Wireless LAN Mobility System Wireless LAN Switch and Controller Command Reference WX4400 WX2200 WX1200 WXR100 http://www.3Com.com/ Part No.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
ABOUT THIS GUIDE

This command reference explains the Mobility System Software (MSS™) command-line interface (CLI) commands that you enter on a 3Com WXR100 or WX1200 Wireless Switch or WX4400 or WX2200 Wireless LAN Controller to configure and manage the Mobility System™ wireless LAN (WLAN).

Read this reference if you are a network administrator responsible for managing WXR100, WX1200, WX4400, or WX2200 wireless switches and their Managed Access Points (MAPs) in a network.
Conventions

This manual uses the following text and syntax conventions:

Table 2 Text Conventions

Convention: Description
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
[ ] (square brackets): Enclose optional parameters in command syntax.
Wireless Switch Manager Reference Manual
This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).

Wireless Switch Manager User’s Guide
This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite.

Documentation Comments
Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to Technical Support or sales should be directed in the first instance to your network supplier.
1 USING THE COMMAND-LINE INTERFACE

This chapter discusses the 3Com Wireless Switch Manager (3WXM) command-line interface (CLI).
CLI Conventions

Be aware of the following MSS CLI conventions for command entry:

“Command Prompts” on page 28
“Syntax Notation” on page 28
“Text Entry Conventions and Allowed Characters” on page 29
“User Globs, MAC Address Globs, and VLAN Globs” on page 30
“Port Lists” on page 32
“Virtual LAN Identification” on page 33

Command Prompts

By default, the MSS CLI provides the following prompt for restricted users.
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:

set port {enable | disable} port-list

Text Entry Conventions and Allowed Characters

Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
IP Address and Mask Notation

MSS displays IP addresses in dotted decimal notation — for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks.

Subnet Masks

Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks — for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Table 3 gives examples of user globs.

Table 3 User Globs

User Glob: User(s) Designated
jose@example.com: User jose at example.com
*@example.com: All users at example.com whose usernames do not contain periods — for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com: All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com: All marketing users at example.
VLAN Globs

A VLAN glob is a method for matching one of a set of local rules on a wireless LAN switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule. To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters.
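The single- and double-asterisk matching described for user globs and VLAN globs, as an added Python example that is not 3Com code. It assumes that a single asterisk stops at the delimiter characters @ and . (consistent with Table 3); the function names, the rule list and the sample usernames are constructed for illustration.

```python
import re

# Assumption: a single asterisk matches any run of characters that does not
# contain one of these delimiters. Table 3 shows the period case; the at sign
# is assumed to behave the same way.
DELIMITERS = "@."


def glob_to_regex(glob):
    """Translate a glob into a compiled regular expression.

    '**' matches everything, delimiters included.
    '*'  matches any number of characters up to, but not including, a delimiter.
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^" + re.escape(DELIMITERS) + "]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts))


def glob_matches(glob, name):
    """True when the whole name is matched by the glob."""
    return glob_to_regex(glob).fullmatch(name) is not None


def first_match(globs, name):
    """Return the first glob in an ordered rule list that matches name, or None."""
    for glob in globs:
        if glob_matches(glob, name):
            return glob
    return None


def unmatched(globs, names):
    """Names that no glob in the rule list covers, in input order."""
    return [name for name in names if first_match(globs, name) is None]


# Constructed sample data: a rule list an administrator might believe covers
# "everyone at example.com", and the usernames it is checked against.
SAMPLE_RULES = ["*@example.com", "*@marketing.example.com"]
SAMPLE_USERS = [
    "jose@example.com",
    "tamara@example.com",
    "nin.wong@example.com",
    "ann@marketing.example.com",
    "nin.wong@marketing.example.com",
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(f"{user:35} -> {first_match(SAMPLE_RULES, user)}")
    print("not covered by any rule:", unmatched(SAMPLE_RULES, SAMPLE_USERS))
```

Usernames that contain a period fall through both single-asterisk rules, so a rule list reviewed this way shows which accounts would be handled by a later rule or by none.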
A hyphen-separated range of port numbers, with no spaces. For example:

WX1200# reset port 1-3

Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:

WX1200# display port status 1-3,6

Virtual LAN Identification

The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed.

Command-Line Editing

Keyboard Shortcuts
Table 4 Keyboard Shortcuts (continued)

Keyboard Shortcut(s): Function
Ctrl+U or Ctrl+X: Deletes characters from the cursor to the beginning of the command line.
Ctrl+W: Deletes the last word typed.
Esc B: Moves the cursor back one word.
Esc D: Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key: Erases mistake made during command entry. Reenter the command after using this key.

History Buffer

Tabs
Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the help command.
To see all the variations, type one of the commands followed by a question mark (?).
2 ACCESS COMMANDS

This chapter describes access commands used to control access to the Mobility Software System (MSS) command-line interface (CLI).

Commands by Usage

This chapter presents access services commands alphabetically. Use Table 5 to locate commands in this chapter based on their use.
enable

Places the CLI session in enabled mode, which provides access to all commands required for configuring and monitoring the system.

Syntax — enable
Access — All.
History — Introduced in MSS Version 3.0.
Usage — MSS displays a password prompt to challenge you with the enable password. To enable a session, you or another administrator must have configured the enable password to this WX switch with the set enablepass command.
set enablepass

Sets the password that provides enabled access (for configuration and monitoring) to the WX switch.

Syntax — set enablepass
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — After typing the set enablepass command, press Enter. If you are entering the first enable password on this WX switch, press Enter at the Enter old password prompt. Otherwise, type the old password.
3 SYSTEM SERVICE COMMANDS

Use system services commands to configure and monitor system information for a WX switch.

Commands by Usage

This chapter presents system service commands alphabetically. Use Table 6 to locate commands in this chapter based on their use.
Table 6 System Services Commands by Usage (continued)

Type: Command
clear system on page 44
clear prompt on page 43
Help: help on page 50
History: history on page 51; clear history on page 43
License: display license on page 46; set license on page 58
Technical Support: display base-information on page 45

clear banner motd

Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the wireless LAN switch.
clear history

Deletes the command history buffer for the current CLI session.

Syntax — clear history
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — To clear the history buffer, type the following command:

WX4400# clear history
success: command buffer was flushed.

See Also
history on page 51

clear prompt

Resets the system prompt to its previously configured value.
clear system

Clears the system configuration of the specified information.

CAUTION: If you change the IP address, any currently configured Mobility Domain operations cease. You must reset the Mobility Domain.

Syntax — clear system [contact | countrycode | idle-timeout | ip-address | location | name]

contact — Resets the name of contact person for the WX switch to null.
countrycode — Resets the country code for the WX switch to null.
display banner motd

Shows the banner that was configured with the set banner motd command.

Syntax — display banner motd
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
display boot on page 674
display config on page 675
display license on page 46
display system on page 47
display version on page 677

display license

Displays information about the license currently installed on the WX switch.

Syntax — display license
Defaults — None.
Access — All.
display load

Displays CPU usage on a WX switch.

Syntax — display load
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.1.
Examples — To display the CPU load recorded from the time the WX switch was booted, as well as from the previous time the display load command was run, type the following command:

WX4400# display load
System Load: overall: 2% delta: 5%

The overall field shows the CPU load as a percentage from the time the WX switch was booted.
Examples — To show system information, type the following command:

WX4400# display system
===============================================================================
Product Name: WX4400
System Name: WX-bldg3
System Countrycode: US
System Location: first-floor-bldg3
System Contact: tamara@example.com
System IP: 192.168.12.
Table 7 display system output (continued)

Field: Description
System idle timeout: Number of seconds MSS allows a CLI management session (console, Telnet, or SSH) to remain idle before terminating the session. (The system idle timeout can be configured using the set system idle-timeout command.)
System MAC: WX switch’s media access control (MAC) machine address set at the factory, in 6-byte hexadecimal format.
License: License level installed on the WX switch (if applicable).
Table 7 display system output (continued)

Field: Description
Memory: Current size (in megabytes) of nonvolatile memory (NVRAM) and synchronous dynamic RAM (SDRAM), plus the percentage of total memory space in use, in the following format: NVRAM size /SDRAM size (percent of total)
Total Power Over Ethernet: Total power that the device is currently supplying to its directly connected MAP access points, in watts.
crypto              Crypto, use 'crypto help' for more information
delete              Delete url
dir                 Show list of files on flash device
disable             Disable privileged mode
display             Display, use 'display help' for more information
disp tech support   Display technical support information
exit                Exit from the Admin session
help                Show this help screen
history             Show contents of history substitution buffer
hit-sample-rate     Set NP hit-counter sample rate
load                Load, use 'loa
logout
monitor
ping
quit
reset
rollback
save
set
telnet
traceroute
See Also
clear history on page 43

quickstart

Runs a script that interactively helps you configure a new switch. (For more information, see the “CLI quickstart Command” section of the “WX Setup Methods” chapter in the Wireless LAN Switch and Controller Configuration Guide.)

CAUTION: The quickstart command is for configuration of a new switch only. After prompting you for verification, the command erases the switch’s configuration before continuing.
When the 3WXM server in the corporate network receives the configuration request, the server looks in the currently open network plan for a switch configuration with the same model and serial number as the one in the configuration request. If the network plan contains a configuration with a matching model and serial number, 3WXM sends the configuration to the switch and restarts the switch. The switch boots using the configuration it received from 3WXM.
Examples — The following commands stage a WX switch to use the auto-config option. The network where the switch is installed has a DHCP server, so the switch is configured to use the MSS DHCP client to obtain an IP address, default gateway address, DNS domain name, and DNS server IP addresses:

1 Configure a VLAN:

WX-1200# set vlan 1 port 7
success: change accepted.
message — Up to 32 alphanumeric characters, but not the delimiting character.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — Enable the MOTD prompt, then optionally specify a prompt message. When a user logs into the WX switch using the CLI, the configured MOTD banner is displayed, followed by the MOTD prompt message (if one is specified).
set banner motd

Configures the banner string that is displayed before the beginning of each login prompt for each CLI session on the WX switch.

Syntax — set banner motd “text”

“ — Delimiting character that begins and ends the message; for example, double quotes (“).
text — Up to 2000 alphanumeric characters, including tabs and carriage returns, but not the delimiting character (^). The maximum number of characters is approximately 24 lines by 80 characters.
set confirm

Enables or disables the display of confirmation messages for commands that might have a large impact on the network.

Syntax — set confirm {on | off}

on — Enables confirmation messages.
off — Disables confirmation messages.

Defaults — Confirmation messages are enabled.
Access — Enabled.
History — Introduced in MSS Version 3.0.
History — Introduced in MSS Version 3.0.
Usage — Use this command if the output of a CLI command is greater than the number of lines allowed by default for a terminal type.
Examples — To set the number of lines displayed to 100, type the following command:

WX4400# set length 100
success: screen length for this session set to 100

set license

Installs an upgrade license, for managing more MAPs.
48 ports are enabled
success: license was installed

The additional ports refer to the number of additional MAPs the switch can boot and actively manage.

See Also
display license on page 46

set prompt

Changes the CLI prompt for the WX switch to a string you specify.

Syntax — set prompt string

string — Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
display config on page 675
set system name on page 68

set system contact

Stores a contact name for the WX switch.

Syntax — set system contact string

string — Alphanumeric string up to 256 characters long, with no blank spaces.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.

To view the system contact string, type the display system command.

Examples — The following command sets the system contact information to tamara@example.
set system countrycode

Defines the country-specific IEEE 802.11 regulations to enforce on the WX switch.

Syntax — set system countrycode code

code — Two-letter code for the country of operation for the WX switch. You can specify one of the codes listed in Table 8.
Table 8 Country Codes (continued)

Country  Code
Egypt EG
Estonia EE
Finland FI
France FR
Germany DE
Greece GR
Guatemala GT
Honduras HN
Hong Kong HK
Hungary HU
Iceland IS
India IN
Indonesia ID
Ireland IE
Israel IL
Italy IT
Jamaica JM
Japan JP
Jordan JO
Kazakhstan KZ
Kenya KE
Kuwait KW
Latvia LV
Lebanon LB
Liechtenstein LI
Lithuania LT
Luxembourg LU
Macedonia, former Yugoslav Republic of MK
Malaysia MY
Malta MT
Table 8 Country Codes (continued)

Country  Code
Mexico MX
Morocco MA
Namibia NA
Netherlands NL
New Zealand NZ
Nigeria NG
Norway NO
Oman OM
Pakistan PK
Panama PA
Paraguay PY
Peru PE
Philippines PH
Poland PL
Portugal PT
Puerto Rico PR
Qatar QA
Romania RO
Russia RU
Saudi Arabia SA
Serbia CS
Singapore SG
Slovakia SK
Slovenia SI
South Africa ZA
South Korea KR
Spain ES
Sri Lanka LK
Sweden SE
Switzerland CH
Taiwan TW
Thailand T
Table 8 Country Codes (continued)

Country  Code
Trinidad and Tobago TT
Tunisia TN
Turkey TR
Ukraine UA
United Arab Emirates AE
United Kingdom GB
United States US
Uruguay UY
Venezuela VE
Vietnam VN

Defaults — The factory default country code is None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must set the system country code to a valid value before using any set ap commands to configure a MAP.
set system idle-timeout

Specifies the maximum number of seconds a CLI management session with the switch can remain idle before MSS terminates the session.

Syntax — set system idle-timeout seconds

seconds — Number of seconds a CLI management session can remain idle before MSS terminates the session. You can specify from 0 to 86400 seconds (one day). If you specify 0, the idle timeout is disabled. The timeout interval is in 30-second increments.
set system ip-address

Sets the system IP address so that it can be used by various services in the WX switch.

CAUTION: Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.

Syntax — set system ip-address ip-addr

ip-addr — IP address, in dotted decimal notation.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set system location

Stores location information for the WX switch.

Syntax — set system location string

string — Alphanumeric string up to 256 characters long, with no blank spaces.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You cannot include spaces in the system location string. To view the system location string, type the display system command.
set system name

Changes the name of the WX switch from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.

Syntax — set system name string

string — Alphanumeric string up to 256 characters long, with no blank spaces. Use a unique name for each WX switch.

Defaults — By default, the system name and command prompt have the same value.
4 PORT COMMANDS

Use port commands to configure and manage individual ports and load-sharing port groups.

Commands by Usage

This chapter presents port commands alphabetically. Use Table 9 to locate commands in this chapter based on their use.
Table 9 Port Commands by Usage (continued)

Type: Command
Port Groups: set port-group on page 90; display port-group on page 76; clear port-group on page 71
Port Mirroring: display port mirror on page 77; clear port mirror on page 73; set port mirror on page 92
Statistics: display port counters on page 75; monitor port counters on page 82; clear port counters on page 71

clear ap

Removes a Distributed MAP.
clear port counters

Clears port statistics counters and resets them to 0.

Syntax — clear port counters
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command clears all port statistics counters and resets them to 0:

WX4400# clear port counters
success: cleared port counters

See Also
display port counters on page 75
monitor port counters on page 82

clear port-group

Removes a port group.
clear port media-type

Disables the copper interface and reenables the fiber interface on a WX4400 gigabit Ethernet port.

Syntax — clear port media-type port-list

port-list — List of physical ports. MSS disables the copper interface and reenables the fiber interface on all the specified ports.

Defaults — The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command clears the names of ports 1 through 3:

WX4400# clear port 1-3 name

See Also
display port status on page 79
set port name on page 93

clear port mirror

Removes a port mirroring configuration.

Syntax — clear port mirror
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.2.
History — Introduced in MSS Version 3.0.
Usage — This command applies only to the WX4400. This command does not affect a link that is already active on the port.
Examples — The following command clears the preference set on port 2 on a WX4400 switch:

WX4400# clear port preference 2

See Also
display port status on page 79

clear port type

Removes all configuration settings from a port and resets the port as a network port.
Table 10 Network port defaults

Port Parameter: Setting
VLAN membership: None. Note: Although the command changes a port to a network port, the command does not place the port in any VLAN. To use the port in a VLAN, you must add the port to the VLAN.
Spanning Tree Protocol (STP): Based on the VLAN(s) you add the port to.
802.1X: No authorization.
Port groups: None.
Internet Group Management: Enabled as port is added to VLANs.
receive-etherstats — Shows Ethernet statistics for received packets.
transmit-etherstats — Shows Ethernet statistics for transmitted packets.
port port-list — List of physical ports. If you do not specify a port list, MSS shows statistics for all ports.

Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Usage — You can specify one statistic type with the command.
Examples — The following command displays the configuration of port group server2:

WX1200# display port-group name server2
Port group: server2 is up
Ports: 5, 7

Table 11 describes the fields in the display port-group output.

Table 11 Output for display port-group

Field: Description
Port group: Name and state (enabled or disabled) of the port group.
Ports: Ports contained in the port group.
See Also
display port mirror on page 77
set port mirror on page 92

display port poe

Displays status information for ports on which Power over Ethernet (PoE) is enabled.

Syntax — display port poe [port-list]

port-list — List of physical ports. If you do not specify a port list, PoE information is displayed for all ports.

Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Table 12 Output for display port poe (continued)

Field: Description
Link status: Link status of the port:
  up—The port is connected.
  down—The port is not connected.
Port type: Port type:
  MAP —The port is a MAP access port.
  - (The port is not a MAP access port.)
PoE config: PoE state:
  enabled
  disabled
PoE Draw: Power draw on the port, in watts. For 10/100 Ethernet ports on which PoE is disabled, this field displays off.
Examples — The following command displays information for all ports on a WX1200 switch:
WX1200# display port status
Port Name Admin Oper Config Actual   Type    Media
===============================================================================
1    1    up    up   auto   100/full network 10/100BaseTx
2    2    up    up   auto   100/full ap      10/100BaseTx
3    3    up    up   auto   100/full network 10/100BaseTx
4    4    up    down auto            network 10/100BaseTx
5    5    up    down auto            network 10/100BaseTx
6    6    up    down auto            network 10/100Bas
Table 13 Output for display port status (continued)
Field | Description
Media | Link type: 10/100BaseTX — 10/100BASE-T. GBIC — 1000BASE-SX or 1000BASE-LX GBIC. 1000BaseT — 1000BASE-T. No connector — GBIC slot is empty.
Examples — The following command displays the enabled interface types on all four ports of a WX4400 switch:
WX4400# display port media-type
Port Media Type
===========================================================
1 GBIC
2 RJ45
3 GBIC
4 GBIC
Table 14 describes the fields in this display.
Table 14 Output for display port media-type
Field | Description
Port | Port number.
Preference | Preference setting: GBIC—The GBIC (fiber) interface is enabled.
transmit-etherstats — Displays Ethernet statistics for transmitted packets first.
Defaults — All types of statistics are displayed for all ports. MSS refreshes the statistics every 5 seconds. This interval cannot be configured. Statistics types are displayed in the following order by default:
Octets
Packets
Receive errors
Transmit errors
Collisions
Receive Ethernet statistics
Transmit Ethernet statistics
Access — All.
For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors. Jumbo packets with valid CRCs are not counted. A short packet can be reported as a short packet, a CRC error, or an overrun. In some circumstances, the transmitted octets counter might increment a small amount for a port with nothing attached.
Table 16 Output for monitor port counters (continued)
Statistics Option | Field | Description
packets | Rx Unicast | Number of unicast packets received. This number does not include packets that contain errors.
 | Rx NonUnicast | Number of broadcast and multicast packets received. This number does not include packets that contain errors.
 | Tx Unicast | Number of unicast packets transmitted. This number does not include packets that contain errors.
Table 16 Output for monitor port counters (continued)
Statistics Option | Field | Description
collisions | Single Coll | Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network.
 | Multiple Coll | Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
reset port
Resets a port by toggling its link state and Power over Ethernet (PoE) state.
Syntax — reset port port-list
port-list — List of physical ports. MSS resets all the specified ports.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The reset command disables the port’s link and PoE (if applicable) for at least 1 second, then reenables them.
ap-number — Number for the Distributed MAP. The range of valid connection numbers depends on the WX switch model:
For a WX4400, you can specify a number from 1 to 256.
For a WX1200, you can specify a number from 1 to 30.
serial-id serial-ID — MAP access point serial ID. The serial ID is listed on the MAP case. To show the serial ID using the CLI, use the display version details command.
radiotype 11a | 11b | 11g — Radio type:
11a — 802.11a
11b — 802.
See Also
clear ap on page 70
clear port type on page 74
set port type ap on page 97
set system countrycode on page 61

set port
Administratively disables or reenables a port.
Syntax — set port {enable | disable} port-list
enable — Enables the specified ports.
disable — Disables the specified ports.
port-list — List of physical ports. MSS disables or reenables all the specified ports.
Defaults — All ports are enabled.
Access — Enabled.
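An added example, not part of the 3Com guide: a Python sketch that parses display port status output in the column order shown earlier and lists network ports that are administratively up with no link. Those ports are enabled by default and carry no 802.1X authorization, so the script builds the set port disable command for them. The sample output is constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample (not captured from a device), in the column order of
# `display port status`: Port Name Admin Oper Config Actual Type Media.
SAMPLE_OUTPUT = """\
WX1200# display port status
Port Name Admin Oper Config Actual Type Media
===============================================================================
1 1 up up auto 100/full network 10/100BaseTx
2 2 up up auto 100/full ap 10/100BaseTx
3 uplink up up auto 100/full network 10/100BaseTx
4 4 up down auto network 10/100BaseTx
5 5 up down auto network 10/100BaseTx
6 6 down down auto network 10/100BaseTx
7 7 up down auto ap 10/100BaseTx
8 8 up down auto network 10/100BaseTx
"""

# "network" and "ap" appear in the guide's sample output. The spelling of
# "wired-auth" in this column is an assumption taken from the command name.
PORT_TYPES = {"network", "ap", "wired-auth"}


@dataclass
class PortStatus:
    port: int
    name: str
    admin: str
    oper: str
    config: str
    actual: str      # empty string when the link is down
    port_type: str
    media: str       # may contain a space, e.g. "No connector"


def parse_port_status(text):
    """Return one PortStatus per data row; skip prompt, header and separator."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue
        if len(fields) < 7:
            raise ValueError(f"short row: {line!r}")
        # The Actual column is blank on a down link, so locate the Type
        # column by value instead of by position.
        if fields[5] in PORT_TYPES:
            type_idx, actual = 5, ""
        elif fields[6] in PORT_TYPES and len(fields) >= 8:
            type_idx, actual = 6, fields[5]
        else:
            raise ValueError(f"no port type found: {line!r}")
        rows.append(PortStatus(
            port=int(fields[0]), name=fields[1], admin=fields[2],
            oper=fields[3], config=fields[4], actual=actual,
            port_type=fields[type_idx],
            media=" ".join(fields[type_idx + 1:]),
        ))
    return rows


def unused_network_ports(rows):
    """Network ports that are administratively up but have no link."""
    return [r for r in rows
            if r.port_type == "network" and r.admin == "up" and r.oper == "down"]


def disable_command(rows):
    """Build `set port disable <port-list>` for the given rows, or None."""
    if not rows:
        return None
    return "set port disable " + ",".join(str(r.port) for r in rows)


if __name__ == "__main__":
    candidates = unused_network_ports(parse_port_status(SAMPLE_OUTPUT))
    for r in candidates:
        print(f"port {r.port} ({r.name}): admin up, link down, type network")
    print(disable_command(candidates))
```

The output is a snapshot, so a port that is down at capture time may belong to a device that is only temporarily disconnected; review the list before applying the command.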
set port-group
Configures a load-sharing port group. All ports in the group function as a single logical link.
Syntax — set port-group name group-name port-list mode {on | off}
name group-name — Alphanumeric string of up to 255 characters, with no spaces.
port-list — List of physical ports. All the ports you specify are configured together as a single logical link.
mode {on | off} — State of the group. Use on to enable the group or off to disable the group.
See Also
clear port-group on page 71
display port-group on page 76

set port media-type
Disables the fiber interface and enables the copper interface on a WX4400 gigabit Ethernet port.
Syntax — set port media-type port-list rj45
port-list — List of physical ports. MSS sets the preference on all the specified ports.
rj45 — Uses the copper interface.
Defaults — The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access — Enabled.
set port mirror
Configures port mirroring. Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a WX port (the source port) to another port (the observer) on the same WX. You can attach a protocol analyzer to the observer port to examine the source port’s traffic. Both traffic directions (send and receive) are mirrored.
set port name
Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands.
Syntax — set port port name name
port — Number of a physical port. You can specify only one port.
name name — Alphanumeric string of up to 16 characters, with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — WX1200 10/100 Ethernet ports support half-duplex and full-duplex operation. 3Com recommends that you do not configure the mode of a WX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link.
History — Introduced in MSS Version 3.0.
Usage — This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch.
Examples — The following command disables PoE on ports 4 and 5, which are connected to a MAP access point:
WX1200# set port poe 4,5 disable
If you are enabling power on these ports, they must be connected only to approved PoE devices with the correct wiring.
Usage — 3Com recommends that you do not configure the mode of a WX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to a WX port in such a configuration can cause forwarding on the link to stop.
See Also
set ip snmp server on page 180
set snmp community on page 185

set port type ap
Configures a WX switch port for a MAP access point.
CAUTION: When you set the port type for MAP use, you must specify the PoE state (enable or disable) of the port. Use the WX switch’s PoE to power 3Com MAP access points only. If you enable PoE on a port connected to another device, physical damage to the device can result.
Defaults — All WX ports are network ports by default. MAP access point models AP2750, MAP-241, and MAP-341 have a single radio that can be configured for 802.11a or 802.11b/g. Other MAP models have two radios. On two-radio models, one radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
Table 17 MAP Access Port Defaults (continued)
Port groups | Not applicable
IGMP snooping | Enabled as users are authenticated and join VLANs.
Maximum user sessions | Not applicable
This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch or port 3 on the WX2200 switch. To manage a MAP access point on a switch model that does not have 10/100 Ethernet ports, use the set ap command to configure a Distributed MAP connection on the switch.
See Also
clear ap on page 70
clear port type on page 74
set ap radio antennatype on page 383
set ap on page 87
set port type wired-auth on page 100
set system countrycode on page 61

set port type wired-auth
Configures a WX switch port for a wired authentication user. Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset the port with the clear port type command.
Usage — You cannot set a port’s type if the port is a member of a port VLAN. To remove a port from a VLAN, use the clear vlan command. To reset a port as a network port, use the clear port type command. When you change port type, MSS applies default settings appropriate for the port type. Table 18 lists the default settings that MSS applies when you set a port’s type to ap.
Examples — The following command sets port 2 for a wired authentication user:
WX1200# set port type wired-auth 2
success: change accepted
The following command sets port 7 for a wired authentication user and specifies a maximum of three simultaneous user sessions:
WX1200# set port type wired-auth 7 max-sessions 3
success: change accepted
See Also
clear port type on page 74
set port type ap on page 97
5 VLAN COMMANDS
Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain.

Commands by usage
This chapter presents VLAN commands alphabetically. Use Table 19 to locate commands in this chapter based on their use.
Table 19 VLAN Commands by Usage (continued)
Type | Command
 | display fdb agingtime on page 111
VLAN Profiles for MAP local Switching | clear vlan-profile on page 108
 | clear vlan-profile on page 108
 | display vlan-profile on page 120
 | set vlan profile on page 127

clear fdb
Deletes an entry from the forwarding database (FDB).
Syntax — clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]
perm — Clears permanent entries.
History — Introduced in MSS Version 3.0.
Usage — You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN name or number is required for deleting permanent or static entries.
Examples — The following command clears all static forwarding database entries that match VLAN blue:
WX4400# clear fdb static vlan blue
success: change accepted.
Access — Enabled.
History — Introduced in MSS Version 4.1.
Usage — If you clear all MAC addresses, Layer 2 forwarding is no longer restricted in the VLAN. Clients within the VLAN will be able to communicate directly. To clear the statistics counters without removing any MAC addresses, use the clear security l2-restrict counters command instead.
Examples — The following command clears Layer 2 forwarding restriction statistics for VLAN abc_air:
WX4400# clear security l2-restrict counters vlan abc_air
success: change accepted.
See Also
clear security l2-restrict on page 105
set security l2-restrict on page 123
display security l2-restrict on page 116

clear vlan
Removes physical or virtual ports from a VLAN or removes a VLAN entirely.
Examples — The following command removes port 1 from VLAN green:
WX4400# clear vlan green port 1
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
The following command removes port 4, which uses tag value 69, from VLAN red:
WX1200# clear vlan red port 4 tag 69
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
If a VLAN profile is changed so that traffic that had been tunneled to a WX switch is now locally switched by MAPs, or vice-versa, the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated, and the clients must re-associate with the MAPs.
dynamic — Displays dynamic entries. A dynamic entry is automatically removed through aging or after a reboot, reset, or power cycle.
system — Displays system entries. A system entry is added by MSS. For example, the authentication protocols can add entries for wired and wireless authentication users.
all — Displays all entries in the database, or all the entries that match a particular port or ports or a particular VLAN.
Table 20 describes the fields in the display fdb output.
Table 20 Output for display fdb
Field | Description
VLAN | VLAN number.
TAG | VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des | MAC address of this forwarding entry’s destination.
CoS | Type of entry. The entry types are explained in the first row of the command output. Note: This Class of Service (CoS) value is not associated with MSS quality of service (QoS) features.
VLAN 2 aging time = 600 sec
VLAN 1 aging time = 300 sec
Because the forwarding database aging timeout period can be configured only on an individual VLAN basis, the command lists the aging timeout period for each VLAN separately.
See Also
set fdb agingtime on page 122

display fdb count
Lists the number of entries in the forwarding database.
Syntax — display fdb count {perm | static | dynamic} [vlan vlan-id]
perm — Lists the number of permanent entries.
display roaming station
Shows a list of the stations roaming to the wireless LAN switch through a VLAN tunnel.
Syntax — display roaming station [vlan vlan-id] [peer ip-addr]
vlan vlan-id — Output is restricted to stations using this VLAN.
peer ip-addr — Output is restricted to stations tunnelling through this peer WX switch in the Mobility Domain.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Old AP MAC field removed in MSS Version 4.1.
Table 21 Output for display roaming station (continued)
Field | Description
State | State of the session:
Setup — Station is attempting to roam to this WX switch. This switch has asked the WX from which the station is roaming for the station’s session information and is waiting for a reply.
Up — MSS has established a tunnel between the WX switches and the station has successfully roamed to this WX over the tunnel.
display roaming vlan
Shows all VLANs in the mobility domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs.
Syntax — display roaming vlan
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command shows the current roaming VLANs:
WX4400# display roaming vlan
VLAN WX Affinity
---------------- --------------- -------
vlan-cs 192.168.14.2 5
vlan-eng 192.168.14.
display security l2-restrict
Displays configuration information and statistics for Layer 2 forwarding restriction.
Syntax — display security l2-restrict [vlan vlan-id | all]
vlan-id — VLAN name or number.
all — Displays information for all VLANs.
Defaults — If you do not specify a VLAN name or all, information is displayed for all VLANs.
Access — Enabled.
History — Introduced in MSS Version 4.1.
Table 23 Output for display security l2-restrict
Field | Description
Hits | Number of packets whose source MAC address was a client in this VLAN, and whose destination MAC address was one of those listed under Permit MAC.
See Also
clear security l2-restrict on page 105
clear security l2-restrict counters on page 106
set security l2-restrict on page 123

display tunnel
Shows the tunnels from the wireless LAN switch where you type the command.
Table 24 Output for display tunnel (continued)
Field | Description
Remote Address | IP address of the remote end of the tunnel. This is the system IP address of another WX switch in the mobility domain.
State | Tunnel state: Up, Dormant
Port | Tunnel port ID.
LVID | Local VLAN ID.
RVID | Remote VLAN ID.
See Also
display vlan config on page 118

display vlan config
Shows VLAN information.
Syntax — display vlan config [vlan-id]
vlan-id — VLAN name or number.
Table 25 describes the fields in this display.
Table 25 Output for display vlan config
Field | Description
VLAN | VLAN number.
Name | VLAN name.
Admin Status | Administrative status of the VLAN: Down — The VLAN is disabled. Up — The VLAN is enabled.
VLAN State | Link status of the VLAN: Down — The VLAN is not connected. Up — The VLAN is connected.
Tunl Affin | Tunnel affinity value assigned to the VLAN.
Port | Member port of the VLAN.
display vlan-profile
Displays the contents of the VLAN profiles configured on the WX switch. A VLAN profile lists the VLANs for which traffic is locally switched by MAPs where the VLAN profile is applied.
Syntax — display vlan-profile [profile-name]
profile-name — VLAN profile name
Defaults — If a profile-name is not specified, the contents of all VLAN profiles configured on the WX switch are displayed.
Access — All.
History — Introduced in MSS Version 6.0.
set fdb
Adds a permanent or static entry to the forwarding database.
Syntax — set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
perm — Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
static — Adds a static entry. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
mac-addr — Destination MAC address of the entry.
See Also
clear fdb on page 104
display fdb on page 109

set fdb agingtime
Changes the aging timeout period for dynamic entries in the forwarding database.
Syntax — set fdb agingtime vlan-id age seconds
vlan-id — VLAN name or number. The timeout period change applies only to entries that match the specified VLAN.
age seconds — Value for the timeout period, in seconds. You can specify a value from 0 through 1,000,000.
set security l2-restrict
Restricts Layer 2 forwarding between clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s gateway routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified gateway routers.
set vlan name
Creates a VLAN and assigns a number and name to it.
Syntax — set vlan vlan-num name name
vlan-num — VLAN number. You can specify a number from 2 through 4093.
name — String up to 16 alphabetic characters long.
Defaults — VLAN 1 is named default by default. No other VLANs have default names.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must assign a name to a VLAN (other than the default VLAN) before you can add ports to the VLAN.
set vlan port
Assigns one or more network ports to a VLAN. You also can add a virtual port to each network port by adding a tag value to the network port.
Syntax — set vlan vlan-id port port-list [tag tag-value]
vlan-id — VLAN name or number.
port port-list — List of physical ports.
tag tag-value — Tag value that identifies a virtual port. You can specify a value from 1 through 4093.
By default, no ports are members of any VLANs.
set vlan tunnel-affinity
Changes a wireless LAN switch’s preferability within a mobility domain for tunneling user traffic for a VLAN. When a user roams to a WX switch that is not a member of the user’s VLAN, the WX can forward the user traffic by tunneling to another WX switch that is a member of the VLAN.
Syntax — set vlan vlan-id tunnel-affinity num
vlan-id — VLAN name or number.
num — Preference of this switch for forwarding user traffic for the VLAN.
set vlan profile
Configures entries in a VLAN profile that can be applied to a MAP for local switching.
Syntax — set vlan-profile profile-name vlan vlan-name [tag tag-value]
profile-name — VLAN profile name.
vlan-name — Name of a VLAN.
tag-value — Optional tag value associated with the VLAN. When this value is set, it is used as the 802.1Q tag for the VLAN.
If local switching is enabled on a MAP, but no VLAN profile is configured, then a default VLAN profile is used.
6 QUALITY OF SERVICE COMMANDS
Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet prioritization ensures that WX switches and MAP access points give preferential treatment to high-priority traffic such as voice and video. (To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See “Security ACL Commands” on page 537.)

Commands by Usage
This chapter presents QoS commands alphabetically.
Classify inbound packets by mapping their DSCP values to one of eight internal QoS values
Classify outbound packets by marking their DSCP values based on the switch’s internal QoS values
Syntax — clear qos [cos-to-dscp-map [from-qos] | dscp-to-cos-map [from-dscp]]
cos-to-dscp-map — Resets the mapping between the specified internal QoS value and the DSCP values with which MSS marks outbound packets. QoS values are from 0 to 7.
set qos cos-to-dscp-map
Changes the value to which MSS maps an internal QoS value when marking outbound packets.
Syntax — set qos cos-to-dscp-map level dscp dscp-value
level — Internal CoS value. You can specify a number from 0 to 7.
dscp dscp-value — DSCP value. You can specify the value as a decimal number. Valid values are 0 to 63.
Defaults — The defaults are listed by the display qos command.
Access — Enabled.
History — Introduced in MSS Version 4.1.
set qos dscp-to-cos-map
Changes the internal QoS value to which MSS maps a packet’s DSCP value when classifying inbound packets.
Syntax — set qos dscp-to-cos-map dscp-range cos level
dscp-range — You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40-56. Specify the lower number first.
cos level — Internal QoS value. You can specify a number from 0 to 7.
display qos
Displays the switch’s QoS settings.
Syntax — display qos [default]
default — Displays the default mappings.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.1.
display qos dscp-table
Displays a table that maps Differentiated Services Code Point (DSCP) values to their equivalent combinations of IP precedence values and IP ToS values.
Syntax — display qos dscp-table
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0 as the display security acl dscp command and renamed in MSS Version 4.1.
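An added example, not part of the 3Com guide: Python that derives the IP precedence and ToS bits for each DSCP value from the standard ToS-byte layout (RFC 791, RFC 1349, RFC 2474), and applies set qos dscp-to-cos-map commands using the range and limit rules given for that command. The starting map (CoS equals the top three DSCP bits) is an assumption; the switch's real defaults are those listed by display qos. Function names are hypothetical.

```python
import re


def dscp_fields(dscp):
    """Split a DSCP value into the legacy ToS-byte fields."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0 to 63")
    tos_byte = dscp << 2                # DSCP is the upper six bits of the byte
    return {
        "dscp": dscp,
        "tos_byte": tos_byte,
        "precedence": tos_byte >> 5,        # top three bits
        "tos": (tos_byte >> 1) & 0x0F,      # four ToS bits below precedence
    }


def dscp_table():
    """All 64 rows, the same relationship display qos dscp-table reports."""
    return [dscp_fields(d) for d in range(64)]


def assumed_default_map():
    """ASSUMPTION: start from CoS = IP precedence bits of the DSCP value."""
    return {d: d >> 3 for d in range(64)}


# Syntax from the guide: set qos dscp-to-cos-map dscp-range cos level
_CMD = re.compile(r"^set qos dscp-to-cos-map (\d+)(?:-(\d+))? cos (\d+)$")


def apply_dscp_to_cos(mapping, command):
    """Return a new DSCP-to-CoS map with one command applied."""
    m = _CMD.match(command.strip())
    if not m:
        raise ValueError("not a set qos dscp-to-cos-map command")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    level = int(m.group(3))
    if high > 63 or low > 63:
        raise ValueError("valid DSCP values are 0 to 63")
    if low > high:
        raise ValueError("specify the lower number of the range first")
    if level > 7:
        raise ValueError("internal QoS value must be 0 to 7")
    updated = dict(mapping)
    for dscp in range(low, high + 1):
        updated[dscp] = level
    return updated


def cos_changes(before, after):
    """DSCP values whose internal QoS value changed: {dscp: (old, new)}."""
    return {d: (before[d], after[d]) for d in range(64) if before[d] != after[d]}


if __name__ == "__main__":
    base = assumed_default_map()
    new = apply_dscp_to_cos(base, "set qos dscp-to-cos-map 40-56 cos 6")
    for dscp, (old, cur) in sorted(cos_changes(base, new).items()):
        f = dscp_fields(dscp)
        print(f"DSCP {dscp:2d} (precedence {f['precedence']}, tos {f['tos']:2d}): "
              f"CoS {old} -> {cur}")
```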
7 IP SERVICES COMMANDS
Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a route.

Commands by Usage
This chapter presents IP services commands alphabetically. Use Table 28 to locate the commands in this chapter based on their use.
Table 28 IP Services Commands by Usage (continued)
Type | Command
HTTPS Management | set ip https server on page 177
 | display ip https on page 155
DNS | set ip dns on page 175
 | set ip dns domain on page 175
 | set ip dns server on page 176
 | display ip dns on page 154
 | clear ip dns domain on page 139
 | clear ip dns server on page 139
IP Alias | set ip alias on page 174
 | display ip alias on page 153
 | clear ip alias on page 138
Time and Date | set timedate on page 204
 | set timezone on pa
Table 28 IP Services Commands by Usage (continued)
Type | Command
 | set snmp notify profile on page 187
 | set snmp notify target on page 192
 | set ip snmp server on page 180
 | display snmp status on page 163
 | display snmp community on page 161
 | display snmp usm on page 164
 | display snmp notify profile on page 162
 | display snmp notify target on page 162
 | display snmp counters on page 162
 | clear snmp community on page 143
 | clear snmp usm on page 144
 | clear snmp notify profile on page 143
 | clear snmp notif
Topology reporting for dual-homed MAP access points
Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps
Examples — The following command removes the IP interface configured on VLAN mauve:
WX1200# clear interface mauve ip
success: cleared ip on vlan mauve
See Also
set interface on page 170
set interface dhcp-client on page 171
display interface on page 152

clear ip alias
Removes an alias, which i
clear ip dns domain
Removes the default DNS domain name.
Syntax — clear ip dns domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the default DNS domain name from a WX switch:
WX1200# clear ip dns domain
Default DNS domain name cleared.
See Also
clear ip dns domain on page 139
display ip dns on page 154
set ip dns on page 175
set ip dns domain on page 175
set ip dns server on page 176

clear ip route
Removes a route from the IP route table.
Syntax — clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router
default — Default route. default is an alias for IP address 0.0.0.0/0.
clear ip telnet
Resets the Telnet server TCP port number to its default value. A WX listens for Telnet management traffic on the Telnet server port.
Syntax — clear ip telnet
Defaults — The default Telnet port number is 23.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command resets the TCP port number for Telnet management traffic to its default:
WX4400# clear ip telnet
success: change accepted.
Examples — The following command removes NTP server 192.168.40.240 from a WX switch configuration:
WX4400# clear ntp server 192.168.40.240
success: change accepted.
See Also
clear ntp update-interval on page 142
display ntp on page 159
set ntp on page 183
set ntp server on page 184
set ntp update-interval on page 185

clear ntp update-interval
Resets the NTP update interval to the default value.
clear snmp community
Clears an SNMP community string.
Syntax — clear snmp community name comm-string
comm-string — Name of the SNMP community you want to clear.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command clears community string setswitch2:
WX1200# clear snmp community name setswitch2
success: change accepted.
See Also
set snmp notify profile on page 187
display snmp notify profile on page 162

clear snmp notify target
Clears an SNMP notification target.
Syntax — clear snmp notify target target-num
target-num — ID of the target.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command clears notification target 3:
WX1200# clear snmp notify target 3
success: change accepted.
Examples — The following command clears SNMPv3 user snmpmgr1:
WX1200# clear snmp usm snmpmgr1
success: change accepted.
See Also
set snmp usm on page 199
display snmp usm on page 164

clear summertime
Clears the summertime setting from a WX.
Syntax — clear summertime
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To clear the summertime setting from a WX, type the following command:
WX1200# clear summertime
success: change accepted.
clear system ip-address
Clears the system IP address.
CAUTION: Clearing the system IP address disrupts the system tasks that use the address.
Syntax — clear system ip-address
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To return the WX real-time clock to UTC, type the following command:
WX4400# clear timezone
success: change accepted.
See Also
clear summertime on page 145
set summertime on page 202
set timedate on page 204
set timezone on page 205
display summertime on page 164
display timedate on page 165
display timezone on page 165

display arp
Shows the ARP table.
Syntax — display arp [ip-addr]
ip-addr — IP address.
Table 29 describes the fields in this display.
Table 29 Output for display arp
Field | Description
ARP aging time | Number of seconds a dynamic entry can remain unused before MSS removes the entry from the ARP table.
Host | IP address, hostname, or alias.
HW Address | MAC address mapped to the IP address, hostname, or alias.
VLAN | VLAN the entry is for.
Examples — The following command displays DHCP client information:
WX1200# display dhcp-client
Interface: corpvlan(4)
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.1
DHCP Server: 10.3.1.4
DNS Servers: 10.3.1.29
DNS Domain Name: mycorp.com
Table 30 describes the fields in this display.
display dhcp-server
Displays MSS DHCP server information.
Syntax — display dhcp-server [interface vlan-id] [verbose]
interface vlan-id — Displays the IP addresses leased by the specified VLAN.
verbose — Displays configuration and status information for the MSS DHCP server.
Defaults — None.
Access — All.
History — Introduced in MSS Version 4.0.
Default Gateway: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.com
Table 31 and Table 32 describe the fields in these displays.
Table 31 Output for display dhcp-server
Field | Description
VLAN | VLAN number
Name | VLAN name
Address | IP address leased by the server.
MAC Address | MAC address of the device that holds the lease for the address.
Lease Remaining | Number of seconds remaining before the address lease expires.
Table 32 Output for display dhcp-server verbose
Field | Description
IP Address | IP address leased to the client.
Subnet Mask | Network mask of the IP address leased to the client.
Default Gateway | Default gateway IP address included in the DHCP Offer to the client.
DNS Server | DNS server IP address(es) included in the DHCP Offer to the client.
DNS Domain Name | Default DNS domain name included in the DHCP Offer to the client.
Table 33 Output for display interface
Field | Description
VLAN | VLAN number
Name | VLAN name
Address | IP address
Mask | Subnet mask
Enabled | Administrative state: YES (enabled), NO (disabled)
State | Link state: Up (operational), Down (unavailable)
RIB | Routing Information Base
See Also
clear interface on page 137
set interface on page 170
set interface dhcp-client on page 171

display ip alias
Displays the IP aliases configured on the WX.
Table 34 describes the fields in this display.
Table 34 Output for display ip alias
Field | Description
Name | Alias string.
IP Address | IP address associated with the alias.
See Also
clear ip alias on page 138
set ip alias on page 174

display ip dns
Displays the DNS servers used by the WX.
Syntax — display ip dns
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Table 35 Output for display ip dns (continued)
Field       Description
DNS Status  Status of the WX switch’s DNS client:
              Enabled
              Disabled
IP Address  IP address of the DNS server
Type        Server type:
              PRIMARY
              SECONDARY

See Also
clear ip dns domain on page 139
clear ip dns server on page 139
set ip dns on page 175
set ip dns domain on page 175
set ip dns server on page 176

display ip https

Shows information about the HTTPS management port.
Table 36 Output for display ip https
Field                      Description
HTTPS is enabled/disabled  State of the HTTPS server:
                             Enabled
                             Disabled
HTTPS is set to use port   TCP port number on which the WX switch listens for HTTPS connections.
Last 10 connections        List of the last 10 devices to establish connections to the WX HTTPS server.
IP Address                 IP address of the device that established the connection.
Usage — When you add an IP interface to a VLAN that is up, MSS adds direct and local routes for the interface to the route table. If the VLAN is down, MSS does not add the routes. If you add an interface to a VLAN but the routes for that interface do not appear in the route table, use the display vlan config command to check the VLAN state.
Table 37 Output of display ip route (continued)
Field    Description
NH-Type  Next-hop type:
           Local — Route is for a local interface. MSS adds the route when you configure an IP address on the WX.
           Direct — Route is for a locally attached subnet. MSS adds the route when you add an interface in the same subnet to the WX.
           Router — Route is for a remote destination. A WX switch forwards traffic for the destination to the gateway router.
Gateway
Examples — The following command shows the status and port number for the Telnet management interface to the WX switch:

WX4400> display ip telnet
Server Status    Port
---------------------------------
Enabled          23

Table 38 describes the fields in this display.

Table 38 Output for display ip telnet
Field          Description
Server Status  State of the HTTPS server:
                 Enabled
                 Disabled
Port           TCP port number on which the WX switch listens for Telnet management traffic.
Examples — To display NTP information for a WX switch, type the following command:

WX4400> display ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Fri Feb 06 2004, 12:02:46
NTP Server    Peer state    Local State
--------------------------------------------------
192.168.1.
Table 39 Output for display ntp (continued)
Field        Description
Peer state   State of the NTP session from the point of view of the NTP server:
               CORRECT
               REJECT
               SELCAND
               SYNCCAND
               SYSPEER
Local state  State of the NTP session from the point of view of the WX NTP client:
               INITED
               START
               SYNCED

See Also
clear ntp server on page 141
clear summertime on page 145
clear timezone on page 146
display timezone on page 165

display snmp community
See Also
clear snmp community on page 143
set snmp community on page 185

display snmp counters

Displays SNMP statistics counters.

Syntax — display snmp counters
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.

display snmp notify profile

Displays SNMP notification profiles.

Syntax — display snmp notify profile
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
See Also
clear snmp notify target on page 144
set snmp notify target on page 192

display snmp status

Displays SNMP version and status information.

Syntax — display snmp status
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
display snmp usm

Displays information about SNMPv3 users.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.

See Also
clear snmp usm on page 144
display snmp usm on page 164

display summertime

Displays a WX offset time from its real-time clock time.

Syntax — display summertime
Defaults — There is no summertime offset by default.
Access — All.
History — Introduced in MSS Version 3.0.
set timedate on page 204
set timezone on page 205

display timedate

Shows the date and time of day currently set on a WX real-time clock.

Syntax — display timedate
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — To display the offset from UTC, type the following command:

WX4400# display timezone
Timezone set to 'pst', offset from UTC is -8 hours

See Also
clear summertime on page 145
clear timezone on page 146
display summertime on page 164
display timedate on page 165
set summertime on page 202
set timedate on page 204
set timezone on page 205

ping

Tests IP connectivity between a WX and another device.
Because the WX switch adds header information, the ICMP packet size is 8 bytes larger than the size you specify.
source-ip ip-addr — IP address, in dotted decimal notation, to use as the source IP address in the ping packets.
source-ip vlan-name — VLAN name to use as the ping source. MSS uses the IP address configured on the VLAN as the source IP address in the ping packets.

Defaults
count — 5.
dnf — Disabled.
interval — 100 (one tenth of a second)
size — 56.
set arp

Adds an ARP entry to the ARP table.

Syntax — set arp {permanent | static | dynamic } ip-addr mac-addr
permanent — Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
static — Adds a static entry. A static entry does not age out, but the entry does not remain in the database after a reboot, reset, or power cycle.
dynamic — Adds a dynamic entry.
set arp agingtime

Changes the aging timeout for dynamic ARP entries.

Syntax — set arp agingtime seconds
seconds — Number of seconds an entry can remain unused before MSS removes the entry. You can specify from 0 through 1,000,000. To disable aging, specify 0.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — Aging applies only to dynamic entries. To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
set interface

Configures an IP interface on a VLAN.

Syntax — set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}
vlan-id — VLAN name or number.
ip-addr mask — IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length — IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
clear interface on page 137
display interface on page 152
set interface dhcp-client on page 171

set interface dhcp-client

Configures the DHCP client on a VLAN and allows the VLAN to obtain its IP interface from a DHCP server.

Syntax — set interface vlan-id ip dhcp-client {enable | disable}
vlan-id — VLAN name or number.
enable — Enables the DHCP client on the VLAN.
disable — Disables the DHCP client on the VLAN.
See Also
clear interface on page 137
display dhcp-client on page 148
display interface on page 152

set interface dhcp-server

Configures the MSS DHCP server.

Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. It is recommended that you do not use the MSS DHCP server to allocate client addresses in a production network.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet. The IP interface of the VLAN must be within the same subnet but is not required to be within the range.
Examples — The following command disables the IP interface on VLAN mauve:

WX4400# set interface mauve status down
success: set interface mauve to down

See Also
clear interface on page 137
display interface on page 152
set interface on page 170

set ip alias

Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI commands.
set ip dns

Enables or disables DNS on a wireless LAN switch.

Syntax — set ip dns {enable | disable}
enable — Enables DNS.
disable — Disables DNS.

Defaults — DNS is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with that name first, before using DNS to resolve the name.

Examples — The following command configures the default domain name example.com:

WX1200# set ip dns domain example.
success: change accepted.
WX1200# set ip dns server 10.10.30.69/24 secondary
success: change accepted.

See Also
clear ip dns domain on page 139
clear ip dns server on page 139
display ip dns on page 154
set ip dns on page 175
set ip dns domain on page 175

set ip https server

Enables the HTTPS server on a WX. The HTTPS server is required for Web View access to the switch.
set ip route

Adds a static route to the IP route table.

Syntax — set ip route {default | ip-addr mask | ip-addr/mask-length} gateway metric
default — Default route. A WX switch uses the default route if an explicit route is not available for the destination. Default is an alias for IP address 0.0.0.0/0.
ip-addr mask — IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
When you add multiple routes to the same destination, MSS groups the routes and orders them from lowest cost at the top of the group to highest cost at the bottom of the group. If you add a new route that has the same destination and cost as a route already in the table, MSS places the new route at the top of the group of routes with the same cost. Examples — The following command adds a default route that uses gateway 10.5.4.
set ip snmp server

Enables or disables the SNMP service on the WX.

Syntax — set ip snmp server {enable | disable}
enable — Enables the SNMP service.
disable — Disables the SNMP service.

Defaults — The SNMP service is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.

Examples — The following command enables the SNMP server on a WX switch:

WX4400# set ip snmp server enable
success: change accepted.
See Also
set ip ssh server on page 181

set ip ssh server

Disables or reenables the SSH server on a WX.

CAUTION: If you disable the SSH server, SSH access to the WX is also disabled.

Syntax — set ip ssh server {enable | disable}
enable — Enables the SSH server.
disable — Disables the SSH server.

Defaults — The SSH server is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must generate an SSH authentication key to use SSH.
Defaults — The default Telnet port number is 23.
Access — Enabled.
History — Introduced in MSS Version 3.0.

Examples — The following command changes the Telnet port number on a WX to 5000:

WX4400# set ip telnet 5000
success: change accepted.
See Also
clear ip telnet on page 141
display ip https on page 155
display ip telnet on page 158
set ip https server on page 177
set ip telnet on page 181

set ntp

Enables or disables the NTP client on a WX.

Syntax — set ntp {enable | disable}
enable — Enables the NTP client.
disable — Disables the NTP client.

Defaults — The NTP client is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set ntp server

Configures a WX to use an NTP server.

Syntax — set ntp server ip-addr
ip-addr — IP address of the NTP server, in dotted decimal notation.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
set ntp update-interval

Changes how often a WX sends queries to the NTP servers for updates.

Syntax — set ntp update-interval seconds
seconds — Number of seconds between queries. You can specify from 16 through 1,024 seconds.

Defaults — The default NTP update interval is 64 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
read-notify — Allows an SNMP management application using the string to get object values on the switch but not to set them. The switch can use the string to send notifications.
notify-only — Allows the WX to use the string to send notifications.
read-write — Allows an SNMP management application using the string to get and set object values on the switch.
See Also
clear snmp community on page 143
set ip snmp server on page 180
set snmp notify target on page 192
set snmp notify profile on page 187
set snmp protocol on page 197
set snmp security on page 198
set snmp usm on page 199
display snmp community on page 161

set snmp notify profile

Configures an SNMP notification profile.
APTimeoutTraps—Generated when a MAP access point fails to respond to the WX switch.
AuthenTraps—Generated when the WX switch’s SNMP engine receives a bad community string.
AutoTuneRadioChannelChangeTraps—Generated when the RF Auto-Tuning feature changes the channel on a radio.
AutoTuneRadioPowerChangeTraps—Generated when the RF Auto-Tuning feature changes the power setting on a radio.
DAPConnectWarningTraps—Generated when a Distributed MAP whose fingerprint has not been configured in MSS establishes a management session with the switch.
DeviceFailTraps—Generated when an event with an Alert severity occurs.
DeviceOkayTraps—Generated when a device returns to its normal state.
LinkDownTraps—Generated when the link is lost on a port.
LinkUpTraps—Generated when the link is detected on a port.
RFDetectDoSPortTraps—Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
RFDetectDoSTraps—Generated when MSS detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood.
RFDetectInterferingRogueAPTraps—Generated when an interfering device is detected.
WX1200# set snmp notify profile snmpprof_rfdetect RFDetectAdhocUserTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect RFDetectAdhocUserDisappearTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect RFDetectBlacklistedUserTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect RFDetectClientViaRogueWiredAPTraps
success: change accepted.
See Also
clear snmp notify profile on page 143
set ip snmp server on page 180
set snmp community on page 185
set snmp notify target on page 192
set snmp protocol on page 197
set snmp security on page 198
set snmp usm on page 199
set snmp notify profile on page 187

set snmp notify target

Configures a notification target for notifications from SNMP. A notification target is a remote device to which the WX sends SNMP notifications.
username — USM username. This option is applicable only when the SNMP version is usm. If the user will send informs rather than traps, you also must specify the snmp-engine-id of the target.
snmp-engine-id — {ip | hex hex-string} SNMP engine ID of the target. Specify ip if the target SNMP engine ID is based on its IP address. If the target’s SNMP engine ID is a hexadecimal value, use hex hex-string to specify the value.

SNMPv3 with Traps
username — USM username. This option is applicable only when the SNMP version is usm.
profile profile-name — Notification profile this SNMP user will use to specify the notification types to send or drop.
security — {unsecured | authenticated | encrypted} Specifies the security level, and is applicable only when the SNMP version is usm:
  - unsecured — Message exchanges are not authenticated, nor are they encrypted. This is the default.

SNMPv2c with Informs
SNMPv2c with Traps

To configure a notification target for traps from SNMPv2c, use the following command:

Syntax — set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name]
target-num — ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip-addr[:udp-port-number] — IP address of the server.
Usage — The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only.

Examples — The following command configures a notification target for acknowledged notifications:

WX1200# set snmp notify target 1 10.10.40.
set snmp protocol

Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.

Syntax — set snmp protocol {v1 | v2c | usm | all} {enable | disable}
v1 — SNMPv1
v2c — SNMPv2c
usm — SNMPv3 (with the user security model)
all — Enables all supported versions of SNMP.
enable — Enables the specified SNMP version(s).
disable — Disables the specified SNMP version(s).

Defaults — All SNMP versions are disabled by default.
Access — Enabled.
set snmp security

Sets the minimum level of security MSS requires for SNMP message exchanges.

Syntax — set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}
unsecured — SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
authenticated — SNMP message exchanges are authenticated but are not encrypted.
encrypted — SNMP message exchanges are authenticated and encrypted.
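An added example, not part of the 3Com guide: a Python check that replays the set ip snmp server, set snmp protocol and set snmp security commands from a saved command listing and reports weak SNMP settings. The sample listings are constructed, and requiring the encrypted level is this example's own policy assumption.

```python
import re
from collections import namedtuple

# active=True means the SNMP service is enabled, so the setting is exposed now;
# active=False means it only takes effect once `set ip snmp server enable` is entered.
Finding = namedtuple("Finding", "code active detail")

PROMPT_RE = re.compile(r"^\S+[#>]\s+")  # CLI prompt such as "WX1200# "
SERVER_RE = re.compile(r"^set ip snmp server (enable|disable)$")
PROTO_RE = re.compile(r"^set snmp protocol (v1|v2c|usm|all) (enable|disable)$")
SECURITY_RE = re.compile(
    r"^set snmp security "
    r"(unsecured|authenticated|encrypted|auth-req-unsec-notify)$")
SNMP_PREFIXES = ("set ip snmp server", "set snmp protocol", "set snmp security")
VERSIONS = ("v1", "v2c", "usm")

# Constructed sample listings (not captured from a real switch).
WEAK_CONFIG = """\
WX1200# set ip snmp server enable
success: change accepted.
WX1200# set snmp protocol all enable
success: change accepted.
WX1200# set snmp security authenticated
success: change accepted.
"""

HARDENED_CONFIG = """\
set ip snmp server enable
set snmp protocol all disable
set snmp protocol usm enable
set snmp security encrypted
"""


def parse_snmp_state(config_text):
    """Replay the SNMP commands in order; the last command for a setting wins."""
    # Defaults stated in the reference: SNMP service disabled, all versions disabled.
    state = {"server": False, "versions": set(), "security": None, "unparsed": []}
    for raw in config_text.splitlines():
        # Collapse whitespace, then drop a leading prompt if one is present.
        line = PROMPT_RE.sub("", " ".join(raw.split()))
        if (m := SERVER_RE.match(line)):
            state["server"] = m.group(1) == "enable"
        elif (m := PROTO_RE.match(line)):
            targets = VERSIONS if m.group(1) == "all" else (m.group(1),)
            if m.group(2) == "enable":
                state["versions"].update(targets)
            else:
                state["versions"].difference_update(targets)
        elif (m := SECURITY_RE.match(line)):
            state["security"] = m.group(1)
        elif line.startswith(SNMP_PREFIXES):
            # Looks like one of the three commands but does not fit its syntax.
            state["unparsed"].append(line)
    return state


def audit_snmp(config_text, required_level="encrypted"):
    """Return a list of Finding tuples for weak or unreadable SNMP settings."""
    state = parse_snmp_state(config_text)
    active = state["server"]
    findings = []
    for version in ("v1", "v2c"):
        if version in state["versions"]:
            findings.append(Finding(
                f"SNMP_{version.upper()}_ENABLED", active,
                f"{version} supports only 'unsecured' message exchanges"))
    if "usm" in state["versions"]:
        if state["security"] is None:
            findings.append(Finding(
                "SNMP_SECURITY_NOT_SET", active,
                "usm enabled but no `set snmp security` line found"))
        elif state["security"] != required_level:
            findings.append(Finding(
                "SNMP_SECURITY_BELOW_REQUIRED", active,
                f"minimum level is '{state['security']}', "
                f"policy requires '{required_level}'"))
    for line in state["unparsed"]:
        findings.append(Finding("SNMP_LINE_UNPARSED", active, line))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for f in audit_snmp(text) or [Finding("OK", False, "no findings")]:
            print(f"  {f.code} active={f.active}: {f.detail}")
```

Findings with active=False are still worth fixing, because they become reachable as soon as the SNMP service is enabled.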
set snmp usm on page 199
display snmp status on page 163

set snmp usm

Creates a USM user for SNMPv3. This command does not apply to SNMPv1 or SNMPv2c. For these SNMP versions, use the set snmp community command to configure community strings.
notify-only—The switch can use the string to send notifications.
read-write—An SNMP management application using the string can get and set object values on the switch.
notify-read-write — An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications.
Defaults — No SNMPv3 users are configured by default. When you configure an SNMPv3 user, the default access is read-only, and the default authentication and encryption types are both none.
Access — Enabled.
History — Introduced in MSS Version 4.0.

Examples — The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers.

WX1200# set snmp usm snmpmgr1 snmp-engine-id local
success: change accepted.
set summertime

Offsets the real-time clock of a WX by +1 hour and returns it to standard time for daylight savings time or a similar summertime period.

Syntax — set summertime summer-name [start week weekday month hour min end week weekday month hour min]
summer-name — Name of up to 32 alphanumeric characters that describes the summertime offset. You can use a standard name or any name you like.
start — Start of the time change period.
Examples — To enable summertime and set the summertime time zone to PDT (Pacific Daylight Time), type the following command:

WX1200# set summertime PDT
success: change accepted

See Also
clear summertime on page 145
clear timezone on page 146
display summertime on page 164
display timedate on page 165
display timezone on page 165
set timedate on page 204
set timezone on page 205

set system ip-address

Configures the system IP address.
Examples — The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address:

WX4400# set interface taupe ip 10.10.20.20/24
success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
WX4400# set system ip-address 10.10.20.20
success: change accepted.
Examples — The following command sets the date to March 13, 2003 and time to 11:11:12:

WX4400# set timedate date feb 29 2004 time 23:58:00
Time now is: Sun Feb 29 2004, 23:58:02 PST

See Also
clear summertime on page 145
clear timezone on page 146
display summertime on page 164
display timedate on page 165
display timezone on page 165
set summertime on page 202
set timezone on page 205

set timezone

Sets the number of hours, and optionally the number of minute
Examples — To set the time zone for Pacific Standard Time (PST), type the following command:

WX1200# set timezone PST -8
Timezone is set to 'PST', offset from UTC is -8:0 hours.

See Also
clear summertime on page 145
clear timezone on page 146
display summertime on page 164
display timedate on page 165
display timezone on page 165
set summertime on page 202
set timedate on page 204

telnet

Opens a Telnet client session with a remote device.
Examples — In the following example, an administrator establishes a Telnet session with another device and enters a command on the remote device:

WX4400# telnet 10.10.10.90
Session 0 pty tty2.d
Trying 10.10.10.90...
Connected to 10.10.10.90
Disconnect character is '^t'
Copyright (c) 2004 3Com Corporation. All rights reserved.
dnf — Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented.
no-dns — Prevents MSS from performing a DNS lookup for each hop to the destination host.
port port-num — TCP port number listening for the traceroute probes.
queries num — Number of probes per hop.
size size — Probe packet size in bytes. You can specify from 40 through 1,460.
ttl hops — Maximum number of hops, which can be from 1 through 255.
The first row of the display indicates the target host, the maximum number of hops, and the packet size. Each numbered row displays information about one hop. The rows are displayed in the order in which the hops occur, beginning with the hop closest to the WX switch. The row for a hop lists the total time in milliseconds for each ICMP packet to reach the router or host, plus the time for the ICMP Time Exceeded message to return to the host.
8 AAA COMMANDS

Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local WX database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see Chapter 14.)

Commands by Usage

This chapter presents AAA commands alphabetically.
Table 41 AAA Commands by Usage (continued)
Type                                    Command
Local Authorization for Password Users  set user on page 271
                                        clear user on page 224
                                        set user attr on page 273
                                        clear user attr on page 225
                                        set usergroup on page 275
                                        clear usergroup on page 227
                                        set user group on page 275
                                        clear user group on page 226
                                        clear usergroup attr on page 228
Local Authorization for MAC Users       set mac-user on page 260
                                        clear mac-user on page 220
                                        set mac-user attr on page 261
                                        clear mac-user attr on page
Table 41 AAA Commands by Usage (continued)
Type                                      Command
Password and User Login Restrictions      set authentication password-restrict on page 252
                                          set authentication max-attempts on page 250
                                          set authentication minimum-password-length on page 251
                                          set user expire-password-in on page 274
                                          set usergroup expire-password-in on page 277
                                          clear user lockout on page 226

clear accounting

Removes accounting services for specified wireless users with administrative access or network access.
Examples — The following command removes accounting services for authorized network user Nin:

WX4400# clear accounting dot1x Nin
success: change accepted.

See Also
set accounting {admin | console} on page 235
display accounting statistics on page 232

clear authentication admin

Removes an authentication rule for administrative access through Telnet or Web Manager.

Syntax — clear authentication admin user-glob
user-glob — A single user or set of users.
clear authentication mac on page 217
clear authentication proxy on page 218
display aaa on page 229
set authentication admin on page 239

clear authentication console

Removes an authentication rule for administrative access through the Console.

Syntax — clear authentication console user-glob
user-glob — A single user or set of users.
clear authentication mac on page 217
clear authentication proxy on page 218
set authentication console on page 241

clear authentication dot1x

Removes an 802.1X authentication rule.

Syntax — clear authentication dot1x {ssid ssid-name | wired} user-glob
ssid ssid-name — SSID name to which this authentication rule applies.
wired — Clears a rule used for access over a WX wired-authentication port.
user-glob — A single user or a set of users with 802.
clear authentication proxy on page 218
display aaa on page 229
set authentication dot1x on page 243

clear authentication mac

Removes a MAC authentication rule.

Syntax — clear authentication mac {ssid ssid-name | wired} mac-addr-glob
ssid ssid-name — SSID name to apply the authentication.
wired — Clears a rule used for access over a WX wired-authentication port.
mac-addr-glob — A single user or set of users with access via a MAC address.
clear authentication proxy

Removes a proxy rule for third-party AP users.

Syntax — clear authentication proxy ssid ssid-name user-glob
ssid ssid-name — SSID name to which this authentication rule applies.
user-glob — User-glob associated with the rule you are removing.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command removes WebAAA for SSID research and userglob temp*@thiscorp.com:

WX4400# clear authentication web ssid research temp*@thiscorp.
See Also
display location policy on page 234
set location policy on page 256

clear mac-user

Removes a user profile from the local database on the WX for a user authenticated by a MAC address. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax — clear mac-user mac-addr
mac-addr — MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

Defaults — None.
Access — Enabled.
clear mac-user attr

Removes an authorization attribute from the user profile in the local database on the WX switch, for a user who is authenticated by a MAC address. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax — clear mac-user mac-addr attr attribute-name
mac-addr — MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — Removing a MAC user from a MAC user group removes the group name from the user’s profile, but does not delete the user group from the local WX database. To remove the group, use clear mac-usergroup.

Examples — The following command deletes the user profile for a user at MAC address 01:02:03:04:05:06 from its user group:

WX4400# clear mac-user 01:02:03:04:05:06 group
success: change accepted.
See Also
clear mac-usergroup attr on page 223
display aaa on page 229
set mac-usergroup attr on page 267

clear mac-usergroup attr

Removes an authorization attribute from a MAC user group in the local database on the WX, for a group of users who are authenticated by a MAC address. (To unconfigure an authorization attribute in RADIUS, see the documentation for your RADIUS server.
clear mobility-profile

Removes a Mobility Profile entirely.

Syntax — clear mobility-profile name
name — Name of an existing Mobility Profile.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.

Examples — The following command removes the Mobility Profile for user Nin:

WX1200# clear mobility-profile Nin
success: change accepted.
Examples — The following command deletes the user profile for user Nin:

WX4400# clear user Nin
success: change accepted.

See Also
display aaa on page 229
set user on page 271

clear user attr

Removes an authorization attribute from the user profile in the local database on the WX for a user with a password. (To remove an authorization attribute from a RADIUS user profile, see the documentation for your RADIUS server.
clear user group

Removes a user with a password from membership in a user group in the local database on the WX. (To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)

Syntax — clear user username group
username — Username of a user with a password.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
History — Introduced in MSS 6.0.
Usage — If a user’s password has expired, or the user is unable to log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator. Use this command to restore access to the user.

Examples — The following command restores access to user Nin, who had previously been locked out of the system:

WX# clear user Nin lockout
success: change accepted.
See Also
clear usergroup attr on page 228
display aaa on page 229
set usergroup on page 275

clear usergroup attr

Removes an authorization attribute from a user group in the local database on the WX. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax — clear usergroup group-name attr attribute-name
group-name — Name of an existing user group.
display aaa

Displays all current AAA settings.

Syntax — display aaa
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Web Portal section added, to indicate the state of the WebAAA feature in MSS Version 4.0.
user last-resort-guestssid
Vlan-Name = k2
user last-resort-any
Vlan-Name = foo
mac-user 01:02:03:04:05:06
usergroup eastcoasters
session-timeout = 99

Table 42 describes the fields that can appear in display aaa output.

Table 42 display aaa Output
Field           Description
Default Values  RADIUS default values for all parameters.
authport        UDP port on the WX for transmission of RADIUS authorization and authentication messages. The default port is 1812.
Table 42 display aaa Output (continued)
Field          Description
T/o            Setting of timeouts on each RADIUS server currently active.
Tries          Number of retransmissions configured for each RADIUS server currently active. The default is 3 times.
Dead           Length of time until the server is considered responsive again.
State          Current state of each RADIUS server currently active:
                 UP (operating)
                 DOWN (unavailable)
Server groups  Names of RADIUS server groups and member servers configured on the WX switch.

display accounting statistics
Displays the AAA accounting records for wireless users. The records are stored in the local database on the WX. (To display RADIUS accounting records, see the documentation for your RADIUS server.)
Syntax — display accounting statistics
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Formatting of output enhanced for readability in Version 4.
AAA_ACCT_SVC_ATTR=2
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Table 43 describes the fields that can appear in display accounting statistics output.
Table 43 display accounting statistics Output
Field | Description
Date and time | Date and time of the accounting record.
Table 43 display accounting statistics Output (continued)
Nas-Port-Id | Number of the port and radio on the MAP through which the session was conducted.
Called-Station-Id | MAC address of the MAP through which the client reached the network.
See Also
clear accounting on page 213
display aaa on page 229
set accounting {admin | console} on page 235

display location policy
Displays the list of location policy rules that make up the location policy on a WX switch.

display mobility-profile
Displays the named Mobility Profile. If you do not specify a Mobility Profile name, this command shows all Mobility Profile names and port lists on the WX.
Syntax — display mobility-profile [name]
name — Name of an existing Mobility Profile.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 30.) This option does not apply if mac is specified. For mac, specify a mac-addr-glob. (See “MAC Address Globs” on page 31.
See Also
clear accounting on page 213
display accounting statistics on page 232

set accounting {dot1x | mac | web | last-resort}
Sets up accounting services for specified wireless users with network access, and defines the accounting records and where they are sent.
start-stop — Sends accounting records at the start and end of a network session.
stop-only — Sends accounting records only at the end of a network session.
method1, method2, method3, method4 — At least one of up to four methods that MSS uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, MSS tries the second method, and so on.

set authentication admin
Configures authentication and defines where it is performed for specified users with administrative access through Telnet or Web Manager.
Syntax — set authentication admin user-glob method1 [method2] [method3] [method4]
user-glob — Single user or set of users with administrative access over the network through Telnet or Web Manager.
History — Introduced in MSS Version 3.0. The syntax descriptions for the set authentication commands are separated for clarity. However, the options and behavior for the set authentication admin command are the same as in previous releases.
Usage — You can configure different authentication methods for different groups of users. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 30.
See Also
set authentication mac on page 247
set authentication web on page 254

set authentication console
Configures authentication and defines where it is performed for specified users with administrative access through a console connection.
Syntax — set authentication console user-glob method1 [method2] [method3] [method4]
user-glob — Single user or set of users with administrative access through the switch’s console.
Defaults — By default, authentication is deactivated for all console users, and the default authentication method in a console authentication rule is none. MSS requires no username or password, by default. These users can press Enter at the prompts for administrative access. It is recommended that you change the default setting unless the WX is in a secure physical location.
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
set authentication admin on page 239
set authentication dot1x on page 243
set authentication mac on page 247
set authentication web on page 254

set authentication dot1x
Configures authentication and defines how it is performed for specified wireless or wired authentication clients who use an IEEE 802.1X authentication protocol to access the network through the WX.
Provides mutual authentication, integrity-protected negotiation, and key exchange
Requires X.509 public key certificates on both sides of the connection
Provides encryption and integrity checking for the connection
Cannot be used with RADIUS server authentication (requires user information to be in the WX local database)
peap-mschapv2 — Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2).
Defaults — By default, authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch. Connection, authorization, and accounting are also disabled for these users. Bonded authentication is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You can configure different authentication methods for different groups of users by “globbing.
If the username does not match an authentication rule for the SSID the user is attempting to access, MSS uses the fallthru authentication type configured for the SSID, which can be last-resort, web-portal (for WebAAA), or none.
Examples — The following command configures EAP-TLS authentication in the local WX database for SSID mycorp and 802.1X client Geetha:
WX4400# set authentication dot1x ssid mycorp Geetha eap-tls local
success: change accepted.

set authentication mac
Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address.
Syntax — set authentication mac {ssid ssid-name | wired} mac-addr-glob method1 [method2] [method3] [method4]
ssid ssid-name — SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
If you specify multiple authentication methods in the set authentication mac command, MSS applies them in the order in which they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
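The fall-through behavior described above, modelled as an added Python example (not MSS code and not part of the original reference): it shows that a fail from the first method is final, while an unreachable first method hands the decision to the next one, so stale entries in the local database only become effective during a RADIUS outage. The server group name sg1, the MAC addresses, and the deny result when no method answers are assumptions made for the illustration.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no response"


def evaluate_rule(methods, backends, mac):
    """Walk the methods of one authentication rule in command order.

    methods  -- method names in the order they appear in the rule
    backends -- maps a method name to a callable(mac) -> Reply
    Returns (granted, trace), where trace lists every method consulted.
    """
    trace = []
    for name in methods:
        reply = backends[name](mac)
        trace.append((name, reply))
        if reply is not Reply.NO_RESPONSE:
            # A pass or a fail is final: later methods are never consulted.
            return reply is Reply.PASS, trace
    # Assumption (not stated on the page): deny when no method answers.
    return False, trace


def mac_backend(known_macs, reachable=True):
    """Toy MAC database; an unreachable backend never answers."""
    known = {m.lower() for m in known_macs}

    def check(mac):
        if not reachable:
            return Reply.NO_RESPONSE
        return Reply.PASS if mac.lower() in known else Reply.FAIL

    return check


# Constructed sample data. "sg1" is a hypothetical RADIUS server group name.
RULE_METHODS = ["sg1", "local"]
PRINTER = "00:11:22:33:44:55"   # current device, known to RADIUS only
STALE = "aa:bb:cc:dd:ee:ff"     # retired device, still in the local database
RADIUS_MACS = {PRINTER}
LOCAL_MACS = {STALE}


def decisions(radius_reachable):
    """Evaluate both sample devices with RADIUS reachable or unreachable."""
    backends = {
        "sg1": mac_backend(RADIUS_MACS, reachable=radius_reachable),
        "local": mac_backend(LOCAL_MACS),
    }
    return {mac: evaluate_rule(RULE_METHODS, backends, mac)
            for mac in (PRINTER, STALE)}


if __name__ == "__main__":
    for reachable in (True, False):
        print("RADIUS reachable:", reachable)
        for mac, (granted, trace) in decisions(reachable).items():
            steps = ", ".join(f"{n}={r.value}" for n, r in trace)
            print(f"  {mac}: {'permit' if granted else 'deny'} ({steps})")
```

With a rule ordered this way, the local database is effectively the outage-time policy, so it is worth auditing it as carefully as the RADIUS server.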

set authentication max-attempts
Specifies the maximum number of login attempts users can make before being locked out of the system.
Syntax — set authentication max-attempts number
number — Number of allowable login attempts for a user. You can specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset to the default values.
Defaults — For Telnet or SSH sessions, a maximum of 4 failed login attempts are allowed by default.

set authentication minimum-password-length
Specifies the minimum allowable length for user passwords.
Syntax — set authentication minimum-password-length length
length — Minimum number of characters that can be in a user password. You can specify a minimum password length between 0 – 32 characters. Specifying 0 removes the restriction on password length.
Defaults — By default, there is no minimum length for user passwords.
Access — Enabled.

set authentication password-restrict
Activates password restrictions for network and administrative users.
Syntax — set authentication password-restrict {enable | disable}
enable — Enables password restrictions on the WX.
disable — Disables password restrictions on the WX.
Defaults — By default, the password restrictions are disabled.
Access — Enabled.
History — Introduced in MSS 6.0.
See Also
clear user lockout on page 226
set authentication minimum-password-length on page 251
set authentication max-attempts on page 250

set authentication proxy
Configures a proxy authentication rule for a third-party AP’s wireless users.
Syntax — set authentication proxy ssid ssid-name user-glob radius-server-group
ssid ssid-name — SSID name to which this authentication rule applies.
user-glob — A single user or a set of users.
See Also
clear authentication proxy on page 218
set radius proxy client on page 585
set radius proxy port on page 586

set authentication web
Configures an authentication rule to allow a user to log in to the network using a web page served by the WX. The rule can be activated if the user is not otherwise granted or denied access by 802.1X, or granted access by MAC authentication.
Defaults — By default, authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch. Connection, authorization, and accounting are also disabled for these users.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You can configure different authentication methods for different groups of users by “globbing.” (For details, see “User Globs” on page 30.
Examples — The following command configures a WebAAA rule in the local WX database for SSID ourcorp and userglob rnd*:
WX4400# set authentication web ssid ourcorp rnd* local
success: change accepted.
inacl inacl-name — Name of an existing security ACL to apply to packets sent to the WX with attributes matching the location policy rule. Optionally, you can add the suffix .in to the name.
outacl outacl-name — Name of an existing security ACL to apply to packets sent from the WX with attributes matching the location policy rule. Optionally, you can add the suffix .out to the name.
For user-glob, specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Globs” on page 30.)
before rule-number — Inserts the new location policy rule in front of another rule in the location policy.
When applying security ACLs:
Use inacl inacl-name to filter traffic that enters the WX from users via a MAP access port or wired authentication port, or from the network via a network port.
Use outacl outacl-name to filter traffic sent from the switch to users via a MAP access port or wired authentication port, or from the network via a network port.
You can optionally add the suffixes .in and .
The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:
WX1200# set location policy permit vlan kiosk_1 iff ssid eq tempvendor_a
success: change accepted
See Also
clear location policy on page 219
display location policy on page 234

set mac-user
Configures a user profile in the local database on the WX for a user who can authenticate by a MAC address, and optionally adds the user to a MAC user group.
See Also
clear mac-user on page 220
display aaa on page 229

set mac-user attr
Assigns an authorization attribute in the local database on the WX to a user authenticating with a MAC address. (To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)
Syntax — set mac-user mac-addr attr attribute-name value
mac-addr — MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Table 44 Authentication Attributes for Local Users
Attribute: encryption-type
Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
Valid Value(s): One of the following numbers that identifies an encryption algorithm:
1—AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
Table 44 Authentication Attributes for Local Users (continued)
Attribute: filter-id
Description: Inbound or outbound ACL to apply to the user.
Valid Value(s): If configured in the WX local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format:
filter-id inboundacl.in
or
filter-id outboundacl.out
If you are configuring the attribute on a RADIUS server, the value field of filter-id can specify up to two ACLs.
Table 44 Authentication Attributes for Local Users (continued)
Attribute: service-type
Description: Type of access requested by the user.
Valid Value(s): One of the following numbers:
2—Framed; for network user access
6—Administrative; for administrative access to the WX, with authorization to access the enabled (configuration) mode. The user must enter the enable command to access the enabled mode.
7—NAS-Prompt; for administrative access to the nonenabled mode only.
Table 44 Authentication Attributes for Local Users (continued)
Attribute: time-of-day (network access mode only)
Description: Day(s) and time(s) during which the user is permitted to log into the network.
Valid Value(s): One of the following:
never—Access is always denied.
any—Access is always allowed.
al—Access is always allowed.
Table 44 Authentication Attributes for Local Users (continued)
Attribute: url (network access mode only)
Description: URL to redirect the user after successful WebAAA.
Valid Value(s): Web URL, in standard format. For example: http://www.example.com
You must include the http:// portion.
You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group the MAC user is in, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is sooner than the start-date configured for the MAC user group the user is in, the MAC user’s network access can begin as soon as the user start-date.
attribute-name value — Name and value of an attribute used to authorize all MAC users in the group for a particular service or session characteristic. (For a list of authorization attributes, see Table 44 on page 262.)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — To change the value of an attribute, enter set mac-usergroup attr with the new value. To delete an attribute, use clear mac-usergroup attr.

set mobility-profile
Creates a Mobility Profile and specifies the MAP access point and/or wired authentication ports on the WX switch through which any user assigned to the profile is allowed access.
Syntax — set mobility-profile name name {port {none | all | port-list}} | {ap {none | all | ap-num}}
name — Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with no spaces.
CAUTION: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX database or RADIUS server when no Mobility Profile of that name exists on the WX.
To change the ports in a profile, use set mobility-profile again with the updated port list.

set mobility-profile mode
Enables or disables the Mobility Profile feature on the WX switch.
CAUTION: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX database or RADIUS server when no Mobility Profile of that name exists on the WX.
Syntax — set mobility-profile mode {enable | disable}
enable — Enables the use of the Mobility Profile feature on the WX.
encrypted — Indicates that the password string you entered is already in its encrypted form. If you use this option, MSS does not encrypt the displayed form of the password string, and instead displays the string exactly as you entered it. If you omit this option, MSS does encrypt the displayed form of the string.
password string — Password of up to 32 alphanumeric characters, with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.

set user attr
Configures an authorization attribute in the local database on the WX switch for a user with a password. (To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)
Syntax — set user username attr attribute-name value
username — Username of a user with a password.
attribute-name value — Name and value of an attribute you are using to authorize the user for a particular service or session characteristic.
The following command limits the days and times when user Student1 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
WX4400# set user Student1 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
See Also
clear user attr on page 225
display aaa on page 229

set user expire-password-in
Specifies how long a user password is valid before it must be reset.

set user group
Adds a user to a user group. The user must have a password and a profile that exists in the local database on the WX. (To configure a user in RADIUS, see the documentation for your RADIUS server.)
Syntax — set user username group group-name
username — Username of a user with a password.
group-name — Name of an existing user group for password users.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
attribute-name value — Name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to users, see Table 44 on page 262.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — To change the value of an attribute, enter set usergroup attr with the new value. To delete an attribute, use clear usergroup attr.

set usergroup expire-password-in
Specifies how long the passwords for the users in a user group are valid before they must be reset.
Syntax — set usergroup group-name expire-password-in time
group-name — Name of a group for password users.
time — How long the passwords for the users in the specified group are valid. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h).

set web-portal
Globally enables or disables WebAAA on a WX switch.
Syntax — set web-portal {enable | disable}
enable — Enables WebAAA on the switch.
disable — Disables WebAAA on the switch.
Defaults — Enabled.
Access — Enabled.
History — Introduced in MSS Version 3.0. Command name changed from set web-aaa to set web-portal, to match change to portal-based implementation in MSS Version 4.0.
Usage — This command disables or reenables support for WebAAA.

9 MOBILITY DOMAIN COMMANDS
Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of WX switches and MAP access points working together to support a roaming user (client). One WX acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members. 3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain.
Commands by Usage
This chapter presents Mobility Domain commands alphabetically.

clear mobility-domain
Clears all Mobility Domain configuration and information from a WX, regardless of whether the WX is a seed or a member of a Mobility Domain.
Syntax — clear mobility-domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command has no effect if the WX is not configured as part of a Mobility Domain.
Usage — This command has no effect if the WX member is not configured as part of a Mobility Domain or the current WX is not the seed.
Examples — The following command clears a Mobility Domain member with the IP address 192.168.0.1:
WX1200# clear mobility-domain member 192.168.0.1
See Also
set mobility-domain member on page 284

display mobility-domain
On the seed WX, displays the Mobility Domain status and members.
Syntax — display mobility-domain
Defaults — None.
Table 46 display mobility-domain Output
Field | Description
Type | Role of the WX in the Mobility Domain: MEMBER, SEED, SECONDARY-SEED
Model | Mode of the WX
Version | MSS version running on the WX
See Also
clear mobility-domain on page 280
set mobility-domain member on page 284
set mobility-domain mode member seed-ip on page 286

display mobility-domain config
Displays the configuration of the Mobility Domain.

display mobility-domain status
On the seed WX, displays the Mobility Domain status and members.
Syntax — display mobility-domain status
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To display Mobility Domain status, type the following command:
WX4400# display mobility-domain status
Mobility Domain name: Pleasanton
Member State Status
---------------------------------------
192.168.253.11 STATE_UP MEMBER
192.168.253.

set mobility-domain member
On the seed WX, adds a member to the list of Mobility Domain members. If the current WX is not configured as a seed, this command is rejected.
Syntax — set mobility-domain member ip-addr Key hex-bytes
ip-addr — IP address of the Mobility Domain member in dotted decimal notation.
Key hex-bytes — Fingerprint of the public key to use for WX-WX security. Specify the key as 16 hexadecimal bytes.

set mobility-domain mode member secondary seed-ip
Sets the IP address of the secondary seed WX on a nonseed WX.
Syntax — set mobility-domain mode member secondary seed-ip secondary-seed-ip-addr key hex-bytes
secondary-seed-ip-addr — IP address of the secondary seed, in dotted decimal notation.
key hex-bytes — Fingerprint of the public key to use for WX-WX security. Specify the key as 16 hexadecimal bytes.

set mobility-domain mode member seed-ip
On a nonseed WX, sets the IP address of the seed WX. This command is used on a member WX to configure it as a member. If the WX is currently part of another Mobility Domain or using another seed, this command overwrites that configuration.
Syntax — set mobility-domain mode member seed-ip ip-addr key hex-bytes
ip-addr — IP address of the Mobility Domain member, in dotted decimal notation.

set mobility-domain mode secondary-seed domain-name
Sets the current WX as a secondary-seed device for the Mobility Domain.
Syntax — set mobility-domain mode secondary-seed domain-name mob-domain-name seed-ip primary-seed-ip-addr
mob-domain-name — Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.
primary-seed-ip-addr — The address of the seed device in the Mobility Domain.
Defaults — None.
Access — Enabled.
Examples — The following command configures this WX as the secondary seed in a Mobility Domain named Pleasanton:
WX# set mobility-domain mode secondary-seed domain-name Pleasanton
mode is: secondary-seed
domain name is: Pleasanton
See Also
clear mobility-domain member on page 280
display mobility-domain on page 281

set mobility-domain mode seed domain-name
Creates a Mobility Domain by setting the current WX as the seed device and naming the Mobility Domai
See Also
clear mobility-domain member on page 280
display mobility-domain status on page 283

set domain security
Sets mobility domain security to required (enabled) or none (disabled) on the wireless LAN switch. The command needs to be entered on each wireless LAN switch that will participate as a member of the secure mobility domain.
Syntax — set domain security {required | none}
Defaults — Mobility domain security is disabled by default.
Access — Enabled.

10 NETWORK DOMAIN COMMANDS
Use Network Domain commands to configure and manage Network Domain groups. A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured on a WX in one Mobility Domain to establish connectivity on a WX in another Mobility Domain in the same Network Domain. The WX forwards the user traffic by creating a VLAN tunnel to a WX in the remote Mobility Domain.
Table 48 Network Domain Commands by Usage (continued)
Type | Command
| clear network-domain peer on page 294
| clear network-domain seed-ip on page 295
| display network-domain on page 296

clear network-domain
Clears all Network Domain configuration and information from a WX, regardless of whether the WX is a seed or a member of a Network Domain.
Syntax — clear network-domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.

clear network-domain mode
Removes the Network Domain seed or member configuration from the WX.
Syntax — clear network-domain mode {seed | member}
seed — Clears the Network Domain seed configuration from the WX switch.
member — Clears the Network Domain member configuration from the WX switch.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.
Usage — This command has no effect if the WX is not configured as part of a Network Domain.

clear network-domain peer
Removes the configuration of a Network Domain peer from a WX configured as a Network Domain seed.
Syntax — clear network-domain peer {ip-addr | all}
ip-addr — IP address of the Network Domain peer in dotted decimal notation.
all — Clears the Network Domain peer configuration for all peers from the WX switch.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.

clear network-domain seed-ip
Removes the specified Network Domain seed from the WX configuration. When you enter this command, the Network Domain TCP connections between the WX switch and the specified Network Domain seed are closed.
Syntax — clear network-domain seed-ip ip-addr
ip-addr — IP address of the Network Domain seed in dotted decimal notation.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.

display network-domain
Displays the status of Network Domain seeds and members.
Syntax — display network-domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.
Examples — To display Network Domain status, type the following command. The output of the command differs based on whether the WX switch is a member of a Network Domain or a Network Domain seed.
Table 49 describes the fields in the display.
Table 49 Radio-Specific Parameters
Parameter | Description
Output if WX is the Network Domain Seed
Network Domain name | Name of the Network Domain for which the WX is a seed.
Peer | IP addresses of the other seeds in the Network Domain.
State | State of the connection between the WX and the peer Network Domain seeds: UP, DOWN
Member | IP addresses of the seed WX and members in the Network Domain.

set network-domain mode member seed-ip
Sets the IP address of a Network Domain seed. This command is used for configuring a WX as a member of a Network Domain. You can specify multiple Network Domain seeds and configure one as the primary seed.
Syntax — set network-domain mode member seed-ip ip-addr [affinity num]
ip-addr — IP address of the Network Domain seed, in dotted decimal notation.
num — Preference for using the specified Network Domain seed.
See Also
clear network-domain on page 292
display network-domain on page 296

set network-domain peer
On a Network Domain seed, configures one or more WX as redundant Network Domain seeds. The seeds in a Network Domain share information about the VLANs configured on the member devices, so that all the Network Domain seeds have the same database of VLAN information.

set network-domain mode seed domain-name
Creates a Network Domain by setting the current WX as a seed device and naming the Network Domain.
Syntax — set network-domain mode seed domain-name net-domain-name
net-domain-name — Name of the Network Domain. Specify between 1 and 16 characters with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.1.

11 MANAGED ACCESS POINT COMMANDS
Use MAP access point commands to configure and manage MAP access points. Be sure to do the following before using the commands:
Define the country-specific IEEE 802.11 regulations on the WX switch. (See set system countrycode on page 61.)
Install the MAP access point and connect it to a port on the WX switch.
Configure a MAP as a directly connected MAP or a Distributed MAP. (See set port type ap on page 97 and set ap on page 87.
Table 50 Map Access Point Commands by Usage (continued)
Type | Command
| set ap radio auto-tune max-retransmissions on page 385
| set ap radio link-calibration on page 388
| set ap radio mode on page 391
| set ap radio radio-profile on page 392
| set ap auto radiotype on page 365
| set ap upgrade-firmware on page 396
External Antennas | set ap radio antennatype on page 383
| set ap radio antenna-location on page 382
MAP-WX Security | set ap fingerprint on page 376
| set ap se
Table 50 Map Access Point Commands by Usage (continued)
Type | Command
| set radio-profile max-tx-lifetime on page 415
| set radio-profile preamble-length on page 419
| set radio-profile rts-threshold on page 423
Authentication and Encryption | set service-profile attr on page 431
| set service-profile auth-dot1x on page 433
| set service-profile auth-fallthru on page 434
| set service-profile web-portal-form on page 473
| set service-profile web-portal-acl on page 472
| set service-profil
Table 50 Map Access Point Commands by Usage (continued)
Type | Command
QoS and VoIP | set radio-profile qos-mode on page 420
| set radio-profile wmm-powersave on page 430
| set service-profile cac-mode on page 438
| set service-profile cac-session on page 439
| set service-profile static-cos on page 467
| set service-profile cos on page 444
| set service-profile use-client-dscp on page 470
DHCP Restrict | set service-profile dhcp-restrict on page 445
Broadcast Control | se
MAP Access Point Commands by Usage 305 Table 50 Map Access Point Commands by Usage (continued) Type Command set radio-profile auto-tune channel-lockdown on page 405 set radio-profile auto-tune power-config on page 406 set radio-profile auto-tune power-interval on page 407 set radio-profile auto-tune power-lockdown on page 408 set ap radio auto-tune max-power on page 384 display auto-tune neighbors on page 340 display auto-tune attributes on page 338 AeroScout Tag Support set radio-profile rfid-mode on
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 50 Map Access Point Commands by Usage (continued) Type Command display ap unconfigured on page 347 display ap qos-stats on page 326 display ap etherstats on page 327 MAP Local Switching set ap local-switching mode on page 379 set ap local-switching vlan-profile on page 380 clear ap local-switching vlan-profile on page 307 display ap arp on page 314 display ap fdb on page 325 display ap vlan on page 337 WLAN Mesh Services set ap boot- configuration m
clear ap local-switching vlan-profile
Clears the VLAN profile that had been applied to a MAP to use with local switching.
Syntax — clear ap ap-number local-switching vlan-profile
ap-number — Index value that identifies the MAP on the WX switch.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — A VLAN profile consists of a list of VLANs and tags.
clear ap radio
Disables a MAP radio and resets it to its factory default settings.
Syntax — clear ap ap-number radio {1 | 2 | all}
ap ap-number — Index value that identifies the MAP on the WX.
radio 1 — Radio 1 of the MAP.
radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.)
radio all — All radios on the MAP.
clear ap radio 309 Table 51 Radio-Specific Parameters (continued) channel 802.11b — 6 802.11a — Lowest valid channel number for the country of operation Number of the channel in which a radio transmits and receives traffic mode disable radio-profile None. You must add the radios to a radio profile.
clear ap boot-configuration
Removes the static IP address configuration for a Distributed MAP.
Syntax — clear ap boot-configuration apnum
ap ap-number — Index value that identifies the MAP on the WX.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.2. Version 6.0 removed the dap option.
Usage — When the static IP configuration is cleared for a MAP, and a MAP is rebooted, it uses the standard boot process.
clear ap radio load-balancing group
Removes a MAP radio from its load-balancing group.
Syntax — clear ap ap-number radio {1 | 2} load-balancing group
ap ap-number — Index value that identifies the MAP on the WX.
radio 1 — Radio 1 of the MAP.
radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 6.0.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS clear radio-profile Removes a radio profile or resets one of the profile’s parameters to its default value. Syntax — clear radio-profile name [parameter] name — Radio profile name.
The following commands disable the radios using radio profile rptest and remove the profile:
WX4400# set radio-profile rptest mode disable
WX4400# clear radio-profile rptest
success: change accepted.
See Also
display radio-profile on page 350
set ap radio radio-profile on page 392
set radio-profile mode on page 416
clear service-profile
Removes a service profile or resets one of the profile’s parameters to its default value.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Access — Enabled. History — Introduced in MSS Version 3.0. Options added to clear SODA parameters in Version 4.2. Usage — If the service profile is mapped to a radio profile, you must remove it from the radio profile first. (After disabling all radios that use the radio profile, use the clear radio-profile name service-profile name command.
display ap arp
Examples — The following command displays ARP entries for AP 7:
WX# display ap arp 7
AP 7:
Host                  HW Address        VLAN State    Type
--------------------- ----------------- ---- -------- -------
10.5.4.51             00:0b:0e:00:04:0c 1    EXPIRED  DYNAMIC
10.5.4.53             00:0b:0e:02:76:f7 1    RESOLVED LOCAL
Table 52 describes the fields in this display.
Table 52 Output for display ap arp
Field — Description
Host — IP address, hostname, or alias.
HW Address — MAC address mapped to the IP address, hostname, or alias.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS display ap config Displays global and radio-specific settings for a MAP access point. Syntax — display ap config [port-list [radio {1 | 2}]] ap-number — Index value that identifies the MAP on the WX. radio 1 — Shows configuration information for radio 1. radio 2 — Shows configuration information for radio 2. (This option does not apply to single-radio models.) Defaults — None. Access — All. History —Introduced in MSS Version 3.0. Version 6.
Table 53 Output for display ap config
Field — Description
Port — WX port number to which the MAP is connected, if specified for the MAP.
AP — Index number that identifies the MAP to the WX.
Serial-Id — Serial ID of the MAP access point.
AP model — MAP access point model number.
bias — Bias of the WX connection to the MAP:
  High
  Low
name — MAP access point name, if configured.
Table 53 Output for display ap config (continued)
Field — Description
profile — Radio profile that manages the radio. Until you assign the radio to a radio profile, MSS assigns the radio to the default radio profile.
auto-tune max-power — Maximum power level the RF Auto-Tuning feature can set on the radio. The value default means RF Auto-Tuning can set the power up to the maximum level allowed for the country of operation.
load-balance-group
set ap radio mode on page 391
set ap radio antennatype on page 383
set ap radio channel on page 387
set ap radio radio-profile on page 392
set ap radio tx-power on page 393
display ap counters
Displays MAP access point and radio statistics counters.
Syntax — display ap counters [ap-number [radio {1 | 2}]]
ap-number — Index value that identifies the MAP on the WX.
radio 1 — Shows statistics counters for radio 1.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Examples — The following command shows statistics counters for Distributed MAP 7: WX1200# display ap counters 7 AP: 7 radio: 1 ================================= LastPktXferRate 2 PktTxCount NumCntInPwrSave 4294966683MultiPktDrop LastPktRxSigStrength -54 MultiBytDrop LastPktSigNoiseRatio 40 User Sessions TKIP Pkt Transfer Ct 0 MIC Error Ct TKIP Pkt Replays 0 TKIP Decrypt Err CCMP Pkt Decrypt Err 0 CCMP Pkt Replays CCMP Pkt Transfer Ct 0 RadioResets Radio Recv P
display ap counters 321 Table 54 describes the fields in this display. Table 54 Output for display ap counters Field Description AP Distributed MAP number. Port WX port number (if the MAP is directly connected to the WX and the WX port is configured as a MAP access point). radio Radio number. LastPktXferRate Data transmit rate, in Mbps, of the last packet received by the MAP access point. NumCntInPwrSave Number of clients currently in power save mode.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 54 Output for display ap counters (continued) Field Description CCMP Pkt Transfer Ct Total number of CCMP packets sent and received by the radio. Radio Recv Phy Err Ct Number of times radar caused packet errors. If this counter increments rapidly, there is a problem in the RF environment. This counter increments only when radar is detected. Rate-specific Phy errors are instead counted in the PhyError columns for individual data rates.
display ap counters 323 Table 54 Output for display ap counters (continued) Field Description User Sessions Number of clients currently associated with the radio. Generally, this counter is equal to the number of sessions listed for the radio in display sessions output. However, the counter can differ from the counter in display sessions output if a client is associated with the radio but has not yet completed 802.1X authentication.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 54 Output for display ap counters (continued) Field Description Noise Floor Received signal strength at which the MAP can no longer distinguish 802.11 packets from ambient RF noise. A value around -90 or higher is good for an 802.11b/g radio. A value around -80 or higher is good for an 802.11a radio. Values near 0 can indicate RF interference. 802.3 Packet Rx Ct Number of raw 802.3 packets received by the radio.
See Also
display sessions network on page 620
display ap fdb
Displays the entries in a specified MP’s forwarding database.
Syntax — display ap fdb ap-number
ap-number — Index value that identifies the MAP on the WX.
Defaults — None.
Access — All.
History — Introduced in MSS Version 6.0.
Examples — The following command displays FDB entries for AP 7:
WX# display ap fdb 7
AP 7:
# = System Entry.
See Also
set ap local-switching mode on page 379
set vlan profile on page 127
display ap qos-stats
Displays statistics for MAP forwarding queues.
Syntax — display ap qos-stats [ap-number][clear]
ap-number — Index value that identifies the MAP on the WX.
clear — Clears the counters after displaying their current values.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0. Version 4.2 added the TxDrop field. Version 6.
display ap etherstats 327 Table 56 describes the fields in this display. Table 56 Output for display ap qos-stats Field Description CoS CoS value associated with the forwarding queues. Queue Forwarding queue. AP Distributed MAP number or MAP port number. radio Radio number. Tx Number of packets transmitted to the air from the queue. TxDrop Number of packets dropped from the queue instead of being transmitted. Some packet drops are normal, especially if the RF environment is noisy.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Examples — The following command displays Ethernet statistics for the Ethernet ports on Distributed MAP 1: WX4400# display ap etherstats 1 AP: 1 ether: 1 ================================= RxUnicast: 75432 TxGoodFrames: RxMulticast: 18789 TxSingleColl: RxBroadcast: 8 TxLateColl: RxGoodFrames: 94229 TxMaxColl: RxAlignErrs: 0 TxMultiColl: RxShortFrames: 0 TxUnderruns: RxCrcErrors: 0 TxCarrierLoss: RxOverruns: 0 TxDeferred: RxDiscards: 0 55210 32 0 0 47 0 0 150
display ap group 329 Table 57 Output of display ap etherstats (continued) Field Description TxMaxColl Number of frames that were not transmitted because they encountered the maximum allowed number of collisions. Typically, this occurs only during periods of heavy traffic on the network. TxMultiColl Number of transmitted frames that encountered more than one collision. TxUnderruns Number of frames that were not transmitted or retransmitted due to temporary lack of hardware resources.
Examples — The following command displays mesh link information for AP 7:
WX# display ap mesh-links 7
AP: 7 IP-addr: 1.1.1.3
Operational Mode: Mesh-Portal
Downlink Mesh-APs
------------------------------------------------
BSSID: 00:0b:0e:17:bb:3f (54 Mbps)
      packets  bytes
TX:   307      44279
RX:   315      215046
The following command displays statistics for the path of mesh services devices that MAP is part of.
See Also
set ap boot-configuration mesh ssid on page 373
set service-profile mesh on page 450
display ap status
Displays MAP access point and radio status information.
Syntax — display ap status [terse] [ap-number | all [radio {1 | 2}]]
terse — Displays a brief line of essential status information for each MAP.
ap-number — Index value that identifies the MAP on the WX.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Examples — The following command displays the status of a MAP access point: WX4400# display ap status 7 Dap: 1, IP-addr: 10.2.34.
The following command uses the terse option to display brief information for MAPs:
WX# display ap status terse
Total number of entries: 120
Operational: 1, Image Downloading: 0, Unknown: 119, Other: 0
Flags: o = operational, b = booting, d = image downloading
       c = configuring, f = configuration failed
       a = auto AP, m = mesh AP, p = mesh portal
       i = insecure, e = encrypted, u = unencrypt
AP Flag IP Address Model MAC Address Radio1 Radio2 Uptime
--- ---- --------------- --------- --------
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 59 Output for display ap status (continued) Field Description State State of the MAP: init — The MAP has been recognized by the WX but has not yet begun booting. booting — The MAP has asked the WX for a boot image. image downloading — The MAP is receiving a boot image from the WX. image downloaded — The MAP has received a boot image from the WX and is booting.
display ap status 335 Table 59 Output for display ap status (continued) Field Description Radio 1 type 802.11 type and configuration state of the radio. Radio 2 type The configure succeed state indicates that the MAP has received configuration parameters for the radio and the radio is ready to accept client connections. 802.11b protect indicates that the 802.11b/g radio is sending messages to 802.11b devices, while sending 802.11g traffic at higher data rates, to inform the 802.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 59 Output for display ap status (continued) Field Description Radio 1 type Radio 2 type (cont.) The following information appears for external antennas: External antenna detected, configured as antenna-model—Indicates that an external antenna has been detected, and lists the antenna model configured on the radio. (MSS does not detect the specific model.
Table 60 Output for display ap status terse (continued)
Field — Description
Model — MAP model number.
MAC Address — MAC address of the MAP.
Radio1 — State, channel, and power information for radio 1: The state can be D (disabled) or E (enabled). The channel and power settings are shown as channel/power.
Radio2 — State, channel, and power information for radio 2.
Uptime — Amount of time since the MAP booted using this link.
display ap vlan
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 61 describes the fields in the display ap vlan output. Table 61 Output for display ap vlan Field Description VLAN VLAN number. Name VLAN name Mode Whether packets for the VLAN are locally switched by the MAP, or are tunneled to an WX switch, which places them on the VLAN. Port The port(s) through which traffic for the VLAN is sent. TAG VLAN tag value. If the interface is untagged, none is displayed in the TAG field.
display auto-tune attributes
Examples — The following command displays RF attribute information for radio 1 on the directly connected MAP access point on port 2:
WX1200# display auto-tune attributes ap 2 radio 1
Auto-tune attributes for port 2 radio 1:
Noise: -92             Packet Retransmission Count: 0
Utilization: 0         Phy Errors Count: 0
CRC Errors count: 122
Table 62 describes the fields in this display.
display auto-tune neighbors
Displays the other 3Com radios and third-party 802.11 radios that a 3Com radio can hear.
Syntax — display auto-tune neighbors [ap ap-number [radio {1 | 2 | all}]]
ap-number — Index value that identifies the MAP on the WX.
radio 1 — Shows neighbor information for radio 1.
radio 2 — Shows neighbor information for radio 2.
Examples — The following command displays neighbor information for radio 1 on the directly connected MAP access point on port 2:
WX1200# display auto-tune neighbors ap 2 radio 1
Total number of entries for port 2 radio 1: 5
Channel Neighbor BSS/MAC  RSSI
------- ----------------- ----
1       00:0b:85:06:e3:60 -46
1       00:0b:0e:00:0a:80 -78
1       00:0b:0e:00:d2:c0 -74
1       00:0b:85:06:dd:00 -50
1       00:0b:0e:00:05:c1 -72
Table 63 describes the fields in this display.
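The neighbor list above is a convenient input for a periodic check of which radios a MAP can hear. The following Python is an added example, not part of the 3Com reference: it parses the output shown above and reports strong neighbors whose BSSID prefix is not in an operator-supplied list. The managed OUI set and the RSSI threshold are assumptions chosen for the illustration.

```python
import re

# Output of the example above, with the column layout reconstructed.
SAMPLE_OUTPUT = """\
WX1200# display auto-tune neighbors ap 2 radio 1
Total number of entries for port 2 radio 1: 5
Channel Neighbor BSS/MAC  RSSI
------- ----------------- ----
1       00:0b:85:06:e3:60 -46
1       00:0b:0e:00:0a:80 -78
1       00:0b:0e:00:d2:c0 -74
1       00:0b:85:06:dd:00 -50
1       00:0b:0e:00:05:c1 -72
"""

# Assumption: the operator treats this OUI as belonging to managed radios.
MANAGED_OUIS = {"00:0b:0e"}
# Assumption: neighbors at or above this RSSI are close enough to review first.
STRONG_RSSI = -60

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(-?\d+)\s*$", re.I)
TOTAL = re.compile(r"^Total number of entries\b.*:\s*(\d+)\s*$", re.I)


def parse_neighbors(text):
    """Return one dict per neighbor row; reject a capture that lost rows."""
    declared = None
    rows = []
    for line in text.splitlines():
        total = TOTAL.match(line)
        if total:
            declared = int(total.group(1))
            continue
        row = ROW.match(line)
        if row:
            rows.append({
                "channel": int(row.group(1)),
                "bssid": row.group(2).lower(),
                "rssi": int(row.group(3)),
            })
    # The CLI prints the entry count first, so a truncated paste is detectable.
    if declared is not None and declared != len(rows):
        raise ValueError(f"expected {declared} entries, parsed {len(rows)}")
    return rows


def unmanaged_neighbors(rows, managed_ouis=MANAGED_OUIS, min_rssi=STRONG_RSSI):
    """Neighbors outside the managed OUI list at or above min_rssi, strongest first."""
    hits = [r for r in rows
            if r["bssid"][:8] not in managed_ouis and r["rssi"] >= min_rssi]
    return sorted(hits, key=lambda r: r["rssi"], reverse=True)


if __name__ == "__main__":
    for n in unmanaged_neighbors(parse_neighbors(SAMPLE_OUTPUT)):
        print(f"review: {n['bssid']} channel {n['channel']} RSSI {n['rssi']}")
```

An OUI match only narrows the list, because a BSSID is not authenticated; confirm each remaining entry against the MAP inventory on the WX before treating it as known.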
display ap boot-configuration
Displays information about the static IP address configuration (if any) on a Distributed MAP.
Syntax — display ap boot-configuration ap-number
ap-number — Index value that identifies the MAP on the WX.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.2. Version 6.0 removed the dap option, and added the following fields.
display ap connection 343 Table 64 Output for display ap boot-configuration display ap connection Field Description AP Distributed MAP number. IP address Whether static IP address assignment is enabled for this Distributed MAP. VLAN Tag Whether the Distributed MAP is configured to use a VLAN tag. Switch Whether the Distributed MAP is configured to use a manually specified WX switch as its boot device. Mesh Whether WLAN mesh services are enabled for this MAP.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS History —Introduced in MSS Version 3.0. Version 6.0 removed the dap option. Usage — The serial-id parameter displays the active connection for the specified Distributed MAP even if that MAP is not configured on this WX switch. If you instead use the command with the dap-num parameter or without a parameter, connection information is displayed only for Distributed MAPs that are configured on this WX switch.
display ap global 345 Table 65 Output of display ap connection Field Description AP ID assigned to the Distributed MAP. If the connection is configured on another WX switch, this field contains a hyphen ( - ). Serial Id Serial ID of the Distributed MAP. AP IP Address IP address assigned by DHCP to the Distributed MAP. WX IP Address System IP address of the WX switch on which the MAP has an active connection.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Examples — The following command displays configuration information for all the Distributed MAPs configured on a WX switch: WX4400# display ap global Total number of entries: 8 AP Serial Id WX IP Address --- ------------------------1 M9DE48B012F00 10.3.8.111 M9DE48B012F00 10.4.3.2 2 M9DE48B123400 10.3.8.111 M9DE48B123400 10.4.3.2 17 M9DE48B123600 10.3.8.111 M9DE48B123600 10.4.3.2 18 M9DE48B123700 10.3.8.111 M9DE48B123700 10.4.3.
display ap unconfigured
Displays Distributed MAPs that are physically connected to the network but that are not configured on any WX switches.
Syntax — display ap unconfigured
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Version 6.0 removed the dap option.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 67 Output for display ap unconfigured (continued) IP Address IP address of the MAP. This is the address that the MAP receives from a DHCP server. The MAP uses this address to send a Find WX message to request configuration information from WX switches. However, the MAP cannot use the address to establish a connection unless the MAP first receives a configuration from a WX switch.
display load-balancing group 349 Examples — The following command displays information about the MAP radios that are in the same group as radio 1 on MAP 3: Radios in the same load-balancing group as: ap3/radio1 -------------------------------------------------IP address AP Radio Overlap --------------------- ----- ------10.2.28.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS display radio-profile Displays radio profile information. Syntax — display radio-profile {name | ?} name — Displays information about the named radio profile. ? — Displays a list of radio profiles. Defaults — None. Access — Enabled. History —Introduced in MSS Version 3.0. Name of the backoff timer field changed from Client Backoff Timer to Power Backoff Timer and new fields added in MSS Version 4.
display radio-profile 351 Table 69 describes the fields in this display. Table 69 Output for display radio-profile Field Description Beacon Interval Rate (in milliseconds) at which each MAP radio in the profile advertises the beaconed SSID. DTIM Interval Number of times after every beacon that each MAP radio in the radio profile sends a delivery traffic indication map (DTIM). Max Tx Lifetime Number of milliseconds that a frame received by a radio in the radio profile can remain in buffer memory.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 69 Output for display radio-profile (continued) Field Description Channel Holddown Minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto-Tuning can change the channel. Countermeasures Indicates whether countermeasures are enabled. Active-Scan Indicates whether the active-scan mode of RF detection is enabled.
display service-profile display service-profile set radio-profile max-tx-lifetime on page 415 set radio-profile mode on page 416 set radio-profile preamble-length on page 419 set radio-profile qos-mode on page 420 set radio-profile rts-threshold on page 423 353 Displays service profile information. Syntax — display service-profile {name | ?} name — Displays information about the named service profile. ? — Displays a list of service profiles. Defaults — None. Access — Enabled.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS CAC mode CAC sessions User idle timeout Idle client probing Web Portal Session Timeout Transmit rates for 11a / 11b / 11g: beacon rate multicast rate mandatory rate standard rates disabled rates Version 6.
Examples — The following command displays information for service profile sp1:
WX1200# display service-profile sp1
ssid-name: corp2
ssid-type: crypto
Beacon: yes
Proxy ARP: no
DHCP restrict: no
No broadcast: no
Short retry limit: 5
Long retry limit: 5
Auth fallthru: none
Sygate On-Demand (SODA): no
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
CAC mode: none
Table 70 Output for display service-profile
Field — Description
ssid-name — Service set identifier (SSID) managed by this service profile.
ssid-type — SSID type:
  crypto — Wireless traffic for the SSID is encrypted.
  clear — Wireless traffic for the SSID is unencrypted.
beacon — Indicates whether the radio sends beacons, to advertise the SSID:
  no
  yes
Proxy ARP — Indicates whether proxy ARP is enabled.
display service-profile 357 Table 70 Output for display service-profile (continued) Field Description Sygate On-Demand (SODA) Whether SODA functionality is enabled for the service profile. When SODA functionality is enabled, connecting clients download SODA agent files, which perform security checks on the client. Enforce SODA checks Whether a client is allowed access to the network after it has downloaded and run the SODA agent security checks.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 70 Output for display service-profile (continued) Field Description CAC mode Call Admission Control mode: none—CAC is disabled. session—CAC is based on the number of active user sessions. If a MAP radio reaches the maximum number of active user sessions specified in the CAC session field, the MAP radio rejects new connection attempts.
Table 70 Output for display service-profile (continued)
Field — Description
WEP Key 3 value — State of static WEP key number 3:
  none — The key is not configured.
  preset — The key is configured.
WEP Key 4 value — State of static WEP key number 4:
  none — The key is not configured.
  preset — The key is configured.
WEP Unicast Index — Index of the static WEP key used to encrypt unicast traffic on an encrypted SSID.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Table 70 Output for display service-profile (continued) Field Description 11a / 11b / 11g transmit rate fields Data transmission rate settings for each radio type: beacon rate—Data rate of beacon frames sent by MAP radios. multicast rate—Data rate of multicast frames sent by MAP radios. If the rate is auto, the MAP sets the multicast rate to the highest rate that can reach all clients connected to the radio.
display service-profile set service-profile no-broadcast on page 451 set service-profile proxy-arp on page 452 set service-profile psk-phrase on page 453 set service-profile psk-raw on page 454 set service-profile rsn-ie on page 455 set service-profile shared-key-auth on page 456 set service-profile short-retry-count on page 456 set service-profile soda mode on page 462 set service-profile ssid-name on page 465 set service-profile ssid-type on page 466 set service
reset ap
Restarts a MAP access point.
Syntax — reset ap ap-number
ap ap-number — Index value that identifies the MAP on the WX.
dap dap-num — Number of a Distributed MAP to reset.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Version 6.0 removed the dap option.
Usage — When you enter this command, the MAP drops all sessions and reboots.
set ap auto 363 The profile uses the default radio profile by default. You can change the profile using the set ap auto radio radio-profile command. You can use set ap auto commands to change settings for the parameters listed in Table 71. (The commands are listed in the “See Also” section.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS set ap auto persistent set ap blink on page 368 set ap group on page 379 set ap radio auto-tune max-power on page 384 set ap radio auto-tune max- retransmissions on page 385 set ap radio link-calibration on page 388 set ap radio mode on page 391 set ap radio radio-profile on page 392 set ap upgrade-firmware on page 396 Converts a temporary MAP configuration created by the MAP configuration profile into a persistent MAP configuration on the W
set ap auto radiotype
Sets the radio type for single-MAP radios that use the MAP configuration profile.
Syntax — set ap auto [radiotype {11a | 11b | 11g}]
radiotype {11a | 11b | 11g} — Radio type. (The 11a option applies only to single-radio models. The 802.11a radio in two-radio models is always 802.11a.):
  11a — 802.11a
  11b — 802.11b
  11g — 802.11g
Defaults — The default radio type for models AP2750, MP-241, and MP-341, and for the 802.
set ap auto mode
Enables a WX profile for automatic Distributed MAP configuration.
Syntax — set ap auto mode {enable | disable}
enable — Enables the MAP configuration profile.
disable — Disables the MAP configuration profile.
Defaults — The MAP configuration profile is disabled by default.
Access — Enabled.
History — Introduced in MSS 4.0. Version 6.0 removed the dap option.
set ap bias
Changes the bias for a MAP. Bias is the priority of one WX over other WX switches for booting and configuring the MAP.
Syntax — set ap {ap-number | auto} bias {high | low}
ap ap-number — Index value that identifies the MAP on the WX.
ap auto — Configures bias for the MAP configuration profile. (See set ap auto on page 362.)
high — High bias.
low — Low bias.
Defaults — The default bias is high.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command changes the bias for a Distributed MAP to low:
WX4400# set dap 1 bias low
success: change accepted.
See Also
display ap config on page 316
set ap blink
Enables or disables LED blink mode on a MAP to make it easy to identify. When blink mode is enabled on MAP-xxx models, the health and radio LEDs alternately blink green and amber. By default, blink mode is disabled.
set ap boot-configuration ip
Specifies static IP address information for a Distributed MAP.
Syntax — set ap ap-number boot-configuration ip ip-addr netmask mask-addr gateway gateway-addr [mode {enable | disable}]
Syntax — set dap dap-num boot-ip mode {enable | disable}
ap ap-number — Index value that identifies the MAP on the WX.
ip ip-addr — The IP address to be assigned to the MAP, in dotted decimal notation (for example, 10.10.10.10).
See Also
clear ap boot-configuration on page 310
display ap boot-configuration on page 342
set ap boot-configuration vlan on page 375
set ap boot-configuration mesh mode
Enables WLAN mesh services on the MAP.
Syntax — set ap ap-number boot-configuration mesh mode [mode {enable | disable}]
ap ap-number — Index value that identifies the MAP on the WX.
mode {enable | disable} — Enables or disables WLAN mesh services for the MAP.
set ap boot-configuration mesh psk-phrase
Specifies a preshared key (PSK) phrase that a Mesh AP uses for authentication to its Mesh Portal AP.
Syntax — set ap ap-number boot-configuration mesh psk-phrase passphrase
ap ap-number — Index value that identifies the MAP on the WX.
passphrase — An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.
Defaults — None.
CHAPTER 11: MANAGED ACCESS POINT COMMANDS set ap boot-configuration mesh psk-raw Configures a raw hexadecimal preshared key (PSK) to use for authenticating a Mesh AP to a Mesh Portal AP. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients. Syntax — set ap ap-number boot-configuration mesh psk-raw hex ap ap-number — Index value that identifies the MAP on the WX.
set ap boot-configuration mesh ssid
Specifies the name of the SSID a Mesh AP attempts to associate with when it is booted.
Syntax — set ap ap-number boot-configuration mesh ssid mesh-ssid
ap ap-number — Index value that identifies the MAP on the WX.
mesh-ssid — Name of the mesh SSID (up to 32 characters).
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 6.0.
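The psk-phrase, psk-raw and mesh ssid settings above are related: in WPA-PSK as defined by IEEE 802.11i, the raw key is derived from the passphrase with the SSID as salt. The following Python is an added example, not part of the 3Com reference; it assumes MSS follows that standard mapping and that the raw key is 64 hexadecimal digits, neither of which is stated in the text shown here. It checks the documented length limits and lets an administrator confirm that a raw key and a passphrase describe the same PSK.

```python
import hashlib
import hmac
import re

# Limits stated in this reference: passphrase of 8 to 63 characters,
# mesh SSID of up to 32 characters.
PASSPHRASE_MIN, PASSPHRASE_MAX, SSID_MAX = 8, 63, 32
# Assumption (IEEE 802.11i, not stated on this page): the raw PSK is 256 bits,
# written as 64 hexadecimal digits.
RAW_PSK_HEX_DIGITS = 64


def check_passphrase(passphrase):
    """Return the passphrase if it fits the documented limits, else raise."""
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def check_raw_psk(hex_key):
    """Return the key bytes if hex_key is exactly 64 hex digits, else raise."""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % RAW_PSK_HEX_DIGITS, hex_key):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(hex_key)


def passphrase_to_raw_psk(passphrase, ssid):
    """Standard WPA mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    check_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= SSID_MAX:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def same_key(passphrase, ssid, hex_key):
    """True if hex_key is the raw form of passphrase for this SSID."""
    derived = bytes.fromhex(passphrase_to_raw_psk(passphrase, ssid))
    return hmac.compare_digest(derived, check_raw_psk(hex_key))


if __name__ == "__main__":
    # Constructed sample values; the first pair is the IEEE 802.11i test vector.
    print(passphrase_to_raw_psk("password", "IEEE"))
    # The same passphrase under a different SSID gives an unrelated key, so a
    # raw key copied from one mesh SSID does not authenticate under another.
    print(passphrase_to_raw_psk("password", "mesh-backhaul"))
```

Because the SSID is the salt, changing the mesh SSID invalidates any raw key that was derived from the passphrase under the old name.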
set ap boot-configuration switch
Specifies the WX a Distributed MAP contacts and attempts to use as its boot device.
Syntax — set ap ap-number boot-configuration switch [switch-ip ip-addr] [name name dns ip-addr] [mode {enable | disable}]
ap ap-number — Index value that identifies the MAP on the WX.
switch-ip ip-addr — The IP address of the WX switch the Distributed MAP should boot from.
WX1200# set ap 1 boot-configuration switch switch-ip 172.16.0.21 mode enable
success: change accepted.
The following command configures Distributed MAP 1 to use the WX with the name wxr2 as its boot device. The DNS server at 172.16.0.1 is used to resolve the name of the WX switch.
WX4400# set ap 1 boot-configuration switch name wxr2 dns 172.16.0.1 mode enable
success: change accepted.
set ap boot-configuration vlan
CHAPTER 11: MANAGED ACCESS POINT COMMANDS Usage — When this command is configured, all Ethernet frames emitted from the Distributed MAP are formatted with an 802.1Q tag with a specified VLAN number. Frames sent to the Distributed MAP that are not tagged with this value are ignored. Examples — The following command configures Distributed MAP 1 to use VLAN tag 100: WX4400# set ap 1 boot-configuration vlan vlan-tag 100 mode enable success: change accepted.
set ap fingerprint
fingerprint — The 16-digit hexadecimal number of the fingerprint. Use a colon between each digit. Make sure the fingerprint you enter matches the fingerprint used by the MAP.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.0. Version 6.0 removed the dap option.
Usage — MAPs are configured with an encryption key pair at the factory.
set ap force-image-download
Configures a MAP to download a software image from the WX instead of loading the image locally stored on the MAP.
Syntax — set ap auto force-image-download {enable | disable}
ap auto — Configures forced image download for the MAP configuration profile.
force-image-download enable — Enables forced image download.
force-image-download disable — Disables forced image download.
set ap group
Deprecated in MSS Version 6.0. To configure RF load balancing, see “set load-balancing mode” on page 398.

set ap location
Specifies information about the physical location of a MAP.
Syntax — set ap port-list location string
Examples — The following command specifies the location of MAP 7 as the conference room:
WX4400# set ap 7 location ‘the conference room’
success: change accepted.
If local switching is enabled on an MAP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.
Examples — The following command enables local switching for MAP 7:
WX# set ap 7 local-switching mode enable
success: change accepted.
Examples — The following command specifies that MAP 7 use VLAN profile locals:
WX# set ap 7 local-switching vlan-profile locals
success: change accepted.
See Also
clear ap local-switching vlan-profile on page 307
set ap local-switching mode on page 379
set vlan profile on page 127

set ap name
Changes a MAP name.
Syntax — set ap ap-number name name
ap ap-number — Index value that identifies the MAP on the WX.
set ap radio antenna-location
Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure that the proper set of channels is available on the radio. In some cases, the set of valid channels for a radio differs depending on the location of the antenna, indoors or outdoors.
Syntax — set ap apnum radio number antenna-location {indoors | outdoors}
ap apnum — Index value that identifies the MAP on the WX.
set ap radio antennatype
Sets the model number for an external antenna.
Syntax — set ap ap-number radio {1 | 2} antennatype {ANT1060 | ANT1120 | ANT1180 | ANT5060 | ANT5120 | ANT5180 | ANT-1360-OUT | ANT-5360-OUT | ANT-5120-OUT | internal}
ap ap-number — Index value that identifies the MAP on the WX.
radio 1 — Radio 1 of the MAP.
radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.
Defaults — All radios use the internal antenna by default, if the MAP model has an internal antenna. The MP-620 802.11b/g radio uses model ANT-1360-OUT by default. The MP-620 802.11a radio uses model ANT-5360-OUT by default. The AP 3150 802.11b/g radio uses model ANT1060 by default.)
Access — Enabled.
History — Introduced in MSS Version 3.0. Model numbers added for 802.
Defaults — The default maximum power setting that RF Auto-Tuning can set on a radio is the highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
Access — Enabled.
History — Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile.
Defaults — The default is 10 percent.
Access — Enabled.
History — Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.
Usage — A retransmission is a packet sent from a client to a MAP radio that the radio receives more than once. This can occur when the client does not receive an 802.11 acknowledgement for a packet sent to the radio.
A radio also can increase power, in 1 dBm increments, if a client falls below the minimum allowed data rate. After a radio increases power, all clients must be at the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile, before the radio begins reducing power again.
Examples — The following command changes the max-retransmissions value to 20:
WX1200# set ap 6 radio 1 auto-tune max-retransmissions 20
success: change accepted.
Usage — You can configure the transmit power of a radio on the same command line. Use the tx-power option. This command is not valid if dynamic channel tuning (RF Auto-Tuning) is enabled.
Examples — The following command configures the channel on the 802.11a radio on the MAP access point connected to port 5:
WX1200# set ap 5 radio 1 channel 36
success: change accepted.
The following command configures the channel and transmit power on the 802.
Usage — A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on an MAP, link calibration packets are sent at a rate of 5 per second. The MP-620 is equipped with a connector to which an external RSSI meter can be attached during installation.
disable — Disables link calibration packets for the MAP radio.
Defaults — Disabled.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — By default, RF load balancing is enabled on all MAP radios. Use this command to disable or re-enable RF load balancing for the specified MAP radio. RF load balancing can also be disabled or re-enabled globally with the set load-balancing mode command.
rebalance — Configures the MAP radio to disassociate its client sessions and rebalance them whenever a new MAP radio is added to the load balancing group.
Defaults — By default, MAP radios are not part of an RF load balancing group.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — Assigning radios to specific load balancing groups is optional.
mode disable — Disables a radio.
Defaults — MAP access point radios are disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.
Usage — To enable or disable one or more radios to which a profile is assigned, use the set ap radio radio-profile command.
radio-profile name — Radio profile name of up to 16 alphanumeric characters, with no spaces.
mode enable — Enables radios on the specified ports with the parameter settings in the specified radio profile.
mode disable — Disables radios on the specified ports.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.
tx-power power-level — Number of decibels in relation to 1 milliwatt (dBm). The valid values depend on the country of operation. The maximum transmit power you can configure on any 3Com radio is the maximum allowed for the country in which you plan to operate the radio or one of the following values if that value is less than the country maximum: on an 802.
set ap security
Sets security requirements for management sessions between a WX and its Distributed MAPs. This feature applies to Distributed MAPs only, not to directly connected MAPs configured on MAP access ports. The maximum transmission unit (MTU) for encrypted MAP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WX switch and Distributed MAP can support the higher MTU.
Examples — The following command configures a WX to require Distributed MAPs to have encryption keys:
WX4400# set ap security require
See Also
display ap config on page 316
display ap status on page 331
set ap fingerprint on page 376

set ap upgrade-firmware
Disables or reenables automatic upgrade of a MAP access point boot firmware.
set band-preference
Configures MSS to steer clients that support both the 802.11a and 802.11b/g radio bands to a specific radio on an MAP for the purpose of RF load balancing.
Syntax — set band-preference {none | 11bg | 11a}
none — When a client supports both 802.11a and 802.11b/g radio bands, does not steer the client to a specific MAP radio.
enable — When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11b/g radio.
set load-balancing mode
Disables or reenables RF load balancing globally on the WX.
Syntax — set load-balancing mode {enable | disable}
enable — Enables RF load balancing globally on the WX.
disable — Disables RF load balancing globally on the WX.
Defaults — RF load balancing is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 6.0.
By default, RF load balancing is enabled on all MAP radios.
set load-balancing strictness
Controls the degree to which MSS balances the client load among MAPs when performing RF load balancing.
Syntax — set load-balancing strictness {low | med | high | max}
low — No clients are denied service. New clients can be steered to other MAPs, but only to the extent that service can be provided to all clients.
med — Overloaded radios steer new clients to other MAPs more strictly than the low option.
At the other end of the spectrum, when max strictness is specified, if an MAP radio has reached its maximum client load, MSS makes it invisible to new clients, causing them to attempt to connect to other MAP radios. In the event that all the MAP radios in the group have reached their maximum client load, then no new clients would be able to connect to the network.
disable — Configures radios to scan only passively for rogues by listening for beacons and probe responses.
Defaults — Active scanning is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — You can enter this command on any WX in the Mobility Domain. The command takes effect only on that WX.
Examples — The following command enables the 802.11a radio to select any available channel in the 802.11a range:
WX1200# set radio-profile test auto-tune 11a-channel-range all-bands
success: change accepted.

set radio-profile auto-tune channel-config
Disables or reenables dynamic channel tuning (RF Auto-Tuning) for the MAP radios in a radio profile.
Examples — The following command disables dynamic channel tuning for radios in the rp2 radio profile:
WX4400# set radio-profile rp2 auto-tune channel-config disable
success: change accepted.
Examples — The following command changes the channel holddown for radios in radio profile rp2 to 600 seconds:
WX4400# set radio-profile rp2 auto-tune channel-holddown 600
success: change accepted.
Examples — The following command sets the channel interval for radios in radio profile rp2 to 2700 seconds (45 minutes):
WX4400# set radio-profile rp2 auto-tune channel-interval 2700
success: change accepted.
Examples — The following command locks down the channel settings for radios in radio profile rp2:
WX# set radio-profile rp2 auto-tune channel-lockdown
success: change accepted
See Also
display radio-profile on page 350
set radio-profile auto-tune channel-config on page 402
set radio-profile auto-tune channel-holddown on page 403
set radio-profile auto-tune channel-interval on page 404
set radio-pr

set radio-profile auto-tune power-config
Examples — The following command enables dynamic power tuning for radios in the rp2 radio profile:
WX4400# set radio-profile rp2 auto-tune power-config enable
success: change accepted.
See Also
display service-profile on page 353
set ap radio auto-tune max-retransmissions on page 385
set radio-profile auto-tune power-config on page 406

set radio-profile auto-tune power-lockdown
Locks down the current power settings on all radios in a radio profile. The power settings that are in effect when the command is entered are changed into statically configured power settings on the radios.
set radio-profile auto-tune power-ramp-interval
Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.
Syntax — set radio-profile name auto-tune power-ramp-interval seconds
name — Radio profile name.
seconds — Number of seconds MSS waits before increasing or decreasing radio power by another 1 dBm.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.
Examples — The following command changes the beacon interval for radio profile rp1 to 200 ms:
WX4400# set radio-profile rp1 beacon-interval 200
success: change accepted.
configured — Configures radios to attack only devices in the attack list on the WX switch (on-demand countermeasures). When this option is specified, devices found to be rogues by other means, such as policy violations or by determining that the device is providing connectivity to the wired network, are not attacked.
none — Disables countermeasures for this radio profile.
Defaults — Countermeasures are disabled by default.
Access — Enabled.
set radio-profile dtim-interval
Changes the number of times after every beacon that each MAP radio in a radio profile sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.
Syntax — set radio-profile name dtim-interval interval
name — Radio profile name.
set radio-profile frag-threshold
Changes the fragmentation threshold for the MAP radios in a radio profile. The fragmentation threshold is the threshold at which the long-retry-count is applicable instead of the short-retry-count. The long-retry-count specifies the number of times a radio can send a unicast frame that is equal to or longer than the frag-threshold without receiving an acknowledgment.
See Also
display radio-profile on page 350
set radio-profile mode on page 416
set radio-profile rts-threshold on page 423
set service-profile long-retry-count on page 449
set service-profile short-retry-count on page 456

set radio-profile long-retry
Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of radio profiles. See set service-profile long-retry-count on page 449.
See Also
display radio-profile on page 350
set radio-profile mode on page 416
set radio-profile max-tx-lifetime on page 415

set radio-profile max-tx-lifetime
Changes the maximum transmit threshold for the MAP radios in a radio profile. The maximum transmit threshold specifies the number of milliseconds that a frame scheduled to be transmitted by a radio can remain in buffer memory.
set radio-profile mode
Creates a new radio profile, and disables or reenables all MAP radios that are using a specific profile.
Syntax — set radio-profile name [mode {enable | disable}]
radio-profile name — Radio profile name of up to 16 alphanumeric characters, with no spaces. Use this command without the mode enable or mode disable option to create a new profile.
mode enable — Enables the radios that use this profile.
Table 72 Defaults for Radio Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set to Default Value
max-tx-lifetime | 2000 | Allows a frame that is scheduled for transmission to stay in the buffer for up to 2000 ms (2 seconds).
preamble-length | short | Advertises support for short 802.11b preambles, accepts either short or long 802.11b preambles, and generates unicast frames with the preamble length specified by the client.
To change a parameter in a radio profile, you must first disable all the radios in the profile. After you complete the change, you can reenable the radios. To enable or disable specific radios without disabling all of them, use the set ap radio command.
Examples — The following command configures a new radio profile named rp1:
WX4400# set radio-profile rp1
success: change accepted.
set radio-profile preamble-length
Changes the preamble length for which an 802.11b/g MAP radio advertises support. This command does not apply to 802.11a.
Syntax — set radio-profile name preamble-length {long | short}
name — Radio profile name.
long — Advertises support for long preambles.
short — Advertises support for short preambles.
Defaults — The default is short.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set radio-profile qos-mode
Sets the prioritization mode for forwarding queues on MAP radios managed by the radio profile.
Syntax — set radio-profile name qos-mode {svp | wmm}
svp — Optimizes forwarding prioritization of MAP radios for SpectraLink Voice Priority (SVP).
wmm — Classifies and marks traffic based on 802.1p and DSCP, and optimizes forwarding prioritization of MAP radios for Wi-Fi Multimedia (WMM).
Defaults — The default QoS mode is wmm.
set radio-profile rfid-mode
Enables MAP radios managed by a radio profile to function as location receivers in an AeroScout Visibility System. An AeroScout Visibility System allows system administrators to track mobile assets using RFID tags. When you enable RFID mode on a radio profile, radios in the profile can receive and process signals transmitted by RFID tags and relay them with related information to the AeroScout Engine.
Defaults — Data rate enforcement is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — Each type of radio (802.11a, 802.11b, and 802.11g) providing service to an SSID has a set of radio rates allowed for use when sending beacons, multicast frames, and unicast data. You can configure the rate set for each type of radio, specifying rates in three categories: Mandatory - Valid 802.
See Also
display ap counters on page 319
set service-profile transmit-rates on page 468

set radio-profile rts-threshold
Changes the RTS threshold for the MAP radios in a radio profile. The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.
set radio-profile service-profile
Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter settings, including SSID and encryption settings, in the service profile.
Syntax — set radio-profile name service-profile name
radio-profile name — Radio profile name of up to 16 alphanumeric characters, with no spaces.
service-profile name — Service profile name of up to 16 alphanumeric characters, with no spaces.
Table 73 Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set to Default Value
cipher-ccmp | disable | Does not use Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt traffic sent to WPA clients.
cipher-tkip | enable | When the WPA IE is enabled, uses Temporal Key Integrity Protocol (TKIP) to encrypt traffic sent to WPA clients.
Table 73 Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set to Default Value
shared-key-auth | disable | Does not use shared-key authentication. This parameter does not enable PSK authentication for WPA. To enable PSK encryption for WPA, use the set radio-profile auth-psk command.
short-retry-count | 5 | Sends a short unicast frame up to five times without acknowledgment.
Table 73 Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set to Default Value
transmit-rates | 802.11a: mandatory: 6.0,12.0,24.0 beacon-rate: 6. | Accepts associations only from clients that support one of the mandatory rates. Sends beacons at the specified rate (6 Mbps for 802.11a, 2 Mbps for 802.11b/g).
Table 73 Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set to Default Value
wep key-index | No keys defined | Uses dynamic WEP rather than static WEP.
wep active-multicast-index | 1 | Uses WEP key 1 for static WEP encryption of multicast traffic if WEP encryption is enabled and keys are defined.
set service-profile cac-mode on page 438
set service-profile cac-session on page 439
set service-profile cipher-ccmp on page 440
set service-profile cipher-tkip on page 441
set service-profile cipher-wep104 on page 442
set service-profile cipher-wep40 on page 443
set service-profile cos on page 444
set service-profile dhcp-restrict on page 445
set service-profile idle-client-probing on page 446
set service-profile long-retry-count on
set radio-profile short-retry
Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of radio profiles. See set service-profile short-retry-count on page 456.

set radio-profile wmm
Deprecated in MSS Version 4.2. To enable or disable WMM, see set radio-profile qos-mode on page 420.

set radio-profile wmm-powersave
Enables Unscheduled Automatic Powersave Delivery (U-APSD) on MAP radios managed by the radio profile.
Usage — U-APSD is supported only for QoS mode WMM. If WMM is not enabled on the radio profile, use the set radio-profile qos-mode command to enable it.
Examples — The following command enables U-APSD on radio profile rp1:
WX2200# set radio-profile rp1 wmm-powersave enable
success: change accepted.
The SSID default attributes are applied in addition to any attributes supplied for the user by the RADIUS server or the local database. When the same attribute is specified both as an SSID default attribute and through AAA, then the attribute supplied by the RADIUS server or the local database takes precedence over the SSID default attribute. If a location policy is configured, the location policy rules also take precedence over SSID default attributes.
See Also
display service-profile on page 353
display sessions network on page 620

set service-profile auth-dot1x
Disables or reenables 802.1X authentication of Wi-Fi Protected Access (WPA) clients by MAP radios, when the WPA information element (IE) is enabled in the service profile that is mapped to the radio profile that the radios are using.
Syntax — set service-profile name auth-dot1x {enable | disable}
name — Service profile name.
See Also
display service-profile on page 353
set service-profile auth-psk on page 435
set service-profile psk-phrase on page 453
set service-profile wpa-ie on page 481

set service-profile auth-fallthru
Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile.
Access — Enabled.
History — Introduced in MSS Version 3.0. Option for WebAAA fallthru authentication type changed from web-auth to web-portal in MSS Version 4.1.
Usage — The last-resort fallthru authentication type allows any user to access any SSID managed by the service profile. This method does not require the user to provide a username or password. Use the last-resort method only if none of the SSIDs managed by the service profile require secure access.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command affects authentication of WPA clients only. To use PSK authentication, you also must configure a passphrase or key. In addition, you must enable the WPA IE. The WebAAA fallthru authentication type is not supported in conjunction with WPA encryption using preshared keys (PSK) for the same SSID. These options are configurable together but are not compatible.
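The usage rules above for fallthru and PSK authentication can be checked offline against a saved configuration. The following Python script is an added example, not part of the 3Com documentation or of MSS: it parses set service-profile lines and flags the combinations this reference warns about. The sample configuration, profile names, key material and finding labels are constructed, and treating a missing wpa-ie line as "WPA IE not enabled" is an assumption.

```python
import shlex
from collections import defaultdict

# Constructed sample configuration (not taken from the manual). Command and
# option names are the ones this reference uses; profile names and key
# material are made up for the example.
SAMPLE_CONFIG = '''\
set service-profile guest auth-fallthru last-resort
set service-profile corp wpa-ie enable
set service-profile corp auth-psk enable
set service-profile corp psk-phrase "constructed example passphrase"
set service-profile corp auth-fallthru web-portal
set service-profile lab auth-psk enable
set service-profile voice wpa-ie enable
set service-profile voice auth-psk enable
set service-profile voice psk-raw 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
set radio-profile rp1 service-profile corp
'''

# Finding labels are hypothetical names chosen for this example; the text of
# each rule comes from the Usage notes for auth-fallthru and auth-psk.
FINDINGS = {
    "last-resort-open-access":
        "last-resort fallthru lets any user onto the SSID without credentials",
    "psk-with-web-portal":
        "web-portal (WebAAA) fallthru is configurable with PSK but not compatible",
    "psk-without-wpa-ie":
        "PSK authentication requires the WPA IE to be enabled",
    "psk-without-key":
        "PSK authentication requires a passphrase (psk-phrase) or key (psk-raw)",
}


def parse_profiles(config_text):
    """Return {profile: {setting: value}} from 'set service-profile' lines."""
    profiles = defaultdict(dict)
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)  # keeps a quoted passphrase as one token
        except ValueError:
            continue  # unbalanced quotes: not a line this example can parse
        if len(tokens) < 5 or tokens[:2] != ["set", "service-profile"]:
            continue
        name, setting, value = tokens[2], tokens[3], tokens[4]
        profiles[name][setting] = value  # a later line overrides an earlier one
    return dict(profiles)


def audit_profile(settings):
    """Return the finding labels that apply to one profile's explicit settings."""
    findings = []
    fallthru = settings.get("auth-fallthru")
    psk_enabled = settings.get("auth-psk") == "enable"

    if fallthru == "last-resort":
        findings.append("last-resort-open-access")
    if psk_enabled and fallthru == "web-portal":
        findings.append("psk-with-web-portal")
    # Assumption: a profile with no explicit 'wpa-ie enable' line has the
    # WPA IE disabled.
    if psk_enabled and settings.get("wpa-ie") != "enable":
        findings.append("psk-without-wpa-ie")
    if psk_enabled and not ("psk-phrase" in settings or "psk-raw" in settings):
        findings.append("psk-without-key")
    return findings


def audit_config(config_text):
    """Return {profile: [finding labels]} for profiles with at least one finding."""
    report = {}
    for name, settings in parse_profiles(config_text).items():
        findings = audit_profile(settings)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for profile, labels in audit_config(SAMPLE_CONFIG).items():
        for label in labels:
            print(f"{profile}: {label}: {FINDINGS[label]}")
```

Only settings that appear explicitly in the input are evaluated; compare the result with display service-profile output before changing a live profile.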
enable — Enables beaconing of the SSID managed by the service profile.
disable — Disables beaconing of the SSID managed by the service profile.
Defaults — Beaconing is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command disables beaconing of the SSID managed by service profile sp2:
WX4400# set service-profile sp2 beacon disable
success: change accepted.
WLAN mesh services can be used in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. A typical application of wireless bridging is to provide network connectivity between two buildings using a wireless link.
Usage — A Mesh Portal AP serving as a bridge endpoint can support up to five Mesh APs serving as bridge endpoints.
Examples — The following command enables session-based CAC on service profile sp1:
WX4400# set service-profile sp1 cac-mode session
success: change accepted.
See Also
display service-profile on page 353
set service-profile cac-session on page 439

set service-profile cac-session
Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled.
set service-profile cipher-ccmp
Enables Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption with WPA clients, for a service profile.
Syntax — set service-profile name cipher-ccmp {enable | disable}
name — Service profile name.
enable — Enables CCMP encryption for WPA clients.
disable — Disables CCMP encryption for WPA clients.
Defaults — CCMP encryption is disabled by default.
Access — Enabled.
set service-profile cipher-tkip
Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile.
Syntax — set service-profile name cipher-tkip {enable | disable}
name — Service profile name.
enable — Enables TKIP encryption for WPA clients.
disable — Disables TKIP encryption for WPA clients.
Defaults — When the WPA IE is enabled, TKIP encryption is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set service-profile cipher-wep104
Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile.
Syntax — set service-profile name cipher-wep104 {enable | disable}
name — Service profile name.
enable — Enables 104-bit WEP encryption for WPA clients.
disable — Disables 104-bit WEP encryption for WPA clients.
Defaults — 104-bit WEP encryption is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
display service-profile on page 353
set service-profile cipher-ccmp on page 440
set service-profile cipher-tkip on page 441
set service-profile cipher-wep40 on page 443
set service-profile wep key-index on page 480
set service-profile wpa-ie on page 481

set service-profile cipher-wep40
Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.
To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the set service-profile wep key-index command.
Examples — The following command configures service profile sp2 to use 40-bit WEP encryption:
WX4400# set service-profile sp2 cipher-wep40 enable
success: change accepted.
WX4400# set service-profile sp1 cos 7
success: change accepted.
See Also
display service-profile on page 353
set service-profile static-cos on page 467

set service-profile dhcp-restrict
Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a newly associated client and allows DHCP traffic only, until the client has been authenticated and authorized. All other traffic is captured by the WX and is not forwarded.
set service-profile idle-client-probing
Disables or reenables periodic keepalives from MAP radios to clients on a service profile’s SSID. When idle-client probing is enabled, the MAP radio sends a unicast null-data frame to each client every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.
set service-profile keep-initial-vlan
Configures MAP radios managed by the radio profile to leave a roamed user on the VLAN assigned by the switch where the user logged on. When this option is disabled, a user’s VLAN is reassigned by each WX switch to which a user roams.
Syntax — set service-profile name keep-initial-vlan {enable | disable}
name — Service profile name.
set service-profile load-balancing-exempt
Exempts a service profile from performing RF load balancing.
Syntax — set service-profile name load-balancing-exempt {enable | disable}
name — Service profile name.
enable — Exempts the specified service profile from RF load balancing.
disable — If a service profile has previously been exempted from RF load balancing, restores RF load balancing for the service profile.
set service-profile long-retry-count
Changes the long retry threshold for a service profile. The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment. A long unicast frame is a frame that is equal to or longer than the frag-threshold.
Syntax — set service-profile name long-retry-count threshold
name — Service profile name.
set service-profile mesh
Creates a service profile for use with WLAN mesh services.
Syntax — set service-profile name mesh mode {enable | disable}
name — Service profile name.
enable — Enables mesh services for the service profile.
disable — Disables mesh services for the service profile.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 6.0.
Usage — Use this command to configure mesh services for a service profile.
set service-profile no-broadcast
Disables or reenables the no-broadcast mode. The no-broadcast mode helps reduce traffic overhead on an SSID by having more SSID bandwidth available for unicast traffic. The no-broadcast mode also helps VoIP handsets conserve power by reducing the amount of broadcast traffic sent to the phones. When enabled, the no-broadcast mode prevents MAP radios from sending DHCP or ARP broadcasts to clients on the service profile’s SSID.
Examples — The following command enables the no-broadcast mode on service profile sp1:
WX4400# set service-profile sp1 no-broadcast enable
success: change accepted.
See Also
display service-profile on page 353
set service-profile dhcp-restrict on page 445
set service-profile proxy-arp on page 452

set service-profile proxy-arp
Enables proxy ARP.
Examples — The following command enables proxy ARP on service profile sp1:
  WX4400# set service-profile sp1 proxy-arp enable
  success: change accepted.
See Also
  display service-profile on page 353
  set service-profile dhcp-restrict on page 445
  set service-profile no-broadcast on page 451

set service-profile psk-phrase
Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA clients, in a service profile.
Examples — The following command configures service profile sp3 to use passphrase “1234567890123<>?=+&% The quick brown fox jumps over the lazy sl”:
  WX4400# set service-profile sp3 psk-phrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"
  success: change accepted.
Examples — The following command configures service profile sp3 to use a raw PSK with PSK clients:
  WX4400# set service-profile sp3 psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
  success: change accepted.
set service-profile shared-key-auth
Enables shared-key authentication, in a service profile. Use this command only if advised to do so by 3Com. This command does not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To enable PSK encryption for WPA, use the set service-profile auth-psk command.
Syntax — set service-profile name shared-key-auth {enable | disable}
  name — Service profile name.
  threshold — Number of times a radio can send the same short unicast frame. You can enter a value from 1 through 15.
Defaults — The default short unicast retry threshold is 5 attempts.
Access — Enabled.
History — Introduced in MSS Version 4.2.
Examples — The following command changes the short retry threshold for service profile sp1 to 3:
  WX4400# set service-profile sp1 short-retry-count 3
  success: change accepted.
Examples — The following command specifies soda-agent as the location for SODA agent files for service profile sp1:
  WX4400# set service-profile sp1 soda agent-directory soda-agent
  success: change accepted.
When the enforce checks option is enabled, upon successful completion of the SODA agent checks, the client performs an HTTP Get operation to load the success page. Upon loading the success page, the client is granted access to the network. In order for the client to load the success page, you must make sure the SODA agent is configured (through SODA Manager) with the correct URL of the success page, so that the WX can serve the page to the client.
Usage — Use this command to specify a custom page to be loaded by the client when the SODA agent checks fail. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL configured, then the client is disconnected from the network. This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default.
History — Introduced in MSS Version 4.2.
Usage — When a client closes the SODA virtual desktop, the client is automatically disconnected from the network. You can use this command to specify a page that loads when the client closes the SODA virtual desktop. The client can request this page at any time, to ensure that the client’s session has been terminated.
set service-profile soda mode
Enables or disables Sygate On-Demand (SODA) functionality for a service profile.
Syntax — set service-profile name soda mode {enable | disable}
  name — Service profile name.
  enable — Enables SODA functionality for the service profile.
  disable — Disables SODA functionality for the service profile.
Defaults — Disabled.
Access — Enabled.
History — Introduced in MSS Version 4.2.
set service-profile soda remediation-acl
Specifies an ACL to be applied to a client if it fails the checks performed by the SODA agent.
Syntax — set service-profile name soda remediation-acl acl-name
  name — Service profile name.
  acl-name — Name of an existing security ACL to use as a remediation ACL for this service profile. ACL names must start with a letter and are case-insensitive.
Defaults — None.
Access — Enabled.
set service-profile soda success-page
Specifies a page on the WX that loads when a client passes the security checks performed by the SODA agent.
Syntax — set service-profile name soda success-page page
  name — Service profile name.
  page — Page that is loaded if the client passes the security checks performed by the SODA agent.
Defaults — By default, the WX switch generates a page indicating that the client passed the SODA agent checks.
See Also
  display service-profile on page 353
  set service-profile soda enforce-checks on page 458
  set service-profile soda mode on page 462

set service-profile ssid-name
Configures the SSID name in a service profile.
Syntax — set service-profile name ssid-name ssid-name
  name — Service profile name.
  ssid-name — Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks.
set service-profile ssid-type
Specifies whether the SSID managed by a service profile is encrypted or unencrypted.
Syntax — set service-profile name ssid-type [clear | crypto]
  name — Service profile name.
  clear — Wireless traffic for the service profile’s SSID is not encrypted.
  crypto — Wireless traffic for the service profile’s SSID is encrypted.
Defaults — The default SSID type is crypto.
Access — Enabled.
History — Introduced in MSS Version 3.0.
History — Introduced in MSS Version 3.0.
Usage — Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients and non-WPA WEP clients. CCMP clients are not affected. The TKIP cipher suite must be enabled. The WPA IE also must be enabled.
Examples — The following command changes the countermeasures wait time for service profile sp3 to 30,000 ms (30 seconds):
  WX4400# set service-profile sp3 tkip-mc-time 30000
  success: change accepted.
Defaults — Static CoS is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 4.2.
Usage — The CoS level is specified by the set service-profile cos command.
Examples — The following command enables static CoS on service profile sp1:
  WX4400# set service-profile sp1 static-cos enable
  success: change accepted.
The valid rates depend on the radio type:
  11a—6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
  11b—1.0, 2.0, 5.5, 11.0
  11g—1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
Use a comma to separate multiple rates; for example: 6.0,9.0,12.0
  disabled rate-list — Data transmission rates that MAP radios do not use to transmit data. This setting applies only to data sent by the MAP radios.
beacon-rate:
  11a—6.0
  11b—2.0
  11g—2.0
multicast-rate—auto for all radio types.
Access — Enabled.
History — Introduced in MSS Version 4.2.
Usage — If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or multicast rate. All rates that are applicable to the radio type and that are not disabled are supported by the radio.
Examples — The following command sets 802.
History — If this command is enabled in the service profile, the 802.11 QoS level is ignored, and MSS classifies QoS level of IP packets based on their DSCP value.
Examples — The following command enables mapping the QoS level of IP packets based on their DSCP value for service profile sp1:
  WX# set service-profile sp1 use-client-dscp enable
  success: change accepted.
  WX4400# set service-profile sp1 user-idle-timeout 360
  success: change accepted.
See Also
  display service-profile on page 353
  set service-profile idle-client-probing on page 446
  set service-profile web-portal-session-timeout on page 477

set service-profile web-portal-acl
Changes the ACL name MSS uses to filter Web-Portal user traffic during authentication.
The Web-Portal ACL applies only to users who log on using Web Portal, and applies only during authentication. After a Web Portal user is authenticated, the Web Portal ACL no longer applies. ACLs and other user attributes assigned to the username are applied instead.
Examples — The following command changes the Web-Portal ACL name on service profile sp3 to creditsrvr:
  WX1200# set service-profile sp3 web-portal-acl creditsrvr
  success: change accepted.
To use WebAAA, the fallthru authentication type in the service profile that manages the SSID must be set to web. To use WebAAA for a wired authentication port, edit the port configuration with the set port type wired-auth command.
Examples — The following commands create a subdirectory named corpa-ssid, copy a custom login page named corpa-login.html and a jpg image named corpa-logo.
set service-profile web-portal-logout logout-url
Specifies the URL that is requested when the user clicks the button to terminate his or her session in the Mobility Domain.
Syntax — set service-profile profile-name web-portal-logout logout-url url
  name — Service profile name.
  url — Specifies the URL for the Web Portal logout feature. The URL should be of the form https://host/logout.html.
Examples — The following command configures the Web Portal logout URL as wifizone.3Com.com/logout.html for service profile sp1:
  WX# set service-profile sp1 web-portal-logout logout-url https://wifizone.3Com.com/logout.html
  success: change accepted.
Examples — The following command enables the Web Portal logout functionality for service profile sp1:
  WX# set service-profile sp1 web-portal-logout mode enable
  success: change accepted.
Note that the Web Portal WebAAA session timeout period applies only to Web Portal WebAAA sessions already authenticated with a username and password. For all other Web Portal WebAAA sessions, the default Web Portal WebAAA session timeout period of 5 seconds is used.
Examples — The following command allows Web Portal WebAAA sessions to remain in the Deassociated state 180 seconds before being terminated automatically.
See Also
  display service-profile on page 353
  set service-profile wep active-unicast-index on page 479
  set service-profile wep key-index on page 480

set service-profile wep active-unicast-index
Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames.
Syntax — set service-profile name wep active-unicast-index num
  name — Service profile name.
  num — WEP key number.
set service-profile wep key-index
Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP encryption.
Syntax — set service-profile name wep key-index num key value
  name — Service profile name.
  key-index num — WEP key index. You can enter a value from 1 through 4.
  key value — Hexadecimal value of the key.
set service-profile wpa-ie
Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile.
Syntax — set service-profile name wpa-ie {enable | disable}
  name — Service profile name.
  enable — Enables the WPA IE.
  disable — Disables the WPA IE.
Defaults — The WPA IE is disabled by default.
Access — Enabled.
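A configuration review over the service-profile security settings documented in this chapter (ssid-type, wep key-index, shared-key-auth, psk-phrase, psk-raw), as an added example that is not 3Com's code. The sample configuration, profile names and rule identifiers are constructed for illustration, and the 8 to 63 character passphrase range and 64-hex-digit raw key length come from WPA itself rather than from this page.

```python
import re
import shlex

# Constructed sample input: commands typed in the syntax this chapter documents.
# Profile names, SSIDs and key material are made up for the example.
SAMPLE_CONFIG = """\
set service-profile guest ssid-name "Guest WiFi"
set service-profile guest ssid-type clear
set service-profile legacy ssid-name legacy
set service-profile legacy wep key-index 1 key aabbccddee
set service-profile legacy wep active-unicast-index 1
set service-profile legacy shared-key-auth enable
set service-profile corp wpa-ie enable
set service-profile corp psk-phrase "short"
set service-profile lab psk-raw 00112233
"""

# Hypothetical rule identifiers and the reason each one is reported.
RULES = {
    "ssid-clear": "ssid-type clear: wireless traffic on this SSID is not encrypted",
    "static-wep": "static WEP key configured: WEP is a broken cipher",
    "shared-key-auth": "shared-key authentication enabled "
                       "(the reference says to use it only if advised by 3Com)",
    "psk-phrase-length": "psk-phrase is outside the 8-63 characters WPA allows",
    "psk-raw-format": "psk-raw is not exactly 64 hexadecimal digits (256 bits)",
}

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def tokenize(line):
    """Split a CLI line, honouring single or double quotes around values."""
    try:
        return shlex.split(line)
    except ValueError:
        # Unbalanced quote: fall back to whitespace splitting.
        return line.split()


def audit(config_text):
    """Return (line number, profile name, rule id) for each risky setting."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tok = tokenize(line)
        if len(tok) < 5 or tok[:2] != ["set", "service-profile"]:
            continue
        profile, option, args = tok[2], tok[3], tok[4:]
        rule = None
        if option == "ssid-type" and args[0] == "clear":
            rule = "ssid-clear"
        elif option == "wep" and args[0] == "key-index":
            rule = "static-wep"
        elif option == "shared-key-auth" and args[0] == "enable":
            rule = "shared-key-auth"
        elif option == "psk-phrase" and not 8 <= len(" ".join(args)) <= 63:
            rule = "psk-phrase-length"
        elif option == "psk-raw" and not HEX64.fullmatch(args[0]):
            rule = "psk-raw-format"
        if rule:
            findings.append((lineno, profile, rule))
    return findings


if __name__ == "__main__":
    for lineno, profile, rule in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: profile {profile}: {RULES[rule]}")
```

The passphrase and raw key used in this chapter's own examples pass the format checks, since they are 63 characters and 64 hexadecimal digits respectively.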
12 STP COMMANDS
Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a wireless LAN switch or controller, to maintain a loop-free network.

STP Commands by Usage
This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Table 74 STP Commands by Usage (continued)
Type                      Command
Fast Convergence, cont.   set spantree backbonefast on page 502
                          display spantree backbonefast on page 491
                          set spantree uplinkfast on page 510
                          display spantree uplinkfast on page 500
Statistics                display spantree statistics on page 494
                          clear spantree statistics on page 487

clear spantree portcost
Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WX.
clear spantree portpri
Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on a wireless LAN switch or controller.
Syntax — clear spantree portpri port-list
  port-list — List of ports. The port priority is reset to 32 (the default) on the specified ports.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command resets the priority in all VLANs.
  vlan vlan-id — VLAN name or number. MSS resets the cost for only the specified VLAN.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — MSS does not change a port’s cost for VLANs other than the one(s) you specify.
Examples — The following command resets the STP cost for port 2 in VLAN sunflower:
  WX4400# clear spantree portvlancost 2 vlan sunflower
  success: change accepted.
History — Introduced in MSS Version 3.0.
Usage — MSS does not change a port’s priority for VLANs other than the one(s) you specify.
Examples — The following command resets the STP priority for port 2 in VLAN avocado:
  WX4400# clear spantree portvlanpri 2 vlan avocado
  success: change accepted.
display spantree
Displays STP configuration and port-state information.
Syntax — display spantree [port-list | vlan vlan-id][active]
  port-list — List of ports. If you do not specify any ports, MSS displays STP information for all ports.
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays STP information for all VLANs.
  active — Displays information for only the active (forwarding) ports.
Defaults — None.
Access — All.
  7    1  Forwarding  19  128  Disabled
  8    1  Disabled    19  128  Disabled
  9    1  Disabled    19  128  Disabled
  17   1  STP Off     19  128  Disabled
  18   1  STP Off     19  128  Disabled
Table 75 describes the fields in this display.

Table 75 Output for display spantree
Field — Description
VLAN — VLAN number.
Spanning tree mode — In the current software version, the mode is always PVST+, which means Per VLAN Spanning Tree+.
Table 75 Output for display spantree (continued)
Field — Description
Port — Port number. Only network ports are listed. STP does not apply to 3Com Wireless LAN Managed Access Point AP2750 ports or wired authentication ports.
Vlan — VLAN ID.
STP-State — STP state of the port: or
  Blocking — The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
Table 75 Output for display spantree (continued)
Field — Description
Port-state — STP state of the port:
  Blocking — The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
  Disabled — The port is not forwarding any traffic, including STP control traffic. The port might be administratively disabled or the link might be disconnected.
  Forwarding — The port is forwarding Layer 2 traffic.
Examples — The following example shows the command output on a WX switch with backbone fast convergence enabled:
  WX4400# display spantree backbonefast
  Backbonefast is enabled
See Also
  set spantree backbonefast on page 502

display spantree blockedports
Lists information about wireless LAN switch ports that STP has blocked on one or all of its VLANs.
Syntax — display spantree blockedports [vlan vlan-id]
  vlan vlan-id — VLAN name or number.
display spantree portfast
Displays STP uplink fast convergence information for all network ports or for one or more network ports.
Syntax — display spantree portfast [port-list]
  port-list — List of ports. If you do not specify any ports, MSS displays uplink fast convergence information for all ports.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
display spantree portvlancost
Shows the cost of a port on a path to the STP root bridge, for each of the port’s VLANs.
Syntax — display spantree portvlancost port-list
  port-list — List of ports.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Usage — The command displays statistics separately for each port.
  topology change timer value            0
  hold timer                             INACTIVE
  hold timer value                       0
  delay root port timer                  INACTIVE
  delay root port timer value            0
  delay root port timer restarted is     FALSE

  VLAN based information & statistics
  spanning tree type
  spanning tree multicast address
  bridge priority
  bridge MAC address
  bridge hello time
  bridge forward delay
  topology change initiator:
  last topology change occured:
  topology change
  topology change time
  topology change detected
  topology change count
  topolo
Table 77 Output for display spantree statistics
Field — Description
Port — Port number.
VLAN — VLAN ID.
Spanning Tree enabled for vlan — State of the STP feature on the VLAN.
port spanning tree — State of the STP feature on the port.
state — STP state of the port:
  Blocking — The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
  Disabled — The port is not forwarding any traffic, including STP control traffic.
Table 77 Output for display spantree statistics (continued)
Field — Description
config_pending — Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port.
port_inconsistency — Indicates whether the port is in an inconsistent state.
config BPDU’s xmitted — Number of BPDUs transmitted from the port. A number in parentheses indicates the number of configured BPDUs transmitted by the WX switch for this VLAN’s spanning tree.
Table 77 Output for display spantree statistics (continued)
Field — Description
hold timer — Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port.
hold timer value — Current value of the hold timer, in seconds.
delay root port timer — Status of the delay root port timer, which enables fast convergence when uplink fast convergence is enabled.
Table 77 Output for display spantree statistics (continued)
Field — Description
port BPDU ok count — Number of valid port BPDUs received.
msg age expiry count — Number of expired messages.
link loading — Indicates whether the link is oversubscribed.
BPDU in processing — Indicates whether BPDUs are currently being processed.
num of similar BPDU’s to process — Number of similar BPDUs received on a port that need to be processed.
Table 78 Output for display spantree uplinkfast
Field — Description
VLAN — VLAN number.
port list — Ports in the uplink group. The port that is forwarding traffic is indicated by fwd. The other ports are blocking traffic.
See Also
  set spantree uplinkfast on page 510

set spantree
Enables or disables STP on one VLAN or all VLANs configured on a WX switch.
Syntax — set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]
  enable — Enables STP.
See Also
  display spantree on page 488

set spantree backbonefast
Enables or disables STP backbone fast convergence on a wireless LAN switch. This feature accelerates a port’s recovery following the failure of an indirect link.
CAUTION: The backbone fast convergence feature is not compatible with switches that are running standard IEEE 802.1D Spanning Tree implementations. This includes switches running Rapid Spanning Tree or Multiple Spanning Tree.
set spantree fwddelay
Changes the period of time after a topology change that a WX switch which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of its configured VLANs. (The root bridge always forwards traffic.)
Syntax — set spantree fwddelay delay {all | vlan vlan-id}
  delay — Delay value. You can specify from 4 through 30 seconds.
  all — Changes the forwarding delay on all VLANs.
  vlan vlan-id — VLAN name or number.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command changes the hello interval for all VLANs to 4 seconds:
  WX4400# set spantree hello 4 all
  success: change accepted.
See Also
  display spantree on page 488

set spantree maxage
Changes the maximum age for an STP root bridge hello packet that is acceptable to a wireless LAN switch acting as a designated bridge on one or all of its VLANs.
set spantree portcost
Changes the cost that transmission through a network port or ports in the default VLAN on a wireless LAN switch adds to the total cost of a path to the STP root bridge.
Syntax — set spantree portcost port-list cost cost
  port-list — List of ports. MSS applies the cost change to all the specified ports.
  cost cost — Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
See Also
  clear spantree portcost on page 484
  clear spantree portvlancost on page 485
  display spantree on page 488
  display spantree portvlancost on page 494
  set spantree portvlancost on page 508

set spantree portfast
Enables or disables STP port fast convergence on one or more ports on a wireless LAN switch.
Syntax — set spantree portfast port port-list {enable | disable}
  port port-list — List of ports. MSS enables the feature on the specified ports.
set spantree portpri
Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on a wireless LAN switch.
Syntax — set spantree portpri port-list priority value
  port-list — List of ports. MSS changes the priority on the specified ports.
  priority value — Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority).
set spantree portvlancost
Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a wireless LAN switch.
Syntax — set spantree portvlancost port-list cost cost {all | vlan vlan-id}
  port-list — List of ports. MSS applies the cost change to all the specified ports.
  cost cost — Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
set spantree portvlanpri
Changes the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs.
Syntax — set spantree portvlanpri port-list priority value {all | vlan vlan-id}
  port-list — List of ports. MSS changes the priority on the specified ports.
  priority value — Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority).
  all — Changes the priority on all VLANs.
set spantree priority
Changes the STP root bridge priority of a wireless LAN switch on one or all of its VLANs.
Syntax — set spantree priority value {all | vlan vlan-id}
  priority value — Priority value. You can specify a value from 0 through 65,535. The bridge with the lowest priority value is elected to be the root bridge for the spanning tree.
  all — Changes the bridge priority on all VLANs.
  vlan vlan-id — VLAN name or number.
History — Introduced in MSS Version 3.0.
Usage — The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WX switches that are in the network core.
Examples — The following command enables uplink fast convergence:
  WX4400# set spantree uplinkfast enable
  success: change accepted.
13 IGMP SNOOPING COMMANDS
Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a WX.

Commands by usage
This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter based on their use.
clear igmp statistics
Clears IGMP statistics counters on one VLAN or all VLANs on a wireless LAN switch and resets them to 0.
Syntax — clear igmp statistics [vlan vlan-id]
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command displays IGMP information for VLAN orange:
  WX1200# display igmp vlan orange
  VLAN: orange
  IGMP is enabled
  Proxy reporting is on
  Mrouter solicitation is on
  Querier functionality is off
  Configuration values: qi: 125 oqi: 300 qri: 100 lmqi: 10 rvalue: 2
  Multicast router information:
  Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
  ---- --------------- ----------------- ----- ----
  1 192.28.7.
Table 81 describes the fields in this display.

Table 81 Output for display igmp
Field — Description
VLAN — VLAN name. MSS displays information separately for each VLAN.
IGMP is enabled (disabled) — IGMP state.
Proxy reporting — Proxy reporting state.
Mrouter solicitation — Multicast router solicitation state.
Querier functionality — Pseudo-querier state.
Configuration values (qi) — Query interval.
Configuration values (oqi) — Other-querier-present interval.
Table 81 Output for display igmp (continued)
Field — Description
TTL — Number of seconds before this entry ages out if not refreshed. For static multicast router entries, the time-to-live (TTL) value is undef. Static multicast router entries do not age out.
Group — IP address of a multicast group. The display igmp receiver-table command shows the same information as these receiver fields.
Port — Physical port through which the WX can reach the group’s receiver.
Table 81 Output for display igmp (continued)
Field — Description
VLAN — VLAN name. MSS displays information separately for each VLAN.
IGMP is enabled (disabled) — IGMP state.
See Also
  display igmp mrouter on page 518
  display igmp querier on page 519
  display igmp receiver-table on page 521
  display igmp statistics on page 523

display igmp mrouter
Displays the multicast routers in a WX’s subnet, on one VLAN or all VLANs.
Table 82 Output for display igmp mrouter
Field — Description
Multicast routers for vlan — VLAN containing the multicast routers. Ports are listed separately for each VLAN.
Port — Number of the physical port through which the WX can reach the router.
Mrouter-IPaddr — IP address of the multicast router.
Mrouter-MAC — MAC address of the multicast router.
History — Introduced in MSS Version 3.0.
Examples — The following command displays querier information for VLAN orange:
  WX1200# display igmp querier vlan orange
  Querier for vlan orange
  Port Querier-IP      Querier-MAC       TTL
  ---- --------------- ----------------- ----
  1 193.122.135.
See Also
  set igmp querier on page 533

display igmp receiver-table
Displays the receivers to which a WX forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask.
Syntax — display igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays the multicast receivers on all VLANs.
The following command lists all receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs:
  WX1200# display igmp receiver-table group 237.255.255.0/24
  VLAN: red
  Session         Port Receiver-IP     Receiver-MAC      TTL
  --------------- ---- --------------- ----------------- ----
  237.255.255.2   2    10.10.20.19     00:02:04:06:09:0d 112
  237.255.255.119 3    10.10.30.
display igmp statistics
Shows IGMP statistics.
Syntax — display igmp statistics [vlan vlan-id]
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays IGMP statistics for all VLANs.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Table 85 Output of display igmp statistics
Field — Description
IGMP statistics for vlan — VLAN name. Statistics are listed separately for each VLAN.
IGMP message type — Type of IGMP message:
  General-Queries — General group membership queries sent by the multicast querier (multicast router or pseudo-querier).
  GS-Queries — Group-specific queries sent by the multicast querier to determine whether there are receivers for a specific group.
Table 85 Output of display igmp statistics (continued)
Field — Description
Topology notifications — Number of Layer 2 topology change notifications received by the WX. In the current software version, the value in this field is always 0.
Packets with unknown IGMP type — Number of multicast packets received with an unrecognized multicast type.
Packets with bad length — Number of packets with an invalid length.
set igmp lmqi
Changes the IGMP last member query interval timer on one VLAN or all VLANs on a wireless LAN switch.
Syntax — set igmp lmqi tenth-seconds [vlan vlan-id]
  lmqi tenth-seconds — Amount of time (in tenths of a second) that the WX waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group.
set igmp mrouter
Adds or removes a port in a WX’s list of ports on which it forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out.
Syntax — set igmp mrouter port port-list {enable | disable}
  port port-list — Port list. MSS adds or removes the specified ports in the list of static multicast router ports.
  enable — Adds the port to the list of static multicast router ports.
set igmp mrsol
Enables or disables multicast router solicitation by a WX.
Syntax — set igmp mrsol {enable | disable} [vlan vlan-id]
  enable — Enables multicast router solicitation.
  disable — Disables multicast router solicitation.
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.
Defaults — Multicast router solicitation is disabled on all VLANs by default.
Access — Enabled.
Usage — You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
Examples — The following example changes the multicast router solicitation interval to 60 seconds:
  WX1200# set igmp mrsol mrsi 60
  success: change accepted.
See Also
  set igmp mrsol on page 528

set igmp oqi
See Also
  set igmp lmqi on page 526
  set igmp qi on page 531
  set igmp qri on page 532
  set igmp querier on page 533
  set igmp mrouter on page 527
  set igmp rv on page 534

set igmp proxy-report
Disables or reenables proxy reporting by a WX on one VLAN or all VLANs.
Syntax — set igmp proxy-report {enable | disable}
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs.
set igmp qi
Changes the IGMP query interval timer on one VLAN or all VLANs on a WX.
Syntax — set igmp qi seconds [vlan vlan-id]
  qi seconds — Number of seconds that elapse between general queries sent by the WX when the WX switch is the querier for the subnet. You can specify a value from 1 through 65,535.
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults — The default query interval is 125 seconds.
Access — Enabled.
set igmp qri
Changes the IGMP query response interval timer on one VLAN or all VLANs on a WX.
Syntax — set igmp qri tenth-seconds [vlan vlan-id]
  qri tenth-seconds — Amount of time (in tenths of a second) that the WX waits for a receiver to respond to a group-specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535.
  vlan vlan-id — VLAN name or number.
set igmp querier
Enables or disables the IGMP pseudo-querier on a WX, on one VLAN or all VLANs.
Syntax — set igmp querier {enable | disable} [vlan vlan-id]
  enable — Enables the pseudo-querier.
  disable — Disables the pseudo-querier.
  vlan vlan-id — VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.
Defaults — The pseudo-querier is disabled on all VLANs by default.
Access — Enabled.
Defaults — By default, no ports are static multicast receiver ports.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
See Also
  set igmp oqi on page 529
  set igmp qi on page 531
  set igmp qri on page 532
14 SECURITY ACL COMMANDS

Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering. (Security ACLs are different from the location policy on a WX, which helps you locally control user access. For location policy commands, see “AAA Commands” on page 211.
clear security acl
Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration.
Syntax — clear security acl {acl-name | all} [editbuffer-index]
  acl-name — Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
  all — Clears all security ACLs.
    WX4400# display security acl info all
    ACL information for all
    set security acl ip acl_133 (hits #1 0)
    --------------------------------------------------------
    1. deny IP source IP 192.168.1.6 0.0.0.0 destination IP any
    set security acl ip acl_134 (hits #3 0)
    --------------------------------------------------------
    1. permit IP source IP 192.168.0.1 0.0.0.
Syntax — clear security acl map {acl-name | all} {vlan vlan-id | port port-list [tag tag-value] | ap ap-num} {in | out}
  acl-name — Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
  all — Removes security ACL mapping from all physical ports, virtual ports, and VLANs on a WX switch.
  vlan vlan-id — VLAN name or number. MSS removes the security ACL from the specified VLAN.
  port port-list — Port list.
To clear all physical ports, virtual ports, and VLANs on a WX switch of the ACLs mapped for incoming and outgoing traffic, type the following command:
    WX4400# clear security acl map all
    success: change accepted.
Examples — The following commands commit all the security ACLs in the edit buffer to the configuration, display a summary of the committed ACLs, and show that the edit buffer has been cleared:
    WX4400# commit security acl all
    configuration accepted
    WX4400# display security acl
    ACL table
    ACL                     Type Class  Mapping
    ----------------------- ---- ------ -------
    acl_123                 IP   Static
    acl_124                 IP   Static
    WX4400# display security acl info all editbuffer
    acl editbuffer information for all
    WX4400# display security acl
    ACL table
    ACL                         Type Class  Mapping
    --------------------------- ---- ------ -------
    acl_123                     IP   Static Port 2 In
    acl_133                     IP   Static Port 4 In
    acl_124                     IP   Static
See Also
  clear security acl on page 538
  display security acl info on page 545
  display security acl editbuffer on page 543
  set security acl on page 552

display security acl editbuffer
Displays a summary of the security ACLs that have not yet been committed to the configuratio
To view details about these uncommitted ACLs, type the following command.
    WX4400# display security acl info all editbuffer
    ACL edit-buffer information for all
    set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
    ---------------------------------------------------
    1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
    2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
    3. deny SRC source IP 192.168.253.1 0.0.0.
Examples — To display the security ACL hits on a WX switch, type the following command:
    WX4400# display security acl hits
    ACL hit-counters
    Index Counter              ACL-name
    ----- -------------------- --------
    1     0                    acl_2
    2     0                    acl_175
    3     916                  acl_123
See Also
  set security acl hit-sample-rate on page 559
  set security acl on page 552

display security acl info
Displays the contents of a specified security ACL or all security ACLs that are committed — saved in the running configuration a
Examples — To display the contents of all security ACLs committed on a WX switch, type the following command:
    WX4400# display security acl info
    ACL information for all
    set security acl ip acl_123 (hits #5 462)
    --------------------------------------------------------
    1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
    2. deny IP source IP 192.168.2.11 0.0.0.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To display security ACL resource usage, type the following command:
    WX4400# display security acl resource-usage
    ACL resources
    Classifier tree counters
    ------------------------
    Number of rules : 2
    Number of leaf nodes : 1
    Stored rule count : 2
    Leaf chain count : 1
    Longest leaf chain : 2
    Number of non-leaf nodes : 0
    Uncompressed Rule Count : 2
    Maximum node depth : 1
    Sub-chain count : 0
    PSCBs in primary memory : 0 (max: 512)
    PSCBs in secondary memory : 0 (max: 9
Table 87 Output of display security acl resource-usage
Field: Description
Number of rules: Number of security ACEs currently mapped to ports or VLANs.
Number of leaf nodes: Number of security ACL data entries stored in the rule tree.
Stored rule count: Number of security ACEs stored in the rule tree.
Leaf chain count: Number of chained security ACL data entries stored in the rule tree.
Table 87 Output of display security acl resource-usage (continued)
Field: Description
LUdef in use: Number of the lookup definition (LUdef) table currently in use for packet handling.
Default action pointer: Memory address used for packet handling, from which default action data is obtained when necessary.
L4 global: Security ACL mapping on the WX switch:
  True — Security ACLs are mapped.
  False — No security ACLs are mapped.
No rules
Non-IP rules
Table 87 Output of display security acl resource-usage (continued)
Field: Description
In mapping: Application of security ACLs to incoming traffic on the WX switch:
  True — Security ACLs are mapped to incoming traffic.
  False — No security ACLs are mapped to incoming traffic.
No VLAN or PORT mapping: Application of security ACLs to WX VLANs or ports on the WX switch:
  True — No security ACLs are mapped to VLANs or ports.
No VPORT mapping

rollback security acl
Examples — The following commands show the edit buffer before a rollback, clear any changes in the edit buffer to security acl_122, and show the edit buffer after the rollback:
    WX4400# display security acl info all editbuffer
    ACL edit-buffer information for all
    set security acl ip acl_122 (ACEs 3, add 3, del 0, modified 0)
    --------------------------------------------------------
    1. permit IP source IP 20.0.1.11 0.0.0.255 destination IP any enable-hits
    2.
By ICMP packets
Syntax — set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask destination-ip-addr mask [type icmp-type] [code icmp-code] [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]

By TCP packets
Syntax — set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [established] [bef
  0 or 3—Best effort. Packets are queued in MAP forwarding queue 3.
  4 or 5—Video. Packets are queued in MAP forwarding queue 2. Use CoS level 4 or 5 for voice over IP (VoIP) packets other than SpectraLink Voice Priority (SVP).
  6 or 7—Voice. Packets are queued in MAP forwarding queue 1. In MSS Version 3.0, use 6 or 7 only for VoIP phones that use SVP, not for other types of traffic.
  deny — Blocks traffic that matches the conditions in the ACE.
(For a complete list of TCP and UDP port numbers, see www.iana.org/assignments/port-numbers.)
  destination-ip-addr mask — IP address and wildcard mask of the network or host to which the packet is being sent. Specify both address and mask in dotted decimal notation. For more information, see “Wildcard Masks” on page 30.
  type icmp-type — Filters ICMP messages by type. Specify a value from 0 through 255. (For a list of ICMP message type and code numbers, see www.iana.
  before editbuffer-index — Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)
  modify editbuffer-index — Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1.
The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:
    WX4400# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:
    WX4400# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.
Syntax — set security acl map acl-name {vlan vlan-id | port port-list [tag tag-list] | ap ap-num} {in | out}
  acl-name — Name of an existing security ACL to map. ACL names start with a letter and are case-insensitive.
  vlan vlan-id — VLAN name or number. MSS assigns the security ACL to the specified VLAN.
  port port-list — Port list. MSS assigns the security ACL to the specified physical WX port or ports.
See Also
  clear security acl map on page 539
  commit security acl on page 541
  set mac-user attr on page 261
  set mac-usergroup attr on page 267
  set security acl on page 552
  set user attr on page 273
  set usergroup on page 275
  display security acl map on page 546

set security acl hit-sample-rate
Specifies the time interval, in seconds, at which the packet counter for each security ACL is sampled for display.
Examples — The first command sets MSS to sample ACL hits every 15 seconds. The second and third commands display the results. The results show that 916 packets matching security acl_153 were sent since the ACL was mapped.
    WX4400# set security acl hit-sample-rate 15
    WX4400# display security acl info acl_153
    ACL information for acl_153
    set security acl ip acl_153 (hits #3 916)
    --------------------------------------------------------
    1. permit IP source IP 20.1.1.1 0.0.0.
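The ACEs in this chapter pair each address with a wildcard mask (0.0.0.0 for one host, 0.0.0.255 in several outputs), and the before and modify options exist because ACE order matters. The following Python sketch is an added example, not 3Com code: it parses simple IP ACE lines laid out like display security acl info output (constructed sample), evaluates them top-down with the first match deciding (an assumption about evaluation order), and reports ACEs that an earlier ACE fully covers. The "destination IP address mask" form and all function names are assumptions of the example.

```python
"""Audit simple IP ACEs laid out like `display security acl info` output."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample, one ACE per line as in the page's example output.
SAMPLE_OUTPUT = """\
set security acl ip acl_demo (hits #1 0)
---------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.1.77 0.0.0.0 destination IP any
3. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
"""

ALL_BITS = 0xFFFFFFFF


class Ace(NamedTuple):
    index: int
    action: str   # "permit" or "deny"
    src: tuple    # (address, wildcard) as 32-bit integers
    dst: tuple    # same layout; "any" is stored as (0, ALL_BITS)


# "any", or an address followed by a wildcard mask, both dotted decimal.
# Assumption: a destination is printed in the same layout as a source.
_FIELD = r"(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
_ACE_RE = re.compile(
    r"^\s*(\d+)\.\s+(permit|deny)\s+IP\s+source IP\s+" + _FIELD
    + r"\s+destination IP\s+" + _FIELD,
    re.IGNORECASE,
)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _field(text: str) -> tuple:
    if text.lower() == "any":
        return (0, ALL_BITS)
    address, wildcard = text.split()
    return (_to_int(address), _to_int(wildcard))


def parse_aces(output: str) -> list:
    """Return the ACEs found in the text; header and ruler lines are skipped."""
    aces = []
    for line in output.splitlines():
        m = _ACE_RE.match(line)
        if m:
            aces.append(Ace(int(m.group(1)), m.group(2).lower(),
                            _field(m.group(3)), _field(m.group(4))))
    return aces


def field_matches(addr: int, field: tuple) -> bool:
    """Wildcard semantics: 0 bits in the mask must match, 1 bits are ignored."""
    base, wildcard = field
    care = ~wildcard & ALL_BITS
    return ((addr ^ base) & care) == 0


def first_match(aces: list, src: str, dst: str) -> Optional[Ace]:
    """First ACE matching the packet, or None (unmatched traffic is not modelled)."""
    s, d = _to_int(src), _to_int(dst)
    for ace in aces:
        if field_matches(s, ace.src) and field_matches(d, ace.dst):
            return ace
    return None


def _covers(outer: tuple, inner: tuple) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    outer_base, outer_wild = outer
    inner_base, inner_wild = inner
    care = ~outer_wild & ALL_BITS
    return (inner_wild & care) == 0 and ((inner_base ^ outer_base) & care) == 0


def shadowed_aces(aces: list) -> list:
    """Pairs (later_index, earlier_index) where the later ACE can never match."""
    found = []
    for pos, later in enumerate(aces):
        for earlier in aces[:pos]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((later.index, earlier.index))
                break
    return found


if __name__ == "__main__":
    rules = parse_aces(SAMPLE_OUTPUT)
    hit = first_match(rules, "192.168.1.77", "10.0.0.5")
    print("192.168.1.77 ->", hit.action if hit else "no match", "by ACE", hit.index)
    for later, earlier in shadowed_aces(rules):
        print(f"ACE {later} is shadowed by ACE {earlier}")
```

In the sample, the deny for host 192.168.1.77 never takes effect because the 0.0.0.255 permit above it already matches that host, which is the ordering mistake the before option is there to correct.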
15 CRYPTOGRAPHY COMMANDS

A digital certificate is a form of electronic identification for computers. The WX requires digital certificates to authenticate its communications to 3WXM and Web Manager, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WX performs all EAP processing. Certificates can be generated on the WX or obtained from a certificate authority (CA).
Commands by Usage
This chapter presents cryptography commands alphabetically. Use Table 88 to locate commands in this chapter based on their use.
  PEM-formatted certificate — ASCII text representation of the certificate authority PKCS #7 certificate, consisting of up to 5120 characters that you have obtained from the certificate authority.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.
Usage — The Privacy-Enhanced Mail protocol (PEM) format is used for representing a PKCS #7 certificate in ASCII text.
crypto certificate
Installs one of the WX switch’s PKCS #7 certificates into the certificate and key storage area on the WX switch. The certificate, which is issued and signed by a certificate authority, authenticates the WX switch either to 3WXM or Web Manager, or to 802.1X supplicants (clients).
Examples — The following command installs a certificate:
    WX4400# crypto certificate admin
    Enter PEM-encoded certificate
    -----BEGIN CERTIFICATE-----
    MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU
    EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
    .....
History — Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.
Usage — You can overwrite a key by generating another key of the same type. SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automatically generates a 1024-byte SSH key.
  State Name string — (Optional) Specify the name of the state, in up to 64 alphanumeric characters. Spaces are allowed.
  Locality Name string — (Optional) Specify the name of the locality, in up to 80 alphanumeric characters with no spaces.
  Organizational Name string — (Optional) Specify the name of the organization, in up to 80 alphanumeric characters with no spaces.
Examples — To request an administrative certificate from a certificate authority, type the following command:
    WX4400# crypto generate request admin
    Country Name: US
    State Name: CA
    Locality Name: Pleasanton
    Organizational Name: MyCorp
    Organizational Unit: ENG
    Common Name: ENG
    Email Address: admin@example.
After you type the command, you are prompted for the following variables:
  Country Name string — (Optional) Specify the abbreviation for the country in which the WX switch is operating, in 2 alphanumeric characters with no spaces.
  State Name string — (Optional) Specify the abbreviation for the name of the state, in 2 alphanumeric characters with no spaces.
To generate a self-signed administrative certificate, type the following command:
    WX4400# crypto generate self-signed admin
    Country Name:
    State Name:
    Locality Name:
    Organizational Name:
    Organizational Unit:
    Common Name: wx1@example.
Note: On a WX switch that handles communications to and from Microsoft Windows clients, use a one-time password of 31 characters or fewer.
The following characters cannot be used as part of the one-time password of a PKCS #12 file:
  Quotation marks (“ ”)
  Question mark (?)
  Ampersand (&)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.
crypto pkcs12
Unpacks a PKCS #12 object file into the certificate and key storage area on the WX switch. This object file contains a public-private key pair, a WX certificate signed by a certificate authority, and the certificate authority’s certificate.
Examples — The following commands copy a PKCS #12 object file for an EAP certificate and key pair—and optionally the certificate authority’s own certificate—from a TFTP server to nonvolatile storage on the WX switch, create the one-time password hap9iN#ss, and unpack the PKCS #12 file:
    WX4400# copy tftp://192.168.253.1/2048full.p12 2048full.p12
    success: received 637 bytes in 0.
Access — Enabled.
History — Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.
Examples — To display information about the certificate of a certificate authority, type the following command:
    WX4400# display crypto ca-certificate
Table 89 describes the fields in the display.

Table 89 display crypto ca-certificate Output
Fields: Description
Version: Version of the X.509 certificate.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.
Usage — You must have generated a self-signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate.
Examples — To display information about a cryptographic certificate, type the following command:
    WX4400# display crypto certificate eap
Table 90 describes the fields of the display.
display crypto key domain
Displays domain key information.
Syntax — display crypto key domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To display domain key information, type the following command:
    WX4400# display crypto key domain
See Also
  crypto generate key on page 565

display crypto key ssh
Displays SSH authentication key information.
16 RADIUS AND SERVER GROUP COMMANDS

Use RADIUS commands to set up communication between a WX switch and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users.

Commands by Usage
This chapter presents RADIUS commands alphabetically. Use Table 91 to locate commands in this chapter based on their uses.
clear radius
Resets parameters that were globally configured for RADIUS servers to their default values.
Syntax — clear radius {deadtime | key | retransmit | timeout}
  deadtime — Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server.
  key — Password (shared secret key) used to authenticate to the RADIUS server.
    WX4400# clear radius timeout
    success: change accepted.
See Also
  display aaa on page 229
  set radius on page 582
  set radius server on page 587

clear radius client system-ip
Removes the WX switch’s system IP address from use as the permanent source address in RADIUS client requests from the switch to its RADIUS server(s).
Syntax — clear radius client system-ip
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear radius proxy client
Removes RADIUS proxy client entries for third-party APs.
Syntax — clear radius proxy client all
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.0.
Examples — The following command clears all RADIUS proxy client entries from the switch:
    WX4400# clear radius proxy client all
    success: change accepted.
clear radius server
Removes the named RADIUS server from the WX configuration.
Syntax — clear radius server server-name
  server-name — Name of a RADIUS server configured to perform remote AAA services for the WX switch.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the RADIUS server rs42 from a list of remote AAA servers:
    WX4400# clear radius server rs42
    success: change accepted.
Examples — To remove the server group sg-77, type the following command:
    WX4400# clear server group sg-77
    success: change accepted.
To disable load balancing in a server group shorebirds, type the following command:
    WX4400# set server group shorebirds load-balance disable
    success: change accepted.
See Also
  set server group on page 589

set radius
Configures global defaults for RADIUS servers that do not explicitly set these values themselves.
MSS encrypts the display form of the string in display config and display aaa output.
  retransmit number — Number of transmission attempts the WX switch makes before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.
  timeout seconds — Number of seconds the WX switch waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535.
See Also
  clear radius server on page 581
  display aaa on page 229
  set radius server on page 587

set radius client system-ip
Causes all RADIUS requests to be sourced from the IP address specified by the set system ip-address command, providing a permanent source IP address for RADIUS packets sent from the WX switch.
Syntax — set radius client system-ip
Defaults — None.
set radius proxy client
Adds a RADIUS proxy entry for a third-party AP. The proxy entry specifies the IP address of the AP and the UDP ports on which the WX switch listens for RADIUS traffic from the AP.
Syntax — set radius proxy client address ip-address [acct-port acct-udp-port-number] [port udp-port-number] key string
  address ip-address — IP address of the third-party AP. Enter the address in dotted decimal notation.
set radius proxy port
Configures the WX port connected to a third-party AP as a RADIUS proxy for the SSID supported by the AP.
Syntax — set radius proxy port port-list [tag tag-value] ssid ssid-name
  port port-list — WX port(s) connected to the third-party AP.
  tag tag-value — 802.1Q tag value in packets sent by the third-party AP for the SSID.
  ssid ssid-name — SSID supported by the third-party AP.
Defaults — None.
Access — Enabled.
set radius server
Configures RADIUS servers and their parameters. By default, the WX switch automatically sets all these values except the password (key).
Syntax — set radius server server-name [address ip-address] [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit number] [deadtime minutes] [key string] encrypted-key string] [author-password password]
  server-name — Unique name for this RADIUS server.
  author-password password — Password used for authorization to a RADIUS server for MAC users. Specify a password of up to 64 alphanumeric characters with no spaces or tabs.
Examples — To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts, 5 minutes of dead time, and a key string of keys4u, type the following command:
    WX1200# set radius server RS42 address 198.162.1.
Do not use the same name for a RADIUS server and a RADIUS server group.
Examples — To set server group shorebirds with members heron, egret, and sandpiper, type the following command:
    WX1200# set server group shorebirds members heron egret sandpiper
    success: change accepted.
Examples — To enable load balancing between the members of server group shorebirds, type the following command:
    WX1200# set server group shorebirds load-balance enable
    success: change accepted.
To disable load balancing between shorebirds server group members, type the following command:
    WX1200# set server group shorebirds load-balance disable
    success: change accepted.
17 802.1X MANAGEMENT COMMANDS

Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a WX. For best results, change the settings only if you are aware of a problem with 802.1X performance on the WX.

CAUTION: 802.1X parameter settings are global for all SSIDs configured on the switch.

Commands by Usage
This chapter presents 802.1X commands alphabetically. Use Table 92 to locate commands in this chapter based on their use. For information about configuring 802.
Table 92 802.
See Also
  display dot1x on page 599
  set dot1x bonded-period on page 603

clear dot1x max-req
Resets to the default setting the number of Extensible Authentication Protocol (EAP) requests that the WX switch retransmits to a supplicant (client).
Syntax — clear dot1x max-req
Defaults — The default number is 20.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To reset the number of 802.
Usage — This command is overridden by the set dot1x authcontrol command. The clear dot1x port-control command returns port control to the method configured. This command applies only to wired authentication ports.
Examples — Type the following command to reset the wired authentication port control:
    WX4400# clear dot1x port-control
    success: change accepted.
clear dot1x reauth-max
Resets the maximum number of reauthorization attempts to the default setting.
Syntax — clear dot1x reauth-max
Defaults — The default is 2 attempts.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to reset the maximum number of reauthorization attempts to the default:
    WX4400# clear dot1x reauth-max
    success: change accepted.
clear dot1x timeout auth-server
Resets to the default setting the number of seconds that must elapse before the WX times out a request to a RADIUS server.
Syntax — clear dot1x timeout auth-server
Defaults — The default is 30 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear dot1x tx-period
Resets to the default setting the number of seconds that must elapse before the WX switch retransmits an EAP over LAN (EAPoL) packet.
Syntax — clear dot1x tx-period
Defaults — The default is 5 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to reset the EAPoL retransmission time:
    WX4400# clear dot1x tx-period
    success: change accepted.
History — Introduced in MSS Version 3.0. Format of 802.1X authentication rule information in display dot1x config output changed in MSS Version 3.2. The rules are still listed at the top of the display, but more information is shown for each rule.
Examples — Type the following command to display the 802.
display dot1x 802.
Table 93 display dot1x stats Output
Field: Description
Enters Connecting: Number of times that the WX switch state transitions to the CONNECTING state from any other state.
Logoffs While Connecting: Number of times that the WX switch state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL-Logoff message.
Enters Authenticating: Number of times that the state wildcard transitions.
Defaults — By default, authentication control for individual wired authentication is enabled.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command applies only to wired authentication ports.
Examples — To enable per-port 802.1X authentication on wired authentication ports, type the following command:
    WX4400# set dot1x authcontrol enable
    success: dot1x authcontrol enabled.
Usage — Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter. 3Com recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
Examples — Type the following command to enable key transmission:
    WX4400# set dot1x key-tx enable
    success: dot1x key transmission enabled.
See Also
  display dot1x on page 599

set dot1x max-req
Sets the maximum number of times the WX retransmits an EAP request to a supplicant (client) before ending the authentication session.
Syntax — set dot1x max-req number-of-retransmissions
  number-of-retransmissions — Specify a value between 0 and 10.
set dot1x port-control
Determines the 802.1X authentication behavior on individual wired authentication ports or groups of ports.
Syntax — set dot1x port-control {forceauth | forceunauth | auto} port-list
  forceauth — Forces the specified wired authentication port(s) to unconditionally authorize all 802.1X authentication attempts, with an EAP success message.
  forceunauth — Forces the specified wired authentication port(s) to unconditionally reject all 802.
set dot1x quiet-period
Sets the number of seconds a WX remains quiet and does not respond to a supplicant after a failed authentication.
Syntax — set dot1x quiet-period seconds
  seconds — Specify a value between 0 and 65,535.
Defaults — The default is 60 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to set the quiet period to 90 seconds:
    WX4400# set dot1x quiet-period 90
    success: dot1x quiet period set to 90.
See Also
  display dot1x on page 599
  set dot1x reauth-max on page 608
  set dot1x reauth-period on page 609

set dot1x reauth-max
Sets the number of reauthentication attempts that the WX switch makes before the supplicant (client) becomes unauthorized.
Syntax — set dot1x reauth-max number-of-attempts
  number-of-attempts — Specify a value between 1 and 10.
Defaults — The default number of reauthentication attempts is 2.
Access — Enabled.
set dot1x reauth-period
Sets the number of seconds that must elapse before the WX switch attempts reauthentication.
Syntax — set dot1x reauth-period seconds
  seconds — Specify a value between 60 (1 minute) and 1,641,600 (19 days).
Defaults — The default is 3600 seconds (1 hour).
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
  display dot1x on page 599
  clear dot1x timeout auth-server on page 598

set dot1x timeout supplicant
Sets the number of seconds that must elapse before the WX switch times out an authentication session with a supplicant (client).
Syntax — set dot1x timeout supplicant seconds
  seconds — Specify a value between 1 and 65,535.
Defaults — The default is 30 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to set the number of seconds before the WX switch retransmits an EAPoL packet to 300:
WX4400# set dot1x tx-period 300
success: dot1x tx-period set to 300.
See Also
display dot1x on page 599
clear dot1x tx-period on page 599

set dot1x wep-rekey
Enables or disables Wired Equivalent Privacy (WEP) rekeying for broadcast and multicast encryption keys.
set dot1x wep-rekey-period
Sets the interval for rotating the WEP broadcast and multicast keys.
Syntax — set dot1x wep-rekey-period seconds
seconds — Specify a value between 30 and 1,641,600 (19 days).
Defaults — The default is 1800 seconds (30 minutes).
Access — Enabled.
History — Introduced in MSS Version 3.0.
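The ranges and defaults documented for the set dot1x commands above can be checked automatically against a saved configuration. The following Python linter is an added example, not part of the 3Com manual or MSS; the sample configuration is constructed, and the rule that asks for review of timers longer than their documented default is an assumed site policy.

```python
import re

# Value ranges and defaults as stated in the set dot1x command descriptions.
NUMERIC = {
    "quiet-period":       {"range": (0, 65535),    "default": 60},
    "reauth-max":         {"range": (1, 10),       "default": 2},
    "reauth-period":      {"range": (60, 1641600), "default": 3600},
    "timeout supplicant": {"range": (1, 65535),    "default": 30},
    "wep-rekey-period":   {"range": (30, 1641600), "default": 1800},
}
# Assumed site policy (not from the manual): review these timers when they are
# longer than the documented default, because that lengthens the time between
# reauthentications or the lifetime of the WEP broadcast and multicast keys.
REVIEW_IF_ABOVE_DEFAULT = {"reauth-period", "wep-rekey-period"}
PORT_CONTROL_MODES = {"forceauth", "forceunauth", "auto"}

_NUMERIC_RE = re.compile(
    r"^set dot1x (%s) (\S+)$" % "|".join(re.escape(k) for k in NUMERIC))
_PORT_RE = re.compile(r"^set dot1x port-control (\S+) (\S+)$")

# Constructed sample, in the form of the set commands that display config lists.
SAMPLE_CONFIG = """\
set dot1x quiet-period 90
set dot1x reauth-max 12
set dot1x reauth-period 86400
set dot1x timeout supplicant 30
set dot1x wep-rekey-period 20
set dot1x port-control forceauth 3
set dot1x port-control auto 5
set system idle-timeout 1800
"""


def lint_dot1x(config_text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        m = _PORT_RE.match(line)
        if m:
            mode, ports = m.groups()
            if mode not in PORT_CONTROL_MODES:
                findings.append((lineno, "invalid",
                                 f"unknown port-control mode {mode!r}"))
            elif mode == "forceauth":
                # forceauth authorizes every attempt with an EAP success message.
                findings.append((lineno, "high",
                                 f"port(s) {ports} authorize all 802.1X attempts"))
            continue
        m = _NUMERIC_RE.match(line)
        if not m:
            continue  # not one of the 802.1X settings checked here
        name, value = m.groups()
        low, high = NUMERIC[name]["range"]
        if not (value.isascii() and value.isdigit()):
            findings.append((lineno, "invalid", f"{name}: {value!r} is not a number"))
            continue
        number = int(value)
        if not low <= number <= high:
            findings.append((lineno, "invalid",
                             f"{name} {number} is outside {low}-{high}"))
        elif name in REVIEW_IF_ABOVE_DEFAULT and number > NUMERIC[name]["default"]:
            findings.append((lineno, "review",
                             f"{name} {number} exceeds default "
                             f"{NUMERIC[name]['default']}"))
    return findings


if __name__ == "__main__":
    for finding in lint_dot1x(SAMPLE_CONFIG):
        print("line %d [%s] %s" % finding)
```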
18 SESSION MANAGEMENT COMMANDS

Use session management commands to display and clear administrative and network user sessions.

Commands by Usage
This chapter presents session management commands alphabetically. Use Table 94 to locate commands in this chapter based on their use.
telnet client [session-id] — Clears all Telnet client sessions from the CLI to remote devices, or clears an individual session identified by session ID.
mesh-ap [session-id] — Clears all Mesh AP sessions, or clears an individual Mesh AP session identified by session ID.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear sessions network
Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
Syntax — clear sessions network {user user-glob | mac-addr mac-addr-glob | vlan vlan-glob | session-id local-session-id}
user user-glob — Clears all network sessions for a single user or set of users.
Examples — To clear all sessions for MAC address 00:01:02:03:04:05, type the following command:
WX4400# clear sessions network mac-addr 00:01:02:03:04:05
To clear session 9, type the following command:
WX1200# clear sessions network session-id 9
SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d, flags 0000012fh, to change state to KILLING
Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING (client=00:06:25:09:39:5d)
To clear
telnet — Displays sessions for all users with administrative access to the WX switch through a Telnet connection.
telnet client — Displays Telnet sessions from the CLI to remote devices.
Defaults — None.
Access — All, except for display sessions telnet client, which has enabled access.
History — Introduced in MSS Version 3.0.
To view information about Telnet client sessions, type the following command:
WX4400# display sessions telnet client
Session  Server Address  Server Port  Client Port
-------  --------------  -----------  -----------
0        192.168.1.81    23           48000
1        10.10.1.22      23           48001
Table 95 describes the fields of the display sessions admin, display sessions console, and display sessions telnet displays.
display sessions mesh-ap
Displays summary or verbose information about Mesh AP sessions on the WX.
Syntax — display sessions mesh-ap [session-id session-id | verbose]
session-id local-session-id — Displays the specified Mesh AP session. To determine the local session ID for a Mesh AP session, use the display sessions mesh-ap command without the session-id option.
verbose — Provides detailed output for all Mesh AP sessions.
Defaults — None.
Access — All.
See also “clear sessions” on page 613

display sessions network
Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0. Output added to the display network sessions verbose command to indicate the user’s authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile in MSS Version 4.1.
Usage — MSS displays information about network sessions in three types of displays. See the following tables for field descriptions.
Summary display — See Table 98 on page 623.
The following command displays summary information about all the sessions of users whose names begin with E:
WX1200# display sessions network user E*
User Name                    Sess ID  IP or MAC Address
---------------------------  -------  -----------------
EXAMPLE\Singh                12*      10.10.10.30
EXAMPLE\Havel                13*      10.10.10.
Start-Date=05/04/11-10:00 (AAA)
1 sessions total
(Table 99 on page 624 describes the additional fields of the verbose output of display sessions network commands.)
The following command displays information about network session 27:
WX1200# display sessions network session-id 27
Global Id: SESS-27-000430-835586-58dfe5a
State: ACTIVE
Port/Radio: 3/1
MAC Address: 00:00:2d:6f:44:77
User Name: EXAMPLE Natasha
IP Address: 10.10.40.
Table 98 display sessions network (summary) Output
Field | Description
Sess ID | Locally unique number that identifies this session. An asterisk (*) next to the session ID indicates fully active sessions.
IP or MAC Address | IP address of the session user, or the user’s MAC address if the user has not yet received an IP address.
VLAN Name | Name of the VLAN associated with the session.
Table 99 Additional display sessions network verbose Output (continued)
Field | Description
State | Status of the session:
  AUTH, ASSOC REQ — Client is being associated by the 802.1X protocol.
  AUTH AND ASSOC — Client is being associated by the 802.1X protocol, and the user is being authenticated.
  AUTHORIZING — User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
Table 100 display sessions network session-id Output
Field | Description
Global Id | A unique session identifier within the Mobility Domain.
State | Status of the session:
  AUTH, ASSOC REQ — Client is being associated by the 802.1X protocol.
  AUTH AND ASSOC — Client is being associated by the 802.1X protocol, and the user is being authenticated.
  AUTHORIZING — User has been authenticated (for example, by the 802.
Table 100 display sessions network session-id Output (continued)
Field | Description
Authentication Method | Extensible Authentication Protocol (EAP) type used to authenticate the session user, and the IP address of the authentication server.
Session statistics as updated from AP | Time the session statistics were last updated from the MAP access point, in seconds since a fixed standard date and time.
19 RF DETECTION COMMANDS

MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a 3Com switch and is not a member of the ignore list configured on the seed switch of the Mobility Domain. The ignore list is a list of third-party (friendly) BSSIDs that are not rogues.
Table 101 RF Detection Commands by Usage (continued)
Type | Command
 | clear rfdetect vendor-list on page 633
Permitted SSID List | set rfdetect ssid-list on page 659
 | display rfdetect ssid-list on page 649
 | clear rfdetect ssid-list on page 632
Client Black List | set rfdetect black-list on page 654
 | display rfdetect black-list on page 636
 | clear rfdetect black-list on page 631
Attack List | set rfdetect attack-list on page 653
 | display rfdetect attack-list on page 635
 | clear r
See Also
clear rfdetect attack-list on page 630
display rfdetect attack-list on page 635

clear rfdetect black-list
Removes a MAC address from the client black list.
Syntax — clear rfdetect black-list mac-addr
mac-addr — MAC address you want to remove from the black list.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command removes BSSID aa:bb:cc:11:22:33 from the ignore list for RF scans:
WX1200# clear rfdetect ignore aa:bb:cc:11:22:33
success: aa:bb:cc:11:22:33 is no longer ignored.
See Also
display rfdetect ignore on page 644
set rfdetect ignore on page 656

clear rfdetect ssid-list
Removes an SSID from the permitted SSID list.
clear rfdetect vendor-list
Removes an entry from the permitted vendor list.
Syntax — clear rfdetect vendor-list {client | ap} mac-addr | all
client | ap — Specifies whether the entry is for an AP brand or a client brand.
mac-addr | all — Organizationally Unique Identifier (OUI) to remove.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
rfping
Provides information about the RF link between the WX and the client based on sending test packets to the client.
Syntax — rfping {mac mac-addr | session-id session-id}
mac-addr — Tests the RF link between the WX and the client with the specified MAC address.
session-id — Tests the RF link between the WX and the client with the specified local session ID.
Defaults — None.
Access — Enabled.
History — Version 4.2 Command introduced. Version 6.
Table 102 rfping Output (continued)
Field | Description
RSSI | Received signal strength indication (RSSI)—the strength of the RF signal from the client, in decibels referred to 1 milliwatt (dBm).
SNR | Signal-to-noise ratio (SNR), in decibels (dB), of the data received from the client.
RTT (micro-secs) | The round-trip time, in microseconds, for the client response to the test packets.
display rfdetect black-list
Displays information about the clients in the client black list.
Syntax — display rfdetect black-list
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
display rfdetect clients
Displays the wireless clients detected by a WX switch.
Syntax — display rfdetect clients [mac mac-addr]
mac mac-addr — Displays detailed information for a specific client.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Table 103 display rfdetect clients Output
Field | Description
Client MAC | MAC address of the client.
Client Vendor | Company that manufactures or sells the client.
AP MAC | MAC address of the radio with which the rogue client is associated.
AP Vendor | Company that manufactures or sells the AP with which the rogue client is associated.
Port/Radio/Channel | Port number, radio number, and channel number of the radio that detected the rogue.
NoL | Number of listeners.
Table 104 display rfdetect clients mac Output (continued)
Field | Description
Typ | Classification of the rogue device:
  rogue—Wireless device that is on the network but is not supposed to be on the network.
  intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MAP radios.
  known—Device that is a legitimate member of the network.

display rfdetect countermeasures
Table 105 describes the fields in this display.
Table 105 display rfdetect countermeasures Output
Field | Description
Rogue MAC | BSSID of the rogue.
Type | Classification of the rogue device:
  rogue—Wireless device that is on the network but is not supposed to be on the network.
  intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MAP radios.
Examples — The following command shows counters for rogue activity detected by a WX switch:
WX4400# display rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ ------------
Rogue access points
Interfering access points
Rogue 802.11 clients
Interfering 802.11 clients
802.11 adhoc clients
Unknown 802.11 clients
Interfering 802.11 clients seen on wired network
802.11 probe request flood
802.11 authentication flood
802.
display rfdetect data
Displays all the BSSIDs detected by an individual WX switch during an RF detection scan. The data includes BSSIDs transmitted by other 3Com radios as well as by third-party access points.
Syntax — display rfdetect data
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. Vendor, Type, and Flag fields added in MSS Version 4.0.
Usage — You can enter this command on any WX switch in the Mobility Domain.
Table 106 display rfdetect data Output
Field | Description
BSSID | BSSID detected by a MAP radio on this WX switch.
Vendor | Company that manufactures or sells the rogue device.
Type | Classification of the rogue device:
  rogue—Wireless device that is not supposed to be on the network. The device has an entry in a WX switch’s FDB and is therefore on the network.
  intfr—Wireless device that is not part of your network but is not a rogue.
display rfdetect ignore
Displays the BSSIDs of third-party devices that MSS ignores during RF scans. MSS does not generate log messages or traps for the devices in the ignore list.
Syntax — display rfdetect ignore
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command is valid only on the seed switch of the Mobility Domain. To display rogue information for an individual switch, use the display rfdetect data command on that switch. Only rogues are listed. To display all devices detected, including 3Com radios, use the display rfdetect data command.
  WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a
  Device-type: interfering Adhoc: no Crypto-types: clear
  RSSI: -75 SSID: 3Com-webaaa
  WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82
  Device-type: interfering Adhoc: no Crypto-types: clear
  RSSI: -76 SSID: 3Com-webaaa
Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID.
Table 107 and Table 108 describe the fields in these displays.
Table 107 display rfdetect mobility-domain Output
Field | Description
BSSID | MAC address of the SSID used by the detected device.
Vendor | Company that manufactures or sells the rogue device.
Type Classification of the rogue device: Flags rogue—Wireless device that is not supposed to be on the network. The device has an entry in a WX switch’s FDB and is therefore on the network.
Table 108 display rfdetect mobility-domain ssid or bssid Output (continued)
Field | Description
Crypto-Types | Encryption type:
  clear (no encryption)
  ccmp
  tkip
  wep104 (WPA 104-bit WEP)
  wep40 (WPA 40-bit WEP)
  wep (non-WPA WEP)
WX-IPaddress | System IP address of the WX switch that detected the rogue.
Port/Radio/Channel | Port number, radio number, and channel number of the radio that detected the rogue.
Mac | MAC address of the radio that detected the rogue.
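The per-listener lines of display rfdetect mobility-domain output show which radio hears a reported BSSID most strongly, which is the usual starting point for locating the device. The parser below is an added example, not 3Com code; it uses the two listener records from the manual's example output (where the line breaks fall is an assumption), and the function names are hypothetical.

```python
import re

# Field labels of the per-listener lines in
# "display rfdetect mobility-domain ssid|bssid" output (see Table 108).
FIELDS = ("WX-IPaddress", "Port/Radio/Ch", "Mac", "Device-type",
          "Adhoc", "Crypto-types", "RSSI", "SSID")
_KEY_RE = re.compile(
    r"(?<![\w-])(%s):" % "|".join(re.escape(f) for f in FIELDS))

# Listener records copied from the manual's example; line breaks are assumed.
SAMPLE_OUTPUT = """\
  WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a
  Device-type: interfering Adhoc: no Crypto-types: clear
  RSSI: -75 SSID: 3Com-webaaa
  WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82
  Device-type: interfering Adhoc: no Crypto-types: clear
  RSSI: -76 SSID: 3Com-webaaa
"""


def parse_listeners(text):
    """Split listener lines into one dict per detecting radio.

    A value runs from its label to the next label or the end of the line,
    so values that contain spaces ("ap 1/1/1") survive, and the parser works
    whether a record is wrapped over several lines or flattened onto one.
    """
    records, current = [], None
    matches = list(_KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end].lstrip(" \t").split("\n", 1)[0].strip()
        key = m.group(1)
        if key == "WX-IPaddress":      # first field of every listener record
            current = {}
            records.append(current)
        if current is None:
            continue                   # stray field before the first record
        if key == "RSSI":
            try:
                value = int(value)
            except ValueError:
                value = None           # malformed or missing reading
        current[key] = value
    return records


def strongest_listener(records):
    """Return the record with the highest RSSI (closest to 0 dBm), or None."""
    heard = [r for r in records if isinstance(r.get("RSSI"), int)]
    return max(heard, key=lambda r: r["RSSI"]) if heard else None


def unencrypted(records):
    """Return the records whose Crypto-types include 'clear' (no encryption)."""
    return [r for r in records if "clear" in r.get("Crypto-types", "").split()]


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_OUTPUT)
    best = strongest_listener(listeners)
    print("start the search near", best["WX-IPaddress"], best["Port/Radio/Ch"])
```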
display rfdetect ssid-list
Displays the entries in the permitted SSID list.
Syntax — display rfdetect ssid-list
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following example shows the permitted vendor list on WX switch:
WX1200# display rfdetect vendor-list
Total number of entries: 1
OUI                Type
-----------------  ------
aa:bb:cc:00:00:00  client
11:22:33:00:00:00  ap
See Also
clear rfdetect vendor-list on page 633
set rfdetect vendor-list on page 660

display rfdetect visible
Displays the BSSIDs discovered by a specific 3Com radio.
Usage — If a 3Com radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately. To display rogue information for the entire Mobility Domain, use the display rfdetect mobility-domain command on the seed switch.
Table 109 display rfdetect visible Output (continued)
Field | Description
RSSI | Received signal strength indication (RSSI)—the strength of the RF signal detected by the MAP radio, in decibels referred to 1 milliwatt (dBm).
Flags | Classification and encryption information for the rogue: The i, a, or u flag indicates the classification. The other flags indicate the encryption used by the rogue. For flag definitions, see the key in the command output.
set rfdetect attack-list
Adds an entry to the attack list. The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients.
Syntax — set rfdetect attack-list mac-addr
mac-addr — MAC address you want to attack.
Defaults — The attack list is empty by default.
Access — Enabled.
History — Introduced in MSS Version 4.0.
set rfdetect black-list
Adds an entry to the client black list. The client black list specifies clients that are not allowed on the network. MSS drops all packets from the clients on the black list.
Syntax — set rfdetect black-list mac-addr
mac-addr — MAC address you want to place on the black list.
Defaults — The client black list is empty by default.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Syntax — set rfdetect countermeasures {enable | disable}
enable — Enables countermeasures.
disable — Disables countermeasures.
Defaults — Countermeasures are disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command is valid only on the seed switch of the Mobility Domain.
You can start countermeasures against more than one BSSID by typing additional set rfdetect countermeasures mac commands. After you type the first set rfdetect countermeasures mac command, MSS does not issue countermeasures against any devices except the ones you specify using this command. To resume normal countermeasures operation, where MSS automatically issues countermeasures against detected rogues, use the clear rfdetect countermeasures mac all command.
Usage — Use this command to identify third-party APs and other devices you are already aware of and do not want MSS to report following RF scans. If you try to initiate countermeasures against a device on the ignore list, the ignore list takes precedence and MSS does not issue the countermeasures. Countermeasures apply only to rogue devices.
History — Introduced in MSS Version 3.0.
Usage — This command is valid only on the seed switch of the Mobility Domain. The log messages for rogues are generated only on the seed and appear only in the seed’s log message buffer. Use the display log buffer command to display the messages in the seed switch’s log message buffer.
Examples — The following command enables MAP signatures on a WX switch:
WX1200# set rfdetect signature enable
success: signature is now enabled.

set rfdetect signature key
Creates an encrypted RF fingerprint key to use as a signature for a MAP.
Syntax — set rfdetect signature key encrypted
key — 16 bytes separated by colons generated by the user. For example, a1:b2:c3:d4:e5:f6:g7:h8 can be a key value.
encrypted — Encrypts the signature key.
If you add a device that MSS has classified as a rogue to the permitted SSID list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID. However, to cause MSS to stop classifying the device as a rogue, you must add the device’s MAC address to the ignore list.
If you add a device that MSS has classified as a rogue to the permitted vendor list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted vendor list merely indicates that the device is from an allowed vendor. However, to cause MSS to stop classifying the device as a rogue, you must add the device’s MAC address to the ignore list.
Examples — The following command tests the RF link between the WX switch and the client with MAC address 00:0e:9b:bf:ad:13:
WX4400# test rflink mac 00:0e:9b:bf:ad:13
RF-Link Test to 00:0e:9b:bf:ad:13 :
Session-Id: 2
Packets Sent  Packets Rcvd  RSSI     SNR    RTT (micro-secs)
------------  ------------  -------  -----  ----------------
20            20            -68      26     976
Table 110 describes the fields in this display.
20 FILE MANAGEMENT COMMANDS

Use file management commands to manage system files and to display software and boot information.

Commands by Usage
This chapter presents file management commands alphabetically. Use Table 111 to locate commands in this chapter based on their use.
Table 111 File Management Commands by Usage (continued)
Type | Command
System Backup and Restore | backup on page 664
 | restore on page 684
Sygate On-Demand Agent (SODA) file installation and removal | install soda agent on page 673
 | display boot on page 674

backup
Creates an archive of WX system files and, optionally, user files, in Unix tape archive (tar) format.
Syntax — backup system [tftp:/ip-addr/]filename [all | critical]
Defaults — All.
Access — Enabled.
Archive files created by the all option are larger than files created by the critical option. The file size depends on the files in the user area, and the file can be quite large if the user area contains image files. The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the display boot command’s output.
clear boot backup-configuration
Clears the filename specified as the backup configuration file. In the event that MSS cannot read the configuration file at boot time, a backup configuration file is not used.
Syntax — clear boot backup-configuration
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.1.
WX4400# reset system force
...... rebooting ......
See Also
display config on page 675
reset system on page 683

copy
Performs the following copy operations:
Copies a file from a TFTP server to nonvolatile storage.
Copies a file from nonvolatile storage or temporary storage to a TFTP server.
Copies a file from one area in nonvolatile storage to another.
Copies a file to a new filename in nonvolatile storage.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a WX switch’s nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server’s hostname as an alternative to specifying the IP address. The tmp:filename URL specifies a file in temporary storage.
The following commands rename test-config to new-config by copying it from one name to the other in the same location, then deleting test-config:
WX4400# copy test-config new-config
WX4400# delete test-config
success: file deleted.
The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in a WX switch’s nonvolatile storage:
WX4400# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.
Examples — The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage:
WX4400# copy testconfig tftp://10.1.1.1/testconfig
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
WX4400# delete testconfig
success: file deleted.
The following commands delete file dang_doc from subdirectory dang:
WX4400# delete dang/dang_doc
success: file deleted.
Examples — The following command displays the files in the root directory:
WX4400# dir
===============================================================================
file:
Filename                      Size       Created
file:configuration            48 KB      Jul 12 2005, 15:02:32
file:corp2:corp2cnfig         17 KB      Mar 14 2005, 22:20:04
corp_a/                       512 bytes  May 21 2004, 19:15:48
file:dangcfg                  14 KB      Mar 14 2005, 22:20:04
old/                          512 bytes  May 16 2004, 17:23:44
file:pubsconfig-april062005   40 KB      May 09 2005, 21:08:30
file:sysa_bak                 12 KB      Mar 15 2005, 19:
The following command limits the output to the contents of the user files area:
WX4400# dir file:
===============================================================================
file:
Filename                      Size       Created
file:configuration            48 KB      Jul 12 2005, 15:02:32
file:corp2:corp2cnfig         17 KB      Mar 14 2005, 22:20:04
corp_a/                       512 bytes  May 21 2004, 19:15:48
file:dangcfg                  14 KB      Mar 14 2005, 22:20:04
dangdir/                      512 bytes  May 16 2004, 17:23:44
file:pubsconfig-april062005   40 KB      May 09 200
Table 113 Output for dir
Field | Description
Filename | Filename or subdirectory name. For files, the directory name is shown in front of the filename (for example, file:configuration). The file: directory is the root directory. For subdirectories, a forward slash is shown at the end of the subdirectory name (for example, old/ ). In the boot partitions list (Boot:), an asterisk (*) indicates the boot partition from which the currently running image was loaded and the image filename.
Usage — The install soda agent command installs a .zip file containing SODA agent files into a directory on the WX switch. Prior to installing the SODA agent files, you must have already copied the .zip file to the WX switch. This command creates the specified directory, unzips the file and places the contents into the directory.
Table 114 describes the fields in the display boot output.
Table 114 Output for display boot
Field | Description
Configured boot version | Software version the switch will run next time the software is rebooted.
Configured boot image | Boot partition and image filename MSS will use to boot next time the software is rebooted.
Configured boot configuration | Configuration filename MSS will use to boot next time the software is rebooted.
ip-config l2acl log mobility-domain network-domain ntp portconfig port-group qos radio-profile rfdetect service-profile sm snmp snoop spantree system trace vlan vlan-fdb vlan-profile
If you do not specify a configuration area, nondefault information for all areas is displayed.
all — Includes configuration items that are set to their default values.
Defaults — None.
Usage — If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas. If you specify an area, commands are displayed for that area only. If you use the all option, the display also includes commands for configuration items that are set to their default values.
Examples — The following command displays version information for a WX switch:
WX1200# display version
Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 3Com Corporation. All rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Model:             WX
Hardware
  Mainboard:       version 24 ; revision 3 ; FPGA version 24
  PoE board:       version 1 ; FPGA version 6
Serial number      0321300013
Flash:             4.1.0.14 - md0a
BootLoader:
Kernel:            3.0.
Table 115 describes the fields in the display version output.
Table 115 Output for display version
Field | Description
Build Information | Factory timestamp of the image file.
Label | Software version and build date.
Build Suffix | Build suffix.
Model | Build model.
Hardware | Version information for the WX switch’s motherboard and Power over Ethernet (PoE) board.
Serial number | Serial number of the WX switch.
Flash | Flash memory version.
Kernel | Kernel version.
Defaults — The default file location is nonvolatile storage. The current version supports loading a configuration file only from the switch’s nonvolatile storage. You cannot load a configuration file directly from a TFTP server. If you do not specify a filename, MSS uses the same configuration filename that was used for the previous configuration load.
md5
Calculates the MD5 checksum for a file in the switch’s nonvolatile storage.
Syntax — md5 [boot0: | boot1:]filename
boot0: | boot1: — Boot partition into which you copied the file.
filename — Name of the file.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — You must include the boot partition name in front of the filename. If you specify only the filename, the CLI displays a message stating that the file does not exist.
Examples — The following commands create a subdirectory called corp2 and display the root directory to verify the result:
WX4400# mkdir corp2
success: change accepted.
WX4400# dir
===============================================================================
file:
Filename                      Size       Created
file:configuration            17 KB      May 21 2004, 18:20:53
file:configuration.
reset system
Restarts a WX switch and reboots the software.
Syntax — reset system [force]
force — Immediately restarts the system and reboots, without comparing the running configuration to the configuration file.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — If you do not use the force option, the command first compares the running configuration to the configuration file.
restore
Unzips a system archive created by the backup command and copies the files from the archive onto the switch.
Syntax — restore system [tftp:/ip-addr/]filename [all | critical]
Defaults — Critical.
Access — Enabled.
History — Introduced in MSS Version 3.2.
Usage — If a file in the archive has a counterpart on the switch, the archive version of the file replaces the file on the switch.
See Also
backup on page 664

rmdir
Removes a subdirectory from nonvolatile storage.
Syntax — rmdir [subdirname]
subdirname — Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — If you do not specify a filename, MSS replaces the configuration file loaded during the most recent reboot. To display the filename of the configuration file MSS loaded during the most recent reboot, use the display boot command. The command completely replaces the specified configuration file with the running configuration.
History — Introduced in MSS Version 4.1.
Examples — The following command specifies a file called backup.cfg as the backup configuration file on the WX switch:
WX1200# set boot backup-configuration backup.cfg
success: backup boot config filename set.
See Also
clear boot backup-configuration on page 666
display boot on page 674

set boot configuration-file
Changes the configuration file to load after rebooting.
set boot partition
Specifies the boot partition in which to look for the system image file following the next system reset, software reload, or power cycle.
Syntax — set boot partition {boot0 | boot1}
boot0 — Boot partition 0.
boot1 — Boot partition 1.
Defaults — By default, a WX switch uses the same boot partition for the next software reload that was used to boot the currently running image.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The uninstall soda command removes the SODA agent directory and all of its contents. All files in the specified directory are removed. The command removes the directory and its contents, regardless of whether it contains SODA agent files.
21 TRACE COMMANDS
Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command.
CAUTION: Using the set trace command can have adverse effects on system performance. 3Com recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
clear log trace
Deletes the log messages stored in the trace buffer. Syntax — clear log trace Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. Examples — To delete the trace log, type the following command:
WX4400# clear log trace
See Also display log buffer on page 712, set log on page 716
clear trace
Deletes running trace commands and ends trace processes.
To clear the session manager trace, type the following command:
WX4400# clear trace sm
success: clear trace sm
See Also display trace on page 693, set trace authentication on page 694, set trace authorization on page 695, set trace dot1x on page 696, set trace sm on page 697
display trace
Displays information about traces that are currently configured on the WX switch, or all possible trace options.
save trace
Saves the accumulated trace data for enabled traces to a file in the WX switch’s nonvolatile storage. Syntax — save trace filename filename — Name for the trace file. To save the file in a subdirectory, specify the subdirectory name, then a slash. For example: traces/trace1 Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0.
Examples — The following command starts a trace for information about user jose’s authentication:
WX4400# set trace authentication user jose
success: change accepted.
See Also clear trace on page 692, display trace on page 693
set trace authorization
Traces authorization information. Syntax — set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level] mac-addr mac-address — Traces a MAC address.
See Also clear trace on page 692, display trace on page 693
set trace dot1x
Traces 802.1X sessions. Syntax — set trace dot1x [mac-addr mac-address] [port port-num] [user username] [level level] mac-addr mac-address — Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port-num — Traces on a WX port number. user username — Traces a user.
set trace sm
Traces session manager activity. Syntax — set trace sm [mac-addr mac-address] [port port-num] [user username] [level level] mac-addr mac-address — Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port-num — Traces on a WX port number. user username — Traces a user. Specify a username of up to 80 alphanumeric characters, with no spaces.
22 SNOOP COMMANDS
Use snoop commands to monitor wireless traffic, by using a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. (For more information, including setup instructions for the monitoring station, see the “Remotely Monitoring Traffic” section in the “Troubleshooting a WX Switch” chapter of the Wireless LAN Switch and Controller Configuration Guide.
clear snoop
Deletes a snoop filter. Syntax — clear snoop filter-name filter-name — Name of the snoop filter. Defaults — None. Access — Enabled. History — Introduced in MSS Version 4.0. Examples — The following command deletes snoop filter snoop1:
WX1200# clear snoop snoop1
See Also set snoop on page 701, display snoop info on page 706
clear snoop map
Removes a snoop filter from a MAP radio.
Examples — The following command removes snoop filter snoop2 from radio 2 on Distributed MAP 3:
WX1200# clear snoop map snoop2 ap 3 radio 2
success: change accepted.
The following command removes all snoop filter mappings from all radios:
WX1200# clear snoop map all
success: change accepted.
See Also display snoop on page 706, display snoop map on page 707, set snoop map on page 704
set snoop
Configures a snoop filter.
To match on packets to or from a specific MAC address, use the dest-mac or src-mac option. To match on both send and receive traffic for a host address, use the host-mac option. To match on a traffic flow (source and destination MAC addresses), use the mac-pair option. This option matches for either direction of a flow, and either MAC address can be the source or destination address. If you omit a condition, all packets match that condition.
The MAP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the MAP to the observer. If the observer is not present, the MAP still sends the snoop packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the MAP. These ICMP messages can affect network and MAP performance.
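On the observer, each snooped 802.11 frame arrives wrapped in a TZSP datagram. The following Python sketch is an added example, not part of the 3Com reference: it strips the TZSP header and tag list from a constructed datagram and reads the frame type and first two addresses of the enclosed frame. The header layout (version, type, 16-bit encapsulation, then tags ended by tag 0x01) and the encapsulation value 0x12 for 802.11 follow the TZSP format as decoded by Wireshark and are assumptions not stated in this reference; all sample bytes are constructed.

```python
import struct
from typing import Dict, NamedTuple, Optional

TZSP_VERSION = 1
ENCAP_IEEE_802_11 = 0x12          # encapsulated protocol: IEEE 802.11
TAG_PADDING, TAG_END = 0x00, 0x01  # the only tags without a length byte
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


class TzspPacket(NamedTuple):
    packet_type: int
    encapsulation: int
    tags: Dict[int, bytes]   # tag number -> raw value, left uninterpreted
    payload: bytes           # the (possibly snap-length truncated) frame


def decode_tzsp(datagram: bytes) -> TzspPacket:
    """Split one TZSP datagram into header fields, tags and payload."""
    if len(datagram) < 4:
        raise ValueError("shorter than the 4-byte TZSP header")
    version, packet_type, encap = struct.unpack_from("!BBH", datagram)
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list is not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag without a length byte")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag value runs past the end of the datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return TzspPacket(packet_type, encap, tags, datagram[pos:])


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def summarize_80211(frame: bytes) -> Dict[str, Optional[str]]:
    """Frame type plus receiver (addr1) and transmitter (addr2), if present."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the frame control field")
    summary: Dict[str, Optional[str]] = {
        "frame_type": FRAME_TYPES.get((frame[0] >> 2) & 0x3, "reserved"),
        "addr1": None,
        "addr2": None,
    }
    if len(frame) >= 10:           # short or truncated frames may stop here
        summary["addr1"] = _mac(frame[4:10])
    if len(frame) >= 16:
        summary["addr2"] = _mac(frame[10:16])
    return summary


# Constructed datagram: TZSP header, two opaque tags, padding, end tag,
# then the start of an 802.11 data frame.
SAMPLE_DATAGRAM = bytes.fromhex(
    "01000012"            # version 1, type 0, encapsulation 0x0012
    "0a01c4" "00" "120106" "01"
    "08010000"            # frame control (data frame), duration
    "aabbccddeeff" "112233445566" "aabbccddeeff" "1000"
) + b"constructed"

if __name__ == "__main__":
    pkt = decode_tzsp(SAMPLE_DATAGRAM)
    print(hex(pkt.encapsulation), summarize_80211(pkt.payload))
```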
set snoop map
Maps a snoop filter to a radio on a MAP. A snoop filter does not take effect until you map it to a radio and enable the filter. Syntax — set snoop map filter-name ap ap-num radio {1 | 2} filter-name — Name of the snoop filter. ap ap-num — Number of a MAP to which to map the snoop filter. radio 1 — Radio 1 of the MAP. radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.) Defaults — Snoop filters are unmapped by default.
set snoop mode
Enables a snoop filter. A snoop filter does not take effect until you map it to a MAP radio and enable the filter. Syntax — set snoop {filter-name | all} mode {enable [stop-after num-pkts] | disable} filter-name | all — Name of the snoop filter. Specify all to enable all snoop filters. enable — Enables the snoop filter. disable — Disables the snoop filter. Defaults — Snoop filters are disabled by default. Access — Enabled.
display snoop
Displays the MAP radio mapping for all snoop filters. Syntax — display snoop Defaults — None. Access — Enabled. History — Introduced in MSS Version 4.0. Usage — To display the mappings for a specific MAP radio, use the display snoop map command.
Examples — The following command shows the snoop filters configured in the examples above:
WX1200# display snoop info
snoop1: observer 10.10.30.2 snap-length 100 all packets
snoop2: observer 10.10.30.3 snap-length 100 frame-type eq data mac-pair (aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66)
See Also clear snoop on page 700, set snoop on page 701
display snoop map
Shows the MAP radios that are mapped to a specific snoop filter.
display snoop stats
Displays statistics for enabled snoop filters. Syntax — display snoop stats [filter-name [ap-num [radio {1 | 2}]]] filter-name — Name of the snoop filter. dap-num — Number of a Distributed MAP to which the snoop filter is mapped. radio 1 — Radio 1 of the MAP. radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.) Defaults — None. Access — Enabled. History — Introduced in MSS Version 4.0.
Table 118 describes the fields in this display.
Table 118 display snoop stats Output
Field — Description
Filter — Name of the snoop filter.
Dap — Distributed MAP containing the radio to which the filter is mapped.
Radio — Radio to which the filter is mapped.
Rx Match — Number of packets received by the radio that match the filter.
Tx Match — Number of packets sent by the radio that match the filter.
23 SYSTEM LOG COMMANDS
Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol.
Commands by Usage
This chapter presents system log commands alphabetically. Use Table 119 to locate commands in this chapter based on their use.
Access — Enabled. History — Introduced in MSS Version 3.0. Examples — To stop sending system logging messages to a server at 192.168.253.11, type the following command:
WX4400# clear log server 192.168.253.11
success: change accepted.
Type the following command to clear all messages from the log buffer:
WX4400# clear log buffer
success: change accepted.
severity severity-level — Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
emergency — The WX switch is unusable.
alert — Action must be taken immediately.
critical — You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down.
error — The WX is missing data or is unable to form a connection.
warning — A possible problem exists.
See Also clear log on page 711, display log config on page 714
display log config
Displays log configuration information. Syntax — display log config Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0.
display log trace
Displays system information stored in the nonvolatile log buffer or the trace buffer. Syntax — display log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level] trace — Displays the log messages in the trace buffer.
Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0.
Logging state (enabled or disabled)
To override the session defaults for an individual session, type the set log command from within the session and use the current option.
trace — Sets log parameters for trace files.
Port port-number — Sets the TCP port for sending messages to the syslog server. You can specify a number from 1 to 65535. The default syslog port is 514.
severity severity-level — Logs events at a severity level greater than or equal to the level specified.
If you do not specify a local facility, MSS sends the messages with their default MSS facilities. For example, AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default. enable — Enables messages to the specified target. disable — Disables messages to the specified target. Defaults — The following are defaults for the set log commands. Events at the error level and higher are logged to the WX console.
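The facility numbers and the "at or above this severity" threshold described for set log and display log buffer map onto the RFC 3164 PRI field, where PRI = facility × 8 + severity and a lower severity code is more severe. The following Python sketch is an added example for a collector receiving these messages, not 3Com code: it decodes PRI on constructed sample lines and applies the same threshold. The names notice, info and debug for the three lowest levels, the host name and the message texts are assumptions.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# RFC 3164 severity codes 0-7. The first five names appear in this reference;
# "notice", "info" and "debug" are assumed names for codes 5-7.
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug")
DEFAULT_PRI = 13   # RFC 3164 section 4.3.3: used when PRI is missing or invalid
MAX_PRI = 191      # facility 23 * 8 + severity 7

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                          # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # Mmm dd hh:mm:ss
    r"(?P<host>\S+) (?P<msg>.*)$"
)


class LogRecord(NamedTuple):
    facility: int
    severity: str
    timestamp: str
    host: str
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one RFC 3164 line; return None if the header is not recognisable."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri")) if m.group("pri") else DEFAULT_PRI
    if pri > MAX_PRI:          # out-of-range PRI is treated like a missing one
        pri = DEFAULT_PRI
    facility, code = divmod(pri, 8)
    return LogRecord(facility, SEVERITIES[code], m.group("ts"),
                     m.group("host"), m.group("msg"))


def parse_all(lines: Iterable[str]) -> List[LogRecord]:
    """Parse every line, dropping those that are not syslog messages."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def at_or_above(records: Iterable[LogRecord], level: str) -> List[LogRecord]:
    """Keep records whose severity is `level` or more severe."""
    limit = SEVERITIES.index(level)
    return [r for r in records if SEVERITIES.index(r.severity) <= limit]


# Constructed sample lines (host name and message text are placeholders).
SAMPLE_LINES = [
    "<35>Oct  3 11:02:17 wx-example constructed AAA message",    # facility 4, error
    "<164>Oct  3 11:02:18 wx-example constructed boot message",  # facility 20, warning
    "<166>Oct  3 11:02:19 wx-example constructed boot message",  # facility 20, info
    "<33>Oct  3 11:02:20 wx-example constructed AAA message",    # facility 4, alert
    "Oct  3 11:02:21 wx-example constructed line without PRI",   # defaults to PRI 13
    "<999>Oct  3 11:02:22 wx-example constructed line, bad PRI", # defaults to PRI 13
    "not a syslog line",
]

if __name__ == "__main__":
    for rec in at_or_above(parse_all(SAMPLE_LINES), "error"):
        print(rec.facility, rec.severity, rec.message)
```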
set log mark
Configures MSS to generate mark messages at regular intervals. The mark messages indicate the current system time and date. 3Com can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred. Syntax — set log mark [enable | disable] [severity level] [interval interval] enable — Enables the mark messages. disable — Disables the mark messages.
24 BOOT PROMPT COMMANDS
Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).
CAUTION: Generally, boot prompt commands are used only for troubleshooting.
Table 120 Boot Prompt Commands by Usage (continued)
Type — Command
Boot Profile Management — display on page 730, create on page 726
Boot Profile Management, cont. — next on page 735, change on page 725, delete on page 727
Diagnostics — diag on page 729, test on page 737
autoboot
Displays or changes the state of the autoboot option.
boot
Loads and executes a system image file. Syntax — boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num] [OPT=option] [OPT+=option]
BT=type — Boot type:
c — Compact flash. Boots using nonvolatile storage or a flash card.
n — Network. Boots using a TFTP server.
Usage — If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the display command. To change the currently active boot profile, use the change command. Examples — The following command loads system image file WXA30001.Rel from boot partition 1: boot> boot FN=WXA03001.
change
Changes parameters in the currently active boot profile. (For information about boot profiles, see display on page 730.) Syntax — change Defaults — The default boot type is c (compact flash). The default filename is default. The default flags setting is 0x00000000 (all flags disabled) and the default options list is run=nos;boot=0.
The following command enters the configuration mode for the currently active boot profile and configures the WX switch (in this example, a WXR100) to boot using a TFTP server:
boot> change
Changing the default configuration is not recommended.
Are you sure that you want to proceed? (y/n)y
BOOT TYPE: [c]> n
DEVICE: [boot0:]> emac1
FILENAME: [default]> bootfile
HOST IP: [0.0.0.0]> 172.16.0.1
LOCAL IP: [0.0.0.0]> 172.16.0.21
GATEWAY IP: [0.0.0.
IP MASK:
FLAGS:
OPTIONS:
Usage — A WX switch can have up to four boot profiles. The boot profiles are stored in slots, numbered 0 through 3. When you create a new profile, the system uses the next available slot for the profile. If all four slots already contain profiles and you try to create a fifth profile, the switch displays a message advising you to change one of the existing profiles instead. To make a new boot profile the currently active boot profile, use the next command.
Usage — When you type the delete command, the next-lower numbered boot profile becomes the active profile. For example, if the currently active profile is number 3, profile number 2 becomes active after you type delete to delete profile 3. You cannot delete boot profile 0.
Examples — The following command displays the current setting of the DHCP option:
boot> dhcp
DHCP is currently enabled.
The following command disables the DHCP option:
boot> dhcp
DHCP is currently disabled.
See Also boot on page 723
diag
Accesses the diagnostic mode. Syntax — diag Defaults — The diagnostic mode is disabled by default. Access — Boot prompt. History — Introduced in MSS Version 3.0. Usage — Access to the diagnostic mode requires a password, which is not user configurable.
Access — Boot prompt. History — Introduced in MSS Version 3.0. Usage — To display the system image software versions, use the fver command. This command does not list the boot code versions. To display the boot code versions, use the version command. Examples — The following command displays all the boot code and system image files on a WX switch:
boot> dir
Internal Compact Flash Directory (Primary): WXA30001.
A WX switch can have up to four boot profiles, numbered 0 through 3. Only one boot profile can be active at a time. You can create, change, and delete boot profiles. You also can activate another boot profile in place of the currently active one. Syntax — display Defaults — None. Access — Boot prompt. History — Introduced in MSS Version 3.0.
Table 121 Output of display command (continued)
Field — Description
DEVICE — Location of the system image file:
c: — Nonvolatile storage area containing boot partition 0
d: — Nonvolatile storage area containing boot partition 1
e: — Primary partition of the flash card in the flash card slot
f: — Secondary partition of the flash card in the flash card slot
boot0 — boot partition 0
boot1 — boot partition 1
FILENAME — System image file name.
Access — Boot prompt. History — Introduced in MSS Version 3.0. Usage — To display the image filenames, use the dir command. This command does not list the boot code versions. To display the boot code versions, use the version command. Examples — The following command displays the system image version installed in boot partition 1:
boot> fver boot1
File boot1:default version is 3.0.1.
Examples — The following command displays detailed information for the fver command:
boot> help fver
fver Display the version of the specified device:filename.
USAGE: fver [c:file|d:file|e:file|f:file|boot0:file|boot1:file| boot2:file|boot3:file]
Command to display the version of the compressed image file associated with the given device:filename.
See Also ls on page 734
ls
Displays a list of the boot prompt commands. Syntax — ls Defaults — None.
Examples — To display a list of the commands available at the boot prompt, type the following command:
boot> ls
ls Display a list of all commands and descriptions.
help Display help information for each command.
autoboot Display the state of, enable, or disable the autoboot option.
boot Load and execute an image using the current boot configuration profile.
change Change the current boot configuration profile.
create Create a new boot configuration profile.
delete
next
display
Examples — To activate the boot profile in the next slot and display the profile, type the following command:
boot> next
BOOT Index: 0
BOOT TYPE: c
DEVICE: boot1:
FILENAME: testcfg
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also change on page 725, create on page 726, delete on page 727, display on page 730
reset
Resets a WX switch’s hardware. Syntax — reset Defaults — None. Access — Boot prompt. History — Introduced in MSS Version 3.0.
3Com WX-4400 Bootstrap/Bootloader Version 3.0.2 Release Compiled on Wed Sep 22 09:18:47 PDT 2004 by Bootstrap Bootloader Bootstrap Bootloader 0 0 1 1 version: version: version: version: WX-4400 Board Revision: WX-4400 Controller Revision: WXA30001.Rel BOOT Index: BOOT TYPE: DEVICE: FILENAME: FLAGS: OPTIONS: 3.1 3.0.2 3.1 3.0.1 Active Active 2. 5.
Examples — The following command displays the current setting of the poweron test flag:
boot> test
The diagnostic execution flag is not set.
See Also boot on page 723
version
Displays version information for a WX switch’s hardware and boot code. Syntax — version Defaults — None. Access — Boot prompt. History — Introduced in MSS Version 3.0. Usage — This command does not list the system image file versions installed in the boot partitions.
A OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
3Com offers product registration, case management, and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix.
Register Your Product to Gain Service Benefits
To take advantage of warranty and other service benefits, you must first register your product at: http://eSupport.3com.
Purchase Extended Warranty and Professional Services
To enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or advanced hardware replacement. Experienced engineers are available to manage your installation with minimal disruption to your network.
Contact Us
Telephone Technical Support and Repair
To obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://eSupport.3com.
Country — Telephone Number
Pakistan — Call the U.S. direct by dialing 00 800 01001, then dialing 800 763 6780
Sri Lanka — Call the U.S. direct by dialing 02 430 430, then dialing 800 763 6780
Vietnam — Call the U.S. direct by dialing 1 201 0288, then dialing 800 763 6780
You can also obtain non-urgent support in this region at this email address apr_technical_support@3com.
US and Canada — Telephone Technical Support and Repair
All locations:
Network Jacks; Wired or Wireless Network Interface Cards: 1 847-262-0070
All other 3Com products: 1 800 876 3266
INDEX A autoboot 722 B backup 664 boot 723 C change 725 clear accounting 213 clear ap 70 clear ap boot-configuration 310 clear ap local-switching vlan-profile 307 clear ap radio 308 clear authentication admin 214 clear authentication console 215 clear authentication dot1x 216 clear authentication mac 217 clear authentication proxy 218 clear banner motd 42 clear boot backup- configuration 666 clear boot config 666 clear dot1x bonded-period 594 clear dot1x max-req 595 clear dot1x port-control 595 clear dot
INDEX clear snmp notify profile 143 clear snmp notify target 144 clear snoop 700 clear snoop map 700 clear spantree portcost 484 clear spantree portpri 485 clear spantree portvlancost 485 clear spantree portvlanpri 486 clear spantree statistics 487 clear summertime 145 clear system 44 clear system countrycode 44 clear system ip-address 44, 146 clear system location 44 clear system name 44 clear timezone 146 clear trace 692 clear user 224 clear user attr 225 clear user group 226 clear user lockout 226
INDEX display network-domain 296 display ntp 159 display port counters 75 display port media-type 81 display port mirror 77 display po
INDEX reset port 87 reset system 683 restore 684 rfping 634 rmdir 685 rollback security acl 551 S save config 685 save trace 694 set accounting {admin | console} 235 set accounting {dot1x | mac | web | last-resort} 237 set ap 87 set ap auto 362 set ap auto mode 366 set ap auto persistent 364 set ap auto radiotype 365 set ap bias 367 set ap blink 368, 379 set ap boot- configuration mesh mode 370 set ap boot-configuration mesh psk-phrase 371 set ap boot-configuration mesh psk-raw 372 set ap boot-config
INDEX set license 58 set load-balancing strictness 399 set location policy 256 set log 716 set log buffer 716 set log console 716 set log current 716 set log mark 719 set log server 716 set log sessions 716 set log trace 716 set mac-user 260 set mac-user attr 261 set mac-usergroup attr 267 set mobility profile 269 set mobility-domain member 284 set mobility-domain mode member seed-ip 285, 286 set mobility-domain mode secondary-seed domain-name 287 set mobility-domain mode seed domain-name 288 set mobility-
INDEX set service-profile cos 444 set service-profile dhcp-restrict 445 set service-profile idle-client-probing 446 set service-profile keep-initial-vlan 447 set service-profile load-balancing- 448 set service-profile long-retry-count 449 set service-profile no-broadcast 451 set service-profile proxy-arp 452 set service-pro