Command Line Interface Reference for the Passport 1600 Series Layer 3 Switch, Version 1.1

Part No. 316862-B Rev 00
March 2004
4655 Great America Parkway, Santa Clara, CA 95054

Copyright © 2004 Nortel Networks
All rights reserved. March 2004.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and PASSPORT are trademarks of Nortel Networks.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation.
IPX is a trademark of Novell, Inc.
SSH is a trademark of SSH Communication Security.
TACACS+ is a trademark of Cisco Systems.
SecureCRT is a trademark of VanDyke Software, Inc.
SecureNetterm is a trademark of InterSoft International, Inc.
AbsoluteTelnet is a trademark of Celestial Software.
PenguiNet is a trademark of Silicon Circus Ltd.
F-Secure is a trademark of F-Secure Corporation.
The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks Inc. software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.

4. General

a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).

b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.

c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software.
Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.

d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.

e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

Contents

Tables . . . 19
Figures . . . 21

Preface . . . 31
    Before you begin . . . 32
    Text conventions . . . 33
    Hard-copy technical manuals . . . 35
    How to get help . . . 35

Setting up the switch . . . 37
    Connecting a terminal . . . 37
    Setting the switch's IP address . . . 39
    Logging on to the system . . . 41
    Entering CLI commands . . . 42
        Editing commands . . . 44
        Displaying multiple pages . . . 45
        Understanding top-level commands . . . 45

Managing switch operations . . . 47
    Roadmap of basic switch CLI commands . . . 48
    Creating an admin or user account . . . 49
    Configuring an existing user account . . . 51
    Showing an existing user account configuration . . . 51
    Deleting an existing user account . . . 52
    Configuring the command history list . . . 53
    Displaying the command history . . . 53
    Displaying all commands . . . 54
    Showing current switch management sessions . . . 57
    Showing the current status of the switch . . . 57
    Showing the current status of the switch serial port . . . 58
    Configuring the switch’s serial port . . . 59
    Enabling CLI paging . . . 60
    Disabling CLI paging . . . 61
    Enabling Telnet . . . 62
    Disabling Telnet . . . 63
    Enabling the Web-based manager . . . 63
    Disabling the Web-based manager . . . 64
    Saving the current switch configuration to NV-RAM . . . 65
    Managing files . . . 66
        Downloading switch firmware . . . 67
        Downloading a configuration file . . . 67
        Uploading a configuration file to a TFTP server . . . 69
        Uploading a log file to a TFTP server . . . 70
    Rebooting the switch . . . 71
    Resetting the switch . . . 72
    Logging in to the switch . . . 73
    Logging out of the switch . . . 73

Configuring ports . . . 75
    Roadmap of port configuration CLI commands . . . 75
    Configuring ports . . . 76
        Displaying the current port configuration . . . 77
    Configuring the management port — 1612G and 1624G . . . 78
        Displaying the current management port configuration . . . 79

Configuring Spanning Tree . . . 81
    Roadmap of Spanning Tree CLI commands . . . 82
    Configuring STP . . . 82
    Enabling STP on the switch . . . 84
    Disabling STP on the switch . . . 84
    Displaying STP status on the switch . . . 85
    Displaying STP port group status . . . 87

Security features . . . 89
    Roadmap of security features . . . 89
        Syslog commands . . . 90
        SSH commands . . . 92
        TACACS+ commands . . . 94
    Password Protection . . . 95
        Password format . . . 95
    System Log Messages . . . 96
        Receiving system log messages . . . 96
        Creating a Syslog host . . . 104
        Configuring a Syslog host . . . 108
        Configuring the maximum number of Syslog hosts . . . 112
        Deleting a Syslog host . . . 113
        Enabling a Syslog host . . . 114
        Disabling a Syslog host . . . 115
        Displaying the current Syslog configuration on the Switch . . . 116
    Enabling and disabling logging on the Switch . . . 117
    Uploading the Switch’s log and configuration to a TFTP server . . . 118
    Configuring Password aging . . . 119
        Displaying the Password aging time . . . 121
    Configuring the Switch’s Secure Mode . . . 122
        Displaying the Switch’s current secure mode . . . 124
    Secure Shell (SSH) . . . 125
        SSH version 2 (SSH-2) . . . 126
        Supported SSH clients . . . 127
        Using the CLI to configure SSH . . . 128
    Configuring Secure Shell (SSH) . . . 129
        Creating a User account . . . 130
        Configuring the SSH authorization mode . . . 131
        Displaying the Switch’s current SSH authorization mode . . . 133
        Updating an SSH user account’s authorization mode . . . 133
        Configuring the SSH encryption algorithm . . . 135
        Displaying the Current SSH encryption algorithm . . . 137
        Displaying the Switch’s current SSH Users . . . 138
        Configuring the SSH Server on the Switch . . . 139
        Displaying the current SSH Server configuration . . . 141
        Enabling and disabling the SSH Server on the Switch . . . 142
        Configuring the SSH Server to regenerate its hostkey . . . 142
    TACACS+ . . . 143
        Creating an entry to the Switch’s TACACS+ Server table . . . 144
        Configuring a TACACS+ Server entry on the Switch . . . 145
        Displaying the Switch’s TACACS+ Server table . . . 146
        Deleting an entry from the Switch’s TACACS+ Server table . . . 147
        Enabling admin-level privileges for a user-level account . . . 148
        Assigning a password to the “local enable” method . . . 149
        Configuring the login authentication settings . . . 150
        Configuring the authentication settings on the Switch . . . 150
        Configuring the authentication settings on the Switch used to promote users from user-level privileges to admin-level privileges . . . 152
        Enabling authentication . . . 154
        Disabling authentication . . . 155
        Displaying the Switch’s current authentication settings . . . 156

Configuring VLANs . . . 157
    Configuring Layer 2 operations . . . 158
        Roadmap of VLAN CLI commands . . . 159
        Creating a VLAN . . . 160
        Deleting a VLAN . . . 162
        Adding ports to a VLAN configuration . . . 162
        Deleting ports from a VLAN configuration . . . 163
        Displaying a VLAN configuration . . . 164
    Configuring Layer 3 operations . . . 166
        Roadmap of IP interface CLI commands . . . 167
        Creating an IP interface . . . 167
        Configuring an IP interface . . . 168
        Deleting an IP interface . . . 169
        Configuring the System IP interface . . . 170
        Enabling an IP interface . . . 171
        Disabling an IP interface . . . 172
        Displaying the current IP interface configuration . . . 172
    Using the forwarding database . . . 174
        Roadmap of forwarding database CLI commands . . . 175
        Creating a unicast forwarding database entry . . . 176
        Configuring a unicast forwarding database entry . . . 176
        Creating a multicast forwarding database entry . . . 177
        Configuring the multicast forwarding database . . . 178
        Deleting an entry from the forwarding database . . . 179
        Clearing the forwarding database . . . 179
        Displaying the multicast forwarding database . . . 180
        Displaying the unicast forwarding database . . . 181

Configuring link aggregation groups . . . 183
    Roadmap of CLI commands . . . 184
    Creating a link aggregation group . . . 184
    Deleting a link aggregation group . . . 185
    Configuring a link aggregation group . . . 186
        Displaying the link aggregation configuration . . . 187

Configuring QoS . . . 189
    Roadmap of CLI commands . . . 190
    Establishing a QoS scheme . . . 193
        QoS templates . . . 194
            Security mode . . . 194
            QoS mode . . . 194
            L4 switch mode . . . 195
    Command overview . . . 195
    Configuring the flow classifier template operating mode . . . 196
    Configuring flow classifier template mode parameters . . . 198
    Displaying the flow classifier template mode . . . 200
    Attaching a flow classifier template . . . 201
    Creating an IP filter for a flow classification template . . . 202
    Deleting an IP filter from a flow classification template . . . 204
    Creating a destination IP address filter . . . 205
    Deleting a destination IP address filter . . . 207
    Displaying the destination IP address filter table . . . 208
    Creating a QoS rule . . . 209
    Deleting a QoS rule . . . 212
    Creating a Layer 4 switch rule . . . 213
    Deleting a Layer 4 switch rule . . . 217
    Creating a forwarding database filter . . . 218
    Deleting a forwarding database filter . . . 219
    Displaying a forwarding database filter . . . 220
    Enabling the IP fragment filter . . . 221
    Disabling the IP fragment filter . . . 222
    Displaying the status of the IP fragment filter . . . 223
    Configuring scheduling . . . 223
    Creating a MAC priority entry . . . 225
    Deleting a MAC priority entry . . . 226
    Displaying MAC priority entries . . . 227

Configuring traffic filters . . . 229
    Configuring destination IP filters . . . 229
        Roadmap of destination IP address filter CLI commands . . . 230
        Creating a destination IP address filter . . . 230
        Deleting a destination IP address filter . . . 231
        Displaying the destination IP address filter table . . . 233
    Configuring MAC address filters . . . 234
        Roadmap of MAC address filter CLI commands . . . 234
        Creating a MAC address filter . . . 235
        Deleting a MAC address filter . . . 235
        Displaying MAC address filters . . . 236
    Configuring an ARP request rate limit . . . 237
        Roadmap of ARP request rate limit CLI commands . . . 238
        Configuring the ARP request rate limit . . . 239
        Enabling the ARP request rate limit . . . 239
        Disabling the ARP request rate limit . . . 240
        Displaying the ARP request rate limit . . . 241
    Configuring broadcast control . . . 242
        Roadmap of broadcast control CLI commands . . . 243
        Configuring traffic control . . . 243
        Displaying traffic control settings . . . 245

Configuring ARP, RIP, and OSPF . . . 247
    Configuring ARP . . . 247
        Roadmap of ARP CLI commands . . . 248
        Creating an ARP entry . . . 248
        Deleting an ARP entry . . . 249
        Configuring the ARP aging time . . . 250
        Displaying the current ARP entries . . . 250
        Clearing the ARP table . . . 251
    Configuring an ARP request rate limit . . . 252
        Roadmap of ARP request rate limit CLI commands . . . 253
        Configuring the ARP request rate limit . . . 253
        Enabling the ARP request rate limit . . . 254
        Disabling the ARP request rate limit . . . 255
        Displaying the ARP request rate limit . . . 255
    Configuring RIP . . . 256
        Roadmap of RIP CLI commands . . . 257
        Configuring RIP . . . 258
        Enabling RIP . . . 259
        Disabling RIP . . . 260
        Displaying the current RIP configuration . . . 260
    Configuring OSPF . . . 261
        Roadmap of OSPF CLI commands . . . 263
        Enabling OSPF . . . 265
        Disabling OSPF . . . 266
        Configuring the OSPF router ID . . . 266
        Displaying the current OSPF configuration . . . 267
        Creating an OSPF area . . . 269
        Deleting an OSPF area . . . 270
        Configuring an OSPF area . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Displaying the current OSPF area configuration . . . . . . . . . . . . . . . . . . . . . . . . . 272 Creating an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Configuring an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Displaying the currently configured OSPF host routes . . . . . . . . . . . . . . . . . . . . 275 Deleting an OSPF host route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Creating an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Deleting an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Configuring an OSPF area aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Displaying the currently configured OSPF area aggregations . . . . . . . . . . . . . . . 280 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 12 Contents Displaying the current OSPF LSDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Displaying the current OSPF neighbor table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Displaying the current OSPF virtual neighbor table . . . . . . . . . . . . . . . . . . . . . . . 283 Configuring an OSPF IP interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Displaying currently configured OSPF IP interfaces . . . . . . . . . . . . . . . . . . . . . . 285 Creating an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Configuring an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Deleting an OSPF virtual link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
290 Displaying the currently configured OSPF virtual links . . . . . . . . . . . . . . . . . . . . 290 Configuring OSPF packet authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Roadmap of MD5 CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Creating an entry to the MD5 key table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Deleting an MD5 key table entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Configuring an MD5 key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Displaying the current MD5 key table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Configuring IP routes and route redistribution. . . . . . . . . . . . . . . . . . . . . 297 Using the route table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Roadmap of route table CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Creating an IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Creating a default IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Creating an IP route using a network address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Deleting an IP route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Displaying the IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Configuring IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Configuring default IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Configuring IP routes with max static routes . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . 304 Using route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 Roadmap of route redistribution CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Creating a route redistribution from RIP to OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Creating a route redistribution from OSPF to RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Deleting a route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Configuring a route redistribution between RIP and OSPF . . . . . . . . . . . . . . . . . . . . 312 Configuring a route redistribution between OSPF and RIP . . . . . . . . . . . . . . . . . . . . 314 Displaying the route redistribution settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 316862-B Rev 00 Contents 13 Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Roadmap of VRRP features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Creating a VRRP IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Configuring a VRRP IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Displaying a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Deleting a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Enabling a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Disabling a VRRP IP interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 Configuring BootP and DNS relay . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . 331 Configuring BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Roadmap of BootP relay commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Configuring BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Adding a BootP relay address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Deleting a BootP relay address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Enabling BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Disabling BootP relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Displaying the current BootP relay configuration . . . . . . . . . . . . . . . . . . . . . . . . . 337 Configuring DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Roadmap of DNS relay CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Configuring DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Enabling DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Disabling DNS relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Enabling the DNS relay cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Disabling the DNS relay cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Enabling the DNS static table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Disabling the DNS static table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Displaying the current DNS relay configuration . . . . . . 
. . . . . . . . . . . . . . . . . . . . 344 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Roadmap of SNMP CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Creating an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Deleting an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 14 Contents Creating a trusted host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Deleting a trusted host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Configuring an SNMP community string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Configuring the SNMP system name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Configuring the SNMP location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 Configuring the SNMP system contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Displaying the current SNMP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Displaying the currently configured trusted hosts . . . . . . . . . . . . . . . . . . . . . . . . 357 Managing SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Creating an SNMP trap receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Deleting an SNMP trap receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Enabling the transmission of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. 360 Disabling the transmission of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Enabling the authentication of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Disabling the authentication of SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Configuring Multicasting (IGMP, IGMP Snooping, and DVMRP) . . . . . . . 363 Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 Roadmap of IGMP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Configuring IGMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 Displaying IGMP settings for all IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Displaying the IGMP group settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Configuring IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Configuring IGMP snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Configuring router ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Enabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Disabling IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373 Displaying the current IGMP snooping configuration . . . . . . . . . . . . . . . . . . . . . 374 Displaying IGMP snooping groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Displaying IGMP snooping forwarding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Displaying the list of router ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 Configuring DVMRP . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 Configuring DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Enabling DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Disabling DVMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 316862-B Rev 00 Contents 15 Displaying the current DVMRP routing table . . . . . . . . . . . . . . . . . . . . . . . . . 386 Displaying the current DVMRP neighbor router table . . . . . . . . . . . . . . . . . . 387 Displaying the current DVMRP nexthop router table . . . . . . . . . . . . . . . . . . 388 Displaying the current DVMRP configuration . . . . . . . . . . . . . . . . . . . . . . . . 389 Displaying the Switch’s IP multicast cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Roadmap of IP multicast cache commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Displaying the Switch’s IP multicast cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Displaying the switch’s IP multicast table . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Monitoring the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Roadmap of network monitoring commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Displaying port traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Displaying port error statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Displaying port utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Clearing the switch counters . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Clearing the switch log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Displaying the switch log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Configuring port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 Configuring a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Deleting a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404 Enabling a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 Disabling a mirror port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Displaying the current mirror settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Enabling and disabling RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407 Checking network links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Determining the network route using traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 CLI configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Resetting the switch to its factory defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Configuring the default VLAN for management access . . . . . . . . . . . . . . . . . . . . . . . 412 Configuration example — configuring the default VLAN . . . . . . . . . . . . . . . . . . . 413 Viewing the VLAN and IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Downloading firmware and uploading configuration files . . . . . . . . . . . . . . . . . . . . . . 
415 Creating new port-based VLANS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 Configuration example — creating port-based VLANs . . . . . . . . . . . . . . . . . . . . 416 Viewing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 16 Contents Viewing the forwarding database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Disabling Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Configuration example — disabling Spanning Tree . . . . . . . . . . . . . . . . . . . . . . 419 Viewing Spanning Tree status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419 Configuring link aggregation groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Configuration example — configuring link aggregation groups . . . . . . . . . . . . . . 421 Enabling OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Configuration example — enabling OSPF globally . . . . . . . . . . . . . . . . . . . . . . . 422 Viewing OSPF status and routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Viewing OSPF neighbor status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Viewing OSPF LSDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Viewing the Passport 1600 Series switch route table . . . . . . . . . . . . . . . . . . . . . 426 Configuring OSPF MD5 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Configuration example — creating an MD5 key . . . . . . . . . . . . . . . . . . . . . . . . . 428 Configuring an OSPF stub area . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . 428 Configuration example — configuring a stub area . . . . . . . . . . . . . . . . . . . . . . . 429 Configuring OSPF route distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Configuration example — configuring OSPF route distribution . . . . . . . . . . . . . . 431 Configuring RIP base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Configuration example — configuring RIP base . . . . . . . . . . . . . . . . . . . . . . . . . 433 Selecting Tx and Rx RIP v2 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 Configuration example — configuring RIP TX and RX mode to v2 . . . . . . . . . . . 436 Configuring broadcast and multicast storm control . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Configuration example — enabling thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Displaying thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Configuring egress queue weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Configuration example — configuring port scheduling . . . . . . . . . . . . . . . . . . . . 438 Configuring QoS and IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Step 1: Configuring the template mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Step 2: Configuring the flow classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Configuring the L4_switch flow classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Configuring the QoS flow classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Step 3: Configuring the template rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
442 Configuration example — using the L4_switch template . . . . . . . . . . . . . . . 442 Configuration example — using the QoS template . . . . . . . . . . . . . . . . . . . . 442 316862-B Rev 00 Contents 17 Step 4: Binding the template rule to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Configuration example — adding the template to a VLAN . . . . . . . . . . . . . . 443 Setting QoS priority for destination TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Configuration example — setting QoS Priority for destination TCP flows . . . . . . 444 Dropping TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Configuration example — dropping TCP flows . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Viewing the template rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Filtering MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Configuration example — filtering MAC addresses . . . . . . . . . . . . . . . . . . . . . . . 447 Viewing the fdb filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447 Configuring forward-to-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Configuration example — forward-next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 Filtering IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 Configuration example — filtering IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . 450 Viewing the IP filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450 Dropping fragmented IP packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450 Index . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 18 Contents 316862-B Rev 00 19 Tables Table 1 Access level and default login value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Table 2 Line editing keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Table 3 Multiple page display keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Table 4 Default severity levels and system log severity levels . . . . . . . . . . . . . . . 97 Table 5 Info log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Table 6 Warning log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Table 7 Critical log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Table 8 Error log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Table 9 Third party SSH client software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Table 10 QoS command overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Table 11 Unicast/multicast ratios for dynamic and static iproute and arp values . 305 Table 12 Allowed values for the OSPF routing metrics . . . . . . . . . . . . . . . . . . . . . 308 Table 13 Allowed values for the routing metrics . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Table 14 config dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Table 15 enable dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 Table 16 disable dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Table 17 show dvmrp routing_table . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . 386 Table 18 show dvmrp neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Table 19 show dvmrp next hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Table 20 show dvmrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Table 21 IP multicasting cache commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Table 22 show ipmc cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Table 23 show ipmc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Table 24 show packet port definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 20 Tables 316862-B Rev 00 21 Figures Figure 1 Login screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Figure 2 Using the question mark (?) command . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Figure 3 Next possible completions message . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Figure 4 Top-level show command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Figure 5 create account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Figure 6 config account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Figure 7 show account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Figure 8 delete account command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Figure 9 config command_history command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Figure 10 show command_history command output . . . . . . . . . . . . . . . . 
. . . . . . . . 54 Figure 11 ? command output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Figure 12 dir command output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Figure 13 show session command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Figure 14 show switch command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Figure 15 show session command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Figure 16 config serial port command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Figure 17 enable clipaging command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Figure 18 disable clipaging command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Figure 19 enable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Figure 20 disable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Figure 21 enable web command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Figure 22 disable telnet command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Figure 23 save command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Figure 24 download configuration command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Figure 25 upload configuration command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Figure 26 upload log command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Figure 27 reboot command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Figure 28 reset config command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 73 Figure 29 login command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 22 Figures Figure 30 logout command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Figure 31 config ports command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Figure 32 show ports command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Figure 33 config mgmt_port command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Figure 34 show mgmt_port command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Figure 35 config stp command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Figure 36 enable stp command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Figure 37 disable stp command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Figure 38 show stp (enabled) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Figure 39 show stp (disabled) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Figure 40 show stp_ports command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Figure 41 create syslog host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Figure 42 config syslog host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Figure 43 config syslog max_hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Figure 44 delete syslog host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Figure 45 enable syslog . . . . . . . . . . . . . . . . . . 
Preface

The Passport 1600 is a fixed-port hardware-based Layer 3 routing switch that supports three models:

• Passport 1612G: 12 small form factor (SFP) GBICs, which provides small to medium aggregation
• Passport 1624G: 24 SFP GBICs, which provides small to medium aggregation
• Passport 1648T: 48 10/100 ports plus 4 SFP GBICs, which provides small edge concentration

The Passport 1600 Series Layer 3 routing switch can reside in the wiring closet (1648T) and in the data center or network core (1612G and 1624G). The Passport 1648T provides Layer 3 functionality in the wiring closet with 48 10/100 ports and 4 GBIC ports. The Passport 1612G and 1624G provide 12 and 24 gigabit Ethernet ports for wiring closet aggregation as well as high-speed connections for servers and power users. These types of aggregation devices typically reside in the network core or data center but can be placed anywhere.

This guide provides a reference for all of the commands contained in the Command Line Interface (CLI). You use these commands to configure and manage a Nortel Networks* Passport 1600 Series Layer 3 routing switch (also referred to in this guide as the "Passport 1600 Series switch" or the "switch") via the serial port or Telnet interfaces.

For commands that use the <network_address> variable, enter an IP address and subnet mask. For commands that use the <ip_address> variable, enter an IP address.
Before you begin

This guide is intended for network administrators with the following background:

• Basic knowledge of networks, Ethernet bridging, and IP routing
• Familiarity with networking concepts and terminology
• Experience with windowing systems or GUIs
• Basic knowledge of network topologies

Text conventions

This guide uses the following text conventions.

angle brackets (< >)
Indicates a single alphanumeric or numeric value that you must enter for the command to successfully execute.
Example: create ipif <ipif_name> <vlan_name> ipaddress <network_address> {state [enable/disable]}
In this example, you must supply an IP interface name in the <ipif_name> space, a VLAN name in the <vlan_name> space, and then a network address in the <network_address> space. Do not type the angle brackets.

slash (/)
Separates sub-commands, parameters, or values in a set. These sub-commands, parameters, or values may be required and mutually exclusive (enclosed in square brackets), or optional (enclosed in braces).
Example: show snmp [community/trap receiver/detail]
In this example, you must enter either community, trap receiver, or detail to specify which type of SNMP users the switch displays.

italic text
Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is create ipif <ipif> <vlan_name>, vlan_name is a variable for which you substitute a name.

plain Courier text
Indicates command syntax and system output, for example, prompts and system messages.
Example: show snmp

square brackets ([ ])
Indicates sub-commands, parameters, and values that are not optional and are mutually exclusive. You must enter one of the sub-commands enclosed by the square brackets for the command to successfully execute on the switch.
Example: create account [admin/user]
In this example, you must enter either admin or user to specify the privilege level of the account you are creating. Do not type the square brackets.

braces ({ })
Indicates sub-commands, parameters, and values that are optional and not mutually exclusive. You can enter one or more of the sub-commands enclosed by braces. If entered, some sub-commands may require a parameter or value. In such cases, the required parameter or value set corresponding to the sub-command is enclosed by square brackets.
Example: config igmp [<ipif_name>/all] {version <value>/query_interval <sec>/max_response_time <sec>/robustness_variable <value>/last_member_query_interval <value>/state [enabled/disabled]}
In this example, you must choose one of the items enclosed in the first set of square brackets, either <ipif_name> or all. The next set of values, enclosed by braces, is optional. Some of the optional sub-commands have a corresponding value that you must enter along with the parameter. For example, version requires that you enter the value <value> to specify the IGMP version number that the switch uses. Thus, if you choose the optional sub-command version, you must enter the version number in the <value> field for the command to successfully execute. Some optional sub-commands require you to enter a choice of parameters. For example, state requires the entry of either enabled or disabled. If you choose the optional sub-command state, you must enter either enabled or disabled for the command to successfully execute. Do not type the braces.

Hard-copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to the www.nortelnetworks.com/documentation URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product.
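The notation described above is a small grammar, so the natural worked example is a checker for it. The following Python is an added example (mine, not part of the Nortel manual or the switch software): parse_syntax turns a syntax line into a tree of keywords, <variables>, required choices [ ] and optional sets { }, and validate checks a typed command against that tree, enforcing the rules stated above (exactly one item from square brackets, any subset of the brace items with each used at most once, and a value supplied wherever a sub-command requires one). The syntax lines used are the manual's own examples; the function names and the shape of the returned bindings are my choices.

```python
import re
from dataclasses import dataclass

# Tokens of a syntax line: <variable>, a bracket character, the alternative
# separator "/", or a bare keyword. Whitespace is skipped.
_TOKEN_RE = re.compile(r"<[^>]+>|[\[\]{}/]|[^\s\[\]{}/<>]+")

@dataclass
class Literal:   # keyword typed exactly as shown
    word: str

@dataclass
class Var:       # <name>: one value supplied by the user
    name: str

@dataclass
class Choice:    # [a/b]: required and mutually exclusive, exactly one
    alts: list

@dataclass
class Options:   # {a/b}: optional, any subset, each at most once
    alts: list


def parse_syntax(spec):
    """Turn a syntax line from the manual into a list of grammar elements."""
    toks = _TOKEN_RE.findall(spec)
    pos = 0

    def seq(stop):  # parse elements until a token in `stop` (left unconsumed)
        nonlocal pos
        out = []
        while pos < len(toks) and toks[pos] not in stop:
            t = toks[pos]
            pos += 1
            if t in ("[", "{"):
                close = "]" if t == "[" else "}"
                alts = [seq({"/", close})]
                while pos < len(toks) and toks[pos] == "/":
                    pos += 1
                    alts.append(seq({"/", close}))
                if pos >= len(toks) or toks[pos] != close:
                    raise ValueError(f"unbalanced {t!r} in: {spec}")
                pos += 1
                out.append(Choice(alts) if t == "[" else Options(alts))
            elif t.startswith("<"):
                out.append(Var(t[1:-1]))
            else:
                out.append(Literal(t))
        return out

    tree = seq({"]", "}"})
    if pos != len(toks):
        raise ValueError(f"unexpected {toks[pos]!r} in: {spec}")
    return tree


def _try_alts(alts, words, i, binds):
    """Try each alternative at words[i], keyword-led ones first so that a
    literal such as "all" is not swallowed by a sibling <variable>."""
    for alt in sorted(alts, key=lambda a: bool(a) and isinstance(a[0], Var)):
        trial = dict(binds)
        j = _match(alt, words, i, trial)
        if j is not None:
            if alt and isinstance(alt[0], Literal):
                trial[alt[0].word] = " ".join(words[i + 1:j])  # keyword -> its argument(s)
            binds.clear()
            binds.update(trial)
            return j, alt
    return None, None


def _match(seq, words, i, binds):
    """Match elements in order from words[i]; return the index just past the
    match, or None when the words do not fit."""
    for el in seq:
        if isinstance(el, Literal):
            if i >= len(words) or words[i] != el.word:
                return None
            i += 1
        elif isinstance(el, Var):
            if i >= len(words):
                return None
            binds[el.name] = words[i]
            i += 1
        elif isinstance(el, Choice):
            i, _ = _try_alts(el.alts, words, i, binds)
            if i is None:
                return None
        else:  # Options: keep consuming keyword groups until none fits
            remaining = list(el.alts)
            while remaining and i < len(words):
                j, used = _try_alts(remaining, words, i, binds)
                if j is None:
                    break
                remaining = [a for a in remaining if a is not used]
                i = j
    return i


def validate(spec, command):
    """Return the bindings when `command` conforms to `spec`, else None.
    A <variable> maps to the typed value (a name reused in the spec, such as
    <value>, keeps the last binding); a keyword chosen from [ ] or { } maps to
    the text typed after it ("" when it takes no argument)."""
    words = command.split()
    binds = {}
    end = _match(parse_syntax(spec), words, 0, binds)
    return binds if end == len(words) else None


# The braces example from the text conventions, used by the checks below.
IGMP = ("config igmp [<ipif_name>/all] {version <value>/query_interval <sec>/"
        "max_response_time <sec>/robustness_variable <value>/"
        "last_member_query_interval <value>/state [enabled/disabled]}")
```

validate(IGMP, "config igmp all version 2 state enabled") returns a dictionary containing version "2" and state "enabled", while "config igmp all version" (a sub-command without its required value) and "config igmp" (the required choice missing) return None. Keyword-led alternatives are tried before <variable> alternatives so that typing all is recorded as the keyword rather than being taken as an interface name.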
Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

Note: The list of related publications for this manual can be found in the release notes that came with your software.

How to get help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact Nortel Networks Technical Support. To obtain contact information online, go to the www.nortelnetworks.com/cgi-bin/comments/comments.cgi URL, then click on Technical Support. From the Technical Support page, you can open a Customer Service Request online or find the telephone number for the nearest Technical Solutions Center. If you are not connected to the Internet, you can call 1-800-4NORTEL (1-800-466-7835) to learn the telephone number for the nearest Technical Solutions Center.

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, go to the http://www.nortelnetworks.com/help/contact/erc/index.html URL.

Chapter 1 Setting up the switch

The Passport 1600 Series Layer 3 switch supports a Command Line Interface (CLI) that allows you to configure and manage the switch. You access the CLI through a direct serial-port connection to the switch or through a Telnet session. You can open a Telnet session from Device Manager by clicking on the Telnet button on the toolbar or choosing Device > Telnet from the menu bar.
For more information about Device Manager, see Installing and Using Device Manager.

You can use any terminal or personal computer (PC) with a terminal emulator as the CLI console station. This chapter describes how to connect a terminal to the switch, set the IP address for the switch, reboot the switch, and log on to the switch software. It also explains how to enter and edit CLI commands. Specifically, this chapter includes the following topics:

• Connecting a terminal (page 37)
• Setting the switch's IP address (page 39)
• Logging on to the system (page 41)
• Entering CLI commands (page 42)

Connecting a terminal

The serial console interface is an RS-232 port that enables a connection to a PC or terminal for monitoring and configuring the switch. The port is implemented as a DB-9 connector that can operate as either data terminal equipment (DTE) or data communication equipment (DCE). The default communication protocol settings for the Console port are:

• 9600 baud rate
• 8 data bits
• 1 stop bit
• No parity

To use the Console port, you need the following equipment:

• A VT100-compatible terminal, or a portable computer with a serial port and terminal-emulation software.
• A UL-listed straight-through RS-232 cable with a female DB-9 connector for the Console port on the switch. The other end of the cable must have a connector appropriate to the serial port on your computer or terminal. (Most computers or terminals use a male DB-25 connector.)

Any cable connected to the Console port must be shielded to comply with emissions regulations and requirements.

To connect a computer or terminal to the Console port:

1 Set the terminal protocol as follows:
   • 9600 baud
   • 8 data bits
   • 1 stop bit
   • No parity
2 Connect the RS-232 cable to the Console port.
3 Connect the other end of the cable to the terminal or computer serial port.
4 Turn on the terminal.
The Login screen appears.

Figure 1 Login screen

5 At the Login prompt, enter the login ID (rwa) and press Enter.
6 At the password prompt, enter the password (rwa) and press Enter.
7 Set the switch's IP address (see "Setting the switch's IP address," next).

Setting the switch's IP address

Each switch must be assigned its own IP address, which is used for communication with an SNMP network manager or other TCP/IP application (for example, BOOTP or TFTP). The switch's default IP address is 10.90.90.90. You can change the default switch IP address to meet the specification of your networking address scheme.

The switch is also assigned a unique MAC address by the factory. This MAC address cannot be changed. You can view the MAC address using the show switch command.

You can automatically set the switch IP address using the BOOTP or DHCP protocols, in which case you must know the actual address assigned to the switch.

The switch has Layer 3 functionality, so its ports can be sectioned into IP interfaces, where each section has its own range of IP addresses (specified by a network address and subnet mask). By default, an IP interface named System is configured on the switch and contains all of the ports on the switch. Initially, you can use the System interface to assign a range of IP addresses to the switch. Later, when you configure VLANs and IP interfaces on the switch, the ports you assign to these VLANs and IP interfaces will be removed from the System interface.

To set the switch's IP address using the CLI:

1 Enter one of the following commands at the system prompt:

    config ipif System ipaddress xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy

  where xxx.xxx.xxx.xxx represents the IP address to be assigned to the IP interface named System and yyy.yyy.yyy.yyy represents the corresponding subnet mask.
  or

    config ipif System ipaddress xxx.xxx.xxx.xxx/z

  where xxx.xxx.xxx.xxx represents the IP address to be assigned to the IP interface named System and z represents the length of the corresponding subnet mask in CIDR notation (the number of network bits).

2 Save the switch configuration by entering the following command:

    save

Configuration example

The following example shows how to assign IP address 10.42.73.74 with a subnet mask of 255.0.0.0 to the switch and save the switch parameters. The Success message indicates that you can now configure and manage the switch via Telnet and the CLI, using the IP address 10.42.73.74 to connect to the switch.

    PP1612:4# config ipif System ipaddress 10.42.73.74/255.0.0.0
    Command: config ipif System ipaddress 10.42.73.74/8
    Success
    PP1612:4# reboot

Logging on to the system

When the switch completes its reboot sequence, the login prompt appears (see Figure 1). The default values for the login and password for the console and Telnet sessions are shown in Table 1.

Table 1 Access level and default login value

Access level     Description                                                      Default login   Default password
Read/write/all   Allows all the rights of Read-Write access and the ability to    rwa             rwa
                 change security settings, including the CLI and Web-based
                 management user names and passwords and the SNMP community
                 strings.

Configuration example

The following example shows how to log on to the switch using read/write/all access:

    Login: rwa
    Password: ***
    :4#

Entering CLI commands

You enter CLI commands at the PP16xxx:4# prompt, where xxx represents the 12G-, the 16G-, or the 48T-port switch. There are a number of helpful commands in the CLI. For example, to display a list of all of the top-level commands, use the following command:

    dir

Entering a question mark (?)
will display each command followed by the various sub-commands, input values, and parameters that are associated with each command. The dir command has the same function as the ? command; however, it displays less detail. Figure 2 shows the results of entering the ? command:

Figure 2 Using the question mark (?) command

    ..
    ? {<specified_command>}
    clear
    clear arptable
    clear counters {ports <portlist>}
    clear fdb [vlan <vlan_name 32> | port <port> | all]
    clear log
    clear post_hist
    config 802.1p default_priority [ <portlist> | all ] priority [2 | 4 | 6 | 7]
    config account <username>
    config arp_aging time <value 0-65535>
    config bootp_relay { hops <value 1-16> | time <sec 0-65535>}
    config bootp_relay add ipif <ipif_name 12> <ipaddr>
    config bootp_relay delete ipif <ipif_name 12> <ipaddr>
    config command_history <value 1-40>
    config dnsr [[primary|secondary] nameserver <ipaddr>|[add|delete] static <domain_name 32> <ipaddr>]
    config dvmrp [ipif <ipif_name 12>| all ] {metric <value 1-31>| probe <sec 1-65535>| neighbor_timeout <sec 1-65535>|state [enabled|disabled]}
    config fdb aging_time <sec 10-630>
    config flow_classifier template_1 mode [security | qos | l4_switch] template_2 mode [security | qos | l4_switch]
    CTRL+C ESC q Quit   SPACE n Next Page   ENTER Next Entry   a All

When you enter a command without its required parameters, the CLI will prompt you with a Next possible completions: message (Figure 3).

Figure 3 Next possible completions message

    PP1612G:4#config account
    Command: config account
    Next possible completions:
    <username>
    PP1612G:4#

In Figure 3, you entered the command config account without the required parameter <username>, so the CLI returned the Next possible completions: <username> message.
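The configuration example under "Setting the switch's IP address" shows the switch accepting a dotted-decimal mask (10.42.73.74/255.0.0.0) and echoing the command back in prefix form (/8). The following Python is an added example, not code from the Nortel documentation: it converts between the two mask forms, rejects masks that no prefix length can express, and builds the config ipif command line. The host-address check (refusing the network or broadcast address of the subnet) is this example's own addition and is not a check the page says the switch performs.

```python
import ipaddress

# Added example (not Nortel's code): converts between the two forms the
# `config ipif System ipaddress` command accepts and builds the command line.


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted-decimal mask such as 255.0.0.0.

    Raises ValueError for masks whose one bits are not contiguous (for example
    255.0.255.0), which no CIDR prefix length can express.
    """
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a prefix length (8 -> 255.0.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def ipif_command(ip: str, mask_or_prefix: str, ipif_name: str = "System") -> str:
    """Build the `config ipif <name> ipaddress <ip>/<prefix>` line.

    `mask_or_prefix` may be dotted (255.0.0.0) or a bare prefix length ("8");
    the result always uses the prefix form, which is how the switch echoes it.
    """
    address = ipaddress.IPv4Address(ip)  # ValueError on a malformed address
    if "." in mask_or_prefix:
        prefix = mask_to_prefix(mask_or_prefix)
    else:
        prefix = int(mask_or_prefix)
        prefix_to_mask(prefix)  # range check only
    interface = ipaddress.IPv4Interface(f"{address}/{prefix}")
    # A management address must be a usable host address, not the subnet's
    # network or broadcast address (/31 and /32 have no such reserved addresses).
    if prefix < 31 and address in (interface.network.network_address,
                                   interface.network.broadcast_address):
        raise ValueError(f"{address}/{prefix} is not a usable host address")
    return f"config ipif {ipif_name} ipaddress {address}/{prefix}"


if __name__ == "__main__":
    # Reproduces the manual's configuration example: 10.42.73.74 with mask 255.0.0.0
    print(ipif_command("10.42.73.74", "255.0.0.0"))
```

Feeding the dotted form from the manual's example yields config ipif System ipaddress 10.42.73.74/8, the same line the switch prints as Command: in the transcript.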
You can reenter the previous command (config account) at the command prompt by pressing the up arrow. Then, you can enter the appropriate user name and reenter the config account command. The up arrow and other helpful console keys are described in the sections that follow.

Editing commands

The console interface assigns certain functions to the editing keys on the management keyboard. These keys and their functions are described in Table 2.

Table 2 Line editing keys

Key           Description
Delete        The delete key deletes the character under the cursor. The remaining characters to the right of the cursor are then shifted one space to the left.
Backspace     The backspace key deletes the character immediately to the left of the cursor. The remaining characters to the right of the cursor are then shifted one space to the left.
Insert        You can toggle the insert key on or off. When on, characters are entered at the cursor, while the existing characters are shifted to the left. When off, characters are entered at the cursor, overwriting the existing characters.
Left Arrow    The left arrow moves the cursor one space to the left.
Right Arrow   The right arrow moves the cursor one space to the right.
Up Arrow      The up arrow re-enters the previous command line entry. This can be useful if you make a mistake in entering the parameters or values required by a given command.
Tab           The tab key displays the next possible command parameter entry, in a round-robin fashion, once the first level of a command has been entered. If the Tab key is pressed before any part of a command string has been entered, the first level of possible command entries will be displayed, starting with the "?" command and proceeding through all of the possible commands until the last command in the list (the "upload" command) is displayed.
              Pressing the Tab key after the "upload" command is displayed will go through the list again, starting with the "?" command.

Displaying multiple pages

The console interface assigns functions to various keys on the management station's keyboard to control the display of tables that require more than one page. These keys are described in Table 3.

Table 3 Multiple page display keys

Key        Description
space      Displays the next page.
Ctrl + c   Stops the display of multiple pages.
Ctrl + u   Deletes a command in the CLI without executing it.
Esc        Stops the display of multiple pages.
n          Displays the next page.
p          Displays the previous page.
q          Stops the display of multiple pages (quit).
r          Refreshes the current page.
a          Displays the remaining pages without pausing between pages (all).
Enter      Displays the next line or table entry.

Understanding top-level commands

If you enter a command that is unrecognized by the CLI, the top-level commands are displayed under the Available commands: prompt. Top-level CLI commands consist of commands like show or config. These commands require one or more parameters to narrow the scope of the top-level command. This is equivalent to show what? or config what?, where the what? is the next sub-command or parameter. For example, if you enter the show command with no additional parameters, the CLI displays all of the possible next parameters (Figure 4).
Figure 4 Top-level show command

    P1612G:4# show
    Command: show
    Next possible completions:
    802.1p  account  arpentry  bootp_relay  command_history  dnsr  dst_ipfilter
    dvmrp  error  fdb  fdbfilter  flow_classifier  igmp  igmp_snooping
    ip_fragment_filter  ipif  ipmc  iproute  link_aggregation  log  mac_priority
    md5  mgmt_port  mirror  multicast_fdb  ospf  packet  ports  post_hist  rip
    route  router_ports  rtc  scheduling  serial_port  session  snmp  stp  switch
    tdp  template_rule  traffic  trusted_host  utilization  vlan  vlan_interface
    vlan_ports
    PP1612G:4#

In Figure 4, all of the possible next parameters for the show command are displayed. At the next command prompt, you use the up arrow to re-enter the show command, followed by the account parameter. The CLI then displays the user accounts configured on the switch.

Chapter 2 Managing switch operations

This chapter describes the basic switch configuration commands, such as the commands for creating and configuring user accounts, displaying the switch information (including the firmware version), configuring the RS-232 console serial port, and enabling Telnet for out-of-band switch management.
Specifically, this chapter includes the following topics:

Topic                                                  Page
Roadmap of basic switch CLI commands                   48
Creating an admin or user account                      49
Configuring an existing user account                   51
Showing an existing user account configuration         51
Deleting an existing user account                      52
Configuring the command history list                   53
Displaying the command history                         53
Displaying all commands                                54
Showing the current status of the switch serial port   57
Configuring the switch's serial port                   59
Enabling CLI paging                                    60
Disabling CLI paging                                   61
Enabling Telnet                                        62
Disabling Telnet                                       63
Enabling the Web-based manager                         63
Managing files                                         66
Rebooting the switch                                   71
Resetting the switch                                   72
Logging in to the switch                               73
Logging out of the switch                              73

Roadmap of basic switch CLI commands

The following roadmap lists all of the basic switch commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command                  Parameter
create account           admin <username 15>
                         user <username 15>
config account           <username 15>
show account
delete account           <username 15>
config command_history   <value 1-40>
show command_history
?
dir
show session
show switch
show serial_port
config serial_port       baud_rate [9600|19200|38400|115200]
                         auto_logout [never|2-minutes|5_minutes|10_minutes|15_minutes]
enable clipaging
disable clipaging
enable telnet            <tcp_port_number 1-65535>
disable telnet
enable web               <tcp_port_number 1-65535>
disable web
save
download firmware        <ipaddr> <path_filename 64>
download configuration   <ipaddr> <path_filename 64> increment
upload configuration     <ipaddr> <path_filename 64> <append_account>
upload log               <ipaddr> <path_filename 64> <append_account>
reboot
reset                    config
                         system
login
logout

Creating an admin or user account

To create an admin or user account, including a username and password, use the create account command. Note that this command also allows you to select the privileges this account will have. In general, user-level accounts can display the switch's current configuration, but cannot make any changes. Admin-level accounts have full access to all configuration commands.

To create a new account, use the following command:

    create account

This command includes the following options:

create account followed by:

admin <username 15>   Creates an administrator-level user account. This user can execute all of the commands in the CLI without restriction.
                      • username identifies the user. It is an alphanumeric string, from 1 to 15 characters.
user <username 15>    Creates a user-level user account. This user is limited to displaying switch configuration and accumulated switch statistics.
                      • username identifies the user. It is an alphanumeric string, from 1 to 15 characters.

Figure 5 shows you how to create a new administrator-level user account with the username Test.
Figure 5 create account command

    PP1612G:4#create account admin Test
    Command: create account admin Test
    Enter a case-sensitive new password:****
    Enter the new password again for confirmation:****
    Success.
    PP1612G:4#

Configuring an existing user account

To configure an existing user account (change the account's password) after you have created it, use the following command:

    config account <username 15>

where username 15 is the name assigned to the account. It is an alphanumeric string, from 1 to 15 characters.

Figure 6 shows you how to change the password for the user account named Test.

Figure 6 config account command

    PP1612G:4#config account Test
    Command: config account Test
    Enter an old password:****
    Enter a case-sensitive new password:****
    Enter the new password again for confirmation:****
    Success.
    PP1612G:4#

Showing an existing user account configuration

To display the configuration of an existing user account, use the following command:

    show account

Figure 7 shows an example of the console screen when you display the user accounts configured on the switch.

Figure 7 show account command

    PP1612G:4#show account
    Command: show account
    Current Accounts:
    Username          Access Level
    ---------------   ------------
    System            user
    Test              Admin
    PP1612G:4#

Deleting an existing user account

To delete an existing user account, use the following command:

    delete account <username 15>

where username 15 is the name assigned to the account. It is an alphanumeric string, from 1 to 15 characters.

Figure 8 shows an example of the console screen when you delete the existing user account Test configured on the switch.

Figure 8 delete account command

    PP1612G:4#delete account Test
    Command: delete account Test
    Success.
    PP1612G:4#

Configuring the command history list

The 1600 Series switches retain the list of commands that you enter during the current session. You can configure the command history list to retain up to 40 commands by using the following command:

    config command_history <value 1-40>

where value 1-40 represents the number of commands that the switch will retain in its command history list. The valid range is 1 to 40 commands.

Figure 9 shows the command history being configured to retain the last 20 commands:

Figure 9 config command_history command

    PP1612G:4# config command_history 20
    Command: config command_history 20
    Success
    PP1612G:4#

Displaying the command history

To display the commands that you entered previously, use the following command:

    show command_history

The number of commands displayed depends on the value you entered using the config command_history command. Figure 10 shows sample output for the show command_history command.

Figure 10 show command_history command output

    PP1612G:4# show command_history
    Command: show command_history
    ?
    ?
    delete account test
    delete account
    show account test
    config account
    show account
    config account test
    config account
    create account admin
    create account user test
    create account user user
    create account
    create user account
    PP1612G:4#

Displaying all commands

To display the entire list of commands available in the 1600 Series CLI, including all parameters and arguments, use the following command:

    ?

Figure 11 shows sample output for the ? command.

Figure 11 ? command output

    PP1612G:4# ?
    Command: ?
    ..
    ? {<specified_command>}
    clear
    clear arptable
    clear counters {ports <portlist>}
    clear fdb [vlan <vlan_name 32> | port <port> | all]
    clear log
    clear post_hist
    config 802.1p default_priority [ <portlist> | all ] priority [2 | 4 | 6 | 7]
    config account <username>
    config arp_aging time <value 0-65535>
    config bootp_relay { hops <value 1-16> | time <sec 0-65535>}
    config bootp_relay add ipif <ipif_name 12> <ipaddr>
    config bootp_relay delete ipif <ipif_name 12> <ipaddr>
    config command_history <value 1-40>
    config dnsr [[primary|secondary] nameserver <ipaddr>|[add|delete] static <domain_name 32> <ipaddr>]
    config dvmrp [ipif <ipif_name 12>| all ] {metric <value 1-31>| probe <sec 1-65535>| neighbor_timeout <sec 1-65535>|state [enabled|disabled]}
    config fdb aging_time <sec 10-630>
    config flow_classifier template_1 mode [security | qos | l4_switch] template_2 mode [security | qos | l4_switch]
    config flow_classifier template_id <value 1-2> mode_parameters [qos_flavor [802.1p | dscp | dst_ip | dst_tcp_port | dst_udp_port] | l4_session {tcp_session fields {dip | sip | tos | dst_port | src_port | tcp_flags} | udp_session fields {dip | sip | tos | dst_port | src_port} | other_session fields {dip | sip | tos | l4_protocol | icmp_msg | igmp_type}}]
    PP1612G:4#

To display the complete command list, use the following command:

    dir

Figure 12 shows sample output from the dir command.

Figure 12 dir command output

    PP1612G:4# dir
    Command: dir
    ..
    ?
    clear
    clear arptable
    clear counters
    clear fdb
    clear log
    clear post_hist
    config 802.1p default_priority
    config account
    config arp_aging time
    config bootp_relay
    config bootp_relay add ipif
    config bootp_relay delete ipif
    config command_history
    config dnsr
    config dvmrp
    config fdb aging_time
    config flow_classifier template_1 mode
    config flow_classifier template_id
    config flow_classifier vlan
    config igmp
    config igmp_snooping
    config igmp_snooping querier
    config ip_forwarding
    ...

Showing current switch management sessions

To display all of the current connections to the switch's management agent, use the following command:

    show session

Figure 13 shows the console screen when you display the current switch management sessions.

Figure 13 show session command

    PP1612G:4#show session
    ID   Live Time      From          Level   Name
    ---  -------------  ------------  ------  ---------
    0    0:17:16.2      Serial Port   4       Anonymous
    PP1612G:4#

Showing the current status of the switch

To display the current status of the switch, use the following command:

    show switch

The information that displays includes the IP address and subnet mask, the name of the VLAN on which the switch's IP address resides, and the boot PROM and firmware version. Figure 14 shows a sample console screen when you display the current switch status.

Figure 14 show switch command

Showing the current status of the switch serial port

To display the current status of the switch serial port, use the following command:

    show serial_port

Figure 15 shows a sample console screen when you display the current serial port configuration.
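The show serial_port screen (Figure 15) is the place to verify the auto_logout setting that config serial_port controls, and the manual's note on that option is explicit that it also governs Telnet sessions and should not be set to never. The following Python is an added example, not Nortel's code: it parses a show serial_port screen into its five fields and reports whether the idle timeout meets a policy. The two screens embedded in it are constructed to match the layout of Figure 15; the value never and the mins suffix are assumptions of this example drawn from the documented auto_logout choices, not copied from a real switch.

```python
import re

# Added example (not Nortel's code). Parses the screen printed by
# `show serial_port` and checks the Auto-Logout setting against a policy.

FIELDS = ("Baud Rate", "Data Bits", "Parity Bits", "Stop Bits", "Auto-Logout")
FIELD_RE = re.compile(
    r"^\s*(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*:\s*(.*?)\s*$"
)

# Constructed sample in the layout of the show serial_port screen (Figure 15).
SCREEN_DEFAULT = """PP1648T:4# show serial_port
Command: show serial_port
Baud Rate    : 9600
Data Bits    : 8
Parity Bits  : None
Stop Bits    : 1
Auto-Logout  : 10 mins
PP1648T:4#
"""

# Constructed sample of a switch whose idle timeout was disabled (value assumed).
SCREEN_NEVER = SCREEN_DEFAULT.replace("Auto-Logout  : 10 mins", "Auto-Logout  : never")


def parse_serial_port(screen: str) -> dict:
    """Return {field: value} for the five settings shown by show serial_port.

    Prompt and Command: lines are ignored because they are not in FIELDS.
    """
    settings = {}
    for line in screen.splitlines():
        m = FIELD_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_auto_logout(settings: dict, max_minutes: int = 15) -> list:
    """Return a list of findings; an empty list means the timeout is acceptable.

    The timeout also closes idle Telnet sessions, so 'never' leaves an
    unattended management session open indefinitely.
    """
    value = settings.get("Auto-Logout")
    if value is None:
        return ["Auto-Logout not found in show serial_port output"]
    if value.lower() == "never":
        return ["Auto-Logout is 'never': idle console and Telnet sessions are never closed"]
    m = re.match(r"(\d+)\s*min", value)
    if not m:
        return [f"unrecognised Auto-Logout value: {value!r}"]
    if int(m.group(1)) > max_minutes:
        return [f"Auto-Logout of {value} exceeds policy maximum of {max_minutes} minutes"]
    return []


if __name__ == "__main__":
    for name, screen in (("default", SCREEN_DEFAULT), ("never", SCREEN_NEVER)):
        print(name, audit_auto_logout(parse_serial_port(screen)) or ["ok"])
```

Run against captured output from a terminal session, the default screen produces no findings and the never screen produces one; lowering max_minutes enforces a stricter site policy than the switch's own 15-minute ceiling.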
Figure 15 show serial_port command

    PP1648T:4# show serial_port
    Command: show serial_port
    Baud Rate    : 9600
    Data Bits    : 8
    Parity Bits  : None
    Stop Bits    : 1
    Auto-Logout  : 10 mins
    PP1648T:4#

Configuring the switch's serial port

The switch's serial port has the following default configuration:

• Baud Rate: 9600
• Data Bits: 8
• Parity Bits: None
• Stop Bits: 1
• Auto-Logout: 10 minutes

To change the settings of the switch's serial port, use the following command:

    config serial_port

This command includes the following options:

config serial_port followed by:

baud_rate [9600|19200|38400|115200]                              The serial bit rate that is used to communicate with the switch's serial port.
auto_logout [never|2-minutes|5_minutes|10_minutes|15_minutes]    The length of time a console session is inactive before the console session is closed by the switch.
                                                                 Note: This command also applies to Telnet sessions. For security reasons, do not set this command to never.

Figure 16 shows a sample console screen when you set the serial port baud rate.

Figure 16 config serial_port command

    PP1612G:4#config serial_port baud_rate 9600
    Command: config serial_port baud_rate 9600
    Success.
    PP1612G:4#

Enabling CLI paging

To enable paging for the CLI, use the following command:

    enable clipaging

By using this command you can pause the console screen at the end of each page instead of scrolling through more than one screen of information. Figure 17 shows a sample console screen when you enable CLI paging.

Figure 17 enable clipaging command

    PP1612G:4#enable clipaging
    Command: enable clipaging
    Success.
    PP1612G:4#

Disabling CLI paging

To disable paging for the CLI, use the following command:

    disable clipaging

By using this command, you stop the console screen from pausing at the end of each page, so that more than one screen of information scrolls past without a pause. Figure 18 shows a sample console screen when you disable CLI paging.

Figure 18 disable clipaging command

    PP1612G:4#disable clipaging
    Command: disable clipaging
    Success.
    PP1612G:4#

Enabling Telnet

To enable Telnet connections between a remote management station and the switch, using the default TCP port number 23, use the following command:

    enable telnet

You can use all of the commands described in this manual to configure the 1600 switch over an Ethernet link using the Telnet protocol. The procedures, syntax of the commands, and input of values are identical when using either the serial port or the Telnet protocol to configure and manage the switch.

This command contains the following parameters:

enable telnet followed by:

<tcp_port_number 1-65535>   The TCP port number that a remote management station uses to establish a Telnet connection. The default TCP port number for Telnet is 23.

Figure 19 shows a sample console screen when you enable Telnet, using TCP port number 23.

Figure 19 enable telnet command

    PP1612G:4#enable telnet 23
    Command: enable telnet 23
    Success.
    PP1612G:4#

Disabling Telnet

To disable Telnet as a communication protocol between a remote management station and the switch, use the following command:

    disable telnet

Figure 20 shows a sample console screen when you disable Telnet.

Figure 20 disable telnet command

    PP1612G:4#disable telnet
    Command: disable telnet
    Success.
    PP1612G:4#

Enabling the Web-based manager

To enable Web-based connections between a remote management station and the switch, using the default TCP port number 80, use the following command:

    enable web

You can use all of the commands described in this manual to configure the 1600 switch over an Ethernet link using a web browser and the web-based management agent built into the switch.

This command contains the following parameters:

enable web followed by:

<tcp_port_number 1-65535>   The TCP port number that a remote management station uses to establish a connection between a web browser and the web-based management agent built into the switch. The default TCP port number for the web-based manager is 80.

Figure 21 shows a sample console screen when you enable the web-based manager, using TCP port number 80.

Figure 21 enable web command

    PP1612G:4#enable web 80
    Command: enable web 80
    Success.
    PP1612G:4#

Disabling the Web-based manager

To disable connections between a remote management station's web browser and the web-based management agent built into the switch, use the following command:

    disable web

Figure 22 shows a sample console screen when you disable the web-based manager.

Figure 22 disable web command

    PP1612G:4#disable web
    Command: disable web
    Success.
    PP1612G:4#

Saving the current switch configuration to NV-RAM

To save the current switch configuration to the switch's non-volatile RAM, use the following command:

    save

Figure 23 shows a sample console screen when you save the current switch configuration to NV-RAM.

Figure 23 save command

    PP1612G:4#save
    Command: save
    Saving all settings to NV-RAM........ Done.
    PP1612G:4#

Managing files

Trivial File Transfer Protocol (TFTP) services allow the switch's firmware to be upgraded by transferring a new firmware file from a TFTP server to the switch. A configuration file can also be loaded into the switch from a TFTP server, switch settings can be saved to the TFTP server, and a history log can be uploaded from the switch to the TFTP server.

This section describes the download/upload commands in the Command Line Interface (CLI) along with the appropriate parameters.

Topic                                             Page
Downloading switch firmware                       67
Downloading a configuration file                  67
Uploading a configuration file to a TFTP server   69
Uploading a log file to a TFTP server             70

Downloading switch firmware

To download switch firmware, use the following command:

    download firmware <ipaddr> <path_filename 64>

where:

ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the remote TFTP server. The path filename can be up to 64 characters.

Note: If you download the switch firmware via the PP1612G/24G out-of-band management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file transfer. TFTP server software is a part of many network management software packages, or you can obtain it as a separate program.
For example, to download and install a new switch firmware file from a remote TFTP server with IP address 10.20.20.128, stored on the server's hard drive at C:\firmware.had, enter the following command:

    download firmware 10.20.20.128 C:\firmware.had

Downloading a configuration file

To download a configuration file, use the following command:

    download configuration <ipaddr> <path_filename 64>

where:

ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the configuration file on the remote TFTP server. The path filename can be up to 64 characters.

This command includes the following option:

download configuration <ipaddr> <path_filename 64> followed by:

increment   Allows a configuration file to be downloaded that will only make changes explicitly stated in the file. All other configuration settings on the switch will remain unchanged.

Note: If you download the switch firmware via the PP1612G/24G out-of-band management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file transfer. TFTP server software is a part of many network management software packages, or you can obtain it as a separate program.

Figure 24 shows how to download a configuration file named c:\cfg\setting.txt from the TFTP server at IP address 10.48.74.121:

Figure 24 download configuration command

    PP1612G:4# download configuration 10.48.74.121 c:\cfg\setting.txt
    Command: download configuration 10.48.74.121 c:\cfg\setting.txt
    Connecting to server................... Done.
    Download configuration............. Done.
    PP1612G:4#

Uploading a configuration file to a TFTP server

To upload the current switch configuration settings to a remote TFTP server, enter the following command:

    upload configuration <ipaddr> <path_filename 64> <append_account>

where:

ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP server that will receive the configuration file from the switch. The path filename can be up to 64 characters.
append_account instructs the switch to upload user account information, including passwords, to the TFTP server. The passwords in the uploaded configuration file will be encrypted using a key that is unique to the Passport 1600 series switches. Only a Passport 1600 series switch has the key necessary to decrypt passwords that are uploaded using the append_account command, and the encrypted passwords will only be decrypted when a configuration file is downloaded to the switch.

Note: If you download the switch firmware via the PP1612G/24G out-of-band management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file transfer. TFTP server software is a part of many network management software packages, or you can obtain it as a separate program.

Figure 25 shows how to upload a switch configuration file named c:\cfg\cfg.txt to a remote TFTP server at IP address 10.48.74.121.

Figure 25 upload configuration command

    PP1612G:4# upload configuration 10.48.74.121 c:\cfg\cfg.txt
    Command: upload configuration 10.48.74.121 c:\cfg\cfg.txt
    Connecting to server................... Done.
    Upload configuration...................Done.
    PP1612G:4#

Uploading a log file to a TFTP server

To upload a log file to a remote TFTP server, use the following command:

    upload log <ipaddr> <path_filename 64> <append_account>

where:

ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP server that will receive the log file from the switch.

Note: If you download the switch firmware via the PP1612G/24G out-of-band management port, the TFTP server must be on the same IP subnet as the switch.

The TFTP server must be running TFTP server software to perform the file transfer. TFTP server software is a part of many network management software packages, or you can obtain it as a separate program.

Figure 26 shows how to upload a log file named c:\cfg\log.txt to a remote TFTP server at IP address 10.48.74.121.

Figure 26 upload log command

    PP1612G:4# upload log 10.48.74.121 c:\cfg\log.txt
    Command: upload log 10.48.74.121 c:\cfg\log.txt
    Connecting to server................... Done.
    Upload log .............................Done.
    PP1612G:4#

Rebooting the switch

To reboot the switch, use the following command:

    reboot

Figure 27 shows a sample console screen when you reboot the switch.

Figure 27 reboot command

    PP1612G:4#reboot
    Command: reboot
    If you do not save the settings, all changes made will be lost.
    Are you sure you want to proceed with the system reboot (y/n)?
    Please wait, the switch is rebooting...
Boot Procedure 0.00.001
Power On Self Test ........................ 100%
MAC Address : 00-05-5D-11-F9-20
H/W Version : 2B1
Please wait, loading Runtime image ........ 100%

Resetting the switch

To reset the switch's configuration to the factory defaults (except the system IP address, log history and TDP), use the following command:

reset

This command takes one of the following parameters:

reset followed by:
config    Resets the agent to the default settings, except the history log and TDP.
system    Resets the agent to the default settings, except the history log. The switch then performs a factory reset, saves, and reboots.

Figure 28 shows a sample console screen when you reset the switch configuration.

Figure 28 reset config command
PP1612G:4#reset config
Command: reset config
Warning! Switch will be reset to factory defaults
Are you sure you want to proceed with a reset (y/n)?
Success.

Logging in to the switch

To log in to the switch, use the following command:

login

Figure 29 shows a sample console screen when you initiate the login procedure on the switch.

Figure 29 login command
PP1612G:4#login
Command: login
UserName:

Logging out of the switch

To log out of the switch, use the following command:

logout

Figure 30 shows a sample console screen when you log out of the switch.

Figure 30 logout command
PP1612G:4#logout

Chapter 3 Configuring ports

This chapter describes the CLI commands that you can use to set the speed, flow control, MAC address learning, and the state (enabled or disabled) for a port or range of ports on the switch. It includes the following topics:
• Roadmap of port configuration CLI commands
• Configuring ports

Roadmap of port configuration CLI commands

The following roadmap lists some of the port configuration commands and their parameters.
Use this list as a quick reference when configuring ports.

Command                   Parameter
config ports <portlist>   all
                          speed [auto|10_half|10_full|100_half|100_full|1000_full]
                          flow_control [enabled|disabled]
                          learning [enabled|disabled]
                          state [enabled|disabled]
show ports                <portlist>
config mgmt_port          speed [auto|10_half|10_full|100_half|100_full|1000_full]
                          flow_control [enabled|disabled]
                          learning [enabled|disabled]
                          state [enabled|disabled]

Configuring ports

To configure the ports on the switch, use the following command:

config ports <portlist>

where:
portlist specifies the ports that you want to configure. To enter a contiguous group of ports, enter the lowest port number in the group, a dash, and the highest port number in the group. For example, to enter a group that includes switch ports 1, 2, and 3, enter 1-3. To enter ports that are not part of a group, separate the entries with a comma. For example, port group 1-3 and port 26 are entered as 1-3, 26.

This command includes the following options:

config ports <portlist> followed by:
all    Applies the command to all ports on the switch.
speed [auto|10_half|10_full|100_half|100_full|1000_full]    Sets the speed, in Mbps, and the duplex mode, full or half, that the port uses to make a link.
    Note: Setting a speed/duplex combination that a port does not support results in a failed operation. For example, setting a 10/100BaseT port on a Passport 1648 to 1000_full results in a failed operation.
flow_control [enabled|disabled]    Enables or disables flow control for the specified ports.
learning [enabled|disabled]    Enables or disables MAC address learning for the specified ports.
state [enabled|disabled]    Enables or disables forwarding of frames on the specified ports.

Figure 31 shows how to set ports 1, 2, and 3 to 10 Mbps full duplex, with MAC address learning and frame forwarding enabled.

Figure 31 config ports command
PP1648T:4# config ports 1-3 speed 10_full learning enabled state enabled
Command: config ports 1-3 speed 10_full learning enabled state enabled
Success.
PP1648T:4#

Displaying the current port configuration

To display the current port configuration, use the following command:

show ports

This command has one optional parameter:

show ports followed by:
<portlist>    Specifies the ports to display. Without a port list, the command displays all ports.

Figure 32 shows the current configuration of the switch ports.

Figure 32 show ports command
PP1612G:4#show ports
Port   Port Settings                    Connection               Address
       State    Speed/Duplex/FlowCtrl   Speed/Duplex/FlowCtrl    Learning
----   -------- ----------------------  -----------------------  --------
1      Enabled  Auto/Disabled           Link Down                Enabled
2      Enabled  Auto/Disabled           Link Down                Enabled
3      Enabled  Auto/Disabled           Link Down                Enabled
4      Enabled  Auto/Disabled           Link Down                Enabled
5      Enabled  Auto/Disabled           Link Down                Enabled
6      Enabled  Auto/Disabled           Link Down                Enabled
7      Enabled  Auto/Disabled           Link Down                Enabled

Configuring the management port — 1612G and 1624G

This section applies only to the Passport 1612G and 1624G switches, which have a dedicated copper Ethernet management port in addition to the fiber optic ports, for the convenience of the network administrator. Other switches in the Passport 1600 Series do not have a dedicated copper management port.
To configure the copper management port on the 1612G and 1624G switches, use the following command:

config mgmt_port

This command includes the following options:

config mgmt_port followed by:
speed [auto|10_half|10_full|100_half|100_full|1000_full]    Sets the speed, in Mbps, and the duplex mode, full or half, that the management port uses to make a link.
    Note: Setting a speed/duplex combination that the port does not support results in a failed operation.
flow_control [enabled|disabled]    Enables or disables flow control on the management port.
state [enabled|disabled]    Enables or disables forwarding of frames on the management port. If the dedicated management port is not connected to a management network, leave it disabled so that it cannot serve as an unmonitored path into the switch.

Figure 33 shows how to configure the dedicated management port to 100 Mbps full duplex with frame forwarding enabled.

Figure 33 config mgmt_port command
PP1612G:4# config mgmt_port speed 100_full state enabled
Command: config mgmt_port speed 100_full state enabled
Success.
PP1612G:4#

Displaying the current management port configuration

To display the current management port configuration, use the following command:

show mgmt_port

This command contains no additional options. Figure 34 shows the current configuration of the management port.

Figure 34 show mgmt_port command
PP1612G:4#show mgmt_port
Port Settings                    Connection
State    Speed/Duplex/FlowCtrl   Speed/Duplex/FlowCtrl
-------- ----------------------  ---------------------
Enabled  Auto/Disabled           Link Down

Chapter 4 Configuring Spanning Tree

The IEEE 802.1D Spanning Tree Protocol (STP) allows links between switches that form loops within the network to be blocked.
When it detects multiple links between switches, it establishes a primary link. Duplicate links are then blocked and become standby links. STP also allows you to use these duplicate links in the event of a failure of the primary link. The reactivation of the blocked links is done automatically, without operator intervention.

STP operates on two levels:
• Switch level, where the settings are implemented globally
• Port level, where the settings are implemented on a per user-defined STP group basis

This chapter describes the commands you use to configure, enable and disable STP, and show STP ports. Specifically, it includes the following topics:
• Roadmap of Spanning Tree CLI commands
• Configuring STP
• Enabling STP on the switch
• Disabling STP on the switch
• Displaying STP status on the switch
• Displaying STP port group status

Roadmap of Spanning Tree CLI commands

The following roadmap lists all of the STP commands and their parameters. Use this list as a quick reference.

Command          Parameter
config stp       ports <portlist>
                 maxage <value>
                 hellotime <value>
                 forwarddelay <value>
                 priority <value>
                 fbpdu [enable|disable]
enable stp
disable stp
show stp
show stp ports   <portlist>

Configuring STP

To configure STP on the switch, use the following command:

config stp

This command uses the following options:

config stp followed by:
ports <portlist>    Specifies a range of ports for which you wish to configure STP. You specify ports by entering the lowest port number in a group, then the highest port number, separated by a dash. For example, you enter a port group including switch ports 1, 2, and 3 as 1-3. You specify ports that are not contained within a group by entering their port numbers, separated by a comma.
    Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
maxage <value>    The maximum time, in seconds, that the switch waits without receiving a BPDU before reconfiguring STP. The default is 20 seconds.
hellotime <value>    The interval, in seconds, between transmissions of STP configuration messages by the root device. The default is 2 seconds.
forwarddelay <value>    The time, in seconds, that a port spends in each of the listening and learning states before it transitions to forwarding. The default is 15 seconds.
    The three timers must satisfy 2 x (forwarddelay - 1) >= maxage >= 2 x (hellotime + 1), as IEEE 802.1D requires; the values in Figure 35 (maxage 18, hellotime 4, forwarddelay 15) do.
priority <value>    A numerical value between 0 and 65535 that STP uses to determine the root device, root port, and designated port. The device with the highest priority becomes the root device. The lower the numerical value of the STP priority for a given device or port, the higher the priority for that device or port. The default is 32768. Any device that advertises a better (lower) priority than the intended root takes over as root and redirects the forwarding topology, so give the lowest value only to the switch you intend to be root and never to switches at the edge of the network.
fbpdu [enable|disable]    Enables or disables the forwarding of STP BPDU (Bridge Protocol Data Unit) packets received from other network devices while STP is disabled on this switch. The default is enabled. Leave it enabled if STP is disabled here but running on the switches around this one, so that their BPDUs still pass through; if it is disabled, the neighbouring switches cannot see each other through this switch and a loop through it goes undetected.

Figure 35 shows how to configure STP on the switch with a max age of 18 seconds and a hello time of 4 seconds.

Figure 35 config stp command
PP1648T:4# config stp maxage 18 hellotime 4
Command: config stp maxage 18 hellotime 4
Success.
PP1648T:4#

Enabling STP on the switch

To globally enable STP on the switch, use the following command:

enable stp

This command contains no parameters. Figure 36 shows how to globally enable STP on the switch.

Figure 36 enable stp command
PP1648T:4#enable stp
Command: enable stp
Success.
PP1648T:4#
Disabling STP on the switch

To globally disable STP on the switch, use the following command:

disable stp

This command contains no parameters. Figure 37 shows how to globally disable STP on the switch.

Figure 37 disable stp command
PP1648T:4# disable stp
Command: disable stp
Success.
PP1648T:4#

Displaying STP status on the switch

To display the global STP status of the switch, use the following command:

show stp

Figure 38 shows an example of the STP status display when STP is enabled. The Designated Root Bridge and Root Port fields tell you which device currently controls the topology; a root bridge MAC address you do not recognise is the first sign of a rogue or misconfigured switch.

Figure 38 show stp (enabled)
PP1648T:4# show stp
Command: show stp
STP Status             : Enabled
Max Age                : 18
Hello Time             : 4
Forward Delay          : 15
Priority               : 32768
Forwarding BPDU        : Enabled
Designated Root Bridge : 00-00-00-12-00-00
Root Priority          : 32768
Cost to Root           : 19
Root Port              : 33
Last Topology Change   : 13sec
Topology Changes Count : 0
PP1648T:4#

Figure 39 shows an example of the STP status display when STP is disabled.

Figure 39 show stp (disabled)
PP1648T:4# show stp
Command: show stp
STP Status      : Disabled
Max Age         : 18
Hello Time      : 4
Forward Delay   : 15
Priority        : 32768
Forwarding BPDU : Enabled
PP1648T:4#

Displaying STP port group status

To display the status of an STP port group, use the following command:

show stp ports

This command uses the following option:

show stp ports followed by:
<portlist>    Specifies the ports for which to display STP status. You specify ports by entering the lowest port number in a group, then the highest, separated by a dash. For example, you enter a port group including switch ports 1, 2, and 3 as 1-3. You enter ports that are not contained within a group by entering their port numbers, separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
Figure 40 shows how to display the status of an STP port group consisting of ports 1 through 9.

Figure 40 show stp ports command
PP1648T:4# show stp ports 1-9
Command: show stp ports 1-9
Port  Connection        State    Cost  Priority  Status      STP Name
----  ----------------  -------  ----  --------  ----------  --------
1     100M/Full/None    Enabled  *19   128       Forwarding  s0
2     Link Down         Enabled  *19   128       Disabled    s0
3     Link Down         Enabled  *19   128       Disabled    s0
4     Link Down         Enabled  *19   128       Disabled    s0
5     Link Down         Enabled  *19   128       Disabled    s0
6     Link Down         Enabled  *19   128       Disabled    s0
7     Link Down         Enabled  *19   128       Disabled    s0
8     Link Down         Enabled  *19   128       Disabled    s0
9     Link Down         Enabled  *19   128       Disabled    s0

Chapter 5 Security features

This chapter describes the CLI commands that you can use to set the security features of the switch. It includes the following topics:
• Roadmap of security features
• Password Protection
• System Log Messages
• Configuring Password aging
• Configuring the Switch's Secure Mode
• Secure Shell (SSH)
• Configuring Secure Shell (SSH)
• TACACS+

Roadmap of security features

The following roadmap lists the security configuration commands and their parameters.
Syslog commands

Command                         Parameter
enable syslog
disable syslog
show syslog
config syslog                   max_hosts <int 1-10>
create syslog host <slog_id>    severity [informational|warning|error|fatal|all]
                                facility [local0|local1|local2|local3|local4|local5|local6|local7]
                                udp_port <int 514-530>
                                ipaddress <ipaddr>
                                state [enabled|disabled]
config syslog host <slog_id>    severity [informational|warning|error|fatal|all]
                                facility [local0|local1|local2|local3|local4|local5|local6|local7]
                                udp_port <int 514-530>
                                ipaddress <ipaddr>
                                state [enabled|disabled]
delete syslog host              <slog_id> | all

SSH commands

Command                         Parameter
config ssh algorithm            [3DES|AES128|AES192|AES256|arcfour|blowfish|cast128|twofish128|twofish192|twofish256|MD5|SHA1|RSA|DSA] [enabled|disabled]
show ssh algorithm
config ssh authmode             [password|publickey|hostbased] [enabled|disabled]
show ssh authmode
config ssh user <username>      authmode [publickey|password|hostbased]
                                hostname <domain_name 31>
                                hostname_ip <domain_name 31> <ipaddr>
show ssh user
config ssh server               maxsession <int 1-3>
                                timeout <sec 1-120>
                                authfail <int 2-20>
                                rekey [10min|30min|60min|never]
                                port <tcp_port_number 1-65535>
enable ssh
disable ssh
show ssh server
config ssh regenerate hostkey

Of the algorithms the switch can enable, arcfour, 3DES and blowfish among the ciphers and MD5 among the MACs are considered weak today; disable them with config ssh algorithm and keep the AES ciphers and SHA1 where your clients support them. Regenerating the host key (config ssh regenerate hostkey) invalidates the fingerprint your SSH clients have cached, so distribute the new fingerprint out of band rather than training operators to accept a changed key.

TACACS+ commands

Command                              Parameter
enable authentication
disable authentication
config authentication login          [console|telnet|ssh|web|all] [tacacs+|local|none]
config authentication admin          [console|ssh|telnet|all] [tacacs+|local|none]
config login_authen                  response_timeout <sec 1-255>
show authentication
create tacacs+_server <ip_address>   tcp_port <int 1-65535>
                                     key <string 254>
                                     timeout <sec 1-255>
config tacacs+_server <ip_address>   tcp_port <int 1-65535>
                                     key <string 254>
                                     timeout <sec 1-255>
delete tacacs+_server <ip_address>
show tacacs+_server
enable admin
config admin local_password          <password 8-15>

The none method performs no authentication for the access type it is applied to; use it, if at all, only on the console.

Password Protection

The password security features allow you to restrict access to the switch. Network managers have restricted access to the control path; users have restricted access to the data path. The network administrator can log in to a Passport 1600 Series switch and configure passwords through the CLI.

The Passport 1600 Series switch supports multi-level access with the use of different logins and passwords. A local database stores the user name, password and privilege level of each account. All Web and CLI logins check the user name and password against the information in the database.

Password format

The following rules apply when creating or modifying passwords:
• You may use only alphanumeric characters; special characters are not allowed in passwords.
• Passwords must be eight characters or longer.
• Administrator and User level access, with different logins and passwords, are supported.
• Logins are rejected after three invalid attempts.
• If the switch is operating in secure mode, a password history is maintained for each user account. The last 5 passwords for a given user account are kept in this history, and the switch prevents the administrator from re-assigning any of these 5 previously assigned passwords to the user's account.
• If a user fails to log in three consecutive times because of an incorrect user name or password, the switch denies the Telnet session. Telnet sessions from that source IP address are denied for three minutes.

Because the character set is restricted to letters and digits, the length of a password is what carries its strength; use the full length the command allows (config admin local_password accepts 8 to 15 characters) rather than the eight-character minimum.
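The rules under "Password format" above, written out as code, as an added example that is not the switch's own implementation (which is not published): PasswordPolicy applies the character-set, length and secure-mode history rules, and LoginGate applies the three-failures, three-minute per-source lockout. The 15-character upper bound is taken from the <password 8-15> parameter of config admin local_password in the roadmap; the history stores salted hashes rather than plaintext, which the page does not specify and is a choice made here. The clock is injectable so the lockout expiry can be exercised without waiting.

```python
"""Password rules and per-source lockout from "Password format", as code.
Added example, not Nortel code."""
import hashlib
import os
import re
import time
from collections import defaultdict, deque

MIN_LEN, MAX_LEN = 8, 15      # MAX_LEN assumed from <password 8-15> in the roadmap
HISTORY_DEPTH = 5             # secure mode remembers the last 5 passwords
MAX_FAILURES = 3              # three consecutive failures ...
LOCKOUT_SECONDS = 180         # ... deny the source IP for three minutes
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def _digest(password, salt):
    # Salted, iterated hash so the history never holds plaintext; the
    # iteration count is kept low only so this example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class PasswordPolicy:
    def __init__(self, secure_mode=True):
        self.secure_mode = secure_mode
        self._history = defaultdict(lambda: deque(maxlen=HISTORY_DEPTH))

    def check(self, username, candidate):
        """Return the list of rule violations; an empty list means accepted."""
        problems = []
        if len(candidate) < MIN_LEN:
            problems.append("shorter than %d characters" % MIN_LEN)
        if len(candidate) > MAX_LEN:
            problems.append("longer than %d characters" % MAX_LEN)
        if not _ALNUM.match(candidate):
            problems.append("contains non-alphanumeric characters")
        if self.secure_mode and any(
            _digest(candidate, salt) == stored for salt, stored in self._history[username]
        ):
            problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
        return problems

    def set_password(self, username, candidate):
        """Apply the rules; on success record the password in the history."""
        problems = self.check(username, candidate)
        if not problems:
            salt = os.urandom(16)
            self._history[username].append((salt, _digest(candidate, salt)))
        return problems


class LoginGate:
    """Per-source-IP lockout: three consecutive failures deny the source
    for three minutes; a success clears the counter."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)
        self._denied_until = {}

    def is_denied(self, source_ip):
        until = self._denied_until.get(source_ip)
        if until is None:
            return False
        if self._clock() >= until:        # lockout expired: start clean
            del self._denied_until[source_ip]
            self._failures[source_ip] = 0
            return False
        return True

    def record(self, source_ip, success):
        """Record a login outcome; True if this attempt triggered a lockout."""
        if success:
            self._failures[source_ip] = 0
            return False
        self._failures[source_ip] += 1
        if self._failures[source_ip] >= MAX_FAILURES:
            self._denied_until[source_ip] = self._clock() + LOCKOUT_SECONDS
            return True
        return False


if __name__ == "__main__":
    policy = PasswordPolicy(secure_mode=True)
    print(policy.set_password("admin", "pass-word1"))   # rejected: not alphanumeric
    print(policy.set_password("admin", "Passw0rd1"))    # accepted: []
    print(policy.set_password("admin", "Passw0rd1"))    # rejected: in history
```

Two details worth checking against any real implementation of these rules: the history must be bounded (here the deque evicts the sixth-oldest entry, so a password becomes reusable after five changes, which is exactly what the rule says), and the lockout must be keyed on the source address rather than the user name, otherwise an attacker can lock the administrator out remotely by failing three logins as admin.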
System Log Messages

On any UNIX-based management platform, you can use the syslog messaging feature of the Passport 1600 Series switch to manage event messages. The Passport syslog software communicates with a server component named syslogd on your management workstation. The UNIX daemon syslogd receives and locally logs, displays, prints and/or forwards messages that originate from sources internal and external to the workstation. For example, syslogd on a UNIX workstation concurrently handles messages received from applications running on the workstation and messages received from a Passport 1600 Series switch on a network accessible to the workstation.

Receiving system log messages

At a remote management workstation, the system log messaging feature does the following:
• Receives system log messages from the Passport switch.
• Examines the severity code in each message.
• Uses the severity code to determine the appropriate handling for each message.
• Based on the severity code in each message, dispatches each message to any or all of the following destinations:
  • Workstation display
  • Local log file
  • One or more remote hosts

Internally the Passport 1600 Series switch has four severity levels for log messages:
• Info
• Warning
• Critical
• Error

Table 4 shows the default mapping of internal severity levels to syslog severity levels.

Table 4 Default severity levels and system log severity levels
UNIX system error code   System log severity level   Internal Passport severity level
0                        Emergency                   -
1                        Alert                       -
2                        Critical                    Critical
3                        Error                       Error
4                        Warning                     Warning
5                        Notice                      -
6                        Info                        Info
7                        Debug                       -

Table 5 shows the Info log messages.

Table 5 Info log messages
Log ID   Log Message
200      System up
306      Port <port> autonegotiation successful
300      Port <port> link up <speed> <duplex_mode>
301      Port <port> link down
302      Port <port> enabled (Username: <user> from <UI>)
303      Port <port> disabled (Username: <user> from <UI>)
307      Port <port> configuration modified (Username: <user> from <UI>)
401      Successful login through Console (Username: <user> from <UI>)
407      Successful login through Web <remote IP> (Username: <user>)
413      Successful login through Telnet <remote IP> (Username: <user>)
419      Successful login through SSH <remote IP> (Username: <user>)
1703     Successful authentication through SSH <remote IP> (Username: <user>)
404      Logout through Console (Username: <user>)
416      Logout through Telnet <remote IP> (Username: <user>)
422      Logout through SSH <remote IP> (Username: <user>)
405      Console session time out (Username: <user>)
417      TELNET session time out <remote IP> (Username: <user>)
423      SSH session time out <remote IP> (Username: <user>)
201      Configuration saved to flash (Username: <user> from <UI>)
202      Firmware upgraded successfully (Username: <user> from <UI>)
Table 5 Info log messages (continued)
Log ID   Log Message
204      Configuration successfully downloaded (Username: <user> from <UI>)
206      Configuration successfully uploaded (Username: <user> from <UI>)
208      Log message successfully uploaded (Username: <user> from <UI>)
600      Topology changed
601      New root selected <MAC>
602      Spanning Tree Protocol is enabled (Username: <user> from <UI>)
603      Spanning Tree Protocol is disabled (Username: <user> from <UI>)
604      Spanning Tree configuration modified (Username: <user> from <UI>)
605      Spanning Tree port configuration modified (Username: <user> from <UI>)
700      VLAN <ID> created successfully (Username: <user> from <UI>)
701      VLAN <ID> modified successfully (Username: <user> from <UI>)
702      VLAN <ID> deleted successfully (Username: <user> from <UI>)
304      Management Port link up <speed> <duplex_mode>
305      Management Port link down
212      Primary Power ON
213      Primary Power OFF
214      Redundant Power ON
215      Redundant Power OFF
800      RIP is enabled (Username: <user> from <UI>)
801      RIP is disabled (Username: <user> from <UI>)
802      RIP configuration modified (Username: <user> from <UI>)
900      OSPF is enabled (Username: <user> from <UI>)
901      OSPF is disabled (Username: <user> from <UI>)
902      OSPF Interface state change: rtid: <router_id>, ipa: <If_IP>, lesIf: <less_if>, <old_state> -> <new_state>
903      OSPF Virtual Interface state change: rtid: <router_id>, vir-area: <area_id>, vir-neibor: <neibor>, <old_state> -> <new_state>
904      OSPF Nbr state change: rtid: <router_id>, nbr-ipa: <If_IP>, nbr-lessIndex: <less_index>, nbr-rtid: <rtrid>, <old_state> -> <new_state>
905      OSPF Virtual Nbr state change: rtid: <router_id>, vir-nbr-area: <area_id>, vir-nbr-rtid: <rtrid>, <old_state> -> <new_state>
906      OSPF MD5 authentication modified (Username: <user> from <UI>)
907      OSPF configuration modified (Username: <user> from <UI>)
Table 5 Info log messages (continued)
Log ID   Log Message
1300     Template <ID> modified (Username: <user> from <UI>)
1301     VLAN <ID> attached to Template (Username: <user> from <UI>)
1302     VLAN <ID> detached from Template (Username: <user> from <UI>)
1500     User <user> account created (Username: <user> from <UI>)
1501     User <user> password modified (Username: <user> from <UI>)
1502     User <user> account deleted (Username: <user> from <UI>)
1400     SYSLOG enabled (Username: <user> from <UI>)
1401     SYSLOG configuration modified (Username: <user> from <UI>)
1402     SYSLOG disabled (Username: <user> from <UI>)
424      TELNET server enabled (Username: <user> from <UI>)
425      TELNET configuration modified (Username: <user> from <UI>)
426      TELNET server disabled (Username: <user> from <UI>)
1700     SSH server enabled (Username: <user> from <UI>)
1701     SSH configuration modified (Username: <user> from <UI>)
1702     SSH server disabled (Username: <user> from <UI>)
501      SNMP configuration modified (Username: <user> from <UI>)
400      Login successfully through Console authenticated by TACACS+ server <IP> (Username: <user>)
406      Login successfully through WEB from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
412      Login successfully through TELNET from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
418      Login successfully through SSH from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
1200     Authentication enabled by user (Username: <user> from <UI>)
1201     Authentication disabled by user (Username: <user> from <UI>)
216      Log table cleared (Username: <user> from <UI>)
1000     IGMP SNOOPING enabled (Username: <user> from <UI>)
1001     IGMP SNOOPING disabled (Username: <user> from <UI>)
1002     IGMP SNOOPING configuration modified (Username: <user> from <UI>)
1100     IGMP configuration modified (Username: <user> from <UI>)
Table 5 Info log messages (continued)
Log ID   Log Message
1900     create <action - related command> (Username: <user> from <UI>)
1900     config <action - related command> (Username: <user> from <UI>)
1900     delete <action - related command> (Username: <user> from <UI>)
1900     show <action - related command> (Username: <user> from <UI>)
1900     clear <action - related command> (Username: <user> from <UI>)

Note that the messages that record who changed what (account creation and deletion, password changes, SYSLOG, TELNET, SSH and SNMP configuration changes, authentication being disabled, and the log table being cleared) are all Info level. A syslog host created with severity warning does not receive them; use severity all or informational on the host that feeds your audit trail.

Table 6 shows the Warning log messages.

Table 6 Warning log messages
Log ID   Log Message
403      Console login fail (Username: <user>)
409      Web login fail <remote IP> (Username: <user> from <UI>)
415      TELNET login fail <remote IP> (Username: <user> from <UI>)
421      SSH login fail <remote IP> (Username: <user> from <UI>)
1704     Failure to authenticate user through SSH <remote IP> (Username: <user> from <UI>)
500      SNMP request received from <remote IP> with invalid community string (Username: <user> from <UI>)
203      Firmware upgrade failed (Username: <user> from <UI>)
205      Configuration download failed (Username: <user> from <UI>)
207      Configuration upload failed (Username: <user> from <UI>)
209      Log message upload failed (Username: <user> from <UI>)
402      Login fail through Console authenticated by TACACS+ server <IP> (Username: <user>)
408      Login fail through WEB from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
414      Login fail through TELNET from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
420      Login fail through SSH from <remote IP> authenticated by TACACS+ server <IP> (Username: <user>)
1202     TACACS+ server <remote IP> connection fail
1206     TACACS+ server <IP> response is wrong
1207     TACACS+ doesn't support this functionality

The login-failure messages (403, 409, 415, 421, 1704, 402, 408, 414 and 420) and the invalid SNMP community message (500) are the ones to alert on at the syslog host; 1202 matters too, because a TACACS+ server that cannot be reached is what decides whether logins fall back to local accounts.

Table 7 shows the Critical log messages.
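Detection logic for the Warning messages in Table 6, as an added example that is not part of this guide: it parses lines as a syslog host would receive them, recovers facility and severity from the PRI prefix (facility x 8 + severity, the standard syslog encoding, which with facility local0 and the Table 4 mapping gives <132> for Warning and <134> for Info), matches the Table 6 login-failure and bad-community messages by their log ID, and raises an alert when one source reaches the switch's own lockout threshold of three failures. The sample lines are constructed from the Table 5 and 6 templates with the placeholders filled in; the exact on-the-wire line the switch emits (whether it adds a timestamp or hostname after the PRI) is not stated on this page, so the parser assumes the PRI is followed directly by the message text.

```python
"""Alert on Table 6 login failures and bad SNMP community strings as
received by a syslog host.  Added example, not Nortel code."""
import re
from collections import defaultdict

# Table 4: internal severity -> syslog severity code
PASSPORT_SEVERITY = {"Info": 6, "Warning": 4, "Error": 3, "Critical": 2}
LOCAL0 = 16  # facility codes 16..23 are local0..local7
LOGIN_FAIL_IDS = {403, 409, 415, 421, 402, 408, 414, 420}
SNMP_BAD_COMMUNITY = 500

# Table 6 messages of interest; <remote IP>, <IP> and <user> become groups.
PATTERNS = [
    (403, re.compile(r"^Console login fail \(Username: (?P<user>[^)\s]+)")),
    (409, re.compile(r"^Web login fail (?P<ip>\S+) \(Username: (?P<user>[^)\s]+)")),
    (415, re.compile(r"^TELNET login fail (?P<ip>\S+) \(Username: (?P<user>[^)\s]+)")),
    (421, re.compile(r"^SSH login fail (?P<ip>\S+) \(Username: (?P<user>[^)\s]+)")),
    (402, re.compile(r"^Login fail through Console authenticated by TACACS\+ server "
                     r"(?P<tacacs>\S+) \(Username: (?P<user>[^)\s]+)")),
    (408, re.compile(r"^Login fail through WEB from (?P<ip>\S+) authenticated by "
                     r"TACACS\+ server (?P<tacacs>\S+)")),
    (414, re.compile(r"^Login fail through TELNET from (?P<ip>\S+) authenticated by "
                     r"TACACS\+ server (?P<tacacs>\S+)")),
    (420, re.compile(r"^Login fail through SSH from (?P<ip>\S+) authenticated by "
                     r"TACACS\+ server (?P<tacacs>\S+)")),
    (500, re.compile(r"^SNMP request received from (?P<ip>\S+) with invalid community string")),
]
_PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def split_pri(value):
    """Inverse of pri(): (facility, severity)."""
    return divmod(value, 8)


def parse_line(line):
    """Return an event dict for one line, or None if it has no PRI prefix.
    Console events have no remote address, so ip defaults to 'console'."""
    m = _PRI.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m["pri"]))
    event = {"facility": facility, "severity": severity, "log_id": None,
             "ip": "console", "user": None, "msg": m["msg"]}
    for log_id, pat in PATTERNS:
        pm = pat.match(m["msg"])
        if pm:
            event["log_id"] = log_id
            event.update({k: v for k, v in pm.groupdict().items() if v})
            break
    return event


def detect(lines, threshold=3):
    """Alert when a source reaches `threshold` failed logins (the switch's
    lockout threshold) and on every invalid SNMP community string.
    Returns (alerts, failures-per-source)."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["log_id"] in LOGIN_FAIL_IDS:
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == threshold:
                alerts.append(("login-failures", ev["ip"], ev["user"]))
        elif ev["log_id"] == SNMP_BAD_COMMUNITY:
            alerts.append(("snmp-bad-community", ev["ip"], None))
    return alerts, dict(failures)


# Constructed sample traffic from a syslog host configured with facility local0.
SAMPLE_LINES = [
    "<132>TELNET login fail 10.48.74.200 (Username: admin from TELNET)",
    "<132>TELNET login fail 10.48.74.200 (Username: admin from TELNET)",
    "<134>Successful login through Telnet 10.48.74.121 (Username: admin)",
    "<132>SSH login fail 10.48.74.200 (Username: root from SSH)",
    "<132>SNMP request received from 10.48.74.77 with invalid community string (Username:  from SNMP)",
    "<132>TELNET login fail 10.48.74.200 (Username: admin from TELNET)",
    "<132>Console login fail (Username: admin)",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES)[0]:
        print(alert)
```

The counter is keyed on the source address, mirroring the switch's own lockout, and it fires once when the threshold is reached rather than on every further failure, so a sustained attempt produces one alert per source rather than a flood.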
Table 7 Critical log messages
Log ID   Log Message
102      Error in PSS, phy link is up, but PSS link is down
100      CPU hang

Table 8 shows the Error log messages.

Table 8 Error log messages
Log ID   Log Message
1203     TACACS+ module allocated memory fail
1205     TACACS+ socket API occurs some errors
1208     TACACS+ internal fatal error

The following sections detail the CLI commands used to configure syslog on the switch.

Creating a Syslog host

To create a new syslog host on the switch, use the following command:

create syslog host

This command includes the following options:

create syslog host followed by:
<slog_id>    An index number that identifies the syslog host when more than one syslog host is created on the switch.
severity    Severity level indicator. Enter one of the following after the severity parameter to tell the switch which messages to send to the remote host:
    informational - informational messages (Table 5) are sent to the remote host.
    warning - warning messages (Table 6) are sent to the remote host.
    error - error messages (Table 8) are sent to the remote host.
    fatal - fatal messages are sent to the remote host. The switch maps the Critical (Table 7) and Emergency messages to this severity level.
    all - all of the above categories of messages are sent to the remote host.
facility    The syslog facility with which the switch tags the messages it sends to this host. Some operating system daemons and processes have been assigned facility values.
Processes and daemons that have not been explicitly assigned a facility may use any of the "local use" facilities or the "user-level" facility. The designated facilities are listed below; the switch currently supports only the local use facilities, codes 16 to 23.

Numerical Code   Facility
0                kernel messages
1                user-level messages
2                mail system
3                system daemons
4                security/authorization messages
5                messages generated internally by syslogd
6                line printer subsystem
7                network news subsystem
8                UUCP subsystem
9                clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon
16               local use 0 (local0)
17               local use 1 (local1)
18               local use 2 (local2)
19               local use 3 (local3)
20               local use 4 (local4)
21               local use 5 (local5)
22               local use 6 (local6)
23               local use 7 (local7)

The facility does not select which messages are sent (severity does that); it is the label the syslog host uses to route the switch's messages, for example into a file of their own. Choose a local facility that nothing else on the syslog host already uses.

create syslog host followed by:
    local0 - messages are tagged with local use 0, facility code 16.
    local1 - messages are tagged with local use 1, facility code 17.
    local2 - messages are tagged with local use 2, facility code 18.
    local3 - messages are tagged with local use 3, facility code 19.
    local4 - messages are tagged with local use 4, facility code 20.
    local5 - messages are tagged with local use 5, facility code 21.
    local6 - messages are tagged with local use 6, facility code 22.
    local7 - messages are tagged with local use 7, facility code 23.
udp_port <value 514-530>  Specifies the UDP port number that the syslog protocol will use to send messages to the remote host.
ipaddress <ipaddr>        Specifies the IP address of the remote host where syslog messages will be sent.
state [enabled|disabled]  Allows the sending of syslog messages to the remote host specified above to be enabled or disabled.

Figure 41 shows the creation of a Syslog host on the Switch.

Figure 41 create syslog host
:4#create syslog host 1 severity all facility local0
Command: create syslog host 1 severity all facility local0
Success.
:4#

Configuring a Syslog host

To configure a previously created Syslog host on the Switch, use the following command:

config syslog host

This command includes the following options:

config syslog host followed by:
<slog_id>  An index number used to identify the Syslog host when more than one Syslog host is created on the Switch.
severity   Severity level indicator. Enter one of the following keywords after the severity parameter on the command line to instruct the Switch which type of messages to send to the remote host.
    informational - specifies that informational messages will be sent to the remote host, as described in the table above.
    warning - specifies that warning messages will be sent to the remote host, as described in the table above.
    error - specifies that error messages will be sent to the remote host, as described in the table above.
    fatal - specifies that fatal messages will be sent to the remote host. The Switch maps the Critical and Emergency messages, as described in the table above, to this severity level.
    all - specifies that all of the above categories of messages will be sent to the remote host.
config syslog host followed by:
facility   Some of the operating system daemons and processes have been assigned Facility values. Processes and daemons that have not been explicitly assigned a Facility may use any of the "local use" facilities or they may use the "user-level" Facility. The designated Facilities are listed below. The values the Switch currently supports (shown in bold in the printed guide) are the local use facilities, numbers 16 through 23.

    Numerical Code  Facility
    0               kernel messages
    1               user-level messages
    2               mail system
    3               system daemons
    4               security/authorization messages
    5               messages generated internally by syslog
    6               line printer subsystem
    7               network news subsystem
    8               UUCP subsystem
    9               clock daemon
    10              security/authorization messages
    11              FTP daemon
    12              NTP subsystem
    13              log audit
    14              log alert
    15              clock daemon
    16              local use 0 (local0)
    17              local use 1 (local1)
    18              local use 2 (local2)
    19              local use 3 (local3)
    20              local use 4 (local4)
    21              local use 5 (local5)
    22              local use 6 (local6)
    23              local use 7 (local7)

    local0 - specifies that local use 0 messages will be sent to the remote host. This corresponds to number 16 from the list above.
    local1 - specifies that local use 1 messages will be sent to the remote host. This corresponds to number 17 from the list above.
    local2 - specifies that local use 2 messages will be sent to the remote host. This corresponds to number 18 from the list above.
    local3 - specifies that local use 3 messages will be sent to the remote host. This corresponds to number 19 from the list above.
    local4 - specifies that local use 4 messages will be sent to the remote host. This corresponds to number 20 from the list above.
    local5 - specifies that local use 5 messages will be sent to the remote host. This corresponds to number 21 from the list above.
    local6 - specifies that local use 6 messages will be sent to the remote host. This corresponds to number 22 from the list above.
    local7 - specifies that local use 7 messages will be sent to the remote host. This corresponds to number 23 from the list above.
udp_port <value 514-530>  Specifies the UDP port number that the syslog protocol will use to send messages to the remote host.
ipaddress <ipaddr>        Specifies the IP address of the remote host where syslog messages will be sent.
state [enabled|disabled]  Allows the sending of syslog messages to the remote host specified above to be enabled or disabled.

Figure 42 shows the configuration of a Syslog host on the Switch.

Figure 42 config syslog host
:4#config syslog host 1 severity all facility local0
Command: config syslog host 1 severity all facility local0
Success.
:4#

Configuring the maximum number of Syslog hosts

To configure the maximum number of Syslog hosts that can be created on the Switch, use the following command:

config syslog max_hosts

This command includes the following options:

config syslog max_hosts followed by:
<int 1-10>  The maximum number of Syslog hosts that can be created on the Switch. Entering ‘0’ instructs the Switch to prevent any Syslog hosts from being created. If there are any previously created Syslog hosts on the Switch and you enter the command config syslog max_hosts 0, then all existing syslog hosts will be deleted from the Switch when the command executes successfully.

Figure 43 shows the setting of 10 Syslog hosts as the maximum on the Switch.

Figure 43 config syslog max_hosts
:4#config syslog max_hosts 10
Command: config syslog max_hosts 10
Success.
:4#
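The severity and facility keywords given to create syslog host decide the PRI value that a syslog collector sees in front of every message from the Switch. The following added example (not part of the Nortel guide) relates the keywords above to that PRI value, decodes received lines back to facility and severity, and flags the Critical and Error messages from Tables 7 and 8 by their log ID; it assumes RFC 3164 "<PRI>" framing on the wire, and the timestamps, source address and the third sample message are constructed.

```python
"""Added example, not part of the Nortel manual: relate the 'create syslog
host ... severity <s> facility <f>' settings to the PRI value a collector
receives, and decode received lines back to facility, severity and (for the
messages in Tables 7 and 8) the manual's log ID. Assumes RFC 3164 '<PRI>'
framing on the wire; the sample lines are constructed."""
import re

# Facility codes from the manual's table; the Switch supports local0-local7.
FACILITY_CODES = {"local%d" % i: 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

# RFC 3164 numeric severities behind the manual's keywords. 'fatal' covers
# both Critical (2) and Emergency (0), as the manual states; 'all' covers
# every keyword. (Standard scale: 0 emerg, 2 crit, 3 err, 4 warning, 6 info.)
SEVERITY_KEYWORDS = {
    "fatal": {0, 2},
    "error": {3},
    "warning": {4},
    "informational": {6},
}
SEVERITY_KEYWORDS["all"] = set().union(*SEVERITY_KEYWORDS.values())

# Message texts and log IDs from Table 7 (critical) and Table 8 (error).
KNOWN_MESSAGES = {
    "CPU hang": 100,
    "Error in PSS, phy link is up, but PSS link is down": 102,
    "TACACS+ module allocated memory fail": 1203,
    "TACACS+ socket API occurs some errors": 1205,
    "TACACS+ internal fatal error": 1208,
}


def encode_pri(facility, severity):
    """PRI = facility code * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITY_CODES[facility] * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility code, severity)."""
    return pri // 8, pri % 8


def host_receives(severity_keyword, severity):
    """True if a host created with this 'severity' keyword gets a message
    of the given numeric severity."""
    return severity in SEVERITY_KEYWORDS[severity_keyword]


LINE_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_line(line):
    """Decode one received line; log_id is set when the text matches one of
    the Critical or Error messages the manual lists, so a collector can alert
    on them (for example the TACACS+ module failures in Table 8)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("no <PRI> framing: %r" % line)
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac_code, severity = decode_pri(pri)
    text = m.group(2).strip()
    log_id = next((lid for msg, lid in KNOWN_MESSAGES.items() if msg in text), None)
    return {
        "facility": FACILITY_NAMES.get(fac_code, fac_code),
        "severity": severity,
        "log_id": log_id,
        "text": text,
    }


def alert_log_ids(lines):
    """Log IDs of the listed Critical/Error messages found in received lines."""
    return [p["log_id"] for p in map(parse_line, lines) if p["log_id"] is not None]


# Constructed sample: what a collector might see from a host created with
# 'create syslog host 1 severity all facility local0'. Timestamp, source
# address and the third message are constructed; the first two message
# texts come from Tables 7 and 8.
SAMPLE_LINES = [
    "<%d>Mar  1 10:00:00 10.1.2.2 TACACS+ internal fatal error" % encode_pri("local0", 3),
    "<%d>Mar  1 10:00:05 10.1.2.2 CPU hang" % encode_pri("local0", 2),
    "<%d>Mar  1 10:00:09 10.1.2.2 user Johnson logged in" % encode_pri("local0", 6),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("alert on log IDs:", alert_log_ids(SAMPLE_LINES))   # [1208, 100]
```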
Deleting a Syslog host

To delete a previously created Syslog host on the Switch, use the following command:

delete syslog host

This command includes the following options:

delete syslog host followed by:
<slog_id>  An index number used to identify the Syslog host when more than one Syslog host is created on the Switch. There can be up to four Syslog hosts.
all        Specifies that all Syslog hosts created on the Switch will be deleted.

Figure 44 shows the deletion of all Syslog hosts on the Switch.

Figure 44 delete syslog host
:4#delete syslog host all
Command: delete syslog host all
Success.
:4#

Enabling a Syslog host

To enable a previously created Syslog host on the Switch, use the following command:

enable syslog

This command includes no additional options.

Figure 45 shows the enabling of a Syslog host on the Switch.

Figure 45 enable syslog
:4#enable syslog
Command: enable syslog
Success.
:4#

Disabling a Syslog host

To disable a previously created Syslog host on the Switch, use the following command:

disable syslog

This command includes no additional options.

Figure 46 shows the disabling of a Syslog host on the Switch.

Figure 46 disable syslog
:4#disable syslog
Command: disable syslog
Success.
:4#

Displaying the current Syslog configuration on the Switch

To display the current Syslog configuration on the Switch, use the following command:

show syslog

This command includes the following options:

show syslog followed by:
<slog_id>  An index number used to identify the Syslog host when more than one Syslog host is created on the Switch.
           There can be up to four Syslog hosts.

Figure 47 shows the display of the current Syslog host configuration on the Switch.

Figure 47 show syslog
:4#show syslog host
Command: show syslog
Global State: Enabled
Syslog Index  Host IP Address  Severity  Facility  UDP port  Status
------------  ---------------  --------  --------  --------  -------
1             10.1.2.1         Info      local2    520       Enabled
:4#

Enabling and disabling logging on the Switch

The Switch can log all CLI commands that a given user enters, both in a local log and through Syslog. The config log_state command allows you to turn the logging of CLI command entry on or off for a particular user account. If you disable the logging of CLI commands for a particular user account, both the local log and the Syslog will be disabled for that user. When CLI logging is enabled, it takes effect immediately. The default log state is enabled.

To disable the logging of all CLI commands issued by the user Johnson, use the following command:

config log_state Johnson disabled

This command includes the following options:

config log_state followed by:
<username>          The username assigned to the user account for which you want to enable or disable the logging of all CLI commands issued, in both the local log and Syslog.
enabled | disabled  Instructs the Switch to enable or disable the logging of all CLI commands for the user account specified by the <username> entered above.

Figure 48 shows the disabling of CLI command logging for the user account Johnson.

Figure 48 config log_state Johnson disabled
:4#config log_state Johnson disabled
Command: config log_state Johnson disabled
Success.
:4#

Uploading the Switch’s log and configuration to a TFTP server

The Switch can log all CLI commands that a given user enters.
The upload [configuration | log] command allows you to send a copy of the log (or the current Switch configuration) to a TFTP server on your network. In firmware release 1.0.1.1 or higher, you have the option of including user account information (user names, passwords, and admin/user-level status) in the configuration file that is uploaded to the TFTP server. The append_account parameter is used to add user account information to the configuration file. The Switch will automatically encrypt the passwords (using SSH-A1 with a non-user-changeable key stored in the switch) if the append_account parameter is specified. The only way to decrypt these passwords is to subsequently download this configuration file from the TFTP server to the Switch. So, the passwords assigned to the user accounts cannot be read from the text file the Switch uploads to the TFTP server.

To upload the Switch’s current configuration, including user account information, use the following command:

upload configuration 10.42.73.5 c:\cfg\config.txt append_account

This command includes the following options:

upload followed by:
configuration | log  Instructs the Switch to upload either its current configuration or its current log file.
<ipaddr>             The IP address of the TFTP server that will receive the configuration or log file.
<path_filename>      Specifies the location on the TFTP server where the configuration or log file will be uploaded to. This is in the form: c:\.
append_account       Instructs the Switch to include user account information in the configuration file.

Figure 49 shows the uploading of a configuration.

Figure 49 upload configuration
:4#upload configuration 10.42.73.5 c:\cfg\config.txt append_account
Command: upload configuration 10.42.73.5 c:\cfg\config.txt append_account
Connecting to server ........................... Done.
Upload Configuration ........................... Done.
:4#

Configuring Password aging

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow you to configure the maximum amount of time a password assigned to a user account is allowed to be in use. The default is 90 days. The Switch will give a warning message when the user logs in at the point where 75, 80, 85, 90, and 95% of the maximum password age time has expired.

To configure the maximum length of time a password assigned to a user account may be in use, use the following command:

config password_aging

This command includes the following options:

config password_aging followed by:
<day 1-999>  The maximum amount of time, in days, that a password assigned to a user account can be in use (valid). The default is 90 days. The user will be notified at login when 75 to 95% of this time has expired, in 5% increments. Entering ‘999’ instructs the Switch to disable password aging. If you enter the command config password_aging 999, password aging will be disabled on the Switch and no warning messages will be displayed.

Figure 50 shows the maximum amount of time a password assigned to a user account can be in use being set to 10 days.

Figure 50 config password_aging
:4#config password_aging day 10
Command: config password_aging day 10
Success.
:4#

Displaying the Password aging time

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow you to configure the maximum amount of time a password assigned to a user account is allowed to be in use. The default is 90 days. The Switch will give a warning message when the user logs in at the point where 75, 80, 85, 90, and 95% of the maximum password age time has expired.
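The warning thresholds described above can be checked from the administrator's side before users see them at login. The following added example (not part of the Nortel guide) reads the configured value out of show password_aging output in the form of Figure 51 and reports, for each account, how much of the maximum age has elapsed and which warning a login would trigger; the account names and password-set dates are constructed.

```python
"""Added example, not part of the Nortel manual: work out, per account, the
login warning that the configured 'config password_aging' value implies.
From the manual: the default is 90 days, '999' disables aging, and a warning
is given at login once 75, 80, 85, 90 and 95% of the maximum age has
expired. Parsing follows the 'show password_aging' output in Figure 51; the
account names and password-set dates below are constructed."""
import re
from datetime import date

DEFAULT_MAX_AGE_DAYS = 90
DISABLE_VALUE = 999                         # config password_aging 999
WARNING_PERCENTAGES = (75, 80, 85, 90, 95)

SHOW_RE = re.compile(r"Password Aging Time\s*:\s*(\d+)\s*day")


def validate_day(day):
    """Enforce the <day 1-999> range accepted by the command."""
    if not 1 <= day <= 999:
        raise ValueError("day must be between 1 and 999, got %r" % day)
    return day


def parse_show_password_aging(output):
    """Extract the configured number of days from 'show password_aging'."""
    m = SHOW_RE.search(output)
    if not m:
        raise ValueError("unrecognised show password_aging output: %r" % output)
    return validate_day(int(m.group(1)))


def warning_level(max_age_days, age_days):
    """Highest warning percentage reached at login, or None when aging is
    disabled (999) or less than 75% of the maximum age has elapsed."""
    if validate_day(max_age_days) == DISABLE_VALUE:
        return None
    used = 100.0 * age_days / max_age_days
    reached = [p for p in WARNING_PERCENTAGES if used >= p]
    return reached[-1] if reached else None


def audit_accounts(show_output, password_set_dates, today):
    """Report age, percentage of the maximum used and the login warning for
    each account (name -> date its password was last set). over_max only
    records that the age exceeds the configured maximum; the manual does not
    state what the Switch does at that point."""
    max_age = parse_show_password_aging(show_output)
    disabled = max_age == DISABLE_VALUE
    report = []
    for name, set_on in sorted(password_set_dates.items()):
        age = (today - set_on).days
        report.append({
            "account": name,
            "age_days": age,
            "percent_used": None if disabled else round(100.0 * age / max_age, 1),
            "warning": warning_level(max_age, age),
            "over_max": (not disabled) and age > max_age,
        })
    return report


# Constructed sample: the Figure 51 output (10 days), three accounts and the
# date of the audit.
SAMPLE_SHOW_OUTPUT = "Password Aging Time :10 day (s)"
SAMPLE_DATES = {
    "Johnson": date(2004, 3, 1),    # 8 days old on 2004-03-09: 80% used
    "SSHtest": date(2004, 3, 5),    # 4 days old: 40%, no warning yet
    "admin":   date(2004, 2, 27),   # 11 days old: beyond the 10-day maximum
}
SAMPLE_TODAY = date(2004, 3, 9)

if __name__ == "__main__":
    for row in audit_accounts(SAMPLE_SHOW_OUTPUT, SAMPLE_DATES, SAMPLE_TODAY):
        print(row)
```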
To display the currently configured maximum length of time a password assigned to a user account may be in use, use the following command:

show password_aging

This command includes no additional options.

Figure 51 shows the display of the currently configured maximum amount of time a password assigned to a user account can be in use.

Figure 51 show password_aging
:4#show password_aging
Command: show password_aging
Password Aging Time :10 day (s)
:4#

Configuring the Switch’s Secure Mode

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow you to specify a secure mode for the Switch as either normal or high. In the normal mode, the TELNET and SNMP remote management applications are enabled, while the SSH and WEB remote management applications are disabled. In the high mode, the SSH, TELNET, WEB and SNMP remote management and configuration applications are all disabled. Initially, when the Switch’s secure mode is set to high, only the RS-232 Console port can be used to manage and configure the Switch. You can, however, manually enable any of the remote management applications using the CLI over the RS-232 Console port.

Note: The config secure_mode [normal | high] command can only be entered from the Console application and cannot be entered from a remote management application, such as TELNET, SSH, or the Web-based configuration manager.

Note: After resetting the Passport 1600 Series switch, if the high secure mode was previously configured, the switch remains in high secure mode. To return to normal secure mode, you must manually disable the high secure mode. You can only perform this operation from the CLI.
To configure the Switch to close the SSH, TELNET, WEB, and SNMP remote management and configuration applications, use the following command:

config secure_mode high

This command includes the following options:

config secure_mode followed by:
normal  Specifies that the security configuration for the TELNET and SNMP remote management and configuration applications will be enabled, and that these applications can be used to manage and configure the Switch. The SSH and WEB remote management applications will be disabled. You can manually enable the SSH and WEB remote management applications at any time after issuing this command.
high    Specifies that the SSH, TELNET, WEB, and SNMP remote management and configuration applications will be disabled. When the Switch’s secure mode is set to high, only the RS-232 Console port can be used to manage and configure the Switch. You can manually enable SSH, TELNET, WEB and SNMP at any time after issuing this command.

Figure 52 shows the Switch’s secure mode being set to high. In this mode, only the RS-232 Console port can be used to manage and configure the Switch.

Figure 52 config secure_mode
:4#config secure_mode high
Command: config secure_mode high
Success.
:4#

Displaying the Switch’s current secure mode

The Passport 1600 Series Switches (firmware release 1.0.1.1 and higher) allow you to configure a secure mode for the Switch as either normal or high. In the normal mode, the security configuration is in effect, as entered. In the high mode, the SSH, TELNET, WEB and SNMP remote management and configuration applications are closed to all users. When the Switch’s secure mode is set to high, only the RS-232 Console port can be used to manage and configure the Switch.
To display the Switch’s current secure mode configuration, use the following command:

show secure_mode

This command includes no additional options.

Figure 53 shows the display of the Switch’s currently configured secure mode.

Figure 53 show secure_mode
:4#show secure_mode
Command: show secure_mode
Secure Mode : High
:4#

Secure Shell (SSH)

Secure Shell (SSH) is a client/server protocol that specifies the way to conduct secure communications over a network. Secure CoPy is a secure file transfer protocol. When using other methods of remote access, such as Telnet or FTP, the traffic generated by these utilities is not encrypted. Anyone that can see the network traffic can see all data, including passwords and user names. SSH can replace Telnet and other remote logon utilities.

SSH supports a variety of the many different public/private key encryption schemes available. Using the public key of the host server, the client and server negotiate to generate a session key known only to the client and the server. This one-time key is then used to encrypt all traffic between the client and the server. Even if network security is compromised, traffic cannot be played back or decrypted, and the connection cannot be hijacked. The secure channel of communication provided by SSH does not provide protection against break-in attempts or denial-of-service (DoS) attacks.

Note: the Passport 1600 Series Switches support only SSH version 2. The Switch does not support SSH version 1.

The SSH version 2 protocol supported by the Switch supports the following security features:

• Authentication. This determines, in a reliable way, the identity of the SSH client. During the login process the SSH client is queried for a digital proof of identity. Supported authentications are RSA (SSH-1), DSA (SSH-2) and passwords (both SSH-1 and SSH-2).
• Encryption.
  The SSH server uses encryption algorithms to scramble data and render it unintelligible except to the receiver. Supported encryption algorithms are: 3DES, AES-128-cbc, AES-192-cbc, AES-256-cbc, ArcFour, Blowfish-cbc, Cast128-cbc, Twofish128-cbc, Twofish192-cbc, and Twofish256-cbc.
• Integrity. This guarantees that the data is transmitted from the sender to the receiver without any alteration. If any third party captures and modifies the traffic, the SSH server will detect this alteration. HMAC-MD5 and HMAC-SHA-1 are supported.

The implementation of the SSH server in the Passport 1600 Series switch enables the SSH client to make a secure connection to a Passport 1600 Series switch and will work with commercially available SSH clients. You must use the CLI to initially configure SSH. You can use Device Manager (DM) to change the SSH configuration parameters. However, Nortel Networks recommends using the CLI. Nortel Networks also recommends using the console port to configure the SSH parameters.

SSH version 2 (SSH-2)

The SSH protocol, version 2 (SSH-2), is a complete rewrite of the SSH-1 protocol. While SSH-1 contains multiple functions in a single protocol, in SSH-2 the functions are divided among three layers:

• SSH Transport Layer (SSH-TRANS) The SSH transport layer manages the server authentication and provides the initial connection between the client and the server. Once established, the transport layer provides a secure, full-duplex connection between the client and server.
• SSH Authentication Protocol (SSH-AUTH) The SSH authentication protocol runs on top of the SSH transport layer and authenticates the client-side user to the server. SSH-AUTH defines three authentication methods: public key, host-based, and password. SSH-AUTH provides a single authenticated tunnel for the SSH connection protocol.
• SSH Connection Protocol (SSH-CONN) The SSH connection protocol runs on top of the SSH transport layer and user authentication protocols. SSH-CONN provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and forwarded X11 connections. These higher services are multiplexed into the single encrypted tunnel provided by the SSH transport layer.

The modular approach of SSH-2 improves on the security, performance, and portability of the SSH-1 protocol.

Note: The SSH-1 and SSH-2 protocols are not compatible. The SSH implementation in the Passport 1600 Series switch supports only SSH version 2.

Supported SSH clients

The Passport 1600 Series switch software release 1.0.1.1 supports the following third party SSH clients. The table below describes the third party SSH client software that has been tested but is not included with this release.

Table 9 Third party SSH client software

SSH Client (platform): Secure Shell (SSH) support

SecureCRT (Openssh)
  • Supports SSH-2 client only.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

OpenSSH (Unix Solaris2.5/2.6)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

Secure Netterm (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

PuTTY (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

Absolute (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

Secure Shell Client (Windows 2000)
  • Supports SSH-1 and SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v1 format.

ZOC pro (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

PenguiNet (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

F-secure (Windows 2000)
  • Supports SSH-2 clients.
  • Authentication: RSA, DSA, Password.
  • Provides a keygen tool.
  • It creates both RSA and DSA keys in SSH v2 format.

Using the CLI to configure SSH

You can use Device Manager (DM) to change the SSH configuration parameters. However, Nortel Networks recommends using the Command Line Interface (CLI) to configure SSH.

Note: Only the SSH server has been implemented in the 1.1 release. There is NO SSH client on the Passport 1600 Series switch. A remote application must be used to establish the communication with the switch.

Configuring Secure Shell (SSH)

The Passport 1600 Series switches (firmware release 1.0.1.1, or later) support the SSH version 2 SERVER implementation.

Note: SSH version 1, because of its inherent security holes, is not supported.

Because the Passport 1600 Series switches implement only the server part of the protocol, you must use a third-party application to connect to the switch. Please see Table 9 for a list of approved SSH v2 clients.

The steps required to use the SSH protocol for secure communication between a remote PC (the SSH Client) and the Switch (the SSH Server) are as follows:

• Create a user account with admin-level access using the create account admin <username> <password> command. In the example presented below, the username SSHtest is used.
  This is identical to creating any other admin-level User account on the Switch, including specifying a password. This password is used to log in to the Switch once secure communication has been established using the SSH version 2 protocol.
• Configure the user account to use a specified authorization method to identify users that are allowed to establish SSH connections with the Switch, using the config ssh user authmode command. There are some choices as to the method SSH will use to authorize the user. The two methods, password and publickey, are used in the example presented below.
• Configure the encryption algorithm that SSH will use to encrypt and decrypt messages sent between the SSH Client and the SSH Server. Again, there are some choices to make, but 3DES is used in the example presented below.
• Finally, enable SSH on the Switch using the enable ssh command.

After following the above steps, you can configure an SSH Client on the remote PC and manage the Switch using secure, in-band communication.

Creating a User account

To create an admin or user account, including a username and password, use the create account command. Note that this command also allows you to select the privileges this account will have. In general, user-level accounts can display the switch’s current configuration, but cannot make any changes. Admin-level accounts have full access to all configuration commands.

To create a new User account for use with the SSH protocol, use the following command:

create account admin SSHtest

The Switch will respond with:

Enter a case-sensitive new password: *******
Enter the new password again for confirmation: ********

The password must be at least 8 and not more than 15 characters. This password will be used to log on to the switch.
This command includes the following options:

create account followed by:
admin <username 15>  Creates an administrator-level user account. This user can execute all of the commands in the CLI without restriction.
    • username identifies the user. It is an alphanumeric string, from 1 to 15 characters.
user <username 15>   Creates a user-level user account. This user is limited to displaying switch configuration and accumulated switch statistics.
    • username identifies the user. It is an alphanumeric string, from 1 to 15 characters.

Figure 54 shows you how to create a new administrator-level user account with the username SSHtest.

Figure 54 create account command
:4#create account admin SSHtest
Command: create account admin SSHtest
Enter a case-sensitive new password:********
Enter the new password again for confirmation:********
Success.
:4#

Configuring the SSH authorization mode

Before the SSH Server on the Switch can establish a secure communications channel with an SSH Client, you must specify the type of authorization that the SSH Server can accept to verify the SSH Client as an authorized user. The password parameter instructs the SSH Server to use the password assigned to the User account. The public key parameter instructs the SSH Server to use the public key encryption/decryption method, using a combination of a private key and a public key stored on the remote PC (the SSH Client). The hostbased parameter allows you to specify a remote host on the network, by either name or IP address, that will be allowed to establish an SSH connection with the Switch.
To configure the SSH authorization mode, use the following command:

config ssh authmode password enabled

This command includes the following options:

config ssh authmode followed by:
password    Specifies the use of a password to establish user authorization for an SSH session. This password is the same as the password assigned to the User account.
public key  Specifies the use of public key encryption and decryption of a message exchange between the SSH Client and the Switch’s SSH Server to authorize the User.
hostbased   Specifies the name or IP address of a specific host (a remote PC) that will be authorized to establish an SSH connection to the Switch. The host’s name is specified by entering hostname followed by the host’s name in the <string> field of the create ssh user command, shown above.
enabled     Enables the User authorization mode specified above.
disabled    Disables the User authorization mode specified above.

Figure 55 shows how to configure the user account SSHtest to use the password assigned to this account to authorize an SSH session with the Switch.

Figure 55 config ssh authmode command
:4# config ssh authmode password enabled
Command: config ssh authmode password enabled
Success.
:4#

Displaying the Switch’s current SSH authorization mode

To display the Switch’s current SSH authorization mode, use the following command:

show ssh authmode

This command includes no additional options.

Figure 56 shows the Switch’s current SSH authorization mode.
Figure 56 show ssh authmode
:4# show ssh authmode
Command: show ssh authmode
The SSH User Authentication Support
-----------------------------------
Password   : Enabled
Public Key : Enabled
Hostbased  : Enabled

Updating an SSH user account’s authorization mode

Once you have created a user account and configured the SSH authorization mode for that account, you can update the information using the config ssh user command.

To update the configuration of an SSH user account, use the following command:

config ssh user SSHtest authmode password

where SSHtest is the username of a previously created User account.

This command includes the following options:

config ssh user <username> authmode followed by:
hostbased hostname <string 31> | hostname_IP <string 31> <ipaddr>  Specifies the name or IP address of a specific host (a remote PC) that will be authorized to establish an SSH connection to the Switch. The host’s name is specified by entering hostname followed by the host’s name in the <string> field. The host’s IP address is specified by entering hostname_IP followed by the host’s name in the <string> field, followed by the host’s IP address in the <ipaddr> field.
password    Specifies the use of a password to establish user authorization for an SSH session. This password is the same as the password assigned to the User account.
public key  Specifies the use of public key encryption and decryption of a message exchange between the SSH Client and the Switch’s SSH Server to authorize the User.
none        Specifies that there will be no user authorization.

Figure 57 shows how to configure the user account SSHtest to use the password assigned to this account to authorize an SSH session with the Switch.
Figure 57 config ssh user command

    :4# config ssh user SSHtest authmode password
    Command: config ssh user SSHtest authmode password
    Success.
    :4#

Configuring the SSH encryption algorithm

To configure the SSH algorithm to use 3DES:

    config ssh algorithm 3DES enabled

where:

3DES is the encryption algorithm that the Secure Shell (SSH) will use to encrypt and decrypt messages between the SSH Server and the SSH Client.

This command includes the following options:

config ssh algorithm followed by:

    3DES         Enter this parameter, followed by enabled or disabled, to use the 3DES encryption algorithm with the Secure Shell (SSH).
    AES128       Enter this parameter, followed by enabled or disabled, to use the AES128 encryption algorithm with the Secure Shell (SSH).
    AES192       Enter this parameter, followed by enabled or disabled, to use the AES192 encryption algorithm with the Secure Shell (SSH).
    AES256       Enter this parameter, followed by enabled or disabled, to use the AES256 encryption algorithm with the Secure Shell (SSH).
    arcfour      Enter this parameter, followed by enabled or disabled, to use the Arcfour encryption algorithm with the Secure Shell (SSH).
    blowfish     Enter this parameter, followed by enabled or disabled, to use the Blowfish encryption algorithm with the Secure Shell (SSH).
    cast128      Enter this parameter, followed by enabled or disabled, to use the Cast128 encryption algorithm with the Secure Shell (SSH).
    twofish128   Enter this parameter, followed by enabled or disabled, to use the Twofish128 encryption algorithm with the Secure Shell (SSH).
    twofish192   Enter this parameter, followed by enabled or disabled, to use the Twofish192 encryption algorithm with the Secure Shell (SSH).
    twofish256   Enter this parameter, followed by enabled or disabled, to use the Twofish256 encryption algorithm with the Secure Shell (SSH).
    MD5          Enter this parameter, followed by enabled or disabled, to use the HMAC-MD5 data integrity algorithm with the Secure Shell (SSH).
    SHA1         Enter this parameter, followed by enabled or disabled, to use the HMAC-SHA1 data integrity algorithm with the Secure Shell (SSH).
    RSA          Enter this parameter, followed by enabled or disabled, to use the RSA public key algorithm with the Secure Shell (SSH).
    DSA          Enter this parameter, followed by enabled or disabled, to use the DSA public key algorithm with the Secure Shell (SSH).
    enabled|disabled   Enter enabled or disabled after any one of the algorithms above to activate or deactivate that algorithm for use with SSH.

Figure 58 shows the SSH Server on the Switch configured to use the 3DES encryption algorithm.

Figure 58 config ssh algorithm

    :4# config ssh algorithm 3DES enabled
    Command: config ssh algorithm 3DES enabled
    Success.
    :4#

Displaying the current SSH encryption algorithm

To display the current SSH algorithm in use on the Switch, use the following command:

    show ssh algorithm

This command includes no additional options.

Figure 59 shows the current SSH algorithm configuration of the Switch.
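The display that follows (Figure 59) lists every encryption, data-integrity and public-key algorithm with its state, and Figure 56 above does the same for the user authorization modes. The following Python script is an added example, not code from the Nortel manual: it parses text in those two display formats and prints the config ssh algorithm and config ssh authmode commands that would switch off the legacy entries while checking that an AES cipher remains enabled. The sample displays it reads are constructed here to mirror the figures, and the choice of which algorithms count as weak is this example's own classification, not the manual's.

```python
"""Audit the 'show ssh algorithm' and 'show ssh authmode' displays of a
Passport 1600 switch and emit the CLI commands that switch off legacy
settings. Added example, not part of the Nortel manual; the sample displays
are constructed to mirror the format shown in this chapter, and which
algorithms count as weak is this example's own classification."""
import re

# Constructed sample: everything enabled, the state Figure 59 shows.
SAMPLE_ALGORITHM_OUTPUT = """\
Encryption Algorithm
------------------------
3DES      : Enable
AES128    : Enable
AES192    : Enable
AES256    : Enable
Arcfour   : Enable
Blowfish  : Enable
Cast128   : Enable
Twofish128: Enable
Twofish192: Enable
Twofish256: Enable
Data Integrity Algorithm
-----------------------
MD5       : Enable
SHA1      : Enable
Public Key Algorithm
-------------------
RSA       : Enable
DSA       : Enable
"""

# Constructed sample in the format of Figure 56.
SAMPLE_AUTHMODE_OUTPUT = """\
The SSH User Authentication Support
-----------------------------------
Password   : Enabled
Public Key : Enabled
Hostbased  : Enabled
"""

# Keys are the parameter names 'config ssh algorithm' accepts (see the
# option table above); values explain why a reviewer would disable them.
WEAK_ALGORITHMS = {
    "3DES": "64-bit block cipher, legacy",
    "arcfour": "RC4 stream cipher, broken",
    "blowfish": "64-bit block cipher, legacy",
    "cast128": "64-bit block cipher, legacy",
    "MD5": "HMAC-MD5 integrity, weak hash",
}
STRONG_CIPHERS = ("aes128", "aes192", "aes256")

# Matches 'Name : Enable', 'Name : Enabled', 'Name : Disable(d)'; the
# section titles and dashed rules have no colon and are skipped.
STATUS_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(Enabled?|Disabled?)\s*$")


def parse_status_lines(output):
    """Return {name (lower case): True if enabled} for each status line."""
    status = {}
    for line in output.splitlines():
        match = STATUS_RE.match(line)
        if match:
            status[match.group(1).lower()] = match.group(2).lower().startswith("enable")
    return status


def audit_algorithms(output):
    """(command, reason) for every weak algorithm that is currently enabled."""
    status = parse_status_lines(output)
    return [(f"config ssh algorithm {param} disabled", reason)
            for param, reason in WEAK_ALGORITHMS.items()
            if status.get(param.lower())]


def strong_cipher_remains(output):
    """True when at least one AES cipher is enabled, so that disabling the
    weak ciphers cannot leave the SSH Server with nothing to negotiate."""
    status = parse_status_lines(output)
    return any(status.get(name) for name in STRONG_CIPHERS)


def audit_authmode(output):
    """Flag hostbased authorization: it trusts a host name or address
    rather than a credential held by the individual user."""
    status = parse_status_lines(output)
    if status.get("hostbased"):
        return [("config ssh authmode hostbased disabled",
                 "authorization tied to a host name or IP address, not a user")]
    return []


if __name__ == "__main__":
    findings = audit_algorithms(SAMPLE_ALGORITHM_OUTPUT) + audit_authmode(SAMPLE_AUTHMODE_OUTPUT)
    for command, reason in findings:
        print(f"{command:48} # {reason}")
    print("AES still available:", strong_cipher_remains(SAMPLE_ALGORITHM_OUTPUT))
```

Run against a captured display instead of the constructed sample by reading the file into the two strings; the strong_cipher_remains check is there because the option table gives no way to know which cipher the server falls back to, so disabling ciphers without confirming an AES variant stays enabled risks locking out every SSH client.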
Figure 59 show ssh algorithm

    :4# show ssh algorithm
    Command: show ssh algorithm
    Encryption Algorithm
    ------------------------
    3DES      : Enable
    AES128    : Enable
    AES192    : Enable
    AES256    : Enable
    Arcfour   : Enable
    Blowfish  : Enable
    Cast128   : Enable
    Twofish128: Enable
    Twofish192: Enable
    Twofish256: Enable
    Data Integrity Algorithm
    -----------------------
    MD5       : Enable
    SHA1      : Enable
    Public Key Algorithm
    -------------------
    RSA       : Enable
    DSA       : Enable
    :4#

Displaying the Switch’s current SSH Users

To display the Switch’s current SSH users, use the following command:

    show ssh user

This command includes no additional options.

Figure 60 shows the Switch’s current SSH users.

Figure 60 show ssh user

    :4# show ssh user
    Command: show ssh user
    Current Accounts:
    -------------------------
    Username    Authentication
    SSHtest     Password
    SSHtest2    Publickey
    SSHtest3    Hostbased Debbie 10.42.73.5
    SSHtest4    None

Configuring the SSH Server on the Switch

To configure the SSH Server on the Switch, use the following command:

    config ssh server

This command includes the following options:

config ssh server followed by:

    maxsession <int 1-3>       Specifies the maximum number of SSH sessions that the SSH Server on the Switch will allow at any one time. You can specify between a minimum of one and a maximum of three simultaneous SSH sessions. The default is 3.
    timeout <sec 1-120>        Specifies the maximum amount of time that will be allowed for an SSH session to be established.
                               If this time is exceeded before the SSH session has begun, the SSH Server will discontinue the connection. You can specify a minimum of one and a maximum of 120 seconds. The default is 120 seconds.
    authfail <int 2-20>        Specifies the maximum number of times the SSH Server will allow a remote host to attempt to become authorized. If this number of attempts is exceeded, the SSH Server will discontinue the connection. You can specify a minimum of two and a maximum of twenty authorization attempts. The default is 2.
    rekey <10min|30min|60min|never>   Specifies the length of time that an SSH session can last before a new set of encryption/decryption keys is generated. You can specify 10min, 30min, 60min, or never. The default is 2.
    port <tcp_port_number 1-65535>    Specifies which TCP port the SSH Server will listen on for requests from remote hosts to establish an SSH connection with the Switch. The default is TCP port number 22.

Figure 61 shows the SSH Server on the Switch configured to allow a maximum of 2 sessions, a timeout of 20 seconds, a maximum of 2 failed authorization attempts, a rekey time of never, and the use of TCP port number 22.

Figure 61 config ssh server

    :4# config ssh server maxsession 2 timeout 20 authfail 2 rekey never port 22
    Command: config ssh server maxsession 2 timeout 20 authfail 2 rekey never port 22
    Success.
    :4#

Displaying the current SSH Server configuration

To display the current SSH Server configuration:

    show ssh server

This command includes no additional options.

Figure 62 shows the current configuration of the SSH Server on the Switch.
Figure 62 show ssh server

    :4# show ssh server
    Command: show ssh server
    SSH Server Status    : Enabled
    SSH Max Session      : 2
    Connection timeout   : 20 (sec)
    Rekey timeout        : never
    Listened Port Number : 22

Enabling and disabling the SSH Server on the Switch

To enable the SSH Server on the Switch:

    enable ssh

This command has no options:

    enable | disable ssh

Figure 63 shows the SSH Server on the Switch being enabled.

Figure 63 enable ssh

    :4# enable ssh
    Command: enable ssh
    Success.
    :4#

Configuring the SSH Server to regenerate its hostkey

To force the SSH Server to regenerate its hostkey, use the following command:

    config ssh regenerate hostkey

This command includes no additional options.

Figure 64 shows the SSH Server on the Switch being forced to regenerate its hostkey.

Figure 64 config ssh regenerate hostkey

    :4# config ssh regenerate hostkey
    Command: config ssh regenerate hostkey
    Success.
    :4#

TACACS+

TACACS+ is a security protocol that provides access control for devices via one or more centralized servers. All WEB, TELNET and CLI user logins check the user name and password with a database of Network Access Security (NAS) servers through the TACACS+ protocol if the authentication method being used is TACACS+. This is useful in checking authentication when thousands of users using thousands of devices are distributed around the network.

The system provides two stages of authentication for the user: the first is the “login” stage and the second is the “enable” stage. Each stage can choose up to three authentication methods; they are TACACS+, local/enable, and none. In addition, two privilege levels are provided, the user level and the admin level. When the user passes the first stage, the “user” level is assigned.
The “admin” level will be assigned if the user passes the second stage.

The following four authentication methods are supported:

    TACACS+   Verifies both the username/password pair and the enable password using the TACACS+ server. When username/password verification is passed, the user level is assigned. After that, use the “enable admin” command to promote the privilege mode to the admin user. Four TACACS+ servers are supported.
    Local     Authenticates the username/password pair with a local database. If authentication passes and the privilege level associated with the username/password pair is “admin level,” the user will receive admin-level privileges. If authentication passes and the username/password pair is “user level,” the user will receive user-level privileges.
    Enable    Only the password is checked. This option is used only to promote the privilege level to the “admin” level.
    None      No authentication is specified.

The following privilege modes are supported:

    user level    Read only is permitted.
    admin level   Read/write is permitted.

Creating an entry in the Switch’s TACACS+ Server table

To create an entry in the Switch’s TACACS+ Server table, use the following command:

    create tacacs+_server <ip_address>

where:

<ip_address> is the IP address of a TACACS+ Server on the network.

This command includes the following options:

create tacacs+_server followed by:

    <ipaddr>                         The IP address of a TACACS+ Server on the network.
    tcp_port <int 1-65535>           The TCP port number in use by the TACACS+ Server specified above. The default is TCP port 49.
    key [<key_string 1-254> | none]  The key used for TACACS+ authentication. If no string is specified (the value is null), no encryption will be applied. If none is specified, no encryption key will be used. The default is none.
    timeout <sec 1-255>              The time, in seconds, that the Switch will wait for a reply from the TACACS+ Server. The default is 5 seconds.

Figure 65 shows the creation of a TACACS+ Server entry on the Switch, using the key “top secret.”

Figure 65 create tacacs+_server

    :4# create tacacs+_server 10.42.73.5 key top secret
    Command: create tacacs_server 10.42.73.5 key top secret
    Success.
    :4#

Configuring a TACACS+ Server entry on the Switch

To configure an entry in the Switch’s TACACS+ Server table (change a previously created entry), use the following command:

    config tacacs+_server <ip_address>

where:

<ip_address> is the IP address of a TACACS+ Server on the network.

Note: Nortel Networks strongly recommends that you configure in the TACACS+ server all interfaces participating in any remote session (telnet, SSH, etc.).

This command includes the following options:

config tacacs+_server followed by:

    <ipaddr>                         The IP address of a TACACS+ Server on the network.
    tcp_port <int 1-65535>           The TCP port number in use by the TACACS+ Server specified above. The default is TCP port 49.
    key [<key_string 1-254> | none]  The key used for TACACS+ authentication. If no string is specified (the value is null), no encryption will be applied. If none is specified, no encryption key will be used. The default is none.
    timeout <sec 1-255>              The time, in seconds, that the Switch will wait for a reply from the TACACS+ Server. The default is 5 seconds.
Figure 66 shows the configuring of a TACACS+ Server entry on the Switch, using the key “not so secret.”

Figure 66 config tacacs+_server

    :4# config tacacs+_server 10.42.73.5 key not so secret
    Command: config tacacs+_server 10.42.73.5 key not so secret
    Success.
    :4#

Displaying the Switch’s TACACS+ Server table

To display the entries in the Switch’s TACACS+ Server table, use the following command:

    show tacacs+_server

This command includes no additional options.

Figure 67 shows the current contents of the Switch’s TACACS+ Server table.

Figure 67 show tacacs+_server

    :4# show tacacs+_server
    Command: show tacacs+_server
    IP Address      Port     timeout   key
    -------------------------------------------------------
    10.1.1.222      17777    10        not so secret
    :4#

Deleting an entry from the Switch’s TACACS+ Server table

To delete an entry from the Switch’s TACACS+ Server table, use the following command:

    delete tacacs+_server 10.1.1.222

This command includes the following options:

delete tacacs+_server followed by:

    <ip_address>   The IP address of the TACACS+ Server you want to delete from the Switch’s TACACS+ Server table.

Figure 68 shows the deletion of the TACACS+ Server with an IP address of 10.1.1.222 from the Switch’s TACACS+ Server table.

Figure 68 delete tacacs+_server

    :4# delete tacacs+_server 10.1.1.222
    Command: delete tacacs+_server 10.1.1.222
    Success.
    :4#

Enabling admin-level privileges for a user-level account

To promote a user with user-level privileges to admin-level privileges, use the following command:

    enable admin

When this command is entered, the current user authentication method in use on the Switch will be used to authenticate the user.
This command includes no additional options.

Figure 69 shows the currently logged on user raising the account’s privilege level from user-level to admin-level.

Figure 69 enable admin

    :4# enable admin
    Command: enable admin
    Password: ********
    Success.
    :4#

Assigning a password to the “local enable” method

To assign a password to authenticate users that want to change their user-level privileges to admin-level privileges using the “local enable” method, use the following command:

    config admin local_password

When this command is entered, the current user authentication method in use on the Switch will be used to authenticate the user.

This command includes the following options:

config admin local_password followed by:

    <password 8-15>   The password that will be used to authenticate users that want to change their user-level privileges to admin-level privileges using the “local enable” method.

Figure 70 shows the assigning of a password that will be used to authenticate users that want to change their user-level privileges to admin-level privileges using the “local enable” method.

Figure 70 config admin local_password

    :4# config admin local_password
    Command: config admin local_password
    Enter the case-sensitive password: ********
    Enter the password again for confirmation ********
    Success.
    :4#

Configuring the login authentication settings

To configure the maximum amount of time the Switch will wait for a user to input their password, use the following command:

    config login_authen response_timeout <sec 1-255>

This command includes the following options:

config login_authen followed by:

    response_timeout <sec 1-255>   The maximum amount of time the Switch will wait for a user to input their password.
                                   If this time is exceeded, the Switch will discontinue the connection. The default is 30 seconds.

Figure 71 shows the response timeout being set to 30 seconds.

Figure 71 config login_authen

    :4# config login_authen response_timeout 30
    Command: config login_authen response_timeout 30
    Success.
    :4#

Configuring the authentication settings on the Switch

This command is used to configure how the Switch will authenticate users when they log in to the various applications that are used to configure the Switch. When authentication is enabled on the Switch, the authentication settings specified in this command will take effect. The Switch’s default is to use local authentication, such as asking for a user name and password when logging on to the Console.

When the TACACS+ or the none authentication method is specified, users are assigned only user-level privileges when they first log on to a Switch management application (such as the Console). If this user wants to promote their privilege level to admin-level, they must enter the enable admin command, described above. When the local authentication method is specified, a user’s privilege level depends upon the privilege level assigned when the user account was created.

There are four applications that can be used to configure and manage the Switch: the Console, TELNET, SSH, and the Web-based configuration manager. You can assign one of three user-authentication methods to any of these applications. The three user-authentication methods are TACACS+, local, and none. TACACS+ instructs the Switch to forward the user name and password to a TACACS+ Server for authentication. The local method relies upon the Switch itself to verify the user name and password against the user accounts stored in its memory. The none method performs no user authentication.
If the TACACS+ user authentication method is specified, and all of the TACACS+ Servers have timed out or do not exist, the Switch will then use the second method entered with this command. In the example below, the none user authentication method will be used.

To configure the authentication settings on the Switch, use the following command:

    config authentication login

This command includes the following options:

config authentication login followed by:

    console   Specifies the Console application will be authenticated.
    telnet    Specifies the TELNET application will be authenticated.
    ssh       Specifies the Secure Shell (SSH) application will be authenticated.
    web       Specifies the Web-based configuration manager application will be authenticated.
    all       Specifies the Console, TELNET, SSH, and Web applications will be authenticated.
    tacacs+   Specifies that a TACACS+ Server will provide authentication.
    local     Specifies that the Switch will provide authentication.
    none      Specifies that no authentication will be used.

Figure 72 shows the Switch being configured to use the TACACS+ user authentication method for the TELNET application, with none as the second method.

Figure 72 config authentication login

    :4# config authentication login telnet tacacs+ none
    Command: config authentication login telnet tacacs+ none
    Success.
    :4#

Configuring the authentication settings on the Switch used to promote users from user-level privileges to admin-level privileges

This command is used to configure how the Switch will authenticate users when they want to promote their privileges from user-level to admin-level, while they are logged on to the various applications that are used to configure the Switch. When authentication is enabled on the Switch, the authentication settings specified in this command will take effect.
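The fallback rule just described (the second method is used only when every TACACS+ Server has timed out or none exists) decides what a TACACS+ outage means for the Switch, and the example in Figure 72 pairs tacacs+ with none. The following Python model is an added example, not Nortel code: it walks a login method list and an admin-promotion method list the way the TACACS+ overview earlier in this chapter describes the two stages, and compares what an unknown user obtains during an outage under tacacs+ none versus tacacs+ local. TacacsServer is a constructed stand-in, all accounts and passwords are constructed, and the rule that the first reachable server's verdict is final is this example's assumption, since the manual only states when the next method is tried.

```python
"""Model of the two-stage (login, then enable) authentication chain this
chapter describes. Added example, not Nortel code. TacacsServer is a
constructed stand-in; treating the first reachable server's verdict as
final is this example's assumption."""
import hmac
from dataclasses import dataclass


@dataclass
class LocalAccount:
    password: str
    level: str          # "user" or "admin", fixed when the account was created


class TacacsServer:
    """Constructed stand-in: answers PASS/FAIL from small tables, or TIMEOUT
    when unreachable. Real TACACS+ exchanges are not modelled."""

    def __init__(self, logins, enable_secrets, reachable=True):
        self.tables = {"login": logins, "enable": enable_secrets}
        self.reachable = reachable

    def verify(self, stage, username, secret):
        if not self.reachable:
            return "TIMEOUT"
        expected = self.tables[stage].get(username)
        if expected is not None and hmac.compare_digest(expected, secret):
            return "PASS"
        return "FAIL"


def ask_tacacs(servers, stage, username, secret):
    """First reachable server is authoritative; TIMEOUT if none answers
    (that includes an empty server list, the 'do not exist' case)."""
    for server in servers:
        verdict = server.verify(stage, username, secret)
        if verdict != "TIMEOUT":
            return verdict
    return "TIMEOUT"


def login(methods, username, password, servers, accounts):
    """config authentication login <app> <method> [<method>]: returns the
    privilege level granted ("user" or "admin"), or None when refused."""
    for method in methods:
        if method == "tacacs+":
            verdict = ask_tacacs(servers, "login", username, password)
            if verdict == "TIMEOUT":
                continue                      # all servers down: next method
            return "user" if verdict == "PASS" else None   # user-level only
        if method == "local":
            acct = accounts.get(username)
            if acct and hmac.compare_digest(acct.password, password):
                return acct.level             # level comes from the account
            return None
        if method == "none":
            return "user"                     # no check at all, user-level
    return None


def enable_admin(methods, username, secret, servers, local_enable_password):
    """config authentication admin <app> <method> [<method>]: True when the
    'enable admin' command may promote the user to admin level."""
    for method in methods:
        if method == "tacacs+":
            verdict = ask_tacacs(servers, "enable", username, secret)
            if verdict == "TIMEOUT":
                continue
            return verdict == "PASS"
        if method == "enable":                # the 'local enable' password
            return hmac.compare_digest(local_enable_password, secret)
        if method == "none":
            return True
    return False


# Constructed data for the demonstration.
ACCOUNTS = {"ops": LocalAccount("correct horse", "user"),
            "netadmin": LocalAccount("battery staple", "admin")}
LOCAL_ENABLE_PASSWORD = "enable-me-12"
UP = [TacacsServer({"ops": "correct horse"}, {"ops": "tacacs-enable"})]
DOWN = [TacacsServer({}, {}, reachable=False)]


def outage_comparison():
    """What an unknown user gets while every TACACS+ Server is down, under
    'tacacs+ none' (Figure 72) and under 'tacacs+ local'."""
    return {
        "tacacs+ none": login(["tacacs+", "none"], "stranger", "x", DOWN, ACCOUNTS),
        "tacacs+ local": login(["tacacs+", "local"], "stranger", "x", DOWN, ACCOUNTS),
    }


if __name__ == "__main__":
    print(outage_comparison())   # {'tacacs+ none': 'user', 'tacacs+ local': None}
```

The comparison is the practical point: with tacacs+ none, a TACACS+ outage (or an unreachable server address) turns the TELNET login into an unauthenticated one, whereas tacacs+ local still requires a credential held on the Switch. The same reasoning applies to the admin stage configured below; pairing tacacs+ with enable keeps the local enable password as the outage fallback.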
When the TACACS+ authentication method is specified, users need to input their password to promote their privileges from user-level to admin-level. The Switch will then pass this password to the TACACS+ Server for authentication. The TACACS+ Server will return a PASS or FAIL. When enable is specified, the Switch will compare this password to the Switch’s (local) password. If the passwords are the same, the Switch will return a PASS. If the two passwords are different, the Switch will return a FAIL.

There are four applications that can be used to configure and manage the Switch: the Console, TELNET, SSH, and the Web-based configuration manager. You can assign one of three user-authentication methods to authenticate users who want to promote their user-level privileges to admin-level privileges for any of these applications. The three user-authentication methods are TACACS+, enable, and none. TACACS+ instructs the Switch to forward the user name and password to a TACACS+ Server for authentication. The enable method relies upon the Switch itself to verify the password against the local enable password stored in its memory. The none method performs no user authentication.

If the TACACS+ user authentication method is specified, and all of the TACACS+ Servers have timed out or do not exist, the Switch will then use the second method entered with this command. In the example below, the enable user authentication method will be used.

To configure the authentication settings that govern the promotion of users with user-level privileges to admin-level privileges on the Switch, use the following command:

    config authentication admin

This command includes the following options:

config authentication admin followed by:

    console   Specifies the Console application will be authenticated.
    telnet    Specifies the TELNET application will be authenticated.
    ssh       Specifies the Secure Shell (SSH) application will be authenticated.
    all       Specifies the Console, TELNET, SSH, and Web applications will be authenticated.
    tacacs+   Specifies that a TACACS+ Server will provide authentication.
    local     Specifies that the Switch will provide authentication.
    none      Specifies that no authentication will be used.

Figure 73 shows the Switch being configured to use the TACACS+ user authentication method to authenticate users who want to promote their user-level privileges to admin-level privileges, for the TELNET application.

Figure 73 config authentication admin

    :4# config authentication admin telnet tacacs+
    Command: config authentication admin telnet tacacs+
    Success.
    :4#

Enabling authentication

To enable the current authentication settings, use the following command:

    enable authentication

This command includes no additional options.

Figure 74 shows the current authentication settings on the Switch being enabled.

Figure 74 enable authentication

    :4# enable authentication
    Command: enable authentication
    Success.
    :4#

Disabling authentication

To disable the current authentication settings, use the following command:

    disable authentication

This command includes no additional options.

Figure 75 shows the current authentication settings on the Switch being disabled.

Figure 75 disable authentication

    :4# disable authentication
    Command: disable authentication
    Success.
    :4#

Displaying the Switch’s current authentication settings

To display the Switch’s current authentication settings, use the following command:

    show authentication

This command includes no additional options.

Figure 76 shows the display of the Switch’s current authentication settings.

Figure 76 show authentication

    :4# show authentication
    Command: show authentication
    Authentication Status             : Disabled
    The amount of time for user input : 30 seconds
    The maximum user attempts         : 3

    Application  Login Primary  Login Secondary  Admin Primary  Admin Secondary
    -----------  -------------  ---------------  -------------  ---------------
    Console      Local                           Local
    Telnet       Local                           Local
    SSH          Local                           Local
    Web          Local

Chapter 6 Configuring VLANs

A virtual local area network (VLAN) is a collection of end nodes grouped by logical rather than physical location. End nodes that frequently communicate with each other are assigned to the same VLAN, regardless of where they are physically located on the network. Logically, you can equate a VLAN to a broadcast domain because broadcast packets are forwarded only to members of the VLAN on which the broadcast was initiated.

This chapter describes the commands you use to configure, enable and disable, and show VLANs for Layer 2 operations. It also describes how to configure IP on a VLAN for Layer 3 operations.
Specifically, it includes the following topics:

    Topic                                                   Page
    Roadmap of VLAN CLI commands                            159
    Creating a VLAN                                         160
    Deleting a VLAN                                         162
    Adding ports to a VLAN configuration                    162
    Deleting ports from a VLAN configuration                163
    Displaying a VLAN configuration                         164
    Roadmap of IP interface CLI commands                    167
    Creating an IP interface                                167
    Configuring an IP interface                             168
    Deleting an IP interface                                169
    Configuring the System IP interface                     170
    Enabling an IP interface                                171
    Disabling an IP interface                               172
    Displaying the current IP interface configuration       172
    Roadmap of forwarding database CLI commands             175
    Creating a unicast forwarding database entry            176
    Configuring a unicast forwarding database entry         176
    Creating a multicast forwarding database entry          177
    Configuring the multicast forwarding database           178
    Deleting an entry from the forwarding database          179
    Clearing the forwarding database                        179
    Displaying the multicast forwarding database            180
    Displaying the unicast forwarding database              181

Configuring Layer 2 operations

The following sections describe how to configure VLANs for Layer 2 operations.

Roadmap of VLAN CLI commands

The following roadmap lists all of the VLAN commands and their parameters.
Use this list as a quick reference or click on any entry for more information:

    Command                      Parameter
    create vlan <vlan_name 32>   type port
                                 | ip-subnet <network_address> arp_classification_id <vlanid 1-4094>
                                 | protocol-ip
                                 | protocol-ipx802dot3
                                 | protocol-ipx802dot2
                                 | protocol-ipxSnap
                                 | protocol-appleTalk
                                 | protocol-decLat
                                 | protocol-decOther
                                 | protocol-sna802dot2
                                 | protocol-snaEthernet2
                                 | protocol-netBios
                                 | protocol-xns
                                 | protocol-vines
                                 | protocol-ipV6
                                 | protocol-userDefined <hex 0x0-0xffff> encap [ethernet2|llc|snap|all]
                                 | protocol-rarp
                                 | priority [0|4|6|7]
    delete vlan <vlan_name 32>
    config vlan <vlan_name 32>   add tagged <portlist> untagged <portlist>
    config vlan <vlan_name 32>   delete <portlist>
    show vlan <vlan_name 32>     type [port
                                 | ip-subnet <network_address> arp_classification_id <vlanid 1-4094>
                                 | protocol-ip
                                 | protocol-ipx802dot3
                                 | protocol-ipx802dot2
                                 | protocol-ipxSnap
                                 | protocol-appleTalk
                                 | protocol-decLat
                                 | protocol-decOther
                                 | protocol-sna802dot2
                                 | protocol-snaEthernet2
                                 | protocol-netBios
                                 | protocol-xns
                                 | protocol-vines
                                 | protocol-ipV6
                                 | protocol-userDefined <hex 0x0-0xffff> encap [ethernet2|llc|snap|all]
                                 | protocol-rarp]

Creating a VLAN

To create a VLAN, use the following command:

    create vlan <vlan_name 32>

where:

vlan_name 32 is the name of the VLAN that you want to create. The VLAN name can be up to 32 alphanumeric characters.

This command uses the following options:

create vlan <vlan_name 32> followed by:

    vid <vid>   Specifies the VLAN ID with which transmitted packets are tagged. The range is from 1 to 4094.
    type        Selects the type of VLAN that will be created.
                The available types are as follows:
                    port
                    ip-subnet <network_address>
                    protocol-ip
                    protocol-ipx802dot3
                    protocol-ipx802dot2
                    protocol-ipxSnap
                    protocol-appleTalk
                    protocol-decLat
                    protocol-decOther
                    protocol-sna802dot2
                    protocol-snaEthernet2
                    protocol-netBios
                    protocol-xns
                    protocol-vines
                    protocol-ipV6
                    protocol-userDefined <hex 0x0-0xffff> encap [ethernet2|llc|snap|all]
                    protocol-rarp
                    priority [0|4|6|7]
    <network_address>                       The IP address and mask for a subnet-based VLAN.
    <hex 0x0-0xffff>                        The user-defined protocol type in hex.
    encap [ethernet2|llc|snap|all]          The encapsulated packet format for a user-defined protocol. The possible formats are ethernet2, llc, snap, and all.
    arp_classification_id <vlanid 1-4094>   Creates an IP subnet VLAN with ARP classification.

Figure 77 shows you how to create a VLAN named v1.

Figure 77 create vlan command

    PP1612G:4#create vlan v1
    Command: create vlan v1
    Success.
    PP1612G:4#

Deleting a VLAN

To delete a VLAN, use the following command:

    delete vlan <vlan_name 32>

where:

vlan_name 32 is the name of the VLAN that you want to delete.

Figure 78 shows you how to delete a VLAN named v1.

Figure 78 delete vlan command

    PP1612G:4#delete vlan v1
    Command: delete vlan v1
    Success.
    PP1612G:4#

Adding ports to a VLAN configuration

To add ports to a VLAN, use the following command:

    config vlan <vlan_name 32> add

where:

vlan_name 32 is the name of the VLAN to which you want to add ports.

This command uses the following options:

config vlan <vlan_name 32> add followed by:

    tagged <portlist>     Indicates that the specified ports will be VLAN tagged.
                          • portlist specifies the list of ports to add to the VLAN. To specify a range of ports, enter the beginning and end values, separated by a hyphen (e.g., 1-3).
                          To specify non-contiguous port numbers, enter the port numbers, separated by commas (e.g., 1,4,8).
    untagged <portlist>   Indicates that the specified ports will not be VLAN tagged. untagged is the default.
                          • portlist specifies the list of ports to add to the VLAN. To specify a range of ports, enter the beginning and end values, separated by a hyphen (e.g., 1-3). To specify non-contiguous port numbers, enter the port numbers, separated by commas (e.g., 1,4,8).

Figure 79 shows you how to add ports 4 through 8 and 10 as VLAN tagged ports.

Figure 79 config vlan add command

    PP1612G:4#config vlan v1 add tagged 4-8,10
    Command: config vlan v1 add tagged 4-8,10
    Success.
    PP1612G:4#

Deleting ports from a VLAN configuration

To delete ports from a VLAN, enter the following command:

    config vlan <vlan_name 32> delete <portlist>

where:

vlan_name 32 is the name of the VLAN from which you want to delete ports.

portlist specifies the list of ports to remove from the VLAN. To specify a range of ports, enter the beginning and end values, separated by a hyphen (e.g., 1-3). To specify non-contiguous port numbers, enter the port numbers, separated by commas (e.g., 1,4,8).

Figure 80 shows you how to delete ports 4 through 8.

Figure 80 config vlan delete command

    PP1612G:4#config vlan v1 delete 4-8
    Command: config vlan v1 delete 4-8
    Success.
    PP1612G:4#

Displaying a VLAN configuration

To display the current configuration for the VLAN, enter the following command:

    show vlan

This command uses the following options:

show vlan followed by:

    <vlan_name 32>   The name of the VLAN for which you want to display the current configuration. If you do not enter a VLAN name, all of the VLANs currently configured on the switch will have their configurations displayed.
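The <portlist> syntax used by config vlan add and config vlan delete above (ranges with a hyphen, non-contiguous ports with commas) is what decides which ports end up in a VLAN, so a parser that rejects malformed lists rather than guessing is worth having in any tool that generates or reviews these commands. The following Python code is an added example, not Nortel code: it parses and validates a port list, keeps a per-VLAN membership table with the tagged/untagged distinction the options describe, replays the Figure 79 and Figure 80 commands, and renders the result in the field order of the show vlan display. The 12-port limit is taken from the PP1612G prompt in the figures and is otherwise an assumption, as is the rule that a port is either tagged or untagged on a given VLAN, never both.

```python
"""Parser for the <portlist> syntax of 'config vlan ... add/delete' plus a
small VLAN membership model. Added example, not Nortel code. The 12-port
limit and the tagged-or-untagged rule are this example's assumptions."""


def parse_portlist(text, max_port=12):
    """'4-8,10' -> {4, 5, 6, 7, 8, 10}. Raises ValueError for ports outside
    1..max_port, reversed ranges, empty elements or non-numeric tokens, so a
    typo cannot silently put the wrong ports into a VLAN."""
    ports = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty element in port list {text!r}")
        lo, sep, hi = token.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad port token {token!r}")
        start, end = int(lo), (int(hi) if sep else int(lo))
        if start > end or start < 1 or end > max_port:
            raise ValueError(f"port range {token!r} outside 1-{max_port}")
        ports.update(range(start, end + 1))
    return ports


def is_valid_portlist(text, max_port=12):
    """Convenience wrapper: True when parse_portlist accepts the text."""
    try:
        parse_portlist(text, max_port)
        return True
    except ValueError:
        return False


def format_portlist(ports):
    """Inverse of parse_portlist: {4, 5, 6, 7, 8, 10} -> '4-8,10'."""
    runs = []
    for port in sorted(ports):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port
        else:
            runs.append([port, port])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


class Vlan:
    """Membership of one static VLAN, tracking tagged and untagged ports."""

    def __init__(self, name, vid, max_port=12):
        self.name, self.vid, self.max_port = name, vid, max_port
        self.tagged, self.untagged = set(), set()

    def add(self, portlist, tagged=False):
        """config vlan <name> add tagged|untagged <portlist>; untagged is the
        default. A port moves between the two sets rather than being in both."""
        ports = parse_portlist(portlist, self.max_port)
        target, other = (self.tagged, self.untagged) if tagged else (self.untagged, self.tagged)
        target.update(ports)
        other.difference_update(ports)

    def delete(self, portlist):
        """config vlan <name> delete <portlist>."""
        ports = parse_portlist(portlist, self.max_port)
        self.tagged -= ports
        self.untagged -= ports

    def member_ports(self):
        return self.tagged | self.untagged

    def show(self):
        """Render the fields in the order of the 'show vlan' display; static
        ports are taken to be the configured members."""
        members = format_portlist(self.member_ports())
        return (f"VID           : {self.vid}\n"
                f"VLAN TYPE     : static\n"
                f"Member ports  : {members}\n"
                f"Static ports  : {members}\n"
                f"Untagged ports: {format_portlist(self.untagged)}\n"
                f"VLAN Name     : {self.name}")


def demo():
    """Replays Figure 79 (add 4-8,10 tagged to v1) and Figure 80 (delete 4-8)."""
    v1 = Vlan("v1", 2)
    v1.add("4-8,10", tagged=True)
    v1.delete("4-8")
    return v1


if __name__ == "__main__":
    print(demo().show())
```

After the two figures' commands, only port 10 remains in v1, and it is a tagged member, which is exactly what a reviewer would check against show vlan before trusting that a port was really removed from a segment.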
    type
        This parameter allows you to select the type of VLAN that will be created. The available types are as follows:

            port
            ip-subnet <network_address>
            protocol-ip
            protocol-ipx802dot3
            protocol-ipx802dot2
            protocol-ipxSnap
            protocol-appleTalk
            protocol-decLat
            protocol-decOther
            protocol-sna802dot2
            protocol-snaEthernet2
            protocol-netBios
            protocol-xns
            protocol-vines
            protocol-ipV6
            protocol-userDefined <hex 0x0-0xffff> encap [ethernet2|llc|snap|all]
            protocol-rarp

Figure 81 shows you how to display the current configuration for the VLANs on the switch.

Figure 81 show vlan command

    PP1612G:4# show vlan
    Command: show vlan

    VID            : 1
    VLAN TYPE      : static
    Member ports   : 1-12
    Static ports   : 1-12
    Untagged ports : 1-12
    VLAN Name      : default

    VID            : 2
    VLAN TYPE      : static
    Member ports   :
    Static ports   :
    Untagged ports :
    VLAN Name      : v1

    VID            : 3
    VLAN TYPE      : static
    Member ports   :
    Static ports   :
    Untagged ports :
    VLAN Name      : v2

    Total Entries : 3

    PP1612G:4#

Configuring Layer 3 operations

The following sections describe how to configure IP on a VLAN for Layer 3 operations.

Roadmap of IP interface CLI commands

The following roadmap lists all of the IP interface commands and their parameters.
Use this list as a quick reference or click on any entry for more information:

    create ipif
        <ipif_name 12> <network_address> <vlan_name 32> state [enabled|disabled]
    config ipif
        <ipif_name 12> ipaddress <network_address> vlan <vlan_name 32> state [enabled|disabled]
    delete ipif
        <ipif_name 12>
        all
    config ipif System
        vlan <vlan_name 32> ipaddress <network_address> state [enabled|disabled]
    enable ipif
        <ipif_name 12>
        all
    disable ipif
        <ipif_name 12>
        all
    show ipif
        System
        all

Creating an IP interface

To create an IP interface with a network address and a subnet mask that will be assigned to a VLAN, enter the following command:

    create ipif <ipif_name 12> <network_address> <vlan_name 32> state [enabled|disabled]

where:

    ipif_name 12 is the name of the IP interface. The name can be up to 12 alphanumeric characters.
    network_address is the IP address and the netmask of the IP interface you wish to create. You can specify the address and mask information using the traditional format, for example 10.1.2.3/255.0.0.0, or in the CIDR format, for example 10.1.2.3/8.
    vlan_name 32 is the name of the VLAN that you want to assign to the IP interface.

Figure 82 shows how to create an IP interface named ip2 that will be assigned to the VLAN named vlan2, and will be enabled.

Figure 82 create ipif command

    PP1612G:4#create ipif ip2 20.1.1.1/8 vlan2 state enabled
    Command: create ipif ip2 20.1.1.1/8 vlan2 state enabled

    Success.

    PP1612G:4#

Configuring an IP interface

To re-configure an IP interface so that it is assigned to a new VLAN, use the following command:

    config ipif <ipif_name 12> ipaddress <network_address> vlan <vlan_name 32> state [enabled|disabled]

where:

    ipif_name 12 is the name of the IP interface. The name can be up to 12 alphanumeric characters.
    network_address is the IP address and the netmask of the IP interface.
    You can specify the address and mask information using the traditional format, for example 10.1.2.3/255.0.0.0, or in the CIDR format, for example 10.1.2.3/8.
    vlan_name 32 is the name of the VLAN that you want to assign to the IP interface.

Figure 83 shows how to assign ip2 to vlan3 and enable the interface.

Figure 83 config ipif command

    PP1612G:4#config ipif ip2 ipaddress 20.1.1.1/8 vlan vlan3 state enabled
    Command: config ipif ip2 ipaddress 20.1.1.1/8 vlan vlan3 state enabled

    Success.

    PP1612G:4#

Deleting an IP interface

To delete an IP interface, use the following command:

    delete ipif

This command uses the following options:

delete ipif followed by:

    <ipif_name 12>
        Specifies the name of the IP interface that you want to delete.

    all
        Specifies that all IP interfaces configured on the switch will be deleted.

Figure 84 shows you how to delete an IP interface named ip2.

Figure 84 delete ipif command

    PP1612G:4#delete ipif ip2
    Command: delete ipif ip2

    Success.

    PP1612G:4#

Configuring the System IP interface

To assign the System IP interface an IP address and a subnet mask, enter the following command:

    config ipif System

This command uses the following options:

config ipif System followed by:

    vlan <vlan_name 32>
        The name of the VLAN that corresponds to the System IP interface.

    ipaddress <network_address>
        The IP address and the netmask with which you want the System IP interface to be associated. You can specify the address and mask information using the traditional format, for example 10.1.2.3/255.0.0.0, or in the CIDR format, for example 10.1.2.3/8.

    state [enabled|disabled]
        Specifies whether you want the System IP interface to be enabled or disabled.
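The two network_address forms described above are accepted interchangeably by the CLI, and two mistakes are easy to make when the commands are typed by hand: a mask that is not contiguous, and two interfaces placed in the same subnet on different VLANs. The following Python script is an added example, not part of the Passport 1600 manual or Nortel software. It normalizes both forms with the standard ipaddress module, checks a planned set of ipif entries for overlapping subnets before any command is issued, and emits the create ipif commands in CIDR form. The IpIf record type and the sample plan are constructed for the example.

```python
"""Normalize the network_address forms accepted by create/config ipif and
check a planned set of IP interfaces for overlapping subnets.
Added example, not Nortel code; the plan below is constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple


class IpIf(NamedTuple):
    name: str       # ipif_name (up to 12 alphanumeric characters)
    network: str    # network_address exactly as typed on the CLI
    vlan: str       # vlan_name the interface is assigned to


def parse_network_address(text: str) -> ipaddress.IPv4Interface:
    """Accept 10.1.2.3/255.0.0.0 (traditional) or 10.1.2.3/8 (CIDR).

    IPv4Interface understands both a dotted netmask and a prefix length and
    rejects masks that are not contiguous (for example 255.0.255.0)."""
    host, sep, mask = text.partition("/")
    if not sep or not mask:
        raise ValueError(f"{text!r}: a netmask or prefix length is required")
    return ipaddress.IPv4Interface(f"{host}/{mask}")


def to_cidr(text: str) -> str:
    """10.48.74.122/255.0.0.0 -> 10.48.74.122/8"""
    return str(parse_network_address(text))


def to_traditional(text: str) -> str:
    """20.1.1.1/8 -> 20.1.1.1/255.0.0.0"""
    iface = parse_network_address(text)
    return f"{iface.ip}/{iface.netmask}"


def validate_ipifs(entries: List[IpIf]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    accepted: List[Tuple[IpIf, ipaddress.IPv4Interface]] = []
    for entry in entries:
        if not (1 <= len(entry.name) <= 12 and entry.name.isalnum()):
            problems.append(f"{entry.name}: ipif_name must be 1-12 alphanumeric characters")
        try:
            iface = parse_network_address(entry.network)
        except ValueError as err:
            problems.append(f"{entry.name}: {err}")
            continue
        # Two interfaces whose subnets overlap give the router two candidate
        # next hops for the same destinations; flag it before configuring.
        for other, other_iface in accepted:
            if iface.network.overlaps(other_iface.network):
                problems.append(
                    f"{entry.name} ({iface.network}, VLAN {entry.vlan}) overlaps "
                    f"{other.name} ({other_iface.network}, VLAN {other.vlan})"
                )
        accepted.append((entry, iface))
    return problems


def ipif_commands(entries: List[IpIf]) -> List[str]:
    """Emit create ipif commands with the address normalized to CIDR form."""
    return [f"create ipif {e.name} {to_cidr(e.network)} {e.vlan} state enabled"
            for e in entries]


# Constructed plan: the System interface of Figure 85 plus two more interfaces.
PLAN = [
    IpIf("System", "10.48.74.122/255.0.0.0", "default"),
    IpIf("ip2", "20.1.1.1/8", "vlan2"),
    IpIf("ip3", "10.1.1.1/24", "vlan3"),      # sits inside System's 10.0.0.0/8
]

if __name__ == "__main__":
    for line in ipif_commands(PLAN):
        print(line)
    for problem in validate_ipifs(PLAN):
        print("PROBLEM:", problem)
```

Run as a script it prints the three create ipif commands and then one problem, the overlap between ip3 and the System interface; a non-contiguous mask such as 255.0.255.0 is reported as a problem for that entry rather than silently accepted.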
Figure 85 shows you how to configure the System IP interface with the IP address 10.48.74.122 and a subnet mask of 255.0.0.0 (in CIDR format, 10.48.74.122/8).

Figure 85 config ipif System ipaddress command

    PP1612G:4#config ipif System ipaddress 10.48.74.122/8
    Command: config ipif System ipaddress 10.48.74.122/8

    Success.

    PP1612G:4#

Enabling an IP interface

To enable an IP interface, enter the following command:

    enable ipif

This command uses the following options:

enable ipif followed by:

    <ipif_name 12>
        Specifies the name of the IP interface that you want to enable.

    all
        Specifies that you want all of the IP interfaces configured on the switch to be enabled.

Figure 86 shows you how to enable an IP interface named ip2.

Figure 86 enable ipif command

    PP1612G:4#enable ipif ip2
    Command: enable ipif ip2

    Success.

    PP1612G:4#

Disabling an IP interface

To disable an IP interface, enter the following command:

    disable ipif

This command uses the following options:

disable ipif followed by:

    <ipif_name 12>
        The name of the IP interface you want to disable.

    all
        Specifies that you want all of the IP interfaces configured on the switch to be disabled.

Figure 87 shows you how to disable an IP interface named ip2.

Figure 87 disable ipif command

    PP1612G:4#disable ipif ip2
    Command: disable ipif ip2

    Success.

    PP1612G:4#

Displaying the current IP interface configuration

To display the current configuration of the System IP interface, enter the following command:

    show ipif System

This command uses the following options:

show ipif System followed by:

    all
        Specifies that you want all of the IP interfaces configured on the switch to have their current configurations displayed.

Figure 88 shows you how to display the current configuration of the System IP interface.
Figure 88 show ipif System command

    PP1648T:4#show ipif System
    Command: show ipif System

    IP Interface Settings

    Interface Name : System
    IP Address     : 10.48.74.122
    Subnet Mask    : 255.0.0.0
    VLAN Name      : default
    Admin. State   : Disabled
    Link Status    : Link UP
    Member Ports   : 1-26

    Total Entries : 1

    PP1648T:4#

Using the forwarding database

The 1600 switch maintains a database that relates MAC addresses to the switch ports that packets must be forwarded to in order to reach the appropriate MAC address. These commands allow you to make static entries in the switch's forwarding database. These entries will not be aged out by the forwarding database's age-out timer. In addition, you can specify the port (by port number) or the VLAN (by VLAN name) on which the MAC address resides. For multicast MAC addresses, you can specify a range of ports and a VLAN.

The switch enters the relationship between destination MAC or IP addresses and the Ethernet port or gateway router the destination resides on into its forwarding table. This information is then used to forward packets. This reduces traffic congestion on the network, because packets, instead of being transmitted to all ports, are transmitted to the destination port only. For example, if Port 1 receives a packet destined for a station on Port 2, the switch transmits that packet through Port 2 only, and transmits nothing through the other ports. This process is referred to as 'learning' the network topology.

The MAC address aging time affects the learning process of the switch. Dynamic forwarding table entries, which are made up of the source MAC addresses and their associated port numbers, are deleted from the table if they are not accessed within the aging time. The aging time can be from 10 to 630 seconds, with a default value of 300 seconds.
A very long aging time can result in dynamic forwarding table entries that are out-of-date or nonexistent. This may cause incorrect packet forwarding decisions by the switch. If the aging time is too short, many entries are aged out too soon. This results in a high percentage of received packets whose source addresses cannot be found in the forwarding table. In this case the switch broadcasts the packet to all ports, negating many of the benefits of having a switch. Static forwarding entries are not affected by the aging time.

The following sections describe the procedures you use to create, configure, delete, and display forwarding database entries.

Roadmap of forwarding database CLI commands

The following roadmap lists all of the forwarding database CLI commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    create fdb
        <vlan_name 32> <macaddr> port <port>
    config fdb
        aging_time <sec 10-630>
    create multicast_fdb
        <vlan_name 32> <macaddr>
    config multicast_fdb
        <vlan_name 32> <macaddr> [add|delete] <portlist>
    delete fdb
        <vlan_name 32> <macaddr>
    clear fdb
        Vlan <vlan_name 32>
        Port <port>
        all
    show multicast_fdb
        vlan <vlan_name 32>
        mac_address <macaddr>
    show fdb
        port <port>
        vlan <vlan_name 32>
        mac_address <macaddr>
        static
        aging_time

Creating a unicast forwarding database entry

To create a static entry, use the following command:

    create fdb <vlan_name 32> <macaddr> port <port>

where:

    vlan_name 32 is the name of the VLAN where the MAC address is located.
    macaddr is the MAC address that will be added to the switch's unicast MAC address forwarding database.
    port is the port number on the switch where the specified MAC address resides. The switch will always forward traffic to the MAC address through this port.
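The aging trade-off described above, and the way a static entry made with create fdb sidesteps it, can be seen directly with a small model of a learning bridge. The Python below is an added example, not switch code: dynamic entries expire after aging_time seconds without being seen as a source, static entries never expire, and a frame whose destination is not in the table is flooded to all ports. It replays a constructed four-frame trace under different settings so that each decision is either a known port or a flood. The trace, station names and timings are constructed; the 10-630 second range and the 300 second default are the values the manual states.

```python
"""Learning-bridge forwarding table with an aging timer.
Added example, not switch code; the trace below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

MIN_AGING, MAX_AGING, DEFAULT_AGING = 10, 630, 300   # seconds, per the manual
FLOOD = "flood"                                        # destination unknown: send to all ports

Decision = Union[int, str]                             # a port number, or FLOOD


@dataclass
class Entry:
    port: int
    static: bool          # static entries (create fdb) never age out
    last_seen: float      # last time the MAC was seen as a source


@dataclass
class ForwardingDb:
    aging_time: int = DEFAULT_AGING
    table: Dict[str, Entry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not MIN_AGING <= self.aging_time <= MAX_AGING:
            raise ValueError(f"aging_time must be {MIN_AGING}-{MAX_AGING} seconds")

    def create_static(self, mac: str, port: int) -> None:
        """Equivalent of: create fdb <vlan> <mac> port <port>"""
        self.table[mac] = Entry(port, True, 0.0)

    def expire(self, now: float) -> List[str]:
        """Drop dynamic entries not refreshed within aging_time; return what was dropped."""
        stale = [mac for mac, e in self.table.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for mac in stale:
            del self.table[mac]
        return stale

    def receive(self, now: float, in_port: int, src: str, dst: str) -> Decision:
        """Learn src on in_port, then forward to dst's port or flood if unknown."""
        self.expire(now)
        entry = self.table.get(src)
        if entry is None:
            self.table[src] = Entry(in_port, False, now)
        elif not entry.static:
            entry.port, entry.last_seen = in_port, now   # refresh, and follow a move
        target = self.table.get(dst)
        return FLOOD if target is None else target.port


# Constructed trace: (time in seconds, ingress port, source MAC, destination MAC).
# Station A sits on port 1 and station B on port 2; they exchange a pair of
# frames, then stay quiet for well over 300 seconds before the next pair.
TRACE: List[Tuple[float, int, str, str]] = [
    (0, 1, "A", "B"),
    (1, 2, "B", "A"),
    (400, 1, "A", "B"),
    (401, 2, "B", "A"),
]


def replay(aging_time: int, trace=TRACE,
           static: Optional[Dict[str, int]] = None) -> List[Decision]:
    """Return the forwarding decision for each frame of the trace."""
    fdb = ForwardingDb(aging_time)
    for mac, port in (static or {}).items():
        fdb.create_static(mac, port)
    return [fdb.receive(t, port, src, dst) for t, port, src, dst in trace]


if __name__ == "__main__":
    print("aging 300:", replay(300))                      # B aged out by t=400: flooded again
    print("aging 630:", replay(630))                      # B still known: forwarded to port 2
    print("static B :", replay(300, static={"B": 2}))     # never flooded, never aged
```

With the default 300 seconds the third frame is flooded because B's entry lapsed during the quiet period; with 630 seconds it is delivered to port 2; with a static entry for B there is no flood at all, which is the behaviour the text attributes to create fdb entries.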
Figure 89 shows the creation of a static MAC address entry in the switch's unicast forwarding database for the MAC address 00-00-00-00-01-02, which resides on the VLAN named default, on port 2.

Figure 89 create fdb command

    PP1612G:4# create fdb default 00-00-00-00-01-02 port 2
    Command: create fdb default 00-00-00-00-01-02 port 2

    Success.

    PP1612G:4#

Configuring a unicast forwarding database entry

To configure the age-out time for the switch's unicast MAC address forwarding database, use the following command:

    config fdb aging_time <sec 10-630>

where:

    sec 10-630 is the amount of time, in seconds, that a learned MAC address will remain in the switch's MAC address forwarding database, without being used, before being dropped from the database.

Figure 90 shows how to set the age-out time to 300 seconds.

Figure 90 config fdb command

    PP1612G:4# config fdb aging_time 300
    Command: config fdb aging_time 300

    Success.

    PP1612G:4#

Creating a multicast forwarding database entry

To create a static entry, use the following command:

    create multicast_fdb <vlan_name 32> <macaddr>

where:

    vlan_name 32 is the name of the VLAN where the multicast MAC address is located.
    macaddr is the MAC address that will be added to the switch's multicast MAC address forwarding database.

Figure 91 shows how to create a static MAC address entry in the switch's multicast forwarding database for the MAC address 00-00-00-00-01-02, which resides on the VLAN named default, on port 2:

Figure 91 create multicast_fdb command

    PP1612G:4# create multicast default 01-00-5E-00-00-00
    Command: create multicast default 01-00-5E-00-00-00

    Success.
    PP1612G:4#

Configuring the multicast forwarding database

To configure the switch's multicast forwarding database, use the following command:

    config multicast_fdb <vlan_name 32> <macaddr> [add|delete] <portlist>

where:

    vlan_name 32 is the name of the VLAN where the multicast MAC address is located.
    macaddr is the multicast MAC address.
    add allows you to add this multicast MAC address to the switch's multicast MAC address forwarding database; delete allows you to remove this address from the database.
    portlist specifies a range of ports. Ports are specified by entering the lowest port number in a group, and then the highest port number in a group, separated by a hyphen. So, a port group including the switch ports 1, 2, and 3 would be entered as 1-3. Ports that are not contained within a group are specified by entering their port number, separated by a comma. So, the port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 92 shows how to add the multicast MAC address 01-00-5E-00-00-00, residing on the VLAN named default, and ports 1 through 5, to the switch's multicast MAC address forwarding database:

Figure 92 config multicast_fdb command

    PP1612G:4# config multicast_fdb default 01-00-5E-00-00-00 add 1-5
    Command: config multicast_fdb default 01-00-5E-00-00-00 add 1-5

    Success.

    PP1612G:4#

Deleting an entry from the forwarding database

To delete an entry from the forwarding database, use the following command:

    delete fdb <vlan_name 32> <macaddr>

where:

    vlan_name 32 is the name of the VLAN on which the MAC address resides.
    macaddr is the MAC address that you want to delete from the switch's forwarding database.

Figure 93 shows how to delete the MAC address 00-00-00-00-01-02, which resides on the VLAN named default, from the switch's forwarding database.
Figure 93 delete fdb command

    PP1612G:4# delete fdb default 00-00-00-00-01-02
    Command: delete fdb default 00-00-00-00-01-02

    Success.

    PP1612G:4#

Clearing the forwarding database

To clear the switch's forwarding database of learned MAC addresses, use the following command:

    clear fdb

This command includes the following options:

clear fdb followed by:

    Vlan <vlan_name 32>
        Specifies the name of the VLAN for which you want to clear all learned MAC addresses from the switch's forwarding database.

    Port <port>
        Specifies the port for which you want to clear all learned MAC addresses from the switch's forwarding database.

    all
        Specifies that you want all learned MAC addresses cleared from the switch's forwarding database, regardless of VLAN or port association.

Figure 94 shows how to clear the switch's forwarding database of all learned entries.

Figure 94 clear fdb all command

    PP1612G:4# clear fdb all
    Command: clear fdb all

    Success.

    PP1612G:4#

Displaying the multicast forwarding database

To display the contents of the switch's multicast forwarding database, use the following command:

    show multicast_fdb

This command uses the following options:

show multicast_fdb followed by:

    vlan <vlan_name 32>
        Displays the multicast forwarding database for a single VLAN.

    mac_address <macaddr>
        Displays the multicast forwarding database entries for a single multicast MAC address.

Figure 95 displays the multicast forwarding database.
Figure 95 show multicast_fdb command

    PP1612G:4# show multicast_fdb
    Command: show multicast_fdb

    VLAN name    : default
    MAC address  : 01-00-5E-00-00-00
    Egress ports : 1-5
    Mode         : Static

    Total entries : 1

    PP1612G:4#

Displaying the unicast forwarding database

To display the contents of the switch's unicast forwarding database, use the following command:

    show fdb

This command uses the following options:

show fdb followed by:

    port <port>
        Displays the forwarding database for a single port.

    vlan <vlan_name 32>
        Displays the forwarding database for a single VLAN.

    mac_address <macaddr>
        Displays the forwarding database entries for a single MAC address.

    static
        Displays only the static MAC address entries in the forwarding database.

    aging_time
        Displays the current age-out time setting.

Figure 96 displays the unicast forwarding database:

Figure 96 show fdb command

    PP1648T:4# show fdb
    Command: show fdb

    Unicast MAC Address Aging Time = 200

    VID  VLAN Name         MAC Address        Type      Port
    ---  ----------------  -----------------  --------  --------
    1    default           00-09-97-DA-E0-01  Self      CPU
    1    default           00-80-2D-4E-A9-00  Dynamic   1
    1    default           00-80-2D-C2-CE-08  Dynamic   1
    1    default           08-00-20-B0-E9-59  Dynamic   1
    1    default           FF-FF-FF-FF-FF-FF  Self      CPU

    Total Entries: 5

    PP1648T:4#

Chapter 7 Configuring link aggregation groups

You use link aggregation to combine a number of ports together to make a single high-bandwidth data pipeline. The participating ports are called members of a link aggregation group, with one port designated as the master port. Since you must configure all members of the link aggregation group to operate in the same manner, the configuration of the master port is applied to all members of the link aggregation group. Thus, when configuring the ports in a link aggregation group, you need to configure only the master port.
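Before the link aggregation commands, one more item on the forwarding database of the previous chapter: the show fdb output of Figure 96 above is the kind of output a defender polls on a schedule. The Python below is an added example, not part of the manual or of Nortel software. It parses show fdb output into records, cross-checks the row count against the Total Entries line, and reports any port holding more dynamically learned MAC addresses than a threshold, which is the symptom of MAC flooding against the table or of an unmanaged switch hanging off an access port. The first sample reproduces Figure 96; the second sample with many addresses on port 3, and the threshold of 50, are constructed assumptions to tune per port role.

```python
"""Parse Passport 1600 'show fdb' output and flag ports with an unusually
large number of dynamically learned MAC addresses.
Added example, not Nortel code. SAMPLE follows Figure 96; build_flood_sample
and DYNAMIC_MAC_THRESHOLD are constructed assumptions."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One table row: VID, VLAN name, MAC in xx-xx-xx-xx-xx-xx form, Type, Port (number or CPU).
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)\s+(\S+)\s*$")
AGING = re.compile(r"Aging Time\s*=\s*(\d+)")
TOTAL = re.compile(r"Total Entries:\s*(\d+)")

DYNAMIC_MAC_THRESHOLD = 50   # assumption: tune per port role (access vs uplink)

SAMPLE = """\
PP1648T:4# show fdb
Command: show fdb

Unicast MAC Address Aging Time = 200

VID  VLAN Name         MAC Address        Type      Port
---  ----------------  -----------------  --------  --------
1    default           00-09-97-DA-E0-01  Self      CPU
1    default           00-80-2D-4E-A9-00  Dynamic   1
1    default           00-80-2D-C2-CE-08  Dynamic   1
1    default           08-00-20-B0-E9-59  Dynamic   1
1    default           FF-FF-FF-FF-FF-FF  Self      CPU

Total Entries: 5

PP1648T:4#
"""


def parse_show_fdb(text: str) -> Tuple[Optional[int], List[Dict[str, str]]]:
    """Return (aging_time, rows). Raises if the row count disagrees with the switch."""
    rows: List[Dict[str, str]] = []
    aging: Optional[int] = None
    total: Optional[int] = None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vid, vlan, mac, kind, port = m.groups()
            rows.append({"vid": vid, "vlan": vlan, "mac": mac.upper(),
                         "type": kind, "port": port})
            continue
        m = AGING.search(line)
        if m:
            aging = int(m.group(1))
            continue
        m = TOTAL.search(line)
        if m:
            total = int(m.group(1))
    if total is not None and total != len(rows):
        raise ValueError(f"parsed {len(rows)} rows but the switch reported {total}")
    return aging, rows


def dynamic_macs_per_port(rows: List[Dict[str, str]]) -> Counter:
    """Count dynamically learned addresses per port (Self and static entries excluded)."""
    return Counter(r["port"] for r in rows if r["type"].lower() == "dynamic")


def suspicious_ports(rows: List[Dict[str, str]],
                     threshold: int = DYNAMIC_MAC_THRESHOLD) -> Dict[str, int]:
    """Ports whose dynamic MAC count exceeds the threshold."""
    return {p: n for p, n in dynamic_macs_per_port(rows).items() if n > threshold}


def build_flood_sample(extra: int, port: int = 3) -> str:
    """Constructed: the Figure 96 table plus `extra` locally administered MACs on one port."""
    rows = [f"1    default           02-00-00-00-{i >> 8:02X}-{i & 0xFF:02X}  Dynamic   {port}"
            for i in range(extra)]
    return SAMPLE.replace("Total Entries: 5",
                          "\n".join(rows) + f"\n\nTotal Entries: {5 + extra}")


if __name__ == "__main__":
    aging, rows = parse_show_fdb(SAMPLE)
    print("aging time:", aging, "entries:", len(rows), "per port:", dict(dynamic_macs_per_port(rows)))
    _, flooded = parse_show_fdb(build_flood_sample(120))
    print("suspicious:", suspicious_ports(flooded))
```

The total-entries cross-check matters because a truncated capture (a paging prompt, a dropped session) would otherwise hide addresses, and an address count that drops without explanation is itself worth noticing when the aging time is known.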
The 1600 switch supports link aggregation groups. Each may include from 2 to 4 switch ports, except for a Gigabit link aggregation group, which consists of 2 to 4 of the SFP Gigabit Ethernet ports on the front panel.

This chapter describes the commands you use to configure, delete, and show link aggregation. Specifically, it includes the following topics:

    Topic                                    Page
    Roadmap of CLI commands                  184
    Creating a link aggregation group        184
    Deleting a link aggregation group        185
    Configuring a link aggregation group     186

Roadmap of CLI commands

The following roadmap lists all of the link aggregation commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    create link_aggregation
        group_id <value>
    delete link_aggregation
        group_id <value>
    config link_aggregation
        group_id <value> master_port <port> ports <portlist> state [enabled|disabled] BDPU_8600_Interop [enabled|disabled]
    show link_aggregation
        group_id <value>

Creating a link aggregation group

Note: Before you add a port to the MLT, you must first add the port to the VLAN. For instructions on adding ports to a VLAN configuration, see Chapter 6, "Configuring VLANs."

To create a link aggregation group, use the following command:

    create link_aggregation

This command uses the following options:

create link_aggregation followed by:

    group_id <value>
        A number from 1 to 7 that identifies the link aggregation group. The switch allows you to define up to 7 link aggregation groups.

Figure 97 shows you how to create a link aggregation group with a group ID of 1.

Figure 97 create link_aggregation command

    PP1648T:4# create link_aggregation group_id 1
    Command: create link_aggregation group_id 1

    Success.
    PP1648T:4#

Deleting a link aggregation group

To delete a link aggregation group, use the following command:

    delete link_aggregation

This command uses the following options:

delete link_aggregation followed by:

    group_id <value>
        A number from 1 to 7 that identifies the link aggregation group you want to delete. The switch allows you to define up to 7 link aggregation groups.

Figure 98 shows you how to delete a link aggregation group with a group ID of 6.

Figure 98 delete link_aggregation command

    PP1648T:4# delete link_aggregation group_id 6
    Command: delete link_aggregation group_id 6

    Success.

    PP1648T:4#

Configuring a link aggregation group

To configure a link aggregation group, use the following command:

    config link_aggregation

This command uses the following options:

config link_aggregation followed by:

    group_id <value>
        A number from 1 to 7 that identifies the link aggregation group you want to configure. The switch allows you to define up to 7 link aggregation groups.

    master_port <port>
        Specifies the port (by port number) that you wish to designate as the master port of the link aggregation group. All of the ports in a link aggregation group share the port configuration of the master port.

    ports <portlist>
        Specifies the range of ports that make up the link aggregation group. You specify ports by entering the lowest port number in a group, and then the highest, separated by a dash. For example, you enter a port group including the switch ports 1, 2, and 3 as 1-3. You specify ports that are not contained within a group by entering their port number, separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
    state [enabled|disabled]
        Allows you to enable or disable the specified link aggregation group.

    BDPU_8600_Interop [enabled|disabled]
        Enable this function if you would like to have an MLT connection between a Passport 8600 and the Passport 1600 under STP.

Figure 99 shows you how to configure a link aggregation group with a group ID of 1, a master port of 5, and ports 5 through 9 making up the link aggregation group.

Figure 99 config link_aggregation command

    PP1648T:4# config link_aggregation group_id 1 master_port 5 ports 5-10
    Command: config link_aggregation group_id 1 master_port 5 ports 5-10

    Success.

    PP1648T:4#

Displaying the link aggregation configuration

To display a link aggregation configuration, use the following command:

    show link_aggregation

This command uses the following options:

show link_aggregation followed by:

    group_id <value>
        A number from 1 to 7 that identifies the link aggregation group you want to display. The switch allows you to define up to 7 link aggregation groups.

Figure 100 shows you how to display the link aggregation for group 1 on the switch.

Figure 100 show link_aggregation command

    PP1648T:4# show link_aggregation group_id 1
    Command: show link_aggregation group_id 1

    Group ID          : 1
    Master Port       : 10
    Member Port       : 10-12
    Status            : Enabled
    Flooding Port     : 10
    BDPU 8600 Interop : Disabled

    PP1648T:4#

Chapter 8 Configuring QoS

The Passport 1600 Series switches have a number of commands that allow you to specify how packets from various sources are forwarded to the switch's four hardware priority queues. This chapter provides information on configuring Quality of Service (QoS) and utilizing those hardware queues.
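Before the QoS commands, a check that belongs with the link aggregation chapter just concluded. The constraints it states (group IDs 1 to 7, 2 to 4 member ports, a master port that belongs to the group, and ports that must already be VLAN members) are easy to verify before the commands are typed. The Python below is an added example, not Nortel code: it expands the portlist syntax shared by config vlan, config multicast_fdb and config link_aggregation ("1-3, 26"), validates a planned group against those constraints and against groups already defined on the switch, and emits the create and config commands. The planned groups, the VLAN membership set and the existing group are constructed.

```python
"""Validate a planned link aggregation group against the constraints stated
in this chapter, then emit the CLI commands.
Added example, not Nortel code; the plan and switch state below are constructed."""
from typing import Dict, Iterable, List, Optional, Set

MAX_GROUPS = 7                 # group_id 1-7
MIN_MEMBERS, MAX_MEMBERS = 2, 4


def expand_portlist(spec: str) -> List[int]:
    """Expand the CLI portlist syntax: ranges 'lo-hi' and single ports, comma separated.
    '4-8,10' -> [4, 5, 6, 7, 8, 10]; '1-3, 26' -> [1, 2, 3, 26]."""
    ports: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"range {item!r} runs backwards")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    if not ports:
        raise ValueError(f"empty portlist {spec!r}")
    return sorted(ports)


def compact_portlist(ports: List[int]) -> str:
    """Inverse of expand_portlist: [5, 6, 7, 8, 10] -> '5-8,10'."""
    out: List[str] = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def check_lag(group_id: int, master_port: int, ports: str,
              vlan_members: Iterable[int],
              existing: Optional[Dict[int, List[int]]] = None) -> List[str]:
    """Return the problems with the plan; an empty list means it is consistent.

    vlan_members: ports already added to the VLAN the group will carry
                  (the note above requires this before a port joins an MLT).
    existing:     group_id -> member ports of groups already on the switch."""
    existing = existing or {}
    problems: List[str] = []
    if not 1 <= group_id <= MAX_GROUPS:
        problems.append(f"group_id {group_id} is outside 1-{MAX_GROUPS}")
    if group_id in existing:
        problems.append(f"group_id {group_id} already exists; delete it first")
    try:
        members = expand_portlist(ports)
    except ValueError as err:
        return problems + [str(err)]
    if not MIN_MEMBERS <= len(members) <= MAX_MEMBERS:
        problems.append(f"{len(members)} member ports; a group takes {MIN_MEMBERS}-{MAX_MEMBERS}")
    if master_port not in members:
        problems.append(f"master_port {master_port} is not in the member list {members}")
    outside_vlan = [p for p in members if p not in set(vlan_members)]
    if outside_vlan:
        problems.append(f"ports {outside_vlan} must be added to the VLAN before joining the MLT")
    for other_id, other_ports in existing.items():
        shared = sorted(set(members) & set(other_ports))
        if shared and other_id != group_id:
            problems.append(f"ports {shared} already belong to group {other_id}")
    return problems


def lag_commands(group_id: int, master_port: int, ports: str) -> List[str]:
    """The commands of Figures 97 and 99 with state enabled and a normalized portlist."""
    members = expand_portlist(ports)
    return [
        f"create link_aggregation group_id {group_id}",
        f"config link_aggregation group_id {group_id} master_port {master_port} "
        f"ports {compact_portlist(members)} state enabled",
    ]


# Constructed switch state: ports 1-12 in the VLAN, group 2 already using 10-12.
VLAN_PORTS = set(range(1, 13))
EXISTING = {2: [10, 11, 12]}

if __name__ == "__main__":
    for gid, master, ports in [(1, 5, "5-8"), (1, 5, "5-10"), (2, 3, "3,4,11")]:
        problems = check_lag(gid, master, ports, VLAN_PORTS, EXISTING)
        print((gid, master, ports), "OK" if not problems else problems)
    print(lag_commands(1, 5, "5-8"))
```

The second plan reproduces the six-port list of Figure 99 and is reported twice, once for the member count and once because port 10 is already in group 2; the third is rejected only because group 2 already exists.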
Specifically, it includes the following topics:

    Topic                                                       Page
    Roadmap of CLI commands                                     190
    Establishing a QoS scheme                                   193
    Command overview                                            195
    Configuring the flow classifier template operating mode     196
    Configuring flow classifier template mode parameters        198
    Displaying the flow classifier template mode                200
    Attaching a flow classifier template                        201
    Creating an IP filter for a flow classification template    202
    Deleting an IP filter from a flow classification template   204
    Creating a QoS rule                                         209
    Deleting a QoS rule                                         212
    Creating a Layer 4 switch rule                              213
    Deleting a Layer 4 switch rule                              217
    Creating a forwarding database filter                       218
    Deleting a forwarding database filter                       219
    Displaying a forwarding database filter                     220
    Enabling the IP fragment filter                             221
    Disabling the IP fragment filter                            222
    Displaying the status of the IP fragment filter             223
    Configuring scheduling                                      223
    Creating a MAC priority entry                               225
    Deleting a MAC priority entry                               226
    Displaying MAC priority entries                             227

Roadmap of CLI commands

The following roadmap lists all of the QoS commands and their parameters.
Use this list as a quick reference or click on any entry for more information:

    config flow_classifier
        template_<value 1-2> mode [security|qos|l4_switch]
    config flow_classifier
        template_id <value 1-2> mode_parameters [subnet_mask {src <netmask>|dst <netmask>}|qos_flavor [802.1p|dscp|dst_ip|dst_tcp_port|dst_udp_port]|l4_session {tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}|udp_session fields {dip|sip|tos|dst_port|src_port}|other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}}]
    show flow_classifier
        none
    config flow_classifier
        vlan <vlan_name> attach template_id <value 1-2>
        vlan <vlan_name> detach template_id <value 1-2>
    create sec_rule
        [template_id <value 1-2>|src_ip_address <ipaddr>|dst_ip_address <ipaddr>]
    delete sec_rule
        [template_id <value 1-2>|rule_index <value>|all]
    create qos_rule
        template_id <value 1-2> 802.1p <value 0-7> dscp <value 0-63> dst_ip <ipaddr> dst_tcp_port <tcp_port_number 1-65535> dst_udp_port <udp_port_number 1-65535> priority <value 0-7>
    delete qos_rule
        template_id <value 1-2>
        rule_index <value>
        all
    create l4_switch_rule
        template_id <value 1-2>
        tcp_session fields (followed by) dip <ipaddr> sip <ipaddr> tos <hex 0x00-0xff> dst_port <tcp_port_number 1-65535> src_port <tcp_port_number 1-65535> tcp_flags ack|fin|psh|rst|syn|urg
        udp_session fields (followed by) dip <ipaddr> sip <ipaddr> tos <hex 0x00-0xff> dst_port <tcp_port_number 1-65535> src_port <tcp_port_number 1-65535>
        other_session fields (followed by) dip <ipaddr> sip <ipaddr> tos <hex 0x00-0xff> protocol [icmp|igmp] icmp_message type <hex 0x00-0xff> code <hex 0x00-0xff> igmp_type [query|response]
        action (followed by) drop
                             forward <priority 0-7>
                             redirect <ipaddr> unreachable_next_hop [drop|forward]
    delete l4_switch_rule
        template_id <value 1-2>
        rule_index <value>
        all
    create fdbfilter
        vlan <vlan_name> mac_address <macaddr>
    delete fdbfilter
        vlan <vlan_name> mac_address <macaddr>
        vlan <vlan_name>
        mac_address <macaddr>
        all
    show fdbfilter
        vlan <vlan_name> mac_address <macaddr>
        vlan <vlan_name>
        mac_address <macaddr>
    enable ip_fragment_filter
    disable ip_fragment_filter
    show ip_fragment_filter
    config scheduling
        ports [<portlist>/all] class_id <value 0-2> max_packet <value 6-255>
    create mac_priority
        vlan <vlan_name> dst_mac_addr <macaddr> priority <value 0-7>
    delete mac_priority
        vlan <vlan_name> dst_mac_address <macaddr>
        vlan <vlan_name>
        dst_mac_address <macaddr>
        all
    show mac_priority
        vlan <vlan_name>
        vlan <vlan_name> dst_mac_addr <macaddr>
        dst_mac_addr <macaddr>

Establishing a QoS scheme

You establish a QoS scheme on the switch by following these three steps:

1 Select one of the two available templates (template_id 1 or template_id 2) to write the rules to. These are called flow classifiers when you configure them.

2 Set the fields of an incoming packet's header that the switch examines, as well as the parameters that must be in those fields, to determine if the packet meets the criteria of the rule.

3 Specify the action the switch will take when it finds packets that meet the criteria.

QoS templates

You use the two switch templates (template_id 1 and template_id 2) to house the packet screening rules in one of three modes:

    • security
    • qos
    • l4_switch

The default operating mode for template 1 is L4 switch mode, while the default operating mode for template 2 is QoS.

Note: You can operate the two templates in the same mode. When you change the operating mode of a template, all previously entered rules are deleted and the switch reboots. You cannot enter rules that are incompatible with the template's current operating mode.
For example, you cannot enter QoS rules when the template is in L4 switch mode.

Security mode

In security mode, incoming packets have their IP headers examined to determine source and destination subnet addresses. These packets are then filtered if the addresses are entered into the template's IP filtering database.

QoS mode

In QoS mode, an incoming packet's priority information is examined to determine if the QoS rules should be applied, and the packet forwarded to a specified priority queue.

L4 switch mode

In L4 switch mode, an incoming packet's TCP, UDP, or other header information is examined to determine if the L4 switch rule should be applied. The packet is then either forwarded or dropped, as specified.

Command overview

Table 10 provides an overview of the QoS commands and their functions.

Table 10 QoS command overview

    config flow_classifier template_<value 1-2> mode
        Configures the operating mode of a template.

    config flow_classifier template_id <value 1-2> mode_parameters
        Configures the fields in the header of an incoming packet that the switch examines.

    config flow_classifier vlan <vlan_name> attach template_id <value 1-2>
        Attaches an already-created template to a VLAN.

    create sec_rule
    delete sec_rule
        Adds or deletes IP subnet filters to a template in security mode.

    create dst_ipfilter
    delete dst_ipfilter
        Adds or deletes destination IP addresses to be filtered from the switch.

    create qos_rule
    delete qos_rule
        Adds or deletes QoS rules and actions to a template in qos mode.

    create l4_switch_rule
    delete l4_switch_rule
        Adds or deletes rules and actions from a template in l4_switch mode.

    create fdbfilter
    delete fdbfilter
    show fdbfilter
    enable ip_fragment_filter
    disable ip_fragment_filter
    show ip_fragment_filter
        Apply to both templates, and the VLANs to which the templates are bound, regardless of the template's operating mode.
Note: You do not need fdbfilter to bind with a VLAN; however, ip_fragment_filter should be in the template with the bound VLAN.

Table 10 QoS command overview (continued)

    config scheduling
        Assigns weights to the switch's round-robin priority queue transmission scheme. This command is independent of the current template.

    create mac_priority
    delete mac_priority
    show mac_priority
        Directs packets with a specified MAC address as their destination to a specified priority queue. These commands are independent of the current template.

Configuring the flow classifier template operating mode

The Passport 1600 Series switches allow you to define two templates for flow classification, and then add rules that determine what the switch will do with packets that meet the criteria established in these templates. To modify the operating mode of both flow templates, enter the following command:

    config flow_classifier template_<value 1-2> mode

There are two steps involved in modifying a flow classification template:

1 Delete all active rules.

2 Save the modified flow classification template to the switch's NV-RAM, and restart the switch.

Once you restart the switch, you must then attach the flow classification template to a VLAN using the config flow_classifier vlan <vlan_name> attach template_id <value 1-2> command. For more information on this command, see "Attaching a flow classifier template" on page 201.

When adding rules to a template, remember that the rules must be compatible with the template's operating mode. For example, you cannot add a QoS rule to a security or l4_switch mode template.

This command uses the following option:

config flow_classifier template_<value 1-2> mode followed by:

    [security|qos|l4_switch]
        This sets the operating mode of the template.
        In security mode, incoming packets have their IP headers examined to determine source and destination subnet IP addresses. These packets are then filtered if the addresses are entered into the template’s IP filtering database. In qos mode, you can create QoS-related rules to forward incoming packets to the switch’s various priority queues. In l4_switch mode, incoming packets are examined to determine the values in their L3 and L4 packet headers.

Figure 101 shows how to configure template 1 in security mode and template 2 in qos mode.

Figure 101 config flow_classifier template_<value 1-2> mode command

    PP1612G:4# config flow_classifier template_1 mode security template_2 mode qos
    Command: config flow_classifier template_1 mode security template_2 mode qos
    WARNING: Change templates' modes results in system reboot!
    Will you continue anyway[Y/N]?
    Saving all configurations to NV-RAM.......... 100 %
    Success.
    PP1648G:4#

Configuring flow classifier template mode parameters

To configure the flow classifier template mode parameters for the template whose operating mode you configured using the config flow_classifier template_id <value 1-2> mode command, enter the following:

    config flow_classifier template_id <value 1-2> mode_parameters

For a template operating in security mode, you must enter the source and destination IP subnet masks using the config flow_classifier command, and then enter the source and destination IP address part of the network addresses using the create sec_rule command, as shown below. Entering a zero source netmask (src 0.0.0.0) instructs the switch to ignore source IP subnets when filtering. Entering a zero destination netmask (dst 0.0.0.0) instructs the switch to ignore destination IP subnets when filtering.
For a template operating in qos mode, you must select the qos_flavor from the following list: 802.1p value, dscp value, destination TCP port number, destination UDP port number, or destination IP address. For a template operating in l4_switch mode, you must define a combination of TCP session, UDP session, or other session fields for rules (created later) to fill.

This command uses the following options:

config flow_classifier template_id <value 1-2> mode_parameters followed by:
    [subnet_mask {src <netmask>|dst <netmask>}
     |qos_flavor [802.1p|dscp|dst_ip|dst_tcp_port|dst_udp_port]
     |l4_session {tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}
                 |udp_session fields {dip|sip|tos|dst_port|src_port}
                 |other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}}]

    subnet_mask {src <netmask>|dst <netmask>}
        Allows you to enter subnet masks for source and destination subnets that you can use in combination with IP addresses entered with the create sec_rule command, shown below, to filter source and destination IP subnets. These parameters are used with templates that are in the security operating mode. A zero netmask on one side tells the switch to ignore that side when filtering: entering a zero destination netmask (config flow_classifier dst 0.0.0.0) gives a source-only IP subnet filter, and entering a zero source netmask (config flow_classifier src 0.0.0.0) gives a destination-only IP subnet filter. If both the source and destination netmasks are entered as 0.0.0.0, then no IP subnet filtering takes place.

    qos_flavor [802.1p|dscp|dst_ip|dst_tcp_port|dst_udp_port]
        Allows you to select the criteria used to determine what the switch does with packets that meet those criteria. You must choose between the value in an incoming packet’s 802.1p, dscp, dst_ip, dst_tcp_port, or dst_udp_port field. If you select 802.1p, then incoming packets have their 802.1p priority fields examined.
    l4_session
        Allows you to modify the following types of fields:
        • tcp_session fields allows you to select a combination of TCP fields in an incoming packet’s header that the switch examines. You can choose a combination of the dip, sip, tos, dst_port, src_port, or tcp_flags fields in an incoming packet’s TCP header for the switch to examine.
        • udp_session fields allows you to select a combination of UDP fields in an incoming packet’s header that the switch examines. You can choose a combination of the dip, sip, tos, dst_port, or src_port fields in an incoming packet’s UDP header for the switch to examine.
        • other_session fields allows you to select from the following fields of an incoming packet’s header that the switch examines. You can choose a combination of the dip, sip, tos, l4_protocol, icmp_msg, or igmp_type fields in an incoming packet’s header for the switch to examine.

Figure 102 shows how to set the switch’s QoS criteria to examine the 802.1p priority field of incoming packets.

Figure 102 config flow_classifier template_id <value 1-2> mode_parameters command

    PP1612G:4# config flow_classifier template_id 2 mode_parameters qos_flavor 802.1p
    Command: config flow_classifier template_id 2 mode_parameters qos_flavor 802.1p
    Success.
    PP1648G:4#

Displaying the flow classifier template mode

To display the flow classifier template mode, enter the following:

    show flow_classifier

This command contains no parameters. Figure 103 shows sample results of this command. In this example, the command shows that Template 1 is in security mode and Template 2 is in QoS mode.
Figure 103 show flow_classifier command

    PP1612G:4# show flow_classifier
    Command: show flow_classifier

    Flow Template Table:
    Template ID: 1
    Template Mode: SECURITY
    SrcSubnet Mask: 255.255.255.255
    DstSubnet Mask: 0.0.0.0
    Rule Number: 0
    Attached Vlan:

    Template ID: 2
    Template Mode: QOS
    QoS Flavor: 802.1P
    Rule Number: 0
    Attached Vlan:
    PP1648G:4#

Attaching a flow classifier template

To attach a flow classifier template to a VLAN, enter the following command:

    config flow_classifier vlan <vlan_name>

Packets that are received from this VLAN are examined by the switch to determine if they meet the criteria in the template. If so, the switch takes the actions specified in the template. Packets that are received from VLANs that are not attached to a template are not examined in this way.

This command uses the following options:

config flow_classifier vlan <vlan_name> followed by:
    attach template_id <value 1-2>
        Attaches an already-created template to a VLAN.
    detach template_id <value 1-2>
        Detaches a template from a VLAN.

Figure 104 shows how to attach template_id 2 to the VLAN named 77.

Figure 104 config flow_classifier vlan <vlan_name> command

    PP1648G:4#config flow_classifier vlan 77 attach template_id 2
    Command: config flow_classifier vlan 77 attach template_id 2
    Success.
    PP1648G:4#

Creating an IP filter for a flow classification template

To specify both source and destination IP network addresses (in combination with the subnet_mask {src <netmask>|dst <netmask>} parameters entered with the config flow_classifier command, as shown above) to be filtered from the switch, use the following command (it is assumed in this case that the source and destination netmasks were entered using the config flow_classifier command as 255.0.0.0):

    create sec_rule template_id 1 src_ip_address 10.20.30.40 dst_ip_address 10.20.30.40

Filtering source and destination subnets is accomplished in two steps. First, enter the source and destination subnet masks using the config flow_classifier {src <netmask>|dst <netmask>} command and attach the flow classifier to a VLAN and to a template. Second, enter the IP address part of the subnet’s network address using the create sec_rule template_id <value 1-2> src_ip_address <ipaddr>|dst_ip_address <ipaddr> command.

Note:
1. When you specify a source and destination network address filter (src and dst), the IP address part of the network address is template-dependent. You must first enter the source and destination subnet masks using the config flow_classifier {src <netmask>|dst <netmask>} command. Then you can enter the IP address part of the source and destination network addresses using the create sec_rule command, which assigns them to the specified template (1 or 2). The template that the sec_rule is assigned to must also be in the security operating mode.
2.
You can define the IP subnet filter as a source-only IP subnet filter by entering a source netmask of zero (config flow_classifier src 0.0.0.0) or a destination-only IP subnet filter by entering a destination netmask of zero (config flow_classifier dst 0.0.0.0). If both the source and destination netmasks are entered as 0.0.0.0, then no IP subnet filtering takes place.
3. A memory limitation exists here. The two templates, template_id 1 and template_id 2, share the same amount of memory. If you reach the maximum amount of memory for one template, then you cannot enter any more rules for the remaining template. Security mode has a maximum of 64 rule entries if the combination is L4_Switch/SEC, SEC/QoS, or SEC/SEC.

This command uses the following options:

create sec_rule followed by:
    [template_id <value 1-2>|src_ip_address <ipaddr>|dst_ip_address <ipaddr>]
        Allows you to filter the source (src) and destination (dst) IP addresses. You must specify which of the two available templates this filter applies to, and ensure that this template is in the security operating mode.

Figure 105 shows how to filter packets with a source and destination IP address of 192.32.96.54.

Figure 105 create sec_rule command

    PP1612G:4#create sec_rule template_id 1 src_ip_address 192.32.96.54 dst_ip_address 192.32.96.54
    Command: create sec_rule template_id 1 src_ip_address 192.32.96.54 dst_ip_address 192.32.96.54
    Success.
    PP1612G:4#

Deleting an IP filter from a flow classification template

To delete all previously-entered IP address filters from the switch’s template 1, use the following command:

    delete sec_rule template_id 1 all

Note:
1. When you want to delete an IP address filter, you must specify the template_id <value 1-2> for this IP filter, along with the rule_index <value>.
2.
When you want to delete all IP address filters from a template in security mode, you do not need to specify the rule_index. You have the option of specifying all.

This command uses the following options:

delete sec_rule followed by:
    [template_id <value 1-2>|rule_index <value>|all]
        Allows you to uniquely identify the filter you want to delete. If you want to delete an IP address filter, you must specify which of the two available templates this filter applies to. If you want to delete all filters from a template in security mode, you do not need to specify the rule_index. You have the option of specifying all, which deletes all of the IP address filters for that template.

Figure 106 shows how to delete all IP filters from template 1.

Figure 106 delete sec_rule command

    PP1612G:4#delete sec_rule template_id 1 all
    Command: delete sec_rule template_id 1 all
    Success.
    PP1612G:4#

Creating a destination IP address filter

To specify a destination IP address to be filtered from the switch, use the following command:

    create dst_ipfilter ip_address 10.42.73.5

If you filter by destination, packets with the specified IP address as their destination are dropped.

Note: When you specify a destination IP address filter, it is template-independent. Any packet with the specified IP address as its destination is dropped by the switch, regardless of the operating mode of the applicable template.

This command uses the following options:

create dst_ipfilter followed by:
    ip_address <ipaddr>
        If you want to filter the IP address as a destination (dst), you do not need to specify the template id. The switch drops packets that have the IP address entered previously as their destination regardless of what operating mode the templates are in.
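The following Python model is an added illustration of the filtering behaviour described in the sec_rule and dst_ipfilter sections above; it is not part of the Nortel manual or the switch software. It models the per-template source and destination subnet masks set with config flow_classifier, the address parts supplied by create sec_rule, the 64-entry rule memory shared by the two templates, and the template-independent destination IP filter table. A zero mask on one side means that side is ignored, as the mode_parameters description states. The class and function names, the packet representation and the sample addresses are this example’s own assumptions.

```python
# Added example (not from the Nortel manual): a small model of Passport 1600
# security-mode filtering -- per-template src/dst subnet masks
# (config flow_classifier ... subnet_mask), sec_rules that supply the address
# part (create sec_rule), the shared 64-rule budget, and the template-independent
# dst_ipfilter table. Names and packet fields are this example's own assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address

SEC_RULE_LIMIT = 64   # security-mode rules shared by both templates (manual, note 3)


def ip_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer, so masks can be applied with &."""
    return int(IPv4Address(addr))


@dataclass
class SecurityTemplate:
    template_id: int
    mode: str = "security"
    src_mask: str = "0.0.0.0"     # 0.0.0.0 means "ignore the source subnet"
    dst_mask: str = "0.0.0.0"     # 0.0.0.0 means "ignore the destination subnet"
    rules: list = field(default_factory=list)        # (src_ip, dst_ip) address parts
    attached_vlans: set = field(default_factory=set)


class FlowClassifier:
    def __init__(self):
        self.templates = {1: SecurityTemplate(1), 2: SecurityTemplate(2)}
        self.dst_ipfilter = set()   # dropped regardless of any template's mode

    # config flow_classifier template_id N mode_parameters subnet_mask src/dst
    def set_subnet_mask(self, template_id, src=None, dst=None):
        t = self.templates[template_id]
        if src is not None:
            t.src_mask = src
        if dst is not None:
            t.dst_mask = dst

    # config flow_classifier vlan V attach template_id N
    def attach(self, vlan, template_id):
        self.templates[template_id].attached_vlans.add(vlan)

    # create sec_rule template_id N src_ip_address A dst_ip_address B
    def create_sec_rule(self, template_id, src_ip, dst_ip):
        t = self.templates[template_id]
        if t.mode != "security":
            raise ValueError("sec_rule requires a template in security mode")
        used = sum(len(x.rules) for x in self.templates.values())
        if used >= SEC_RULE_LIMIT:
            raise MemoryError("shared security rule memory exhausted")
        t.rules.append((src_ip, dst_ip))
        return len(t.rules)   # rule_index: rules are numbered in entry order

    # create dst_ipfilter ip_address A
    def create_dst_ipfilter(self, ip):
        self.dst_ipfilter.add(ip)

    def _subnet_match(self, template, src, dst):
        sm, dm = ip_int(template.src_mask), ip_int(template.dst_mask)
        if sm == 0 and dm == 0:
            return False    # both masks zero: no subnet filtering at all
        for rule_src, rule_dst in template.rules:
            src_ok = sm == 0 or (ip_int(src) & sm) == (ip_int(rule_src) & sm)
            dst_ok = dm == 0 or (ip_int(dst) & dm) == (ip_int(rule_dst) & dm)
            if src_ok and dst_ok:
                return True
        return False

    def filtered(self, vlan, src, dst) -> str:
        """Return 'drop' or 'pass' for a packet received on `vlan`."""
        if dst in self.dst_ipfilter:          # checked before any template logic
            return "drop"
        for t in self.templates.values():
            if vlan in t.attached_vlans and t.mode == "security":
                if self._subnet_match(t, src, dst):
                    return "drop"
        return "pass"
```

With masks of 255.0.0.0 on both sides and the rule from the text (10.20.30.40 / 10.20.30.40), any packet from 10.0.0.0/8 to 10.0.0.0/8 on an attached VLAN is dropped, the same packet on an unattached VLAN passes, and clearing the source mask to 0.0.0.0 turns the rule into a destination-only subnet filter.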
Figure 107 shows how to filter packets with a destination IP address of 192.32.96.54.

Figure 107 create dst_ipfilter command

    PP1612G:4#create dst_ipfilter ip_address 192.32.96.54
    Command: create dst_ipfilter ip_address 192.32.96.54
    Success.
    PP1612G:4#

Deleting a destination IP address filter

To delete all previously-entered destination IP address filters from the switch, use the following command:

    delete dst_ipfilter all

Because of the way IP filters are identified within the switch, you must enter the same destination IP address to delete a specific IP filter, or specify all to instruct the switch to delete all destination IP address filters that have been entered.

Note: When you specify a destination IP address filter, it is template-independent. Any packet with the specified IP address as its destination is dropped by the switch, regardless of the operating mode of the applicable template.

This command uses the following options:

delete dst_ipfilter followed by:
    [ip_address <ipaddr>|all]
        Allows you to uniquely identify the filter you want to delete. If you want to delete a filter for an IP address as a destination (dst), you do not need to specify the template id. You have the option of deleting a specific IP address or deleting all destination IP filters.

Figure 108 shows how to delete an IP filter with a destination IP address of 192.32.96.54.

Figure 108 delete dst_ipfilter command

    PP1612G:4#delete dst_ipfilter ip_address 192.32.96.54
    Command: delete dst_ipfilter ip_address 192.32.96.54
    Success.
    PP1612G:4#

Displaying the destination IP address filter table

To display all previously-entered destination IP address filters on the switch, use the following command:

    show dst_ipfilter

Note: When you specify a destination IP address filter, it is template-independent.
Any packet with the specified IP address as its destination is dropped by the switch, regardless of the operating mode of the applicable template.

This command has no additional options:

show dst_ipfilter followed by:
    There are no options.

Figure 109 shows how to display the current contents of the switch’s destination IP address filter table.

Figure 109 show dst_ipfilter command

    PP1612G:4#show dst_ipfilter
    Command: show dst_ipfilter

    Destination IP Filter Table:
    Destination IP Address
    ----------------------
    10.42.73.5
    Total Entries: 1
    PP1612G:4#

Creating a QoS rule

To add a QoS rule to a template, use the following command:

    create qos_rule template_id <value 1-2>

A QoS rule determines the priority queuing of an incoming packet. The following steps are used to determine the appropriate priority queuing of a packet.

1 The switch checks to see if the packet’s source VLAN is bound to the template in current use.
2 If the current template is bound to the source VLAN, the switch checks the template to see if it is in qos mode.
3 If the current template is in qos mode, the switch then applies any qos_rule that has been entered into the template.
4 If there is no qos_rule, or the packet does not match the criteria of the qos_rule, the packet’s priority tag determines priority queuing.
5 If the packet has no priority tag, the switch uses the default priority setting or the MAC address priority setting (if the source MAC address is in the MAC address priority table).

QoS rules affect all packets that are received by the switch from VLANs to which the template containing the QoS rules is bound.

The create qos_rule command is structured in two parts.
1 It specifies the protocol (802.1p, dscp, dst_ip, dst_tcp_port, or dst_udp_port) and a parameter that is compared to the protocol’s parameter written in the incoming packet’s headers. If an incoming packet’s protocol parameter matches the protocol parameter entered with the create qos_rule command, the switch takes the action you specify in the second part of this command.
2 It allows you to specify the priority queue (priority <value 0-7>) to which the switch forwards packets that match the protocol and parameter criteria. The switch has four hardware priority queues, and the 8 levels of priority specified by priority <value 0-7> are mapped (by default) to these four priority queues. For example, 0, 1, and 2 specify the switch’s lowest priority queue, 3 and 4 specify the next lowest priority queue, 5 and 6 specify the next highest priority queue, and 7 specifies the highest priority queue.

For example, 0 and 1 correspond to the switch’s highest priority queue, 2 and 3 correspond to the next lowest priority queue, and so on until 6 and 7 specify the switch’s lowest priority queue. You can configure the mapping using the config scheduling command.

Incoming packets must also be from a VLAN to which the template that contains the QoS rule is attached.

Note: QoS mode has a maximum of 64 rule entries if the combination is L4_Switch/QoS, SEC/QoS, or QoS/QoS.

This command uses the following options:

create qos_rule template_id <value 1-2> followed by:
    802.1p <value 0-7>
        Specifies the value of an incoming packet’s 802.1p priority tag that you want the switch to send to the priority queue you designate with priority <value 0-7>.
    dscp <value 0-63>
        Specifies the value of an incoming packet’s DSCP field that you want the switch to send to the priority queue you designate with priority <value 0-7>.
    dst_ip <ipaddr>
        Specifies the IP address of an incoming packet’s destination IP address field that you want the switch to send to the priority queue you designate with priority <value 0-7>.
    dst_tcp_port <tcp_port_number 1-65535>
        Specifies the TCP port number of an incoming packet’s destination TCP port field that you want the switch to send to the priority queue you designate with priority <value 0-7>.
    dst_udp_port <udp_port_number 1-65535>
        Specifies the UDP port number of an incoming packet’s destination UDP port field that you want the switch to send to the priority queue you designate with priority <value 0-7>.
    priority <value 0-7>
        The priority queue to which you want the switch to send packets that meet the criteria entered previously. The switch’s default mapping between the 8 priority levels specified here and the switch’s four hardware priority queues is:
        • 0, 1, and 2 correspond to the switch’s highest priority queue
        • 3 and 4 correspond to the next lowest priority queue
        • 5 and 6 correspond to an even lower priority queue
        • 7 specifies the switch’s lowest priority queue
        This default mapping can be configured differently by a user.

Figure 110 shows how to configure a QoS rule to be added to template_id 2 to send incoming packets with an 802.1p value of 3 to the switch’s lowest priority queue (priority 7).

Figure 110 create qos_rule command

    PP1648G:4#create qos_rule template_id 2 802.1p 3 priority 7
    Command: create qos_rule template_id 2 802.1p 3 priority 7
    Success.
    PP1648G:4#

Deleting a QoS rule

To delete a QoS rule that was entered into a template, use the following command:

    delete qos_rule template_id <value 1-2>

QoS rules are identified by the template id of the template they are entered into, and by the numerical order in which they are entered.

This command uses the following options:

delete qos_rule template_id <value 1-2> followed by:
    rule_index <value>
        Deletes the QoS rule specified by the number value. QoS rules are entered into a template in numerical order.
    all
        Deletes all of the QoS rules assigned to the specified template.

Figure 111 shows how to delete the QoS rule that was entered into template_id 2 in Figure 110. In that example, only 1 QoS rule was entered, so the rule has a rule_index of 1.

Figure 111 delete qos_rule command

    PP1648G:4#delete qos_rule template_id 2 rule_index 1
    Command: delete qos_rule template_id 2 rule_index 1
    Success.
    PP1648G:4#

Creating a Layer 4 switch rule

To add a Layer 4 switch rule to a template, use the following command:

    create l4_switch_rule template_id <value 1-2>

A Layer 4 rule determines whether or not the switch forwards a packet, the priority queuing of an incoming packet, or where the switch forwards a packet if the next router hop is unreachable. The following steps determine whether an incoming packet is subject to an l4_switch_rule.

1 The switch checks to see if the packet’s source VLAN is bound to the template in current use.
2 If the current template is bound to the source VLAN, the switch then checks the template to see if it is in l4_switch mode.
3 If the current template is in l4_switch mode, the switch then applies any l4_switch_rule that has been entered into the template.
4 If there is no l4_switch_rule, or the packet does not match the criteria of the l4_switch_rule, the packet is forwarded or dropped according to the switch’s default settings.
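The Python model below is an added illustration, not part of the Nortel manual or the switch software, of the two decision sequences just described: the five QoS steps (bound VLAN, qos-mode template, matching qos_rule, priority tag, then default or MAC priority) and the four l4_switch steps, including the drop, forward and redirect ... unreachable_next_hop actions. It also enforces that a rule must match its template’s mode and that the 64 qos_rule and 192 l4_switch_rule budgets are shared by both templates. The priority-to-queue table follows the default given for the priority option (0 to 2 in the highest queue, 7 in the lowest), which is also what Figure 110 describes; the queue names, the dict-based packet and rule representation, and the sample addresses and ports are this example’s own assumptions.

```python
# Added example (not from the Nortel manual): how a bound template's qos_rule or
# l4_switch_rule decides what happens to a packet, following the numbered steps
# in the text. Packet/rule dicts, queue names and the budgets are assumptions.
from dataclasses import dataclass, field

QOS_RULE_LIMIT = 64        # qos_rule entries shared by both templates
L4_RULE_LIMIT = 192        # l4_switch_rule entries shared by both templates
QOS_FLAVORS = ("802.1p", "dscp", "dst_ip", "dst_tcp_port", "dst_udp_port")

# Default mapping of priority <value 0-7> to the four hardware queues
# (queue names are this example's labels, not switch identifiers).
DEFAULT_QUEUE_MAP = {0: "highest", 1: "highest", 2: "highest",
                     3: "next", 4: "next", 5: "lower", 6: "lower", 7: "lowest"}


@dataclass
class Template:
    mode: str                                   # "security", "qos" or "l4_switch"
    vlans: set = field(default_factory=set)     # VLANs attached to this template
    rules: list = field(default_factory=list)   # rule_index = position + 1


class Switch:
    def __init__(self):
        self.templates = {1: Template("security"), 2: Template("qos")}
        self.default_priority = 0
        self.mac_priority = {}      # mac_priority table: source MAC -> priority 0-7

    def attach(self, vlan, tid):
        self.templates[tid].vlans.add(vlan)

    def _check_budget(self, mode, limit):
        used = sum(len(t.rules) for t in self.templates.values() if t.mode == mode)
        if used >= limit:
            raise MemoryError("shared %s rule memory exhausted" % mode)

    # create qos_rule template_id N <flavor> <value> priority P
    def create_qos_rule(self, tid, flavor, value, priority):
        t = self.templates[tid]
        if t.mode != "qos":
            raise ValueError("qos_rule is only valid in a qos-mode template")
        if flavor not in QOS_FLAVORS or not 0 <= priority <= 7:
            raise ValueError("bad qos_rule parameters")
        self._check_budget("qos", QOS_RULE_LIMIT)
        t.rules.append({"flavor": flavor, "value": value, "priority": priority})
        return len(t.rules)

    # create l4_switch_rule template_id N <session> fields ... action ...
    def create_l4_rule(self, tid, session, fields, action):
        t = self.templates[tid]
        if t.mode != "l4_switch":
            raise ValueError("l4_switch_rule is only valid in an l4_switch-mode template")
        self._check_budget("l4_switch", L4_RULE_LIMIT)
        t.rules.append({"session": session, "fields": fields, "action": action})
        return len(t.rules)

    def _bound_template(self, vlan):
        # step 1: is the packet's source VLAN bound to a template?
        return next((t for t in self.templates.values() if vlan in t.vlans), None)

    def priority_of(self, pkt):
        """Steps 1-5 of the QoS decision; returns the priority 0-7."""
        t = self._bound_template(pkt["vlan"])
        if t is not None and t.mode == "qos":              # steps 2 and 3
            for r in t.rules:
                if pkt.get(r["flavor"]) == r["value"]:
                    return r["priority"]
        if pkt.get("802.1p") is not None:                  # step 4: priority tag
            return pkt["802.1p"]
        # step 5: MAC priority entry for the source MAC, else the default priority
        return self.mac_priority.get(pkt.get("src_mac"), self.default_priority)

    def queue_of(self, pkt, queue_map=DEFAULT_QUEUE_MAP):
        return queue_map[self.priority_of(pkt)]

    def l4_action(self, pkt, arp_table):
        """Steps 1-4 of the l4_switch decision; returns the action tuple taken."""
        t = self._bound_template(pkt["vlan"])
        if t is None or t.mode != "l4_switch":
            return ("default",)
        for r in t.rules:
            if r["session"] != pkt.get("session"):
                continue
            if all(pkt.get(k) == v for k, v in r["fields"].items()):
                act = r["action"]
                # redirect <ip> unreachable_next_hop [drop|forward]: the redirect
                # target must be in the ARP table, otherwise the fallback applies
                if act[0] == "redirect" and act[1] not in arp_table:
                    return ("unreachable_next_hop", act[2])
                return act
        return ("default",)
```

The first part of the usage mirrors Figure 110 (an 802.1p value of 3 in template 2 mapped to priority 7, the lowest queue); the second part mirrors Figure 112, where the redirect rule applies only while 10.3.3.3 is present in the ARP table and otherwise falls back to its unreachable_next_hop choice.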
l4_switch_rules affect all packets that are received by the switch from VLANs to which the template containing the l4_switch_rules is bound.

The create l4_switch_rule command is structured in two parts.

1 It specifies the session type (tcp_session, udp_session, or other_session) and a combination of parameters that are compared to the parameters written in the incoming packet’s headers. If an incoming packet’s parameters match the parameters entered with the create l4_switch_rule command, the switch takes the action you specify in the second part of this command.
2 It allows you to specify the action the switch takes on packets that match the parameters entered in the first part of the command. These actions are drop, forward <priority 0-7>, and redirect <ipaddr> unreachable_next_hop [drop|forward].

Incoming packets must also be from a VLAN to which the template that contains the l4_switch_rules is bound.

Both templates (template_id 1 and template_id 2) share the same physical memory. There is only enough memory to hold a maximum of 192 l4_switch_rules. The memory used to store these l4_switch_rules is shared between the two templates. If you enter 192 l4_switch_rules into template_id 1, then there is no memory remaining to enter l4_switch_rules into template_id 2.

This command uses the following options:

create l4_switch_rule template_id <value 1-2> followed by:
    tcp_session fields followed by a combination of:
        The switch examines the packet’s TCP header to determine if the packet meets the criteria entered below.
        dip <ipaddr>
            A destination IP address.
        sip <ipaddr>
            A source IP address.
        tos <hex 0x00-0xff>
            The Type of Service (ToS) entry in a packet’s IP header.
        dst_port <tcp_port_number 1-65535>
            A destination TCP port number.
        src_port <tcp_port_number 1-65535>
            A source TCP port number.
        tcp_flags
            The TCP flag bit in a packet’s IP header. A packet can be examined for the following TCP flags:
            ack — the acknowledge number is valid.
            fin — finished flag, the sender is finished sending data.
            psh — the receiver should pass this packet to the application as soon as possible.
            rst — reset flag, reset the connection.
            syn — synchronize flag, synchronize the sequence numbers.
            urg — urgent, an emergency packet.
    udp_session fields followed by a combination of:
        The switch examines the packet’s UDP header to determine if the packet meets the criteria entered below.
        dip <ipaddr>
            A destination IP address.
        sip <ipaddr>
            A source IP address.
        tos <hex 0x00-0xff>
            The Type of Service entry in a packet’s IP header.
        dst_port <tcp_port_number 1-65535>
            A destination TCP port number.
        src_port <tcp_port_number 1-65535>
            A source TCP port number.
    other_session fields followed by a combination of:
        The switch examines the packet’s header (other than TCP or UDP) to determine if the packet meets the criteria entered below.
        dip <ipaddr>
            A destination IP address.
        sip <ipaddr>
            A source IP address.
        tos <hex 0x00-0xff>
            The Type of Service entry in a packet’s IP header.
        protocol [icmp|igmp]
            The protocol field in a packet’s IP header. This parameter also has the following available options: [dip | sip | tos | icmp_message | igmp_type | action]
        icmp_message type <hex 0x00-0xff> code <hex 0x00-0xff>
            Identifies the ICMP message type. Enter a hexadecimal value, in the range 0x00 to 0xff.
        igmp_type [query|response]
            Identifies the IGMP type. For igmp_type query, the available options are: [dip | sip | tos | protocol | icmp_message | action].
            For igmp_type response, the available options are: [version_1|version_2|all]
    action followed by:
        This starts the part of the create l4_switch_rule command where you specify what you want the switch to do when it finds a packet that meets the criteria above.
        drop
            The packet is dropped.
        forward <priority 0-7>
            The packet is forwarded to the priority queue specified by <priority 0-7>. If no priority value is specified, the packet is forwarded according to the switch’s default user priority settings.
        redirect <ipaddr> unreachable_next_hop [drop|forward]
            The packet is redirected to the IP address specified with <ipaddr>. If the IP address <ipaddr> does not exist in the ARP table, the packet becomes an “unreachable next hop” packet. If drop is specified, the packet is dropped. If forward is specified, the switch searches its routing table for the destination IP address of the packet.

Figure 112 shows how to configure an l4_switch_rule to be added to template_id 1.

Figure 112 create l4_switch_rule command

    PP1612G:4# create l4_switch_rule template_id 1 tcp_session fields dip 10.1.1.1 sip 10.2.2.2 tos 0xAB dst_port 1000 src_port 2000 tcp_flags ack fin syn psh rst urg action redirect 10.3.3.3 unreachable_next_hop forward
    Command: create l4_switch_rule template_id 1 tcp_session fields dip 10.1.1.1 sip 10.2.2.2 tos 0xAB dst_port 1000 src_port 2000 tcp_flags ack fin syn psh rst urg action redirect 10.3.3.3 unreachable_next_hop forward
    Success.
    PP1612G:4#

Deleting a Layer 4 switch rule

To delete a Layer 4 switch rule entered into a template, use the following command:

    delete l4_switch_rule template_id <value 1-2>

l4_switch_rules are identified by the template id of the template they are entered into, and by the numerical order in which they are entered.
This command uses the following options:

delete l4_switch_rule template_id <value 1-2> followed by:
    rule_index <value>
        Deletes the L4 switch rule specified by the number value. L4 switch rules are entered into a template in numerical order.
    all
        Deletes all of the L4 switch rules assigned to the specified template.

Figure 113 shows how to delete the l4_switch_rule that was entered into template_id 1 in Figure 112. In that example, only 1 l4_switch_rule was entered, so the rule has a rule_index of 1.

Figure 113 delete l4_switch_rule command

    PP1648G:4#delete l4_switch_rule template_id 1 rule_index 1
    Command: delete l4_switch_rule template_id 1 rule_index 1
    Success.
    PP1648G:4#

Creating a forwarding database filter

To specify a MAC address that you wish to see filtered from the switch, enter the following command:

    create fdbfilter

When executing this command, consider that the command fails to execute if any of the following are true:

1 The combination of the VLAN and MAC address is entered in the switch’s static forwarding database.
2 The combination of the VLAN and MAC address is part of a MAC address priority rule.
3 The combination of the VLAN and MAC address has been dynamically entered into the switch’s forwarding database. If so, the create fdbfilter command then sets the database entry to static, and drops packets with this MAC address.

You can create up to 64 MAC address forwarding database filters.

This command uses the following options:

create fdbfilter followed by:
    vlan <vlan_name>
        Identifies the name of the VLAN on which the MAC address you want to filter resides.
    mac_address <macaddr>
        Specifies the MAC address of the network device you want to filter from the switch.
Figure 114 shows how to create a forwarding database filter for the VLAN named default, for the MAC address 00-11-22-33-44-55.

Figure 114 create fdbfilter command

    PP1648G:4#create fdbfilter vlan default mac_address 00-11-22-33-44-55
    Command: create fdbfilter vlan default mac_address 00-11-22-33-44-55
    Success.
    PP1648G:4#

Deleting a forwarding database filter

To delete a forwarding database filter, enter the following command:

    delete fdbfilter

Forwarding database filters are identified by the VLAN name and MAC address that you enter when you first create the filter.

This command uses the following options:

delete fdbfilter followed by:
    vlan <vlan_name> mac_address <macaddr>
        Identifies the name and MAC address of the network device you want to delete from the switch.
    vlan <vlan_name>
        Identifies the name of the VLAN on which the MAC address you want to delete resides.
    mac_address <macaddr>
        Specifies the MAC address of the network device you want to delete from the switch.
    all
        Deletes all the filters in the forwarding database.

Figure 115 shows how to delete a forwarding database filter for the VLAN named default, for the MAC address 00-11-22-33-44-55.

Figure 115 delete fdbfilter command

    PP1648G:4#delete fdbfilter vlan default mac_address 00-11-22-33-44-55
    Command: delete fdbfilter vlan default mac_address 00-11-22-33-44-55
    Success.
    PP1648G:4#

Displaying a forwarding database filter

To display the forwarding database filters currently in use on the switch, enter the following command:

    show fdbfilter

Forwarding database filters are identified by the VLAN name and MAC address that you enter when you first create the filter.

This command uses the following options:

show fdbfilter followed by:
    vlan <vlan_name>
        Identifies the name of the VLAN on which the MAC address you want to display resides.
    vlan <vlan_name> mac_address <macaddr>
        Identifies the name of the VLAN and specifies the MAC address of the network device you want to display on the switch.
    mac_address <macaddr>
        Specifies the MAC address of the network device you want to display on the switch.

Figure 116 shows how to display a forwarding database filter for the VLAN named default, for the MAC address 00-11-22-33-44-55.

Figure 116 show fdbfilter command

    PP1612G:4# show fdbf
    Command: show fdbfilter

    FDB Filter Table:
    VLAN Name                        MAC address
    -------------------------------- ----------------
    default                          00-11-22-33-44-55
    Total Entries: 1
    PP1612G:4#

Enabling the IP fragment filter

The 1600 Series switches allow you to enable filtering of any fragmented packets that are received on a VLAN to which either of the two templates is bound. To enable the IP fragment filter, enter the following command:

    enable ip_fragment_filter

This command contains no parameters.

Figure 117 shows how to enable the IP fragment filter.

Figure 117 enable ip_fragment_filter command

    PP1648G:4#enable ip_fragment_filter
    Command: enable ip_fragment_filter
    Success.
    PP1648G:4#

Disabling the IP fragment filter

The 1600 Series switches allow you to disable filtering of fragmented packets that are received on a VLAN to which either of the two templates is bound. To disable the IP fragment filter, use the following command:

    disable ip_fragment_filter

This command contains no parameters.

Figure 118 shows how to disable the IP fragment filter.

Figure 118 disable ip_fragment_filter command

    PP1648G:4#disable ip_fragment_filter
    Command: disable ip_fragment_filter
    Success.
    PP1648G:4#

Displaying the status of the IP fragment filter

The 1600 Series switches allow you to display the status of the filter for fragmented packets that are received on a VLAN to which either of the two templates is bound.
To display the status of the IP fragment filter, use the following command:

    show ip_fragment_filter

This command contains no parameters.

Figure 119 shows how to display the status of an IP fragment filter.

Figure 119  show ip_fragment_filter command

    PP1612G:4# show ip_fragment_filter
    Command: show ip_fragment_filter

    IP Fragment Filter Status: Enabled
    PP1612G:4#

Configuring scheduling

To specify the rotation of the first three hardware priority queues on the switch, enter the following command:

    config scheduling

There are four outgoing traffic classes on the switch. The first three traffic classes use weighted round-robin (WRR), while the fourth follows a strict-priority (SP) scheme. The weighted round-robin scheme guarantees a minimum bandwidth to the first three hardware priority queues on the switch. For example, if the weighted round-robin scheme is applied to port 1 with a 10, 30, 60 weighting, the queues stop transmitting packets when they reach 10%, 30%, or 60% of the port's bandwidth, respectively. The fourth queue does not stop transmitting packets until its packet buffer is empty.

This command uses the following options:

config scheduling followed by:

    ports [<portlist>/all]
        Identifies a list of ports for which you want to configure the hardware priority queue round-robin transmitting scheme. You specify the ports by entering the lowest port number in a group, followed by the highest, separated by a dash. Thus, you enter a port group including the switch ports 1, 2, and 3 as 1-3. You specify ports that are not contained within a group by entering their port number, separated by a comma. For example, you enter the port group 1-3 and port 26 as 1-3, 26. all specifies that the hardware priority queue round-robin transmitting scheme applies to all ports on the switch.
    class_id <value 0-2>
        Identifies the hardware priority queue.
    max_packet <value 6-255>
        Sets the round-robin weight of the priority queue specified previously. The value of max_packet is in 256 byte multiples and the number of bytes must be less than the MTU.

Figure 120 shows how to configure scheduling for ports 1 through 10 to weight the hardware priority queue 2 as max_packet 7.

Figure 120  config scheduling command

    PP1648G:4#config scheduling ports 1-10 class_id 2 max_packet 7
    Command: scheduling ports 1-10 class_id 2 max packet 7
    Success.
    PP1648G:4#

Creating a MAC priority entry

To direct packets with a specific VLAN and MAC address combination to a given priority queue on the switch, enter the following command:

    create mac_priority

The priority value you specify is referenced to the user priority and traffic class settings currently in use on the switch. An incoming packet is first checked to see if the VLAN it was received from is bound to a template. If it is, the template is examined to see if it is in qos mode. If so, the template is examined to see if it contains an applicable rule regarding priority. If so, this rule is applied. If there is no template bound to the VLAN, the packet's priority tag is used to determine the appropriate priority queue. If there is no priority tag on the packet, the switch compares the default port priority with the MAC priority rules, and then uses the higher of the two.

When executing this command, consider that the command fails to execute if any of the following are true:

1  The combination of VLAN and MAC address has a static entry in the switch's forwarding database.
2  The combination of VLAN and MAC address is entered as an fdbfilter.
3  The combination of VLAN and MAC address has been dynamically entered into the switch's forwarding database. If so, the command changes the entry to static with the destination priority value you specify.
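As an added illustration (not code from the manual or from Nortel), the following Python models the queue lookup order and the create mac_priority failure conditions just described; the Switch, Template and FdbEntry classes, and the treatment of a bound template that has no applicable rule, are assumptions made for the example.

```python
"""Model of the MAC priority lookup and the create mac_priority checks
described above for the Passport 1600. Added illustration written for this
page, not Nortel code; the classes below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_MAC_PRIORITY_ENTRIES = 64   # limit stated in the manual
Key = Tuple[str, str]           # (VLAN name, destination MAC)


@dataclass
class Template:
    qos_mode: bool
    # (vlan, dst_mac) -> priority queue for the rules the template carries
    priority_rules: Dict[Key, int] = field(default_factory=dict)


@dataclass
class FdbEntry:
    static: bool
    priority: Optional[int] = None


@dataclass
class Switch:
    vlan_templates: Dict[str, Template] = field(default_factory=dict)
    fdb: Dict[Key, FdbEntry] = field(default_factory=dict)
    fdb_filters: Set[Key] = field(default_factory=set)
    mac_priority: Dict[Key, int] = field(default_factory=dict)
    port_default_priority: Dict[int, int] = field(default_factory=dict)

    def create_mac_priority(self, vlan: str, dst_mac: str, priority: int) -> str:
        """Returns 'Success.' or a 'Fail: ...' reason, applying the three
        conditions listed in the manual plus the 64-entry limit."""
        key = (vlan, dst_mac.upper())
        if not 0 <= priority <= 7:
            return "Fail: priority must be 0-7"
        if key in self.fdb_filters:                       # condition 2
            return "Fail: VLAN/MAC pair is entered as an fdbfilter"
        entry = self.fdb.get(key)
        if entry is not None and entry.static:            # condition 1
            return "Fail: VLAN/MAC pair has a static forwarding database entry"
        if key not in self.mac_priority and len(self.mac_priority) >= MAX_MAC_PRIORITY_ENTRIES:
            return "Fail: MAC priority table is full (64 entries)"
        if entry is not None:              # condition 3, read as: a dynamically
            entry.static = True            # learned entry becomes static and
            entry.priority = priority      # carries the requested priority
        self.mac_priority[key] = priority
        return "Success."

    def select_priority_queue(self, ingress_port: int, vlan: str, dst_mac: str,
                              tag_priority: Optional[int] = None) -> Tuple[int, str]:
        """Queue for an incoming packet, in the order the manual gives:
        template rule, then 802.1p tag, then max(port default, MAC priority).
        Assumption: a bound template without an applicable rule falls through
        to the tag/port logic (the manual does not say)."""
        key = (vlan, dst_mac.upper())
        template = self.vlan_templates.get(vlan)
        if template is not None and template.qos_mode:
            rule = template.priority_rules.get(key)
            if rule is not None:
                return rule, "template rule"
        if tag_priority is not None:
            return tag_priority, "802.1p tag"
        port_prio = self.port_default_priority.get(ingress_port, 0)
        mac_prio = self.mac_priority.get(key)
        if mac_prio is None:
            return port_prio, "port default"
        return max(port_prio, mac_prio), "max(port default, MAC priority)"


if __name__ == "__main__":
    sw = Switch(port_default_priority={1: 2})
    print(sw.create_mac_priority("default", "00-11-22-33-44-55", 3))   # Success.
    print(sw.select_priority_queue(1, "default", "00-11-22-33-44-55"))  # (3, 'max(port default, MAC priority)')
    sw.fdb_filters.add(("v1", "00-50-BA-F4-D5-0C"))
    print(sw.create_mac_priority("v1", "00-50-BA-F4-D5-0C", 1))         # Fail: ... fdbfilter
```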
You can make up to 64 MAC priority entries.

This command uses the following options:

create mac_priority followed by:

    vlan <vlan_name>
        Identifies the name of the VLAN the destination MAC address resides on.
    dst_mac_addr <macaddr>
        Specifies a destination MAC address for which you want to direct packets to the priority queue that follows.
    priority <value 0-7>
        Identifies the priority queue you want packets for the MAC address to be directed to.

Figure 121 shows how to create a MAC priority entry for the VLAN default for the MAC address 00-11-22-33-44-55 and instruct the switch to direct all packets it receives from this MAC address to priority queue 3.

Figure 121  create mac_priority command

    PP1648G:4#create mac_priority vlan default dst_mac_addr 00-11-22-33-44-55 priority 3
    Command: create mac_priority vlan default dst_mac_addr 00-11-22-33-44-55 priority 3
    Success.
    PP1648G:4#

Deleting a MAC priority entry

To delete a MAC priority entry, enter the following command:

    delete mac_priority

MAC priority entries are identified on the switch by a combination of the VLAN name and the destination MAC address.

This command uses the following options:

delete mac_priority followed by:

    vlan <vlan_name> dst_mac_address <macaddr>
        Identifies the name of the VLAN and the destination MAC address for which you want to delete the MAC priority entry.
    vlan <vlan_name>
        Identifies the name of the VLAN on which the MAC address you want to delete resides.
    dst_mac_address <macaddr>
        Specifies a destination MAC address for which you want to delete the MAC priority entry.
    all
        Deletes all the MAC priority entries on the switch.

Figure 122 shows how to delete a MAC priority entry for the VLAN default for the MAC address 00-11-22-33-44-55.
Figure 122  delete mac_priority command

    PP1648G:4#delete mac_priority vlan default dst_mac_addr 00-11-22-33-44-55
    Command: delete mac_priority vlan default dst_mac_addr 00-11-22-33-44-55
    Success.
    PP1648G:4#

Displaying MAC priority entries

To display one or all of the MAC priority entries on the switch, enter the following command:

    show mac_priority

This command uses the following options:

show mac_priority followed by:

    vlan <vlan_name>
        Identifies the name of the VLAN for which you want to display the MAC priority entries.
    vlan <vlan_name> dst_mac_addr <macaddr>
        Specifies the VLAN and destination MAC address for which you want to display the MAC priority entries.
    dst_mac_addr <macaddr>
        Specifies the MAC address for which you want to display the MAC priority entries.

Figure 123 shows how to display the MAC priority entries for the VLAN default for the MAC address 00-11-22-33-44-55.

Figure 123  show mac_priority command

    PP1612G:4# show mac_priority vlan default dst_mac_addr 00-11-22-33-44-55
    Command: show mac_priority vlan default dst_mac_addr 00-11-22-33-44-55

    MAC Priority Table:
    VLAN Name                Destination MAC Address   Priority
    ------------------------ ------------------------- --------
    default                  00-11-22-33-44-55         3

    Total Entries: 1
    PP1612G:4#

Chapter 9  Configuring traffic filters

This chapter describes the commands you use to create and delete IP address filters, MAC address filters, and broadcast traffic control. Specifically, it includes the following topics:

    Topic                                       Page
    Configuring destination IP filters          229
    Creating a destination IP address filter    230
    Configuring an ARP request rate limit       237

Configuring destination IP filters

The 1600 Series switch allows you to filter traffic from specific IP addresses. You can specify these IP addresses as a source, a destination, or either, of network traffic.
You can also instruct the switch to filter fragmented IP packets using the enable ip_fragment_filter command.

Note that the switch also allows you to assign ranges of IP addresses to VLANs. You then identify each VLAN by a VLAN name, a network address, and an IP interface name. You must configure a VLAN prior to setting up the corresponding IP interface. You must then establish and implement an IP addressing scheme when the IP interfaces are set up on the switch.

Roadmap of destination IP address filter CLI commands

The following roadmap lists all of the IP address and fragment filtering commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    Command               Parameter
    create dst_ipfilter   ip_address <ipaddr>
    delete dst_ipfilter   [ip_address <ipaddr> | all]
    show dst_ipfilter     none

Creating a destination IP address filter

To specify a destination IP address to be filtered by the switch, use the following command:

    create dst_ipfilter ip_address 10.42.73.5

If you filter by destination, it means that packets with the specified IP address as the destination are dropped.

Note: When you specify a destination IP address filter, it is template-independent. Any packet with the specified IP address as its destination will be dropped by the switch, regardless of the operating mode of the applicable template.

This command uses the following options:

create dst_ipfilter followed by:

    ip_address <ipaddr>
        If you want to filter the IP address as a destination (dst), you do not need to specify the template id. The switch drops packets that have the IP address entered previously as their destination regardless of what operating mode the templates are in.

Figure 124 shows you how to filter packets with a destination IP address of 192.32.96.54.
Figure 124  create dst_ipfilter command

    PP1612G:4#create dst_ipfilter ip_address 192.32.96.54
    Command: create dst_ipfilter ip_address 192.32.96.54
    Success.
    PP1612G:4#

Deleting a destination IP address filter

To delete all previously-entered destination IP address filters from the switch, use the following command:

    delete dst_ipfilter all

Because of the way IP filters are identified within the switch, you must enter the same destination IP address to delete a specific IP filter, or specify all to instruct the switch to delete all destination IP address filters that have been entered.

Note: When you specify a destination IP address filter, it is template-independent. Any packet with the specified IP address as its destination will be dropped by the switch, regardless of the operating mode of the applicable template.

This command uses the following options:

delete dst_ipfilter followed by:

    [ip_address <ipaddr> | all]
        Allows you to uniquely identify the filter you want to delete. If you want to delete a filter for an IP address as a destination (dst), you do not need to specify the template id. You have the option of deleting a specific IP address or deleting all destination IP filters.

Figure 125 shows you how to delete an IP filter with a destination IP address of 192.32.96.54.

Figure 125  delete ipfilter command

    PP1612G:4#delete dst_ipfilter ip_address 192.32.96.54
    Command: delete dst_ipfilter ip_address 192.32.96.54
    Success.
    PP1612G:4#

Displaying the destination IP address filter table

To display all previously-entered destination IP address filters on the switch, use the following command:

    show dst_ipfilter

Note: When you specify a destination IP address filter, it is template-independent.
Any packet with the specified IP address as its destination will be dropped by the switch, regardless of the operating mode of the applicable template.

This command has no additional options:

show dst_ipfilter followed by:

    There are no options.

Figure 126 shows you how to display the current contents of the switch's destination IP address filter table.

Figure 126  show dst_ipfilter command

    PP1612G:4#show dst_ipfilter
    Command: show dst_ipfilter

    Destination IP Filter Table:
    Destination IP Address
    ----------------------
    10.42.73.5

    Total Entries: 1
    PP1612G:4#

Configuring MAC address filters

The Passport 1600 Series switch allows the filtering of traffic from specific MAC addresses. The switch uses a filtering database to segment the network and control communication between segments. It can also filter packets off the network for intrusion control. You can create static filtering entries by MAC address or IP address filtering.

Note: The Passport 1600 switch supports basic MAC filtering only. If you want to filter on a MAC address, the switch will filter it if that address is in the packet as a source or destination address. It does not support filtering on a MAC address if you specify filtering on source or destination addresses only.

This section describes the commands you use in creating, deleting, and showing MAC address filters. Specifically, it includes the following topics:

    Topic                                        Page
    Roadmap of MAC address filter CLI commands   234
    Creating a MAC address filter                235
    Deleting a MAC address filter                235
    Displaying MAC address filters               236

Roadmap of MAC address filter CLI commands

The following roadmap lists all of the MAC address filter commands and their parameters.
Use this list as a quick reference or click on any entry for more information:

    Command           Parameter
    create fdbfilter  vlan <vlan_name> mac_address <macaddr>
    delete fdbfilter  vlan <vlan_name> mac_address <macaddr>
    show fdbfilter    vlan <vlan_name> mac_address <macaddr>

Creating a MAC address filter

To filter a MAC address from the switch and prevent this MAC address from being dynamically entered into the switch's forwarding database, use the following command:

    create fdbfilter

This command uses the following options:

create fdbfilter followed by:

    vlan <vlan_name>
        Identifies the name of the VLAN on which the MAC address you wish to filter from the switch resides.
    mac_address <macaddr>
        Specifies the MAC address of the network device you wish to filter from the switch.

Figure 127 shows you how to filter VLAN v1 and MAC address 00-FF-BA-F4-D5-0C from the switch's forwarding database.

Figure 127  create fdbfilter command

    PP1648T:4#create fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C
    Command: create fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C
    Success.
    PP1648T:4#

Deleting a MAC address filter

To delete the filtering of a MAC address from the switch's forwarding database, use the following command:

    delete fdbfilter

This command uses the following options:

delete fdbfilter followed by:

    vlan <vlan_name>
        Identifies the name of the VLAN for which you wish to delete the forwarding database filter.
    mac_address <macaddr>
        Specifies the MAC address of the network device you wish to delete from the forwarding database filter.

Figure 128 shows you how to delete the VLAN v1 and MAC address 00-FF-BA-F4-D5-0C filters from the switch's forwarding database.
Figure 128  delete fdbfilter command

    PP1648T:4#delete fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C
    Command: delete fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C
    Success.
    PP1648T:4#

Displaying MAC address filters

To display the switch's MAC address filters, use the following command:

    show fdbfilter

This command uses the following options:

show fdbfilter followed by:

    vlan <vlan_name>
        Identifies the name of the VLAN for which you wish to display the forwarding database filter.
    mac_address <macaddr>
        Specifies the MAC address of the network device for which you wish to display the forwarding database filter.

Figure 129 shows you how to display the VLAN v1 and MAC address 00-FF-BA-F4-D5-0C filters from the switch's forwarding database.

Figure 129  show fdbfilter command

    PP1648T:4#show fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C
    Command: show fdbfilter vlan v1 mac_address 00-50-BA-F4-D5-0C

    FDB Filter Name
    VLAN Name      MAC Address
    -------------  -----------------
    v1             00-50-BA-F4-D5-0C

    Total Entries: 1
    PP1648T:4#

Configuring an ARP request rate limit

The Passport 1600 series switches allow you to set limits on the rate at which the Switch will receive and process Address Resolution Protocol (ARP) request packets. There are two commands available to configure and enable the ARP rate limit control on the Switch. The first allows you to enable and disable the ARP rate limit — without changing the limit values you may have entered. The second command allows you to specify the number of ARP packets received by the Switch in one second that will trigger the ARP rate limit control. If the Switch receives more ARP packets in a second than you specify, the Switch will block all ARP requests for one second.
The ARP rate limit counter is then reset, and ARP requests are again allowed — until the rate of ARP packets received by the Switch exceeds the limit you have set. The default value of the ARP request rate limit is 50 ARP packets per second, and you can specify any value between 10 and 100 packets per second.

This section describes the commands you use in creating, deleting, and showing ARP request rate limits. Specifically, it includes the following topics:

    Topic                                     Page
    Configuring the ARP request rate limit    230
    Enabling the ARP request rate limit       235
    Disabling the ARP request rate limit      235
    Displaying the ARP request rate limit     236

Roadmap of ARP request rate limit CLI commands

The following roadmap lists all of the ARP request rate limit commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    Command                        Parameter
    config arp_req_rate_limit 60   <value 10-100>
    enable arp_req_rate_limit      none
    disable arp_req_rate_limit     none
    show arpentry                  Ipif <ipif_name 12> IPaddress <ipaddr> static

Configuring the ARP request rate limit

To set the ARP request rate limit for the switch to 60 ARP packets per second, use the following command:

    config arp_req_rate_limit 60

This command uses the following options:

config arp_req_rate_limit followed by:

    <value 10-100>
        Specifies the rate of ARP packets received by the switch, in packets per second, that will trigger the switch's response. The default is 50 ARP packets per second. If the number of ARP packets received by the switch exceeds the number entered here, the switch will drop all ARP request packets for one second, reset the incoming ARP packet rate counter, and then resume receiving and processing ARP packets.

Figure 130 shows you how to set the ARP request rate limit to 60 ARP packets per second.

Figure 130  config arp_req_rate_limit command

    PP1648T:4#config arp_req_rate_limit 60
    Command: config arp_req_rate_limit 60
    Success.
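The limiter described above, replayed over constructed ARP arrival timestamps as an added Python example (not Nortel code): it lets you see how many requests a given limit would drop during a burst, and it also parses the "ARP Req Rate Limit" status line that show arpentry prints. The one-second counting window that starts at the first packet after a reset, and dropping the packet that crosses the limit, are assumptions about details the manual does not state.

```python
"""Simulation of the ARP request rate limit described above and a parser for
the 'ARP Req Rate Limit' line of show arpentry. Added illustration for this
page, not Nortel code. Assumptions: a one-second counting window starts at the
first packet after each reset, and the packet that pushes the count over the
limit is the first one dropped."""
import re
from typing import List, Optional, Tuple

DEFAULT_LIMIT = 50              # manual default, packets per second
LIMIT_RANGE = range(10, 101)    # manual: any value between 10 and 100

_STATUS_RE = re.compile(
    r"ARP Req Rate Limit\s*:\s*(Enabled|Disabled)\s*\((\d+)\s*frames/sec\)")


def parse_rate_limit_status(show_output: str) -> Optional[Tuple[bool, int]]:
    """Extract (enabled, limit) from show arpentry output; None if absent."""
    m = _STATUS_RE.search(show_output)
    if m is None:
        return None
    return m.group(1) == "Enabled", int(m.group(2))


def arp_rate_limit(arrivals: List[float], limit: int = DEFAULT_LIMIT,
                   enabled: bool = True):
    """Replay ARP request arrival times (seconds) through the limiter.
    Returns (accepted, dropped, block_windows); each block window is
    (trigger_time, trigger_time + 1.0)."""
    if limit not in LIMIT_RANGE:
        raise ValueError("limit must be 10-100 packets per second")
    accepted: List[float] = []
    dropped: List[float] = []
    windows: List[Tuple[float, float]] = []
    window_start: Optional[float] = None
    count = 0
    block_until: Optional[float] = None
    for t in sorted(arrivals):
        if not enabled:                  # limit disabled: values kept, nothing enforced
            accepted.append(t)
            continue
        if block_until is not None:
            if t < block_until:          # blocked second: drop every ARP request
                dropped.append(t)
                continue
            block_until = None           # block over: counter reset, resume
            window_start = None
        if window_start is None or t - window_start >= 1.0:
            window_start = t             # new one-second counting window
            count = 0
        count += 1
        if count > limit:                # more than `limit` in one second
            dropped.append(t)
            block_until = t + 1.0
            windows.append((t, block_until))
        else:
            accepted.append(t)
    return accepted, dropped, windows


def constructed_arrivals() -> List[float]:
    """Constructed sample: 20 requests over the first second (normal), a burst
    of 80 requests within 0.4 s starting at t=2.0, then two normal requests."""
    normal = [i * 0.05 for i in range(20)]
    burst = [2.0 + i / 200 for i in range(80)]
    later = [4.0, 4.1]
    return normal + burst + later


if __name__ == "__main__":
    acc, drop, win = arp_rate_limit(constructed_arrivals(), limit=DEFAULT_LIMIT)
    print(f"accepted={len(acc)} dropped={len(drop)} block windows={win}")
    print(parse_rate_limit_status("ARP Req Rate Limit : Enabled (50 frames/sec)"))
```

Raising the limit to 100 lets the whole constructed burst through, which is the trade-off the 10 to 100 range gives you.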
    PP1648T:4#

Enabling the ARP request rate limit

To enable the ARP request rate limit for the switch, use the following command:

    enable arp_req_rate_limit

This command uses no additional options:

enable arp_req_rate_limit followed by:

    There are no options.

Figure 131 shows you how to enable the ARP request rate limit.

Figure 131  enable arp_req_rate_limit command

    PP1648T:4#enable arp_req_rate_limit
    Command: enable arp_req_rate_limit
    Success.
    PP1648T:4#

Disabling the ARP request rate limit

To disable the ARP request rate limit for the switch, use the following command:

    disable arp_req_rate_limit

This command uses no additional options:

disable arp_req_rate_limit followed by:

    There are no options.

Figure 132 shows you how to disable the ARP request rate limit.

Figure 132  disable arp_req_rate_limit command

    PP1648T:4#disable arp_req_rate_limit
    Command: disable arp_req_rate_limit
    Success.
    PP1648T:4#

Displaying the ARP request rate limit

To display the current ARP request rate limit for the switch, use the following command:

    show arpentry

show arpentry followed by:

    Ipif <ipif_name 12> IPaddress <ipaddr> static

Figure 133 shows you how to display the ARP request rate limit, along with the switch's ARP table.

Figure 133  show arpentry command

    PP1648T:4#show arpentry
    ARP Aging Time     : 20
    ARP Req Rate Limit : Enabled (50 frames/sec)

    Interface  IP Address  MAC Address        Type
    ---------  ----------  -----------------  ---------------
    System     10.0.0.0    FF-FF-FF-FF-FF-FF  Local/Broadcast

Configuring broadcast control

You use broadcast control to limit the number of broadcast, multicast, and destination not found (dlf) packets that are forwarded through the switch at any given time.
Since these packet types are commonly forwarded to all ports of a given VLAN or IP interface, it is possible that other network devices could also forward these packets through alternative network routes, and that they will find their way back to the switch. The switch will then forward the packets again, and so on, until a significant portion of the network's bandwidth is consumed. To prevent these packet types from creating a storm on the network, you can assign a threshold, in Kp/s, for each packet type. When the number of packets received by the switch exceeds this threshold, the switch stops forwarding these packet types until the rate of packets received falls below the threshold.

This section describes the commands you use to configure broadcast traffic control.

Roadmap of broadcast control CLI commands

The following roadmap lists the broadcast control commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    Command                 Parameter
    config traffic control  <portlist> all dlf [enabled|disabled] broadcast [enabled|disabled] multicast [enabled|disabled] threshold <value>
    show traffic control    ports <portlist>

Configuring traffic control

To configure broadcast control, use the following command:

    config traffic control

This command uses the following options:

config traffic control followed by:

    <portlist>
        You use this option to enter a group of ports that the config traffic control command is applied to. You specify ports by entering the lowest port number in a group, and then the highest, separated by a dash. For example, you enter a port group including the switch ports 1, 2, and 3 as 1-3. You specify ports that are not contained within a group by entering their port number, separated by a comma.
        Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
    all
        Specifies that the config traffic control command applies to all of the ports on the switch.
    dlf [enabled|disabled]
        Specifies that the config traffic control command is applied to packets generated by a dlf (destination lookup fail). You must follow this parameter with enabled or disabled.
    broadcast [enabled|disabled]
        Specifies that the config traffic control command is applied to broadcast packets. You must follow this parameter with enabled or disabled.
    multicast [enabled|disabled]
        Specifies that the config traffic control command is applied to multicast packets. You must follow this parameter with enabled or disabled.
    threshold <value>
        Specifies the threshold, in Kb/s, at which the config traffic control command is applied. The default is 128 Kb/s.

Figure 134 shows you an example of configuring traffic control for switch ports 1 through 3, for broadcast packets.

Figure 134  config traffic control command

    PP1648T:4#config traffic control 1-3 broadcast enabled
    Command: config traffic control 1-3 broadcast enabled
    Success.
    PP1648T:4#

Displaying traffic control settings

To display the current traffic control settings on the switch, use the following command:

    show traffic control

This command uses the following options:

show traffic control followed by:

    ports <portlist>
        You use this to display the traffic control settings for a group of ports. You enter the lowest port number in a group, and then the highest, separated by a dash. For example, you enter a port group including the switch ports 1, 2, and 3 as 1-3. You specify ports that are not contained within a group by entering their port number, separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.

Figure 135 shows you how to display traffic control settings for switch ports 1 through 3.
Figure 135  show traffic control command

    PP1648T:4#show traffic control ports 1-3
    Command: show traffic control ports 1-3

    Traffic Control
    DLF State: Disabled

    Ports  Broadcast Storm  Multicast Storm  Threshold <Percentage>
    -----  ---------------  ---------------  ----------------------
    1      Enabled          Disabled         0
    2      Enabled          Disabled         0
    3      Enabled          Disabled         0

    Total Entries: 3
    PP1648T:4#

Chapter 10  Configuring ARP, RIP, and OSPF

This chapter provides overviews of the Address Resolution Protocol (ARP), the Routing Information Protocol (RIP), the Open Shortest Path First Protocol (OSPF), and OSPF packet authentication (MD5 keys), and describes how to configure each of these protocols using the CLI. Specifically, this chapter contains the following topics:

    Topic                                     Page
    Configuring ARP                           247
    Configuring an ARP request rate limit     252
    Configuring OSPF                          261
    Configuring OSPF packet authentication    291

Configuring ARP

The Address Resolution Protocol (ARP) determines the correspondence between a MAC address and an IP address for a network device. The switch allows you to make static entries into its ARP table, as well as to configure the length of time a dynamically learned ARP table entry is allowed to remain without being accessed.

This section describes the ARP commands. Specifically, it includes the following topics:

    Topic                                Page
    Roadmap of ARP CLI commands          248
    Creating an ARP entry                248
    Deleting an ARP entry                249
    Configuring the ARP aging time       250
    Displaying the current ARP entries   250
    Clearing the ARP table               251

Roadmap of ARP CLI commands

The following roadmap lists some of the ARP commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on ARP commands.
    Command                Parameter
    create arpentry        <ipaddr> <macaddr>
    delete arpentry        <ipaddr> all
    config arp_aging time  <value>
    show arpentry          ipif <ipif_name 12> ipaddress <ipaddr> static
    clear arptable

Creating an ARP entry

To create an ARP (Address Resolution Protocol) entry in the switch's ARP table, enter the following command:

    create arpentry <ipaddr> <macaddr>

where:

    ipaddr is the IP address that you want to associate with the MAC address.
    macaddr is the MAC address that you want to associate with the IP address.

Figure 136 shows how to create an ARP entry that associates IP address 10.48.74.121 with MAC address 00-50-BA-00-07-36.

Figure 136  create arpentry command

    PP1612G:4# create arpentry 10.48.74.121 00-50-BA-00-07-36
    Command: create arpentry 10.48.74.121 00-50-BA-00-07-36
    Success.
    PP1612G:4#

Deleting an ARP entry

To delete an ARP entry, enter the following command:

    delete arpentry

This command uses the following options:

delete arpentry followed by:

    <ipaddr>
        The IP address for which you want to delete the ARP entry on the switch.
    all
        Deletes all ARP entries on the switch.

Figure 137 shows how to delete an ARP entry with the IP address 10.48.74.121.

Figure 137  delete arpentry command

    PP1612G:4# delete arpentry 10.48.74.121
    Command: delete arpentry 10.48.74.121
    Success.
    PP1612G:4#

Configuring the ARP aging time

To configure the ARP aging time, enter the following command:

    config arp_aging time <value>

where:

    value is the time, in seconds, that an entry can remain in the switch's ARP table, without being used, before it is dropped from the ARP table. The default is 20 minutes.

Figure 138 shows how to configure the ARP aging time to be 30 minutes.
Figure 138  config arp_aging time command

    PP1612G:4# config arp_aging time 30
    Command: config arp_aging time 30
    Success.
    PP1612G:4#

Displaying the current ARP entries

To display the current contents of the switch's ARP table:

    show arpentry

This command uses the following options:

show arpentry followed by:

    ipif <ipif_name 12>
        The name of the IP interface of the end node for which you want to display the ARP table entry. This value can be up to 12 alphanumeric characters.
    ipaddress <ipaddr>
        The IP address corresponding to the IP interface name entered above.
    static
        Displays all of the static entries in the switch's ARP table.

Figure 139 shows the ARP table being displayed.

Figure 139  show arpentry command

Clearing the ARP table

To clear the ARP table:

    clear arptable

This command has no additional options.

Figure 140 shows the switch's ARP table being cleared.

Figure 140  clear arptable command

    PP1612G:4# clear arptable
    Command: clear arptable
    Success.
    PP1612G:4#

Configuring an ARP request rate limit

The Passport 1600 series switches allow you to set limits on the rate at which the Switch will receive and process Address Resolution Protocol (ARP) request packets. There are two commands available to configure and enable the ARP rate limit control on the Switch. The first allows you to enable and disable the ARP rate limit — without changing the limit values you may have entered. The second command allows you to specify the number of ARP packets received by the Switch in one second that will trigger the ARP rate limit control. If the Switch receives more ARP packets in a second than you specify, the Switch will block all ARP requests for one second.
The ARP rate limit counter is then reset, and ARP requests are again allowed — until the rate of ARP packets received by the Switch exceeds the limit you have set. The default value of the ARP request rate limit is 50 ARP packets per second, and you can specify any value between 10 and 100 packets per second.

This section describes the commands you use in creating, deleting, and showing ARP request rate limits. Specifically, it includes the following topics:

    Topic                                     Page
    Configuring the ARP request rate limit    252
    Enabling the ARP request rate limit       254
    Disabling the ARP request rate limit      255
    Displaying the ARP request rate limit     255

Roadmap of ARP request rate limit CLI commands

The following roadmap lists all of the ARP request rate limit commands and their parameters. Use this list as a quick reference or click on any entry for more information:

    Command                        Parameter
    config arp_req_rate_limit 60   <value 10-100>
    enable arp_req_rate_limit      none
    disable arp_req_rate_limit     none
    show arpentry                  none

Configuring the ARP request rate limit

To set the ARP request rate limit for the switch to 60 ARP packets per second, use the following command:

    config arp_req_rate_limit 60

This command uses the following options:

config arp_req_rate_limit followed by:

    <value 10-100>
        Specifies the rate of ARP packets received by the switch, in packets per second, that will trigger the switch's response. The default is 50 ARP packets per second. If the number of ARP packets received by the switch exceeds the number entered here, the switch will drop all ARP request packets for one second, reset the incoming ARP packet rate counter, and then resume receiving and processing ARP packets.

Figure 141 shows you how to set the ARP request rate limit to 60 ARP packets per second.
Figure 141 config arp_req_rate_limit command

    PP1648T:4#config arp_req_rate_limit 60
    Command: config arp_req_rate_limit 60
    Success.
    PP1648T:4#

Enabling the ARP request rate limit

To enable the ARP request rate limit for the switch, use the following command:

    enable arp_req_rate_limit

This command uses no additional options. Figure 142 shows you how to enable the ARP request rate limit.

Figure 142 enable arp_req_rate_limit command

    PP1648T:4#enable arp_req_rate_limit
    Command: enable arp_req_rate_limit
    Success.
    PP1648T:4#

Disabling the ARP request rate limit

To disable the ARP request rate limit for the switch, use the following command:

    disable arp_req_rate_limit

This command uses no additional options. Figure 143 shows you how to disable the ARP request rate limit.

Figure 143 disable arp_req_rate_limit command

    PP1648T:4#disable arp_req_rate_limit
    Command: disable arp_req_rate_limit
    Success.
    PP1648T:4#

Displaying the ARP request rate limit

To display the current ARP request rate limit for the switch, use the following command:

    show arpentry

This command uses no additional options. Figure 144 shows you how to display the ARP request rate limit, along with the switch's ARP table.
Figure 144 show arpentry command

    PP1648T:4#show arpentry
    ARP Aging Time     : 20
    ARP Req Rate Limit : Enabled (50 frames/sec)
    Interface   IP Address   MAC Address         Type
    ---------   ----------   -----------------   ---------------
    System      10.0.0.0     FF-FF-FF-FF-FF-FF   Local/Broadcast

Configuring RIP

The Routing Information Protocol (RIP) is a distance-vector routing protocol. There are two types of network devices running RIP: active and passive. Active devices advertise their routes to others through RIP messages, while passive devices listen to these messages. Both active and passive routers update their routing tables based upon the RIP messages that active routers exchange. Only routers can run RIP in the active mode. The 1600 Series switches are active RIP devices.

Every 30 seconds, a router running RIP broadcasts a routing update containing a set of pairs of network addresses and a distance (represented by the number of hops or routers between the advertising router and the remote network). So the vector is the network address, and the distance is measured by the number of routers between the local router and the remote network.

RIP measures distance by an integer count of the number of hops from one network to another. A router is one hop from a directly connected network, two hops from a network that can be reached through a router, and so on. The more routers between a source and a destination, the greater the RIP distance (or hop count).

There are a few rules to the routing table update process that help to improve performance and stability. A router will not replace a route with a newly learned one if the new route has the same hop count (sometimes referred to as 'cost'). So learned routes are retained until a new route with a lower hop count is learned.

When learned routes are entered into the routing table, a timer is started. This timer is restarted every time this route is advertised.
If the route is not advertised for a period of time (usually 180 seconds), the route is removed from the routing table.

This section includes the following topics:

    Topic                                      Page
    Roadmap of RIP CLI commands                257
    Configuring RIP                            258
    Enabling RIP                               259
    Disabling RIP                              260
    Displaying the current RIP configuration   260

Roadmap of RIP CLI commands

The following roadmap lists some of the RIP CLI commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on RIP commands.

    Command           Parameter
    config rip ipif   <ipif_name 12>
                      rx_mode [disable|v1_only|v2_only|v1_and_v2]
                      tx_mode [disable|v1_only|v1_compatible|v2_only]
                      authentication [enabled <password>|disabled]
                      state [enabled|disabled]
    enable rip
    disable rip
    show rip          ipif <ipif_name 12>

Configuring RIP

To configure RIP on a specific interface, use the following command:

    config rip ipif <ipif_name 12>

where:
    ipif_name 12 is the name of the IP interface on which RIP is configured.

This command uses the following options:

config rip ipif <ipif_name 12> followed by:
    rx_mode [disable|v1_only|v2_only|v1_and_v2]         Determines the version of RIP that the switch uses to interpret received RIP packets: RIP version V1 only, V2 only, or V1 and V2. disable prevents the switch from receiving RIP packets.
    tx_mode [disable|v1_only|v1_compatible|v2_only]     Determines the version of RIP that the switch uses to format transmitted RIP packets: RIP version V1 only, V1 compatible, or V2 only. disable prevents the switch from transmitting RIP packets.
    authentication [enabled <password>|disabled]        Enables or disables the authentication of RIP packets. If authentication is enabled, a case-sensitive password must be entered.
    state [enabled|disabled]                            Enables or disables RIP on the interface.
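To make the rx_mode and authentication options concrete, here is an added Python example (not code from the Nortel guide) that builds and parses RIP updates in the RFC 1058 / RFC 2453 wire format and decides whether an interface with a given rx_mode and authentication setting would accept them. The page does not state how the switch itself orders these checks, so the acceptance rules follow RFC 2453; the function and constant names are this example's own. Two points the RFC makes and the example reproduces: RIPv1 updates have no authentication field at all, so with rx_mode v1_and_v2 an authenticated neighbour set still accepts unauthenticated v1 updates, and the RIPv2 simple password is carried in clear text in every update, so it guards against misconfigured neighbours rather than against anyone able to read traffic on the segment.

```python
"""RIP update builder/parser and rx_mode + authentication acceptance check
(added example; wire format per RFC 1058 and RFC 2453)."""
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2      # command field: Response (routing update)
AFI_INET = 2          # address family: IP
AFI_AUTH = 0xFFFF     # RIPv2 authentication entry marker
AUTH_SIMPLE = 2       # RIPv2 simple (cleartext) password authentication
ENTRY_LEN = 20        # every RIP entry is 20 bytes


def build_rip_packet(version, routes, password=None):
    """Construct a RIP Response. routes: (network, prefix_len, next_hop, metric).
    RIPv1 entries carry no mask or next hop, so those fields are zero."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    if password is not None and version != 2:
        raise ValueError("authentication entries exist only in RIPv2")
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("RIPv2 simple password is at most 16 bytes")
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, pw.ljust(16, b"\x00"))
    for network, prefix_len, next_hop, metric in routes:
        mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF if version == 2 else 0
        nh = int(IPv4Address(next_hop)) if version == 2 else 0
        pkt += struct.pack("!HHIIII", AFI_INET, 0, int(IPv4Address(network)),
                           mask, nh, metric)
    return pkt


def parse_rip_packet(data):
    """Parse a RIP packet into {'command', 'version', 'auth', 'routes'};
    raises ValueError on malformed input."""
    if len(data) < 4 or (len(data) - 4) % ENTRY_LEN != 0:
        raise ValueError("malformed RIP packet length")
    command, version, _zero = struct.unpack("!BBH", data[:4])
    if version not in (1, 2):
        raise ValueError(f"unsupported RIP version {version}")
    auth, routes = None, []
    for off in range(4, len(data), ENTRY_LEN):
        entry = data[off:off + ENTRY_LEN]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AFI_AUTH:
            if off != 4 or version != 2:      # RFC 2453: auth entry is the first v2 entry
                raise ValueError("authentication entry must be the first RIPv2 entry")
            auth_type, auth_data = struct.unpack("!H16s", entry[2:])
            auth = {"type": auth_type, "password": auth_data.rstrip(b"\x00")}
            continue
        afi, _tag, addr, mask, nh, metric = struct.unpack("!HHIIII", entry)
        if afi != AFI_INET or not 1 <= metric <= 16:   # 16 = unreachable
            raise ValueError(f"invalid route entry (afi={afi}, metric={metric})")
        routes.append({"network": str(IPv4Address(addr)), "mask": str(IPv4Address(mask)),
                       "next_hop": str(IPv4Address(nh)), "metric": metric})
    return {"command": command, "version": version, "auth": auth, "routes": routes}


def accept_rip_packet(data, rx_mode, password=None):
    """Would an interface with this rx_mode (disable, v1_only, v2_only, v1_and_v2)
    and authentication (password, or None for disabled) accept the update?
    Returns (accepted, reason).  Rules follow RFC 2453 (assumption: the switch
    applies them the same way; the page does not say)."""
    if rx_mode == "disable":
        return False, "interface does not receive RIP"
    allowed = {"v1_only": {1}, "v2_only": {2}, "v1_and_v2": {1, 2}}[rx_mode]
    pkt = parse_rip_packet(data)
    if pkt["version"] not in allowed:
        return False, f"RIPv{pkt['version']} not accepted in rx_mode {rx_mode}"
    if pkt["version"] == 1:
        # RFC 2453: v1 updates cannot carry authentication and are accepted
        # whenever v1 is allowed, even with authentication configured.
        return True, "RIPv1 accepted (unauthenticated by design)"
    if password is None:
        if pkt["auth"] is not None:
            return False, "authenticated RIPv2 update but authentication is disabled"
        return True, "RIPv2 accepted (authentication disabled)"
    if pkt["auth"] is None or pkt["auth"]["type"] != AUTH_SIMPLE:
        return False, "authentication required but update carries none"
    if not hmac.compare_digest(pkt["auth"]["password"], password.encode()):
        return False, "authentication password mismatch"
    return True, "RIPv2 accepted (password verified)"


if __name__ == "__main__":
    # Constructed updates: an authenticated v2 update for 10.1.0.0/16 and a v1 one.
    v2 = build_rip_packet(2, [("10.1.0.0", 16, "0.0.0.0", 2)], password="s3cret")
    v1 = build_rip_packet(1, [("10.1.0.0", 0, "0.0.0.0", 3)])
    print(accept_rip_packet(v2, "v2_only", password="s3cret"))   # accepted
    print(accept_rip_packet(v1, "v1_and_v2", password="s3cret")) # accepted despite auth
    print(accept_rip_packet(v1, "v2_only", password="s3cret"))   # rejected
```

The practical reading of the last two calls: when authentication is the reason for enabling RIPv2, pair it with rx_mode v2_only; v1_and_v2 leaves an unauthenticated path open on the same interface.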
To configure RIP on all interfaces, use the following command:

    config rip all

This command uses the following options:

config rip all followed by:
    rx_mode [disable|v1_only|v2_only|v1_and_v2]         Determines the version of RIP that the switch uses to interpret received RIP packets: RIP version V1 only, V2 only, or V1 and V2. disable prevents the switch from receiving RIP packets.
    tx_mode [disable|v1_only|v1_compatible|v2_only]     Determines the version of RIP that the switch uses to format transmitted RIP packets: RIP version V1 only, V1 compatible, or V2 only. disable prevents the switch from transmitting RIP packets.
    authentication [enabled <password>|disabled]        Enables or disables the authentication of RIP packets. If authentication is enabled, a case-sensitive password must be entered.
    state [enabled|disabled]                            Enables or disables RIP on all interfaces.

Figure 145 shows RIP being configured for the IP interface named System, and to use RIP version V1 to interpret received RIP packets.

Figure 145 config rip command

    PP1612G:4#config rip ipif System rx_mode v1_only
    Command: config rip ipif System rx_mode v1_only
    Success.
    PP1612G:4#

Enabling RIP

To enable RIP, use the following command:

    enable rip

Figure 146 shows RIP being enabled.

Figure 146 enable rip command

    PP1612G:4#enable rip
    Command: enable rip
    Success.
    PP1612G:4#

Disabling RIP

To disable RIP, use the following command:

    disable rip

Figure 147 shows RIP being disabled.

Figure 147 disable rip command

    PP1612G:4#disable rip
    Command: disable rip
    Success.
    PP1612G:4#

Displaying the current RIP configuration

To display the current RIP configuration, use the following command:

    show rip

This command uses the following options:

show rip followed by:
    ipif <ipif_name 12>    The name of the IP interface for which you want to display the current RIP configuration. If you do not enter an IP interface name, the switch displays the current RIP configuration for all IP interfaces.

Figure 148 shows the current RIP configuration being displayed.

Figure 148 show rip command

    PP1648T:4# show rip
    Command: show rip
    RIP Global State : Enabled
    RIP Interface Settings
    Interface   IP Address         TX Mode    RX Mode     Authentication   State
    ---------   ----------------   --------   ---------   --------------   --------
    System      192.32.96.151/26   V1 Comp.   V1 and V2   Disabled         Disabled
    Total Entries : 1
    PP1648T:4#

Configuring OSPF

Open Shortest Path First (OSPF) is a routing protocol that uses a link-state algorithm to determine routes to network destinations. A link is an interface on a router, and the state is a description of that interface and its relationship to neighboring routers. The state contains information such as the IP address, subnet mask, type of network the interface is attached to, other routers attached to the network, and so on. These link states are collected in a link-state database that is maintained by routers running OSPF.

OSPF specifies how routers communicate to maintain their link-state database and defines several concepts about the topology of networks that use OSPF. To limit the extent of link-state update traffic between routers, OSPF defines the concept of an Area.
All routers within an area share the exact same link-state database, and a change to this database on one router triggers an update to the link-state database of all other routers in that area. Routers that have interfaces connected to more than one area are called Border Routers and take the responsibility of distributing routing information between areas.

One area is defined as Area 0, or the Backbone. This area is central to the rest of the network in that all other areas have a connection (through a router) to the backbone. Only routers have connections to the backbone, and OSPF is structured such that routing information changes in other areas are introduced into the backbone and then propagated to the rest of the network. When constructing a network to use OSPF, it is generally advisable to begin with the backbone (area 0) and work outward.

There are four general categories of tasks required to set up OSPF on the 1600 switch:

    • OSPF Area Setting: the configuration of sub-domains called OSPF areas and their designation as either normal or stub areas. Normal areas allow the advertisement of external routes; stub areas do not.
    • OSPF IP Interface Configuration: the entry of OSPF IP interfaces that correspond to IP interfaces configured previously on the switch.
    • OSPF Virtual Link Configuration: the definition of OSPF areas that allow links with outside routers to access the OSPF backbone.
    • OSPF Area Aggregation Configuration: allows OSPF areas to be represented by their network address and subnet mask. In addition, the type of link-state database advertisement can be specified for each area.
This section includes the following topics:

    Topic                                                  Page
    Roadmap of OSPF CLI commands                           263
    Enabling OSPF                                          265
    Disabling OSPF                                         266
    Configuring the OSPF router ID                         266
    Displaying the current OSPF configuration              267
    Creating an OSPF area                                  269
    Deleting an OSPF area                                  270
    Configuring an OSPF area                               271
    Displaying the current OSPF area configuration         272
    Creating an OSPF host route                            273
    Creating an OSPF area aggregation                      277
    Displaying the current OSPF LSDB                       281
    Displaying the current OSPF neighbor table             282
    Displaying the current OSPF virtual neighbor table     283
    Configuring an OSPF IP interface                       283
    Creating an OSPF virtual link                          286
    Configuring an OSPF virtual link                       288
    Deleting an OSPF virtual link                          290
    Displaying the currently configured OSPF virtual links 290

Roadmap of OSPF CLI commands

The following roadmap lists some of the OSPF switch commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on OSPF switch commands.
    Command                      Parameter
    enable ospf
    disable ospf
    config ospf router_id        <ipaddr>
    show ospf
    create ospf area             <area_id> type [normal|stub]
                                 stub_summary [enabled|disabled]
                                 metric <value>
    delete ospf area             <area_id>
    config ospf area             <area_id> type [normal|stub]
                                 stub_summary [enabled|disabled]
                                 metric <value>
    show ospf area               <area_id>
    create ospf host_route       <ipaddr> area <area_id> metric <value>
    config ospf host_route       <ipaddr> area <area_id> metric <value>
    show ospf host_route         <ipaddr>
    delete ospf host_route       <ipaddr>
    create ospf aggregation      <area_id> <network_address> lsdb_type [summary]
                                 advertise [enabled|disabled]
    delete ospf aggregation      <area_id> <network_address> lsdb_type [summary]
    config ospf aggregation      <area_id> <network_address> lsdb_type [summary]
                                 advertise [enabled|disabled] metric <value>
    show ospf aggregation        area <area_id>
    show ospf lsdb               area <area_id> advertise_router <ipaddr>
                                 type [rtrlink|netlink|summary|assummary|asextlink]
    show ospf neighbor
    show ospf virtual_neighbor   area <area_id>
    config ospf ipif             <ipif_name 12>
                                 all
                                 area <area_id> priority <value>
                                 hello_interval <sec> dead_interval <sec>
                                 authentication [none|simple <password>|md5 <key_id>]
                                 metric <value> state [enabled|disabled]
    show ospf ipif               <ipif_name 12>
                                 all
    create ospf virtual_link     <area_id> <neighbor_id> hello_interval <sec>
                                 dead_interval <sec>
                                 authentication [none|simple <password>|md5 <key_id>]
    config ospf virtual_link     <area_id> <neighbor_id> hello_interval <sec>
                                 dead_interval <sec>
                                 authentication [none|simple <password>|md5 <key_id>]
    delete ospf virtual_link     <area_id> <neighbor_id>
    show ospf virtual_link       area <area_id> <neighbor_id>

Enabling OSPF

To enable OSPF on the switch, use the following command:

    enable ospf

This command uses no additional options. Figure 149 shows OSPF being enabled.

Figure 149 enable ospf command

    PP1612G:4#enable ospf
    Command: enable ospf
    Success.
    PP1612G:4#

Disabling OSPF

To disable OSPF on the switch, use the following command:

    disable ospf

Figure 150 shows OSPF being disabled.

Figure 150 disable ospf command

    PP1612G:4#disable ospf
    Command: disable ospf
    Success.
    PP1612G:4#

Configuring the OSPF router ID

An OSPF router ID is a 32-bit number (in the same form as an IP address, xxx.xxx.xxx.xxx) that uniquely identifies the switch in the OSPF domain. It is common to assign the highest IP address assigned to the switch as the OSPF router ID. In the case of a 10.x.x.x network, this would be 10.255.255.255, but any unique 32-bit number will do. If 0.0.0.0 is entered, the highest IP address assigned to the switch becomes the OSPF router ID for the switch.

To configure the OSPF router ID, use the following command:

    config ospf router_id <ipaddr>

where:
    ipaddr is the OSPF router ID.

Figure 151 shows the configuration of the OSPF router ID to be 10.48.74.122.

Figure 151 config ospf router_id command

    PP1612G:4#config ospf router_id 10.48.74.122
    Command: config ospf router_id 10.48.74.122
    Success.
    PP1612G:4#

Displaying the current OSPF configuration

To display the current OSPF configuration, use the following command:

    show ospf

Figure 152 shows the current OSPF configuration being displayed.
Figure 152 show ospf command (partial display)

    PP1612G:4# show ospf
    Command: show ospf
    OSPF Router ID : 192.32.96.54 (Auto selected)
    State          : Disabled

    OSPF Interface Settings
    Interface   IP Address         Area ID   State      Link Status   Metric
    ---------   ----------------   -------   --------   -----------   ------
    ip2         10.1.2.3/8         0.0.0.0   Disabled   Link DOWN     1
    System      192.32.96.54/26    0.0.0.0   Disabled   Link Up       1
    Total Entries : 2

    OSPF Area Settings
    Area ID   Type     Stub Import Summary LSA   Stub Default Cost
    -------   ------   -----------------------   -----------------
    0.0.0.0   Normal   None                      None
    Total Entries : 1

    Virtual Interface Configuration
    Transit Area ID   Virtual Neighbor Router   Hello Interval   Dead Interval   Authentication   Link Status
    ---------------   -----------------------   --------------   -------------   --------------   -----------
    Total Entries : 0

    OSPF Area Aggregation Settings
    Area ID   Aggregated Network Address   LSDB Type   Advertise
    -------   --------------------------   ---------   ---------
    Total Entries : 0

    OSPF Host Route Settings
    Host Address   Metric   Area ID   TOS
    ------------   ------   -------   ---
    Total Entries : 0
    PP1612G:4#

Creating an OSPF area

OSPF areas can be designated as either normal or stub. Normal OSPF areas allow link-state database (LSDB) advertisements of routes to networks that are external to the area; stub areas do not allow the LSDB advertisement of external routes. Stub areas use a default summary route (0.0.0.0) to reach external destinations.

OSPF area definitions are as follows:

    Area ID    A 32-bit number in the form of an IP address (xxx.xxx.xxx.xxx) that uniquely identifies the OSPF area in the OSPF domain.
    Normal     OSPF areas that allow AS-external-LSAs to be flooded into them.
    Stub       OSPF areas that do not allow AS-external-LSAs to be flooded into them.
To create an OSPF area, use the following command:

    create ospf area <area_id> type [normal|stub]

where:
    area_id is the OSPF area ID.
    type specifies the mode of operation in the OSPF area. normal indicates OSPF areas that allow AS-external-LSAs to be flooded into them. stub indicates OSPF areas that do not allow AS-external-LSAs to be flooded into them.

This command uses the following options:

create ospf area <area_id> type [normal|stub] followed by:
    stub_summary [enabled|disabled]    Enables or disables the OSPF area to import summary LSA advertisements.
    metric <value>                     This is a number between 0 and 65535 that represents the OSPF area cost. The default is 1.

Figure 153 shows the configuration of the OSPF area with the area ID of 10.48.74.122 and the type normal.

Figure 153 create ospf area command

    PP1612G:4#create ospf area 10.48.74.122 type normal
    Command: create ospf area 10.48.74.122 type normal
    Success.
    PP1612G:4#

Deleting an OSPF area

To delete an OSPF area, use the following command:

    delete ospf area <area_id>

where:
    area_id is the OSPF area ID.

Figure 154 shows the deletion of the OSPF area with the area ID of 10.48.74.122.

Figure 154 delete ospf area command

    PP1612G:4#delete ospf area 10.48.74.122
    Command: delete ospf area 10.48.74.122
    Success.
    PP1612G:4#

Configuring an OSPF area

OSPF areas can be designated as either normal or stub. Normal OSPF areas allow link-state database (LSDB) advertisements of routes to networks that are external to the area. Stub areas do not allow the LSDB advertisement of external routes. Stub areas use a default summary external route (0.0.0.0 or Area 0) to reach external destinations.

To configure an OSPF area, use the following command:

    config ospf area <area_id> type [normal|stub]

where:
    area_id is the OSPF area ID.
    type specifies the mode of operation in the OSPF area. normal indicates that LSAs for routes outside the area are allowed. stub indicates that LSAs for routes outside the area are not allowed.

This command uses the following options:

config ospf area <area_id> type [normal|stub] followed by:
    stub_summary [enabled|disabled]    Enables or disables the OSPF area to import summary LSA advertisements.
    metric <value>                     This is a number between 0 and 65535 that represents the OSPF area cost. The default is 0.

Figure 155 shows how to configure an OSPF area with the area ID of 10.48.74.122 to be of type stub, how to enable stub summary LSAs to be imported, and how to configure an OSPF cost of 1.

Figure 155 config ospf area command

    PP1612G:4#config ospf area 10.48.74.122 type stub stub_summary enabled metric 1
    Command: config ospf area 10.48.74.122 type stub stub_summary enabled metric 1
    Success.
    PP1612G:4#

Displaying the current OSPF area configuration

To display the current OSPF area configuration, use the following command:

    show ospf area

This command uses the following option:

show ospf area followed by:
    <area_id>    This is the OSPF area ID.

Figure 156 shows the current OSPF area configuration being displayed.

Figure 156 show ospf area command

    PP1612G:4#show ospf area
    Command: show ospf area
    Area ID        Type     Stub Import Summary LSA   Stub Default Cost
    ------------   ------   -----------------------   -----------------
    0.0.0.0        Normal   None                      None
    10.48.74.122   Stub     Enabled                   1
    Total Entries: 2
    PP1612G:4#

Creating an OSPF host route

This command allows you to make a static entry in the switch's OSPF host table for host computers that are directly connected to the switch, so that their IP addresses and route metrics can be advertised to other OSPF areas.
To create an OSPF host route, use the following command:

    create ospf host_route <ipaddr>

where:
    ipaddr is the IP address of the host.

This command uses the following options:

create ospf host_route <ipaddr> followed by:
    area <area_id>    This is the OSPF area ID where the host computer is located.
    metric <value>    This is a number between 0 and 65535 that represents the OSPF area cost. The default is 1.

Figure 157 shows how to create an OSPF host route between the host's IP address 10.48.74.122 and the OSPF area 10.1.1.1, with an OSPF area cost of 2.

Figure 157 create ospf host_route command

    PP1612G:4#create ospf host_route 10.48.74.122 area 10.1.1.1 metric 2
    Command: create ospf host_route 10.48.74.122 area 10.1.1.1 metric 2
    Success.
    PP1612G:4#

Configuring an OSPF host route

This command allows you to configure a static entry in the switch's OSPF host table for host computers that are directly connected to the switch, so that their IP addresses and route metrics can be advertised to other OSPF areas.

To configure the OSPF host route, use the following command:

    config ospf host_route <ipaddr>

where:
    ipaddr is the IP address of the host.

This command uses the following options:

config ospf host_route <ipaddr> followed by:
    area <area_id>    This is the OSPF area ID where the host computer is located.
    metric <value>    This is a number between 0 and 65535 that represents the OSPF area cost. The default is 1.

Figure 158 shows how to configure the OSPF host route between the host's IP address 10.48.74.122 and the OSPF area 10.1.1.1 to use the OSPF area cost of 1.

Figure 158 config ospf host_route command

    PP1612G:4#config ospf host_route 10.48.74.122 area 10.1.1.1 metric 1
    Command: config ospf host_route 10.48.74.122 area 10.1.1.1 metric 1
    Success.
    PP1612G:4#

Displaying the currently configured OSPF host routes

To display the OSPF host routes, use the following command:

    show ospf host_route

This command uses the following options:

show ospf host_route followed by:
    <ipaddr>    This is the IP address of the host.

Figure 159 shows the display of the currently configured OSPF host routes.

Figure 159 show ospf host_route command

    PP1612G:4# show ospf host_route
    Command: show ospf host_route
    OSPF Host Route Settings
    Host Address   Metric   Area ID   TOS
    ------------   ------   -------   ---------
    2.2.2.2        1        0.0.0.0   0 (Ready)
    Total Entries : 1
    PP1612G:4#

Deleting an OSPF host route

To delete an OSPF host route, use the following command:

    delete ospf host_route <ipaddr>

where:
    ipaddr is the IP address of the host.

Figure 160 shows how to delete the OSPF host route for the host whose IP address is 10.48.74.122.

Figure 160 delete ospf host_route command

    PP1612G:4#delete ospf host_route 10.48.74.122
    Command: delete ospf host_route 10.48.74.122
    Success.
    PP1612G:4#

Creating an OSPF area aggregation

This command allows OSPF areas to be represented by their network addresses and subnet masks. In this way, the whole range of IP addresses assigned to an OSPF area can be advertised with just two numbers: the network address and the subnet mask. In addition, the type of link-state database advertisement can be specified for each area.

To create an OSPF area aggregation, use the following command:

    create ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
    area_id is the OSPF area ID.
    network_address is the IP address that corresponds to the OSPF area ID.
    lsdb_type is the type of address aggregation that OSPF will use. Currently, only summary is supported.
This command uses the following option:

create ospf aggregation <area_id> <network_address> lsdb_type [summary] followed by:
    advertise [enabled|disabled]    Enables or disables the advertisement trigger.

Figure 161 shows how to create an OSPF area aggregation for the OSPF area 10.1.1.1 and the network address 10.48.76.122/16, how to set the LSDB type to summary, and how to enable the advertisement trigger.

Figure 161 create ospf aggregation command

    PP1612G:4#create ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise enabled
    Command: create ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise enabled
    Success.
    PP1612G:4#

Deleting an OSPF area aggregation

To delete an OSPF area aggregation, use the following command:

    delete ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
    area_id is the OSPF area ID.
    network_address is the IP address that corresponds to the OSPF area ID.
    lsdb_type is the type of address aggregation that OSPF uses. Currently, only summary is supported.

Figure 162 shows how to delete the OSPF area aggregation for the OSPF area 10.1.1.1 and the network address 10.48.76.122/16, with the LSDB type being summary.

Figure 162 delete ospf aggregation command

    PP1612G:4#delete ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary
    Command: delete ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary
    Success.
    PP1612G:4#

Configuring an OSPF area aggregation

This command allows you to configure how OSPF areas are aggregated so that each area can be represented by its network address and subnet mask. In this way, the whole range of IP addresses assigned to an OSPF area can be advertised with just two numbers: the network address and the subnet mask.
In addition, the type of link-state database advertisement can be specified for each area.

To configure an OSPF area aggregation, use the following command:

    config ospf aggregation <area_id> <network_address> lsdb_type [summary]

where:
    area_id is the OSPF area ID.
    network_address is the IP address that corresponds to the OSPF area ID.
    lsdb_type is the type of address aggregation that OSPF will use. Currently, only summary is supported.

This command uses the following options:

config ospf aggregation <area_id> <network_address> lsdb_type [summary] followed by:
    advertise [enabled|disabled]    Enables or disables the advertisement trigger.
    metric <value>                  Specifies a number between 0 and 65535 that represents the OSPF area cost. The default is 0.

Figure 163 shows how to configure an OSPF area aggregation for the OSPF area 10.1.1.1 and the network address 10.48.76.122/16, with the LSDB type being summary and the advertisement trigger disabled.

Figure 163 config ospf aggregation command

    PP1612G:4# config ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise disabled
    Command: config ospf aggregation 10.1.1.1 10.48.76.122/16 lsdb_type summary advertise disabled
    Success.
    PP1612G:4#

Displaying the currently configured OSPF area aggregations

To display the currently configured OSPF area aggregations, use the following command:

    show ospf aggregation

This command uses the following option:

show ospf aggregation followed by:
    area <area_id>    Indicates the OSPF area ID that you want to display.

Figure 164 shows the currently configured OSPF area aggregations.
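The effect of an aggregation's advertise setting on what leaves the area is easier to see in code than in prose. The following Python example is added here and is not code from the Nortel guide; it applies the address-range rule of RFC 2328 (a range is summarised only when at least one intra-area route falls inside it, and its component routes are then not advertised individually) to a constructed set of intra-area prefixes. The function name and the sample prefixes are this example's own; the page's network address 10.48.76.122/16 is normalised to 10.48.0.0/16 the way a router would treat it.

```python
"""What an area border router advertises for an area once aggregations are
configured (added example; follows the RFC 2328 address-range rule)."""
from ipaddress import ip_network


def summarize_area_routes(intra_area_routes, aggregations):
    """intra_area_routes: prefixes known inside the area, e.g. "10.48.76.0/24".
    aggregations: (network_address, advertise) pairs as given to
    config ospf aggregation; a host-form address such as 10.48.76.122/16 is
    normalised to its network (10.48.0.0/16).
    Returns (advertised, suppressed, uncovered): prefixes advertised into
    other areas, component prefixes hidden behind an aggregation, and
    intra-area prefixes no aggregation covers (those are advertised as-is)."""
    ranges = [(ip_network(addr, strict=False), advertise)
              for addr, advertise in aggregations]
    routes = [ip_network(r) for r in intra_area_routes]
    advertised, suppressed, uncovered = [], [], []
    for rng, advertise in ranges:
        components = [r for r in routes if r.subnet_of(rng)]
        # A range is advertised only when it has at least one component route;
        # with advertise disabled the whole range is hidden from other areas.
        if components and advertise:
            advertised.append(str(rng))
        for r in components:
            if str(r) not in suppressed:
                suppressed.append(str(r))
    for r in routes:
        if not any(r.subnet_of(rng) for rng, _ in ranges):
            uncovered.append(str(r))
            advertised.append(str(r))
    return advertised, suppressed, uncovered


if __name__ == "__main__":
    # Constructed area contents: two /24s inside the page's 10.48.x.x/16 range
    # and one prefix that no aggregation covers.
    routes = ["10.48.76.0/24", "10.48.77.0/24", "172.16.5.0/24"]
    print(summarize_area_routes(routes, [("10.48.76.122/16", True)]))
    # (['10.48.0.0/16', '172.16.5.0/24'], ['10.48.76.0/24', '10.48.77.0/24'], ['172.16.5.0/24'])
    print(summarize_area_routes(routes, [("10.48.76.122/16", False)]))
    # (['172.16.5.0/24'], ['10.48.76.0/24', '10.48.77.0/24'], ['172.16.5.0/24'])
```

The second call is the case to check after a `config ospf aggregation ... advertise disabled`: the component routes are withheld as well, so other areas lose reachability to the whole range, not just the summary. The uncovered list is the review aid: a prefix that appears there is still leaving the area unsummarised.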
Figure 164 show ospf aggregation command

    PP1612G:4#show ospf aggregation
    Command: show ospf aggregation
    OSPF Area Aggregation Settings
    Area ID    Aggregated Network Address   LSDB Type   Advertise
    --------   --------------------------   ---------   ---------
    10.1.1.1   10.0.0.0/8                   Summary     Enabled
    10.1.1.1   20.2.0.0/16                  Summary     Enabled
    Total Entries: 2
    PP1612G:4#

Displaying the current OSPF LSDB

To display the current OSPF LSDB, use the following command:

    show ospf lsdb

This command uses the following options:

show ospf lsdb followed by:
    area <area_id>                                          Indicates the OSPF area ID in the LSDB that you want to display.
    advertise_router <ipaddr>                               Indicates the OSPF router ID of the advertising router in the LSDB that you want to display.
    type [rtrlink|netlink|summary|assummary|asextlink]      Specifies the type of link in the LSDB that you want to display.

Figure 165 shows the current OSPF LSDB.

Figure 165 show ospf lsdb command

    PP1648T:4# show ospf lsdb
    Command: show ospf lsdb
    Area ID   LSDB Type   Advertising Router ID   Link State ID   Cost   Sequence Number
    -------   ---------   ---------------------   -------------   ----   ---------------
    0.0.0.0   RTRLink     50.48.75.73             50.48.75.73     *      0x80000002
    Total Entries: 1
    PP1648T:4#

Displaying the current OSPF neighbor table

To display the current OSPF neighbor table, use the following command:

    show ospf neighbor

Figure 166 shows the display of the current OSPF neighbor table.
Figure 166 show ospf neighbor command

    PP1612G:4#show ospf neighbor
    Command: show ospf neighbor
    IP Address of Neighbor   Router ID of Neighbor   Neighbor Priority   Neighbor State
    ----------------------   ---------------------   -----------------   --------------
    151.201.0.1              10.200.5.12             1                   Full
    201.3.0.2                10.200.5.7              1                   Full
    201.3.10.39              10.200.5.39             1                   Full
    Total Entries: 3

Displaying the current OSPF virtual neighbor table

To display the current OSPF virtual neighbor table, use the following command:

    show ospf virtual_neighbor

This command uses the following option:

show ospf virtual_neighbor followed by:
    area <area_id>    Indicates the OSPF area ID of the virtual neighbor that you want to display.

Figure 167 shows the display of the current OSPF virtual neighbor table.

Figure 167 show ospf virtual_neighbor command

    PP1612G:4#show ospf virtual_link
    Command: show ospf virtual_link
    Transit Area ID   Virtual Neighbor Router   Hello Interval   Dead Interval   Authentication   Link Status
    ---------------   -----------------------   --------------   -------------   --------------   -----------
    3.3.3.3           10.200.5.7                10               60              None             UP
    3.3.3.3           10.200.5.36               10               60              None             UP
    Total Entries : 2
    PP1612G:4#

Configuring an OSPF IP interface

This command allows you to assign a previously configured IP interface on the switch to a previously configured OSPF area. The IP interface is identified by name and represents a VLAN (also previously configured on the switch).

To configure the OSPF IP interface, use the following command:

    config ospf ipif <ipif_name 12>

where:
    ipif_name 12 is the name of the IP interface. The name can be up to 12 alphanumeric characters.

This command uses the following options:

config ospf ipif <ipif_name 12> followed by:
    all                Specifies that this OSPF IP interface configuration applies to all the IP interfaces on the switch.
    area <area_id>     Specifies the OSPF area ID.
priority <value>
    Determines the Designated Router (DR) election. value is a number between 0 and 255. The higher the number, the higher the priority; for example, 255 represents a higher priority than 200.

hello_interval <sec>
    Specifies the time, in seconds, between transmissions of OSPF Hello packets. sec is a value between 1 and 65535 seconds, inclusive.

    Note: The Hello Interval, Dead Interval, Authentication Type, and Authentication Key must be the same on all routers attached to the same network. A router discards Hello packets whose intervals or authentication do not match its own interface, so a mismatch prevents the adjacency from forming.

dead_interval <sec>
    Specifies the maximum time, in seconds, between the receipt of successive Hello packets from a neighbor router before the router declares the neighbor down. sec is a value between 1 and 65535 seconds, inclusive. The Dead Interval must be evenly divisible by the Hello Interval.

authentication [none|simple <password>|md5 <key_id>]
    Specifies the type of authentication required between routers.
    password is an 8-character, case-sensitive password. You specify a password when you select simple authentication. A simple password is carried unencrypted in every OSPF packet, so anyone who can capture traffic on the segment can read it.
    key_id is a previously defined MD5 key ID. For instructions on configuring an entry in the MD5 key table, see "Configuring OSPF packet authentication" on page 291.

metric <value>
    Indicates the OSPF cost of the interface. value is a number between 0 and 65535, inclusive. The default is 1.

state [enabled|disabled]
    Enables or disables the OSPF IP interface.

Figure 168 shows the configuration of the OSPF IP interface named System.

Figure 168 config ospf ipif command

PP1612G:4#config ospf ipif System priority 2 hello_interval 15 metric 2 state enabled
Command: config ospf ipif System priority 2 metric 2 state enabled hello_interval 15

Success.

PP1612G:4#
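The authentication and timer options above, worked through as an added example that is not part of this guide or of the Passport software. It builds OSPF Hello packets the way RFC 2328 lays them out (simple and MD5 authentication as in its Appendix D), checks a received Hello the way a receiving interface would, and shows what the Note about matching intervals and keys means in practice. OspfIpif, build_hello, verify_hello, password_on_wire and the router IDs and keys used below are this example's own names and constructed values; the guide does not describe the Passport's packet handling, so this models the standard rather than the product.

```python
"""OSPFv2 Hello packets with none, simple and MD5 authentication, modelled on
RFC 2328 (section 10.5 and Appendix D). Constructed example; not Passport code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

AU_NONE, AU_SIMPLE, AU_MD5 = 0, 1, 2   # RFC 2328 AuType values
OSPF_HELLO = 1


@dataclass
class OspfIpif:
    """Assumed model of one 'config ospf ipif' entry; the field names are ours."""
    router_id: str
    area_id: str
    mask: str
    hello_interval: int = 10
    dead_interval: int = 40
    priority: int = 1
    auth_type: int = AU_NONE
    password: bytes = b""     # simple: up to 8 bytes, sent in the clear
    key_id: int = 0           # md5: index into the MD5 key table
    md5_key: bytes = b""      # md5: up to 16 bytes, never sent on the wire


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _inet_checksum(data):
    """One's-complement checksum of the OSPF header and body, auth field zeroed."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(ipif, seq=0):
    """Return the wire bytes of a Hello: header, body and (for MD5) the digest."""
    body = _ip(ipif.mask) + struct.pack("!HBBI", ipif.hello_interval, 0x02,
                                        ipif.priority, ipif.dead_interval)
    body += b"\0" * 8                                   # DR and BDR: none yet
    head = struct.pack("!BBH4s4s", 2, OSPF_HELLO, 24 + len(body),
                       _ip(ipif.router_id), _ip(ipif.area_id))
    if ipif.auth_type == AU_MD5:
        # checksum is zero; the auth field carries key id, digest length, sequence
        auth = struct.pack("!HBBI", 0, ipif.key_id, 16, seq)
        pkt = head + struct.pack("!HH", 0, AU_MD5) + auth + body
        digest = hashlib.md5(pkt + ipif.md5_key[:16].ljust(16, b"\0")).digest()
        return pkt + digest                             # digest not counted in length
    auth = ipif.password[:8].ljust(8, b"\0") if ipif.auth_type == AU_SIMPLE else b"\0" * 8
    csum = _inet_checksum(head + struct.pack("!HH", 0, ipif.auth_type) + b"\0" * 8 + body)
    return head + struct.pack("!HH", csum, ipif.auth_type) + auth + body


def verify_hello(local, wire, key_table, last_seq=None):
    """Decide whether a received Hello would be accepted on interface `local`.
    key_table maps key id -> key bytes, like the switch's MD5 key table.
    Returns (accepted, reason)."""
    length = struct.unpack("!H", wire[2:4])[0]
    au_type = struct.unpack("!H", wire[14:16])[0]
    if au_type != local.auth_type:
        return False, "authentication type mismatch"
    pkt, trailer = wire[:length], wire[length:]
    if au_type == AU_MD5:
        key_id, dlen, seq = struct.unpack("!xxBBI", pkt[16:24])
        key = key_table.get(key_id)
        if key is None or dlen != 16 or len(trailer) != 16:
            return False, "unknown key id or bad digest length"
        want = hashlib.md5(pkt + key[:16].ljust(16, b"\0")).digest()
        if not hmac.compare_digest(want, trailer):
            return False, "bad MD5 digest"
        if last_seq is not None and seq < last_seq:
            return False, "replayed sequence number"
    else:
        zeroed = pkt[:12] + b"\0\0" + pkt[14:16] + b"\0" * 8 + pkt[24:]
        if _inet_checksum(zeroed) != struct.unpack("!H", pkt[12:14])[0]:
            return False, "bad checksum"
        if au_type == AU_SIMPLE and pkt[16:24] != local.password[:8].ljust(8, b"\0"):
            return False, "bad password"
    # RFC 2328 10.5: mask, Hello Interval and Dead Interval must match or the
    # Hello is dropped, which is why the guide says to keep them identical.
    mask, hello_int, _, _, dead_int = struct.unpack("!4sHBBI", pkt[24:36])
    if (mask, hello_int, dead_int) != (_ip(local.mask), local.hello_interval, local.dead_interval):
        return False, "network mask / hello / dead interval mismatch"
    return True, "ok"


def password_on_wire(wire):
    """What a packet capture shows for simple authentication: the password itself."""
    return wire[16:24].rstrip(b"\0")
```

With simple authentication the password sits in bytes 16 to 24 of every packet, so password_on_wire recovers it from a capture; with MD5 only a digest over packet and key is sent, and a receiver whose key table holds a different key for the same key ID rejects the packet. The non-decreasing sequence-number check is the replay protection Appendix D requires, and the final comparison mirrors section 10.5 of the RFC, which discards a Hello whose network mask, Hello Interval or Dead Interval differ from the receiving interface; that is what leaves the neighbor table empty after a mismatched configuration.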
Displaying currently configured OSPF IP interfaces

To display the currently configured OSPF IP interfaces, use the following command:

show ospf ipif

This command uses the following options:

show ospf ipif followed by:

<ipif_name 12>
    Specifies the OSPF IP interface that you want to display.

all
    Specifies that you want all of the currently configured OSPF IP interfaces on the switch to be displayed.

Figure 169 shows the currently configured OSPF IP interfaces being displayed.

Figure 169 show ospf all command

PP1648T:4# show ospf all
Command: show ospf all

OSPF Interface Settings

Interface Name: System                IP Address: 192.32.96.151/26 (Link Up)
Network Medium Type: BROADCAST        Metric: 1
Area ID: 0.0.0.0                      Administrative State: Disabled
Priority: 1                           DR State: DOWN
DR Address: None                      Backup DR Address: None
Hello Interval: 10                    Dead Interval: 40
Transmit Delay: 1                     Retransmit Time: 5

Total Entries : 1

PP1648T:4#

Creating an OSPF virtual link

You use virtual links to restore or increase connectivity of the backbone. Virtual links can be configured between any pair of area border routers that have interfaces to a common (non-backbone) area. The virtual link appears as an unnumbered point-to-point link in the graph for the backbone. You must configure the virtual link on both of the area border routers. To create an OSPF virtual link, use the following command:

create ospf virtual_link <area_id> <neighbor_id>

where:

area_id is the OSPF transit area ID.
neighbor_id is the OSPF router ID of the neighbor.

This command uses the following options:

create ospf virtual_link <area_id> <neighbor_id> followed by:

hello_interval <sec>
    Specifies the time, in seconds, between transmissions of OSPF Hello packets. sec is a value between 1 and 65535 seconds, inclusive.
    Note: The Hello Interval, Dead Interval, Authentication Type, and Authentication Key must be the same on both ends of the virtual link.

dead_interval <sec>
    Specifies the maximum time, in seconds, between the receipt of successive Hello packets from the neighbor router before the router declares the neighbor down. sec is a value between 1 and 65535 seconds, inclusive. The Dead Interval must be evenly divisible by the Hello Interval.

authentication [none|simple <password>|md5 <key_id>]
    Specifies the type of authentication required between the two routers.
    password is an 8-character, case-sensitive password. You specify a password when you select simple authentication.
    key_id is a previously defined MD5 key ID.

Figure 170 shows how to create an OSPF virtual link through the transit area 10.1.1.1 to the neighbor with router ID 20.1.1.1, with a hello interval of 10 seconds between transmissions of Hello packets.

Figure 170 create ospf virtual_link command

PP1612G:4#create ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 10
Command: create ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 10

Success.

PP1612G:4#

Configuring an OSPF virtual link

This command changes the Hello Interval, Dead Interval, or authentication settings of a previously created OSPF virtual link. To configure an OSPF virtual link, use the following command:

config ospf virtual_link <area_id> <neighbor_id>

where:

area_id is the OSPF transit area ID.
neighbor_id is the OSPF router ID of the neighbor.
This command uses the following options:

config ospf virtual_link <area_id> <neighbor_id> followed by:

hello_interval <sec>
    Specifies the time, in seconds, between transmissions of OSPF Hello packets. sec is a value between 1 and 65535 seconds, inclusive.

    Note: The Hello Interval, Dead Interval, Authentication Type, and Authentication Key must be the same on both ends of the virtual link.

dead_interval <sec>
    Specifies the maximum time, in seconds, between the receipt of successive Hello packets from the neighbor router before the router declares the neighbor down. sec is a value between 1 and 65535 seconds, inclusive. The Dead Interval must be evenly divisible by the Hello Interval.

authentication [none|simple <password>|md5 <key_id>]
    Specifies the type of authentication required between the two routers.
    password is an 8-character, case-sensitive password. You specify a password when you select simple authentication.
    key_id is a previously defined MD5 key ID.

Figure 171 shows the configuration of the OSPF virtual link through the transit area 10.1.1.1 to the neighbor with router ID 20.1.1.1, changing the hello interval to 20 seconds between transmissions of Hello packets.

Figure 171 config ospf virtual_link command

PP1612G:4#config ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 20
Command: config ospf virtual_link 10.1.1.1 20.1.1.1 hello_interval 20

Success.

PP1612G:4#

Deleting an OSPF virtual link

To delete an OSPF virtual link, use the following command:

delete ospf virtual_link <area_id> <neighbor_id>

where:

area_id is the OSPF transit area ID.
neighbor_id is the OSPF router ID of the neighbor.

Figure 172 shows the deletion of the OSPF virtual link through the transit area 10.1.1.1 to the neighbor with router ID 20.1.1.1.
Figure 172 delete ospf virtual_link command

PP1612G:4#delete ospf virtual_link 10.1.1.1 20.1.1.1
Command: delete ospf virtual_link 10.1.1.1 20.1.1.1

Success.

PP1612G:4#

Displaying the currently configured OSPF virtual links

To display the currently configured OSPF virtual links, use the following command:

show ospf virtual_link

This command uses the following options:

show ospf virtual_link followed by:

area <area_id>
    Specifies the OSPF transit area ID of the virtual link that you want to display.

<neighbor_id>
    Specifies the OSPF router ID of the virtual neighbor that you want to display.

Figure 173 displays the currently configured OSPF virtual links.

Figure 173 show ospf virtual_link command

PP1612G:4# show ospf virtual_link
Command: show ospf virtual_link

Virtual Interface Configuration

Transit          Virtual          Hello     Dead                      Link
Area ID          Neighbor Router  Interval  Interval  Authentication  Status
---------------  ---------------  --------  --------  --------------  ------
10.0.0.0         20.0.0.0         10        60        None            DOWN

Total Entries: 1

PP1612G:4#

Configuring OSPF packet authentication

A Message Digest version 5 (MD5) key is an alphanumeric string of up to 16 case-sensitive characters that the switch uses to authenticate every packet exchanged between OSPF routers. It also serves as a security mechanism that limits the exchange of network topology information to the routers that hold the key. This section describes the commands you use to configure MD5 and to create, delete, and show MD5 key table entries.
Specifically, it includes the following topics:

Topic                                     Page
Roadmap of MD5 CLI commands               292
Creating an entry in the MD5 key table    292
Deleting an MD5 key table entry           293
Configuring an MD5 key                    293
Displaying the current MD5 key table      294

Roadmap of MD5 CLI commands

The following roadmap lists all of the MD5 commands and their parameters. Use this list as a quick reference or click on any entry for more information:

Command     Parameter
create md5  key <key_id> <password 16>
delete md5  key <key_id>
config md5  key <key_id> <password 16>
show md5    <key_id>

Creating an entry in the MD5 key table

To create an entry in the switch's MD5 key table that can be used to authenticate exchanges between OSPF routers, use the following command:

create md5 key <key_id> <password 16>

where:

key_id is the MD5 key ID, with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.

Both the key ID and the key string must be identical on every router that shares the link, because a receiving router looks the key up by the key ID carried in the packet.

Figure 174 shows how to create a new entry in the switch's MD5 key table with the key ID 2 and the password internet.

Figure 174 create md5 key command

PP1612G:4#create md5 key 2 internet
Command: create md5 key 2 internet

Success.

PP1612G:4#

Deleting an MD5 key table entry

To delete an MD5 key table entry, use the following command:

delete md5 key <key_id>

where:

key_id is the MD5 key ID, with values between 1 and 255.

Figure 175 shows how to delete the MD5 key table entry with the key ID 1.

Figure 175 delete md5 key command

PP1612G:4#delete md5 key 1
Command: delete md5 key 1

Success.

PP1612G:4#

Configuring an MD5 key

To change the password of an existing MD5 key table entry used to authenticate exchanges between OSPF routers, enter the following command:

config md5 key <key_id> <password 16>

where:

key_id is the MD5 key ID, with values between 1 and 255.
password 16 is a case-sensitive alphanumeric string of up to 16 characters.

Figure 176 shows how to configure key ID 1 with the password customer.

Figure 176 config md5 command

PP1612G:4#config md5 key 1 customer
Command: config md5 key 1 customer

Success.

PP1612G:4#

Displaying the current MD5 key table

To display the switch's current MD5 key table, use the following command:

show md5

This command uses the following options:

show md5 followed by:

<key_id>
    Specifies the MD5 key ID that you want to display.

Figure 177 shows how to display the switch's MD5 key table.

Figure 177 show md5 command

PP1612G:4#show md5
Command: show md5

MD5 Key Table Configurations

Key-ID  Key
------  -----------
1       customer
2       develop
3       fireball
4       intelligent

Total Entries:4

PP1612G:4#

Note that show md5 prints every key in clear text. Anyone who can run this command learns the keys and, with them, can forge OSPF packets that the neighboring routers accept, so restrict CLI access accordingly and treat the keys like any other shared secret.

Chapter 11 Configuring IP routes and route redistribution

This chapter describes the route table and route redistribution commands.
Specifically, it includes the following topics:

Topic                                                    Page
Using the route table                                    298
Roadmap of route table CLI commands                      298
Creating an IP route                                     299
Creating a default IP route                              300
Displaying the IP routes                                 301
Configuring IP routes                                    301
Configuring default IP routes                            303
Configuring IP routes with max static routes             304
Using route redistribution                               306
Roadmap of route redistribution CLI commands             307
Creating a route redistribution from RIP to OSPF         307
Creating a route redistribution from OSPF to RIP         309
Deleting a route redistribution                          311
Configuring a route redistribution between RIP and OSPF  312
Configuring a route redistribution between OSPF and RIP  314
Displaying the route redistribution settings             315

Using the route table

The Passport 1600 switch allows you to make static entries in the switch's IP routing table. IP routing is based on the network address of the destination IP address. Each routing table entry on the switch has a corresponding network address, and for each network address a gateway is listed. A gateway is used to reach remote networks. The gateway does not have to be directly connected to the remote network; it simply needs to be the first hop on the way to the remote network.

A default gateway is the gateway that connects the local network to the backbone or to the Internet. The default gateway is used whenever no specific route is found for a given packet, or when there are several gateways on a network that all have similar connections. In the Passport 1600 CLI, a default IP route is a route to a default gateway.

Roadmap of route table CLI commands

The following roadmap lists some of the route table commands and their parameters.
Use this list as a quick reference or click on any command or parameter entry for more information on route table commands.

Command         Parameter
create iproute  default <ipaddr> <metric>
create iproute  <network_address> <ipaddr> <metric>
delete iproute  default
show iproute    [<network_address> | static | rip | ospf]
config iproute  default <ipaddr> <metric 1-65535>
config iproute  max_static_route <int 0-512>

Creating an IP route

To create an IP route, enter the following command:

create iproute

This command uses the following options:

create iproute followed by:

default
    Creates a default IP route entry.

<network_address>
    Specifies the IP address and subnet mask of the destination network for which you want to create an IP route. You can specify the address and mask using the traditional format, for example 10.1.2.3/255.0.0.0, or the CIDR format, for example 10.1.2.3/8.

Figure 178 shows the creation of an IP route to 10.48.74.121 with a subnet mask of 255.0.0.0, a gateway at IP address 10.1.1.254, and a route metric of 1. Note that the switch echoes the route back in CIDR form as 10.48.74.121/8.

Figure 178 create iproute command

PP1648T:4# create iproute 10.48.74.121/255.0.0.0 10.1.1.254 1
Command: create iproute 10.48.74.121/8 10.1.1.254 1

Success.

PP1648T:4#

Creating a default IP route

To create a default IP route, enter the following command:

create iproute default

This command uses the following options:

create iproute default followed by:

<ipaddr>
    Identifies the IP address of the next hop. This can be a bridge, a router, or a gateway.

<metric>
    Specifies a numerical value representing the relative distance between the source and the destination along the IP route. The default is 1.
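The route-table behaviour described above (static entries keyed by a network address written in either format, and a default gateway that is used only when no specific route matches), as an added example that is not part of this guide or of the switch software. It also parses the listing that show iproute prints, using the rows from Figure 180 as constructed sample data, so the same lookup can be run against a table captured from a switch. RouteTable, parse_network, from_show_output and learned_from are this example's own names.

```python
"""Static IP routes, longest-prefix lookup with default-gateway fallback, and a
parser for 'show iproute' output. Constructed example; not the switch's code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    metric: int
    protocol: str = "Static"
    interface: str = ""


def parse_network(arg):
    """Accept both CLI spellings, 10.1.2.3/255.0.0.0 and 10.1.2.3/8. Host bits
    are dropped, which is why the CLI echoes 10.48.74.121/8 back as a /8 route."""
    addr, _, mask = arg.partition("/")
    if not mask:
        raise ValueError("network address needs a mask: %r" % arg)
    return ipaddress.IPv4Network((addr, mask), strict=False)


class RouteTable:
    def __init__(self):
        self.routes = []

    def create(self, network_arg, gateway, metric=1, protocol="Static", interface=""):
        """create iproute <network_address> <ipaddr> <metric>"""
        net = parse_network(network_arg)
        ipaddress.IPv4Address(gateway)            # reject a malformed next hop early
        self.routes.append(Route(net, gateway, int(metric), protocol, interface))

    def create_default(self, gateway, metric=1):
        """create iproute default <ipaddr> <metric>: the 0.0.0.0/0 entry."""
        self.create("0.0.0.0/0", gateway, metric, "Default")

    def lookup(self, dst):
        """Most specific matching network wins; ties go to the lower metric. The
        default route has prefix length 0, so it only wins when nothing else matches."""
        d = ipaddress.IPv4Address(dst)
        best = None
        for r in self.routes:
            if d in r.network and (best is None or
                    (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric)):
                best = r
        return best

    @classmethod
    def from_show_output(cls, text):
        """Parse a 'show iproute' listing; the default entry prints as a bare 0.0.0.0."""
        row = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s*(\S+)\s+(\d+)\s+(\w+)")
        table = cls()
        for line in text.splitlines():
            m = row.match(line.strip())
            if m:
                net, gw, ifname, cost, proto = m.groups()
                table.create(net if "/" in net else net + "/0", gw, cost, proto, ifname)
        return table

    def learned_from(self, protocols):
        """Audit helper: routes that arrived through the given dynamic protocols."""
        return [r for r in self.routes if r.protocol in protocols]


# Constructed sample, copied from the 'show iproute' listing in Figure 180.
SAMPLE_SHOW_IPROUTE = """\
Routing Table
IP Address/Netmask  Gateway          Interface  Cost  Protocol
------------------  ---------------  ---------  ----  -------------
0.0.0.0             10.254.254.254   System     1     Default
11.0.0.0/29         11.0.0.2         v2         1     Local
11.0.0.32/29        11.0.0.25        v3         15    OSPF
12.1.40.0/24        11.0.0.25        v3         8     OSPF
31.1.40.0/24        201.8.0.1        v5         2     RIP (Age: 26)
Total Entries: 5
"""
```

learned_from is the part worth keeping around: run it over a captured listing and any RIP or OSPF route that should not be there, for example one that shadows a static entry with a longer prefix, stands out immediately, because lookup prefers the longer prefix regardless of which protocol installed it.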
Creating an IP route using a network address

To create an IP route using a network address, enter the following command:

create iproute <network_address>

This command uses the following options:

create iproute <network_address> followed by:

<ipaddr>
    Identifies the IP address of the next hop. This can be a bridge, a router, or a gateway.

<metric>
    Specifies a numerical value representing the relative distance between the source and the destination along the IP route. The default is 1.

Deleting an IP route

To delete the default IP route, enter the following command:

delete iproute default

Figure 179 shows the deletion of the default IP route.

Figure 179 delete iproute command

PP1648T:4# delete iproute default
Command: delete iproute default

Success.

PP1648T:4#

Displaying the IP routes

To display the current IP routes in the switch's routing table, enter the following command:

show iproute

This command uses the following options:

show iproute followed by:

<network_address>
    Specifies the IP address and subnet mask of the destination network whose IP route you want to display, if it exists. You can specify the address and mask using the traditional format, for example 10.1.2.3/255.0.0.0, or the CIDR format, for example 10.1.2.3/8.

static
    Displays only the routes that were entered statically.
rip
    Displays only the routes discovered by RIP (Routing Information Protocol).

ospf
    Displays only the routes discovered by OSPF (Open Shortest Path First).

Figure 180 shows the display of the switch's routing table.

Figure 180 show iproute command

PP1648T:4# show iproute
Command: show iproute

Routing Table

IP Address/Netmask  Gateway          Interface  Cost  Protocol
------------------  ---------------  ---------  ----  -------------
0.0.0.0             10.254.254.254   System     1     Default
11.0.0.0/29         11.0.0.2         v2         1     Local
11.0.0.32/29        11.0.0.25        v3         15    OSPF
12.1.40.0/24        11.0.0.25        v3         8     OSPF
31.1.40.0/24        201.8.0.1        v5         2     RIP (Age: 26)

Total Entries: 5

PP1648T:4#

Configuring IP routes

To configure IP routes, enter the following command:

config iproute

This command uses the following options:

config iproute followed by:

default
    Modifies the default route that has been created.

max_static_route
    Sets the maximum number of static route entries.

Figure 181 shows the display of the config iproute command.

Figure 181 config iproute command

PP1648T:4# config iproute
Command: config iproute

Next possible completions:
default max_static_route

PP1648T:4#

Configuring default IP routes

To modify the default IP route, enter the following command:

config iproute default

This command uses the following options:

config iproute default followed by:

<ipaddr>
    Identifies the IP address of the next hop. This can be a bridge, a router, or a gateway.
<metric 1-65535>
    Specifies a numerical value representing the relative distance between the source and the destination along the IP route. The default value is 1.

Figure 182 shows the display of the config iproute default command.

Figure 182 config iproute default command

PP1648T:4# config iproute default
Command: config iproute default

Next possible completions:
<ipaddr> <metric 1-65535>

PP1648T:4#

Configuring IP routes with max static routes

To set the maximum number of static routes, enter the following command:

config iproute max_static_route

This command uses the following options:

config iproute max_static_route followed by:

<int 0-512>
    Identifies the maximum number of static route entries available for user configuration. The default value is 32.

Note: Because of memory limitations, reserving more space for static route entries reduces the maximum number of dynamic routes. Before changing the default setting, refer to Table 11.

Table 11 Unicast/multicast ratios for dynamic and static iproute and arp values

Unicast/multicast ratio of 75/25

Dynamic iproute  Static iproute  Dynamic arp  Static arp
1404             0               1372         32
1372             32              1372         32
1340             64              1372         32
1276             128             1372         32
1148             256             1372         32
892              512             1372         32

Unicast/multicast ratio of 100/0

Dynamic iproute  Static iproute  Dynamic arp  Static arp
1918             0               1372         32
1886             32              1372         32
1854             64              1372         32
1790             128             1372         32
1662             256             1372         32
1406             512             1372         32

Figure 183 shows the display of the config iproute max_static_route command.
Figure 183 config iproute max_static_route command

PP1648T:4# config iproute max_static_route
Command: config iproute max_static_route

Next possible completions:
<int 0-512>

PP1648T:4#

Using route redistribution

Route redistribution allows routers on the network that are running different routing protocols to exchange routing information. This is accomplished by comparing the routes stored in the various routers' routing tables and assigning appropriate metrics. This information is then exchanged among the routers according to each router's current routing protocol.

The switch can redistribute routing information between the OSPF and RIP routing protocols to all routers on the network that are running either OSPF or RIP. Routing information entered into the switch's static routing table and the IP interface routing information (local to the switch) can also be redistributed.

Roadmap of route redistribution CLI commands

The following roadmap lists the route redistribution commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on route redistribution commands.
Command                    Parameter
create route redistribute  dst ospf src rip mettype [type_1|type_2] metric <value>
create route redistribute  dst rip src ospf [all|internal|external|type_1|type_2|inter+e1|inter+e2] metric <value>
delete route redistribute  dst [rip|ospf] src [rip|static|local|ospf]
config route redistribute  dst ospf src rip mettype [1|2] metric <value>
config route redistribute  dst rip src ospf [all|internal|external|type_1|type_2|inter+e1|inter+e2] metric <value>
show route redistribute    dst [rip|ospf] src [rip|static|local|ospf]

Creating a route redistribution from RIP to OSPF

The source of the routing information to redistribute into OSPF can be RIP, the switch's static routing table, or the switch's local IP interface routing information. You can also choose how the routing metric is calculated when the routes are redistributed into OSPF. To redistribute routes from RIP into OSPF (RIP as the source and OSPF as the destination), enter the following command:

create route redistribute dst ospf src rip

The src keyword rip selects the routes discovered through the Routing Information Protocol (RIP). You can also specify static or local as the source of the routing information to redistribute: static refers to manual entries in the switch's routing table, and local refers to the routes of the switch's own IP interfaces.

This command uses the following options:

create route redistribute dst ospf src rip followed by:

mettype [type_1|type_2]
    Chooses between the two methods of calculating the routing metric when redistributing routing information.
    type_1 calculates the metric by adding the destination's interface cost to the metric entered in the metric field, below.
    type_2 uses the metric entered in the metric field without change.
    Metric type 2 applies only when the destination protocol is OSPF.

metric <value>
    Specifies the OSPF cost to assign to routes redistributed from RIP into OSPF. Entering a metric value of 0 specifies transparency.

Table 12 shows the allowed values for the OSPF routing metrics.

Table 12 Allowed values for the OSPF routing metrics

Route Source  Metric          Metric Type
RIP           0 to 16777214   mettype 1, mettype 2
Static        0 to 16777214   mettype 1, mettype 2
Local         0 to 16777214   mettype 1, mettype 2

A RIP metric value of 0 is redistributed into OSPF as 20.

Figure 184 shows how to redistribute routing information from RIP into OSPF, with RIP as the source and OSPF as the destination.

Figure 184 create route redistribute dst ospf src rip command

PP1648T:4# create route redistribute dst ospf src rip
Command: create route redistribute dst ospf src rip

Success.

PP1648T:4#

Creating a route redistribution from OSPF to RIP

The source of the routing information to redistribute into RIP can be OSPF, the switch's static routing table, or the switch's local IP interface routing information. You can choose the type of OSPF route to redistribute, as well as the metric the routes receive in RIP. To redistribute routes from OSPF into RIP (OSPF as the source and RIP as the destination), enter the following command:

create route redistribute dst rip src ospf

The src keyword ospf selects the routes discovered through Open Shortest Path First (OSPF). You can also specify static or local as the source of the routing information to redistribute: static refers to manual entries in the switch's routing table, and local refers to the routes of the switch's own IP interfaces.
This command uses the following options:

create route redistribute dst rip src ospf followed by:

[all|internal|external|type_1|type_2|inter+e1|inter+e2]
    Follow ospf with one of the following OSPF route type descriptors:
    all redistributes all OSPF routes in the switch's routing table to RIP.
    internal redistributes only OSPF internal routes to RIP.
    external redistributes only OSPF external routes to RIP.
    type_1 redistributes only OSPF external type 1 routes to RIP.
    type_2 redistributes only OSPF external type 2 routes to RIP.
    inter+e1 redistributes OSPF internal routes and external type 1 routes to RIP.
    inter+e2 redistributes OSPF internal routes and external type 2 routes to RIP.

metric <value>
    Specifies the RIP metric (hop count) to assign to routes redistributed from OSPF into RIP. Entering a metric value of 0 specifies transparency.

Table 13 shows the allowed values for the routing metrics.

Table 13 Allowed values for the routing metrics

Route Source  Metric   Type
OSPF          0 to 16  all, internal, external, type_1, type_2, inter+e1, inter+e2
RIP           0 to 16  not applicable

Figure 185 shows how to redistribute all OSPF routes in the switch's routing table to RIP with a RIP metric of 2.

Figure 185 create route redistribute dst rip src ospf command

PP1648T:4# create route redistribute dst rip src ospf all metric 2
Command: create route redistribute dst rip src ospf all metric 2

Success.

PP1648T:4#

Deleting a route redistribution

To delete a route redistribution configuration, enter the following command:

delete route redistribute

This command uses the following options:

delete route redistribute followed by:

dst [rip|ospf]
    Selects the destination of the route redistribution you want to delete.
    If the route redistribution is from RIP to OSPF, then OSPF is the destination protocol.

src [rip|static|local|ospf]
    Selects the source of the route redistribution you want to delete. If the route redistribution is from RIP to OSPF, then RIP is the source protocol.

Figure 186 shows how to delete the route redistribution from OSPF to RIP (RIP as the destination and OSPF as the source).

Figure 186 delete route redistribute command

PP1648T:4# delete route redistribute dst rip src ospf
Command: delete route redistribute dst rip src ospf

Success.

PP1648T:4#

Configuring a route redistribution between RIP and OSPF

To modify the route redistribution configuration from RIP to OSPF (RIP as the source and OSPF as the destination), enter the following command:

config route redistribute dst ospf src rip

The src keyword rip selects the routes discovered through the Routing Information Protocol (RIP). You can also specify static or local as the source of the routing information to redistribute: static refers to manual entries in the switch's routing table, and local refers to the routes of the switch's own IP interfaces.

This command uses the following options:

config route redistribute dst ospf src rip followed by:

mettype [1|2]
    Chooses between the two methods of calculating the routing metric when redistributing routing information.
    1 calculates the metric by adding the destination's interface cost to the metric entered in the metric field, below.
    2 uses the metric entered in the metric field without change.
    Metric type 2 applies only when the destination protocol is OSPF.
metric <value>
    Specifies the OSPF cost to assign to routes redistributed from RIP into OSPF.

Figure 187 shows how to configure route redistribution from RIP to OSPF using metric calculation method 1 and a metric value of 2.

Figure 187 config route redistribute dst ospf src rip command

PP1648T:4# config route redistribute dst ospf src rip mettype 1 metric 2
Command: config route redistribute dst ospf src rip mettype 1 metric 2

Success.

PP1648T:4#

Configuring a route redistribution between OSPF and RIP

To modify the route redistribution configuration from OSPF to RIP (OSPF as the source and RIP as the destination), enter the following command:

config route redistribute dst rip src ospf

The src keyword ospf selects the routes discovered through Open Shortest Path First (OSPF). You can also specify static or local as the source of the routing information to redistribute: static refers to manual entries in the switch's routing table, and local refers to the routes of the switch's own IP interfaces.
This command uses the following options:

config route redistribute dst rip src ospf followed by:

[all|internal|external|type_1|type_2|inter+e1|inter+e2]
    Follow ospf with one of the following OSPF route type descriptors:
    all redistributes all OSPF routes in the switch's routing table to RIP.
    internal redistributes only OSPF internal routes to RIP.
    external redistributes only OSPF external routes to RIP.
    type_1 redistributes only OSPF external type 1 routes to RIP.
    type_2 redistributes only OSPF external type 2 routes to RIP.
    inter+e1 redistributes OSPF internal routes and external type 1 routes to RIP.
    inter+e2 redistributes OSPF internal routes and external type 2 routes to RIP.

metric <value>
    Specifies the RIP metric (hop count) to assign to routes redistributed from OSPF into RIP.

Figure 188 shows the configuration of a route redistribution from OSPF to RIP using OSPF route type all and a metric value of 3.

Figure 188 config route redistribute dst rip src ospf command

PP1648T:4# config route redistribute dst rip src ospf all metric 3
Command: config route redistribute dst rip src ospf all metric 3

Success.

PP1648T:4#

Displaying the route redistribution settings

To display the switch's route redistribution settings, for example the settings for redistribution from OSPF to RIP, enter the following command:

show route redistribute dst rip src ospf

This command uses the following options:

show route redistribute followed by:

dst [rip|ospf]
    Selects the destination protocol of the route redistribution settings you want to display. If no destination protocol is specified, the switch displays all of its route redistribution settings.

src [rip|static|local|ospf]
    Selects the source protocol of the route redistribution settings you want to display.
Figure 189 shows the display of the routing information redistribution settings.

Figure 189 show route redistribute command

PP1648T:4# show route redistribute
Command: show route redistribute

Route Redistribution Settings

Source Protocol   Destination Protocol   Type     Metric
---------------   --------------------   -------  ------------
OSPF              RIP                    All      Transparency
RIP               OSPF                   Type-1   2
LOCAL             OSPF                   Type-2   20

Total Entries : 3
PP1648T:4#

Chapter 12 Configuring VRRP

This chapter describes the CLI commands that you can use to configure the Virtual Router Redundancy Protocol (VRRP) on the Switch.

VRRP dynamically assigns responsibility for a virtual router to one of the VRRP routers on your LAN. The VRRP router controlling the IP address associated with a virtual router is called the Master, and forwards packets sent to this IP address. This allows any of the virtual router IP addresses on the LAN to be used as the default first-hop router by end-hosts. The advantage gained from using VRRP is a higher-availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.

The use of a statically configured default route is popular because it minimizes configuration and processing overhead on the end-host and is widely supported. However, it creates a single point of failure in your LAN. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available. VRRP is designed to eliminate the single point of failure inherent in the static default-routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on your LAN.
The VRRP router controlling the IP address associated with a virtual router is called the Master, and forwards packets sent to this IP address. The election process provides dynamic fail-over of the forwarding responsibility should the Master become unavailable. Any of the virtual router’s IP addresses on a LAN can then be used as the default first-hop router by end-hosts. The advantage gained from using VRRP is a higher-availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.

You can assign a VRRP IP interface to every VLAN (and corresponding IP interface) configured on the Switch.

The VRRP commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the following table.

Roadmap of VRRP features

Command                        Parameter
create vrrp ipif <ipif_name>   vrid <int 1-255>
                               authtype [none | simple authdata <string> | ip authdata <string>]
                               admin [up | down]
                               priority <int 1-255>
                               advint <int 1-255>
                               preempt [true | false]
                               critical ipaddress <ipaddr>
                               criticalip [enabled | disabled]
                               holddowntimer <int 0-21600>
delete vrrp ipif <ipif_name>   vrid <int 1-255>
config vrrp ipif <ipif_name>   authtype [none | simple authdata <string>]
                               vrid <int 1-255>
                               admin [up | down]
                               priority <int 1-255>
                               advint <int 1-255>
                               preempt [true | false]
                               critical ip address <ipaddr>
                               criticalip [enabled | disabled]
                               holddowntimer <int 0-21600>
show vrrp ipif <ipif_name>     vrid <int 1-255>
enable vrrp                    ping
disable vrrp                   ping

Creating a VRRP IP interface

To create a VRRP IP interface on the Switch, use the following command:

create vrrp ipif

This command includes the following options:

create vrrp ipif followed by:

  <ipif_name>
      This is the name of the IP interface that the VRRP entry is being created for.
      This IP interface must have been previously created, and assigned to a VLAN, on the Switch.

  authtype [none | simple authdata <string> | ip authdata <string>]
      Specifies the type of authentication that will be used. The same authentication method must be specified for all routers that will participate in the VRRP.
      none specifies that no authentication will be used.
      If simple authdata is specified, you must enter an alphanumeric string of no more than 8 characters in the <string> field. This same string must be entered for all routers that will participate in the VRRP. It is used as a simple password, and will be compared when VRRP message packets are received by a router. If the two strings do not match, the packet will be dropped.
      If ip authdata is specified, you must supply an alphanumeric authentication string of no more than 16 characters in the <string> field. This same string must be entered for all routers that will participate in the VRRP. An MD5 message digest is generated using this string, and will be compared when VRRP message packets are received by a router. If the two digests do not match, the packet will be dropped.

  vrid <int 1-255>
      This is an integer that identifies this VRRP group from other VRRP groups that may be defined on your network. All routers that will participate in this VRRP group must be assigned the same VRID (for example, 1), but this number must be different from the VRID that is assigned to other VRRP groups that may be created or configured on your network.

  ipaddress <ipaddr>
      This is the virtual IP address that will be assigned to the VRRP entry. This is also the IP address of the default gateway that will be statically assigned to end-hosts. This virtual IP address must be assigned to all routers that will participate in this VRRP group.
  admin [up | down]
      Specifies the administrative state of the VRRP entry. If up is specified, the router will participate in VRRP. If down is specified, the router will not participate in VRRP.

  priority <int 1-255>
      This is a relative number that will be used in the election of a Master router from the group of routers that participate in VRRP. A higher number increases the probability that this router will be elected as the Master router. A lower number increases the probability that this router will be elected as a backup router. 255 is used to indicate that this router will always be the Master, and no backup router can become the Master unless the Master stops functioning. The default value is 100. If all routers participating in VRRP are assigned the same priority value, the router with the higher physical IP address will be elected as the Master.

  advint <int 1-255>
      This is the time interval, in seconds, between sending VRRP message packets. The default value is 1 second. The same advint value must be assigned to all routers participating in this VRRP group.

  preempt [true | false]
      This specifies the behavior of backup routers in the VRRP group. The same preempt setting (true or false) must be set for all routers participating in this VRRP group. If preempt is set to true, and a backup router’s priority is larger than the Master’s priority, the backup will become the Master, and the Master will become a backup. If preempt is set to false, a backup router cannot become a Master router.

  critical ip address <ipaddr>
      This is a physical IP address that provides the most direct route to the Internet or other critical network connections from this router. This must be a real IP address assigned to a real device on the network.
      If the connection between the Master router and this IP address is not functioning, a new Master will be elected from the backup routers participating in the VRRP. If the connection from a backup router to this IP address is also not functioning, this backup router cannot become the Master. You can assign different critical IP addresses to different routers participating in the VRRP. In this way, you can define multiple routes to the Internet or other critical network connections.

  criticalip [enabled | disabled]
      This is used to enable or disable the critical ip address option above. The default is disabled.

  holddowntimer <int 0-21600>
      This is the time interval, in seconds, that the router will wait after being booted before starting VRRP. All routers participating in this VRRP group must have the same holddowntimer value. The default is 0 seconds. A longer time interval may be specified if multiple routes must be learned by the Switch from other devices on the network.

Figure 190 shows the creation of a VRRP entry for the IP interface System with the vrid 1 and the virtual IP address 10.1.1.1.

Figure 190 create vrrp ipif

:4#create vrrp ipif System vrid 1 ipaddress 10.1.1.1
Command: create vrrp System vrid 1 ipaddress 10.1.1.1
Success.
:4#

Configuring a VRRP IP interface

To configure a VRRP IP interface on the Switch, use the following command:

config vrrp ipif

This command includes the following options:

config vrrp ipif followed by:

  <ipif_name>
      This is the name of the IP interface of the VRRP entry that is being configured. This IP interface must have been previously created, and assigned to a VLAN, on the Switch.

  authtype [none | simple authdata <string> | ip authdata <string>]
      Specifies the type of authentication that will be used.
      The same authentication method must be specified for all routers that will participate in the VRRP.
      none specifies that no authentication will be used.
      If simple authdata is specified, you must enter an alphanumeric string of no more than 8 characters in the <string> field. This same string must be entered for all routers that will participate in the VRRP. It is used as a simple password, and will be compared when VRRP message packets are received by a router. If the two strings do not match, the packet will be dropped.
      If ip authdata is specified, you must supply an alphanumeric authentication string of no more than 16 characters in the <string> field. This same string must be entered for all routers that will participate in the VRRP. An MD5 message digest is generated using this string, and will be compared when VRRP message packets are received by a router. If the two digests do not match, the packet will be dropped.

  vrid <int 1-255>
      This is an integer that identifies this VRRP group from other VRRP groups that may be defined on your network. All routers that will participate in this VRRP group must be assigned the same VRID (for example, 1), but this number must be different from the VRID that is assigned to other VRRP groups that may be created or configured on your network.

  admin [up | down]
      Specifies the administrative state of the VRRP entry. If up is specified, the router will participate in VRRP. If down is specified, the router will not participate in VRRP.

  priority <int 1-255>
      This is a relative number that will be used in the election of a Master router from the group of routers that participate in VRRP. A higher number increases the probability that this router will be elected as the Master router.
      A lower number increases the probability that this router will be elected as a backup router. 255 is used to indicate that this router will always be the Master, and no backup router can become the Master unless the Master stops functioning. The default value is 100. If all routers participating in VRRP are assigned the same priority value, the router with the higher physical IP address will be elected as the Master.

  advint <int 1-255>
      This is the time interval, in seconds, between sending VRRP message packets. The default value is 1 second. The same advint value must be assigned to all routers participating in this VRRP group.

  preempt [true | false]
      This specifies the behavior of backup routers in the VRRP group. The same preempt setting (true or false) must be set for all routers participating in this VRRP group. If preempt is set to true, and a backup router’s priority is larger than the Master’s priority, the backup will become the Master, and the Master will become a backup. If preempt is set to false, a backup router cannot become a Master router.

  critical ip address <ipaddr>
      This is a physical IP address that provides the most direct route to the Internet or other critical network connections from this router. This must be a real IP address assigned to a real device on the network. If the connection between the Master router and this IP address is not functioning, a new Master will be elected from the backup routers participating in the VRRP. If the connection from a backup router to this IP address is also not functioning, this backup router cannot become the Master. You can assign different critical IP addresses to different routers participating in the VRRP. In this way, you can define multiple routes to the Internet or other critical network connections.

  criticalip [enabled | disabled]
      This is used to enable or disable the critical ip address option above.
      The default is disabled.

  holddowntimer <int 0-21600>
      This is the time interval, in seconds, that the router will wait after being booted before starting VRRP. All routers participating in this VRRP group must have the same holddowntimer value. The default is 0 seconds. A longer time interval may be specified if multiple routes must be learned by the Switch from other devices on the network.

Figure 191 shows the configuration of the VRRP entry for the IP interface System to set the entry’s priority to 4.

Figure 191 config vrrp ipif

:4# config vrrp ipif System vrid 1 priority 4
Command: config vrrp ipif System vrid 1 priority 4
Success.
:4#

Displaying a VRRP IP interface configuration

To display a VRRP IP interface configuration on the Switch, use the following command:

show vrrp ipif

This command includes the following options:

show vrrp ipif followed by:

  <ipif_name>
      This is the name of the IP interface whose VRRP entry is being displayed. This IP interface must have been previously created, and assigned to a VLAN, on the Switch.

  vrid <int 1-255>
      This is an integer that identifies the VRRP entry.

Figure 192 shows the VRRP entry for the IP interface System.
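The following Python is an added example, not code from this manual or from the switch software. It shows what the authtype, vrid, advint, priority and preempt options described for create vrrp ipif and config vrrp ipif mean on the receiving side of a VRRPv2 advertisement (RFC 3768 packet layout). It assumes the simple authdata string occupies the packet's 8-byte authentication field (where it travels in the clear), does not model the ip authdata MD5 variant, and the packet, addresses and password below are constructed.

```python
"""Added example (not the manual's or the switch's code): receiving-side checks
for a VRRPv2 advertisement (RFC 3768 layout), per the authtype/priority/preempt text."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE = 0, 1   # simple authdata rides in the packet in the clear
OWNER_PRIORITY = 255            # manual: 255 means this router is always the Master

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advertisement(vrid, priority, advint, vips, auth_type=AUTH_NONE, authdata=b""):
    """Encode an advertisement; authdata is the 'simple authdata' string (max 8 chars)."""
    if len(authdata) > 8:
        raise ValueError("simple authdata is at most 8 characters")
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(vips), auth_type, advint, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + authdata.ljust(8, b"\x00")
    checksum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", checksum) + body

def parse_advertisement(pkt: bytes) -> dict:
    """Decode the fixed header, the virtual IP list and the authentication field."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP message")
    vt, vrid, priority, count, auth_type, advint, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count
    if len(pkt) < end + 8:
        raise ValueError("truncated VRRP message")
    return {"vrid": vrid, "priority": priority, "advint": advint, "auth_type": auth_type,
            "vips": [str(IPv4Address(pkt[i:i + 4])) for i in range(8, end, 4)],
            "authdata": pkt[end:end + 8].rstrip(b"\x00"),
            # a valid message sums to zero when its own checksum field is included
            "checksum_ok": internet_checksum(pkt) == 0}

@dataclass
class VrrpEntry:
    """Local state of one 'create vrrp ipif <ipif_name> vrid ...' entry."""
    vrid: int
    physical_ip: str
    priority: int = 100        # manual default
    advint: int = 1            # manual default, seconds
    preempt: bool = True
    auth_type: int = AUTH_NONE
    authdata: bytes = b""

def accept_advertisement(entry: VrrpEntry, pkt: bytes):
    """Return (accepted, reason).  A VRID, checksum, authentication or
    advertisement-interval mismatch drops the packet, as the manual describes."""
    try:
        adv = parse_advertisement(pkt)
    except ValueError as exc:
        return False, str(exc)
    if adv["vrid"] != entry.vrid:
        return False, "vrid mismatch"
    if not adv["checksum_ok"]:
        return False, "bad checksum"
    if adv["auth_type"] != entry.auth_type:
        return False, "authentication type mismatch"
    if entry.auth_type == AUTH_SIMPLE and adv["authdata"] != entry.authdata:
        return False, "authentication mismatch"
    if adv["advint"] != entry.advint:
        return False, "advertisement interval mismatch"
    return True, "accepted"

def should_take_over(entry: VrrpEntry, adv: dict, sender_ip: str) -> bool:
    """The manual's election rules, seen from a backup that hears the Master:
    a priority-255 Master is never displaced, preempt false keeps the backup a
    backup, a higher priority wins, and a tie goes to the higher physical IP."""
    if adv["priority"] == OWNER_PRIORITY or not entry.preempt:
        return False
    if entry.priority != adv["priority"]:
        return entry.priority > adv["priority"]
    return IPv4Address(entry.physical_ip) > IPv4Address(sender_ip)

# Constructed sample: the current Master of VRID 1 advertises virtual IP
# 10.1.1.1 every second, protected by the simple authdata string "s3cret".
MASTER_PKT = build_advertisement(1, 100, 1, ["10.1.1.1"], AUTH_SIMPLE, b"s3cret")

if __name__ == "__main__":
    me = VrrpEntry(vrid=1, physical_ip="10.42.73.88", priority=100,
                   auth_type=AUTH_SIMPLE, authdata=b"s3cret")
    print(accept_advertisement(me, MASTER_PKT))                                  # (True, 'accepted')
    print(should_take_over(me, parse_advertisement(MASTER_PKT), "10.42.73.1"))  # True
```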
Figure 192 show vrrp ipif

:4# show vrrp ipif System vrid 1
Command: show vrrp System vrid 1
VRRP                     : Disabled
Ping Virtal IP Address   : Disabled
Interface Name           : System
Authentication type      : None
VRID                     : 1
Current State            : Init
Advertisement Interval   : 1 second(s)
Preemption Mode          : Preempt
Priority                 : 4
Administrator Status     : Down
HoldDownTimer            : 0
Master IP addresses      : 10.42.73.88
IP addresses backed up   : 10.1.1.1
Critical IP              : Disabled
Critical IP addresses    : 0.0.0.0
Total Entries: 1
:4#

Deleting a VRRP IP interface configuration

To delete all VRRP IP interface configurations on the Switch, use the following command:

delete vrrp

This command includes the following options:

delete vrrp followed by:

  ipif
      This allows you to select a specific VRRP IP interface (or VRRP group) to be deleted from the Switch. If you simply enter delete vrrp, the Switch will delete all VRRP groups that have been configured.

  <ipif_name>
      This is the name of the IP interface that the VRRP entry was created for.

  vrid <int 1-255>
      This is an integer that identifies the VRRP entry.

Figure 193 shows the deletion of the VRRP entry for the IP interface System.

Figure 193 delete vrrp

:4# delete vrrp ipif System vrid 1
Command: delete vrrp ipif System vrid 1
Success.
:4#

Enabling a VRRP IP interface configuration

To enable a VRRP IP interface configuration on the Switch, use the following command:

enable vrrp

This command includes the following options:

enable vrrp followed by:

  ping
      This allows the virtual IP address to be “pinged” from end-hosts to verify connectivity. The default is disabled (no ping parameter entered). If the ping parameter is specified, the command only enables the virtual IP address to be “pinged”.
      If the ping parameter is not specified, the command enables the VRRP protocol on the Switch.

Figure 194 shows VRRP being enabled on the Switch.

Figure 194 enable vrrp

:4# enable vrrp
Command: enable vrrp
Success.
:4#

Disabling a VRRP IP interface configuration

To disable a VRRP IP interface configuration on the Switch, use the following command:

disable vrrp

This command includes the following options:

disable vrrp followed by:

  ping
      This parameter refers to the ability of the virtual IP address to be “pinged” from end-hosts to verify connectivity. If the ping parameter is specified, the command only disables the virtual IP address from being “pinged”. If the ping parameter is not specified, the command disables the VRRP protocol on the Switch.

Figure 195 shows VRRP being disabled on the Switch.

Figure 195 disable vrrp

:4# disable vrrp
Command: disable vrrp
Success.
:4#

Chapter 13 Configuring BootP and DNS relay

This chapter describes how to configure Bootstrap Protocol (BootP) relay and Dynamic Name Server (DNS) relay. Specifically, it includes the following topics:

Topic                     Page
Configuring BootP relay   331
Configuring DNS relay     338

Configuring BootP relay

BootP relay enables end stations to use a BootP server to obtain TCP/IP configuration information, even if the BootP server is not on the local IP interface. If the BootP server and end station are on the same IP interface, no relay is necessary. If the BootP server and the end station are on different IP interfaces, a relay agent is necessary for the switch to forward the BootP messages. The relay agent forwards these packets between IP interfaces, and therefore must know the IP addresses of the BootP servers and their respective IP interface names.
When the switch receives packets destined for a BootP server, it forwards them to specific servers as defined in the BootP relay configuration. The switch also forwards packets from the BootP servers to the appropriate IP interfaces.

This section includes the following topics:

Topic                                              Page
Roadmap of BootP relay commands                    332
Configuring BootP relay                            333
Adding a BootP relay address                       334
Deleting a BootP relay address                     335
Enabling BootP relay                               336
Displaying the current BootP relay configuration   337

Roadmap of BootP relay commands

The following roadmap lists some of the BootP relay commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on BootP relay commands.

Command                     Parameter
config bootp_relay          hops <value 1-16>
                            time <sec 0-65535>
config bootp_relay add      ipif <ipif_name> <ipaddr>
config bootp_relay delete   ipif <ipif_name> <ipaddr>
enable bootp_relay
disable bootp_relay
show bootp_relay            ipif <ipif_name>

Configuring BootP relay

To configure BootP relay, use the following command:

config bootp_relay

This command contains the following parameters:

config bootp_relay followed by:

  hops <value 1-16>
      The maximum number of router hops that the BootP packets can cross before being dropped.

  time <sec 0-65535>
      The minimum amount of time, in seconds, within which the switch must relay the BootP request. If this time is exceeded, the switch will drop the BootP packet.

Figure 196 shows BootP relay being configured to allow the BootP packets to cross 4 routers, and to set the BootP relay timer to 2 seconds.

Figure 196 config bootp_relay command

PP1612G:4#config bootp_relay hops 4 time 2
Command: config bootp_relay hops 4 time 2
Success.
PP1612G:4#

Adding a BootP relay address

To add the IP address of a BootP relay server, use the following command:

config bootp_relay add

This command contains the following parameters:

config bootp_relay add followed by:

  ipif <ipif_name>
      This is the name of the IP interface on the switch to which the BootP server’s packets will be relayed.

  <ipaddr>
      This is the IP address of the BootP server.

Figure 197 shows the addition of a BootP relay server, located on the IP interface named System, with the IP address 10.43.21.12.

Figure 197 config bootp_relay add command

PP1612G:4#config bootp_relay add ipif System 10.43.21.12
Command: config bootp_relay add ipif System 10.43.21.12
Success.
PP1612G:4#

Deleting a BootP relay address

To delete the IP address of a BootP relay server, use the following command:

config bootp_relay delete

This command contains the following parameters:

config bootp_relay delete followed by:

  ipif <ipif_name>
      This is the name of the IP interface on the switch to which the BootP server’s packets were relayed.

  <ipaddr>
      This is the IP address of the BootP server.

Figure 198 shows the deletion of a BootP relay server, located on the IP interface named System, with the IP address 10.43.21.12.

Figure 198 config bootp_relay delete command

PP1612G:4#config bootp_relay delete ipif System 10.43.21.12
Command: config bootp_relay delete ipif System 10.43.21.12
Success.
PP1612G:4#

Enabling BootP relay

To enable BootP relay, use the following command:

enable bootp_relay

Figure 199 shows BootP relay being enabled.
Figure 199 enable bootp_relay command

PP1612G:4#enable bootp_relay
Command: enable bootp_relay
Success.
PP1612G:4#

Disabling BootP relay

To disable BootP relay, use the following command:

disable bootp_relay

This command uses no additional options.

Figure 200 shows BootP relay being disabled.

Figure 200 disable bootp_relay command

PP1612G:4#disable bootp_relay
Command: disable bootp_relay
Success.
PP1612G:4#

Displaying the current BootP relay configuration

To display the current BootP relay configuration, use the following command:

show bootp_relay

This command contains the following parameters:

show bootp_relay followed by:

  ipif <ipif_name>
      The BootP relay configuration can be displayed on a per-IP-interface basis. This is the name of the IP interface you want to display the BootP relay configuration for. If no IP interface name is specified, the switch displays all of the BootP relay configurations on the switch.

Figure 201 shows the current BootP relay configuration being displayed.

Figure 201 show bootp_relay command

PP1612G:4#show bootp_relay ipif System
Command: show bootp_relay ipif System

bootp Relay Status          :Disabled
bootp Hops Count Limit      :4
bootp Relay Time Threshold  :0

Interface  Server 1      Server 2     Server 3     Server 4
---------  ------------  -----------  -----------  ------------
System     10.48.74.122  10.23.12.34  10.12.34.12  10.48.75.121

Total Entries: 1
PP1612G:4#

Configuring DNS relay

DNS relay enables end stations to use a DNS server to obtain IP addresses that correspond to URLs, even if the DNS server is not on the local IP interface. If the DNS server and end station are on the same IP interface, no relay is necessary. If the DNS server and the end station are on different IP interfaces, a relay agent is necessary for the switch to forward the DNS messages.
The relay agent forwards these packets between IP interfaces, and therefore must know the IP addresses of the DNS servers and their respective IP interface names. When the switch receives packets destined for a DNS server, it forwards them to specific servers as defined in the DNS relay configuration. The switch also forwards packets from the DNS servers to the appropriate IP interfaces.

This section includes the following topics:

Topic                                            Page
Roadmap of DNS relay CLI commands                339
Configuring DNS relay                            339
Enabling DNS relay                               341
Disabling DNS relay                              341
Enabling the DNS relay cache                     342
Disabling the DNS relay cache                    342
Enabling the DNS static table                    343
Disabling the DNS static table                   343
Displaying the current DNS relay configuration   344

Roadmap of DNS relay CLI commands

The following roadmap lists some of the DNS relay commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on DNS relay commands.

Command              Parameter
config dnsr          primary nameserver <ipaddr>
                     secondary nameserver <ipaddr>
config dnsr add      static <domain_name> <ipaddr>
config dnsr delete   static <domain_name> <ipaddr>
enable dnsr
disable dnsr
enable dnsr cache
disable dnsr cache
enable dnsr static
disable dnsr static
show dnsr            static

Configuring DNS relay

To configure DNS relay to relay packets from the primary DNS server, you can use the following set of commands:

config dnsr
config dnsr add
config dnsr delete

These commands use the following options:

config dnsr followed by:

  primary
      This specifies that the DNS server located at the IP address entered following nameserver, below, is the primary DNS server.

  secondary
      This specifies that the DNS server located at the IP address entered following nameserver, below, is the secondary DNS server.
  nameserver <ipaddr>
      This is the IP address of the DNS server.

config dnsr add followed by:

  static <domain_name>
      This specifies that the entry added to the switch’s DNS cache for this domain name will be static (no timeout).

  <ipaddr>
      This specifies the IP address of the DNS cache entry.

config dnsr delete followed by:

  static <domain_name>
      This specifies the static (no timeout) entry in the switch’s DNS cache for this domain name.

  <ipaddr>
      This specifies the IP address of the DNS cache entry.

Figure 202 shows DNS relay being configured to relay packets from the primary DNS server, located at the IP address 10.43.21.12.

Figure 202 config dnsr command

PP1612G:4#config dnsr primary nameserver 10.43.21.12
Command: config dnsr primary nameserver 10.43.21.12
Success
PP1612G:4#

Enabling DNS relay

To enable DNS relay, use the following command:

enable dnsr

This command uses no additional options.

Figure 203 shows DNS relay being enabled.

Figure 203 enable dnsr command

PP1612G:4#enable dnsr
Command: enable dnsr
Success.
PP1612G:4#

Disabling DNS relay

To disable DNS relay, use the following command:

disable dnsr

This command uses no additional options.

Figure 204 shows DNS relay being disabled.

Figure 204 disable dnsr command

PP1612G:4#disable dnsr
Command: disable dnsr
Success.
PP1612G:4#

Enabling the DNS relay cache

To enable the DNS relay cache, use the following command:

enable dnsr cache

This command uses no additional options.

Figure 205 shows the DNS relay cache being enabled.

Figure 205 enable dnsr cache command

PP1612G:4#enable dnsr cache
Command: enable dnsr cache
Success.
PP1612G:4#

Disabling the DNS relay cache

To disable the DNS relay cache, use the following command:

disable dnsr cache

This command uses no additional options.

Figure 206 shows the DNS relay cache being disabled.
Figure 206 disable dnsr cache command

PP1612G:4#disable dnsr cache
Command: disable dnsr cache
Success.
PP1612G:4#

Enabling the DNS static table

To enable the DNS relay static table, use the following command:

enable dnsr static

This command uses no additional options.

Figure 207 shows the DNS relay static table being enabled.

Figure 207 enable dnsr static command

PP1612G:4#enable dnsr static
Command: enable dnsr static
Success.
PP1612G:4#

Disabling the DNS static table

To disable the DNS relay static table, use the following command:

disable dnsr static

This command uses no additional options.

Figure 208 shows the DNS relay static table being disabled.

Figure 208 disable dnsr static command

PP1612G:4#disable dnsr static
Command: disable dnsr static
Success.
PP1612G:4#

Displaying the current DNS relay configuration

To display the current DNS relay configuration, use the following command:

show dnsr

This command uses the following options:

show dnsr followed by:

  static
      The DNS relay static table can be displayed by specifying this parameter.

Figure 209 shows the current DNS relay configuration being displayed.

Figure 209 show dnsr static command

PP1612G:4#show dnsr static
Command: show dnsr static

DNS Relay Static Table

Domain Name     IP Address
--------------  --------------
www.123.com     10.12.12.123
bbs.ntu.edu.    140.112.1.23

Total Entries: 2
PP1612G:4#

Chapter 14 Configuring SNMP

The Simple Network Management Protocol (SNMP) is a protocol for remotely monitoring and configuring network devices. SNMP enables network management stations to read and modify the settings of gateways, routers, switches, and other network devices.
SNMP can be used to perform many of the same functions as a directly connected console, or can be used within an integrated network management software package. SNMP performs the following functions:

• Sending and receiving SNMP packets through the IP protocol.
• Collecting information about the status and current configuration of network devices.
• Modifying the configuration of network devices.

The 1600 switch has a software program called an “agent” that processes SNMP requests, but the user program that makes the requests and collects the responses runs on a management station (a designated computer on the network). The SNMP agent and the user program both use the UDP/IP protocols to exchange packets.

You use “community strings” to ensure that both the router SNMP agent and the remote user SNMP application program discard packets from unauthorized users. The remote user SNMP application and the router SNMP agent must use the same community string. SNMP community strings of up to 20 characters may be entered under the Remote Management Setup menu of the console program.

Caution: The Passport 1600 Series Layer 3 Switch software version 1.1 are encrypted. When the switch starts for the first time, it uses the default community string. It is strongly recommended that you change the default community string immediately after the installation.

This chapter describes the commands you use to configure SNMP. Specifically, it includes the following topics:

Topic                          Page
Roadmap of SNMP CLI commands   347
Configuring SNMP               348
Managing SNMP traps            358

Roadmap of SNMP CLI commands

The following roadmap lists some of the SNMP CLI commands and their parameters.
Use this list as a quick reference or click on any command or parameter entry for more information: Command Parameter create snmp community <community_string> [readonly|readwrite] delete snmp community <community_string> create trusted_host <ipaddr> <netmask> delete trusted_host <ipaddr> <netmask> config snmp community <community_string> [readonly|readwrite] config snmp system_name <sw_name> config snmp location <sw_location> config snmp system_contact <sw_contact> show snmp community trap_receiver show trusted_host <ipaddr> <netmask> create snmp trap_receiver <ipaddr> <community_string> delete snmp trap_receiver <ipaddr> enable snmp disable snmp enable snmp authenticate traps disable snmp authenticate traps Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 348 Chapter 14 Configuring SNMP Configuring SNMP This section describes how to create and delete SNMP community strings and trusted hosts, to configure SNMP contact information, and to display SNMP configuration information. It contains the following topics: Topic Page Creating an SNMP community string 348 Deleting an SNMP community string 349 Creating a trusted host 350 Deleting a trusted host 351 Configuring an SNMP community string 351 Configuring the SNMP system name 353 Configuring the SNMP location 353 Configuring the SNMP system contact 354 Displaying the current SNMP configuration 355 Displaying the currently configured trusted hosts 357 Creating an SNMP community string To create an SNMP community string, use the following command: create snmp community This command contains the following parameters: create snmp community followed by: <community_string> An alphanumeric string of up to 32 characters used to authentication of users wanting access to the switch's SNMP agent. [readonly|readwrite] SNMP management stations using the above community string can have read-only access or read/write access to the switch's SNMP agent. 
The default read-only community string is “public.” The default read/write community string is “private.”

Figure 210 shows the creation of the SNMP community string “System” and gives this string read/write access.

Figure 210 create snmp community command

    PP1612G:4#create snmp community System readwrite
    Command: create snmp community System readwrite
    Success.
    PP1612G:4#

Deleting an SNMP community string

To delete an SNMP community string, use the following command:

    delete snmp community <community_string>

This command contains the following parameters:

delete snmp community followed by:
    <community_string>   An alphanumeric string of up to 32 characters used to authenticate users who want to access the switch's SNMP agent.

Figure 211 shows an example of the output for this command. In this example, the SNMP community string System is deleted.

Figure 211 delete snmp community command

    PP1612G:4#delete snmp community System
    Command: delete snmp community System
    Success.
    PP1612G:4#

Creating a trusted host

To create a trusted host, use the following command:

    create trusted_host

create trusted_host followed by:
    <ipaddr>    Specifies the IP address of the remote management station that will be a trusted host.
    <netmask>   Specifies the subnet mask corresponding to the IP address above.

Figure 212 shows the creation of a trusted host with an IP address of 10.48.74.121.

Figure 212 create trusted_host command

    PP1612G:4#create trusted_host 10.48.74.121
    Command: create trusted_host 10.48.74.121
    Success.
    PP1612G:4#

Deleting a trusted host

To delete a trusted host, use the following command:

    delete trusted_host

delete trusted_host followed by:
    <ipaddr>    Specifies the IP address of the remote management station that will be deleted as a trusted host.
    <netmask>   Specifies the subnet mask corresponding to the IP address above.

Figure 213 shows the deletion of a trusted host with an IP address of 10.48.74.121.

Figure 213 delete trusted_host command

    PP1612G:4#delete trusted_host 10.48.74.121
    Command: delete trusted_host 10.48.74.121
    Success.
    PP1612G:4#

Configuring an SNMP community string

To configure an SNMP community string, use the following command:

    config snmp community

This command contains the following parameters:

config snmp community followed by:
    <community_string>     An alphanumeric string of up to 32 characters used to authenticate users who want access to the switch's SNMP agent.
    [readonly|readwrite]   SNMP management stations using the above community string can have read-only access or read/write access to the switch's SNMP agent.

The default read-only community string is “public.” The default read/write community string is “private.”

Figure 214 shows the configuration of the SNMP community string “Passport” and gives this string read/write access.

Figure 214 config snmp community command

    PP1648T:4# create snmp community Passport readwrite
    Command: create snmp community Passport readwrite
    Success.
    PP1612G:4#config snmp community Passport readwrite
    Command: config snmp community Passport readwrite
    Success.
    PP1612G:4#

Configuring the SNMP system name

To configure an SNMP system name for the switch, use the following command:

    config snmp system_name <sw_name>

config snmp system_name followed by:
    <sw_name>   The name of the switch. The name can be up to 128 alphanumeric characters.

Figure 215 shows the configuration of the SNMP name “coolbob.”

Figure 215 config snmp system_name command

    PP1612G:4#config snmp system_name coolbob
    Command: config snmp system_name coolbob
    Success.
    PP1612G:4#

Configuring the SNMP location

To configure an SNMP location for the switch, use the following command:

    config snmp location <sw_location>

config snmp location followed by:
    <sw_location>   The location of the switch. The location can be up to 128 alphanumeric characters.

Figure 216 shows the configuration of the SNMP location “HereThere.”

Figure 216 config snmp system_location command

    PP1612G:4#config snmp system_location HereThere
    Command: config snmp system_location HereThere
    Success.
    PP1612G:4#

Configuring the SNMP system contact

To configure an SNMP system contact for the switch, use the following command:

    config snmp system_contact <sw_contact>

config snmp system_contact followed by:
    <sw_contact>   The name of the contact for the switch. The contact is usually the person or group responsible for the switch. The name can be up to 128 alphanumeric characters.

Figure 217 shows the configuration of the SNMP system contact named “Mike.”

Figure 217 config snmp system_contact command

    PP1612G:4#config snmp system_contact Mike
    Command: config snmp system_contact Mike
    Success.
    PP1612G:4#

Displaying the current SNMP configuration

To display the current SNMP configuration on the switch, use the following command:

    show snmp

This command contains the following parameters:

show snmp followed by:
    community
    trap_receiver

Figure 218 shows the current SNMP configuration on the switch.

Figure 218 show snmp command

    PP1648T:4#show snmp
    Command: show snmp

    System Name        : PP1648T
    System Location    :
    System Contact     :
    SNMP Trap          : Enabled
    Authenticate Traps : Enabled
    SNMP Status        : Enabled

    Community String   Rights
    ----------------   ---------------------
    ****               Read-Only
    ****               Read/Write
    ****               Read-Only

    Total Entries: 3

    IP Address         Community String
    --------------     ----------------
    10.1.1.100         ****

    Total Entries: 1
    PP1648T:4#

Displaying the currently configured trusted hosts

To display the currently configured trusted hosts on the switch, use the following command:

    show trusted_host

show trusted_host followed by:
    <ipaddr>    Specifies the IP address of the trusted host that you want to display.
    <netmask>   Specifies the IP mask value of the trusted host that you want to display.

This command includes the option <ipaddr>, which allows you to specify the trusted host that you want to display. Figure 219 shows the currently configured trusted hosts on the switch.

Figure 219 show trusted_host command

    PP1648T:4#show trusted_host
    Command: show trusted_host

    Management Stations:
    IP Address         Mask
    ---------------    ---------------
    10.12.53.251       255.0.0.0
    11.1.1.1           255.0.0.0
    PP1648T:4#

Managing SNMP traps

Traps are messages that alert network personnel of events that occur on the switch.
The events can be as serious as a reboot (someone accidentally turned off the switch), or less serious like a port status change. The switch generates traps and sends them to the trap recipient (or network manager). Trap recipients are special users of the network who are given certain rights and access in overseeing the maintenance of the network. Trap recipients receive traps sent from the switch; they must immediately take certain actions to avoid future failure or breakdown of the network.

You can also specify which network managers may receive traps from the switch by entering a list of the IP addresses of authorized network managers. Up to four trap recipient IP addresses, and four corresponding SNMP community strings, can be entered. SNMP community strings function like passwords in that the community string entered for a given IP address must be used in the management station software, or a trap will be sent.

This section contains the following topics:

Topic                                          Page
Creating an SNMP trap receiver                 358
Deleting an SNMP trap receiver                 359
Enabling the transmission of SNMP traps        360
Disabling the transmission of SNMP traps       360
Enabling the authentication of SNMP traps      361
Disabling the authentication of SNMP traps     361

Creating an SNMP trap receiver

To create an SNMP trap receiver, use the following command:

    create snmp trap_receiver

This command contains the following parameters:

create snmp trap_receiver followed by:
    <ipaddr>             The IP address of the remote management station that will receive SNMP traps generated by the switch’s SNMP agent.
    <community_string>   An alphanumeric string of up to 32 characters used to authenticate users wanting access to the switch's SNMP agent.

Figure 220 shows the creation of an SNMP trap receiver that has an IP address of 10.1.1.1 and will use the community string System.

Figure 220 create snmp trap_receiver command

    PP1612G:4#create snmp trap_receiver 10.1.1.1 System
    Command: create snmp trap_receiver 10.1.1.1 System
    Success.
    PP1612G:4#

Deleting an SNMP trap receiver

To delete an SNMP trap receiver, use the following command:

    delete snmp trap_receiver <ipaddr>

delete snmp trap_receiver followed by:
    <ipaddr>   Specifies the IP address of the remote management station that receives SNMP traps generated by the switch’s SNMP agent.

Figure 221 shows the deletion of an SNMP trap receiver that has an IP address of 10.1.1.1.

Figure 221 delete snmp trap_receiver command

    PP1612G:4#delete snmp trap_receiver 10.1.1.1
    Command: delete snmp trap_receiver 10.1.1.1
    Success.
    PP1612G:4#

Enabling the transmission of SNMP traps

To enable the switch’s SNMP agent to send traps, use the following command:

    enable snmp

Figure 222 shows the enabling of the transmission of SNMP traps on the switch.

Figure 222 enable snmp command

    PP1612G:4#enable snmp
    Command: enable snmp
    Success.
    PP1612G:4#

Disabling the transmission of SNMP traps

To disable the switch’s SNMP agent from sending traps, use the following command:

    disable snmp

Figure 223 shows the disabling of the transmission of SNMP traps on the switch.

Figure 223 disable snmp command

    PP1612G:4#disable snmp
    Command: disable snmp
    Success.
    PP1612G:4#

Enabling the authentication of SNMP traps

To enable the authentication of SNMP traps, use the following command:

    enable snmp authenticate traps

Figure 224 shows enabling the authentication of SNMP traps on the switch.

Figure 224 enable snmp authenticate traps command

    PP1612G:4#enable snmp authenticate traps
    Command: enable snmp authenticate traps
    Success.
    PP1612G:4#
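The settings configured in this section and the previous one (community strings, trusted hosts, trap receivers, authentication traps) are what a reviewer checks before a switch is managed over SNMP. The script below is an added example, not Nortel code: it parses a constructed configuration script written in the command forms documented here and flags the default community strings named above, short or read/write communities, overly broad trusted-host masks, and disabled authentication traps. The community-length and mask thresholds, and the host mask assumed when create trusted_host is given no netmask, are assumptions for the example.

```python
"""Audit a Passport 1600 style SNMP configuration script (added example, not Nortel code)."""
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}   # defaults named in this chapter
MIN_COMMUNITY_LEN = 8                         # assumed local policy, not a switch limit
MIN_TRUSTED_PREFIX = 24                       # assumed: wider masks trust too many hosts
HOST_MASK = "255.255.255.255"                 # assumed when create trusted_host gives no mask


def parse_snmp_script(text):
    """Return the SNMP-relevant state that the script would leave on the switch."""
    cfg = {"communities": {}, "trusted_hosts": [], "trap_receivers": [], "auth_traps": False}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:3] in (["create", "snmp", "community"], ["config", "snmp", "community"]) and len(tok) >= 5:
            cfg["communities"][tok[3]] = tok[4]           # readonly | readwrite
        elif tok[:3] == ["delete", "snmp", "community"] and len(tok) >= 4:
            cfg["communities"].pop(tok[3], None)
        elif tok[:2] == ["create", "trusted_host"] and len(tok) >= 3:
            mask = tok[3] if len(tok) > 3 else HOST_MASK
            cfg["trusted_hosts"].append((tok[2], mask))
        elif tok[:3] == ["create", "snmp", "trap_receiver"] and len(tok) >= 5:
            cfg["trap_receivers"].append((tok[3], tok[4]))
        elif tok == ["enable", "snmp", "authenticate", "traps"]:
            cfg["auth_traps"] = True
        elif tok == ["disable", "snmp", "authenticate", "traps"]:
            cfg["auth_traps"] = False
    return cfg


def audit(cfg):
    """Return (code, detail) findings; an empty list means nothing to flag."""
    findings = []
    for name, rights in cfg["communities"].items():
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-community", f"{name} ({rights})"))
        elif len(name) < MIN_COMMUNITY_LEN:
            findings.append(("short-community", name))
        if rights == "readwrite":
            findings.append(("readwrite-community", name))
    if not cfg["trusted_hosts"]:
        findings.append(("no-trusted-hosts", "any station holding a community string can reach the agent"))
    for ip, mask in cfg["trusted_hosts"]:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen < MIN_TRUSTED_PREFIX:
            findings.append(("broad-trusted-host", f"{ip}/{mask} covers {net.num_addresses} addresses"))
    for ip, community in cfg["trap_receivers"]:
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-trap-community", f"{ip} uses {community}"))
    if not cfg["auth_traps"]:
        findings.append(("auth-traps-disabled", "failed community-string checks will not raise a trap"))
    return findings


# Constructed script reusing values from this chapter's figures.
WEAK_SCRIPT = """\
create snmp community public readonly
create snmp community System readwrite
create trusted_host 10.12.53.251 255.0.0.0
create snmp trap_receiver 10.1.1.1 System
enable snmp
"""

# Constructed hardened counterpart: defaults removed, one host trusted, auth traps on.
HARDENED_SCRIPT = """\
delete snmp community public
delete snmp community private
create snmp community MgmtRO7f3k2q readonly
create trusted_host 10.48.74.121 255.255.255.255
create snmp trap_receiver 10.1.1.1 MgmtRO7f3k2q
enable snmp authenticate traps
enable snmp
"""

if __name__ == "__main__":
    for label, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(f"== {label} ==")
        for code, detail in audit(parse_snmp_script(script)) or [("ok", "no findings")]:
            print(f"{code}: {detail}")
```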
Disabling the authentication of SNMP traps

To disable the authentication of SNMP traps, use the following command:

    disable snmp authenticate traps

Figure 225 shows disabling the authentication of SNMP traps on the switch.

Figure 225 disable snmp authenticate traps command

    PP1612G:4#disable snmp authenticate traps
    Command: disable snmp authenticate traps
    Success.
    PP1612G:4#

Chapter 15 Configuring Multicasting (IGMP, IGMP Snooping, and DVMRP)

Configuring IGMP

To receive multicast packets, end users must inform nearby routers that they want to become a member of a multicast group. The Internet Group Management Protocol (IGMP) is used by multicast routers to maintain multicast group membership. IGMP is used to determine whether or not the switch should forward multicast packets it receives to the other IP interfaces. When the switch has received a multicast packet, it checks whether at least one member of a multicast group has requested to receive multicast packets from this source. If there is one member, the packet is forwarded. If there are no members, the packet is dropped.

IGMP snooping allows the switch to “snoop,” or capture, the IGMP message packets and examine their contents as these packets pass between hosts and routers. When the switch receives an IGMP join message from a host for a given multicast group, the switch adds the host’s IGMP information into its list for that group. When the switch receives an IGMP leave message for a host, it removes the host from its list for that multicast group.

This chapter describes the IP multicast commands.
Specifically, it includes the following topics:

Topic                                                                          Page
Roadmap of IGMP commands                                                       364
Configuring IGMP snooping                                                      368
The IP multicast cache commands allow you to display the entries in the        389
switch’s IP multicasting cache for specific groups and IP addresses.

Roadmap of IGMP commands

The following roadmap lists some of the IGMP commands and their parameters. Use this list as a quick reference or click on any command or parameter entry for more information on IGMP commands.

Command                          Parameter
config igmp                      ipif <ipif_name>
                                 all
                                 version <value>
                                 query_interval <sec>
                                 max_response_time <sec>
                                 robustness_variable <value>
                                 last_member_query_interval <value>
                                 state [enabled|disabled]
show igmp                        ipif <ipif_name>
show igmp group                  group <group>
                                 ipif <ipif_name>
config igmp_snooping             all
                                 host_timeout <sec>
                                 router_timeout <sec>
                                 leave_timer <sec>
                                 state [enabled|disabled]
config igmp_snooping querier     <vlan_name>
                                 all
                                 query_interval <sec>
                                 max_response_time <sec>
                                 robustness_variable <value>
                                 last_member_query_interval <sec>
                                 state [enabled|disabled]
config router_ports              <vlan_name> [add|delete] <portlist>
enable igmp_snooping             forward_mcrouter_only
show igmp_snooping               vlan <vlan_name>
show igmp_snooping group         vlan <vlan_name>
show igmp_snooping forwarding    vlan <vlan_name>
show router_ports                vlan <vlan_name> [static|dynamic]

Configuring IGMP

To configure IGMP for all IP interfaces on the switch to use IGMP version 1, and to enable IGMP, enter the following command:

    config igmp

This command uses the following options:

config igmp followed by:
    ipif <ipif_name>   Specifies the name of the IP interface for which you wish to configure IGMP.
    all                Indicates that this IGMP configuration is applied to all IP interfaces on the switch.

followed by:
    version <value>                      Identifies the IGMP version number.
    query_interval <sec>                 Designates the time, in seconds, between general query transmissions.
    max_response_time <sec>              Specifies the maximum amount of time, in seconds, that the switch will wait for reports from group members.
    robustness_variable <value>          Specifies a tuning variable for networks that are expected to lose a large number of packets. A number between 2 and 255 can be entered, with larger values being specified for networks that are expected to lose a larger number of packets. The default is 2.
    last_member_query_interval <value>   Specifies the Max Response Time inserted into Group-Specific Queries sent in response to Leave Group messages. It also identifies the amount of time between Group-Specific Query messages. The default is 1 second.
    state [enabled|disabled]             Enables or disables IGMP for the IP interface specified above.

Figure 226 shows IGMP being configured for all the IP interfaces on the switch to use IGMP version 1, and IGMP being enabled.

Figure 226 config igmp command

    PP1648T:4# config igmp all version 1 state enabled
    Command: config igmp all version 1 state enabled
    Success.
    PP1648T:4#

Displaying IGMP settings for all IP interfaces

To display the IGMP settings for all IP interfaces on the switch, use the following command:

    show igmp

This command uses the following options:

show igmp followed by:
    ipif <ipif_name>   Specifies the name of the IP interface for which you want to display the current IGMP configuration. If no IP interface name is specified, the switch displays the IGMP configuration for all the IP interfaces on the switch.
Figure 227 shows the IGMP settings for all the IP interfaces on the switch.

Figure 227 show igmp command

    PP1612G:4# show igmp
    Command: show igmp

    IGMP Interface Configurations

    Interface     IP Address        Version  Query     Maximum   Robustness  Last Member     State
                                             Interval  Response  Value       Query Interval
                                                       Time
    ------------  ---------------   -------  --------  --------  ----------  --------------  --------
    System        192.32.96.54/26   2        125       10        2           1               Disabled
    ip2           10.1.2.3/8        2        125       10        2           1               Disabled

    Total Entries: 2
    PP1612G:4#

Displaying the IGMP group settings

To display the IGMP group settings for all IP interfaces on the switch, use the following command:

    show igmp group

This command uses the following options:

show igmp group followed by:
    group <group>      Identifies the multicast group ID.
    ipif <ipif_name>   Identifies the IP interface name for which you wish to display the current IGMP configuration. If no IP interface name is specified, the switch displays the IGMP configuration for all the IP interfaces on the switch.

Figure 228 shows the IGMP group settings for all the IP interfaces on the switch.

Figure 228 show igmp group command

    PP1612G:4# show igmp group
    Command: show igmp group

    Interface     Multicast Group   Last Reporter     IP Querier        IP Expire
    ------------  ---------------   ---------------   ---------------   ---------

    Total Entries: 0
    PP1612G:4#

Configuring IGMP snooping

To configure your switch to perform IGMP snooping on all the VLANs on the switch, use the following command:

    config igmp_snooping all

This command includes the following options:

config igmp_snooping all followed by:
    host_timeout <sec>         Specifies the maximum amount of time a host can be a member of a multicast group without the switch receiving a host membership report. The default value is 70 seconds.
    router_timeout <sec>       Specifies the maximum time, in seconds, that a route remains in the switch’s memory without the switch receiving a host membership report. The default value is 70 seconds.
    leave_timer <sec>          Designates the amount of time a route will remain in the switch’s memory after receiving a leave group message from a host. The default is 2 seconds.
    state [enabled|disabled]   Enables or disables this IGMP Snooping configuration.

Figure 229 shows how to configure and enable IGMP snooping for all VLANs on the switch with a host timeout value of 250 seconds.

Figure 229 config igmp_snooping all command

    PP1648T:4#config igmp_snooping all host_timeout 250 state enabled
    Command: config igmp_snooping all host_timeout 250 state enabled
    Success.
    PP1648T:4#

Configuring IGMP snooping querier

You can use the IGMP querier feature to configure the time in seconds between general query transmissions, the maximum time in seconds to wait for reports from members, and the permitted packet loss value that guarantees IGMP snooping.
To configure the IGMP snooping querier feature, use the following command:

    config igmp_snooping querier

This command includes the following options:

config igmp_snooping querier followed by:
    <vlan_name>   Identifies the name of the VLAN to which the IGMP snooping querier configuration applies.
    all           Specifies that this IGMP Snooping querier configuration will be applied to all VLANs on the switch.

followed by:
    query_interval <sec>               Designates the amount of time, in seconds, between general query transmissions. The default setting is 30 seconds.
    max_response_time <sec>            Specifies the maximum amount of time, in seconds, that the switch will wait for reports from members. The default is 10 seconds.
    robustness_variable <value>        Specifies a tuning variable for networks that are expected to lose a large number of packets. A number between 2 and 255 can be entered, with larger values being specified for networks that are expected to lose a larger number of packets. The default is 2.
    last_member_query_interval <sec>   Identifies the Max Response Time inserted into Group-Specific Queries sent in response to Leave Group messages, and is also the amount of time between Group-Specific Query messages. The default is 1 second.
    state [enabled|disabled]           Enables or disables IGMP for the IP interface specified above.

Figure 230 shows how to configure and enable the IGMP snooping querier for a VLAN named default, with a query interval of 125 seconds.

Figure 230 config igmp_snooping querier command

    PP1648T:4#config igmp_snooping querier default query_interval 125 state enabled
    Command: config igmp_snooping querier default query_interval 125 state enabled
    Success.
    PP1648T:4#
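As an added example (not Nortel code), the following model implements the snooping behaviour described at the start of this chapter with the timers set by config igmp_snooping: a membership report adds the port to the group, a leave removes it after leave_timer seconds, a membership that sees no report within host_timeout seconds ages out, and router ports always receive the group's traffic. It also parses the portlist syntax used by config router_ports and derives the group MAC addresses (01-00-5E plus the low 23 bits of the group, per RFC 1112) that show igmp_snooping group lists later in this chapter. The VLAN, timer values and event sequence are constructed for illustration.

```python
"""Per-VLAN IGMP snooping table model (added example, not Nortel code)."""


def group_to_mac(group):
    """Map an IPv4 multicast group to the MAC address the snooping table keys on."""
    o = [int(x) for x in group.split(".")]
    if len(o) != 4 or not 224 <= o[0] <= 239 or not all(0 <= x <= 255 for x in o):
        raise ValueError(f"not an IPv4 multicast group: {group}")
    # The first octet and the top bit of the second are dropped: only 23 bits survive.
    return "01-00-5E-%02X-%02X-%02X" % (o[1] & 0x7F, o[2], o[3])


def parse_portlist(text):
    """Parse the CLI portlist syntax, e.g. '1-3, 26' -> {1, 2, 3, 26}."""
    ports = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo < 1 or hi < lo:
            raise ValueError(f"bad port range: {item}")
        ports.update(range(lo, hi + 1))
    return ports


def format_portlist(ports):
    """Inverse of parse_portlist: {17..22} -> '17-22', {7, 26} -> '7,26'."""
    runs, seq = [], sorted(ports)
    while seq:
        lo = hi = seq.pop(0)
        while seq and seq[0] == hi + 1:
            hi = seq.pop(0)
        runs.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return ",".join(runs)


class SnoopingVlan:
    """Snooping state for one VLAN; timers as set by config igmp_snooping."""

    def __init__(self, name, host_timeout=70, leave_timer=2, router_ports=""):
        self.name = name
        self.host_timeout = host_timeout
        self.leave_timer = leave_timer
        self.router_ports = parse_portlist(router_ports)
        self.members = {}   # group MAC -> {port: time the membership expires}
        self.leaving = {}   # (group MAC, port) -> time the leave takes effect

    def _age(self, now):
        """Apply due leave timers and host timeouts before answering any lookup."""
        for key, due in list(self.leaving.items()):
            if now >= due:
                mac, port = key
                self.members.get(mac, {}).pop(port, None)
                del self.leaving[key]
        for mac, ports in list(self.members.items()):
            for port in [p for p, exp in ports.items() if now >= exp]:
                del ports[port]
            if not ports:
                del self.members[mac]

    def report(self, group, port, now):
        """Membership report (join) seen on a port: (re)arm its host timeout."""
        self._age(now)
        mac = group_to_mac(group)
        self.members.setdefault(mac, {})[port] = now + self.host_timeout
        self.leaving.pop((mac, port), None)

    def leave(self, group, port, now):
        """Leave Group seen on a port: the membership is dropped after leave_timer."""
        self._age(now)
        self.leaving[(group_to_mac(group), port)] = now + self.leave_timer

    def forward_ports(self, group, now):
        """Ports that receive the group's traffic: current members plus router ports."""
        self._age(now)
        return set(self.members.get(group_to_mac(group), {})) | self.router_ports


def example_timeline():
    """Constructed sequence: ports 7 and 26 join 224.0.0.2 at t=0, port 7 leaves at t=10."""
    vlan = SnoopingVlan("default", host_timeout=250, leave_timer=2, router_ports="11")
    vlan.report("224.0.0.2", 7, now=0)
    vlan.report("224.0.0.2", 26, now=0)
    vlan.leave("224.0.0.2", 7, now=10)
    # t=11: leave timer still running; t=12: port 7 gone; t=250: port 26 aged out.
    return {t: vlan.forward_ports("224.0.0.2", now=t) for t in (11, 12, 250)}


if __name__ == "__main__":
    print(group_to_mac("239.255.255.250"))
    for t, ports in example_timeline().items():
        print(f"t={t:<4} forward to ports {format_portlist(ports)}")
```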
Configuring router ports

You can designate a range of switch ports as being connected to multicast-enabled routers. This feature ensures that all packets with such a router as their destination reach the multicast-enabled router regardless of the protocol type.

To configure a range of ports as router ports, use the following command:

    config router_ports

This command includes the following options:

config router_ports followed by:
    <vlan_name>               Specifies the name of the VLAN on which the router port resides.
    [add|delete] <portlist>   Allows you to add or delete a range of ports. You can specify the ports to add or delete by first entering the lowest port number in a group, and then the highest port number in a group, separated by a dash. For example, to enter a port group that includes switch ports 1, 2, and 3, you enter 1-3. To enter ports that are not contained within a group, enter the port numbers separated by a comma. For example, port group 1-3 and port 26 are entered as 1-3, 26.

Figure 231 shows how to configure switch ports 1 through 3 to be router ports.

Figure 231 config router_ports command

    PP1648T:4#config router_ports default add 1-3
    Command: config router_ports default add 1-3
    Success.
    PP1648T:4#

Enabling IGMP snooping

You can globally enable IGMP snooping on the switch. When you enable IGMP snooping on the switch, the switch forwards all multicast traffic to any IP router and forwards traffic to the VLAN in which a client shows up.

To globally enable IGMP snooping on the switch, use the following command:

    enable igmp_snooping

If you want the switch to forward all multicast traffic only to a multicast-enabled router, include the forward_mcrouter_only parameter in the command line; otherwise, the switch forwards all multicast traffic to any IP router.

As a switch, the Passport 1600 can also prune group memberships per port within a VLAN. This feature, igmp_snooping filtering, allows you to optimize the IP multicast data flow for a group within a VLAN to only those ports that are members of the group. The switch listens to group reports from each port and builds a database of multicast group members per port. The switch suppresses the reports it hears by not forwarding them to other hosts, forcing the members to continuously send their own reports. Furthermore, the switch forwards multicast data only to the participating group members within the VLAN.

This command includes the following options:

enable igmp_snooping followed by:
    forward_mcrouter_only   Specifies that the switch forward all multicast traffic to a multicast-enabled router only. If this parameter is not entered, the switch forwards all multicast traffic to any IP router.
    filtering               Specifies that the switch forward multicast traffic for a group within a VLAN to only those ports that are members of the group.

Figure 232 shows how to configure and enable IGMP snooping to forward all multicast traffic only to a multicast-enabled router.

Figure 232 enable igmp_snooping command

    PP1648T:4# enable igmp_snooping forward_mcrouter_only
    Command: enable igmp_snooping forward_mcrouter_only
    Success.
    PP1648T:4#

Disabling IGMP snooping

You can disable IGMP snooping on the switch only if IP multicast routing is not being used. Disabling IGMP snooping allows all IGMP and IP multicast traffic to flood within a given IP interface.

To globally disable IGMP snooping on the switch, use the following command:

    disable igmp_snooping

This command includes the following options:

disable igmp_snooping followed by:
    filtering   Specifies that “unknown” IGMP packets will be filtered from the snooping process. When filtering is specified, only “registered” IGMP packets will be snooped.

Figure 233 shows how to disable IGMP snooping on the switch.

Figure 233 disable igmp_snooping command

    PP1648T:4# disable igmp_snooping
    Command: disable igmp_snooping
    Success.
    PP1648T:4#

Displaying the current IGMP snooping configuration

You can display the current IGMP snooping configuration on the switch. To display the current IGMP snooping configuration, use the following show command:

    show igmp_snooping

This command includes the following options:

show igmp_snooping followed by:
    vlan <vlan_name>   Specifies the name of the VLAN for which you want to view the IGMP snooping configuration.

Note: The IGMP snooping feature can be configured differently for each VLAN on the switch.

Figure 234 shows how to display the IGMP snooping configuration on the switch.
Figure 234 show igmp_snooping command

    PP1648T:4# show igmp_snooping
    Command: show igmp_snooping

    IGMP Snooping Global State   : Disabled
    Multicast router Only        : Disabled
    Multicast Filtering          : Enabled

    VLAN Name                    : default
    Query Interval               : 125
    Max Response Time            : 10
    Robustness Value             : 2
    Last Member Query Interval   : 1
    Host Timeout                 : 260
    Route Timeout                : 260
    Leave Timer                  : 2
    Querier State                : Disabled
    Querier Router Behavior      : Non-Querier
    State                        : Disabled

    VLAN Name                    : vlan2
    Query Interval               : 125
    Max Response Time            : 10
    Robustness Value             : 2
    Last Member Query Interval   : 1
    Host Timeout                 : 260
    Route Timeout                : 260
    Leave Timer                  : 2
    Querier State                : Disabled
    Querier Router Behavior      : Non-Querier
    State                        : Disabled

    Total Entries: 2
    PP1648T:4#

Displaying IGMP snooping groups

You can display the current IGMP snooping group configurations on the switch. To display the current IGMP snooping group configuration, use the following show command:

    show igmp_snooping group

This command includes the following options:

show igmp_snooping group followed by:
    vlan <vlan_name>   Specifies the name of the VLAN for which you want to view the IGMP snooping group configuration.

Note: The IGMP snooping feature can be configured differently for each VLAN on the switch.

Figure 235 shows how to display the current IGMP snooping group configuration.

Figure 235 show igmp_snooping group

    PP1648T:4# show igmp_snooping group
    Command: show igmp_snooping group

    VLAN Name       : default
    Multicast group : 224.0.0.2
    MAC address     : 01-00-5E-00-00-02
    Reports         : 1
    Port Member     : 7,26

    VLAN Name       : default
    Multicast group : 224.0.0.9
    MAC address     : 01-00-5E-00-00-09
    Reports         : 1
    Port Member     : 7,26

    VLAN Name       : default
    Multicast group : 234.5.6.7
    MAC address     : 01-00-5E-05-06-07
    Reports         : 1
    Port Member     : 9,26

    VLAN Name       : default
    Multicast group : 236.54.63.75
    MAC address     : 01-00-5E-36-3F-4B
    Reports         : 1
    Port Member     : 7,26

    VLAN Name       : default
    Multicast group : 239.255.255.250
    MAC address     : 01-00-5E-7F-FF-FA
    Reports         : 2
    Port Member     : 7,26

    VLAN Name       : default
    Multicast group : 239.255.255.254
    MAC address     : 01-00-5E-7F-FF-FE
    Reports         : 1
    Port Member     : 7,26

    Total Entries : 6
    PP1648T:4#

Displaying IGMP snooping forwarding table

You can display information about the IGMP snooping forwarding table. To display the current IGMP snooping forwarding table, use the following show command:

    show igmp_snooping forwarding

This command includes the following options:

show igmp_snooping forwarding followed by:
    vlan <vlan_name>   Specifies the name of the VLAN for which you want to view the IGMP snooping forwarding configuration.

Note: You can configure the IGMP snooping feature differently for each VLAN on the switch.

Figure 236 shows how to display information about the IGMP snooping forwarding table.
Figure 236 show igmp_snooping forwarding command

    PP1648T:4# show igmp_snooping forwarding
    Command: show igmp_snooping forwarding

    VLAN Name       : default
    Source IP       : 10.44.45.66
    Multicast group : 224.0.0.2
    Port Member     : 24

    Total Entries : 1
    PP1648T:4#

Displaying the list of router ports

You can display the currently configured router ports on the switch. To display the current list of router ports, use the following command:

    show router_ports

This command includes the following options:

show router_ports followed by:
    vlan <vlan_name>    Specifies the name of the VLAN for which you want to view the list of router ports.
    [static|dynamic]    Allows you to view the list of router ports based on the method used to add a port to the router port list:
                        static: entered manually
                        dynamic: discovered automatically by the switch

Figure 237 shows sample output for this command.

Figure 237 show router_ports command

    PP1648T:4# show router_ports
    Command: show router_ports

    VLAN Name           : default
    Static router port  :
    Dynamic router port : 11

    VLAN Name           : v2
    Static router port  : 17-22
    Dynamic router port :

    Total Entries: 2
    PP1648T:4#

Configuring DVMRP

This section describes the CLI commands that you can use to configure the Distance Vector Multicast Routing Protocol (DVMRP) on the switch. DVMRP is a hop-based method of building multicast delivery trees from multicast sources to all nodes of a network. It resembles the Routing Information Protocol (RIP), but is extended for multicast delivery. It relies on RIP hop counts to calculate the shortest path back to the source of a multicast message, and, once the delivery tree is established, uses a route cost to decide which branches of the tree should be pruned.

Route cost is a relative number: the cost assigned to a DVMRP route is compared with the costs assigned to the other DVMRP routes throughout the network. The higher the route cost, the lower the probability that the route will be chosen as an active (not pruned) branch of the multicast delivery tree when an alternative route exists.

DVMRP commands in the Command Line Interface (CLI) are listed, along with their parameters, in the following table:

    Command                     Parameter
    config dvmrp                ipif <ipif_name 12> | all
                                metric <value 1-31>
                                probe <sec 1-65535>
                                neighbor_timeout <sec 1-65535>
                                state [enabled | disabled]
    show dvmrp                  ipif <ipif_name>
    enable dvmrp
    disable dvmrp
    show dvmrp routing_table    ipaddress <network_address>
    show dvmrp neighbor         ipif <ipif_name 12>
                                ipaddress <network_address>
    show dvmrp nexthop          ipif <ipif_name 12>
                                ipaddress <network_address>

Configuring DVMRP

To configure DVMRP for the IP interface named System, to use a neighbor timeout of 30 seconds, and a DVMRP route cost of 2, use the following command:

    config dvmrp ipif System neighbor_timeout 30 metric 2

This command contains the following parameters:

Table 14 config dvmrp

config dvmrp followed by:
    ipif <ipif_name>    The name of the IP interface that this DVMRP configuration applies to.
    all                 Specifies that this DVMRP configuration applies to all the IP interfaces on the switch.
    metric <value>             Assigns a DVMRP route cost to the IP interface entered above. A DVMRP route cost is a number that represents the relative cost of using this route, as opposed to an alternative route, in the construction of a multicast delivery tree. The default cost is 1.
    probe <second>             The amount of time, in seconds, between queries to determine whether a multicast group is present on a given router's subnet. The default is 10 seconds.
    neighbor_timeout <second>  The time period, in seconds, that the switch retains DVMRP neighbor router reports before issuing poison route messages. The default is 35 seconds.
    state [enabled/disabled]   Enables or disables DVMRP.

Figure 238 shows DVMRP being configured for the IP interface System, to use a neighbor timeout of 30 seconds and a DVMRP route cost of 2:

Figure 238 config dvmrp

    :4# config dvmrp ipif System metric 2 neighbor_timeout 30
    Command: config dvmrp ipif System metric 2 neighbor_timeout 30

    Success.
    :4#

Enabling DVMRP

To enable DVMRP, use the following command:

    enable dvmrp

This command contains no additional parameters:

Table 15 enable dvmrp

    enable dvmrp    This command has no additional parameters.

Figure 239 shows DVMRP being enabled:

Figure 239 enable dvmrp

    :4# enable dvmrp
    Command: enable dvmrp

    Success.
    :4#

Disabling DVMRP

To disable DVMRP, use the following command:

    disable dvmrp

This command contains no additional parameters:

Table 16 disable dvmrp

    disable dvmrp    This command has no additional parameters.

Figure 240 shows DVMRP being disabled:

Figure 240 disable dvmrp

    :4# disable dvmrp
    Command: disable dvmrp

    Success.
    :4#

Displaying the current DVMRP routing table

To display the current DVMRP routing table, use the following command:

    show dvmrp routing_table

This command contains the following parameters:

Table 17 show dvmrp routing_table

show dvmrp routing_table followed by:
    ipaddress <network_address>

Figure 241 shows the current DVMRP routing table being displayed:

Figure 241 show dvmrp routing_table

    :4# show dvmrp routing table
    Command: show dvmrp routing table

    DVMRP Routing Table
    Source Address  Soruce Mask  Next Hop Router  Learned  Interface  Expire
    --------------------------------------------------------------

    Total Entries: 0
    :4#

Displaying the current DVMRP neighbor router table

To display the current DVMRP neighbor router table, use the following command:

    show dvmrp neighbor

This command contains the following parameters:

Table 18 show dvmrp neighbor

show dvmrp neighbor followed by:
    ipif <ipif_name>               The name of the IP interface for which you want to display the DVMRP neighbor router table.
    ipaddress <network_address>    The IP address of a neighbor router.
Figure 242 shows the current DVMRP neighbor router table being displayed:

Figure 242 show dvmrp neighbor

    :4# show dvmrp neighbor
    Command: show dvmrp neighbor

    DVMRP Neighbor Address Table
    Interface  Neighbor Address  Generation ID  Expire Time
    --------- ----------------------------------------

    Total Entries: 0
    :4#

Displaying the current DVMRP nexthop router table

To display the current DVMRP nexthop router table, use the following command:

    show dvmrp nexthop

This command contains the following parameters:

Table 19 show dvmrp nexthop

show dvmrp nexthop followed by:
    ipif <ipif_name>               The name of the IP interface for which you want to display the DVMRP nexthop router table.
    ipaddress <network_address>    The IP address of a neighbor router.

Figure 243 shows the current DVMRP nexthop router table being displayed:

Figure 243 show dvmrp nexthop

    :4# show dvmrp nexthop
    Command: show dvmrp nexthop

    DVMRP Routing Next Hop Table
    Source IP Address  Soruce Mask  Interface Name  Type
    ---------------------------- ------------------

    Total Entries: 0
    :4#

Displaying the current DVMRP configuration

To display the current DVMRP configuration, use the following command:

    show dvmrp

This command contains the following parameters:

Table 20 show dvmrp

show dvmrp followed by:
    ipif <ipif_name>    The name of the IP interface for which you want to display the current DVMRP configuration.
Figure 244 shows the current DVMRP configuration being displayed:

Figure 244 show dvmrp

    :4# show dvmrp
    Command: show dvmrp

    DVMRP Global State : Disabled

    Interface  IP Address     Neighbor Timeout  Probe  Metric  State
    ---------  -------------  ----------------  -----  ------  --------
    System     10.42.73.88/8  30                10     2       Disabled

    Total Entries: 1
    :4#

Displaying the switch's IP multicast cache

The IP multicast cache commands allow you to display the entries in the switch's IP multicasting cache for specific groups and IP addresses. The IP multicasting commands in the Command Line Interface (CLI) are listed, along with their parameters, in the following table.

Roadmap of IP multicast cache commands

Table 21 IP multicasting cache commands

    Command           Parameter
    show ipmc cache   group <group>
                      ipaddress <network_address>
    show ipmc         ipif <ipif_name>

Displaying the switch's IP multicast cache

To display the switch's IP multicast cache, use the following command:

    show ipmc cache

This command contains the following parameters:

Table 22 show ipmc cache

show ipmc cache followed by:
    group <group>                  The multicast group ID.
    ipaddress <network_address>    The IP address and subnet mask for a multicast destination. If no IP address is entered, the switch displays all of the destination IP addresses in its IP multicasting forwarding table.
Figure 245 shows the switch's IP multicast cache being displayed:

Figure 245 show ipmc cache

    :4# show ipmc cache
    Command: show ipmc cache

    Multicast  Source IP  Source IP  Upstream  Expire  Routing
    Group      Address    Mask       Neighbor  Time    Protocol
    ---------  ---------  ---------  --------  ------  --------

    Total Entries: 0
    :4#

Displaying the switch's IP multicast table

To display the switch's IP multicast table, use the following command:

    show ipmc

This command contains the following parameters:

Table 23 show ipmc

show ipmc followed by:
    ipif <ipif_name>    The name of the IP interface for which you want to display the IP multicast table.

Figure 246 shows the switch's IP multicast table being displayed:

Figure 246 show ipmc

    :4# show ipmc
    Command: show ipmc

    Interface Name  IP Address   Multicast Routing
    --------------  -----------  -----------------
    System          10.42.73.88  INACT

    Total Entries: 1
    :4#

Chapter 16 Monitoring the network

The Passport 1600 switch provides extensive network monitoring that can be viewed using the network monitoring commands described in this chapter.
Specifically, it includes the following topics:

    Topic                                              Page
    Roadmap of network monitoring commands             394
    Displaying port traffic statistics                 395
    Displaying port error statistics                   397
    Displaying port utilization                        399
    Clearing the switch counters                       401
    Clearing the switch log                            402
    Displaying the switch log                          403
    Configuring port mirroring                         403
    Displaying the current mirror settings             406
    Enabling and disabling RMON                        407
    Checking network links                             408
    Determining the network route using traceroute     409

Roadmap of network monitoring commands

The following roadmap lists the network monitoring commands and their parameters. Use this list as a quick reference; each command and parameter is described in more detail later in this chapter.

    Command               Parameter
    show packet ports     <portlist>
    show error ports      <portlist>
    show utilization
    clear counters        ports <portlist>
    clear log
    show log              index <value>
    config mirror port    <port> add source ports <portlist> [rx|tx|both]
    config mirror port    <port> delete source ports <portlist> [rx|tx|both]
    enable mirror
    disable mirror
    show mirror
    enable rmon
    disable rmon
    ping <ipaddr>         times <values 1-255>
                          timeout <sec 1-99>
    traceroute <ipaddr>   ttl <value 1-60>
                          port <value 30000-64900>
                          timeout <sec 1-65535>
                          probe <value 1-9>

Displaying port traffic statistics

To display the traffic statistics for a port, use the following command:

    show packet ports

This command uses the following option:

show packet ports followed by:
    <portlist>    Specifies the range of ports for which you want to display traffic statistics. Ports are specified by entering the lowest port number in a group, then the highest port number in the group, separated by a dash. So, a port group including the switch ports 1, 2, and 3 would be entered as 1-3. Ports that are not contained within a group are specified by entering their port number, separated by a comma. So, the port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 247 shows the traffic statistics collected by the switch for port 7.

Figure 247 show packet ports command

    PP1648T:4# show packet ports 7
    Command: show packet ports 7

    Port number : 7

    Frame Size     Frame Counts  Frames/sec
    -------------  ------------  ----------
    64             2             0
    65-127         0             0
    128-255        0             0
    256-511        0             0
    512-1023       0             0
    1024-Max Size  0             0

    Frame Type     Frames        Frames/sec
    -------------  ------------  ----------
    Unicast RX     0             0
    Multicast RX   1             0
    Broadcast RX   0             0
    Unicast TX     0             0
    Multicast TX   1             0
    Broadcast TX   0             0

    Frame Type     Total         Total/sec
    -------------  ------------  ----------
    RX Bytes       64            0
    RX Frames      1             0
    TX Bytes       64            0
    TX Frames      1             0

Table 24 shows the definitions for terms related to displaying port traffic statistics.

Table 24 show packet port definitions

    Term          Definition
    Frames        The number of packets (or frames) received or transmitted by the switch with the size, in octets, given by the Frame Size column.
    Frames/sec    The number of packets (or frames) transmitted or received, per second, by the switch.
    Unicast RX    The number of unicast packets received by the switch, as a total (Frames) and as a rate (Frames/sec).
    Multicast RX  The number of multicast packets received by the switch, as a total (Frames) and as a rate (Frames/sec).
    Broadcast RX  The number of broadcast packets received by the switch, as a total (Frames) and as a rate (Frames/sec).
    RX Bytes      The number of bytes (octets) received by the switch, as a total (Total) and as a rate (Total/sec).
    RX Frames     The number of packets (frames) received by the switch, as a total (Total) and as a rate (Total/sec).
    Unicast TX    The number of unicast packets transmitted by the switch, as a total (Frames) and as a rate (Frames/sec).
    Multicast TX  The number of multicast packets transmitted by the switch, as a total (Frames) and as a rate (Frames/sec).
    Broadcast TX  The number of broadcast packets transmitted by the switch, as a total (Frames) and as a rate (Frames/sec).
    TX Bytes      The number of bytes (octets) transmitted by the switch, as a total (Total) and as a rate (Total/sec).
    TX Frames     The number of packets (frames) transmitted by the switch, as a total (Total) and as a rate (Total/sec).

Displaying port error statistics

The following are definitions for terms related to displaying port error statistics:

    Term                  Definition

    For received packets
    CRC Error             For 10 Mbps ports, the counter records CRC errors (FCS or alignment errors). For 100 Mbps ports, the counter records the sum of CRC errors and code errors (frames received with the rxerror signal).
    Undersize             The total number of frames received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
    Oversize              The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
    Fragment              The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or an alignment error.
    Jabber                The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and had either an FCS or an alignment error.

    For transmitted packets
    Excessive Collision   The number of frames for which transmission failed due to excessive collisions.
    Late Collision        The number of times that a collision is detected later than 512 bit-times into the transmission of a packet.
    Collision

To display error statistics for the switch's ports, use the following command:

    show error ports

show error ports followed by:
    <portlist>    Specifies the range of ports for which you want to display error statistics. Ports are specified by entering the lowest port number in a group, then the highest port number in the group, separated by a dash. So, a port group including the switch ports 1, 2, and 3 would be entered as 1-3. Ports that are not contained within a group are specified by entering their port number, separated by a comma. For example, the port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 248 shows the error statistics collected by the switch for port 7.

Figure 248 show error ports command

    PP1648T:4# show error ports 7
    Command: show error ports 7

    Port number : 7

    RX Frames
    ---------
    CRC Error            0
    Undersize            0
    Oversize             0
    Fragment             0
    Jabber               0

    TX Frames
    ---------
    Excessive Collision  0
    Late Collision       0
    Collision            0

Displaying port utilization

The following are definitions for terms related to displaying port utilization:

    Term      Definition
    Port      The switch's port number.
    TX/sec    The rate at which the given port is transmitting packets, in packets per second.
    RX/sec    The rate at which the given port is receiving packets, in packets per second.
    Util      The percentage utilization of the given port's available bandwidth.
To display the bandwidth utilization in real time, use the following command:

    show utilization

Figure 249 shows the bandwidth utilization for the switch:

Figure 249 show utilization command

    PP1624G:4# show utilization

    Port  TX/sec  RX/sec  Util     Port  TX/sec  RX/sec  Util
    1     0       0       0        22    0       0       0
    2     0       0       0        23    0       0       0
    3     0       0       0        24    0       0       0
    4     0       0       0        25    0       0       0
    5     0       0       0        26    19      49      1
    6     0       0       0        1     0       0       0
    7     0       0       0        2     0       0       0
    8     0       0       0        3     0       0       0
    9     0       0       0        4     0       0       0
    10    0       0       0        5     0       0       0
    11    0       0       0        6     0       0       0
    12    0       0       0        7     0       30      1
    13    0       0       0        8     0       0       0
    14    0       0       0        9     30      0       1
    15    0       0       0        10    0       0       0
    16    0       0       0        11    0       0       0
    17    0       0       0        12    0       0       0
    18    0       0       0        13    0       0       0
    19    0       0       0        14    0       0       0
    20    0       0       0        15    0       0       0
    21    0       0       0        16    0       0       0

    PP1624G:4#

Clearing the switch counters

To clear the switch counters, use the following command:

    clear counters

This command uses the following option:

clear counters followed by:
    ports <portlist>    Specifies that you only want to clear the counters for the ports specified in <portlist>. If this parameter is not specified, the counters for all of the ports on the switch are cleared. portlist is the range of ports for which you want to clear counters. Ports are specified by entering the lowest port number in a group, then the highest port number in the group, separated by a dash. So, a port group including the switch ports 1, 2, and 3 would be entered as 1-3. Ports that are not contained within a group are specified by entering their port number, separated by a comma. So, the port group 1-3 and port 26 would be entered as 1-3, 26.

Figure 250 shows how to clear counters for ports 7 through 9, inclusive.

Figure 250 clear counters ports command

    PP1612G:4# clear counters ports 7-9
    Command: clear counters ports 7-9

    Success.
    PP1612G:4#

Clearing the switch log

To clear the switch log, use the following command:

    clear log

Figure 251 shows how to clear the switch log.

Figure 251 clear log command

    PP1612G:4# clear log
    Command: clear log

    Success.
    PP1612G:4#

Displaying the switch log

To display the switch log, use the following command:

    show log

This command uses the following option:

show log followed by:
    index <value>    Specifies the index number for which you want to display the switch log.

Figure 252 shows how to display the switch's log.

Figure 252 show log command

    PP1648T:4# show log
    Command: show log

    Index  Date&Time            Log Text
    -----  -------------------  ----------------------------------------
    2      2004/03/12 10:10:49  clear log (Username:rwa from Telnet client 10.12.53.251)
    1      2004/03/12 10:10:49  clear log tables successfully (Username: rwa from Telnet client 10.12.53.251)
    PP1648T:4#

Configuring port mirroring

Port mirroring allows a range of ports to have all of their traffic duplicated and sent to a designated port, where a network sniffer or other device can monitor the network traffic. For the range of ports to be mirrored, you can also specify that only traffic received by the ports, only traffic sent by them, or both is mirrored to the target port.

Configuring a mirror port

To configure a mirror port, use the following command:

    config mirror port <port> add source ports <portlist> [rx|tx|both]

where:
    port        is the number of the port that becomes a mirror for the ports listed in portlist.
    portlist    is the range of ports whose traffic is mirrored to the mirror port. To specify a range, enter the beginning and end values, separated by a hyphen. You specify ports that are not contained within a group by entering their port number, separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
    rx          mirrors the packets received by the source ports.
    tx          mirrors the packets transmitted by the source ports.
    both        mirrors all packets that pass through the source ports.

Figure 253 shows how to configure port 5 as the mirror port, and ports 1 through 4 as the source ports. All traffic passing through the source ports is mirrored to port 5.

Figure 253 config mirror port add command

    PP1612G:4# config mirror port 5 add source ports 1-4 both
    Command: config mirror port 5 add source ports 1-4 both

    Success.

Deleting a mirror port

To delete a mirror port, use the following command:

    config mirror port <port> delete source ports <portlist> [rx|tx|both]

where:
    port        is the number of the port that is a mirror for the ports listed in portlist.
    portlist    is the range of ports whose traffic is mirrored to the mirror port. To specify a range, enter the beginning and end values, separated by a hyphen. You specify ports that are not contained within a group by entering their port number, separated by a comma. Thus, you enter the port group 1-3 and port 26 as 1-3, 26.
    rx          mirrors the packets received by the source ports.
    tx          mirrors the packets transmitted by the source ports.
    both        mirrors all packets that pass through the source ports.

Figure 254 shows how to remove ports 1 through 4 as source ports of mirror port 5.

Figure 254 config mirror port delete command

    PP1612G:4# config mirror port 5 delete source ports 1-4 both
    Command: config mirror port 5 delete source ports 1-4 both

    Success.
    PP1612G:4#

Enabling a mirror port

To enable port mirroring on the switch, use the following command:

    enable mirror

Figure 255 shows how to enable port mirroring on the switch.
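The <portlist> notation ("1-3, 26") is shared by show packet ports, show error ports, clear counters and config mirror, and a mirror target port hands a copy of every source port's traffic to whatever is plugged into it, so the request is worth validating before it is typed. The following added example (not from the Nortel manual) parses and regenerates that notation and checks a mirror request; the 48-port chassis size, the rule that the target may not also be a source, and all function names are this example's own assumptions, not documented switch behaviour.

```python
"""Added example, not from the Nortel manual: parse the CLI <portlist>
notation ("1-3, 26"), render port sets back into it, and sanity-check a
'config mirror port <port> add source ports <portlist> [rx|tx|both]' request."""
import re

TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")
DIRECTIONS = ("rx", "tx", "both")


def parse_portlist(text: str, max_port: int = 48) -> list[int]:
    """Expand "1-3, 26" into [1, 2, 3, 26]. max_port is an assumed chassis
    size (the manual's 1648T output lists ports up to 52); tokens that are
    malformed, reversed, or outside 1..max_port are rejected."""
    ports = set()
    for raw in text.split(","):
        token = raw.strip()
        m = TOKEN.match(token)
        if not m:
            raise ValueError(f"bad portlist element {token!r} in {text!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range {token!r}")
        if lo < 1 or hi > max_port:
            raise ValueError(f"{token!r} outside ports 1-{max_port}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def format_portlist(ports) -> str:
    """Inverse of parse_portlist: collapse [1, 2, 3, 26] to "1-3,26"."""
    ports = sorted(set(ports))
    parts, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        parts.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(parts)


def mirror_config_error(target: int, sources: str, direction: str,
                        max_port: int = 48):
    """Return None if the mirror request passes this example's checks, else a
    message: direction keyword, target inside the chassis, sources parseable,
    and the target port not also listed as a source (it would be fed a copy
    of its own traffic). These are assumptions of the example, not checks the
    manual documents the switch performing."""
    if direction not in DIRECTIONS:
        return f"direction must be one of {DIRECTIONS}, got {direction!r}"
    if not 1 <= target <= max_port:
        return f"target port {target} outside ports 1-{max_port}"
    try:
        ports = parse_portlist(sources, max_port)
    except ValueError as exc:
        return str(exc)
    if target in ports:
        return f"target port {target} is also a source port"
    return None


def mirror_commands(target: int, sources: str, direction: str,
                    max_port: int = 48) -> list[str]:
    """Commands to enter, in order, for a valid request (as in Figures 253
    and 255): attach the source ports to the mirror port, then enable mirroring."""
    error = mirror_config_error(target, sources, direction, max_port)
    if error:
        raise ValueError(error)
    normalised = format_portlist(parse_portlist(sources, max_port))
    return [f"config mirror port {target} add source ports {normalised} {direction}",
            "enable mirror"]
```

Running mirror_commands(5, "1-4", "both") yields the two commands shown in Figures 253 and 255; show mirror (Figure 257) then confirms the target port and mirrored ports actually in effect.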
Figure 255 enable mirror command

    PP1612G:4# enable mirror
    Command: enable mirror

    Success.
    PP1612G:4#

Disabling a mirror port

To disable port mirroring on the switch, use the following command:

    disable mirror

Figure 256 shows how to disable port mirroring on the switch.

Figure 256 disable mirror command

    PP1612G:4# disable mirror
    Command: disable mirror.

    Success.
    PP1612G:4#

Displaying the current mirror settings

To display the current port mirroring settings on the switch, use the following command:

    show mirror

Figure 257 shows how to display the current mirror settings on the switch.

Figure 257 show mirror command

    PP1648T:4# show mirror
    Command: show mirror

    Current Settings
    Mirror Status: Enabled
    Target Port  : 9
    Mirrored Port
      RX:
      TX: 1-5
    PP1648T:4#

Enabling and disabling RMON

To enable RMON, use the following command:

    enable rmon

Figure 258 shows RMON being enabled on the switch:

Figure 258 enable rmon command

    PP1612G:4# enable rmon
    Command: enable rmon

    Success.
    PP1612G:4#

To disable RMON, use the following command:

    disable rmon

Figure 259 shows RMON being disabled on the switch:

Figure 259 disable rmon command

    PP1612G:4# disable rmon
    Command: disable rmon

    Success.
    PP1612G:4#

Checking network links

To verify the network link between the switch and another network device, use the following command:

    ping <ipaddr>

where:
    ipaddr    is the IP address of the network device at the remote end of the link. This IP address must be on the same subnet as the switch.
This command contains the following parameters:

ping followed by:
    times <values 1-255>    The number of times the remote network device is pinged.
    timeout <sec 1-99>      The length of time, in seconds, the switch waits for a response from the remote network device after sending a ping packet.

Note: You cannot ping an interface if its ports are in blocking mode and the link is up.

Figure 260 shows the switch sending 4 ping packets to the IP address 10.48.74.121.

Figure 260 ping command

    PP1612G:4# ping 10.48.74.121 times 4
    Command: ping 10.48.74.121

    Reply from 10.48.74.121, time<10ms
    Reply from 10.48.74.121, time<10ms
    Reply from 10.48.74.121, time<10ms
    Reply from 10.48.74.121, time<10ms

    Ping Statistics for 10.48.74.121
    Packets: Sent=4, Received=4, Lost=0
    PP1612G:4#

Determining the network route using traceroute

To trace the network route between the switch and another network device, use the following command:

    traceroute <ipaddr>

where:
    ipaddr    is the IP address of the remote network device to which the route is traced.

This command contains the following parameters:

traceroute followed by:
    ttl <value 1-60>            The time to live (TTL) value of the traceroute request. This is the maximum number of routers the traceroute command can cross while seeking the network path between the two devices.
    port <value 30000-64900>    The port number.
    timeout <sec 1-65535>       The maximum amount of time, in seconds, the switch waits for a response.
    probe <value 1-9>           The number of times the switch tries the traceroute command.

Figure 261 shows the switch tracing the route between itself and the network device with the IP address 10.48.74.121, with 3 probes:

Figure 261 traceroute command

    PP1612G:4# traceroute 10.48.74.121 probe 3
    Command: traceroute 10.48.74.121 probe 3

    1  <10ms.  10.48.74.121
    1  <10ms.  10.48.74.121
    1  <10ms.  10.48.74.121
    PP1612G:4#

Chapter 17 CLI configuration examples

This chapter provides configuration examples for common Passport 1600 Series switch tasks and includes the CLI commands that you use to create the configurations. It includes the following topics:

    Topic                                                    Page
    Resetting the switch to its factory defaults             412
    Configuring the default VLAN for management access       412
    Downloading firmware and uploading configuration files   415
    Creating new port-based VLANs                            416
    Disabling Spanning Tree                                  419
    Configuring link aggregation groups                      420
    Enabling OSPF                                            421
    Configuring OSPF MD5 authentication                      427
    Configuring an OSPF stub area                            428
    Configuring OSPF route distribution                      430
    Configuring RIP base                                     433
    Selecting Tx and Rx RIP v2 mode                          435
    Configuring broadcast and multicast storm control        436
    Configuring egress queue weight                          437
    Configuring QoS and IP filtering                         438
    Setting QoS priority for destination TCP flows           443
    Dropping TCP flows                                       445
    Filtering MAC addresses                                  446
    Configuring forward-to-next-hop                          448
    Filtering IP addresses                                   449
    Dropping fragmented IP packets                           450

Resetting the switch to its factory defaults

To reset the switch to its factory defaults, use the following command:

    PP1648T:4# reset config

Configuring the default VLAN for management access

By default, all ports are assigned to the default VLAN, named default. This VLAN has an IP interface named System and an IP address of 10.90.90.90/8. You can change the System IP address to meet the IP subnet requirements of your network. After you have changed the IP address, you can use TELNET or Device Manager to access and manage your switch.

Note: The Passport 1600 Series switch requires names when you create or edit VLANs or IP addresses. The VLAN name can be up to 32 characters in length and is case-sensitive.
For this configuration, you do not create a new VLAN or IP address; you simply change the settings for the default VLAN, named default, and the default IP interface, named System. This example shows you how to configure the default VLAN, as follows:

    • Configure the default VLAN to use port 1 only.
    • Change the System IP address to 10.1.1.10/24.
    • Create a default gateway with the address 10.1.1.1.

Figure 262 illustrates this configuration example.

Figure 262 Configuration example: configuring the default VLAN for access (diagram: Passport 1648T with port 1 carrying the management IP 10.1.1.10/24, default gateway 10.1.1.1)

To perform this configuration, you connect your PC or terminal to the console port on the switch using the 9-pin serial connector, and you set your terminal to 9600 bps 8/N/1.

Configuration example: configuring the default VLAN

This section describes how to configure the default VLAN for this example. For more information about the commands used in this section, see Chapter 1, "Setting up the switch," and Chapter 6, "Configuring VLANs."

1  Log on to the switch by entering the following:

       Login: rwa
       Password: rwa    (rwa appears as ***)

2  View the default privileges by entering the following command:

       PP1648T:4# show account
       Command: show account

       Current Accounts:
       Username          Access Level
       ---------------   ------------
       rwa               Admin

3  View the VLAN configuration by entering the following command:

       PP1648T:4# show vlan
       Command: show vlan

       VID            : 1
       VLAN TYPE      : static
       Member ports   : 1-52
       Static ports   : 1-52
       Untagged ports : 1-52
       VLAN Name      : default

   Note that all ports are under the default VLAN.
4 Remove all ports from the default VLAN, except port 1, by entering the following command:
PP1648T:4# config vlan default delete 2-52

5 Change the default System IP address to 10.1.1.10/24 by entering the following command:
PP1648T:4# config ipif System ipaddress 10.1.1.10/24 vlan default state enable

6 Add a default gateway with an address of 10.1.1.1:
PP1648T:4# create iproute default 10.1.1.1

7 Save the configuration by entering the following command:
PP1648T:4# save

Viewing the VLAN and IP addresses

To view the VLAN and IP addresses that you have just configured, use the following procedures:

1 View the VLAN using the following command:
PP1648T:4# show vlan
Command: show vlan
VID            : 1          VLAN Name : default
VLAN TYPE      : static
Member ports   : 1
Static ports   : 1
Untagged ports : 1
Total Entries : 1

2 View the IP addresses in use using the following command:
PP1648T:4# show ipif
Command: show ipif
IP Interface Settings
Interface Name : System
IP Address     : 10.1.1.1 (MANUAL)
Subnet Mask    : 255.255.255.0
VLAN Name      : default
Admin. State   : Enabled
Link Status    : Link UP
Member Ports   : 1
Total Entries : 1
PP1648T:4#

Downloading firmware and uploading configuration files

To download firmware, enter the following command:
PP1648T:4# download firmware <ipaddr> <path_filename 64>
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of the firmware file on the remote TFTP server. The path filename can be up to 64 characters.

To upload a configuration file, enter the following command:
PP1648T:4# upload config <ipaddr> <path_filename 64>
where:
ipaddr is the IP address of the remote TFTP server.
path_filename 64 is the DOS path and filename of a file on the remote TFTP server that will receive the configuration file from the switch. The path filename can be up to 64 characters.
For more information about the commands used in this section, see Chapter 2, “Managing switch operations.”

Creating new port-based VLANS

For this example, you create two new VLANs, as follows:
• Create a port-based VLAN with a PVID of 10 that uses ports 10-12
• Create a port-based VLAN with a PVID of 12 that uses ports 13-14
• Add a tagged uplink port for both VLAN 10 and VLAN 12 that uses port 49

Figure 263 illustrates this configuration example.

Figure 263 Configuration example — creating a new port-based VLAN (Passport 1648T with VLAN 10 and VLAN 12; port 49 tagged for VLANs 10 and 12, uplinked to a Passport 8600)

Configuration example — creating port-based VLANs

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 6, “Configuring VLANs.”

1 Add VLAN 10:
a The following command creates VLAN 10:
PP1648T:4# create vlan vlan_10 vid 10
b The following command adds untagged ports 10, 11, and 12 to VLAN 10:
PP1648T:4# config vlan vlan_10 add untagged 10-12
c The following command adds tagged port 49 to VLAN 10:
PP1648T:4# config vlan vlan_10 add tagged 49

2 Add VLAN 12:
a The following command creates VLAN 12:
PP1648T:4# create vlan vlan_12 vid 12
b The following command adds untagged ports 13 and 14 to VLAN 12:
PP1648T:4# config vlan vlan_12 add untagged 13-14
c The following command adds tagged port 49 to VLAN 12:
PP1648T:4# config vlan vlan_12 add tagged 49

Viewing VLANs

To view the VLANs that you have just configured, use the following command:
PP1648T:4# show vlan
Command: show vlan
VID            : 1          VLAN Name : default
VLAN TYPE      : static
Member ports   : 1
Static ports   : 1
Untagged ports : 1

VID            : 10         VLAN Name : vlan_10
VLAN TYPE      : static
Member ports   : 10-12, 49
Static ports   : 10-12, 49
Untagged ports : 10-12

VID            : 12         VLAN Name : vlan_12
VLAN TYPE      : static
Member ports   : 13-14, 49
Static ports   : 13-14, 49
Untagged ports : 13-14
Total Entries : 3

Viewing the forwarding database

To view the forwarding database, use the following command:
PP1648T:4# show fdb {port <port>| vlan <vlan_name 32>|mac_address <macaddr>|static|aging_time}
where:
port specifies a port number.
vlan_name 32 specifies a VLAN.
macaddr is a multicast MAC address.

Example:
PP1648T:4# show fdb
Command: show fdb
Unicast MAC Address Aging Time = 300
VID   VLAN Name         MAC Address         Type       Port
----  ----------------  -----------------   ---------  -----
1     default           00-03-4B-D8-7E-E1   Dynamic    1
1     default           00-09-97-E3-40-01   Self       CPU
1     default           00-60-F3-20-59-4B   Dynamic    1
1     default           00-80-2D-AF-CE-0F   Dynamic    1
1     default           00-E0-4C-88-AE-67   Dynamic    1
1     default           01-00-5E-00-00-04   Multicast
1     default           FF-FF-FF-FF-FF-FF   Self       CPU
2     vlan_2            00-09-97-E3-40-02   Self       CPU
2     vlan_2            01-00-5E-00-00-04   Multicast
2     vlan_2            FF-FF-FF-FF-FF-FF   Self       CPU
3     vlan_3            00-09-97-E3-40-03   Self       CPU
3     vlan_3            00-E0-7B-82-9C-60   Dynamic    49
3     vlan_3            00-E0-7B-82-9E-0C   Dynamic    49
3     vlan_3            01-00-5E-00-00-04   Multicast
3     vlan_3            FF-FF-FF-FF-FF-FF   Self       CPU
Total Entries: 15

Disabling Spanning Tree

The Passport 1600 Series switch currently supports one instance of Spanning Tree. You can disable Spanning Tree for a specific port or globally. For more information about the commands used in this section, see Chapter 4, “Configuring Spanning Tree.”

Configuration example — disabling Spanning Tree

To disable Spanning Tree globally, use the following command:
PP1648T:4# disable stp
Command: disable stp
Success.

To disable Spanning Tree for a specific port, use the following command. In this example, you disable Spanning Tree for port 12.
PP1648T:4# config stp ports 12 state disabled
Command: config stp ports 12 state disabled
Success.

Viewing Spanning Tree status

To view the status of Spanning Tree, use the following commands:
PP1648T:4# show stp
Command: show stp
STP Status      : Disabled
Max Age         : 20
Hello Time      : 2
Forward Delay   : 15
Priority        : 32768
Forwarding BPDU : Enabled

PP1648T:4# show stp ports
Command: show stp ports
Port  Connection       State     Cost  Priority  Status      STP Name
----  ---------------  --------  ----  --------  ----------  --------
1     100M/Full/None   Enabled   *19   128       Forwarding  s0
2     Link Down        Enabled   *19   128       Disabled    s0
3     Link Down        Enabled   *19   128       Disabled    s0
4     Link Down        Enabled   *19   128       Disabled    s0
5     Link Down        Enabled   *19   128       Disabled    s0
6     Link Down        Enabled   *19   128       Disabled    s0
7     Link Down        Enabled   *19   128       Disabled    s0
8     Link Down        Enabled   *19   128       Disabled    s0
9     Link Down        Enabled   *19   128       Disabled    s0
10    Link Down        Enabled   *19   128       Disabled    s0
11    Link Down        Enabled   *19   128       Disabled    s0
12    100M/Half/None   Disabled  *19   128       Forwarding  s0

Configuring link aggregation groups

The Passport 1600 supports up to seven multilink trunking (MLT) groups with up to four ports per group. Each MLT group has a flooding port. You use the flooding port to flood packets with unknown MAC destinations. For this example, you create MLT group 1 with ports 1/27 and 1/28. Figure 264 illustrates this configuration example.

Figure 264 Configuration example — creating MLT group with ports 27 and 28 (Passport 1648T ports 27 and 28 to a Passport 8600)

Configuration example — configuring link aggregation groups

This section describes how to configure the Passport 1600 Series switch for this example.
For more information about the commands used in this section, see Chapter 7, “Configuring link aggregation groups.”

1 Create MLT group 1:
PP1648T:4# create link_aggregation group_id 1

2 Add the MLT ports to MLT group 1:
PP1648T:4# config link_aggregation group_id 1 master_port 27 ports 27-28 state enabled

3 View the MLT configuration:
PP1648T:4# show link_aggregation

Enabling OSPF

For this example, you create two new VLANs, as follows:
• Create VLAN 2 using untagged port 12 and add IP address 10.50.1.1/24.
• Create VLAN 3 using untagged port 49 and add IP address 10.1.1.66/30.
• Enable OSPF area 0 for both VLAN 2 and VLAN 3.
• Add an OSPF router ID of 10.50.1.1.
• Set the router priority so that the Passport 1648T never becomes the Designated Router.

Figure 265 illustrates this configuration example.

Figure 265 Configuration example — enabling OSPF in the default area 0 (Passport 1648T: VLAN 2 10.50.1.0/24 .1; VLAN 3 10.1.1.68/30 .69, neighbor .70 in OSPF Area 0)

Configuration example — enabling OSPF globally

This section describes how to configure the Passport 1600 Series switch for this example.
For more information about the commands used in this section, see Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Enable OSPF globally, using the following command:
PP1648T:4# enable ospf

2 Add VLAN 2. The following command creates VLAN 2 with a VLAN name of vlan_2:
PP1648T:4# create vlan vlan_2 vid 2

3 Add untagged ports to VLAN 2. The following command adds untagged port 12 to VLAN 2:
PP1648T:4# config vlan vlan_2 add untagged 12

4 Add an IP address to VLAN 2. The following command creates an IP interface with the name ip_2 and adds it to VLAN 2:
PP1648T:4# create ipif ip_2 10.50.1.1/25 vlan_2 state enabled

5 Enable OSPF on VLAN 2, using the following command:
PP1648T:4# config ospf ipif ip_2 state enabled

6 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49

7 Add an IP address to VLAN 3. The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled

8 Enable OSPF on VLAN 3:
PP1648T:4# config ospf ipif ip_3 state enabled

9 Add OSPF router ID 10.50.1.1:
PP1648T:4# config ospf router_id 10.50.1.1

10 Configure the OSPF router priority to 0 for IP interfaces ip_2 and ip_3:
PP1648T:4# config ospf ipif ip_2 area 0.0.0.0 priority 0
PP1648T:4# config ospf ipif ip_3 area 0.0.0.0 priority 0

11 Save the configuration:
PP1648T:4# save

12 Use the following show commands:
PP1648T:4# show ospf
PP1648T:4# show ospf lsdb
PP1648T:4# show ospf ipif <ipif name>
PP1648T:4# show ospf area
PP1648T:4# show ospf neighbor
PP1648T:4# show ospf aggregation
PP1648T:4# show ospf host_route
PP1648T:4# show ospf virtual_link
PP1648T:4# show ospf virtual_neighbor
PP1648T:4# show ospf all
PP1648T:4# show iproute
PP1648T:4# show ipif
PP1648T:4# show arpentry
PP1648T:4# ping <ip address>
PP1648T:4# traceroute <ip address>
PP1648T:4# traceroute <ip address> {ttl <value 1-60>|port <value 30000-64900>|timeout <sec 1-65535>|probe <value 1-9>}

Viewing OSPF status and routes

To view OSPF status and routes, use the following command:
PP1648T:4# show ospf
Command: show ospf
OSPF Router ID : 10.50.1.1      State : Enabled

OSPF Interface Settings
Interface     IP Address          Area ID          State     Link Status  Metric
------------  ------------------  ---------------  --------  -----------  ------
ip_3          10.1.1.69/30        0.0.0.0          Enabled   Link Up      1
ip_2          10.50.1.1/24        0.0.0.0          Enabled   Link Up      1
System        10.1.1.10/24        0.0.0.0          Disabled  Link Up      1
Total Entries : 3

OSPF Area Settings
Area ID          Type    Stub Import Summary LSA  Stub Default Cost
---------------  ------  -----------------------  -----------------
0.0.0.0          Normal  None                     None
Total Entries : 1

Virtual Interface Configuration
Transit Area ID  Virtual Neighbor Router  Hello Interval  Dead Interval  Authentication  Link Status
---------------  -----------------------  --------------  -------------  --------------  -----------
Total Entries : 0

OSPF Area Aggregation Settings
Area ID          Aggregated Network Address  LSDB Type  Advertise
---------------  --------------------------  ---------  ---------
Total Entries : 0

OSPF Host Route Settings
Host Address     Metric  Area ID          TOS
---------------  ------  ---------------  ---
Total Entries : 0

Viewing OSPF neighbor status

To view OSPF neighbor status, use the following command:
PP1648T:4# show ospf neighbor
Command: show ospf neighbor
IP Address of Neighbor  Router ID of Neighbor  Neighbor Priority  Neighbor State
----------------------  ---------------------  -----------------  --------------
10.1.1.70               1.1.1.3                1                  Full
Total Entries: 1

Viewing OSPF LSDB

To view the OSPF link state database, use the following command:
PP1648T:4# show ospf lsdb
Command: show ospf lsdb
Area ID          LSDB Type  Advertising Router ID  Link State ID       Cost   Sequence Number
---------------  ---------  ---------------------  ------------------  -----  ---------------
0.0.0.0          RTRLink    1.1.1.1                1.1.1.1             *      0x800005DE
0.0.0.0          RTRLink    1.1.1.2                1.1.1.2             *      0x80000593
0.0.0.0          RTRLink    1.1.1.3                1.1.1.3             *      0x80000404
0.0.0.0          RTRLink    1.1.1.4                1.1.1.4             *      0x800005CC
0.0.0.0          RTRLink    1.1.1.10               1.1.1.10            *      0x80000521
0.0.0.0          RTRLink    1.1.1.55               1.1.1.55            *      0x800002A5
0.0.0.0          RTRLink    10.50.1.1              10.50.1.1           *      0x80000008
0.0.0.0          RTRLink    47.133.59.49           47.133.59.49        *      0x80000002
0.0.0.0          NETLink    1.1.1.3                10.1.1.2/30         *      0x80000397
0.0.0.0          NETLink    1.1.1.4                10.1.1.6/30         *      0x800004E9
0.0.0.0          NETLink    1.1.1.4                10.1.1.10/30        *      0x80000214
0.0.0.0          NETLink    1.1.1.3                10.1.1.14/30        *      0x80000244
0.0.0.0          NETLink    1.1.1.3                10.1.1.70/30        *      0x80000002
0.0.0.0          NETLink    1.1.1.1                10.20.1.1/24        *      0x8000029D
0.0.0.0          NETLink    1.1.1.4                90.1.1.1/24         *      0x80000128
0.0.0.0          ASExtLink  1.1.1.1                0.0.0.0             100    0x80000368
0.0.0.0          ASExtLink  1.1.1.3                1.1.1.1/32          60000  0x800003D5
Total Entries: 16

Viewing the Passport 1600 Series switch route table

To view the switch route table, use the following command:
PP1648T:4# show iproute
Command: show iproute
Routing Table
IP Address/Netmask  Gateway          Interface     Hops  Protocol
------------------  ---------------  ------------  ----  --------
0.0.0.0             47.133.59.1      System        1     Default
1.1.1.1/32          10.1.1.70        ip_3          12    OSPF
1.1.1.2/32          10.1.1.70        ip_3          12    OSPF
1.1.1.3/32          10.1.1.70        ip_3          11    OSPF
1.1.1.4/32          10.1.1.70        ip_3          13    OSPF
1.1.1.10/32         10.1.1.70        ip_3          14    OSPF
1.1.1.55/32         10.1.1.70        ip_3          13    OSPF
10.1.1.0/30         10.1.1.70        ip_3          2     OSPF
10.1.1.4/30         10.1.1.70        ip_3          3     OSPF
10.1.1.8/30         10.1.1.70        ip_3          3     OSPF
10.1.1.12/30        10.1.1.70        ip_3          2     OSPF
10.1.1.68/30        0.0.0.0          ip_3          1     Local
10.1.1.72/30        10.1.1.70        ip_3          4     OSPF
10.1.5.0/24         10.1.1.70        ip_3          12    OSPF
10.1.20.0/24        10.1.1.70        ip_3          12    OSPF
10.1.30.0/24        10.1.1.70        ip_3          11    OSPF
10.1.60.0/24        10.1.1.70        ip_3          12    OSPF
10.5.1.0/24         10.1.1.70        ip_3          11    OSPF
10.20.1.0/24        10.1.1.70        ip_3          12    OSPF
10.50.1.0/24        0.0.0.0          ip_2          1     Local
47.133.59.0/24      0.0.0.0          System        1     Local
90.1.1.0/24         10.1.1.70        ip_3          13    OSPF
Total Entries : 22

Configuring OSPF MD5 authentication

The Passport 1600 implementation of OSPF includes security mechanisms to prevent the OSPF routing domain from being attacked by unauthorized routers. This prevents someone from joining an OSPF domain and advertising false information in its OSPF LSAs. Likewise, it prevents a misconfigured router from joining an OSPF domain. The Passport 1600 Series switch supports both Simple and MD5 mechanisms. The Simple Password is a text password mechanism; only routers that contain the same authentication id in their LSA headers can communicate with each other. MD5 is the preferred method of OSPF security as it provides standards based (RFC 1321) authentication using 128-bit encryption. For this example, you enable MD5 authentication for the Passport 8600 using an MD5 key of passport1234. Figure 266 illustrates this configuration example.

Figure 266 Configuration example — MD5 authentication (Passport 1648T ipif = ip_3 to Passport 8600; configure MD5 key with 'passport 1234')

Configuration example — creating an MD5 key

This section describes how to configure the Passport 1600 Series switch for this example.
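To make concrete what the MD5 key configured in the steps below protects, here is an added example (not code from this guide or the switch) of the RFC 2328 Appendix D cryptographic authentication that OSPF MD5 performs: the sender appends the zero-padded 16-byte key to the packet, takes the MD5 digest and appends it; the receiver recomputes the digest with the key selected by the Key ID and also checks the cryptographic sequence number. The Hello body, the key passport1234, key ID 1, router ID 10.50.1.1 and neighbor 1.1.1.3 are taken from this chapter's examples; the packet bytes themselves are constructed here.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
HELLO = 1                   # OSPF packet type 1
AUTYPE_CRYPTOGRAPHIC = 2    # RFC 2328 Appendix D: AuType 2 = cryptographic (MD5)
HEADER_LEN = 24             # fixed OSPFv2 packet header
DIGEST_LEN = 16             # MD5 digest appended after the packet


def pad_key(key):
    """OSPF MD5 keys are 16 bytes; shorter keys are zero-padded, longer ones rejected."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def hello_body(netmask, hello_interval, priority, dead_interval,
               dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Build an OSPF Hello body (RFC 2328 A.3.2); Options carries only the E bit."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(netmask).packed, hello_interval,
                       0x02, priority, dead_interval,
                       IPv4Address(dr).packed, IPv4Address(bdr).packed)
    return body + b"".join(IPv4Address(n).packed for n in neighbors)


def sign_packet(pkt_type, router_id, area_id, body, key_id, key, seq):
    """Return an OSPF packet carrying cryptographic authentication.

    With AuType 2 the checksum is zero and the 64-bit Authentication field holds
    0, Key ID, Auth Data Length (16) and the cryptographic sequence number.  The
    digest is MD5(packet || padded key), appended after the packet and not counted
    in the header's packet length.
    """
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, pkt_type, length,
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(datagram, keys, last_seq=None):
    """Receiver side: returns (accepted, reason, seq).

    keys maps Key ID -> key bytes, the counterpart of 'config md5 key'.  last_seq is
    the highest sequence number already accepted from this neighbour; RFC 2328
    D.4.3 rejects anything lower, which defeats replay of an old valid packet.
    """
    if len(datagram) < HEADER_LEN + DIGEST_LEN:
        return False, "too short", None
    (ver, _type, length, _rid, _aid, _csum, autype, zero, key_id, auth_len,
     seq) = struct.unpack("!BBH4s4sHHHBBI", datagram[:HEADER_LEN])
    if ver != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "not an OSPFv2 packet with cryptographic authentication", None
    if zero != 0 or auth_len != DIGEST_LEN or length + DIGEST_LEN != len(datagram):
        return False, "malformed authentication trailer", None
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id, None
    packet, received = datagram[:length], datagram[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(received, expected):   # constant-time comparison
        return False, "digest mismatch", None
    if last_seq is not None and seq < last_seq:
        return False, "cryptographic sequence number went backwards", None
    return True, "ok", seq


if __name__ == "__main__":
    # Constructed sample: a Hello with router ID 10.50.1.1 and priority 0 (as in the
    # OSPF example above), signed with key id 1 / passport1234.
    keys = {1: b"passport1234"}
    hello = hello_body("255.255.255.252", 10, 0, 40, neighbors=["1.1.1.3"])
    pkt = sign_packet(HELLO, "10.50.1.1", "0.0.0.0", hello, 1, keys[1], seq=100)
    print(verify_packet(pkt, keys))                           # accepted
    print(verify_packet(pkt, {1: b"wrongkey"}))               # digest mismatch
    print(verify_packet(pkt, keys, last_seq=101))             # replay rejected
    forged = bytearray(pkt)
    forged[HEADER_LEN + 7] ^= 0x01                            # flip one bit of the body
    print(verify_packet(bytes(forged), keys))                 # digest mismatch
```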
For more information about the commands used in this section, see Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Create the MD5 key for the Passport 8600:
PP1648T:4# create md5 key 1 PP8600

2 Assign the password passport1234 to the MD5 key:
PP1648T:4# config md5 key 1 passport1234

3 Add the MD5 key to the appropriate OSPF interface:
PP1648T:4# config ospf ipif ip_3 authentication md5 1

4 View the MD5 configuration:
PP1648T:4# show md5

Configuring an OSPF stub area

A stub area does not receive advertisements for external routes (AS-external LSAs, type 5) from an Area Border Router, which reduces the size of the link state database. Instead, routing to external destinations from within a stub area is based simply on the default route originated by a stub area border router. A stub area has only one area border router. Any packets destined outside the area are simply routed to that area border exit point, where the packets are examined by the area border router and forwarded to a destination. ASBRs cannot be supported within a stub area. Without AS-external LSAs, stub areas cannot support virtual links.

For this example, you create a stub area and two new VLANs, as follows:
• Create a stub area with an area ID of 0.0.0.2.
• Create VLAN 2 using untagged port 12.
• Add the stub area to VLAN 2.
• Create VLAN 3 using untagged port 49.
• Enable OSPF on VLAN 3.
• Add OSPF router ID 10.50.1.1.

Figure 267 illustrates this configuration example.

Figure 267 Configuration example — OSPF stub area (Passport 1648T: VLAN 2 10.50.1.1/24 in Stub Area 2; VLAN 3 10.1.1.68/30 .69 to Passport 8600 .70 in Area 0)

Configuration example — configuring a stub area

This section describes how to configure the Passport 1600 Series switch for this example.
For more information about the commands used in this section, see Chapter 6, “Configuring VLANs” and Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Enable OSPF globally:
PP1648T:4# enable ospf

2 Create a stub area with an area ID of 0.0.0.2:
PP1648T:4# create ospf area 0.0.0.2 type stub

3 Add VLAN 2:
a The following command creates VLAN 2 with a VLAN name of vlan_2:
PP1648T:4# create vlan vlan_2 vid 2
b The following command adds untagged port 12 to VLAN 2:
PP1648T:4# config vlan vlan_2 add untagged 12
c The following command creates an IP interface with the name ip_2 and adds it to VLAN 2:
PP1648T:4# create ipif ip_2 10.50.1.1/24 vlan_2 state enabled

4 Add OSPF stub area 2 to VLAN 2:
PP1648T:4# config ospf ipif ip_2 area 0.0.0.2 state enable

5 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled

6 Enable OSPF on VLAN 3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.2 state enable

7 Add an OSPF router ID of 10.50.1.1:
PP1648T:4# config ospf router_id 10.50.1.1

8 Save the configuration:
PP1648T:4# save

Configuring OSPF route distribution

For this example, you configure the Passport 1600 switch to redistribute:
• OSPF routes to RIP
• RIP to OSPF using External Type 1 metrics
• Local interfaces to OSPF using External Type 1 metrics

Figure 268 illustrates this configuration example.
Figure 268 Configuration example — OSPF route distribution (Passport 1648T as OSPF ASBR: VLAN 4 10.1.1.76/30 .77 to a RIP router .78; VLAN 3 10.1.1.68/30 .69 to OSPF Area 0 .70)

Configuration example — configuring OSPF route distribution

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 6, “Configuring VLANs,” Chapter 10, “Configuring ARP, RIP, and OSPF,” and Chapter 11, “Configuring IP routes and route redistribution.”

1 Enable OSPF globally:
PP1648T:4# enable ospf

2 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled

3 Enable OSPF on VLAN 3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.2 state enable

4 Add an OSPF router ID of 10.1.1.69:
PP1648T:4# config ospf router_id 10.1.1.69

5 Configure an OSPF router priority of 0 for IP interface ip_3:
PP1648T:4# config ospf ipif ip_3 area 0.0.0.0 priority 0

6 Add VLAN 4:
a The following command creates VLAN 4 with a VLAN name of vlan_4:
PP1648T:4# create vlan vlan_4 vid 4
b The following command adds untagged port 12 to VLAN 4:
PP1648T:4# config vlan vlan_4 add untagged 12
c The following command creates an IP interface with the name ip_4 and adds it to VLAN 4:
PP1648T:4# create ipif ip_4 10.1.1.77/30 vlan_4 state enabled

7 Add RIP to VLAN 4:
PP1648T:4# config rip ipif ip_4 state enabled

8 Configure VLAN 4 to operate in RIP version 2 only:
PP1648T:4# config rip ipif ip_4 tx_mode v2_only rx_mode v2_only

9 Enable RIP:
PP1648T:4# enable rip

10 Configure route redistribution from OSPF to RIP:
PP1648T:4# create route redistribute dst rip src ospf all

11 Configure route redistribution to redistribute RIP routes to OSPF using a metric value of Type-1:
PP1648T:4# create route redistribute dst ospf src rip mettype 1

12 Configure route redistribution to redistribute the Passport 1600 local interfaces to OSPF using a metric value of Type-1:
PP1648T:4# create route redistribute dst ospf src local mettype 1

13 Save the configuration:
PP1648T:4# save

Configuring RIP base

For this example, you create two VLANs, as follows:
• Create VLAN 2 using untagged port 12
• Create VLAN 3 using untagged GigE port 49
• Enable RIP for both VLAN 2 and VLAN 3

Figure 269 illustrates this configuration example.

Figure 269 Configuration example — RIP base (Passport 1648T: VLAN 2 10.50.1.0/24 .1; VLAN 3 10.1.1.68/30 .69, RIP neighbor .70)

Configuration example — configuring RIP base

This section describes how to configure the Passport 1600 Series switch for this example.
For more information about the commands used in this section, see Chapter 6, “Configuring VLANs” and Chapter 10, “Configuring ARP, RIP, and OSPF.”

1 Enable RIP globally:
PP1648T:4# enable rip

2 Add VLAN 3:
a The following command creates VLAN 3 with a VLAN name of vlan_3:
PP1648T:4# create vlan vlan_3 vid 3
b The following command adds untagged port 49 to VLAN 3:
PP1648T:4# config vlan vlan_3 add untagged 49
c The following command creates an IP interface with the name ip_3 and adds it to VLAN 3:
PP1648T:4# create ipif ip_3 10.1.1.69/30 vlan_3 state enabled

3 Enable RIP on VLAN 3:
PP1648T:4# config rip ipif ip_3 state enable

4 Add VLAN 2:
a The following command creates VLAN 2 with a VLAN name of vlan_2:
PP1648T:4# create vlan vlan_2 vid 2
b The following command adds untagged ports 12, 13, and 14 to VLAN 2:
PP1648T:4# config vlan vlan_2 add untagged 12-14
c The following command creates an IP interface with the name ip_2 and address 10.50.1.1/24 and adds it to VLAN 2:
PP1648T:4# create ipif ip_2 10.50.1.1/24 vlan_2 state enabled

5 Enable RIP on VLAN 2:
PP1648T:4# config rip ipif ip_2 state enable

6 Save the configuration:
PP1648T:4# save

7 Use the following show commands:
PP1648T:4# show rip
PP1648T:4# show rip ipif <ipif name>
PP1648T:4# show iproute
PP1648T:4# show ipif
PP1648T:4# show arpentry
PP1648T:4# ping <ip address>
PP1648T:4# traceroute <ip address>
PP1648T:4# traceroute <ip address> {ttl <value 1-60>|port <value 30000-64900>|timeout <sec 1-65535>|probe <value 1-9>}

Selecting Tx and Rx RIP v2 mode

By default, the Passport 1600 Series switch uses RIP v1_compatible transmit mode and RIP v1_and_v2 receive mode. This allows the Passport 8600 to operate in both RIP modes of operation.
The Passport 1600 supports four transmit modes:
• Disabled – indicates that no RIP updates are sent on this interface
• V1_only – specifies only RIP v1 packet updates
• V2_only – specifies only RIP v2 packet updates
• V1_compatible – specifies only broadcast RIP v2 updates

The Passport 1600 supports four receive modes:
• Disabled – prevents the reception of RIP packets
• V1_only – specifies that only RIP v1 packets will be accepted
• V2_only – specifies that only RIP v2 packets will be accepted
• V1_and_v2 – specifies that both RIP v1 and v2 packets will be accepted

Configuration example — configuring RIP TX and RX mode to v2

To configure the RIP transmit and receive mode to version 2, use the following command:
PP1648T:4# config rip ipif ip_4 tx_mode v2_only rx_mode v2_only state enabled

For more information about this command, see Chapter 10, “Configuring ARP, RIP, and OSPF.”

Configuring broadcast and multicast storm control

You can configure the Passport 1600 Series switch to limit the amount of broadcast or multicast traffic received on a port. The threshold is expressed as a percentage from 10 to 100 percent.
For more information about the commands used in this section, see Chapter 9, “Configuring traffic filters.”

Configuration example — enabling thresholds

To enable the broadcast threshold, use the following command:
PP1648T:4# config traffic control <port number> broadcast enabled threshold <percentage 10-100>

To enable the multicast threshold, use the following command:
PP1648T:4# config traffic control <port number> multicast enabled threshold <percentage 10-100>

Displaying thresholds

To display the configured thresholds, use the following show commands:
PP1648T:4# show traffic control
PP1648T:4# show traffic control ports <port list>

Configuring egress queue weight

The Passport 1600 Series switch contains 4 hardware priority queues. Three of these queues use Deficit Weighted Round Robin, while the fourth uses Strict Priority. Incoming packets are mapped to one of these four queues. By default, the weight is assigned evenly for all the Deficit Weighted Round Robin ports. To view the queues, use the following command:
PP1648T:4# show scheduling
Command: show scheduling
Port Scheduling Table:
Port    Traffic Class 0  Traffic Class 1  Traffic Class 2  Traffic Class 3
------  ---------------  ---------------  ---------------  ---------------
1       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority
2       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority
3       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority
4       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority
5       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority
6       WRR Sched 6      WRR Sched 6      WRR Sched 6      Strict Priority

The output from the show scheduling command shows that the weights assigned to Traffic Classes 0 to 2, inclusive, are all configured to the same value of 6. You can change this value, using a range from 0 to 255.
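The weight is the number of packets a queue may send in one scheduling round, with traffic class 3 served by strict priority ahead of the three DWRR classes. The following model is an added example, not switch code, of the round described in this section; it uses the weights 25, 65 and 165 configured on port 39 later in this section and assumes, as a model, that a queue with nothing queued is skipped and that the strict-priority queue is drained before each round.

```python
from collections import Counter

STRICT_QUEUE = 3          # traffic class 3: strict priority, served first
DWRR_ORDER = (2, 1, 0)    # DWRR classes served highest to lowest, as the guide describes


def schedule(max_packet, backlog, slots):
    """Return the queue id transmitted in each of `slots` packet slots.

    max_packet: {queue: weight} for classes 0-2 (the switch's 0-255 range; a weight
    of 0 starves that queue).  backlog: {queue: packets waiting}, None meaning
    always backlogged.  Model assumptions: queue 3 is drained completely before
    each DWRR round, each DWRR queue then sends up to its weight, and a queue with
    nothing queued is skipped.
    """
    pending = {q: backlog.get(q, 0) for q in range(4)}
    order = []

    def send(q, limit):
        sent = 0
        while (len(order) < slots and (limit is None or sent < limit)
               and (pending[q] is None or pending[q] > 0)):
            order.append(q)
            if pending[q] is not None:
                pending[q] -= 1
            sent += 1

    while len(order) < slots:
        before = len(order)
        send(STRICT_QUEUE, None)
        for q in DWRR_ORDER:
            send(q, max_packet.get(q, 0))
        if len(order) == before:      # every queue empty: nothing more to send
            break
    return order


def shares(order):
    """Percentage of transmitted packets per queue, rounded to 0.1%."""
    total = len(order)
    return {q: round(100.0 * n / total, 1) for q, n in sorted(Counter(order).items())}


def expected_shares(max_packet):
    """Long-run DWRR share when classes 0-2 are always backlogged and class 3 is idle."""
    total = sum(max_packet.values())
    return {q: round(100.0 * w / total, 1) for q, w in sorted(max_packet.items())}


PORT39 = {0: 25, 1: 65, 2: 165}   # 'config scheduling ports 39 class_id N max_packet W'

if __name__ == "__main__":
    always = {0: None, 1: None, 2: None}
    print(expected_shares(PORT39))                    # {0: 9.8, 1: 25.5, 2: 64.7}
    print(shares(schedule(PORT39, always, 1020)))     # same split after four rounds
    # A burst of 200 packets in the strict-priority class goes out before any DWRR
    # packet: the weights only divide what strict priority leaves over.
    print(shares(schedule(PORT39, {**always, 3: 200}, 1020)))
    # With the default weight of 6 on every class the split is even.
    print(shares(schedule({0: 6, 1: 6, 2: 6}, always, 180)))
```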
This value specifies the maximum number of packets a given hardware priority queue can transmit before allowing the next lowest hardware priority queue to begin transmitting its packets. For example, if you specify 3, then the highest hardware priority queue (number 3) is allowed to transmit 3 packets; the next lowest hardware priority queue (number 2) is allowed to transmit 3 packets, and so on, until all of the queues have transmitted 3 packets. The process then repeats.

For this example, you prioritize traffic on egress port 39, as shown below:

802.1p value  Default PP1600 priority queue  Configured queue weight desired
------------  -----------------------------  -------------------------------
5,6           2                              65%
3,4           1                              25%
0,1,2         0                              10%

Figure 270 Configuration example — egress queue weight (Passport 1648T: ingress traffic with 802.1p = 2, 3 and 5 scheduled on egress port 39)

Configuration example — configuring port scheduling

This section shows how to configure the Passport 1600 Series switch for this example. For more information about the following commands, see Chapter 8, “Configuring QoS.”
PP1648T:4# config scheduling ports 39 class_id 0 max_packet 25
PP1648T:4# config scheduling ports 39 class_id 1 max_packet 65
PP1648T:4# config scheduling ports 39 class_id 2 max_packet 165

Configuring QoS and IP filtering

To configure filters on the Passport 1600, you perform the following steps:
1 Configure the template mode
2 Configure the flow classifiers
3 Configure the template rule
4 Add the template rule to a VLAN

For more information about the commands used in the following sections, see Chapter 8, “Configuring QoS.”

Step 1: Configuring the template mode

The Passport 1600 supports two base templates that can be programmed in one of three modes:
• Security – when a template operates in security mode, it acts like a source IP filter. Packets that match a rule are considered dangerous to network security and are unconditionally dropped.
• QoS – when a template operates in QoS mode, packets that match require some level of bandwidth guarantee.
• l4_switch – when a template operates in l4_switch mode, you must further define the combination of fields of the packet header (IP and L4 header) to be examined.

To configure Template 1:
PP1648T:4# config flow_classifier template_1 mode <security qos l4_switch>

To configure Template 2:
PP1648T:4# config flow_classifier template_2 mode <security qos l4_switch>

Step 2: Configuring the flow classifiers

The following sections describe how to configure the L4_switch and the QoS flow classifiers.

Configuring the L4_switch flow classifier

By default, the L4_switch classifier is used for Template 1. When configuring the L4_switch template mode, there are three types of sessions available, with various fields available under each session:
• TCP Session
• UDP Session
• Other Session

The following displays the various fields available for each session:
• Tcp_session field options
— dip – whether the destination IP address must be checked or not
— sip – whether the source IP address must be checked or not
— tos – whether the IP ToS field must be checked or not
— dst_port – whether the destination TCP port number must be checked or not
— src_port – whether the source TCP port number must be checked or not
— tcp_flags – whether the TCP flags must be checked or not
• Udp_session field options
— dip – whether the destination IP address must be checked or not
— sip – whether the source IP address must be checked or not
— tos – whether the IP ToS field must be checked or not
— dst_port – whether the destination UDP port number must be checked or not
— src_port – whether the source UDP port number must be checked or not
• Other_session field options
— dip – whether the destination IP address must be checked or not
— sip – whether the source IP address must be checked or not
— tos – whether the IP ToS field must be checked or not
— l4_protocol – whether the L4 protocol must be checked or not
— icmp_msg – whether the ICMP message must be checked or not
— igmp_type – whether the IGMP type must be checked or not

Configuration examples — configuring the L4_switch classifier

To configure TCP session fields, use the following command:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}

For example, if you want the switch to search for the TCP destination port and destination IP address only in an incoming packet’s TCP header, enter the following command:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip dst_port

To configure UDP session fields, use the following command:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session udp_session fields {dip|sip|tos|dst_port|src_port|tcp_flags}

To configure Other session fields, use the following command:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session other_session fields {dip|sip|tos|l4_protocol|icmp_msg|igmp_type}

To configure all optional settings, enter the following command:
PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip sip tos dst_port src_port tcp_flags udp_session fields dip sip tos dst_port src_port other_session fields dip sip tos l4_protocol icmp_msg igmp_type

Configuring the QoS flow classifier

By default, the QoS classifier is used for Template 2.
The following list defines what characteristics an incoming packet must meet: • • • • • 802.1p DSCP IP TCP UDP Command Line Interface Reference Guide for the Passport 1600 Series Layer 3 Switch, Version 1.1 442 Chapter 17 CLI configuration examples Configuration example — configuring the QoS flow classifier To configure the QoS flow classifier, enter the following command: PP1648T:4# config flow_classifier template_id 2 mode_parameters qos_flavor <802.1p dscp dst_ip dst_tcp_port dst_udp_port> Step 3: Configuring the template rule Once the template and flow classifier has been configured, you need to configure a template rule. When configuring the template rule, you need to define which template ID to use: L4_switch or QoS. The list of available options depends on how you configured the flow classifier. Configuration example — using the L4_switch template Depending on the flow classifier fields you selected (see page 440), enter all the appropriate files. The following command is an example using TCP session: PP1648T:4# create l4_switch_rule template_id <1-2> tcp_session fields sip <src IP address> tos <ToS value in hex> dst_port <dst TCP port number> src_port <src TCP port number> action {drop|forward|redirect} Configuration example — using the QoS template Depending on the flow classifier fields you selected (see page 442), enter all the appropriate files. The following command is an example using IP as the selected QoS flow classifier: PP1648T:4# create qos_rule template_id <1-2> dst_tcp_port <TCP Port Number> priority <1-7> 316862-A Rev 00 Chapter 17 CLI configuration examples 443 Step 4: Binding the template rule to a VLAN The final step is to bind the template rule or rules configured in the Step 3 to the appropriate VLAN or VLANs. Note: You can only bind one template ID to a VLAN. 
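The four steps above, together with the redirect action used in the forward-to-next-hop example later in this chapter, can be followed in a small Python model of how a template, its flow classifier fields, its rules and the VLAN attachment fit together. This is an added illustration, not Nortel code and not the switch's own logic. It assumes first-match rule evaluation, normal forwarding when no rule matches, one template per VLAN, and that a rule may only use fields its template's classifier examines; none of these is stated on the page. The sample packets, class and function names are constructed for the demo; the VLAN numbers, ports and next hop follow the page's "Dropping TCP flows" and forward-to-next-hop examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fields the page lists for each L4_switch session type.
SESSION_FIELDS: Dict[str, Set[str]] = {
    "tcp_session": {"dip", "sip", "tos", "dst_port", "src_port", "tcp_flags"},
    "udp_session": {"dip", "sip", "tos", "dst_port", "src_port"},
    "other_session": {"dip", "sip", "tos", "l4_protocol", "icmp_msg", "igmp_type"},
}


def supports_field(session: str, name: str) -> bool:
    """True if the page lists `name` as a valid field for `session`."""
    return name in SESSION_FIELDS.get(session, set())


@dataclass
class Rule:
    session: str                            # tcp_session | udp_session | other_session
    match: Dict[str, object]                # field -> value, e.g. {"dst_port": 21}
    action: str                             # drop | forward | redirect
    next_hop: Optional[str] = None          # redirect target
    unreachable_next_hop: str = "forward"   # fallback if next_hop is down (assumed default)


@dataclass
class Template:
    template_id: int
    mode: str
    fields: Dict[str, Set[str]] = field(default_factory=dict)  # session -> examined fields
    rules: List[Rule] = field(default_factory=list)


class FlowClassifier:
    """Switch-wide model: template 1 defaults to L4_switch, template 2 to QoS (per the page)."""

    def __init__(self) -> None:
        self.templates = {1: Template(1, "l4_switch"), 2: Template(2, "qos")}
        self.vlan_attach: Dict[int, int] = {}   # VLAN -> template ID (one template per VLAN)

    def set_fields(self, template_id: int, session: str, fields: List[str]) -> None:
        """config flow_classifier template_id N mode_parameters l4_session <session> fields ..."""
        unknown = [f for f in fields if not supports_field(session, f)]
        if unknown:
            raise ValueError(f"{session} has no fields {unknown}")
        self.templates[template_id].fields[session] = set(fields)

    def create_rule(self, template_id: int, rule: Rule) -> None:
        """create l4_switch_rule template_id N <session> fields ... action ... (validation assumed)."""
        examined = self.templates[template_id].fields.get(rule.session, set())
        ignored = set(rule.match) - examined
        if ignored:
            # The classifier never looks at these fields, so the rule would be broader than it reads.
            raise ValueError(f"template {template_id} does not examine {sorted(ignored)}")
        self.templates[template_id].rules.append(rule)

    def attach(self, vlan: int, template_id: int) -> None:
        """config flow_classifier vlan N attach template_id M; re-attaching replaces (assumed)."""
        self.vlan_attach[vlan] = template_id

    def classify(self, vlan: int, packet: Dict[str, object],
                 reachable: Set[str]) -> Tuple[str, Optional[str]]:
        """Return (action, next_hop) for a packet arriving on `vlan`; first match wins (assumed)."""
        template_id = self.vlan_attach.get(vlan)
        if template_id is None:
            return ("forward", None)          # no template on this VLAN: normal forwarding
        for rule in self.templates[template_id].rules:
            if rule.session != packet["session"]:
                continue
            if all(packet.get(f) == v for f, v in rule.match.items()):
                if rule.action != "redirect":
                    return (rule.action, None)
                if rule.next_hop in reachable:
                    return ("redirect", rule.next_hop)
                return (rule.unreachable_next_hop, None)   # unreachable_next_hop fallback
        return ("forward", None)


def drop_telnet_ftp_example() -> List[Tuple[str, Optional[str]]]:
    """Page's 'Dropping TCP flows' example: drop TCP/21 and TCP/23 on VLAN 10 only."""
    fc = FlowClassifier()
    fc.set_fields(1, "tcp_session", ["dst_port"])
    fc.create_rule(1, Rule("tcp_session", {"dst_port": 21}, "drop"))
    fc.create_rule(1, Rule("tcp_session", {"dst_port": 23}, "drop"))
    fc.attach(10, 1)
    samples = [   # constructed packets: (ingress VLAN, header summary)
        (10, {"session": "tcp_session", "dip": "192.85.11.5", "dst_port": 23}),  # Telnet, VLAN 10
        (10, {"session": "tcp_session", "dip": "192.85.11.5", "dst_port": 80}),  # HTTP, VLAN 10
        (11, {"session": "tcp_session", "dip": "192.85.10.5", "dst_port": 23}),  # Telnet, VLAN 11
    ]
    return [fc.classify(vlan, pkt, set()) for vlan, pkt in samples]


def redirect_example(next_hop_up: bool) -> Tuple[str, Optional[str]]:
    """Page's forward-to-next-hop example: TCP/21 to 192.4.4.3 is redirected to 10.1.1.73."""
    fc = FlowClassifier()
    fc.set_fields(1, "tcp_session", ["dip", "dst_port"])
    fc.create_rule(1, Rule("tcp_session", {"dip": "192.4.4.3", "dst_port": 21},
                           "redirect", "10.1.1.73", "forward"))
    fc.attach(10, 1)
    pkt = {"session": "tcp_session", "dip": "192.4.4.3", "dst_port": 21}
    return fc.classify(10, pkt, {"10.1.1.73"} if next_hop_up else set())
```

Running drop_telnet_ftp_example() shows why the attachment step matters: the same Telnet packet is dropped on VLAN 10 but forwarded on VLAN 11, which has no template attached. redirect_example(False) shows the unreachable_next_hop forward fallback restoring normal forwarding when the chosen next hop is down, and set_fields rejects tcp_flags for a UDP session, matching the field lists above.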
Configuration example — adding the template to a VLAN

To add the template to the appropriate VLAN, enter the following command:

PP1648T:4# config flow_classifier vlan <vlan_name> attach template_id <value 1-2>

Once the filter has been defined, you can view the flow classifier configuration by entering the following command:

PP1648T:4# show flow_classifier

Setting QoS priority for destination TCP flows

For this example, you prioritize traffic based on the TCP destination port number and apply the QoS priority to all the ingress VLANs. Prioritize the traffic using the following values:

• Destination TCP Port = 80 to QoS Level 0
• Destination TCP Port = 23 to QoS Level 3
• Destination TCP Port = 21 to QoS Level 5

Figure 271 illustrates this configuration example.

Figure 271 Configuration example — setting QoS priority (Passport 1648T; ingress VLAN 10, 192.85.10.1/24; VLAN 11, 192.85.11.1/24; VLAN 12, 192.85.11.1/24; VLAN 13, 192.85.13.1/24; port 39 is the egress port)

Configuration example — setting QoS priority for destination TCP flows

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 8, “Configuring QoS.”

After you configure the appropriate VLANs and IP addresses, create the IP template. By default, the template mode for QoS is already enabled using ID = 2. If it is not, enter the following command:

PP1648T:4# config flow_classifier template_2 mode qos

To configure the QoS flow classifier, enter the following command:

PP1648T:4# config flow_classifier template_id 2 mode_parameters qos_flavor dst_tcp_port

To configure the QoS template rules, enter the following commands:

PP1648T:4# create qos_rule template_id 2 dst_tcp_port 80 priority 0
PP1648T:4# create qos_rule template_id 2 dst_tcp_port 23 priority 3
PP1648T:4# create qos_rule template_id 2 dst_tcp_port 21 priority 5

To attach the newly created template rules to all the appropriate VLANs, enter the following commands:

PP1648T:4# config flow_classifier vlan 10 attach template_id 2
PP1648T:4# config flow_classifier vlan 11 attach template_id 2
PP1648T:4# config flow_classifier vlan 12 attach template_id 2

Dropping TCP flows

For this example, you drop both TELNET and FTP from egressing from VLAN 10 only. Figure 272 illustrates this configuration example.

Figure 272 Configuration example — dropping TCP flows (Passport 1648T; ingress VLAN 10, 192.85.10.1/24; VLAN 11, 192.85.11.1/24; VLAN 12, 192.85.11.1/24; VLAN 13, 192.85.13.1/24; port 39 is the egress port)

Configuration example — dropping TCP flows

This section describes how to configure filtering on the Passport 1600 Series switch for this example, which assumes that you have already configured VLAN 10, VLAN 11, and VLAN 12. For more information about the commands used in this section, see Chapter 8, “Configuring QoS.”

After you have configured the VLANs and IP addresses, create the IP template. By default, the template mode for L4_switch is already enabled using ID = 1. If it has not already been enabled, enter the following command:

PP1648T:4# config flow_classifier template_1 mode l4_switch

To configure the L4_switch flow classifier, enter the following command:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dst_port

To configure the L4_switch template rules, enter the following commands:

PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dst_port 21 action drop
PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dst_port 23 action drop

To attach the newly created template rules to the appropriate VLAN, enter the following command:

PP1648T:4# config flow_classifier vlan 10 attach template_id 1

Viewing the template rule

To view the template rule, enter the following command:

PP1648T:4# show template_rule template_id 1

Filtering MAC addresses

The Passport 1600 Series switch can be configured to filter on a specific MAC address on a per-VLAN basis. For this example, you add a filter to drop MAC address 00:00:00:00:00:0a from VLAN 10. Figure 273 illustrates this configuration example.

Figure 273 Configuration example — filtering MAC addresses (Passport 1648T; ingress VLAN 10, 192.85.10.1/24; VLAN 13, 192.85.13.1/24; port 39 is the egress port)

Configuration example — filtering MAC addresses

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 9, “Configuring traffic filters.”

To add the MAC filter, enter the following command:

PP1648T:4# create fdbfilter vlan 10 mac_address 00-00-00-00-00-0A

To delete the MAC filter, enter the following command:

PP1648T:4# delete fdbfilter vlan 10 mac_address 00-00-00-00-00-0a

Viewing the fdb filter

To view the fdb filter, enter the following command:

PP1648T:4# show fdbfilter

Configuring forward-to-next-hop

When you use the L4_switch template mode, one of the action items is redirect, which provides a forward-to-next-hop action. For this example, you perform the following tasks:

• For all FTP traffic to host 192.4.4.3, use a next-hop of 10.1.1.74 to the Passport 8600B, instead of the shortest hop of 10.1.1.70 to the Passport 8600A.
• Use the shortest next-hop of 10.1.1.70 in case 10.1.1.74 should fail.
• Configure the Passport 1648T with an ACL to filter on destination IP = 192.4.4.3 and TCP port = 23, with a redirect (forward-to-next-hop) action to 10.1.1.74.

Figure 274 illustrates this configuration example.

Figure 274 Configuration example — forward-to-next-hop (Passport 1648T with VLAN 10, 192.85.10.3/24; link 10.1.1.68/30 (.69/.70) to Passport 8600A; link 10.1.1.72/30 (.73/.74) to Passport 8600B; destination host 192.4.4.3/24)

Configuration example — forward-to-next-hop

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 8, “Configuring QoS.”

By default, the template mode for L4_switch is already enabled using ID = 1. If it is not, use the following command:

PP1648T:4# config flow_classifier template_1 mode l4_switch

1 Configure the L4_switch flow classifier:

PP1648T:4# config flow_classifier template_id 1 mode_parameters l4_session tcp_session fields dip dst_port

2 Configure the L4_switch template rule:

PP1648T:4# create l4_switch_rule template_id 1 tcp_session fields dip 192.4.4.3 dst_port 21 action redirect 10.1.1.73 unreachable_next_hop forward

3 Attach the newly created template rule to all the appropriate VLANs:

PP1648T:4# config flow_classifier vlan 10 attach template_id 1

4 Use the following show command to view the configuration:

PP1648T:4# show flow_classifier
Flow Template Table:
Template ID: 1
Template Mode: L4_SWITCH
TCP Session: DST_IP DST_Port
UDP Session:
Other Session:
Rule Number: 1
Attached Vlan: 10

Template ID: 2
Template Mode: QOS
QoS Flavor: DESTINATION_TCP_PORT
Rule Number: 0
Attached Vlan:

Filtering IP addresses

You can configure the Passport 1600 Series switch to filter on specific destination IP addresses. Unlike MAC filtering, IP filtering is not associated with a VLAN or port; it is applied globally on the Passport 1600. For this example, you add an IP filter to block forwarding to IP address 10.1.1.10. Figure 275 illustrates this example.

Figure 275 Configuration example — filtering IP addresses (Passport 1648T; ingress VLAN 10, 192.85.10.1/24; VLAN 13, 192.85.13.1/24; port 39 is the egress port)

Configuration example — filtering IP addresses

This section describes how to configure the Passport 1600 Series switch for this example. For more information about the commands used in this section, see Chapter 9, “Configuring traffic filters.”

To create a destination IP filter, enter the following command:

PP1648T:4# create ipfilter type dst ip_address 192.85.10.10

To delete the IP filter, enter the following command:

PP1648T:4# delete ipfilter type dst ip_address 192.85.10.10

Viewing the IP filter

To view the destination IP filter, enter the following command:

PP1648T:4# show dst_ipfilter

Dropping fragmented IP packets

The Passport 1600 Series switch has a global parameter that enables you to allow or drop fragmented IP packets. When the filter is enabled, a packet is dropped by the Passport 1600 unless its IP Fragment field is 0x00 or 0x4000. For more information about the commands used in this section, see Chapter 9, “Configuring traffic filters.”

To enable the Passport 1600 to drop fragmented packets, enter the following command:

PP1648T:4# enable ip_fragment_filter

To display the status of the IP Fragment filter, enter the following command:

PP1648T:4# show ip_fragment_filter
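The fragment check described above, as an added Python illustration (not Nortel code): it extracts the 16-bit Flags/Fragment Offset word from a constructed IPv4 header and applies the page's rule that only the values 0x0000 and 0x4000 (Don't Fragment set, offset 0) are forwarded while the filter is enabled. The header builder, the sample values and the function names are assumptions made for the demo.

```python
import struct
from typing import List, Tuple

# Per the page: with the filter enabled, only these Flags/Fragment Offset values are forwarded.
ALLOWED_FRAGMENT_FIELDS = {0x0000, 0x4000}

DF_FLAG = 0x4000        # Don't Fragment
MF_FLAG = 0x2000        # More Fragments
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units


def ipv4_header(flags_fragment: int, src: str = "192.85.10.5", dst: str = "192.85.11.5",
                protocol: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left as zero)."""
    def pack_ip(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    # version/IHL, ToS, total length, ID, flags+offset, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_fragment & 0xFFFF,
                       64, protocol, 0, pack_ip(src), pack_ip(dst))


def fragment_field(packet: bytes) -> int:
    """Return the raw 16-bit Flags/Fragment Offset word (bytes 6-7) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return struct.unpack("!H", packet[6:8])[0]


def describe(flags_fragment: int) -> Tuple[bool, bool, int]:
    """Split the word into (DF set, MF set, offset in 8-byte units)."""
    return (bool(flags_fragment & DF_FLAG), bool(flags_fragment & MF_FLAG),
            flags_fragment & OFFSET_MASK)


def ip_fragment_filter(packet: bytes, enabled: bool = True) -> str:
    """Decide 'forward' or 'drop' the way the page describes ip_fragment_filter."""
    if not enabled:
        return "forward"
    return "forward" if fragment_field(packet) in ALLOWED_FRAGMENT_FIELDS else "drop"


def demo() -> List[Tuple[str, str]]:
    """Run constructed headers through the filter; anything fragmented is dropped."""
    samples = [
        ("unfragmented", 0x0000),
        ("DF set, not fragmented", 0x4000),
        ("first fragment (MF set)", 0x2000),
        ("later fragment (offset 1)", 0x0001),
        ("DF and MF both set", 0x6000),
    ]
    return [(name, ip_fragment_filter(ipv4_header(word))) for name, word in samples]
```

Non-initial fragments carry no TCP or UDP header, so the dst_port-based L4_switch rules earlier in this chapter cannot classify them; dropping every fragmented packet is the blunt control the page offers for that gap, at the cost of legitimate fragmented traffic, and the demo shows that even a first fragment (MF set, offset 0) is dropped once the filter is enabled.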