropriate parameters) in the following table.

Roadmap of VRRP features

Command             Parameter
------------------  ----------------------------------------------------
create vrrp ipif    <ipif_name>
                    vrid <int 1-255>
                    authtype [none | simple authdata <string> | ip authdata <string>]
                    admin [up | down]
                    priority <int 1-255>
                    advint <int 1-255>
                    preempt [true | false]
                    critical ipaddress <ipaddr>
                    criticalip [enabled | disabled]
                    holddowntimer <int 0-21600>
delete vrrp ipif    <ipif_name>
                    vrid <int 1-255>
config vrrp ipif    <ipif_name>
                    authtype [none|simple authdata <string>]
                    vrid <int 1-255>
                    admin [up | down]
                    priority <int 1-255>
                    advint <int 1-255>
                    preempt [true | false]
                    critical ip address <ipaddr>
                    criticalip [enabled | disabled]
                    holddowntimer <int 0-21600>
show vrrp ipif      <ipif_name>
                    vrid <int 1-255>
enable vrrp         ping
disable vrrp        ping


Creating a VRRP IP Interface

To create a VRRP IP interface on the Switch, use the following command:

create vrrp ipif

This command includes the following options:

create vrrp ipif
followed by:

<ipif_name>
    This is the name of the IP interface that the VRRP entry is being
    created for. This IP interface must have been previously created, and
    assigned to a VLAN, on the Switch.
authtype [none | simple authdata <string> | ip authdata <string>]
    Specifies the type of authentication that will be used. The same
    authentication method must be specified for all routers that will
    participate in the VRRP.
    none specifies that no authentication will be used.
    If simple authdata is specified, you must enter an alphanumeric string
    of no more than 8 characters in the <string> field. This same string
    must be entered for all routers that will participate in the VRRP. It
    is used as a simple password, and will be compared when VRRP message
    packets are received by a router. If the two strings do not match, the
    packet will be dropped.
    If ip authdata is specified, you must supply an alphanumeric
    authentication string of no more than 16 characters in the <string>
    field. This same string must be entered for all routers that will
    participate in the VRRP. An MD5 message digest is generated using this
    string, and will be compared when VRRP message packets are received by
    a router. If the two digests do not match, the packet will be dropped.

vrid <int 1-255>
    This is an integer that will be used to identify this VRRP group from
    other VRRP groups that may be defined on your network. All routers that
    will participate in this VRRP group must be assigned the same VRID (for
    example, 1), but this number must be different from the VRID that is
    assigned to other VRRP groups that may be created or configured on your
    network.
ipaddress <ipaddr>
    This is the virtual IP address that will be assigned to the VRRP entry.
    This is also the IP address of the default gateway that will be
    statically assigned to end-hosts.
    This virtual IP address must be assigned to all routers that will
    participate in this VRRP group.
admin [up | down]
    Specifies the state of the administration of the VRRP entry. If up is
    specified, the router will participate in VRRP. If down is specified,
    the router will not participate in VRRP.
priority <int 1-255>
    This is a relative number that will be used in the election of a Master
    router from the group of routers that will participate in VRRP. A
    higher number will increase the probability that this router will be
    elected as the Master router. A lower number will increase the
    probability that this router will be elected as a backup router.
    255 is used to indicate that this router will always be the Master, and
    no backup router can become the Master, unless the Master stops
    functioning.
    The default value is 100. If all routers participating in VRRP are
    assigned the same priority value, the router with the higher physical
    IP address will be elected as the Master.
advint <int 1-255>
    This is the time interval, in seconds, between sending VRRP message
    packets. The default value is 1 second.
    The same advint value must be assigned to all routers participating in
    this VRRP group.

preempt [true | false]
    This specifies the behavior of backup routers in the VRRP group. The
    same preempt setting (true or false) must be set for all routers
    participating in this VRRP group.
    If preempt is set to true, and a backup router’s priority is larger
    than the Master’s priority, the backup will become the Master, and the
    Master will become the backup.
    If preempt is set to false, a backup router can not become a Master
    router.
critical ip address <ipaddr>
    This is a physical IP address that provides the most direct route to
    the Internet or other critical network connections, from this router.
    This must be a real IP address assigned to a real device on the
    network.
    If the connection between the Master router and this IP address is not
    functioning, a new Master will be elected from the backup routers
    participating in the VRRP.
    If the connection to a backup router to this IP address is also not
    functioning, this backup router can not become the Master.
    You can assign different critical IP addresses to different routers
    participating in the VRRP. In this way, you can define multiple routes
    to the Internet or other critical network connections.
criticalip [enabled | disabled]
    This is used to enable or disable the critical ip address command
    above. The default is disabled.
holddowntimer <int 0-21600>
    This is the time interval, in seconds, that the router will wait after
    being booted to start VRRP. All routers participating in this VRRP
    group must have the same holddowntimer value.
    The default is 0 seconds. A longer time interval may be specified if
    multiple routes must be learned by the Switch from other devices on the
    network.


Figure 190 shows the creation of a VRRP entry for the IP interface System with
the vrid 1 and the virtual IP address 10.1.1.1.

Figure 190 create vrrp ipif

:4#create vrrp ipif System vrid 1 ipaddress 10.1.1.1


Command: create vrrp System vrid 1 ipaddress 10.1.1.1

Success.

:4#
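
The option table above requires several settings to be identical on every router in a VRRP group and allows authtype none. The following audit of collected command lines is an added example, not part of the original guide: it rebuilds each router's effective settings, checks the documented ranges and authdata lengths, flags unauthenticated groups, and reports mismatches without echoing the authdata strings. The router names, the sample group and the finding texts are constructed; parameter order is not enforced, and the critical IP address keyword is not parsed because the guide spells it two ways.

```python
"""Audit create/config vrrp ipif lines collected from the routers of one VRRP group."""

# Defaults stated in the option tables; parameters without a stated default stay unset.
DEFAULTS = {"authtype": "none", "authdata": "", "priority": "100",
            "advint": "1", "holddowntimer": "0"}
# Settings the option tables require to be identical on every participating router.
MUST_MATCH = ("vrid", "authtype", "authdata", "ipaddress", "advint",
              "preempt", "holddowntimer")
INT_RANGES = {"vrid": (1, 255), "priority": (1, 255), "advint": (1, 255),
              "holddowntimer": (0, 21600)}
AUTH_MAX_LEN = {"simple": 8, "ip": 16}      # documented authdata length limits
VALUE_KEYS = set(INT_RANGES) | {"ipaddress", "admin", "preempt", "criticalip"}


def parse_vrrp_command(line):
    """Return only the parameters that one create/config vrrp ipif line sets."""
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] not in ("create", "config")
            or tokens[1:3] != ["vrrp", "ipif"]):
        raise ValueError(f"not a create/config vrrp ipif command: {line!r}")
    params = {"ipif": tokens[3]}
    rest = iter(tokens[4:])
    for key in rest:
        value = next(rest, None)
        if value is None:
            raise ValueError(f"{key!r} has no value")
        if key == "authtype":
            if value not in ("none", "simple", "ip"):
                raise ValueError(f"unknown authtype {value!r}")
            params["authtype"], params["authdata"] = value, ""
            if value != "none":
                # simple and ip must be followed by: authdata <string>
                if next(rest, None) != "authdata":
                    raise ValueError(f"authtype {value} needs authdata <string>")
                secret = next(rest, None)
                if secret is None:
                    raise ValueError("authdata has no value")
                params["authdata"] = secret
        elif key in VALUE_KEYS:
            params[key] = value
        else:
            raise ValueError(f"unrecognized parameter {key!r}")
    return params


def effective_config(lines):
    """Apply one router's commands in order; later lines override earlier ones."""
    config = dict(DEFAULTS)
    for line in lines:
        config.update(parse_vrrp_command(line))
    return config


def audit_group(routers):
    """routers maps a router name to its command lines; returns finding strings."""
    configs = {name: effective_config(lines) for name, lines in routers.items()}
    findings = []
    for name, cfg in sorted(configs.items()):
        for key, (low, high) in INT_RANGES.items():
            if key in cfg and not (cfg[key].isdigit() and low <= int(cfg[key]) <= high):
                findings.append(f"{name}: {key} {cfg[key]} outside {low}-{high}")
        auth = cfg["authtype"]
        if auth == "none":
            findings.append(f"{name}: authtype none, advertisements are not authenticated")
        elif len(cfg["authdata"]) > AUTH_MAX_LEN[auth]:
            findings.append(f"{name}: authdata longer than {AUTH_MAX_LEN[auth]} "
                            f"characters for authtype {auth}")
    for key in MUST_MATCH:
        values = {name: cfg.get(key, "(unset)") for name, cfg in configs.items()}
        if len(set(values.values())) > 1:
            # Never echo shared secrets into an audit report.
            detail = "" if key == "authdata" else ": " + ", ".join(
                f"{name}={value}" for name, value in sorted(values.items()))
            findings.append(f"group: {key} differs between routers{detail}")
    return findings


# Constructed sample: two routers that are meant to back up 10.1.1.1 as VRID 1.
SAMPLE_GROUP = {
    "sw-a": ["create vrrp ipif System vrid 1 ipaddress 10.1.1.1 "
             "authtype ip authdata Grp1Secret priority 200 preempt true"],
    "sw-b": ["create vrrp ipif System vrid 1 ipaddress 10.1.1.1",
             "config vrrp ipif System vrid 1 authtype simple authdata Grp1Secret "
             "advint 3 preempt true"],
}

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(finding)
```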

Configuring a VRRP IP Interface

To configure a VRRP IP interface on the Switch, use the following command:

config vrrp ipif


This command includes the following options:

config vrrp ipif
followed by:

<ipif_name>
    This is the name of the IP interface of the VRRP entry that is being
    configured. This IP interface must have been previously created, and
    assigned to a VLAN, on the Switch.
authtype [none | simple authdata <string> | ip authdata <string>]
    Specifies the type of authentication that will be used. The same
    authentication method must be specified for all routers that will
    participate in the VRRP.
    none specifies that no authentication will be used.
    If simple authdata is specified, you must enter an alphanumeric string
    of no more than 8 characters in the <string> field. This same string
    must be entered for all routers that will participate in the VRRP. It
    is used as a simple password, and will be compared when VRRP message
    packets are received by a router. If the two strings do not match, the
    packet will be dropped.
    If ip authdata is specified, you must supply an alphanumeric
    authentication string of no more than 16 characters in the <string>
    field. This same string must be entered for all routers that will
    participate in the VRRP. An MD5 message digest is generated using this
    string, and will be compared when VRRP message packets are received by
    a router. If the two digests do not match, the packet will be dropped.
vrid <int 1-255>
    This is an integer that will be used to identify this VRRP group from
    other VRRP groups that may be defined on your network. All routers that
    will participate in this VRRP group must be assigned the same VRID (for
    example, 1), but this number must be different from the VRID that is
    assigned to other VRRP groups that may be created or configured on your
    network.
admin [up | down]
    Specifies the state of the administration of the VRRP entry. If up is
    specified, the router will participate in VRRP. If down is specified,
    the router will not participate in VRRP.

priority <int 1-255>
    This is a relative number that will be used in the election of a Master
    router from the group of routers that will participate in VRRP. A
    higher number will increase the probability that this router will be
    elected as the Master router. A lower number will increase the
    probability that this router will be elected as a backup router.
    255 is used to indicate that this router will always be the Master, and
    no backup router can become the Master, unless the Master stops
    functioning.
    The default value is 100. If all routers participating in VRRP are
    assigned the same priority value, the router with the higher physical
    IP address will be elected as the Master.
advint <int 1-255>
    This is the time interval, in seconds, between sending VRRP message
    packets. The default value is 1 second.
    The same advint value must be assigned to all routers participating in
    this VRRP group.
preempt [true | false]
    This specifies the behavior of backup routers in the VRRP group. The
    same preempt setting (true or false) must be set for all routers
    participating in this VRRP group.
    If preempt is set to true, and a backup router’s priority is larger
    than the Master’s priority, the backup will become the Master, and the
    Master will become the backup.
    If preempt is set to false, a backup router can not become a Master
    router.

critical ip address <ipaddr>
    This is a physical IP address that provides the most direct route to
    the Internet or other critical network connections, from this router.
    This must be a real IP address assigned to a real device on the
    network.
    If the connection between the Master router and this IP address is not
    functioning, a new Master will be elected from the backup routers
    participating in the VRRP.
    If the connection to a backup router to this IP address is also not
    functioning, this backup router can not become the Master.
    You can assign different critical IP addresses to different routers
    participating in the VRRP. In this way, you can define multiple routes
    to the Internet or other critical network connections.
criticalip [enabled | disabled]
    This is used to enable or disable the critical ip address command
    above. The default is disabled.
holddowntimer <int 0-21600>
    This is the time interval, in seconds, that the router will wait after
    being booted to start VRRP. All routers participating in this VRRP
    group must have the same holddowntimer value.
    The default is 0 seconds. A longer time interval may be specified if
    multiple routes must be learned by the Switch from other devices on the
    network.

Figure 191 shows the configuration of the VRRP entry for the IP interface System,
setting the entry’s priority to 4.

Figure 191 config vrrp ipif

:4# config vrrp ipif System vrid 1 priority 4


Command: config vrrp ipif System vrid 1 priority 4

Success.

:4#


Displaying a VRRP IP interface configuration

To display a VRRP IP interface configuration on the Switch, use the following
command:

show vrrp ipif

This command includes the following options:

show vrrp ipif
followed by:

<ipif_name>
    This is the name of the IP interface for which the VRRP entry is being
    displayed. This IP interface must have been previously created, and
    assigned to a VLAN, on the Switch.
vrid <int 1-255>
    This is an integer that will be used to identify the VRRP entry.


Figure 192 shows the VRRP entry for the IP interface System.

Figure 192 show vrrp ipif

:4# show vrrp ipif System vrid 1


Command: show vrrp System vrid 1

VRRP : Disabled
Ping Virtal IP Address : Disabled

Interface Name : System


Authentication type : None

VRID : 1
Current State : Init
Advertisement Interval: 1 second(s)
Preemption Mode : Preempt
Priority : 4
Administrator Status: Down
HoldDownTimer : 0
Master IP addresses : 10.42.73.88
IP addresses backed up : 10.1.1.1
Critical IP : Disabled
Critical IP addresses : 0.0.0.0

Total Entries: 1

:4#


Deleting a VRRP IP interface configuration

To delete all VRRP IP interface configurations on the Switch, use the following
command:

delete vrrp

This command includes the following options:

delete vrrp
followed by:

ipif
    This allows you to select a specific VRRP IP interface (or VRRP group)
    to be deleted from the Switch. If you simply enter delete vrrp, the
    Switch will delete all VRRP groups that have been configured.
<ipif_name>
    This is the name of the IP interface that the VRRP entry is being
    created for.
vrid <int 1-255>
    This is an integer that will be used to identify the VRRP entry.

Figure 193 shows the deletion of the VRRP entry for the IP interface System.

Figure 193 delete vrrp

:4# delete vrrp ipif System vrid 1


Command: delete vrrp ipif System vrid 1

Success.

:4#


Enabling a VRRP IP interface configuration

To enable a VRRP IP interface configuration on the Switch, use the following
command:

enable vrrp

This command includes the following options:

enable vrrp
followed by:

ping
    This allows the virtual IP address to be “pinged” from end-hosts to
    verify connectivity.
    The default is disabled (no ping parameter entered).
    If the ping parameter is specified, the command will only enable the
    virtual IP address to be “pinged”.
    If the ping parameter is not specified, the command will enable the
    VRRP protocol on the Switch.

Figure 194 shows VRRP being enabled on the Switch.

Figure 194 enable vrrp

:4# enable vrrp


Command: enable vrrp

Success.

:4#


Disabling a VRRP IP interface configuration

To disable a VRRP IP interface configuration on the Switch, use the following
command:

disable vrrp

This command includes the following options:

disable vrrp
followed by:

ping This allows the virtual IP address to be “pinged”
from end-hosts to verify connectivity.
The default is disabled (no ping parameter
entered).
If the ping parameter is specified, the command
will only enable the virtual IP address to be
“pinged”.
If the ping parameter is not specified the command
will enable the VRRP protocol on the Switch.

Figure 195 shows VRRP being disabled on the Switch.

Figure 195 disable vrrp

:4# disable vrrp


Command: disable vrrp

Success.

:4#


Chapter 13
Configuring BootP and DNS relay

This chapter describes how to configure Bootstrap Protocol (BootP) relay and
Dynamic Name Server (DNS) relay. Specifically, it includes the following topics:

Topic

Configuring BootP relay
Configuring DNS relay

Configuring BootP relay


The BootP relay enables end stations to use a BootP server to obtain TCP/IP
configuration information, even if the BootP server is not on the local IP interface.

If the BootP server and end station are on the same IP interface, no relay is
necessary. If the BootP server and the end station are on different IP interfaces, a
relay agent is necessary for the switch to forward the BootP messages.

The relay agent forwards these packets between IP interfaces, and therefore must
know the IP addresses of the BootP servers and their respective IP interface
names.

When the switch receives packets destined for a BootP server, it forwards them to
specific servers as defined in the BootP relay configuration. The switch also
forwards packets from the BootP servers to the appropriate IP interfaces.


This chapter includes the following topics:

Topic

Roadmap of BootP relay commands
Configuring BootP relay
Adding a BootP relay address
Deleting a BootP relay address
Enabling BootP relay
Displaying the current BootP relay configuration

Roadmap of BootP relay commands

The following roadmap lists some of the BootP relay commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on BootP relay commands.

Command                      Parameter
config bootp_relay           hops <value 1-16>
                             time <sec 0-65535>
config bootp_relay add       ipif <ipif_name>
                             <ipaddr>
config bootp_relay delete    ipif <ipif_name>
                             <ipaddr>
enable bootp_relay
disable bootp_relay
show bootp_relay             ipif <ipif_name>


Configuring BootP relay

To configure BootP relay, use the following command:

config bootp_relay

This command contains the following parameters:

config bootp_relay
followed by:
hops <value 1-16> The maximum number of router hops that the BootP packets can cross before
being dropped.
time <sec 0-65535> The minimum amount of time, in seconds, within which the switch must relay
the BootP request. If this time is exceeded, the switch will drop the BootP
packet.

Figure 196 shows BootP relay being configured to allow the BootP packets to
cross 4 routers, and to set the BootP relay timer to 2 seconds.

Figure 196 config bootp_relay command

PP1612G:4#config bootp_relay hops 4 time 2


Command: config bootp_relay hops 4 time 2
Success.
PP1612G:4#
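
The following sketch is an added example, not code from the switch or from Nortel. It models how a relay agent treats the hops value set above, following the relay rules of RFC 1542: a request that has already crossed the configured number of relays is dropped, and the first relay on the path stamps its receiving interface address into giaddr. The ingress address 10.43.21.1, the sample packet, and the exact boundary (drop when the incoming hops count equals the limit) are assumptions.

```python
import ipaddress
import struct

BOOTREQUEST = 1
# RFC 951 fixed fields up to giaddr:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
HEADER = struct.Struct("!BBBBIHH4s4s4s4s")   # 28 bytes, no padding
FIXED_LEN = 236                              # fixed fields before the vendor area


def relay_request(packet, ingress_ip, hop_limit=4):
    """Return the datagram to forward to each configured server, or None to drop.

    hop_limit plays the role of 'config bootp_relay hops <value 1-16>'.
    """
    if len(packet) < FIXED_LEN:
        return None                          # truncated message
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = HEADER.unpack_from(packet)
    if op != BOOTREQUEST:
        return None                          # replies take the server-to-client path
    if hops >= hop_limit:
        return None                          # already crossed hop_limit relays
    if gi == bytes(4):
        # First relay on the path: record the interface the request arrived
        # on so the server knows which subnet the client sits on.
        gi = ipaddress.IPv4Address(ingress_ip).packed
    header = HEADER.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi)
    return header + packet[HEADER.size:]


def sample_request(hops=0, giaddr="0.0.0.0"):
    """Constructed 300-byte BOOTREQUEST (not captured traffic)."""
    header = HEADER.pack(BOOTREQUEST, 1, 6, hops, 0x1234ABCD, 0, 0,
                         bytes(4), bytes(4), bytes(4),
                         ipaddress.IPv4Address(giaddr).packed)
    chaddr = bytes.fromhex("02005e000001").ljust(16, b"\x00")
    return header + chaddr + bytes(64 + 128 + 64)   # sname, file, vend


if __name__ == "__main__":
    for hops in range(6):
        out = relay_request(sample_request(hops=hops), "10.43.21.1")
        print(hops, "dropped" if out is None else f"relayed with hops={out[3]}")
```

A low hop limit bounds how far a request can travel if two relays are misconfigured to forward to each other.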


Adding a BootP relay address

To add an IP address of a BootP relay server, use the following command:

config bootp_relay add

This command contains the following parameters:

config bootp_relay add


followed by:
ipif <ipif_name> This is the name of the IP interface on the switch where the BootP server’s
packets will be relayed to.
<ipaddr> This is the IP address of the BootP server.

Figure 197 shows the addition of a BootP relay server, located on the IP interface
named System, and having the IP address 10.43.21.12.

Figure 197 config bootp_relay add command

PP1612G:4#config bootp_relay add ipif System 10.43.21.12
Command: config bootp_relay add ipif System 10.43.21.12
Success.
PP1612G:4#


Deleting a BootP relay address

To delete an IP address of a BootP relay server, use the following command:

config bootp_relay delete

This command contains the following parameters:

config bootp_relay delete


followed by:
ipif <ipif_name> This is the name of the IP interface on the switch where the BootP server’s
packets will be relayed to.
<ipaddr> This is the IP address of the BootP server.

Figure 198 shows the deletion of a BootP relay server, located on the IP interface
named System, and having the IP address 10.43.21.12.

Figure 198 config bootp_relay delete command

PP1612G:4#config bootp_relay delete ipif System 10.43.21.12
Command: config bootp_relay delete ipif System 10.43.21.12
Success.
PP1612G:4#


Enabling BootP relay

To enable BootP relay, use the following command:

enable bootp_relay

Figure 199 shows BootP relay being enabled.

Figure 199 enable bootp_relay command

PP1612G:4#enable bootp_relay
Command: enable bootp_relay
Success.
PP1612G:4#

Disabling BootP relay

To disable BootP relay, use the following command:

disable bootp_relay

This command uses no additional options.

Figure 200 shows BootP relay being disabled.

Figure 200 disable bootp_relay command

PP1612G:4#disable bootp_relay
Command: disable bootp_relay
Success.
PP1612G:4#


Displaying the current BootP relay configuration

To display the current BootP relay configuration, use the following command:

show bootp_relay

This command contains the following parameters:

show bootp_relay
ipif <ipif_name> The BootP relay configuration can be displayed on a per-IP interface basis. This
is the name of the IP interface you want to display the BootP relay configuration
for. If no IP interface name is specified, the switch will display all of the BootP
configurations on the switch.

Figure 201 shows the current BootP relay configuration being displayed.

Figure 201 show bootp_relay command

PP1612G:4#show bootp_relay ipif System


Command: show bootp_relay ipif System
bootp Relay Status :Disabled
bootp Hops Count Limit :4
bootp Relay Time Threshold :0
Interface Server 1 Server 2 Server 3 Server 4
--------- -------- -------- --------- ---------
System 10.48.74.122 10.23.12.34 10.12.34.12 10.48.75.121

Total Entries: 1
PP1612G:4#


Configuring DNS relay


DNS relay enables end stations to use a DNS server to obtain IP addresses that
correspond to URLs, even if the DNS server is not on the local IP interface.

If the DNS server and end station are on the same IP interface, no relay is
necessary. If the DNS server and the end station are on different IP interfaces, a
relay agent is necessary for the switch to forward the DNS messages.

The relay agent forwards these packets between IP interfaces, and therefore must
know the IP addresses of the DNS servers and their respective IP interface names.

When the switch receives packets destined for a DNS server, it forwards them to
specific servers as defined in the DNS relay configuration. The switch also
forwards packets from the DNS servers to the appropriate IP interfaces.

This chapter includes the following topics:

Topic

Roadmap of DNS relay CLI commands
Configuring DNS relay
Enabling DNS relay
Disabling DNS relay
Enabling the DNS relay cache
Disabling the DNS relay cache
Enabling the DNS static table
Disabling the DNS static table
Displaying the current DNS relay configuration


Roadmap of DNS relay CLI commands

The following roadmap lists some of the DNS relay commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on DNS relay commands.

Command                  Parameter
config dnsr              primary
                         secondary
                         nameserver <ipaddr>
config dnsr add          static <domain_name>
                         <ipaddr>
config dnsr delete       static <domain_name>
                         <ipaddr>
enable dnsr
disable dnsr
enable dnsr cache
disable dnsr cache
enable dnsr static
disable dnsr static
show dnsr                static

Configuring DNS relay


To configure DNS relay to relay packets from the primary DNS server, you can
use the following set of commands:

config dnsr

config dnsr add

config dnsr delete


These commands use the following options:

config dnsr
followed by:
primary This specifies that the DNS server, located at the IP address
entered following nameserver, below, is the primary DNS server.
secondary This specifies that the DNS server, located at the IP address
entered following nameserver, below, is the secondary DNS
server.
nameserver <ipaddr> This is the IP address of the DNS server.

config dnsr add


followed by:
static <domain_name> This specifies that the entry into the switch’s DNS cache will be
static (no timeout).
<ipaddr> This specifies the IP address of the DNS cache entry.

config dnsr delete


followed by:
static <domain_name> This specifies that the entry into the switch’s DNS cache will be
static (no timeout).
<ipaddr> This specifies the IP address of the DNS cache entry.

Figure 202 shows DNS relay being configured to relay packets from the primary
DNS server, located at the IP address 10.43.21.12.

Figure 202 config dnsr command

PP1612G:4#config dnsr primary nameserver 10.43.21.12


Command: config dnsr primary nameserver 10.43.21.12
Success
PP1612G:4#


Enabling DNS relay

To enable DNS relay, use the following command:

enable dnsr

This command uses no additional options.

Figure 203 shows DNS relay being enabled.

Figure 203 enable dnsr command

PP1612G:4#enable dnsr
Command: enable dnsr
Success.
PP1612G:4#

Disabling DNS relay

To disable DNS relay, use the following command:

disable dnsr

This command uses no additional options.

Figure 204 shows DNS relay being disabled.

Figure 204 disable dnsr command

PP1612G:4#disable dnsr
Command: disable dnsr
Success.
PP1612G:4#


Enabling the DNS relay cache

To enable the DNS relay cache, use the following command:

enable dnsr cache

This command uses no additional options.

Figure 205 shows the DNS relay cache being enabled.

Figure 205 enable dnsr cache command

PP1612G:4#enable dnsr cache


Command: enable dnsr cache
Success.
PP1612G:4#

Disabling the DNS relay cache

To disable the DNS relay cache, use the following command:

disable dnsr cache

This command uses no additional options.

Figure 206 shows the DNS relay cache being disabled.

Figure 206 disable dnsr cache command

PP1612G:4#disable dnsr cache


Command: disable dnsr cache
Success.
PP1612G:4#


Enabling the DNS static table

To enable the DNS relay static table, use the following command:

enable dnsr static

This command uses no additional options.

Figure 207 shows the DNS relay static table being enabled.

Figure 207 enable dnsr static command

PP1612G:4#enable dnsr static


Command: enable dnsr static
Success.
PP1612G:4#

Disabling the DNS static table

To disable the DNS relay static table, use the following command:

disable dnsr static

This command uses no additional options.

Figure 208 shows the DNS relay static table being disabled.

Figure 208 disable dnsr static command

PP1612G:4#disable dnsr static


Command: disable dnsr static
Success.
PP1612G:4#


Displaying the current DNS relay configuration

To display the current DNS relay configuration, use the following command:

show dnsr

This command uses the following options:

show dnsr
followed by:
static The DNS relay static table can be displayed by
specifying this parameter.

Figure 209 shows the current DNS relay configuration being displayed.

Figure 209 show dnsr static command

PP1612G:4#show dnsr static


Command: show dnsr static
DNS Relay Static Table
Domain Name IP Address
--------------------------------------
www.123.com 10.12.12.123
bbs.ntu.edu. 140.112.1.23
Total Entries: 2
PP1612G:4#


Chapter 14
Configuring SNMP

The Simple Network Management Protocol (SNMP) is a protocol for remotely
monitoring and configuring network devices. SNMP enables network
management stations to read and modify the settings of gateways, routers,
switches, and other network devices. SNMP can be used to perform many of the
same functions as a directly-connected console, or can be used within an
integrated network management software package.

SNMP performs the following functions:

• Sending and receiving SNMP packets through the IP protocol.
• Collecting information about the status and current configuration of network
devices.
• Modifying the configuration of network devices.

The 1600 switch has a software program called an “agent” that processes SNMP
requests, but the user program that makes the requests and collects the responses
runs on a management station (a designated computer on the network). The
SNMP agent and the user program both use the UDP/IP protocols to exchange
packets.

You use “community strings” to ensure that both the router SNMP agent and the
remote user SNMP application program discard packets from unauthorized users.
The remote user SNMP application and the router SNMP must use the same
community string. SNMP community strings of up to 20 characters may be
entered under the Remote Management Setup menu of the console program.


Caution: The Passport 1600 Series Layer 3 Switch software version 1.1
are encrypted. When the switch starts for the first time, it uses the default
community string. It is strongly recommended that you change the default
community string immediately after the installation.

This chapter describes the commands you use to configure SNMP. Specifically, it
includes the following topics:

Topic
Roadmap of SNMP CLI commands
Configuring SNMP
Managing SNMP traps


Roadmap of SNMP CLI commands


The following roadmap lists some of the SNMP CLI commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information:

Command                           Parameter
create snmp community             <community_string>
                                  [readonly|readwrite]
delete snmp community             <community_string>
create trusted_host               <ipaddr>
                                  <netmask>
delete trusted_host               <ipaddr>
                                  <netmask>
config snmp community             <community_string>
                                  [readonly|readwrite]
config snmp system_name           <sw_name>
config snmp location              <sw_location>
config snmp system_contact        <sw_contact>
show snmp                         community
                                  trap_receiver
show trusted_host                 <ipaddr>
                                  <netmask>
create snmp trap_receiver         <ipaddr>
                                  <community_string>
delete snmp trap_receiver         <ipaddr>
enable snmp
disable snmp
enable snmp authenticate traps
disable snmp authenticate traps


Configuring SNMP
This section describes how to create and delete SNMP community strings and
trusted hosts, to configure SNMP contact information, and to display SNMP
configuration information. It contains the following topics:

Topic
Creating an SNMP community string
Deleting an SNMP community string
Creating a trusted host
Deleting a trusted host
Configuring an SNMP community string
Configuring the SNMP system name
Configuring the SNMP location
Configuring the SNMP system contact
Displaying the current SNMP configuration
Displaying the currently configured trusted hosts

Creating an SNMP community string


To create an SNMP community string, use the following command:

create snmp community

This command contains the following parameters:

create snmp community


followed by:

<community_string> An alphanumeric string of up to 32 characters
used to authenticate users wanting access to
the switch's SNMP agent.
[readonly|readwrite] SNMP management stations using the above
community string can have read-only access or
read/write access to the switch's SNMP agent.
The default read-only community string is “public.”
The default read/write community string is
“private.”


Figure 210 shows the creation of the SNMP community string “System” and
gives this string read/write access.

Figure 210 create snmp community command

PP1612G:4#create snmp community System readwrite


Command: create snmp community System readwrite

Success.

PP1612G:4#

Deleting an SNMP community string

To delete an SNMP community string, use the following command:

delete snmp community <community_string>

This command contains the following parameters:

delete snmp community


followed by:

<community_string> An alphanumeric string of up to 32 characters
used to authenticate users who want to access the
switch's SNMP agent.

where:
community_string is an alphanumeric string of up to 32 characters used to
authenticate users who want access to the switch’s SNMP agent.

Figure 211 shows an example of the output for this command. In this example, the
SNMP community string System is deleted.


Figure 211 delete snmp community command

PP1612G:4#delete snmp community System


Command: delete snmp community System

Success.

PP1612G:4#

Creating a trusted host

To create a trusted host, use the following command:

create trusted_host

create trusted_host
followed by:

<ipaddr> This parameter specifies the IP address of the
remote management station that will be a trusted
host.
<netmask> Specifies the subnet mask corresponding to the IP
address above.

Figure 212 shows the creation of a trusted host with an IP address of
10.48.74.121.

Figure 212 create trusted_host command

PP1612G:4#create trusted_host 10.48.74.121


Command: create trusted_host 10.48.74.121

Success.

PP1612G:4#


Deleting a trusted host

To delete a trusted host, use the following command:

delete trusted_host

delete trusted_host
followed by:

<ipaddr> This parameter specifies the IP address of the
remote management station that will be deleted as
a trusted host.
<netmask> Specifies the subnet mask corresponding to the IP
address above.

where:
ipaddr is the IP address of the remote management station that will be deleted
as a trusted host.
netmask is the subnet mask corresponding to the IP address above.

Figure 213 shows the deletion of a trusted host with an IP address of
10.48.74.121.

Figure 213 delete trusted_host command

PP1612G:4#delete trusted_host 10.48.74.121


Command: delete trusted_host 10.48.74.121

Success.

PP1612G:4#

Configuring an SNMP community string

To configure an SNMP community string, use the following command:

config snmp community


This command contains the following parameters:

config snmp community
followed by:

<community_string> An alphanumeric string of up to 32 characters
used to authenticate users who want access to the
switch's SNMP agent.
[readonly|readwrite] SNMP management stations using the above
community string can have read-only access or
read/write access to the switch's SNMP agent.
The default read-only community string is “public.”
The default read/write community string is
“private.”

Figure 214 shows the configuration of the SNMP community string “Passport”
and gives this string read/write access.

Figure 214 config snmp community command

PP1648T:4# create snmp community Passport readwrite


Command: create snmp community Passport readwrite

Success.

PP1612G:4#config snmp community Passport readwrite


Command: config snmp community Passport readwrite

Success.

PP1612G:4#


Configuring the SNMP system name

To configure an SNMP system name for the switch, use the following command:

config snmp system_name <sw_name>

config snmp system_name


followed by:

<sw_name> The name of the switch. The name can be up to
128 alphanumeric characters.

Figure 215 shows the configuration of the SNMP name “coolbob.”

Figure 215 config snmp system_name command

PP1612G:4#config snmp system_name coolbob


Command: config snmp system_name coolbob

Success.

PP1612G:4#

Configuring the SNMP location

To configure an SNMP location for the switch, use the following command:

config snmp location <sw_location>


where:

config snmp location


followed by:

<sw_location> The location of the switch. The location can be up
to 128 alphanumeric characters.

Figure 216 shows the configuration of the SNMP location “HereThere.”

Figure 216 config snmp system_location command

PP1612G:4#config snmp system_location HereThere


Command: config snmp system_location HereThere

Success.

PP1612G:4#

Configuring the SNMP system contact


To configure an SNMP system contact for the switch, use the following
command:

config snmp system_contact <sw_contact>

config snmp system_contact


followed by:

<sw_contact> The name of the contact for the switch. The
contact is usually the person or group responsible
for the switch. The name can be up to 128
alphanumeric characters.

Figure 217 shows the configuration of the SNMP system
contact named “Mike.”


Figure 217 config snmp system_contact command

PP1612G:4#config snmp system_contact Mike


Command: config snmp system_contact Mike

Success.

PP1612G:4#

Displaying the current SNMP configuration

To display the current SNMP configuration on the switch, use the following
command:

show snmp

This command contains the following parameters:

show snmp
followed by:

community
trap_receiver

Figure 218 shows the current SNMP configuration on the switch.


Figure 218 show snmp command

PP1648T:4#show snmp
Command: show snmp

System Name : PP1648T
System Location :
System Contact :
SNMP Trap : Enabled
Authenticate Traps : Enabled
SNMP Status : Enabled

Community String Rights
---------------- ----------------------
**** Read-Only
**** Read/Write
**** Read-Only

Total Entries: 3

IP Address Community String
-------------- -----------------
10.1.1.100 ****

Total Entries: 1

PP1648T:4#


Displaying the currently configured trusted hosts

To display the currently configured trusted hosts on the switch, use the following
command:

show trusted_host

show trusted_host
followed by:

<ipaddr> Specifies the IP address of the trusted host that
you want to display.
<netmask> Specifies the IP mask value of the trusted host that
you want to display.

This command includes the option <ipaddr>, which allows you to specify the
trusted host that you want to display.

Figure 219 shows the currently configured trusted hosts on the switch.

Figure 219 show trusted_host command

PP1648T:4#show trusted_host
Command: show trusted_host

Management Stations:

IP Address Mask
--------------- ---------------
10.12.53.251 255.0.0.0
11.1.1.1 255.0.0.0
PP1648T:4#
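
The following script is an added example, not part of the switch software or the Nortel documentation. It reads saved output of show snmp and show trusted_host and reports settings worth reviewing: trusted-host masks that admit whole networks (255.0.0.0 in Figure 219 covers an entire /8), read/write communities, and disabled Authenticate Traps. The sample text is constructed in the layout of Figures 218 and 219; the 256-address threshold and the reading of the trusted-host list as a limit on which management stations may reach the switch are assumptions.

```python
import ipaddress
import re

# Constructed samples in the layout of Figures 218 and 219 (not a live capture).
SHOW_SNMP = """\
PP1648T:4#show snmp
Command: show snmp

System Name          : PP1648T
System Location      :
System Contact       :
SNMP Trap            : Enabled
Authenticate Traps   : Enabled
SNMP Status          : Enabled

Community String  Rights
----------------  ----------------------
****              Read-Only
****              Read/Write
****              Read-Only

Total Entries: 3

IP Address      Community String
--------------  -----------------
10.1.1.100      ****

Total Entries: 1
"""

SHOW_TRUSTED_HOST = """\
PP1648T:4#show trusted_host
Command: show trusted_host

Management Stations:

IP Address       Mask
---------------  ---------------
10.12.53.251     255.0.0.0
11.1.1.1         255.0.0.0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_show_snmp(text):
    """Extract agent status flags, community rights and trap receiver addresses."""
    status = dict(re.findall(
        r"^(SNMP Trap|Authenticate Traps|SNMP Status)[ \t]*:[ \t]*(\S+)", text, re.M))
    rights = re.findall(r"^\S+[ \t]+(Read-Only|Read/Write)[ \t]*$", text, re.M)
    receivers = re.findall(rf"^({IPV4})[ \t]+\S+[ \t]*$", text, re.M)
    return {"status": status, "rights": rights, "trap_receivers": receivers}


def parse_trusted_hosts(text):
    """Turn each 'address mask' row into the network that the pair actually covers."""
    rows = re.findall(rf"^({IPV4})[ \t]+({IPV4})[ \t]*$", text, re.M)
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in rows]


def audit(snmp_text, trusted_text, max_addresses=256):
    """Return a list of findings; an empty list means nothing was flagged."""
    snmp = parse_show_snmp(snmp_text)
    if snmp["status"].get("SNMP Status") != "Enabled":
        return []                      # agent is off, nothing is exposed over SNMP
    findings = []
    networks = parse_trusted_hosts(trusted_text)
    if not networks:
        findings.append("no trusted hosts configured: management sources are not restricted")
    for net in networks:
        if net.num_addresses > max_addresses:
            findings.append(
                f"trusted host entry {net} admits {net.num_addresses} source addresses")
    read_write = snmp["rights"].count("Read/Write")
    if read_write:
        findings.append(
            f"{read_write} read/write community string(s): confirm none is a default")
    if snmp["status"].get("Authenticate Traps", "Enabled") != "Enabled":
        findings.append("Authenticate Traps is not enabled")
    return findings


if __name__ == "__main__":
    for line in audit(SHOW_SNMP, SHOW_TRUSTED_HOST):
        print("REVIEW:", line)
```

Because the switch masks community strings as ****, the script can count read/write entries but cannot tell whether a default string is still in place; that has to be checked against the configuration record.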


Managing SNMP traps


Traps are messages that alert network personnel of events that occur on the switch.
The events can be as serious as a reboot (someone accidentally turned OFF the
switch), or less serious like a port status change. The switch generates traps and
sends them to the trap recipient (or network manager).

Trap recipients are special users of the network who are given certain rights and
access in overseeing the maintenance of the network. Trap recipients will receive
traps sent from the switch; they must immediately take certain actions to avoid
future failure or breakdown of the network.

You can also specify which network managers may receive traps from the switch
by entering a list of the IP addresses of authorized network managers. Up to four
trap recipient IP addresses, and four corresponding SNMP community strings can
be entered. SNMP community strings function like passwords in that the
community string entered for a given IP address must be used in the management
station software, or a trap will be sent.

This section contains the following topics:

Topic
Creating an SNMP trap receiver
Deleting an SNMP trap receiver
Enabling the transmission of SNMP traps
Disabling the transmission of SNMP traps
Enabling the authentication of SNMP traps
Disabling the authentication of SNMP traps

Creating an SNMP trap receiver

To create an SNMP trap receiver, use the following command:

create snmp trap_receiver


This command contains the following parameters:

create snmp trap_receiver


followed by:

<ipaddr> The IP address of the remote management station
that will receive SNMP traps generated by the
switch’s SNMP agent.
<community_string> An alphanumeric string of up to 32 characters
used to authenticate users wanting access to the
switch's SNMP agent.

Figure 220 shows the creation of an SNMP trap receiver that has an IP address of
10.1.1.1 and will use the community string System.

Figure 220 create snmp trap_receiver command

PP1612G:4#create snmp trap_receiver 10.1.1.1 System


Command: create snmp trap_receiver 10.1.1.1 System

Success.

PP1612G:4#

Deleting an SNMP trap receiver

To delete an SNMP trap receiver, use the following command:

delete snmp trap_receiver <ipaddr>

delete snmp trap_receiver


followed by:

<ipaddr> Specifies the IP address of the remote management
station that will receive SNMP traps generated by
the switch’s SNMP agent.

Figure 221 shows the deletion of an SNMP trap receiver that has an IP address of
10.1.1.1.


Figure 221 delete snmp trap_receiver command

PP1612G:4#delete snmp trap_receiver 10.1.1.1


Command: delete snmp trap_receiver 10.1.1.1

Success.

PP1612G:4#

Enabling the transmission of SNMP traps

To enable the switch’s SNMP agent to send traps, use the following command:

enable snmp

Figure 222 shows the enabling of the transmission of SNMP traps on the switch.

Figure 222 enable snmp command

PP1612G:4#enable snmp
Command: enable snmp

Success.

PP1612G:4#

Disabling the transmission of SNMP traps

To stop the switch’s SNMP agent from sending traps, use the following command:

disable snmp

Figure 223 shows the disabling of the transmission of SNMP traps on the switch.


Figure 223 disable snmp command

PP1612G:4#disable snmp
Command: disable snmp

Success.

PP1612G:4#

Enabling the authentication of SNMP traps

To enable the authentication of SNMP traps, use the following command:

enable snmp authenticate traps

Figure 224 shows enabling the authentication of SNMP traps on the switch.

Figure 224 enable snmp authenticate traps command

PP1612G:4#enable snmp authenticate traps


Command: enable snmp authenticate traps

Success.

PP1612G:4#

Disabling the authentication of SNMP traps

To disable the authentication of SNMP traps, use the following command:

disable snmp authenticate traps

Figure 225 shows disabling the authentication of SNMP traps on the switch.


Figure 225 disable snmp authenticate traps command

PP1612G:4#disable snmp authenticate traps


Command: disable snmp authenticate traps

Success.

PP1612G:4#


Chapter 15
Configuring Multicasting (IGMP, IGMP Snooping,
and DVMRP)

Configuring IGMP
To receive multicast packets, end users must inform nearby routers that they want
to become a member of a multicast group. The Internet Group Management
Protocol (IGMP) is used by multicast routers to maintain multicast group
membership. IGMP is used to determine whether the switch should forward
multicast packets it receives to the other IP interfaces or not. When the switch has
received a multicast packet, it will check to determine if there is at least one
member of a multicast group that has requested to receive multicast packets from
this source. If there is one member, the packet is forwarded. If there are no
members, the packet is dropped.

IGMP snooping allows the switch to “snoop,” or to capture the IGMP message
packets, and examine their contents, as these packets pass between hosts and
routers. When the switch receives an IGMP join message from a host for a given
multicast group, the switch then adds the host’s IGMP information into its list for
that group. When the switch receives an IGMP leave message for a host, it will
remove the host from its list for that multicast group.

This chapter describes the IP multicast commands. Specifically, it includes the
following topics:

Topic
Roadmap of IGMP commands
The IP multicast cache commands allow you to display the entries into
the switch’s IP multicasting cache for specific groups and IP addresses.
Configuring IGMP snooping


Roadmap of IGMP commands


The following roadmap lists some of the IGMP commands and their parameters.
Use this list as a quick reference or click on any command or parameter entry for
more information on IGMP commands.

Command                         Parameter
config igmp                     ipif <ipif_name>
                                all
                                version <value>
                                query_interval <sec>
                                max_response_time <sec>
                                robustness_variable <value>
                                last_member_query_interval <value>
                                state [enabled|disabled]
show igmp                       ipif <ipif_name>
show igmp group                 group <group>
                                ipif <ipif_name>
config igmp_snooping all        host_timeout <sec>
                                router_timeout <sec>
                                leave_timer <sec>
                                state [enabled|disabled]
config igmp_snooping querier    <vlan_name>
                                all
                                query_interval <sec>
                                max_response_time <sec>
                                robustness_variable <value>
                                last_member_query_interval <sec>
                                state [enabled|disabled]
config router_ports             <vlan_name>
                                [add|delete] <portlist>
enable igmp_snooping            forward_mcrouter_only
show igmp_snooping              vlan <vlan_name>
show igmp_snooping group        vlan <vlan_name>
show igmp_snooping forwarding   vlan <vlan_name>
show router_ports               vlan <vlan_name>
                                [static|dynamic]

Configuring IGMP
To configure IGMP for all IP interfaces on the switch to use IGMP version 1, and
to enable IGMP, enter the following command:

config igmp

This command uses the following options:

config igmp
followed by:
ipif <ipif_name>                    Specifies the name of the IP interface for which you
                                    wish to configure IGMP.
all                                 Indicates that this IGMP configuration is applied to all
                                    IP interfaces on the switch.
followed by:
version <value>                     Identifies the IGMP version number.
query_interval <sec>                Designates the time, in seconds, between general
                                    query transmissions.
max_response_time <sec>             Specifies the maximum amount of time, in seconds,
                                    that the switch will wait for reports from group
                                    members.
robustness_variable <value>         Specifies a tuning variable for networks that are
                                    expected to lose a large number of packets. A
                                    number between 2 and 255 can be entered, with
                                    larger values being specified for networks that are
                                    expected to lose a larger number of packets. The
                                    default is 2.
last_member_query_interval <value>  Specifies the Max Response Time inserted into
                                    Group-Specific Queries sent in response to Leave
                                    Group messages. It also identifies the amount of
                                    time between Group-Specific Query messages. The
                                    default is 1 second.
state [enabled|disabled]            Enables or disables IGMP for the IP interface
                                    specified above.

Figure 226 shows IGMP being configured for all the IP interfaces on the switch to
use IGMP version 1, and that IGMP is enabled.

Figure 226 config igmp command

PP1648T:4# config igmp all version 1 state enabled


Command: config igmp all version 1 state enabled

Success.

PP1648T:4#


Displaying IGMP settings for all IP interfaces

To display the IGMP settings for all IP interfaces on the switch, use the
following command:

show igmp

This command uses the following options:

show igmp
followed by:
ipif <ipif_name>   Specifies the name of the IP interface for which you want to
                   display the current IGMP configuration. If no IP interface name is
                   specified, the switch will display the IGMP configuration for all the IP
                   interfaces on the switch.

Figure 227 shows the IGMP settings for all the IP interfaces on the switch being
displayed.

Figure 227 show igmp command

PP1612G:4# show igmp

Command: show igmp

IGMP Interface Configurations

Interface    IP Address      Ver- Query  Maximum  Robust- Last   State
                             sion Inter- Response ness    Member
                                  val    Time     Value   Query
                                                          Inter-
                                                          val
------------ --------------- ---- ------ -------- ------- ------ -------
System       192.32.96.54/26 2    125    10       2       1      Disabled
ip2          10.1.2.3/8      2    125    10       2       1      Disabled

Total Entries: 2

PP1612G:4#


Displaying the IGMP group settings

To display the IGMP group settings for all IP interfaces on the switch, use the
following command:

show igmp group

This command uses the following options:

show igmp group
followed by:
group <group>      Identifies the multicast group ID.
ipif <ipif_name>   Identifies the IP interface name for which you wish to
                   display the current IGMP configuration. If no IP
                   interface name is specified, the switch displays the
                   IGMP configuration for all the IP interfaces on the
                   switch.

Figure 228 shows the IGMP group settings for all the IP interfaces on the switch
being displayed.

Figure 228 show igmp group command

PP1612G:4# show igmp group

Command: show igmp group

Interface    Multicast Group Last Reporter IP Querier IP      Expire
------------ --------------- ---------------- --------------- ---------

Total Entries: 0

PP1612G:4#

Configuring IGMP snooping


To configure your switch to perform IGMP snooping on all the VLANs on the
switch, use the following command:

config igmp_snooping all


This command includes the following options:

config igmp_snooping all
followed by:
host_timeout <sec>         Specifies the maximum amount of time a host can
                           be a member of a multicast group without the
                           switch receiving a host membership report. The
                           default value is 70 seconds.
router_timeout <sec>       Specifies the maximum time, in seconds, that a
                           route remains in the switch’s memory without the
                           switch receiving a host membership report. The
                           default value is 70 seconds.
leave_timer <sec>          Designates the amount of time a route will remain
                           in the switch’s memory after receiving a leave
                           group message from a host. The default is 2
                           seconds.
state [enabled|disabled]   Enables or disables this IGMP Snooping
                           configuration.

Figure 229 shows how to configure and enable IGMP snooping for all VLANs on
the switch with a host timeout value of 250 seconds.

Figure 229 config igmp_snooping all command

PP1648T:4#config igmp_snooping all host_timeout 250 state enabled

Command: config igmp_snooping all host_timeout 250 state enabled

Success.

PP1648T:4#

Configuring IGMP snooping querier

You can use the IGMP querier feature to configure the time in seconds between
general query transmissions, the maximum time in seconds to wait for reports
from members, and the permitted packet loss value that guarantees IGMP
snooping.


To configure the IGMP snooping querier feature, use the following command:

config igmp_snooping querier

This command includes the following options:

config igmp_snooping querier
followed by:
<vlan_name>                       Identifies the name of the VLAN to which the
                                  IGMP snooping querier configuration applies.
all                               Specifies that this IGMP Snooping querier
                                  configuration will be applied to all VLANs on the
                                  switch.
followed by:
query_interval <sec>              Designates the amount of time, in seconds,
                                  between general query transmissions. The
                                  default setting is 30 seconds.
max_response_time <sec>           Specifies the maximum amount of time, in
                                  seconds, that the switch will wait for reports from
                                  members. The default is 10 seconds.
robustness_variable <value>       Specifies a tuning variable for networks that are
                                  expected to lose a large number of packets. A
                                  number between 2 and 255 can be entered, with
                                  larger values being specified for networks that
                                  are expected to lose a larger number of packets.
                                  The default is 2.
last_member_query_interval <sec>  Identifies the Max Response Time inserted into
                                  Group-Specific Queries sent in response to
                                  Leave Group messages, and is also the amount
                                  of time between Group-Specific Query
                                  messages. The default is 1 second.
state [enabled|disabled]          Enables or disables IGMP for the IP interface
                                  specified above.

Figure 230 shows how to configure and enable IGMP snooping querier for a
VLAN named default, with a query interval of 125 seconds:


Figure 230 config igmp_snooping querier command

PP1648T:4#config igmp_snooping querier default query_interval 125 state enabled

Command: config igmp_snooping querier default query_interval 125 state enabled

Success.

PP1648T:4#

Configuring router ports


You can designate a range of switch ports as being connected to multicast-enabled
routers. This feature ensures that all packets with such a router as their destination
reach the multicast-enabled router, regardless of the protocol type.

To configure a range of ports as router ports, use the following command:

config router_ports

This command includes the following options:

config router_ports
followed by:
<vlan_name>               Specifies the name of the VLAN on which the
                          router port resides.
[add|delete] <portlist>   Allows you to add or delete a range of ports.
                          You can specify the ports to add or delete by first
                          entering the lowest port number in a group, and
                          then the highest port number in a group, separated
                          by a dash. For example, to enter a port group that
                          includes switch ports 1, 2, and 3, you enter 1-3.
                          To enter ports that are not contained within a
                          group, enter the port numbers, separated by a
                          comma. For example, port group 1-3 and port 26
                          are entered as 1-3, 26.


Figure 231 shows how to configure switch ports 1 through 3 to be router ports.

Figure 231 config router_ports command

PP1648T:4#config router_ports default add 1-3


Command: config router_ports default add 1-3

Success.

PP1648T:4#

Enabling IGMP snooping

You can globally enable IGMP snooping on the switch. When you enable IGMP
snooping on the switch, the switch forwards all multicast traffic to any IP router
and forwards traffic to the VLAN in which a client shows up.

To globally enable IGMP snooping on the switch, use the following command:

enable igmp_snooping

If you want the switch to forward all multicast traffic only to a multicast-enabled
router, include the forward_mcrouter_only parameter in the command line;
otherwise, the switch forwards all multicast traffic to any IP router.

As a switch, the Passport 1600 can also prune group memberships per port within
a VLAN. This feature, igmp_snooping filtering, allows you to optimize the
IP multicast data flow for a group within a VLAN to only those ports that are
members of the group. The switch listens to group reports from each port and
builds a database of multicast group members per port. The switch suppresses the
reports heard by not forwarding them out to other hosts, forcing the members to
continuously send their own reports. Furthermore, the switch forwards multicast
data only to the participating group members within the VLAN.


This command includes the following options:

enable igmp_snooping
followed by:
forward_mcrouter_only   Specifies that the switch forward all multicast
                        traffic to a multicast-enabled router only. If this
                        parameter is not entered, the switch forwards all
                        multicast traffic to any IP router.
filtering               Specifies that the switch forward multicast traffic
                        for a group within a VLAN to only those ports that
                        are members of the group.

Figure 232 shows how to configure and enable IGMP snooping to forward all
multicast traffic only to a multicast-enabled router.

Figure 232 enable igmp_snooping command

PP1648T:4# enable igmp_snooping forward_mcrouter_only

Command: enable igmp_snooping forward_mcrouter_only

Success.

PP1648T:4#

Disabling IGMP snooping


You can disable IGMP snooping on the switch only if IP multicast routing is not
being used. Disabling IGMP snooping allows all IGMP and IP multicast traffic to
flood within a given IP interface.

To globally disable IGMP snooping on the switch, use the following command:

disable igmp_snooping


This command includes the following options:

disable igmp_snooping
followed by:
filtering   Specifies that “unknown” IGMP packets will be
            filtered from the snooping process. When filtering
            is specified, only “registered” IGMP packets will be
            snooped.

Figure 233 shows how to disable IGMP snooping on the switch.

Figure 233 disable igmp_snooping command

PP1648T:4# disable igmp_snooping

Command: disable igmp_snooping

Success.

PP1648T:4#

Displaying the current IGMP snooping configuration

You can display the current IGMP snooping configuration on the switch.

To display the current IGMP snooping configuration, use the following show
command:

show igmp_snooping


This command includes the following options:

show igmp_snooping
followed by:
vlan <vlan_name>   Specifies the name of the VLAN for which you
                   want to view the IGMP snooping configuration.
                   Note: The IGMP snooping feature can be
                   configured differently for each VLAN on the switch.

Figure 234 shows how to display the IGMP snooping configuration on the switch.


Figure 234 show igmp_snooping command

PP1648T:4# show igmp_snooping

Command: show igmp_snooping

IGMP Snooping Global State : Disabled
Multicast router Only      : Disabled
Multicast Filtering        : Enabled

VLAN Name                  : default
Query Interval             : 125
Max Response Time          : 10
Robustness Value           : 2
Last Member Query Interval : 1
Host Timeout               : 260
Route Timeout              : 260
Leave Timer                : 2
Querier State              : Disabled
Querier Router Behavior    : Non-Querier
State                      : Disabled

VLAN Name                  : vlan2
Query Interval             : 125
Max Response Time          : 10
Robustness Value           : 2
Last Member Query Interval : 1
Host Timeout               : 260
Route Timeout              : 260
Leave Timer                : 2
Querier State              : Disabled
Querier Router Behavior    : Non-Querier
State                      : Disabled

Total Entries: 2

PP1648T:4#
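
The following Python check is an added example, not part of the Nortel manual: it parses show igmp_snooping output in the layout of Figure 234 and reports where snooping is off or where Host Timeout is below the RFC 2236 Group Membership Interval (Robustness Value × Query Interval + Max Response Time, which gives the 260 seconds shown in the figure). The sample capture is constructed, the function names are hypothetical, and the comparison assumes the listed Query Interval is the one used by the querier active on that VLAN.

```python
import re

# Constructed sample in the layout of Figure 234. vlan2 is altered (Host
# Timeout 250, State Enabled) so that each check below has something to report.
SAMPLE = """\
PP1648T:4# show igmp_snooping
Command: show igmp_snooping

IGMP Snooping Global State : Disabled
Multicast router Only      : Disabled
Multicast Filtering        : Enabled
VLAN Name                  : default
Query Interval             : 125
Max Response Time          : 10
Robustness Value           : 2
Last Member Query Interval : 1
Host Timeout               : 260
Route Timeout              : 260
Leave Timer                : 2
Querier State              : Disabled
Querier Router Behavior    : Non-Querier
State                      : Disabled

VLAN Name                  : vlan2
Query Interval             : 125
Max Response Time          : 10
Robustness Value           : 2
Last Member Query Interval : 1
Host Timeout               : 250
Route Timeout              : 260
Leave Timer                : 2
Querier State              : Disabled
Querier Router Behavior    : Non-Querier
State                      : Enabled

Total Entries: 2
"""

KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
TIMER_KEYS = ("Query Interval", "Max Response Time", "Robustness Value",
              "Host Timeout")


def parse_show_igmp_snooping(text):
    """Split the output into global settings and one dict per VLAN."""
    global_settings, vlans, current = {}, [], None
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if "#" in line or not match:          # CLI prompt or blank line
            continue
        key, value = match.groups()
        if key in ("Command", "Total Entries"):
            continue
        if key == "VLAN Name":                # a new per-VLAN record starts here
            current = {"VLAN Name": value}
            vlans.append(current)
        elif current is None:                 # lines before the first VLAN
            global_settings[key] = value
        else:
            current[key] = value
    return global_settings, vlans


def group_membership_interval(query_interval, max_response_time, robustness):
    """RFC 2236 Group Membership Interval, in seconds."""
    return robustness * query_interval + max_response_time


def audit(text):
    """Return (scope, code, detail) findings for one capture of the output."""
    global_settings, vlans = parse_show_igmp_snooping(text)
    findings = []
    if global_settings.get("IGMP Snooping Global State") != "Enabled":
        findings.append(("global", "SNOOPING_OFF",
                         "multicast floods instead of following membership"))
    for vlan in vlans:
        name = vlan["VLAN Name"]
        if vlan.get("State") != "Enabled":
            findings.append((name, "VLAN_SNOOPING_OFF",
                             "snooping state is not Enabled"))
        if not all(vlan.get(key, "").isdigit() for key in TIMER_KEYS):
            findings.append((name, "INCOMPLETE",
                             "timer values missing or non-numeric"))
            continue
        interval = group_membership_interval(int(vlan["Query Interval"]),
                                             int(vlan["Max Response Time"]),
                                             int(vlan["Robustness Value"]))
        host_timeout = int(vlan["Host Timeout"])
        if host_timeout < interval:
            findings.append((name, "HOST_TIMEOUT_SHORT",
                             f"Host Timeout {host_timeout}s < {interval}s: fewer "
                             "lost reports tolerated than the robustness value "
                             "implies"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The same formula reproduces the documented defaults: a 30 second query interval, 10 second maximum response time and robustness of 2 give the 70 second default host timeout.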


Displaying IGMP snooping groups

You can display current IGMP snooping group configurations on the switch.

To display the current IGMP snooping group configuration, use the following
show command:

show igmp_snooping group

This command includes the following options:

show igmp_snooping group
followed by:
vlan <vlan_name>   Specifies the name of the VLAN for which you
                   want to view the IGMP snooping group
                   configuration.
                   Note: The IGMP snooping feature can be
                   configured differently for each VLAN on the switch.

Figure 235 shows how to display the current IGMP snooping group configuration.


Figure 235 show igmp_snooping group

PP1648T:4# show igmp_snooping group

Command: show igmp_snooping group

VLAN Name      : default
Multicast group: 224.0.0.2
MAC address    : 01-00-5E-00-00-02
Reports        : 1
Port Member    : 7,26

VLAN Name      : default
Multicast group: 224.0.0.9
MAC address    : 01-00-5E-00-00-09
Reports        : 1
Port Member    : 7,26

VLAN Name      : default
Multicast group: 234.5.6.7
MAC address    : 01-00-5E-05-06-07
Reports        : 1
Port Member    : 9,26

VLAN Name      : default
Multicast group: 236.54.63.75
MAC address    : 01-00-5E-36-3F-4B
Reports        : 1
Port Member    : 7,26

VLAN Name      : default
Multicast group: 239.255.255.250
MAC address    : 01-00-5E-7F-FF-FA
Reports        : 2
Port Member    : 7,26

VLAN Name      : default
Multicast group: 239.255.255.254
MAC address    : 01-00-5E-7F-FF-FE
Reports        : 1
Port Member    : 7,26

Total Entries : 6
PP1648T:4#


Displaying IGMP snooping forwarding table

You can display information about the IGMP snooping forwarding table.

To display the current IGMP snooping forwarding table, use the following show
command:

show igmp_snooping forwarding

This command includes the following options:

show igmp_snooping forwarding
followed by:
vlan <vlan_name>   Specifies the name of the VLAN for which you
                   want to view the IGMP snooping forwarding
                   configuration.
                   Note: You can configure the IGMP snooping
                   feature differently for each VLAN on the switch.

Figure 236 shows how to display information about the IGMP snooping
forwarding table.

Figure 236 show igmp_snooping forwarding command

PP1648T:4# show igmp_snooping forwarding

Command: show igmp_snooping forwarding

VLAN Name       : default
Source IP       : 10.44.45.66
Multicast group : 224.0.0.2
Port Member     : 24

Total Entries : 1

PP1648T:4#


Displaying the list of router ports

You can display the currently configured router ports on the switch.

To display the current list of router ports, use the following command:

show router_ports

This command includes the following options:

show router_ports
followed by:
vlan <vlan_name>   Specifies the name of the VLAN for which you
                   want to view the list of router ports.
[static|dynamic]   Allows you to view the list of router ports based on
                   the method used to add a port to the router port
                   list:
                   • static — entered manually
                   • dynamic — discovered automatically by the
                     switch.

Figure 237 shows sample output for this command.

Figure 237 show router_ports command

PP1648T:4# show router_ports

Command: show router_ports

VLAN Name          : default
Static router port :
Dynamic router port: 11

VLAN Name          : v2
Static router port : 17-22
Dynamic router port:

Total Entries: 2

PP1648T:4#
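
The following Python check is an added example, not part of the Nortel manual: it expands the <portlist> syntax described for config router_ports (for example 1-3, 26) and compares the static and dynamic router ports reported by show router_ports against the ports an operator expects to face multicast routers. The sample capture follows the layout of Figure 237 and is constructed; the EXPECTED allowlist and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of Figure 237.
SAMPLE = """\
PP1648T:4# show router_ports
Command: show router_ports

VLAN Name          : default
Static router port :
Dynamic router port: 11

VLAN Name          : v2
Static router port : 17-22
Dynamic router port:

Total Entries: 2
"""

# Hypothetical allowlist: ports expected to face multicast-enabled routers,
# written per VLAN in the CLI's own <portlist> syntax.
EXPECTED = {"default": "26", "v2": "17-22"}

ITEM = re.compile(r"(\d+)(?:\s*-\s*(\d+))?")
KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
FIELDS = {"Static router port": "static", "Dynamic router port": "dynamic"}


def expand_portlist(portlist):
    """Expand a <portlist> such as '1-3, 26' into a sorted list of port numbers."""
    ports = set()
    for item in portlist.split(","):
        item = item.strip()
        if not item:                          # empty list or trailing comma
            continue
        match = ITEM.fullmatch(item)
        if not match:
            raise ValueError(f"malformed portlist item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)     # single port: range of one
        if low < 1 or high < low:
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def parse_show_router_ports(text):
    """Return {vlan_name: {'static': [ports], 'dynamic': [ports]}}."""
    table, current = {}, None
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if "#" in line or not match:          # CLI prompt or blank line
            continue
        key, value = match.groups()
        if key == "VLAN Name":
            current = table.setdefault(value, {"static": [], "dynamic": []})
        elif current is not None and key in FIELDS:
            current[FIELDS[key]] = expand_portlist(value)
    return table


def unexpected_router_ports(text, expected):
    """List (vlan, kind, port) for router ports that are not in the allowlist."""
    findings = []
    for vlan, kinds in parse_show_router_ports(text).items():
        allowed = set(expand_portlist(expected.get(vlan, "")))
        for kind in ("static", "dynamic"):
            findings += [(vlan, kind, port)
                         for port in kinds[kind] if port not in allowed]
    return findings


if __name__ == "__main__":
    for vlan, kind, port in unexpected_router_ports(SAMPLE, EXPECTED):
        print(f"VLAN {vlan}: {kind} router port {port} is not in the allowlist")
```

Dynamic entries are the ones the switch learned on its own, so a dynamic router port outside the allowlist is the case to investigate first.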


Configuring DVMRP
This section describes the CLI commands that you can use to configure the
DVMRP (Distance Vector Multicast Routing Protocol) on the Switch.

The Distance Vector Multicast Routing Protocol (DVMRP) is a hop-based
method of building multicast delivery trees from multicast sources to all nodes of
a network.

DVMRP resembles the Routing Information Protocol (RIP), but is extended for
multicast delivery. It relies upon RIP hop counts to calculate 'shortest paths' back
to the source of a multicast message, but defines a 'route cost' to calculate which
branches of a multicast delivery tree should be 'pruned' - once the delivery tree is
established.

Route cost is a relative number that is used by DVMRP to calculate which
branches of a multicast delivery tree should be 'pruned'. The 'cost' is relative to
other costs assigned to other DVMRP routes throughout the network.

The higher the route cost, the lower the probability that the current route will be
chosen to be an active branch of the multicast delivery tree (not 'pruned') - if there
is an alternative route.

DVMRP commands in the Command Line Interface (CLI) are listed (along with
the appropriate parameters) in the following table:


Command                    Parameter
config dvmrp               ipif <ipif_name 12>
                           all
                           metric <value 1-31>
                           probe <sec 1-65535>
                           neighbor_timeout <sec 1-65535>
                           state [enabled | disabled]
show dvmrp                 ipif <ipif_name>
enable dvmrp
disable dvmrp
show dvmrp routing_table   ipaddress <network_address>
show dvmrp neighbor        ipif <ipif_name 12>
                           ipaddress <network_address>
show dvmrp nexthop         ipif <ipif_name 12>
                           ipaddress <network_address>


Configuring DVMRP

To configure DVMRP for the IP interface named System, to use a neighbor
timeout of 30 seconds, and a DVMRP route cost of 2, use the following
command:

config dvmrp ipif System neighbor_timeout 30 metric 2

This command contains the following parameters:

Table 14 config dvmrp

config dvmrp
followed by:
ipif <ipif_name>            This is the name of the IP interface that this DVMRP
                            configuration will apply to.
all                         This specifies that this DVMRP configuration will
                            apply to all the IP interfaces on the switch.
metric <value>              This allows you to assign a DVMRP route cost to the
                            IP interface (entered above). A DVMRP route cost is
                            a number that represents the relative cost of using
                            this route, as opposed to using an alternative route,
                            in the construction of a multicast delivery tree. The
                            default cost is 1.
probe <second>              This is the amount of time, in seconds, between
                            queries to determine if a multicast group is present
                            on a given router’s subnet. The default is 10 seconds.
neighbor_timeout <second>   The time period, in seconds, that the switch will
                            retain DVMRP neighbor router reports before issuing
                            poison route messages. The default is 35 seconds.
state [enabled/disabled]    This allows you to enable or disable DVMRP.

Figure 238 shows DVMRP being configured for the IP interface System, to use a
neighbor timeout of 30 seconds and a DVMRP route cost of 2:


Figure 238 config dvmrp

:4# config dvmrp ipif System metric 2 neighbor_timeout 30

Command: config dvmrp ipif System metric 2 neighbor_timeout 30

Success.

:4#

Enabling DVMRP

To enable DVMRP, use the following command:

enable dvmrp

This command contains no additional parameters:

Table 15 enable dvmrp

enable dvmrp
This command has no additional parameters.

Figure 239 shows DVMRP being enabled:

Figure 239 enable dvmrp

:4# enable dvmrp


Command: enable dvmrp

Success.

:4#


Disabling DVMRP

To disable DVMRP, use the following command:

disable dvmrp

This command contains no additional parameters:

Table 16 disable dvmrp

disable dvmrp
This command has no additional parameters.

Figure 240 shows DVMRP being disabled:

Figure 240 disable dvmrp

:4# disable dvmrp


Command: disable dvmrp

Success.

:4#


Displaying the current DVMRP routing table

To display the current DVMRP routing table, use the following command:

show dvmrp routing_table

This command contains the following parameters:

Table 17 show dvmrp routing_table

show dvmrp routing_table
followed by:
ipaddress <network_address>

Figure 241 shows the current DVMRP routing table being displayed:

Figure 241 show dvmrp routing_table

:4# show dvmrp routing table

Command: show dvmrp routing table

DVMRP Routing Table

Source Address  Soruce Mask  Next Hop Router  Learned  Interface  Expire
--------------------------------------------------------------

Total Entries: 0

:4#


Displaying the current DVMRP neighbor router table

To display the current DVMRP neighbor router table, use the following
command:

show dvmrp neighbor

This command contains the following parameters:

Table 18 show dvmrp neighbor

show dvmrp neighbor
followed by:
ipif <ipif_name>              This is the name of the IP interface for which you
                              want to display the DVMRP neighbor router table.
ipaddress <network_address>   This is the IP address of a neighbor router.

Figure 242 shows the current DVMRP neighbor router table being displayed:

Figure 242 show dvmrp neighbor

:4# show dvmrp neighbor

Command: show dvmrp neighbor

DVMRP Neighbor Address Table

Interface  Neighbor Address  Generation ID  Expire Time
--------- ----------------------------------------

Total Entries: 0

:4#


Displaying the current DVMRP nexthop router table

To display the current DVMRP nexthop router table, use the following
command:

show dvmrp nexthop

This command contains the following parameters:

Table 19 show dvmrp next hop

show dvmrp nexthop
followed by:
ipif <ipif_name>              This is the name of the IP interface for which you
                              want to display the DVMRP nexthop router table.
ipaddress <network_address>   This is the IP address of a neighbor router.

Figure 243 shows the current DVMRP nexthop router table being displayed:

Figure 243 show dvmrp nexthop

:4# show dvmrp nexthop

Command: show dvmrp nexthop

DVMRP Routing Next Hop Table

Source IP Address  Soruce Mask  Interface Name  Type
---------------------------- ------------------

Total Entries: 0

:4#


Displaying the current DVMRP configuration

To display the current DVMRP configuration, use the following command:

show dvmrp

This command contains the following parameters:

Table 20 show dvmrp

show dvmrp
followed by:
ipif <ipif_name>   This is the name of the IP interface for which you
                   want to display the current DVMRP
                   configuration.

Figure 244 shows the current DVMRP configuration being displayed:

Figure 244 show dvmrp

:4# show dvmrp

Command: show dvmrp

DVMRP Global State : Disabled

Interface IP Address      Neighbor Timeout Probe  Metric State
--------- --------------- ---------------- ------ ------ --------
System    10.42.73.88/8   30               10     2      Disabled

Total Entries: 1

:4#

Displaying the Switch’s IP multicast cache


The IP multicast cache commands allow you to display the entries into the
switch’s IP multicasting cache for specific groups and IP addresses.


The IP multicasting commands in the Command Line Interface (CLI) are listed
(along with the appropriate parameters) in the following table.

Roadmap of IP multicast cache commands


Table 21 IP multicasting cache commands
Command           Parameter
show ipmc cache   group <group>
                  ipaddress <network_address>
show ipmc         ipif <ipif_name>

Displaying the Switch’s IP multicast cache


To display the switch’s IP multicast cache, use the following command:

show ipmc cache

This command contains the following parameters:

Table 22 show ipmc cache

show ipmc cache
followed by:
group <group>                 This is the multicast group ID.
ipaddress <network_address>   This is the IP address and subnet mask for a
                              multicast destination. If no IP address is entered, the
                              switch will display all of the destination IP addresses
                              in its IP multicasting forwarding table.

Figure 245 shows the switch’s IP multicast cache being displayed:


Figure 245 show ipmc cache

:4# show ipmc cache

Command: show ipmc cache

Multicast Source IP Source IP Upstream Expire Routing
Group     Address   Mask      Neighbor Time   Protocol
--------- --------- --------- -------- ------ --------

Total Entries: 0

:4#


Displaying the switch’s IP multicast table

To display the switch’s IP multicast table, use the following command:

show ipmc

This command contains the following parameters:

Table 23 show ipmc

show ipmc
followed by:
ipif <ipif_name>   This is the name of the IP interface for which you
                   want to display the IP multicast table.

Figure 246 shows the switch’s IP multicast table being displayed:

Figure 246 show ipmc

:4# show ipmc

Command: show ipmc

Interface Name IP Address  Multicast Routing
-------------- ----------- -----------------
System         10.42.73.88 INACT

Total Entries: 1

:4#


Chapter 16
Monitoring the network

The Passport 1600 switch provides extensive network monitoring that can be
viewed using the network monitoring commands described in this chapter.

This chapter describes the network monitoring commands. Specifically, it
includes the following topics:

Topic
Roadmap of network monitoring commands
Displaying port traffic statistics
Displaying port error statistics
Displaying port utilization
Clearing the switch counters
Clearing the switch log
Displaying the switch log
Configuring port mirroring
Displaying the current mirror settings
Enabling and disabling RMON
Checking network links
Determining the network route using traceroute


Roadmap of network monitoring commands


The following roadmap lists some of the network monitoring commands and their
parameters. Use this list as a quick reference or click on any command or
parameter entry for more information on monitoring networks.

Command Parameter
show packet ports <portlist>
show error ports <portlist>
show utilization
clear counters ports <portlist>
clear log
show log index <value>
config mirror port <port> add
    source ports <portlist>
    [rx|tx|both]
config mirror port <port> delete
    source ports <portlist>
    [rx|tx|both]
enable mirror
disable mirror
show mirror
enable rmon
disable rmon
ping <ipaddr> times <values 1-255>
    timeout <sec 1-99>
traceroute <ipaddr> ttl <value 1-60>
    port <value 30000-64900>
    timeout <sec 1-65535>
    probe <value 1-9>


Displaying port traffic statistics


To display the traffic statistics for a port, use the following command:

show packet ports

This command uses the following option:

show packet ports
followed by:
<portlist>   Specifies a range of ports you want to display the traffic
             statistics for. Ports are specified by entering the lowest port
             number in a group, and then the highest port number in a
             group, separated by a dash. So, a port group including the
             switch ports 1, 2, and 3 would be entered as 1-3. Ports that
             are not contained within a group are specified by entering their
             port number, separated by a comma. So, the port group 1-3
             and port 26 would be entered as 1-3, 26.

Figure 247 shows the traffic statistics collected by the switch for port 7.


Figure 247 show packet ports command

PP1648T:4# show packet ports 7

Command: show packet ports 7

Port number : 7
Frame Size    Frame Counts Frames/sec Frame Type Total     Total/sec
------------  ------------ ---------- ---------- --------- ---------
64            2            0          RX Bytes   64        0
65-127        0            0          RX Frames  1         0
128-255       0            0
256-511       0            0          TX Bytes   64        0
512-1023      0            0          TX Frames  1         0
1024-Max Size 0            0

Unicast RX    0            0
Multicast RX  1            0
Broadcast RX  0            0
Unicast TX    0            0
Multicast TX  1            0
Broadcast TX  0            0

Table 24 shows the definitions for terms related to displaying port traffic
statistics.


Table 24 show packet port definitions

Term           Definition
Frames         The number of packets (or frames) received or transmitted by the switch
               with the size, in octets, given by the column on the right.
Frames/sec     The number of packets (or frames) transmitted or received, per second,
               by the switch.
Unicast RX     Displays the number of unicast packets received by the switch in total
               number (Frames) and the rate (Frames/sec).
Multicast RX   Displays the number of multicast packets received by the switch in total
               number (Frames) and the rate (Frames/sec).
Broadcast RX   Displays the number of broadcast packets received by the switch in total
               number (Frames) and the rate (Frames/sec).
RX Bytes       Displays the number of bytes (octets) received by the switch in total
               number (Total), and rate (Total/sec).
RX Frames      Displays the number of packets (frames) received by the switch in total
               number (Total), and rate (Total/sec).
Unicast TX     Displays the number of unicast packets transmitted by the switch in total
               number (Frames) and the rate (Frames/sec).
Multicast TX   Displays the number of multicast packets transmitted by the switch in
               total number (Frames) and the rate (Frames/sec).
Broadcast TX   Displays the number of broadcast packets transmitted by the switch in
               total number (Frames) and the rate (Frames/sec).
TX Bytes       Displays the number of bytes (octets) transmitted by the switch in total
               number (Total), and rate (Total/sec).
TX Frames      Displays the number of packets (frames) transmitted by the switch in
               total number (Total), and rate (Total/sec).

Displaying port error statistics


The following are definitions for terms related to displaying port error statistics:

Term                 Definition

For received packets

CRC Error            For 10 Mbps ports, the counter records CRC errors (FCS
                     or alignment errors). For 100 Mbps ports, the counter
                     records the sum of CRC errors and code errors (frames
                     received with rxerror signal).
Undersize            The total number of frames received that were less than 64
                     octets long (excluding framing bits, but including FCS
                     octets) and were otherwise well formed.
Oversize             The total number of frames received that were longer than
                     1518 octets (excluding framing bits, but including FCS
                     octets) and were otherwise well formed.
Fragment             The total number of frames received that were less than 64
                     octets in length (excluding framing bits, but including FCS
                     octets) and had either an FCS or an alignment error.
Jabber               The total number of frames received that were longer than
                     1518 octets (excluding framing bits, but including FCS
                     octets), and had either an FCS or an alignment error.

For transmitted packets

Excessive Collision  Excessive Collisions. The number of frames for which
                     transmission failed due to excessive collisions.
Late Collision       The number of times that a collision is detected later than
                     512 bit-times into the transmission of a packet.
Collision

To display error statistics for the switch’s ports, use the following command:

show error ports

show error ports
followed by:
<portlist>   Specifies a range of ports for which you want to display error
             statistics. Ports are specified by entering the lowest port
             number in a group, and then the highest port number in a
             group, separated by a dash. So, a port group including the
             switch ports 1, 2, and 3 would be entered as 1-3. Ports that
             are not contained within a group are specified by entering their
             port number, separated by a comma. So, the port group 1-3
             and port 26 would be entered as 1-3, 26.

where:
portlist specifies the ports for which you want to display traffic statistics. Ports
are specified by entering the lowest port number in a group, and then the highest
port number in a group, separated by a dash. A port group, including the switch
ports 1, 2, and 3, would be entered as 1-3. Ports that are not contained within a
group are specified by entering their port number, separated by a comma. For
example, the port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 248 shows the traffic statistics collected by the switch for port 3.

Figure 248 show error ports command

PP1648T:4# show error ports 7
Command: show error ports 7

Port number : 7
             RX Frames                        TX Frames
             ---------                        ---------
CRC Error    0          Excessive Collision   0
Undersize    0          Late Collision        0
Oversize     0          Collision             0
Fragment     0
Jabber       0
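The receive-side definitions above reduce to two tests per frame: its length against the 64 and 1518 octet limits, and whether its FCS is valid. The following added example (not part of the original guide or of the switch software) applies those tests to constructed frames and tallies them under the counter names of Figure 248. It assumes that CRC Error counts bad-FCS frames of legal length, and it cannot model alignment errors or the rxerror signal, which exist only at the physical layer.

```python
import struct
import zlib

MIN_FRAME = 64     # octets, FCS included (Undersize / Fragment limit)
MAX_FRAME = 1518   # octets, FCS included (Oversize / Jabber limit)
RX_COUNTERS = ("CRC Error", "Undersize", "Oversize", "Fragment", "Jabber")


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(payload_len: int, corrupt: bool = False) -> bytes:
    """Constructed test frame: 14-byte header, zero payload, 4-byte FCS."""
    header = bytes.fromhex("ffffffffffff" "020000000001" "0800")
    body = header + bytes(payload_len)
    tail = fcs(body)
    if corrupt:                      # flip one bit so the FCS no longer matches
        tail = bytes([tail[0] ^ 0x01]) + tail[1:]
    return body + tail


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the last four octets."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def classify(frame: bytes):
    """Return the RX error counter a frame increments, or None if it is clean."""
    size, good = len(frame), fcs_ok(frame)
    if size < MIN_FRAME:
        return "Undersize" if good else "Fragment"
    if size > MAX_FRAME:
        return "Oversize" if good else "Jabber"
    # Assumption: a bad FCS on a legal-length frame is what CRC Error counts.
    return None if good else "CRC Error"


def tally(frames) -> dict:
    """Count frames per RX error counter, in the order Figure 248 lists them."""
    counts = dict.fromkeys(RX_COUNTERS, 0)
    for frame in frames:
        label = classify(frame)
        if label:
            counts[label] += 1
    return counts


# Constructed sample traffic covering both limits and both FCS outcomes.
SAMPLE_FRAMES = [
    build_frame(46),                   # 64 octets, good FCS: clean
    build_frame(1500),                 # 1518 octets, good FCS: clean
    build_frame(45),                   # 63 octets, good FCS
    build_frame(20, corrupt=True),     # 38 octets, bad FCS
    build_frame(1501),                 # 1519 octets, good FCS
    build_frame(1600, corrupt=True),   # 1618 octets, bad FCS
    build_frame(100, corrupt=True),    # 118 octets, bad FCS
]

if __name__ == "__main__":
    for name, value in tally(SAMPLE_FRAMES).items():
        print(f"{name:<10} {value}")
```

A steadily rising Fragment or Jabber count on a single port is worth correlating with the link's speed and duplex settings before treating it as hostile traffic.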

Displaying port utilization


The following are definitions for terms related to displaying port utilization:

Term     Definition

Port     The switch's port number.
TX/sec   The rate at which the given port is transmitting packets, in
         packets per second.
RX/sec   The rate at which the given port is receiving packets, in
         packets per second.
Util     The percentage utilization of the given port's available
         bandwidth.


To display the bandwidth utilization, in real time:

show utilization

Figure 249 shows the bandwidth utilization for the switch:

Figure 249 show utilization command

PP1624G:4# show utilization

Port TX/sec RX/sec Util Port TX/sec RX/sec Util


1 0 0 0 22 0 0 0
2 0 0 0 23 0 0 0
3 0 0 0 244 0 0 0
4 0 0 0 25 0 0 0
5 0 0 0 26 19 49 1
6 0 0 0 1 0 0 0
7 0 0 0 2 0 0 0
8 0 0 0 3 0 0 0
9 0 0 0 4 0 0 0
10 0 0 0 5 0 0 0
11 0 0 0 6 0 0 0
12 0 0 0 7 0 30 1
13 0 0 0 8 0 0 0
14 0 0 0 9 30 0 1
15 0 0 0 10 0 0 0
16 0 0 0 11 0 0 0
17 0 0 0 12 0 0 0
18 0 0 0 13 0 0 0
19 0 0 0 14 0 0 0
20 0 0 0 15 0 0 0
21 0 0 0 16 0 0 0

PP1624G:4#


Clearing the switch counters


To clear the switch counters, use the following command:

clear counters

This command uses the following option:

clear counters
followed by:
ports <portlist>   Specifies that you only want to clear the counters for the
                   ports specified in the <portlist>. If this parameter is not
                   specified, the counters for all of the ports on the switch
                   will be cleared.
                   • portlist is the range of ports for which you want to
                     clear counters. Ports are specified by entering the lowest
                     port number in a group, and then the highest port number
                     in a group, separated by a dash. So, a port group including
                     the switch ports 1, 2, and 3 would be entered as 1-3. Ports
                     that are not contained within a group are specified by
                     entering their port number, separated by a comma. So, the
                     port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 250 shows how to clear counters for ports 7 through 9, inclusive.

Figure 250 clear counters ports command

PP1612G:4# clear counters ports 7-9


Command: clear counters ports 7-9
Success.
PP1612G:4#


Clearing the switch log


To clear the switch log:

clear log

Figure 251 shows how to clear the switch log.

Figure 251 clear log command

PP1612G:4# clear log


Command: clear log

Success.

PP1612G:4#


Displaying the switch log


To display the switch log, use the following command:

show log

This command uses the following option:

show log
followed by:
index <value> Specifies the index number for which you want to display the
switch log.

Figure 252 shows how to display the switch’s log.

Figure 252 show log command

PP1648T:4# show log
Command: show log

Index Date&Time           Log Text
----- ------------------- -----------------------------------------
2     2004/03/12 10:10:49 clear log (Username:rwa from Telnet client
                          10.12.53.251)
1     2004/03/12 10:10:49 clear log tables successfully (Username:
                          rwa from Telnet client 10.12.53.251)
PP1648T:4#
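Figure 252 shows that clearing the log leaves behind only the record of the clearing itself, with the user name, transport, and client address. The following added example (not part of the original guide) parses show log output, rejoins wrapped entries, and flags log-clearing events and Telnet management sessions. The rule names are illustrative, and the "history-truncated" rule is an inference from the figure: when entry 1 is the clear log record, nothing older survives on the switch.

```python
import re
from dataclasses import dataclass

# Text of Figure 252; long entries wrap onto a continuation line.
SAMPLE_SHOW_LOG = """\
PP1648T:4# show log
Command: show log

Index Date&Time           Log Text
----- ------------------- -----------------------------------------
2     2004/03/12 10:10:49 clear log (Username:rwa from Telnet client
                          10.12.53.251)
1     2004/03/12 10:10:49 clear log tables successfully (Username:
                          rwa from Telnet client 10.12.53.251)
PP1648T:4#
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
PROMPT = re.compile(r"^\S+:\d+#")
ACTOR = re.compile(r"\(Username:\s*(\S+) from (\S+) client\s+([\d.]+)\)")


@dataclass
class LogEntry:
    index: int
    timestamp: str
    text: str
    user: str = ""
    transport: str = ""
    source_ip: str = ""


def parse_show_log(output: str):
    """Return log entries in ascending index order, with wrapped text rejoined."""
    entries = []
    for line in output.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append(LogEntry(int(match.group(1)), match.group(2),
                                    match.group(3).strip()))
        elif entries and line.strip() and not PROMPT.match(line.strip()):
            # Continuation of the previous entry's Log Text column.
            entries[-1].text += " " + line.strip()
    for entry in entries:
        actor = ACTOR.search(entry.text)
        if actor:
            entry.user, entry.transport, entry.source_ip = actor.groups()
    return sorted(entries, key=lambda e: e.index)


def audit(entries):
    """Return (rule, index, user, source_ip) tuples for entries worth review."""
    findings = []
    for e in entries:
        if e.text.lower().startswith("clear log"):
            findings.append(("log-cleared", e.index, e.user, e.source_ip))
        if e.transport.lower() == "telnet":
            # Telnet carries the login and the session in cleartext.
            findings.append(("cleartext-management", e.index, e.user, e.source_ip))
    if entries and entries[0].index == 1 and \
            entries[0].text.lower().startswith("clear log"):
        first = entries[0]
        findings.append(("history-truncated", 1, first.user, first.source_ip))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_log(SAMPLE_SHOW_LOG)):
        print(finding)
```

Because clear log removes the local history, forwarding log entries to an external collector is what preserves the events that preceded a clear.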

Configuring port mirroring


Port mirroring allows a range of ports to have all of their traffic duplicated and
sent to a designated port, where a network sniffer or other device can monitor the
network traffic. For the range of ports to be mirrored, you can also specify
whether only received traffic, only transmitted traffic, or both is mirrored to
the target port.


Configuring a mirror port

To configure a mirror port, use the following command:

config mirror port <port> add source ports <portlist> [rx|tx|both]

where:
port is the number of the port that will become a mirror for the ports listed in
portlist.
portlist is the range of ports whose traffic is mirrored in the mirror port. To
specify a range, enter the beginning and end values, separated by a hyphen. You
specify ports that are not contained within a group by entering their port number,
separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
rx mirrors the packets received by the source ports.
tx mirrors the packets transmitted by the source ports.
both mirrors all packets that pass through the source ports.

Figure 253 shows you how to configure port 5 as the mirror port, and ports 1
through 4 as the source ports. All traffic passing through the source ports is
mirrored to port 5.

Figure 253 config mirror port add command

PP1612G:4#config mirror port 5 add source ports 1-4 both


Command: config mirror port 5 add source ports 1-4 both

Success.

Deleting a mirror port

To delete a mirror port, use the following command:

config mirror port <port> delete source ports <portlist> [rx|tx|both]

where:
port is the number of the port that is a mirror for the ports listed in portlist.
portlist is the range of ports whose traffic is mirrored in the mirror port. To
specify a range, enter the beginning and end values, separated by a hyphen. You
specify ports that are not contained within a group by entering their port number,
separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
rx mirrors the packets received by the source ports.
tx mirrors the packets transmitted by the source ports.
both mirrors all packets that pass through the source ports.

Figure 254 shows you how to delete port 5 as the mirror port, and ports 1 through
4 as the source ports.

Figure 254 config mirror port delete command

PP1612G:4# config mirror port 5 delete source ports 1-4 both
Command: config mirror port 5 delete source ports 1-4 both

Success.

PP1612G:4#

Enabling a mirror port


To enable port mirroring on the switch, use the following command:

enable mirror

Figure 255 shows you how to enable port mirroring on the switch.


Figure 255 enable mirror command

PP1612G:4#enable mirror
Command: enable mirror

Success.

PP1612G:4#

Disabling a mirror port

To disable port mirroring on the switch, use the following command:

disable mirror

Figure 256 shows you how to disable port mirroring on the switch.

Figure 256 disable mirror command

PP1612G:4#disable mirror
Command: disable mirror.

Success.

PP1612G:4#

Displaying the current mirror settings


To display the current port mirroring settings on the switch, use the following
command:

show mirror

Figure 257 shows you how to display the current mirror settings on the switch.


Figure 257 show mirror command

PP1648T:4# show mirror


Command: show mirror

Current Settings
Mirror Status: Enabled
Target Port : 9
Mirrored Port
RX:
TX: 1-5
PP1648T:4#
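A mirror session copies every frame on its source ports to the target port, so the output of show mirror is worth comparing against what has been approved. The following added example (not part of the original guide) parses the output of Figure 257, expands the portlist notation used throughout this chapter (1-3, 26), and reports differences from a baseline. The baseline dictionary and its values are hypothetical, and the 52-port limit is taken from the Member ports : 1-52 output shown for the PP1648T.

```python
import re

# Text of Figure 257.
SAMPLE_SHOW_MIRROR = """\
PP1648T:4# show mirror
Command: show mirror

Current Settings
Mirror Status: Enabled
Target Port  : 9
Mirrored Port
       RX:
       TX: 1-5
PP1648T:4#
"""


def expand_portlist(portlist: str, max_port: int = 52) -> set:
    """Expand '1-3, 26' into {1, 2, 3, 26}; reject malformed or out-of-range items."""
    ports = set()
    for item in portlist.split(","):
        item = item.strip()
        if not item:
            continue
        match = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", item)
        if not match:
            raise ValueError(f"bad portlist item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 1 <= low <= high <= max_port:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(low, high + 1))
    return ports


def parse_show_mirror(output: str) -> dict:
    """Extract mirror status, target port and RX/TX source ports."""
    state = {"enabled": False, "target": None, "rx": set(), "tx": set()}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mirror status":
            state["enabled"] = value.lower() == "enabled"
        elif key == "target port":
            state["target"] = int(value) if value else None
        elif key in ("rx", "tx"):
            state[key] = expand_portlist(value)
    return state


def audit_mirror(state: dict, approved) -> list:
    """Compare a parsed mirror session with the approved one (None = none approved)."""
    if not state["enabled"]:
        return []
    if approved is None:
        return ["mirroring is enabled but no mirror session is approved"]
    findings = []
    if state["target"] != approved["target"]:
        findings.append(f"target port {state['target']} differs from "
                        f"approved port {approved['target']}")
    for direction in ("rx", "tx"):
        extra = state[direction] - expand_portlist(approved[direction])
        if extra:
            findings.append(f"{direction}: unapproved source ports {sorted(extra)}")
    if state["target"] in state["rx"] | state["tx"]:
        findings.append("target port is also a mirrored source port")
    return findings


# Hypothetical approved session: monitor port 9, transmit traffic of ports 1-4.
APPROVED = {"target": 9, "rx": "", "tx": "1-4"}

if __name__ == "__main__":
    for finding in audit_mirror(parse_show_mirror(SAMPLE_SHOW_MIRROR), APPROVED):
        print(finding)
```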

Enabling and disabling RMON


To enable RMON, use the following command:

enable rmon

Figure 258 shows enabling RMON on the switch:

Figure 258 enable rmon command

PP1612G:4#enable rmon
Command: enable rmon

Success.

PP1612G:4#

To disable RMON, use the following command:

disable rmon

Figure 259 shows disabling RMON on the switch:


Figure 259 disable rmon command

PP1612G:4#disable rmon
Command: disable rmon

Success.

PP1612G:4#

Checking network links


To verify the network link between the switch and another network device, use the
following command:

ping <ipaddr>

where:
ipaddr is the IP address of the network device at the remote end of the link. This
IP address must be on the same subnet as the switch.

This command contains the following parameters:

ping
followed by:

times <values 1-255> The number of times the remote network device
will be “pinged.”
timeout <sec 1-99> The length of time, in seconds, the switch will wait
for a response from the remote network device
after sending a ping packet.

Note: You cannot ping an interface if its ports are in blocking mode and
the link is up.


Figure 260 shows the switch sending 4 ping packets to the IP address
10.48.74.128.

Figure 260 ping command

PP1612G:4# ping 10.48.74.121 times 4


Command: ping 10.48.74.121
Reply from 10.48.74.121, time<10ms
Reply from 10.48.74.121, time<10ms
Reply from 10.48.74.121, time<10ms
Reply from 10.48.74.121, time<10ms
Ping Statistics for 10.48.74.121
Packets: Sent=4, Received=4, Lost=0

PP1612G:4#

Determining the network route using traceroute


To verify the network link between the switch and another network device, use
the following command:

traceroute <ipaddr>

where:
ipaddr is the IP address of the remote network device to be pinged.

This command contains the following parameters:

traceroute
followed by:

ttl <value 1-60> The time to live (TTL) value of the trace route
request. This is the maximum number of routers
the traceroute command can cross while seeking
the network path between two devices.
port <value 30000-64900> The port number.
timeout <sec 1-65535> The maximum amount of time, in seconds, the
switch will wait for a response.
probe <value 1-9> The number of times the switch will try the
traceroute command.


Figure 261 shows the switch tracing the route between the switch and the network
device with the IP address 10.48.74.121, with 3 probes:

Figure 261 traceroute command

PP1612G:4# traceroute 10.48.74.121 probe 3


Command: traceroute 10.48.74.121 probe 3

1 <10ms. 10.48.74.121
1 <10ms. 10.48.74.121
1 <10ms. 10.48.74.121

PP1612G:4#


Chapter 17
CLI configuration examples

This chapter provides configuration examples for common Passport 1600 Series
switch tasks and includes the CLI commands that you use to create the
configuration examples. It includes the following topics:

Topic

Resetting the switch to its factory defaults
Configuring the default VLAN for management access
Downloading firmware and uploading configuration files
Creating new port-based VLANs
Disabling Spanning Tree
Configuring link aggregation groups
Enabling OSPF
Configuring OSPF MD5 authentication
Configuring an OSPF stub area
Configuring OSPF route distribution
Configuring RIP base
Selecting Tx and Rx RIP v2 mode
Configuring broadcast and multicast storm control
Configuring egress queue weight
Configuring QoS and IP filtering
Setting QoS priority for destination TCP flows
Dropping TCP flows
Filtering MAC addresses
Configuring forward-to-next-hop
Filtering IP addresses
Dropping fragmented IP packets


Resetting the switch to its factory defaults


To reset the switch to its factory defaults, use the following command:

PP1648T:4# reset config

Configuring the default VLAN for management access


By default, all ports are assigned to the default VLAN, named default. This
VLAN has an IP interface named System and an IP address of 10.90.90.90/8. You
can change the System IP address to meet the IP subnet requirements used in your
network. After you have changed the IP address, you can use TELNET or Device
Manager to access and manage your switch.

Note: The Passport 1600 Series switch requires names when you create
or edit VLANs or IP addresses. The VLAN name can be up to 32
characters in length and is case-sensitive. For this configuration, you will
not create a new VLAN or IP address; you will simply change the settings
for the default VLAN, named default, and the default IP address, named
System.

This example shows you how to create the default VLAN, as follows:

• Configure the default VLAN to use port 1 only.


• Change the System IP address to 10.1.1.10/24.
• Create a default gateway with an address 10.1.1.1.

Figure 262 illustrates this configuration example.


Figure 262 Configuration example — configuring the default VLAN for access

[Figure: Passport 1648T, port 1, with management IP 10.1.1.10/24 and default gateway 10.1.1.1]

To perform this configuration, you connect your PC or terminal to the console port
on the switch using the 9-pin serial connector, and you set your terminal to 9600
bps 8/N/1.

Configuration example — configuring the default VLAN

This section describes how to configure the default VLAN for this example. For
more information about the commands used in this section, see Chapter 1,
“Setting up the switch,” and Chapter 6, “Configuring VLANs.”

1 Log on to the switch by entering the following commands:
   Login: rwa
   Password: rwa (rwa appears as ***)
2 View the default privileges by entering the following command:
   PP1648T:4# show account
   Command: show account

   Current Accounts:
   Username        Access Level
   --------------- ------------
   rwa             Admin
3 View the VLAN configuration by entering the following command:
   PP1648T:4# show vlan
   Command: show vlan

   VID            : 1          VLAN Name : default
   VLAN TYPE      : static
   Member ports   : 1-52
   Static ports   : 1-52
   Untagged ports : 1-52

   Note that all ports are under the default VLAN.
4 Remove all ports from the default VLAN, except port 1, by entering the
  following command:
   PP1648T:4# config vlan default delete 2-52
5 Change the default System IP address to 10.1.1.10/24 by entering the
  following command:
   PP1648T:4# config ipif System ipaddress 10.1.1.10/24 vlan default state enable
6 Add a default gateway address with an address of 10.1.1.1:
   PP1648T:4# create iproute default 10.1.1.1
7 Save the configuration by entering the following command:
   PP1648T:4# save

Viewing the VLAN and IP addresses


To view the VLAN and IP addresses that you have just configured, use the
following procedures:

1 View the VLAN using the following command:
   PP1648T:4# show vlan
   Command: show vlan

   VID            : 1          VLAN Name : default
   VLAN TYPE      : static
   Member ports   : 1
   Static ports   : 1
   Untagged ports : 1

   Total Entries : 1
2 View the IP addresses used using the following command:
   PP1648T:4# show ipif
   Command: show ipif

   IP Interface Settings

   Interface Name : System
   IP Address     : 10.1.1.1 (MANUAL)
   Subnet Mask    : 255.255.255.0
   VLAN Name      : default
   Admin. State   : Enabled
   Link Status    : Link UP
   Member Ports   : 1

   Total Entries : 1

   PP1648T:4#

Downloading firmware and uploading configuration files


To download firmware, enter the following command:

PP1648T:4# download firmware <ipaddr> <path_filename 64>

where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the
remote TFTP server. The path filename can be up to 64 characters.

To upload a configuration file, enter the following command:

PP1648T:4# upload config <ipaddr> <path_filename 64>

where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP
server that will receive the configuration file from the switch. The path filename
can be up to 64 characters.

For more information about the commands used in this section, see Chapter 2,
“Managing switch operations.”


Creating new port-based VLANs


For this example, you create two new VLANs, as follows:

• Create a port-based VLAN with a PVID of 10 that uses ports 10-12


• Create a port-based VLAN with a PVID of 12 that uses ports 13-14
• Add a tagged uplink port for both VLAN 10 and VLAN 12 that uses port 49

Figure 263 illustrates this configuration example.

Figure 263 Configuration example — creating a new port-based VLAN

[Figure: Passport 1648T with VLAN 10 and VLAN 12, connected to a Passport 8600 over a tagged link carrying VLAN 10 and 12]

Configuration example — creating port-based VLANs


This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs.”

1 Add VLAN 10:
   a The following command creates VLAN 10:
      PP1648T:4# create vlan vlan_10 vid 10
   b The following command adds untagged ports 10, 11, and 12 to VLAN 10:
      PP1648T:4# config vlan vlan_10 add untagged 10-12
   c The following command adds tagged port 49 to VLAN 10:
      PP1648T:4# config vlan vlan_10 add tagged 49
2 Add VLAN 12:
   a The following command creates VLAN 12:
      PP1648T:4# create vlan vlan_12 vid 12
   b The following command adds untagged ports 13 and 14 to VLAN 12:
      PP1648T:4# config vlan vlan_12 add untagged 13-14
   c The following command adds tagged port 49 to VLAN 12:
      PP1648T:4# config vlan vlan_12 add tagged 49

Viewing VLANs

To view the VLANs that you have just configured, use the following command:

PP1648T:4# show vlan
Command: show vlan

VID            : 1          VLAN Name : default
VLAN TYPE      : static
Member ports   : 1
Static ports   : 1
Untagged ports : 1

VID            : 10         VLAN Name : vlan_10
VLAN TYPE      : static
Member ports   : 10-12, 49
Static ports   : 10-12, 49
Untagged ports : 10-12

VID            : 12         VLAN Name : vlan_12
VLAN TYPE      : static
Member ports   : 13-14, 49
Static ports   : 13-14, 49
Untagged ports : 13-14

Total Entries : 3

Viewing the forwarding database

To view the forwarding database, use the following command:

PP1648T:4# show fdb {port <port>|vlan <vlan_name 32>|mac_address <macaddr>|static|aging_time}

where:
port specifies port number.
vlan_name 32 specifies a VLAN.
macaddr is a multicast MAC address.

Example:

PP1648T:4# show fdb


Command: show fdb

Unicast MAC Address Aging Time = 300

VID VLAN Name MAC Address Type Port


---- ---------------- ----------------- --------- ---------------
1 default 00-03-4B-D8-7E-E1 Dynamic 1
1 default 00-09-97-E3-40-01 Self CPU
1 default 00-60-F3-20-59-4B Dynamic 1
1 default 00-80-2D-AF-CE-0F Dynamic 1
1 default 00-E0-4C-88-AE-67 Dynamic 1
1 default 01-00-5E-00-00-04 Multicast
1 default FF-FF-FF-FF-FF-FF Self CPU
2 vlan_2 00-09-97-E3-40-02 Self CPU
2 vlan_2 01-00-5E-00-00-04 Multicast
2 vlan_2 FF-FF-FF-FF-FF-FF Self CPU
3 vlan_3 00-09-97-E3-40-03 Self CPU
3 vlan_3 00-E0-7B-82-9C-60 Dynamic 49
3 vlan_3 00-E0-7B-82-9E-0C Dynamic 49
3 vlan_3 01-00-5E-00-00-04 Multicast
3 vlan_3 FF-FF-FF-FF-FF-FF Self CPU

Total Entries: 15


Disabling Spanning Tree


The Passport 1600 Series switch currently supports one instance of Spanning
Tree. You can disable Spanning Tree for a specific port or globally.

For more information about the commands used in this section, see Chapter 4,
“Configuring Spanning Tree.”

Configuration example — disabling Spanning Tree

To disable Spanning Tree globally, use the following command:

PP1648T:4# disable stp


Command: disable stp

Success.

To disable Spanning Tree for a specific port, use the following command. In this
example, you disable Spanning Tree for port 12.

PP1648T:4# config stp ports 12 state disabled


Command: config stp ports 12 state disabled
Success.

Viewing Spanning Tree status


To view the status of Spanning Tree, use the following commands:

PP1648T:4# show stp


Command: show stp

STP Status : Disabled


Max Age : 20
Hello Time : 2
Forward Delay : 15
Priority : 32768
Forwarding BPDU : Enabled

PP1648T:4# show stp ports
Command: show stp ports

Port Connection        State    Cost Priority Status     STP Name
---- ----------------- -------- ---- -------- ---------- ------
1    100M/Full/None    Enabled  *19  128      Forwarding s0
2    Link Down         Enabled  *19  128      Disabled   s0
3    Link Down         Enabled  *19  128      Disabled   s0
4    Link Down         Enabled  *19  128      Disabled   s0
5    Link Down         Enabled  *19  128      Disabled   s0
6    Link Down         Enabled  *19  128      Disabled   s0
7    Link Down         Enabled  *19  128      Disabled   s0
8    Link Down         Enabled  *19  128      Disabled   s0
9    Link Down         Enabled  *19  128      Disabled   s0
10   Link Down         Enabled  *19  128      Disabled   s0
11   Link Down         Enabled  *19  128      Disabled   s0
12   100M/Half/None    Disabled *19  128      Forwarding s0

Configuring link aggregation groups


The Passport 1600 supports up to seven multilink trunking (MLT) groups with up
to four ports per group. Each MLT group has a flooding port. You use the flooding
port to flood packets with unknown MAC destinations.

For this example, you create MLT group 1 with ports 1/27 and 1/28.

Figure 264 illustrates this configuration example.

Figure 264 Configuration example — creating MLT group with ports 27 and 28

[Figure: Passport 1648T connected to a Passport 8600 through ports 27 and 28]

Configuration example — configuring link aggregation groups

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 7, “Configuring link aggregation groups.”

1 Create MLT group 1:
   PP1648T:4# create link_aggregation group_id 1
2 Add the MLT port to MLT group 1:
   PP1648T:4# config link_aggregation group_id 1 master_port 27 ports 27-28 state enabled
3 View the MLT configuration:
   PP1648T:4# show link_aggregation

Enabling OSPF

For this example, you create two new VLANs, as follows:

• Create VLAN 2 using untagged port 12 and add IP address 10.50.1.1/24.


• Create VLAN 3 using untagged port 49 and add IP address 10.1.1.66/30.
• Enable OSPF area 0 for both VLAN 2 and VLAN 3.
• Add an OSPF router ID of 10.50.1.1.
• Set the router priority so that the Passport 1648T never becomes the
Designated Router.

Figure 265 illustrates this configuration example.

Figure 265 Configuration example — enabling OSPF in the default area 0

[Figure: Passport 1648T; VLAN 2 10.50.1.0/24 (.1); VLAN 3 10.1.1.68/30 (.69, .70); OSPF Area 0]

Configuration example — enabling OSPF globally

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Enable OSPF globally, using the following command:
   PP1648T:4# enable ospf
2 Add VLAN 2:
   The following command creates VLAN 2 with a VLAN name of vlan_2:
   PP1648T:4# create vlan vlan_2 vid 2
3 Add untagged ports to VLAN 2:
   The following command adds untagged port 12 to VLAN 2:
   PP1648T:4# config vlan vlan_2 add untagged 12
4 Add IP address to VLAN 2:
   The following command creates an IP interface with the name ip_2 and adds
   it to VLAN 2:
   PP1648T:4# create ipif ip_2 10.50.1.1/25 vlan_2 state enabled
5 Enable OSPF on VLAN 2, using the following command:
   PP1648T:4# config ospf ipif ip_2 state enabled
6 Add VLAN 3:
   a The following command creates VLAN 3 with a VLAN name of vlan_3:
      PP1648T:4# create vlan vlan_3 vid 3
   b The following command adds untagged port 49 to VLAN 3:
      PP1648T:4# config vlan vlan_3 add untagged 49
7 Add IP address to VLAN 3:
   The following command creates an IP interface with the name ip_3 and adds
   it to VLAN 3:
   PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled
8 Enable OSPF on VLAN 3:
   PP1648T:4# config ospf ipif ip_3 state enabled
9 Add OSPF router ID 10.50.1.1:
   PP1648T:4# config ospf router_id 10.50.1.1
10 Configure OSPF router priority to 0 for IP interface ip_2 and ip_3:
   PP1648T:4# config ospf ipif ip_2 area 0.0.0.0 priority 0
   PP1648T:4# config ospf ipif ip_3 area 0.0.0.0 priority 0
11 Save the configuration:
   PP1648T:4# save
12 Use the following show commands:
   PP1648T:4# show ospf
   PP1648T:4# show ospf lsdb
   PP1648T:4# show ospf ipif <ipif name>
   PP1648T:4# show ospf area
   PP1648T:4# show ospf neighbor
   PP1648T:4# show ospf aggregation
   PP1648T:4# show ospf host_route
   PP1648T:4# show ospf virtual_link
   PP1648T:4# show ospf virtual_neighbor
   PP1648T:4# show ospf all
   PP1648T:4# show iproute
   PP1648T:4# show ipif
   PP1648T:4# show arpentry
   PP1648T:4# ping <ip address>
   PP1648T:4# traceroute <ip address>
   PP1648T:4# traceroute <ip address> {ttl <value 1-60>|port <value 30000-64900>|timeout <sec 1-65535>|probe <value 1-9>}

Viewing OSPF status and routes


To view OSPF status and routes, use the following command:

PP1648T:4# show ospf
Command: show ospf

OSPF Router ID : 10.50.1.1
State          : Enabled

OSPF Interface Settings

Interface    IP Address         Area ID         State    Link      Metric
                                                         Status
------------ ------------------ --------------- -------- --------- ---------
ip_3         10.1.1.69/30       0.0.0.0         Enabled  Link Up   1
ip_2         10.50.1.1/24       0.0.0.0         Enabled  Link Up   1
System       10.1.1.10/24       0.0.0.0         Disabled Link Up   1

Total Entries : 3

OSPF Area Settings

Area ID         Type   Stub Import Summary LSA Stub Default Cost
--------------- ------ ----------------------- -----------------
0.0.0.0         Normal None                    None

Total Entries : 1

Virtual Interface Configuration

Transit         Virtual         Hello    Dead     Authentication Link
Area ID         Neighbor Router Interval Interval                Status
--------------- --------------- -------- -------- -------------- ------

Total Entries : 0

OSPF Area Aggregation Settings

Area ID         Aggregated         LSDB     Advertise
                Network Address    Type
--------------- ------------------ -------- ---------

Total Entries : 0

OSPF Host Route Settings

Host Address    Metric Area ID         TOS
--------------- ------ --------------- ---

Total Entries : 0

Viewing OSPF neighbor status

To view OSPF neighbor status, use the following command:

PP1648T:4# show ospf neighbor
Command: show ospf neighbor

IP Address of   Router ID of    Neighbor Neighbor
Neighbor        Neighbor        Priority State
--------------- --------------- -------- -------------
10.1.1.70       1.1.1.3         1        Full

Total Entries: 1

Viewing OSPF LSDB

To view the OSPF link state database, use the following command:

PP1648T:4# show ospf lsdb
Command: show ospf lsdb

Area            LSDB      Advertising     Link State         Cost     Sequence
ID              Type      Router ID       ID                          Number
--------------- --------- --------------- ------------------ -------- ----------
0.0.0.0         RTRLink   1.1.1.1         1.1.1.1            *        0x800005DE
0.0.0.0         RTRLink   1.1.1.2         1.1.1.2            *        0x80000593
0.0.0.0         RTRLink   1.1.1.3         1.1.1.3            *        0x80000404
0.0.0.0         RTRLink   1.1.1.4         1.1.1.4            *        0x800005CC
0.0.0.0         RTRLink   1.1.1.10        1.1.1.10           *        0x80000521
0.0.0.0         RTRLink   1.1.1.55        1.1.1.55           *        0x800002A5
0.0.0.0         RTRLink   10.50.1.1       10.50.1.1          *        0x80000008
0.0.0.0         RTRLink   47.133.59.49    47.133.59.49       *        0x80000002
0.0.0.0         NETLink   1.1.1.3         10.1.1.2/30        *        0x80000397
0.0.0.0         NETLink   1.1.1.4         10.1.1.6/30        *        0x800004E9
0.0.0.0         NETLink   1.1.1.4         10.1.1.10/30       *        0x80000214
0.0.0.0         NETLink   1.1.1.3         10.1.1.14/30       *        0x80000244
0.0.0.0         NETLink   1.1.1.3         10.1.1.70/30       *        0x80000002
0.0.0.0         NETLink   1.1.1.1         10.20.1.1/24       *        0x8000029D
0.0.0.0         NETLink   1.1.1.4         90.1.1.1/24        *        0x80000128
0.0.0.0         ASExtLink 1.1.1.1         0.0.0.0            100      0x80000368
0.0.0.0         ASExtLink 1.1.1.3         1.1.1.1/32         60000    0x800003D5

Total Entries: 16

Viewing the Passport 1600 Series switch route table

To view the switch route table, use the following command:

PP1648T:4# show iproute


Command: show iproute

Routing Table

IP Address/Netmask Gateway Interface Hops Protocol


------------------ --------------- ------------ -------- --------
0.0.0.0 47.133.59.1 System 1 Default
1.1.1.1/32 10.1.1.70 ip_3 12 OSPF
1.1.1.2/32 10.1.1.70 ip_3 12 OSPF
1.1.1.3/32 10.1.1.70 ip_3 11 OSPF
1.1.1.4/32 10.1.1.70 ip_3 13 OSPF
1.1.1.10/32 10.1.1.70 ip_3 14 OSPF
1.1.1.55/32 10.1.1.70 ip_3 13 OSPF
10.1.1.0/30 10.1.1.70 ip_3 2 OSPF
10.1.1.4/30 10.1.1.70 ip_3 3 OSPF
10.1.1.8/30 10.1.1.70 ip_3 3 OSPF
10.1.1.12/30 10.1.1.70 ip_3 2 OSPF
10.1.1.68/30 0.0.0.0 ip_3 1 Local


10.1.1.72/30 10.1.1.70 ip_3 4 OSPF


10.1.5.0/24 10.1.1.70 ip_3 12 OSPF
10.1.20.0/24 10.1.1.70 ip_3 12 OSPF
10.1.30.0/24 10.1.1.70 ip_3 11 OSPF
10.1.60.0/24 10.1.1.70 ip_3 12 OSPF
10.5.1.0/24 10.1.1.70 ip_3 11 OSPF
10.20.1.0/24 10.1.1.70 ip_3 12 OSPF
10.50.1.0/24 0.0.0.0 ip_2 1 Local
47.133.59.0/24 0.0.0.0 System 1 Local
90.1.1.0/24 10.1.1.70 ip_3 13 OSPF

Total Entries : 22

Configuring OSPF MD5 authentication


The Passport 1600 implementation of OSPF includes security mechanisms to
prevent the OSPF routing domain from being attacked by unauthorized routers.
This prevents someone from joining an OSPF domain and advertising false
information in its OSPF LSAs. Likewise, it prevents a misconfigured router from
joining an OSPF domain.

The Passport 1600 Series switch supports both Simple and MD5 mechanisms.
Simple Password is a text password mechanism: only routers that contain the
same authentication ID in their LSA headers can communicate with each other.
MD5 is the preferred method of OSPF security because it provides
standards-based (RFC 1321) authentication using 128-bit encryption.

For this example, you enable MD5 authentication for the Passport 8600 using an
MD5 key of passport1234.

Figure 266 illustrates this configuration example.


Figure 266 Configuration example — MD5 authentication

[Figure: a Passport 1648T connected through IP interface ip_3 to a Passport 8600, annotated "Configure MD5 key with 'passport 1234'".]

Configuration example — creating an MD5 key

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Create the MD5 key for the Passport 8600:


PP1648T:4# create md5 key 1 PP8600
2 Assign the password passport1234 to the MD5 key:
PP1648T:4# config md5 key 1 passport1234
3 Add the MD5 key to the appropriate OSPF interface:
PP1648T:4# config ospf ipif ip_3 authentication md5 1
4 View the MD5 configuration:
PP1648T:4# show md5
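
What key 1 does on the wire once it is bound to ip_3 can be sketched as follows. This is an added example, not code from Nortel or the switch; it follows the cryptographic authentication procedure of RFC 2328 Appendix D, which authenticates each OSPF packet with a keyed MD5 digest and a sequence number and does not encrypt it. The router ID, Hello body, and sequence numbers are constructed, and zero-padding a short key to 16 bytes is an assumption about the implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

# 24-byte OSPF header laid out for AuType 2: version, type, length, router ID,
# area ID, checksum, AuType, 0, key ID, auth data length, sequence number.
OSPF_HDR = struct.Struct("!BBH4s4sHHHBBI")
AUTYPE_MD5 = 2
DIGEST_LEN = 16

KEYS = {1: "passport1234"}     # key ID 1 and secret from the steps above
HELLO_BODY = bytes(20)         # constructed placeholder for a Hello body


def pad_key(secret):
    """Pad the shared secret to the 16-byte key field (assumed zero padding)."""
    raw = secret.encode("ascii")
    if len(raw) > DIGEST_LEN:
        raise ValueError("MD5 key longer than 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def sign(router_id, area_id, body, key_id, seq, secret):
    """Build an OSPF packet and append MD5(packet || padded key)."""
    header = OSPF_HDR.pack(
        2, 1, OSPF_HDR.size + len(body),      # version 2, type 1 (Hello), length
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0,                                    # checksum is not computed for AuType 2
        AUTYPE_MD5, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(secret)).digest()


def verify(wire, keys, last_seq):
    """Return 'ok' or the reason a receiving router discards the packet."""
    if len(wire) < OSPF_HDR.size + DIGEST_LEN:
        return "truncated"
    (_ver, _type, length, _rid, _area, _cksum,
     autype, _zero, key_id, auth_len, seq) = OSPF_HDR.unpack(wire[:OSPF_HDR.size])
    if autype != AUTYPE_MD5:
        return "authentication type mismatch"
    if key_id not in keys:
        return "unknown key id"
    if auth_len != DIGEST_LEN or len(wire) != length + auth_len:
        return "bad length"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return "digest mismatch"
    if seq < last_seq:                        # older than the last packet accepted
        return "stale sequence number"
    return "ok"


def run_cases():
    """Run constructed packets through the receiver check."""
    good = sign("1.1.1.3", "0.0.0.0", HELLO_BODY, 1, 100, "passport1234")
    spaced = sign("1.1.1.3", "0.0.0.0", HELLO_BODY, 1, 100, "passport 1234")
    other_key = sign("1.1.1.3", "0.0.0.0", HELLO_BODY, 2, 100, "passport1234")
    tampered = bytearray(good)
    tampered[30] ^= 0x01                      # one bit changed inside the body
    no_auth = good[:14] + b"\x00\x00" + good[16:]   # AuType rewritten to 0
    return {
        "matching key": verify(good, KEYS, 99),
        "key typed with a space": verify(spaced, KEYS, 99),
        "key id not configured": verify(other_key, KEYS, 99),
        "body altered in transit": verify(bytes(tampered), KEYS, 99),
        "router without authentication": verify(no_auth, KEYS, 99),
        "old packet seen again": verify(good, KEYS, 101),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:32s} {result}")
```

Both neighbors must hold the same key ID and the same key string; a key entered as passport 1234 (with a space) on one side produces a digest mismatch, so the adjacency never forms.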

Configuring an OSPF stub area


A stub area does not receive advertisements for external routes (AS-external
LSAs, type 5) from an Area Border Router, which reduces the size of the link state
database. Instead, routing to external destinations from within a stub area is based
simply on the default route originated by a stub area border router. A stub area has
only one area border router. Any packets destined outside the area are simply
routed to that area border exit point where the packets are examined by the area
border router and forwarded to a destination. ASBRs cannot be supported within
a stub area. Without AS-external LSAs, stub areas cannot support virtual links.


For this example, you create a stub area and two new VLANs, as follows:

• Create a stub area with an area ID of 0.0.0.2.
• Create VLAN 2 using untagged port 12.
• Add stub area to VLAN 2.
• Create VLAN 3 using untagged port 49.
• Enable OSPF on VLAN 3.
• Add OSPF router ID 10.50.1.1.

Figure 267 illustrates this configuration example.

Figure 267 Configuration example — OSPF stub area

[Figure: a Passport 1648T with VLAN 2 (10.50.1.1/24) in Stub Area 2, connected over VLAN 3 (10.1.1.68/30, .69 to .70) to a Passport 8600 in Area 0.]

Configuration example — configuring a stub area

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs” and Chapter 10, “Configuring ARP, RIP, and
OSPF.”

1 Enable OSPF globally:
PP1648T:4# enable ospf
2 Create a stub area with an area ID of 0.0.0.2:
PP1648T:4# create ospf area 0.0.0.2 type stub
3 Add VLAN 2:
a The following command creates VLAN 2 with a VLAN name of vlan_2:
PP1648T:4# create vlan vlan_2 vid 2
b The following command adds untagged port 12 to VLAN 2:
PP1648T:4# config vlan vlan_2 add untagged 12
c The following command creates an IP interface with the name ip_2 and adds it to VLAN 2:
PP1648T:4# create ipif ip_2 10.50.1.1/24 vlan_2 state enabled
4 Add OSPF stub area 2 to VLAN 2:
PP1648T:4# config ospf ipif ip_2 area 0.0.0.2 state enable
5 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled
6 Enable OSPF on VLAN 3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.2 state enable
7 Add an OSPF router ID of 10.50.1.1:
PP1648T:4# config ospf router_id 10.50.1.1
8 Save the configuration:
PP1648T:4# save

Configuring OSPF route distribution


For this example, you configure the Passport 1600 switch to redistribute:

• OSPF routes to RIP
• RIP to OSPF using External Type 1 metrics
• Local interfaces to OSPF using External Type 1 metrics

Figure 268 illustrates this configuration example.

Figure 268 Configuration example — OSPF route distribution

[Figure: a RIP router (.78) connected over VLAN 4 (10.1.1.76/30) to the Passport 1648T (.77), which acts as the ASBR and connects over VLAN 3 (10.1.1.68/30, .69 to .70) to OSPF Area 0.]

Configuration example — configuring OSPF route distribution

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs,” Chapter 10, “Configuring ARP, RIP, and
OSPF,” and Chapter 11, “Configuring IP routes and route redistribution.”

1 Enable OSPF globally:
PP1648T:4# enable ospf
2 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled
3 Enable OSPF on VLAN 3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.2 state enable
4 Add an OSPF router ID of 10.1.1.69:
PP1648T:4# config ospf router_id 10.1.1.69
5 Configure an OSPF router priority of 0 for IP interface ip_3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.0 priority 0
6 Add VLAN 4:
a The following command creates VLAN 4 with a VLAN name of vlan_4:
PP1648T:4# create vlan vlan_4 vid 4
b The following command adds untagged port 12 to VLAN 4:
PP1648T:4# config vlan vlan_4 add untagged 12
c The following command creates an IP interface with the name ip_4 and adds it to VLAN 4:
PP1648T:4# create ipif ip_4 10.1.1.77/30 vlan_4 state enabled
7 Add RIP to VLAN 4:
PP1648T:4# config rip ipif ip_4 state enabled
8 Configure VLAN 4 to operate in RIP version 2 only:
PP1648T:4# config rip ipif ip_4 tx_mode v2_only rx_mode v2_only
9 Enable RIP:
PP1648T:4# enable rip
10 Configure route redistribution from OSPF to RIP:
PP1648T:4# create route redistribute dst rip src ospf all
11 Configure route redistribution to redistribute RIP routes to OSPF using a metric value of Type-1:
PP1648T:4# create route redistribute dst ospf src rip mettype 1
12 Configure route redistribution to redistribute the Passport 1600 local interfaces to OSPF using a metric value of Type-1:
PP1648T:4# create route redistribute dst ospf src local mettype 1
13 Save the configuration:
PP1648T:4# save

Configuring RIP base


For this example, you create two VLANs, as follows:

• Create VLAN 2 using untagged port 12
• Create VLAN 3 using untagged GigE port 49
• Enable RIP for both VLAN 2 and VLAN 3

Figure 269 illustrates this configuration example.

Figure 269 Configuration example — RIP base

[Figure: a Passport 1648T running RIP, with VLAN 2 (10.50.1.0/24, switch address .1) and VLAN 3 (10.1.1.68/30, .69 to .70).]

Configuration example — configuring RIP base


This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 6, “Configuring VLANs” and Chapter 10, “Configuring ARP, RIP, and
OSPF.”

1 Enable RIP globally:
PP1648T:4# enable rip
2 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled
3 Enable RIP on VLAN 3:
PP1648T:4# config rip ipif ip_3 state enable
4 Add VLAN 2:
a The following command creates VLAN 2 with a VLAN name of vlan_2:
PP1648T:4# create vlan vlan_2 vid 2
b The following command adds untagged ports 12, 13, and 14 to VLAN 2:
PP1648T:4# config vlan vlan_2 add untagged 12-14
c The following command creates an IP interface with the name ip_2 and address 10.50.1.1/24 and adds it to VLAN 2:
PP1648T:4# create ipif ip_2 10.50.1.1/24 vlan_2 state enabled
5 Enable RIP on VLAN 2:
PP1648T:4# config rip ipif ip_2 state enable
6 Save the configuration:
PP1648T:4# save
7 Use the following show commands:
PP1648T:4# show rip
PP1648T:4# show rip ipif <ipif name>
PP1648T:4# show iproute
PP1648T:4# show ipif
PP1648T:4# show arpentry
PP1648T:4# ping <ip address>
PP1648T:4# traceroute <ip address>
PP1648T:4# traceroute <ip address> {ttl <value 1-60>|port <value 30000-64900>|timeout <sec 1-65535>|probe <value 1-9>}

Selecting Tx and Rx RIP v2 mode


By default, the Passport 1600 Series switch uses RIP v1_compatible transmit
mode and RIP v1_and_v2 receive mode. This allows the Passport 8600 to operate
in both RIP modes of operation.

The Passport 1600 supports four transmit modes:

• Disabled – indicates that no RIP updates are sent on this interface
• V1_only – specifies that only RIP v1 updates are sent
• V2_only – specifies that only RIP v2 updates are sent
• V1_compatible – specifies that only broadcast RIP v2 updates are sent

The Passport 1600 supports four receive modes:

• Disabled – prevents the reception of RIP packets
• V1_only – specifies that only RIP v1 packets will be accepted
• V2_only – specifies that only RIP v2 packets will be accepted
• V1_and_v2 – specifies that both RIP v1 and v2 packets will be accepted

Configuration example — configuring RIP TX and RX mode to v2

To configure the RIP transmit and receive mode to version 2, use the following
command:

PP1648T:4# config rip ipif ip_4 tx_mode v2_only rx_mode v2_only state enabled

For more information about this command, see Chapter 10, “Configuring ARP,
RIP, and OSPF.”

Configuring broadcast and multicast storm control


You can configure the Passport 1600 Series switch to limit the amount of
broadcast or multicast traffic received on a port. The threshold is expressed as a
percentage from 10 to 100 percent.

For more information about the commands used in this section, see Chapter 9,
“Configuring traffic filters.”

Configuration example — enabling thresholds


To enable broadcast threshold, use the following command:

PP1648T:4# config traffic control <port number> broadcast enabled threshold <percentage 10-100>

To enable multicast threshold, use the following command:

PP1648T:4# config traffic control <port number> multicast enabled threshold <percentage 10-100>


Displaying thresholds

To display the configured thresholds, use the following show commands:

PP1648T:4# show traffic control


PP1648T:4# show traffic control ports <port list>

Configuring egress queue weight


The Passport 1600 Series switch contains 4 hardware priority queues. Three of
these queues use Deficit Weighted Round Robin, while the fourth uses Strict
Priority. Incoming packets are mapped to one of these four queues. By default,
the weight is assigned evenly for all the Deficit Weighted Round Robin ports. To
view the queues, use the following command:

PP1648T:4# show scheduling


Command: show scheduling

Port Scheduling Table:


Port Traffic Class 0 Traffic Class 1 Traffic Class 2 Traffic Class 3
------ --------------- --------------- --------------- ---------------
1 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority
2 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority
3 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority
4 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority
5 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority
6 WRR Sched 6 WRR Sched 6 WRR Sched 6 Strict Priority

The output from the show scheduling command shows that the weights
assigned to Traffic Classes 0 to 2, inclusive, are all configured to the same value
of 6. You can change this value, using a range from 0 to 255. This value specifies
the maximum number of packets a given hardware priority queue can transmit
before allowing the next lowest hardware priority queue to begin transmitting its
packets. For example, if you specify 3, then the highest hardware priority queue
(number 3) is allowed to transmit 3 packets; the next lowest hardware priority
queue (number 2) is allowed to transmit 3 packets, and so on, until all of the
queues have transmitted 3 packets. The process then repeats.


For this example, you prioritize traffic on egress port 39, as shown below:

802.1p value   Default PP1600 priority queue   Configured queue weight desired
------------   -----------------------------   -------------------------------
5,6            2                               65%
3,4            1                               25%
0,1,2          0                               10%

Figure 270 Configuration example — egress queue weight

[Figure: a Passport 1648T receiving ingress traffic marked 802.1p = 2, 802.1p = 3, and 802.1p = 5, and sending it out on egress port 39.]

Configuration example — configuring port scheduling

This section shows how to configure the Passport 1600 Series switch for this
example. For more information about the following commands, see Chapter 8,
“Configuring QoS.”

PP1648T:4# config scheduling ports 39 class_id 0 max_packet 25
PP1648T:4# config scheduling ports 39 class_id 1 max_packet 65
PP1648T:4# config scheduling ports 39 class_id 2 max_packet 165

Configuring QoS and IP filtering


To configure filters on the Passport 1600, you perform the following steps:

1 Configure the template mode
2 Configure the flow classifiers
3 Configure the template rule
4 Add the template rule to a VLAN

For more information about the commands used in the following sections, see
Chapter 8, “Configuring QoS.”

Step 1: Configuring the template mode

The Passport 1600 supports two base templates that can be programmed in one of
three modes:

• Security – when a template operates in security mode, it acts like a source IP
filter. Packets that match a rule are considered dangerous to network security
and are unconditionally dropped.
• QoS – when a template operates in QoS mode, packets that match require
some level of bandwidth guarantee.
• L4_switch – when a template operates in l4_switch mode, you must further
define the combination of packet header fields (IP and L4 header) to be
examined.

To configure Template 1:

PP1648T:4# config flow_classifier template_1 mode <security qos l4_switch>

To configure Template 2:

PP1648T:4# config flow_classifier template_2 mode <security qos l4_switch>

Step 2: Configuring the flow classifiers

The following sections describe how to configure the L4_switch and the QoS flow
classifiers.

Configuring the L4_switch flow classifier

By default, the L4_switch classifier is used for Template 1. When configuring the
L4_switch template mode, there are three types of sessions available, with various
fields available under each session.

• TCP Session
• UDP Session
• Other Session

The following displays the various fields available for each session:

• Tcp_session field options
— dip – whether the destination IP address must be checked
— sip – whether the source IP address must be checked
— tos – whether the IP ToS field must be checked
— dst_port – whether the destination TCP port number must be checked
— src_port – whether the source TCP port number must be checked
— tcp_flags – whether the TCP flags must be checked
• Udp_session field options
— dip – whether the destination IP address must be checked
— sip – whether the source IP address must be checked
— tos – whether the IP ToS field must be checked
— dst_port – whether the destination UDP port number must be checked
— src_port – whether the source UDP port number must be checked
• Other_session field options
— dip – whether the destination IP address must be checked
— sip – whether the source IP address must be checked
— tos – whether the IP ToS field must be checked
— l4_protocol – whether the L4 protocol must be checked
— icmp_msg – whether the ICMP message must be checked
— igmp_type – whether the IGMP type must be checked

Configuration examples — configuring the L4_switch classifier

To configure TCP session fields, use the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}

For example, if you want the switch to search for the TCP destination port and
destination IP address only in an incoming packet’s TCP header, enter the
following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip dst_port

To configure UDP session fields, use the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session udp_session fields {dip|sip|tos|dst_port|src_port}

To configure Other session fields, use the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}

To configure all optional settings, enter the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip sip tos dst_port src_port tcp_flags udp_session fields dip sip tos dst_port src_port other_session fields dip sip tos l4_protocol icmp_msg igmp_type

Configuring the QoS flow classifier

By default, the QoS classifier is used for Template 2. The following list defines
what characteristics an incoming packet must meet:

• 802.1p
• DSCP
• IP
• TCP
• UDP


Configuration example — configuring the QoS flow classifier

To configure the QoS flow classifier, enter the following command:

PP1648T:4# config flow_classifier template_id 2 mode_parameters qos_flavor <802.1p dscp dst_ip dst_tcp_port dst_udp_port>

Step 3: Configuring the template rule

Once the template and flow classifier have been configured, you need to configure
a template rule. When configuring the template rule, you need to define which
template ID to use: L4_switch or QoS. The list of available options depends on
how you configured the flow classifier.

Configuration example — using the L4_switch template

Depending on the flow classifier fields you selected (see page 440), enter all the
appropriate fields. The following command is an example using TCP session:

PP1648T:4# create l4_switch_rule template_id <1-2> tcp_session fields sip <src IP address> tos <ToS value in hex> dst_port <dst TCP port number> src_port <src TCP port number> action {drop|forward|redirect}

Configuration example — using the QoS template

Depending on the flow classifier fields you selected (see page 442), enter all the
appropriate fields. The following command is an example using IP as the selected
QoS flow classifier:

PP1648T:4# create qos_rule template_id <1-2> dst_tcp_port <TCP Port Number> priority <1-7>

Step 4: Binding the template rule to a VLAN

The final step is to bind the template rule or rules configured in Step 3 to the
appropriate VLAN or VLANs.

Note: You can only bind one template ID to a VLAN.

Configuration example — adding the template to a VLAN

To add the template to the appropriate VLAN, enter the following command:

PP1648T:4# config flow_classifier vlan <vlan_name> attach template_id <value 1-2>

Once the filter has been defined, you can view the flow classifier configuration by
entering the following command:

PP1648T:4# show flow_classifier

Setting QoS priority for destination TCP flows


For this example, you prioritize traffic, based on the TCP destination port number,
and apply the QoS priority to all the ingress VLANs. Prioritize the traffic, using
the following numbers:

• Destination TCP Port = 80 to QoS Level 0


• Destination TCP Port = 23 to QoS Level 3
• Destination TCP Port = 21 to QoS Level 5

Figure 271 illustrates this configuration example.

Figure 271 Configuration example — setting QoS priority

[Figure: a Passport 1648T with ingress VLAN 10 (192.85.10.1/24), VLAN 11 (192.85.11.1/24), and VLAN 12 (192.85.11.1/24), and egress on port 39 in VLAN 13 (192.85.13.1/24).]

Configuration example — setting QoS Priority for destination TCP flows

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section, see
Chapter 8, “Configuring QoS.”

After you configure the appropriate VLAN and IP addresses, create the IP
template.

By default, the template mode for QoS is already enabled using ID = 2. If it is not,
enter the following command:

PP1648T:4# config flow_classifier template_2 mode qos

To configure the QoS flow classifier, enter the following command:

PP1648T:4# config flow_classifier template_id 2 mode_parameters qos_flavor dst_tcp_port

To configure the QoS template rule, enter the following commands:

PP1648T:4# create qos_rule template_id 2 dst_tcp_port 80 priority 0
PP1648T:4# create qos_rule template_id 2 dst_tcp_port 23 priority 3
PP1648T:4# create qos_rule template_id 2 dst_tcp_port 21 priority 5

To attach the newly created template rule to all the appropriate VLANs, enter the
following commands:

PP1648T:4# config flow_classifier vlan 10 attach template_id 2
PP1648T:4# config flow_classifier vlan 11 attach template_id 2
PP1648T:4# config flow_classifier vlan 12 attach template_id 2

Dropping TCP flows


For this example, you drop both TELNET and FTP traffic egressing from VLAN
10 only.

Figure 272 illustrates this configuration example.

Figure 272 Configuration example — dropping TCP flows

[Figure: a Passport 1648T with ingress VLAN 10 (192.85.10.1/24), VLAN 11 (192.85.11.1/24), and VLAN 12 (192.85.11.1/24), and egress on port 39 in VLAN 13 (192.85.13.1/24).]

Configuration example — dropping TCP flows

This section describes how to configure filtering for the Passport 1600 Series
switch for this example, which assumes that you’ve already configured VLAN 10,
VLAN 11, and VLAN 12. For more information about the commands used in this
section, see Chapter 8, “Configuring QoS.”

After you’ve configured the VLANs and IP addresses, you create the IP template.
By default, the template mode for L4_switch is already enabled using ID = 1. If it
has not already been enabled, enter the following command:

PP1648T:4# config flow_classifier template_1 mode l4_switch


To configure the L4_switch flow classifier, enter the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dst_port

To configure the L4_switch template rule, enter the following commands:

PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dst_port 21 action drop
PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dst_port 23 action drop

To attach the newly created template rule to the appropriate VLAN, enter the
following command:

PP1648T:4# config flow_classifier vlan 10 attach template_id 1

Viewing the template rule

To view the template rule, enter the following command:

PP1648T:4# show template_rule template_id 1

Filtering MAC addresses


The Passport 1600 Series switch can be configured to filter specific MAC
addresses on a per-VLAN basis.

For this example, you add a filter to drop the MAC address 00:00:00:00:00:0a from
VLAN 10.

Figure 273 illustrates this configuration example.

Figure 273 Configuration example — filtering MAC addresses

[Figure: a Passport 1648T with ingress VLAN 10 (192.85.10.1/24) and egress on port 39 in VLAN 13 (192.85.13.1/24).]

Configuration example — filtering MAC addresses

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section see
Chapter 9, “Configuring traffic filters.”

To add the MAC filter, enter the following command:

PP1648T:4# create fdbfilter vlan 10 mac_address 00-00-00-00-00-0A

To delete the MAC filter, enter the following command:

PP1648T:4# delete fdbfilter vlan 10 mac_address 00-00-00-00-00-0a

Viewing the fdb filter

To view the fdb filter, enter the following command:

PP1648T:4# show fdbfilter


Configuring forward-to-next-hop
When you use the L4_switch template mode, one of the action items is redirect,
which provides a forward-to-next-hop action.

For this example, you perform the following tasks:

• For all FTP traffic to host 192.4.4.3, use a next-hop of 10.1.1.74 to the
Passport 8600B, instead of the shortest hop of 10.1.1.70 to the Passport
8600A.
• Use the shortest next-hop of 10.1.1.70 in case 10.1.1.74 should fail.
• Configure the Passport 1648T with an ACL to filter on destination IP =
192.4.4.3 and TCP port = 23, with a redirect (forward-to-next-hop) action to
10.1.1.74.

Figure 274 illustrates this configuration example.

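Figure 274 Configuration example — forward-to-next-hop

[Figure: a host at 192.85.10.3/24 in VLAN 10 (switch address .1) on the Passport 1648T; the 1648T links to the Passport 8600A over 10.1.1.68/30 (.69 to .70) and to the Passport 8600B over 10.1.1.72/30 (.73 to .74); the destination host is 192.4.4.3/24.]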

Configuration example — forward-next-hop

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section see
Chapter 8, “Configuring QoS.”

By default, the template mode for L4_switch is already enabled using ID = 1. If it
is not, use the following command:

PP1648T:4# config flow_classifier template_1 mode l4_switch

1 Configure the L4_switch flow classifier:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip dst_port
2 Configure the L4_switch template rule:
PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dip 192.4.4.3 dst_port 21 action redirect 10.1.1.74 unreachable_next_hop forward
3 Attach the newly created template rule to all the appropriate VLANs:
PP1648T:4# config flow_classifier vlan 10 attach template_id 1
4 Use the following show command to view the configuration:
PP1648T:4# show flow_classifier

Flow Template Table:

Template ID: 1                       Template ID: 2
Template Mode: L4_SWITCH             Template Mode: QOS
TCP Session: DST_IP DST_Port         QoS Flavor: DESTINATION_TCP_PORT
UDP Session:
Other Session:
Rule Number: 1                       Rule Number: 0
Attached Vlan:                       Attached Vlan:
10

Filtering IP addresses
You can configure the Passport 1600 Series switch to filter on specific destination
IP addresses. Unlike MAC filtering, IP filtering is not associated with a VLAN or
port; it is applied globally on the Passport 1600.

For this example, you add an IP filter to block forwarding to IP address 10.1.1.10.

Figure 275 illustrates this example.

Figure 275 Configuration example — filtering IP addresses

[Figure: a Passport 1648T with ingress VLAN 10 (192.85.10.1/24) and egress on port 39 in VLAN 13 (192.85.13.1/24).]

Configuration example — filtering IP addresses

This section describes how to configure the Passport 1600 Series switch for this
example. For more information about the commands used in this section see
Chapter 9, “Configuring traffic filters.”

To create a destination IP Filter, enter the following command:

PP1648T:4# create ipfilter type dst ip_address 192.85.10.10

To delete the IP filter, enter the following command:

PP1648T:4# delete ipfilter type dst ip_address 192.85.10.10

Viewing the IP filter

To view the destination IP filter, enter the following command:

PP1648T:4# show dst_ipfilter

Dropping fragmented IP packets


The Passport 1600 Series switch has a global parameter that enables you to allow
or drop fragmented IP packets. Unless the IP Fragment field is 0x00 or 0x4000, all
packets will be dropped by the Passport 1600. For more information about the
commands used in this section, see Chapter 9, “Configuring traffic filters.”


To enable the Passport 1600 to drop fragmented packets, enter the following
command:

PP1648T:4# enable ip_fragment_filter

To display the status of the IP Fragment filter, enter the following command:

PP1648T:4# show ip_fragment_filter
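
The two pass values map onto the IPv4 header as follows: the 16-bit field at byte offset 6 holds three flag bits and a 13-bit fragment offset, so 0x0000 and 0x4000 (Don't Fragment set) are the only values a well-formed unfragmented packet carries. The following is an added example, not the switch's own code; the sample headers and addresses are constructed.

```python
import struct

PASS_VALUES = (0x0000, 0x4000)   # field values the manual says are not dropped


def ipv4_header(flags_frag, proto=6, src=(192, 85, 10, 3), dst=(192, 4, 4, 3)):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 40, 1,       # version/IHL, ToS, total length, ID
                       flags_frag,           # flags (3 bits) + fragment offset (13 bits)
                       64, proto, 0,         # TTL, protocol, checksum
                       bytes(src), bytes(dst))


def classify(packet):
    """Return (verdict, description) for one IPv4 packet under the fragment filter."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (field,) = struct.unpack("!H", packet[6:8])
    reserved = bool(field & 0x8000)
    dont_fragment = bool(field & 0x4000)
    more_fragments = bool(field & 0x2000)
    offset = (field & 0x1FFF) * 8            # offset is carried in 8-byte units
    if more_fragments and offset == 0:
        kind = "first fragment"
    elif offset:
        kind = "fragment at byte offset %d" % offset
    elif reserved:
        kind = "reserved bit set"
    elif dont_fragment:
        kind = "unfragmented, DF set"
    else:
        kind = "unfragmented"
    verdict = "forward" if field in PASS_VALUES else "drop"
    return verdict, kind


if __name__ == "__main__":
    for value in (0x0000, 0x4000, 0x2000, 0x00B9, 0x8000):
        print("0x%04X" % value, classify(ipv4_header(value)))
```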

Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1
452 Chapter 17 CLI configuration examples

316862-A Rev 00
453

Index

A roadmap of VLAN CLI commands 156, 163,


171
adding ports to a VLAN 158
commands
options 157, 159
basic switch 45
assigning IP address ranges to VLANs 227 config account 49
available commands prompt 43 config flow classifier template_id mode
options 192
B config flow_classifier template_id
mode_parameters 193
basic switch CLI commands, roadmap 46 options 194
binding a flow classifier template 196 config flow_classifier template_id mode 192
config flow_classifier vlan 196
C config ipif System
options 166
cable, serial 36 config link_aggregation 182
changing the switch serial port settings 57 options 182
options 58 config mirror port 395
CLI config scheduling 220
roadmap of basic switch CLI commands 46 options 221
roadmap of IGMP commands 354, 381 config serial_port 57
roadmap of IP address filter and interface CLI options 58
commands 228 config stp 80
roadmap of link aggregation CLI options 81
commands 180 config traffic control 241
roadmap of MAC address filter CLI options 241
commands 232, 236, 251 config vlan add 158
roadmap of MD5 CLI commands 290 options 157, 159
roadmap of port configuration CLI config vlan delete 159
commands 73, 87 configuring a range of router ports 361
roadmap of QoS CLI commands 186 options 361
roadmap of route redistribution CLI configuring an IP interface 164
commands 300 configuring IGMP 355
roadmap of route table CLI commands 296 options 355
roadmap of storm control CLI commands 240 configuring IGMP snooping 358
roadmap of STP CLI commands 80 options 359
configuring IGMP snooping querier 360


options 360 delete ipfilter 200, 203, 205, 229, 231


configuring ports 74, 93, 131, 133, 135, 136, options 200, 203, 205, 230, 231
137, 139, 140, 142, 143, 144, 145, 146, 147, delete ipif
148, 149, 150, 152, 153 options 165
options 75, 77, 130, 131, 132, 133, 135, 136, delete l4_switch_rule 214
138, 139, 140, 142, 143, 144, 145, 146, options 214
147, 148, 149, 151, 152, 153, 154 delete link_aggregation 181
configuring route redistribution options 181
between OSPF and RIP 307 delete mac_priority 223
between OSPF and RIP, options 307 options 224
between RIP and OSPF 305 delete mirror port 396
between RIP and OSPF, options 306 delete qos_rule 209
create fdbfilter 215, 233, 237, 238, 239, 251, options 209
252, 253 delete vlan 158
options 215, 233, 237, 238, 239, 251, 252, deleting a route redistribution 304
253 options 304
create ipfilter 197, 201, 228 deleting an IP route 298
options 198, 202, 229 dir 40
create ipif 163 disable clipaging 59
create l4_switch_rule disable ip_fragment_filter 219
options 211 disable ipif 168
create link_aggregation 180 options 168
options 181 disable mirror 398
create mac_priority 222 disable stp 82
options 222 disable TELNET 61, 62
create qos_rule 206 display fdbfilter
options 207 options 217
create user account 47, 102, 106, 110, 111, 112, displaying current IGMP snooping
113, 114, 115, 117, 118, 119, 120, 122, 128, configuration 364
313, 316, 319, 321, 322 options 365
options 48, 103, 107, 110, 111, 112, 113, displaying current port configuration 76, 78
115, 116, 117, 118, 119, 121, 122, 128, options 76, 78
313, 316, 319, 321, 322 displaying IGMP group settings 358
create vlan 156 options 358
create_l4_switch_rule 210 displaying IGMP IP interface settings 357
creating an IP route 297 options 357
options 297 displaying IGMP snooping forwarding
creating route redistribution table 369
OSPF to RIP 302 options 369
OSPF to RIP, options 303 displaying IGMP snooping groups 367
RIP to OSPF 300 options 367
RIP to OSPF, options 301 displaying IP routes 298
delete fdbfilter 216, 233 options 298
options 216, 234 displaying route redistribution settings 308


options 308 show vlan 160


displaying the list of router ports 370 options 161
options 370 sub-commands and parameters 43
download configuration 65 top-level 43
download firmware 65 up arrow 42
options 66 configuration examples
downloading and uploading files 64 configuring an OSPF stub area 420
enable clipaging 58 configuring broadcast control 428
enable ip_fragment_filter 218 configuring egress queue weight 429
enable ipif 167 configuring OSPF MD5 authentication 419
enable mirror 397 configuring OSPF route redistribution 422
enable stp 82 configuring QoS and IP filtering 430
enable TELNET 60, 61 configuring RIP base 425
options 60, 62 configuring the default VLAN 404
globally disabling IGMP snooping 364 creating port-based VLANs 408
globally enabling IGMP snooping 362 disabling Spanning Tree 411
options 363 dropping fragmented IP packets 442
login 71 dropping TCP flows 437
logout 71 enabling OSPF 413
question mark (?) 40 filtering IP addresses 441
reboot 69 filtering MAC addresses 438
reset 70 resetting switch to factory defaults 404
options 70 selecting tx and rx RIP v2 mode 427
save 63 setting QoS priority for destination TCP
show account 49 flows 435
show fdbfilter 217, 234
configure a mirror port 395
options 235
show flow_classifier template_id mode 195 configuring a link aggregation group 182
show ip_fragment_filter 219 options 182
show ipif System 168 configuring a range of router ports 361
options 169 options 361
show link_aggregation 183 configuring an existing user account 49
options 184
configuring an IP interface 164
show mac_priority 224
options 225 configuring broadcast storm control 241
show mirror 398 options 241
show serial_port 56 configuring flow classifier template mode
show session 55 parameters
show stp 83 options 194
show stp_ports 85 configuring IGMP 355
options 85 options 355
show switch 55
configuring IGMP snooping 358
show traffic control 242
options 359
options 242


configuring IGMP snooping querier 360 creating a user account 47, 102, 106, 110, 111,
options 360 112, 113, 114, 115, 117, 118, 119, 120, 122, 128,
configuring ports 74, 93, 131, 133, 135, 136, 137, 313, 316, 319, 321, 322
139, 140, 142, 143, 144, 145, 146, 147, 148, 149, options 48, 103, 107, 110, 111, 112, 113, 115,
150, 152, 153 116, 117, 118, 119, 121, 122, 128, 313, 316,
options 75, 77, 130, 131, 132, 133, 135, 136, 319, 321, 322
138, 139, 140, 142, 143, 144, 145, 146, 147, creating a VLAN 156
148, 149, 151, 152, 153, 154 creating an IP filter for a flow classification
configuring route redistribution template 197, 201, 228
between OSPF and RIP 307 options 198, 202, 229
options 307 creating an IP interface 163
between RIP and OSPF 305
creating an IP route 297
options 306
options 297
configuring scheduling 220
creating an L4 switch rule 210
options 221
options 211
configuring STP on the switch 80
creating route redistribution
options 81
OSPF to RIP 302
configuring the flow classifier template mode options 303
parameters 193 RIP to OSPF 300
configuring the flow classifier template operating options 301
mode 192 customer support 33
options 192
configuring the system IP interface D
options 166
defaults
Console port
login names and passwords 39
connecting 35
interface description 35 deleting a forwarding database filter 216
options 216
conventions, text 31
deleting a link aggregation group 181
creating a forwarding database filter 215
options 181
options 215
deleting a MAC address filter 233
creating a link aggregation group 180
options 234
options 181
deleting a MAC priority entry 223
creating a MAC address filter 233, 237, 238, 239,
251, 252, 253 deleting a mac priority entry
options 233, 237, 238, 239, 251, 252, 253 options 224
creating a MAC priority entry 222 deleting a mirror port 396
options 222 deleting a QoS rule 209
creating a QoS rule 206 options 209
options 207 deleting a route redistribution 304
options 304


deleting a VLAN 158 displaying mac priority entries


deleting an IP filter from a flow classification options 225
template 200, 203, 205, 229, 231 displaying route redistribution settings 308
options 200, 203, 205, 230, 231 options 308
deleting an IP interface displaying the current IP interface
options 165 configuration 168
deleting an IP route 298 options 169
deleting an L4 switch rule 214 displaying the current port mirror settings 398
options 214 displaying the flow classifier template mode 195
deleting ports on a VLAN 159 displaying the list of router ports 370
disabling an IP interface 168 options 370
options 168 displaying the status of an STP port group 85
disabling CLI paging 59 options 85
disabling port mirroring on the switch 398 displaying the status of the IP fragment filter 219
disabling TELNET as a communication displaying the switch MAC address filters 234
protocol 61, 62 options 235
disabling the IP fragment filter 219 downloading a configuration file 65
displaying a forwarding database filter 217 downloading and uploading file commands 64
options 217 downloading switch firmware 65
displaying a link aggregation configuration 183 options 66
options 184
displaying current IGMP snooping E
configuration 364 enabling an IP interface 167
options 365
enabling CLI paging 58
displaying current port configuration 76, 78
enabling port mirroring on the switch 397
options 76, 78
enabling TELNET connections 60, 61
displaying current VLAN configuration 160
options 60, 62
options 161
enabling the IP fragment filter 218
displaying IGMP group settings 358
options 358
displaying IGMP IP interface settings 357 F
options 357 filtering database
displaying IGMP snooping forwarding table 369 filters packets off the network 232
options 369 segments network and control
displaying IGMP snooping groups 367 communication 232
options 367
displaying IP routes 298 G
options 298 globally disabling IGMP snooping 364
displaying MAC priority entries 224


globally enabling IGMP snooping 362 M


options 363
MAC address filter CLI commands, roadmap 232,
236, 251
H MAC address filtering 232
helpful editing commands MD5
dir 40 CLI commands, roadmap 290
question mark (?) 40 definition 289
up arrow 42 key table entry definitions 290
usage 289
I multiple page display keys 43
IGMP
join and leave messages 353 N
snooping function 353
next possible completions message 41
IGMP CLI commands, roadmap 354, 381
IP address filter and interface CLI commands,
roadmap 228
P
IP address filters and interfaces 227 Passport 1600 Series switch
available commands prompt 43
IP multicast
line editing keys 42
IGMP join and leave messages 353
multiple page display keys 43
IGMP’s role in multicast groups 353
next possible completions message 41
obtaining multicast group membership 353
port mirroring 395
receiving multicast packets 353
passwords
IP routing
default 39
based on network addresses 296
ping command 400
port configuration
L CLI commands, roadmap 73, 87
line editing keys 42 port mirroring 395
link aggregation product support 33
1600 Series switch support 179
protocol settings, terminal 36
master port configuration 179
participating ports 179 publications, hard copy 33
purpose 179
link aggregation CLI commands, roadmap 180 Q
logging into the switch 71 QoS
logging out of the switch 71 CLI commands, roadmap 186
login names command overview 191
default 39 configuring and utilizing hardware queues 185
establishing a scheme 189
template operating modes 190


l4_switch mode 190 configuring 345


qos mode 190 displaying configuration 346
security mode 190 displaying trusted hosts 347
template_id 1 and template_id 2 190 location
configuring 345
R overview of 337
system name
rebooting the switch 69 configuring 344
resetting the switch 70 trap receivers
options 70 creating 349
RMON, enabling 399 deleting 350
traps
route redistribution
disabling authentication of 352
between OSPF and RIP 299
disabling transmission of 351
CLI commands, roadmap 300
enabling authentication of 351
definition 299
enabling transmission of 350
operation 299
managing 348
route table trusted host
CLI commands, roadmap 296 creating 342
route table entries deleting 342
corresponding network addresses and storm control
gateways 296 assigns thresholds for each packet type 240
default gateways 296 limits the not found (dlf) packets 240
RS-232 Console port 35 storm control CLI commands, roadmap 240
STP
S blocks duplicate links 79
CLI commands, roadmap 80
saving switch configuration to NV-RAM 63
establishes a primary link 79
showing an existing user account 49 globally disabling 82
showing current switch management sessions 55 globally displaying status 83
showing current switch status 55 globally enabling 82
operates on two levels
showing the current status of the serial port 56
port level 79
showing traffic control settings 242 switch level 79
options 242 uses duplicate links when primary fails 79
SNMP support, Nortel Networks 33
community string
configuring 343
community strings T
creating 340 technical publications 33
deleting 341
technical support 33
description of 337
contact terminal protocol, setting 36


terminal, connecting 35
text conventions 31
traceroute command 401

U
understanding basic switch commands 45
using IP address filters and interfaces 227
using MAC address filtering 232
using sub-commands and parameters 43
using top-level commands 43

V
VLANs
assigning IP address ranges 227
CLI commands, roadmap 156, 163, 171
collection of end nodes 155
equate to a broadcast domain 155
grouped by logic not location 155
