Nortel Ethernet Routing Switch 8600 Administration

Nortel Ethernet Routing Switch 8600

AdministrationRelease: 5.1Document Revision: 02.05

www.nortel.com

NN46205-605.

Nortel Ethernet Routing Switch 8600Release: 5.1Publication: NN46205-605Document release date: 28 April 2010

Copyright © 2008-2010 Nortel Networks. All Rights Reserved.

While the information in this document is believed to be accurate and reliable, except as otherwise expresslyagreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OFANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document aresubject to change without notice.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

.

3.

ContentsSoftware license 15

New in this release 19Features 19

Configuring the time zone 19Feature licensing 19SF/CPU High Availability mode 19Memory size for secondary CPU 20FTP, TFTP, and rlogin support for IPv6 addresses 20

Other changes 20Default parameters 20Controlling link state changes 21Enabling the high availability mode 21Installing a license file 21Customer service 21Record reservation 21Viewing power supply parameters 21Feature Licensing 22Document update 22

Introduction 23

System startup fundamentals 25Boot sequence 25

Stage 1: Loading the boot monitor image 26Stage 2: Loading the boot configuration 26Stage 3: Loading the run-time image 27Stage 4: Loading the switch configuration file 27Boot sequence modification 29

Boot process and run-time process 33Boot image verification 33Boot monitor 34Run-time 34

System flags 35Clock synchronization 37

Nortel Ethernet Routing Switch 8600Administration

NN46205-605 02.05 28 April 2010


.

4

Real-time clock synchronization 38System connections 38

Terminal connection 38Modem connection 39

Boot parameter configuration using the CLI 43Job aid 44Accessing the boot monitor 47Configuring the boot monitor 48Modifying the boot sequence 51Enabling or disabling remote access services 51Accessing the boot monitor CLI 52Modifying the boot monitor CLI operation 53Modifying the boot sequence from the run-time CLI 54Changing the boot source order 54

Example of changing the boot source order 56Configuring the standby-to-master delay 56Configuring system flags 56Configuring the remote host logon 64Specifying the master SF/CPU 65Configuring SF/CPU network port devices 66Configuring SF/CPU serial port devices 69

Job aid 72Configuring the time zone 76Enabling remote access services from the run-time CLI 78Displaying the boot monitor configuration 79

Boot parameter configuration using the NNCLI 81Job aid 82Accessing the boot monitor 85Accessing the boot monitor from the run-time environment 85Configuring the boot monitor 86Modifying the boot sequence 87Enabling remote access services 88Changing the boot source order 89

Example of changing the boot source order 90Configuring the standby-to-master delay 90Configuring system flags 91Configuring the remote host logon 99Specifying the master SF/CPU 101Configuring SF/CPU network port devices 101Configuring SF/CPU serial port devices 103

Job aid 106Configuring the time zone 111Displaying the boot monitor configuration 114


NN46205-605 02.05 28 April 2010


.

5

Run-time process management using the CLI 117Job aid 117Configuring the date 121Configuring the run-time CLI 122Configuring the CLI logon banner 124Configuring the message-of-the-day 125Configuring command logging 125Configuring individual system-level switch parameters 126

Example of configuring system-level switch parameters 130Synchronizing the real-time and system clocks 131Creating a virtual management port 132

Example of creating a virtual management port 132Configuring system message control 133Forcing message control for system message control 134Enabling the administrative status of a module 135

Run-time process management using the NNCLI 137Job aid 137Configuring the date 139Configuring the run-time environment 139Configuring the NNCLI logon banner 141Configuring the message-of-the-day 142Configuring command logging 142

Prerequisites 143Configuring system-level switch parameters 143Synchronizing the real-time and system clocks 145Creating a virtual management port 146

Example of creating a virtual management port 147Configuring system message control 147Forcing message control for system message control 148

Chassis operations fundamentals 151Operating modes 151

SF/CPU High Availability mode 153Module types 157

R and RS module support for 8010co chassis 159SF/CPU warm standby 159

Hardware and software compatibility 160Power management 167Software lock-up detection 168Loop prevention and CP limit 168

SLPP configuration considerations 171Extended CP Limit 172

Switch reliability 173


NN46205-605 02.05 28 April 2010


.

6

Jumbo frames 174Tagged VLAN support 175Modules and interfaces that support Jumbo frames 175

Chassis operations configuration using Device Manager 177Editing system information 178Editing chassis information 181Configuring system flags 183Enabling M mode 187Enabling R mode 188Enabling enhanced operational mode 190Enabling global filter ordering 190Enabling CPU High Availability 191Configuring a basic configuration 192Opening a dual tab 197Editing ports 198Viewing the boot configuration 198Enabling Jumbo frames 199Reserving records 199Viewing the trap sender table 200Configuring the time 201Configuring SLPP globally 202Configuring the SLPP by VLAN 203Configuring the SLPP by port 204Configuring Extended CP Limit globally 205

Prerequisites 205Configuring extended CP Limit for a port 206Configuring loop detect 208Configuring CP Limit 209Editing the boot file 210Editing the management port parameters 212Editing the management port CPU route table 213Configuring the management port IPv6 interface parameters 214Configuring management port IPv6 addresses 216Configuring the CPU IPv6 route table 217Editing serial port parameters 218Enabling port lock 219Enabling power management 221Configuring slot priority 221

Chassis operations configuration using the CLI 223Job aid 224Enabling M mode 225Enabling R mode 226Enabling enhanced operational mode 227


NN46205-605 02.05 28 April 2010


.

7

Enabling global filter ordering 228Enabling CPU High Availability mode 228

Job aid 229Disabling CPU High Availability mode 230

Removing a master CPU with CPU-HA mode activated 231Enabling jumbo frames 231Reserving records 232

Prerequisites 232Configuring SLPP 233Configuring SLPP on a port 234Viewing SLPP information 235Configuring Extended CP Limit on a port 238Configuring loop detect 239Configuring CP Limit 240Enabling power management 241Configuring slot priority 241

Chassis operations configuration using the NNCLI 243Job aid 244Enabling M mode 245Enabling R mode 246Enabling enhanced operational mode 247Enabling global filter ordering 248Enabling the CPU High Availability mode 248

Prerequisites 248Procedure steps 249Job aid 249Disabling CPU High Availability mode 250

Removing a master SF/CPU with CPU-HA mode activated 251Enabling jumbo frames 252Reserving records 253

Prerequisites 253Job aid 254

Configuring SLPP 254Configuring SLPP on a port 256Viewing SLPP information 257

Procedure steps 257Prerequisites 258Procedure steps 258

Configuring Extended CP Limit on the chassis 258Configuring Extended CP Limit on a port 260Configuring loop detect 261Configuring CP Limit 262Enabling power management 263


NN46205-605 02.05 28 April 2010


.

8

Configuring slot priority 263Prerequisites 263

Hardware status using Device Manager 265Viewing card information 265Viewing fan details 266Viewing MDA parameters 267Viewing power supply parameters 268

System access fundamentals 271Logging on to the system 271

hsecure bootconfig flag 273Managing the switch using different VRF contexts 273CLI passwords 274

Password encryption 274Subscriber or administrative interaction 274

Access policies for services 275Web interface passwords 275Web server password 276

Password reset 276Password encryption 276Password recovery 276

System access configuration using Device Manager 279Enabling access levels 279Changing passwords 281Creating an access policy 283Enabling an access policy 286

System access configuration using the CLI 289Job aid 289Enabling CLI access levels 291Changing passwords 292Enabling the access policy globally 296Creating an access policy 296Configuring an access policy 297

Job aid 299Specifying a name for an access policy 300Specifying the host address and username for rlogin 301Enabling an access service 301

Job aid 303Allowing a network access to the switch 303Configuring access policies by MAC address 304Resetting and modifying passwords 305


NN46205-605 02.05 28 April 2010


.

9

System access configuration using the NNCLI 307Prerequisites 307Job aid 307Enabling CLI access levels 309Changing passwords 310Creating an access policy 312Configuring an access policy 313

Example of configuring an access policy 316Enabling the access policy globally 317Specifying a name for an access policy 317Allowing a network access to the switch 318Configuring access policies by MAC address 319

Ethernet Routing Switch 8600 licensing fundamentals 321Feature licensing 321

Advanced License 322Premier License 322Premier Trial License 323

License type and part numbers 323License certificates 325License file generation 325Working with feature license files 325License transfer 325

Ethernet Routing Switch 8600 licensing 327Ethernet Routing Switch 8600 licensing tasks 327

License generation 329Navigation 329Generating a license 329

License installation using Device Manager 333Installing a license file using Device Manager 333

License installation using the CLI 337Installing a license file using the CLI 337Showing a license file using the CLI 339

License installation using the NNCLI 341Installing a license file using the NNCLI 341Showing a license file using the NNCLI 343

License transfer 345Transferring a license 345

NTP fundamentals 349Overview 349


NN46205-605 02.05 28 April 2010


.

10

NTP terms 350NTP system implementation model 350Time distribution within a subnet 351Synchronization 352NTP modes of operation 352NTP authentication 353

NTP configuration using Device Manager 355NTP configuration procedures 355Enabling NTP globally 356Adding an NTP server 357Configuring authentication keys 359

NTP configuration using the CLI 361NTP configuration procedures 361Job aid 363Enabling NTP globally 363

Example of enabling NTP globally 364Adding an NTP server 364

Example of adding an NTP server 366Configuring authentication keys 366

Example of configuring an NTP authentication key 368

NTP configuration using the NNCLI 369NTP configuration procedures 369Job aid 371Enabling NTP globally 371Adding an NTP server 372

Example of adding an NTP server 373Configuring authentication keys 373

Example of configuring an NTP authentication key 374

DNS fundamentals 375DNS client 375

DNS configuration using Device Manager 377Configuring the DNS client 377Querying the DNS host 378

DNS configuration using the CLI 381Job aid 381Configuring the DNS client 382

Job aid 383Querying the DNS host 384

Job aid 385

DNS configuration using the NNCLI 387Job aid 387


NN46205-605 02.05 28 April 2010


.

11

Configuring the DNS client 388Querying the DNS host 389

Multicast group ID fundamentals 391Introduction 391Expansion 391

Multicast group ID reservation using Device Manager 393Enabling maximum VLAN mode 393Reserving MGIDs for IPMC 394

Multicast group ID reservation using the CLI 397Job aid 397Enabling maximum VLAN mode 397Reserving MGIDs for IPMC 398

Multicast group ID reservation using the NNCLI 399Job aid 399Enabling maximum VLAN mode 400Reserving MGIDs for IPMC 400

Common procedures using Device Manager 403Showing the MTU for the system 403Showing the MTU for each port 404Viewing topology status information 404Viewing the MIB status 405Displaying flash memory and PCMCIA information for the system 406Displaying flash file information for a specific SF/CPU 407Displaying flash file information for the system 408Displaying PCMCIA file information for a specific SF/CPU 408Displaying PCMCIA file information for the system 409Copying a PCMCIA or flash file 409

Common procedures using the CLI 411Job aid 411Saving the boot configuration to a file 413

Example of saving the boot configuration to a file 414Restarting the switch 415Resetting the switch 416Accessing the standby SF/CPU 416Pinging an IP device 417Pinging an IPX device 418Calculating the MD5 digest 419Resetting system functions 421

Example of resetting system functions 422Sourcing a configuration 423


NN46205-605 02.05 28 April 2010


.

12

Common procedures using the NNCLI 425Job aid 425Saving the boot configuration to a file 427

Example of saving the boot configuration to a file 429Saving the current configuration to a file 429

Example of saving the boot configuration to a file 431Restarting the switch 431Resetting the switch 432Accessing the standby SF/CPU 433Pinging an IP device 433Pinging an IPX device 435Calculating the MD5 digest 435Resetting system functions 438

Example of resetting system functions 439Sourcing a configuration 439

CLI show command reference 441Access, logon names, and passwords 441All CLI configuration 442Current switch configuration 443CLI settings 445Hardware information 446Memory size for secondary CPU 447MTU for all ports 448NTP server status 448Power summary 449Slot power details 450System status (detailed) 450System status and parameter configuration 451Users logged on 458

NNCLI show command reference 459Access, logon names, and passwords 459Basic switch configuration 460Current switch configuration 460CLI settings 462Hardware information 463Memory size for secondary CPU 464NTP server status 464Power summary 465Power information for power supplies 466Slot power details 466System information 467System status (detailed) 472


NN46205-605 02.05 28 April 2010


.

13

Users logged on 473

Port numbering and MAC address assignment reference 475Port numbering 475Interface indexes 476

Port interface index 476VLAN interface index 477MLT interface index 477

MAC address assignment 477Physical MAC addresses 478Virtual MAC addresses 479

Customer service 481Updated versions of documentation 481Getting help 481Express Routing Codes 481Additional information 482

Index 483


NN46205-605 02.05 28 April 2010


.

14


NN46205-605 02.05 28 April 2010


.

15.

Software licenseThis section contains the Nortel Networks software license.

Nortel Networks Inc. software license agreementThis Software License Agreement ("License Agreement") is betweenyou, the end-user ("Customer") and Nortel Networks Corporation andits subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THEFOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSETERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OFTHIS LICENSE AGREEMENT. If you do not accept these terms andconditions, return the Software, unused and in the original shippingcontainer, within 30 days of purchase to obtain a credit for the fullpurchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one ofits subsidiaries or affiliates, and is copyrighted and licensed, not sold.Software consists of machine-readable instructions, its components, data,audio-visual content (such as images, text, recordings or pictures) andrelated licensed materials including all whole or partial copies. NortelNetworks grants you a license to use the Software only in the countrywhere you acquired the Software. You obtain no rights other than thosegranted to you under this License Agreement. You are responsible for theselection of the Software and for the installation of, use of, and resultsobtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer anonexclusive license to use a copy of the Software on only one machineat any one time or to the extent of the activation or authorized usage level,whichever is applicable. To the extent Software is furnished for use withdesignated hardware or Customer furnished equipment ("CFE"), Customeris granted a nonexclusive license to use Software only on such hardwareor CFE, as applicable. Software contains trade secrets and Customeragrees to treat Software as confidential information using the same careand discretion Customer uses with its own similar information that it doesnot wish to disclose, publish or disseminate. Customer will ensure thatanyone who uses the Software does so only in compliance with the terms


NN46205-605 02.05 28 April 2010


.

16 Software license

of this Agreement. Customer shall not a) use, copy, modify, transferor distribute the Software except as expressly authorized; b) reverseassemble, reverse compile, reverse engineer or otherwise translate theSoftware; c) create derivative works or modifications unless expresslyauthorized; or d) sublicense, rent or lease the Software. Licensors ofintellectual property to Nortel Networks are beneficiaries of this provision.Upon termination or breach of the license by Customer or in the eventdesignated hardware or CFE is no longer in use, Customer will promptlyreturn the Software to Nortel Networks or certify its destruction. NortelNetworks may audit by remote polling or other reasonable means todetermine Customer’s Software activation or usage levels. If suppliers ofthird party software included in Software require Nortel Networks to includeadditional or different terms, Customer agrees to abide by such termsprovided by Nortel Networks with respect to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to inwriting between Nortel Networks and Customer, Software is provided"AS IS" without any warranties (conditions) of any kind. NORTELNETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THESOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOTLIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY ANDFITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OFNON-INFRINGEMENT. Nortel Networks is not obligated to provide supportof any kind for the Software. Some jurisdictions do not allow exclusionof implied warranties, and, in such event, the above exclusions may notapply.

3. Limitation of Remedies. IN NO EVENT SHALL NORTELNETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANYOF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTYCLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS,FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL,PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOSTPROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OROTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OFYOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS,ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIRPOSSIBILITY. The forgoing limitations of remedies also apply to anydeveloper and/or supplier of the Software. Such developer and/or supplieris an intended beneficiary of this Section. Some jurisdictions do not allowthese limitations or exclusions and, in such event, they may not apply.

4. General

1. If Customer is the United States Government, the following paragraphshall apply: All Nortel Networks Software available under this LicenseAgreement is commercial computer software and commercial computer


NN46205-605 02.05 28 April 2010


.

Nortel Networks Inc. software license agreement 17

software documentation and, in the event Software is licensed foror on behalf of the United States Government, the respective rightsto the software and software documentation are governed by NortelNetworks standard commercial license in accordance with U.S. FederalRegulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and48 C.F.R. 227.7202 (for DoD entities).

2. Customer may terminate the license at any time. Nortel Networksmay terminate the license if Customer fails to comply with the termsand conditions of this license. In either event, upon termination,Customer must either return the Software to Nortel Networks or certifyits destruction.

3. Customer is responsible for payment of any taxes, including personalproperty taxes, resulting from Customer’s use of the Software.Customer agrees to comply with all applicable laws including allapplicable export and import laws and regulations.

4. Neither party may bring an action, regardless of form, more than twoyears after the cause of the action arose.

5. The terms and conditions of this License Agreement form the completeand exclusive agreement between Customer and Nortel Networks.

6. This License Agreement is governed by the laws of the country inwhich Customer acquires the Software. If the Software is acquired inthe United States, then this License Agreement is governed by thelaws of the state of New York.


NN46205-605 02.05 28 April 2010


.

18 Software license


NN46205-605 02.05 28 April 2010


.

19.

New in this releaseThe following sections detail what’s new in Nortel Ethernet Routing Switch8600 Administration (NN46205-605) for Release 5.1.

• “Features” (page 19)

• “Other changes” (page 20)

FeaturesSee the following sections for information about changes that arefeature-related:

• “Configuring the time zone” (page 19)

• “Feature licensing” (page 19)

• “SF/CPU High Availability mode” (page 19)

• “Memory size for secondary CPU” (page 20)

Configuring the time zoneThe time zone configuration command has been enhanced. The syntaxfor dst-offset and offset-from-utc can use hours and minutesin Release 5.1. For more information about the time zone commandenhancement, see “Configuring the time zone” (page 76) and “Configuringthe time zone” (page 111).

Feature licensingAdvanced and Premier License lists are updated to include the newfeatures for Release 5.1. For more information about the featuresincluded, see “Feature licensing” (page 321).

SF/CPU High Availability modeTables describing the feature support for High Availability (HA) in specifiedsoftware release versions and Release 3.5 and later synchronizationcapabilities in HA mode are updated for Release 5.1. For more informationabout the feature support for HA mode, see “SF/CPU High Availabilitymode” (page 153).


NN46205-605 02.05 28 April 2010


.

20 New in this release

Memory size for secondary CPUYou can display the secondary CPU DRAM memory size in hexadecimalformat. For more information about CLI and NNCLI command syntax,see “Memory size for secondary CPU” (page 447) and “Memory size forsecondary CPU” (page 464).

FTP, TFTP, and rlogin support for IPv6 addressesFTP, TFTP, and rlogin server (incoming) connections and access policiesare now supported with IPv6 on the Ethernet Routing Switch 8600. Youcan configure an IPv6 address on the Ethernet Routing Switch 8600 anduse FTP, TFTP, or rlogin services to access the switch using the IPv6address. You use the same command syntax for any command related toFTP, TFTP, or rlogin regardless of whether you logged in using an IPv4 orIPv6 address (all commands supported with FTP, TFTP, and rlogin usingIPv4 are supported with IPv6 addresses). For more information aboutFTP, TFTP, rlogin, and access policy support for IPv6 addresses, see“Configuring management port IPv6 addresses” (page 216), “Configuringan access policy” (page 297), and “Specifying the host address andusername for rlogin” (page 301).

Other changesSee the following sections for information about changes that are notfeature-related:

• “Default parameters” (page 20)

• “Controlling link state changes” (page 21)

• “Enabling the high availability mode” (page 21)

• “Installing a license file” (page 21)

• “Customer service” (page 21)

• “Record reservation” (page 21)

• “Viewing power supply parameters” (page 21)

• “Document update” (page 22)

Default parametersThe command parameter descriptions are updated with default values.


NN46205-605 02.05 28 April 2010


.

Other changes 21

Controlling link state changesConceptual and procedural content for controlling link state changes wasremoved from the following sections to Nortel Ethernet Routing Switch8600 Series Fault Management, NN46205-705:

• Chassis operations configuration using Device Manager

• Chassis operations configuration using the CLI

• Chassis operations configuration using the NNCLI

Enabling the high availability modeA procedure to enable the High Availability (HA) mode is added along withthe messages a user would encounter while enabling the HA mode. Formore information about enabling the HA mode, see “Enabling CPU HighAvailability mode” (page 228) and “Enabling the CPU High Availabilitymode” (page 248).

Installing a license fileChanges have been made to the prerequisites of the procedures to installa licence file using Device Manager, CLI and NNCLI. For more informationabout these changes, see “License installation using Device Manager”(page 333), “License installation using the CLI” (page 337), “Licenseinstallation using the NNCLI” (page 341).

Customer serviceCustomer service chapter is added to this document. This chapterdescribes the complete range of services and support that Nortelprovides to its customers. For more information about Nortel support, see“Customer service” (page 481).

Record reservationProcedures for reserving hardware records for CLI and NNCLI,respectively, are added to this document to augment the existing DeviceManager procedure for reserving records. For more information and tosee these procedures, see “Reserving records” (page 232) and “Reservingrecords” (page 253).

Viewing power supply parametersVariable definitions for input line voltage and operating line voltage areadded for Device manager. For more information, and to see the variablesdefinition table containing these parameters, see “Viewing power supplyparameters” (page 268).


NN46205-605 02.05 28 April 2010


.

22 New in this release

Feature LicensingYou must specify the location of your license file in the boot configurationfile. NN46205-605_02.03 updates the section Feature Licensing andupdates Table 31, Supported licenses for the Ethernet Routing Switch8600. For more information and to see the table containing the updates,see “Feature licensing” (page 321).

Document updateTHis issue is updated to reflect modifications made in chapters ’Chassisoperations fundamentals, Viewing SLPP information, Chassis operationsconfiguring using the CLI and Configuring SLPP on a port.


NN46205-605 02.05 28 April 2010


.

23.

IntroductionThe Nortel Ethernet Routing Switch 8600 is a flexible and multifunctionalswitch that supports a diverse range of network architectures andprotocols. This guide contains conceptual and procedural informationto support the administration of the Ethernet Routing Switch 8600. Formore information about the available user interfaces and how to use editcommands and special terminal characters, see Nortel Ethernet RoutingSwitch 8600 User Interface Fundamentals (NN46205-308).

Navigation• “System startup fundamentals” (page 25)

• “Boot parameter configuration using the CLI” (page 43)

• “Boot parameter configuration using the NNCLI” (page 81)

• “Run-time process management using the CLI” (page 117)

• “Run-time process management using the NNCLI” (page 137)

• “Chassis operations fundamentals” (page 151)

• “Chassis operations configuration using Device Manager” (page 177)

• “Chassis operations configuration using the CLI” (page 223)

• “Chassis operations configuration using the NNCLI” (page 243)

• “Hardware status using Device Manager” (page 265)

• “System access fundamentals” (page 271)

• “System access configuration using Device Manager” (page 279)

• “System access configuration using the CLI” (page 289)

• “System access configuration using the NNCLI” (page 307)

• “Ethernet Routing Switch 8600 licensing fundamentals” (page 321)

• “Ethernet Routing Switch 8600 licensing” (page 327)

• “License generation” (page 329)

• “License installation using Device Manager” (page 333)


NN46205-605 02.05 28 April 2010


.

24 Introduction

• “License installation using the CLI” (page 337)

• “License installation using the NNCLI” (page 341)

• “License transfer” (page 345)

• “NTP fundamentals” (page 349)

• “NTP configuration using Device Manager” (page 355)

• “NTP configuration using the CLI” (page 361)

• “NTP configuration using the NNCLI” (page 369)

• “DNS fundamentals” (page 375)

• “DNS configuration using Device Manager” (page 377)

• “DNS configuration using the CLI” (page 381)

• “DNS configuration using the NNCLI” (page 387)

• “Multicast group ID fundamentals” (page 391)

• “Multicast group ID reservation using Device Manager” (page 393)

• “Multicast group ID reservation using the CLI” (page 397)

• “Multicast group ID reservation using the NNCLI” (page 399)

• “Common procedures using Device Manager” (page 403)

• “Common procedures using the CLI” (page 411)

• “Common procedures using the NNCLI” (page 425)

• “CLI show command reference” (page 441)

• “NNCLI show command reference” (page 459)

• “Port numbering and MAC address assignment reference” (page 475)


NN46205-605 02.05 28 April 2010


.

25.

System startup fundamentalsThis section provides conceptual material on the boot sequence and bootprocesses of the Nortel Ethernet Routing Switch 8600. Review this contentbefore you make changes to the configurable boot process options.

Navigation• “Boot sequence” (page 25)

• “Boot process and run-time process” (page 33)

• “System flags” (page 35)

• “Clock synchronization” (page 37)

• “System connections” (page 38)

Boot sequenceThe Ethernet Routing Switch 8600 goes through a four-stage bootsequence before it becomes fully operational. After you turn on powerto the switch, the SF/CPU module starts its built-in boot loader. In anEthernet Routing Switch 8600 with redundant switch fabric or switchmanagement modules, the module in slot 5 provides the active SF/CPUfunctions after the switch powers up or resets. (Use the options in the bootmonitor to specify the module that is the active SF/CPU.) The switch fabricsubsystems of both modules are active and share the switching functionsfor the switch.

The boot sequence consists of the following four file loads:

• “Stage 1: Loading the boot monitor image” (page 26)

• “Stage 2: Loading the boot configuration” (page 26)

• “Stage 3: Loading the run-time image” (page 27)

• “Stage 4: Loading the switch configuration file” (page 27)


NN46205-605 02.05 28 April 2010


.

26 System startup fundamentals

Stage 1: Loading the boot monitor imageAt power-up or reset, the SF/CPU subsystem on the 8691 SF/CPU moduleloads the boot monitor image.

After loading the boot monitor image, the SF/CPU and basic systemdevices such as the console port, modem port, Personal ComputerMemory Card International Association (PCMCIA) card slot, andmanagement port initialize. (At this stage, the input/output (I/O) ports arenot available; system does not initialize the I/O ports until later in the bootprocess.)

Stage 2: Loading the boot configurationAfter the boot monitor image loads, the boot configuration loads from a filecalled /pcmcia/pcmboot.cfg from the PCMCIA if a PCMCIA card is present.If a PCMCIA card is not present or file /pcmcia/pcmboot.cfg is not present,then the boot configuration loads from a file called /flash/boot.cfg on theonboard flash memory (Nortel recommends that you copy the boot.cfgfile in the /flash directory). If the /flash/boot.cfg file is not present, and if aPCMCIA card is present, the Ethernet Routing Switch 8600 searches forthe file /pcmcia/boot.cfg.

If the loaded boot configuration file is corrupt, then the switch starts a loopprocess.

If none of the boot configuration files are present (/pcmcia/pcmboot.cfgor /flash/boot.cfg or /pcmcia/boot.cfg), the Ethernet Routing Switch 8600starts using the default boot-configuration settings.

ATTENTIONIf you are using a PCMCIA card manufactured by Sandisk, the EthernetRouting Switch 8600 does not consistently access the /pcmcia/pcmboot.cfgor /pcmcia/boot.cfg file during boot-up. This limitation is observed only duringboot-up. No limitation is observed if you access the Sandisk device afterboot-up.

If the Autoboot flag is disabled or if the boot process is interrupted atthe console, the boot process stops. At this stage, you can access theboot monitor at the console. In the boot monitor, you can set the bootconfiguration and perform upgrades to the boot monitor image andrun-time image (loaded in stage 3). Changes made and saved at the bootmonitor change the boot configuration.

After you save changes, you can initiate the boot process from the bootmonitor using the boot command.


NN46205-605 02.05 28 April 2010


.

Boot sequence 27

Stage 3: Loading the run-time imageThe run-time image loads after the boot configuration. This software imageinitializes the I/O modules and provides full routing switch functionality.You can load the run-time image from the flash memory, from a PCMCIAcard, or from a Trivial File Transfer Protocol (TFTP) server using themanagement port.

The default load order is defined in the boot configuration file(/pcmcia/boot.cfg or /flash/boot.cfg). You can redefine the source andorder from where to load the run-time image if you interrupt the autobootprocess.

Stage 4: Loading the switch configuration fileThe final step before the boot process is complete is to load the switchconfiguration file (/flash/config.cfg). The switch configuration consists ofhigher-level functionality, including:

• Chassis configuration

• Port configuration

• Spanning tree group (STG) configuration

• VLAN configuration

• Routing configuration

• IP address assignments

• RMON configuration

The default switch configuration includes the following:

• All ports in a single spanning tree group (STG), STG number 1 (Thedefault Spanning Tree Group is 802.1D compliant, and its BridgeProtocol Data Units (BPDU) are never tagged.)

• A single, port-based default VLAN with a VLAN identification numberof 1, bound to the default spanning tree group

• Spanning Tree FastStart disabled on all ports

• No interface assigned IP addresses

• Traffic priority for all ports set to normal priority

• All ports as nontagged ports

• Default communication protocol settings for the console port. SeeNortel Ethernet Routing Switch 8600 Quick Start (NN46205-310) forinformation about these protocol settings.


NN46205-605 02.05 28 April 2010


.


In the configuration file, statements preceded by both the number sign(#) and exclamation point (!) load prior to the general configurationparameters. Statements preceded by only the number sign are commentsmeant to add clarity to the configuration; they do not load configurationparameters. The following table illustrates the difference between thesetwo statement formats.

Table 1Configuration file statements

Sample statement Action

# software version : 3.7.12.0 Adds clarity to the configuration byidentifying the software version.

#!flags m-mode false Configures the M mode flag to thefalse condition, prior to loading thegeneral configuration.

Figure 1 "Switch boot sequence" (page 29) shows a summary of the bootsequence.


NN46205-605 02.05 28 April 2010


.

Boot sequence 29

Figure 1Switch boot sequence

Boot sequence modificationThe default boot sequence directs the switch to look for its image andconfiguration files first on the PCMCIA card, in the onboard flash memorysecond, and then from a server on the network. That is, the PCMCIAcard is the primary source for the files, the onboard flash memory is thesecondary source, and the network server is the tertiary source. Thesesource and file name definitions are in the boot configuration file.


NN46205-605 02.05 28 April 2010


.


ATTENTIONIf an Ethernet Routing Switch 8600 loads its secondary software image filebecause it cannot find its primary software image, during this process, it alsoloads the secondary configuration file.

You can change the boot sequence in the following ways:

• Change the primary, secondary, and tertiary designations for filesources. For example, you can specify the network as the primary filesource and update the configuration file or image file using a singlecopy of the file on the server.

ATTENTIONEach choice of a file source (primary, secondary, or tertiary) specifies animage file and a matching configuration file. When you specify a source, youspecify the associated pair of files.

• Change the file names from the default values. You can store severalversions of the image or configuration file and specify a particular oneby file name after you restart the switch.

• Start the switch without loading a configuration file, so that theswitch uses its factory default configuration settings. Bypassing theswitch configuration does not affect saved switch configuration; theconfiguration is simply not loaded.

Whether the switch configuration is loaded or not is controlled by the bootconfiguration. You can bypass loading the switch configuration.

If the configuration is bypassed, the switch starts with the default switchconfiguration settings and the boot flag settings that were loaded as theboot configuration file in stage 2.

Figure 2 "Boot source text added to the system log file" (page 31) showsthe boot source text added to the system log file.


NN46205-605 02.05 28 April 2010


.

Boot sequence 31

Figure 2Boot source text added to the system log file

Static IP entry for the OOB network management interfaceThe default IP for the Out of Band (OOB) network management port isassigned as shown in Figure 3 "Flowchart for the default IP for the OOBnetwork management port" (page 32).


NN46205-605 02.05 28 April 2010


.


Figure 3Flowchart for the default IP for the OOB network management port

The switch first checks for the file pcmboot.cfg, in PCMCIA. If not found,the switch checks for the file boot.cfg in flash.

ATTENTIONUsers using the boot configuration file from PCMCIA must rename the file topcmboot.cfg The boot.cfg file is no longer saved in PCMCIA. The file is savedonly in flash.


NN46205-605 02.05 28 April 2010


.

Boot process and run-time process 33

Boot process and run-time processYou manage the boot process of the switch using the boot monitor.

You access the boot monitor by interrupting the boot process. Thisinterrupt can only be initiated through a direct serial-port connection to theswitch, or some remote connection to the serial port such as a remote (outof band) terminal server connection.

A switch placed into the boot monitor state cannot accept peer telnetconnections from the master SF/CPU.

After the boot monitor is active, you can change the boot configuration,including boot choices and boot flags, and you can set the flags for Telnetand rlogin to allow remote access, but you cannot access the boot monitorremotely. You can access the boot monitor only through a direct serial-portconnection.

You manage the run-time process using the run-time commands. Toaccess the run-time command line interface (CLI) or Nortel Networkscommand line interface (NNCLI), wait until the boot process completes.

Boot image verificationAfter a switch starts, the switch recognizes the boot source and logs amessage in the system log file that informs you about the selected bootsource.

Figure 4 "Console port boot source messages" (page 33) shows the bootsource messages observed on the console port.

Figure 4Console port boot source messages


NN46205-605 02.05 28 April 2010


.


Boot monitorUse the boot monitor to configure and manage the boot process.

ATTENTIONYou must use a terminal connected directly to the console port on the switch. Ifyou restart the switch from a remote terminal, the connection is terminated.

After you enter the boot monitor, the following prompt is displayed:

monitor#

Run-timeAfter the Ethernet Routing Switch 8600 is operational, you can use therun-time commands to perform most of the configuration and managementfunctions necessary to manage the switch. These functions include thefollowing:

• Resetting or restarting the Ethernet Routing Switch 8600.

• Adding, deleting, and displaying address resolution protocol (ARP)table entries.

• Pinging another network device.

• Viewing and configuring variables for the entire switch and forindividual ports.

• Configuring and displaying STG parameters and enabling or disablingthe Spanning Tree Protocol (STP) on an STG.

• Configuring and displaying MultiLink Trunking (MLT) parameters.

• Testing the switching fabric and performing internal and externalloopback tests on individual ports.

• Creating and managing port-based VLANs or policy-based VLANs.

To access the run-time environment you need a connection from a PCor terminal to the switch. You can use a direct connection to the switchthrough the console or modem port or through Telnet, rlogin, or SecureShell (SSH) sessions. For more information about SSH, see NortelEthernet Routing Switch 8600 Security (NN46205-601).

ATTENTIONBefore you attempt to access the switch using one of the previous methods,ensure you first enable the corresponding daemon flags.


NN46205-605 02.05 28 April 2010


.

System flags 35

System flagsAfter you enable or disable certain modes and functions, you need to savethe configuration and reset the switch for your change to take effect. Thefollowing tables list parameters and indicate if they require a reset of theswitch.

Table 2 "Bootconfig flags" (page 35) lists parameters you configure in theCLI using the config bootconfig flags command and in the NNCLIusing the boot config flags command.

Table 2Bootconfig flags

CLI flag NNCLI flag Switchreset

8616-reautoneg <true|false> 8616-reautoneg No

alt-led-enable <true|false> alt-led Yes

autoboot <true|false> autoboot Yes

block-snmp <true|false> block-snmp No

block-warmstandby-switchover<true|false>

block-warmstandby-switchover Yes

control-record-optimization<true|false>

control-record-optimization Yes

daylight-saving-time <true|false> daylight-saving-time No

debug-config <true|false> debug-config Yes

debugmode <true|false> debugmode Yes

egress-mirror <true|false> egress-mirror Yes

factorydefaults <true|false> factorydefaults Yes

ftpd <true|false> ftpd No

ha-cpu <true|false> ha-cpu Yes

hsecure <true|false> hsecure No

info Not applicable No

logging <true|false> logging No

mezz <true|false> mezz Yes


NN46205-605 02.05 28 April 2010


.


Table 2Bootconfig flags (cont’d.)

CLI flag NNCLI flag Switchreset

nncli <true|false> nncli Yes

reboot <true|false> reboot Yes

rlogind <true|false> rlogind No

savetostandby <true|false> savetostandby No

spanning-tree-mode <mstp|rstp|default>

spanning-tree-mode Yes

sshd <true|false> sshd No

telnetd <true|false> telnetd No

tftpd <true|false> tftpd No

trace-logging <true|false> trace-logging No

verify-config <true|false> verify-config Yes

wdt <true|false> wdt Yes

The Ethernet Routing Switch 8600 can operate in four different modes.You configure the mode parameters in the CLI using the config sysset flags command, in the NNCLI using the sys flags command, orin Device Manager using Edit, Chassis, System Flags. After you changethe configuration for the modes, you must reset the switch. The modesare:

• R mode

• M mode

• Enhanced operational mode

• VLAN optimization mode

In a chassis equipped with all R-modules (and most often R-modeenabled) the following flags have no effect, as these parameters arespecific to legacy modules and therefore must always be set to false ordisabled:

• Control-record-optimization (config bootconfig flagscontrol-record-optimization <false|true>)

• Enhanced-operational-mode (EOM) (config sys set flagsenhanced-operational-mode <false|true>)


NN46205-605 02.05 28 April 2010


.

Clock synchronization 37

For best operation, also set these flags to disabled (false) in any mixedchassis that has R-modules present.

In addition to the mode flags, you can configure two other system flags.Both of the following flags require a system reset:

• global-filter-ordering

• multicast-check-packet

ATTENTIONNortel recommends that you do not change the configuration of themulticast-check-packet and vlan-optimization-mode flags.

Table 3 "Other system settings" (page 37) lists other parameters youconfigure by using the CLI, NNCLI, or Device Manager under Edit,Chassis, System Flags.

Table 3Other system settings

Flag Switch reset CLI command NNCLI command

AuthenticationTraps Yes

WebServer No config web-server enable

web-serverenable

AccessPolicy Yes

MrouteStreamLimit Yes

ForceTrapSender Yes

ForceIpheaderSender Yes

VlanByScrMac Yes

DiffServEcnCompatibility Yes

WsmDirectMode Yes

System Monitor Yes

Clock synchronizationThe Ethernet Routing Switch 8600 automatically synchronizes thereal-time clocks (hardware) on the primary and secondary SF/CPUs, andsynchronizes the real-time and system (software) clocks.


NN46205-605 02.05 28 April 2010


.


Real-time clock synchronizationAfter you configure the real-time clock on the master SF/CPU, the slaveSF/CPU real-time clock is immediately updated, and both clocks areset to the same time. A log message is added in the log file stating thatclock synchronization is complete. Familiarize yourself with the followingconditions regarding SF/CPU clock synchronization:

• If the switch is operating normally with a redundant SF/CPU, the clocksynchronizes at 24 hour intervals. If the switch is operating normallywith no redundant SF/CPU and a standby SF/CPU card is inserted,the real-time clocks on the master SF/CPU and the standby SF/CPUimmediately synchronize. A log message is added in the log file,stating that clock synchronization is complete. If the synchronizationprocess continues successfully, no more log messages are generatedand clock synchronization continues at 24 hour intervals.

At boot time, after the switch is initialized, the clocks on the masterSF/CPU and the standby SF/CPU immediately synchronize and clocksynchronization continues at 24 hour intervals. If the standby SF/CPUis removed, the SF/CPU clock synchronization process stops. Also, ifthe clock synchronization process fails, a log message generates in thelog file. When the real-time clock synchronization begins to fail, theswitch generates a log message for each failed attempt.

• If the Inter SF/CPU Communication (ICC) channel is in use by anotherprocess at the time of clock synchronization, the synchronizationprocess is not performed, but attempted again after the scheduled24-hour interval. The switch adds a log message in the log file.

System connectionsConnect to the Switch Fabric/Central Processor Unit (SF/CPU) serial portsusing one of the following connections:

• “Terminal connection” (page 38)

• “Modem connection” (page 39)

Terminal connectionConnect the serial console interface (an RS-232 port) to a PC or terminalto monitor and configure the switch. The port uses a DB-9 connectorthat operates as data terminal equipment (DTE) or data communicationequipment (DCE). The default communication protocol settings for theconsole port are:

• 9600 baud

• 8 data bits


NN46205-605 02.05 28 April 2010


.

System connections 39

• 1 stop bit

• No parity

To use the console port, you need the following equipment:

• a terminal or teletypewriter (TTY)-compatible terminal, or a portablecomputer with a serial port and terminal-emulation software

• an Underwriters Laboratories (UL)-listed straight-through or nullmodem RS-232 cable with a female DB-9 connector for the consoleport on the switch

The other end of the cable must use a connector appropriate to theserial port on your computer or terminal. Most computers or terminalsuse a male DB-25 connector. You can find a null modem cable withthe chassis.

You must shield the cable connected to the console port to comply withemissions regulations and requirements.

Modem connectionYou can access the switch through a modem connection to the 8691 or8692 SF/CPU modules. Nortel recommends that you use the defaultsettings for the modem port for most modem installations.

To set up modem access, you must use a DTE-to-DCE cable (straightor transmit cable) to connect the Ethernet Routing Switch 8600 to themodem. The following table shows the DTE-to-DCE pin assignments.

Table 4DTE-to-DCE straight-through pin assignments

Switch ModemSignal Pin

numberDCE DB-9pin number

DCE DB-25pin number

Received data(RXD)

2 2 3

Transmitted data(TXD)

3 3 2

Data terminalready (DTR)

4 4 20

Ground (GND) 5 5 7

Data set ready(DSR)

6 6 6


NN46205-605 02.05 28 April 2010


.


Table 4DTE-to-DCE straight-through pin assignments (cont’d.)

Switch Modem

Signal Pinnumber

DCE DB-9pin number

DCE DB-25pin number

Request to send(RTS)

7 7 4

Clear to send(CTS)

8 8 5

The default communication protocol settings for the modem port are:

• 9600 baud

• 8 data bits

• 1 stop bit

• No parity

Because the modem port receives DSR and CTS signals beforetransmitting, control lines are required in the cables. The modem portsupports no inbound flow control. The port does not turn on and turn offcontrol lines to indicate the input buffer is full.

To connect a modem to an Ethernet Routing Switch 8600, you canconfigure the modem port first using another type of connection to the CLIor NNCLI.

PPP modem connectionYou can establish a PPP (Point-to-Point Protocol) link over serialasynchronous lines. PC clients use this link to connect remotely to aswitch through a standard dial-up modem and the modem DTE port on themaster switch SF/CPU. You must configure the connection on both theremote client PC and the switch. The following figure shows a standardPPP connection to the Ethernet Routing Switch 8600.


NN46205-605 02.05 28 April 2010


.

System connections 41

Figure 5PPP configuration topology

After you configure the modem port on the switch to use PPP, you mustalso specify a PPP file. The PPP file is a text document which includesall additional PPP configuration parameters to include after the switchrestarts. Enter one configuration parameter on each line.

You can configure the connection to use the Challenge-HandshakeAuthentication Protocol (CHAP) or the Password Authentication Protocol(PAP). Both protocols require a secrets file. The secrets file is a textdocument which includes the list of all users authorized to use the modemport. You must list one user on each line and include specific parameters.The format for each user is client server password IP address. Thefollowing list explains each option.

• client–the name of the user. This value is the logon name of theauthorized user. This value is the name or ID of the user, similar to aWindows or UNIX logon.

• server–the name of the remote device, which is often the dial-in server.Use an asterisk (*) to indicate any server name is acceptable.

• password–the password for the user.

• IP address–the IP address associated with the user.

The value for the IP address depends on the desired configuration of themodem. If all users must use the same IP address, you must specifythe same IP address for all users in the file and it must be the same IPaddress that you configure as the peer-ip for the modem port. Configurethe IP settings on the client to obtain an IP address automatically.

If each user must use a different IP address, list each user with a differentIP address in the file. Configure the client IP settings to use a static IPaddress that matches what you configure in the secrets file.


NN46205-605 02.05 28 April 2010


.


An example secrets file looks like the following:

long * long 47.133.223.200william * william 47.133.223.200


NN46205-605 02.05 28 April 2010


.

43.

Boot parameter configuration usingthe CLI

Use the procedures in this section to configure and manage the bootparameters using the command line interface (CLI).

Prerequisites to boot parameter configuration• You initiate a boot monitor session only through a direct serial-port

connection to the switch. After the boot monitor is active, you can setthe flags for Telnet and rlogin to allow remote access, but accessto the boot monitor is still only available through a direct serial-portconnection. Within the boot monitor, you can change the bootconfiguration, including boot choices and boot flags.

Navigation• “Job aid” (page 44)

• “Accessing the boot monitor” (page 47)

• “Configuring the boot monitor” (page 48)

• “Modifying the boot sequence” (page 51)

• “Enabling or disabling remote access services” (page 51)

• “Accessing the boot monitor CLI” (page 52)

• “Modifying the boot monitor CLI operation” (page 53)

• “Modifying the boot sequence from the run-time CLI” (page 54)

• “Changing the boot source order” (page 54)

• “Configuring the standby-to-master delay” (page 56)

• “Configuring system flags” (page 56)

• “Configuring the remote host logon” (page 64)

• “Specifying the master SF/CPU” (page 65)


NN46205-605 02.05 28 April 2010


.

44 Boot parameter configuration using the CLI

• “Configuring SF/CPU network port devices” (page 66)

• “Configuring SF/CPU serial port devices” (page 69)


• “Enabling remote access services from the run-time CLI” (page 78)

• “Displaying the boot monitor configuration” (page 79)

Job aidThe following table lists the commands and their parameters that you useto complete the procedures in this section.

Table 5Job aid

Command Parameter

config cli defaultlogin <true|false>defaultpassword <true|false>infologinprompt <string>more <true|false>passwordprompt <string>prompt <prompt>rlogin-sessions <nsessions>screenlines <nlines>telnet-sessions <nsessions>timeout <seconds>

info

delay <seconds>

loadconfigtime <seconds>

logfile <minsize> <maxsize><maxoccupyPercentage>

master <cpu-slot>

config bootconfig

multicast <value>

info

backup-config-file <file>

config-file <file>

image-file <file>

config bootconfig choice <boot-choice>

license-file <file>


NN46205-605 02.05 28 April 2010


.

Accessing the boot monitor 47

Command Parameter

info

dst-end <Mm.n.d/hhmm|MMddhhmm>

dst-name <dstname>

dst-offset <minutes>

dst-start <Mm.n.d/hhmm|MMddhhmm>

name <tz>

offset-from-utc <minutes>

config bootconfig tz

factorydefault

true

flags info

choice

cli

config [verbose]

flags

host

master

mezz-image

net

show-all [file <value> ]

sio

tz

wlan

bootp

show bootconfig

andconfig bootconfig show

show bootconfig master

Accessing the boot monitorAccess the boot monitor to configure and manage the boot process byperforming this procedure.

Procedure steps

Step Action

1 Restart the switch.

2 Interrupt the boot sequence by pressing the Enter key after thefollowing prompt is displayed:


NN46205-605 02.05 28 April 2010


.


Press Enter to stop autoboot.

--End--

Configuring the boot monitorConfigure the boot monitor to configure connection settings for CLIsessions. Use the bootconfig command to configure the general bootmonitor operations. The bootconfig command also provides severalsubcommands that are used in the procedures in this section.

Configure the boot monitor by performing this procedure.

Procedure steps

Step Action

1 Configure the boot monitor connection settings by using thefollowing command:

config cli

2 Save the changed configuration file.

3 Configure the boot monitor operations by using the followingcommand:

config bootconfig

4 Save the changed configuration to the boot.cfg and pcmboot.cfgfiles.


--End--

Variable definitionsUse the data in the following table to use the config cli command.

Variable Value

defaultlogin <true|false> Specifies the current settings for thelogin prompt as true or false.

The default value is true.

defaultpassword <true|false> Specifies the current settings for thepassword prompt as true or false.

The default is true.


NN46205-605 02.05 28 April 2010


.

Configuring the boot monitor 49

Variable Value

info Specifies the current settings for theboot monitor CLI.

loginprompt <string> Specifies the login prompt for theboot monitor as a string of 1–1513characters.

more <true|false> Configures scrolling for the outputdisplay.


• true —configures output displayscrolling to one page at a time.

• false —configures the outputdisplay to continuous scrolling.

passwordprompt <string> Specifies the password prompt for theboot monitor as a string of 1–1510characters.

prompt <prompt> Changes the boot monitor prompt tothe defined string.

• prompt is a string of 0–255characters.

The default prompt depends on theswitch; for example, ERS-8606.

rlogin-sessions <nsessions> Configures the allowable number ofinbound remote boot monitor CLIlogon sessions.

• nsessions is the number ofsessions from 0–8.

The default value is 8.

screenlines <nlines> Configures the number of lines in theoutput display.

• nlines is the number of lines from8–64.



NN46205-605 02.05 28 April 2010


.


Variable Value

telnet-sessions <nsessions> Configures the allowable number ofinbound Telnet sessions.

• nsessions is the number ofsessions from 0–8.


timeout <seconds> Configures the idle timeout periodbefore automatic logoff for CLIsessions.

• seconds is the timeout period inseconds from 30–65535.

The default is 900.

Use the data in the following table to use the config bootconfigcommand.

Variable Value

delay <seconds> Configures the number of seconds a standbySF/CPU waits (delays) before trying to becomethe master SF/CPU. This command appliesonly during a cold start and does not apply to afailover start.The default is 45 seconds delay.

info Specifies the configured values.

loadconfigtime<seconds>

Configures the time-out value, in seconds, forloading a configuration file. seconds is a valuefrom 0–300.The default is 60 seconds.

logfile <minsize><maxsize> <maxoccupyPercentage>

Configures the parameters for the log file.

• minsize is the minimum size of the log filefrom 64–500 kilobytes (KB).


• maxsize is the maximum size of the log filefrom 500–16384 KB.


• maxoccupyPercentage is the percentageof free Personal Computer Memory CardInternational Association (PCMCIA) to usefor a log file from 10–90.


NN46205-605 02.05 28 April 2010


.

Enabling or disabling remote access services 51

Variable Value


master <cpu-slot> Indicates which SF/CPU becomes the masterafter the switch powers up. The masterSF/CPU performs a loopback test to test theswitch fabric. The default master is set for slot5.

• cpu-slot is the module position, eitherslot 5 or slot 6.

multicast <value> Configures the system multicast scalingparameter from 0–2147483647.The default value is 0.

Modifying the boot sequenceModify the boot sequence to prevent the switch from using the factorydefault settings or, conversely, to prevent loading a saved configuration fileby performing this procedure.

Procedure steps

Step Action

1 Bypass the loading of the switch configuration with the followingcommand:

flags factorydefault true

ATTENTIONIf the switch fails to read and load a saved configuration file afterit starts, ensure this flag is set to false before investigating otheroptions.

--End--

Enabling or disabling remote access servicesEnable the remote access service to provide multiple methods of remoteaccess by performing this procedure.

Prerequisites

• If you enable an rlogin flag, you must configure an access policy andspecify the name of the user who can access the switch.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 While the switch is starting, press any key to interrupt theautoboot process.

2 Enable or disable the access service by using the followingcommand:

flags <access-service> <true|false>

3 Save the boot configuration.

--End--

Variable definitionsUse the data in the following table to use the flags command.

Variable Value

access-service Specifies the type of remote accessservice. Enter one of the following:ftpd, rlogind, telnetd, tftpd, or sshd.

true|false Specifies true to activate the service;false to disable the service.

Accessing the boot monitor CLIAccess the boot monitor CLI from the run-time CLI to configure andmanage the boot process by performing this procedure.

Procedure steps

Step Action

1 Configure the bootconfig autoboot flag by using the followingcommand:

config bootconfig flags autoboot false

2 Save the boot configuration by using the following command:

save bootconfig


--End--


NN46205-605 02.05 28 April 2010


.

Modifying the boot monitor CLI operation 53

Modifying the boot monitor CLI operationModify the boot monitor CLI operation to change the connection settingsby performing this procedure.

Procedure steps

Step Action

1 Modify the boot monitor CLI by using the following command:

config bootconfig cli



--End--

Variable definitionsUse the data in the following table to use the config bootconfig clicommand.

Variable Value

info Specifies the current settings for the bootmonitor CLI.

more <true|false> Configures scrolling for the output display.The default value is true.

• true configures output displayscrolling to one page at a time.

• false configures the output display tocontinuous scrolling.

prompt <value> Changes the boot monitor prompt to thedefined string.

• value is a string from 1–32 characters.


NN46205-605 02.05 28 April 2010


.


Variable Value

screenlines <value> Configures the number of lines in theoutput display.The default is 23.

• value is the number of lines from8–64.

timeout <seconds> Configures the idle timeout period beforeautomatic logout for CLI sessions. Thedefault value is 0.

• seconds is the timeout period inseconds from 30–65535.

Modifying the boot sequence from the run-time CLIModify the boot sequence to prevent the switch from using the factorydefault settings or, conversely, to prevent loading a saved configuration fileby performing this procedure.

Procedure steps

Step Action

1 Bypass loading a saved configuration file with the followingcommand:

config bootconfig flags factorydefault true

ATTENTIONIf the switch fails to read and load a saved configuration file afterit starts, ensure this flag is set to false before investigating otheroptions.



--End--

Changing the boot source orderChange the boot source order to display or change the order in which theboot sources (flash and Personal Computer Memory Card InternationalAssociation, or PCMCIA, card) are accessed by performing this procedure.


NN46205-605 02.05 28 April 2010


.

Changing the boot source order 55

Procedure steps

Step Action

1 Change the boot order by using the following command:

config bootconfig choice <boot-choice>



--End--

Variable definitionsUse the data in the following table to use the config bootconfigchoice command.

Variable Value

backup-config-file<file>

Identifies the backup boot configuration file.

• file is the device and file name, up to 256characters including the path.

boot-choice Lists the order in which the specified bootdevices are accessed after you restart the switch.The options for boot-choice are primary,secondary, or tertiary. The primary sourcefor files is the PCMCIA card, the secondary sourceis the onboard flash memory, and the tertiarysource is the network server. The default order isto access the device specified in this commandfirst, and then to access the onboard flash.

config-file <file> Identifies the boot configuration file.


license-file <file> Identifies the license file.


image-file <file> Identifies the image file.


info Specifies the current boot choices and associatedfiles.


NN46205-605 02.05 28 April 2010


.


Example of changing the boot source order

Step Action

1 Specify the configuration file in flash memory as the primary bootsource:

config bootconfig choice primary config-file/flash/config.cfg

--End--

Configuring the standby-to-master delayConfigure the standby-to-master delay to set the number of seconds astandby SF/CPU waits before trying to become the master SF/CPU. Thetime delay you configure applies during a cold start; it does not apply toa failover start.

Configure the standby-to-master delay by performing this procedure.

Procedure steps

Step Action

1 Configure the number of seconds by using the followingcommand:

config bootconfig delay <seconds>



--End--

Configuring system flagsSet the system flags to enable or disable flags for specific configurationsettings by performing this procedure.

ATTENTIONIf you activate auto-trace, SF/CPU utilization increases by up to 30 percent.


NN46205-605 02.05 28 April 2010


.

Configuring system flags 57

ATTENTIONAfter you change certain configuration parameters using the configbootconfig flags or the conf sys set flags command, you must save thechanges to the configuration file and restart the switch before the changes takeeffect. For more information about which parameters require a switch reset, seethe value descriptions in “System flags” (page 35).

Prerequisites

• After you enable the hsecure flag, you cannot enable the flags for theWeb server or SSH password-authentication.

Procedure steps

Step Action

1 Configure system flags by using the following command:

config bootconfig flags



--End--

Variable definitionsUse the data in the following table to use the config bootconfig flagscommand.

Variable Value

8616-reautoneg <true|false> Permits 8616 modules to reautonegotiate whenconnected to a Multiservice Switch 15000.The default value is false.

alt-led-enable <true|false> Activates or disables the alternate LED behavior.The default value is false (off).If you change this parameter, you must reset the switch.

ATTENTIONDo not change this parameter unless directed by Nortel.


NN46205-605 02.05 28 April 2010


.


Variable Value

autoboot <true|false> Enables or disables use of the automatic run-time image.

• true—the switch automatically runs the run-time imageafter reset

• false—the boot process stops at the boot monitorprompt

The default value is true.If you change this parameter, you must reset the switch.

You can set autoboot <false> to facilitate debug tasks.

block-snmp <true|false> Enables or disables Simple Network ManagementProtocol (SNMP) access.

• true—disables SNMP access

• false—enables SNMP access

The default is value is false.


Enables or disables use of the warm standby secondarySF/CPU as the primary SF/CPU if the primary SF/CPU isreset.

• true—the system prevents the secondary SF/CPUin warm standby mode from becoming the primarySF/CPU if the primary SF/CPU is reset.

• false—designates the secondary SF/CPU in warmstandby mode as the primary SF/CPU if the primarySF/CPU is reset

The default value is false.

If you change the block-warmstandby-switchovervariable, you must reset the switch.


Enables or disables optimization of control records.The control-record-optimization command applies only toclassic E and M modules.The default value is false.

You must set the control-record-optimization variable totrue under the following conditions:

• To prevent hardware records creation—because theswitch creates hardware records for routing Layer 3


NN46205-605 02.05 28 April 2010


.


Variable Value

protocol destination multicast addresses by default,even when the corresponding protocol is not enabled.

• To achieve higher record scaling.

• To achieve faster startup time.

You must set the control-record-optimization variableto false if you operate the switch under the followingconditions:

• In High Availability mode.

• In a mixed chassis containing R or RS modules.

If you change the control-record-optimization variablevalue, you must reset the switch.

daylight-saving-time<true|false>

Activates or disables Daylight Saving Time (DST) for theswitch.The default value is false (disabled).If you set the daylight-saving-time variable to true(enabled), you must set the DST settings using theconfig bootconfig tz command.

debug-config <true|false> Activates or disables run-time debugging of theconfiguration file.

• true—the system displays the line by line configurationfile processing on the console during SF/CPUinitializing

• false—disables run-time configuration file debug

The default value for the debug-config variable is false.If you change the debug-config variable, you must resetthe switch.

debugmode <true|false> Controls whether the switch stops in debug modefollowing a fatal error.Debug mode provides information equivalent to thetrace commands.

• true—the switch does not restart following a fatalerror.

• false—the switch automatically restarts following afatal error.

The default value is false.If you change this parameter, you must reset the switch.

ATTENTION


NN46205-605 02.05 28 April 2010


.


Variable Value

Do not change this parameter unless directed by Nortel.

egress-mirror <true|false> Activates the ability to mirror egress traffic for E and Mmodules.The default value is true.If you change this parameter, you must reset the switch.

factorydefaults <true|false> Specifies whether the switch uses the factory defaults atstartup.The default value is false.

• true—the switch uses the factory default configurationat startup

• false—the switch uses the current configuration atstartup

If you change the factorydefaults variable, you must resetthe switch.

The system automatically resets the value to the defaultsetting after the CPU restarts.

ftpd <true|false> Activates or disables FTP service on the switch.The default value is false.To enable FTP, you must set the config bootconfigflags tftpd command variable to false.

ha-cpu <true|false> Activates or disables High Availability (HA) mode.Switches with two SF/CPUs use HA mode to recoverquickly if one SF/CPU fails.The default value is false.

After you enable High Availability mode, the secondarySF/CPU resets to load settings from the saved bootconfiguration file.You must reset the primary SF/CPU after the secondarySF/CPU starting is complete.

CAUTIONRisk of service lossEnabling HA mode can disable certainfeatures.

For more information about the HA supported features,see Table 14 "Feature support for HA in specifiedsoftware release versions" (page 153).


NN46205-605 02.05 28 April 2010


.


Variable Value

hsecure <true|false> Activates or disables High Secure mode in the switch.If you enable hsecure, the following password behaviorsare available:

• 10 characters enforcement

• aging time

• limitation of failed login attempts

• a protection mechanism to filter certain IP addresses

After you enable High Secure mode, you must reset theswitch to enforce secure passwords. In High Securemode, a user with an invalid-length password is promptedto change their password.


logging <true|false> If a PCMCIA is present, the logging command activatesor disables system logging to a file on the PCMCIA.The default value is true.

The system generates the log file name based on an 8.3(xxxxxxxx.sss) format as described in the following list.

• The first 6 characters of the file name contain the lastthree bytes of the chassis base MAC address.

• The next two characters of the file name specify theslot number of the CPU that generated the logs.

• The last three characters of the file name denote thesequence number of the log file.

Under the following conditions, the system generatesmultiple sequence numbers for the same chassis andslot:

• You replace or reinsert the CPU.

• The log file reaches the maximum size.


NN46205-605 02.05 28 April 2010


.


Variable Value

mezz <true|false> Permits or prevents the mezzanine card from startingwhen it is present on a SF/CPU card.

On a dual CPU chassis the SuperMezz configurationmust be identical on both CPUs: either both CPUs have aSuperMezz or both CPUs do not have a SuperMezz.

The default value is true.If you change this value, you must reset the switch.Before you reset the switch with the mezz parameterenabled, you must ensure that the SuperMezz imageresides on the switch.

nncli <true|false> Configures the switch to use NNCLI or CLI mode.If you change the nncli variable, you must restart thesystem.The default value is false.

reboot <true|false> Activates or disables automatic reboot on a fatal error.The default value is true.If you change this parameter, you must reset the switch.The reboot command is equivalent to the debugmodecommand.


rlogind <true|false> Activates or disables the rlogin and rsh server.The default value is false.

savetostandby <true|false> Activates or disables the ability to save the configurationor boot configuration file automatically to the standbySF/CPU.


If you have a dual SF/CPU system, for ease of operationNortel recommends that you set the savetostandbyvariable to true.

spanning-tree-mode<mstp|rstp|default>

Selects the Multiple Spanning Tree Protocol (MSTP),Rapid Spanning Tree Protocol (RSTP), or default (legacy)spanning tree modes.If you do not specify a protocol, the switch uses thedefault spanning tree mode.If you change this parameter, you must save the currentconfiguration and reset the switch.The default value is rstp.


NN46205-605 02.05 28 April 2010


.


Variable Value

sshd <true|false> Activates or disables the SSH server service.The default value is true.

telnetd <true|false> Activates or disables the Telnet server service.The default value is true.

In a dual SF/CPU system, if you disable the Telnet serveryou prevent a Telnet connection from the other SF/CPU.

tftpd <true|false> Activates or disables Trivial File Transfer Protocol (TFTP)server service.The default value is true.

Even if you disable the TFTP server, you can copy filesbetween the SF/CPUs.

trace-logging <true|false> Activates or disables the creation of trace logs.The default value is false.


verify-config <true|false> Activates syntax checking of the configuration file.


• true—when the system detects a syntax error, thesystem loads the factory default configuration

• false—the system logs syntax errors and the SF/CPUcontinues to source the configuration file

Nortel recommends that you use the default variable(false).If you change the verify-config variable, you must resetthe switch.

wdt <true|false> Activates or disables the hardware watchdog timer thatmonitors a hardware circuit.Based on software errors, the watchdog timer restarts theswitch.The default value for the wdt variable is true.

• true—activates a hardware circuit watchdog timer

• false—disables a hardware circuit watchdog timer

If you change the wdt variable, you must reset the switch.

ATTENTION


NN46205-605 02.05 28 April 2010


.


Variable Value

Do not change this parameter unless directed by Nortel.

Configuring the remote host logonConfigure the remote host logon to modify parameters for FTP and TFTPaccess. The defaults allow TFTP transfers. If you want to use FTP as thetransfer mechanism, you need to change the password to a non-null value.

Configure the remote host logon by performing this procedure

Procedure steps

Step Action

1 Define conditions for the remote host logon by using thefollowing command:

config bootconfig host



--End--

Variable definitionsUse the data in the following table to use the config bootconfig hostcommand.

Variable Value

ftp-debug<true|false>

Activates or disables debug mode on FTP. If youenable debug mode, debug messages display on themanagement console screen. The default value isfalse.

info Specifies the current remote host logon settings.


NN46205-605 02.05 28 April 2010


.

Specifying the master SF/CPU 65

Variable Value

password <value> Configures the password to enable FTP transfers.

• value is the password, up to 16 characters long.After this password is configured, only FTP is usedfor remote host logon.

ATTENTIONThis password must match the password set for theFTP server, or the FTP operation fails. Also, if thepassword is set to a nonnull value, all copying to andfrom the network uses FTP instead of TFTP. If theusername or password is incorrect, copying over thenetwork fails.

tftp-debug<true|false>

Activates or disables debug mode on TFTP/TFTPD.If you enable debug mode, debug messages display onthe management console screen.The default value is false.

tftp-hash<true|false>

Activates or disables the TFTP hash bucket display.The default value is false.

tftp-rexmit<seconds>

Configures the TFTP retransmission timeout.The default value is 6 seconds.

• seconds is the number of seconds from1–120.

tftp-timeout<seconds>

Configures the TFTP timeout value.

The default value is 6 seconds.

• seconds is the number of seconds from 1–120.

user <value> Configures the remote user logon.

• value is the user logon name, up to 16 characterslong.

Specifying the master SF/CPUSpecify the master SF/CPU to determine which SF/CPU becomes themaster after the switch performs a full power cycle.Specify the master SF/CPU by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 View the current configuration for the master SF/CPU by usingthe following command:

show bootconfig master

2 Specify the slot of the master SF/CPU by using the followingcommand:

config bootconfig master <cpu-slot>



--End--

Variable definitionsUse the data in the following table to use the config bootconfigmaster command.

Variable Value

<cpu-slot> Specifies the slot number, either 5 or6, for the master SF/CPU.The default is slot 5.

Configuring SF/CPU network port devicesConfigure the network port devices to define connection settings for theport. The three network ports are:

• management port (mgmt)

• SF/CPU port (cpu2cpu)

• PCMCIA card (pccard)

Configure the SF/CPU network port devices by performing this procedure.

Procedure steps

Step Action

1 Configure the network port by using the following command:

config bootconfig net <mgmt|cpu2cpu|pccard>


NN46205-605 02.05 28 April 2010


.

Configuring SF/CPU network port devices 67


--End--

Variable definitionsUse the data in the following table to use the config bootconfig netcommand.

Variable Value

autonegotiate<true|false>

Activates or disables autonegotiation for the port.The default autonegotiation port values are asfollows:• management port is true

• SF/CPU port is false

• PCMCIA card is true

bootp <true|false> Activates or disables the Bootstrap Protocol(BootP) for the port.The default bootp port values are as follows:

• management port is true

• SF/CPU port is true


chk-src-route<true|false>

Blocks traffic with no route back to source.The chk-src-route default port values are asfollows:


• SF/CPU port is false


enable <true|false> Activates or disables the specified port.The default enable port values are as follows:





NN46205-605 02.05 28 April 2010


.


Variable Value

fullduplex<true|false>

Activates or disables full-duplex mode on thespecified port.The default fullduplex port values are as follows:

• management port is false


• PCMCIA card is false

info Specifies information about the currentconfiguration of the specified port.

ip <ipaddr/mask>[cpu-slot <value> ]

Assigns an IP address and mask for:

• the management port

• SF/CPU

• PCMCIA

Optional parameter:

• cpu-slot value specifies the slot number towhich the IP address applies. The valid optionsare 3, 5, or 6. If you do not specify a slot, thesystem assigns the IP address to the port in thecurrently active SF/CPU.

ATTENTIONYou cannot assign an address of 0.0.0.0/0.

restart Shuts down and re-initializes the port.

route [add|del]<netaddr/subnetmask> <gateway>

Configures a route for the port.

• add adds a route. del deletes a route.

• netaddr is the IP address of the network to bereached.

• gateway is the gateway IP address.


NN46205-605 02.05 28 April 2010


.

Configuring SF/CPU serial port devices 69

Variable Value

speed <10|100> Configures the connection speed for ports to 10Mb/s, 100 Mb/s, or 1000 Mb/s.The default value for management port is 10Mb/s.

The default value for SF/CPU port is 100Mb/s.

The default value for PCMCIA card is 10Mb/s.

tftp <ipaddr> Specifies a TFTP server for the port.

• ipaddr is the IP address of the TFTP server.

The default value is 0.0.0.0.

Configuring SF/CPU serial port devicesConfigure the serial port devices to define connection settings for serialports such as the modem and console port or to disable the port. If youuse American Standard Code for Information Interchange (ASCII) mode,configure the port if you need to use nondefault settings.

If you configure the mode for the modem port as either Serial Line IP(SLIP) or Point-to-Point Protocol (PPP), you must configure additionalparameters.

CAUTIONRisk of service interruptionNortel recommends that you not configure the console portmode to SLIP or PPP. The switch can display log, trace, anderror messages on the console port and these messagesinterfere with the SLIP or PPP operation.

Configure the SF/CPU serial port devices by performing this procedure.

Prerequisites

• You need a DTE-to-DCE cable (straight or transmit cable) to connectthe Ethernet Routing Switch 8600 to a modem.

• You must configure your client dial-up settings to establish aconnection to a modem.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Optionally, change the default generic port settings by using thefollowing command:

config bootconfig sio <console|modem|pccard> [8databits<true|false]> [baud <rate>] [mode <ascii|slip|ppp>]

2 If you use PPP mode, configure PPP options by using thefollowing command:

config bootconfig sio <console|modem|pccard> [mtu<bytes>] [my-ip <ipaddr>] [peer-ip <ipaddr>] pppfile<file>

3 If you use SLIP mode, optionally change the default SLIPsettings by using the following command:

config bootconfig sio <console|modem|pccard>[slip-compression <true|false>] [slip-rx-compression<true|false>]

4 Restart the port by using the following command:

config bootconfig sio <console|modem|pccard> restart

5 Disable the port by using the following command:

config bootconfig sio <console|modem|pccard> enablefalse



--End--

Variable definitionsUse the data in the following table to use the config bootconfig siocommand.

Variable Value

8databits<true|false>

Specifies either 8 (true) or 7 (false) data bits for eachbyte for the software to interpret.The default value is 7 (false).

baud <rate> Configures the baud rate for the port.The default value is 9600.

enable <true|false>

Activates or disables the port.The default value is true.


NN46205-605 02.05 28 April 2010


.


Variable Value

info Specifies information about the specified port.


Configures the communication mode for the serial port.The default communication mode is ASCII.

If you are configuring the modem port, you can setthe port to use either the SLIP or PPP communicationmode.

mtu <bytes> Configures the size of the maximum transmission unitfor a PPP link from 0–2048.The default value is 0.

my-ip <ipaddr> Configures the IP address for the server side, theEthernet Routing Switch 8600, of the point-to-point link.The default is value 0.0.0.0.Nortel recommends that you use the IP address for themanagement port.

peer-ip <ipaddr> Configures the peer, the PC, IP address on thepoint-to-point link. The default value is 0.0.0.0.The switch assigns this value to a PC that connectsthrough the modem port with configured TCP/IPproperties to obtain an IP address automatically.If the client uses a static IP address, the EthernetRouting Switch 8600 accepts this address.If you use the Password Authentication Protocol (PAP)authentication, you must ensure that the client uses thecorrect IP address.

pppfile <file> Specifies the PPP configuration file to provide detailsfor authentication, and other options, to include duringthe start procedure of the switch.If you set the port mode to PPP, you must specify aPPP file name. For more information about this file,see “Job aid” (page 72).The PPP file name is a string value of no morethan 64 characters. Identify the file in the format{a.b.c.d:|peer:|/pcmcia/|/flash/}<file>.

ATTENTIONDo not specify a PPP file name with more than 64characters.

restart Shuts down and initializes the port.


NN46205-605 02.05 28 April 2010


.


Variable Value

slip-compression<true|false>

Activates or disables Transmission Control Protocolover IP (TCP/IP) header compression for SLIP mode.The default value is false.


Activates or disables TCP/IP header compression onthe receive packet for SLIP mode.The default value is false.

Job aidCreate the PPP file with one option on each line; comment lines start witha pound sign (#). The following table lists the recognized options.

Table 6Job aid

Option Description

asyncmap <value> Configures the desired async map tothe value you specify.

chap_file <file> Obtains Challenge-HandshakeAuthentication Protocol (CHAP)secrets from the specified file. Yourequire this option if either peerrequires CHAP authentication. If yourusers must use the same IP address,the PAP and CHAP secret files mustspecify the same IP address for allusers and it must match the peer-ipconfiguration on the modem port.

chap_interval <value> Configures the interval, in seconds, forthe CHAP rechallenge to the value youspecify.

chap_restart <value> Configures the timeout, in seconds,for CHAP negotiation to the value youspecify.

debug Activates the PPP daemon debugmode.

default_route Adds a default route to the systemrouting table, after successful InternetProtocol Control Protocol (IPCP)negotiation. Use the peer as thegateway. After the PPP connectionends, the system removes this entry.

driver_debug Activates PPP driver debug mode.

escape_chars <value> Configures the characters to escapeon transmission to the value youspecify.


NN46205-605 02.05 28 April 2010


.


Table 6Job aid (cont’d.)

Option Description

ipcp_accept_local Accepts what the remote peer uses asthe target local IP address, even if thelocal IP address is specified.

ipcp_accept_remote Accepts what the remote peer uses asthe IP address, even if you specify theremote IP address.

ipcp_max_configure <value> Configures the maximum number oftransmissions for IPCP configurationrequests to the value you specify.

ipcp_max_failure <value> Configures the maximum numberof IPCP configuration negativeacknowledgements (NAK) to the valueyou specify.

ipcp_max_terminate <value> Configures the maximum number oftransmissions for IPCP terminationrequests to the value you specify.

ipcp_restart <value> Configures the timeout, in seconds,for IPCP negotiation to the value youspecify.

lcp_echo_failure <value> Configures the maximum consecutiveLink Control Protocol (LCP) echofailures to the value you specify.

lcp_echo_interval <value> Configures the interval, in seconds,between LCP echo requests to thevalue you specify.

lcp_max_configure <value> Configures the maximum number oftransmissions for LCP configurationrequests to the value you specify.

lcp_max_failure <value> Configures the maximum number ofLCP configuration NAKs to the valueyou specify.

lcp_max_terminate <value> Configures the maximum number oftransmissions for LCP terminationrequests to the value you specify.

lcp_restart <value> Configures the timeout in seconds forthe LCP negotiation to the value youspecify.

local_auth_name <name> Configures the local name forauthentication to the specified name.


NN46205-605 02.05 28 April 2010


.



Option Description

login Uses the logon password databasefor Password Authentication Protocol(PAP) peer authentication.

max_challenge <value> Configures the maximum number oftransmissions for CHAP challengerequests to the value you specify.

mru <value> Configures the maximum receive unit(MRU) size for negotiation to the valueyou specify.

mtu <value> Configures the maximum transmissionunit (MTU) size for negotiation to thevalue you specify.

netmask <value> Configures the netmask value fornegotiation to the value you specify.

no_acc Disables address control compression.

no_all Does not request or allow options.

no_asyncmap Disables async map negotiation.

no_chap Disallows CHAP authentication withpeer.

no_ip Disables IP address negotiation inIPCP.

no_mn Disables magic number negotiation.

no_mru Disables MRU negotiation.

no_pap Disables PAP authentication with thepeer.

no_pc Disables protocol field compression.

no_vj Disables Van Jacobson (VJ)compression. VJ compressionreduces the regular 40-byte TCP/IPheader to 3 or 8 bytes.

no_vjccomp Disables VJ connection IDcompression.


NN46205-605 02.05 28 April 2010


.



Option Description

pap_file <file> Obtains PAP secrets from thespecified file. You require thisoption if either peer requires PAPauthentication. If your users must usethe same IP address, the PAP andCHAP secret files must specify thesame IP address for all users and itmust match the peer-ip configurationon the modem port.

pap_max_authreq <value> Configures the maximum number oftransmissions for PAP authenticationrequests to the value you specify.

pap_passwd <password> Configures the password for PAPauthentication with the peer to thespecified password.

pap_restart <value> Configures the timeout, in seconds,for PAP negotiation to the value youspecify.

pap_user_name <name> Configures the user name for PAPauthentication with the peer to thespecified name.

passive_mode Configures passive mode. PPP waitsfor the peer to connect after an initialconnection attempt.

proxy_arp Adds an entry to the AddressResolution Protocol (ARP) tablewith the IP address of the peer and theEthernet address of the local system.

remote_auth_name <name> Configures the remote name forauthentication to the specified name.

require_chap Requires CHAP authentication withpeer.

require_pap Requires PAP authentication withpeer.

silent_mode Configures silent mode. PPP doesnot transmit LCP packets to initiate aconnection until it receives a valid LCPpacket from the peer.

vj_max_slots <value> Configures the maximum number ofVJ compression header slots to thevalue you specify.


NN46205-605 02.05 28 April 2010


.


Table 7 "Sample PPP file" (page 76) shows example contents from a PPPfile.

Table 7Sample PPP file

passive_mode

lcp_echo_interval 30

lcp_echo_failure 10

require_chap

require_pap

no_vj

ipcp_accept_remote

login

chap_file "my_chap"

pap_file "my_pap"

Configuring the time zoneSet the time zone to specify the time for your location and configure thesettings for daylight saving by performing this procedure.

The format for the time zone command is derived with observation ashours:minutes when compared to minutes only in other Ethernet RoutingSwitches series for both DST offset and offset from GMT. The input valueis positive for the west side of GMT as opposed to negative in every othercommercial product.

Procedure steps

Step Action

1 Configure the time zone by using the following command:

config bootconfig tz



NN46205-605 02.05 28 April 2010


.

Configuring the time zone 77


--End--

Variable definitionsUse the data in the following table to use the config bootconfig tzcommand.

Variable Value


Configures the ending date of daylight saving time.You can specify the time in one of the following ways:

• Mm.n.d/hhmm specifies an hour on the nthoccurrence of a weekday in a month. For example,M10.5.0/0200 means the fifth occurrence ofSunday in the tenth month (October) at 2:00 a.m.

• MMddhhmm specifies a month, day, hour, andminute. For example, 10310200 means October 31at 2:00 a.m.

dst-name<dstname>

Configures an abbreviated name for the local daylightsaving time zone.

• dstname is the name (for example, "pdt" is PacificDaylight Time).

dst-offset<minutes|hh:mm>

Configures the daylight saving adjustment in minutes orhours:minutes. The values range from -4:0 to 4:0 forhours:minutes and from -240 to 240 for minutes.



Configures the starting date of daylight saving time.



info Specifies time zone information.


NN46205-605 02.05 28 April 2010


.


Variable Value

name <tz> Configures an abbreviated name for the local timezone name.

• tz is the name (for example "pst" is PacificStandard Time).

offset-from-utc<minutes|hh:mm>

Configures the time zone offset, in minutes orhours:minutes, to subtract from Universal CoordinatedTime (UTC), where positive numbers mean westof Greenwich and negative numbers mean east ofGreenwich.The values range from -14:0 to 14:0 for hours:minutesand from -840 to 840 for minutes.The default value is 0.

Enabling remote access services from the run-time CLIEnable the remote access service to provide multiple methods of remoteaccess by performing this procedure.

Prerequisites

• If you enable an rlogin flag, you must configure an access policy andspecify the name of the user who can access the switch.

Procedure steps

Step Action

1 Enable or disable the access service by using the followingcommand:

config bootconfig flags <access-service> <true|false>

2 Save the configuration.

--End--

Variable definitionsUse the data in the following table to use the config bootconfig flagscommand.


NN46205-605 02.05 28 April 2010


.

Displaying the boot monitor configuration 79

Variable Value

access-service Specify the type of remote accessservice. Enter one of the following:ftpd, rlogind, telnetd, tftpd, or sshd.

true|false Enables or disables a remote accessservice.

• true—activates a service

• false—disables a service

Displaying the boot monitor configurationDisplay the configuration to view current or changed settings for the bootmonitor and boot monitor CLI by performing this procedure.

CAUTIONRisk of equipment failureDo not edit the boot.cfg file manually because the switch readsthis file during the boot process. Errors generated while editingthe file can render the switch inoperable.

Procedure steps

Step Action

1 View the configuration using one of the following commands:

show bootconfig

or

config bootconfig show

--End--

Variable definitionsUse the data in the following table to use the show bootconfig andconfig bootconfig show commands.

Variable Value

choice Specifies the current boot configuration choices.

cli Specifies the current cli configuration.


NN46205-605 02.05 28 April 2010


.


Variable Value

config [verbose] Specifies the current boot configuration.

• verbose includes all possible information.

If you omit verbose, only the values that werechanged from their default settings are displayed.

flags Specifies the current flag settings.

host Specifies the current host configuration.

info Specifies the current settings for the boot monitor.

master Specifies the current SF/CPU slot set as master andthe settings for the delay and multicast command.

mezz-image Specifies the mezzanine image.

net Specifies the current configuration of the SF/CPUnetwork ports.

show-all [file<value> ]

Specifies all relevant information about bootconfiguration on the switch.

• value is the filename to which the output isredirected.

sio Specifies the current configuration of the SF/CPU serialports.

tz Specifies the current configuration of the switch timezone.

wlan Specifies wireless LAN information.

bootp Specifies the BootP configuration.


NN46205-605 02.05 28 April 2010


.

81.

Boot parameter configuration usingthe NNCLI

Use the procedures in this section to configure and manage the bootmonitor using the Nortel Networks command line interface (NNCLI).

Prerequisites to boot parameter configuration• You initiate a boot monitor session only through a direct serial-port

connection to the switch. After the boot monitor is active, you can setthe flags for Telnet and rlogin to allow remote access, but accessto the boot monitor is still only available through a direct serial-portconnection. Within the boot monitor, you can change the bootconfiguration, including boot choices and boot flags.

• To perform the procedures in this section, you must log on to theGlobal Configuration mode in the NNCLI. For more information aboutusing NNCLI, see Nortel Ethernet Routing Switch 8600 User InterfaceFundamentals (NN46205-308).


• “Accessing the boot monitor ” (page 85)

• “Accessing the boot monitor from the run-time environment” (page 85)

• “Configuring the boot monitor” (page 86)

• “Modifying the boot sequence” (page 87)

• “Enabling remote access services” (page 88)

• “Changing the boot source order” (page 89)

• “Configuring the standby-to-master delay” (page 90)


• “Configuring the remote host logon” (page 99)


NN46205-605 02.05 28 April 2010


.

82 Boot parameter configuration using the NNCLI

• “Specifying the master SF/CPU” (page 101)

• “Configuring SF/CPU network port devices” (page 101)

• “Configuring SF/CPU serial port devices” (page 103)


• “Displaying the boot monitor configuration” (page 114)


Table 8Job aid

Command Parameter

Privileged EXEC mode

bootp

choice

cli

flags

general

host

master

mezz-image

net

running-config

sio

tz

show boot config

wlan

Global Configuration mode

<primary|secondary|tertiary>

backup-config-file <file>

config-file <file>

boot config choice

image-file <file>


NN46205-605 02.05 28 April 2010


.

Job aid 83

Command Parameter

8100-mode

8616-reautoneg

delay <seconds>

more

prompt <value>

screenlines <value>

boot config cli

timeout <seconds>

alt-led

autoboot

block-snmp

block-warmstandby-switchover

control-record-optimization

daylight-saving-time

debug-config

debugmode

egress-mirror

factorydefaults

ftpd

ha-cpu

hsecure

logging

mezz

nncli

reboot

rlogind

savetostandby

spanning-tree-mode

sshd

telnetd

tftpd

trace-logging

verify-config

boot config flags


NN46205-605 02.05 28 April 2010


.


Command Parameter

wdt

ftp-debug

password

tftp-debug

tftp-hash

tftp-rexmit

tftp-timeout

boot config host

user

boot config master <cpu-slot>

autonegotiate

bootp

chk-src-route

fullduplex

ip

restart

route

speed

boot config net <cpu-network-port>

tftp

8databits

baud

mode

mtu

my-ip

peer-ip

pppfile

restart

slip-compression

boot config sio <console|modem|pccard>

slip-rx-compression


NN46205-605 02.05 28 April 2010


.

Accessing the boot monitor from the run-time environment 85

Command Parameter

dst-end

dst-name

dst-offset

dst-start

name

boot config tz

offset-from-utc

Accessing the boot monitorAccess the boot monitor to configure and manage the boot process byperforming this procedure.

Procedure steps

Step Action


2 Interrupt the boot sequence by pressing the Enter key after thefollowing prompt is displayed:

Press Enter to stop autoboot.

--End--

Accessing the boot monitor from the run-time environmentAccess the boot monitor from the run-time environment to configure andmanage the boot process by performing this procedure.

Prerequisites

• You must log on to the Global Configuration mode in the NNCLI.

Procedure steps

Step Action

1 Configure the autoboot flag by using the following command:

no boot config flags autoboot

2 Save the boot configuration by using the following command:

save bootconfig


NN46205-605 02.05 28 April 2010


.



--End--

Configuring the boot monitorConfigure the boot monitor to configure connection settings for NNCLIsessions by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure the boot monitor CLI by using the following command:

boot config cli [more] [prompt <value>] [screenlines<value>] [timeout <seconds>]

2 Save the changed configuration file.


--End--

Variable definitionsUse the data in the following table to use the boot config clicommand.

Variable Value

more Configures scrolling for the outputdisplay.

The default is true.Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.


NN46205-605 02.05 28 April 2010


.

Modifying the boot sequence 87

Variable Value

prompt <value> Changes the boot monitor prompt tothe defined string.

• value is a string from 1–32characters.

To set this option to the default value,use the default operator with thecommand.

screenlines <value> Configures the number of lines in theoutput display.

• value is the number of lines from1–64.

To set this option to the default value,use the default operator with thecommand.The default is value 23.

timeout <seconds> Configures the idle timeout periodbefore automatic logoff for NNCLIsessions.

• seconds is the timeout period, inseconds,from 0–65536.

To set this option to the default value,use the default operator with thecommand.The default value is 0.

Modifying the boot sequenceModify the boot sequence to prevent the switch from using the factorydefault settings or, conversely, to prevent loading a saved configuration fileby performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Bypass the loading of the switch configuration with the followingcommand:


NN46205-605 02.05 28 April 2010


.


boot config flags factorydefaults

ATTENTIONIf the switch fails to read and load a saved configuration file after itstarts, ensure you use the no operator with this command, no bootconfig flags factorydefaults, before investigating otheroptions.

--End--

Enabling remote access servicesEnable the remote access service to provide multiple methods of remoteaccess by performing this procedure.

Prerequisites

• If you enable an rlogin flag, you must configure an access policy tospecify the name of the user who can access the switch.


Procedure steps

Step Action

1 Enable the access service by using the following command:

boot config flags <access-service>

2 Save the boot configuration.

--End--

Variable definitionsUse the data in the following table to use the boot config flagscommand.

Variable Value

access-service Specifies the type of remote accessservice to enable. Select from thefollowing list:• ftpd

• rlogind

• sshd


NN46205-605 02.05 28 April 2010


.

Changing the boot source order 89

Variable Value

• telnetd

• tftpd

Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.

Changing the boot source orderChange the boot source order to display or change the order in which thesystem accesses the boot sources (flash and PCMCIA card) by performingthis procedure.

Prerequisites


Procedure steps

Step Action

1 Change the boot order by using the following command:

boot config choice <primary|secondary|tertiary>backup-config-file <file> config-file <file> image-file<file> license-file <file>



--End--

Variable definitionsUse the data in the following table to use the boot config choicecommand.

Variable Value

backup-config-file<file>

Identifies the backup boot configuration file.


To set this option to the default value, use thedefault operator with the command.


NN46205-605 02.05 28 April 2010


.


Variable Value

config-file <file> Identifies the boot configuration file.



license-file <file> Identifies the license file.


image-file <file> Identifies the image file.



<primary|secondary|tertiary>

Lists the order in which the specified boot devicesare accessed after you restart the switch. Theprimary source for files is the PCMCIA card, thesecondary source is the onboard flash memory,and the tertiary source is the network server. Thedefault order is to access the device specified inthis command first, and then to access the onboardflash.

Example of changing the boot source order

Step Action

1 Specify the configuration file in flash memory as the primary bootsource:

config bootconfig choice primary config-file/flash/config.cfg

--End--

Configuring the standby-to-master delayConfigure the standby-to-master delay to set the number of seconds astandby SF/CPU waits before trying to become the master SF/CPU. Thetime delay you configure applies during a cold start; it does not apply toa failover start.

Configure the standby-to-master delay by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Prerequisites


Procedure steps

Step Action

1 Configure the number of seconds by using the followingcommand:

boot config cli delay <seconds>



--End--

Configuring system flagsSet the system flags to enable flags for specific configuration settings byperforming this procedure.

ATTENTIONIf auto-trace is activated, SF/CPU utilization increases by up to 30 percent.

ATTENTIONAfter you change certain configuration parameters using the boot configflags command, you must save the changes to the configuration file andrestart the switch before the changes take effect. For more information aboutwhich parameters require a switch reset, see the variable definitions tablefollowing the procedure.

Prerequisites

• If you enable the hsecure flag, you cannot enable the flags for the Webserver or SSH password-authentication.


Procedure steps

Step Action

1 Enable system flags by using the following command:

boot config flags <flag>


NN46205-605 02.05 28 April 2010


.


To disable a flag use the no operator before the flag command:no boot config flags <flag>.

To set a flag to the default value, use the default operator withthe command.



--End--

Variable definitionsUse the data in the following table to use the boot config flagscommand.

Variable Value

8100-mode Turns the flag ON or OFF.The default value is false.

8616-reautoneg Permits 8616 modules to reautonegotiate whenconnected to a Multiservice Switch 15000.The default value is false.

alt-led Activates the alternate LED behavior.The default is false (disabled).If you change this parameter, you must resetthe switch.

ATTENTIONDo not change this parameter unless directedby Nortel.

autoboot Enables or disables automatic use of therun-time image by the switch after reset.The default value is true (enabled).

If you disable autoboot, the boot process stopsat the boot monitor prompt. Disabling autobootcan facilitate debug tasks.If you change this parameter, you must resetthe switch.

block-snmp Enables or disables Simple NetworkManagement Protocol (SNMP) management.The default value is disabled.


NN46205-605 02.05 28 April 2010


.


Variable Value

block-warmstandby-switchover Enables or disables use of the secondarySF/CPU (in warm standby mode) as the primarySF/CPU if you reset the switch.

• enabled—prevents use of the secondarySF/CPU (in warm standby mode) from asthe primary SF/CPU if you reset the primarySF/CPU/

• disabled—designates the secondarySF/CPU in warm standby mode as theprimary SF/CPU if you reset the primarySF/CPU.

The default setting is disabled.If you change the block-warmstandby-switchover setting, you must reset the switch.

control-record-optimization Enables or disables creation of hardwarerecords to route Layer 3 protocol destinationmulticast addresses.By default, the switch creates hardware recordsto route Layer 3 protocol destination multicastaddresses even if the corresponding protocol isdisabled.

Set the control-record-optimization variable totrue (enabled) to

• prevent creation of hardware records

• achieve higher record scaling

• achieve faster boot time

Set the control-record-optimization variable tofalse (disabled) when operating the switch in

• High Availability mode

• a mixed chassis containing R or RSmodules

This flag applies only to classic E and Mmodules.

The default setting is false (disabled).If you change this parameter, you must resetthe switch.


NN46205-605 02.05 28 April 2010


.


Variable Value

daylight-saving-time Activates or disables Daylight Saving Time(DST) for the switch.If you enable DST you must configure the DSTsettings using the config bootconfig tzcommand.The default value is disabled.

debug-config Activates or disables run-time debugging of theconfiguration file.Use one of the following variables to configurethe command.

• true—line by line configuration fileprocessing displays on the console duringSF/CPU initialization

• false—disables run-time configuration filedebug

The default value is false (disabled).If you change the debug-config variable value,you must reset the switch.

debugmode Controls whether the switch stops in debugmode following a fatal error. Debug modeprovides information equivalent to the tracecommands.

• true (enabled)—the switch does not restartfollowing a fatal error

• false (disabled)—the switch restartsautomatically following a fatal error

The default value is disabled.If you change this parameter, you must resetthe switch.


egress-mirror Activates egress traffic mirroring for E and Mmodules.The default value is activated.If you change this parameter, you must resetthe switch.


NN46205-605 02.05 28 April 2010


.


Variable Value

factorydefaults Specifies whether the switch uses the factorydefault settings at startup.The default value is disabled.This flag is automatically set back to the defaultsetting after the CPU restarts.If you change this parameter, you must resetthe switch.

ftpd Activates or disables theFTP server on theswitch.The default value is disabled.To enable FTP, ensure that the tftpd flag isdisabled.

ha-cpu Activates or disables High Availability (HA)mode. Switches with two SF/CPUs use HAmode to recover quickly from a failure of one ofthe SF/CPUs.

If you enable High Availability mode, thesecondary SF/CPU resets to load settings fromthe saved boot configuration file. You mustreset the primary SF/CPU after the secondarySF/CPU starting is complete.

CAUTIONRisk of service lossEnabling HA mode candisable certain features.

For more information about what features aresupported with HA, see Table 14 "Featuresupport for HA in specified software releaseversions" (page 153).

hsecure Activates or disables High Secure mode in theswitch.

The hsecure command provides the followingpassword behavior:

• 10 character enforcement

• aging time

• failed login attempt limitation

• designated IP address filtration

The default value is false (disabled).


NN46205-605 02.05 28 April 2010


.


Variable Value

If you enable High Secure mode, you mustreset the switch to enforce secure passwords.

If you operate the switch in High Secure mode,the switch prompts a password change if youenter invalid-length passwords.

logging If a PCMCIA exists in the system, you can usethe logging command to activate or disablesystem logging to a file on the PCMCIA.

The default value is true (enabled).

The system names log files according to thefollowing:

• File names appear in 8.3 (xxxxxxxx.sss)format.

• The first 6 characters of the file namecontain the last three bytes of the chassisbase MAC address.

• The next two characters in the file namespecify the slot number of the CPU thatgenerated the logs.

• The last three characters in the file nameare the sequence number of the log file.

The system generates multiple sequencenumbers for the same chassis and same slot if

• you replace the CPU

• you reinsert the CPU

• the system reaches the maximum log filesize

mezz Permits or prevents the mezzanine card fromstarting if it is present on a SF/CPU card.

If you enable mezz on a dual CPU chassis,ensure that both CPUs contain a SuperMezzcard.

The mezz default value is enabled.If you change this parameter, you must resetthe switch.


NN46205-605 02.05 28 April 2010


.


Variable Value

If you reset the switch with mezz enabled,ensure that the SuperMezz image resides onthe switch prior to the reset.

nncli Configures the switch to use NNCLI or CLImode.After you change this parameter, you mustrestart the system for the change to take effect.The default value is true.

reboot Activates or disables automatic reboot on a fatalerror.The default value is activated.The reboot command is equivalent to thedebugmode command.If you change the reboot variable value, youmust reset the switch.


rlogind Activates or disables the rlogin and rsh server.The default value is disabled.

savetostandby Activates or disables automatic save of theconfiguration or boot configuration file to thestandby SF/CPU.The default value is disabled.

If you operate a dual SF/CPU system, Nortelrecommends that you enable this flag for easeof operation.


Specifies the Multiple Spanning Tree Protocol(MSTP), Rapid Spanning Tree Protocol (RSTP),or default (legacy) spanning tree mode.If you do not specify a protocol, the switch usesthe default mode.The default mode is rstp.If you change the spanning tree mode, youmust save the current configuration and resetthe switch.

sshd Activates or disables the SSH server service.The default value is true (enabled).


NN46205-605 02.05 28 April 2010


.


Variable Value

telnetd Activates or disables the Telnet server service.The default is disabled.

If you disable the Telnet server service in a dualSF/CPU system, the Telnet server preventsa Telnet connection initiated from the otherSF/CPU.

tftpd Activates or disables Trivial File TransferProtocol (TFTP) server service.The default value is disabled.

If you disable the TFTP server you can stillcopy files between the SF/CPUs.

trace-logging Activates or disables the creation of trace logs.The default value is disabled.


verify-config Activates syntax checking of the configurationfile.The default value is true (enabled).If the system finds a syntax error, it loads thefactory default configuration.

If you set the variable to false, the system logssyntax errors and the SF/CPU continues tosource the configuration file.

Nortel recommends that you set theverify-config variable to false.If you change this parameter, you must resetthe switch.

wdt Activates or disables the hardware watchdogtimer monitoring a hardware circuit.The default value is activated.The watchdog timer restarts the switch basedon software errors.If you change the wtd variable, you must resetthe switch.



NN46205-605 02.05 28 April 2010


.

Configuring the remote host logon 99

Configuring the remote host logonConfigure the remote host logon to modify parameters for FTP and TFTPaccess. The defaults allow TFTP transfers. If you want to use FTP as thetransfer mechanism, you need to change the password to a non-null value.

Configure the remote host logon by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Define conditions for the remote host logon by using thefollowing command:

boot config host



--End--

Variable definitionsUse the data in the following table to use the boot config hostcommand.

Variable Value

ftp-debug Activates or disables debug mode on FTP.If you enable debug mode, debug messages display onthe management console screen.The default value is disabled.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.


NN46205-605 02.05 28 April 2010


.


Variable Value

password <value> Configures the password to enable FTP transfers.

• value is the password, up to 16 characters long.If you configure this password, you can use onlyFTP for remote host logon.

ATTENTIONThis password must match the password set for theFTP server, or the FTP operation fails. If you set thepassword to a nonnull value, all copy operations toand from the network use FTP instead of TFTP. If theuser name or password is incorrect, copy operationsover the network fail.

tftp-debug Activates or disables debug mode on TFTP/TFTPD.If you enable debug mode, debug messages display onthe management console screen.The default value is disabled.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

tftp-hash Activates or disables the TFTP hash bucket display.The default value is disabled.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

tftp-rexmit<seconds>

Configures the TFTP retransmission timeout. Thedefault value is 2 seconds.



tftp-timeout<seconds>

Configures the TFTP timeout.The default value is 10 seconds.



user <value> Configures the remote user logon.

• value is the user logon name, up to 16 characterslong.



NN46205-605 02.05 28 April 2010


.

Configuring SF/CPU network port devices 101

Specifying the master SF/CPUSpecify the master SF/CPU to designate which SF/CPU becomes themaster after the switch performs a full power cycle.Specify the master SF/CPU by performing this procedure.

Prerequisites

• You must log on to the NNCLI Global Configuration mode.

Procedure steps

Step Action

1 View the current configuration for the master SF/CPU by usingthe following command:

show boot config master

2 Specify the slot of the master SF/CPU by using the followingcommand:

boot config master <cpu-slot>



--End--

Variable definitionsUse the data in the following table to use the boot config mastercommand.

Variable Value

<cpu-slot> Specifies the slot number, either 5 or6, for the master SF/CPU.The default value is slot 5.

Configuring SF/CPU network port devicesConfigure the network port devices to define connection settings for theport. The three network ports are:

• management port (mgmt)

• SF/CPU port (cpu2cpu)

• PCMCIA card (pccard)


NN46205-605 02.05 28 April 2010


.


Prerequisites


Procedure steps

Step Action

1 Configure the network port by using the following command:

boot config net <cpu-network-port>


--End--

Variable definitionsUse the data in the following table to use the boot config netcommand.

Variable Value

<cpu-network-port> Identifies the port using one of the following:• mgmt

• cpu2cpu

• pccard

autonegotiate Activates or disables autonegotiation for the port.The default value is disabled.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

bootp Activates or disables the Bootstrap Protocol(BootP) for the port.The default value is activated.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

chk-src-route Blocks traffic with no route back to the source.The default value is activated.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.


NN46205-605 02.05 28 April 2010


.


Variable Value

fullduplex Activates or disables full-duplex mode on thespecified port.The default value is activated.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

ip <ipaddr/mask>[cpu-slot <value> ]

Assigns an IP address/mask for the managementport, SF/CPU, or PCMCIA card.

Optional parameter:

• cpu-slot value specifies the slot number towhich the IP address applies.The valid options are 3, 5, or 6.If you do not specify a slot, the system assignsthe IP address to the port in the currently activeSF/CPU.

In an 8003 chassis, only SF/CPU slot 3 isavailable.

ATTENTIONYou cannot assign an address of 0.0.0.0/0.

restart Restarts the port.

route <netaddr> Configures a route for the port. netaddr is theIP address and mask of the network you want toreach.

Use the no operator to remove this configuration.

speed <10|100> Configures the connection speed for ports to 10Mb/s, 100 Mb/s, or 1000 Mb/s.The default is 10 Mb/s.To set this option to the default value, use thedefault operator with the command.

tftp <ipaddr> Specifies a TFTP server for the port.

ipaddr is the IP address of the TFTP server.

Configuring SF/CPU serial port devicesConfigure the serial port devices to define connection settings for serialports; for example, the modem and console port .


NN46205-605 02.05 28 April 2010


.


If you configure the modem port mode as either Serial Line IP (SLIP) orPoint-to-Point Protocol (PPP), you must configure additional parameters.

CAUTIONRisk of service interruptionNortel recommends that you not configure the console portmode to SLIP or PPP. The switch can display log, trace, anderror messages on the console port and these messagesinterfere with the SLIP or PPP operation.

Prerequisites

• You need a DTE-to-DCE cable (straight or transmit cable) to connectthe Ethernet Routing Switch 8600 to a modem.

• You must configure your client dial-up settings to establish aconnection to a modem.


Procedure steps

Step Action

1 Optionally, change the default generic port settings by using thefollowing command:

boot config sio <console|modem|pccard> [8databits][baud <rate>] [mode <ascii|slip|ppp>]

2 If you use PPP mode, configure PPP options by using thefollowing command:

boot config sio <console|modem|pccard> [mtu <bytes>][my-ip <ipaddr>] [peer-ip <ipaddr>] pppfile <file>

3 If you use SLIP mode, optionally change the default SLIPsettings by using the following command:

boot config sio <console|modem|pccard> [slip-compression <true|false>] [slip-rx-compression <true|false>]

4 Restart the port by using the following command:

boot config sio <console|modem|pccard> restart

5 Disable the port by using the following command:

no boot config sio <console|modem|pccard>


7 Optionally, shutdown and reinitialize the port by using thefollowing command:


NN46205-605 02.05 28 April 2010


.


boot config sio modem restart


--End--

Variable definitionsUse the data in the following table to use the boot config siocommand.

Variable Value

8databits Specifies either 8 (activated) or 7 (disabled) data bitsfor each byte for the software to interpret.The default value is 7 (disabled).Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

baud <rate> Configures the baud rate for the port.The default value is 9600.To set this option to the default value, use thedefault operator with the command.


Configures the communication mode for the serial port.The default is ASCII (American Standard Code forInformation Interchange).

If you are configuring the modem port, you can setthe port to use either the SLIP or PPP communicationmode.


mtu <bytes> Configures the size of the maximum transmission unitfor a PPP link, from 0–2048.The default value is 0.To set this option to the default value, use thedefault operator with the command.

my-ip <ipaddr> Configures the IP address for the server side, theEthernet Routing Switch 8600, of the point-to-point link.The default value is 0.0.0.0.Nortel recommends that you use the current IPaddress for the management port.To set this option to the default value, use thedefault operator with the command.


NN46205-605 02.05 28 April 2010


.


Variable Value

peer-ip <ipaddr> Configures the peer (the PC) IP address on thepoint-to-point link. The default is 0.0.0.0.The switch assigns the peer IP address to a PCthat connects through the modem port if the TCP/IPproperties for the PC are configured to obtain an IPaddress automatically.If the client uses a static IP address, the EthernetRouting Switch 8600 accepts this address.If you use Password Authentication Protocol (PAP)authentication, you must ensure that the client uses thecorrect IP address.To set this option to the default value, use thedefault operator with the command.

pppfile <file> Specifies the PPP configuration file that providesauthentication details and options to include during theswitch boot procedure.The PPP file name is a string value of no morethan 64 characters. Identify the file in the format{a.b.c.d:|peer:|/pcmcia/|/flash/}<file>.

ATTENTIONDo not specify a PPP file name with more than 64characters.


restart Shuts down and initializes the port.

slip-compression<true|false>

Activates or disables Transmission Control Protocolover IP (TCP/IP) header compression for SLIP mode.The default value is false.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.


Activates or disables TCP/IP header compression onthe receive packet for SLIP mode.The default value is false.Use the no operator to remove this configuration.To set this option to the default value, use thedefault operator with the command.

Job aidCreate the PPP file with one option on each line; comment lines start witha pound sign (#). The following table lists the recognized options.


NN46205-605 02.05 28 April 2010


.


Table 9Job aid

Option Description

asyncmap <value> Configures the async map.• value is the value you sprcify

chap_file <file> Obtains Challenge-HandshakeAuthentication Protocol (CHAP)secrets from the specified file.If either peer requires CHAPauthentication, you must specify afile name.If users must use the same IP address• the PAP and CHAP secret files

must specify the same IP addressfor all users

• the IP address must match thepeer-ip configuration on the modemport

chap_interval <value> Configures the interval for the CHAPrechallenge.• value, expressed in seconds, is

the interval that you specify.

chap_restart <value> Configures the timeout for CHAPnegotiation.• value, expressed in seconds, is

the interval that you specify.

debug Activates the PPP daemon debugmode.

default_route Adds a default route to the systemrouting table, after successful InternetProtocol Control Protocol (IPCP)negotiation.Use the peer as the gateway.After the PPP connection ends, thesystem removes the default routingtable entry.

driver_debug Activates PPP driver debug mode.

escape_chars <value> Configures the characters to escapeon transmission.• value is the number of characters

you specify.

ipcp_accept_local Accepts the remote peer target localIP address as the target local IPaddress, whether the local IP addressis specified or not.


NN46205-605 02.05 28 April 2010


.



Option Description

ipcp_accept_remote Accepts the remote peer IP address,whether the remote IP address isspecified or not.

ipcp_max_configure <value> Configures the maximum number oftransmissions for IPCP configurationrequests.• value is the number you specify

ipcp_max_failure <value> Configures the maximum numberof IPCP configuration negativeacknowledgements (NAK).• value is the number you specify

ipcp_max_terminate <value> Configures the maximum number oftransmissions for IPCP terminationrequests.• value is the number you specify

ipcp_restart <value> Configures the timeout interval forIPCP negotiation.• value is the interval, in seconds,

that you specify

lcp_echo_failure <value> Configures the maximum consecutiveLink Control Protocol (LCP) echofailures.• value is the number that you

specify

lcp_echo_interval <value> Configures the interval between LCPecho requests.• value is the interval, in seconds,

that you specify.

lcp_max_configure <value> Configures the maximum number oftransmissions for LCP configurationrequests.• value is a number that you specify

lcp_max_failure <value> Configures the maximum number ofLCP configuration NAKs• value is a number that you specify

lcp_max_terminate <value> Configures the maximum number oftransmissions for LCP terminationrequests• value is a number that you specify


NN46205-605 02.05 28 April 2010


.



Option Description

lcp_restart <value> Configures the timeout for the LCPnegotiation.• value is the interval, in seconds,

that you specify

local_auth_name <name> Configures the local name forauthentication.• name is the name that you specify

login Uses the logon password databasefor Password Authentication Protocol(PAP) peer authentication.

max_challenge <value> Configures the maximum number oftransmissions for CHAP challengerequests• value is the number you specify

mru <value> Configures the maximum receive unit(MRU) size for negotiation.• value is the MRU size for

negotiation that you specify

mtu <value> Configures the maximum transmissionunit (MTU) size for negotiation.• value is the MTU size for

negotiation that you specify

netmask <value> Configures the netmask value fornegotiation.• value is the netmask that you

specify

no_acc Disables address control compression.

no_all Does not request or allow options.

no_asyncmap Disables asynchronous mapnegotiation.

no_chap Disallows CHAP authentication withpeer.

no_ip Disables IP address negotiation inIPCP.

no_mn Disables magic number negotiation.

no_mru Disables MRU negotiation.

no_pap Disables PAP authentication with thepeer.

no_pc Disables protocol field compression.


NN46205-605 02.05 28 April 2010


.



Option Description

no_vj Disables Van Jacobson (VJ)compression.VJ compression reduces the regular40-byte TCP/IP header to 3 or 8 bytes.

no_vjccomp Disables VJ connection IDcompression.

pap_file <file> Obtains PAP secrets from thespecified file.Use this option if either peer requiresPAP authentication.If users must use the same IPaddress, you must specify the same IPaddress for all users in the PAP andCHAP secret files and the IP addressmust match the peer-ip configurationon the modem port.

pap_max_authreq <value> Configures the maximum number oftransmissions for PAP authenticationrequests.• value is the number you specify

pap_passwd <password> Configures the password for PAPauthentication with the peer.• password is the password you

specify

pap_restart <value> Configures the timeout for PAPnegotiation.• value is the interval, in seconds,

that you specify

pap_user_name <name> Configures the user name for PAPauthentication with the peer.• name is the name you specify

passive_mode Configures passive mode.PPP waits for the peer to connect afteran initial connection attempt.

proxy_arp Adds an entry to the AddressResolution Protocol (ARP) tablewith the IP address of the peer and theEthernet address of the local system.

remote_auth_name <name> Configures the remote name forauthentication.• name is the name you specify


NN46205-605 02.05 28 April 2010


.



Option Description

require_chap Requires CHAP authentication withpeer.

require_pap Requires PAP authentication withpeer.

silent_mode Configures silent mode.PPP does not transmit LCP packets toinitiate a connection until it receives avalid LCP packet from the peer.

vj_max_slots <value> Configures the maximum number ofVJ compression header slots.• value is the number you specify

Table 10 "Sample PPP file" (page 111) shows example contents from aPPP file.

Table 10Sample PPP file

passive_mode

lcp_echo_interval 30

lcp_echo_failure 10

require_chap

require_pap

no_vj

ipcp_accept_remote

login

chap_file "my_chap"

pap_file "my_pap"

Configuring the time zoneSet the time zone to specify the time for your location and configuresettings for daylight saving.


NN46205-605 02.05 28 April 2010


.


The format for the time zone command is hours:minutes for both DaylightSavings Time (DST) offset and offset from Greenwich Mean Time (GMT);the format is minutes only in other Ethernet Routing Switch products. Theinput value is positive for the west side of GMT; it is negative in othercommercial products.

Configure the time zone by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure the time zone by using the following command:

boot config tz



--End--

Variable definitionsUse the data in the following table to use the boot config tz command.

Variable Value


Configures the ending date of daylight saving time. Youcan specify the time in one of the two ways:




NN46205-605 02.05 28 April 2010


.


Variable Value

dst-name<dstname>

Configures an abbreviated name for the local daylightsaving time zone.

• dstname is the name (for example, "pdt" is PacificDaylight Time).


dst-offset<minutes|hh:mm>

Configures the daylight saving adjustment in minutes orhours:minutes. The values range from -4:0 to 4:0 forhours:minutes and from -240 to 240 for minutes.

The default, in minutes, is 60.



Configures the starting date of daylight saving time.



name <tz> Configures an abbreviated name for the local time zonename.

• tz is the name (for example "pst" is PacificStandard Time).


offset-from-utc<minutes|hh:mm>

Configures the time zone offset in minutes orhours:minutes to subtract from Universal CoordinatedTime (UTC), where positive numbers mean westof Greenwich and negative numbers mean east ofGreenwich.The values range from -14:0 to 14:0 for hours:minutesand from -840 to 840 for minutes.The default value is 0.To set this option to the default value, use thedefault operator with the command.


NN46205-605 02.05 28 April 2010


.


Displaying the boot monitor configurationDisplay the configuration to view current or changed settings for the bootmonitor and boot monitor by performing this procedure.

CAUTIONRisk of system failureDo not edit the boot.cfg file manually because the switch readsthis file during the boot process. Errors generated while editingthe file can render the switch inoperable.

Prerequisites

• You must log on to the NNCLI Privileged EXEC mode.

Procedure steps

Step Action

1 View the configuration by using the following command:

show boot config

--End--

Variable definitionsUse the data in the following table to use the show boot configcommand.

Variable Value

bootp Specifies the bootp configuration.

choice Specifies the current boot configuration choices.

cli Specifies the current cli configuration.

flags Specifies the current flag settings.

general Specifies system information.

host Specifies the current host configuration.

master Specifies the current SF/CPU slot set as master andthe settings for the delay and multicast command.

mezz-image Specifies the mezzanine image.

net Specifies the current configuration of the SF/CPUnetwork ports.


NN46205-605 02.05 28 April 2010


.

Displaying the boot monitor configuration 115

Variable Value

running-config[verbose]

Specifies the current boot configuration.

• verbose includes all possible information.

If you omit verbose, the system displays only thevalues that you changed from their default settings.

sio Specifies the current configuration of the SF/CPU serialports.

tz Specifies the current configuration of the switch timezone.

wlan Specifies wireless LAN information.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

117.

Run-time process management usingthe CLI

Configure and manage the run-time process using the run-time commandline interface (CLI). Access the run-time CLI after the boot process iscomplete by entering your username and password at the logon prompt.

Run-time process management navigation• “Job aid” (page 117)

• “Configuring the date” (page 121)

• “Configuring the run-time CLI” (page 122)

• “Configuring the CLI logon banner” (page 124)

• “Configuring the message-of-the-day” (page 125)

• “Configuring command logging” (page 125)

• “Configuring individual system-level switch parameters” (page 126)

• “Synchronizing the real-time and system clocks” (page 131)

• “Creating a virtual management port” (page 132)

• “Configuring system message control” (page 133)

• “Forcing message control for system message control” (page 134)

• “Enabling the administrative status of a module” (page 135)

Job aidThe following table lists the commands, with their parameters, that you useto complete the procedures in this section.


NN46205-605 02.05 28 April 2010


.

118 Run-time process management using the CLI

Table 11Job aid

Command Parameter

info

defaultlogin <true|false>

defaultpassword <true|false>

loginprompt <string>

more <true|false>

passwordprompt <string>

prompt <prompt>

rlogin-sessions <nsessions>

screenlines <nlines>

telnet-sessions <nsessions>

config cli

timeout <seconds>

info

add <string>

defaultbanner <true|false>

config cli banner

delete

enable <true|false>

info

config cli clilog

maxfilesize <integer>

info

duration <integer>

config cli monitor

interval <integer>

info

add <string>

displaymotd <true|false>

config cli motd

delete


NN46205-605 02.05 28 April 2010


.

Job aid 119

Command Parameter

info

access-level <access-level> <enable|disable>

aging <days>

min-password-len <integer>

default-lockout-time <secs>

lockout-time <HostAddress> <secs>

l1<username> [<password>]

l2 <username> [<password>]

l3 <username> [<password>]

l4oper <username>

l4admin <username>

oper <username>

ro<username> [<password>]

rw<username> [<password>]

rwa<username> [<password>]

slbadmin <username>

slboper <username>

ssladmin <username>

config cli password

password-history <number>

config slot

<slot>

infostate <enable|disable|reset>

info

auto-port-down

<enable|disable>

frequency

<frequency>

interval

<interval>

config sys link-flap-detect

send-trap

<enable|disable>


NN46205-605 02.05 28 April 2010


.


Command Parameter

info

cpuswitchover

resetconsole

resetcounters

config sys set action

resetmodem

clipld-topology-ip <id>

clock-sync-time

<minutes>

contact

<contact>

ecn-compatibility

<enable|disable>

force-topology-ip-flag <true|false>

global-filter

<enable|disable>

info

location

<location>

max-vlan-resource-reservation<enable|disable>

mgmt-virtual-ip

<ipaddr/mask>

mgmt-virtual-ipv6

<ipv6addr|prefix-len>

mroute-stream-limit

<enable|disable>

mtu

<bytes>

multicast-resource reservaton <value>

name

<prompt>

portlock <on|off>

sendAuthenticationTrap

<true|false>

smlt-on-single-cp

config sys set


NN46205-605 02.05 28 April 2010


.

Configuring the date 121

Command Parameter

<enable|disable>[timer <value>]

topology

<on|off>

udp-checksum

<enable|disable>

udpsrc-by-vip

<enable|disable>

vlan-bysrcmac

<enable|disable>

wsm-direct-mode

<enable|disable>

config sys set clock-sync-time<minutes>

config sys set mgmt-virtual-ip<ipaddr/mask>

info

action

<suppress-msg | send-trap|both>

control-interval

<minutes>

disable

enable

config sys set msg-control

max-msg-num

<number>

info

add <string>

config sys set msg-controlforce-msg

del

<string>

Configuring the dateConfigure the calendar time in the form of month, day, year, hour, minute,and second by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Prerequisites

• You must log on as rwa to use this command.

Procedure steps

Step Action

1 Configure the date by using the following command:

config setdate <MMddyyyyhhmmss>

--End--

Configuring the run-time CLIConfigure the run-time CLI to define generic configuration settings for CLIsessions by performing this procedure.

Procedure steps

Step Action

1 Configure the run-time CLI options by using the followingcommand:

config cli

--End--

Variable definitionsUse the data in the following table to use the config cli command.

Variable Value

defaultlogin <true|false> Activates or disables use of the defaultlogon string.

• false disables the default logonbanner and displays the new banner.

defaultpassword <true|false>

Activates or disables use of the defaultpassword string.

info Specifies the current CLI parametersettings.


NN46205-605 02.05 28 April 2010


.

Configuring the run-time CLI 123

Variable Value

loginprompt <string> Changes the CLI logon prompt.

• string is an American Standard Codefor Information Interchange (ASCII)string from 1–1513 characters.

more <true|false> Configures scrolling for the output display.The default value is true.

• true configures output displayscrolling to one page at a time.

• false configures the output display tocontinuous scrolling.

passwordprompt <string> Changes the CLI password prompt.

• string is an ASCII string from 1–1510characters.

prompt <prompt> Configures the root level prompt andsysName to a defined string.

• prompt is a string from 0–255characters.

rlogin-sessions <nsessions>

Configures the allowable number ofinbound remote CLI logon sessions.The default value is 8.

• nsessions is the number of sessionsfrom 0–8.

screenlines <nlines> Configures the number of lines in theoutput display.The default value is 23.

• nlines is the number of lines from8–64.


NN46205-605 02.05 28 April 2010


.


Variable Value

telnet-sessions <nsessions>

Configures the allowable number ofinbound Telnet sessions.The default value is 8.


timeout <seconds> Configures the idle timeout period beforethe system terminates CLI sessions.The default value is 0.

• seconds is the timeout period, inseconds, from 30–65535.

Configuring the CLI logon bannerConfigure the CLI logon banner to display a warning message to usersbefore authentication by performing this procedure.

Procedure steps

Step Action

1 Configure the CLI banner by using the following command:

config cli banner add <string>

--End--

Variable definitionsUse the data in the following table to use the config cli bannercommand.

Variable Value

add <string> Adds lines of text to the CLI logon banner.


defaultbanner <true|false> Activates or disables using the default CLIlogon banner.

delete Deletes an existing customized logonbanner.

info Specifies the text added to the logonbanner using the config cli addcommand.


NN46205-605 02.05 28 April 2010


.

Configuring command logging 125

Configuring the message-of-the-dayConfigure a system login message-of-the-day in the form of a text bannerthat is displayed upon each successful logon by performing this procedure.

Procedure steps

Step Action

1 Configure the message-of-the-day by using the followingcommand:

config cli motd add <string>

--End--

Variable definitionsUse the data in the following table to use the config cli motdcommand.

Variable Value

add <string> Creates a message of the day to displaywith the logon banner.


delete Deletes the message of the day.

displaymotd <true|false> Specifies (true) or does not display(false) the message of the day.

info Specifies information about the messageof the day.

Configuring command loggingConfigure logging of CLI commands to the file clilog.txt on the PersonalComputer Memory Card International Association (PCMCIA). You canenable command logging to keep track of the commands a user entersduring a login session.

Configure logging of CLI commands by performing this procedure.

Procedure steps

Step Action

1 Configure CLI logging by using the following command:


NN46205-605 02.05 28 April 2010


.


config cli clilog enable {true|false} [maxfilesize<integer>]

--End--

Variable definitionsUse the data in the following table to use the config cli clilogcommand.

Variable Value

enable {true|false} Enables or disables logging of CLIcommands.

• true—activates logging of CLIcommands

• false—disables CLI logging

maxfilesize <integer> Specifies the maximum size of the clilog.txtfile, in kilobytes (KB), in a range from64–256000.The default value is 256 KB.

Configuring individual system-level switch parametersConfigure individual system-level switch parameters to configure globaloptions for the Ethernet Routing Switch 8600 by performing this procedure.

Procedure steps

Step Action

1 Configure system-level switch parameters by using the followingcommand:

config sys set

--End--

Variable definitionsUse the data in the following table to use the config sys set command.

Variable Value

clipld-topology-ip <id> Set the topology IP address from theavailable CLIP.


NN46205-605 02.05 28 April 2010


.

Configuring individual system-level switch parameters 127

Variable Value

clock-sync-time <minutes> Configures the RTC-to-system clocksynchronization time.

• minutes is 15–3600 minutes.


contact <contact> Configures the contact information for theswitch.

• contact is an ASCII string from0–255 characters (for example a phoneextension or email address).

The default e-mail address ishttp://support.nortel.com/.

ecn-compatibility<enable|disable>

Activates or disables explicit congestionnotification, as defined in ExperimentalRequest For Comments (RFC) 2780.This feature is not currently supported onthe Ethernet Routing Switch 8600.The default value is enable.

force-topology-ip-flag<flue|false>

Sets the flag to force the topology IPchoice.

global-filter <enable|disable>

Activates or disables global filtering on theswitch.After you activate this command, youmust disable source MAC VLANs—usethe config sys set vlan-bysrcmacdisable command because youcannot enable global filtering and sourceMAC-based VLANs at the same time.

This command is available only on theEthernet Routing Switch 8600 E and Mmodules.

The default value is enable.

info Specifies current system settings.


NN46205-605 02.05 28 April 2010


.


Variable Value

location <location> Configures the location information for theswitch.

• location is an ASCII string from0–255 characters.

The default location is 4655, GreatAmerica Parkway, Santa Clara, CA 95054.

max-vlan-resource-reservation <enable|disable>

Activates or disables the max-vlan feature.The default is false (disabled).

mroute-stream-limit<enable|disable>

Activates or disables multicast streamlimiting.The default value is disable.

mgmt-virtual-ip <ipaddr/mask>

Configures the virtual management port.

• ipaddr|mask is the IP address andmask of the virtual management port.

The default value is 0.0.0.0/0.0.0.0.

mgmt-virtual-ipv6<ipv6addr|prefix-len>

Configures the management of virtualIPv6.

• ipv6addr is the IPv6 address in thehexadecimal format.

• prefix-len is the prefix length with astring length from 0–46.

The default value is 0:0:0:0:0:0:0:0/0

mtu <bytes> Activates Jumbo frame support for thedata path.

• bytes is the Ethernet frame size,either 1522, 1950 (default), or 9600bytes.Settings of 1950 or 9600 activateJumbo frame support.Jumbo frame support is activated bydefault.

name <prompt> Configures the root level prompt name forthe switch.

• prompt is an ASCII string from 0–255characters (for example, LabSC7 orCloset4).


NN46205-605 02.05 28 April 2010


.

Configuring individual system-level switch parameters 129

Variable Value

portlock <on|off> Turns port locking on or off.To specify the ports to be locked, usethe config ethernet <ports> lockcommand.The default value is off.

sendAuthenticationTrap<true|false>

Configures whether to send authenticationfailure traps.The default value is false.

smlt-on-single-cp<enable|disable> [timer<value> ]

Activates or disables SMLT on the singleCP.

Optional parameter:

timer value is the timer value for SMLTon the single CP feature timer.Valid options are 1–3.This mode is applicable only on E andM modules. R and RS modules supportSMLT-on-single-CP configurations bydefault.

The default value is set to disable and thetimer value default is 3.

topology <on|off> Turns the topology feature on or off.The topology feature generates topologypackets used by Enterprise NetworkManagement System (ENMS).If you disable this feature, the system doesnot generate the topology table.The default is on.

udp-checksum <enable|disable>

Activates or disables the UDP checksumcalculation.The default value is enable.

udpsrc-by-vip <enable|disable>

Activates or disables virtual IP as the UDPsource.


NN46205-605 02.05 28 April 2010


.


Variable Value

vlan-bysrcmac <enable|disable>

Activates or disables source MAC VLANconfiguration on the switch.The default is disable.If you enable this command, you mustdisable the global filter command (configsys set global-filter disable)because you cannot enable global filteringand source MAC-based VLANs at thesame time.

wsm-direct-mode <enable|disable>

Activates or disables configuration of thesame community string on the EthernetRouting Switch 8600 and the WebSwitching Module (WSM) for a directSNMP connection to the WSM.The default configuration is disable.

Example of configuring system-level switch parameters

Step Action

1 Configure the contact parameter:

ERS-8606:5# config sys setERS-8606:5/config/sys/set# contact cbfw

2 Configure the location parameter:

ERS-8606:5/config/sys/set# location Marketing

3 Configure the authentication trap parameter:

ERS-8606:5/config/sys/set# sendAuthenticationTrap true

4 View the current system-level switch parameters:

ERS-8606:5/config/sys/set# infoSub-Context: action flags msg-controlrecord-reservation snmp sshCurrent Context:


NN46205-605 02.05 28 April 2010


.

Synchronizing the real-time and system clocks 131

mgmt-virtual-ip : 0.0.0.0/0.0.0.0mgmt-virtual-ipv6 : 0:0:0:0:0:0:0:0/0udp-checksum : enableudp-source : disableclock-sync-time : 60mroute-stream-limit : disablecontact : cbfwlocation : Marketingname : ERS-8606portlock : offsendAuthenticationTrap : falsetopology : onglobalFilter : enablevlanBySrcMac : disableecn-compatibility : enablewsm-direct-mode : disablesmmlt-on-single-cp : disable timer 3max-vlan-resource-reservation : (disable) -> (disable)multicast-resource-reservation : (2000) -> (2000)System MTU : 1950ERS-8606:5/config/sys/set#

--End--

Synchronizing the real-time and system clocksConfigure the regular interval to synchronize the real-time and systemclocks. The switch generates log messages if the drift between thereal-time clock and the system clock is more than 5 seconds.

Synchronize the real-time and system clocks by performing this procedure.

Procedure steps

Step Action

1 Configure the synchronization interval by using the followingcommand:

config sys set clock-sync-time <minutes>

--End--

Variable definitionsUse the data in the following table to use the config sys setclock-sync-time command.


NN46205-605 02.05 28 April 2010


.


Variable Value

minutes Specifies the number of minutesbetween synchronization in a rangefrom 15–3600 minutes.The default value is 60 minutes.

Creating a virtual management portCreate a virtual management port in addition to the physical managementports on the switch management modules.

After you assign an IP address to the virtual management port, the IPaddress provides access to both switch management modules. Themaster management module replies to all management requests sentto the virtual IP address, as well as to requests sent to its managementport IP address. If the master management module fails and the standbymanagement module takes over, the virtual management port IP addresscontinues to provide management access to the switch.

ATTENTIONThis feature is not supported in a switch with mixed Ethernet Routing Switch8600 8190SM modules and 8691 SF/CPU modules.

Create a virtual management port by performing this procedure.

Procedure steps

Step Action

1 Create a virtual management port by using the followingcommand:

config sys set mgmt-virtual-ip <ipaddr|mask>

--End--

Example of creating a virtual management port

Step Action

1 Create a virtual management port:

ERS-8606:5# config sys set mgmt-virtual-ip47.140.54.40/255.255.255.0Physical and Virtual IP must be in the same subnet

--End--


NN46205-605 02.05 28 April 2010


.

Configuring system message control 133

Configuring system message controlConfigure system message control to enable or disable system messagingand define configuration settings by performing this procedure.

Procedure steps

Step Action

1 Configure system message control action by using the followingcommand:

config sys set msg-control action <suppress-msg|send-trap|both>

2 Configure the maximum number of messages by using thefollowing command:

config sys set msg-control max-msg-num

3 Configure the interval by using the following command:

config sys set msg-control control-interval <minutes>

--End--

Variable definitionsUse the data in the following table to use the config sys setmsg-control command.

Variable Value

action <suppress-msg|send-trap|both>

Configures the message controlaction.

control-interval <minutes> Configures the message controlinterval in minutes.• minutes is a number from

1–30

disable Disables system message control.

enable Activates system message control.• enable suppresses duplicate

error messages

info Specifies the configuration ofsystem message control.

max-msg-num <number> Configures the number ofoccurrences of a message afterwhich the control action occurs.• number is a value from 2–500


NN46205-605 02.05 28 April 2010


.


Forcing message control for system message controlUse the force message control option to extend the message controlfeature functionality to the software and hardware log messages.

To enable the message control feature, you must specify an action, controlinterval, and maximum message number. After enabling the feature, thelog messages, which get repeated and cross the maximum messagenumber in the control interval, trigger the force message feature. You caneither suppress the message or send a trap notification, or both.

Use the force message control for system message control by performingthis procedure.

Procedure steps

Step Action

1 Configure the force message control option by using thefollowing command:

config sys set msg-control force-msg add <string>

--End--

Variable definitionsUse the data in the following table to use the config sys setmsg-control force-msg command.

Variable Value

add <string> Adds a forced message control pattern

• string is a string of 4 characters.

You can add a four-byte pattern into the force-msgtable. The software and the hardware log messagesthat use the first four bytes that match one of thepatterns in the force-msg table undergo the configuredmessage control action.

You can specify up to 32 patterns in the force-msgtable. The force-msg table can include a wild-cardpattern (****). If you specify the wild-card pattern, allmessages undergo message control.


NN46205-605 02.05 28 April 2010


.

Enabling the administrative status of a module 135

Variable Value

del <string> Deletes a forced message control pattern


info Specifies the current configuration.

Enabling the administrative status of a moduleEnable or disable the administrative status of the module by performingthis procedure.

Procedure steps

Step Action

1 View the current administrative status of the module by using thefollowing command:

config slot <slots> info

2 Change the administrative status of the module by using thefollowing command:

config slot <slots> state <enable|disable>

--End--


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

137.

Run-time process management usingthe NNCLI

Configure and manage the run-time process using the Nortel Networkscommand line interface (NNCLI).

Prerequisites to run-time process management• To perform the procedures in this section, you must log on to the

Global Configuration mode in the NNCLI. For more information aboutusing NNCLI, see Nortel Ethernet Routing Switch 8600 User InterfaceFundamentals (NN46205-308).


• “Configuring the date” (page 139)

• “Configuring the run-time environment” (page 139)

• “Configuring the NNCLI logon banner” (page 141)

• “Configuring the message-of-the-day” (page 142)

• “Configuring command logging” (page 142)

• “Configuring system-level switch parameters” (page 143)

• “Synchronizing the real-time and system clocks” (page 145)

• “Creating a virtual management port” (page 146)

• “Configuring system message control” (page 147)

• “Forcing message control for system message control” (page 148)

Job aidThe following table lists the commands and parameters that you use tocomplete the procedures in this section.


NN46205-605 02.05 28 April 2010


.

138 Run-time process management using the NNCLI

Table 12Job aid

Command Parameter


clock set <MMddyyyyhhmmss>


custom

displaymotd

motd <string>

static

banner

string

enable

maxfilesize <integer>

clilog

word<1-80>

clock sync-time <minutes> minutes <15-3600>

auto-port-down

frequency

interval

link-flap-detect

send-trap

login-message <string> WORD <1-1513>

max-logins <nsessions> nsessions <0-8>

passwordprompt <string> WORD <1-1510>

sys ecn-compatibility

sys force-msg <string> WORD <4-4>

sys global-filter

sys mgmt-virtual-ip <ipaddr/mask>

sys mtu <bytes> bytes <1522-9600>


control-interval <minutes>

sys msg-control

max-msg-num

sys name <string> WORD <0-255>

sys smlt-on-single-cp timer <value> value <1-3>

login-timeout <seconds>telnet-access

sessions <nsessions>

udp-checksum enable

udpsrc-by-vip


NN46205-605 02.05 28 April 2010


.

Configuring the run-time environment 139

Configuring the dateConfigure the calendar time in the form of month, day, year, hour, minute,and second by performing this procedure.

Prerequisites

• You must log on as rwa to use this command.

• You must log on to the Privileged EXEC mode in the NNCLI.

Procedure steps

Step Action

1 Configure the date by using the following command:

clock set <MMddyyyyhhmmss>

--End--

Configuring the run-time environmentConfigure the run-time environment to define generic configuration settingsfor NNCLI sessions by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Change the login prompt by using the following command:

login-message WORD <1-1513>

2 Change the password prompt by using the following command:

passwordprompt word <1-1510>

3 Configure the number of supported rlogin sessions by using thefollowing command:

max-logins <0-8>

4 Configure the number of supported Telnet sessions by using thefollowing command:

telnet-access sessions <0-8>

5 Configure the Telnet login timeout by using the followingcommand:


NN46205-605 02.05 28 April 2010


.


telnet-access login-timeout <30-65535>

--End--

Variable definitionsUse the data in the following table to use the run-time environmentcommands.

Variable Value

login-message <string> Changes the NNCLI logon prompt.

• string is an American Standard Codefor Information Interchange (ASCII)string from 1–1513 characters.

• Use the default option before thisparameter, default loginmessage,to enable use of the default logonstring.

• Use the no operator before thisparameter, no loginmessage, todisable the default logon banner anddisplay the new banner.

passwordprompt <string> Changes the NNCLI password prompt.


• Use the default option beforethis parameter, defaultpasswordprompt, to enable using thedefault password string.

• Use the no operator before thisparameter, no passwordprompt, todisable the default password string.

max-logins <nsessions> Configures the allowable number ofinbound remote NNCLI logon sessions.




NN46205-605 02.05 28 April 2010


.

Configuring the NNCLI logon banner 141

Variable Value

telnet-access login-timeout <seconds>

Configures the time, in seconds, to waitfor a Telnet login before terminating theconnection.• seconds is a number from 30–65535

telnet-access sessions<nsessions>

Configures the allowable number ofinbound Telnet sessions.


• nsessions is a number from 0–8.

Configuring the NNCLI logon bannerConfigure the NNCLI logon banner to display a warning message to usersbefore authentication by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure the switch to use a custom banner or use the defaultbanner by using the following command:

banner <custom|static>

2 Create a custom banner by using the following command:

banner <string>

--End--

Variable definitionsUse the data in the following table to use the banner command.

Variable Value

string Adds lines of text to the NNCLI logonbanner.

• string is an ASCII string from 1–80characters

custom|static Activates or disables use of the defaultbanner.


NN46205-605 02.05 28 April 2010


.


Configuring the message-of-the-dayConfigure a system login message-of-the-day in the form of a text bannerthat is displayed upon each successful logon by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Create the message-of-the-day by using the following command:

banner motd <string>

2 Enable the custom message-of-the-day by using the followingcommand:

banner displaymotd

--End--

Variable definitionsUse the data in the following table to use the banner command.

Variable Value

<string> Creates a message of the day to displaywith the logon banner.To provide a string with spaces, includethe text in quotation marks (").To set this option to the default value, usethe default operator with the command.

• string is an ASCII string from 1–1516characters

displaymotd Specifies the message of the day.To set this option to the default value, usethe default operator with the command.

Configuring command loggingConfigure logging of NNCLI commands to the file clilog.txt on the PersonalComputer Memory Card International Association (PCMCIA). You canenable command logging to keep track of the commands a user entersduring a login session.


NN46205-605 02.05 28 April 2010


.

Configuring system-level switch parameters 143

Configure logging of CLI commands by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure NNCLI logging by using the following command:

clilog enable [maxfilesize <integer>]

--End--

Variable definitionsUse the data in the following table to use the clilog command.

Variable Value

enable Activates NNCLI logging to the file clilog.txton the PCMCIA,To disable NNCLI logging, use the no formof the command, no clilog enable.

maxfilesize <integer> Specify the maximum size of the fileclilog.txt in a range from 64–256000.The file size is expressed in kilobytes (KB).The default value is 256.

Configuring system-level switch parametersConfigure individual system-level switch parameters to configure globaloptions for the Ethernet Routing Switch 8600 by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Change the system name by using the following command:

sys name <string>


NN46205-605 02.05 28 April 2010


.


2 Enable explicit congestion notification by using the followingcommand:

sys ecn-compatibility

3 Enable global filtering by using the following command:

sys global-filter

4 Enable support for Jumbo frames by using the followingcommand: (where <bytes> is either 1950 or 9600)

sys mtu <bytes>

5 Enable SMLT on the single CP by using the following command:

sys smlt-on-single-cp [timer <value>]

6 Enable the UDP checksum calculation by using the followingcommand:

udp-checksum enable

7 Enable virtual IP as the UDP source by using the followingcommand:

udpsrc-by-vip

--End--

Variable definitionsUse the data in the following table to use system-level commands.

Variable Value

ecn-compatibility Activates explicit congestion notification,as defined in Experimental Request ForComments (RFC) 2780.This feature is not currently supported onthe Ethernet Routing Switch 8600.

sys global-filter Activates global filtering on the switch.If you activate global filtering, you mustdisable source MAC VLANs because youcannot enable global filtering and sourceMAC-based VLANs at the same time.

Global filtering is available only on theEthernet Routing Switch 8600 E and Mmodules.


NN46205-605 02.05 28 April 2010


.

Synchronizing the real-time and system clocks 145

Variable Value

mtu <bytes> Activates Jumbo frame support for thedata path.

• bytes is the Ethernet frame size,either 1522, 1950 (default), or 9600bytes.Settings of 1950 or 9600 bytes activateJumbo frame support.Jumbo frame support is activated bydefault.

name <string> Configures the system, or root level,prompt name for the switch.

• string is an ASCII string from 0–255characters (for example, LabSC7 orCloset4).

smlt-on-single-cp timer<value>

Activates SMLT on the single CP.

Optional parameter:

timer value is the timer value for SMLTon the single CP feature timer in a rangefrom 1–3.SMLT on the single CP timer applies onlyto E and M modules.R and RS modules support SMLT-on-single-CP configurations by default.

Synchronizing the real-time and system clocksConfigure the regular interval to synchronize the real-time and systemclocks. The switch generates log messages if the drift between thereal-time clock and the system clock is more than 5 seconds.

Synchronize the real-time and system clocks by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure the synchronization interval by using the followingcommand:


NN46205-605 02.05 28 April 2010


.


clock sync-time <minutes>

--End--

Variable definitionsUse the data in the following table to use theclock sync-timecommand.

Variable Value

<minutes> Specifies the number of minutesbetween synchronization in a rangefrom 15–3600.The default value is 60.To set this option to the default value,use the default operator with thecommand.

Creating a virtual management portCreate a virtual management port in addition to the physical managementports on the switch management modules.

After you assign an IP address to the virtual management port, the IPaddress provides access to both switch management modules. Themaster management module replies to all management requests sentto the virtual IP address, as well as to requests sent to its managementport IP address. If the master management module fails and the standbymanagement module takes over, the virtual management port IP addresscontinues to provide management access to the switch.

Create a virtual management port by performing this procedure.

ATTENTIONThis feature is not supported in a switch with mixed Ethernet Routing Switch8600 8190SM modules and 8691 SF/CPU modules.

Prerequisites


Procedure steps

Step Action

1 Create a virtual management port by using the followingcommand:


NN46205-605 02.05 28 April 2010


.

Configuring system message control 147

sys mgmt-virtual-ip <ipaddr/mask>

--End--

Example of creating a virtual management port

Step Action

1 Create a virtual management port:

ERS-8606:5(config)# sys mgmt-virtual-ip47.140.54.40/255.255.255.0Physical and Virtual IP must be in the same subnet

--End--

Configuring system message controlConfigure system message control to enable or disable system messagingand define configuration settings by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure system message control action by using the followingcommand:

sys msg-control action <suppress-msg|send-trap|both>

2 Configure the maximum number of messages by using thefollowing command:

sys msg-control max-msg-num <number>

3 Configure the interval by using the following command:

sys msg-control control-interval <minutes>

--End--

Variable definitionsUse the data in the following table to use the sys msg-controlcommand.


NN46205-605 02.05 28 April 2010


.


Variable Value


Configures the message controlaction.The default value is supress-msg.To set this option to the defaultvalue, use the default operatorwith the command.

control-interval <minutes> Configures the message controlinterval, in minutes.The default value is 5.

• minutes is a value from 1–30

To set this option to the defaultvalue, use the default operatorwith the command.

max-msg-num <number> Configures the number ofoccurrences of a message afterwhich the control action occurs.The default value is 5.

• number is a value from 2–500

To set this option to the defaultvalue, use the default operatorwith the command.

Forcing message control for system message controlUse the force message control option to extend the message controlfeature functionality to the software and hardware log messages.

To enable the message control feature, you must specify an action, controlinterval, and maximum message number. After enabling the feature, thelog messages, which get repeated and cross the maximum messagenumber in the control interval, trigger the force message feature. You caneither suppress the message or send a trap notification, or both.

Use the force message control for system message control by performingthis procedure.

Prerequisites



NN46205-605 02.05 28 April 2010


.

Forcing message control for system message control 149

Procedure steps

Step Action

1 Configure the force message control option by using thefollowing command:

sys force-msg <string>

--End--

Variable definitionsUse the data in the following table to use the sys force-msg command.

Variable Value

<string> Adds a forced message control pattern


You can add a four-byte pattern into the force-msgtable.The software and the hardware log messages that usethe first four bytes that match one of the patterns inthe force-msg table undergo the configured messagecontrol action.

You can specify up to 32 different patterns in theforce-msg table including a wild-card pattern (****) .If you specify the wild-card pattern, all messagesundergo message control.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

151.

Chassis operations fundamentalsThis section provides conceptual information for chassis operations suchas operating modes, module types, hardware and software compatibility,and power management. Read this section before configuring the chassisoperations.

Navigation• “Operating modes” (page 151)

• “Module types” (page 157)

• “Hardware and software compatibility” (page 160)

• “Power management” (page 167)

• “Software lock-up detection” (page 168)

• “Loop prevention and CP limit” (page 168)

• “Switch reliability” (page 173)

• “Jumbo frames” (page 174)

Operating modesThe Nortel Ethernet Routing Switch 8600 uses hardware records (or tableentries) to store Address Resolution Protocol (ARP) entries. In addition,hardware records are used to store information pertaining to MACs,multicast, VLANs, IP routes, IP filters, and IPX entries. Each hardwarerecord type, such as ARP or MAC, has a defined minimum number ofreserved records.


NN46205-605 02.05 28 April 2010


.

152 Chassis operations fundamentals

The Ethernet Routing Switch 8600 interface modules can run in differentoperating modes that define the level of support for hardware records. TheEthernet Routing Switch 8600 has the following operating modes:

• Default mode supports up to 32 000 hardware records. This modesupports all modules. The default mode supports 21 000 AddressRouting Protocol (ARP) entries.

• M mode supports up to 128 000 hardware records. This modesupports M, R, and RS modules. M mode supports 32 000 ARPentries.

• R mode supports up to:

— 256 000 IP routes

— 64 000 MAC entries

— 32 000 ARP entries

This mode supports only R and RS modules.

The switch can additionally operate in the following modes:

• Enhanced operational mode increases the maximum number ofVLANs. This mode supports E and M modules. Enhanced operationalmode supports 21 000 ARP entries.

For best operation, set the flag for the enhanced operational mode todisabled (false) in any chassis that has R-modules present.

• VLAN optimization mode supports E and M modules, except the8648TXE module. VLAN optimization mode is not applicable to R andRS modules.

Table 13Operation mode and module type interoperability

Module types

Chassisconfiguration

Operationmodes

RS R M E

a= activated; d = disabled

Default mode - - - a

M mode - - a a

same typemodulechassis

R mode a a - -

Default mode a a a a

M mode a a a d

mixed typemodulechassis

R mode a a d d


NN46205-605 02.05 28 April 2010


.

Operating modes 153

SF/CPU High Availability modeCPU High Availability (HA) mode enables switches with two CPUs torecover quickly from a failure of the master SF/CPU. HA and non-HAmode characteristics are as follows:

• In HA mode, also called “hot standby,” the two CPUs are synchronized.This means the CPUs have the same configuration and forwardingtables, with the master automatically updating the forwarding tablesof the secondary in real time. When the master SF/CPU fails, thesecondary takes over "master" responsibility very quickly, therebyminimizing traffic interruption for the failure condition.

• In non-HA mode, also called “warm standby,” the two CPUs are notsynchronized. In this mode, when the master fails, the secondarySF/CPU must boot before taking "master" responsibility, and then mustalso re-learn the forwarding table information. This operation causesan interruption to traffic.

SF/CPU failure has no effect on the SF portion of the SF/CPU module.The switchover of traffic to the single functioning SF is always sub-second.The preceding list of characteristics refers to failures and their effect onthe CPU portion of the SF/CPU module, as this is a dual-purpose module.Failures to the secondary or standby SF/CPU have no effect on CPUoperation within the system while the primary SF/CPU is operational.

The following table identifies which features support HA mode.

Table 14Feature support for HA in specified software release versions

Release/Feature

3.5.0 3.7.0 4.0.0 4.1.0 5.0 5.1

Modules Classic Classic Classicand R

Classicand R

Classic, R,and RS

Classic, R, and RS

Platform Yes Yes Yes Yes Yes Yes

Layer 2 Yes Yes Yes(3.5based)

Yes Yes Yes

Layer 3 Yes(Static/ARP)

Yes (3.5+ RIP,OSPF,VRRP,Filters,RoutePolicies)No BGP

No, 3.5based

Yes (3.7.0 +, ACE/ACLs)No BGP

Yes as in4.1.0 andBGP

Yes

BGP, BFD


NN46205-605 02.05 28 April 2010


.


Table 14Feature support for HA in specified software release versions (cont’d.)

Release/Feature

3.5.0 3.7.0 4.0.0 4.1.0 5.0 5.1

Multicast No No No No Yes,DVMRPand PIMNo PGM

Yes

DVMRP, PIM,MSDP, Multicastvirtualization ofIGMP,and PIM-SM/SSM

IPv6 NA NA NA Yes,Restart

Yes, Restart

Yes

Security Yes Yes Yes(3.5based)

Yes Yes Yes

TACACS+

ATM, POS,WSM,SAM, SDMModules

No No No No No No

HA synchronization also applies to various configuration and softwareparameters, and may also be dependent on software release. Thefollowing table shows which features are supported in Release 3.5 andlater.

Table 15Release 3.5 and later synchronization capabilities in HA mode

Synchroniza-tion of:

3.5 3.7 4.0 (HALayer 2 isnotsupported)

4.1 5.0 5.1

Layer 1

Portconfigurationparameters

Yes Yes Yes Yes Yes Yes

Layer 2

VLANparameters


STPparameters


RSTP/MSTPparameters

N/A N/A N/A Yes Yes Yes


NN46205-605 02.05 28 April 2010


.

Operating modes 155

Synchroniza-tion of:

3.5 3.7 4.0 (HALayer 2 isnotsupported)

4.1 5.0 5.1

SMLTparameters


QoSparameters


Layer 3

Virtual IP(VLANs)


ARP entries Yes Yes Yes Yes Yes Yes

Static anddefault routes


VRRP No Yes No Yes Yes Yes

RIP No Yes No Yes Yes Yes

OSPF No Yes No Yes Yes Yes

Layer 3 Filters/ACE/ACLs

No Yes No Yes Yes Yes

BGP No No No No Yes Yes

DVMRP No No No No Yes Yes

PIM-SM/SSM No No No No NoNote 1

Yes

Note 2

MSDP No No No No No Yes

Multicast No No No No No Yes

BFD No No No No No Yes

Note 1: In Release 5.0, PIM-SM and SSM have partial HA support with GRT only, no virtualization.Note 2: In Release 5.1, PIM-SM and SSM are virtualized and have partial HA support.

HA mode support for 8691 SF/CPUsIn the following configurations, assume that SF/CPU High Availabilitymode is activated. However, you can see in some cases that HA modeis impossible because one of the SF/CPUs is offline due to a hardwareor software incompatibility.


NN46205-605 02.05 28 April 2010


.


HA mode support for Dual SF/CPUIf your switch supports Dual SF/CPU modules, see Table 16 "Boot modeat startup for Dual SF/CPU configurations" (page 156) to use the SF/CPUHigh Availability mode. The boot mode is determined by the types ofSF/CPUs in the chassis and whether the SF/CPU High Availability modeis activated.

When using the command line interface (CLI) or Nortel Networkscommand line interface (NNCLI) on a dual-SF/CPU system with HA modeenabled, do not enter configuration commands on the Standby SF/CPU.Execute all configuration commands on the Master SF/CPU only.

Table 16Boot mode at startup for Dual SF/CPU configurations

If the configuration is: And SF/CPU high-availability mode is:

Then:

Two dual SF/CPU modules Activated System starts in SF/CPU HighAvailability mode.

One dual SF/CPU module andone single SF/CPU module

Activated If the single SF/CPU startsfirst, the SF/CPU restarts sothe dual SF/CPU is the masterand the single SF/CPU goesoffline. If the dual SF/CPUstarts first, the system starts inSF/CPU High Availability modeand the single SF/CPU goesoffline.

Two single SF/CPU modules Activated System does not start andstays in monitor mode.

Two dual SF/CPU modules Disabled System starts in single SF/CPUmode.

One dual SF/CPU module andone single SF/CPU module

Disabled System starts in single SF/CPUmode.

Two single SF/CPU modules Disabled System starts in single SF/CPUmode.

After you insert a module into a running chassis, the SF/CPU HighAvailability mode status determines the initialization mode of the module.

Table 17Inserting single and dual SF/CPU modules into running chassis

If you insert this module intoa running chassis:

And SF/CPU High Availabilitymode status is:

Then:

Dual SF/CPU module Activated The module is activated as abackup.


NN46205-605 02.05 28 April 2010


.

Module types 157

If you insert this module intoa running chassis:

And SF/CPU High Availabilitymode status is:

Then:

Single SF/CPU module Activated The module is not activated.A trap is sent and the systemlogs an error to the console.

Dual SF/CPU module Disabled The module is activated insingle SF/CPU mode.

Single SF/CPU module Disabled The module is activated insingle SF/CPU mode.

Module typesThe Ethernet Routing Switch 8600 modules include the following types:

• E modules replace the pre-E modules.

— E modules support egress port mirroring.

— E modules support 32 000 records and can operate only in defaultmode.

• M modules do not replace E modules. Both E and M modules areavailable and use different part numbers. The only exception is the8683POSM module, which replaced the 8683POSE.

— M modules use the same model number as the E modules, exceptthe M suffix. The exceptions to this rule are the 10 Gigabit Ethernetmodules (8661XLR and 8661XLW), the 8661 SSL AccelerationModule, and the Web Switching Module, which do not use the Msuffix, but are still M modules.

— M modules support 128 000 records and operate in M mode ordefault mode.

• R modules support greater bandwidth and routing table memory thanE, or M modules. R modules use an R suffix, which identifies them asR modules. R modules support:

— 256 000 IP routes

— 64 000 MAC entries

— 32 000 ARP entries

— Custom AutoNegotiation Advertisement (CANA)

• RS modules support extended mirroring over R modules. RS modulesuse an RS suffix, which identifies them as RS modules. RS modulessupport:


NN46205-605 02.05 28 April 2010


.


— All features supported by R modules as well as new features inRelease 5.1.

— Multiple ports for each lane for both ingress and egress mirroring.

— Improved port behavior to provide for faster link state detectionthan R modules.

Table 18 "Nortel Ethernet Routing Switch 8600 modules" (page 158) liststhe supported modules.

Table 18Nortel Ethernet Routing Switch 8600 modules

E modules M modules R modules RS modules

N/A N/A N/A 8612XLRS

8608GBE(DS1404038)

8608GBM(DS1404059)

N/A

8608GTE(DS1404044)

8608GTM(DS1404061)

N/A

8608SXE(DS1404036)

N/A N/A

8616SXE(DS1404011)

N/A N/A

8624FXE(DS1404037)

N/A N/A

N/A N/A 8630GBR

8632TXE(DS1404024)

8632TXM(DS1404055)

N/A

N/A N/A N/A 8634XGRS

N/A N/A N/A 8648GBRS

N/A N/A 8648GTR 8648GTRS

8648TXE(DS1404035)

8648TXM(DS1404056)

N/A

8672ATME(DS1304008)

8672ATMM(DS1304009)

N/A

N/A 8683POSM(DS1404060)

N/A

8616GTE(DS1404034)

N/A N/A

N/A 8661XLR(DS1404053)

N/A

N/A 8661XLW(DS1404052)

N/A


NN46205-605 02.05 28 April 2010


.

Module types 159

Table 18Nortel Ethernet Routing Switch 8600 modules (cont’d.)

E modules M modules R modules RS modules

N/A 8661 SSLAcceleration Module(DS1404070

N/A

N/A Web SwitchingModule (WSM)(DS1404045)

N/A

N/A N/A 8683XlR

R and RS module support for 8010co chassisThe 8010co chassis supports R or RS modules with a High PerformanceBackplane. Identify the High Performance Backplane by the chassisrevision number in the CLI. The CLI display of the show sys infocommand shows a revision number of 02 or higher in the hardwareconfiguration (H/W Config) field to indicate the new high performancechassis. Additionally, you can examine the hardware revision field(HwRev) to determine whether a chassis is high performance or standard,see Table 19 "Chassis revision number" (page 159).

Table 19Chassis revision number

Chassis Mode HwRev

8010 06 or greater

8006 05 or greater

8010 co chassis 05 or greater

SF/CPU warm standbyThe Ethernet Routing Switch 8600 supports up to two 8691 or 8692SF/CPU modules in slots 5 or 6 in either a 6-slot or 10-slot chassis. If youstart the switch with SF/CPU modules in slots 5 and 6, slot 5 becomesthe master SF/CPU, and slot 6 becomes the backup (warm standby) bydefault. You can change this default behavior.

8691/8692 SF/CPU modules provide two functions: SF/CPU andswitching. Switching fabrics are always active, providing load sharing forinput/output (I/O) modules. One SF/CPU remains active, while the otherSF/CPU is the backup. R modules are supported only with the 8692SF/CPU.


NN46205-605 02.05 28 April 2010


.


ATTENTIONA Dual SF/CPU system configuration supports two modes of SF/CPU operation:warm standby or hot standby. Hot standby, or High Availability (HA) uses thetwo SF/CPUs as synchronizing tables – Layer 2, Layer 3, or both. HA is notactivated by default. You must enable a specific flag to enable HA.

Hardware and software compatibilityThe following tables describe the hardware and the minimum EthernetRouting Switch 8600 software version required to support the hardware.

Table 20Hardware and minimum software version

Chassis and switching fabric Minimumsoftwareversion

Partnumber

8010co chassis 10-slot chassis 3.1.2 DS1402004-E5DS1402004- E5GS

8010 chassis 10-slot chassis 3.0.0 DS1402001-E5DS1402001- E5GS



8691 SF/CPU Switching fabric 3.1.1 DS1404025

8691SF/256 8691SF/256 with 256 SDRAMinstalled

3.1.1 DS1404090

8692 SF/CPU Switching fabric 3.5.6, 3.7.3,4.0.0

DS1404065

Power Supplies

8001AC 690W AC Power Supply 3.0.0 DS1405x01

8002DC 780W DC Power Supply 3.0.0 DS1405002

8003AC 500W AC Power Supply(8003 chassis only)

3.1.2 DS1405x03

8004AC 850W AC Power Supply 3.1.2 DS1405x08

8004DC 850W DC Power Supply 3.1.2 DS1405007

8005AC 1462W AC Power Supply 4.0.0 DS1405012

8005DI 1500W dual input AC powersupply

5.0 DS1405016-E6

8005DC 1462W DC Power Supply 4.0.x DS1405011

Upgrade Kits


NN46205-605 02.05 28 April 2010


.

Hardware and software compatibility 161

Table 20Hardware and minimum software version (cont’d.)

Chassis and switching fabric Minimumsoftwareversion

Partnumber

256MB SF/CPUupgrade kit

The 8691 SF/CPU must beupgraded to 256MB withSoftware Release 3.5, 3.7,4.0 and 4.1. This memoryupgrade is required for the3.5 and 3.7 software to runproperly. See note 1.

3.5.0 DS1404016

MAC upgrade kit Use this kit to add MediaAccess Control (MAC)addresses to your system.This kit is required for routedinterface scaling beyond 500.

3.5.0 DS1404015

Notes

1 The 8691 SF/CPU must be upgraded to 256MB with Software Release 3.5, 3.7, 4.0 and 4.1.

Table 21Hardware and minimum software version continued

8600 modules and componentsMinimumsoftwareversion

Partnumber

Security modules

8661SSL Acceleration Module (SAM)

High PerformanceSSL AccelerationModule securesWeb-based applicationsand businesscommunications. Seenote 1.

3.3.1See note 2.

DS1404070

8660 ServiceDelivery ModuleFirewall 1 (SDMFW1)

The 8660 SDM is acombination of dedicatedhardware and softwarethat addresses the needsfor security, performance,and ease of use.

3.7.6 DS1404104



3.7.6 DS1404081


NN46205-605 02.05 28 April 2010


.


Table 21Hardware and minimum software version continued (cont’d.)


Partnumber



3.7.6 DS1404080

8660 ServiceDelivery ModuleThreat ProtectionSystem (SDMTPS4)


4.1.0 DS1404082

8660 ComboService DeliveryModule Firewall 2Threat ProtectionSystem 2 (SDMFW2/TPS2)


4.1.0 DS1404086

8660 ComboService DeliveryModule Firewall 1Threat ProtectionSystem 1 (SDMFW1/TPS1)


4.1.0 DS1404087

8660 SDM sparedisk drive

Replacement part 3.7.6 DS1411023

8660 SDM sparePrPMC

Replacement part 3.7.6 DS1411024

Layer 4-7 module

Web SwitchingModule (WSM)

4-Port Gigabit EthernetSX or 10/100TX

3.1.3, seenote 33.2.1, seenote 43.3.0, seenote 5

DS1404045

Ethernet E modules see note 6

8608GBE module 8-port Gigabit EthernetGBIC

3.1.1 DS1404038

8608GTE module 8-port Gigabit Ethernet1000TX

3.1.1 DS1404044


NN46205-605 02.05 28 April 2010


.




Partnumber

8608SXE module 8-port Gigabit EthernetSX

3.1.1 DS1404036

8616SXE module 16-port Gigabit EthernetSX

3.1.0 DS1404011

8616GTE module 16-port Gigabit EthernetTX

3.3.0 DS1404034

8624FXE module 24-port 100FX 3.1.1 DS1404037

8648TXE module 48-port 10/100 TX 3.1.1 DS1404035

8632TXE module 32-port 10/100TX (2GBICs)

3.1.2 DS1404024

Ethernet M modules see note 7

8608GBM module 8-port Gigabit EthernetGBIC

3.3.0 DS1404059

8608GTM module 8-port Gigabit Ethernet1000TX

3.3.0 DS1404061

8632TXM module 32-port 10/100TX (2GBICs)

3.3.0 DS1404055

8648TXM module 48-port 10/100 TX 3.3.0 DS1404056

Ethernet R modules see note 9

8630GBR module 30-port Gigabit EthernetSFP

4.0.0 DS1404063

8648GTR module 48-port 10/100/1000 TX 4.0.x DS1404092

8683XLR module 3-port 10Gigabit EthernetXFP (10.3125 Gb/s LANPHY)

4.0.0 DS1404101

8683XZR module 3-port 10Gigabit EthernetXFP (10.3125 Gb/s LANPHY and 9.953 Gb/sWAN PHY)

4.1.0 DS1404064

Ethernet RS modules

8612XLRS 12 port 10 GE 5.0 DS1404097

8634XGRS 2 port 10GE, 32 port100/1000

5.0 DS1404109

8648GBRS 48 port 100/1000Gb/sSFP

5.0 DS1404102


NN46205-605 02.05 28 April 2010


.




Partnumber

8648GTRS 48 port 10 Base-T/100Base -TX/1000 Base-T

5.0 DS1404110

ATM/ATME/ATMM modules

8672ATME module ATME module. See note6.

3.1.1 DS1304008

8672ATMM module ATMM module. See note7.

3.3.0 DS1304009

ATM/ATME/ATMM module components see note 10

DS-3 MDA 2-port 75 ohm coaxial 3.3.0 DS1304002

OC-12c/STM-4MDA

1-port MMF 3.1.0, 3.1.1,3.3.0

DS1304004

OC-12c/STM-4MDA

1-port SMF 3.1.0, 3.1.1,3.3.0

DS1304005

OC-3c/STM-1 MDA 4-port MMF 3.1.0, 3.1.1,3.3.0

DS1304006

OC-3c/STM-1 MDA 4-port SMF 3.1.0, 3.1.1,3.3.0

DS1304007

POS/POSE/POSM modules

8683POSM module M module. See note 7. 3.3.0 DS1404060

POS/POSE/POSM MDAs see note 11

OC-3c/STM-1 MDA 2-port MMF 3.1.0, 3.1.1,3.3

DS1333003

OC-3c/STM-1 MDA 2-port SMF 3.1.0, 3.1.1,3.3

DS1333004

OC-12c/STM-4MDA

1-port MMF 3.1.0, 3.1.1,3.3

DS1333001

OC-12c/STM-4MDA

1-port SMF 3.1.0, 3.1.1,3.3

DS1333002

8600 compatible GBICs, SFPs and XFPs see note 12

1000BASE-SXGBIC

850 nm, shortwavelength, GigabitEthernet

3.0.0 AA1419001

1000BASE-LXGBIC

1300 nm, longwavelength, GigabitEthernet

3.0.0 AA1419002


NN46205-605 02.05 28 April 2010


.




Partnumber

1000BASE-T GBIC Category 5 copperunshielded twisted pair(UTP)

3.5.0 AA1419041

1000BASE-XDGBIC

50k, SC duplex SMF,Gigabit Ethernet

3.0.0 AA1419003

1000BASE-ZXGBIC

70k, SC duplex SMF,Gigabit Ethernet

3.0.0 AA1419004

Gray CWDM GBIC Discontinued, see GrayCWDM APD GBIC

3.1.2 AA1419005

Violet CWDM GBIC Discontinued, see VioletCWDM APD GBIC

3.1.2 AA1419006

Blue CWDM GBIC Discontinued, see BlueCWDM APD GBIC

3.1.2 AA1419007

Green CWDMGBIC

Discontinued, see GreenCWDM APD GBIC

3.1.2 AA1419008

Yellow CWDMGBIC

Discontinued, see YellowCWDM APD GBIC

3.1.2 AA1419009

Orange CWDMGBIC

Discontinued, seeOrange CWDM APDGBIC

3.1.2 AA1419010

Red CWDM GBIC Discontinued, see RedCWDM APD GBIC

3.1.2 AA1419011

Brown CWDMGBIC

Discontinued, see BrownCWDM APD GBIC

3.1.2 AA1419012

Gray CWDM APDGBIC

1470nm 3.1.4 AA1419017

Violet CWDM APDGBIC

1490nm 3.1.4 AA1419018

Blue CWDM APDGBIC

1510nm 3.1.4 AA1419019

Green CWDM APDGBIC

1530nm 3.1.4 AA1419020

Yellow CWDMAPD GBIC

1550nm 3.1.4 AA1419021

Orange CWDMAPD GBIC

1570nm 3.1.4 AA1419022


NN46205-605 02.05 28 April 2010


.




Partnumber

Red CWDM APDGBIC

1590nm 3.1.4 AA1419023

Brown CWDM APDGBIC

1610nm 3.1.4 AA1419024

1000BASE-SXSFP

850nm, Gigabit Ethernet,LC connector

4.0.0 AA1419013

1000BASE-SXSFP

850nm, Gigabit Ethernet,MT-RJ connector

4.0.0 AA1419014

1000BASE-LX SFP 1310nm, GigabitEthernet, LC connector

4.0.0 AA1419015

1000BASE-T SFP Category 5 copperunshielded twisted pair(UTP), RJ-45 connector

4.0.0 AA1419043

1000BASE-BXbidirectional SFP

1310nm, GigabitEthernet, single fiberLC fiber-optic connector

4.1.0 AA1419069

1000BASE-BXbidirectional SFP

1490nm, GigabitEthernet, single fiberLC fiber-optic connector

4.1.0 AA1419070

10GBASE-LR/LWXFP

1-port 10km, 1310nmSMF, LC connector

4.0.0 AA1403001

10GBASE-SR/SWXFP

1-port 300m, 850nmMMF, LC connector

4.0.0 AA1403005

10GBASE-ER/EWXFP

1-port 40km, 1550nmSMF, LC connector

4.0.x AA1403003

10GBASE-ZR/ZWXFP

1550nm SMF, 80km, LCconnector

4.1.0 AA1403006

Notes

1 The 8661 SAM is used in conjunction with the Web Switching Module to intelligentlyaccelerate secure business communication and confidential data by off-loading SecureSockets Layer (SSL) Processing.

2 The 8661 SAM and Web Switching Module security solution also require WebOS version10.0.27.3 or newer. Nortel Ethernet Routing Switch 8600 Software Release 3.3.1 wasspecifically designed to introduce the 8661 SAM module. Release 3.3.1 is the only 3.3.xRelease that supports the 8661 SAM module. The 8661 SAM module is supported inRelease 3.5.

3 Nortel Ethernet Routing Switch 8600 Software Release 3.1.3 is the first and only Release inthe 3.1.x software branch that supports the Web Switching Module.


NN46205-605 02.05 28 April 2010


.

Power management 167



Partnumber

4 Nortel Ethernet Routing Switch 8600 Software Release 3.2.1 (and later) supports the WebSwitching Module.

5 Nortel Ethernet Routing Switch 8600 Software Release 3.3.0 introduced support for WebOS10.0 on the Web Switching Module.

7 M modules offer additional memory to support large routing tables such as those found inBGP implementations. The Nortel Ethernet Routing Switch 8600 Software Release 3.3introduced a new mode, called M Mode, or 128K records mode, which requires the 8691SF/CPU module. If this mode is activated, M modules can use their full capabilities (128Krecords). If this mode is disabled, the M modules work in 32K mode (case of non E and Emodules). To be effective, this mode requires that all modules installed in the same chassissupport 128K records (M modules) and that the SF/CPUs are 8691 SF/CPU. If one or moremodules installed in the chassis is a 32K records module (non M module), these modulesare disabled if the chassis is configured to operate in M Mode .

9 R modules support greater bandwidth and routing table memory than E and M modules aswell as advanced QoS and filtering.

10 ATM MDAs inserted into an 8672ATME module require Nortel Ethernet Routing Switch8600 Series Software Release 3.1.1 or higher. ATM MDAs inserted into a 8672ATMMmodule require Nortel Ethernet Routing Switch 8600 Series Software Release 3.3.0 orhigher.

11 POS MDAs inserted into an 8683POSM module require Nortel Ethernet Routing Switch8600 Series Software Release 3.3.0 or higher.

12 Nonsupported GBICs are displayed as GBIC-other.

Power managementRelease 5.1 of the Nortel Ethernet Routing Switch 8600 offers improvedpower management. Power management identifies the available power inthe chassis, called the power budget, and determines if enough power isavailable to operate the installed components.

If the power usage exceeds the power budget, the system powers off thelast module or ports to power on. If you configure slot priorities, the systempowers off the slot with the lowest priority. If a port exceeds the slot power,the system powers off the offending port. After a power over-usage occurs,the system uses an SNMP trap to send a message to the user interface.

In redundancy mode, the system compares the total chassis powerconsumed against the total chassis power available and verifies that ifone power supply fails, enough power still remains to operate the chassisand components. If, after one power supply failure, not enough power isavailable to operate the chassis and all components, the system sends an


NN46205-605 02.05 28 April 2010


.


SNMP trap to the receiver and a message to the CLI to inform you thatthe switch is no longer operating in redundant mode. By default, the trapnotification for redundancy is disabled.

Software lock-up detectionThe software lock-up detect feature monitors processes on the masterSF/CPU to limit situations where the switch stops functioning because of asoftware process issue. Monitored issues include:

• software entering a dead-lock state

• a software process entering an infinite loop

This feature monitors processes to ensure that software is functioningwithin expected time limits. After an issue that can potentially lock up themaster SF/CPU is encountered, the master ends the process and restarts.In redundant configurations, the standby SF/CPU takes over from themaster.

The SF/CPU logs details about suspended tasks in the log file. Thelog file is saved only on an installed Personal Computer Memory CardInternational Association (PCMCIA). Installation of a PCMCIA on allSF/CPU modules is a best practice. Ensure that the PCMCIA cardprovides sufficient space to write the log file. For additional informationabout this log file, see Nortel Ethernet Routing Switch 8600 LogsReference (NN46205-701).

Loop prevention and CP limitSplit MultiLink Trunking (SMLT) based network designs form physicalloops for redundancy that logically do not function as a loop. Under certainadverse conditions, incorrect configurations or cabling, loops can form.

The two solutions to detect loops are Loop Detect and Simple LoopPrevention Protocol (SLPP). Loop Detect and SLPP detect a loop andautomatically stop the loop. Both solutions determine on which port theloop is occurring and shuts down that port.

Control packet rate limit (CP Limit) controls the amount of multicastand broadcast traffic sent to the SF/CPU from a physical port. CP Limitprotects the SF/CPU from being flooded with traffic from a single, unstableport.


NN46205-605 02.05 28 April 2010


.

Loop prevention and CP limit 169

Do not use only the CP Limit for loop prevention. Nortel recommends thefollowing loop prevention and recovery features in order of preference:

• SLPP

• Extended CP Limit (Ext-CP Limit) HardDown

• Loop Detect with ARP-Detect activated, when available

Beginning with Software Release 4.1, Nortel recommends using SLPP toprotect the network against Layer 2 loops. SLPP is used to prevent loopsin an SMLT network. SLPP is focused on SMLT networks but works withother configurations. This functionality provides active protection againstnetwork loops. When you configure and enable SLPP, the switch sendsa test packet to the VLAN. A loop is detected if the switch or if a peeraggregation switch on the same VLAN receives the original packet. If aloop is detected, the switch disables the port. To enable the port requiresmanual intervention. As an alternative, you can use port auto-enable tore-enable the port after a predefined interval. In addition to using SLPPfor loop prevention, you can use the extended CP Limit softdown featureto protect the SF/CPU against DOS attacks where required. The extendedCP Limit harddown option should be used only as a loop preventionmechanism in Software Release 3.7.x.

The Loop Detection feature is used at the edge of a network to preventloops. It detects whether the same MAC address appears on differentports. This feature can disable a VLAN or a port. The Loop Detectionfeature can also disable a group of ports if it detects the same MACaddress on two different ports five times in a configurable amount of time.

On a individual port basis, the Loop Detection feature detects MACaddresses that are looping from one port to other ports. After a loop isdetected, the port on which the MAC addresses were learned is disabled.Additionally, if a MAC address is found to loop, the MAC address isdisabled for that VLAN.

The ARP-Detect feature is an enhancement over Loop Detect to accountfor ARP packets on IP configured interfaces. For network loops involvingARP frames on routed interfaces, Loop-Detect does not detect the networkloop condition due to how ARP frames are copied to the SF/CPU . UseARP-Detect on Layer 3 interfaces. The ARP-Detect feature supports onlythe vlan-block and port-down options.

For more information about designing your network with CP Limit andSLPP, see Nortel Ethernet Routing Switch 8600 Planning and Engineering— Network Design (NN46205-200). For more information about loopdetection, see Nortel Ethernet Routing Switch 8600 Configuration —VLANs and Spanning Tree (NN46205-517).


NN46205-605 02.05 28 April 2010


.


Depending upon code release usage, select the set of features listedin Table 22 "Loop prevention by release" (page 170). For best loopprevention, Nortel Global Network Product Support recommends that youupgrade to release 4.1.1 or greater and use SLPP.

Table 22Loop prevention by release

Software release CP Limit Loop detect Ext-CP Limit SLPP

3.7.0 - 3.7.4 Yes (see Note 2) Yes (see Note 1) N/A N/A

3.7.5 - 3.7.x Yes (see Note 2) Yes(see Notes 1 and5)

Yes (hard down)(see Notes 2 and4)

N/A

4.0.x Yes (see Note 2) Yes (see Note 1) N/A N/A

4.1.x and on Yes (see Note 2) No Yes (soft down)(see Notes 2 and4)

Yes (see Note 3)

Note 1: Do not enable on IST links and do not use the VLAN down option for SMLT configurations.

Note 2: SF/CPU protection mechanism; do not enable on IST links.

Note 3: Do not enable SLPP on IST or SMLT core facing ports.

Note 4: With Release 4.1.1.0 and later, Nortel recommends that you use the Soft Down optionverses Hard Down.

Note 5: For this configuration, always set ARP-detect option to activated as well.

The following table provides the Nortel recommended CP Limit values.

Table 23CP Limit recommended values

CP Limit Values

Broadcast Multicast

Aggressive

Access SMLT/SLT 1000 1000

Server 2500 2500

Core SMLT 7500 7500

Moderate


Server 5000 5000

Core SMLT 9000 9000

Relaxed


NN46205-605 02.05 28 April 2010


.

Loop prevention and CP limit 171

Table 23CP Limit recommended values (cont’d.)

CP Limit Values

Broadcast Multicast

Aggressive


Server 7000 7000

Core SMLT 10 000 10 000

The following table provides the Nortel recommended SLPP values.

Table 24SLPP recommended values

Setting

Enable SLPP

Access SMLT Yes

Access SLT Yes

Core SMLT No

IST No

Primary switch

Packet Rx threshold 5

Transmission interval 500 milliseconds (ms) (default)

Ethertype Default

Secondary switch

Packet Rx threshold 50

Transmission interval 500 ms (default)

Ethertype Default

SLPP configuration considerationsUse the information in this section to understand the considerations andguidelines when configuring SLPP in an SMLT network.

• You must enable SLPP packet receive on each port to detect a loop.

• Vary the SLPP packet receive threshold between the two core SMLTswitches so that if a loop is detected, the access ports on bothswitches do not go down, and SMLT client isolation is avoided.

• SLPP test packets (SLPP-PDU) are forwarded for each VLAN.

• SLPP-PDUs are automatically forwarded VLAN ports configured forSLPP.


NN46205-605 02.05 28 April 2010


.


• The SLPP-PDU destination MAC address is the switch MAC address(with the multicast bit set) and the source MAC address is the switchMAC address.

• The SLPP-PDU is sent out as a multicast packet and is constrainedto the VLAN on which it is sent.

• If one port of an MLT is shut down because it received SLPP-PDUsthat exceed the receive threshold of the port, then all ports of the MLTare shut down.

• The SLPP-PDU can be received by the originating CP or the peerSMLT CP. All other switches treat the SLPP-PDU as a normalmulticast packet, and forward it to the VLAN.

• SLPP-PDU transmission and reception operates only on ports forwhich STP is in a forwarding state (if STP is enabled on one switchin the path).

• SLPP is port-based, so a port is disabled if it receives SLPP-PDUon one or more VLANs on a tagged port. For example, if the SLPPpacket receive threshold is set to 5, a port is shut down if it receives 5SLPP-PDU from one or more VLANs on a tagged port.

Extended CP LimitThe CP Limit function protects the SF/CPU by shutting down ports thatsend traffic to the SF/CPU at a rate greater than desired through oneor more ports. You can configure the Extended CP Limit functionality toprevent overwhelming the switch with high traffic. To use the Extended CPLimit functionality, configure CP Limit at the chassis and port levels.

ATTENTIONThe Extended CP Limit feature differs from the rate-limit feature by monitoringpackets that are only sent to the SF/CPU (control plane), instead of all packetsthat are forwarded through the switch (data plane).

The set of ports to check for a high rate of traffic must be predetermined,and configured as either SoftDown or HardDown.

HardDown ports are disabled immediately after the SF/CPU is congestedfor a certain period of time.

SoftDown ports are monitored for a specified time interval, and aredisabled only if the traffic does not subside. The user configures themaximum number of monitored SoftDown ports.

To enable this functionality and set its general parameters, configurationmust take place at the chassis level first. After you enable this functionalityat the chassis level, configure each port individually to make use of it.


NN46205-605 02.05 28 April 2010


.

Switch reliability 173

The following table provides the Nortel recommended Extended CP Limitvalues.

Table 25Extended CP Limit recommended values

Setting Value

SoftDown – use with 4.1

Maximum ports 5

Minimum congestion time 3 seconds (default)

Port congestion time 5 seconds (default)

CP Limit utilization rate Dependent on network traffic

HardDown – use with 3.7

Maximum ports 5

Minimum congestion time P = 4000 msS = 70000 msT = 140 000 msQ = 210 000 ms

Port congestion time P = 4 secondsS = 70 secondsT = 140 secondsQ = 210 seconds

Legend: Primary (P) – primary target for convergence, Secondary (S) –secondary target for convergence, Tertiary (T) – third target for convergence,Quarternary (Q) – fourth target for convergenceNortel does not recommend the Ext CP Limit HardDown option for softwareRelease 4.1 or later. Only use this option if SLPP is not available.

Switch reliabilityAs system resources become more widely distributed, the reliability ofnetwork nodes is even more important because it affects connectivity inthe entire network. Although software and hardware components of a nodeare reliable, they are still prone to failures. Protecting the node from failureof one of its components makes the node highly available.

The Ethernet Routing Switch 8600 supports many High Availabilityfeatures at all levels, including the following:

• Hardware

— hot-swappable Input/Output (I/O) modules

— hot-swappable Service Delivery Modules

— passive backplane


NN46205-605 02.05 28 April 2010


.


— Silicon Switch Fabric redundancy and load-sharing

— redundant fans and power supply units

• Software

— port-level and slot-level redundancy in the form of link aggregation

— Split Link Aggregation

— Split MulitLink Trunking (SMLT)

— Routed Split MultiLink Trunking (RSMLT)

— basic Central Processing Unit (SF/CPU) availability— warmstandby

— high SF/CPU availability—hot standby

— router redundancy through Virtual Router Redundancy Protocol(VRRP)

If the primary SF/CPU module fails, the backup SF/CPU assumes theprimary role.

ATTENTIONDuring a SF/CPU failover, do not hot swap I/O modules until the new SF/CPUbecomes the master SF/CPU.

You can configure SF/CPU redundancy to provide either basic availabilityor High Availability.

In warm standby redundancy mode, if the primary SF/CPU fails, thebackup SF/CPU must initialize all input/output modules and load switchconfigurations, causing delays and disrupting operations. In hot standbyredundancy mode, both SF/CPUs maintain synchronized configuration andoperational databases, enabling very quick recovery and High Availability.

If you enable HA, also called Layer 3 redundancy, you automaticallydisable all non-HA features, that is features not supported by HA.

After you enable HA, both the primary and secondary SF/CPUssynchronize their database structures following initialization. After thiscomplete table synchronization, only topology changes are exchangedbetween the primary and secondary SF/CPU.

Jumbo framesThe standard 1518 bytes Ethernet frame size was designed to protectagainst the high bit error rates of older physical-layer Ethernet componentsbut increases in computer processing power and the use of switchedEthernet over unshielded twisted pair or fiber media significantly lowersEthernet errors.


NN46205-605 02.05 28 April 2010


.

Jumbo frames 175

In addition, the speed and capacity of the Ethernet are expanding theprocessor limits of many installed servers, and more data is transferredbetween servers. For these reasons, increasing Ethernet frame size is alogical option. The Ethernet Routing Switch 8600 now supports Ethernetframes as large as 9600 bytes, compared to the standard 1518 bytes, totransmit large amounts of data efficiently and minimize the task load on aserver SF/CPU.

Tagged VLAN supportA port with VLAN tagging activated can send tagged frames. If you planto use Jumbo frames in a VLAN, make sure that the ports in the VLANare configured to accept Jumbo frames and that the server or hosts in theVLAN do not send frames that exceed 9600 bytes. For more informationabout configuring VLANs, see Nortel Ethernet Routing Switch 8600Configuration — VLANs and Spanning Tree (NN46205-517).

Modules and interfaces that support Jumbo framesAs a minimum, Jumbo frame support requires Gigabit speed. Althoughthe system allows larger MTU settings, modules with 10/100 interfaces donot support Jumbo frames.

The following Ethernet Routing Switch 8600 devices and interfacessupport Jumbo frames:

• All RS modules: 8612XLRS, 8634XGRS, 8648GBRS, and 8648GTRS.

• Gigabit fiber and Gigabit copper ports in 8608SX-E, 8608GBIC,8608GBIC-E, 8632TX, 8632TX-E, 8608GT-E, 8630GBR, and8648GTR.

• 10 Gigabit interfaces 8683XLR and 8683XZR.

• IPv6—if you enable IPv6 Jumbo frame support you must set the portinterface MTU size to 9600 bytes.

The following IPv4 and IPv6 control plane applications do not supportJumbo frames:

• Ping

• Telnet

• Domain Name Service (DNS)

• Secure Shell (SSH)

• Secure Copy Protocol (SCP)

• Simple Network Management Protocol (SNMP)

• Open Shortest Path First (OSPF) versions 2 and 3

• Routing Internet Protocol (RIP)


NN46205-605 02.05 28 April 2010


.


If you enable Jumbo frame support on the chassis, then you must set theport interfaces that support the Jumbo frames feature to an MTU size of9600 bytes. Retain the default MTU size of 1950 bytes on port interfacesthat do not support the Jumbo frames feature. Changes that you make tothe MTU size take place immediately.

ATTENTIONOn the 8648GTR module, ports operating at 100 Mbit/s support a maximumframe size of 9188 bytes.

The Web Switching Module (WSM) supports Jumbo frames of up to9018 octets. For instructions about configuring Jumbo frames for thismodule, see Nortel Ethernet Routing Switch 8600 Web Switching ModuleFundamentals (NN46205-314).


NN46205-605 02.05 28 April 2010


.

177.

Chassis operations configurationusing Device Manager

This section provides the details to configure operating modes and basichardware and system settings.

Navigation• “Editing system information” (page 178)

• “Editing chassis information” (page 181)


• “Enabling M mode ” (page 187)

• “Enabling R mode” (page 188)

• “Enabling enhanced operational mode” (page 190)

• “Enabling global filter ordering” (page 190)

• “Enabling CPU High Availability” (page 191)

• “Configuring a basic configuration” (page 192)

• “Opening a dual tab” (page 197)

• “Editing ports” (page 198)

• “Viewing the boot configuration” (page 198)

• “Enabling Jumbo frames” (page 199)

• “Reserving records” (page 199)

• “Viewing the trap sender table” (page 200)

• “Configuring the time” (page 201)

• “Configuring SLPP globally” (page 202)

• “Configuring the SLPP by VLAN” (page 203)

• “Configuring the SLPP by port” (page 204)

• “Configuring Extended CP Limit globally” (page 205)


NN46205-605 02.05 28 April 2010


.

178 Chassis operations configuration using Device Manager

• “Configuring extended CP Limit for a port ” (page 206)

• “Configuring loop detect” (page 208)

• “Configuring CP Limit” (page 209)

• “Editing the boot file” (page 210)

• “Editing the management port parameters” (page 212)

• “Editing the management port CPU route table” (page 213)

• “Configuring the management port IPv6 interface parameters” (page214)

• “Configuring management port IPv6 addresses” (page 216)

• “Configuring the CPU IPv6 route table” (page 217)

• “Editing serial port parameters” (page 218)

• “Enabling port lock” (page 219)

• “Locking a port” (page 220)

• “Enabling power management” (page 221)

• “Configuring slot priority” (page 221)

Editing system informationYou can edit system information such as the contact person, the name ofthe device, and its location. Other information cannot be edited, but is veryuseful, such as the software version running on the device.

Edit system information by performing this procedure.

Procedure steps

Step Action

1 On the Device Manager menu bar, choose Edit, Chassis.

The Chassis dialog box appears with the System tab displayed.

2 Edit the required options.

3 Click Apply.

4 Click Close.

--End--

Variable definitionsUse the data in the following table to configure the Chassis, System tab.


NN46205-605 02.05 28 April 2010


.

Editing system information 179

Variable Value

sysDescr Shows the system assigned name and thecurrent, running software version.

sysUpTime Shows the time since the system last started.

sysContact Configures the contact information (in thiscase, an E-mail address) for the Nortelsupport group.

sysName Configures the device name.

sysLocation Configures the physical location of the device.The default location is 4655, Great AmericaParkway, Santa Clara, CA - 95054.

VirtualIpAddr Configures the virtual IP address advertisedby the master SF/CPU.Unlike the management port IP address,the virtual IP address is stored in the switchconfiguration file, not the boot configurationfile.The default IP address is 0.0.0.0.

VirtualNetMask Configures the net mask of the virtualmanagement IP address.The default net mask is 0.0.0.0.

VirtualIpv6Address Configures the virtual IPv6 address advertisedby the master SF/CPU.Unlike the management port IPv6 address,this address is stored in the switchconfiguration file, not the boot configurationfile.The default address is 0:0:0:0:0:0:0:0.

VirtualIPv6Prefix Length Configures the length of the virtual IPv6 prefixentry.The default is 0.

DnsDomainName Configures the default domain for querying theDNS server.

LastChange Specifies the time since the last configurationchange.

LastVlanChange Specifies the time since the last VLANchange.

LastStatisticsReset Specifies the time since the statistics counterswere last reset.

LastRunTimeConfigSave Specifies the last run-time configurationsaved.

LastRunTimeConfigSaveToSlave

Specifies the last run-time configuration savedto the standby device.


NN46205-605 02.05 28 April 2010


.


Variable Value

LastBootConfigSave Specifies the last boot configuration saved.

LastBootConfigSaveOnSlave Specifies the last boot configuration saved onthe standby device.

LastRuntimeConfigFileName Specifies the default Runtime ConfigurationFile directory name.

DefaultBootConfigFileName Specifies the default Boot Configuration Filedirectory name.The default name is /flash/boot.cfg.

ConfigFileName Specifies the name of a new boot or runtimeconfiguration file.For more information, see saveBootConfigand saveRuntimeConfig in ActionGroup1.The default name is /flash/config.cfg.

ActionGroup1 Specifies one of the following actions:

• resetCounters—resets all statisticcounters.

• checkSwInFlash—checks the software inflash memory.

• saveRuntimeConfigToSlave—savesthe current run-time configuration to thesecondary SF/CPU.

• saveToNVRAM—saves the currentrun-time configuration to NVRAM.

• checkSwInPcmcia—checks the softwarein Personal Computer Memory CardInternational Association (PCMCIA).

• saveBootConfig—saves the currentboot configuration to the file specified inConfigFileName. If the configFileNamefield is blank, the switch saves theboot configuration to the current bootconfiguration file.

• saveToStandbyNVRAM—saves thecurrent run-time configuration to thestandby NVRAM.

• saveRuntimeConfig—saves the currentrun-time configuration to the file specifiedin ConfigFileName. If the configFileNamefield is blank, the switch saves the run-timeconfiguration to the current run-timeconfiguration file.


NN46205-605 02.05 28 April 2010


.

Editing chassis information 181

Variable Value

• saveSlaveBootConfig—saves the currentboot configuration to the secondarySF/CPU.

• loadLicense—loads a software license fileto enable features.

ActionGroup2 Specifies one of the following actions:• resetlstStatCounters—resets the IST

statistic counters.

• resetLspStats—resets the LSP statistics

ActionGroup3 flushIpRouteTbl—flushes IP routes from therouting table.

ActionGroup4 Specifies one of the following actions:

• hardReset—resets the device and runspower-on tests.

• softReset—resets the device withoutrunning power-on tests.

• cpuSwitchOver—swaps control from oneSF/CPU to another.

• resetConsole—reinitializes the hardwareUART drivers. Reset the console onlyif the console or modem connection ishanging.

• resetModem—reinitializes the UARTdrivers on the modem port. Reset themodem only if the console or modemconnection is hunging.

Result Specifies a message after you click Apply.

Editing chassis informationEdit the chassis information to make changes to chassis-wide settings byperforming this procedure.

Procedure steps

Step Action

1 On the device, select the chassis.

2 From the Device Manager menu bar, choose Edit, Chassis.

The chassis dialog box appears with the System tab displayed.

3 Click the Chassis tab.


NN46205-605 02.05 28 April 2010


.


4 Edit the necessary options.

5 Click Apply.

6 Click Close.

--End--

Variable definitionsUse the data in the following table to configure the Chassis tab.

Variable Value

Type Specifies the Ethernet Routing Switch 8600module type.

SerialNumber Specifies a unique chassis serial number.

HardwareRevision Specifies the current hardware revision of thedevice chassis.

NumSlots Specifies the number of slots (or cards) thisdevice can contain.

NumPorts Specifies the number of ports currently on thisdevice.

BaseMacAddr Specifies the starting point of the block of MACaddresses used by the switch for logical andphysical interfaces.

MacAddrCapacity Specifies the MAC address capacity.The default value is 4096.

MacFlapLimitTime Configures the time limit for the loop-detectfeature, in milliseconds, for MAC flapping. Thevalue ranges from 10 to 5000.The default value is 500.

AutoRecoverDelay Configures the delay in autorecovery. Thevalue ranges from 5 to 3600.The default is 30 seconds.

MTUSize Configures the maximum transmission unitsize.The default is 1950.

Temperature Specifies the current temperature of thechassis in degrees Celsius.

PrimaryCPUType Specifies the primary SF/CPU type; forexample, the 8692 SF/CPU.

PrimaryCPUMemory Specifies the primary SF/CPU memory size;for example, 256 MB.


NN46205-605 02.05 28 April 2010


.


Variable Value

SecondaryCPUType Specifies the secondary SF/CPU type; forexample, the 8692 SF/CPU.

SecondaryCPUMemory Specifies the secondary SF/CPU memory size;for example, 256 MB.

PowerUsage Specifies the amount of power the SF/CPUuses.The default value is 665.

PowerAvailable Specifies the amount of power available to theSF/CPU.The default is 1050.

Configuring system flagsConfigure the system flags to enable or disable flags for specificconfiguration settings by performing this procedure.

Procedure steps

Step Action



The chassis dialog box appears with the System tab displayed .

3 Click the System Flags tab.

The Chassis—System Flags tab appears.

4 Select the system flags you want to set.

5 You can assign a specific mode by selecting it in the modesection of the dialog box.

6 Click Apply.

ATTENTIONAfter you change certain configuration parameters, you must savethe changes to the configuration file and restart the switch before thechanges take effect. For more information about which parametersrequire a switch reset, see the value descriptions in Variablesdefinitions.

--End--

Variable definitionsUse the data in the following table to configure the Chassis, System Flagstab.


NN46205-605 02.05 28 April 2010


.


Variable Value

AuthenticationTraps Activates Authentication traps.If you change this parameter, you must restartthe system for the change to take effect.

EnableWebServer Activates the Web server.If you change this parameter, you must clickApply for the change to take effect.

EnableAccessPolicy Activates access policies.If you change this parameter, you must restartthe system for the change to take effect.

MrouteStreamLimit Enables or disables Mroute Stream Limit.If you change this parameter, you must restartthe system for the change to take effect.

ForceTrapSender Configures CLIP (Circuit Less IP) as a traporiginator. If you change this parameter, youmust restart the system for the change to takeeffect.

ForceIpHdrSender If you enable Force IP Header Senter, thesystem matches the IP header source addresswith SNMP header sender networks.If you change this parameter, you must restartthe system for the change to take effect.

GlobalFilterEnable Enables or disables the ordering of globalfilters by their ID in the system.If you change this parameter, you must restartthe system for the change to take effect.

VlanBySrcMacEnable Enables or disables source MAC basedVLANs.If you change this parameter, you must restartthe system for the change to take effect.

DiffServEcnCompatibilityEnable

Enables or disables the Explicit CongestionNotification (ECN) compatibility feature.If you select false, the system masks the ECNbits in the DS field while re-marking DSCP anddoes not match on ECN capable flows if thefilter is set on DSmatch.If you select true, the system preserves theECN bits in the DS field while re-marking andmakes matches based on the full 8-bit DSfield.If you change this parameter, you must restartthe system for the change to take effect.


NN46205-605 02.05 28 April 2010


.


Variable Value

WsmDirectMode Activates configuration of same communitystrings on the WSM and 8600.Enables direct connection by SNMP to theWSM.If you change this parameter, you must restartthe system for the change to take effect.

ConfigMode Configures the switch to use Nortel Networkscommand line interface (NNCLI) or CLI mode.If you change this parameter, you must restartthe system for the change to take effect.The default is nncli.

ForceTopologyIpFlagEnable Enables or disables the flag that sets the CLIPID as the topology IP. Values are true or false.The default value is false (disabled).

CircuitlessIpId Sets the CLIP ID to be used as the topologyIP. Enter a value from 1 to 256.

EnableEnhancedOperationalMode

Configures Enhanced Operational mode.

EnhancedOperMode Indicates if Enhanced Operational mode isconfigured. The values are true or false. Thisis a read-only field.

EnableM-Mode Enables or disables M mode.If you change this parameter, you must restartthe system for the change to take effect.

M-Mode Indicates if M mode is configured. The valuesare true or false. This is a read-only field.

EmModeError Indicates the M mode error status. Thepossible error message values are as follows:

• none

• non128KCardOffLine

• checkSlaveConfigNResetForEmMMode

• mismatchResetForEmMode

• mismatchEmModeMasterSlave

• incompatMasterResetForEmMode

• putSlaveOffEmImcompat

• slave8690EmIncompatGoingOffline

• cpu8690DisableEm

EnableR-Mode Activates R mode.If you change this parameter, you must restartthe system for the change to take effect.


NN46205-605 02.05 28 April 2010


.


Variable Value

R-Mode Indicates if R-mode is configured. The valuesare true or false. This is a read-only field.

RspModeError Indicates the R mode error status. Thepossible error message values are as follows:

• none

• non256KCardOffLine

EnableVlanOptimizationMode Configures VLAN Optimization mode.

ATTENTIONNortel recommends that you do not changethe configuration of the VLAN optimizationmode.

VlanOptimization Specifies the current state of VLANOptimization mode.

SystemMonitorEnable Activates or disables system monitoring inthe switch. If you change this parameter, youmust restart the system for the change to takeeffect.

MonitoringEnable Starts or ends a monitoring session.

MonitorDetectionTime Configures the interval, in seconds, for systemmonitoring, in a range from 10 to 600 seconds.The default value is 30.

HaCpu Activates or disables the High Availability CPUfeature.If you change this parameter, you must restartthe system for the change to take effect.The default value is disabled.

HaCpuState Indicates the High Availability CPU state.

• initialization—indicates the SF/CPU is inthis state

• oneWayActive—modules that need to besynchronized register with the framework(either locally or a message received from aremote SF/CPU)

• twoWayActive—modules that need to besynchronized register with the framework(either locally or a message received from aremote SF/CPU)

• synchronized—table-based synchronizationis complete on the current SF/CPU


NN46205-605 02.05 28 April 2010


.

Enabling M mode 187

Variable Value

• remoteIncompatible—SF/CPU frameworkversion is incompatible with the remoteSF/CPU

• error—if an invalid event is generated in aspecific state the SF/CPU enters Error state

• disabled—High Availability is not activated

• peerNotConnected—no established peerconnection

• peerConnected—established peerconnection is established

• lostPeerConnection—lost connection topeer or standby SF/CPU

• notSynchronized—table-basedsynchronization is not complete

The default is disabled.

HaEvent Indicates the High Availability event status.

• restart—causes the state machine torestart.

• systemRegistrationDone—causes theSF/CPU to transfer to One Way or TwoWay Active state.

• tableSynchronizationDone—causes theSF/CPU to transfer to synchronized state.

• versionIncompatible—causes the SF/CPUto go to remote incompatible state

• noEvent—means no event occurred todate.

StandbyCpu Indicates the state of the standby SF/CPU.

Enabling M modeEnable M mode to support up to 128000 table entries in the system byperforming this procedure.

Prerequisites

• M mode supports the Nortel Ethernet Routing Switch 8600 Release 3.xfeature set. Full support of M mode requires the following configurationconditions:


NN46205-605 02.05 28 April 2010


.


— The chassis must include at least one 8691 or 8692 SF/CPUmodule.

— All modules installed in the chassis must be M, R, or RS modules,are capable of supporting 128000 table entries.

— M modules require Nortel Ethernet Routing Switch 8600 Release3.3 or later.

— You must understand how the modules installed in the chassisaffect the operating mode of the switch.

ATTENTIONIf M mode is activated, any E modules present in the chassis aredisabled. This protects the system forwarding tables from lost entries.

• You cannot activate M mode and R mode at the same time.

Procedure steps

Step Action




3 Select the EnableM-Mode box.

4 Click Apply.

A warning message appears, advising you to restart.

5 Click OK.

ATTENTIONIf you activated M mode and you are using Device Manager,you cannot edit or apply changes on the Boot tab on the standbySF/CPU. Configuration is possible if you are in default mode.

--End--

Enabling R modeEnable R mode to support 256 000 IP routes. R mode supports the NortelEthernet Routing Switch 8600 Release 4.0 and later feature sets.

Enable R mode by performing this procedure.

Prerequisites

• Full support of R mode requires the following configuration conditions:


NN46205-605 02.05 28 April 2010


.

Enabling R mode 189

— The system must include either R or RS modules only. Ifthe system uses a mix of R, RS, M, or E modules, you mustunderstand how that affects available configuration options.

— The system must include at least one 8692 SF/CPU module. R andRS modules do not start with the 8691 SF/CPU modules (see thefollowing exception).

The 8648GTR module operates with 8691 and 8692 SF/CPUmodules. To support the 8648GTR with the 8691 SF/CPU, theSF/CPU must be configured with 256MB Synchronous DynamicRandom Access Memory (SDRAM) (the 8692 SF/CPU shipsstandard with 256MB SDRAM). A system with 8691 SF/CPUconfigured with 256MB SDRAM and only 8648GTR interfacemodules meets the conditions for R mode.

— When you configure an Ethernet Routing Switch 8600, considertotal power-consumption to ensure proper system performance.The total input power-consumption of the components (modulesand fan trays) must not exceed the output power rating of thepower supply. See your power supply document for power supplyspecifications. For input power consumption information, seeNortel Ethernet Routing Switch 8600 Installation — Chassis(NN46205-303).

— R modules require Nortel Ethernet Routing Switch 8600 softwareRelease 4.0 or later.

Procedure steps

Step Action




3 Select the Enable R-Mode box.

4 Click Apply.

A warning message appears, advising you to restart.

5 Click OK.


NN46205-605 02.05 28 April 2010


.


ATTENTIONIf you activate R mode and you are using Device Manager, youcannot edit or apply changes on the Boot tab on the standbySF/CPU. Configuration is possible if you are in default mode or Mmode.

--End--

Enabling enhanced operational modeEnable enhanced operational mode to increase the maximum numberof virtual LANs (VLAN) if you use MultiLink Trunking (MLT) and SplitMultiLink Trunking (SMLT) by performing this procedure.

Procedure steps

Step Action




3 Select the EnableEnhancedOperationalMode box.

4 Click Apply.


6 Restart the chassis.

--End--

Enabling global filter orderingEnable the ordering of global filters. By default, global filters are stored inthe hardware records in the order that they are applied. After you enablethe ordering of global filters, global filters are stored in the order of theirIDs. To ensure that a global filter is used first, you need to assign a lowerID to that filter; or assign a higher ID to a less specific filter.

Enable the order of global filter by performing this procedure

Prerequisites

• Global filter ordering is supported only on classic modules; this featureis not applicable to R or RS modules.


NN46205-605 02.05 28 April 2010


.

Enabling CPU High Availability 191

Procedure steps

Step Action




3 Select the GlobalFilterEnable box.

4 Click Apply.

ATTENTIONFor the changes to take effect, you must save the configuration andrestart the chassis.

--End--

Enabling CPU High AvailabilityCPU high-availability (HA) mode enables switches with two CPUs torecover quickly from a failure of the master SF/CPU. Use the procedure inthis section to enable CPU HA mode.

Procedure steps

Step Action





4 In HaCpu section, select Enable.

5 Click Apply.

A message box appears.

6 Click Yes to confirm.

After enabling HA mode on the master SF/CPU, the secondarySF/CPU automatically resets to load settings from itspreviously-saved boot configuration file. You must manuallyreset the primary SF/CPU while the secondary SF/CPU isbooting.


NN46205-605 02.05 28 April 2010


.


ATTENTIONFailure to manually boot the primary CPU before the secondaryfinishes booting can lead to system instability. Traffic is interruptedwhen the master is manually reset.

CAUTIONEnabling the HA mode can cause certain features tobecome disabled. See the Release Notes for yoursoftware version for details on HA mode specificinformation.

--End--

Configuring a basic configurationYou can set options for a basic port configuration through the Interfacetab in the Port dialog box. Additional tabs and screen entries formodule-specific functions appear when applicable. For example, on theInterface dialog box for a port, tabs for Layer 3 (routing) functions appear ifDevice Manager accesses an Ethernet Routing Switch 8600.

Configure the basic port configuration by performing this procedure.

Procedure steps

Step Action

1 On the device view, select a port or multiple ports.

2 From the Device Manager menu bar, choose Edit, Port, General– Global Router (vrf 0)....

The Port dialog box appears with the Interface tab displayed.

3 Configure the fields as required.

The 10/100Base-TX ports do not consistently autonegotiate witholder 10/100Base-TX equipment. You can sometimes upgradethe older devices with new firmware or driver revisions. If anupgrade does not allow autonegotiation to correctly identify thelink speed and duplex settings, you can manually configure thesettings for the link in question. Check the Nortel Web site forthe latest compatibility information.

--End--

Variable definitionsUse the data in the following table to use the Interface tab.


NN46205-605 02.05 28 April 2010


.

Configuring a basic configuration 193

Variable Value

Index A unique value, in a range from 64–511,assigned to each interface.The default value is 212.

Name The name assigned to the port.

Descr The port type of this interface.

Type The media type of this interface.

Mtu The size of the largest packet, in octets, theswitch can send or receive on the interface(maximum transmission unit).The default is 1950.

PhysAddress The MAC address assigned to a particularinterface.

VendorDescr The name of the interface chipset. (Thisdoes not apply to all port types.)

AdminStatus AdminStatus is expressed as one of thefollowing states:

• up

• down

• testing

After a managed system initializes, allinterfaces start with AdminStatus in the upstate.AdminStatus changes to either the downor the testing state (or remains in the downstate) if you make explicit managementaction or if the managed system retainsconfiguration information.The testing state indicates that the switchdoes not pass operational packets.

The default state is up.


NN46205-605 02.05 28 April 2010


.


Variable Value

OperStatus The current operational state of the interfaceexpressed as one of the following states:

• up

• down

• testing

The testing state indicates that the switchdoes not pass operational packets.If AdminStatus is down, OperStatus is down.If AdminStatus changes to up, OperStatuschanges to up if the interface is ready totransmit and receive network traffic.AdminStatus remains in the down state if,and only if, a fault exists that prevents itfrom going to the up state.

The default operating status is down.

LastChange The value of sysUpTime at the time theinterface entered its current operationalstate.If the interface entered the current stateprior to the last reinitialization of the localnetwork management subsystem, the valueis zero.

LinkTrap Indicates whether the system generates linkUp or link Down traps for this interface.The default setting is enabled.

AutoNegotiate Indicates whether this port is activated forautonegotiations (only 10/100Base ports).Nortel recommends that you useautonegotiation whenever it is supported bythe devices on both ends of a Gigabit fiberlink.If the Ethernet Routing Switch 8600 isconnected to a device that does not supportit, disable autonegotiation and enable SFFD.The default setting is true.For more information, see NortelEthernet Routing Switch 8600 Planningand Engineering -- Network Design(NN46205-200).


NN46205-605 02.05 28 April 2010


.

Configuring a basic configuration 195

Variable Value

AdminDuplex Indicates the current duplex value of the portas one of the following modes:• half-duplex

• full-duplex

The default is half-duplex.

OperDuplex The current operational duplex mode of theport (half or full).The default is Full-duplex.

AdminSpeed Indicates the port data rate (10 Mb/s or 100Mb/s).

OperSpeed The current operating data rate of the port.

AutoNegAd The port speed to advertise.

QosLevel Quality of Service level.The default is level 1.

DiffServ Activates Differentiated Services on thisport.

Layer3Trust Configures the type of Differentiated Serviceto one of the following:

• none

• access

• core

The default is core.

MultimediaPlatformAndDevice Specifies the platform and multimediadevice.

TelephonyAndMultimediaFilterEnable

Activates telephony and multimedia filters.

MltId The MultiLink Trunk to which the port isassigned.The default is 0.

Locked Indicates whether or not the port is locked.If the port is locked, you cannot change theport configuration.To lock or unlock a port, select Edit,Security, Port Lock.The default is false.


NN46205-605 02.05 28 April 2010


.


Variable Value

UnknownMacDiscard If you enable UnknownMacDiscard on aport, the system drops a packet with anunknown source MAC address on thatport, and other ports discard packets thatcontain the unknown MAC address in thedestination field.For example, if 11:22:33:44:55:66 is anunknown source MAC, packets tagged witha source MAC of 11:22:33:44:55 comingfrom this port are discarded; packets taggedwith a destination MAC of 11:22:33:44:55:66coming from other ports are also discarded,unless the address is learned on anotherport or the restriction ages out.

You must enable autolearn beforeyou can set the unknown-mac-discardlock-autolearn-mac disable parameter.

DirectBroadcastEnable Indicates whether this interface forwardsdirect broadcast traffic.

AdminRouting Indicates whether the port is routable.

OperRouting The status of the port; whether it is routable.

HighSecureEnable Activates or disables the high securefeature.

Layer 2 Override 8021p Activates or disables IEEE 802.1p override.If activated, the 802.1p value from a taggedframe is not used.

CpLimitEnable Activates or disables extended CP Limit insystem.

CpMulticastLimit Selects the CP multicast limit.

CpBroadcastLimit Selects the CP broadcast limit.

Action One of the following port-related actions:

• none

• flushMacFdb—flush MAC forwardingtable for port

• flushArp—flush ARP table for port

• flushIp—flush IP route table for port

• flushAll—flush all tables for port


NN46205-605 02.05 28 April 2010


.

Opening a dual tab 197

Variable Value

• triggerRipUpdate—manually update theRIP table

• clearLoopDetectAlarm—manuallyenable the port on all the disabled vlans

Result The result of port-related actions.

Opening a dual tabIf you use ports with redundant connectors, a dual tab appears. Use thistab to define which connector is the primary connector.

Open a dual tab by performing this procedure.

Procedure steps

Step Action

1 On the device view, select at least two ports.

2 From the Device Manager menu bar, choose Edit, Port, General– Global Router (vrf 0)....

3 Click the Dual tab.

--End--

Variable definitionsUse the data in the following table to use the Dual tab.

Variable Value

Index A unique value assigned to each interface.

PrimaryConnector For ports configured with redundantconnectors, this value indicates whichconnector to use as the active connector onthis port the next time the port is placed intothe ifAdminStatus=Up state.

ActiveConnector Indicates which connector is currently theactive connector. Only one connector isactive at a time.

BackupConnectorStatus Indicates the status of the link attached tothe backup (nonactive) connector.


NN46205-605 02.05 28 April 2010


.


Editing portsIf you edit multiple ports, some options are not available, and otheroptions appear to be available even though the dialog box or tab is notapplicable. If a dialog box or tab does not apply for a port, you receive aNoSuchObject message.

If you edit a single port, dialog boxes and tabs that are not applicable arenot available for the selection.

Edit multiple ports by performing this procedure.

ATTENTIONIf a port is modified while an alarm is active on the port, and the port sendsfaults to a Multiservice Data Manager (MDM) server. It is possible that duplicatealarms appear in the MDM Active Alarm browser due to a component namechange. To clear these alarms, use the procedure called Clearing Local Alarmsin Nortel Multiservice Data Manager (MDM) Fault Management — Tools(NN10470-011).

Procedure steps

Step Action

1 Select the port, or ports, you want to edit.

2 Do one of the following:

• Double-click a port.

• Right-click a port. On the shortcut menu, choose Edit.

• From the Device Manager menu bar, choose Edit, Port.

--End--

Viewing the boot configurationView the boot source, as well as view the source from which the switchstarted last by performing this procedure.

Procedure steps

Step Action

1 On the device, select a chassis.



3 Click the Boot Config tab.


NN46205-605 02.05 28 April 2010


.

Reserving records 199

The Boot Config tab appears.

--End--

Variable definitionsUse the data in the following table to use the Boot Config tab.

Variable Value

Slot Specifies the slot number of the device

SwVersion Specifies the software version that is currentlyrunning

LastBootConfigSource Specifies the last source from which the switchstarted

LastRuntimeImageSource Specifies the last source for the run-time image

LastRuntimeConfigSource Specifies the last source for the run-timeconfiguration

Enabling Jumbo framesEnable Jumbo frames to increase the size of Ethernet frames supportedon the chassis by performing this procedure.

Procedure steps

Step Action


The System dialog box appears with the System tab displayed.

2 Click the Chassis tab.

The Chassis dialog box appears with the Chassis tab displayed.

3 Click MTU size: 1950 or 9600.

4 Click Apply.

5 Click Close.

--End--

Reserving recordsReserve records to change the number of hardware records available foreach record type by performing this procedure.

Prerequisites

• Reserving records is supported only on classic E and M modules.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action




3 Click the Record Reservation tab.

The Record Reservation tab appears.

4 Select the amount in the NewReserved column for the recordtype you want.

5 Enter the new value.

6 Click Apply.

The new number of reserved records appears in the Reservedcolumn.

--End--

Variable definitionsUse the data in the following table to configure the Chassis, RecordReservation tab.

Variable Value

Record Type Identifies the record type: filter, ipmc, local, mac, static,or vrrp.

Reserved Specifies the number of hardware records reserved forthe recordType.

Used Specifies the number of hardware records actuallyused by the recordType.

NewReserved Specifies the number of hardware records that isreserved for this record type after a reset if theconfiguration is saved.

DefReserved Specifies the number of records reserved for thisrecord type if loaded with factory default.

Viewing the trap sender tableUse the trap sender table to view source and receiving addresses byperforming this procedure.


NN46205-605 02.05 28 April 2010


.

Configuring the time 201

Procedure steps

Step Action




3 Click the Trap Sender Table tab.

The Trap Sender Table tab appears.

--End--

Variable definitionsUse the data in the following table to use the Chassis, Trap Sender Tabletab.

Variable Value

RecvAddress Specifies the IP address for the trap receiver. Thisvariable is a read-only variable containing the IPaddress configured in the TAddress field in theTargetTable.

SrcAddress Identifies the IP address for the trap sender.

Configuring the timeSet the date and time on the switch with the User Set Time tab byperforming this procedure.

Procedure steps

Step Action



The chassis dialog box appears with the System tab displayed.

3 Click the User Set Time tab.

The User Set Time tab appears.

4 Enter the correct details.

5 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to configure the User Set Time tab.

Variable Value

Year Configures the year (integer from 1998–2097)

Month Configures the month (integer from 1–12)

Date Configures the day (integer from 1–31)

Hour Configures the hour (integer from 0–23)

Minute Configures the minute (integer from 0–59)

Second Configures the second (integer from 0–59)

Configuring SLPP globallyEnable the Simple Loop Prevention Protocol (SLPP) to detect a loop andautomatically stop it by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, select VLAN, SLPP.

The Slpp dialog box appears with the Global tab displayed.

2 Select GlobalEnable.

3 In the TransmissionInterval box, enter a value for the timeinterval for loop detection.

4 In the EtherType box, enter the SLPP protocol value as ahexadecimal number.

5 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Slpp dialog box.

Variable Value

GlobalEnable Enables or disables SLPP globally.


NN46205-605 02.05 28 April 2010


.

Configuring the SLPP by VLAN 203

Variable Value

TransmissionInterval Sets the interval for which loopdetection occurs. The interval isexpressed in milliseconds in a rangefrom 500–5000.The default value is 500.

EtherType Specifies the SLPP protocolidentification. This value is expressedin hexadecimal format.

Configuring the SLPP by VLANActivates SLPP on a VLAN to enable forwarding of the SLPP packet overthe VLAN by performing this procedure.

Prerequisites

• Enable the SLPP globally before configuring it on a VLAN.

Procedure steps

Step Action



2 Click the VLANS tab.

The VLANS tab appears.

3 Click Insert.

The Slpp, Insert VLANS box appears.

4 Click the VlanID ellipses (...).

5 Select the desired VLAN ID.

6 Click Ok.

7 To enable SLPP, select SlppEnable.

8 Click Insert.

The ID and status of the selected VLAN appears in the Slpp,VLANS dialog box.

--End--

Variable definitionsUse the data in the following table to configure the SLPP, Insert VLANSdialog box.


NN46205-605 02.05 28 April 2010


.


Variable Value

VlanId Specifies the VLAN.Click the ellipsis button to select froma list of VLANs.

SlppEnable Enables SLPP on the selected VLAN.

The SLPP packet transmission andreception process is active only if youenable the SLPP operation.When you disable the SLPP operation,the following occurs:

• the system sends no SLPP packets

• the system discards received SLPPpackets

Configuring the SLPP by portUse SLPP on a port to avoid traffic loops on the port by performing thisprocedure.

ATTENTIONTo provide protection against broadcast and multicast storms, Nortelrecommends that you enable Rate Limiting for broadcast traffic and multicasttraffic.

Procedure steps

Step Action



2 Click the Ports tab.

The Ports tab appears displaying all available ports.

3 In the PktRxThreshold box for the desired port, specify thethreshold value for packet reception.

4 Double-click the SlppEnable box for the desired port.

5 Select true to enable SLPP.

6 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.

Configuring Extended CP Limit globally 205

Variable definitionsUse the data in the following table to configure the Slpp, Ports tab.

Variable Value

IfIndex Specifies the interface index numberfor a port.

PktRxThreshold Specifies the threshold for packetreception. The SLPP packet receivethreshold is set to a value (1- 500) thatrepresents the number of SLPP-PDUsthat must be received to shut downthe port. Note that this is a port-levelparameter, therefore if the port istagged, SLPP-PDUs from the variousVLANs increment this single thresholdcounter.

See Table 24 "SLPP recommendedvalues" (page 171) for recommendedvalues in an SMLT environment.

SlppEnable Enables SLPP on the selectedinterface.

IncomingVlanId VLAN ID of the classified packet on aport disabled by SLPP.

SrcNodeType Specifies the source node type of thereceived SLPP packet.

Configuring Extended CP Limit globallyExtended CP Limit protects the switch from congestion caused by excessdata flowing through one or more ports.Configure the Extended CP Limit to prevent the switch from beingoverwhelmed by performing this procedure.

Prerequisites

• You must enable and configure Extended CP Limit at the chassis level.

Procedure steps

Step Action

1 In the Device Manager menu, select Edit, Chassis, Ext. CPLimit.

The Chassis—Ext CP Limit dialog box appears.


NN46205-605 02.05 28 April 2010


.


2 Enter appropriate information in the fields provided and clickApply.

--End--

Variable definitionsUse the data in the following table to configure the Chassis—Ext. CP Limittab.

Variable Value

Enable Select this check box to enable the Extended CPLimit functionality.Clear the checkbox to disable Extended CP Limitfunctionality.

MinCongTime Configures the minimum time the system octapidremains in a congested state before triggering thecongestion algorithm.The default interval is 3000 milliseconds.

MaxPorts Configures the total number of ports that need tobe analyzed from the may-go-down port list.The range is from 0 to 512.The default is 0.

PortCongTime Configures the interval a port can remain at thecongestion threshold until the system disables it.The value ranges from 1 to 600 seconds.The default value is 5.

TrapLevel Indicates the trap level for extended CP Limit as:• none

• normal

• verbose

The default is none.

SysOctapidCongested Indicates whether system octapid congestion isdetected for extended CP Limit.

PortsMonitored Indicates ports monitored by extended CP Limit.

PortsShutDown Indicates whether ports are shut down due toextended CP Limit.

Configuring extended CP Limit for a portCP Limit functionality protects the switch from becoming congested by anexcess of data flowing through one or more ports. Currently the CP Limitfunctionality only protects the switch from broadcast and control traffic witha QoS value of 7. The Extended CP Limit functionality is configurable andyou can use it to prevent overwhelming the switch.


NN46205-605 02.05 28 April 2010


.

Configuring extended CP Limit for a port 207

Configure extended CP limit for a port by performing this procedure.

Prerequisites

• You must enable extended CP Limit at the chassis level before youenable it for a port.

Procedure steps

Step Action

1 On the device, select a port.

2 From the Device Manager menu, select Edit, Port, General –Global Router (vrf 0)....

The Edit Port dialog box appears with the Interface tabdisplayed.

3 Click the CP Limit tab.

4 Select a value for ExtCplimitConf.

5 Configure the threshold for ExtCplimitUtilRate.

6 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the CP Limit tab.

Variable Value

CpLimitEnable Activates or disables the CP Limit feature.The default is activated.

CpMulticastLimit Configures the multicast control frame rate in arange from 1000–100000 ppsThe default value is 10000.

CpBroadcastLimit Configures the broadcast control frame rate in arange from 1000–100000 pps.The default value is 10000.

AutoRecoverPort Activates or disables auto recovery of the port fromaction taken by CP Limit, link flap, or loop detectfeatures.The default value is disabled.


NN46205-605 02.05 28 April 2010


.


Variable Value

ExtCplimitConf Configures the manner in which the individual portparticipates in the Extended CP limit functionality.Select one of the following values for the port:

• None - port is not monitored.

• SoftDown - port belongs to may-go-down portlist.

• HardDown - port belongs to must-go-down portlist.

The default setting is none.

ExtCplimitUtilRate Configures the threshold percentage, from1–100, at which bandwidth utilization triggers themonitoring algorithm.The default value is 50.

Configuring loop detectConfigure loop detect to determine if the same MAC address appears ondifferent ports. Use the optional ARP-Detect feature to account for ARPpackets on IP configured interfaces.

Configure loop detect by performing this procedure.

Procedure steps

Step Action

1 On the device, select a port.



3 Click the VLAN tab.

4 Select the LoopDetect box to enable loop detection.

5 If required, select the ArpDetect box.

6 Select the appropriate action.

7 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Loop Detect optionson the VLAN tab.


NN46205-605 02.05 28 April 2010


.

Configuring CP Limit 209

Variable Value

LoopDetect Activates or disables the loop detectfeature for the port.

ArpDetect Activates ARP-Detect.Activate ARP-Detect and loop detecton routed interfaces.

LoopDetectAction Specifies the loop detect action to betaken.• portDown shuts down the port

when the system detects a flappingMAC address

• vlanBlock shuts down the VLANwhen the system detects flappingMAC address

• macDiscard. ARP-Detect does notsupport macDiscard.

Configuring CP LimitCP Limit functionality protects the switch from becoming congested by anexcess of data flowing through one or more ports. Currently the CP Limitfunctionality only protects the switch from broadcast and control traffic witha QoS value of 7.

Configure CP limit by performing this procedure.

Procedure steps

Step Action


The Edit Port dialog box appears with the Interface tabdisplayed.

2 Click the CP Limit tab.

3 Select Enable or Disable for the CP Limit option.

4 Enter the multicast control frame rate.

5 Enter the broadcast control frame rate.

6 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the CP Limit tab.


NN46205-605 02.05 28 April 2010


.


Variable Value

CpLimitEnable Activates or disables the CP Limitfeature.The default is activated.

CpMulticastLimit Configures the multicast control framerate in a range from 1000–100000pps.The default is 15000.

CpBroadcastLimit Configures the broadcast control framerate in a range from 1000–100000pps.The default is 10000.

AutoRecoverPort Activates or disables auto recovery ofthe port from action taken by CP Limit,link flap, or loop detect features.The default value is disabled.

ExtCplimitConf Configures the way a port participatesin the Extended CP limit functionality.Select one of the following values forthe port:

• None - port is not monitored.

• SoftDown - port belongs tomay-go-down port list.

• HardDown - port belongs tomust-go-down port list.

ExtCplimitUtilRate Configures the threshold percentage,from 1–100, at which bandwidthutilization triggers the monitoringalgorithm. The default value is 50.

Editing the boot fileEdit the boot file to specify configuration settings such as the boot sourceand order for your switch by performing this procedure.

Procedure steps

Step Action

1 Select a SF/CPU card.

2 From the Device Manager menu bar, choose Edit, Card.

The Card dialog box appears with the Card tab displayed.

3 Click the Boot tab.


NN46205-605 02.05 28 April 2010


.

Editing the boot file 211

The Boot tab appears.

4 Change the appropriate settings.

5 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Card, Boot tab.

Variable Value

SwVersion Specifies the currently running softwareversion

LastBootConfigSource Specifies the boot configuration file used mostrecently

LastRuntimeImageSource Specifies the run-time image loaded mostrecently

LastRuntimeConfigSource Specifies the run-time configuration loadedmost recently

PrimaryImageSource Specifies the primary image source file

PrimaryConfigSource Specifies the primary configuration source file

PrimaryBackupConfigSource Specifies the primary backup configurationsource (safeconfig)

SecondaryImageSource Specifies the secondary image source file

SecondaryConfigSource Specifies the secondary configuration sourcefile

TertiaryImageSource Specifies the tertiary image source file

TertiaryConfigSource Specifies the tertiary configuration source file

MezzImageSource Specifies the SuperMezz configuration sourcefile

EnableAutoBoot Activates the autoboot option.

After you power up the switch, the switch waits5 seconds and then starts.If you set this option to false, the boot processstops at the Boot Monitor.

EnableFactoryDefaults Activates the factory defaults option

EnableDebugMode Activates the debug mode option

EnableHwWatchDogTimer Activates the hardware watchdog timer option

EnableRebootOnError Activates the reboot on error option

EnableTelnetServer Activates the Telnet server option


NN46205-605 02.05 28 April 2010


.


Variable Value

EnableRloginServer Activates the rlogin server option

EnableFtpServer Activates the FTP server option

EnableTftpServer Activates the Trivial File Transfer Protocol(TFTP) server option

EnableSshServer Activates the SSH server option

EnableMezz Activates the SuperMezz option

Enable8616ReAutoneg Activates re-autonegotiation on the EthernetRouting Switch 8616

Editing the management port parametersThe management port on the switch fabric/CPU module is a 10/100 Mb/sEthernet port that you can use for an out-of-band management connectionto the switch.

You can use the Mgmt Port dialog box to specify, among other things,management information for the device and to set device configuration.

If you use Device Manager to configure the static routes of themanagement port, you do not receive a warning if you set a non-naturalmask. After you save the changes to the boot.cfg file, those staticroutes are deleted upon the next restart, possibly causing the loss of IPconnectivity to the management port.

If you are uncertain whether the mask you set is non-natural, use the CLIor NNCLI to configure static routes.

Edit the management port parameter by performing this procedure.

Procedure steps

Step Action

1 Select the management port object.

2 From the Device Manager menu bar, choose Edit, Mgmt Port.

The Mgmt Port dialog box appears with the Mgmt Port-IP tabdisplayed.

3 Modify the appropriate settings.

4 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.

Editing the management port CPU route table 213

Variable definitionsUse the data in the following table to configure the Mgmt Port-IP tab.

Variable Value

IfIndex Specifies the slot and port number of the managementport.

Descr Specifies the description of the management port.

AdminStatus Configures the administrative status of the device.

OperStatus Specifies the operational status of the device.

MgmtMacAddr Specifies the MAC address of the management device.

Addr Configures the IP address of the device.

Mask Configures the subnet IP mask.

AutoNegotiate Enables or disables autonegotiate.

AdminDuplex Specifies the administrative duplex mode for themanagement port.

If you change the duplex mode for the managementport, from full to half duplex on a 8649GTR port, thereis a 30 second loss of bidirectional traffic while thesoftware resets.

OperDuplex Specifies the operational duplex configuration for thisport.

AdminSpeed Specifies the administrative speed for this port.

OperSpeed Indicates the operational duplex mode for this port.

EnableBootp Activates or disables BootP.

Editing the management port CPU route tableEdit the management port CPU route table to specify network and gatewayIP addresses used to remotely manage the device.

Open the Mgmt Port Route Table dialog box by performing this procedure.

Procedure steps

Step Action



The Mgmt Port dialog box appears.

3 On the Mgmt Port dialog box, click the CPU Route Table tab.

The CPU Route Table dialog box appears.


NN46205-605 02.05 28 April 2010


.


4 On the Mgmt Port, CPU Route Table dialog box, click Insert.

The Mgmt Port Route Table, Insert CPU Route Table dialog boxappears.

5 Enter the new Network and Gateway IP addresses.

6 Click Insert.

--End--

Variable definitionsUse the data in the following table to configure the Mgmt Port, Insert CPURoute Table tab.

Variable Value

Network Specifies the network IP address.

Gateway Specifies the device gateway IP address.

Configuring the management port IPv6 interface parametersConfigure IPv6 management port parameters to use IPv6 routing on theport by performing this procedure.

Procedure steps

Step Action



The Mgmt Port dialog box appears.

3 On the Mgmt Port dialog box, click the Mgmt Port-IPv6Interface tab.

The Mgmt Port-IPv6 Interface tab appears.

4 Click Insert.

The Mgmt Port, Insert Mgmt Port IPv6 Interface dialog boxappears.

5 Edit the fields as required.

6 Click Insert.

7 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.

Configuring the management port IPv6 interface parameters 215

Variable definitionsUse the data in the following table to configure the Mgmt Port-IPv6Interface dialog box.

Variable Value

Identifier Configures the IPv6 address interface identifiers.Identifier is a binary string of up to 8 octets innetwork byte-order.

IdentifierLength Specifies the length of the Interface Identifier inbits.

Descr Specifies a textual string containing informationabout the interface.Descr string is also set by the networkmanagement system.

ReasmMaxSize Configures the MTU for this IPv6 interface.This value must be same for all the IP addressesdefined on this interface.The default value is 1500.

IPv6 does not support Jumbo Frames in Release4.1.

AdminStatus Configures the indication of whether IPv6is activated (up) or disabled (down) on thisinterface.This object does not affect the state of theinterface, only the interface connection to an IPv6stack.The default is false.

ReachableTime Configures the time a neighbor is consideredreachable after receiving a reachabilityconfirmation. The value is expressed inmilliseconds in a range from 0–3600000.The default value is 30000.

RetransmitTime Configures the time between retransmissions ofneighbor solicitation messages to a neighbor;during address resolution or neighbor reachabilitydiscovery. The value is expressed in millisecondsin a range from 0–3600000.The default value is 1000.

MulticastAdminStatus Configures the status indication for IPv6multicasting on this interface.The default is false.


NN46205-605 02.05 28 April 2010


.


Configuring management port IPv6 addressesConfigure management port IPv6 addresses to add or remove IPv6addresses from the port by performing this procedure.

Nortel supports IPv6 addressing with HTTP, SSH, TELNET, SNMPv3,FTP, RLOGIN, and TFTP access to the switch.

Procedure steps

Step Action

1 In the Device Manager window, select a management port.

2 From the Device Manager toolbar, select Edit, Mgmt Port.


3 Click the Mgmt Port-IPv6 Addresses tab.

The Mgmt Port-IPv6 Addresses tab appears.

4 Click Insert.

The Mgmt Port, Insert Mgmt Port-IPv6 Addresses dialog boxappears.

5 In the Addr box, enter the required IPv6 address for themanagement port.

6 In the AddrLen box, enter the number of bits from the IPv6address you want to advertise.

7 Click Insert.

8 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Mgmt Port, Insert MgmtPort-IPv6 Addresses dialog box.

Variable Value

Addr Specifies the IPv6 address to which this entryaddressing information pertains.

If the IPv6 address exceeds 116 octets, the objectidentifiers (OIDS) of instances of columns in this rowis more than 128 sub identifiers and you cannot useSNMPv1, SNMPv2c, or SNMPv3 to access them.


NN46205-605 02.05 28 April 2010


.

Configuring the CPU IPv6 route table 217

Variable Value

AddrLen Specifies the prefix length value for this address.You cannot change the address length after creation.You must provide this field to create an entry in thistable.

Type Specifies Unicast, the only supported type.

Configuring the CPU IPv6 route tableUse the management port for switch connectivity and management. Aswith other ports, you can configure the management port to route IPv6 andconfigure a number of IP addresses on an interface. The switch does notadvertise the management port address to the other ports.

Configure the CPU IPv6 route table by performing this procedure.

Procedure steps

Step Action

1 In the main Device Manager window, select the managementport.

2 From the Device Manager toolbar, select Edit, Mgmt Port.


3 Click the CPU IPv6 Route Table tab.

The CPU IPv6 Route Table tab appears.

4 Click Insert.

The Mgmt Port, Insert CPU IPv6 Route Table dialog boxappears.


6 Click Insert.

7 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Mgmt Port, Insert CPUIPv6 Route Table dialog box.


NN46205-605 02.05 28 April 2010


.


Variable Value

Network Specifies the IPv6 destination address.

GatewayConfigures the gateway as the IPv6 address of themanagement port.

Editing serial port parametersThe serial ports on the switch fabric/CPU module include the modem portand the console port.

Use the Serial Port dialog box to specify serial port communication settingsby performing this procedure.

Procedure steps

Step Action

1 Select the serial port.

2 Perform one of the following actions:

• Double-click the serial port.

• Right-click the serial port and click Edit.

• From the Device Manager menu bar, choose Edit, SerialPort.

• From the Device Manager menu bar, choose Edit, Select All,Serial Ports, and then choose Edit, Serial Port.

• On the Device Manager toolbar, click the Edit Selectedbutton.

The Serial Port dialog box appears .

3 Edit the port parameters as required.

--End--

Variable definitionsUse the data in the following table to configure the Serial Port dialog box.

Variable Value

IfIndex Specifies the slot and port number of the serial port.

Descr Specifies the description of the serial port.

Mode Specifies the mode in which this port operates.The default is ppp.

BaudRate Specifies the baud rate of this port.The default is 9600.


NN46205-605 02.05 28 April 2010


.

Enabling port lock 219

Variable Value

DataBits Specifies the number of data bits, for each byte of data,this port sends and receives.The default is 7.

MyAddr Specifies this IP address of the port.Use the IP address for both SLIP and PPP modes.

PeerAddr Specifies the peer IP address.Use the peer IP address for both SLIP and PPPmodes.

SlipMtu Specifies the MTU for this port in a range from 0–224.

SlipTxRxCompress Activates or disables compression of TCP/IP packetheaders on this port for SLIP mode only.

SlipRxCompress Activates or disables compression for receiving packetson this port for SLIP mode only.

PppConfigFile Specifies the configuration file to use PPP.

Enabling port lockUse the port lock feature to administratively lock a port or ports to preventother users from changing port parameters or modifying port action. Youcannot modify locked ports until you first unlock the port.

Enable port lock by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Security, ControlPath, General.

The Control Path Security dialog box appears with the Port Locktab visible.

2 To enable port lock, select the Enable box.

3 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Port Lock tab.


NN46205-605 02.05 28 April 2010


.


Variable Value

Enable Activates the port lock feature.

LockedPorts Lists the locked ports.Click the ellipsis (...) button to select the portsyou want to lock or unlock.

Locking a portUse the port lock feature to administratively lock a port or ports to preventother users from changing port parameters or modifying port action. Youcannot modify locked ports until you first unlock the port.

Lock a port by performing this procedure.

Prerequisites

• You must enable port lock before you lock or unlock a port.

Procedure steps

Step Action



2 In the LockedPorts box, click the elipsis button.

The PortLockLockedPorts dialog box appears.

3 Click the desired port or ports.

4 Click Ok.

5 On the Port Lock tab, click Apply .

--End--

Variable definitionsUse the data in the following table to configure the Port Lock tab.

Variable Value

Enable Activates the port lock feature.

LockedPorts Lists the locked ports.Click the ellipsis (...) button to select the ports you wantto lock or unlock.


NN46205-605 02.05 28 April 2010


.

Configuring slot priority 221

Enabling power managementEnable power redundancy to create traps and events after powerconsumption exceeds redundancy capacity by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, select Edit, Chassis.


2 Click the Power Management tab.

The Power Management dialog box appears.

3 Select PowerManagementEnable.

4 Select PowerManagementFanCheckEnable.

5 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Power Managementtab.

Variable Value

PowerManagementEnable Activates power redundancy to createtraps and events if power consumptionexceeds redundancy capacity.

PowerManagementFanCheckEnable

Enables the fan check.

Configuring slot priorityConfigure slot priority to determine which slots shut down when notenough power is available in the chassis. The slot with the lowest priorityshuts down first. Slots with the same priority shut down by highest slotnumber first.

Configure priority of slots by performing this procedure.

Procedure steps

Step Action

1 In Device Manager, select a card.

2 From the Device Manager menu bar, select Edit, Card.


NN46205-605 02.05 28 April 2010


.


3 In the PowerManagementPriority box, select the priority level.

4 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.

223.

Chassis operations configurationusing the CLI



• “Enabling M mode” (page 225)

• “Enabling R mode ” (page 226)



• “Enabling CPU High Availability mode” (page 228)

• “Removing a master CPU with CPU-HA mode activated” (page 231)

• “Enabling jumbo frames” (page 231)


• “Configuring SLPP” (page 233)

• “Configuring SLPP on a port” (page 234)

• “Viewing SLPP information” (page 235)

• “Viewing SLPP information for a port” (page 236)

• “Configuring Extended CP Limit on the chassis” (page 236)

• “Configuring Extended CP Limit on a port” (page 238)






NN46205-605 02.05 28 April 2010


.

224 Chassis operations configuration using the CLI


Table 26Job aid

Command Parameter

<enable|disable>

multicast-limit <value>

config ethernet <slot/port> cp-limit

broadcast-limit <value>

<None|SoftDown|HardDown>config ethernet <ports> ext-cp-limit

threshold-util-rate <value>

<enable|disable>

action <value>

arp-detect

config ethernet <port> loop-detect

<enable|disable>

info

packet-rx <enable|disable>

config ethernet <portlist> slpp

packet-rx-threshold <integer>

config mac-flap-time-limit <10–5000milliseconds>

add <vid>

etherType <pid>

info

operation enable

remove <vid>

config slpp

tx-interval <integer>

<enable|disable>

info

max-ports-to-check <number of ports>

min-congestion-time <time in msec>

port-congestion-time <time in sec>

config sys ext-cp-limit extcplimit

trap-level <Normal|Verbose|None>


NN46205-605 02.05 28 April 2010


.

Enabling M mode 225

Command Parameter

m-mode <true|false>

r-mode <true|false>

enhanced-operational-mode <true|false>

global-filter-ordering <true|false>

info

multicast-check-packet <true|false>

config sys set flags

vlan-optimization-mode <true|false>

fan-check-enable <true|false>

info

power-check-enable <true|false>

config sys set power

slot-priority <slot> <criticial|high|low>

config sys set mtu <bytes>

filter <value>

info

ipmc <value>

local <value>

mac <value>

static-route <value>

config sys set record-reservation

vrrp <value>

Enabling M modeEnable M mode to support up to 128000 table entries in the system byperforming this procedure.

Prerequisites



— All modules installed in the chassis must be M, R, or RS modules,which are capable of supporting 128000 table entries.


NN46205-605 02.05 28 April 2010


.



— You must understand how the modules installed in the chassisaffects the operating mode of the switch.


• M mode and R mode cannot be activated at the same time.

Procedure steps

Step Action

1 Enable M mode by using the following command:

config sys set flags m-mode true



--End--

Enabling R modeEnable R mode to support 256000 IP routes. R mode supports theEthernet Routing Switch 8600 Release 4.0 and later feature sets.


ATTENTIONIf you use 8691 SF/CPU modules in your switch and you attempt to activate246000 IP routes features using the command line interface (CLI), the followingerror message appears: This feature will not be enabled with 8691SF/CPU cards.

Prerequisites


— The system must include R or RS modules only.


The 8648GTR module operates with 8691 and 8692 SF/CPUmodules. To support the 8648GTR with the 8691 SF/CPU, theSF/CPU must be configured with 256MB Synchronous Dynamic


NN46205-605 02.05 28 April 2010


.

Enabling enhanced operational mode 227

Random Access Memory (SDRAM) (the 8692 SF/CPU shipsstandard with 256MB SDRAM). A system with 8691 SF/CPUconfigured with 256MB SDRAM and only 8648GTR interfacemodules meets the conditions for R mode.

— When you configure an Ethernet Routing Switch 8600 system,you consider total power-consumption to ensure propersystem performance. The total input power-consumption ofthe components (modules and fan trays) must not exceed theoutput power rating of the power supply. See your power supplydocument for power supply specifications. For input powerconsumption information, see Nortel Ethernet Routing Switch 8600Installation — Chassis (NN46205-303).

• R mode and M mode cannot be activated at the same time.

Procedure steps

Step Action

1 Enable R mode by using the following command:

config sys set flags r-mode true

The following warning message appears:

Warning: The change made will take effect only after theconfiguration is saved and the full chassis is rebooted.This feature is not applicable to 8690SF/CPU cards.All non-RSP Cards will be taken off-line if r-mode isenabled.



--End--


Procedure steps

Step Action

1 Enable enhanced operational mode by using the followingcommand:


NN46205-605 02.05 28 April 2010


.


config sys set flags enhanced-operational-mode true


3 Restar the switch.

--End--

Enabling global filter orderingEnable the ordering of global filters.

By default, the system stores global filters in the hardware records in theorder that they are applied.

If you enable the ordering of global filters, the system stores global filtersin ascending order by identification number—assign a lower ID number toa global filter so that it is used first; assign a higher ID number to a lessspecific filter.

Enable order of global filter by performing this procedure.

Prerequisites

• Global filter ordering is supported on classic modules only; this featureis not applicable to R or RS modules.

Procedure steps

Step Action

1 Enable global filter ordering by using the following command:

config sys set flags global-filter-ordering true



--End--

Enabling CPU High Availability modeCPU high-availability (HA) mode enables switches with two CPUs torecover quickly from a failure of the master SF/CPU.

Use the procedure in this section to enable CPU HA mode.


NN46205-605 02.05 28 April 2010


.

Enabling CPU High Availability mode 229

Procedure steps

Step Action

1 To enable HA mode, enter the following boot flag command onthe master SF/CPU:

config bootconfig flags ha-cpu true




--End--

Table 15 "Release 3.5 and later synchronization capabilities in HA mode "(page 154) shows which features are supported in each release.

Job aidSee the following sample output for the messages the switch returns whenyou enable HA mode using CLI:

ERS-8610:6# config bootconfig flags ha-cpu trueSave bootconfig to file /flash/boot.cfg successful.Boot configuration is being saved on secondary CPUYou need to reset the secondary CPU for the change to take effect!!Do you want to restart the secondary CPU now (y/n) ? y

ATTENTIONThe preceding autosave of the boot configuration file occurs because thesavetostandby flag is enabled. If this flag is not enabled, a manual save of theboot configuration file on the secondary SF/CPU is required.

Answering the user prompt with a "y" causes the secondary SF/CPU toreset itself automatically, and that secondary SF/CPU restarts with HAmode enabled. You must manually reset the master SF/CPU immediately


NN46205-605 02.05 28 April 2010


.


(before the secondary CPU completes reset). Resetting the primary CPUcauses an interruption to traffic. After the reset completes successfully,the CPUs reverse roles (the CPU that was the primary CPU before resetbecomes the secondary CPU and the CPU that was secondary beforereset becomes the primary CPU).

Disabling CPU High Availability modeUse the procedure in this section to disable CPU HA mode.

Procedure steps

Step Action

1 To disable HA mode, enter the following boot flag command onthe master SF/CPU:

config bootconfig flags ha-cpu false

After disabling HA mode on the master SF/CPU, the secondarySF/CPU automatically resets to load settings from itspreviously-saved boot configuration file. You must manuallyreset the primary SF/CPU while the secondary SF/CPU isbooting.


--End--

Job aidSee the following sample output for the messages the switch returns whenyou disable HA mode using CLI:

ERS-8610:5(config)#config bootconfig flags ha-cpu false

Save bootconfig to file /flash/boot.cfg successful.Save to slave file /flash/boot.cfg successful.CPU5 [02/12/09 15:14:44] SNMP INFO Save to slave file/flash/boot.cfg successful.Boot configuration is being saved on both master and slave.CPU5 [02/12/09 15:14:44] SNMP INFO Save boot successful.

You need to reset the master for the changes to take effect.Resetting Slave CPU from Master CPU.


NN46205-605 02.05 28 April 2010


.

Enabling jumbo frames 231

Removing a master CPU with CPU-HA mode activatedProperly remove the master SF/CPU to avoid loss of traffic if CPU-HA isactivated by performing this procedure.

Procedure steps

Step Action

1 Software reset the master SF/CPU, which becomes the standby.

2 Remove what is now the standby SF/CPU.

The master is removed. Because CPU-HA is activated, no trafficdata is lost during reset.

ATTENTIONReinserting an SF/CPU module before the HA-activated CPUbecomes the master SF/CPU can cause the master SF/CPU toremain in a booting state.

--End--

Enabling jumbo framesEnable jumbo frames to increase the size of Ethernet frames supported onthe chassis by performing this procedure.

Procedure steps

Step Action

1 Enable jumbo frames by using the following command:

config sys set mtu <bytes>

--End--

Variable definitionsUse the data in the following table to configure the config sys set mtucommand.


NN46205-605 02.05 28 April 2010


.


Variable Value

<bytes> The control plane (CPU, CPP) doesnot support Jumbo frames, but canlearn properly when you use Jumboframes.You can use mtu <bytes> to activateJumbo frame support for the datapath.• bytes is the Ethernet Frame size,

either 1522, 1950 (default), or 9600bytes. Settings of either 1950 or9600 bytes activate Jumbo framesupport.

Jumbo frame support is activated bydefault.


Prerequisites

• You can reserve records only on modules E and M.

Procedure steps

Step Action

1 At the prompt, enterconfig sys set record-reservation [filter<value>|info|ipmc <value>|local <value>|mac<value>|static-route <value>|vrrp <value>]

--End--

Variable definitionsUse the data in the following table to configure config sysrecord-reservation.

Variable Value

filter <value> Configure reservation for filter record type.Enter a filter value between 1025 and 8192.The default value is 4096.


NN46205-605 02.05 28 April 2010


.

Configuring SLPP 233

Variable Value

info Show current level parameter settings and nextlevel directories.

ipmc <value> Configure reservation for ipmc record type.Enter an ipmc value between 0 and 8000.The default value is 500.

local <value Configure reservation for local record type.Enter a local value between 0 and 16000.The default value is 2000.

mac <value> Configure reservation for mac record type.Enter a mac value between 0 and 200000.The default value is 2000.

static-route <value> Configure reservation for static-route recordtype.Enter a route value between 0 and 1000.The default value is 200.

vrrp <value> Configure reservation for vrrp record type.Enter a vrrp value between 0 and 510.The default value is 500.

Configuring SLPPEnable the Simple Loop Prevention Protocol (SLPP) globally and ona VLAN to detect a loop and automatically stop it by performing thisprocedure.

Procedure steps

Step Action

1 Enable SLPP by using the following command:

config slpp operation enable

2 Specify the SLPP protocol ID by using the following command:

config slpp etherType <pid>

3 Configure the transmission interval by using the followingcommand:

config slpp tx-interval <integer>

4 Add a VLAN to the transmission list by using the followingcommand:

config slpp add <vid>

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the config slpp command.

Variable Value

add <vid> Adds a VLAN to a SLPP transmissionlist.• <vid> is the VLAN ID.

etherType <pid> Specifies the SLPP PDU Ethernettype.• <pid> is the SLPP protocol ID in

hexadecimal format.

info Shows current level parameter settingsand next level directories.

operation <enable|disable> Enables or disables the SLPPoperation.

ATTENTIONIf the SLPP operation is disabled,the system sends no SLPP packetsand discards received SLPPpackets.The SLPP packets transmitand receive process is active only ifthe SLPP operation is enabled.

remove <vid> Removes a VLAN from a SLPPtransmission list.• <vid> is the ID of the VLAN.

tx-interval <integer> Configures the SLPP packet transmitinterval, expressed in milliseconds in arange from 500–5000.• <integer> is the SLPP packet

transmit interval.


Configuring SLPP on a portEnable SLPP on a port to detect, and automatically terminate, a loop byperforming this procedure.



NN46205-605 02.05 28 April 2010


.

Viewing SLPP information 235

Procedure steps

Step Action

1 Configure SLPP on a port by using the following command:

config ethernet <portlist> slpp

--End--

Variable definitionsUse the data in the following table to use the config ethernet<portlist> slpp command.

Variable Value

info Shows current level parameter settingsand next level directories.

packet-rx <enable|disable> Activates or disables SLPP packetreception on the listed ports.

packet-rx-threshold <integer> Specifies the threshold for packetreception. The SLPP packet receivethreshold is set to a value (1- 500) thatrepresents the number of SLPP-PDUsthat must be received to shut downthe port. Note that this is a port-levelparameter, therefore if the port istagged, SLPP-PDUs from the variousVLANs increment this single thresholdcounter.


<portlist> Identifies the slot/port.

Viewing SLPP informationUse SLPP information to view simple loop information by performing thisprocedure.

Procedure steps

Step Action

1 View SLPP information by using the following command:


NN46205-605 02.05 28 April 2010


.


show slpp info

--End--

Viewing SLPP information for a portShow SLPP information for a port so that you can view the loopinformation for a port by performing this procedure.

Procedure steps

Step Action

1 Show the SLPP information for a port or all ports by using thefollowing command.

show ports info slpp [port <slot/port>]

--End--

Variable definitionsUse the data in the following table to help you view the SLPP portinformation.

Variable Value

PORT NUM Specifies the port number.

PKT-RX Specifies whether SLPP is enabled ordisabled.

PKT-RX THRESHOLD Specifies the configured SLPP receivethreshold configured on the port.

INCOMING VLAN ID VLAN Specifies the ID of the classifiedpacket on a port disabled by SLPP.

SLPP PDU ORIGINATOR Specifies the originator of the SLPPPDU.

Configuring Extended CP Limit on the chassisCP Limit functionality protects the switch from becoming congested by anexcess of data flowing through one or more ports. Currently the CP Limitfunctionality only protects the switch from broadcast and control traffic witha QoS value of 7. The Extended CP Limit functionality is configurable andyou can use it to prevent overwhelming the switch.

Configure extended CP Limit on the chassis by performing this procedure.


NN46205-605 02.05 28 April 2010


.

Configuring Extended CP Limit on the chassis 237

Procedure steps

Step Action

1 Enable Extended CP Limit by using the following command:

config sys ext-cp-limit extcplimit enable

2 Configure additional optional parameters

--End--

Variable definitionsUse the data in the following table to use the config sys ext-cp-limitcommand.

Variable Value

extcplimit <enable|disable>

Configures the extended CP limit.The default is disabled.

info Specifies the current configuration.

max-ports-to-check<number of ports>

Configures the total number of ports tomonitor.

• number of ports is in the range of 0–512.The default is 0.

min-congestion-time<time in msec>

Configures the minimum time for whichtraffic keeps hitting the SF/CPU to trigger thecongestion algorithm.

• time in msec is the time in milliseconds inthe range of 100–600000.The default value is 3000.


NN46205-605 02.05 28 April 2010


.


Variable Value

port-congestion-time<time in sec>

Configures the time duration for which, if thebandwidth utilization for a monitoring portremains more than the threshold, the port isdisabled.

• time in sec is the time in seconds in therange of 1–600.The default value is 5 seconds.

trap-level <Normal|Verbose|None>

Configures the trap level. The options are:

• Normal–sends a single trap for all the portswhich are disabled.

• Verbose–sends a trap for each of the portswhich is disabled.

• None–no traps are sent.

The default value is None.

Configuring Extended CP Limit on a portCP Limit functionality protects the switch from becoming congested by anexcess of data flowing through one or more ports. Currently the CP Limitfunctionality only protects the switch from broadcast and control traffic witha QoS value of 7. The Extended CP Limit functionality is configurable andyou can use it to prevent overwhelming the switch.

Configure extended CP Limit on a port by performing this procedure.

Procedure steps

Step Action

1 Configure Extended CP Limit on a port by using the followingcommand:

config ethernet <ports> ext-cp-limit <None|SoftDown|HardDown> [threshold-util-rate <value>]

--End--

Variable definitionsUse the data in the following table to use the config ethernetext-cp-limit command.


NN46205-605 02.05 28 April 2010


.

Configuring loop detect 239

Variable Value

<None|SoftDown|HardDown> Indicates the following:• None–the port does not need to be

checked.

• SoftDown–the port belongs to themay-go-down-port-list.

• HardDown–the port belongs to themust-go-down-port-list.

<ports> Specifies a port or list of ports.

threshold-util-rate Specifies the threshold bandwidthutilization rate expressed in per cent ina range from 1–100.The default value is 50.

Configuring loop detectConfigure loop detect to determine if the same MAC address appears ondifferent ports. Use the ARP-Detect feature to account for ARP packetson IP configured interfaces.


Procedure steps

Step Action

1 Configure loop detect by using the following command:

config ethernet <port> loop-detect <enable|disable>action <value>

2 Configure the interval at which MAC addresses are monitored:

config mac-flap-time-limit <10..5000 milliseconds>

--End--

Variable definitionsUse the data in the following table to use the config ethernetloop-detect command.


NN46205-605 02.05 28 April 2010


.


Variable Value

action <value> Specifies the loop detect action to betaken.• port-down shuts down the port

upon detecting a flapping MACaddress

• vlan-block shuts down the VLANupon detecting a flapping MACaddress

• mac-discard. ARP-Detect does notsupport this action.

arp-detect Activates ARP-Detect.On routed interfaces, activateARP-Detect with loop detect.

<enable|disable> Activates or disables the loop detectfeature for the port.

Configuring CP LimitCP Limit functionality protects the switch from becoming congestedby excess data flowing through one or more ports by performing thisprocedure.

Procedure steps

Step Action

1 Configure CP Limit by using the following command:

config ethernet <slot/port> cp-limit <enable|disable>[multicast-limit <value>] [broadcast-limit <value>]

--End--

Variable definitionsUse the data in the following table to use the config ethernetcp-limit command.

Variable Value

broadcast-limit <value> Configures the broadcast control framerate expressed as pps in a range from1000–100000.The default value is 10000.


NN46205-605 02.05 28 April 2010


.


Variable Value

<enable|disable> Activates or disables the CP Limitfeature.The default is activated.

info Specifies the configured parametersfor CP Limit.The syntax for this command is:config ethernet slot/port info

multicast-limit <value> Configures the multicast control framerate expressed in pps in a range from1000–100000.The default value is 15000.


Procedure steps

Step Action

1 At the prompt, enter config sys set power.

2 Configure power management by using the following command:

power-check-enable true

You must save the run-time configuration and reset the switchfor this change to take effect.

--End--

Configuring slot priorityConfigure slot priority to determine which slots shut down if not enoughpower is available in the chassis. The slot with the lowest priority shutsdown first. Slots with the same priority shut down by highest slot numberfirst.

Configure priority of slots by performing this procedure.

Procedure steps

Step Action

1 Configure slot priority by using the following command:


NN46205-605 02.05 28 April 2010


.


config sys set power slot-priority <slot> <critical|high|low>

--End--

Variable definitionsUse the data in the following table to use the config sys set powerslot-priority command.

Variable Value

<critical|high|low> Configures the priority for the slot.

slot Specifies the slot for which to set thepriority value.You can configure priority for slots 1–4and 7–10.


NN46205-605 02.05 28 April 2010


.

243.

Chassis operations configurationusing the NNCLI



• “Enabling M mode ” (page 245)

• “Enabling R mode ” (page 246)



• “Enabling the CPU High Availability mode” (page 248)

• “Removing a master SF/CPU with CPU-HA mode activated” (page251)

• “Enabling jumbo frames” (page 252)


• “Configuring SLPP” (page 254)

• “Configuring SLPP on a port” (page 256)

• “Viewing SLPP information” (page 257)

• “Viewing SLPP information for a port” (page 257)

• “Configuring Extended CP Limit on the chassis” (page 258)

• “Configuring Extended CP Limit on a port” (page 260)






NN46205-605 02.05 28 April 2010


.

244 Chassis operations configuration using the NNCLI


Table 27Job aid

Command Parameter


boot config flags ha-cpu

mac-flap-time-limit <10–5000milliseconds>

enable

ethertype

operation

tx-interval

slpp

vid

max-ports-to-check <value>

min-congestion-time <time>

port-congestion-time <time>

sys ext-cp-limit

trap-level <dummy|None|Normal|Verbose>

enhanced-operational-mode

global-filter-ordering

multicast-check-packet

m-mode

r-mode

sys flags

vlan-optimization-mode

sys mtu <bytes>

sys power

sys power slot-priority <1–10> critical|high|low

filter <value>

ipmc <value>

local <value>

mac <value>

static-route <value>

sys record-reservation

vrrp <value>

Interface Configuration mode


NN46205-605 02.05 28 April 2010


.

Enabling M mode 245

Command Parameter

broadcast-limit <value>cp-limit port

multicast-limit <value>

<None|SoftDown|HardDown>ext-cp-limit port <PortList>

threshold-util-rate <value>

action <mac-discard|port-down|vlan-block>

loop-detect

arp-detect

packet-rx

packet-rx-threshold <1-500>

slpp port <portlist>

port <portlist>


show slpp interface

GigabitEthernet <slot/port>

Fastethernet <slot/port>

Enabling M modeEnable M mode to support up to 128 000 table entries in the system byperforming this procedure.

Prerequisites



— All modules installed in the chassis must be M, R, or RS modules,which are capable of supporting 128 000 table entries.


— You must understand how the modules installed in the chassisaffects the operating mode of the switch.


• M mode and R mode cannot be activated at the same time.



NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Enable M mode by using the following command:

sys flags m-mode



--End--

Enabling R modeEnable R mode to support 256000 IP routes. R mode supports the NortelEthernet Routing Switch 8600 Release 4.0 and later feature sets.


ATTENTIONIf you use 8691 SF/CPU modules in your switch and you attempt to activate246000 IP routes features using the NNCLI, the following error messageappears: This feature will not be enabled with 8691 SF/CPU cards.

Prerequisites


— The system must include R or RS modules only.


The 8648GTR module operates with 8691 and 8692 SF/CPUmodules. To support the 8648GTR with the 8691 SF/CPU, theSF/CPU must be configured with 256MB Synchronous DynamicRandom Access Memory (SDRAM) (the 8692 SF/CPU shipsstandard with 256MB SDRAM). A system with 8691 SF/CPUconfigured with 256MB SDRAM and only 8648GTR interfacemodules meets the conditions for R mode.

— When configuring an Ethernet Routing Switch 8600 system,you consider total power-consumption to ensure propersystem performance. The total input power-consumption ofthe components (modules and fan trays) must not exceed theoutput power rating of the power supply. See your power supplydocument for power supply specifications. For input power


NN46205-605 02.05 28 April 2010


.

Enabling enhanced operational mode 247

consumption information, see Nortel Ethernet Routing Switch 8600Installation — Chassis (NN46205-303).

• R mode and M mode cannot be activated at the same time.


Procedure steps

Step Action

1 Enable R mode by using the following command:

sys flags r-mode

The following warning message appears:

Warning: The change made will take effect only after theconfiguration is saved and the full chassis is rebooted.This feature is not applicable to 8690SF/CPU cards.All non-RSP Cards will be taken off-line if r-mode isenabled.



--End--


Prerequisites


Procedure steps

Step Action

1 Enable enhanced operational mode by using the followingcommand:

sys flags enhanced-operational-mode



NN46205-605 02.05 28 April 2010


.



--End--

Enabling global filter orderingEnable the ordering of global filters. By default, global filters are stored inthe hardware records in the order that they are applied. When you enablethe ordering of global filters, global filters are stored in the order of theirIDs. To ensure that a global filter is used first, you need to assign a lowerID to that filter; or assign a higher ID to a less specific filter.

Enable order of global filter by performing this procedure.

ATTENTIONGlobal filter ordering is supported only on classic modules; this feature is notapplicable to R or RS modules.

Prerequisites


Procedure steps

Step Action

1 Enable global filter ordering by using the following command:

sys flags global-filter-ordering true



--End--

Enabling the CPU High Availability modeCPU high-availability (HA) mode enables switches with two CPUs torecover quickly from a failure of the master SF/CPU.

Use the procedure in this section to enable CPU HA mode.

Prerequisites



NN46205-605 02.05 28 April 2010


.

Enabling the CPU High Availability mode 249

Procedure steps

Step Action

1 To enable HA mode, enter the following boot flag command onthe master SF/CPU:

boot config flags ha-cpu




--End--

Table 15 "Release 3.5 and later synchronization capabilities in HA mode "(page 154) shows which features are supported in each release.

Job aidSee the following sample output for the messages while enabling the HAmode using NNCLI:

ERS-8610:6(config)#boot config flags ha-cpu

The config files on the Master and Slave will be overwritten withthe current active configuration.Note:-POS/ATM card not supported in HA mode.-IPX will be disabled globally.-Layer 2/3 features except IPX will be enabled in L2/L3redundancy mode.

Do you want to continue (y/n) ? ySave bootconfig to file /flash/boot.cfg successful.Save to slave file /flash/boot.cfg successful.


NN46205-605 02.05 28 April 2010


.


CPU6 [02/02/09 12:41:33] SNMP INFO Save to slave file/flash/boot.cfg successful.CPU6 [02/02/09 12:41:33] SNMP INFO Save boot successful.

Boot configuration is being saved on both master and slave.Save config to file /flash/config.cfg successful.Save to slave file /flash/config.cfg successful.CPU6 [02/02/09 12:41:37] SNMP INFO Save config successful.

Runtime configuration is being saved on master and slave.

You need to reset the master for the changes to take effect.Resetting Slave CPU from Master CPU.

ATTENTIONThe preceding autosave of the boot configuration file occurs because thesavetostandby flag is enabled. If this flag is not enabled, a manual save of theboot configuration file on the secondary SF/CPU is required.

Answering the user prompt with a "y" causes the secondary SF/CPU toreset itself automatically, and that secondary SF/CPU restarts with HAmode enabled. You must manually reset the master SF/CPU immediately(before the secondary CPU completes reset). Resetting the primary CPUcauses an interruption to traffic. After the reset completes successfully,the CPUs reverse roles (the CPU that was the primary CPU before resetbecomes the secondary CPU and the CPU that was secondary beforereset becomes the primary CPU).

Disabling CPU High Availability modeUse the procedure in this section to disable CPU HA mode.

Prerequisites


Procedure steps

Step Action

1 To disable HA mode, enter the following boot flag command onthe master SF/CPU:

no boot config flags ha-cpu

After disabling HA mode on the master SF/CPU, the secondarySF/CPU automatically resets to load settings from itspreviously-saved boot configuration file. You must manuallyreset the primary SF/CPU while the secondary SF/CPU isbooting.


NN46205-605 02.05 28 April 2010


.

Removing a master SF/CPU with CPU-HA mode activated 251


--End--

Job aidSee the following sample output for the messages the switch returns whenyou disable HA mode using NNCLI:

ERS-8610:5(config)#no boot config flags ha-cpu

Note:-savetostandby flag is TRUE. Modify the same if required.

Save bootconfig to file /flash/boot.cfg successful.Save to slave file /flash/boot.cfg successful.

Boot configuration is being saved on both master and slave.CPU5 [02/02/09 12:30:19] SNMP INFO Save to slave file/flash/boot.cfg successful.CPU5 [02/02/09 12:30:19] SNMP INFO Save boot successful.You need to reset the master for the changes to take effect.Resetting Slave CPU from Master CPU.

Removing a master SF/CPU with CPU-HA mode activatedProperly remove the master SF/CPU to avoid loss of traffic if CPU-HA isactivated by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Software reset the master SF/CPU to becomes the standby.

2 Remove the standby SF/CPU.

The master is removed. Because CPU-HA is activated, no trafficdata is lost during reset.


NN46205-605 02.05 28 April 2010


.


ATTENTIONReinserting a SF/CPU module before the HA-activated SF/CPUbecomes the master SF/CPU can cause the master SF/CPU toremain in a booting state.

--End--

Enabling jumbo framesEnable jumbo frames to increase the size of Ethernet frames supported onthe chassis by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Enable jumbo frames by using the following command:

sys mtu <bytes>

--End--

Variable definitionsUse the data in the following table to configure the sys mtu command.

Variable Value

<bytes> The control plane (CPU, CPP) doesnot support Jumbo frames, but canlearn properly when you use Jumboframes.You can use mtu <bytes> to activateJumbo frames support for the datapath.• bytes is the Ethernet Frame size,

either 1522, 1950 (default), or 9600bytes. Settings of either 1950 or9600 bytes activate Jumbo framesupport.

Jumbo frame support is activated bydefault.


NN46205-605 02.05 28 April 2010


.

Reserving records 253


Prerequisites

• You can reserve records only on modules E and M.

• You must use this command in the NNCLI Global configurationcommand mode.

Procedure steps

Step Action

1 At the Global configuration prompt, entersys record-reservation [filter <value>|ipmc<value>|local <value>|mac <value>|static-route<value>|vrrp <value>]

--End--

Variable definitionsUse the data in the following table to configure sys record-reservation.

Variable Value

filter <value> Configure reservation for filter record typeexpressed in a range from 1025–8192.The default value is 4096

ipmc <value> Configure reservation for ipmc record typeexpressed as an ipmc value in a range from0–8000.The default value is 500.

local <value Configure reservation for local record typeexpressed as a local value in a range from0–16000.The default value is 2000.

mac <value> Configure reservation for mac record typeexpressed as a mac value in a range from0–200000.The default value is 2000.


NN46205-605 02.05 28 April 2010


.


Variable Value

static-route <value> Configure reservation for static-route recordtype expressed as a route value in a range from0–1000.The default value is 200.

vrrp <value> Configure reservation for vrrp record typeexpressed as a vrrp value from 0–510.The default value is 500.

Job aidAfter you enter the show sys record-reservation command, thesystem displays the HW Record Reservation table. The following tableexplains the column headings in the HW Record Reservation table.

Column heading Description

Record Type Identifies the record type as follows:• filter

• ipmc

• local

• mac

• static-route

• vrrp

Reserved Specifies the number of hardware recordsreserved for the record type.

Used Specifies the number of hardware recordsactually used by the record type.

New-Reserved Specifies the number of hardware recordsreserved for this record type after a switch resetif you save the current configuration.

Def-Reserved Specifies the number of hardware recordsreserved for this record type after a switch resetif you use the factory default configuration.

Configuring SLPPEnable the Simple Loop Prevention Protocol (SLPP) globally and ona VLAN to detect a loop and automatically stop it by performing thisprocedure.

Prerequisites



NN46205-605 02.05 28 April 2010


.

Configuring SLPP 255

Procedure steps

Step Action

1 Enable SLPP by using the following command:

slpp operation

2 Specify the PDU Ether type by using the following command:

slpp ethertype <pid>

3 Configure the transmission interval by using the followingcommand:

slpp tx-interval <integer>

4 Add a VLAN to the transmission list by using the followingcommand:

slpp <vid>

--End--

Variable definitionsUse the data in the following table to use the slpp command.

Variable Value

ethertype <pid> Specifies the SLPP PDU Ethernettype.• <pid> is the SLPP protocol ID

expressed as an integer from1–65535.


operation Enables or disables the SLPPoperation.

You must enable the SLPP operationto enable the SLPP packet transmitand receive process.

If you disable the SLPP operation, thesystem sends no SLPP packets anddiscards received SLPP packets.



NN46205-605 02.05 28 April 2010


.


Variable Value

tx-interval <integer> Configures the SLPP packet transmitinterval.• <integer> is the SLPP packet

transmit interval expressed inmilliseconds in a range from500–5000.

The default value is 500.To set this option to the default value,use the default operator with thecommand.

<vid> Adds a VLAN to a SLPP transmissionlist.• <vid> is the VLAN ID expressed in

a range from 1–4095.

Use the no operator to remove thisconfiguration.

Configuring SLPP on a portEnable SLPP by port to detect a loop and automatically stop it byperforming this procedure.


Prerequisites

• You must log on to the NNCLI FastEthernet or GigabitEthernetInterface Configuration mode.

Procedure steps

Step Action

1 Configure SLPP on a port by using the following command:

slpp port <portlist> [packet-rx] [packet-rx-threshold<1-500>]

--End--

Variable definitionsUse the data in the following table to use the slpp port command.


NN46205-605 02.05 28 April 2010


.

Viewing SLPP information for a port 257

Variable Value

packet-rx Activates SLPP packet reception onthe listed ports.To set this option to the default value,use the default operator with thecommand.

packet-rx-threshold <1-500> Specifies the threshold for packetreception. The SLPP packet receivethreshold is set to a value (1- 500) thatrepresents the number of SLPP-PDUsthat must be received to shut downthe port. Note that this is a port-levelparameter, therefore if the port istagged, SLPP-PDUs from the variousVLANs increment this single thresholdcounter.


<portlist> Identifies the slot/port.

Viewing SLPP informationUse SLPP information to view loop information by performing thisprocedure.

Prerequisites


Procedure steps

Step Action

1 View SLPP information by using the following command:

show slpp

--End--

Viewing SLPP information for a portShow SLPP information for a port so that you can view the loopinformation for a port by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Prerequisites


Procedure steps

Step Action

1 View SLPP information for a port by using the followingcommand:

show slpp interface

--End--

Configuring Extended CP Limit on the chassisCP Limit functionality protects the switch from becoming congested byexcess data flowing through one or more ports.You can configure the Extended CP Limit functionality to prevent theswitch from being overwhelmed.

Currently the CP Limit functionality only protects the switch from broadcastand control traffic with a QoS value of 7.

Configure extended CP Limit on the chassis by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure Extended CP Limit by using the following command:

sys ext-cp-limit [max-ports-to-check <value>][min-congestion-time <time>] [port-congestion-time<time>] [trap-level <dummy|None|Normal|Verbose>]

--End--

Variable definitionsUse the data in the following table to use the sys ext-cp-limitcommand.


NN46205-605 02.05 28 April 2010


.

Configuring Extended CP Limit on the chassis 259

Variable Value

max-ports-to-check<number of ports>

Configures the total number of ports tomonitor.

• number of ports is expressed in a rangefrom 0–512.The default value is 0.


min-congestion-time<time in msec>

Configures the minimum time required totrigger the congestion algorithm (while trafficcontinues to hit the SF/CPU).

• time in msec is expressed milliseconds ina range from 100–600000.The default value is 300.


port-congestion-time<time in sec>

Specifies the duration that the monitoring portbandwidth utilization can exceed thresholdbefore the system disables the port.

• time in sec is expressed in a range from1–600.The default value is 5.


trap-level <dummy|None|Normal|Verbose>

Configures the trap level.Trap levels are:

• dummy

• None–no traps are sent

• Normal–sends a single trap for all disabledports

• Verbose–sends a trap for each disabledport

The default value is None.



NN46205-605 02.05 28 April 2010


.


Configuring Extended CP Limit on a portCP Limit functionality protects the switch from becoming congestedby excess data flowing through one or more ports. You can configureExtended CP Limit functionality to prevent excess data from overwhelmingthe switch.

Configure extended CP Limit on a port by performing this procedure.

Prerequisites

• You must log on to theNNCLI FastEthernet or GigabitEthernet Interfaceconfiguration mode.

Procedure steps

Step Action

1 Configure Extended CP Limit on a port by using the followingcommand:

ext-cp-limit port <PortList> <None|SoftDown|HardDown>[threshold-util-rate <value>]

--End--

Variable definitionsUse the data in the following table to use the ext-cp-limit command.

Variable Value

<None|SoftDown|HardDown> Specifies port status as follows:• None–the port does not need to be

checked.

• SoftDown–the port belongs to themay-go-down-port-list.

• HardDown–the port belongs to themust-go-down-port-list.

port <PortList> Specifies a port or list of ports.

threshold-util-rate Specifies the threshold bandwidthutilization expressed as per cent in arange from 1–100.The default value is 50.To set this option to the default value,use the default operator with thecommand.


NN46205-605 02.05 28 April 2010


.

Configuring loop detect 261

Configuring loop detectConfigure loop detect to determine if the same MAC address appears ondifferent ports. Use the ARP-Detect feature to account for ARP packetson IP configured interfaces.


Prerequisites

• To use the loop-detect command, you must log on to the FastEthernetor GigabitEthernet Interface Configuration mode.

• Complete the remainder of the procedure in Global Configurationmode.

• On routed interfaces you must activate ARP-Detect with loop detect.

Procedure steps

Step Action

1 Configure loop detect by using the following command:

loop-detect action <mac-discard|port-down|vlan-block>arp-detect

2 Exit to Global Configuration mode:

exit

3 Configure the interval at which MAC addresses are monitored:

mac-flap-time-limit <10–5000 milliseconds>

--End--

Variable definitionsUse the data in the following table to use the loop-detect command.


NN46205-605 02.05 28 April 2010


.


Variable Value

action <mac-discard|port-down|vlan-block>

Specifies the loop detect action to betaken.• port-down shuts down the port if

the system detects a flapping MACaddress

• vlan-block shuts down the VLAN ifthe system detects a flapping MACaddress

• mac-discard. ARP-Detect does notsupport this action.

arp-detect Activates ARP-Detect.

Configuring CP LimitCP Limit functionality protects the switch from becoming congestedby excess data flowing through one or more ports by performing thisprocedure.

Prerequisites

• You must log on to the NNCLI FastEthernet or GigabitEthernetInterface Configuration mode.

Procedure steps

Step Action

1 Configure CP Limit by using the following command:

cp-limit port [multicast-limit <value>] [broadcast-limit <value>]

--End--

Variable definitionsUse the data in the following table to use the cp-limit command.

Variable Value

broadcast-limit <value> Configures the broadcast control framerate expressed as pps in a range from1000–100000.The default value is 10000.To set this option to the default value,use the default operator with thecommand.


NN46205-605 02.05 28 April 2010


.


Variable Value

multicast-limit <value> Configures the multicast control framerate expressed as pps in a range from1000–100000.The default is 15000.To set this option to the default value,use the default operator with thecommand.

port Specifies a port or list of ports.To set this option to the default value,use the default operator with thecommand.


Prerequisites


Procedure steps

Step Action

1 Enable power management by using the following command:

sys power

--End--

Configuring slot priorityConfigure slot priority to determine which slots shut down if insufficientpower is available in the chassis.The slot with the lowest priority shuts down first.Slots with the same priority shut down in descending order (highest slotnumber first).

Configure priority of a slot by performing this procedure.

Prerequisites



NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Configure slot priority by using the following command:

sys power slot-priority <1–10> {critical|high|low}

--End--

Variable definitionsUse the data in the following table to use the sys power slot-prioritycommand.

Variable Value

critical|high|low Specifies slot priority.

1–10 Designates the slot for priority setting.You can configure priority for slots 1–4and 7–10.To set this option to the default value,use the default operator with thecommand.


NN46205-605 02.05 28 April 2010


.

265.

Hardware status using Device ManagerThis sections provides methods to check the status of basic hardwareinstalled in the chassis.

Hardware status navigation• “Viewing card information” (page 265)

• “Viewing fan details” (page 266)

• “Viewing MDA parameters” (page 267)

• “Viewing power supply parameters” (page 268)

Viewing card informationView the administrative status for all input/output (I/O) cards except theSF/CPU card.

Procedure steps

Step Action

1 Select one or more modules.


• Double-click the module.

• Right-click the module. On the shortcut menu, choose Edit.

• From the Device Manager menu bar, choose Edit, Card.

• From the Device Manager menu bar, choose Edit, Select All,Cards, and then choose Edit, Card.

• On the Device Manager toolbar, click Edit Selected.


--End--


NN46205-605 02.05 28 April 2010


.

266 Hardware status using Device Manager

Variable definitionsUse the data in the following table to use the Card, Card tab.

Variable Value

FrontTypeBackType

Indicates card types in the Ethernet RoutingSwitch 8600.Front refers to the I/O portion of the module,the I/O card.

FrontDescriptionBackDescription

Specifies the model number of the module.

FrontAdminStatus Indicates the administrative status of the card.

FrontOperStatus Indicates the operational status of thedesignated module.

FrontSerialNumBackSerialNum

Specifies the serial number of the I/O card.

FrontHwVersionBackHwVersion

Specifies the hardware version of the I/Ocard.

FrontPartNumberBackPartNumber

Specifies the part number of the I/O card.

FrontDateCodeBackDateCode

Specifies the manufacturing date code for theI/O card.

FrontDeviationsBackDeviations

Shows deviations.

PowerManagementPriority Configures the priority level for the slot.Configure slot priority to determine whichslots shut down if insufficient power isavailable in the chassis. The slot with thelowest priority shuts down first.Slots with the same priority shut down indescending order (highest slot number first).

PCMCIAType Indicate the type of Personal ComputerMemory Card International Association(PCMCIA) card currently installed in thisSF/CPU card.

For non-SF/CPU cards, this variable is set tonone.

PCMCIADescr Specifies the PCMCIA description, if installed.

Viewing fan detailsThe Fan dialog box provides read-only information about the operatingstatus of the switch fans.


NN46205-605 02.05 28 April 2010


.

Viewing MDA parameters 267

Procedure steps

Step Action

1 Select the fan object.


• Double-click the fan object.

• Right-click the fan object and click Edit.

• From the Device Manager menu bar, choose Edit, Fan.

• From the Device Manager menu bar, choose Edit, Select All,Fan, and then choose Edit, Fan.


--End--

Variable definitionsUse the data in the following table to use the Fan, Details tab.

Variable Value

Id Specifies the fan ID.

OperStatus Specifies the status of the fan as follows:

• unknown—status cannot be determined.

• up—present and supplying power.

• down—present, but failure indicated.

Type Indicates the fan type. Fan types are thefollowing:

• unknown—type cannot be determined.

• regularSpeed—a regular speed fan ispresent.

• highSpeed—a high speed fan is present.

AmbientTemperature Indicates the temperature of the air enteringthe fan.

Viewing MDA parametersThe media dependent adapter (MDA) dialog box provides read-onlyinformation about the operating status of the switch MDAs.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Select the MDA object.


• Double-click the MDA object.

• Right-click the MDA object and click Edit.

• From the Device Manager menu bar, choose Edit, MDA.

• From the Device Manager menu bar, choose Edit, Select All,MDA , and then choose Edit, MDA.


The MDA dialog box appears.

--End--

Variable definitionsUse the data in the following table to use the MDS dialog box.

Variable Value

Type Specifies the media type of the MDA as one ofthe following:

• OC-3 SMF MDA

• OC-3 MMF MDA

• OC-12 SMF MDA

• OC-12 MMF MDA—rc2klx0c12cBaseMM

Description Specifies a description of the MDA as one ofthe following:

• OC-3 SMF MDA—Quad OC-3 SM

• OC-3 MMF MDA—Quad OC-3 MM

• OC-12 SMF MDA—Single Port OC-12 SM

• OC-12 MMF MDA —Single Port OC-12 MM

Viewing power supply parametersThe Power Supply dialog box provides read-only information about theoperating status of the switch power supplies.


NN46205-605 02.05 28 April 2010


.

Viewing power supply parameters 269

Procedure steps

Step Action

1 Select the power supply object.


• Double-click the power supply object.

• Right-click the power supply object and click Edit.

• From the Device Manager menu bar, choose Edit, PowerSupply.

• From the Device Manager menu bar, choose Edit, Select All,Power Supplies, and then choose Edit, Power Supply.


The PowerSupply Detail tab appears.

--End--

Variable definitionsUse the information in the following table to understand the Power Supply,Detail tab.

Variable Value

Type Describes the type of power used—AC or DC.

Description Provides a description of the power supply.

SerialNumber Specifies the power supply serial number.

HardwareRevision Specifies the hardware revision number.

PartNumber Specifies the power supply part number.

PowerSupplyOperStatus Specifies the status of the power supply asone of the following:.• on (up)

• off (down)


NN46205-605 02.05 28 April 2010


.


Variable Value

InputLineVoltage Specifies the input line voltage.There are two possible states:• low 110v—power supply connected to a

110 Volt source

• high 220v—power supply connected to a220 Volt source

If the power supplies in a chassis are notof identical input line voltage values, theoperating line voltage displays the low 110vvalue.

OperLineVoltage Specifies the operating line voltage.There are two possible states:• low 110v—output power equivalent to

power supply operating with a 110 Voltinput

• high 220v—output power equivalent topower supply operating with a 220 Voltinput

If the power supplies in a chassis are notof identical input line voltage values, theoperating line voltage displays the low 110vvalue.


NN46205-605 02.05 28 April 2010


.

271.

System access fundamentalsThis section contains conceptual information about accessing the NortelEthernet Routing Switch 8600 and creating users and user passwords foraccess.

Navigation• “Logging on to the system” (page 271)

• “Managing the switch using different VRF contexts” (page 273)

• “CLI passwords” (page 274)

• “Access policies for services” (page 275)

• “Web interface passwords” (page 275)

Logging on to the systemAfter the switch startup sequence is complete, the login prompt appears.The default values for login and password for the console and Telnetsessions are shown in the following table .

Table 28Access levels and default logon values

Access level DescriptionDefaultlogon

Defaultpassword

Read-only Permits view only configuration andstatus information. Is equivalentto Simple Network ManagementProtocol (SNMP) read-onlycommunity access.

ro ro

Layer 1 read/write View most switch configurationand status information and changephysical port settings.

l1 l1

Layer 2 read/write View and change configurationand status information for Layer 2(bridging and switching) functions.

l2 l2


NN46205-605 02.05 28 April 2010


.

272 System access fundamentals

Table 28Access levels and default logon values (cont’d.)

Access level DescriptionDefaultlogon

Defaultpassword

Layer 3 read/write(8600 switches only)

View and change configuration andstatus information for Layer 2 andLayer 3 (routing) functions.

l3 l3

Read/write View and change configuration andstatus information across the switch;does not allow changing security andpassword settings. This access levelis equivalent to SNMP read-writecommunity access.

rw rw

Read/write/all Permits all the rights of Read-Writeaccess and the ability to changesecurity settings, including thecommand line interface (CLI) andWeb-based management user namesand passwords and the SNMPcommunity strings.

rwa rwa

You can enable or disable users with particular access levels on theEthernet Routing Switch 8600, eliminating the need to of maintain largenumbers of access levels and passwords for each user.

A user with a disabled access level who attempts to log on is deniedaccess to the switch. The following error message appears after a userattempts to log on with a blocked access level:

Code=0x1ff0009 Blocked unauthorized cli access.The system logs the following message to the log file:

User <user-name> tried to connect with blocked access level<access-level> from <src-ipaddress> via <login type>.The system logs the following message for the console or modem port:

User <user-name> tried to connect with blocked access level<access-level> from <console/modem> port.

RADIUS authentication takes precedence over the local configuration. Ifyou enable RADIUS authentication on the switch, the user can access theswitch even if an access level is blocked on the switch.

If you disable an access level all running sessions, except FTP sessions,with that access level to the switch terminate.


NN46205-605 02.05 28 April 2010


.

Managing the switch using different VRF contexts 273

ATTENTIONOnly the RWA user can disable an access level on the switch. You cannotdisable the RWA access level on the switch.

These configurations are preserved across restarts.

hsecure bootconfig flagThe Ethernet Routing Switch 8600 supports a configurable flag called HighSecure (hsecure). Use the hsecure flag to enable the following passwordfeatures:

• 10 characters enforcement

• aging time

• limitation of failed login attempts

• protection mechanism to filter designated IP addresses

If you activate the hsecure flag, the software enforces the 10-characterrule for all passwords. If you upgrade from a previous release, if thepassword does not contain at least 10 characters, you must change thepassword to the mandatory character length. The password must containa minimum of two uppercase characters, two lowercase characters, twonumbers, and two special characters.

For more information about the hsecure flag, see Nortel Ethernet RoutingSwitch 8600 Security (NN46205-601).

Managing the switch using different VRF contextsYou can use Device Manager to manage the switch using differentVRF contexts. When you open a switch using Device Manager in theGlobalRouter (VRF 0) context, you can manage the entire switch. Whenyou open a switch using Device Manager in a different VRF context, youhave limited capability for managing the switch. For example, you canmanage only the ports that were assigned to this VRF. In addition, many ofthe Device Manager management functions are not available to you.

Using Device Manager, you can open the switch in the GlobalRouter(VRF 0) context and switch to another VRF context. You can switch theVRF contexts by choosing IP, VRF from the Device Manager menu.Just as when you open the switch using a VRF context other than theGlobalRouter (VRF 0) , when you use Device Manager to switch to adifferent VRF, you are limited to how you can manage the switch. You canmanage only those functions and components that are assigned to thatspecific VRF.


NN46205-605 02.05 28 April 2010


.


With the use of user names and context names (SNMPv3), and communitystrings (SNMPv1/v2) , administrators can assign different VRFs to manageselected components, such as ports and VLANs. For more informationabout context names and community strings, see Nortel Ethernet RoutingSwitch 8600 Security (NN46205-601).

CLI passwordsThe switch ships with default passwords set for access to the CLI througha console or Telnet session. If you possess read/write/all access authority,and you are using SNMPv3, you can change passwords that are inencrypted format. If you are using Device Manager, you can also specifythe number of allowed Telnet sessions and rlogin sessions.

ATTENTIONBe aware that the default passwords and community strings are documentedand well known. Nortel strongly recommends that you change the defaultpasswords and community strings immediately after the first logon.

For security, if you fail to log on correctly on the master central processingunit (CPU) in three consecutive instances, the CPU locks for 60 seconds.

Password encryptionIn the Nortel Ethernet Routing Switch 8600 software Release 4.1 and later,passwords are stored in encrypted format and are no longer stored in theconfiguration file.

CAUTIONSecurity riskIf you load a configuration file saved prior to Release 3.7.6,saved passwords from the configuration file are not recognized.If you start the switch for the first time with Release 3.7.6 orhigher image, the password resets to default values and thesystem generates a log, indicating changes.

For security reasons, Nortel recommends that you set thepasswords to values other than the factory defaults.

Subscriber or administrative interactionAs a network administrator, you can configure the RADIUS server foruser authentication to override user access to commands. You must stillprovide access based on the existing six access levels in the EthernetRouting Switch 8600, but you can customize user access by allowing anddisallowing specific commands.


NN46205-605 02.05 28 April 2010


.

Web interface passwords 275

You must configure the following three returnable attributes for each user:

• Access priority (single instance)–the access levels currently availableon Ethernet Routing Switch 8600 ro, l1, l2, l3, rw, rwa.

• Command access (single instance)–indicates whether the commandsconfigured on the RADIUS server are allowed or disallowed for theuser.

• CLI commands (multiple instances)–the list of commands that the usercan or cannot use.

Access policies for servicesYou can control access to the switch by creating an access policy. Anaccess policy specifies the hosts or networks that can access the switchthrough various services, such as Telnet, Simple Network ManagementProtocol (SNMP), Hypertext Transfer Protocol (HTTP), Secure Shell(SSH), and remote login (rlogin). You can enable or disable accessservices by configuring flags.

You can define network stations that are explicitly allowed to access theswitch or stations that are explicitly forbidden to access the switch. Foreach service you can also specify the level of access, such as read-onlyor read/write/all.

When you configure access policies, you can either:

Globally enable the access policy feature, and then create and enableindividual policies. Each policy takes effect immediately after you enable it.

or

Create and enable individual access policies, and then globally enable theaccess policy feature to activate all the policies at the same time.

For more information about configuring access policies on IPv6, seeNortel Ethernet Routing Switch 8600 Configuration — IPv6 Routing(NN46205-504).

Web interface passwordsThe Ethernet Routing Switch 8600 includes a Web-management interfacethat you can use to monitor your switch through a Web browser fromanywhere on your network. The interface provides many of the samemonitoring features as the Device Manager software.


NN46205-605 02.05 28 April 2010


.


The Web management interface is protected by a security mechanism thatrequires you to log in to the device using a user name and password. Theswitch ships with the default user name and password both specified as ro.

ATTENTIONFor security reasons, the Web interface is disabled by default. For instructionsabout how to enable the interface, see Nortel Ethernet Routing Switch 8600User Interface Fundamentals (NN46205-308)

Web server passwordWeb-server passwords authenticate the user who is accessing the deviceusing the web interface. The passwords are encrypted using the blowfishalgorithm and are stored in a hidden file. The passwords are not visibleon the device through any show command and are not stored in theconfiguration file.

Password resetYou can selectively reset login username and passwords, Web SwitchModules (WSM) passwords, SSL Acceleration Module (SAM) passwordsweb-server passwords, and SNMP community strings. This reset isimplemented as a hidden command in the CLI and Nortel Networkscommand line interface (NNCLI) and you can access the command only ifyou are assigned the rwa access level.

Password encryptionThe Ethernet Routing Switch 8600 handles password encryption in thefollowing manner:

• When the device starts, the web-server passwords and communitystrings are restored from the hidden file.

• When the web-server username/password or SNMP community stringsare modified, the modifications are updated to the hidden file.

Password recoveryUse the following CLI commands to recover your password. Only a userwith rwa access can access these hidden commands.

• ERS-8606:5/config/sys/set/reset-passwd# login-user<l1|l2|l3|ro|rw>

The preceding command resets the login usernames and passwordsselectively. You can reset the following access levels: l1, l2, l3, ro, rw.

ATTENTIONYou cannot reset the rwa community string.

• The following command resets the WSM usernames/passwordsselectively. You can reset the following WSM access levels:


NN46205-605 02.05 28 April 2010


.

Web server password 277

l4admin, slbadmin, oper, l4oper, slboper: ERS-8606:5/config/sys/set/reset-passwd# wsm-passwd<l4admin|slbadmin|oper|l4oper|slboper>

• The following command resets the ssladmin username/password:ERS-8606:5/config/sys/set/reset-passwd# sam-passwd<ssladmin>

• The following command resets the web server username/passwordfor "ro" access: ERS-8606:5/config/sys/set/reset-passwd#web-server-passwd <ro>

• The following command resets the following SNMP community strings:l1, l2, l3, ro, rw : ERS-8606:5/config/sys/set/reset-passwd#snmp-community-strings <l1|l2|l3|ro|rw>


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

279.

System access configuration usingDevice Manager

The section provides procedures you can use to manage system access.Procedures include configurations for usernames, passwords, and accesspolicies.

Navigation• “Enabling access levels” (page 279)

• “Changing passwords” (page 281)

• “Creating an access policy” (page 283)

• “Enabling an access policy” (page 286)

Enabling access levelsEnable access levels to control the configuration actions of various usersby performing this procedure.

ATTENTIONOnly the RWA user can disable an access level on the switch. The RWA accesslevel cannot be disabled on the switch.


Procedure steps

Step Action



2 Click the CLI tab.

The CLI tab appears.


NN46205-605 02.05 28 April 2010


.

280 System access configuration using Device Manager

3 Select the Enable box for the required access level.

4 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Control Path SecurityCLI tab.

Variable Value

RWAUserName Specifies the user name for the read/write/allCLI account.

RWAPassword Specifies the password for the read/write/allCLI account.

RWEnable Activates the read/write access.

RWUserName Specifies the user name for the read/write CLIaccount.

RWPassword Specifies the password for the read/write CLIaccount.

RWL3Enable Activates the read/write Layer 3 access.

RWL3UserName Specifies the user name for the Layer 3read/write CLI account.

RWL3Password Specifies the password for the Layer 3read/write CLI account.







ROEnable Activates the read-only CLI account.

ROUserName Specifies the user name for the read-only CLIaccount.

ROPassword Specifies the password for the read-only CLIaccount.


NN46205-605 02.05 28 April 2010


.

Changing passwords 281

Variable Value

MaxTelnetSessions Specifies the maximum number of concurrentTelnet sessions that are allowed expressed ina range from 0–8.

MaxRloginSessions Specifies the maximum number of concurrentRlogin sessions that are allowed in a rangefrom 0–8 .

Timeout Specifies the number of seconds of inactivityfor a Telnet or Rlogin session before thesystem initiates automatic timeout anddisconnect, expressed in a range from30–65535.

NumAccessViolations Indicates the number of CLI access violationsdetected by the system.This variable is a read-only field.

Changing passwordsUse this procedure to

• configure new passwords for each access level

• change the login for different access levels

• change the password for different access levels

The Ethernet Routing Switch 8600 ships with default passwords set foraccess to the CLI.If you use Simple Network Management Protocol version 3 (SNMPv3), youcan change encrypted passwords.

Procedure steps

Step Action



2 Click the CLI tab.

The CLI tab appears.

3 Specify the user name and password for the appropriate accesslevel.

4 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to configure the Control Path SecurityCLI tab.

Variable Value

RWAUserName Specifies the user name for the read/write/all CLIaccount.

RWAPassword Specifies the password for the read/write/all CLIaccount.

RWEnable Activates the read/write access.

RWUserName Specifies the user name for the read/write CLI account.

RWPassword Specifies the password for the read/write CLI account.


RWL3UserName Specifies the user name for the Layer 3 read/write CLIaccount.

RWL3Password Specifies the password for the Layer 3 read/write CLIaccount.







ROEnable Activates the read-only CLI account.

ROUserName Specifies the user name for the read-only CLI account.

ROPassword Specifies the password for the read-only CLI account.

MaxTelnetSessions Specifies the maximum number of concurrent Telnetsessions that are allowed expressed in a range from0–8.

MaxRloginSessions Specifies the maximum number of concurrent Rloginsessions that are allowed expressed in a range from0–8.


NN46205-605 02.05 28 April 2010


.

Creating an access policy 283

Variable Value

Timeout Specifies the number of seconds of inactivity for aTelnet or Rlogin session before the switch initiatesautomatic timeout and disconnect expressed in a rangefrom 30– 65535.

NumAccessViolations Indicates the number of CLI access violations detectedby the system.This is a read-only field.

Creating an access policyYou can control access to the switch by creating an access policy. Anaccess policy specifies the hosts or networks that can access the switchthrough various services, such as Telnet, SNMP, HTTP, rsh, and rlogin.

You can define network stations that are explicitly allowed to accessthe switch or network stations that are explicitly forbidden to access theswitch. For each service, you can also specify the level of access, such asread-only or read/write/all.Create an access policy by performing this procedure.

ATTENTIONDevice Manager does not provide SNMPv3 support for an access policy. If youmodify an access policy with Device Manager, SNMPV3 is disabled.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Security,ControlPath, Access Policies.

The ControlPathSecurity dialog box appears with the AccessPolicies tab active.

2 In the Security dialog box, click Insert.

The ControlPathSecurity, Insert Access Policy dialog boxappears. All fields are optional except ID.

3 In the ID box, type the policy ID.

4 In the Name box, type the policy name.

5 Select the PolicyEnable check box.

6 Select the Mode option to allow or deny a service.

7 From the Service options, select a service.

8 In the Precedence box, type a precedence number for theservice (lower numbers mean higher precedence).


NN46205-605 02.05 28 April 2010


.


9 Select the NetInetAddrType.

10 In the NetInetAddress box, type an IP address.

11 In the NetInetAddrPrefixLen box, type the prefix length.

12 In the TrustedHostInet Address box, type an IP address for thetrusted host.

13 In the TrustedHostUserName box, type a user name for thetrusted host.

14 Select an AccessLevel for the service.

15 Select the AccessStrict check box, if desired.

ATTENTIONIf you select the AccessStrict option, you specify that a user mustuse an access level identical to the one you selected in the dialog boxto use this service.

16 Click Insert.

--End--

Variable definitionsUse the data in the following table to configure the Insert access policiestab.

Variable Value

Id Specifies the policy ID.

Name Specifies the name of the policy.

PolicyEnable Activates the access policy.

Mode Indicates whether a packet with a source IPaddress matching this entry is permitted toenter the device or is denied access.

Service Indicates the protocol to which this entryapplies.

Precedence Indicates the precedence of the policyexpressed in a range from 1–128.The lower the number, the higher theprecedence.


NN46205-605 02.05 28 April 2010


.

Creating an access policy 285

Variable Value

NetInetAddrType Indicates the source network Internet addresstype as one of the following.• any

• IPv4

• IPv6

IPv4 is expressed in the format a.b.c.d.IPv6 is expressed in the format a:b:c:d:e:f:g:h.

NetInetAddress Indicates the source network Inet address(prefix/network).If the address type is IPv4, you must enter anIPv4 address and its mask length.If the type is IPv6, you must enter an IPv6address.

NetInetAddrPrefixLen Indicates the source network Inet addressprefix-length/mask.If the type is IPv4, you must enter an IPv4address and mask length;If the type is IPv6, you must enter an IPv6address and prefix length.

TrustedHostInetAddr Indicates the trusted Inet address of a hostperforming a remote login to the device.TrustedHostInetAddr applies only to rlogin andrsh.

ATTENTIONYou cannot use wildcard entries in theTrustedHostInetAddr field.

TrustedHostUserName Specifies the user name assigned to thetrusted host. The trusted host name appliesonly to rlogin and rsh. Ensure that the trustedhost user name is the same as your networklogon user name; do not use the switch username, for example, rwa.

ATTENTIONYou cannot use wildcard entries. The usermust already be logged in with the username to be assigned to the trusted host.For example, using "rlogin -l newusernamexx.xx.xx.xx" does not work from a UNIXworkstation.


NN46205-605 02.05 28 April 2010


.


Variable Value

AccessLevel Specifies the access level of the trusted hostas one of the following:• readOnly

• readWrite

• readWriteAll

AccessStrict Enables or disables strict access criteria forremote users.

If unchecked, a user must use an access levelidentical to the one you selected in the dialogbox to use this service.

• true: remote login users can use only thecurrently configured access level

• false: remote users can use any accesslevel

ATTENTIONIf you do not select true or false, user accessis governed by criteria specified in the policytable. For example, a user with an rw accesslevel specified for a policy ID in the policytable is allowed rw and rw access, and ro isdenied access.

Enabling an access policyEnable the access policy feature globally to control access across theswitch.

You can create an access policy to control access to the switch. Anaccess policy specifies the hosts or networks that can access the switchthrough access services; for example Telnet, SNMP, Hypertext TransferProtocol (HTTP), and remote login (rlogin).Enable an access policy by performing this procedure.

Procedure steps

Step Action


The Chassis dialog box appears with the System tab visible.



NN46205-605 02.05 28 April 2010


.

Enabling an access policy 287

The System Flags tab appears.

3 Select the EnableAccessPolicy check box.

4 Click Apply.

5 Click Close.

--End--


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

289.

System access configuration using theCLI

The section provides procedures to manage system access throughconfigurations such as usernames, passwords, and access policies.


• “Enabling CLI access levels” (page 291)


• “Resetting and modifying passwords” (page 305)

• “Enabling the access policy globally” (page 296)


• “Configuring an access policy” (page 297)

• “Specifying a name for an access policy” (page 300)

• “Specifying the host address and username for rlogin” (page 301)

• “Enabling an access service” (page 301)

• “Allowing a network access to the switch” (page 303)

• “Configuring access policies by MAC address” (page 304)



NN46205-605 02.05 28 April 2010


.

290 System access configuration using the CLI

Table 29Job aid

Command Parameter

access level <access level><enable|disable>

aging <days>

default-lockout-time <secs>

info

l1 <username> [ <password> ]



l4admin <username>

l4oper <username>

lockout-time <HostAddress> <secs>

min-passwd-len <integer>

oper <username>

password-history <number>

ro <username> [ <password> ]

rw <username> [ <password> ]

rwa <username> [ <password> ]

slboper <username>

slbadmin <username>

config cli password

ssladmin <username>

<string length 2..8>config cli password access-level

<enable|disable>

config cli password <access-level><username>

add <mac> <action>

del <mac>

default-action <default-action>

config sys access-policy by-mac

info

config sys access-policy enable<true|false>


NN46205-605 02.05 28 April 2010


.

Enabling CLI access levels 291

Command Parameter

accesslevel <level>

access-strict <true|false>

create

delete

disable

enable

host <ipaddr/IPv6addr>

info

mode <allow|deny>

name <name>

network <addr/mask>

precedence <precedence>

snmp-group-add <group-name> <model>

snmp-group-del <group-name> <model>

snmp-group-info

config sys access-policy policy <pid>

username <string>

ftp <enable|disable>

http <enable|disable>

info

rlogin <enable|disable>

snmpv3 <enable|disable>

ssh <enable|disable>

telnet <enable|disable>

config sys access-policy policy <pid>service

tftp <enable|disable>

reset-passwd

Enabling CLI access levelsEnable command line interface (CLI) access levels to control theconfiguration actions of system users by performing this procedure.

ATTENTIONOnly the RWA user can disable an access level on the switch. You cannotdisable the RWA access level on the switch.



NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Enable a CLI access level by using the following command:

config cli password access-level <access-level><enable|disable>

--End--

Variable definitionsUse the data in the following table to use the config cli passwordaccess-level command.

Variable Value

access level Specifies the required access levelwith a string length of 2–8 characters.

enable|disable Blocks or permits the access level.The default value is enable.

Changing passwordsConfigure new passwords for each access level, or change the login orpassword for switch access levels.

The Ethernet Routing Switch 8600 ships with default passwords set foraccess to the CLI. For security, passwords are saved to a hidden file. Theoptional parameter password is the password associated with the username or login name.

If you use Simple Network Management Protocol version 3 (SNMPv3), youcan change encrypted passwords.Change password by performing this procedure.

Prerequisites

• To change passwords, you must have read-write-all privileges.

Procedure steps

Step Action

1 Change a password by using the following command:


NN46205-605 02.05 28 April 2010


.


config cli password

--End--

VariablesUse the data in the following table to use the config cli passwordcommand

Variable Value

access level <access level><enable|disable>

Permits or blocks an access level.

• access level is expressed as aninteger from 2–8.

• enable|disable activates ordisables the designated level.

aging <days> Configures the age-out time forpasswords.

• days is expressed as an integerfrom 1–365.

default-lockout-time <secs> Changes the default lockout time afterthree invalid attempts, expressed inseconds. .

• secs is the lockout time in a rangefrom 60–65000.


info Specifies the current level parametersettings and the next level directories.

l1 <username> [ <password> ] Changes the Layer 1 read/write loginand password.

• username is the login name

• password is the passwordassociated with the login name.

l2 <username> [ <password> ] Changes the Layer 2 read/write loginand password.

• username is the login name.



NN46205-605 02.05 28 April 2010


.


Variable Value

l3 <username> [ <password> ] Changes the Layer 3 read/write loginand password (applies only to theEthernet Routing Switch 8600).



l4admin <username> Configures the Layer 4 administratorlogin for connection to the WebSwitching Module (WSM). For moreinformation about the WSM, see NortelEthernet Routing Switch 8600 WebSwitching Module Fundamentals(NN46205-314).

l4oper <username> Configures the Layer 4 operator loginfor connection to the WSM. For moreinformation about the WSM, see NortelEthernet Routing Switch 8600 WebSwitching Module Fundamentals(NN46205-314).

lockout-time <HostAddress><secs>

Configures the host lockout time.

• HostAddress is the Host InternetProtocol (IP) address in the formata.b.c.d.

• secs is the password lockout-outtime, in seconds, expressed in arange from 60–65000. .

The default value is 60

min-passwd-len <integer> Configures the minimum length forpasswords in high-secure mode.

• integer is as an integer in arange from 10–20.

oper <username> Configures the operator login forconnection to the WSM. For moreinformation about the WSM, see NortelEthernet Routing Switch 8600 WebSwitching Module Fundamentals(NN46205-314).


NN46205-605 02.05 28 April 2010


.


Variable Value

password-history <number> Specifies the number of previouspasswords to retain in systemmemory.

• number is expressed as an integerin a range from 3–32.

The default is 3.

ro <username> [ <password> ] Changes the read-only login andpassword.



rw <username> [ <password> ] Changes the read/write login andpassword.



rwa <username> [ <password> ] Changes the read/write/all login andpassword.



slboper <username> Configures the server load balancing(SLB) operator login for connection tothe WSM. For more information aboutthe WSM, see Nortel Ethernet RoutingSwitch 8600 Web Switching ModuleFundamentals (NN46205-314).

slbadmin <username> Configures the SLB administratorlogin to connect to the WSM. Formore information about the WSM, seeNortel Ethernet Routing Switch 8600Web Switching Module Fundamentals(NN46205-314).

ssladmin <username> Configures the ssladmin login toconnect to and configure the SAM(SSL acceleration module).


NN46205-605 02.05 28 April 2010


.


Enabling the access policy globallyEnable the access policy feature globally to control access across theswitch. You can control access to the switch by creating an access policy.An access policy specifies the hosts or networks that can access theswitch through various access services, such as Telnet, SNMP, HypertextTransfer Protocol (HTTP), and remote login (rlogin). You must enable thefeature globally before individual policies take effect.Enable access policy globally by performing this procedure.

Procedure steps

Step Action

1 Enable the access policy feature globally with the followingcommand:

config sys access-policy enable <true|false>

--End--

Variable definitionsUse the data in the following table to use the config sysaccess-policy command.

Variables Value

enable <true|false> Activates the access policy on theswitch.• true globally activates the

access-policy feature.

• false globally disables theaccess-policy feature.

Creating an access policyCreate an access policy to control access to the switch. You can definenetwork stations that are explicitly allowed to access the switch or networkstations that are explicitly forbidden to access the switch. For eachservice, you can also specify the level of access, such as read-only orread/write/all.Create an access policy by performing this procedure.

Procedure steps

Step Action

1 Create an access policy by using the following command:


NN46205-605 02.05 28 April 2010


.

Configuring an access policy 297

config sys access-policy policy <pid> create

--End--

Variable definitionsUse the data in the following table to use the config sysaccess-policy policy command.

Variables Value

create Creates the specified access policy onthe switch.

policy <pid> Identifies a policy.

• <pid> is a number that identifies apolicy.

Example of creating an access policy

Step Action

1 Enable access policies globally with the following command:

ERS-8606:5# config sys access-policy enable true

2 Create the policy 2345 with the following command:

ERS-8606:5# config sys access-policy policy 2345create

--End--

Configuring an access policyConfigure an access policy to control access to the switch by performingthis procedure.

Prerequisites

• You must enable the access policy feature globally before theindividual policy can take effect.

Procedure steps

Step Action

1 Configure optional parameters for an access policy by using thefollowing command:


NN46205-605 02.05 28 April 2010


.


config sys access-policy policy <pid>

2 Enable the access policy by using the following command:

config sys access-policy policy <pid> enable

--End--


Variables Value

accesslevel <level> Specifies the level of access if youcofigure the policy to allow access.

• level is the access level

access-strict <true|false> Designates access associated withconfigured levels.• true—the system accepts only the

currently configured access level

• false—the system accepts accessup to the configured level

create Creates the specified access policy onthe switch.

delete Removes the specified access policyfrom the switch.

disable Disables the access policy on theswitch.

enable Activates the access policy on theswitch.

host <ipaddr/IPv6addr> For rlogin access, specifies the trustedhost address as an IP address.

info Shows the current status of an accesspolicy.

mode <allow|deny> Specifies whether a designatednetwork address is allowed or deniedaccess through the specified accessservice.The default setting is allow.

name <name> Specifies the name of the policy.The default name is policy_<ID>


NN46205-605 02.05 28 April 2010


.


Variables Value

network <addr/mask> Specifies whether the designatedIP address and subnet mask arepermitted or denied access throughthe specified access service.

precedence <precedence> Specifies a precedence for a policyto determine which policy the systemuses if multiple policies apply..

• precedence is expressed asa number from 1–128. Lowernumbers take higher precedence.

The default precedence value is 10.

snmp-group-add <group-name><model>

Adds snmp-v3 group under the accesspolicy.

• group-name is the snmp-v3 groupname expressed in a range from1–32 characters.

• model is the security model: eithersnmpv1, snmpv2c, or usm.

snmp-group-del <group-name><model>

Removes an snmp-v3 group under theaccess policy.

• group name is the snmp-v3 groupname expressed in a range from1–32 characters.

• model is the security model: eithersnmpv1, snmpv2c, or usm.

snmp-group-info Shows snmp-v3 groups under thisaccess policy

username <string> For rlogin access, specifies the trustedhost user name.

Job aidThe following is an example of configuring an access policy.

Procedure steps

Step Action

1 Enable access policies globally:

ERS-8606:5# config sys access-policy enable true


NN46205-605 02.05 28 April 2010


.


2 Assuming no access policies exist, start with policy 2 and namethe policy policy2 as follows:

ERS-8606:5# config sys access-policy policy 2 create

ERS-8606:5# config sys access-policy policy 2 namepolicy2

3 Add read/write/all access level to policy 2:

ERS-8606:5# config sys access-policy policy 2accesslevel rwa

4 Add the usm group group_example to policy 2:

ERS-8610:5# config sys access-policy policy 2snmp-group-add group_example usm

5 Enable access strict enable:

ERS-8610:5# config sys access-policy policy 2access-strict true

6 Enable policy 2:

ERS-8610:5# config sys access-policy policy 2enable

--End--

Specifying a name for an access policyAssign a name to the access policy to uniquely identify the policy byperforming this procedure.

Procedure steps

Step Action

1 Assign a name to the access policy by using the followingcommand:

config sys access-policy policy <pid> name <name>

--End--



NN46205-605 02.05 28 April 2010


.

Enabling an access service 301

Variables Value

name

<name>

name is a string from 0–15 characters.

policy <pid> Identifies the policy.• <pid> is a number that identifies

the policy expressed in a rangefrom 1—65535.

Specifying the host address and username for rloginSpecify the address and username required to access the SF/CPU whenusing rlogin by performing this procedure.

Procedure steps

Step Action

1 Specify the trusted host address with the following command:

config sys access-policy policy <pid> host <ipaddr>

2 Specify the trusted host user name with the following command:

config sys access-policy policy <pid> username<string>

--End--

Variable definitionsUse the data in the following table to use the config sysaccess-policy command.

Variables Value

host <ipaddr/IPv6addr> For rlogin access, specifies the trustedhost address as an IP address.

username <string> For rlogin access, specifies the trustedhost user name.

Enabling an access serviceEnable an access service for the specified policy. An access policyspecifies the hosts or networks that can access the switch through variousservices, such as Telnet, SNMP, Hypertext Transfer Protocol (HTTP),Secure Shell (SSH), and remote login (Rlogin).Enable an access service by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Enable an access service for the specified policy by using thefollowing command:

config sys access-policy policy <pid> service

--End--

Variable definitionsUse the data in the following table to use the config sysaccess-policy policy service command.

Variables Value

ftp <enable|disable> Activates or disables FTP for thespecified policy.Because FTP derives its accesslevel and password from the CLImanagement filters, FTP works onlyfor the following access levels:• read-write-only (rwo)

• read-write (rw)

FTP does not work for read-only (ro).

http <enable|disable> Activates or disables HTTP for thespecified policy.

info Shows the status (disable or enable)of each service (for example, ftp, http,rlogin) .

rlogin <enable|disable> Activates or disables rlogin for thespecified policy.

snmpv3 <enable|disable> Activates or disables SNMPv3for the specified policy. For moreinformation about SNMPv3, see NortelEthernet Routing Switch 8600 Security(NN46205-601).

ssh <enable|disable> Activates or disables SSH for thespecified policy. For more informationabout SSH, see Nortel EthernetRouting Switch 8600 Security(NN46205-601).


NN46205-605 02.05 28 April 2010


.

Allowing a network access to the switch 303

Variables Value

telnet <enable|disable> Activates or disables Telnet for thespecified policy.

tftp <enable|disable> Activates or disables Trivial FileTransfer Protocol (TFTP) for thespecified policy.

Job aidThe following is an example of enabling FTP, Rlogin, HTTP, SNMP, SSH,and Telnet access services.

Procedure steps

Step Action

1 Enable access services:

ERS-8610:6/config/sys/access-policy/policy/2/service#ftp enable

ERS-8610:6/config/sys/access-policy/policy/2/service#rlogin enable http enable

ERS-8610:6/config/sys/access-policy/policy/2/service#snmpv3 enable

ERS-8610:6/config/sys/access-policy/policy/2/service#ssh enable telnet enable

--End--

Allowing a network access to the switchSpecify the network to which you want to allow access by performing thisprocedure.

Procedure steps

Step Action

1 Specify the network with the following command:

config sys access-policy policy <pid> network<addr/prefix- length>

--End--


NN46205-605 02.05 28 April 2010


.



Variables Value

accesslevel <level> Specifies an access level.• level is expressed as one of

these access levels: ro, rw, rwa,or the equivalent community stringdesignation (read-only, read/write,or read/write/all).

addr/prefix-length Designates the IPv4 address/mask, orthe IPv6 address/prefix-length that ispermitted or denied access throughthe specified access service.


Configuring access policies by MAC addressConfigure access-policies by MAC address to permit or deny local MACaddresses on the network management port after you activate an accesspolicy.

If the source MAC does not match a configured entry, then the defaultaction is taken. The system generates a log message to record the denialof access.

For connections coming in from a different subnet, the source mac of thelast hop is used in decision making.

Configure access-policies by MAC address does not perform MAC orforwarding database (FDB) filtering on data ports.

Access policies are changed from previous releases. Before you attemptto upgrade an access policy from a previous release, see Nortel EthernetRouting Switch 8600 Upgrades — Software Release 5.1 (NN46205-400).Configure an access policy by MAC address by performing this procedure.

Procedure steps

Step Action

1 Configure access-policies by MAC address by using thefollowing command:


NN46205-605 02.05 28 April 2010


.

Resetting and modifying passwords 305

config sys access-policy by-mac

--End--

Variable definitionsUse the data in the following table to use the config sysaccess-policy by-mac command.

Variables Value

add <mac><action>

Adds a MAC address for a designated action.

• <mac> is the MAC address in the format0x00:0x00:0x00:0x00:0x00:0x00.

• <action> is allow or deny.

del <mac> Deletes a designated MAC address.

default-action<default-action>

Specifies the default action to allow or deny a MACaddress with no match.The default action is allow.

info Specifies the current access level configured by MACaddress.

Resetting and modifying passwordsModify passwords to protect security if users forget passwords or yoususpect they are compromised by performing this procedure.

Procedure steps

Step Action

1 In the boot-monitor CLI, reset all passwords to the factorydefaults by using the following command:

reset-passwd

2 In the run-time CLI, change passwords by using the followingcommand:

config cli password <access-level><username>

You are prompted to enter the old password, the new password,and to confirm the new password.

ATTENTIONAll passwords are case-sensitive.

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the config cli passwordcommand.

Variable Value

access-level Specifies the access level associatedwith the password to be changed.

username Identifies the user account assocaitedwith the password to be changed.


NN46205-605 02.05 28 April 2010


.

307.

System access configuration using theNNCLI

The section provides procedures to manage system access throughconfigurations such as usernames, passwords, and access policies.

Prerequisites• To perform the procedures in this section, you must log on to the



• “Enabling CLI access levels” (page 309)



• “Configuring an access policy” (page 313)

• “Enabling the access policy globally” (page 317)

• “Specifying a name for an access policy” (page 317)

• “Allowing a network access to the switch” (page 318)

• “Configuring access policies by MAC address” (page 319)



NN46205-605 02.05 28 April 2010


.

308 System access configuration using the NNCLI

Table 30Job aid

Command Parameter


access-strict

accesslevel <ro|rwa|rw>

enable

ftp

host <word>

http

mode <allow|deny>

name <word>

network <A.B.C.D>

precedence <1-128>

rlogin

snmp-group <word> <snmpv1|snmpv2c|usm>

snmpv3

ssh

telnet

tftp

access-policy <1-65535>

username <word>

<0x00:0x00:0x00:0x00:0x00:0x00>access-policy by-mac

action <allow|deny>

l4admin

l4 oper

layer 1

layer 2

layer 3

oper

read-only

read-write

read-write-all

slbadmin

slboper

cli password <word> <access-level>


NN46205-605 02.05 28 April 2010


.

Enabling CLI access levels 309

Command Parameter

ssladmin

access-level <word>

aging-time day <1-365>

default-lockout-time <60-65000>

lockout <word> <time>

min-passwd-len <10-20>

password

password-history <0-32>

Enabling CLI access levelsEnable CLI access levels to control the configuration actions of varioususers by performing this procedure.

ATTENTIONOnly the RWA user can disable an access level on the switch. The RWA accesslevel cannot be disabled on the switch.


Prerequisites


Procedure steps

Step Action

1 Enable an access level by using the following command:

password access-level <word>

--End--

Variable definitionsUse the data in the following table to use the password access-levelcommand.


NN46205-605 02.05 28 April 2010


.


Variable Value

word Specifies the name of the requiredaccess leve, expressed as a stringlength from 2–8 characters.To set this option to the default value,use the default operator with thecommand.

Changing passwordsConfigure new passwords for each access level, or change the login orpassword for the access levels of the switch.

The Ethernet Routing Switch 8600 ships with default passwords set foraccess to the CLI. For security, the system saves passwords to a hiddenfile.

If you use Simple Network Management Protocol version 3 (SNMPv3), youcan change encrypted passwords.Change passwords by performing this procedure.

Prerequisites

• You must have read-write-all privileges to change passwords.


Procedure steps

Step Action

1 Change a password by using the following command:

cli password <word> <access-level>

2 Configure password options by using the following command:

password [aging-time day <1-365>] [default-lockout-time<60-65000>] [lockout <word> <time>] [min-passwd-len<10-20>] [password-history <0-32>]

--End--

VariablesUse the data in the following table to use the password commands.


NN46205-605 02.05 28 April 2010


.


Variable Value

access level Permits or blocks a designated accesslevel from the following list:

• l4admin

• l4oper

• layer1 <word>

• layer2

• layer3 <word>

• oper

• read-only <word>

• read-write <word>

• read-write-all <word>

• slbadmin

• slboper

• ssladmin

Use Layer 4 administrator andoperator access levels to connect tothe Web Switching Module (WSM).For more information about the WebSwitching Module (WSM), see NortelEthernet Routing Switch 8600 WebSwitching Module Fundamentals(NN46205-314).

aging-time day <1-365> Configures the age-out time forpasswords, in days.

default-lockout-time<60-65000>

Changes the default lockout time afterthree invalid attempts. Configures thelockout time in seconds and is in therange of 60–65000. The default is 60seconds.



NN46205-605 02.05 28 April 2010


.


Variable Value

lockout <word> <time> Configures the host lockout time.

• word is the Host Internet Protocol(IP) address in the format a.b.c.d.

• time is the lockout-out time inseconds for passwords lockout inthe range of 60–65000. The defaultis 60 seconds.

min-passwd-len <10-20> Configures the minimum length forpasswords in high-secure mode.


password-history <3-32> Specifies the number of previouspasswords to remember. The defaultis 3.


<word> Represents the new passwordcontaining 0–20 characters.

Creating an access policyCreate an access policy to control access to the switch by performing thisprocedure.

Prerequisites


Procedure steps

Step Action

1 Create an access policy by assigning it a number

access-policy <1-65535>

--End--


NN46205-605 02.05 28 April 2010


.


Configuring an access policyConfigure an access policy to control access to the switch.

You can define network stations that are explicitly allowed to access theswitch or network stations that are explicitly forbidden to access the switch.

For each service, you can also specify the level of access; for example,read-only or read/write/all.Configure an access policy by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure access for an access policy by using the followingcommand:

access-policy <1-65535> [access-strict] [accesslevel<ro|rwa|rw>]

2 Configure the access policy mode, network and precedence byusing the following command:

access-policy <1-65535> [mode <allow|deny>] [network<A.B.C.D>] [precedence <1-128>]

3 Configure optional access protocols for an access policy byusing the following command:

access-policy <1-65535> [ftp] [http] [ssh] [telnet][tftp]

4 Configure optional rlogin access for an access policy by usingthe following command:

access-policy <1-65535> host <word> rlogin username<word>

5 Configure optional SNMP parameters for an access policy byusing the following command:

access-policy <1-65535> [snmp-group <word><snmpv1|snmpv2c|usm>] [snmpv3]

--End--

Variable definitionsUse the data in the following table to use the access-policy command.


NN46205-605 02.05 28 April 2010


.


Variables Value

accesslevel <ro|rwa|rw> Specifies the level of access if youconfigure the policy to allow access.

access-strict Restrains access to criteria specifiedin the access policy.• true—the system accepts only the

currently configured access level

• false—the system accepts accessup to the configured level


ftp Activates or disables FTP for thespecified policy.Because FTP derives itslogin/password from the CLImanagement filters, FTP worksfor read-write-only (rwo) and read-write(rw) access but not for the read-only(ro) access.Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.

host <word> For rlogin access, specifies the trustedhost address as an IP address.

http Activates the HTTP for this accesspolicy.Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.

mode <allow|deny> Specifies whether the designatednetwork address is allowed accessto the system through the specifiedaccess service.The default setting is allow.

network <A.B.C.D> Specifies the IP address and subnetmask that can access the systemthrough the specified access service.


NN46205-605 02.05 28 April 2010


.


Variables Value

precedence <1-128> Specifies a precedence value for apolicy, expressed as a number from1–128.The precedence value determineswhich policy the system uses ifmultiple policies apply.Lower numbers take higherprecedence.The default value is 10.

rlogin Activates remote login for the accesspolicy. Use the no operator to removethis configuration.To set this option to the default value,use the default operator with thecommand.

snmp-group <word> <snmpv1|snmpv2c|usm>

Adds an snmp-v3 group under theaccess policy.

• word is the snmp-v3 group nameconsisting of 1–32 characters.

• <snmpv1|snmpv2c|usm> is thesecurity model; either snmpv1,snmpv2c, or usm.

Use the no operator to remove thisconfiguration.

snmpv3 Activates SNMP version 3 for theaccess policy. For more informationabout SNMPv3, see Nortel EthernetRouting Switch 8600 Security(NN46205-601).



NN46205-605 02.05 28 April 2010


.


Variables Value

ssh Activates SSH for the access policy.For more information about SSH, seeNortel Ethernet Routing Switch 8600Security (NN46205-601).


telnet Activates Telnet for the access policy.Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.

tftp Activates the Trivial File TransferProtocol (TFTP) for this access policy.Use the no operator to remove thisconfiguration.To set this option to the default value,use the default operator with thecommand.

username <word> Specifies the trusted host user namefor remote login access.

Example of configuring an access policy

Step Action

1 Assuming no access policies exist, start with policy 3 and namethe policy policy3 as follows:

ERS-8606:5(config)# access-policy 3 name policy3

2 Add read/write/all access level to policy 3:

ERS-8606:5(config)# access-policy 3 accesslevelrwa

3 Add the usm group group_example to policy 3:

ERS-8606:5(config)# access-policy 3 snmp-groupgroup_example usm

4 Enable access strict:

ERS-8606:5(config)# access-policy 3 access-strict

5 Enable policy 3:


NN46205-605 02.05 28 April 2010


.

Specifying a name for an access policy 317

ERS-8606:5(config)# access-policy 3 enable

--End--

Enabling the access policy globallyEnable the access policy globally to control access across the switch. Youcan control access to the switch by creating an access policy. An accesspolicy specifies the hosts or networks that can access the switch throughvarious access services, such as Telnet, SNMP, Hypertext TransferProtocol (HTTP), and remote login (rlogin).Enable an access policy globally by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Enable the access policy globally with the following command:

access-policy <1-65535> enable

--End--

Specifying a name for an access policyAssign a name to the access policy to uniquely identify the policy byperforming this procedure.

Prerequisites


Procedure steps

Step Action

1 Assign a name to the access policy by using the followingcommand:

access-policy <1-65535> name <word>

--End--


NN46205-605 02.05 28 April 2010


.



Variables Value

name <word> Specifies a name expressed as astring from 0–15 characters.

Allowing a network access to the switchSpecify the network to which you want to allow access by performing thisprocedure.

Prerequisites


Procedure steps

Step Action

1 Specify the network with the following command:

access-policy <1-65535> [accesslevel <ro|rwa|rw>] [mode<allow|deny>] [network <A.B.C.D>]

--End--


Variables Value

accesslevel <ro|rwa|rw> Configures the access level (ro, rw,rwa) or equivalent community stringdesignation (read-only, read/write, orread/write/all).


network <A.B.C.D> The IPv4 address/mask, or the IPv6address/prefix-length permitted, ordenied, access through the specifiedaccess service.


NN46205-605 02.05 28 April 2010


.

Configuring access policies by MAC address 319

Configuring access policies by MAC addressConfigure access-policies by MAC address to allow or deny local MACaddresses on the network management port after an access policy isactivated. If the source MAC does not match a configured entry, then thedefault action is taken. A log message is generated to record the denialof access. For connections coming in from a different subnet, the sourcemac of the last hop is used in decision making. Configure access-policiesby MAC address does not perform MAC or Forwarding Database (FDB)filtering on data ports.

Access policies are changed from previous releases. Before you attemptto upgrade an access policy from a previous release, see Nortel EthernetRouting Switch 8600 Upgrades — Software Release 5.1 (NN46205-400).Configure access policy by MAC address by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Add the MAC address and configure the action for the policy byusing the following command:

access-policy by-mac <0x00:0x00:0x00:0x00:0x00:0x00>action <allow|deny>

--End--

Variable definitionsUse the data in the following table to use the access-policy by-maccommand.

Variables Value

<0x00:0x00:0x00:0x00:0x00:0x00>

Adds a MAC address to the policy.Enter the MAC address in hexadecimal format.

<allow|deny> Specifies the action to take for the designatedMAC address.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

321.

Ethernet Routing Switch 8600 licensingfundamentals

This section provides conceptual information about the feature licensing forthe Nortel Ethernet Routing Switch 8600. Review this section before youmake changes to the license configuration.

Navigation• “Feature licensing” (page 321)

• “License type and part numbers” (page 323)

• “License certificates” (page 325)

• “License file generation” (page 325)

• “Working with feature license files” (page 325)

• “License transfer” (page 325)

Feature licensingEnabling features on a Ethernet Routing Switch 8600 requires thegeneration and installation of a license file that contains the authorizedMAC addresses of the switches that the license file will be installed on.

In addition to a Base Software License, the Ethernet Routing Switch 8600supports optional Advanced and Premier feature licenses to provideaccess to additional switch features contained within those licensinglevels. These licenses are purchased separately in the form of either anAdvanced License Kit or Premier License Kit. The Premier License Kitcontains all Advanced License Kit features. When you purchase eitheran Advanced License Kit or a Premier License Kit, all current and futurefeatures are covered under the license. If you currently have an AdvancedLicense Kit, there is no discounted price to move to a Premier LicenseKit, you must purchase a complete Premier License Kit. If you purchase


NN46205-605 02.05 28 April 2010


.

322 Ethernet Routing Switch 8600 licensing fundamentals

a Premier License Kit at any time, you are licensed for all features forthe life of the product. For more information, contact your Nortel salesrepresentative.

You must purchase one Base software license for each chassis to obtainaccess to those features.

Advanced and Premier License level features use a software-basedlicensing mechanism to unlock specific features.

You must specify the location of your license file in the boot configurationfile. If you do not specify the location of your license file, you canencounter issues with your licensed features. For more informationsee “Boot parameter configuration using the CLI” (page 43)and “Bootparameter configuration using the NNCLI” (page 81).

Advanced LicenseThe features enabled by the Advanced License are as follows:

• Border Gateway Protocol version 4 (BGP4) for more than 10 Peers

• Bidirectional Forwarding Detection

• IPv6 Routing

• Multicast Source Discovery Protocol (MSDP)

• Packet Capture function (PCAP)

Premier LicenseThe features enabled by the Premier License are as follows:

• All Advanced License features

• Virtual Routing and Forwarding, Lite version (VRF-Lite)

• Multi-Protocol Border Gateway Protocol (MP-BGP)

• IP-Virtual Private Network, Multi-Protocol Label Switching (RFC2547)(IP-VPN MPLS RFC2547)

• IP-Virtual Private Network-Lite (IP-VPN-Lite – IP in IP)

• Multicast virtualization for VRF-Lite (IGMP and PIM-SM/SSM)

The Premier License enables all licensed features on the Ethernet RoutingSwitch 8600.


NN46205-605 02.05 28 April 2010


.

License type and part numbers 323

ATTENTIONNortel recommends that you purchase the Premier License if you anticipategrowth in your network. If you purchase the Advanced License, and laterrequire features available only if you have the Premier License, you must alsopurchase the Premier License. If you purchase the Premier License initially, youhave access to all features enabled by the Advanced License and the PremierLicense (there is no need to purchase the Advanced License separately).

You must purchase the Base software license for each chassis. You can installan Advanced or Premier License on each chassis after you have installed theBase software license, but the Advanced and Premier Licenses are optional.

Premier Trial LicenseThe Ethernet Routing Switch 8600 provides a trial period of 60 daysduring which you have access to all features. In the trial period you canconfigure all features without restriction, including system console and logmessages.

System console and log messages alert you to the expiry of the 60 daytrial period. The message Trial Period for Automatic PremierFeature usage will expire in ## days first appears when 30 daysof the trial period remain. You receive periodic notification until fewer than10 days remain in the trial period, at which point you receive notificationevery 24 hours until the expiry date.

At the end of the trial period, the following message appears:The automatic Premier feature trial period has now expired.Any Advanced or Premier features that were used or enabledwill continue to work but will be disabled after any switchreboot. Please buy the proper license if you wish tocontinue to use these features.This message is the last notification recorded.

The switch logs the preceding messages even if no license features areused or tested during the trial period. If any valid license is loaded on theswitch at any time, none of the preceding messages will be recorded.

License type and part numbersThe following table provides the part number for the various licensessupported on the Ethernet Routing Switch 8600.


NN46205-605 02.05 28 April 2010


.


Table 31Supported licenses for the Ethernet Routing Switch 8600

Part number/Order code

License type and description Number of chassissupported

DS1410021 Ethernet Routing Switch 8600 Advanced LicenseKit for one chassis. Enabled features: BGP4(above 10 peers), IPv6 Routing, PCAP, MSDP,and BFD. (One license required per chassis.)

1

DS1410022 Ethernet Routing Switch 8600 Advanced LicenseKit for up to 10 chassis. Enabled features: BGP4(above 10 peers), IPv6 Routing, PCAP, MSDP,and BFD. (One license required per chassis.)

10

DS1410023 Ethernet Routing Switch 8600 Advanced LicenseKit for up to 50 chassis. Enabled features: BGP4(above 10 peers), IPv6 Routing, PCAP, MSDP,and BFD. (One license required per chassis.)

50

DS1410024 Ethernet Routing Switch 8600 Advanced LicenseKit for up to 100 chassis. Enabled features: BGP4,IPv6 Routing, PCAP, MSDP, and BFD. (Onelicense required per chassis.)

100

DS1410026 Ethernet Routing Switch 8600 Premier Licensekit for one chassis. Enabled features: AdvancedLicense features, plus, VRF-Lite, MP-BGP, IP-VPNMPLS RFC4364/2547, IP-VPN-Lite (IP-in-IP)and Multicast Virtualization for VRF-lite (IGMP,PIM-SM/SSM). (One license required per chassis.)

1

DS1410027 Ethernet Routing Switch 8600 Premier License Kitfor up to 10 chassis. Enabled features: AdvancedLicense features, plus, VRF-Lite, MP-BGP, IP-VPNMPLS RFC4364/2547, IP-VPN-Lite (IP-in-IP)and Multicast Virtualization for VRF-lite (IGMP,PIM-SM/SSM). (One license required per chassis.)

10

DS1410028 Ethernet Routing Switch 8600 Premier License Kitfor up to 50 chassis. Enabled features: AdvancedLicense features, plus, VRF-Lite, MP-BGP, IP-VPNMPLS RFC4364/2547, IP-VPN-Lite (IP-in-IP)and Multicast Virtualization VRF-lite (IGMP,PIM-SM/SSM). (One license required per chassis.)

50

DS1410029 Ethernet Routing Switch 8600 Premier License Kitfor up to 100 chassis. Enabled features: AdvancedLicense features, plus, VRF-Lite, MP-BGP, IP-VPNMPLS RFC4364/2547, IP-VPN-Lite (IP-in-IP)and Multicast Virtualization for VRF-lite (IGMP,PIM-SM/SSM). (One license required per chassis.)

100


NN46205-605 02.05 28 April 2010


.

License transfer 325

License certificatesEach Advanced or Premier License Kit contains a License Certificate witha License Authorization Code (LAC) that enables a specific number oflicenses for one or multiple Ethernet Routing Switch 8600 switches. EachEthernet Routing Switch 8600 switch requires and uses only one licensefile to unlock features associated with that license. A single license filecan contain up to 100 Base MAC addresses for installation on multipleEthernet Routing Switch 8600 switches.

The License Certificate has printed instructions detailing how to depositlicense entitlements (LACs) into a license bank, enter switch base MACaddresses and create the license file. It also has instructions on howto copy the license file onto each switch to unlock additional featuresassociated with a license.

License file generationAfter you purchase a license, you must generate the license file usingthe Nortel Electronic Licensing portal. The licensing portal works onthe concept of a license bank—an electronic repository for all licenseentitlements and licenses. License entitlements are deposited into yourlicense bank when you enter a License Authorization Code (LAC). TheLAC is provided on the License Certificate when you purchase the license.

The software license file is based on authorized chassis base MACaddresses. You can generate an individual license file with one or multiplechassis base MAC addresses. You can add additional MAC addresses tothe same license file at a later time, if required. A license file can supportup to 100 unique MAC addresses.

Working with feature license filesAfter you obtain the license file to enable Advanced or Premier Licensefeatures, you must install the license file on the switch to unlock theassociated licensed features. For an Ethernet Routing Switch 8600, alicense file must be loaded on the flash.

License transferFor information about transferring a license and obtaining an updatedlicense file for the Ethernet Routing Switch 8600, see “License transfer”(page 345).


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

327.

Ethernet Routing Switch 8600 licensingGenerate and install license files to enable advanced and premier featureson your Nortel Ethernet Routing Switch 8600.

Prerequisites to Ethernet Routing Switch 8600 licensing• You must purchase the appropriate license for the additional

switch features. For more information, contact your Nortel salesrepresentative.

Ethernet Routing Switch 8600 licensing tasksThis work flows shows you the sequence of tasks you perform to configurelicensed features. To link to a task, go to “Ethernet Routing Switch 8600licensing navigation” (page 328).

Figure 6Licensing tasks


NN46205-605 02.05 28 April 2010


.

328 Ethernet Routing Switch 8600 licensing

Ethernet Routing Switch 8600 licensing navigation

• “Generating a license” (page 329)

• “Installing a license file using Device Manager” (page 333)

• “Installing a license file using the CLI” (page 337)

• “Installing a license file using the NNCLI” (page 341)


NN46205-605 02.05 28 April 2010


.

329.

License generationGenerate the license file you need to enable licensed features on thesystem. This task is independent of loading the license file on to theswitch.

Navigation• “Generating a license” (page 329)

Generating a licenseGenerate a license to enable licensed features on the switch by performingthis procedure.

Prerequisites

• You must have a purchased Ethernet Routing Switch 8600 license kitcontaining a License Certificate with a License Authorization Code(LAC).

• Before you generate a license file, you need to obtain the EthernetRouting Switch 8600 base MAC address that you want to enablelicensed features on. The base MAC address can be found by usingthe following CLI command:show sys info

You can also find the base MAC address by using the Nortel Networkscommand line interface (NNCLI) command:show sys-info

For sample output from these commands, see “Job aid” (page 332).

Procedure steps

Step Action

1 Go to the Nortel Electronic Licensing portal atwww.nortellicensing.com


NN46205-605 02.05 28 April 2010


.

http://support.avaya.com/licensemanagement

330 License generation

2 Type your contact information in the required boxes.

3 Create a new license bank or provide details for an existinglicense bank to deposit licenses.

4 Select an E-mail notification option. Newly generated licensesare always sent to the nominated E-mail address.

5 Enter the License Authorization Code provided on the LicenseCertificate when you purchased the license.

6 Click Submit.

A new screen appears while the portal activates and depositsthe associated number of licenses in the license bank. Do notleave the page or close your Web browser. Upon successfulcompletion, a confirmation message appears.

7 Click Go to License Bank to Download license.

The License Bank screen appears and displays informationabout the License Authorization Code just activated.

8 Click Generate License.

The Generate License screen appears.

9 Enter the required details for the license file.

For additional information, see “Variable definitions” (page 330).

10 Click Generate License File.

A confirmation message appears. The license file is immediatelysent to the nominated E-mail address set up with the licensebank. You can choose to return to the license bank or log outfrom the licensing portal.

ATTENTIONThe license file is a compressed binary file. It is important that whiledownloading or saving this file, the browser does not automaticallydecompress this file.

--End--

Variable definitionsUse the data in the following table to complete the Generate licensescreen.

Variable Value

Switch MAC Address Specifies the base MAC address ofthe switch for which the license file isbeing generated. Follow the exampleformat displayed next to the entry box.


NN46205-605 02.05 28 April 2010


.

Generating a license 331

Variable Value

File Name of List of MAC Addresses Specifies the file name containingmultiple base MAC addresses of theswitches for which the license file isbeing generated. The file must bean ASCII text file and adhere to thefollowing rules:

• Each line must contain one MACaddress (use MS-DOS or UNIX lineending characters.

• The MAC addresses can be inlower or upper case charactersand must be in hexadecimal formatwith each pair (byte) separated bycolons (XX:XX:XX:XX:XX:XX).

• Do not use other characters orspaces.

• The file must contain the correctbase MAC addresses. Incorrectaddresses results in non-workinglicensed features.

• The number of MAC addressesmust not exceed the number oflicenses allowed for the LicenseAuthorization Code.

Output License File Name Specifies the name of the licensefile. The file name is limited to 63alphanumeric, lowercase characters.The underscore (_) character isallowed. Do not use spaces or specialcharacters. The filename must usea dot (.) with a three character fileextension. For example, license.dat.

ATTENTIONWhile a license file generated foran Ethernet Routing Switch 8600on the Nortel Licensing portal canbe created using any filename orextension, an Ethernet RoutingSwitch 8600 searches for a licensefilename with an extension of .datin its flash directory. Therefore,you need to ensure the destinationlicense file being copied to the


NN46205-605 02.05 28 April 2010


.

332 License generation

Variable Value

Ethernet Routing Switch 8600 has.dat as the file extension. Failureto do this results in Advanced orPremier features not being available.

User Comment 1 Provides a location for free-form,user-entered text related to the licensefile. For example, a location to assistin asset tracking.

User Comment 2 Provides a second location forfree-form, user-entered text relatedto the license file. For example, alocation to assist in asset tracking.

Job aidThe following shows sample output that is displayed when you use the CLIshow sys info command. You can also use the NNCLI show sys-infocommand to display the base MAC address.


NN46205-605 02.05 28 April 2010


.

333.

License installation using DeviceManager

Install and manage a license file for the Nortel Ethernet Routing Switch8600, using Device Manager.

Navigation• “Installing a license file using Device Manager” (page 333)

Installing a license file using Device ManagerInstall a license file on an Ethernet Routing Switch 8600 to enable licensedfeatures by performing this procedure.

Prerequisites

• You must have the license file stored on a Trivial File Transfer Protocol(TFTP) server.

• Ensure that you have the correct license file with the base MACaddress of the Ethernet Routing Switch 8600 that you are installing thelicense on. Otherwise, system does not unblock the licensed features.

• If the Ethernet Routing Switch 8600 chassis has two SF/CPU modulesinstalled, you do not need to install the license file on the secondarySF/CPU. When you enable High Availability, the primary SF/CPUcopies the license vectors to the secondary SF/CPU during tablesynchronization and the trial period counters stop. The systemcopies the license file to the secondary SF/CPU when you save theconfiguration on the primary SF/CPU.

In warm-standby mode, license vectors are not synchronized with thesecondary SF/CPU. However, the system copies the license file tothe secondary SF/CPU when you save the configuration using thesaveRuntimeConfigtoSlave option.


NN46205-605 02.05 28 April 2010


.

334 License installation using Device Manager

Procedure steps

Step Action

1 From the main Device Manager menu bar, select Edit, FileSystem.

The FileSystem dialog box appears with the Copy File tabdisplayed.

2 In the Source field, enter the IP address of the TFTP serverwhere the license file is located and the name of the license file.

3 In the Destination field, enter the flash device and the name ofthe license file.

The license file name must be lower case and have a fileextension of .dat.

4 In the Action field, select start.

5 Click Apply.

The license file is copied to the flash of the primary SF/CPUmodule. The status of the file copy is provided in the Result field.

6 From the main Device Manager menu bar, select Edit, Chassis.


7 In ActionGroup1, select loadLicense.

8 Click Apply.

ATTENTIONIf the loading fails, the switch cannot unlock the licensed features andreverts to base functionality.

9 If you have two SF/CPU modules installed, you need to save theconfiguration so that the license file is copied to the secondarySF/CPU. From the Device Manager menu bar, choose Edit,Chassis. On the System tab, select saveRuntimeConfig fromActionGroup1, and then click Apply.

--End--

Variable definitionsUse the data in the following table when copying a license file with theCopy File tab.

Variable Value

Source Identifies the IPv4 address of the TFTP server and thename of the license file that you are copying.


NN46205-605 02.05 28 April 2010


.

Installing a license file using Device Manager 335

Variable Value

Destination Specifies the location and the name of the license filewhen copied to the SF/CPU. The destination file namemust be lower case and have a file extension of .dat. Forexample, /flash/bld100_8610adv.dat or /flash/license.dat.

Action Starts the copy process or cancels the copy process.

Result Specifies the result of the copy process:• none

• inProgress

• success

• fail

• invalidSource

• invalidDestination

• outOfMemory

• outOfSpace

• fileNotFound

Job aidThe following is an example of the FileSystem, Copy File tab filled in forcopying the license file from a TFTP server to the SF/CPU flash.


NN46205-605 02.05 28 April 2010


.

336 License installation using Device Manager


NN46205-605 02.05 28 April 2010


.

337.

License installation using the CLIInstall and manage a license file for the Nortel Ethernet Routing Switch8600, using the command line interface (CLI).

Navigation• “Installing a license file using the CLI” (page 337)

• “Showing a license file using the CLI” (page 339)

Installing a license file using the CLIInstall a license file on an Ethernet Routing Switch 8600 to enable licensedfeatures by performing this procedure.

Prerequisites



• If the Ethernet Routing Switch 8600 chassis has two SF/CPU modulesinstalled, you do not need to install the license file on the secondarySF/CPU. When you enable High Availability, the primary SF/CPUcopies the license vectors to the secondary SF/CPU during tablesynchronization and the trial period counters stop. The systemcopies the license file to the secondary SF/CPU when you save theconfiguration on the primary SF/CPU.

In warm-standby mode, license vectors are not synchronized with thesecondary SF/CPU. However, the system copies the license file to thesecondary SF/CPU when you save the configuration with the save tostandby flag set to true.


NN46205-605 02.05 28 April 2010


.

338 License installation using the CLI

Procedure steps

Step Action

1 Install a license file by using the following command:

copy <a.b.c.d>:<srcfile> /flash/<destfile>

The following is an example of copying a license file from aTFTP server to the flash on an SF/CPU module of an EthernetRouting Switch 8600:

ERS-8610:5# copy 10.10.10.20:bld100_8610adv.lic/flash/bld100_8610adv.dat

2 Load the license file to unlock the licensed features.

config load-license

ATTENTIONIf the loading fails, or if the switch restarts and cannot locate a licensefile in the specified location, the switch cannot unlock the licensedfeatures and reverts to base functionality.

The following shows sample output that is displayed on theconsole when issuing a load-license command:

CPU5 [05/10/08 03:26:17] SW INFO Found serial number <00:19:69:7b:50:00> in file </flash/license.dat>

CPU5 [05/10/08 03:26:17] SW INFO LicenseSuccessfully Loaded From <license.dat> LicenseType -- PREMIER


save config

--End--

Variable definitionsUse the data in the following table to help you install a license with thecopy command.

Variable Value

<a.b.c.d> Specifies the IPv4 address of the TFTP serverwhere the license file is to be copied from.


NN46205-605 02.05 28 April 2010


.

Showing a license file using the CLI 339

Variable Value

<destfile> Specifies the name of the license file when copiedto the flash. The destination file name must belower case and have a file extension of .dat. Forexample, bld100_8610adv.dat or license.dat.

<srcfile> Specifies the name of the license file on theTFTP server. For example, bld100_8610adv.lic orlicense.dat.

Showing a license file using the CLIDisplay the existing software licenses on your switch by performing thisprocedure.

Procedure steps

Step Action

1 To display the existing software licenses on your switch, use thefollowing command:

show license

For samples of the output shown with this command, see “Jobaid” (page 339).

--End--

Job aidThe following shows two sample outputs for different licenses with theshow license command.


NN46205-605 02.05 28 April 2010


.

340 License installation using the CLI


NN46205-605 02.05 28 April 2010


.

341.

License installation using the NNCLIInstall and manage a license file for the Nortel Ethernet Routing Switch8600, using the Nortel Networks command line interface (NNCLI).

Navigation• “Installing a license file using the NNCLI” (page 341)

• “Showing a license file using the NNCLI” (page 343)

Installing a license file using the NNCLIInstall a license file on an Ethernet Routing Switch 8600 to enable licensedfeatures.

Prerequisites




• If the Ethernet Routing Switch 8600 chassis has two SF/CPU modulesinstalled, you do not need to install the license file on the secondarySF/CPU. When you enable High Availability, the primary SF/CPUcopies the license vectors to the secondary SF/CPU during table syncand the trial period countdown is stopped. This ensures that the runtime vectors of the primary and secondary SF/CPU are the same.When you save the configuration on the primary SF/CPU, the systemcopies the license file to the secondary SF/CPU.

In warm-standby mode, license vectors are not synchronized with thesecondary SF/CPU. However, the system copies the license file to thesecondary SF/CPU when you save the configuration with the save tostandby flag set to true.


NN46205-605 02.05 28 April 2010


.

342 License installation using the NNCLI

Procedure steps

Step Action

1 Install a license file by using the following command:

copy <a.b.c.d>:<srcfile> /flash/<destfile>

The following is an example of copying a license file from aTFTP server to the flash on an SF/CPU module of an EthernetRouting Switch 8600:

ERS-8610:5# copy 10.10.10.20:bld100_8610adv.lic/flash/bld100_8610adv.dat

2 Load the license file to unlock the licensed features.

load-license

ATTENTIONIf the loading fails, or if the switch restarts and cannot locate a licensefile in the specified location, the switch cannot unlock the licensedfeatures and reverts to base functionality.

The following shows sample output that is displayed on theconsole when issuing a load-license command:

CPU5 [05/10/08 03:26:17] SW INFO Found serial number <00:19:69:7b:50:00> in file </flash/license.dat>

CPU5 [05/10/08 03:26:17] SW INFO LicenseSuccessfully Loaded From <license.dat> LicenseType -- PREMIER


save config

--End--

Variable definitionsUse the data in the following table to help you install a license with thecopy command.

Variable Value

<a.b.c.d> Specifies the IPv4 address of the TFTP serverwhere the license file is to be copied from.


NN46205-605 02.05 28 April 2010


.

Showing a license file using the NNCLI 343

Variable Value

<destfile> Specifies the name of the license file when copiedto the flash. The destination file name must belower case and have a file extension of .dat. Forexample, bld100_8610adv.dat or license.dat.

<srcfile> Specifies the name of the license file on theTFTP server. For example, bld100_8610adv.lic orlicense.dat.

Showing a license file using the NNCLIDisplay the existing software licenses on your switch.

Procedure steps

Step Action

1 To display the existing software licenses on your switch, use thefollowing command:

show license

For samples of the output displayed with this command, see “Jobaid” (page 343).

--End--

Job aidThe following shows two sample outputs for different licenses with theshow license command.


NN46205-605 02.05 28 April 2010


.

344 License installation using the NNCLI


NN46205-605 02.05 28 April 2010


.

345.

License transferTransfer a license and obtain an updated license file for Nortel EthernetRouting Switch 8600. You need to transfer a license in the followingscenarios:

• Due to a chassis failure, you replaced the switch with a replacementchassis that has a new base MAC address.

• You entered an incorrect base MAC address on the Nortel ElectronicLicensing portal during the license file generation process.

• You need to transfer the license to a different switch.

Transferring a licenseTransfer a license and obtain an updated license file for an EthernetRouting Switch 8600 by performing this procedure.

Prerequisites

• Before you transfer a license, you need to obtain the new replacementEthernet Routing Switch 8600 base MAC address. The base MACaddress can be found by using the following command line interface(CLI) command:show sys info

You can also find the base MAC address by using the Nortel Networkscommand line interface (NNCLI) command:show sys-info

Procedure steps

Step Action

1 Go to the Nortel Electronic Licensing portal atwww.nortellicensing.com

2 Click License Bank on the left menu.


NN46205-605 02.05 28 April 2010


.

http://support.avaya.com/licensemanagement

346 License transfer

3 Login to the License Bank by entering the License Bank nameand password.

4 Select the appropriate License Authorization Code (LAC) entryin the License Bank associated with the license type, and thenclick View Details.

Note that a License Bank can contain many different Licensetypes for different products. Therefore, it is important that youselect the correct LAC entry for the product and license typeto access the license file containing the MAC address youwant to replace. For example, if the Ethernet Routing Switch8600 base MAC address that is being replaced is running aPremier License, then select a Premier Licence LAC to view thetransaction for the license file containing the base MAC.

ATTENTIONMAC address replacements are allocated and limited on a per LACbasis. You can replace only one MAC address in a 1 or 10 licenseLAC entry. You can replace up to 5 or 10 MAC addresses for 50 or100 license LAC deposits, respectively.

5 Within the View Details screen, select a transaction that has thelicense file name in use on the Ethernet Routing Switch 8600that is being replaced.

The same license file name can appear in several transactions;choose any transaction that has the license file name that youneed to replace. The license file always contains the latest fulllist of MAC addresses.

6 Click Replace Switch.

The Replace Switch MAC screen appears displaying the name ofthe license file and the MAC addresses that it contains.

7 In the Enter Replacement Switch MAC Address box, type thenew base MAC address.

8 In the Select the Switch MAC Address to replace list, select theMAC address that you want to replace.

Before proceeding to the next step, ensure that you selectedthe correct MAC address to be replaced, and that the new baseMAC address is correct.

9 Click Replace Switch MAC.

A screen appears confirming the MAC address replacement. Thelicense file is immediately updated, however it is not sent to thenominated License Bank E-mail address.

If the MAC replacement limit reaches for the LAC, a messageis displayed and the MAC replacement fails. If this occurs, youneed to repeat this procedure with a different LAC entry in theLicense Bank. If there are no other LAC entries in the LicenseBank, contact Nortel Technical Support.


NN46205-605 02.05 28 April 2010


.

Transferring a license 347

10 Click Return to License Bank Details.

11 Locate the transaction with the license file that is updated withthe new MAC address, and then click Download.

A File Download window appears.

12 When prompted, click Save.

You can save the license file on the PC being used to accessthe license portal. After downloading the license file, you needto install it on the new switch.

--End--


NN46205-605 02.05 28 April 2010


.

348 License transfer


NN46205-605 02.05 28 April 2010


.

349.

NTP fundamentalsThis section provides conceptual material on the Network Time Protocol(NTP). Review this content before you make changes to the NTPconfiguration

Navigation• “Overview” (page 349)

• “NTP system implementation model” (page 350)

• “Time distribution within a subnet” (page 351)

• “Synchronization” (page 352)

• “NTP modes of operation” (page 352)

• “NTP authentication” (page 353)

OverviewThe Network Time Protocol (NTP) synchronizes the internal clocks ofvarious network devices across large, diverse networks to universalstandard time. NTP runs over the User Datagram Protocol (UDP), whichin turn runs over IP. The NTP specification is documented in Request ForComments (RFC) 1305.

Every network device relies on an internal system clock to maintainaccurate time. On local devices, the internal system clock is usually setby eye or by wristwatch to within a minute or two of the actual time andis rarely reset at regular intervals. Many local clocks are battery-backeddevices that use room temperature clock oscillators that can drift as muchas several seconds each day. NTP solves this problem by automaticallyadjusting the time of the devices so that they are synchronized within amillisecond (ms) on LANs and up to a few tens of milliseconds on WANsrelative to Coordinated Universal Time (UTC).


NN46205-605 02.05 28 April 2010


.

350 NTP fundamentals

The current implementation of NTP supports only unicast client mode. Inthis mode, the NTP client, which is tailored to the limitations of the RealTime Clock (RTC) on the SF/CPU board (Dallas Semiconductors DS1307series), sends NTP time requests to other remote time servers in anasynchronous fashion. The NTP client collects four samples of time fromeach remote time server. A clock selection algorithm determines the bestserver among the selected samples based on stratum, delay, dispersionand the last updated time of the remote server. The RTC is adjusted to theselected sample from the chosen server.

NTP termsA peer is a device that runs NTP software. However, this implementationof NTP refers to peers as remote time servers that provide timeinformation to other time servers on the network and to the local NTPclient. An NTP client refers to the local network device, an EthernetRouting Switch 8600, that accepts time information from other remote timeservers.

NTP system implementation modelNTP is based on a hierarchical model that consists of a local NTP clientthat runs on the Ethernet Routing Switch 8600 and on remote timeservers. The NTP client requests and receives time information fromone or more remote time servers. The local NTP client reviews the timeinformation from all available time servers and synchronizes its internalclock to the time server whose time is most accurate. The NTP client doesnot forward time information to other devices running NTP.

Two types of time servers exist in the NTP model: primary time serversand secondary time servers. A primary time server is directly synchronizedto a primary reference source, usually a wire or radio clock that issynchronized to a radio station providing a standard time service. Theprimary time server is the authoritative time source in the hierarchy,meaning that it is the one true time source to which the other NTP devicesin the subnet synchronize their internal clocks.

A secondary time server uses a primary time server or one or moresecondary time servers to synchronize its time, forming a synchronizationsubnet, see Figure 7 "NTP time servers forming a synchronization subnet"(page 351). A synchronization subnet is a self-organizing, hierarchicalmaster-slave configuration with the primary servers at the root andsecondary servers of decreasing accuracy at successive levels.

Figure 7 "NTP time servers forming a synchronization subnet" (page351) shows NTP time servers forming a synchronization subnet.


NN46205-605 02.05 28 April 2010


.

Time distribution within a subnet 351

Figure 7NTP time servers forming a synchronization subnet

In the NTP model, the synchronization subnet automatically reconfigures ina hierarchical primary-secondary (master-slave) configuration to produceaccurate and reliable time, even if one or more primary time servers orthe path between them fails. This feature applies in a case in which allthe primary servers on a partitioned subnet fail, but one or more backupprimary servers continue to operate. If all of the primary time serversin the subnet fail, the remaining secondary servers synchronize amongthemselves.

Time distribution within a subnetNTP distributes time through a hierarchy of primary and secondaryservers, with each server adopting a stratum, see Figure 7 "NTP timeservers forming a synchronization subnet" (page 351). A stratum defineshow many NTP hops away a particular secondary time server is froman authoritative time source (primary time server) in the synchronizationsubnet. A stratum 1 time server is located at the top of the hierarchy and isdirectly attached to an external time source, typically a wire or radio clock;a stratum 2 time server receives its time through NTP from a stratum 1time server; a stratum 3 time server receives its time through NTP from astratum 2 time server, and so forth.

Each NTP client in the synchronization subnet chooses as its timesource the server with the lowest stratum number with which it isconfigured to communicate through NTP. This strategy effectively builds aself-organizing tree of NTP speakers. The number of strata is limited to 15to avoid long synchronization loops.


NN46205-605 02.05 28 April 2010


.


NTP avoids synchronizing to a remote time server whose time isinaccurate. NTP never synchronizes to a remote time server that is notitself synchronized. NTP compares the times reported by several remotetime servers.

SynchronizationUnlike other time synchronization protocols, NTP does not attempt tosynchronize the internal clocks of the remote time servers to each other.Rather, NTP synchronizes the clocks to universal standard time, using thebest available time source and transmission paths to that time source.

NTP uses the following criteria to determine the time server whose timeis best:

• The time server with the lowest stratum.

• The time server closest in proximity to the primary time server (reducesnetwork delays).

• The time server offering the highest claimed precision.

NTP accesses several (at least three) servers at the lower stratum levelbecause it can apply an agreement algorithm to detect a problem on thetime source.

NTP modes of operationNTP uses unicast client mode to enable time servers and NTP clients tocommunicate in the synchronization subnet. The Ethernet Routing Switch8600 supports only unicast client mode.

After you configure a set of remote time servers (peers), NTP creates a listthat includes each time server IP address. The NTP client uses this list todetermine the remote time servers to query for time information.

After the NTP client queries the remote time servers, the servers respondwith various timestamps, along with information about their clocks, such asstratum, precision, and time reference, see Figure 8 "NTP time serversoperating in unicast client mode" (page 353). The NTP client reviews thelist of responses from all available servers and chooses one as the bestavailable time source from which to synchronize its internal clock.

Figure 8 "NTP time servers operating in unicast client mode" (page353) shows how NTP time servers operate in unicast mode.


NN46205-605 02.05 28 April 2010


.

NTP authentication 353

Figure 8NTP time servers operating in unicast client mode

NTP authenticationYou can authenticate time synchronization to ensure that the localtime server obtains its time services only from known sources. NTPauthentication adds a level of security to your NTP configuration. Bydefault, network time synchronization is not authenticated.

If you select authentication, the Ethernet Routing Switch 8600 uses theMessage Digest 5 (MD5) algorithm to produce a message digest of thekey. The message digest is created using the key and the message, butthe key itself is not sent. The MD5 algorithm verifies the integrity of thecommunication, authenticates the origin, and checks for timeliness.

To authenticate the message, the client authentication key must matchthat of the time server. Therefore, the authentication key must be securelydistributed in advance (the client administrator must obtain the key fromthe server administrator and configure it on the client).

While a server can know many keys (identified by many key IDs) it ispossible to declare only a subset of these as trusted. The time server usesthis feature to share keys with a client that requires authenticated time andthat trusts the server, but that is not trusted by the time server.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

355.

NTP configuration using DeviceManager

This section describes how to configure the Network Time Protocol (NTP)using Device Manager.

Prerequisites to NTP configuration• Before you configure NTP, you must perform the following tasks:

— Configure an IP interface on the Ethernet Routing Switch 8600 andensure that the NTP server is reachable through this interface. Forinstructions, see Nortel Ethernet Routing Switch 8600 Configuration— IP Routing (NN46205-523).

— Ensure the Real Time Clock is present on the SF/CPU board.

ATTENTIONNTP server MD5 authentication does not support passwords (keys) that startwith a special character or that contain a space between characters.

NTP configuration proceduresThis task flow shows you the sequence of procedures you perform toconfigure basic elements of IP multicast routing. To link to a procedure,click on the procedure title in “NTP configuration navigation” (page 356).


NN46205-605 02.05 28 April 2010


.

356 NTP configuration using Device Manager

Figure 9NTP configuration procedures

NTP configuration navigation

• “Enabling NTP globally ” (page 356)

• “Adding an NTP server ” (page 357)

• “Configuring authentication keys ” (page 359)

Enabling NTP globallyEnable NTP globally on the Ethernet Routing Switch 8600 by performingthis procedure. Default values are in effect for most NTP parameters.


NN46205-605 02.05 28 April 2010


.

Adding an NTP server 357

Procedure steps

Step Action

1 From the Device Manager menu bar, select Edit, NTP.

The NTP dialog box appears with the Globals tab displayed.

2 Select the Enable check box.

3 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Globals tab.

Variable Value

Enable Activates (true) or disables (false) NTP.By default, NTP is disabled.

Interval Specifies the time interval (10–1440 minutes) between successiveNTP updates. The default interval is 15 minutes.

ATTENTIONIf NTP is already activated, this configuration does not take effectuntil you disable NTP, and then re-enable it.

Adding an NTP serverAdd a remote NTP server to the configuration by specifying its IP address.NTP adds this IP address to a list of servers, which the local NTP clientuses when it queries remote time servers for time information. The list ofqualified servers called to as a peer list.

You can configure a maximum of 10 time servers.Add an NTP server by performing this procedure.

Procedure steps

Step Action



2 Click the Server tab.

The Server tab appears.

3 Click Insert.


NN46205-605 02.05 28 April 2010


.


The NTP, Insert Server dialog box appears.

4 Specify the IP address of the NTP server.

5 Click Insert.

The IP address of the NTP server that you configured isdisplayed in the Server tab of the NTP dialog box.

--End--

Variable definitionsUse the data in the following table to configure the Server tab.

Variable Value

ServerAddress Specifies the IP address of the remote NTP server.

Enable Activates or disables the remote NTP server.

Authentication Activates or disables MD5 authentication on this NTPserver.MD5 produces a message digest of the key.MD5 verifies the integrity of the communication,authenticates the origin, and checks for timeliness.

The default is no MD5 authentication.

KeyId Specifies the key ID used to generate the MD5 digest forthis NTP server.You must specify a number between 1–214743647.The default is 0, which indicates that authentication isdisabled.

AccessAttempts Specifies the number of NTP requests sent to this NTPserver.

AccessSuccess Specifies the number of times this NTP server updated thetime.

AccessFailure Specifies the number of times this NTP server was rejectedwhile attempting to update the time.

Stratum This variable is the stratum of the server.

Version This variable is the NTP version of the server.

RootDelay This variable is the root delay of the server.

Precision This variable is the NTP precision of the server in seconds.

Reachable This variable is the NTP reach ability of the server.

Synchronized This variable is the status of synchronization with theserver.


NN46205-605 02.05 28 April 2010


.

Configuring authentication keys 359

Configuring authentication keysAssign an NTP key to use MD5 authentication on the server by performingthis procedure.

Procedure steps

Step Action



2 Click the Key tab.

The Key tab appears.

3 Click Insert.

The NTP, Insert Key dialog box appears.

4 Click Insert.

The values that you specified for the key ID and the MD5 key IDare displayed in the Key tab of the NTP dialog box.

--End--

Variable definitionsUse the data in the following table to configure the Key tab.

Variable Value

KeyId This field is the key id used to generate the MD5 digest.You must specify a value between 1–214743647.The default value is 1, which indicates that authentication isdisabled.

KeySecret This field is the MD5 key used to generate the MD5 Digest.You must specify an alphanumeric string between 0–8

ATTENTIONYou cannot specify the number sign (#) as a value in theKeySecret field. The NTP server interprets the # as thebeginning of a comment and truncates all text entered afterthe #. This limitation applies to xntpd, the NTP daemon,version 3 or lower.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

361.

NTP configuration using the CLIThis section describes how to configure the Network Time Protocol (NTP)using the command line interface (CLI).

Prerequisites to NTP configuration• Before you configure NTP, you must perform the following tasks:




NTP configuration proceduresThis task flow shows you the sequence of procedures you perform toconfigure the NTP. To link to a procedure, click on the procedure title in“NTP configuration navigation” (page 362).


NN46205-605 02.05 28 April 2010


.

362 NTP configuration using the CLI



• “Job aid” (page 363)

• “Enabling NTP globally” (page 363)




NN46205-605 02.05 28 April 2010


.

Enabling NTP globally 363


Table 32Job aid

Command Parameter

enable <true|false>

info

config ntp

interval <value>

create <auth_key_value> <secret_key_value>

delete <auth_key_value>

<ID>

info

<IP address>

config ntp key

set <auth_key_value> <secret_key_value>

create <ipaddr> [enable <value>][auth <value>] [key <value>]

delete <ipaddr>

info

config ntp server

set <ipaddr> [enable <value>] [auth<value>] [key <value>]

Enabling NTP globallyEnable NTP globally. Default values are in effect for most parameters.You can customize NTP by modifying parameters.Enable NTP globally by performing this procedure.

Procedure steps

Step Action

1 Enable NTP globally by using the following command:

config ntp enable true interval <value>

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the config ntp command.

Variable Value

enable <true|false> Globally activates or disables NTP.The default is false.

info Specifies current NTP settings on this NTPserver.

interval <value> Specifies the time interval between successiveNTP updates.

value is the time interval expressed inminutes in a range from 10–1440.

The default is 15.

ATTENTIONIf NTP is already activated, this configurationdoes not take effect until you disable NTP,and then reenable it.

Example of enabling NTP globally

Step Action

1 Enable NTP :

ERS-8606:5# config ntp enable true

--End--

Adding an NTP serverAdd an NTP server or modify existing NTP server parameters byperforming this procedure. You can configure a maximum of 10 timeservers.

Procedure steps

Step Action

1 Add an NTP server by using the following command:


NN46205-605 02.05 28 April 2010


.

Adding an NTP server 365

config ntp server create <ipaddr> [enable <value>] [auth<value>] [key <value>]

--End--

Variable definitionsUse the data in the following table to use the config ntp servercommand.

Variable Value

create <ipaddr> [enable<value>] [auth <value>][key <value>]

Adds an NTP server.

• ipaddr is the IP address of the NTPserver. NTP adds this address to a list ofservers. The local NTP server consults thislist of servers for time information.

• enable value activates (true) or disables(false) the NTP server. The default isenable.

• auth value activates (true) or disables(false) MD5 authentication on thisNTP server. The default is no MD5authentication.

• key value specifies the key ID valueused to generate the MD5 digest for thisNTP server. The value range is an integerfrom 1–2147483647. The default value is0, which indicates that authentication isdisabled.

delete <ipaddr> Deletes the NTP server.

• ipaddr is the IP address of the NTPserver you want to delete.

info Specifies NTP server configuration settings onthe switch.

set <ipaddr> [enable<value>] [auth <value>][key <value>]

Use to modify NTP server parameters.

• ipaddr is the IP address of the NTPserver.

• enable value activates (true) or disables(false) the NTP server. The default isenable.

• auth value activates (true) or disables(false) MD5 authentication on this


NN46205-605 02.05 28 April 2010


.


Variable Value

NTP server. The default is no MD5authentication.

• key value specifies the key ID value usedto generate the MD5 digest for this NTPserver.

• The value range is an integer from1–2147483647. The default value is 0,which indicates that authentication isdisabled.

Example of adding an NTP server

Step Action

1 Add an NTP server:

ERS-8606:5# config ntp server create 47.140.53.187enable true

2 View the current configuration:

ERS-8606:5# config ntp serverERS-8606:5/config/ntp/server# info

Sub-Context:Current Context:create :Server Ip Enabled Auth Key Id 47.140.53.187 true false 0

delete : N/Aset : N/A

--End--

Configuring authentication keysConfigure NTP authentication keys to use MD5 authentication byperforming this procedure.

Procedure steps

Step Action

1 Create an authentication key by using the following command:

config ntp key create <auth_key_value> <secret_key_value>


NN46205-605 02.05 28 April 2010


.


2 Enable MD5 authentication for the server by using the followingcommand:

config ntp server set <IP address> auth true

3 Assign an authentication key to the server by using the followingcommand:

config ntp server set <IP address> key <ID>

--End--

Variable definitionsUse the data in the following table to use the config ntp key command.

Variable Value

create <auth_key_value><secret_key_value>

Adds an MD5 authentication key entryto the list where:

• auth_key_value is the keyID used to generate the MD5digest. Specify a value between1–2147483647. The default is 0.

• secret_key_value is the MD5key ID used to generate the MD5digest. Specify an alphanumericstring between 0–8 characters.

delete <auth_key_value> Delete an MD5 authentication keyentry from the list.

• auth_key_value is the key IDused to generate the MD5 digest.

<ID> Specifies the entry ID of theauthentication key to apply to theNTP server.

info Display NTP authentication keyconfiguration settings.


NN46205-605 02.05 28 April 2010


.


Variable Value

<IP address> Specifies the IP address of the NTPserver for which you are enabling MD5authentication.

set <auth_key_value><secret_key_value>

Modifies a MD5 authentication keyvalue where:

• auth_key_value is the keyID used to generate the MD5digest. Specify a value between1–2147483647. The default is 0.

• secret_key_value is the MD5key ID used to generate the MD5digest. Specify an alphanumericstring between 0–8 characters.

Example of configuring an NTP authentication key

Step Action

1 Create the authentication key:

ERS-8606:5# config ntp keyERS-8606:5/config/ntp/key# create 5 18

2 Enable MD5 authentication for the NTP server:

ERS-8606:5#

config ntp server set 47.140.53.187 auth true

3 Assign an authentication key to the NTP server:

ERS-8606:5/config/ntp/server#

set 47.140.53.187 key 5

--End--


NN46205-605 02.05 28 April 2010


.

369.

NTP configuration using the NNCLIThis section describes how to configure the Network Time Protocol (NTP)using the Nortel Networks command line interface (NNCLI).

Prerequisites to NTP configuration• Unless otherwise stated, to perform the procedures in this section, you

must log on to the Global Configuration mode in the NNCLI. For moreinformation about using NNCLI, see Nortel Ethernet Routing Switch8600 User Interface Fundamentals (NN46205-308).

• Before you configure NTP, you must perform the following tasks:




NTP configuration proceduresThis task flow shows you the sequence of procedures you perform toconfigure NTP. To link to a procedure, click on the procedure title in “NTPconfiguration navigation” (page 370).


NN46205-605 02.05 28 April 2010


.

370 NTP configuration using the NNCLI



• “Job aid” (page 371)

• “Enabling NTP globally” (page 371)




NN46205-605 02.05 28 April 2010


.

Enabling NTP globally 371


Table 33Job aid

Command Parameter


authentication-key <1-2147483647><word>

ntp

interval <10-1440>

auth-enable

authentication-key <0-2147483647>

ntp server <A.B.C.D>

enable

Enabling NTP globallyEnable NTP globally. Default values are in effect for most parameters.You can customize NTP by modifying parameters.Enable NTP globally by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Enable NTP globally by using the following command:

ntp interval <10-1440>


ntp authentication-key <1-2147483647> <word>

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the ntp command.

Variable Value

authentication-key<1-2147483647> <word>

Creates an authentication key for MD5authentication.To set this option to the default value, use thedefault operator with the command.

interval <10-1440> Specifies the time interval, in minutes, betweensuccessive NTP updates.

• interval is expressed as an integer in arange from 10–1440

The default value is 15.To set this option to the default value, use thedefault operator with the command.

ATTENTIONIf NTP is already activated, this configurationdoes not take effect until you disable NTP,and then re-enable it.

Adding an NTP serverAdd an NTP server or modify existing NTP server parameters byperforming this procedure. You can configure a maximum of 10 timeservers.

Prerequisites


Procedure steps

Step Action

1 Add an NTP server by using the following command:

ntp server <A.B.C.D>

2 Configure additional options for the NTP server by using thefollowing command:

ntp server <A.B.C.D> [auth-enable] [authentication-key<0-2147483647>] [enable]

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the ntp server command.

Variable Value

auth-enable Activates MD5 authentication on this NTPserver.The default is no MD5 authentication.To set this option to the default value, use thedefault operator with the command.

authentication-key<0-2147483647>

Specifies the key ID value used to generatethe MD5 digest for the NTP server.The value range is an integer from1–2147483647.The default value is 0, which indicates disabledauthentication.To set this option to the default value, use thedefault operator with the command.

enable Activates the NTP server.To set this option to the default value, use thedefault operator with the command.

Example of adding an NTP server

Step Action

1 Add an NTP server:

ERS-8606:5(config)# ntp server 47.140.53.187

--End--

Configuring authentication keysConfigure NTP authentication keys to use MD5 authentication byperforming this procedure.

Prerequisites


Procedure steps

Step Action


ntp authentication-key <1-2147483647> <word>


NN46205-605 02.05 28 April 2010


.


2 Enable MD5 authentication for the server by using the followingcommand:

ntp server <A.B.C.D> auth-enable

3 Assign an authentication key to the server by using the followingcommand:

ntp server <A.B.C.D> authentication-key <0-2147483647>

--End--

Example of configuring an NTP authentication key

Step Action

1 Create the authentication key:

ERS-8606:5(config)# ntp authentication-key 5 test

2 Enable MD5 authentication for the NTP server:

ERS-8606:5(config)#ntp server 47.140.53.187auth-enable

3 Assign an authentication key to the NTP server:

ERS-8606:5(config)#ntp server 47.140.53.187authentication-key 5

--End--


NN46205-605 02.05 28 April 2010


.

375.

DNS fundamentalsThis section provides conceptual material on the Domain Name Service(DNS) implementation for the Nortel Ethernet Routing Switch 8600.Review this content before you make changes to the configurable DNSoptions.

Navigation• “DNS client” (page 375)

DNS clientEvery equipment interface connected to a Transmission Control Protocolover IP (TCP/IP) network is identified with a unique IP address. You canassign a name to every machine that uses an IP address. The TCP/IPdoes not require the usage of names, but these names make the taskeasier for network managers in the following ways:

• An IP client can contact a machine with its name, which is converted toan IP address, based on a mapping table. All applications that use thisspecific machine are not dependent on the addressing scheme.

• It is easier to remember a name than a full IP address.

To establish the mapping between an IP name and an IP address you usethe Domain Name Service (DNS). DNS is a hierarchical database thatyou can distribute on several servers for backup and load sharing. Afteryou add a new hostname, update this database. The information is sentto all the different hosts. An IP client that resolves the mapping betweenthe hostname and the IP address sends a request to one of the databaseservers to resolve the name.

After you establish the mapping of IP name and IP address, the applicationis modified to use a hostname instead of an IP address. The switchconverts the hostname to an IP address.


NN46205-605 02.05 28 April 2010


.

376 DNS fundamentals

If the entry for translating the hostname to IP address is not found in thehost file, the switch queries the configured DNS server for the mappingfrom hostname to IP address. You can configure connections for up tothree different DNS servers—primary, secondary and tertiary. First theprimary server is queried, and then the secondary, and finally the tertiary.

Ping, Telnet, and copy applications are modified. You can either entera hostname or an IP address for invoking Ping, Telnet, and copyapplications.

The DNS query to remote host is not performed if the application isinvoked from the boot monitor. Only the /etc/hosts file lookup is performedfor translating the hostname to IP address when invoked from the bootmonitor.

In non-HA mode, you can configure a separate DNS server for master andslave SF/CPUs. In HA mode, you can configure a DNS server only fromthe master SF/CPU.

A log/debug report is generated for all the DNS requests sent to DNSservers and all successful DNS responses received from the DNS servers.

Nortel does not provide a default hosts file on the system. The format issimilar to the one used in a Uniplexed Information and Computing Service(UNIX) workstation. Use the editor provided on the system to create, save,or modify such a file.


NN46205-605 02.05 28 April 2010


.

377.

DNS configuration using DeviceManager

This section describes how to configure the Domain Name Service (DNS)using Device Manager.

Navigation• “Configuring the DNS client ” (page 377)

• “Querying the DNS host” (page 378)

Configuring the DNS clientUse the DNS client to establish the mapping between an IP name and anIP address.

You can configure connections for up to three different DNSservers—primary, secondary and tertiary. First the primary server isqueried, and then the secondary, and finally the tertiary.Configure DNS client by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Diagnostics,DNS.

The DNS dialog box appears with the DNS Host tab visible.

2 Click the DNS Servers tab.

The DNS Servers tab appears.

3 Click Insert.

The DNS, Insert DNS Servers tab appears.

4 In the DnsServerListType box, select the DNs server type.

5 In the DnsServerListAddressType box, select the IP version.


NN46205-605 02.05 28 April 2010


.

378 DNS configuration using Device Manager

6 In the DnsServerListAddress box, enter the DNS server IPaddress.

7 Click Insert.

--End--

Variable definitionsUse the data in the following table to configure the DNS Servers tab.

Variable Value

DnsServerListType Configures the DNS server as primary,secondary, or tertiary.

DnsServerListAddressType Configures the DNS server address type asIPv4 or IPv6.

DnsServerListAddress Specifies the DNS server address.

• ipaddress in a.b.c.d format configuresthe IPv4 address.

• ipv6address in hexadecimal format(string length 0–46) configures the IPv6address.

DnsServerListStatus Specifies the status of the DNS server.

DnsServerListRequestCount Specifies the number of requests sent to theDNS server.

DnsServerListSuccessCount Specifies the number of successful requestssent to the DNS server.

Querying the DNS hostQuery the DNS host for information about host addresses.

You can enter either a hostname or an IP address. If you enter thehostname, this command shows the IP address corresponding to thehostname and if you enter an IP address, this command shows thehostname for the IP address.Query the DNS host by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Diagnostics,DNS.

The Dns dialog box appears with the DNS Host tab visible.


NN46205-605 02.05 28 April 2010


.

Querying the DNS host 379

2 In the HostData text box, enter the DNS host name or IPaddress.

3 Click the Query button.

--End--

Variable definitionsUse the data in the following table to use the DNS Host tab.

Variable Value

HostData Identifies the host name or host IP address.This variable is a read-only field.

HostName Identifies the host name.This variable is a read-only field.

HostAddressType Identifies the address type of the host.

HostAddress Identifies the host IP address.This variable is a read-only field.

HostSource Identifies the DNS server IP or host file.This variable is a read-only field.


NN46205-605 02.05 28 April 2010


.

380 DNS configuration using Device Manager


NN46205-605 02.05 28 April 2010


.

381.

DNS configuration using the CLIThis section describes how to configure the Domain Name Service (DNS)client using the command line interface (CLI).


• “Configuring the DNS client” (page 382)



Table 34Job aid

Command Parameter

info

delete <primary|secondary|tertiary>

domain-name <domain-name>

primary-create <IPAddress|IPv6Address>

secondary-create <IPAddress|IPv6Address>

config sys dns

tertiary-create <IPAddress|IPv6Address>

show host <hostname|ipaddress|ipv6address>

show sys dns


NN46205-605 02.05 28 April 2010


.

382 DNS configuration using the CLI

Configuring the DNS clientConfigure the Domain Name Service to establish the mapping between anIP name and an IP address.

You can configure connection for up to three different DNSservers—primary, secondary and tertiary. First the primary server isqueried, and then the secondary, and finally the tertiary.Configure DNS client by performing this procedure.

Procedure steps

Step Action

1 Configure the DNS client by using the following command:

config sys dns domain-name <domain-name> primary-create<IPAddress|IPv6Address>

2 Optionally, add addresses for additional DNS servers by usingthe following command:

config sys dns domain-name <domain-name> secondary-create <IPAddress|IPv6Address> tertiary-create<IPAddress|IPv6Address>

3 View the DNS client system status by using the followingcommand:

show sys dns

--End--

Variable definitionsUse the data in the following table to use the config sys dns command.

Variable Value

delete <primary| secondary|tertiary>

Deletes the IP address of the specifiedprimary, secondary, or tertiary DNSserver.

domain-name <domain-name> Configures the default domain name.

• domain-name is a string 0–255characters.

info Specifies the list of DNS servers, withthe status (active/inactive).


NN46205-605 02.05 28 April 2010


.

Configuring the DNS client 383

Variable Value

primary-create <IPAddress|IPv6Address>

Configures the primary DNS serveraddress.

• IPAddress in a.b.c.d formatconfigures the IP address

• IPv6Address in hexadecimalformat (string length 0–46)configures the IPv6 address

secondary-create <IPAddress|IPv6Address>

Configures the secondary DNS serveraddress.



tertiary-create <IPAddress|IPv6Address>

Configures the tertiary DNS serveraddress.



Job aidFigure 12 "Job aid" (page 384) shows sample output for the show sysdns command.


NN46205-605 02.05 28 April 2010


.


Figure 12Job aid



Procedure steps

Step Action

1 View the host information by using the following command:

show host <hostname|ipaddress|ipv6address>

--End--

Variable definitionsUse the data in the following table to use the show host command.


NN46205-605 02.05 28 April 2010


.


Variable Value

hostname Specifies the name of the host DNSserver as a string of 0–255 characters.

ipaddress Specifies the IP address of the hostDNS server in a.b.c.d format.

ipv6address Specifies the IPv6 address of the hostDNS server in hexadecimal format(string length 0–46).

Job aidFigure 13 "Job aid" (page 385) shows sample output for the show hostcommand.

Figure 13Job aid


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

387.

DNS configuration using the NNCLIThis section describes how to configure the Domain Name Service (DNS)client using the Nortel Networks command line interface (NNCLI).

Prerequisites to DNS configuration• Unless otherwise stated, to perform the procedures in this section, you

must log on to the Global Configuration mode in the NNCLI. For moreinformation about using NNCLI, see Nortel Ethernet Routing Switch8600 User Interface Fundamentals (NN46205-308).


• “Configuring the DNS client” (page 388)



Table 35Job aid

Command Parameter


show hosts <word>

show ip dns



NN46205-605 02.05 28 April 2010


.

388 DNS configuration using the NNCLI


Command Parameter

ip domain-name <word>

primary <word>

secondary <word>

ip name-server

tertiary <word>

Configuring the DNS clientConfigure the Domain Name Service to establish the mapping between anIP name and an IP address.

You can configure connection for up to three different DNSservers—primary, secondary and tertiary. First the primary server isqueried, and then the secondary, and finally the tertiary.Configure DNS client by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Configure the DNS client by using the following command:

ip domain-name <word>

2 Optionally, add addresses for additional DNS servers by usingthe following command:

ip name-server primary <word> [secondary <word>][tertiary <word>]

3 View the DNS client system status by using the followingcommand:

show ip dns

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the ip domain-name and ipname-server commands.

Variable Value

domain-name <word> Configures the default domain name.

• word is a string 0–255 characters.

primary <word> Configures the primary DNS serveraddress. Enter the IP address ina.b.c.d format for IPv4 or hexadecimalformat (string length 0–46) for IPv6.

secondary <word> Configures the secondary DNS serveraddress. Enter the IP address ina.b.c.d format for IPv4 or hexadecimalformat (string length 0–46) for IPv6.

tertiary <word> Configures the tertiary DNS serveraddress. Enter the IP address ina.b.c.d format for IPv4 or hexadecimalformat (string length 0–46) for IPv6.



Prerequisites


Procedure steps

Step Action

1 View the host information by using the following command:


NN46205-605 02.05 28 April 2010


.

390 DNS configuration using the NNCLI

show hosts <word>

--End--

Variable definitionsUse the data in the following table to use the show hosts command.

Variable Value

word Specifies one of the following:• the name of the host DNS server

as a string of 0–255 characters.

• the IP address of the host DNSserver in a.b.c.d format.

• the IPv6 address of the host DNSserver in hexadecimal format(string length 0–46).


NN46205-605 02.05 28 April 2010


.

391.

Multicast group ID fundamentalsThis section provides conceptual material on the expansion of themulticast group ID (MGID) for the Ethernet Routing Switch 8600. Reviewthis content before you make changes to the MGID reservation.

Navigation• “Introduction” (page 391)

• “Expansion” (page 391)

IntroductionThe MGID is a hardware mechanism the switch uses to send data toseveral ports simultaneously. Instead of sending the data to a specific portnumber, the data is directed to an MGID. The switch maintains a tablethat maps MGIDs to their member ports. Both virtual LAN (VLAN) and IPmulticast (IPMC) use MGIDs. The system also reserves a small number ofMGIDs.

Generally, each VLAN requires one MGID, though more are required incertain situations, such as if IST is enabled on the system; or in certainchassis modes if the VLAN is associated with an MLT. Several IPMCstreams can use a single MGID but performance begins to suffer aftermore than eight streams use one MGID.

Nortel Ethernet Routing Switch 8600 Release 4.1 provides 2048 MGIDssplit between system, VLAN, and IPMC use. Release 4.1 uses a fixedrange of 64, from 64 to 127, of those MGIDs for IPMC.

ExpansionRelease 5.1 expands the total number of MGIDs to 4096, still split betweensystem, VLAN, and IPMC. MGID expansion provides support for moreVLANs and higher performance for IPMC.


NN46205-605 02.05 28 April 2010


.

392 Multicast group ID fundamentals

MGID expansion provides a maximum VLAN mode. If you configuremaximum VLAN mode, every available MGID, except system-usedMGIDs, is used for VLANs; no IPMC traffic occurs. The system supports amaximum of 4084 VLANs.

If you do not configure the maximum VLAN mode, you can reserve MGIDsfor IPMC. You can reserve between 64 and 4084 MGIDs for IPMC. Thedefault for IPMC is 2048.

MGID expansion is available in R mode only and requires an 8692SF/CPU. If the switch does not operate in R mode, the switch usesthe same MGID allocation as if it is running Release 4.1 software. Thefollowing figure illustrates MGID allocation in various modes and releases.

Figure 14MGID allocation map


NN46205-605 02.05 28 April 2010


.

393.

Multicast group ID reservation usingDevice Manager

This section provides procedures to create multicast group ID (MGID)reservations using Device Manager.

Navigation• “Enabling maximum VLAN mode” (page 393)

• “Reserving MGIDs for IPMC” (page 394)

Enabling maximum VLAN modeEnable maximum VLAN mode to use all available MGIDs for VLANs. NoIP multicast (IPMC) traffic transmits if you enable maximum VLAN mode.Enable maximum VLAN mode by performing this procedure.

Procedure steps

Step Action



2 Click the MGID Expansion tab.

3 For NewMaxVlanResourceReservation, select Enable.

4 Click Apply.

--End--

Variable definitionsUse the data in the following tab to configure the Chassis, MGIDExpansion tab.


NN46205-605 02.05 28 April 2010


.

394 Multicast group ID reservation using Device Manager

Variable Value

NewMulticastResourceReservation Specifies the number of MGIDs toreserve for IPMC traffic. Select fromthe range of 64–4084. The defaultvalue is 2048.You cannot configure this option ifmaximum VLAN mode is activated.

MulticastResourceReservation Specifies the current IPMC MGIDreservation. The default value is 2048.

NewMaxVlanResourceReservation Activates or disables the maximumVLAN mode for MGID use.The default is disabled.

MaxVlanResourceReservation Specifies the current configurationstatus of maximum VLAN mode.The default is disabled.

UsageVlanCurrent Specifies the number of MGIDscurrently in use by VLANs.The default value is 1.

UsageVlanRemaining Specifies the number of VLANreserved MGIDs still available.The default value is 1972.

UsageMulticastCurrent Specifies the number of MGIDscurrently in use by IPMC.The default value is 0.

UsageMulticastRemaining Specifies the number of IPMCreserved MGIDs still available.The default value is 64.

Reserving MGIDs for IPMCReserve MGIDs for IPMC to increase the number of IPMC traffic streamssupported on the system by performing this procedure.

Procedure steps

Step Action



2 Click the MGID Expansion tab.

3 In NewMulticastResourceReservation, type the number ofMGIDs to reserve for IPMC.


NN46205-605 02.05 28 April 2010


.

Reserving MGIDs for IPMC 395

4 Click Apply.

--End--


NN46205-605 02.05 28 April 2010


.

396 Multicast group ID reservation using Device Manager


NN46205-605 02.05 28 April 2010


.

397.

Multicast group ID reservation usingthe CLI

This section provides procedures to create multicast group ID (MGID)reservations using the command line interface (CLI).


• “Enabling maximum VLAN mode” (page 397)



Table 36Job aid

Command Parameter

config sys set max-vlan-resource-reservation

<enable|disable>

config sys set multicast-resource-reservation <value>



NN46205-605 02.05 28 April 2010


.

398 Multicast group ID reservation using the CLI

Procedure steps

Step Action

1 Enable maximum VLAN mode by using the following command:

config sys set max-vlan-resource-reservation enable

--End--


Procedure steps

Step Action

1 Reserve MGIDs for IPMC by using the following command:

config sys set multicast-resource-reservation <value>

--End--

Variable definitionsUse the data in the following table to use theconfig sys setmulticast-resource-reservation command.

Variable Value

value Specifies the number of MGIDs toreserve for IPMC traffic. Select fromthe range of 64–4083. The defaultvalue is 2048.


NN46205-605 02.05 28 April 2010


.

399.

Multicast group ID reservation usingthe NNCLI

This section provides procedures to create multicast group ID (MGID)reservations using the Nortel Networks command line interface (NNCLI).

Prerequisites to multicast group ID reservation• To perform the procedures in this section, you must log on to the



• “Enabling maximum VLAN mode” (page 400)



Table 37Job aid

Command


sys max-vlan-resource-reservation

sys multicast-resource-reservation <value>


NN46205-605 02.05 28 April 2010


.

400 Multicast group ID reservation using the NNCLI


Prerequisites


Procedure steps

Step Action

1 Enable maximum VLAN mode by using the following command:

sys max-vlan-resource-reservation

--End--


Prerequisites


Procedure steps

Step Action

1 Reserve MGIDs for IPMC by using the following command:

sys multicast-resource-reservation <value>

--End--

Variable definitionsUse the data in the following table to use thesys multicast-resource-reservation command.


NN46205-605 02.05 28 April 2010


.

Reserving MGIDs for IPMC 401

Variable Value

value Specifies the number of MGIDs toreserve for IPMC traffic. Select fromthe range of 64–4083. The defaultvalue is 2048.To set this option to the default value,use the default operator with thecommand.


NN46205-605 02.05 28 April 2010


.

402 Multicast group ID reservation using the NNCLI


NN46205-605 02.05 28 April 2010


.

403.

Common procedures using DeviceManager

The following section describes common procedures that you use whileconfiguring and monitoring the Ethernet Routing Switch 8600 operations.

Navigation• “Showing the MTU for the system” (page 403)

• “Showing the MTU for each port” (page 404)

• “Viewing topology status information” (page 404)

• “Viewing the MIB status” (page 405)

• “Displaying flash memory and PCMCIA information for the system”(page 406)

• “Displaying flash file information for a specific SF/CPU” (page 407)

• “Displaying flash file information for the system” (page 408)

• “Displaying PCMCIA file information for a specific SF/CPU” (page 408)

• “Displaying PCMCIA file information for the system” (page 409)

• “Copying a PCMCIA or flash file” (page 409)

Showing the MTU for the systemShow the MTU configured for the entire system by performing thisprocedure.

Procedure steps

Step Action


The System dialog box appears with the System tab displayed.

2 Click on the Chassis tab.


NN46205-605 02.05 28 April 2010


.

404 Common procedures using Device Manager

The Chassis dialog box appears with the Chassis tab displayed.

3 Make sure that 9600 is selected for MTU size.

--End--

Showing the MTU for each portShow the MTU for each port by performing this procedure.

Procedure steps

Step Action

1 From the Device View, click the port for which you want todisplay information.

To select more than one port, click the first port. Then, whilepressing the Ctrl key, click on the ports for which you want todisplay information.

2 From the Device Manager menu bar, choose Edit, Port, General– Global Router (vrf 0).


3 Examine the MTU box to verify the MTU size for each port.

--End--

Viewing topology status informationView topology status information (which includes Nortel Management MIBstatus information) by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Diagnostics,Topology.

The Topology dialog box appears with the Topology tab visible.

For a description of the topology status information, see“Variable definitions” (page 404).

--End--

Variable definitionsThe following table describes the Topology tab fields.


NN46205-605 02.05 28 April 2010


.

Viewing the MIB status 405

Variable Value

IpAddr Specifies the IP address of the device.

Status Indicates whether Nortel topology is on or off for thedevice.

NmmLstChg Specifies the value of sysUpTime, the last time anentry in the network management MIB (NMM) topologytable was added, deleted, or modified, if the table didnot change since the last cold or warm start of theagent.

NmmMaxNum Specifies the maximum number of entries in the NMMtopology table.

NmmCurNum Specifies the current number of entries in the NMMtopology table.

Viewing the MIB statusView MIB status (which includes topology message status) by performingthis procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, Diagnostics,Topology.

The Topology dialog box appears with the Topology tabdisplayed.

2 Click the Topology Table tab.

The Topology Table tab appears.

For a description of the topology table, see “Variable definitions”(page 405).

--End--

Variable definitionsThe following table describes the Topology Table fields.

Variable Value

Slot Specifies the slot number in the chassis that receivedthe topology message.

Port Specifies the port that received the topology message.

IpAddr Specifies the IP address of the sender of the topologymessage.


NN46205-605 02.05 28 April 2010


.


Variable Value

SegId Specifies the segment identifier of the segment fromwhich the remote agent sent the topology message.This value is extracted from the message.

MacAddr Specifies the MAC address of the sender of thetopology message.

ChassisType Specifies the chassis type of the device that sent thetopology message.

BkplType Specifies the backplane type of the device that sent thetopology message.

LocalSeg Indicates if the sender of the topology message is onthe same Ethernet segment as the reporting agent.

CurState Specifies the current state of the sender of the topologymessage. The choices are:

• topChanged—Topology information recentlychanged.

• heartbeat—Topology information is unchanged.

• new—The sending agent is in a new state.

Displaying flash memory and PCMCIA information for the systemDisplay the amount of memory used and available for both onboard flashmemory and an installed Personal Computer Memory Card InternationalAssociation (PCMCIA) card, as well as the number of files in each location.Display flash memory and PCMCIA information for the system byperforming this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit , File System.

The Filesystem dialog box appears with the Copy File tabdisplayed.

2 Click the Device Info tab.

The Device Info tab appears.

--End--

Variable definitionsUse the data in the following table to use the Device Info tab.


NN46205-605 02.05 28 April 2010


.

Displaying flash file information for a specific SF/CPU 407

Variable Value

Slot Specifies the slot number of the SF/CPU module.

FlashBytesUsed Specifies the number of bytes used in flashmemory.

FlashBytesFree Specifies the number of bytes available for use inflash memory.

FlashNumFiles Specifies the number of files in flash memory.

PcmciaBytesUsed Specifies the number of bytes used on thePCMCIA card.

PcmciaBytesFree Specifies the number of bytes available for use onthe PCMCIA card.

PcmciaNumFiles Specifies the number of files on the PCMCIA card.

PcmciaAction Used to reset the PCMCIA card.

Result Specifies the result of the PCMCIA action.

Displaying flash file information for a specific SF/CPUDisplay information about the files in flash memory for a specific SF/CPUmodule to view general file information by performing this procedure.

Procedure steps

Step Action

1 Select an SF/CPU module.



3 Click the Flash Files tab.

The Flash Files tab appears.

--End--

Variable definitionsUse the data in the following table to use the Card, Flash Files tab.

Variable Value

Name Specifies the directory name of the flash file.

DateSpecifies the creation or modification date of the flashfile.

Size Specifies the size of the flash file.


NN46205-605 02.05 28 April 2010


.


Displaying flash file information for the systemDisplay information about the files in flash memory for all SF/CPU modulesto view general file information by performing this procedure.

Procedure steps

Step Action

1 From the Device Manager menu bar, choose Edit, File System.

2 Click the Flash Files tab.

--End--

Variable definitionsUse the data in the following table to use the Flash Files tab.

Variable Value


Name Specifies the name of the flash file.

Date Specifies the creation or modification date and time ofthe Flash file.

Size Specifies the size of the flash file in bytes.

Displaying PCMCIA file information for a specific SF/CPUDisplay information about the files stores in the PCMCIA card for aspecific SF/CPU module to view general file information by performingthis procedure.

Procedure steps

Step Action

1 Select an SF/CPU card.



3 Click the PCMCIA Files tab.

The PCMCIA Files tab appears.

--End--

Variable definitionsUse the data in the following table to use the Card, PCMCIA Files tab.


NN46205-605 02.05 28 April 2010


.

Copying a PCMCIA or flash file 409

Variable Value

Name Specifies the directory name of the PCMCIA file.

Date Specifies the creation or modification date of thePCMCIA file.

Size Specifies the size of the PCMCIA file.

Displaying PCMCIA file information for the systemDisplay information about the files stored in the PCMCIA card for allSF/CPU modules to view general file information by performing thisprocedure.

Procedure steps

Step Action


2 Click the PCMCIA Files tab.

--End--

Variable definitionsUse the data in the following table to use the PCMCIA Files tab.

Variable Value


Name Specifies the name of the PCMCIA file.

DateSpecifies the creation or modification date and time ofthe PCMCIA file.

Size Specifies the size of the PCMCIA file in bytes.

Copying a PCMCIA or flash fileCopy files between the flash and the PCMCIA. File copying and fileinformation are all related to files on the switch SF/CPU module.Copy a PCMCIA or flash file by performing this procedure.

Procedure steps

Step Action


The FileSystem dialog box appears with the Copy File tab active.



NN46205-605 02.05 28 April 2010


.


3 Click Apply.

--End--

Variable definitionsUse the data in the following table to configure the Copy File tab.

Variable Value

Source Identifies the source file to copy from the flash/PCMCIAor the config file on the NVRAM or trace file.

Destination Identifies the device and the file name (optional) towhich the source file is to be copied.The destination options are• flash

• PCMCIA

• NVRAM

Trace files are not a valid destination.

Action Starts the copy process or cancels the copy process.

Result Specifies the result of the copy process:

• none

• inProgress

• success

• fail

• invalidSource

• invalidDestination

• outOfMemory

• outOfSpace

• fileNotFound


NN46205-605 02.05 28 April 2010


.

411.

Common procedures using the CLIThe following section describes common procedures that you use whileconfiguring and monitoring the Nortel Ethernet Routing Switch 8600operations.


• “Saving the boot configuration to a file” (page 413)

• “Restarting the switch” (page 415)

• “Resetting the switch” (page 416)

• “Accessing the standby SF/CPU” (page 416)

• “Pinging an IP device” (page 417)

• “Pinging an IPX device” (page 418)

• “Calculating the MD5 digest” (page 419)

• “Resetting system functions” (page 421)

• “Sourcing a configuration” (page 423)


Table 38Job aid

Command Parameter

<file>

config <value>

boot

-y


NN46205-605 02.05 28 April 2010


.

412 Common procedures using the CLI


Command Parameter

cpuswitchover

info

resetconsole

resetcounters


resetmodem

wildcard (*

)

-f <checksum-file-name>

-r

-a

md5

-c

peer <operation>

count value

-d

datasize value

HostName/ipv4address/ipv6address

-I

-s

scopeid value

-t

ping

vrf <value>

ipxhost

count

-s

-q

pingipx

-t

reset

verbose

standby <value>

save <savetype> [file <value>]

backup <value>

stop

debug

source <file>

syntax


NN46205-605 02.05 28 April 2010


.

Saving the boot configuration to a file 413

Saving the boot configuration to a fileSave a boot configuration to a file to retain the configuration settings byperforming this procedure. You can configure the switch to load a specificconfiguration file.

CAUTIONRisk of data lossIf a Personal Computer Memory Card International Association(PCMCIA) card is removed before a write operation is complete,the file can contain a corrupted end of file (EOF) marker. Beforeremoving the PCMCIA card, execute the command line interface(CLI) command stop-pcmcia.

Prerequisites

• Some PCMCIA cards become file allocation table (FAT) corrupted afteryou insert them into the PC-card slot. If this situation occurs, format orrepair the FAT on the card.

• The boot configuration file must be named boot.cfg for the system toboot using it.

• To save a file to the standby SF/CPU, you must enable Trivial FileTransfer Protocol (TFTP) on the standby SF/CPU.

Procedure steps

Step Action

1 Save the configuration by using the following command:

save <savetype> [file <value>] [verbose] [standby<value>] [backup <value>]

--End--

Variable definitionsUse the data in the following table to use the save command.


NN46205-605 02.05 28 April 2010


.


Variable Value

backup

<value>

Saves the specified file name andidentifies the file as a backup file.value uses one of the followingformats:• [a.b.c.d]:<file>

• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>

file is a string of 1–99 characters.

file

<value>

Specifies the file name in one of thefollowing formats for value:• [a.b.c.d]: <file>

• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>


savetype Specifies what to save.Values for this parameter include:• config

• bootconfig

• log

• trace

• clilog

standby

<value>

Saves the specified file name to thestandby SF/CPU in the followingformat for value:• filename, /pcmcia/ <file>

• /flash/ <file>


verbose Saves the default and currentconfiguration. If you omit thisparameter, the command savesonly parameters you changed.

Example of saving the boot configuration to a file

Step Action

1 Save a boot configuration file as a backup file by using thefollowing command:


NN46205-605 02.05 28 April 2010


.

Restarting the switch 415

save bootconfig file boot.cfg backup2

--End--

Restarting the switchRestart the switch to implement configuration changes or recover from asystem failure. When you restart the system, you can specify the bootsource (flash, PCMCIA card, or TFTP server) and file name. If you donot specify a device and file, the run-time CLI uses the software andconfiguration files on the primary boot device that is defined by the BootMonitor choice command.

After the switch restarts normally, a cold trap is sent within 45 secondsafter a restart. If a single strand fiber (SSF) switchover occurs, awarm-start management trap is sent within 45 seconds of a restart.Restart the switch by performing this procedure.

Procedure steps

Step Action

1 Restart the switch by using the following command:

boot [<file>] [config <value>] [-y]

ATTENTIONEntering the boot command with no arguments causes the switch tostart using the current boot choices defined by the choice command(next).

--End--

Variable definitionsUse the data in the following table to use the boot command.

Variable Value

config <value> Specifies the software configurationdevice and file name in the format:[a.b.c.d:]<file> /pcmcia/<file>/flash/<file>. The file name, includingthe directory structure, can include upto 99 characters.


NN46205-605 02.05 28 April 2010


.


Variable Value

file Specifies the software image deviceand file name in the format:[a.b.c.d:]<file> /pcmcia/<file>/flash/<file>. The file name, includingthe directory structure, can include upto 99 characters.

-y Suppresses the confirmation messagebefore the switch restarts. If you omitthis parameter, you are asked toconfirm the action before the switchrestarts.

Resetting the switchReset the switch to reload system parameters from the most recentlysaved configuration file by performing this procedure.

Procedure steps

Step Action

1 Reset the switch by using the following command:

reset

--End--

Accessing the standby SF/CPUAccess the standby SF/CPU to make changes to the standby SF/CPUwithout reconnecting to the console port on that module by performingthis procedure.

Prerequisites

• The Telnet daemon is activated.

• You must set an rlogin access policy on the standby SF/CPU beforeyou can use the peer command to access it from the master SF/CPUusing rlogin. To set an access policy on the standby SF/CPU, connecta terminal to the Console port on the standby SF/CPU. For moreinformation about the access policy commands, see Nortel EthernetRouting Switch 8600 Fundamentals — User Interfaces (NN46205-308).


NN46205-605 02.05 28 April 2010


.

Pinging an IP device 417

Procedure steps

Step Action

1 Access the standby SF/CPU by using the following command:

peer <operation>

--End--

Variable definitionsUse the data in the following table to use the peer command.

Variable Value

operation Specifies either Telnet or remote login(rlogin).

Pinging an IP devicePing a device to test the connection between the Ethernet Routing Switch8600 and another network device. After you ping a device, an InternetControl Message Protocol (ICMP) packet is sent from the switch to thetarget device. If the device receives the packet, it sends a ping reply.After the switch receives the reply, a message appears indicating that thespecified IP address is alive. If no reply is received, the message indicatesthat the address is not responding.Ping an IP device by performing this procedure.

Procedure steps

Step Action

1 Ping an IP network connection by using the following command:

ping <HostName/ipv4address/ipv6address> [scopeid<value>] [datasize <value>] [count <value>][-s] [-I<value>] [-t <value>] [-d] [vrf <value>]

--End--

Variable definitionsUse the data in the following table to use the ping command.

Variable Value

count value Specifies the number of times to ping(for IPv4) (1–9999).


NN46205-605 02.05 28 April 2010


.


Variable Value

-d Configures ping debug mode (forIPv4).

datasize value Specifies the size of ping data sent, inbytes, as follows:• 16–4076 for IPv4

• 16–65487 for IPv6


Specifies the Host Name or IPv4(a.b.c.d) or IPv6 (x:x:x:x:x:x:x:x)address (string length 1–256).

-I Specifies the interval betweentransmissions in seconds (1–60).

-s Configures the continuous ping atthe interval rate defined by the [-I]parameter (for IPv4).

scopeid value Specifies the circuit ID (for IPv6)(1–9999).

-t Specifies the no-answer time-out valuein seconds (1–120) (for IPv4).

vrf <value> Specifies the VRF name from 0–16characters..

Pinging an IPX devicePing a device to test the connection between the Ethernet Routing Switch8600 and another network device. After you ping a device, an InternetControl Message Protocol (ICMP) packet is sent from the switch to thetarget device. If the device receives the packet, it sends a ping reply.After the switch receives the reply, a message appears indicating that thespecified IP address is alive. If no reply is received, the message indicatesthat the address is not respondingPing an IPX device by performing this procedure.

Procedure steps

Step Action

1 Ping an IPX network connection by using the followingcommand:

pingipx <ipxhost> <count>[-s] [-q] [-t <value>]

--End--


NN46205-605 02.05 28 April 2010


.

Calculating the MD5 digest 419

Variable definitionsUse the data in the following table to use the pingipx command.

Variable Value

ipxhost Specifies the IP address of thenetwork node to ping

count Specifies the number of times to ping(for IPv4) (1–9999)

-s Configures a continuous ping

-q Configures quiet output (same asnonverbose mode)

-t Specifies the no-answer time-out valuein seconds (1–120)

Calculating the MD5 digestCalculate the MD5 digest to verify the MD5 checksum. The md5 commandcalculates the MD5 digest for files on the switch flash or PCMCIA andeither displays the output on screen or stores the output in a file that youspecify. An MD5 command option compares the calculated MD5 digestwith that in a checksum file on flash or PCMCIA, and the compared outputappears on the screen. By verifying the MD5 checksum, you can verifythat the file transferred properly to the switch. This command is availablefrom both the boot monitor and runtime CLI.

The MD5 file, p80a5000.md5, is provided with the Release 5.0 software.This contains the MD5 checksums of all software Release 5.0 files.Calculate the MD5 digest by performing this procedure.

ATTENTIONIf the MD5 key file parameters change, you must remove the old file and createa new file.

Prerequisites

• Use the md5 command with reserved files (for example, a passwordfile) only if you possess sufficient permissions to access these files.

• A checksum file is provided with the images for download. Transferyour image files to the switch and use the md5 command to ensurethat the checksum of the images on the switch is the same as thechecksum file.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Calculate the MD5 digest by using the following command:

md5 <filename>

--End--

Variable definitionsUse the data in the following table to use the md5 command.

Variable Value

wildcard (*) Calculates the MD5 checksum of allfiles.

-f <checksum-file-name> Stores the result of MD5 checksum toa file on flash or PCMCIA.

If the output file specified with the -foption is one of the:

• reserved filenames on the switch,the command fails with the errormessage:Error: Invalid operation.

• files for which MD5 checksum is tobe computed, the command failswith the error message:Ethernet Routing Switch-8610:5# md5 *.cfg -f config.cfgError: Invalid operationon file <filename>

If the checksum filename specified bythe -f option exists on the switch (andis not one of the reserved filenames),the following message appears on theswitch:

File exists. Do you wish tooverwrite? (y/n)


NN46205-605 02.05 28 April 2010


.

Resetting system functions 421

Variable Value

-r Reverses the output. Use with the -foption to store the output to a file.

The -r option cannot be used with the-c option.

-a Adds data to the output file instead ofoverwriting it.

You cannot use the -a option with the-c option.

-c Compares the checksum of thespecified file by <filename> withthe MD5 checksum present inthe checksum file name. You canspecify the checksum file nameusing the -f option. If the checksumfilename is not specified, the file/flash/checksum.md5 is used forcomparison.

If the supplied checksum filenameand the default file are not availableon flash, the following error messageappears:

Error: Checksum file <filename> notpresent.

The -c option also:

• calculates the checksum of filesspecified by filename

• compares the checksum with allkeys in the checksum file, even iffilenames do not match

• displays the output of comparison

Resetting system functionsReset system functions to reset all statistics counters, the modem port, theconsole port, and the operation of the switchover function by performingthis procedure.


NN46205-605 02.05 28 April 2010


.


Procedure steps

Step Action

1 Reset system functions by using the following command:


--End--

Variable definitionsUse the data in the following table to use the config sys set actioncommand.

Variable Value

cpuswitchover Resets the switch to change over to the backupSF/CPU.

info Specifies the current settings for system actions.

resetconsole Reinitializes the hardware universal asynchronousreceiver transmitter (UART) drivers. Use thiscommand only if the console or modem connectionis hung.

resetcounters Resets all the statistics counters in the switch tozero.

resetmodem Resets the modem port.

Example of resetting system functions

Step Action

1 Reset the switch to change over to the backup SF/CPU:

ERS-8606:5# config sys set action cpuswitchover

2 Reset the statistics counters:

ERS-8606:5# config sys set action resetcountersAre you sure you want to reset system counters(y/n)? y

3 Display information about the system function:

ERS-8606:5# config sys set action info

Sub-Context: clear config dump monitor show testtrace wsm Current Context:cpuswitchover : (N/A)resetconsole : (N/A)resetcounters : (N/A)


NN46205-605 02.05 28 April 2010


.

Sourcing a configuration 423

resetmodem : (N/A)ERS-8606:5#

--End--

N/A displayed in a command output indicates that the information is NotAvailable or Not Applicable.

Sourcing a configurationSource a configuration to merge a script file into the running configurationby performing this procedure.

Procedure steps

Step Action

1 Source a configuration by using the following command:

source <file> [stop] [debug] [syntax]

--End--

Variable definitionsUse the data in the following table to use the source command.

Variable Value

debug Debugs the script output.

file Specifies a filename and locationfrom 1–99 characters. Use the format{a.b.c.d:|peer:|/pcmcia/|/flash/}<file>

stop Stops the merge after an error occurs.

syntax Verifies the script syntax.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

425.

Common procedures using the NNCLIThe following section describes common procedures that you use whileconfiguring and monitoring the Nortel Ethernet Routing Switch 8600operations.

Prerequisites to common procedures• Unless otherwise stated, to perform the procedures in this section,

you must log on to the Privileged EXEC mode in the Nortel Networkscommand line interface (NNCLI). For more information about usingNNCLI, see Nortel Ethernet Routing Switch 8600 User InterfaceFundamentals (NN46205-308).


• “Saving the boot configuration to a file” (page 427)

• “Saving the current configuration to a file” (page 429)

• “Restarting the switch” (page 431)

• “Resetting the switch” (page 432)

• “Accessing the standby SF/CPU” (page 433)

• “Resetting system functions” (page 438)

• “Sourcing a configuration” (page 439)



NN46205-605 02.05 28 April 2010


.

426 Common procedures using the NNCLI

Table 39Job aid

Command Parameter


config <value>boot [<file>]

-y

peer <telnet|rlogin>

-a

-c

-f

md5 <filename>

-r

scopeid <value>

datasize <value>

count <value>

-s

-I <value>

-t <value>

-d

ping <HostName/ipv4address/ipv6address>

vrf <word>

<count>

-s

-q

pingipx <ipxhost>

-t <value>

reset -y

verbose

standby <value>

backup <word>

save bootconfig [file <word>]

mode (cli|nncli)

verbose

standby <value>

backup <word>

save config [file <word>]

mode (cli|nncli)

debug

stop

source <file>

syntax


NN46205-605 02.05 28 April 2010


.

Saving the boot configuration to a file 427


Command Parameter


cpu-switch-oversys action

reset {console|counters|modem]

Saving the boot configuration to a fileSave a boot configuration to a file to retain the configuration settings byperforming this procedure. You can configure the switch to load a specificconfiguration file.

CAUTIONRisk of data lossIf a Personal Computer Memory Card International Association(PCMCIA) card is removed before a write operation is complete,the file can contain a corrupted end of file (EOF) marker.Before removing the PCMCIA card, execute the commandpcmcia-stop.

Prerequisites



• To save a file to the standby SF/CPU, you must enable Trivial FileTransfer Protocol (TFTP) on the standby SF/CPU.


Procedure steps

Step Action


save bootconfig [file <word>] [verbose] [standby<value>] [backup <word>] [mode (cli|nncli)]

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the save bootconfigcommand.

Variable Value

backup

<word>

Saves the specified file name andidentifies the file as a backup file.word uses one of the followingformats:• [a.b.c.d]:<file>

• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>

file

is a string of 1–99 characters.

file

<word>


• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>

File


mode (cli|nncli) Saves the boot configuration in eitherCLI or NNCLI format.

standby

<word>


• /flash/ <file>

file




NN46205-605 02.05 28 April 2010


.

Saving the current configuration to a file 429


Step Action


ERS-8606:5#save bootconfig file boot.cfg modenncliFile [boot.cfg] already existing, overwrite (y/n) ?

--End--

Saving the current configuration to a fileSave the current configuration to a file to retain the configuration settingsby performing this procedure.

CAUTIONRisk of data lossIf a PCMCIA card is removed before a write operation iscomplete, the file can contain a corrupted end of file (EOF)marker. Before removing the PCMCIA card, execute thecommand pcmcia-stop.

Prerequisites



• To save a file to the standby SF/CPU, you must enable TFTP on thestandby SF/CPU.


Procedure steps

Step Action


save config [file <word>] [verbose] [standby <value>][backup <word>] [mode (cli|nncli)]

--End--


NN46205-605 02.05 28 April 2010


.


Variable definitionsUse the data in the following table to use the save config command.

Variable Value

backup

<word>

Saves the specified file name andidentifies the file as a backup file.word uses one of the followingformats:• [a.b.c.d]:<file>

• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>

file


file

<word>


• peer/<file>

• /pcmcia/ <file>

• /flash/ <file>

File


mode (cli|nncli) Saves the boot configuration in eitherCLI or NNCLI format.

standby

<word>


• /flash/ <file>

file




NN46205-605 02.05 28 April 2010


.

Restarting the switch 431


Step Action


ERS-8606:5#save bootconfig file boot.cfg modenncliFile [boot.cfg] already existing, overwrite (y/n) ?

--End--

Restarting the switchRestart the switch to implement configuration changes or recover from asystem failure. When you restart the system, you can specify the bootsource (flash, PCMCIA card, or TFTP server) and file name. If you donot specify a device and file, the run-time NNCLI uses the software andconfiguration files on the primary boot device that is defined by the BootMonitor choice command.

After the switch rerestarts normally, a cold trap is sent within 45 secondsafter a restart. If a single strand fiber (SSF) switchover occurs, awarm-start management trap is sent within 45 seconds of a restart.Restart the switch by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Restart the switch by using the following command:

boot [<file>] [config <value>] [-y]

ATTENTIONEntering the boot command with no arguments causes the switch tostart using the current boot choices defined by the choice command(next).

--End--

Variable definitionsUse the data in the following table to use the boot command.


NN46205-605 02.05 28 April 2010


.


Variable Value

file Specifies the software image deviceand file name in the format:[a.b.c.d:]<file> /pcmcia/<file>/flash/<file>. The file name, includingthe directory structure, can include upto 99 characters.

config <value> Specifies the software configurationdevice and file name in the format:[a.b.c.d:]<file> /pcmcia/<file>/flash/<file>. The file name, includingthe directory structure, can include upto 99 characters.

-y Suppresses the confirmation messagebefore the switch restarts. If you omitthis parameter, you are asked toconfirm the action before the switchrestarts.

Resetting the switchReset the switch to reload system parameters from the most recentlysaved configuration file by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Reset the switch by using the following command:

reset [-y]

--End--

Variable definitionsUse the data in the following table to use the reset command.

Variable Value

-y Suppresses the confirmation messagebefore the switch resets. If you omitthis parameter, you are asked toconfirm the action before the switchresets.


NN46205-605 02.05 28 April 2010


.

Pinging an IP device 433

Accessing the standby SF/CPUAccess the standby SF/CPU to make changes to the standby SF/CPUwithout reconnecting to the console port on that module by performingthis procedure.

Prerequisites

• The Telnet daemon is activated.

• You must set an rlogin access policy on the standby SF/CPU beforeyou can use the peer command to access it from the master SF/CPUusing rlogin. To set an access policy on the standby SF/CPU, connecta terminal to the console port on the standby SF/CPU. For moreinformation about the access policy commands, see Nortel EthernetRouting Switch 8600 Fundamentals — User Interfaces (NN46205-308).


Procedure steps

Step Action

1 Access the standby SF/CPU by using the following command:

peer <telnet|rlogin>

--End--

Variable definitionsUse the data in the following table to use the peer command.

Variable Value

(telnet|rlogin) Specifies either Telnet or rlogin to useto access the standby SF/CPU.

Pinging an IP devicePing a device to test the connection between the Ethernet Routing Switch8600 and another network device. After you ping a device, an InternetControl Message Protocol (ICMP) packet is sent from the switch to thetarget device. If the device receives the packet, it sends a ping reply.After the switch receives the reply, a message appears indicating that thespecified IP address is alive. If no reply is received, the message indicatesthat the address is not responding.Ping an IP device by performing this procedure.


NN46205-605 02.05 28 April 2010


.


Prerequisites


Procedure steps

Step Action

1 Ping an IP network connection by using the following command:

ping <HostName/ipv4address/ipv6address> [scopeid<value>] [datasize <value>] [count <value>][-s] [-I<value>] [-t <value>] [-d] [vrf <word>]

--End--

Variable definitionsUse the data in the following table to use the ping command.

Variable Value

count value Specifies the number of times to ping(for IPv4) (1–9999).

-d Configures ping debug mode (forIPv4).

datasize value specifies the size of ping data sent inbytes (for IPv4) (16–4076).


Specifies the Host Name or IPv4(a.b.c.d) or IPv6 (x:x:x:x:x:x:x:x)address (string length 1–256).

-I Specifies the interval betweentransmissions in seconds (1–60).

-s Configures the continuous ping atthe interval rate defined by the [-I]parameter (for IPv4).

scopeid value Specifies the circuit ID (for IPv6)(1–9999).

-t Specifies the no-answer time-out valuein seconds (1–120)(for IPv4).

vrf <word> Specifies the VRF name from 1–16characters..


NN46205-605 02.05 28 April 2010


.


Pinging an IPX devicePing a device to test the connection between the Ethernet Routing Switch8600 and another network device. After you ping a device, an InternetControl Message Protocol (ICMP) packet is sent from the switch to thetarget device. If the device receives the packet, it sends a ping reply.After the switch receives the reply, a message appears indicating that thespecified IP address is alive. If no reply is received, the message indicatesthat the address is not responding.Ping an IPX device by performing this procedure.

Prerequisites


Procedure steps

Step Action

1 Ping an IPX network connection by using the followingcommand:

pingipx <ipxhost> <count>[-s] [-q] [-t <value>]

--End--

Variable definitionsUse the data in the following table to use the pingipx command.

Variable Value

ipxhost Specifies the IP address of thenetwork node to ping

count Specifies the number of times to ping(for IPv4) (1–9999)

-s Configures a continuous ping

-q Configures quiet output (same asnonverbose mode)

-t Specifies the no-answer time-out valuein seconds (1–120

Calculating the MD5 digestCalculate the MD5 digest to verify the MD5 checksum. The md5 commandcalculates the MD5 digest for files on the switch flash or PCMCIA andeither displays the output on screen or stores the output in a file thatyou specify. An md5 command option compares the calculated MD5


NN46205-605 02.05 28 April 2010


.


digest with that in a checksum file on flash or PCMCIA, and displays thecompared output on the screen. By verifying the MD5 checksum, you canverify that the file transferred properly to the switch. This command isavailable from both the boot monitor and runtime NNCLI.

The MD5 file, p80a5000.md5, is provided with the Release 5.0 software.This contains the MD5 checksums of all software Release 5.0 files.Calculate the MD5 digest by performing this procedure.

ATTENTIONIf the MD5 key file parameters change, you must remove the old file and createa new file.

Prerequisites

• Use the md5 command with reserved files (for example, a passwordfile) only if you possess sufficient permissions to access these files.

• A checksum file is provided with the images for download. Transferyour image files to the switch and use the md5 command to ensurethat the checksum of the images on the switch is the same as thechecksum file.


Procedure steps

Step Action

1 Calculate the MD5 digest by using the following command:

md5 <filename> [-a] [-c] [-f] [-r]

--End--

Variable definitionsUse the data in the following table to use the md5 command.

Variable Value

-a Adds data to the output file instead ofoverwriting it.

You cannot use the -a option with the-c option.


NN46205-605 02.05 28 April 2010


.


Variable Value

-c Compares the checksum of thespecified file by <filename> withthe MD5 checksum present inthe checksum file name. You canspecify the checksum file nameusing the -f option. If the checksumfilename is not specified, the file/flash/checksum.md5 is used forcomparison.

If the supplied checksum filenameand the default file are not availableon flash, the following error messageappears:

Error: Checksum file <filename> notpresent.

The -c option also:

• calculates the checksum of filesspecified by filename

• compares the checksum with allkeys in the checksum file, even iffilenames do not match

• displays the output of comparison

-f <checksum-file-name> Stores the result of MD5 checksum toa file on flash or PCMCIA.

If the output file specified with the -foption is one of the:

• reserved filenames on the switch,the command fails with the errormessage:Error: Invalid operation.

• files for which MD5 checksum is tobe computed, the command failswith the error message:Ethernet Routing Switch-8610:5# md5 *.cfg -f config.cfgError: Invalid operationon file <filename>


NN46205-605 02.05 28 April 2010


.


Variable Value

If the checksum filename specified bythe -f option exists on the switch (andis not one of the reserved filenames),the following message appears on theswitch:

File exists. Do you wish tooverwrite? (y/n)

-r Reverses the output. Use with the -foption to store the output to a file.

The -r option cannot be used with the-c option.

Resetting system functionsReset system functions to reset all statistics counters, the modem port, theconsole port, and the operation of the switchover function by performingthis procedure.

Prerequisites

• You must log on to the Global Configuration mode of the NNCLI.

Procedure steps

Step Action

1 Change to the backup SF/CPU by using the following command:

sys action cpu-switch-over

2 Reset system functions by using the following command:

sys action reset {console|counters|modem}

--End--

Variable definitionsUse the data in the following table to use the sys action command.


NN46205-605 02.05 28 April 2010


.

Sourcing a configuration 439

Variable Value

cpuswitchover Resets the switch to change over to the backupSF/CPU.

reset {console|counters|modem}

Reinitializes the hardware universal asynchronousreceiver transmitter (UART) drivers. Use thiscommand only if the console or modem connectionis hung. Resets all the statistics counters in theswitch to zero. Resets the modem port.

Example of resetting system functions

Step Action

1 Reset the switch to change over to the backup SF/CPU:

ERS-8606:5(config)# sys action cpuswitchover

2 Reset the statistics counters:

ERS-8606:5(config)# sys action reset countersAre you sure you want to reset system counters(y/n)? y

--End--

Sourcing a configurationSource a configuration to merge a script file into the running configurationby performing this procedure.

Prerequisites

• You must log on to Privileged EXEC mode in the NNCLI.

Procedure steps

Step Action

1 Source a configuration by using the following command:

source <file> [stop] [debug] [syntax]

--End--

Variable definitionsUse the data in the following table to use the source command.


NN46205-605 02.05 28 April 2010


.


Variable Value

debug Debugs the script output.

file Specifies a filename and locationfrom 1–99 characters. Use the format{a.b.c.d:|peer:|/pcmcia/|/flash/}<file>

stop Stops the merge after an error occurs.

syntax Verifies the script syntax.


NN46205-605 02.05 28 April 2010


.

441.

CLI show command referenceThis reference information provides show commands to view theoperational status of the Nortel Ethernet Routing Switch 8600.

Navigation• “Access, logon names, and passwords” (page 441)

• “All CLI configuration ” (page 442)

• “Current switch configuration” (page 443)

• “CLI settings” (page 445)

• “Hardware information” (page 446)


• “MTU for all ports” (page 448)

• “NTP server status” (page 448)

• “Power summary” (page 449)

• “Slot power details” (page 450)

• “System status (detailed)” (page 450)

• “System status and parameter configuration” (page 451)

• “Users logged on” (page 458)

Access, logon names, and passwordsUse the show cli password command to display the CLI access, logonname, and password combinations. The syntax for this command is asfollows.

show cli password

The following figure shows output from the show cli passwordcommand.


NN46205-605 02.05 28 April 2010


.

442 CLI show command reference

Figure 15show cli password command output

All CLI configurationUse the show command to display all relevant CLI information. The syntaxfor this command is as follows.

show cli show-all [file <value>]

The following table explains parameters for this command.

Table 40Command parameters

Parameter Description

file value Specifies the filename to which output isredirected. Options include:• /pcmcia/ <file>

• /flash/ <file>

File is a string of 1 to 99 characters.

The following figure shows sample output.


NN46205-605 02.05 28 April 2010


.

Current switch configuration 443

Figure 16show cli show-all command output

Current switch configurationUse the show config command to display the current switchconfiguration. The syntax for this command is as follows.

show config [verbose] [module <value>]



NN46205-605 02.05 28 April 2010


.




verbose Specifies a complete list of all configurationinformation about the switch.

module

<value>

module <value> specifies the commandgroup for which you are requesting configurationsettings. The options are:• cli

• sys

• web

• rmon

• vlan

• port

• qos

• traffic-filter

• mlt

• stg

• ip

• ipx

• diag

• dvmrp

• radius

• atm

• ntp

• svlan

• lacp

• naap

• cluster

• bootp

• filter

• ipv6

If you make a change to the switch, it is displayed under that configurationheading. Figure 17 "show config command (partial output)" (page445) shows a subset of the output of this command.


NN46205-605 02.05 28 April 2010


.

CLI settings 445

Figure 17show config command (partial output)

If you add verbose to the show config command, the output containscurrent switch configuration including software (versions), performance,VLANs (such as numbers, port members), ports (such as type, status),routes, OSPF (such as area, interface, neighbors), memory, interface, andlog and trace files. With the verbose command, you can view the currentconfiguration and default values.

CLI settingsUse the show cli info command to display information about the CLIconfiguration. The syntax for this command is as follows.

show cli info

The following figure shows sample output from the show cli infocommand.


NN46205-605 02.05 28 April 2010


.


Figure 18show cli info command output

Hardware informationUse the show sys info command to display system status and technicalinformation about the switch hardware components. The commanddisplays several pages of information, including general information aboutthe system (such as location), chassis (type, serial number, and base MACaddress), temperature, power supplies, fans, cards, system errors, portlocks, topology status, and message control information. The syntax forthis command is as follows.

show sys info [card] [asic] [mda] [gbic]




info Specifies the current settings.

card Specifies information about all the installedmodules.

asic Specifies information about the application-specific integrated circuit (ASIC) installed on eachmodule.

mda Specifies information about installed mediadependent adapters (MDA).

gbic Specifies information about installed gigabitinterface converters (GBIC).

The following figure shows partial output from the show sys infocommand.


NN46205-605 02.05 28 April 2010


.

Memory size for secondary CPU 447

Figure 19show sys info command (partial output)

Memory size for secondary CPUUse the show boot info command to display the secondary CPU DRAMmemory size, in hexadecimal format.

The syntax for the command is as follows: show boot info


NN46205-605 02.05 28 April 2010


.


Example of show boot info command outputFollowing is an example of the screen output for the show boot infocommand.

ERS-8606:5# show boot info

CPU Slot 5: PMC280-B-MV-B-MPC7447A (1.1)

Version: 5.1.0.0/022

Memory Size: 0x10000000

MTU for all portsUse the show port info command to display the MTU values for allports on the chassis. The syntax for this command is as follows.

show port info all

The following figure shows partial output for this command.

Figure 20show port info all command (partial output)

NTP server statusUse the show ntp server stat command to view the followinginformation:

• Number of NTP requests sent to this NTP server

• Number of times this NTP server updated the time

• Number of times this NTP server was rejected attempting to updatethe time

• Stratum

• Version


NN46205-605 02.05 28 April 2010


.

Power summary 449

• Sync Status

• Reachability

• Root Delay

• Precision

The syntax for this command is as follows.

show ntp server stat

The following figure shows sample command output.

Figure 21show ntp server stat command output

Power summaryUse the show sys power info command to view a summary of thepower information for the chassis.


show sys power info


Figure 22show sys power info command output


NN46205-605 02.05 28 April 2010


.


Slot power detailsUse the show sys power slot-info command to view detailed powerinformation for each slot.


show sys power slot-info


Figure 23show sys power slot-info command output

System status (detailed)Use the show tech command to display technical information aboutsystem status and information about the hardware, software, and operationof the switch.

The information available from the show tech command includes generalinformation about the system (such as location), hardware (chassis, powersupplies, fans, and modules), system errors, boot configuration, softwareversions, memory, port information (locking status, configurations, names,interface status), VLANs and STGs (numbers, port members), OSPF(area, interface, neighbors), VRRP, IPv6, RIP, PIM, PGM, and log andtrace files. This command displays more information than the similar showsys info command. The syntax for this command is as follows.

show tech

The following figure shows representative output from the show techcommand.


NN46205-605 02.05 28 April 2010


.

System status and parameter configuration 451

Figure 24show tech command (partial output)

System status and parameter configurationUse the show sys command to view current system status and parameterconfiguration. The syntax for this command is as follows.

show sys



NN46205-605 02.05 28 April 2010


.




info [card] [asic] [mda][gbic]

Specifies system status and technicalinformation about the switch hardwarecomponents.

• card displays information about allthe installed modules.

• asic displays information aboutthe ASICS installed on eachmodule.

• mda displays information aboutinstalled Media DependentAdapters (MDA).

• gbic displays informationabout installed Gigabit InterfaceConverters (GBIC).

dns Specifies the DNS Default DomainName, see Figure 25 "show sys dnsoutput" (page 454).

eapol Specifies the Extensible AuthenticationProtocol over LAN (EAPoL) settings,see Figure 26 "show sys eapol output"(page 454).

ext-cp-limit Specifies the ext-cp-limit settings,see Figure 27 "show sys ext-cp-limitoutput" (page 454).

force-msg Specifies the message control forcemessage pattern settings, see Figure28 "show sys force-msg output" (page455).

mcast-mlt-distribution Specifies the settings formulticast over MultiLink Trunking(MLT), see Figure 29 "show sysmcast-mlt-distribution output" (page455).

mcast-software-forwarding Specifies the settings for multicastsoftware forwarding, see Figure 30"show sys mcast-software-forwardingoutput" (page 455).

msg-control Specifies the system message controlfunction status (activated or disabled),see Figure 31 "show sys msg-controloutput" (page 455).


NN46205-605 02.05 28 April 2010


.


Table 43Command parameters (cont’d.)


perf Specifies system performanceinformation, such as CPU utilization,switch fabric utilization, Non-VolatileRandom Access Memory (NVRAM)size, and NVRAM used. Theinformation is updated once a second,so it is no more than one second fromreal time, see Figure 32 "show sysperf output" (page 456).

power Specifies chassis power summary,power supply information, and powerinformation per slot basis. Options are:• info—chassis power summary

• power-supply-info—powerinformation for each power supply

• slot-info—power information foreach slot

record-reservation Specifies the number of reservedrecords and usage information foreach record type. Record typesinclude filter, IP multicasting (IPMC),MAC, and static route, see Figure 33"show sys record-reservation output"(page 456).

sw Specifies the version of softwarerunning on the switch, the last updateof that software, and the Boot ConfigTable. The Boot Config Table lists thecurrent system settings and flags, seeFigure 34 "show sys sw output" (page457).

topology Specifies the topology table. This tableshows the information that is sentto Enterprise Network ManagementSystem for creating network displays,see Figure 35 "show sys topologyoutput" (page 457).

The following figure shows output from the show sys dns command.


NN46205-605 02.05 28 April 2010


.


Figure 25show sys dns output

The following figure shows output from the show sys eapol command.

Figure 26show sys eapol output

The following figure shows output from the show sys ext-cp-limitcommand.

Figure 27show sys ext-cp-limit output

The following figure shows output from the show sys force-msgcommand.


NN46205-605 02.05 28 April 2010


.


Figure 28show sys force-msg output

The following figure shows output from the show sys mcast-mlt-distribution command.

Figure 29show sys mcast-mlt-distribution output

The following figure shows output from the show sys mcast-software-forwarding command.

Figure 30show sys mcast-software-forwarding output

The following figure shows output from the show sys msg-controlcommand.

Figure 31show sys msg-control output

The following figure shows output from the show sys perf command.


NN46205-605 02.05 28 April 2010


.


Figure 32show sys perf output

The following figure shows output from the show sys record-reservation command.

Figure 33show sys record-reservation output

The following figure shows output from the show sys sw command.


NN46205-605 02.05 28 April 2010


.


Figure 34show sys sw output

The following figure shows output from the show sys topologycommand.

Figure 35show sys topology output

Job aid

Field Description

Local Port Specifies the local port number.

IP Address Specifies the IP address.

Segment Id

MACAddress Specifies the MAC address of the system.


NN46205-605 02.05 28 April 2010


.


Field Description

ChassisType Specifies the type of chassis.

BT Back Lane Type

LS Specifies the local segment as yes or no.

CS Specifies the current state as one of thefollowing:• HtBt (Heartbeat)—topology has not

changed.

• New— the sending agent is in a new state.

Rem Port

Users logged onUse the show cli who command to display a list of users who are loggedon to the switch. The syntax for this command is as follows.

show cli who

The following figure shows output from the show cli who command.

Figure 36show cli who command output


NN46205-605 02.05 28 April 2010


.

459.

NNCLI show command referenceThis reference information provides show commands to view theoperational status of the Nortel Ethernet Routing Switch 8600.

Navigation• “Access, logon names, and passwords” (page 459)

• “Basic switch configuration” (page 460)

• “Current switch configuration” (page 460)

• “CLI settings” (page 462)

• “Hardware information” (page 463)


• “NTP server status” (page 464)

• “Power summary” (page 465)

• “Power management information” (page 466)

• “Power information for power supplies” (page 466)

• “Slot power details” (page 466)

• “System information” (page 467)

• “System status (detailed)” (page 472)

• “Users logged on” (page 473)

Access, logon names, and passwordsUse the show cli password command to display the access, logonname, and password combinations. The syntax for this command is asfollows.

show cli password

The following figure shows output from the show cli passwordcommand.


NN46205-605 02.05 28 April 2010


.

460 NNCLI show command reference

Figure 37show cli password command output

Basic switch configurationUse the show basic config command to display the basic switchconfiguration. The syntax for this command is as follows.

show basic config

The following figure shows the output of this command.

Figure 38show basic config command output

Current switch configurationUse the show running-config command to display the current switchconfiguration. The syntax for this command is as follows.

show running-config [mode (cli|nncli)][module <value>][verbose]




mode (cli|nncli) Selects the mode between CLI and NNCLI.


NN46205-605 02.05 28 April 2010


.

Current switch configuration 461


module

<value>

module <value> specifies the commandgroup for which you are requesting configurationsettings. The options are:• cli

• sys

• web

• rmon

• vlan

• port

• qos

• traffic-filter

• mlt

• stg

• ip

• ipx

• diag

• dvmrp

• radius

• atm

• ntp

• svlan

• lacp

• naap

• cluster

• bootp

• filter

• ipv6

verbose Specifies a complete list of all configurationinformation about the switch.

If you make a change to the switch, it is displayed under that configurationheading. shows a subset of the output of this command.


NN46205-605 02.05 28 April 2010


.


Figure 39show running-config partial output

If you add verbose to the show running-config command, theoutput contains current switch configuration including software (versions),performance, VLANs (such as numbers, port members), ports (such astype, status), routes, OSPF (such as area, interface, neighbors), memory,interface, and log and trace files. With the verbose command, you canview the current configuration and default values.

CLI settingsUse the show cli info command to display information about the NNCLIconfiguration. The syntax for this command is as follows.


NN46205-605 02.05 28 April 2010


.

Hardware information 463

show cli info

The following figure shows sample output from the show cli infocommand.

Figure 40show cli info command output

Hardware informationUse the show sys-info command to display system status and technicalinformation about the switch hardware components. The commanddisplays several pages of information, including general information aboutthe system (such as location), chassis (type, serial number, and base MACaddress), temperature, power supplies, fans, cards, system errors, portlocks, topology status, and message control information. The syntax forthis command is as follows.

show sys-info [asic] [card] [mda]




asic Specifies information about the application-specific integrated circuit (ASIC) installed on eachmodule.

card Specifies information about all the installedmodules.

mda Specifies information about installed mediadependent adapters (MDA).

The following figure shows partial output from the show sys-infocommand.


NN46205-605 02.05 28 April 2010


.


Figure 41show sys-info partial output

Memory size for secondary CPUUse the show boot config command to display the secondary CPUDRAM memory size, in hexadecimal format.

From the Privileged Executive command prompt, the syntax for thiscommand is as follows: show boot config general

Example of show boot config general command outputThe following is an example of the screen output for the show bootconfig general command.

ERS-8610:5#show boot config general

CPU Slot 5: PMC280-B-MV-B-MPC7447A (1.1)

Version: 5.1.0.0/022

Memory Size: 0x10000000

ERS-8610:5#

NTP server statusUse the show ntp server statistics command to view the followinginformation:

• Number of NTP requests sent to this NTP server

• Number of times this NTP server updated the time

• Number of times this NTP server was rejected attempting to updatethe time

• Stratum


NN46205-605 02.05 28 April 2010


.

Power summary 465

• Version

• Sync Status

• Reachability

• Root Delay

• Precision


show ntp server statistics


Figure 42show ntp server statistics command output

Power summaryUse the show sys power command to view a summary of the powerinformation for the chassis.


show sys power


Figure 43show sys power command sample output


NN46205-605 02.05 28 April 2010


.


Power management informationUse the show sys power global command to view a summary of thepower redundancy settings.


show sys power global


Figure 44show sys power global command sample output

Power information for power suppliesUse the show sys power power-supply command to view detailedpower information for each power supply.


show sys power power-supply


Figure 45show sys power power-supply command sample output

Slot power detailsUse the show sys power slot command to view detailed powerinformation for each slot.


NN46205-605 02.05 28 April 2010


.

System information 467


show sys power slot


Figure 46show sys power slot command sample output

System informationUse the show sys command to display system status and technicalinformation about the switch hardware components and softwareconfiguration. The command displays several pages of information,including general information about the system (such as location), chassis(type, serial number, and base MAC address), temperature, powersupplies, fans, cards, system errors, port locks, topology status, andmessage control information. The syntax for this command is as follows.

show sys



8648gtr Specifies technical information about the 8648gtrsettings, see Figure 47 "show sys 8648gtr commandoutput" (page 469).

action Specifies the configuration for the system actionparameter, see Figure 48 "show sys actioncommand output" (page 469).

dns Specifies the DNS default domain name, see Figure49 "show sys dns command output" (page 469).

ecn-compatibility Specifies the status of Explicit CongestionNotification (ECN) compatibility, either enabled ordisabled.

ext-cp-limit Specifies the ext-cp-limit settings, see Figure 50"show sys ext-cp-limit command output" (page 469).


NN46205-605 02.05 28 April 2010


.



flags Specifies the configuration of system flags, seeFigure 51 "show sys flags command output" (page470).

force-msg Specifies the message control force messagepattern settings.

global-filter Specifies the status of system global filter settings,either enabled or disabled.

mcast-smlt Specifies the settings for multicast over SplitMultiLink Trunking (MLT).

mgid-usage Specifies the multicast group ID (MGID) usage forVLANs and multicast traffic, see Figure 52 "showsys mgid-usage command output" (page 470).

msg-control Specifies the system message control functionstatus (activated or disabled), see Figure 53 "showsys msg-control command output" (page 470).

mtu Specifies system maximum transmission unit (MTU)information.

performance Specifies system performance information, such asCPU utilization, switch fabric utilization, Non-VolatileRandom Access Memory (NVRAM) size, andNVRAM used. The information is updated oncea second, see Figure 54 "show sys performancecommand output" (page 470).

power Specifies power information for the chassis.Command options are:• group—power management settings

• power-supply—power information for eachpower supply

• slot—power information for each slot

record-reservation Specifies the number of reserved records andusage information for each record type. Recordtypes include filter, IP multicasting (IPMC),MAC, and static route, see Figure 55 "show sysrecord-reservation command output" (page 471).

setting Display system settings, see Figure 56 "show syssetting command output" (page 471).

smlt-on-single-cp Specifies the settings for SMLT on a single CP.

software Specifies the version of software running on theswitch, the last update of that software, and theBoot Config Table. The Boot Config Table lists thecurrent system settings and flags, see Figure 57"show sys software command output" (page 472).


NN46205-605 02.05 28 April 2010


.



stats Specifies system statistics. For more informationabout statistics, see Nortel Ethernet Routing Switch8600 Performance Management (NN46205-704).

vlan-bysrcmac Specifies the status of VLANs created by sourceMAC address, either enabled or disabled.

The following figure shows output from the show sys 8648gtr command.

Figure 47show sys 8648gtr command output

The following figure shows output from the show sys action command.

Figure 48show sys action command output

The following figure shows output from the show sys dns command.

Figure 49show sys dns command output

The following figure shows output from the show sys ext-cp-limitcommand.

Figure 50show sys ext-cp-limit command output


NN46205-605 02.05 28 April 2010


.


The following figure shows output from the show sys flags command.

Figure 51show sys flags command output

The following figure shows output from the show sys mgid-usagecommand.

Figure 52show sys mgid-usage command output

The following figure shows output from the show sys msg-controlcommand.

Figure 53show sys msg-control command output

The following figure shows output from the show sys performancecommand.

Figure 54show sys performance command output

The following figure shows output from the show sys record-reservation command.


NN46205-605 02.05 28 April 2010


.


Figure 55show sys record-reservation command output

The following figure shows output from the show sys setting command.

Figure 56show sys setting command output

The following figure shows output from the show sys softwarecommand.


NN46205-605 02.05 28 April 2010


.


Figure 57show sys software command output

System status (detailed)Use the show tech command to display technical information aboutsystem status and information about the hardware, software, and operationof the switch.

The information available from the show tech command includes generalinformation about the system (such as location), hardware (chassis, powersupplies, fans, and modules), system errors, boot configuration, softwareversions, memory, port information (locking status, configurations, names,interface status), VLANs and STGs (numbers, port members), OSPF(area, interface, neighbors), VRRP, IPv6, RIP, PIM, PGM, and log andtrace files. This command displays more information than the similar showsys-info command. The syntax for this command is as follows.

show tech

The following figure shows representative output from the show techcommand.


NN46205-605 02.05 28 April 2010


.

Users logged on 473

Figure 58show tech command partial output

Users logged onUse the show users command to display a list of users who are loggedon to the switch. The syntax for this command is as follows.

show users

The following figure shows output from the show users command.

Figure 59show users command output


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

475.

Port numbering and MAC addressassignment reference

This section provides information about the port numbering and MediaAccess Control (MAC) address assignment used on the Nortel EthernetRouting Switch 8600.

Navigation• “Port numbering” (page 475)

• “Interface indexes” (page 476)

• “MAC address assignment” (page 477)

Port numberingA port number includes the slot location of the module in the chassis, aswell as the port position in the input/output (I/O) module. In the EthernetRouting Switch 8600, slots are numbered from top to bottom. Figure 60"8010 chassis slots" (page 476) shows slot numbering for an 8010 chassis.


NN46205-605 02.05 28 April 2010


.

476 Port numbering and MAC address assignment reference

Figure 608010 chassis slots

Ports are numbered from left to right beginning with 1 for the far leftport. On high-density modules with two rows of ports, ports in the toprow are assigned sequential odd numbers, and ports in the bottom roware assigned sequential even numbers, seeFigure 61 "Port numbers onhigh-density modules" (page 476).

Figure 61Port numbers on high-densitymodules

Interface indexesThe Simple Network Management Protocol (SNMP) uses interface indexesto identify ports, Virtual Local Area Networks (VLAN), and multilink trunks(MLT).

Port interface indexThe interface index of a port is computed using the following formula:

ifIndex = (64 x slot number) + (port number – 1)


NN46205-605 02.05 28 April 2010


.

MAC address assignment 477

where

Slot number is a value between 1–10, inclusive.Port number is a value between 1–48, inclusive.

For example, the interface index of port 1/1 is 64, and the interface indexof port 10/48 is 687.

VLAN interface indexThe interface index of a VLAN is computed using the following formula:

ifIndex = 2048 + VLAN multicast group ID (MGID)

Because the default VLAN always uses an MGID value of 1, its interfaceindex is always 2049.

MLT interface indexThe interface index of a multilink trunk (MLT) for Release 5.0 is computedusing the following formula:

ifIndex = 6143 + MLT ID number

For releases earlier than 5.0, use the following formula:

ifIndex = 4095 + MLT ID number

MAC address assignmentIt is important to understand how MAC addresses are assigned if youperform one of the following actions:

• define static Address Resolution Protocol (ARP) entries for IPaddresses in the switch

• use a network analyzer to decode network traffic

System assigns each chassis a base of 4096 MAC addresses. Within theswitch, system assigns these MAC addresses as follows:

• 512 addresses for ports in the switch (physical MAC addresses)

• 3584 addresses for VLANs in the switch (virtual MAC addresses).

— If you have the maximum VLAN resource reservation(max-vlan-resource-reservation) enabled, you can create only 2000VLANs with an IP address.

— The last 12 addresses are reserved for the SF/CPU.

A MAC address uses the format shown in the following figure.


NN46205-605 02.05 28 April 2010


.


Figure 62Parts of a MAC address

The MAC address is divided into the following parts:

• Bits 47–24: Institute of Electrical and Electronics Engineers (IEEE)Organization Unique Identity (OUI) (for example, 00-80-2d)

• Bits 23–12: Chassis ID

• Bit 11-9: Type of MAC address in the switch

If all zeroes (000), it is a port address (physical MAC address);otherwise it is a VLAN address (virtual MAC address)

• Bits 8-0: 512 port MAC addresses

• Bits 11–0: 3584 VLAN MAC addresses

Physical MAC addressesPhysical MAC addresses are addresses assigned to the physicalinterfaces or ports visible on the device. The physical MAC addresses areused in the following types of frames:

• Spanning Tree Protocol Bridge Packet Data Units (BPDU) sent by theswitch

• Frames to or from the physical interface an isolated routing port

BPDUs are sent using the physical MAC address as the source becausethe Spanning Tree Protocol must identify the physical port that sent theBPDU.

The ports on the SF/CPU module use the following last bytes:

• Management port in slot 5: 0xf4

• SF/CPU port (an internal port) in slot 5: 0xf5

• Management port in slot 6: 0xf6

• SF/CPU port in slot 6: 0xf7


NN46205-605 02.05 28 April 2010


.

MAC address assignment 479

Virtual MAC addressesVirtual MAC addresses are the addresses assigned to VLANs. Systemassigns a virtual MAC address to a VLAN when the VLAN is created. TheMAC address for a VLAN IP address is the virtual MAC address assignedto the VLAN.


NN46205-605 02.05 28 April 2010


.



NN46205-605 02.05 28 April 2010


.

481.

Customer serviceVisit the Nortel Web site to access the complete range of services andsupport that Nortel provides. Go to www.nortel.com, or go to one of thepages listed in the following sections.

Navigation• “Updated versions of documentation” (page 481)

• “Getting help” (page 481)

• “Express Routing Codes” (page 481)

• “Additional information” (page 482)

Updated versions of documentationYou can download and print the latest versions of Nortel Ethernet RoutingSwitch 8600 NTPs and Release Notes directly from the Internet atwww.nortel.com/documentation.

Getting helpIf you purchased a service contract for your Nortel product from adistributor or authorized reseller, contact the technical support staff for thatdistributor or reseller for assistance.

If you purchased a Nortel service program, you can get help bycontacting one of the Nortel Technical Solutions Centers foundat www.nortel.com/callus; or visit our Technical Support site atwww.nortel.com/support.

Express Routing CodesAn Express Routing Code (ERC) is available for many Nortel products andservices.

When you use an ERC, your call is routed to a technical support personwho specializes in supporting that particular product or service. To locatean ERC for a product or service, go to www.nortel.com/erc.


NN46205-605 02.05 28 April 2010


.

http://www.avaya.com

http://www.avaya.com/documentation

http://www.avaya.com/callus

http://www.avaya.com/support

http://www.avaya.com/erc

482 Customer service

Additional informationUse the information in the following table to access other areas of theNortel Web site.

For information about Contact

Contact Us www.nortel.com/contactus

Documentation feedback www.nortel.com/documentfeedback

Products (marketing) www.nortel.com/products

Partner Information Center (PIC) www.nortel.com/pic

Register www.nortel.com/register

Search www.nortel.com/search

Services www.nortel.com/services

Training www.nortel.com/training


NN46205-605 02.05 28 April 2010


.

http://www.avaya.com/contactus

http://www.avaya.com/documentfeedback

http://www.avaya.com/products

http://www.avaya.com/pic

http://www.avaya.com/register

http://www.avaya.com/search

http://www.avaya.com/services

http://www.avaya.com/training

483.

Index

Aaccess policies

configuring, using the CLI 297creating, using the NNCLI 313enabling globally, using the CLI 296

, 317overview of 275specifying the host and username for

rlogin, using the CLI 301access services

allowing network access for, usingthe CLI 303

allowing network access for, usingthe NNCLI 318

enabling, using the CLI 301list of 302

active SF/CPU 25ambient temperature 267autoboot, enable 211autonegotiation, on a CPU port 67, 102

Bbackup SF/CPU, activating 422, 439banner, login 124, 141baud option 70, 105baud rate, setting 70, 105, 218Boot Config tab 198boot configuration 198

displaying 80, 115saving 181

boot configuration choices,displaying 79, 114

boot configuration file 27boot configuration file, identifying 55, 90boot configuration, bypassing 30boot image, verifying after the boot

process 33

boot monitorprompt 49, 53, 87

Boot monitoraccessing 34

boot monitor image load 26boot sequence

changing 30default 51, 54, 87diagram 29summary 25

boot sequence, changing 55boot sources, viewing 55, 90boot-choice parameter 55, 90booting with factory defaults 35, 60, 95BootP (BootStrap Protocol)

enabling 67, 102bootp option 67, 102Bootp, enabling 213box-level prompt 128

Ccard

hardware version 266model number 266part number 266PCMCIA type 266serial number 266status 266types 266

chassisediting 181, 200temperature 182

chassis serial number 182CLI

logging of commands 125CLI commands

setdate 121


NN46205-605 02.05 28 April 2010


.

484

CLI configuration, displaying 79, 114CLI login banner 124commands

setdate 121, 139compression, TCP/IP headers 219config bootconfig commands

cli 53show 79, 114

config ethernet commandext-cp-limit 238

config sys commandsgeneral set 126set action 422

configurationdefault 27displaying

boot 80, 115CLI 79, 114host 80, 114serial port 80, 115SF/CPU port 80, 114

loading 27configuration file

debugging 59, 94syntax checking 63, 98

connection, testing 417–418, 433, 435connector, modem 39Console port

RS-232 port 38console, reset 181counters, reset 181counters, resetting 422, 439

Ddaylight saving time, setting 77, 112daylight-saving-time flag 35, 59, 94debug mode, enable boot 211debugmode flag 35, 60, 94default load order 27defaults

booting with 35, 60, 95login names and passwords 271switch configuration 27

dst-end option 77, 112dst-name option 77, 113dst-offset option 77, 113dst-start option 77, 113

Eegress traffic, mirroring 60, 94egress-mirror flag 35, 60, 94Extended CP Limit, configuring 205

Ffactory defaults, booting with 35, 60, 95factorydefaults flag 35, 60, 95fatal error, debug mode 35, 60, 94file names, changing 30file transfers, FTP 65, 100flag settings, displaying 80, 114flags commands

boot monitor 91boot monitor CLI 56

flash memory, onboard 87FTP transfers 65, 100FTP, enabling 60, 95FTP, enabling boot server 212ftp-debug option 64, 99ftpd flag 35, 60, 95full-duplex mode, enabling 68, 103fullduplex option 68, 103

Gglobal filtering, setting 127, 144

Hhard reset 181hardware revision 182hardware watchdog timer 36, 64, 98hash bucket display, TFTP 65, 100host commands

boot monitor CLI 64, 99host configuration, displaying 80, 114host password option 65, 100

Iidle timeout 50, 54, 87, 124image file, identifying 55, 90interface index 476IP address, assigning physical port 68

, 103IPv6

Management port address,configuring 216


NN46205-605 02.05 28 April 2010


.

485

JJumbo frames

enabling using Device Manager 199enabling using the CLI 231enabling using the NNCLI 252overview 174supported modules and interfaces 175tagged VLAN support 175

LLayer 2 SF/CPU redundancy

hot standby 174warm standby 174

LED, enabling the alternate LED 212logging flag 35, 61, 96logging, trace 36, 63, 98login banner 124, 141login names

default 271login prompt, changing using NNCLI 139Loop detection

configuring using the CLI 239configuring using the NNCLI 261

MMAC

management port address 213MAC address

block used by switch 182MAC address assignment 477management port, assigning IP

address 68, 103management port, editing 216master command 101master SF/CPU

and master command 101displaying location 80, 114master command 65

max rlogins, using NNCLI 139max Telnet sessions, using NNCLI 139message of the day 125message of the day, NNCLI 142MIBs

checking MIB topology status 404viewing the topology message

status 405modem port, resetting 439Modem port, resetting 422modem, connecting 39

modem, reset 181MTU

serial port 219mtu option 71, 105Multi-Link Trunk interface index 477my-ip option 71, 105

Nnet commands 66, 101Network Time Protocol. See NTP 349NMM (network management MIB) 405NNCLI

logging of commands 142NNCLI commands

setdate 139NNCLI login banner 141NNCLI show command reference

show sys power command 465show sys power power-supply

command 466show sys power slot command 466

NTPAccessAttempts field 358AccessFailure field 358AccessSuccess field 358authentication 353Authentication field 358best available time server 352client device 350Coordinated Universal Time (UTC) 349description 349Enable field 357–358enabling globally 363, 371hierarchical 350Interval field 357KeyID field 358–359KeySecret field 359Message Digest 5 (MD5) 353modes of operation 352peer device 350primary time server 350Real Time Clock 350secondary time server 350ServerAddress field 358stratum 351synchronization subnet 350time distribution 351UDP 349unicast client mode 350


NN46205-605 02.05 28 April 2010


.

486

Ooffset, time zone 78, 113offset-from-utc option 78, 113onboard flash memory 87

Ppassword commands 281, 292, 310password prompt 123, 140password prompt, changing using

NNCLI 139passwords

default 271PCMCIA card 66, 101PCMCIA type 266peer-ip option 71, 106performance, system 453, 468physical MAC address 478pin assignments, Modem port 39point-to-point link 71, 105port

enabling 67locking 129Modem 422, 439SF/CPU 66, 101

port locking, enabling 129port numbering 476ports

interface index 477numbering 475

power supplyviewing power supply parameters 268

PPP configuration file 219pppfile option 71, 106primary file source 87prompt

boot monitor 49, 53, 87box-level 128root-level 128, 145

prompt, password 123, 140

Rreboot flag 36, 62, 97reboot, enable on error 211redundant switch fabric modules 25remote host login, defining 64, 99remote login

number allowed, setting 49username, setting 65, 100

remote login, configuring numberallowed 123, 140

reserve records 232, 253reset

console 181counters 181hard 181modem 181soft 181

restart option 68, 71, 103, 106retransmission timeout, TFTP 65, 100Rlogin

enable boot server 212rlogind flag 36, 62, 97root-level prompt 128, 145route option 68, 103route, configuring for port 68, 103run-time configuration source 199, 211run-time configuration, saving 181run-time image 27run-time image source 199, 211

Ssaved configuration file, failure to load 54secondary file source 87serial number of cards 266serial number, chassis 182serial port

configuring 69, 103settings, displaying 80, 115

setdate command 121, 139setting the time 201SF/CPU clock synchronization 38SF/CPU network port devices 66, 101SF/CPU port, displaying

configuration 80, 114SF/CPU, accessing standby 416, 433SF/CPU, active 25SF/CPU, switch control 181show bootconfig commands 79, 114show cli commands

info 445, 462password 441, 459who 458

show cli show-all command 442show config command 443, 460show ntp server stat command 448, 464show sys commands 469–471show sys commands, info 446, 463show sys power global command


NN46205-605 02.05 28 April 2010


.

487

NNCLI 466show sys power info command 449show sys power slot-info 450show tech command 450, 472show users command 473sio commands 69, 103sio mode option 71, 105slip-compression option 72, 106slip-rx-compression option 72, 106slot numbering 476soft reset 181software version 179, 199source MAC-based VLAN, enabling 130speed option 69, 103switch configuration load 27switch fabric, redundant 25system logging 35, 61, 96system performance, verifying 453, 468System tab 178

TTCP/IP header compression 72, 106TCP/IP headers, compressing 219technical information, viewing 450, 472Telnet

enable for boot 211Telnet sessions

boot monitor 50number allowed 124, 141

telnetd flag 36, 63, 98temperature of chassis 182temperature, ambient 267tertiary file source 87TFTP hash bucket display 65, 100tftp option 69, 103TFTP retransmission timeout 65, 100TFTP server, setting 69, 103TFTP, enabling boot server 212tftp-debug option 65, 100tftp-hash command 65, 100tftp-rexmit option 65, 100tftp-timeout option 65, 100tftpd flag 36, 63, 98time server

primary 350time zone

displaying 80, 115time zone commands 76, 111time, setting 201timeout

idle 50, 54, 87TFTP 65, 100

timeout, idle 124timer, watchdog 64, 98topology 404topology table 129, 453trace logging 36, 63, 98trace-logging flag 36, 63, 98transfers, FTP 65, 100troubleshooting

configuration file does not load 54tz commands 76, 111

Uuniversal standard time 352user option 65, 100User Set Time tab 201

Vverify-config flag 36, 63, 98virtual MAC address 479VLAN interface index 477

Wwatchdog timer 36, 64, 98watchdog, enable boot timer 211wdt flag 36, 64, 98


NN46205-605 02.05 28 April 2010


.

488


NN46205-605 02.05 28 April 2010


.

Nortel Ethernet Routing Switch 8600

AdministrationRelease: 5.1Publication: NN46205-605Document revision: 02.05Document release date: 28 April 2010


While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writingNORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESSOR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.

www.nortel.com

Nortel Ethernet Routing Switch 8600 Administration

Documents

Transcript of Nortel Ethernet Routing Switch 8600 Administration